Friday, January 12, 2007

SSO Between WPM and TAM using TAI

We though since SSO between TIM and TAM was so easy then naturally Web Portal Manager (WPM) would be just as easy. No such luck. WPM is a bit more involved. First of all we have Web Portal Manager and WebSeal on two separate VMs. Our LDAP (TAM User Registry) is also a separate VM. I followed TechNote #1153647 from the IBM Support Web Site. This is regarding TAMeb 5.1 so it's a little dated, but IBM Tech Support says it should work for the newer environment as well. That being TAMeb 6.0 and my WPM server is using WAS 6.0 with refresh pack 2.

So, the instructions were pretty straight forward accept for Step 3. Modify the "authMethod" in the pdwpm.conf file to the value SSO. This file was supposed to be at /opt/PolicyDirector/etc on the WPM server, but is wasn't. The only file that was close was pdwpm.conf.template. So I assumed that they wanted me to copy this to pdwpm.conf and make the modification as noted in the step.

Another little difference is that when you web to the WAS server to get to the Admin console, prior to version 6 the default port was 9090. For WAS 6 it is 9060. The instructions here walk you through the Admin Console to set up LTPA and User Registry parameters. Essentially you will be pointing the WAS server to the LDAP so this Admin Console will also be secure when you are done. No longer will you be able to just type anything in the login prompt to get into the Admin console. You may have to create some LDAP users along the way for this to work. I created a WAS Admin ID and a WPM User ID for this whole process. One thing to note is that in Step 11 you will have to complete the User Registry Form and the Bind (DN) shown in the example uses cn=root. I tried a different user ID that has basically just read access to the LDAP and when I tried to apply the User Registry settings I had a credential failure. I had to use the cn=root as shown in the instructions. I'm guessing this is because my other user did not have enough access to something in the LDAP, the instructions do not really explain what exactly all these accounts need to do.

The only thing I did not do from these instructions is enable the Diagnostic Trace Service. (I may need to go back and do this)

The Problem:

When I try to access Web Portal Manager via WebSeal I get a login prompt:

a.) If I try to login as sec_master or other TAM users I get an error "Could not Sign User on"

b.) If I try to web directly to the WPM Server I get basic authentication (not sure why that is), but I cannot login as sec_master at all. I keep getting prompted for login

If I try to login as another TAM user I get a different error "Delegate credential was specified but its value is null"

At this point I can hit the Back button in the error message and WPM will present me with the logon form instead of basic. Then I can actually login as sec_master.

At this point I'm pretty sure there is something I've missed or maybe the difference between TAM 5.1 and 6 or WAS 5 and 6 is causing this. I eventually found the file where I found the "authMethod" parameter that was supposed to be in pdwpm.conf. The thought was that maybe this is where we should be setting this parameter instead of the pdwpm.conf. You would not believe where the amconf.peoperties file is buried:


Well, I should hopefully have an answer from IBM Tech support soon on this. If not, then maybe I wont worry about putting the WPM behind TAM at all.

1 comment:

Phil said...

So did you find out any more info. In particular around the "Delegate credential was specified but its value is null" I am receiving the same error?