Tivoli Policy Director for WebLogic Server User Guide, Version 3.8 (SC32-0831-00)
Tivoli SecureWay Policy Director for WebLogic Server User Guide
Copyright Notice
© Copyright IBM Corporation 2002. All rights reserved. May only be used pursuant to a Tivoli Systems Software License Agreement, an IBM Software License Agreement, or Addendum for Tivoli Products to IBM Customer or License Agreement. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual, or otherwise, without prior written permission of IBM Corporation. IBM Corporation grants you limited permission to make hardcopy or other reproductions of any machine-readable documentation for your own use, provided that each such reproduction shall carry the IBM Corporation copyright notice. No other rights under copyright are granted without prior written permission of IBM Corporation. The document is not intended for production and is furnished “as is” without warranty of any kind. All warranties on this document are hereby disclaimed, including the warranties of merchantability and fitness for a particular purpose.
U.S. Government Users Restricted Rights—Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corporation.
Trademarks
IBM, the IBM logo, Tivoli, the Tivoli logo, AIX, Cross-Site, NetView, OS/2, Planet Tivoli, RS/6000, Tivoli Certified, Tivoli Enterprise, Tivoli Enterprise Console, Tivoli Ready, and TME are trademarks or registered trademarks of International Business Machines Corporation or Tivoli Systems Inc. in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Notices
References in this publication to Tivoli Systems or IBM products, programs, or services do not imply that they will be available in all countries in which Tivoli Systems or IBM operates. Any reference to these products, programs, or services is not intended to imply that only Tivoli Systems or IBM products, programs, or services can be used. Subject to valid intellectual property or other legally protectable right of Tivoli Systems or IBM, any functionally equivalent product, program, or service can be used instead of the referenced product, program, or service. The evaluation and verification of operation in conjunction with other products, except those expressly designated by Tivoli Systems or IBM, are the responsibility of the user. Tivoli Systems or IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to the IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, New York 10504-1785, U.S.A.
© Copyright International Business Machines Corporation 2002. All rights reserved. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
Preface . . . vii
  Who Should Read This Book . . . vii
  What This Book Contains . . . vii
  Publications . . . vii
    Tivoli Policy Director Library . . . viii
    Prerequisite Publications . . . viii
    Accessing Publications Online . . . viii
    Ordering Publications . . . ix
    Providing Feedback about Publications . . . ix
  Contacting Customer Support . . . ix
  Conventions Used in This Book . . . x
    Typeface Conventions . . . x
Chapter 1. Introducing Policy Director for WebLogic Server . . . 1
  Introducing Policy Director . . . 1
  Integrating Policy Director and WebLogic Server . . . 3
    Using Policy Director Authentication . . . 5
    Using Policy Director Authorization . . . 7
Chapter 2. Installing Policy Director for WebLogic Server . . . 9
  Software Contents . . . 9
  Supported Platforms . . . 10
  Installation Packages . . . 10
  Software Prerequisites . . . 10
    WebLogic Server . . . 10
    Policy Director . . . 11
  Installing Policy Director for WebLogic Server . . . 14
  Configuring Policy Director for WebLogic Server . . . 15
  Configuring a Custom Realm . . . 17
  Configuring a WebSEAL Junction for the WebLogic Server . . . 22
  Testing the Configuration . . . 23
Chapter 3. Using Policy Director for WebLogic Server . . . 25
  Using the Demonstration Application . . . 25
  Creating Test Users . . . 27
  Usage Tips . . . 27
  Troubleshooting Tips . . . 28
  Limitations . . . 28
Preface
Welcome to Tivoli® Policy Director for WebLogic Server. This product extends Policy Director to support applications written for BEA WebLogic® Server. This guide provides installation, configuration, and administration instructions.
Who Should Read This Book
The target audience for this administration guide includes:
¶ Security administrators
¶ System installation and deployment administrators
¶ Network system administrators
¶ IT architects
What This Book Contains
This document contains the following chapters:
¶ Chapter 1, “Introducing Policy Director for WebLogic Server”
Presents an overview of the authentication and authorization services provided by Policy Director for WebLogic Server.
¶ Chapter 2, “Installing Policy Director for WebLogic Server”
Describes how to install and configure Policy Director for WebLogic Server.
¶ Chapter 3, “Using Policy Director for WebLogic Server”
Describes how to use the demonstration application, and provides usage tips, troubleshooting information, and limitations.
Publications
This section lists publications in the Tivoli Policy Director library and any other related documents. It also describes how to access Tivoli publications online, how to order Tivoli publications, and how to make comments on Tivoli publications.
Tivoli Policy Director Library
The following documents are available in the Tivoli Policy Director library:
¶ Tivoli SecureWay Policy Director Base Installation Guide, GC32-0735
¶ Tivoli SecureWay Policy Director Base Administration Guide, GC32-0680
¶ Tivoli SecureWay Policy Director Web Portal Manager Administration Guide, GC32-0737
¶ Tivoli SecureWay Policy Director Authorization ADK Developer Reference, GC32-0813
¶ Tivoli SecureWay Policy Director WebSEAL Administration Guide, GC32-0684
¶ Tivoli SecureWay Policy Director WebSEAL Developer Reference, GC32-0685
¶ Tivoli SecureWay Policy Director Release Notes, GI11-0895
Prerequisite Publications
To be able to use the information in this book effectively, you must have some prerequisite knowledge, which you can get from the following books:
¶ Tivoli SecureWay Policy Director Base Installation Guide, GC32-0735
¶ Tivoli SecureWay Policy Director Base Administration Guide, GC32-0680
¶ Tivoli SecureWay Policy Director Authorization ADK Developer Reference, GC32-0813
¶ Tivoli SecureWay Policy Director WebSEAL Administration Guide, GC32-0684
Accessing Publications Online
You can access many Tivoli publications online at the Tivoli Customer Support Web site:
http://www.tivoli.com/support/documents/
These publications are available in PDF or HTML format, or both. Translated documents are also available for some products.
Ordering Publications
You can order many Tivoli publications online at the following Web site:
http://www.ibm.com/shop/publications/order
You can also order by telephone by calling one of these numbers:
¶ In the United States: 800-879-2755
¶ In Canada: 800-426-4968
¶ In other countries, for a list of telephone numbers, see the following Web site:
http://www.tivoli.com/inside/store/lit_order.html
Providing Feedback about Publications
We are very interested in hearing about your experience with Tivoli products and documentation, and we welcome your suggestions for improvements. If you have comments or suggestions about our products and documentation, contact us in one of the following ways:
¶ Send an e-mail to [email protected].
¶ Complete our customer feedback survey at the following Web site:
http://www.tivoli.com/support/survey/
Contacting Customer Support
If you have a problem with any Tivoli product, you can contact Tivoli Customer Support. See the Tivoli Customer Support Handbook at the following Web site:
http://www.tivoli.com/support/handbook/
The handbook provides information about how to contact Tivoli Customer Support, depending on the severity of your problem, and the following information:
¶ Registration and eligibility
¶ Telephone numbers and e-mail addresses, depending on the country you are in
¶ What information you should gather before contacting support
Conventions Used in This Book
This book uses several conventions for special terms and actions, operating system-dependent commands and paths, and margin graphics.
Typeface Conventions
The following typeface conventions are used in this book:
Bold
  Lowercase and mixed-case commands, command options, and flags that appear within text appear like this, in bold type.
  Graphical user interface elements (except for titles of windows and dialogs) and names of keys also appear like this, in bold type.
Italic
  Variables, values you must provide, new terms, and words and phrases that are emphasized appear like this, in italic type.
Monospace
  Commands, command options, and flags that appear on a separate line, code examples, output, and message text appear like this, in monospace type.
  Names of files and directories, text strings you must type, when they appear within text, names of Java methods and classes, and HTML and XML tags also appear like this, in monospace type.
Chapter 1. Introducing Policy Director for WebLogic Server
Policy Director for WebLogic Server is an extension to Policy Director Version 3.8 that implements a Policy Director Custom Realm for BEA WebLogic Server 6.1. The Custom Realm provides a user registry that is administered by Policy Director. Policy Director uses group memberships in the user registry to affect authorization decisions made by WebLogic Server. The Custom Realm can also be used with Policy Director WebSEAL to support end-user single sign-on.
Policy Director for WebLogic Server enables WebLogic Server applications to use Policy Director security without requiring any coding or deployment changes.
Introducing Policy Director
Policy Director for WebLogic Server implements a Custom Realm using the security services provided by a Policy Director secure domain. The Policy Director secure domain must be deployed prior to installation of Policy Director for WebLogic Server.
Users who are new to Policy Director should review the Policy Director security model before deploying a Policy Director secure domain. A brief summary of the Policy Director security model is presented here.
Policy Director is a complete authorization and network security policy management solution that provides end-to-end protection of resources over geographically dispersed intranets and extranets.
Policy Director features state-of-the-art security policy management. In addition, Policy Director supports authentication, authorization, data security, and resource management capabilities. You use Policy Director in conjunction with standard Internet-based applications to build highly secure and well-managed intranets and extranets.
At its core, Policy Director provides:
¶ An authentication framework
Policy Director supports a wide range of authentication mechanisms.
¶ An authorization framework
Policy Director provides a framework for authorization policy management. Authorization policy is managed centrally and distributed automatically to access enforcement points across the enterprise, including the Policy Director servers. The Policy Director authorization service provides permit and deny decisions on access requests for native Policy Director servers and third-party applications.
Policy Director WebSEAL is the Policy Director resource security manager for Web-based resources. WebSEAL is a high performance, multi-threaded Web server that applies fine-grained security to protected web resources. WebSEAL can provide single sign-on solutions and incorporate back-end Web application server resources into its security policy.
You can learn more about Policy Director, including information necessary to make deployment decisions, by reviewing the documentation distributed with Tivoli SecureWay Policy Director Version 3.8. Start with the following guides:
¶ Tivoli SecureWay Policy Director Base Installation Guide, GC32-0735
This guide describes how to plan, install, and configure a Policy Director secure domain. A series of easy installation scripts enable you to quickly deploy a fully functional secure domain.
These scripts are very useful when prototyping a secure domain that meets your security policy requirements.
¶ Tivoli SecureWay Policy Director Base Administration Guide,GC32-0680
This document presents an overview of the Policy Director security model for managing protected resources. This guide also describes how to configure the Policy Director servers that make access control decisions. In addition, detailed instructions describe how to perform important tasks such as declaring security policies, defining protected object namespaces, and administering user and group profiles.
¶ Tivoli SecureWay Policy Director WebSEAL Administration Guide, GC32-0684
This guide provides a comprehensive set of procedures and reference information for managing resources in a secure Web domain. The guide also presents overview and concept material that describes the wide range of WebSEAL functionality.
¶ Tivoli SecureWay Policy Director Authorization ADK Developer Reference, GC32-0813
This guide describes how to use the Policy Director authorization API to add security to third party applications. This document includes a description of the svrsslcfg utility. This utility is used during the configuration of Policy Director for WebLogic Server.
The Policy Director documentation is included on the Tivoli SecureWay Policy Director Version 3.8 CD-ROMs, and is also available from the Tivoli Customer Support web site. See “Accessing Publications Online” on page viii.
Integrating Policy Director and WebLogic Server
The integration of Policy Director with WebLogic Server 6.1 enables WebLogic applications to take advantage of the following Policy Director features:
¶ Centralized access control of WebLogic resources in the following way:
- Changing a user’s group memberships alters their access privileges to WebLogic’s Java 2 Enterprise Edition (J2EE) resources in accordance with the group-to-role mappings contained in the deployment descriptors for each WebLogic Server application.
- WebSEAL controls access to Uniform Resource Locators (URLs) that correspond to objects in the Policy Director policy database. These can be static URL strings or can be represented by pattern matching.
Integrated authorization is achieved by WebLogic Server’s use of the Policy Director for WebLogic Server Custom Realm to determine which users belong to the groups that are mapped to the J2EE application’s security roles. This means that a Policy Director administrator can affect the authorization decisions of WebLogic Server through group membership within the Policy Director registry.
¶ Centralized user registry used by the Policy Director management server and WebLogic Server. The Policy Director Version 3.8 product distribution includes IBM SecureWay Directory 3.2.1. The Policy Director for WebLogic Server Custom Realm allows this registry, as well as other third-party registries that are supported by Policy Director Version 3.8, to be used as the WebLogic registry.
¶ Single sign-on through the use of Policy Director WebSEAL.
Single sign-on is achieved by combining the one-time user authentication of WebSEAL with the validation of user identity by the Policy Director for WebLogic Server Custom Realm.
This allows many authentication mechanisms, including certificates, to be used without any impact to the target application.
The WebLogic server’s trust of WebSEAL is achieved through a combination of a WebSEAL junction and the use of the Policy Director for WebLogic Server Custom Realm. A junction is a network connection between a WebSEAL server and an application server, such that:
1. There is trust between WebSEAL and the application server.
2. WebSEAL protects both its own resources and the resources on the junctioned application server.
Using Policy Director Authentication
Figure 1 displays the model for the processing of requests for access to protected resources. Requests can come from either external users or internal users.
Authenticating External Users
1. An external user requests access to a protected resource. The request is received by WebSEAL before entering the secure network of the enterprise. (See Figure 1, arrow 1A)
2. WebSEAL authenticates the user in the Policy Director secure domain. (See Figure 1, arrow 2)
Figure 1. Policy Director provides single sign-on authentication and a Custom Realm for authorization decisions. (Figure not reproduced here. It shows the external browser, Policy Director WebSEAL, WebLogic Server 6.1 with its user authentication module, access managers and J2EE application deployment descriptors, the Policy Director Custom Realm for WebLogic Server, the Policy Director management server and its policy database, and the internal browser, connected by the arrows 1A, 1B, 2, 3, 4, 5, A and B referenced in the text.)
WebSEAL supports the following authentication methods: username/password, certificates, username and RSA SecurID, or a custom authentication mechanism.
Once authenticated, WebSEAL applies its own authorization decision based on the requested URL and the Policy Director access policy. WebSEAL can apply considerations such as account validity, time-of-day, and authentication mechanism.
3. Once authorized, WebSEAL forwards the request to the WebLogic server. The request includes the external username and a special password within the basic authentication header. The special password belongs to the configured user, and allows the Policy Director for WebLogic Server Custom Realm to confirm WebSEAL as the origin of the request. (See Figure 1, arrow 3)
4. The WebLogic server transparently passes the authenticated user identity and password to the Policy Director Custom Realm. (See Figure 1, arrow 4)
5. The Policy Director Custom Realm uses Policy Director authentication services to verify that the password provided by WebSEAL is correct for the configured user described above. That is, this password provides the basis of trust that the request’s origin is WebSEAL. (See Figure 1, arrow 5)
The request is now ready for authorization.
Authenticating Internal Users
Figure 1 also displays the model for the processing of requests for access to protected resources by internal users that do not go through a WebSEAL junction:
1. An internal user sends a request for access to a protected resource. (See Figure 1, arrow 1B)
2. The WebLogic user authentication module sends the user identity to the Policy Director Custom Realm. (See Figure 1, arrow 4)
3. The Policy Director Custom Realm sends the authentication request to the Policy Director management server. (See Figure 1, arrow 5)
If authentication is successful, the Policy Director Custom Realm returns the username to WebLogic Server, as the authenticated user.
The request is now ready for authorization.
Using Policy Director Authorization
The authorization process occurs as follows:
1. When a request for a J2EE resource is received by WebLogic Server, it checks the relevant deployment descriptor information to determine if access to the resource is restricted to certain roles. (See Figure 1, arrow A)
2. If the request requires the user to assume a role, the WebLogic Server queries the Policy Director Custom Realm to determine whether the requesting user is a member of any of the groups that are mapped to the role. (See Figure 1, arrow B)
3. The Policy Director Custom Realm consults the Policy Director management server to determine if the current user is a member of the group. If the user is a member of a group that is mapped to a permitted role, access is granted. Otherwise, access is denied. (See Figure 1, arrow 5)
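The two authentication paths (external users arriving through the WebSEAL junction, internal users authenticating directly) and the group-to-role authorization check, as an added example in Python that is not part of this guide or of the product (the real Custom Realm is Java code loaded by WebLogic Server and consults the Policy Director management server; here a dictionary stands in for the registry). The registry contents, the trust user name websealtrust, the passwords and the group-to-role mapping are constructed sample data, and every function name is invented for this illustration.

```python
"""Simulation of the Custom Realm behaviour described in Figure 1.

Added example, not product code. REGISTRY stands in for the Policy
Director user registry, WEBSEAL_TRUST_USER for the "configured user"
whose password WebSEAL sends on the junction, and ROLE_TO_GROUPS for
the group-to-role mappings in a WebLogic deployment descriptor.
All names and values are constructed for the example."""
import base64
import hmac

# Constructed registry: username -> (password, set of group names).
REGISTRY = {
    "websealtrust": ("s3cr3t-junction-pw", set()),
    "alice": ("alice-pw", {"managers", "staff"}),
    "bob": ("bob-pw", {"staff"}),
}

# Identity whose password WebSEAL places in the basic authentication
# header on every junctioned request (name is an assumption).
WEBSEAL_TRUST_USER = "websealtrust"

# Group-to-role mapping as a weblogic.xml security-role-assignment
# would express it (constructed).
ROLE_TO_GROUPS = {
    "admin": {"managers"},
    "employee": {"managers", "staff"},
}


def _password_ok(user, password):
    """Constant-time password check against the sample registry."""
    entry = REGISTRY.get(user)
    if entry is None:
        return False
    return hmac.compare_digest(entry[0].encode(), password.encode())


def make_basic_header(user, password):
    """Build the Authorization header value that WebSEAL (or a browser) sends."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def parse_basic_auth(header):
    """Split an HTTP Basic Authorization header value into (user, password)."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    decoded = base64.b64decode(token).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("malformed Basic credentials")
    return user, password


def authenticate_junction_request(header):
    """External-user path (Figure 1, arrows 3, 4, 5).

    The password in the header must be the trust user's password: that
    is what proves the request came through WebSEAL, which already
    authenticated the end user. The username is then accepted as the
    asserted identity without a password check of its own.
    Returns the authenticated username, or None if the request is not trusted."""
    asserted_user, password = parse_basic_auth(header)
    if not _password_ok(WEBSEAL_TRUST_USER, password):
        return None
    return asserted_user


def authenticate_internal_user(user, password):
    """Internal-user path (Figure 1, arrows 1B, 4, 5): an ordinary
    credential check against the registry. Returns the username or None."""
    return user if _password_ok(user, password) else None


def is_access_allowed(user, role):
    """Authorization (Figure 1, arrows A, B, 5): permit when the user is
    a member of any group mapped to the required role. Unknown users
    have no groups and are therefore denied."""
    groups = REGISTRY.get(user, (None, set()))[1]
    return bool(groups & ROLE_TO_GROUPS.get(role, set()))


if __name__ == "__main__":
    hdr = make_basic_header("alice", "s3cr3t-junction-pw")
    who = authenticate_junction_request(hdr)
    print("junction request accepted as", who, "-> admin:", is_access_allowed(who, "admin"))
    spoof = make_basic_header("alice", "alice-pw")
    print("same user without the trust password ->", authenticate_junction_request(spoof))
```

The point the simulation makes explicit is that on the junction path the asserted username is never verified against its own password; only the trust user's password is checked. Anyone who can reach the WebLogic listener directly and knows that password can therefore present any registry username, so the trust password must be guarded like a server credential and the WebLogic port should be reachable only from WebSEAL.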
Chapter 2. Installing Policy Director for WebLogic Server
This chapter contains the following topics:
¶ “Software Contents”
¶ “Supported Platforms” on page 10
¶ “Installation Packages” on page 10
¶ “Software Prerequisites” on page 10
¶ “Installing Policy Director for WebLogic Server” on page 14
¶ “Configuring Policy Director for WebLogic Server” on page 15
¶ “Configuring a Custom Realm” on page 17
¶ “Configuring a WebSEAL Junction for the WebLogic Server” on page 22
¶ “Testing the Configuration” on page 23
Software Contents
Policy Director for WebLogic Server is distributed as one installation package. The installation package consists of the following:
¶ A JAR file, PDWLS_Realm.jar, containing the Policy Director Custom Realm and all the resources needed by the realm.
¶ An EAR file containing a demonstration enterprise application.
Supported Platforms
Policy Director for WebLogic Server is supported on the following platforms (operating system release: WebLogic Server release):
¶ AIX 4.3.3: WebLogic Server 6.1, with Service Pack 1
¶ Microsoft Windows 2000 Advanced Server, with Service Pack 2: WebLogic Server 6.1, with Service Pack 2
Installation Packages
The installation package is available as a software download from the following URL:
http://www.tivoli.com/secure/support/downloads/secureway/policy_dir/downloads.html
A valid login and password is required to access the Tivoli Customer Support software download site.
Software Prerequisites
Successful installation of Policy Director for WebLogic Server requires the prerequisites described in the following sections:
¶ “WebLogic Server”
¶ “Policy Director” on page 11
WebLogic Server
WebLogic Server 6.1 must be installed and configured on the system that will host Policy Director for WebLogic Server. WebLogic Server 6.1 is installed without a default Custom Realm and is launched using the startWebLogic command.
WebLogic Server should be running when Policy Director for WebLogic Server is installed. To start WebLogic Server, use the startWebLogic command.
WebLogic Server is distributed with the necessary Java Runtime Environment (JRE). Policy Director for WebLogic Server uses this same JRE. Successful installation of WebLogic Server satisfies the Policy Director for WebLogic Server prerequisite for a JRE.
Java Environment on AIX
On AIX systems, WebLogic Server 6.1 requires IBM Java Runtime Environment (JRE), Version 1.3. WebLogic Server 6.1 distributes this JRE, and installs it during the WebLogic Server installation. Policy Director for WebLogic Server uses this same version of the JRE.
Policy Director for WebLogic Server uses Java Native Interface (JNI) code. Ensure that the AIX environment is configured as described in:
/<BEA install dir>/jdk130/README.HTML
Policy Director
Policy Director for WebLogic Server has dependencies on other Policy Director software, as described in the following sections:
¶ “Policy Director Management Server and Authorization Server”
¶ “Policy Director WebSEAL” on page 12
¶ “Policy Director Runtime Environment and Authorization ADK” on page 13
¶ “Policy Director Base Fixpack 3 for Version 3.8” on page 13
¶ “Policy Director WebSEAL Fixpack 1 for Version 3.8” on page 13
Policy Director Management Server and Authorization Server
A Policy Director Version 3.8 secure domain must be installed and configured prior to installing Policy Director for WebLogic Server.
The Policy Director secure domain is established when you install the Tivoli SecureWay Policy Director management server. This management server is distributed on the Tivoli SecureWay Policy Director Base Version 3.8 CD-ROM for your operating system.
Policy Director supports two different modes of authorization: remote mode and local mode. The Policy Director authorization server must be installed if you choose to run Policy Director for WebLogic Server in remote mode.
Although you can use either mode with Policy Director for WebLogic Server, remote mode is strongly recommended. For a complete discussion of remote and local mode, see the Tivoli SecureWay Policy Director Base Administration Guide.
Typically, the Policy Director management server and authorization server are installed on a different system than the system that hosts Policy Director for WebLogic Server.
See the Tivoli SecureWay Policy Director Base Installation Guide for installation and configuration instructions for the Policy Director management server and Policy Director authorization server. This document is included on the Tivoli SecureWay Policy Director Base Version 3.8 CD-ROM for your operating system.
Note: The Policy Director management server must be updated with Base Fixpack 3. See “Policy Director Base Fixpack 3 for Version 3.8” on page 13.
Policy Director WebSEAL
Policy Director WebSEAL provides web-based security services that can be used by Policy Director for WebLogic Server. Policy Director for WebLogic Server, when combined with WebSEAL junctions, can be used to provide a WebSEAL to WebLogic Server single sign-on solution.
Policy Director WebSEAL is typically installed on a system other than the system that hosts Policy Director for WebLogic Server.
Policy Director WebSEAL requires that the Policy Director management server be installed and configured.
For complete installation instructions, see the Tivoli SecureWay Policy Director WebSEAL Installation Guide. This guide is distributed on the Tivoli SecureWay Policy Director WebSEAL Version 3.8 CD-ROM.
Note: Policy Director WebSEAL must be updated with WebSEAL Fixpack 1. See “Policy Director WebSEAL Fixpack 1 for Version 3.8”.
Policy Director Runtime Environment and Authorization ADK
The following components from the Policy Director Base must be installed on the system that will host Policy Director for WebLogic Server:
¶ Policy Director Version 3.8 Runtime Environment
¶ Policy Director Version 3.8 Authorization ADK
¶ Policy Director Base Fixpack 3
The Policy Director secure domain must be established prior to installing these components on the system that will host Policy Director for WebLogic Server.
Policy Director Base Fixpack 3 for Version 3.8
Each Policy Director system must be updated with Base Fixpack 3 for Version 3.8. You must obtain and install the Fixpack for your operating system.
The fixpack is titled FixPack 3.8-POL-0003.
Download and install the Policy Director Fixpack 3 from the following URL:
https://www.tivoli.com/secure/support/patches/Tivoli_SecureWay_Policy_Director_.html
You will need a login and password from Tivoli Customer Support to access this web page.
Policy Director WebSEAL Fixpack 1 for Version 3.8
Each Policy Director WebSEAL server system must be updated with WebSEAL Fixpack 1 for Version 3.8. You must obtain and install the Fixpack for your operating system.
The fixpack is titled FixPack 3.8-PWS-0001.
Download and install the Policy Director WebSEAL Fixpack 1 from the following URL:
https://www.tivoli.com/secure/support/patches/Tivoli_SecureWay_Policy_Director_.html
You will need a login and password from Tivoli Customer Supportto access this web page.
The fixpack is also available from the following ftp site:ftp://ftp.tivoli.com/support/patches/patches_3.8/
Installing Policy Director for WebLogic ServerComplete the following steps on the system that hosts WebLogicServer:
1. Verify that the software prerequisites have been satisfied, asdescribed in “Software Prerequisites” on page 10.
In particular, verify that:
¶ WebLogic Server is installed, configured, and running on thehost system.
¶ The Policy Director secure domain has been established, anda WebSEAL server has been installed, within the networkenvironment.
¶ A Policy Director WebSEAL server has been configured andis accessible.
¶ The necessary fixpacks have been applied to the PolicyDirector management server and Policy Director WebSEAL.
2. Install and configure the following Policy Director components:
¶ Policy Director Runtime Environment
¶ Policy Director Authorization ADK
For complete installation instructions, see the Tivoli SecureWay Policy Director Base Installation Guide.
3. Download the Policy Director for WebLogic Server files as described in “Installation Packages” on page 10.
4. Unpack the distribution files as specified in the README file that accompanies the download packages. Place the files in a temporary directory.
5. Continue to “Configuring Policy Director for WebLogic Server”.
Configuring Policy Director for WebLogic Server
Policy Director for WebLogic Server must be registered with the Policy Director secure domain as a Policy Director authorization API application.
Use the Policy Director utility svrsslcfg to complete the registration. Usage of this utility is summarized below.
For complete information on svrsslcfg, see the Tivoli SecureWay Policy Director 3.8 Authorization ADK Developer Reference. In addition, see the README that is shipped with the Authorization ADK demonstration application. This application is installed as part of the Policy Director Authorization ADK installation.
The svrsslcfg syntax is:
svrsslcfg -config -f cfg_file -d kdb_dir -n server_name -s server_type -r port -P admin_pwd -S server_password
Note that file names must be specified as full pathnames, not relative paths.
The following table describes the command line options:
Option Description
cfg_file Configuration file path and name.
kdb_dir The directory that is to contain the keyring database files for the server.
server_name The name of the server. The name may be specified as either server_name/hostname or server_name, in which case the local hostname will be appended to form name/hostname. The names ivacld, secmgrd, and ivweb are reserved for Policy Director servers.
server_type The type of server being configured. The value must be either local or remote.
port_num Set the listening port number for the server. A value of 0 may be specified only if the [aznapi-admin-services] stanza in the configuration file is empty.
admin_pwd The Policy Director Administrator password. If this parameter is not specified, the password will be read from stdin.
server_pwd The server’s password. You can request that a password be created by the system by specifying a dash (-) for the password.
An example set of configuration steps would be:
1. Create the <PD work directory>, such as C:\bea\PDWLSRealm\.
The <PD work directory> is a directory that will be used to store the aznAPI.conf file, as well as the Policy Director SSL certificates that will be used by the WebLogic Server to communicate with the Policy Director servers. It will also be used as a temporary folder.
2. Copy the sample configuration file from <PolicyDirector-install-dir>\example\authzn_demo\cppconfiguration\aznAPI.conf to this directory as file pdwlsrealm.conf and use it as input to the svrsslcfg command below.
3. Edit pdwlsrealm.conf and comment out the line with AZN_ADMIN_SVC_TRACE.
4. Use svrsslcfg to configure Policy Director remote mode:
svrsslcfg -add_replica -f cfg_file -h host_name -p port -k rank
Note: This command is not required when running in local mode. Running in remote mode is recommended.
The following options are used:
Option Description
cfg_file Configuration file path and name. This is a required parameter.
host_name TCP hostname of the Policy Director authorization server. This parameter is required.
server_port Listening port number of the ivacld (authorization server) replica server. This is the port number on which ivacld listens for requests. If not specified on an -add_replica action, a default of 7136 will be used.
replica_rank Replica order of preference among other replicas. This parameter defaults to 10 on the -add_replica action.
5. Use svrsslcfg to create the aznAPI configuration file:
svrsslcfg -config -f c:\bea\pdwlsrealm\pdwlsrealm.conf -d c:\bea\pdwlsrealm -n pdwlsrealm -s remote -P <sec_master password> -S <PD-WLS-password> -r 0
6. View the new Policy Director server by issuing the command:
pdadmin> server list
7. Continue to the next section: “Configuring a Custom Realm”.
Configuring a Custom Realm
The following table provides a key to the variables that are referred to in this section:
Variable Description
<BEA domain directory> Directory of the installed domain of the WebLogic Server. In a standard installation this value would be:
Windows: C:\bea\wlserver6.1\Config\mydomain
UNIX: /bea/wlserver6.1/Config/mydomain
<webseald server name> Name of the host system for the Policy Director WebSEAL server. Generally of the form webseald-hostname.
<PD Realm> Name of the Policy Director Custom Realm that will be added to WebLogic Server. This name can be anything you choose.
<PDCachingRealm> Name of the Policy Director Caching Realm that will be added to WebLogic Server. This name can be anything you choose.
<AZN conf file path> The fully qualified path of the Policy Director authorization configuration file pdwlsrealm.conf, that is generated when using svrsslcfg to configure a Policy Director Authorization API application.
<configured user> The special Policy Director user that is used in order to form a trust relationship between WebSEAL and WebLogic Server. The name of this user can be any valid Policy Director user name.
<configured user password> The password of the <configured user>.
<WebLogic server> The hostname of the WebLogic Server system.
<WebLogic Server listen port> The port that WebLogic Server is listening on.
<pdadmin context user> Name of the user that will be used to create a pdadmin context. This user must be in the iv-admin user group or be delegated enough permission to be able to create, delete, modify, and list users and groups. You can do this by giving the user the following permissions on an access control list (ACL) attached to the /Management object:
TcmdbsvatNWA
The name of the default ACL attached to the /Management object is default-management.
<pdadmin context user password> Password for the <pdadmin context user>.
Complete the following steps on the system that hosts the WebLogic Server:
1. Extract the contents of PDWLS_Realm.jar to <PD work directory>. This creates a sub-directory called image with the following files in it:
pdlib.dll
pdAuthzn.jar
libpdlib.a
libaznjni.a
pdadmin.jar
aznjni.dll
PDRealm.jar
2. Copy the appropriate shared libraries for your operating system (*.dll on Windows and *.a on AIX) from the above list into a directory that is in the system path. For example:
Windows: C:\Program Files\Tivoli\Policy Director\bin
AIX: /usr/lib
3. Ensure that pdadmin.jar, pdAuthzn.jar and PDRealm.jar are included in the CLASSPATH variable of the startWebLogic batch file (on Windows systems) or shell script (on UNIX systems) located in <BEA domain directory>.
4. Stop the WebLogic server.
5. Create the WebSEAL <configured user> using the Policy Director Web Portal Manager or the Policy Director utility pdadmin.
For example, if <configured user> is websealsso and <configured user password> is pdwebwlssso, enter the following pdadmin commands:
pdadmin> user create websealsso cn=websealsso,o=ibm,c=au websealsso websealsso pdwebwlssso
pdadmin> user modify websealsso account-valid yes
For optimum security, protect the password for the configured user. Change the password at regular intervals. Use the Policy Director random password generator to create the password:
UNIX: /opt/PolicyDirector/sbin/genpass
6. Create the <pdadmin context user> that the Custom Realm uses with the Policy Director administration API. This user must either be added to the iv-admin group or be delegated sufficient permission such that it can add, delete, modify, and list users and groups.
For example, the following command creates a user:
pdadmin> user create <pdadmin context user> cn=<pdadmin context user>,o=ibm,c=au <pdadmin context user> <pdadmin context user> <pdadmin context user password> iv-admin
Next, activate the new user account. For example:
pdadmin> user modify <pdadmin context user> account-valid yes
7. Start the WebLogic server.
8. Launch the WebLogic Server console in a browser. Access the following URL:
http://<WLS_host>:<WLS listening port>/console
9. Click Security -> Realms -> Configure a new Custom Realm.
¶ Name: <PDRealm>
¶ Realm Class Name: com.tivoli.wlsrealm.PDRealm
¶ Supply the configuration data described in the following table:
Realm Property Valid Values Description
webseal.sso.configured true or false Defines whether WebSEAL will be configured and whether to attempt to perform single sign-on.
pdadmin.user.name <pdadmin context user> Name of the user that will be used to create a pdadmin context. This user must be in the iv-admin user group or be delegated sufficient permission such that they can add, delete, modify, and list users and groups.
pdadmin.password <pdadmin context user password> Password of the above user.
pdrealm.registry.listing true or false Defines whether the Policy Director Custom Realm should list users and groups, including group memberships, to the WebLogic Server console window. This should be set to false in production environments. Set it to true only in a test environment.
connection.pool 1 - n Where n is an integer defining the number of Realm objects to instantiate in the Realm pool.
pdrealm.tracing true or false Turn Policy Director Realm tracing on or off. Trace will be sent to the WebLogic Server log.
wls.admin.user <configured user> The special user that is configured in the Policy Director Custom Realm configuration data in order to form a trust relationship between WebSEAL and WebLogic Server.
group.dn A valid Distinguished Name (DN) LDAP naming context where groups are defined. For example, c=gb.
user.dn A valid DN LDAP naming context where users are defined. For example, c=gb.
aznapi.conf.file <AZN conf file path> The fully qualified pathname of the Authorization API configuration file, pdwlsrealm.conf, generated by svrsslcfg.
10. Configure a new Caching Realm:
¶ Name: <PDCachingRealm>
¶ Basic Realm: <PDRealm>
¶ Case Sensitive: Yes
¶ Use defaults for the caching settings.
11. Go to Security -> FileRealm and set it to <PDCachingRealm>. Leave all other fields unchanged.
12. Restart WebLogic Server.
Security settings will now take effect.
13. Continue to the next section: “Configuring a WebSEAL Junction for the WebLogic Server”.
Configuring a WebSEAL Junction for the WebLogic Server
Complete the following steps on the system that hosts the Policy Director WebSEAL server:
1. Update the following configuration item in the WebSEAL configuration file, webseald.conf:
basicauth-dummy-passwd = <configured user password>
2. Stop and restart WebSEAL, to make the configuration change take effect.
3. Use the pdadmin command to create a WebSEAL junction.
Be sure to use the -b option to supply the junction target URL. This is required for single sign-on.
For example:
pdadmin> server task <webseald_server_name> create -t tcp -p <WebLogic Server listen port> -h <WebLogic server> -b supply <junction target>
The above command uses the following variables:
Variable Description
<webseald_server_name> Name of the Policy Director WebSEAL server. Generally of the form webseald-hostname.
<WebLogic server> The hostname of the WebLogic Server.
<WebLogic server listen port> The port on which the WebLogic Server is listening.
<junction target> The URL target of the junction.
For complete information on creating and using Policy Director WebSEAL junctions, see the Tivoli SecureWay Policy Director WebSEAL Administration Guide.
Testing the Configuration
Verify that the Policy Director Custom Realm has been correctly configured by completing the following steps:
1. Use the WebLogic Server console to create a new test user.
2. Execute the following pdadmin command:
pdadmin> user show <test user>
¶ Verify that account-valid is yes.
¶ Verify that password-valid is yes.
The Policy Director Custom Realm single sign-on solution allows a single authentication step through WebSEAL that transparently authenticates the user to the WebLogic Server. You can confirm that this is configured correctly by running the demonstration application. The demonstration application is described in the next chapter.
Using Policy Director for WebLogic Server
This chapter contains the following topics:
¶ “Using the Demonstration Application”
¶ “Creating Test Users” on page 27
¶ “Usage Tips” on page 27
¶ “Troubleshooting Tips” on page 28
¶ “Limitations” on page 28
Using the Demonstration Application
You can use the demonstration application to see an example of two types of authorization, and to exercise the WebSEAL single sign-on capability.
The two types of authorization are:
¶ Declarative
In this case, the Deployment Descriptor ensures that only users in the BankMembers group can successfully access the PDDemo demonstration Servlet.
¶ Programmatic
Using programmatic security, the Enterprise Java Bean ensures that only the owner of each account has the permission to view their own account balance. For example, user Mark cannot view user Luke’s balance.
To run the demonstration application, complete the following steps:
1. Copy the demonstration application PDDemoApp.ear into <BEA domain directory>\applications. Note that use of this directory is not required. You can place the EAR file into any directory on your file system.
2. Use the WebLogic Server console to install the demonstration application.
3. Use the WebLogic Server console to create the following users: Matthew, Mark, Luke, John
4. Use the WebLogic Server console to create a BankMembers group.
5. Add all of the users created above to this group.
6. To access the demonstration application, access the following URL:
http://<WLS server>:<WLS listening port>/pddemo/PDDemo
Authenticate with one of the users defined above.
7. Verify that only users defined in the BankMembers group can access the Servlet.
8. Verify that the authenticated user can view their own balance, but not the balance of any other user.
To test the WebSEAL Single Sign On, complete the following steps:
1. Access the following URL:
https://<webseald server name>/<junction target>/pddemo/PDDemo
WebSEAL will prompt you to authenticate.
Note: Use HTTPS here because the default WebSEAL behavior is to prevent Basic or Forms-based authentication over HTTP.
2. Authenticate as one of the users defined above.
This process will single sign the user on to the WebLogic Server and the Servlet will be invoked without requiring a second authentication. When accessed through WebSEAL, the PDDemo demonstration application will show identical behavior to that shown when accessing the WebLogic Server directly.
3. Verify that the authenticated user can view their own balance, but not the balance of any other user.
Creating Test Users
For convenience, if many test users are required, a script named users.sh is provided. This tool can be used to create and/or delete multiple test users, by creating appropriate pdadmin scripts:
¶ Run users.sh to generate two text files that pdadmin can use to add and remove a set of users to or from the user registry.
¶ To use the users.sh script, edit the script and define the variables appropriate for your environment.
Two files are generated: add_users.txt and remove_users.txt. Use these files as input to pdadmin scripts as follows:
pdadmin -a sec_master -p <password> < add_users.txt
pdadmin -a sec_master -p <password> < remove_users.txt
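The users.sh script itself is not reproduced in this guide. The following added example (written for this page, not the shipped users.sh) shows one way to generate the two pdadmin batch files it describes, using the pdadmin user create and user modify forms given earlier in this chapter. It assumes the demo users and BankMembers group from the previous section, the o=ibm,c=au suffix used in this guide's own examples, and a constructed placeholder password.

```shell
#!/bin/sh
# Added example, not the users.sh script shipped with the product.
# Writes add_users.txt and remove_users.txt, one pdadmin command per line,
# for use as "pdadmin -a sec_master -p <password> < add_users.txt".
# Assumptions (not from the guide): suffix o=ibm,c=au, group BankMembers,
# and one constructed initial password shared by the test users.

SUFFIX="o=ibm,c=au"                   # LDAP suffix from the guide's own pdadmin examples
GROUP="BankMembers"                   # group checked by the demo deployment descriptor
OUTDIR="${OUTDIR:-${TMPDIR:-/tmp}}"   # where the two batch files are written

# gen_pdadmin_scripts PASSWORD USER...
# Writes $OUTDIR/add_users.txt and $OUTDIR/remove_users.txt.
# Returns 0 on success, 1 if no user names were given (nothing is written).
gen_pdadmin_scripts() {
    pw="$1"; shift
    [ "$#" -gt 0 ] || return 1
    addf="$OUTDIR/add_users.txt"
    remf="$OUTDIR/remove_users.txt"
    : > "$addf"
    : > "$remf"
    for u in "$@"; do
        # pdadmin user create <name> <dn> <cn> <sn> <password> [group],
        # the form used in this guide; the user is created as a member of $GROUP
        printf 'user create %s cn=%s,%s %s %s %s %s\n' \
            "$u" "$u" "$SUFFIX" "$u" "$u" "$pw" "$GROUP" >> "$addf"
        # a newly created account is not valid until activated, as in the guide
        printf 'user modify %s account-valid yes\n' "$u" >> "$addf"
        # remove_users.txt undoes the creation
        printf 'user delete %s\n' "$u" >> "$remf"
    done
    return 0
}

# The four demo users from the previous section with a constructed placeholder
# password; in practice generate one with genpass and change it after testing.
gen_pdadmin_scripts 'Ch4ngeMe-placeholder' Matthew Mark Luke John
echo "wrote $OUTDIR/add_users.txt and $OUTDIR/remove_users.txt"
```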
Usage Tips
1. Observe good security practices when enabling single sign-on for external users. Ensure that authentication is performed only by the WebSEAL server. To achieve this, disable access to the WebLogic Server by internal users that do not go through the WebSEAL server.
2. Policy Director Custom Realm listing should be set to false in production environments. Set this to true only when testing to verify that a realm is operational.
3. To use the WebLogic Server System and Guest users through WebSEAL, you must create a dummy guest in Policy Director, and set the real Guest and System password to match the configured user’s password.
Note, however, this means that if you want to allow the guest user to log in without going through WebSEAL (such as access from an intranet), you will need to expose the configured user password.
Troubleshooting Tips
When a user has authenticated through forms-based login, and attempts to access a resource for which they do not have permission, the following error message may appear:
Could not Sign On message from WebSEAL
This can occur because even though the user could actually be authenticated, they don’t have permission to access the Servlet in the web container.
If this error occurs when using Basic Authentication, the user will be re-prompted for the authentication details, instead of seeing the page described above. This is default WebLogic Server behavior and would be seen if the user accesses the page either directly or through WebSEAL.
Limitations
1. Policy Director for WebLogic Server does not support recursive group membership (groups within groups).
2. Centralized control of user access to WebLogic’s J2EE resources is limited to moving users between groups that have been assigned to roles in application deployment descriptors.
3. Single sign-on to WebLogic Server using forms-based authentication is not supported.
4. WebLogic Server role membership checks require the Policy Director management server to be running.
5. Policy Director for WebLogic Server does not implement the java.security.ACL interface. Note that Policy Director ACLs do not correspond to WebLogic Server ACLs.
Printed in the United States of America on recycled paper containing 10% recovered post-consumer fiber.
SC32-0831-00