IBM Tivoli Access Manager for e-business

 

BEA WebLogic Server

5.1

SA30-2210-00

!

, 71 C

(2003 11 )

, IBM Tivoli Access Manager( 5724-C08) 5, 1,

0 .

© Copyright International Business Machines Corporation 2003. All rights reserved.

1 . . . 1
Tivoli Access Manager . . . 1
Tivoli Access Manager WebLogic . . . 2
Tivoli Access Manager Security Service Provider Interface . . . 3
Policy . . . 5
Tivoli Access Manager . . . 6
2 . . . 11
Tivoli Access Manager Policy Server . . . 12
Tivoli Access Manager Authorization Server . . . 12
Tivoli Access Manager WebSEAL Tivoli Access Manager Plug-in for Web Servers . . . 13
BEA WebLogic Server . . . 13
Tivoli Access Manager Java . . . 14
install_amwls . . . 16
AIX . . . 17
HP-UX . . . 18
Solaris . . . 19
Windows . . . 20
3 . . . 23
1: Tivoli Access Manager Java Runtime Environment . . . 23
2: startWebLogic CLASSPATH . . . 25
3: Tivoli Access Manager for WebLogic . . . 26
Console Extension Web Application Tivoli Access Manager for WebLogic . . . 26
Tivoli Access Manager for WebLogic . . . 28
4: Tivoli Access Manager . . . 29
Console Extension Web Application Tivoli Access Manager . . . 29
Tivoli Access Manager . . . 30
5: BEA WebLogic Server . . . 32
WebSEAL . . . 32
Tivoli Access Manager Plug-in for Web Servers . . . 33
6: BEA WebLogic Server Tivoli Access Manager for WebLogic . . . 34
7: . . . 34
4 . . . 37
Tivoli Access Manager WebSEAL . . . 37
5 . . . 39
Tivoli Access Manager Authorization Server . . . 39
Tivoli Access Manager for WebLogic . . . 40
3 policy . . . 44
Tivoli Access Manager . . . 45
Tivoli Access Manager for WebLogic . . . 46
WebLogic . . . 47
6 . . . 49
Solaris . . . 49
Windows . . . 50
AIX . . . 50
HP-UX . . . 51
A. . . . 53
amsspi.properties . . . 53
rbpf.properties . . . 55
amwlsjlog.properties . . . 60
B. . . . 63
AMWLSConfigure -action config . . . 64
AMWLSConfigure -action unconfig . . . 66
AMWLSConfigure -action create_realm . . . 67
AMWLSConfigure -action delete_realm . . . 69
C. . . . 71

IBM® Tivoli® Access Manager for BEA® WebLogic Server® ( Tivoli Access Manager for WebLogic) . IBM Tivoli Access Manager BEA WebLogic Server

.

IBM® Tivoli® Access Manager(Tivoli Access Manager) IBM Tivoli Access Manager .IBM Tivoli Access Manager

. e-business

policy

.

: IBM Tivoli Access Manager Tivoli SecureWay® Policy Director

. Tivoli SecureWay Policy Director

Policy Server .

IBM Tivoli Access Manager for WebLogic Server BEA WebLogic Server IBM Tivoli Access Manager ,

.

.

- IT

.

- HTTP, TCP/IP, FTP Telnet

- WebLogic Server

SSL(Secure Sockets Layer) , SSL , (

), , CA(Certificate Authority)

.

.

- 1 , “ ”

Tivoli Access Manager for WebLogic

.

- 2 , “

Tivoli Access Manager for WebLogic .

- 3 ,

Tivoli Access Manager for WebLogic .

- 4 , “ ”

, ,

.

- 5 , “ ”

Tivoli Access Manager for WebLogic .

Tivoli Access Manager ,

.

.

IBM Tivoli Access Manager for e-business

.

http://www.ibm.com/software/tivoli/products/access-mgr-e-bus/

Tivoli Access Manager .

- ix

- ix

- x

- xi

- IBM Tivoli Access Manager for e-business Read This First (GA30-2205-00) Tivoli Access Manager .

- IBM Tivoli Access Manager for e-business (GA30-2206-00)

,

.

- IBM Tivoli Access Manager (SA30-2207-00)

Web Portal Manager Tivoli Access Manager

. IBM Tivoli Access Manager for e-business , IBM Tivoli Access Manager for Business Integration IBM Tivoli Access Manager for Operating Systems

Tivoli Access Manager .

- IBM Tivoli Access Manager Base Administration Guide (SC32-1360-00) Tivoli Access Manager . pdadmin Web Portal Manager

.

- IBM Tivoli Access Manager for e-business (SA30-2208-00) Tivoli Access Manager ,

. IBM Tivoli Access Manager

.

- IBM Tivoli Access Manager Upgrade Guide (SC32-1369-00)

Tivoli SecureWay Policy Director 3.8 Tivoli Access Manager

Tivoli Access Manager 5.1 .

- IBM Tivoli Access Manager for e-business WebSEAL Administration Guide (SC32-1359-00)

WebSEAL

, .

- IBM Tivoli Access Manager for e-business IBM WebSphere Application Server (SA30-2209-00)

Tivoli Access Manager IBM WebSphere® Application Server

, .

- IBM Tivoli Access Manager for e-business IBM WebSphere Edge Server (SA30-2211-00)

Tivoli Access Manager IBM WebSphere Edge Server

, .

- IBM Tivoli Access Manager for e-business Plug-in for Web Servers Integration Guide (SC32-1365-00)

,

.

- IBM Tivoli Access Manager for e-business BEA WebLogic Server (SA30-2210-00)

Tivoli Access Manager BEA WebLogic Server ,

.

- IBM Tivoli Access Manager for e-business IBM Tivoli Identity Manager Provisioning Fast Start Guide (SC32-1364-00)

Tivoli Access Manager Tivoli Identity Manager

Provisioning Fast Start .

- IBM Tivoli Access Manager for e-business Authorization C API Developer Reference (SC32-1355-00)

Tivoli Access Manager C API Tivoli Access Manager

Tivoli Access Manager

.

- IBM Tivoli Access Manager for e-business Authorization Java Classes Developer Reference (SC32-1350-00)

API JavaTivoli Access Manager .

- IBM Tivoli Access Manager for e-business Administration C API Developer Reference (SC32-1357-00)

API Tivoli Access Manager

. API C

.

- IBM Tivoli Access Manager for e-business Administration Java Classes Developer Reference (SC32-1356-00)

API Java Tivoli Access Manager

.

- IBM Tivoli Access Manager for e-business Web Security Developer Reference (SC32-1358-00)

CDAS(Cross-Domain Authentication Service), CDMF(Cross-Domain Mapping Framework) Password Strength

.

- IBM Tivoli Access Manager for e-business Command Reference (SC32-1354-00) Tivoli Access Manager

.

- IBM Tivoli Access Manager Error Message Reference (SC32-1353-00) Tivoli Access Manager .

- IBM Tivoli Access Manager for e-business Problem Determination Guide (SC32-1352-00)

Tivoli Access Manager .

- IBM Tivoli Access Manager for e-business Performance Tuning Guide (SC32-1351-00)

IBM Tivoli Directory Server Tivoli Access Manager .

Tivoli Access Manager .

Tivoli Software Library white papers, datasheets, demonstrations, redbooks

announcement letters Tivoli .

Tivoli Software Library . http://www.ibm.com/software/tivoli/library/

Tivoli Software Glossary Tivoli

. Tivoli Software Glossary . Tivoli Software Library(http://www.ibm.com/software/tivoli/library/) Glossary

.

IBM Global Security Kit

Tivoli Access Manager IBM Global Security Kit(GSKit) 7.0

. GSKit IBM Tivoli Access Manager Base CD IBM Tivoli Access Manager Web Security CD, IBM Tivoli Access Manager Web Administration Interfaces CD IBM Tivoli Access Manager Directory Server CD .

GSKit , -

iKeyman gsk7ikm . Tivoli Information Center IBM Tivoli Access Manager

.

- IBM Global Security Kit Secure Sockets Layer and iKeyman User’s Guide (SC32-1363-00)

Tivoli Access Manager SSL

.

IBM Tivoli Directory Server

IBM Tivoli Directory Server, 5.2 IBM Tivoli Access Manager Directory Server CD .

: IBM Tivoli Directory Server

.

- IBM Directory Server( 4.1 5.1)

- IBM SecureWay Directory Server( 3.2.2)

IBM Directory Server 4.1, IBM Directory Server 5.1 IBM Tivoli Directory Server 5.2 IBM Tivoli Access Manager 5.1

.

IBM Tivoli Directory Server .

http://www.ibm.com/software/network/directory/library/

IBM DB2 Universal Database

IBM DB2® Universal DatabaseEnterprise Server Edition, 8.1 IBM Tivoli

Access Manager Directory Server CD IBM Tivoli Directory Server

. IBM Tivoli Directory Server, z/OSOS/390® LDAP Tivoli Access Manager DB2

.

DB2 .

http://www.ibm.com/software/data/db2/

IBM WebSphere Application Server

IBM WebSphere Application Server, Advanced Single Server Edition 5.0

IBM Tivoli Access Manager Web Administration Interfaces CD

. WebSphere Application Server Tivoli Access Manager

Web Portal Manager IBM Tivoli Directory Server

. Tivoli Access Manager IBM WebSphere Application Server 2 , IBM

Tivoli Access Manager WebSphere Fix Pack CD .

IBM WebSphere Application Server

.

http://www.ibm.com/software/webservers/appserv/infocenter.html

IBM Tivoli Access Manager for Business Integration

IBM Tivoli Access Manager for Business Integration

, IBM MQSeries® 5.2 IBM WebSphere® MQ 5.3

. IBM Tivoli Access Manager for Business Integration

WebSphere MQSeries

. WebSEAL IBM Tivoli Access Manager for Operating Systems, IBM Tivoli Access Manager for Business Integration , IBM Tivoli Access Manager

.

IBM Tivoli Access Manager for Business Integration

.

http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/

IBM Tivoli Access Manager for Business Integration 5.1

Tivoli Information Center .

- IBM Tivoli Access Manager for Business Integration (SA30-1825-01)

- IBM Tivoli Access Manager for Business Integration (GA30-2064-00)

- IBM Tivoli Access Manager for Business Integration (GA30-1827-01)

- IBM Tivoli Access Manager for Business Integration Read This First (GA30-2063-00)

IBM Tivoli Access Manager for WebSphere Business

Integration Broker

IBM Tivoli Access Manager for Business Integration IBM Tivoli Access Manager for WebSphere Business Integration Broker WebSphere Business Integration Message Broker, 5.0 WebSphere Business Integration Event Broker, 5.0 . IBM Tivoli Access Manager for WebSphere Business Integration Broker Tivoli Access Manager

,

JMS / .

IBM Tivoli Access Manager for WebSphere Integration Broker

.

http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/

IBM Tivoli Access Manager for WebSphere Integration Broker, 5.1

Tivoli Information Center .

- IBM Tivoli Access Manager for WebSphere Business Integration Brokers Administration Guide (SC32-1347-00)

- IBM Tivoli Access Manager for WebSphere Business Integration Brokers (GA30-2194-00)

- IBM Tivoli Access Manager for Business Integration Read This First (GA30-2063-00)

IBM Tivoli Access Manager for Operating Systems

IBM Tivoli Access Manager for Operating Systems

, UNIX policy

. IBM Tivoli Access Manager for Operating Systems

WebSEAL IBM Tivoli Access Manager for Business Integration IBM Tivoli Access Manager .

IBM Tivoli Access Manager for Operating Systems

.

http://www.ibm.com/software/tivoli/products/access-mgr-operating-sys/

IBM Tivoli Access Manager for Operating Systems 5.1 Tivoli Information Center .

- IBM Tivoli Access Manager for Operating Systems (SA30-1841-01)

- IBM Tivoli Access Manager for Operating Systems (SA30-1840-01)

- IBM Tivoli Access Manager for Operating Systems (SA30-1842-01)

- IBM Tivoli Access Manager for Operating Systems (GA30-1843-01)

- IBM Tivoli Access Manager for Operating Systems Read Me (GA30-1844-01)

IBM Tivoli Identity Manager

IBM Tivoli Identity Manager 4.5 ,

( : ID ) ( , ,

) . Tivoli Identity Manager Tivoli Access Manager Agent Tivoli Access Manager

. Agent IBM .

IBM Tivoli Identity Manager .

http://www.ibm.com/software/tivoli/products/identity-mgr/

Tivoli software library PDF HTML

.

http://www.ibm.com/software/tivoli/library

Product manuals . Tivoli Software Information Center .

, , ,

.

: PDF , Adobe Acrobat (

) .

.

.

.

Tivoli , IBM Tivoli Software Support

. Tivoli Support IBM Tivoli Software Support

.

http://www.ibm.com/software/support/

, IBM Software Support Guide

.

http://techsupport.services.ibm.com/guides/handbook.html

IBM Software Support

.

,

.

.

, , , , Java .

, , .

, , , , ,

,

.

UNIX . Windows

, $variable %variable% ,

(/) (\) . Windows bash

, UNIX .

1

Tivoli Access Manager for WebLogic Tivoli Access Manager

BEA WebLogic Server Tivoli Access

Manager . BEA WebLogic Server Security Service Provider Interface , Tivoli Access Manager for WebLogic Tivoli Access Manager . IBM Tivoli Access Manager WebSEAL(WebSEAL) IBM Tivoli Access Manager Plug-in for Web Server

Tivoli Access Manager for WebLogic .

Tivoli Access Manager for WebLogic WebLogic

Tivoli Access Manager

.

Tivoli Access Manager for WebLogic Tivoli Access Manager

.

Tivoli Access Manager Tivoli Access Manager .

.

Tivoli Access Manager

Tivoli Access Manager

policy .

Tivoli Access Manager policy . , ,

, . Tivoli Access Manager

.

Tivoli Access Manager .

Tivoli Access Manager , , HTTP

.

Tivoli Access Manager policy . policy

. Tivoli Access Manager Tivoli Access Manager

(third-party)

.

WebSEAL Tivoli Access Manager . WebSEAL

.

Tivoli Access Manager Plug-in for Web Servers Tivoli Access Manager

.

.

Tivoli Access Manager Plug-in for Web Servers WebSEAL

policy

.

IBM Tivoli Access Manager

Tivoli Access Manager .

Tivoli Access Manager .

Tivoli Access Manager WebLogic

Tivoli Access Manager for WebLogic, 5.1 .

- BEA WebLogic Server 7.0 SP2

- BEA WebLogic Server 8.1 SP1

Tivoli Access Manager for WebLogic 5.1 SSPI(Security Service Provider Interface) BEA WebLogic Server

.

: Tivoli Access Manager for WebLogic 5.1 BEA WebLogic Server

. BEA WebLogic Server

Tivoli Access Manager for WebLogic 4.1 .

BEA WebLogic Server (third-party) ( : Tivoli Access Manager for WebLogic) SSPI BEA WebLogic Server

.

Tivoli Access Manager Security Service Provider Interface

Tivoli Access Manager for WebLogic BEA WebLogic Server BEA WebLogic Server

.

Tivoli Access Manager for WebLogic BEA WebLogic Server

.

WebLogic

Management Bean(MBean) .

MBean .

Tivoli Access Manager BEA WebLogic Server .

Tivoli Access Manager for WebLogic BEA WebLogic Server

. BEA WebLogic Server . Tivoli Access Manager Tivoli Access Manager Java

.

Tivoli Access Manager for WebLogic WebSEAL Tivoli Access Manager Plug-in for Web Servers

. 37 4

.

Tivoli Access Manager for WebLogic

.

IBM Tivoli Access Manager for WebLogic Server WebLogic

.

- JAAS (Java Authentication and Authorization Service)

. JAAS JAAS

( ) . Tivoli Access Manager for

WebLogic , Tivoli Access Manager

Java Tivoli Access Manager Authorization Server

.

- MBean

WebLogic .

Tivoli Access Manager for WebLogic

.

BEA WebLogic Server

. BEA WebLogic Server

. Tivoli Access Manager Java

PDPermission .

Tivoli Access Manager for WebLogic

.

WebLogic . Tivoli Access Manager for WebLogic BEA WebLogic Server

Tivoli Access Manager policy Tivoli Access Manager policy .

- MBean

WebLogic . WebLogic

policy .

BEA WebLogic Server

.

policy .

.

WebLogic . Tivoli Access Manager for WebLogic

.

- MBean

WebLogic . WebLogic

.

Policy

Policy WebLogic

. J2EE ,

policy Tivoli Access Manager .

Tivoli Access Manager pdadmin Tivoli Access Manager Web Portal Manager policy . Tivoli Access Manager for WebLogic BEA WebLogic Server

Tivoli Access Manager policy . Tivoli Access Manager for WebLogic . Tivoli Access Manager for WebLogic 23 3

.

BEA WebLogic Server , Tivoli Access Manager for WebLogic . Tivoli Access Manager for WebLogic , BEA WebLogic Server

.

policy Tivoli Access Manager

.

BEA WebLogic Server .

- COM

- EIS

- EJB

- JDBC

- JMS

- URL

Tivoli Access Manager .

/WebAppServer/WLS/Resources/wls_domain/wls_realm/resource_type/Details

Tivoli Access Manager .

/WebAppServer/WLS/Roles/wls_domain/wls_realm/role_name/AppName

Tivoli Access Manager Tivoli Access Manager for WebLogic .

BEA WebLogic Server Tivoli Access Manager .

policy .

Tivoli Access Manager

Tivoli Access Manager

. WebSEAL Tivoli Access Manager Plug-in for Web Servers .

WebSEAL Tivoli Access Manager Plug-in for Web Servers

WebLogic

.

.

WebSEAL

.

1. Tivoli Access Manager .

.

1.. WebSEAL

2.WebSEAL Tivoli Access Manager

.

WebSEAL , , RSA SecurID

.

WebSEAL URL Tivoli Access Manager policy

. WebSEAL ( : ,

) .

3.URL , WebSEAL WebLogic

.

. sso_user Security Service Provider Interface WebSEAL .

sso_user 23 3

.

4.WebLogic ID Security Service Provider Interface

.

5.Security Service Provider Interface Tivoli Access Manager

WebSEAL sso_user

. , WebSEAL

.

WebSEAL

.

2. Tivoli Access Manager Custom Realm .

.

1..

2.WebLogic ID Security Service Provider Interface

.

3.Security Service Provider Interface

.

, Security Service Provider Interface

WebLogic .

4.BEA WebLogic Server (

)

Tivoli Access Manager for WebLogic

.

Tivoli Access Manager Authorization Server .

Tivoli Access Manager for WebLogic Tivoli Access Manager Java

IBM JLog . Tivoli Access Manager for WebLogic Tivoli Access Manager for WebLogic

JLog BEA WebLogic Server

. Tivoli Access Manager for WebLogic WebLogic

.

, ,

Tivoli Access Manager for WebLogic Tivoli Access Manager Java

Tivoli Access Manager

. Tivoli Access Manager for WebLogic

.

Tivoli Access Manager Java Tivoli Access Manager Authorization Server . 1 Authorization Server , 2

.

acld Tivoli Access Manager for WebLogic

.

Tivoli Access Manager for WebLogic Tivoli Access Manager Authorization Server Tivoli Access Manager Policy Server .

Tivoli Access Manager Policy Server

.

. 39 Tivoli Access Manager Authorization Server .

2

.

- 12

- 14

- 17

Tivoli Access Manager for WebLogic, 5.1 .

- BEA WebLogic Server 7.0 SP2

- BEA WebLogic Server 8.1 SP1

Tivoli Access Manager for WebLogic

. , BEA WebLogic Server SSPI(Security Service Provider

Interface) .

Tivoli Access Manager for WebLogic .

- IBM AIX 5.1

- Sun Solaris 8 9

- Hewlett-Packard HP-UX 11.0 11i(BEA WebLogic Server 7.0 )

- Microsoft Windows 2000 Server Advanced Server( 3)

: Tivoli Access Manager for WebLogic Java 2 Security Manager

. Java policy Java 2 Security Manager

.

Tivoli Access Manager for WebLogic

.

- 64MB RAM, 128MB

BEA WebLogic Server Tivoli Access Manager

. 64MB RAM

.

Tivoli Access Manager

Tivoli Access Manager . IBM Tivoli Access Manager .

- 2MB , 4MB

BEA WebLogic Server Tivoli Access Manager

.

- 5MB

.

Tivoli Access Manager for WebLogic

.

- Tivoli Access Manager Policy Server

- 13 Tivoli Access Manager WebSEAL Tivoli Access Manager Plug-in for Web Servers

- 13 BEA WebLogic Server

- 14 Tivoli Access Manager Java

Tivoli Access Manager Policy Server

Tivoli Access Manager for WebLogic Tivoli Access Manager

.

Tivoli Access Manager Policy Server Tivoli Access Manager

. Policy Server IBM Tivoli Access

Manager Base CD .

Tivoli Access Manager Policy Server Tivoli Access Manager for WebLogic .

Tivoli Access Manager Authorization Server

Tivoli Access Manager Authorization Server BEA WebLogic Server Tivoli Access Manager for WebLogic .

Authorization Server BEA WebLogic Server Tivoli Access Manager

. Authorization Server

.

Tivoli Access Manager WebSEAL Tivoli Access Manager Plug-in for Web Servers

Tivoli Access Manager WebSEAL(WebSEAL) Tivoli Access Manager Plug-in

for Web Servers( ) Tivoli Access Manager for WebLogic

. BEA WebLogic Server .

WebSEAL Tivoli Access Manager for WebLogic

.

.

WebSEAL IBM Tivoli Access Manager for e-business .

WebSEAL BEA WebLogic Server

, BEA WebLogic Server

. BEA WebLogic Server

.

.

BEA WebLogic Server .

BEA WebLogic Server

Tivoli Access Manager for WebLogic BEA WebLogic Server

. BEA WebLogic Server startWebLogic

.

BEA WebLogic Server AIX Java Runtime Environment . Tivoli Access Manager for WebLogic

JRE(Java Runtime Environment) . BEA WebLogic Server

JRE Tivoli Access Manager for WebLogic .

AIX IBM Java Runtime Environment

AIX BEA WebLogic Server 7.0 Tivoli Access Manager

for WebLogic IBM Java Runtime Environment 1.3

. AIX BEA WebLogic Server 8.1 Tivoli

Access Manager for WebLogic IBM Java Runtime Environment

1.4 . Tivoli Access Manager for WebLogic

Java Runtime Environment .

Tivoli Access Manager Java

Tivoli Access Manager for WebLogic Tivoli Access Manager

Tivoli Access Manager Java 5.1

.

Tivoli Access Manager Java Java

. Java BEA WebLogic Server JRE(Java Runtime Environment) .

Tivoli Access Manager for WebLogic Tivoli Access Manager Java Runtime Environment Tivoli Access Manager

.

Tivoli Access Manager Java Runtime Environment

IBM Tivoli Access Manager Base CD .

IBM Tivoli Access Manager .

BEA WebLogic Server, 7.0

. BEA WebLogic Server, 8.1 , 17

.

install_amwls Tivoli Access Manager for WebLogic Server .

- Access Manager Java Runtime Environment

- Access Manager for WebLogic Server

install_amwls Tivoli Access Manager for WebLogic Server

.

1.Tivoli Access Manager , Policy Server Authorization Server

.

2.. 11

.

3.( )

.

4.BEA WebLogic Server BEA WebLogic Server .

5.Windows .

6.BEA WebLogic Server .

UNIX /WLS_install_dir/user_projects/domain_name/startWebLogic.sh

Windows

C:\WLS_install_dir\user_projects\domain_name\startWebLogic.cmd

7.BEA WebLogic Server WebLogic_install_dir/server/bin

CLASSPATH PATH WebLogic

.jars CLASSPATH, bin lib .

UNIX .setWLSEnv.sh

Windows

setWLSEnv.cmd

BEA WebLogic Server Java

.

8. AIX, HP-UX(BEA WebLogic Server 7.0 ), Solaris Windows Tivoli Access Manager Web Security CD install_amwls

. BEA WebLogic Server

, . install_amwls -is:javahome path

path jre .

:

a. install_amwls.options.template .

.

- . install_amwls -options install_amwls.options.template

- .

install_amwls -silent -options install_amwls.options.template

b.BEA WebLogic Server JDK

.

.

, IBM JDK 1.3.1 install_amwls

.

16 install_amwls

. Windows Tivoli Access Manager for WebLogic .

: ( ),

.

,

. , 23

3 Tivoli Access Manager for WebLogic

.

9.BEA WebLogic Server .

10. AMSSPIProviders.jar /bea_install_dir/weblogic/server/lib/mbeantypes .

, /amwls_install_dir/lib

.

11.25 2 : startWebLogic CLASSPATH

startWebLogic CLASSPATH .

12.Tivoli Access Manager . 29

4 : Tivoli Access Manager .

13.WebLogic BEA WebLogic Server .

14.Tivoli Access Manager WebSEAL BEA WebLogic Server

32 5 : BEA WebLogic Server .

15.34 7 :

Tivoli Access Manager for WebLogic Tivoli Access Manager

.

install_amwls

install_amwls .

1. install_amwls

 

 

 

 

 

 

 

Authorization Server

 

ACL *

Tivoli Access Manager (

 

 

)

 

sec_master *

Tivoli Access Manager

 

 

Policy Server .

 

Policy Server *

, .

 

 

pdmgr.tivoli.com

 

 

 

 

1. install_amwls ( )

Policy Server *

Policy Server

7135

. 7135 .

 

 

Authorization Server *

Tivoli Access Manager Authorization

 

Server

 

 

 

Authorization Server *

Authorization Server

7136

True AMWLS5.1

 

true

 

 

 

 

 

BEA WebLogic Server .

 

WebLogic *

WebLogic

 

 

.

 

WebLogic *

WebLogic

 

Access Manager for WebLogic Server Windows

C:\Program Files\Tivoli\pdwls

 

.

 

WebLogic Admin Server URL

 

t3://localhost:7001

 

 

 

.

- AIX

- 18 HP-UX

- 19 Solaris

- 20 Windows

: Tivoli Access Manager for WebLogic BEA WebLogic Server .

AIX

Tivoli Access Manager for WebLogic

. AIX installp . Tivoli Access Manager for WebLogic

: Tivoli Access Manager for WebLogic

, . 50 AIX

.

AIX Tivoli Access Manager for WebLogic

.

1.root .

2.Tivoli Access Manager

. 12

.

3.IBM Tivoli Access Manager Web Security for AIX CD CD

.

4..

installp -acgNXd cd_mount_point/usr/sys/inst.images PDWLS

: AMSSPIProviders.jar /bea_install_dir/weblogic/server/lib/mbeantypes .

/amwls_install_dir/lib

.

5.Tivoli Access Manager for WebLogic . 23

3

HP-UX

HP-UX Tivoli Access Manager for WebLogic BEA WebLogic Server 7.0 .

Tivoli Access Manager for WebLogic

, . 51 HP-UX

.

HP-UX Tivoli Access Manager for WebLogic

.

1.root .

2.Tivoli Access Manager

. 12

.

3.pfs_mountd pfsd

. pfs_mount CD . ,

.

/usr/sbin/pfs_mount /dev/dsk/c0t0d0 /cd-rom

/dev/dsk/c0t0d0 CD /cd-rom .

4.Tivoli Access Manager for WebLogic

.

# swinstall -s /cd-rom/hp PDWLS

.

. CD

. . swinstall

.

: AMSSPIProviders.jar /bea_install_dir/weblogic/server/lib/mbeantypes .

, /amwls_install_dir/lib

.

5., Tivoli Access Manager for WebLogic . 23

3

Solaris

Tivoli Access Manager for WebLogic

. Solaris Operating Environment( Solaris )

pkgadd . , Tivoli Access Manager for WebLogic

: Tivoli Access Manager for WebLogic

, . 49 Solaris

.

Solaris Tivoli Access Manager for WebLogic

.

1.root .

2.Tivoli Access Manager

. 12

.

3.Solaris IBM Tivoli Access Manager CD .

4..

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDWLS

,

-d /cdrom/cdrom0/solaris

.

 

 

-a /cdrom/cdrom0/solaris/pddefault

.

 

 

, .

.

: AMSSPIProviders.jar /bea_install_dir/weblogic/server/lib/mbeantypes .

, /amwls_install_dir/lib

.

5., Tivoli Access Manager for WebLogic . 23

3 .

Windows

Tivoli Access Manager for WebLogic

. Tivoli Access Manager for WebLogic InstallShield setup.exe

. InstallShield 23 3

Tivoli Access Manager for WebLogic .

: Tivoli Access Manager for WebLogic

, . 50

Windows .

Windows Tivoli Access Manager for WebLogic

.

1.Administrator Windows .

2.Tivoli Access Manager

. 12

.

3.IBM Tivoli Access Manager Web Security for Windows CD CD

.

4.Tivoli Access Manager for WebLogic InstallShield

. E: CD

.

E:\Windows\PolicyDirector\Disk Images\Disk1\PDWLS\Disk Images\Disk1\setup.exe

.

5.. InstallShield .

6..

.

7..

.

8.. .

.

9..

. .

10..

11.AMSSPIProviders.jar

c:\bea_install_dir\weblogic\server\lib\mbeantypes

. ,

c:\amwls_install_dir\lib .

12., Tivoli Access Manager for WebLogic . 23

3 .

3

Tivoli Access Manager for WebLogic

.

- 1 : Tivoli Access Manager Java Runtime Environment

- 25 2 : startWebLogic CLASSPATH

- 26 3 : Tivoli Access Manager for WebLogic

- 29 4 : Tivoli Access Manager

- 32 5 : BEA WebLogic Server

- 34 6 : BEA WebLogic Server Tivoli Access Manager for WebLogic

- 34 7 :

: Tivoli Access Manager Tivoli Access Manager for WebLogic

. 11 2

.

1 : Tivoli Access Manager Java Runtime Environment

Tivoli Access Manager Java Runtime Environment Tivoli Access Manager for

WebLogic . Java Runtime

BEA WebLogic Server . Tivoli Access Manager

pdjrtecfg BEA WebLogic Server JRE(Java Runtime

Environment) . Java , BEA

WebLogic Server JRE(Java Runtime Environment) pdjrtecfg

.

1.Tivoli Access Manager JRE(Java Runtime Environment)

.

12 .

2.BEA WebLogic Server WebLogic_install_dir/server/bin

CLASSPATH PATH CLASSPATH, bin lib WebLogic .jars .

UNIX .setWLSEnv.sh

Windows

setWLSEnv.cmd

© Copyright IBM Corp. 2003


ezInstall BEA WebLogic Server Java

.

3.Tivoli Access Manager Java Runtime Environment BEA WebLogic Server

JDK .

.

a.Tivoli Access Manager sbin

. , .

UNIX: /opt/PolicyDirector/sbin

Windows: C:\Program Files\Tivoli\Policy Director\sbin

b.pdjrtecfg .

pdjrtecfg -action config -host policy_server_name -java_home java_location

java_location BEA WebLogic Server Java Runtime Environment

. .

Windows

BEA WebLogic Server 7.0

c:\bea\jdk131_ob\jre

BEA WebLogic Server 8.1

c:\bea\jdk141\jre

Solaris, HP-UX

/usr/local/bea/jdk141_03

AIX

AIX BEA WebLogic Server 7.0 IBM Java Runtime

Environment 1.3 BEA WebLogic Server 8.1 IBM

Java Runtime Environment 1.4 . pdjrtecfg

-java_home AIX JRE

. BEA WebLogic Server 7.0

/usr/java131

BEA WebLogic Server 8.1

/usr/java14

:

1)BEA WebLogic Server 8.1 pdjrtecfg jre/lib

jsse.jar . Tivoli Access Manager Java Runtime .

2)Sun v1.4d JRE , pdjrtecfg

pdconfig JRE .


pdjrtecfg IBM Tivoli Access Manager

.

2 : startWebLogic CLASSPATH

: WebLogic .

startWebLogic WebLogic . startWebLogic

Java CLASSPATH

.

.

1.WebLogic .

2.startWebLogic CLASSPATH .

UNIX

/opt/pdwls/lib/AMSSPICore.jar

/opt/pdwls/lib/rbpf.jar

Windows

C:\amwls_install_directory\lib\AMSSPICore.jar

C:\amwls_install_directory\lib\rbpf.jar

startWebLogic BEA WebLogic Server

. .

UNIX /WebLogic_install_directory/user_projects/domain_name

Windows

C:\WebLogic_install_directory\user_projects\domain_name

domain_name BEA WebLogic Server

.

3.( ) .

( ) ,

startWebLogic CLASSPATH .

UNIX

/opt/pdwls/nls/java/com/tivoli/amwls/sspi/nls

Windows

C:\Progra~1\Tivoli\pdwls\nls\java\com\tivoli\amwls\sspi\nls

: , /opt/pdwls/nls/java/com/tivoli/amwls/sspi/nls/ .


3 : Tivoli Access Manager for WebLogic

Tivoli Access Manager for WebLogic Tivoli Access Manager Console Extension Web Application .

.

BEA WebLogic Server

.

Tivoli Access Manager for WebLogic

. Tivoli Access Manager for WebLogic

. 53 A

.

Console Extension Web Application Tivoli Access Manager for WebLogic

1.BEA WebLogic Server .

UNIX /WLS_install_dir/user_projects/domain_name/startWebLogic.sh

Windows

C:\WLS_install_dir\user_projects\domain_name\startWebLogic.cmd

2.BEA WebLogic BEA WebLogic

. , . http://WebLogic_server_name:7001/console

7001 BEA WebLogic Server . .

3.BEA WebLogic Server . BEA WebLogic Server .

4.Tivoli Access Manager for WebLogic Server Tivoli Access Manager

Tivoli Access Manager Console Extension Web Application .

.

a.BEA WebLogic Server

.

b..

c..

d.amwls_install_dir\lib\AMWLSConsoleExtension.war

. .

e.AMWLSConsoleExtension.war .


f..

Console Extension Web Application

. .

AMWLSConsoleExtensions .

BEA WebLogic Server

Tivoli Access Manager .

5.Tivoli Access Manager BEA WebLogic Server

Access Manager .

6.. .

.

config .

. .

 

 

 

 

domain_admin

WebLogic

 

 

domain_admin_pwd

WebLogic

 

 

remote_acl_user

Authorization Server Tivoli Access Manager

 

( )

 

 

sec_master_pass

Tivoli Access Manager sec_master

 

 

pdmgrd_host

Tivoli Access Manager Policy Server

 

 

pdacld_host

Tivoli Access Manager Authorization Server

 

 

:

. .

config .

 

 

 

 

wls_server_url

WebLogic URL . t3://localhost:7001 .

 

 

pdmgrd_port

Tivoli Access Manager Policy Server

 

 

pdacld_port

Tivoli Access Manager Authorization Server

 

 

am_domain

Tivoli Access Manager . Default

 

.

 

 

amwls_home

Tivoli Access Manager for WebLogic Server

 

.

 

 

.

7., Tivoli Access Manager for WebLogic Server

.

Tivoli Access Manager . 29 4 : Tivoli

Access Manager .


Tivoli Access Manager for WebLogic

1.BEA WebLogic Server .

UNIX

/WLS_install_dir/user_projects/domain_name/startWebLogic.sh

Windows

C:\WLS_install_dir\user_projects\domain_name\startWebLogic.cmd

2.Tivoli Access Manager for WebLogic .

: Tivoli Access Manager for WebLogic

( ), AMWLSConfigure

AMSSPI_DIR .

, WebLogic , WLS_JAR

AMWLSConfigure WebLogic.jar

.

UNIX install-dir/sbin/AMWLSConfigure.sh

Windows

install-dir\sbin\AMWLSConfigure.bat

Tivoli Access Manager for WebLogic AMWLSConfigure Java

.

• AMWLSConfigure -action config [options ...]

Tivoli Access Manager for WebLogic .

• AMWLSConfigure -help [action]

AMSSPIConfigure .

config .

. .

 

 

 

 

domain_admin

WebLogic

 

 

domain_admin_pwd

WebLogic

 

 

remote_acl_user

Authorization Server Tivoli Access Manager

 

( )

 

 

sec_master_pass

Tivoli Access Manager sec_master

 

 

pdmgrd_host

Tivoli Access Manager Policy Server

 

 

pdacld_host

Tivoli Access Manager Authorization Server

 

 

:

. .


config .

 

 

 

 

deploy_extension

true , Tivoli Access Manager for WebLogic Server

 

. true .

 

 

wls_server_url

WebLogic URL .

 

t3://localhost:7001 .

 

 

pdmgrd_port

Tivoli Access Manager Policy Server

 

 

pdacld_port

Tivoli Access Manager Authorization Server

 

 

am_domain

Tivoli Access Manager . Default

 

.

 

 

amwls_home

Tivoli Access Manager for WebLogic Server

 

.

 

 

verbose

.

 

false .

 

 

Tivoli Access Manager .

4 : Tivoli Access Manager

Console Extension Web Application Tivoli Access

Manager

Tivoli Access Manager for WebLogic Server BEA WebLogic Server

Tivoli Access Manager

. .

1.Access Manager

.

2.. . .

3.BEA WebLogic Server 7.0 Tivoli Access Manager

, .

a.BEA WebLogic Server

.

b.. .

. .

BEA WebLogic Server 8.1 Tivoli Access Manager

BEA WebLogic Server

.

4. BEA WebLogic Server .


5.Access Manager ,

Access Manager Tivoli Access Manager .

: SSO

, SSO .

, Tivoli Access Manager for WebLogic rbpf.properties

SSO . rbpf.properties 53 A

.

Tivoli Access Manager

1.Tivoli Access Manager for WebLogic

.

: Tivoli Access Manager for WebLogic

( ), AMWLSConfigure

AMSSPI_DIR .

WebLogic WebLogic 8.1

, WLS_JAR AMWLSConfigure

WebLogic.jar .

UNIX install-dir/sbin/AMWLSConfigure.sh

Windows

install-dir\sbin\AMWLSConfigure.bat

Tivoli Access Manager for WebLogic AMWLSConfigure Java

.

• AMWLSConfigure -action create_realm [options ...]

Tivoli Access Manager for WebLogic .

• AMWLSConfigure -help [action]

AMSSPIConfigure .

create_realm .

. .

 

 

 

 

realm_name

WLS .

 

 

domain_admin_pwd

WebLogic .

 

 

user_dn_suffix

Console Extension Web Application

 

(DN) .

 

 


group_dn_suffix

Console Extension Web Application

 

(DN) .

 

 

admin_group

Tivoli Access Manager .

 

 

:

. .

create_realm .

 

 

 

 

user_dn_prefix

Console Extension Web Application

 

(DN) .

 

 

group_dn_prefix

Console Extension Web Application

 

(DN) .

 

 

sso_enabled

true .

 

false .

 

 

sso_user

Tivoli Access Manager

 

.

 

 

sso_pwd

.

 

 

verbose

.

 

false .

 

 

2.BEA WebLogic Server 7.0 Tivoli Access Manager

, .

a.BEA WebLogic BEA WebLogic

. , . http://WebLogic_server_name:7001/console

7001 BEA WebLogic Server ,

.

b.BEA WebLogic Server .

.

c.BEA WebLogic Server

.

d.. .

. .

BEA WebLogic Server 8.1 Tivoli Access Manager

BEA WebLogic Server

.

3. BEA WebLogic Server .


4.Access manager Access Manager Tivoli Access manager

.

5 : BEA WebLogic Server

WebSEAL Tivoli Access Manager Plug-in for Web Servers

BEA WebLogic Server

.

.

WebSEAL Tivoli Access Manager Plug-in for Web Servers

. WebSEAL

IBM Tivoli Access Manager

for e-business Web Security Installation Guide . WebSEAL

IBM Tivoli Access Manager for e-business

WebSEAL Administration Guide .

IBM Tivoli Access Manager Plug-in for Web Servers Integration Guide .

BEA WebLogic Server

WebSEAL .

• WebSEAL

• Tivoli Access Manager Plug-in for Web Servers

WebSEAL

WebSEAL BEA WebLogic Server

WebSEAL .

1.WebSEAL webseald.conf .

2.. basicauth-dummy-passwd = sso_pwd

sso_pwd

.

3.WebSEAL .

4.pdadmin WebSEAL .


: Tivoli Access Manager

. WebSEAL .

, Tivoli Access Manager Policy Server

.

-b junction URL .

.

, .

pdadmin> server task webseald_server_name create -t tcp -p WebLogic_Server_listen_port -h WebLogic_Server -b supply junction_target

pdadmin .

2. pdadmin

 

 

 

 

webseald_server_name

WebSEAL . ( : webseald-WebSEAL_server_instance) .

 

WebSEAL_server_instance .

 

, cruz webseald_server_name

 

webseald-cruz . : WebSEAL

 

, .

 

junction IBM

 

Tivoli Access Manager for e-business WebSEAL Administration Guide

 

.

 

 

WebLogic_Server

BEA WebLogic Server

 

 

WebLogic_Server_listen_port

BEA WebLogic Server . 7001 .

 

 

-b supply

. WebSEAL

 

.

 

 

junction_target

junction URL

 

 

WebSEAL junction IBM Tivoli Access Manager

for e-business WebSEAL Administration Guide .

Tivoli Access Manager Plug-in for Web Servers

Tivoli Access Manager Plug-in for Web Servers IBM Tivoli Access Manager for WebLogic Server . ,

.

plug-in_install_dir/etc pdwebpi.conf

[common-modules] .


[common-modules]
post-authzn = BA

, [BA] add-hdr supply-password BA

sso_user . , .

[BA]

add-hdr = supply
supply-password = sso_pwd

Tivoli Access Manager Plug-in for Web Servers IBM Tivoli Plug-in for Web Servers Integration Guide .

6 : BEA WebLogic Server

Tivoli Access Manager for WebLogic

BEA WebLogic Server

. BEA WebLogic Server

Tivoli Access Manager for WebLogic ,

.

1.26 3 : Tivoli Access Manager for WebLogic 29

4 : Tivoli Access Manager Tivoli Access Manager for WebLogic BEA WebLogic Server

Tivoli Access Manager .

2.Tivoli Access Manager for WebLogic

( ) Tivoli Access Manager for WebLogic .

BEA_WLS_HOME/jdk_location/jre/amwls/

.

7 :

Tivoli Access Manager for WebLogic Tivoli Access Manager

.

1.BEA WebLogic Server

.

2.pdadmin . pdadmin> user show test_user

• account-valid yes .

• password-valid yes .


Tivoli Access Manager for WebLogic BEA WebLogic Server WebSEAL

.

. 41

.


4

Tivoli Access Manager WebSEAL

Tivoli Access Manager for WebLogic Tivoli Access Manager ( : Tivoli Access Manager WebSEAL, Tivoli Access Manager Plug-in for Web Servers Tivoli Access Manager Plug-in for Edge Server)

.

WebSEAL BEA WebLogic Server HTTP

dummy .

Tivoli Access Manager for BEA WebLogic Server

.

Tivoli Access Manager HTTP ( : WebSEAL)

.

. Tivoli Access Manager Authorization Server

, .

.

3. Tivoli Access Manager WebSEAL

.


1.WebSEAL ( : /

) WebSEAL . , BEA WebLogic Server .

2.WebSEAL -b supply BEA WebLogic Server

. WebSEAL BEA WebLogic Server .

• WebSEAL ID( user-1)

• webseald.conf basicauth-dummy-passwd.

.

3.BEA WebLogic Server Tivoli Access Manager for WebLogic

ID .

4.Tivoli Access Manager for WebLogic Tivoli Access Manager

Tivoli Access Manager for WebLogic WebSEAL

. WebSEAL BEA WebLogic Server .

4 , Tivoli Access Manager for WebLogic BEA WebLogic Server ID . (

ws-passwd) WebSEAL

Tivoli Access Manager for WebLogic

.

.

SSO SSO Tivoli Access Manager for WebLogic

.

1.SSO .

2.amsspi.properties Tivoli Access Manager for WebLogic

.

com.tivoli.amwls.sspi.Authentication.ssoEnabled = true
com.tivoli.amwls.sspi.Authentication.ssoTrustId = sso_username


5

Tivoli Access Manager for WebLogic

.

vTivoli Access Manager Authorization Server

v40 Tivoli Access Manager for WebLogic

v41

v43

v44 3 policy

v45 Tivoli Access Manager

v46 Tivoli Access Manager for WebLogic

v46

v47

Tivoli Access Manager Authorization Server

Tivoli Access Manager for WebLogic Tivoli Access Manager

Tivoli Access Manager Policy Server . , Tivoli Access Manager Policy Server

Tivoli Access Manager for WebLogic

. ,

.

.

Tivoli Access Manager for WebLogic

. Tivoli Access Manager for WebLogic

Tivoli Access Manager Authorization Server

.

• Tivoli Access Manager

Tivoli Access Manager Authorization Server

.

• RBPF

Tivoli Access Manager for WebLogic

.


Tivoli Access Manager for WebLogic

.

1.Tivoli Access Manager for WebLogic Tivoli Access Manager Authorization Server rbpf_ent_pos_browser

, PATH . rbpf_ent_pos_browser Tivoli Access Manager for WebLogic .

UNIX /opt/PolicyDirector/lib

Windows

c:\Program Files\Tivoli\pdwls\bin

2.Tivoli Access Manager Authorization ivacld.conf

.

UNIX /opt/PolicyDirector/etc

Windows

c:\Program Files\Tivoli\Policy Director\etc

3.[aznapi-entitlement-services] .

AZN_ENT_EXT_ATTR = azn_ent_ext_attr
RBPF_POS_BROWSE = rbpf_ent_pos_browser

4.Tivoli Access Manager Authorization Server .

5.Tivoli Access Manager for WebLogic java_home/amwls/WLS_Domain_Name/WLS_Realm_Name rbpf.properties

. , WLS_Domain_Name BEA WebLogic Server

WLS_Realm_Name BEA WebLogic Server .

true . com.tivoli.pd.as.rbpf.UseEntitlements=true

6. BEA WebLogic Server .

, Tivoli Access Manager for WebLogic BEA WebLogic Server Tivoli Access Manager Policy Server Tivoli Access Manager Authorization Server

.

Tivoli Access Manager for WebLogic

Tivoli Access Manager for WebLogic BEA WebLogic Server

. BEA WebLogic Server

Access Manager

. Tivoli Access Manager for WebLogic

.


.

.

vTivoli Access Manager for WebLogic .

v.

v.

.

.

v.

v.

v.

.

,

.

, WebSEAL

.

.

.

.

EJB .

.

v:

web.xml ServletRole . weblogic.xml ServletRole BankMembersServlet

( ) . web.xml

Servlet ServletRole

.

v:


doPost() ServletRole

.

.

HTTPRequest.isUserInRole() .

EJB .

v:

EJBRole ejb-jar.xml . weblogic-ejb-jar.xml EJBRole BankMembersEJB

. ejb-jar.xml

getBalance() EJBRole

.

v:

getBalance() EJBRole

. EJBContext.isCallerInRole()

.

v:

getBalance() ( )

. , Banker1 Banker1

.

.

1.PDDemoApp.ear

WebLogic_domain_directory\applications .

. EAR

. AMWLS_install_dir/demo .

2.BEA WebLogic Server .

Banker1

Banker2

Banker3

Banker4

URLUser1

URLUser2

URLUser3

3.BankMembersEJB BankMembersServlet .

Banker1, Banker2, Banker3 Banker4 . BEA WebLogic Server BEA WebLogic Server

.

4.BEA WebLogic Server .

5.URL .


http://WebLogic_Server_host:WebLogic_Server_listening_port/pddemo/PDDemo

Banker .

WebLogic_Server_host BEA WebLogic Server .

WebLogic_Server_listening_port BEA WebLogic Server

.

6.BankMembersServlet Servlet

.

7.BankMembersEJB

.

WebSEAL .

1.URL . https://webseald_server_name/junction_target/pddemo/PDDemo

WebSEAL .

webseald_server_name junction_target 34

7 : .

: WebSEAL HTTP

HTTPS .

2..

BEA WebLogic Server ,

Servlet . WebSEAL , PDDemo BEA WebLogic Server

.

.

1.. WebSEAL

. , , , WebSEAL

BEA WebLogic Server BEA WebLogic Server .

.

.

2.Tivoli Access Manager WebLogic Server

.


.

. , WebLogic 5

Tivoli Access Manager ,

.

3 policy

LDAP Tivoli Access Manager 3 policy

. Policy

. , policy 3

180 . policy

1 .

3 policy pdadmin policy

.

policy

policy

.

policy 3

( ), ( ) , policy

.

. 60 .

policy ,

LDAP .

Web Portal Manager .

:

.

. LDAP . , LDAP

.

.


pdadmin LDAP .

3. pdadmin LDAP policy

 

 

 

 

policy set max-login-failures {number|unset} [-user username]

 

 

policy get max-login-failures [-user username]

 

 

 

 

 

policy . policy

 

 

 

.

 

policy LDAP

 

policy

 

.

 

10 .

 

 

policy set disable-time-interval {number|unset|disable} [-user username]

 

 

policy get disable-time-interval [-user username]

 

 

 

 

 

policy .

 

policy

 

LDAP policy

 

.

 

180 .

 

 

Tivoli Access Manager

Tivoli Access Manager .

1.BEA WebLogic Server .

2.Tivoli Access Manager for WebLogic create_realm

.

3.BEA WebLogic Server .

4.Tivoli Access Manager .

a.BEA WebLogic Server Access Manager .

b.. .

c.. .

d.. .

5.Tivoli Access Manager AMWLSConfigure -action delete_realm . AMWLSConfigure -action delete_realm

63 B

.


: Tivoli Access Manager for WebLogic

, AMWLSConfigure AMSSPI_DIR

. , WebLogic

, WLS_JAR AMWLSConfigure WebLogic.jar

.

Tivoli Access Manager for WebLogic

Tivoli Access Manager for WebLogic .

1.BEA WebLogic Server .

2.Tivoli Access Manager . 45 Tivoli Access Manager .

3.Tivoli Access Manager for WebLogic

.

a.Access Manager . .

b.. .

c.Tivoli Access Manager sec_master .

d..

4.Tivoli Access Manager for WebLogic

AMWLSConfigure -action unconfig . AMWLSConfigure -action unconfig 63

B .

.

v47 WebLogic

, .

WebSEAL .

Servlet

.


,

. BEA WebLogic Server

WebSEAL .

WebLogic

: java.lang.OutofMemory .

: Access Manager for WebLogic Server , BEA

WebLogic Server .

: startWebLogic JVM(Java Virtual Machine)

. , .

%JAVA_HOME%\bin\java -ms64m -mx128m -Xms200m -XX:MaxPermSize=128m

, BEA WebLogic Server BEA

.

.

1.Tivoli Access Manager for WebLogic ( )

.

2.Tivoli Access Manager for WebLogic Tivoli Access Manager

sec_master sec_master . ,

Tivoli Access Manager

.

3.BEA WebLogic Server 8.1 -

any-other anyother .

4.Active Directory Tivoli Access Manager for WebLogic ,

AdminGroupProp=Administrators .

Active Directory administrators

. Tivoli Access Manager for WebLogic Tivoli Access Manager for WebLogic .

5.Tivoli Access Manager for WebLogic policy

. policy

. policy OR, AND.


6.Tivoli Access Manager

. PdPerm.properties appsvr-credcache-life

.

7.WebLogic Server Console Extension Tivoli Access Manager Plug-in for Web Servers WebSEAL .

WebLogic

.

1.Active Directory

. Administrator

. Active Directory Administrator

. , certificate.war

Administrator

.

2.BEA WebLogic Server 8.1 Tivoli Access Manager for WebLogic

policy .

BEA WebLogic Server (CR) CR125113 . BEA WebLogic Server 8.1

policy .


6

IBM Tivoli Access Manager for WebLogic Server

.

.

• Solaris

• Windows

• AIX

• HP-UX

Solaris

Tivoli Access Manager for WebLogic Tivoli Access Manager

Tivoli Access Manager for WebLogic

. 45 Tivoli Access Manager

46 Tivoli Access Manager for WebLogic

.

Solaris Tivoli Access Manager for WebLogic pkgrm

. .

1.root .

2.Tivoli Access Manager for WebLogic .

# pkgrm PDWLS

. y .

3.super

. y .

. postremove

, . pkgrm

.

Tivoli Access Manager for WebLogic .

IBM Tivoli Access Manager (Tivoli Access Manager

, Tivoli Access Manager JRE(Java Runtime Environment)

Tivoli Access Manager ) IBM Tivoli Access

Manager .


Windows

Tivoli Access Manager for WebLogic Tivoli Access Manager

Tivoli Access Manager for WebLogic

. 45 Tivoli Access Manager

46 Tivoli Access Manager for WebLogic

.

Windows / Tivoli Access Manager for WebLogic . .

1.Windows .

2./ .

3.Access Manager for WebLogic Application Server .

4./ .

Tivoli Access Manager for WebLogic .

.

5..

Tivoli Access Manager for WebLogic .

IBM Tivoli Access Manager (Tivoli Access Manager

, Tivoli Access Manager JRE(Java Runtime Environment)

Tivoli Access Manager ) IBM Tivoli Access Manager .

AIX

Tivoli Access Manager for WebLogic Tivoli Access Manager

Tivoli Access Manager for WebLogic

. 45 Tivoli Access Manager

46 Tivoli Access Manager for WebLogic

.

AIX Tivoli Access Manager for WebLogic installp

.

IBM Tivoli Access Manager (Tivoli Access Manager

, Tivoli Access Manager JRE(Java Runtime Environment)

Tivoli Access Manager ) IBM Tivoli Access

Manager .


HP-UX

Tivoli Access Manager for WebLogic Tivoli Access Manager

Tivoli Access Manager for WebLogic

. 45 Tivoli Access Manager

46 Tivoli Access Manager for WebLogic

.

swremove Tivoli Access Manager for WebLogic .

.

1.root .

2.Tivoli Access Manager for WebLogic .

# swremove PDWLS

.

. swremove Tivoli Access Manager for WebLogic .

, swremove .

HP-UX Tivoli Access Manager for WebLogic .

IBM Tivoli Access Manager (Tivoli Access Manager

, Tivoli Access Manager JRE(Java Runtime Environment)

Tivoli Access Manager ) IBM Tivoli Access

Manager .


A.

Tivoli Access Manager for WebLogic

. Tivoli Access Manager for WebLogic

.

java_home/amwls/wls_domain_name/wls_realm_name/ .

wls_domain_name BEA WebLogic Server

wls_realm_name BEA WebLogic Server

.

.

• amsspi.properties

BEA WebLogic Server SSPI .

• rbpf.properties

Tivoli Access Manager for WebLogic ., , Tivoli Access Manager

.

• amwlsjlog.properties

/ Tivoli Access Manager for WebLogic . Tivoli Access Manager for WebLogic .

.

.

*** Tivoli Access Manager for WebLogic

. .

.in

. config create_realm .in

ACL Tivoli Access Manager

. ***

.

.in pdwls_install_dir/etc .

amsspi.properties

amsspi.properties .


com.tivoli.amwls.sspi.config.DeployerGroupProp***

Deployers . , BEA WebLogic Server

, Deployers

Deployers .

com.tivoli.amwls.sspi.config.MonitorGroupProp***

Monitors . , BEA WebLogic Server

, Monitors Monitors

.

com.tivoli.amwls.sspi.config.OperatorGroupProp***

Operators . , BEA WebLogic Server

, Operators Operators

.

com.tivoli.amwls.sspi.config.AdminGroupProp***

Administrators . , BEA WebLogic Server

, Administrator

Administrators . Windows

Administrators

Active Directory

.

com.tivoli.amwls.sspi.Authentication.GroupRegistryDelete

true . Tivoli Access Manager

. pdadmin

-registry .

com.tivoli.amwls.sspi.Authentication.UserRegistryDelete

true . Tivoli Access Manager

. pdadmin

-registry .

com.tivoli.amwls.sspi.Authentication.ssoEnabled

false . BEA WebLogic Server Tivoli Access Manager Plug-in for Web Servers WebSEAL /

.

com.tivoli.amwls.sspi.Authentication.ssoTrustId

WebSEAL Tivoli Access Manager Plug-in for Web Servers


com.tivoli.amwls.sspi.Authentication.ssoPasswdExpiry

120( ) . SSO ID ( )

. , SSO SSO Tivoli Access Manager .

com.tivoli.amwls.sspi.RoleMapper.EnableWebProgRolecheck

true .

.

.

com.tivoli.amwls.sspi.RoleMapper.EnableEjbProgRolecheck

true . EJB

. EJB

.

com.tivoli.amwls.sspi.Authentication.GroupDNPrefix

LDAP , cn= .

.

com.tivoli.amwls.sspi.Authentication.UserDNPrefix

LDAP , cn= .

.

rbpf.properties

rbpf.properties .

com.tivoli.pd.as.rbpf.ProductName

PDWLS . Tivoli Access Manager ACL

.

com.tivoli.pd.as.rbpf.RoleContainerName***

Roles . , Roles/$WLS_Domain_Name/$WLS_Realm_Name . WLS_Domain_Name

BEA WebLogic Server , WLS_Realm_Name BEA

WebLogic Server .

com.tivoli.pd.as.rbpf.ResourceContainerName***

Resources . , Resources/$WLS_Domain_Name/$WLS_Realm_Name .

WLS_Domain_Name BEA WebLogic Server ,

WLS_Realm_Name BEA WebLogic Server .


com.tivoli.pd.as.rbpf.PosRoot***

WebAppServer . Tivoli Access Manager for WebLogic

.

com.tivoli.pd.as.rbpf.ProductId***

WLS . PosRoot

.

com.tivoli.pd.as.rbpf.AMActionGroup***

WebAppServer . Tivoli Access Manager for WebLogic

.

com.tivoli.pd.as.rbpf.AMAction***

(invoke) i . Tivoli Access Manager for WebLogic , AMActionGroup

.

com.tivoli.pd.as.cache.EnableDynamicRoleCaching

true .

. , ,

. .

com.tivoli.pd.as.cache.DynamicRoleCache

com.tivoli.pd.as.cache.DynamicRoleCacheImpl .

. ,

. com.tivoli.pd.as.cache.IDynamicRoleCache .

com.tivoli.pd.as.cache.DynamicRoleCache.NumBuckets

20 .

.

com.tivoli.pd.as.cache.DynamicRoleCache.MaxUsers

100000 .

. NumBuckets

.

com.tivoli.pd.as.cache.DynamicRoleCache.RoleLifetime

20 .

( ) .

com.tivoli.pd.as.cache.DynamicRoleCache.PrincipalLifeTime

10 . ( ) Tivoli Access Manager for WebLogic ( ) .


PdPerm.properties appsvr-credcache-life PDJRTE

. Tivoli Access Manager for WebLogic PDJRTE .

appsvr-credcache-life , Tivoli Access Manager for WebLogic PDJRTE .

com.tivoli.pd.as.cache.EnableStaticRoleCaching

true .

.

.

.

.

com.tivoli.pd.as.cache.StaticRoleCache

com.tivoli.pd.as.cache.StaticRoleCacheImpl .

. ,

. com.tivoli.pd.as.cache.IStaticRoleCache .

com.tivoli.pd.as.cache.StaticRoleCache.Roles

Admin, Operator, Monitor, Deployer .

.

.

.

com.tivoli.pd.as.cache.EnableObjectCaching

true .

. Tivoli Access Manager . BEA WebLogic Server

, Tivoli Access Manager Authorization Server .

com.tivoli.pd.as.cache.ObjectCache

com.tivoli.pd.as.cache.ObjectCacheImpl .

. ,

. com.tivoli.pd.as.cache.IObjectCache

.

com.tivoli.pd.as.cache.ObjectCache.NumBuckets

20 .

.


com.tivoli.pd.as.cache.ObjectCache.MaxResources

10000 .

. NumBuckets

.

com.tivoli.pd.as.cache.ObjectCache.ResourceLifeTime

20 . ( )

.

com.tivoli.pd.as.rbpf.UncheckedRoles

Unchecked, AmasUnckeched, Anonymous .

J2EE . BEA WebLogic Server ,

. .

( )

. Tivoli Access Manager for WebLogic

BEA WebLogic Server

Anonymous .

.

com.tivoli.pd.as.rbpf.ExcludedRoles

Excluded, AmasExcluded . J2EE

. ,

,

. J2EE

.

.

com.tivoli.pd.as.rbpf.GrantUnprotectedAccess

true . , ,

.

com.tivoli.pd.as.rbpf.CopyParentRole***

false . (

:) (

:) . Tivoli Access Manager ACL

ACL .

.

PropagateChildRole .


com.tivoli.pd.as.rbpf.PropagateChildRole***

false .

( : ) ( :

) . , userA

RoleA userA RoleA

. CopyParentRole

. CopyParentRole

.

com.tivoli.pd.as.rbpf.UseEntitlements

false .

Tivoli Access Manager Authorization Server .

false , Tivoli Access Manager Tivoli Access Manager for WebLogic . , Tivoli Access Manager Policy Server

false .

. ,

true .

com.tivoli.pd.as.rbpf.EntitlementsUser

Tivoli Access Manager for WebLogic remote-acl-user .

. Tivoli Access Manager

‘s’

. config remote-acl-user iv-admin

.

, Tivoli Access Manager

Resources ‘s’

.

com.tivoli.pd.as.rbpf.IgnorePasswordPolicyOnUserCreate

false . BEA WebLogic Server

Tivoli Access Manager policy

.

com.tivoli.pd.as.rbpf.DeleteBaseRoleRecursive

true .

.


amwlsjlog.properties

amwlsjlog.properties JLog . Tivoli Access Manager for WebLogic PDJRTE

.

amwlsjlog.properties

.

.

amwlsjlog.properties .

.

, isLogging

. Tivoli Access Manager for WebLogic

.

/ .

.

 

 

 

 

 

 

 

 

 

 

 

AmasRBPFTraceLogger

 

Tivoli Access Manager for WebLogic

 

 

 

 

 

 

AmasCacheTraceLogger

 

Tivoli Access Manager for WebLogic

 

 

 

 

 

 

AMSSPICfgTraceLogger

 

Tivoli Access Manager for WebLogic config

 

 

( : )

 

 

 

AMSSPIAuthzTraceLogger

 

Tivoli Access Manager for WebLogic

 

 

 

 

 

 

AMSSPIAuthnTraceLogger

 

Tivoli Access Manager for WebLogic

 

 

 

 

 

 

AMSSPIRoleMapperTraceLogger

 

Tivoli Access Manager for WebLogic

 

 

 

 

 

 

AMSSPIResourceManagerTraceLogger

Tivoli Access Manager for WebLogic

 

 

 

 

 

 

 

 

 

 

AmasCacheMessageLogger

 

Tivoli Access Manager for WebLogic

 

 

 

 

 

 

AmasRBPFMessageLogger

 

Tivoli Access Manager for WebLogic

 

 

 

 

 

 

AMSSPICfgMessageLogger

 

Tivoli Access Manager for WebLogic config

 

 

( : )

 

 

 

AMSSPIAuthzMessageLogger

 

Tivoli Access Manager for WebLogic

 

 

 

 

 

 


 

 

 

 

AMSSPIAuthnMessageLogger

Tivoli Access Manager for WebLogic

 

 

 

 

AMSSPIRoleMapperMessageLogger

Tivoli Access Manager for WebLogic

 

 

 

AMSSPIResourceManagerMessageLogger

Tivoli Access Manager for WebLogic

 

 

 

baseGroup traceLogger baseGroup messageLogger

. , .

baseGroup.AMSSPIAuthnMessageLogger.isLogging=true

Tivoli Access Manager for WebLogic

.

.

baseGroup.TraceLogger.isLogging=true

baseGroup.AMSSPIAuthzMessageLogger.isLogging=false

, true .

, true false .


B.


AMWLSConfigure -action config

Tivoli Access Manager for WebLogic Server .

AMWLSConfigure -action config -domain_admin domain_admin

-domain_admin_pwd domain_admin_password -remote_acl_user remote_acl_user

-sec_master_pwd sec_master_pwd -pdmgrd_host pdmgrd_host -pdacld_host pdacld_host [-deploy_extension {true|false}] [-wls_server_url wls_server_url] [-am_domain am_domain] [-pdmgrd_port pdmgrd_port] [-pdacld_port pdacld_port] [-amwls_home amwls_home] [-verbose {true|false}]

-am_domain am_domain

Tivoli Access Manager . Default

.

-amwls_home amwls_home

Tivoli Access Manager for WebLogic Server

.

-deploy_extension {true|false}

true Tivoli Access Manager WebLogic Server 5.1

. true .

-domain_admin domain_admin

WebLogic .

-domain_admin_pwd domain_admin_password

WebLogic .

-pdacld_host pdacld_host

Tivoli Access Manager Authorization Server .

-pdacld_port pdacld_port

Tivoli Access Manager Authorization Server .

7136 .

-pdmgrd_host pdmgrd_host

Tivoli Access Manager Policy Server .

-pdmgrd_port pdmgrd_port

Tivoli Access Manager Policy Server .

7135 .


-remote_acl_user remote_acl_user

Authorization Server Tivoli Access Manager ( )

.

-sec_master_pwd sec_master_pwd

Tivoli Access Manager ( sec_master) .

-verbose {true|false}

true . false .

-wls_server_url wls_server_url

WebLogic URL . t3://localhost:7001

.

.

• UNIX:

/opt/pdwls/sbin/

• Windows:

C:\Program Files\Tivoli\pdwls\sbin\

,

sbin ( : install_dir\sbin\) .

.

0.

1.

. IBM Tivoli Access Manager Error Message Reference .


AMWLSConfigure -action unconfig

Tivoli Access Manager for WebLogic Server .

AMWLSConfigure -action unconfig -domain_admin_pwd domain_admin_pwd

-sec_master_pwd sec_master_pwd [-verbose {true|false}]

-domain_admin_pwd domain_admin_pwd

Tivoli Access Manager for WebLogic Server .

-sec_master_pwd sec_master_pwd

Tivoli Access Manager ( sec_master) .

-verbose {true|false}

true . false .

.

• UNIX:

/opt/pdwls/sbin/

• Windows:

C:\Program Files\Tivoli\pdwls\sbin\

,

sbin ( : install_dir\sbin\) .

.

0.

1.

. IBM Tivoli Access Manager Error Message Reference .


AMWLSConfigure -action create_realm

WebLogic .

AMWLSConfigure -action create_realm -realm_name realm_name

-domain_admin_pwd domain_admin_pwd -user_dn_suffix user_dn_suffix

-group_dn_suffix group_dn_suffix -admin_group admin_group [-user_dn_prefix

user_dn_prefix] [-group_dn_prefix group_dn_prefix] [-sso_enabled {true|false}] [-sso_user sso_user] [-sso_pwd sso_pwd] [-verbose {true|false}]

-admin_group admin_group

Tivoli Access Manager .

-domain_admin_pwd domain_admin_pwd

WebLogic .

-group_dn_prefix group_dn_prefix

(DN) .

-group_dn_suffix group_dn_suffix

(DN) .

-realm_name realm_name

WLS .

-sso_enabled {true|false}

true .

false .

-sso_pwd sso_pwd

(sso_user) .

-sso_user sso_user

Tivoli Access Manager

.

-user_dn_prefix user_dn_prefix

(DN) .

-user_dn_suffix user_dn_suffix

(DN) .

-verbose {true|false}

true . false .


.

• UNIX:

/opt/pdwls/sbin/

• Windows:

C:\Program Files\Tivoli\pdwls\sbin\

,

sbin ( : install_dir\sbin\) .

.

0.

1.

. IBM Tivoli Access Manager Error Message Reference .


AMWLSConfigure -action delete_realm

WebLogic .

AMWLSConfigure -action delete_realm -domain_admin_pwd domain_admin_pwd

[-registry_clean {true|false}] [-verbose {true|false}]

-domain_admin_pwd domain_admin_pwd

WebLogic .

-registry_clean {true|false}

. false .

-verbose {true|false}

true . false .

.

• UNIX:

/opt/pdwls/sbin/

• Windows:

C:\Program Files\Tivoli\pdwls\sbin\

,

sbin ( : install_dir\sbin\) .

.

0.

1.

. IBM Tivoli Access Manager Error Message Reference .

C.

. IBM

, .

IBM

. IBM , IBM ,

. IBM

, ,

. IBM ,

.

IBM

.

. .

135-270

467-12,

. .

: 080-023-8080

2 (DBCS) IBM

IBM World Trade Asia Corporation

Licensing

2-31 Roppongi 3-chome, Minato-ku

Tokyo 106, Japan

. IBM

,

( , ) “

” .

, .

.

, . IBM

( ) ( )

.

© Copyright IBM Corp. 2003

IBM ,

.

IBM

.

IBM

.

(i)( )

.

135-270

467-12,

. .

( , ) .

IBM IBM , IBM (IPLA)

.

.

.

. ,

.

.

IBM ,

. IBM IBM ,

,

. IBM .

IBM

.

. , ,

.

.

.

IBM Corporation

.

AIX

DB2

IBM

IBM

SecureWay

Tivoli

Tivoli

Microsoft, Windows, Windows NT Windows

Microsoft Corporation .

Java Java Sun Microsystems,Inc .

UNIX Open Group .

, .

(virtual hosting).

(private key).

.

(public key).

.

(management domain). Tivoli Access Manager

, policy

. Policy Server

. (domain)

(management server). .

Policy Server

(administration service). Tivoli Access Manager

API .

pdadmin

. ADK

.

(DN: distinguished name).

. : ,

.

(configuration). (1)

. (2) ,

,

(authorization rule). (rule)

(authorization service plug-in). API

,

Tivoli Access Manager API

(DLL

).

, , , PAC

. ADK

.

(credentials modification service).

Tivoli Access Manager

API .

,

.

(credentials). ,

, ID .

( : , )

.

(authorization). (1)

. (2)

,

(permission). ( : )

.

ACL(Access Control List) . ACL(Access Control List)

(GSO: Global Signon).

.

.

GSO

. (SSO: Single Signon)

(basic authentication).

,

(network-based authentication).

IP(Internet Protocol)

POP(Protected Object Policy). POP(Protected Object Policy)

(multi-factor authentication).

POP(Protected Object Policy). ,

/ /

. POP(Protected Object Policy)

(step-up authentication).

, policy

POP(Protected Object Policy).

POP

,

policy .

(SSO: Single Signon).

. (GSO: Global Signon)

(domain name).

.

. ,

(FQDN) as400.rchland.vnet.ibm.com ,

. as400.rchland.vnet.ibm.com ,

vnet.ibm.com, ibm.com

(domain). (1)

, . (2)

.

(domain name)

(directory schema).

.

( ,

, )

.

(daemon). ( :

) .

,

.

(digital signature). e-commerce

,

.

(routing file).

ASCII

(run time). .

.

(registry). ,

(rule). ( )

(migration).

(metadata).

(bind). ID

. , ID , ID ,

(security management).

(quality of protection). ,

(protected object space). ACL POP

.

(protected object) POP(Protected Object Policy)

(protected object). ACL POP

. POP(Protected Object Policy)

(protected object space)

(replica). .

.

(blade).

(business entitlement).

(user registry). (registry)

(user). , , , , ,

, , , , ,

(service). .

( , HTTP Server, ), ( :

) .

(attribute list).

. =

.

(schema).

, .

, ,

.

(trusted root). SSL(Secure Sockets Layer)

CA(Certificate Authority)

(encryption).

(cipher). ( )

(access permission).

(access control).

.

(role assignment).

,

(role activation).

(connection). (1)

. (2) TCP/IP

. TCP

TCP .

(3)

(external authorization service). Tivoli Access Manager

API

. ADK

.

(response file).

,

(certificate).

ID

. CA(Certificate Authority) .

(authentication). (1) ID

. (2)

. (3)

. ,

(authentication) (authentication)

(entitlement service).

API .

. ADK

.

(entitlement). policy

.

policy .

(Internet suite of protocols).

IETF(Internet Engineering Task Force)

RFC(Requests for Comment)

(silent installation).

.

.

(response file)

(resource object). ( :

, )

(self-registration).

Tivoli Access Manager

(suffix).

. LDAP(Lightweight Directory Access Protocol) ,

.

.

(action). ACL(Access Control List) .

ACL(Access Control List)

(container object).

region

(cookie).

.

.

(scalability).

(key database file). (key ring)

(key ring). , ,

(key pair). .

,

,

. ,

,

.

(key file). (key ring)

(key).

. (private key) (public key)

(token). (1)

.

.

. (2)

(LAN)

. ,

.

(portal). ,

( : , )

(polling).

CGI(Common Gateway Interface). HTTP

(host). ( : SNA )

. . CGI

.

( : Perl) CGI .

D

. ,

.

DN. (distinguished name:DN)

A

ACL. ACL(Access Control List)

ACL(Access Control List).

. , ACL

.

E

EAS. (External Authorization Service)

F

FTP(File Transfer Protocol).

TCP Telnet

B

BA. (basic authentication)

C

CA. CA(Certificate Authority)

CA(Certificate Authority). . CA(Certificate Authority) ID

, ,

,

.

G

GSO. GSO(Global Signon)

H

HTTP. HTTP(Hypertext Transfer Protocol)

HTTP(Hypertext Transfer Protocol).

CDAS. CDAS(Cross Domain Authentication Service)

CDAS(Cross Domain Authentication Service).

WebSEAL , Tivoli Access Manager ID WebSEAL

WebSEAL .

WebSEAL

CDMF. CDMF(Cross Domain Mapping Framework)

CDMF(Cross Domain Mapping Framework).

WebSEAL e-Community SSO ID

CGI. CGI(Common Gateway Interface)

I

IP. IP(Internet Protocol)

IPC. IPC(Interprocess Communication)

IPC(Interprocess Communication). (1)

,

. (2)

IP(Internet Protocol).

J

junction. WebSEAL

HTTP HTTPS . WebSEAL junction

.

L

LDAP. LDAP(Lightweight Directory Access Protocol)

LDAP(Lightweight Directory Access Protocol). (a) X.500

TCP/IP , (b) X.500 DAP(Directory Access Protocol) . LDAP (

) ( :

, )

. LDAP

RFC 1777 . LDAP 3 RFC 2251 , IETF

. IETF LDAP

RFC 2256 .

LTPA. LTPA(Lightweight Third Party Authentication)

LTPA(Lightweight Third Party Authentication).

M

MPA(Multiplexing Proxy Agent).

.

WAP , WAP(Wireless Access Protocol) .

,

.

P

PAC. PAC(Privilege Attribute Certificate) .

PAC (privilege attribute certificate service).

PAC Tivoli Access Manager ,

API .

Tivoli Access Manager

. ADK

. PAC(Privilege Attribute Certificate)

PAC(Privilege Attribute Certificate). ( )

( )

policy.

Policy Server.

Tivoli Access Manager

POP. POP(Protected Object Policy)

POP(Protected Object Policy).

ACL policy

policy . POP

. ACL(Access Control List), (protected object) (protected object space)

R

RSA (RSA encryption).

. 1977 Ron Rivest, Adi Shamir

Leonard Adleman .

,

.

S

SSL. SSL(Secure Sockets Layer)

SSL(Secure Sockets Layer).

. SSL / ,

. SSL Netscape Communications Corp. RSA Data Security, Inc. .

SSO. SSO(Single Signon)

U

URI. URI(Uniform Resource Identifier)

URI(Uniform Resource Identifier). (

), ( )

( : HTTP)

. URI

, URL .

URL. URL(Uniform Resource Locator)

URL(Uniform Resource Locator).

( : ) .

(a)

(b)

. ,

( : http, ftp, gopher, telnet news). IBM URL http://www.ibm.com .

W

WebSEAL. Tivoli Access Manager . WebSEAL

policy

. WebSEAL

policy

.

WPM. WPM(Web Portal Manager)

WPM(Web Portal Manager). Tivoli Access Manager WebSEAL policy

. pdadmin

, GUI

,

.
