ManualRuntimeSteps - cws-khuntly/WebSphere GitHub Wiki
date: 2025-05-08 14:55:51
created: 2025-05-08 14:55:32
categories:
- WebSphere / Server Build / Portal Server / Tivoli Access Manager / Manual
Obtain the PD.jar that matches the version of the target ISVA appliance (download it from that appliance) and place it in ${WAS_INSTALL_ROOT}/tivoli/tam/
Login to the Portal host via SSH
Source setupCmdLine.sh:
source /opt/IBM/WebSphere/profiles/${PROFILE_NAME}/bin/setupCmdLine.sh
Export the WAS_INSTALL_ROOT variable:
declare -x WAS_INSTALL_ROOT="/opt/IBM/WebSphere/AppServer"
Export the environment variable:
declare -x ENV=XXX
Export the policy server variable:
declare -x POLICY_SERVER=XXX
Export the authz server variable:
declare -x AUTHZ_SERVER=XXX
Export the server identifier:
declare -x SERVER_ID=XXX
Export the admin ID:
declare -x ADMIN_ID=XXX
Copy the ConfigService property file:
cp /nfs/software/WebSphere/PortalServer/properties/ConfigService.properties ${USER_INSTALL_ROOT}/PortalServer/config/ConfigService.properties
Unconfigure TAM (if applicable). The SvrSslCfg command takes the admin password on its command line, so turn off shell history (set +o history, as in the step below) before running it. First unconfigure the Java runtime:
java -cp ${WAS_INSTALL_ROOT}/tivoli/tam/PD.jar \
-Dpd.home=${WAS_INSTALL_ROOT}/tivoli/tam/PolicyDirector -Dpd.cfg.home=${WAS_INSTALL_ROOT}/tivoli/tam \
com.tivoli.pd.jcfg.PDJrteCfg -was -action unconfig -java_home ${WAS_INSTALL_ROOT}/java/8.0/jre
NOTE: If multiple JVMs were previously configured, the following SvrSslCfg command must be run once per JVM, changing the ${SERVER_ID} value each time (the PDJrteCfg command above is run once per Java runtime)
java -cp ${WAS_INSTALL_ROOT}/tivoli/tam/PD.jar \
-Dpd.cfg.home=${WAS_INSTALL_ROOT}/tivoli/tam com.tivoli.pd.jcfg.SvrSslCfg -action unconfig \
-admin_id sec_master -admin_pwd *** -appsvr_id "${SERVER_ID}" -policysvr "${POLICY_SERVER}" \
-cfg_file ${WAS_INSTALL_ROOT}/tivoli/tam/PdPerm.properties
Turn off shell history so the admin password in the commands that follow is not written to ~/.bash_history (do this before any command that carries -admin_pwd, including the unconfig step above; the password is still visible in the process list while the java command runs, so keep that window short):
set +o history
Configure Java for TAM:
java -cp ${WAS_INSTALL_ROOT}/tivoli/tam/PD.jar \
-Dpd.home=${WAS_INSTALL_ROOT}/tivoli/tam/PolicyDirector -Dwas.install.root=${WAS_INSTALL_ROOT} \
com.tivoli.pd.jcfg.PDJrteCfg -was -action config -host ${POLICY_SERVER} -port 7135 -config_type full \
-java_home ${WAS_INSTALL_ROOT}/java/8.0/jre -alt_config -cfgfiles_path ${WAS_INSTALL_ROOT}/tivoli/tam
NOTE: If multiple JVMs exist, the following SvrSslCfg command must be run once per JVM, changing the ${SERVER_ID} value each time (the PDJrteCfg command above is run once per Java runtime)
java -cp ${WAS_INSTALL_ROOT}/tivoli/tam/PD.jar \
-Dpd.cfg.home=${WAS_INSTALL_ROOT}/tivoli/tam com.tivoli.pd.jcfg.SvrSslCfg -action config \
-admin_id ${ADMIN_ID} -admin_pwd XXX -appsvr_id "${SERVER_ID}" \
-policysvr ${POLICY_SERVER}:7135:1 -authzsvr ${AUTHZ_SERVER}:7136:1 -port 7223 \
-mode remote -dbdir ${WAS_INSTALL_ROOT}/tivoli/tam \
-cfg_file ${WAS_INSTALL_ROOT}/tivoli/tam/PolicyDirector/${SERVER_ID}.properties \
-key_file ${WAS_INSTALL_ROOT}/tivoli/tam/PolicyDirector/${SERVER_ID}.ks \
-cfg_action create
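The per-JVM part of the procedure above, gathered into a script as an added example that is not part of this wiki or of the cws-khuntly/WebSphere automation: it runs the SvrSslCfg command once for each server identifier given (the case the NOTE describes), after PDJrteCfg has been run once as shown. It assumes the exports from the page are in place, takes the admin password from a TAM_ADMIN_PWD variable or a no-echo prompt instead of from the command line, and with DRY_RUN=1 prints the command with the password redacted instead of running it. The JAVA_BIN default (the JRE the page passes as -java_home), the function names and the DRY_RUN and TAM_RUN switches are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not part of the cws-khuntly/WebSphere wiki: runs the per-JVM
# SvrSslCfg step for one or more server identifiers after PDJrteCfg has been
# run once on the host. Assumptions (not in the original page): the exports
# from the page are in place, the admin password comes from TAM_ADMIN_PWD or
# an interactive prompt rather than the command line, and DRY_RUN=1 prints
# the command (password redacted) without running it.
set -u

: "${WAS_INSTALL_ROOT:=/opt/IBM/WebSphere/AppServer}"
TAM_HOME="${WAS_INSTALL_ROOT}/tivoli/tam"
PD_JAR="${TAM_HOME}/PD.jar"
PD_DIR="${TAM_HOME}/PolicyDirector"
# Same JRE the page passes to PDJrteCfg as -java_home (assumed location).
JAVA_BIN="${JAVA_BIN:-${WAS_INSTALL_ROOT}/java/8.0/jre/bin/java}"
POLICY_PORT=7135   # policy server port, as on the page
AUTHZ_PORT=7136    # authorization server port
LISTEN_PORT=7223   # local listener passed as -port

# Return 1 and name every listed variable that is unset or empty, so a
# skipped export is caught before anything talks to the policy server.
require_vars() {
    local missing=0 v
    for v in "$@"; do
        if [ -z "${!v:-}" ]; then
            echo "missing: $v" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Print the SvrSslCfg argument list for one JVM, one argument per line,
# mirroring the command on the page. Kept apart from execution so the
# argument list can be inspected offline.
svrsslcfg_args() {
    local server_id=$1 admin_pwd=$2
    printf '%s\n' \
        -cp "$PD_JAR" "-Dpd.cfg.home=${TAM_HOME}" \
        com.tivoli.pd.jcfg.SvrSslCfg -action config \
        -admin_id "$ADMIN_ID" -admin_pwd "$admin_pwd" \
        -appsvr_id "$server_id" \
        -policysvr "${POLICY_SERVER}:${POLICY_PORT}:1" \
        -authzsvr "${AUTHZ_SERVER}:${AUTHZ_PORT}:1" \
        -port "$LISTEN_PORT" -mode remote -dbdir "$TAM_HOME" \
        -cfg_file "${PD_DIR}/${server_id}.properties" \
        -key_file "${PD_DIR}/${server_id}.ks" \
        -cfg_action create
}

# Run SvrSslCfg for one JVM. SvrSslCfg accepts the password only as an
# argument, so it is visible in /proc/<pid>/cmdline while java runs; the
# dry-run output redacts it so it never ends up in a log.
configure_server() {
    local server_id=$1 admin_pwd=$2 args
    mapfile -t args < <(svrsslcfg_args "$server_id" "$admin_pwd")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s' "$JAVA_BIN"
        printf ' %q' "${args[@]//"$admin_pwd"/********}"
        echo
        return 0
    fi
    "$JAVA_BIN" "${args[@]}"
}

# Confirm SvrSslCfg wrote the per-JVM properties file and keystore and
# restrict them: together they are this server's TAM identity.
verify_server_files() {
    local server_id=$1 f
    for f in "${PD_DIR}/${server_id}.properties" "${PD_DIR}/${server_id}.ks"; do
        if [ ! -s "$f" ]; then
            echo "missing or empty: $f" >&2
            return 1
        fi
        chmod 600 "$f"
    done
}

# Take the password from the environment, or prompt for it without echo.
read_admin_pwd() {
    local pw=${TAM_ADMIN_PWD:-}
    if [ -z "$pw" ]; then
        read -rsp "TAM ${ADMIN_ID} password: " pw
        echo >&2
    fi
    printf '%s' "$pw"
}

main() {
    if [ $# -lt 1 ]; then
        echo "usage: $0 SERVER_ID [SERVER_ID ...]" >&2
        return 2
    fi
    require_vars WAS_INSTALL_ROOT POLICY_SERVER AUTHZ_SERVER ADMIN_ID || return 1
    if [ ! -r "$PD_JAR" ] && [ "${DRY_RUN:-0}" != 1 ]; then
        echo "PD.jar not found at $PD_JAR" >&2
        return 1
    fi
    local admin_pwd server_id
    admin_pwd=$(read_admin_pwd)
    for server_id in "$@"; do
        configure_server "$server_id" "$admin_pwd" || return 1
        [ "${DRY_RUN:-0}" = 1 ] || verify_server_files "$server_id" || return 1
    done
}

# Only run when invoked deliberately, so the file can also be sourced.
if [ "${TAM_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

Run it as `TAM_RUN=1 ./tam_svrsslcfg.sh PORTALSERVER OTHER_ID` once the exports above are in place. The script invocation itself carries no secret, so it is safe in shell history; the password is still handed to java as an argument and is readable by other local users through /proc/<pid>/cmdline for the duration of each SvrSslCfg run.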
Add the Trust Association Interceptor:
Login to the ISC
Navigate to Security -> Global Security
Expand "Web and SIP security"
Select "Trust association"
Ensure "Enable trust association" is checked
Select "Interceptors"
Click "New…"
- Interceptor class name: com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus
- Add the following custom properties:
- Name: com.ibm.websphere.security.webseal.checkViaHeader
- Value: false
- Name: com.ibm.websphere.security.webseal.id
- Value: iv-user,iv-creds
- Name: com.ibm.websphere.security.webseal.loginId
- Value: wpsadmin (the WebSEAL trusted user whose credentials WebSEAL supplies in the Basic Authentication header on each junctioned request; a dedicated account for this purpose is preferable to the Portal administrator)
- Name: com.ibm.websphere.security.webseal.configURL
- Value: /opt/IBM/WebSphere/AppServer/tivoli/tam/PolicyDirector/PORTALSERVER.properties
- Name: com.ibm.websphere.security.webseal.ssoPwdExpiry
- Value: 600
- Name: com.ibm.websphere.security.webseal.ignoreProxy
- Value: false
- Name: com.ibm.websphere.security.webseal.viaDepth
- Value: 0
- Name: com.ibm.websphere.security.webseal.hostnames
- Value: Fully qualified host name of the WebSEAL instance (leave blank if com.ibm.websphere.security.webseal.checkViaHeader is false, as above)
- Name: com.ibm.websphere.security.webseal.ports
- Value: 443 (leave blank if checkViaHeader is false)
With checkViaHeader set to false the interceptor does not inspect the Via header at all, so hostnames and ports are unused; trust in the iv-creds header then rests on the interceptor validating the Basic Authentication credentials WebSEAL sends for the loginId user, which means the junction must supply them (-b supply) and the WebSphere listener should be reachable only from WebSEAL.
Save changes
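The console steps above as an added example, not from this wiki or from the cws-khuntly/WebSphere project: a shell function writes the equivalent wsadmin Jython (AdminTask.configureTrustAssociation and AdminTask.configureInterceptor from the SecurityConfigurationCommands group, with the property values from the list above) and emits hostnames and ports only when checkViaHeader is true, since they are dead configuration otherwise. The exact AdminTask argument syntax is from memory of the IBM command reference and should be confirmed with AdminTask.help('configureInterceptor') on your release; the profile name default wp_profile, the function names and the argument order are this example's assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the cws-khuntly/WebSphere wiki: generates and
# applies a wsadmin Jython script that configures the TAM TAI+ with the same
# custom properties as the ISC steps. Assumptions (not in the original page):
# the AdminTask commands configureTrustAssociation and configureInterceptor
# accept the arguments shown (verify with AdminTask.help on your release),
# and the Portal profile is named wp_profile unless PROFILE_NAME says otherwise.
set -u

TAI_CLASS=com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus
: "${WAS_INSTALL_ROOT:=/opt/IBM/WebSphere/AppServer}"
: "${PROFILE_NAME:=wp_profile}"   # assumed profile name
: "${SERVER_ID:=PORTALSERVER}"    # matches the configURL value on the page

# Write the Jython script. Arguments: output path, WebSEAL trusted login ID,
# checkViaHeader (true|false), then WebSEAL hostnames and ports, which are
# required when the Via header is checked and omitted when it is not.
write_tai_script() {
    local out=$1 login_id=$2 check_via=$3 hostnames=${4:-} ports=${5:-}
    local p=com.ibm.websphere.security.webseal
    case "$check_via" in
        true|false) ;;
        *) echo "checkViaHeader must be true or false" >&2; return 1 ;;
    esac
    local props=(
        "${p}.checkViaHeader=${check_via}"
        "${p}.id=iv-user,iv-creds"
        "${p}.loginId=${login_id}"
        "${p}.configURL=${WAS_INSTALL_ROOT}/tivoli/tam/PolicyDirector/${SERVER_ID}.properties"
        "${p}.ssoPwdExpiry=600"
        "${p}.ignoreProxy=false"
        "${p}.viaDepth=0"
    )
    if [ "$check_via" = true ]; then
        if [ -z "$hostnames" ] || [ -z "$ports" ]; then
            echo "checkViaHeader=true requires WebSEAL hostnames and ports" >&2
            return 1
        fi
        props+=("${p}.hostnames=${hostnames}" "${p}.ports=${ports}")
    fi
    # Render the properties as a Jython list literal: ["a=b", "c=d"]
    local list="" item
    for item in "${props[@]}"; do
        list+="${list:+, }\"${item}\""
    done
    cat > "$out" <<EOF
# Generated by write_tai_script: enables trust association and configures
# the TAM TAI+ interceptor in global security, then saves the configuration.
AdminTask.configureTrustAssociation('[-enable true]')
AdminTask.configureInterceptor('[-interceptor ${TAI_CLASS} -customProperties [${list}]]')
AdminConfig.save()
EOF
}

# Run the generated script through wsadmin on the Portal profile. Credentials
# come from soap.client.props or an interactive prompt, not from this command
# line, so nothing secret lands in shell history.
apply_tai_script() {
    local script=$1
    "/opt/IBM/WebSphere/profiles/${PROFILE_NAME}/bin/wsadmin.sh" \
        -lang jython -conntype SOAP -f "$script"
}
```

Typical use: `write_tai_script /tmp/tai.py wpsadmin false && apply_tai_script /tmp/tai.py`. Restart the Portal JVM after the save for the interceptor change to take effect; in a Network Deployment cell synchronize the node first. Passing `true webseal.example.test 443` as the last three arguments produces the stricter variant that also checks the Via header.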