Tivoli Policy Director for WebLogic Server User Guide Version 3.8 SC32-0831-00

Source: publib.boulder.ibm.com/tividd/td/SW_30/SC32-0831...


Tivoli SecureWay Policy Director for WebLogic Server User Guide

Copyright Notice

© Copyright IBM Corporation 2002. All rights reserved. May only be used pursuant to a Tivoli Systems Software License Agreement, an IBM Software License Agreement, or Addendum for Tivoli Products to IBM Customer or License Agreement. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual, or otherwise, without prior written permission of IBM Corporation. IBM Corporation grants you limited permission to make hardcopy or other reproductions of any machine-readable documentation for your own use, provided that each such reproduction shall carry the IBM Corporation copyright notice. No other rights under copyright are granted without prior written permission of IBM Corporation. The document is not intended for production and is furnished “as is” without warranty of any kind. All warranties on this document are hereby disclaimed, including the warranties of merchantability and fitness for a particular purpose.

U.S. Government Users Restricted Rights—Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corporation.

Trademarks

IBM, the IBM logo, Tivoli, the Tivoli logo, AIX, Cross-Site, NetView, OS/2, Planet Tivoli, RS/6000, Tivoli Certified, Tivoli Enterprise, Tivoli Enterprise Console, Tivoli Ready, and TME are trademarks or registered trademarks of International Business Machines Corporation or Tivoli Systems Inc. in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Notices

References in this publication to Tivoli Systems or IBM products, programs, or services do not imply that they will be available in all countries in which Tivoli Systems or IBM operates. Any reference to these products, programs, or services is not intended to imply that only Tivoli Systems or IBM products, programs, or services can be used. Subject to valid intellectual property or other legally protectable right of Tivoli Systems or IBM, any functionally equivalent product, program, or service can be used instead of the referenced product, program, or service. The evaluation and verification of operation in conjunction with other products, except those expressly designated by Tivoli Systems or IBM, are the responsibility of the user. Tivoli Systems or IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to the IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, New York 10504-1785, U.S.A.


Contents

Preface . . . vii
    Who Should Read This Book . . . vii
    What This Book Contains . . . vii
    Publications . . . vii
        Tivoli Policy Director Library . . . viii
        Prerequisite Publications . . . viii
        Accessing Publications Online . . . viii
        Ordering Publications . . . ix
        Providing Feedback about Publications . . . ix
    Contacting Customer Support . . . ix
    Conventions Used in This Book . . . x
        Typeface Conventions . . . x

Chapter 1. Introducing Policy Director for WebLogic Server . . . 1
    Introducing Policy Director . . . 1
    Integrating Policy Director and WebLogic Server . . . 3
        Using Policy Director Authentication . . . 5
        Using Policy Director Authorization . . . 7

Chapter 2. Installing Policy Director for WebLogic Server . . . 9
    Software Contents . . . 9
    Supported Platforms . . . 10
    Installation Packages . . . 10
    Software Prerequisites . . . 10
        WebLogic Server . . . 10
        Policy Director . . . 11
    Installing Policy Director for WebLogic Server . . . 14
    Configuring Policy Director for WebLogic Server . . . 15
    Configuring a Custom Realm . . . 17
    Configuring a WebSEAL Junction for the WebLogic Server . . . 22
    Testing the Configuration . . . 23

Chapter 3. Using Policy Director for WebLogic Server . . . 25
    Using the Demonstration Application . . . 25
    Creating Test Users . . . 27
    Usage Tips . . . 27
    Troubleshooting Tips . . . 28
    Limitations . . . 28

Preface

Welcome to Tivoli® Policy Director for WebLogic Server. This product extends Policy Director to support applications written for BEA WebLogic® Server. This guide provides installation, configuration, and administration instructions.

Who Should Read This Book

The target audience for this administration guide includes:

¶ Security administrators

¶ System installation and deployment administrators

¶ Network system administrators

¶ IT architects

What This Book Contains

This document contains the following chapters:

¶ Chapter 1, “Introducing Policy Director for WebLogic Server”

Presents an overview of the authentication and authorization services provided by Policy Director for WebLogic Server.

¶ Chapter 2, “Installing Policy Director for WebLogic Server”

Describes how to install and configure Policy Director for WebLogic Server.

¶ Chapter 3, “Using Policy Director for WebLogic Server”

Describes how to use the demonstration application, and provides usage tips, troubleshooting information, and limitations.

Publications

This section lists publications in the Tivoli Policy Director library and any other related documents. It also describes how to access Tivoli publications online, how to order Tivoli publications, and how to make comments on Tivoli publications.

Tivoli Policy Director Library

The following documents are available in the Tivoli Policy Director library:

¶ Tivoli SecureWay Policy Director Base Installation Guide, GC32-0735

¶ Tivoli SecureWay Policy Director Base Administration Guide, GC32-0680

¶ Tivoli SecureWay Policy Director Web Portal Manager Administration Guide, GC32-0737

¶ Tivoli SecureWay Policy Director Authorization ADK Developer Reference, GC32-0813

¶ Tivoli SecureWay Policy Director WebSEAL Administration Guide, GC32-0684

¶ Tivoli SecureWay Policy Director WebSEAL Developer Reference, GC32-0685

¶ Tivoli SecureWay Policy Director Release Notes, GI11-0895

Prerequisite Publications

To be able to use the information in this book effectively, you must have some prerequisite knowledge, which you can get from the following books:

¶ Tivoli SecureWay Policy Director Base Installation Guide, GC32-0735

¶ Tivoli SecureWay Policy Director Base Administration Guide, GC32-0680

¶ Tivoli SecureWay Policy Director Authorization ADK Developer Reference, GC32-0813

¶ Tivoli SecureWay Policy Director WebSEAL Administration Guide, GC32-0684

Accessing Publications Online

You can access many Tivoli publications online at the Tivoli Customer Support Web site:

http://www.tivoli.com/support/documents/

These publications are available in PDF or HTML format, or both. Translated documents are also available for some products.

Ordering Publications

You can order many Tivoli publications online at the following Web site:

http://www.ibm.com/shop/publications/order

You can also order by telephone by calling one of these numbers:

¶ In the United States: 800-879-2755

¶ In Canada: 800-426-4968

¶ In other countries, for a list of telephone numbers, see the following Web site:

http://www.tivoli.com/inside/store/lit_order.html

Providing Feedback about Publications

We are very interested in hearing about your experience with Tivoli products and documentation, and we welcome your suggestions for improvements. If you have comments or suggestions about our products and documentation, contact us in one of the following ways:

¶ Send an e-mail to [email protected].

¶ Complete our customer feedback survey at the following Web site:

http://www.tivoli.com/support/survey/

Contacting Customer Support

If you have a problem with any Tivoli product, you can contact Tivoli Customer Support. See the Tivoli Customer Support Handbook at the following Web site:

http://www.tivoli.com/support/handbook/

The handbook provides information about how to contact Tivoli Customer Support, depending on the severity of your problem, and the following information:

¶ Registration and eligibility

¶ Telephone numbers and e-mail addresses, depending on the country you are in

¶ What information you should gather before contacting support

Conventions Used in This Book

This book uses several conventions for special terms and actions, operating system-dependent commands and paths, and margin graphics.

Typeface Conventions

The following typeface conventions are used in this book:

Bold
Lowercase and mixed-case commands, command options, and flags that appear within text appear like this, in bold type. Graphical user interface elements (except for titles of windows and dialogs) and names of keys also appear like this, in bold type.

Italic
Variables, values you must provide, new terms, and words and phrases that are emphasized appear like this, in italic type.

Monospace
Commands, command options, and flags that appear on a separate line, code examples, output, and message text appear like this, in monospace type. Names of files and directories, text strings you must type, when they appear within text, names of Java methods and classes, and HTML and XML tags also appear like this, in monospace type.

Chapter 1. Introducing Policy Director for WebLogic Server

Policy Director for WebLogic Server is an extension to Policy Director Version 3.8 that implements a Policy Director Custom Realm for BEA WebLogic Server 6.1. The Custom Realm provides a user registry that is administered by Policy Director. Policy Director uses group memberships in the user registry to affect authorization decisions made by WebLogic Server. The Custom Realm can also be used with Policy Director WebSEAL to support end-user single sign-on.

Policy Director for WebLogic Server enables WebLogic Server applications to use Policy Director security without requiring any coding or deployment changes.

Introducing Policy Director

The Policy Director for WebLogic Server implements a Custom Realm using the security services provided by a Policy Director secure domain. The Policy Director secure domain must be deployed prior to installation of Policy Director for WebLogic Server.

Users who are new to Policy Director should review the Policy Director security model before deploying a Policy Director secure domain. A brief summary of the Policy Director security model is presented here.

Policy Director is a complete authorization and network security policy management solution that provides end-to-end protection of resources over geographically dispersed intranets and extranets.

Policy Director features state-of-the-art security policy management. In addition, Policy Director supports authentication, authorization, data security, and resource management capabilities. You use Policy Director in conjunction with standard Internet-based applications to build highly secure and well-managed intranets and extranets.

At its core, Policy Director provides:

¶ An authentication framework

Policy Director supports a wide range of authentication mechanisms.

¶ An authorization framework

Policy Director provides a framework for authorization policy management. Authorization policy is managed centrally and distributed automatically to access enforcement points across the enterprise, including the Policy Director servers. The Policy Director authorization service provides permit and deny decisions on access requests for native Policy Director servers and third-party applications.

Policy Director WebSEAL is the Policy Director resource security manager for Web-based resources. WebSEAL is a high performance, multi-threaded Web server that applies fine-grained security to protected web resources. WebSEAL can provide single sign-on solutions and incorporate back-end Web application server resources into its security policy.

You can learn more about Policy Director, including information necessary to make deployment decisions, by reviewing the documentation distributed with Tivoli SecureWay Policy Director Version 3.8. Start with the following guides:

¶ Tivoli SecureWay Policy Director Base Installation Guide, GC32-0735

This guide describes how to plan, install, and configure a Policy Director secure domain. A series of easy installation scripts enable you to quickly deploy a fully functional secure domain.

These scripts are very useful when prototyping a secure domain that meets your security policy requirements.

¶ Tivoli SecureWay Policy Director Base Administration Guide, GC32-0680

This document presents an overview of the Policy Director security model for managing protected resources. This guide also describes how to configure the Policy Director servers that make access control decisions. In addition, detailed instructions describe how to perform important tasks such as declaring security policies, defining protected object namespaces, and administering user and group profiles.

¶ Tivoli SecureWay Policy Director WebSEAL Administration Guide, GC32-0684

This guide provides a comprehensive set of procedures and reference information for managing resources in a secure Web domain. The guide also presents overview and concept material that describes the wide range of WebSEAL functionality.

¶ Tivoli SecureWay Policy Director Authorization ADK Developer Reference, GC32-0813

This guide describes how to use the Policy Director authorization API to add security to third party applications. This document includes a description of the svrsslcfg utility. This utility is used during the configuration of Policy Director for WebLogic Server.

The Policy Director documentation is included on the Tivoli SecureWay Policy Director Version 3.8 CD-ROMs, and is also available from the Tivoli Customer Support web site. See “Accessing Publications Online” on page viii.

Integrating Policy Director and WebLogic Server

The integration of Policy Director with WebLogic Server 6.1 enables WebLogic applications to take advantage of the following Policy Director features:

¶ Centralized access control of WebLogic resources in the following way:

v Changing a user’s group memberships alters their access privileges to WebLogic’s Java 2 Enterprise Edition (J2EE) resources in accordance with the group-to-role mappings contained in the deployment descriptors for each WebLogic Server application.

v WebSEAL controls access to Uniform Resource Locators (URLs) that correspond to objects in the Policy Director policy database. These can be static URL strings or can be represented by pattern matching.

Integrated authorization is achieved by WebLogic Server’s use of the Policy Director for WebLogic Server Custom Realm to determine which users belong to the groups that are mapped to the J2EE application’s security roles. This means that a Policy Director administrator can affect the authorization decisions of WebLogic Server through group membership within the Policy Director registry.

¶ Centralized user registry used by the Policy Director management server and WebLogic Server. The Policy Director Version 3.8 product distribution includes IBM SecureWay Directory 3.2.1. The Policy Director for WebLogic Server Custom Realm allows this registry, as well as other third-party registries that are supported by Policy Director Version 3.8, to be used as the WebLogic registry.

¶ Single sign-on through the use of Policy Director WebSEAL.

Single sign-on is achieved by combining the one-time user authentication of WebSEAL with the validation of user identity by the Policy Director for WebLogic Server Custom Realm.

This allows many authentication mechanisms, including certificates, to be used without any impact to the target application.

The WebLogic server’s trust of WebSEAL is achieved through a combination of a WebSEAL junction and the use of the Policy Director for WebLogic Server Custom Realm. A junction is a network connection between a WebSEAL server and an application server, such that:

1. There is trust between WebSEAL and the application server.

2. WebSEAL protects both its own resources and the resources on the junctioned application server.

Using Policy Director Authentication

Figure 1 displays the model for the processing of requests for access to protected resources. Requests can come from either external users or internal users.

Authenticating External Users

1. An external user requests access to a protected resource. The request is received by WebSEAL before entering the secure network of the enterprise. (See Figure 1, arrow 1A)

2. WebSEAL authenticates the user in the Policy Director secure domain. (See Figure 1, arrow 2)

[Figure 1. Policy Director provides single sign-on authentication and a Custom Realm for authorization decisions. The figure shows an Internal Browser and an External Browser, Policy Director WebSEAL, WebLogic Server 6.1 (J2EE Application Deployment Descriptors, WebLogic User Authentication, WebLogic Access Managers), the Policy Director Custom Realm for WebLogic Server, the Policy Director Management Server, and the Policy Database, connected by the arrows 1A, 1B, 2, 3, 4, 5, A, and B that the text refers to.]

WebSEAL supports the following authentication methods: username/password, certificates, username and RSA SecurID, or a custom authentication mechanism.

Once authenticated, WebSEAL applies its own authorization decision based on the requested URL and the Policy Director access policy. WebSEAL can apply considerations such as account validity, time-of-day, and authentication mechanism.

3. Once authorized, WebSEAL forwards the request to the WebLogic server. The request includes the external username and a special password within the basic authentication header. The special password belongs to the configured user, and allows the Policy Director for WebLogic Server Custom Realm to confirm WebSEAL as the origin of the request. (See Figure 1, arrow 3)

4. The WebLogic server transparently passes the authenticated user identity and password to the Policy Director Custom Realm. (See Figure 1, arrow 4)

5. The Policy Director Custom Realm uses Policy Director authentication services to verify that the password provided by WebSEAL is correct for the configured user described above. That is, this password provides the basis of trust that the request’s origin is WebSEAL. (See Figure 1, arrow 5)

The request is now ready for authorization.

Authenticating Internal Users

Figure 1 also displays the model for the processing of requests for access to protected resources by internal users that do not go through a WebSEAL junction:

1. An internal user sends a request for access to a protected resource. (See Figure 1, arrow 1B)

2. The WebLogic user authentication module sends the user identity to the Policy Director Custom Realm. (See Figure 1, arrow 4)

3. The Policy Director Custom Realm sends the authentication request to the Policy Director management server. (See Figure 1, arrow 5)

If authentication is successful, the Policy Director Custom Realm returns the username to WebLogic Server, as the authenticated user.

The request is now ready for authorization.

Using Policy Director Authorization

The authorization process occurs as follows:

1. When a request for a J2EE resource is received by WebLogic Server, it checks the relevant deployment descriptor information to determine if access to the resource is restricted to certain roles. (See Figure 1, arrow A)

2. If the request requires the user to assume a role, the WebLogic Server queries the Policy Director Custom Realm to determine whether the requesting user is a member of any of the groups that are mapped to the role. (See Figure 1, arrow B)

3. The Policy Director Custom Realm consults the Policy Director management server to determine if the current user is a member of the group. If the user is a member of a group that is mapped to a permitted role, access is granted. Otherwise, access is denied. (See Figure 1, arrow 5)
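The authentication flow above (WebSEAL forwarding the external username together with the configured user's special password, the Custom Realm checking that password against the configured user, and internal users authenticating with their own password) and the authorization flow (deployment-descriptor role, checked through Policy Director group membership) are modelled below as an added Python example; it is not Policy Director or WebLogic Server code. The registry contents, the trust user name websealuser, the group-to-role mapping and the URL-to-role table are all constructed for the example.

```python
"""Model of the Figure 1 request flow: WebSEAL forwards the external user's
name plus the configured trust user's password in a Basic authentication
header; the Custom Realm treats the request as WebSEAL-originated only if
that password is correct for the configured user; WebLogic Server then asks
the realm whether the user belongs to a group mapped to the required role.
Constructed simulation for illustration, not product code."""
import base64
import hmac

# Constructed user registry: username -> (password, set of group names).
# "websealuser" stands in for the configured user whose password WebSEAL
# sends on every junctioned request (the name is an assumption of this model).
REGISTRY = {
    "websealuser": ("wls-trust-secret", set()),
    "alice": ("alice-pw", {"managers", "staff"}),
    "bob": ("bob-pw", {"staff"}),
}
TRUST_USER = "websealuser"

# Constructed stand-in for the group-to-role mappings a deployment descriptor
# carries: role -> groups whose members may assume it.
ROLE_TO_GROUPS = {
    "admin": {"managers"},
    "employee": {"staff", "managers"},
}

# Constructed protected resources: URL -> required role (None = unrestricted).
RESOURCE_ROLES = {
    "/app/payroll": "admin",
    "/app/home": "employee",
    "/app/public": None,
}


def parse_basic_auth(header):
    """Return (username, password) from a Basic header, or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")  # the password may itself contain ':'
    return (user, password) if sep and user else None


def password_matches(username, password):
    """Registry password check; constant-time compare avoids a timing side channel."""
    entry = REGISTRY.get(username)
    if entry is None:
        return False
    return hmac.compare_digest(entry[0].encode("utf-8"), password.encode("utf-8"))


def realm_authenticate(username, password):
    """Step 5 of the authentication flow: return the authenticated username or None.
    The request is trusted as WebSEAL's when the password is the configured user's
    (arrows 3, 4, 5); otherwise it is an internal user whose own password must match
    (arrows 1B, 4, 5). The configured user is never itself an application user."""
    if username == TRUST_USER or username not in REGISTRY:
        return None
    if password_matches(TRUST_USER, password):
        return username
    if password_matches(username, password):
        return username
    return None


def realm_in_any_group(username, groups):
    """Arrow B / arrow 5: is the user a member of any of the given groups?"""
    return bool(REGISTRY[username][1] & groups)


def authorize(username, url):
    """Arrow A: find the role the descriptor requires, then ask the realm."""
    role = RESOURCE_ROLES.get(url)
    if role is None:
        return True
    return realm_in_any_group(username, ROLE_TO_GROUPS.get(role, set()))


def handle_request(url, auth_header):
    """End-to-end decision for one request as it arrives at WebLogic Server."""
    creds = parse_basic_auth(auth_header)
    if creds is None:
        return "401 no credentials"
    user = realm_authenticate(*creds)
    if user is None:
        return "401 authentication failed"
    return "200 OK" if authorize(user, url) else "403 forbidden"


def basic_header(username, password):
    """Build the header WebSEAL (or an internal browser) would send."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


if __name__ == "__main__":
    # WebSEAL forwards alice with the trust password: authenticated as alice, admin role.
    print(handle_request("/app/payroll", basic_header("alice", "wls-trust-secret")))
    # Internal user bob with his own password; /app/home needs the employee role.
    print(handle_request("/app/home", basic_header("bob", "bob-pw")))
```

Because the configured user's password alone marks a request as WebSEAL's, the model accepts it for any registry username, exactly as the text describes; that password is the whole basis of trust, so it must be known only to WebSEAL and the realm.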


Chapter 2. Installing Policy Director for WebLogic Server

This chapter contains the following topics:

¶ “Software Contents”

¶ “Supported Platforms” on page 10

¶ “Installation Packages” on page 10

¶ “Software Prerequisites” on page 10

¶ “Installing Policy Director for WebLogic Server” on page 14

¶ “Configuring Policy Director for WebLogic Server” on page 15

¶ “Configuring a Custom Realm” on page 17

¶ “Configuring a WebSEAL Junction for the WebLogic Server” on page 22

¶ “Testing the Configuration” on page 23

Software Contents

Policy Director for WebLogic Server is distributed as one installation package. The installation package consists of the following:

¶ A JAR file, PDWLS_Realm.jar, containing the Policy Director Custom Realm and all the resources needed by the realm.

¶ An EAR file containing a demonstration enterprise application.

Supported Platforms

Policy Director for WebLogic Server is supported on the following platforms:

Operating System Release                                      WebLogic Server Release
AIX 4.3.3                                                     WebLogic Server 6.1, with Service Pack 1
Microsoft Windows 2000 Advanced Server, with Service Pack 2   WebLogic Server 6.1, with Service Pack 2

Installation Packages

The installation package is available as a software download from the following URL:

http://www.tivoli.com/secure/support/downloads/secureway/policy_dir/downloads.html

A valid login and password are required to access the Tivoli Customer Support software download site.

Software Prerequisites

Successful installation of Policy Director for WebLogic Server requires the prerequisites described in the following sections:

¶ “WebLogic Server”

¶ “Policy Director” on page 11

WebLogic Server

WebLogic Server 6.1 must be installed and configured on the system that will host Policy Director for WebLogic Server. WebLogic Server 6.1 is currently installed without a default Custom Realm and is launched using the startWebLogic command.

WebLogic Server should be running when Policy Director for WebLogic Server is installed. To start WebLogic Server, use the startWebLogic command.

WebLogic Server is distributed with the necessary Java RuntimeEnvironment (JRE). Policy Director for WebLogic Server uses thissame JRE. Successful installation of WebLogic Server satisfies thePolicy Director for WebLogic Server prerequisite for a JRE.

Java Environment on AIXOn AIX systems, WebLogic Server 6.1 requires IBM Java RuntimeEnvironment (JRE), Version 1.3. WebLogic Server 6.1 distributesthis JRE, and installs it during the WebLogic Server installation.Policy Director for WebLogic Server uses this same version of theJRE.

Policy Director for WebLogic Server uses Java Native Interface(JNI) code. Ensure that the AIX environment is configured asdescribed in:/<BEA install dir>/jdk130/README.HTML

Policy DirectorPolicy Director for WebLogic Server has dependencies on otherPolicy Director software, as described in the following sections:

¶ “Policy Director Management Server and Authorization Server”

¶ “Policy Director WebSEAL” on page 12

¶ “Policy Director Runtime Environment and Authorization ADK”on page 13

¶ “Policy Director Base Fixpack 3 for Version 3.8” on page 13

¶ “Policy Director WebSEAL Fixpack 1 for Version 3.8” on page13

Policy Director Management Server and AuthorizationServer

A Policy Director Version 3.8 secure domain must be installed andconfigured prior to installing Policy Director for WebLogic Server.

The Policy Director secure domain is established when you installthe Tivoli SecureWay Policy Director management server. Thismanagement server is distributed on the Tivoli SecureWay PolicyDirector Base Version 3.8 CD-ROM for your operating system.


Policy Director supports two different modes of authorization: remote mode and local mode. The Policy Director authorization server must be installed if you choose to run Policy Director for WebLogic Server in remote mode.

Although you can use either mode with Policy Director for WebLogic Server, remote mode is strongly recommended. For a complete discussion of remote and local mode, see the Tivoli SecureWay Policy Director Base Administration Guide.

Typically, the Policy Director management server and authorization server are installed on a different system than the system that hosts Policy Director for WebLogic Server.

See the Tivoli SecureWay Policy Director Base Installation Guide for installation and configuration instructions for the Policy Director management server and Policy Director authorization server. This document is included on the Tivoli SecureWay Policy Director Base Version 3.8 CD-ROM for your operating system.

Note: The Policy Director management server must be updated with Base Fixpack 3. See “Policy Director Base Fixpack 3 for Version 3.8” on page 13.

Policy Director WebSEAL

Policy Director WebSEAL provides web-based security services that can be used by Policy Director for WebLogic Server. Policy Director for WebLogic Server, when combined with WebSEAL junctions, can be used to provide a WebSEAL to WebLogic Server single sign-on solution.

Policy Director WebSEAL is typically installed on a system other than the system that hosts Policy Director for WebLogic Server.

Policy Director WebSEAL requires that the Policy Director management server be installed and configured.

For complete installation instructions, see the Tivoli SecureWay Policy Director WebSEAL Installation Guide. This guide is distributed on the Tivoli SecureWay Policy Director WebSEAL Version 3.8 CD-ROM.


Note: Policy Director WebSEAL must be updated with WebSEAL Fixpack 1. See “Policy Director WebSEAL Fixpack 1 for Version 3.8”.

Policy Director Runtime Environment and Authorization ADK

The following components from the Policy Director Base must be installed on the system that will host Policy Director for WebLogic Server:

¶ Policy Director Version 3.8 Runtime Environment

¶ Policy Director Version 3.8 Authorization ADK

¶ Policy Director Base Fixpack 3

The Policy Director secure domain must be established prior to installing these components on the system that will host Policy Director for WebLogic Server.

Policy Director Base Fixpack 3 for Version 3.8

Each Policy Director system must be updated with Base Fixpack 3 for Version 3.8. You must obtain and install the Fixpack for your operating system.

The fixpack is titled FixPack 3.8-POL-0003.

Download and install the Policy Director Fixpack 3 from the following URL:

https://www.tivoli.com/secure/support/patches/Tivoli_SecureWay_Policy_Director_.html

You will need a login and password from Tivoli Customer Support to access this web page.

Policy Director WebSEAL Fixpack 1 for Version 3.8

Each Policy Director WebSEAL server system must be updated with WebSEAL Fixpack 1 for Version 3.8. You must obtain and install the Fixpack for your operating system.

The fixpack is titled FixPack 3.8-PWS-0001.

Download and install the Policy Director WebSEAL Fixpack 1 from the following URL:

https://www.tivoli.com/secure/support/patches/Tivoli_SecureWay_Policy_Director_.html

You will need a login and password from Tivoli Customer Support to access this web page.

The fixpack is also available from the following ftp site:

ftp://ftp.tivoli.com/support/patches/patches_3.8/

Installing Policy Director for WebLogic Server

Complete the following steps on the system that hosts WebLogic Server:

1. Verify that the software prerequisites have been satisfied, as described in “Software Prerequisites” on page 10.

In particular, verify that:

¶ WebLogic Server is installed, configured, and running on the host system.

¶ The Policy Director secure domain has been established, and a WebSEAL server has been installed, within the network environment.

¶ A Policy Director WebSEAL server has been configured and is accessible.

¶ The necessary fixpacks have been applied to the Policy Director management server and Policy Director WebSEAL.

2. Install and configure the following Policy Director components:

¶ Policy Director Runtime Environment

¶ Policy Director Authorization ADK

For complete installation instructions, see the Tivoli SecureWay Policy Director Base Installation Guide.

3. Download the Policy Director for WebLogic Server files as described in “Installation Packages” on page 10.

4. Unpack the distribution files as specified in the README file that accompanies the download packages. Place the files in a temporary directory.


5. Continue to “Configuring Policy Director for WebLogic Server”.

Configuring Policy Director for WebLogic Server

Policy Director for WebLogic Server must be registered with the Policy Director secure domain as a Policy Director authorization API application.

Use the Policy Director utility svrsslcfg to complete the registration. Usage of this utility is summarized below.

For complete information on svrsslcfg, see the Tivoli SecureWay Policy Director 3.8 Authorization ADK Developer Reference. In addition, see the README that is shipped with the Authorization ADK demonstration application. This application is installed as part of the Policy Director Authorization ADK installation.

The svrsslcfg syntax is:

svrsslcfg -config -f cfg_file -d kdb_dir -n server_name -s server_type -r port -P admin_pwd -S server_password

Note that file names must be specified as full pathnames, not relative paths.

The following table describes the command line options:

cfg_file
    Configuration file path and name.

kdb_dir
    The directory that is to contain the keyring database files for the server.

server_name
    The name of the server. The name may be specified as either server_name/hostname or server_name, in which case the local hostname will be appended to form name/hostname. The names ivacld, secmgrd, and ivweb are reserved for Policy Director servers.

server_type
    The type of server being configured. The value must be either local or remote.

port
    The listening port number for the server. A value of 0 may be specified only if the [aznapi-admin-services] stanza in the configuration file is empty.

admin_pwd
    The Policy Director Administrator password. If this parameter is not specified, the password will be read from stdin.

server_password
    The server’s password. You can request that a password be created by the system by specifying a dash (-) for the password.

An example set of configuration steps would be:

1. Create the <PD work directory>, such as C:\bea\PDWLSRealm\.

The <PD work directory> is a directory that will be used to store the aznAPI.conf file, as well as the Policy Director SSL certificates that will be used by the WebLogic Server to communicate with the Policy Director servers. It will also be used as a temporary folder. Because it holds the server keyring, restrict it to the account that runs WebLogic Server.

2. Copy the sample configuration file from <Policy Director install dir>\example\authzn_demo\cpp\configuration\aznAPI.conf to this directory as file pdwlsrealm.conf and use it as input to the svrsslcfg command below.

3. Edit pdwlsrealm.conf and comment out the line with AZN_ADMIN_SVC_TRACE. If that line is the only entry in the [aznapi-admin-services] stanza, commenting it out leaves the stanza empty, which is what permits the listening port of 0 (-r 0) used in step 5.

4. Use svrsslcfg to configure Policy Director remote mode:

svrsslcfg -add_replica -f cfg_file -h host_name -p port -k rank

Note: This command is not required when running in local mode. Running in remote mode is recommended.

The following options are used:

cfg_file
    Configuration file path and name. This is a required parameter.

host_name
    TCP hostname of the Policy Director authorization server. This parameter is required.

port
    Listening port number of the ivacld (authorization server) replica server. This is the port number on which ivacld listens for requests. If not specified on an -add_replica action, a default of 7136 will be used.

rank
    Replica order of preference among other replicas. This parameter defaults to 10 on the -add_replica action.

5. Use svrsslcfg to create the aznAPI configuration file:

svrsslcfg -config -f c:\bea\pdwlsrealm\pdwlsrealm.conf -d c:\bea\pdwlsrealm -n pdwlsrealm -s remote -P <sec_master password> -S <PD-WLS-password> -r 0

Note: Passing the sec_master password with -P puts it on the command line, where other local users can read it from process listings. Omit -P and svrsslcfg reads the password from stdin instead. Likewise, -S - lets svrsslcfg generate the server password rather than having you choose and type one.

6. View the new Policy Director server by issuing the command:

pdadmin> server list

7. Continue to the next section: “Configuring a Custom Realm”.
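Steps 1 through 6 above, collected into one script as an added example; it is not part of this guide or of the product. It assumes a UNIX layout for <PD work directory> (/opt/bea/pdwlsrealm), a Policy Director installation under /opt/PolicyDirector, an authorization server host of pdauthz.example.com and that svrsslcfg is on the PATH; all of these are overridable through environment variables. The svrsslcfg options are the guide’s own, except that -P is omitted so the sec_master password is read from stdin, and -S - is used so svrsslcfg generates the server password.

```shell
#!/bin/sh
# Added example, not from the guide: prepares pdwlsrealm.conf and registers
# Policy Director for WebLogic Server with svrsslcfg in remote mode.
# The directory layout is an assumption (a UNIX rendering of the guide's
# C:\bea\pdwlsrealm example); the svrsslcfg options are the guide's own.
set -u

PD_WORK=${PD_WORK:-/opt/bea/pdwlsrealm}            # <PD work directory>, assumed
PD_INSTALL=${PD_INSTALL:-/opt/PolicyDirector}       # Policy Director install dir, assumed
AZN_SAMPLE=${AZN_SAMPLE:-$PD_INSTALL/example/authzn_demo/cpp/configuration/aznAPI.conf}
CFG=$PD_WORK/pdwlsrealm.conf
SERVER_NAME=${SERVER_NAME:-pdwlsrealm}
IVACLD_HOST=${IVACLD_HOST:-pdauthz.example.com}     # authorization server host, assumed
IVACLD_PORT=${IVACLD_PORT:-7136}                    # ivacld default from the guide
SVRSSLCFG=${SVRSSLCFG:-svrsslcfg}

# svrsslcfg insists on full pathnames; anything not starting with / is an error.
is_abs_path() {
    case "$1" in /*) return 0 ;; *) return 1 ;; esac
}

# Steps 2 and 3 of the guide: copy the sample aznAPI.conf to its final name
# and comment out AZN_ADMIN_SVC_TRACE.  Lines that are already comments are
# left alone, so running this twice is harmless.
prepare_conf() {
    src=$1; dst=$2
    is_abs_path "$dst" || { echo "config path must be absolute: $dst" >&2; return 1; }
    [ -r "$src" ] || { echo "sample not readable: $src" >&2; return 1; }
    sed 's/^[[:space:]]*\(AZN_ADMIN_SVC_TRACE\)/#\1/' "$src" > "$dst" || return 1
    chmod 600 "$dst"   # it will reference the server keyring; keep it to the WebLogic account
}

# Number of AZN_ADMIN_SVC_TRACE entries still in force.  A non-zero answer
# means [aznapi-admin-services] is not empty and "-r 0" will be rejected.
active_trace_lines() {
    grep -c '^[[:space:]]*AZN_ADMIN_SVC_TRACE' "$1" || true
}

# Steps 4 and 5: add the authorization server replica and register the
# application.  -P is omitted on purpose: svrsslcfg then prompts for the
# sec_master password on stdin instead of exposing it in the process list.
# "-S -" lets svrsslcfg generate the server password itself.
register_realm() {
    is_abs_path "$CFG" && is_abs_path "$PD_WORK" || return 1
    "$SVRSSLCFG" -add_replica -f "$CFG" -h "$IVACLD_HOST" -p "$IVACLD_PORT" -k 10 || return 1
    "$SVRSSLCFG" -config -f "$CFG" -d "$PD_WORK" -n "$SERVER_NAME" -s remote -S - -r 0
}

main() {
    mkdir -p "$PD_WORK" && chmod 700 "$PD_WORK" || exit 1
    prepare_conf "$AZN_SAMPLE" "$CFG" || exit 1
    if [ "$(active_trace_lines "$CFG")" -ne 0 ]; then
        echo "AZN_ADMIN_SVC_TRACE still active in $CFG; -r 0 would fail" >&2; exit 1
    fi
    register_realm || exit 1
    echo "Registered $SERVER_NAME; confirm with:  pdadmin> server list"
}

# Define-only unless explicitly asked to run, so the functions can be sourced or tested.
if [ "${1:-}" = run ]; then main; fi
```

Run it as sh pdwls_register.sh run. Without the run argument it only defines the functions, which lets prepare_conf and active_trace_lines be tried on a copy of aznAPI.conf before anything is registered with the secure domain.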

Configuring a Custom Realm

The following table provides a key to the variables that are referred to in this section:

<BEA domain directory>
    Directory of the installed domain of the WebLogic Server. In a standard installation this value would be:
    Windows: C:\bea\wlserver6.1\Config\mydomain
    UNIX: /bea/wlserver6.1/Config/mydomain

<webseald server name>
    Name of the host system for the Policy Director WebSEAL server. Generally of the form webseald-hostname.

<PDRealm>
    Name of the Policy Director Custom Realm that will be added to WebLogic Server. This name can be anything you choose.

<PDCachingRealm>
    Name of the Policy Director Caching Realm that will be added to WebLogic Server. This name can be anything you choose.

<AZN conf file path>
    The fully qualified path of the Policy Director authorization configuration file pdwlsrealm.conf, that is generated when using svrsslcfg to configure a Policy Director Authorization API application.

<configured user>
    The special Policy Director user that is used in order to form a trust relationship between WebSEAL and WebLogic Server. The name of this user can be any valid Policy Director user name.

<configured user password>
    The password of the <configured user>.

<WebLogic server>
    The hostname of the WebLogic Server system.

<WebLogic Server listen port>
    The port that WebLogic Server is listening on.

<pdadmin context user>
    Name of the user that will be used to create a pdadmin context. This user must be in the iv-admin user group or be delegated enough permission to be able to create, delete, modify, and list users and groups. You can do this by giving the user the following permissions on an access control list (ACL) attached to the /Management object:
    TcmdbsvatNWA
    The name of the default ACL attached to the /Management object is default-management.

<pdadmin context user password>
    Password for the <pdadmin context user>.

Complete the following steps on the system that hosts the WebLogic Server:

1. Extract the contents of PDWLS_Realm.jar to <PD work directory>. This creates a sub-directory called image with the following files in it:

pdlib.dll
pdAuthzn.jar
libpdlib.a
libaznjni.a
pdadmin.jar
aznjni.dll
PDRealm.jar

2. Copy the appropriate shared libraries for your operating system (*.dll on Windows and *.a on AIX) from the above list into a directory that is in the system path. For example:

Windows: C:\Program Files\Tivoli\Policy Director\bin
AIX: /usr/lib

3. Ensure that pdadmin.jar, pdAuthzn.jar and PDRealm.jar are included in the CLASSPATH variable of the startWebLogic batch file (on Windows systems) or shell script (on UNIX systems) located in <BEA domain directory>.

4. Stop the WebLogic server.

5. Create the WebSEAL <configured user> using the Policy Director Web Portal Manager or the Policy Director utility pdadmin.

For example, if <configured user> is websealsso and <configured user password> is pdwebwlssso, enter the following pdadmin commands:

pdadmin> user create websealsso cn=websealsso,o=ibm,c=au websealsso websealsso pdwebwlssso

pdadmin> user modify websealsso account-valid yes

For optimum security, protect the password for the configured user. It is the shared secret on which the WebSEAL-to-WebLogic Server trust rests: WebSEAL presents it to WebLogic Server as basicauth-dummy-passwd when it signs users on (see “Configuring a WebSEAL Junction for the WebLogic Server”), so it deserves the same care as an administrator password, and the example value above should not be used in a real deployment. Change the password at regular intervals. Use the Policy Director random password generator to create the password:

UNIX: /opt/PolicyDirector/sbin/genpass

6. Create the <pdadmin context user> that the Custom Realm uses with the Policy Director administration API. This user must either be added to the iv-admin group or be delegated sufficient permission such that it can add, delete, modify, and list users and groups. Delegating only those permissions (the ACL permissions listed for <pdadmin context user> above) is the tighter choice, because the realm stores this user’s password in its configuration data.

For example, the following command creates a user:

pdadmin> user create <pdadmin context user> cn=<pdadmin context user>,o=ibm,c=au <pdadmin context user> <pdadmin context user> <pdadmin context user password> iv-admin

Next, activate the new user account. For example:

pdadmin> user modify <pdadmin context user> account-valid yes

7. Start the WebLogic server.

8. Launch the WebLogic Server console in a browser. Access the following URL:

http://<WLS_host>:<WLS listening port>/console

9. Click Security -> Realms -> Configure a new Custom Realm.

¶ Name: <PDRealm>

¶ Realm Class Name: com.tivoli.wlsrealm.PDRealm

¶ Supply the configuration data described in the following table. Each entry gives the realm property, its valid values in parentheses, and a description:

webseal.sso.configured (true or false)
    Defines whether WebSEAL will be configured and whether to attempt to perform single sign-on.

pdadmin.user.name (<pdadmin context user>)
    Name of the user that will be used to create a pdadmin context. This user must be in the iv-admin user group or be delegated sufficient permission such that they can add, delete, modify, and list users and groups.

pdadmin.password (<pdadmin context user password>)
    Password of the above user.

pdrealm.registry.listing (true or false)
    Defines whether the Policy Director Custom Realm should list users and groups, including group memberships, to the WebLogic Server console window. This should be set to false in production environments. Set it to true only in a test environment.

connection.pool (1 - n)
    Where n is an integer defining the number of Realm objects to instantiate in the Realm pool.

pdrealm.tracing (true or false)
    Turn Policy Director Realm tracing on or off. Trace will be sent to the WebLogic Server log.

wls.admin.user (<configured user>)
    The special user that is configured in the Policy Director Custom Realm configuration data in order to form a trust relationship between WebSEAL and WebLogic Server.

group.dn (a valid Distinguished Name (DN))
    LDAP naming context where groups are defined. For example, c=gb.

user.dn (a valid DN)
    LDAP naming context where users are defined. For example, c=gb.

aznapi.conf.file (<AZN conf file path>)
    The fully qualified pathname of the Authorization API configuration file, pdwlsrealm.conf, generated by svrsslcfg.

10. Configure a new Caching Realm:


¶ Name: <PDCachingRealm>

¶ Basic Realm: <PDRealm>

¶ Case Sensitive: Yes

¶ Use defaults for the caching settings.

11. Go to Security -> FileRealm and set it to <PDCachingRealm>. Leave all other fields unchanged.

12. Restart WebLogic Server.

Security settings will now take effect.

13. Continue to the next section: “Configuring a WebSEAL Junction for the WebLogic Server”.

Configuring a WebSEAL Junction for the WebLogic Server

Complete the following steps on the system that hosts the Policy Director WebSEAL server:

1. Update the following configuration item in the WebSEAL configuration file, webseald.conf:

basicauth-dummy-passwd = <configured user password>

2. Stop and restart WebSEAL, to make the configuration change take effect.

3. Use the pdadmin command to create a WebSEAL junction.

Be sure to create the junction with -b supply. With this setting WebSEAL supplies the authenticated user’s name, together with the basicauth-dummy-passwd value set in step 1, in the Basic Authentication header of every request it forwards to WebLogic Server; this is the trust relationship that the <configured user> establishes, and it is required for single sign-on. The junction target is given as the final argument. Because a -t tcp junction carries that header in clear text, keep the network path between WebSEAL and WebLogic Server private.

For example:

pdadmin> server task <webseald_server_name> create -t tcp -p <WebLogic Server listen port> -h <WebLogic server> -b supply <junction target>


The above command uses the following variables:

<webseald_server_name>
    Name of the Policy Director WebSEAL server. Generally of the form webseald-hostname.

<WebLogic server>
    The hostname of the WebLogic Server.

<WebLogic Server listen port>
    The port on which the WebLogic Server is listening.

<junction target>
    The URL target of the junction.

For complete information on creating and using Policy Director WebSEAL junctions, see the Tivoli SecureWay Policy Director WebSEAL Administration Guide.

Testing the Configuration

Verify that the Policy Director Custom Realm has been correctly configured by completing the following steps:

1. Use the WebLogic Server console to create a new test user.

2. Execute the following pdadmin command:

pdadmin> user show <test user>

¶ Verify that account-valid is yes.

¶ Verify that password-valid is yes.
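An added example, not from the guide, that automates the two checks above: it parses the text that pdadmin user show prints and reports whether account-valid and password-valid are both yes. The sample output is constructed, and the field labels are normalised (“Account valid:” and “account-valid:” are treated alike) because the exact wording printed by your Policy Director version is not given in this guide.

```shell
#!/bin/sh
# Added example, not from the guide: checks the output of
#   pdadmin> user show <test user>
# for account-valid = yes and password-valid = yes.
set -u

# Print the value of one field from "user show" text on stdin (empty if absent).
# Labels are lower-cased and spaces/underscores become hyphens, so the guide's
# attribute names (account-valid, password-valid) match however they are printed.
show_field() {
    awk -v want="$1" '
        index($0, ":") {
            label = tolower(substr($0, 1, index($0, ":") - 1))
            gsub(/^[ \t]+|[ \t]+$/, "", label); gsub(/[ _]/, "-", label)
            value = substr($0, index($0, ":") + 1); gsub(/^[ \t]+|[ \t]+$/, "", value)
            if (label == want) { print value; exit }
        }'
}

# Read "user show" output on stdin; print a verdict and return 0 only when the
# account is valid and the password is valid.  A missing field counts as a failure.
check_user_show() {
    out=$(cat)
    login=$(printf '%s\n' "$out" | show_field login-id)
    acct=$(printf '%s\n' "$out" | show_field account-valid)
    pw=$(printf '%s\n' "$out" | show_field password-valid)
    if [ "$acct" = yes ] && [ "$pw" = yes ]; then
        echo "OK: ${login:-user} is active (account-valid=yes password-valid=yes)"
        return 0
    fi
    echo "FAIL: ${login:-user} account-valid=${acct:-missing} password-valid=${pw:-missing}"
    return 1
}

# Constructed sample of a healthy test user; labels follow the style pdadmin
# uses, adjust if your version prints them differently.
SAMPLE_OK='Login ID: wlstest
LDAP DN: cn=wlstest,o=ibm,c=au
LDAP CN: wlstest
LDAP SN: wlstest
Description:
Is SecUser: yes
Is GSO user: no
Account valid: yes
Password valid: yes'

case "${1:-}" in
    demo)  printf '%s\n' "$SAMPLE_OK" | check_user_show ;;   # run on the sample
    check) check_user_show ;;                                # read real output on stdin
esac
```

Run sh check_user_show.sh demo to see it on the constructed sample, or pipe real output through it: pdadmin -a sec_master -p <password> user show <test user> | sh check_user_show.sh check. A non-zero exit from the check form makes it usable from a larger verification script.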

The Policy Director Custom Realm single sign-on solution allows a single authentication step through WebSEAL that transparently authenticates the user to the WebLogic Server. You can confirm that this is configured correctly by running the demonstration application. The demonstration application is described in the next chapter.


Using Policy Director for WebLogic Server

This chapter contains the following topics:

¶ “Using the Demonstration Application”

¶ “Creating Test Users” on page 27

¶ “Usage Tips” on page 27

¶ “Troubleshooting Tips” on page 28

¶ “Limitations” on page 28

Using the Demonstration Application

You can use the demonstration application to see an example of two types of authorization, and to exercise the WebSEAL single sign-on capability.

The two types of authorization are:

¶ Declarative

In this case, the Deployment Descriptor ensures that only users in the BankMembers group can successfully access the PDDemo demonstration Servlet.

¶ Programmatic


Using programmatic security, the Enterprise Java Bean ensures that only the owner of each account has the permission to view their own account balance. For example, user Mark cannot view user Luke’s balance.

To run the demonstration application, complete the following steps:

1. Copy the demonstration application PDDemoApp.ear into <BEA domain directory>\applications. Note that use of this directory is not required. You can place the EAR file into any directory on your file system.

2. Use the WebLogic Server console to install the demonstration application.

3. Use the WebLogic Server console to create the following users:

Matthew
Mark
Luke
John

4. Use the WebLogic Server console to create a BankMembers group.

5. Add all of the users created above to this group.

6. To access the demonstration application, access the following URL:

http://<WLS server>:<WLS listening port>/pddemo/PDDemo

Authenticate with one of the users defined above.

7. Verify that only users defined in the BankMembers group can access the Servlet.

8. Verify that the authenticated user can view their own balance, but not the balance of any other user.

To test the WebSEAL Single Sign On, complete the following steps:

1. Access the following URL:

https://<webseald server name>/<junction target>/pddemo/PDDemo

WebSEAL will prompt you to authenticate.


Note: Use HTTPS here because the default WebSEAL behavior is to prevent Basic or Forms-based authentication over HTTP.

2. Authenticate as one of the users defined above.

This process signs the user on to the WebLogic Server, and the Servlet is invoked without requiring a second authentication. When accessed through WebSEAL, the PDDemo demonstration application shows identical behavior to that shown when accessing the WebLogic Server directly.

3. Verify that the authenticated user can view their own balance, but not the balance of any other user.

Creating Test Users

For convenience, if many test users are required, a script named users.sh is provided. This tool can be used to create and/or delete multiple test users, by creating appropriate pdadmin scripts:

¶ Run users.sh to generate two text files that pdadmin can use to add and remove a set of users to or from the user registry.

¶ To use the users.sh script, edit the script and define the variables appropriate for your environment.

Two files are generated: add_users.txt and remove_users.txt. Use these files as input to pdadmin as follows:

pdadmin -a sec_master -p <password> < add_users.txt

pdadmin -a sec_master -p <password> < remove_users.txt

Both files contain the test users’ passwords in clear text, and the sec_master password appears on the pdadmin command line. Restrict the files to the administrator running them, delete them once the users exist, and give test users throwaway passwords.
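The pdadmin steps that create the <configured user> and the <pdadmin context user> in “Configuring a Custom Realm”, and the users.sh batch-file approach described above, both come down to generating pdadmin input of the same shape. The script below is an added example that does both; it is not the guide’s users.sh and is not shipped with the product. It uses the o=ibm,c=au suffix from the guide’s examples, assumes pdwlsadmin as the context user name, creates the BankMembers group and the four demo users from “Using the Demonstration Application”, and stands in /dev/urandom for genpass when it needs a random password.

```shell
#!/bin/sh
# Added example, not the guide's users.sh: writes the two pdadmin input files
# (add_users.txt, remove_users.txt) that create and remove the WebSEAL trust
# user, the pdadmin context user, the demo BankMembers group and its members.
# The LDAP suffix is the one the guide's examples use; the context-user name
# and the password source are assumptions.
set -u

SUFFIX=${SUFFIX:-o=ibm,c=au}                         # from the guide's examples
SSO_USER=${SSO_USER:-websealsso}                     # <configured user>
CTX_USER=${CTX_USER:-pdwlsadmin}                     # <pdadmin context user>, assumed
DEMO_GROUP=${DEMO_GROUP:-BankMembers}                # group the demo servlet checks
TEST_USERS=${TEST_USERS:-"Matthew Mark Luke John"}   # demo users from the guide

# 16 random letters/digits from the kernel RNG.  The guide points at Policy
# Director's genpass; this stands in for it and needs no quoting in pdadmin.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | dd bs=1 count=16 2>/dev/null
}

# pdadmin syntax as used in the guide:  user create name dn cn sn password [groups]
# followed by the account activation the guide performs as a separate step.
emit_add_user() {   # $1 name, $2 password, $3 group list or ""
    printf 'user create %s cn=%s,%s %s %s %s%s\n' "$1" "$1" "$SUFFIX" "$1" "$1" "$2" "${3:+ $3}"
    printf 'user modify %s account-valid yes\n' "$1"
}

emit_remove_user() { printf 'user delete %s\n' "$1"; }

# Write both files into directory $1.  $2 and $3 are the passwords for the
# trust user and the context user; the caller keeps those because they also
# go into webseald.conf (basicauth-dummy-passwd) and the realm properties.
# Every test user gets a fresh random password.  Runs in a subshell so the
# restrictive umask (the files hold clear-text passwords) does not leak out.
write_batches() (   # $1 dir, $2 sso password, $3 context-user password
    umask 077
    {
        printf 'group create %s cn=%s,%s %s\n' "$DEMO_GROUP" "$DEMO_GROUP" "$SUFFIX" "$DEMO_GROUP"
        emit_add_user "$SSO_USER" "$2" ""
        emit_add_user "$CTX_USER" "$3" iv-admin
        for u in $TEST_USERS; do emit_add_user "$u" "$(gen_password)" "$DEMO_GROUP"; done
    } > "$1/add_users.txt"
    {
        for u in $TEST_USERS; do emit_remove_user "$u"; done
        emit_remove_user "$CTX_USER"
        emit_remove_user "$SSO_USER"
        printf 'group delete %s\n' "$DEMO_GROUP"
    } > "$1/remove_users.txt"
)

if [ "${1:-}" = run ]; then
    out=${2:-.}
    sso_pw=$(gen_password); ctx_pw=$(gen_password)
    write_batches "$out" "$sso_pw" "$ctx_pw"
    echo "wrote $out/add_users.txt and $out/remove_users.txt (mode 0600)"
    echo "basicauth-dummy-passwd and wls.admin.user password (shown once): $sso_pw"
    echo "pdadmin.password for $CTX_USER (shown once): $ctx_pw"
    echo "apply with:  pdadmin -a sec_master -p <password> < $out/add_users.txt"
fi
```

sh make_pd_users.sh run /tmp/pdusers writes the files and prints the two passwords you must carry into webseald.conf and the Custom Realm properties; apply add_users.txt with pdadmin as shown in the text and delete the directory afterwards, since it holds every password in clear text.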

Usage Tips

1. Observe good security practices when enabling single sign-on for external users. Ensure that authentication is performed only by the WebSEAL server. To achieve this, disable access to the WebLogic Server by internal users that do not go through the WebSEAL server.


2. Policy Director Custom Realm listing should be set to false in production environments. Set this to true only when testing to verify that a realm is operational.

3. To use the WebLogic Server System and Guest users through WebSEAL, you must create a dummy guest in Policy Director, and set the real Guest and System password to match the configured user’s password.

Note, however, that this means that if you want to allow the guest user to log in without going through WebSEAL (such as access from an intranet), you will need to expose the configured user password.

Troubleshooting Tips

When a user has authenticated through forms-based login, and attempts to access a resource for which they do not have permission, the following error message may appear:

Could not Sign On message from WebSEAL

This can occur because even though the user could actually be authenticated, they don’t have permission to access the Servlet in the web container.

If this error occurs when using Basic Authentication, the user will be re-prompted for the authentication details, instead of seeing the page described above. This is default WebLogic Server behavior and would be seen if the user accesses the page either directly or through WebSEAL.

Limitations

1. Policy Director for WebLogic Server does not support recursive group membership (groups within groups).

2. Centralized control of user access to WebLogic’s J2EE resources is limited to moving users between groups that have been assigned to roles in application deployment descriptors.

3. Single sign-on to WebLogic Server using forms-based authentication is not supported.


4. WebLogic Server role membership checks require the Policy Director management server to be running.

5. Policy Director for WebLogic Server does not implement the java.security.ACL interface. Note that Policy Director ACLs do not correspond to WebLogic Server ACLs.


Printed in the United States of America on recycled paper containing 10% recovered post-consumer fiber.

SC32-0831-00