CA API Gateway 9.1

9.4 9.1

Configure TAM Runtime Environment (Multiple Gateway Instances)

Once the Tivoli Access Manager Policy Director is installed, the next step is to configure the runtime component. This section describes how to configure the environment for a clustered (multiple instances) gateway. If you have a single Gateway instance (and have no need to expand to a cluster later), see the instructions for a single Gateway here. 
gateway
Once the Tivoli Access Manager Policy Director is installed, the next step is to configure the runtime component. This section describes how to configure the environment for a clustered (multiple instances) 
CA API Gateway
. If you have a single Gateway instance (and have no need to expand to a cluster later), see the instructions for a single Gateway here
IMPORTANT:
 For the TAM access control to function properly, ensure that the Java Virtual Machine on the client machines point to the correct Access Manager Policy server.
Install Multiple TAM Instances
To configure the TAM runtime environment for multiple instances:
  1. Make sure all TAM servers are running.
  2. Create your instance folders under the following directory.
    /opt/ibm/java-x86_64-60/jre
    For example, “/opt/ibm/java-x86_64-60/jre/inst1” and “/opt/ibm/java-x86_64-60/jre/inst2”. You will need to set the appropriate permissions for these folders, for example:
       # chmod -R 755 /opt/ibm/java-x86_64-60/jre/inst1
       # chmod -R 755 /opt/ibm/java-x86_64-60/jre/inst2
  3. Run the following commands:
    # cp /opt/PolicyDirector/java/export/pdjrte/PD.jar /opt/ibm/java-x86_64-60/jre/lib/ext/
# chmod 444 /opt/ibm/java-x86_64-60/jre/lib/ext/PD.jar
# export PATH=$PATH:/opt/ibm/java-x86_64-60/jre/bin
  4. Run the following command for each instance against the target TAM server:
    # java -Dfile.encoding=ISO8859-1 -Xnoargsconversion -Dpd.home=/opt/ibm/java-x86_64-60/jre/
    <instance>
     com.tivoli.pd.jcfg.PDJrteCfg -action config -cfgfiles_path /opt/ibm/java-x86_64-60/jre/
    <instance>
     -host 
    <instance_host_IP>
     -port 
    <instance_port>
     -was
     
    Where:
    • “<instance>”
       is the instance label created above
    • “<instance_host_ip>”
       is the hostname or IP address for the TAM server
    • “<instance_port>”
       by default is
      7135
    For the
    inst1
     and
    inst2
     example above, the commands would be:
    # java -Dfile.encoding=ISO8859-1 -Xnoargsconversion -Dpd.home=/opt/ibm/java-x86_64-60/jre/inst1 com.tivoli.pd.jcfg.PDJrteCfg -action config -cfgfiles_path /opt/ibm/java-x86_64-60/jre/inst1 -host 10.7.32.213 -port 7135 -was
# java -Dfile.encoding=ISO8859-1 -Xnoargsconversion -Dpd.home=/opt/ibm/java-x86_64-60/jre/inst2 com.tivoli.pd.jcfg.PDJrteCfg -action config -cfgfiles_path /opt/ibm/java-x86_64-60/jre/inst2 -host 10.7.32.126 -port 7135 -was
    You should see a message notifying you the configuration was successful. At this point, set the correct permissions using these commands:
    # chmod -R 755 /opt/ibm/java-x86_64-60/jre/inst1/PolicyDirector
# chmod -R 755 /opt/ibm/java-x86_64-60/jre/inst2/PolicyDirector
    You may ignore this message if it appears: “Unable to create the PDJLog.properties file in the specified JRE. Ensure you have the correct permission to do so.”
  5. Register the TAM client instance on the target TAM servers with this comman:
    # java -Dpd.cfg.home /opt/ibm/java-x86_64-60/jre/
    <instance
    > com.tivoli.pd.jcfg.SvrSslCfg -action config -domain $TAM_DOMAIN -mode $TAM_MODE -port 12347 -admin_id $TAM_ADMIN_ID -admin_pwd $TAM_ADMIN_PASSWORD -cfg_file $CFG_FILE -key_file $KEY_FILE -appsvr_id $APP_SVR_ID –policysvr $TAM_POLICY_SERVER_IP:
    <instance_port>
    :1 –authzsvr $TAM_POLICY_SERVER_IP:
    <instance_authzsvr_port>
    :1
    Where:
    • “<instance>”
       is the label/name for the TAM instance (required only when there are multiple instances; omit if only a single instance will exist)
    • “<instance_port>”
       is a port number (default=
      7135
      )
    • “<instance_authzsvr_port>”
       is a port number (default=
      7136
      )
    • “$TAM_DOMAIN” is always
      Default
    • “$TAM_MODE” is always
      remote
    • “$TAM_ADMIN_ID”  is the username of the TAM administrator
    • “$TAM_ADMIN_PASSWORD” is the password from the TAM administrator
    • “$CFG_FILE” is
      $JAVA_HOME/
      <instance>
      /PdPerm.properties
    • “$KEY_FILE” is
      $JAVA_HOME/
      <instance>
      /pdperm.ks
    • “$APP_SVR_ID” is the unique name for your Gateway
    • “$TAM_POLICY_SERVER_IP” is the IP address of your TAM policy server
  6. Set the correct permissions with these commands:
    # chmod 644 /opt/ibm/java-x86_64-60/jre/
    <instance>
    /PdPerm.properties
    # chmod 644 /opt/ibm/java-x86_64-60/jre/
    <instance>
    /pdperm.ks
You can now install the Tivoli Access Manager custom assertion on the Gateway.
Install TAM Custom Assertion
To install the Tivoli Access Manager custom assertion:
  1. Open a privileged shell on the Gateway and stop these services:
    # service ras stop
# service ssg stop
  2. Navigate to the directory containing the custom assertion RPM file and run this command:
    # rpm –ivh ssg-tam-
    <version>
    .noarch.rpm
  3. Next, run the following commands:
    # touch /opt/SecureSpan/Gateway/runtime/ras/remote-asertions.log
# chown layer7.gateway /opt/SecureSpan/Gateway/runtime/ras/remote-asertions.log
# chmod g+w /opt/SecureSpan/Gateway/runtime/ras/remote-asertions.log
After installing the custom assertion, modify the TAM Agent properties.
Update TAM Agent Properties
After the TAM custom assertion is installed, edit the TAM Agent properties so that it recognizes the additional TAM instances.
To update the TAM Agent properties:
  1. Open the properties file in a text editor:
    /opt/SecureSpan/Gateway/node/default/etc/conf/tam_agent.properties
    The following is an example of the
    tam_agent_properties
     file:
    ###########################################################
    # This is the properties file used by the TAM agent       #
    # Change values as appropriate.                           #
    ###########################################################
    # The TAM Policy Director configuration file
    # Example: tam.pd.config.file.name=c:/ibm/wsdk_v51/appserver/java/jre/PdPerm.properties
    # tam.pd.config.file.name=/opt/ibm/java-x86_64-60/jre/PdPerm.properties
    tam.pd.config.file.name.inst1=/opt/ibm/java-x86_64-60/jre/inst1/PdPerm.properties
    tam.pd.config.file.name.inst2=/opt/ibm/java-x86_64-60/jre/inst2/PdPerm.properties
    # The time interval (ms) of updating the principal cache in RAS.
    # The expired principals are removed from the cache during the update.
    principal.cache.update.interval=5000
    # Specify the duration (ms) the principal is stored in the cache.
    principal.expiry.duration=30000
    #
    pdcontext.cache.expiry.duration=30000
  2. Comment out the original configuration (shown in red in the above sample file):
       #tam.pd.config.file.name=/opt/ibm/java-x86_64-60/jre/PdPerm.properties
  3. Add a line for each TAM instance (shown in blue in the above sample file). For the
    inst1
     and
    inst2
     example above, the lines would be (each entry is on one line):
       tam.pd.config.file.name.inst1=/opt/ibm/java-x86_64-60/jre/inst1/PdPerm.properties
       tam.pd.config.file.name.inst2=/opt/ibm/java-x86_64-60/jre/inst2/PdPerm.properties
    Make note of the instance names as they will be used in the Authenticate using Tivoli Access Manager Assertion in the Policy Manager.
  4. Save and close the properties file.
  5. Restart the “ras” and “ssg” services:
    # service ras start
# service ssg start
    To verify that a service has started correctly, run this command:
         # service
    <service_name>
     status

Content feedback and comments