

Configure WebSphere to Work with the SiteMinder WSS Agent

This section contains the following topics:

Set the JAVA_AGENT_ROOT JVM System Property

Set the log.log-config-properties Environment Variable

Configure General WebSphere Settings

Configure the SiteMinder WSS Agent Login Module in WebSphere

Set the JAVA_AGENT_ROOT JVM System Property

Because the SiteMinder WSS Agent may not be installed in the same file system location on every system in clustered and SSO WebSphere environments, you must define a JVM system property, JAVA_AGENT_ROOT, that specifies the installed location of the SiteMinder WSS Agent.

To set the JAVA_AGENT_ROOT JVM system property

  1. Open the WebSphere Integrated Solutions Console.
  2. Click the following, in the order shown:

    In the navigation tree: Servers, Application Server

    In the work area: server_name, Java and Process Management, Process Definition, Java Virtual Machine, Additional Properties, Custom Properties.

  3. Create a new variable in Custom Properties named JAVA_AGENT_ROOT and specify its value as the location where the SiteMinder WSS Agent is installed. For example, in Windows enter:
    JAVA_AGENT_ROOT=C:\SoaSecurityManager\wasagent
    
  4. Save the changes in the master repository.

Set the log.log-config-properties Environment Variable

You must define a JVM system property, log.log-config-properties, that specifies the location of the SiteMinder WSS Agent logging configuration file.

To set the log.log-config-properties JVM system property

  1. Open the WebSphere Integrated Solutions Console.
  2. Click the following, in the order shown:

    In the navigation tree: Servers, Application Server

    In the work area: server_name, Java and Process Management, Process Definition, Java Virtual Machine, Additional Properties, Custom Properties.

  3. Create a new variable in Custom Properties named log.log-config-properties and specify its value as the location of the SiteMinder WSS Agent logging configuration file (relative to the installed location of the SiteMinder WSS Agent, WSS_HOME).

    For example, in Windows enter:

    log.log-config-properties=config\log-config.properties
    
  4. Save the changes in the master repository and restart the server.

Configure General WebSphere Settings

Before you configure the SiteMinder WSS Agent, you must do the following:

Enable WebSphere Security Options

To enable security options for the WebSphere managed domain

  1. If necessary, start the WebSphere Server and the WebSphere Integrated Solutions Console.
  2. In the navigation tree, click one of the following, as appropriate for your WebSphere version:
  3. Set the Enable Administrative Security option.
  4. Set the Use Java 2 security to restrict application access to local resources option.
  5. Click Apply to apply your changes. To save changes, click System Administration and Save Changes to Master Repository.

    Note: Until you save changes to the master repository, the Integrated Solutions Console uses a local workspace to track your changes.

Configure LDAP as a WebSphere User Registry

In a typical deployment, WebSphere and the Policy Server are configured to use the same LDAP user registry.

Note: If you are not configuring WebSphere and the Policy Server to use the same LDAP user registry (typically because WebSphere is already configured with a custom user registry), verify that the custom registry is properly configured (see the WebSphere documentation for information) and configure user mapping.

To configure a Policy Server LDAP user directory as a WebSphere user registry

  1. If necessary, start the WebSphere Server and the WebSphere Integrated Solutions Console.
  2. In the navigation tree, click one of the following, as appropriate for your WebSphere version:
  3. In the User account repository section, select Standalone LDAP Registry from the Available Realm Definitions drop-down menu.
  4. Click Apply to save your changes.
  5. Click Configure.
  6. Under Server user identity, select the Server identity that is stored in repository option, and type the identity and password of the user account that the application server runs as for security purposes in the corresponding fields.
  7. Under General Properties, fill in the following fields and then click Apply.
  8. Depending on the WebSphere configuration, check Reuse Connection and Ignore case for authorization.
  9. On WebSphere 7.0, select the Standalone LDAP registry option from the Available realm definitions drop-down and click Set as current.
  10. Click Apply to apply your changes. To save changes to the master repository, click System Administration and Save Changes to Master Repository.

    Note: Until you save changes to the master repository, the Integrated Solutions Console uses a local workspace to track your changes.

Configure the SiteMinder WSS Agent Login Module in WebSphere

You configure the SiteMinder WSS Agent Login Module in the WebSphere Application Server using the WebSphere Integrated Solutions Console. General information about configuring Login Modules is available in the WebSphere documentation.

To configure the WebSphere Application Server to use the SiteMinder WSS Agent Login Module

  1. If necessary, start the WebSphere Server and the WebSphere Integrated Solutions Console.
  2. Click the following, in the order shown:

    In the navigation tree: Security, Secure Administration, Applications and Infrastructure.

    In the work area: Java Authentication and Authorization Service, System Logins.

  3. Click New to create a new System Login profile. This profile will contain the SiteMinder WSS Agent Login Module and two other standard WebSphere login modules that create the WebSphere identity and credentials, so that the identity is propagated to the rest of WebSphere and can be used for WebSphere single sign-on.
  4. Under General Properties on the New page, enter "XMLAgent" in the Alias field and click Apply.
  5. Under Additional Properties, click JAAS login modules.
  6. Add the SiteMinder WSS Agent Login Module:
    1. On the JAAS Login Modules page, click New.
    2. Under General Properties on the New page, enter the SiteMinder WSS Agent Login Module class name:
      com.ca.soa.agent.appserver.jaas.XMLAgentLoginModule
      
    3. Ensure that REQUIRED is selected from the Authentication strategy drop-down list.
    4. Click Apply to save your changes.
  7. Add the WebSphere LTPA Login Module:
    1. Back on the JAAS Login Modules page, click New.
    2. Under General Properties on the New page, enter the WebSphere LTPA Login Module class name:
      com.ibm.ws.security.server.lm.ltpaLoginModule
      
    3. Ensure that REQUIRED is selected from the Authentication strategy drop-down list.
    4. Click Apply to save your changes.
  8. Add the WebSphere Default Inbound Login Module:
    1. Back on the JAAS Login Modules page, click New.
    2. Under General Properties on the New page, enter the WebSphere Default Inbound Login Module class name:
      com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule
      
    3. Ensure that REQUIRED is selected from the Authentication strategy drop-down list.
    4. Click Apply to save your changes.
  9. Back on the JAAS Login Modules page, click Set Order.
  10. Under General Properties on the JAAS Login Module Order page, if necessary, move the Login Modules so that they appear in the following order:
    com.ca.soa.agent.appserver.jaas.XMLAgentLoginModule
    
    com.ibm.ws.security.server.lm.ltpaLoginModule
    
    com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule
    
  11. Click Apply to save your changes. To save changes permanently, click System Administration and Save Changes to the Master Repository.

    Note: Until you save changes to the master repository, the Integrated Solutions Console uses a local workspace to track your changes.
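The following added check script (not part of the original documentation or the product) verifies the settings from all four procedures above at once: the two JVM custom properties, the two security options, and the XMLAgent JAAS system login stack in the documented order with REQUIRED strategies. The input dictionary shape is an assumption of this example, not a WebSphere file format; populate it from the console or wsadmin output.

```python
"""Check a WebSphere configuration against the SiteMinder WSS Agent settings above."""
from ntpath import isabs as win_isabs  # the documented examples use Windows paths

# Required JAAS system login stack, in the exact order the procedure specifies.
EXPECTED_MODULES = (
    "com.ca.soa.agent.appserver.jaas.XMLAgentLoginModule",
    "com.ibm.ws.security.server.lm.ltpaLoginModule",
    "com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule",
)

def check_config(cfg):
    """Return a list of findings; an empty list means the configuration is as documented."""
    findings = []
    props = cfg.get("jvm_custom_properties", {})
    root = props.get("JAVA_AGENT_ROOT")
    if not root:
        findings.append("JAVA_AGENT_ROOT custom property is missing")
    elif not win_isabs(root):
        findings.append(f"JAVA_AGENT_ROOT must be an absolute install path, got {root!r}")
    log_cfg = props.get("log.log-config-properties")
    if not log_cfg:
        findings.append("log.log-config-properties custom property is missing")
    elif win_isabs(log_cfg):  # the page requires a path relative to WSS_HOME
        findings.append(f"log.log-config-properties must be relative to WSS_HOME, got {log_cfg!r}")
    sec = cfg.get("security", {})
    for key in ("administrative_security", "java2_security"):
        if not sec.get(key):
            findings.append(f"{key} is not enabled")
    entry = cfg.get("system_logins", {}).get("XMLAgent")
    if entry is None:
        findings.append("JAAS system login alias 'XMLAgent' not found")
        return findings
    classes = tuple(m["class"] for m in entry)
    if classes != EXPECTED_MODULES:
        findings.append("login module order differs from the documented order: " + " -> ".join(classes))
    for m in entry:
        if m.get("strategy") != "REQUIRED":
            findings.append(f"{m['class']} uses strategy {m.get('strategy')!r}, expected REQUIRED")
    return findings

# Constructed sample mirroring the procedures above (assumed shape, not exported from a server).
SAMPLE_OK = {
    "jvm_custom_properties": {
        "JAVA_AGENT_ROOT": r"C:\SoaSecurityManager\wasagent",
        "log.log-config-properties": r"config\log-config.properties",
    },
    "security": {"administrative_security": True, "java2_security": True},
    "system_logins": {"XMLAgent": [{"class": c, "strategy": "REQUIRED"} for c in EXPECTED_MODULES]},
}

if __name__ == "__main__":
    print(check_config(SAMPLE_OK) or "configuration matches the documented settings")
```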