Using external security managers in a cluster

If you are configuring security for IBM^® WebSphere^® Portal Express with an external security manager, review the additional considerations described in this section, depending on the external security manager that you are using. Perform any configuration for an external security manager after you have completed all other setup, including ensuring that the WebSphere Portal Express cluster is functional.

General considerations

The following considerations apply to all external security managers:

When setting up security in a cluster to use an external security manager, ensure that you perform the security configuration on each node in the cluster, as described in the following topics:
- IBM Tivoli^® Access Manager for e-business: Configuring Tivoli Access Manager
- Computer Associates eTrust SiteMinder: ../security/conf_sit.html
If you make any changes to the external security manager configuration after initially setting it up, ensure that any changes you make to the wpconfig.properties file are propagated to the other nodes in the cluster. Changes to the wpconfig.properties file are not included as part of the cluster resynchronization process.
If you are using an external Web server, additional configuration is required before running any task to configure an external security manager with a WebSphere Portal Express cluster. Edit the wkplc.properties file on each node, and ensure that the values for the WpsHostName and WpsHostPort properties are set to the host name and port number you are using for your Web server.

Tivoli Access Manager considerations

Ensure that you run the validate-pdadmin-connection task on each node in the cluster.
If the validate-pdadmin-connection task fails, run the run-svrssl-config task before attempting to run validate-pdadmin-connection again. Note that the wp.acc.impl.PDServerName parameter in the wkplc_comp.properties file represents an individual configured AMJRTE connection to Tivoli Access Manager, and each node in the cluster must have a unique value for wp.acc.impl.PDServerName before running the run-svrssl-config task.
Ensure that the WebSEAL Trust Association Interceptor (TAI) parameters are the same on each node in the cluster. If you run a configuration task at a later time that overwrites the WebSEAL junction, the WebSphere Application Server TAI properties are not automatically updated, so you must manually ensure that all nodes are using the same parameters.
Note the file location specified by the wp.ac.impl.PDPermPath parameter in the wkplc_comp.properties file. This property indicates the location of the Tivoli Access Manager AMJRTE properties file (PdPerm.properties). In a cluster composed of nodes with different operating systems, the location of the PdPerm.properties file might differ, depending on the node. You must ensure that the value of the wp.ac.impl.PDPermPath property on each node corresponds to the location of the PdPerm.properties file.
This value can be set globally for all cluster members by using the configURLName property, accessed in the deployment manager administrative console by clicking Security > JAAS Configuration > Application Logins > Portal_Login > JAAS Login Modules > com.tivoli.mts.PDLoginModule > Custom Properties.
To ensure that the location of the PdPerm.properties file is properly specified, use one of the following approaches:
- If your nodes are all on UNIX platforms, use the UNIX link command (ln) to ensure the value for configUrlName resolves on each node
- If the configURLName parameter is not set in the administrative console, the default location is relative to the JAVA_HOME system property under the following path: java_home/jre/PdPerm.properties. Make sure the wp.ac.impl.PDPermPath parameter for each node is set to this relative location before running the run-svrssl-config task, and completely remove the configURLName property from the PDLoginModule custom properties.
If you are creating an SSL junction in Tivoli Access Manager, you must set the value of WpsHostPort in the wkplc.properties file to the SSL port (default of 443) before running either of the following Tivoli Access Manager configuration tasks: enable-tam-all, enable-tam-tai. After you have successfully run the task, change the value of WpsHostPort back to its initial value. If you do not reset the property after running the Tivoli Access Manager tasks, subsequent attempts to access the portal by running the xmlaccess command (or configuration tasks that invoke it) will fail.