Friday, January 19, 2007

SSO between WPM and WebSEAL - Follow up from my previous posting...

I'm gathering that most people do not bother bringing Web Portal Manager behind WebSEAL very often. While it's doable, the problem I ran into was the fact that sec_master is sort of a special user. It's not really a TAM user residing in the LDAP like all the rest of the TAM users, so when you try to log in to WPM as sec_master via WebSEAL you get a logon error from WebSEAL. Checking the WAS log for details, this is what I found:

[1/19/07 9:34:50:394 EST] 00000058 LdapRegistryI E SECJ0361E: Authentication failed for sec_master because user is not found in the registry.
[1/19/07 9:34:50:429 EST] 00000058 LdapRegistryI E SECJ0336E: Authentication failed for user sec_master because of the following exception {1}
[1/19/07 9:34:50:442 EST] 00000058 LTPAServerObj E SECJ0369E: Authentication failed when using LTPA. The exception is No user sec_master found.
[1/19/07 9:34:50:475 EST] 00000058 JaasLoginHelp A SECJ0222E: An unexpected exception occurred when trying to create a LoginContext. The LoginModule alias is system.WEB_INBOUND and the exception is No user sec_master found.
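
An added example, not part of the original post: a short Python triage script over the four log lines quoted above. It groups SECJ failures by thread and user to show that a single login attempt produced the whole chain, and that the messages report a registry lookup miss for the user. The function and pattern names are assumptions of this example, and the last sample line is constructed.

```python
import re
from datetime import datetime

# The four SystemOut.log lines quoted in the post, plus one constructed
# non-security line (last) to show that unrelated entries are skipped.
SAMPLE_LOG = """\
[1/19/07 9:34:50:394 EST] 00000058 LdapRegistryI E SECJ0361E: Authentication failed for sec_master because user is not found in the registry.
[1/19/07 9:34:50:429 EST] 00000058 LdapRegistryI E SECJ0336E: Authentication failed for user sec_master because of the following exception {1}
[1/19/07 9:34:50:442 EST] 00000058 LTPAServerObj E SECJ0369E: Authentication failed when using LTPA. The exception is No user sec_master found.
[1/19/07 9:34:50:475 EST] 00000058 JaasLoginHelp A SECJ0222E: An unexpected exception occurred when trying to create a LoginContext. The LoginModule alias is system.WEB_INBOUND and the exception is No user sec_master found.
[1/19/07 9:34:51:002 EST] 0000005a ExampleComp   I constructed unrelated line
"""

LINE = re.compile(r"^\[(?P<ts>\S+ \S+) \w+\]\s+(?P<thread>[0-9a-f]{8})\s+(?P<comp>\S+)\s+"
                  r"(?P<level>[A-Z])\s+(?P<msgid>SECJ\d{4}[A-Z]):\s+(?P<text>.*)$")
USER = re.compile(r"failed for (?:user )?(\S+) because|No user (\S+) found")
REGISTRY_MISS = re.compile(r"not found in the registry|No user \S+ found")


def summarize(log_text):
    """Group SECJ authentication failures by (thread, user)."""
    events = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a SECJ security message
        u = USER.search(m["text"])
        if not u:
            continue  # SECJ message that names no user
        user = u.group(1) or u.group(2)
        ts = datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S:%f")
        ev = events.setdefault((m["thread"], user), {
            "first": ts, "last": ts, "msgids": [], "components": [],
            "registry_miss": False})
        ev["last"] = ts
        ev["msgids"].append(m["msgid"])
        if m["comp"] not in ev["components"]:
            ev["components"].append(m["comp"])
        ev["registry_miss"] |= bool(REGISTRY_MISS.search(m["text"]))
    return events


if __name__ == "__main__":
    for (thread, user), ev in summarize(SAMPLE_LOG).items():
        cause = "user missing from WAS registry" if ev["registry_miss"] else "other"
        print(f"thread {thread} user {user}: {' -> '.join(ev['msgids'])} ({cause})")
```

Run against a full SystemOut.log, the same grouping separates accounts that WebSEAL passes through but the WAS registry cannot resolve from accounts failing for other reasons.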

For reference Technote #1153647 shows how to set this up at

In my previous posting, I mentioned that step 3 said to modify the authMethod in the pdwpm.conf file and that it simply wasn't there. I believe this is because the doc is referring to TAM 5.1 and since I'm running TAM 6.0 these properties are now located in I found this file buried here on my WPM server:


I have also since made a few other changes to my SSO configuration, and then everything started working correctly with WPM behind WebSEAL, except of course for the issue with not being able to log in as sec_master.

Anyhow, here are the other items I changed on my SSO config for WPM:

1.) Added iv_creds to the /wpm junction
2.) On the WPM server, for WAS Global Security, modified:
    Global Security > LTPA > Trust Association > Interceptors > WebSealTAI > Custom Props > Ports:
        Changed 443 to 443,80
    Global Security > LDAP User Registry > Type:
        Changed Tivoli Directory Server to Custom

Not sure which, if any, of these solved the problem, but I can now log in to WPM via WebSEAL as any TAM user. Again, sec_master is a problem, but that's because sec_master is not a normal TAM user, so I'm not sure what I'll do about it. We really don't gain a whole lot by putting WPM behind WebSEAL anyhow. I just wanted to do it for the sake of learning.



Adil said...

Hi Charles,

This was a very interesting topic for blogging; however, it was real learning on my part since I am an amateur in TAM. Also, I would like to ask you something:

When the password of sec_master is changed, will it have any effect on the TAI++ configuration, because when configuring TAI++ the credentials of sec_master are required? Or are the sec_master credentials only required during initial configuration?

I appreciate any help provided, although I am sure you have a better understanding than myself, so you would be able to help out on this.

Anonymous said...

Hi Charles,

Firstly, I would like to thank you for creating such a wonderful blog for the IBM Tivoli suite of software.
I had little exposure to this set of products and your blog really drives me to try new things... I always look for an answer at your blog... God bless you...

Coming to SSO for WPM...

I am trying to configure Forms SSO for WPM behind WebSEAL and running into problems... Can you guide me in this regard?

TAM 6.0
WAS 6.0

Created a junction which has the path to fsso.conf.
Changed fsso.conf.template to fsso.conf and made changes to that file, which did not work...

Any help in this regard is greatly appreciated.


Gaya3 said...


I'm working with both TAM 5.1 and TAM 6.
But I couldn't find any difference between these two versions, except for the two-step login in TAM 6.

Can you tell me what the basic difference is between these two versions, TAM 5.1 and TAM 6?