Configure TAM Runtime Environment (Single Gateway Instance)

Once the Tivoli Access Manager Policy Director is installed, the next step is to configure the runtime component. This section describes how to configure the environment for a standalone (single instance) CA API Gateway. If you have a cluster of Gateways, see the instructions for multiple Gateways here.
If you only need a single Gateway instance but would like flexibility for the future, choose the multiple Gateway option and configure only a single instance for now.
IMPORTANT:
For the TAM access control to function properly, ensure that the Java Virtual Machine on each client machine points to the correct Access Manager Policy server.
To configure the TAM runtime environment for a single instance:
  1. Run the following commands:
    # export PATH=$PATH:/opt/ibm/java-x86_64-60/jre/bin
    # export CLASSPATH=/opt/PolicyDirector/java/export/pdjrte/PD.jar
    # java -Dfile.encoding=ISO8859-1 -Xnoargsconversion -cp $CLASSPATH -Dpd.home=/opt/PolicyDirector com.tivoli.pd.jcfg.PDJrteCfg -action status
    You will see the following message:
    HPDBF0030W The JRE (/opt/ibm/java-x86_64-60/jre) is not configured for the Tivoli Access Manager Runtime for Java
  2. Run the following command:
    # java -Dfile.encoding=ISO8859-1 -Xnoargsconversion -cp $CLASSPATH -Dpd.home=/opt/PolicyDirector com.tivoli.pd.jcfg.PDJrteCfg -action config -interactive
  3. Enter the appropriate values for your environment at the following configuration prompts:
    Specify the full path of the Java Runtime Environment (JRE) to configure for Tivoli Access Manager [/opt/ibm/java-x86_64-60/jre]:
    Enter 'full' or 'standalone' for the configuration type [full]:
    Enter the hostname of the Access Manager policy server [<ssg>.l7tech.com]:
    Enter the port number of the Access Manager policy server [7135]:
    Enter the Access Manager policy server domain [null]:
    You see the following message:
    Tivoli Common Directory logging is not configured. If you want to use Tivoli Common Directory logging, you must enable logging and specify a directory for log files. The directory will be created if it does not exist.
    Enter the appropriate value for your environment at the following logging configuration prompt:
        Do you want to use Tivoli Common Directory logging (y/n) [n]?
    If you respond "y", the following message displays:
    The default location of the Tivoli Common Directory is [/var/ibm/tivoli/common].
    When prompted, configure the log file location:
    Press enter to accept the default location, or type a different location and press enter:
    The following message is displayed:
    Log files for this application will be created in directory: /var/ibm/tivoli/common
    A message displays when the Java Access Runtime Manager installs successfully.
  4. Run the following commands:
    # java -Dfile.encoding=ISO8859-1 -Xnoargsconversion -cp $CLASSPATH -Dpd.home=/opt/PolicyDirector com.tivoli.pd.jcfg.PDJrteCfg -action status
    # chmod -R 755 /opt/ibm/java-x86_64-60/jre/PolicyDirector
    The following message displays:
    HPDBF0031E This Java Runtime Environment has already been configured.
You are now ready to register the TAM client.
Register TAM Client
To register the TAM client to the Policy Server:
  1. Run the following command to register the TAM client:
    # export JAVA_HOME=/opt/ibm/java-x86_64-60/jre
    # $JAVA_HOME/bin/java -Dpd.cfg.home=$JAVA_HOME com.tivoli.pd.jcfg.SvrSslCfg -action config \
        -domain $TAM_DOMAIN -mode $TAM_MODE -port 12347 \
        -admin_id $TAM_ADMIN_ID -admin_pwd $TAM_ADMIN_PASSWORD \
        -cfg_file $CFG_FILE -key_file $KEY_FILE -appsvr_id $APP_SVR_ID \
        -policysvr $TAM_POLICY_SERVER_IP:1 -authzsvr $TAM_POLICY_SERVER_IP:1
    Where:
    • "$TAM_DOMAIN" is always Default
    • "$TAM_MODE" is always remote
    • "$TAM_ADMIN_ID" is the username of the TAM administrator
    • "$TAM_ADMIN_PASSWORD" is the password of the TAM administrator
    • "$CFG_FILE" is $JAVA_HOME/PdPerm.properties
    • "$KEY_FILE" is $JAVA_HOME/pdperm.ks
    • "$APP_SVR_ID" is the unique name for your Gateway
    • "$TAM_POLICY_SERVER_IP" is the IP address of your TAM policy server
  2. Run the following commands to set the correct permissions:
    # chmod 644 /opt/ibm/java-x86_64-60/jre/PdPerm.properties
    # chmod 644 /opt/ibm/java-x86_64-60/jre/pdperm.ks
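The two procedures above (runtime configuration and client registration) are easy to run twice by accident and hard to verify by eye. The following POSIX sh helpers are an added example, not code from the CA API Gateway documentation or from IBM: they classify the PDJrteCfg status message so that configuration runs only when the JRE still reports HPDBF0030W, refuse to call SvrSslCfg until every variable from the "Where:" list is set, and check that PdPerm.properties and pdperm.ks end up with the 644 mode from step 2. The JRE and Policy Director paths, the message codes and the variable names are taken from the steps above; the ":1" suffix on the policy and authorization server arguments is reproduced as the page gives it.

```shell
#!/bin/sh
# Added example (not from the CA API Gateway or IBM documentation): helpers that make
# the TAM runtime configuration and client registration repeatable and checkable.
# Assumed: paths and message codes as in the procedure above.

TAM_JRE="${TAM_JRE:-/opt/ibm/java-x86_64-60/jre}"
PD_HOME="${PD_HOME:-/opt/PolicyDirector}"
PD_JAR="$PD_HOME/java/export/pdjrte/PD.jar"

# Run the PDJrteCfg tool with the same JVM flags as the procedure; stderr is merged
# into stdout because the HPDBF messages are what we classify.
pdjrtecfg() {
    "$TAM_JRE/bin/java" -Dfile.encoding=ISO8859-1 -Xnoargsconversion \
        -cp "$PD_JAR" -Dpd.home="$PD_HOME" com.tivoli.pd.jcfg.PDJrteCfg "$@" 2>&1
}

# Classify "PDJrteCfg -action status" output read on stdin.
# Prints: unconfigured (HPDBF0030W), configured (HPDBF0031E) or unknown.
# Returns 1 when neither message code is present so callers never guess.
classify_jrte_status() {
    out=$(cat)
    case "$out" in
        *HPDBF0031E*) echo configured ;;
        *HPDBF0030W*) echo unconfigured ;;
        *) echo unknown; return 1 ;;
    esac
}

# Return 1 (listing the names on stderr) if any named variable is unset or empty.
# Names are literal identifiers from this script, so the eval is safe here.
require_vars() {
    missing=""
    for name in "$@"; do
        eval "val=\${$name:-}"
        [ -n "$val" ] || missing="$missing $name"
    done
    [ -z "$missing" ] || { echo "missing variables:$missing" >&2; return 1; }
}

# Check that a file exists and has exactly the expected octal mode (e.g. 644).
# Tries GNU stat first, then the BSD form.
check_mode() {
    file=$1; want=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    have=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    [ "$have" = "$want" ] || { echo "$file has mode $have, expected $want" >&2; return 1; }
}

# Steps 1-4 of "Configure TAM Runtime Environment", run only while still unconfigured.
# Prints the final state so the caller can confirm it reads "configured".
configure_runtime() {
    state=$(pdjrtecfg -action status | classify_jrte_status) || return 1
    if [ "$state" = unconfigured ]; then
        pdjrtecfg -action config -interactive
        chmod -R 755 "$TAM_JRE/PolicyDirector"
    fi
    pdjrtecfg -action status | classify_jrte_status
}

# "Register TAM Client": SvrSslCfg with the variables from the "Where:" list,
# followed by the permission fix and a verification of the result.
register_client() {
    require_vars TAM_ADMIN_ID TAM_ADMIN_PASSWORD APP_SVR_ID TAM_POLICY_SERVER_IP || return 1
    "$TAM_JRE/bin/java" -cp "$PD_JAR" -Dpd.cfg.home="$TAM_JRE" com.tivoli.pd.jcfg.SvrSslCfg \
        -action config -domain "${TAM_DOMAIN:-Default}" -mode "${TAM_MODE:-remote}" -port 12347 \
        -admin_id "$TAM_ADMIN_ID" -admin_pwd "$TAM_ADMIN_PASSWORD" \
        -cfg_file "$TAM_JRE/PdPerm.properties" -key_file "$TAM_JRE/pdperm.ks" \
        -appsvr_id "$APP_SVR_ID" \
        -policysvr "$TAM_POLICY_SERVER_IP:1" -authzsvr "$TAM_POLICY_SERVER_IP:1"
    chmod 644 "$TAM_JRE/PdPerm.properties" "$TAM_JRE/pdperm.ks"
    check_mode "$TAM_JRE/PdPerm.properties" 644 && check_mode "$TAM_JRE/pdperm.ks" 644
}
```

Source the file in a privileged shell on the Gateway and call configure_runtime, then register_client with the TAM_* and APP_SVR_ID variables exported; check_mode can also be run on its own after the fact, which is useful because pdperm.ks holds the client's SSL credentials and an unexpected mode on it is worth noticing.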
You can now install the Tivoli Access Manager custom assertion on the Gateway.
Install TAM Custom Assertion
To install the Tivoli Access Manager custom assertion:
  1. Open a privileged shell on the Gateway and stop these services:
    # service ras stop
    # service ssg stop
  2. Navigate to the directory containing the custom assertion RPM file and run this command:
    # rpm -ivh ssg-tam-<version>.noarch.rpm
  3. Next, run the following commands:
    # touch /opt/SecureSpan/Gateway/runtime/ras/remote-asertions.log
    # chown layer7.gateway /opt/SecureSpan/Gateway/runtime/ras/remote-asertions.log
    # chmod g+w /opt/SecureSpan/Gateway/runtime/ras/remote-asertions.log
  4. Restart the "ras" and "ssg" services:
    # service ras start
    # service ssg start
    To verify that a service has started correctly, run this command:
    # service <service_name> status