BEA WebLogic Server XΓU -...

IBM Tivoli Access Manager for e-business BEA WebLogic Server πXΓU 5.1 SC40-1922-00


Page 1: BEA WebLogic Server XΓU - IBMpublib.boulder.ibm.com/tividd/td/ITAME/SC32-1366-01/zh_TW/PDF/am51_wls_guide.pdfw∩ ® IBM ®Tivoli Access Manager for BEA WebLogic Server®]HU Tivoli

IBM Tivoli Access Manager for e-business

BEA WebLogic Server πXΓU

5.1

SC40-1922-00


ΩTMªΣúeA²\¬ 57² C, yNzñΩTC

@]2003 11 δ

úDstⁿAhA≤ IBM Tivoli Access Manager]ús 5724-C08 5.1.0 AHß≥MqC

© Copyright International Business Machines Corporation 2003. All rights reserved.


²

eÑ
A∩H
e
X
ΩT
≥ΩT
Web wΩT
íoΓU
NR
÷X
uWsX
≤Uuπ
pnΘΣñ
ñD
rΘD
@ttº

1 º[
Tivoli Access Manager w¼
πX Tivoli Access Manager WebLogic Server
Tivoli Access Manager wA≤
íphMñΓ
ΩMñΓ
Tivoli Access Manager w
ΘxOⁿPf
iaBiMi

2 wⁿ
Σ¡x
MOΘD
nΘ
Tivoli Access Manager Policy Server
Tivoli Access Manager Authorization Server
Tivoli Access Manager WebSEAL Tivoli Access Manager Plug-in for Web Server
BEA WebLogic Server
Tivoli Access Manager Java ⌡µ
wδFiµw@
install_amwls ∩
Qlíiµw@
b AIX Ww
b HP-UX Ww
b Solaris Ww
b Windows Ww

3 tm
1 gGtm Tivoli Access Manager Java ⌡µ⌠
2 gG]w startWebLogic CLASSPATH
3 gGtm Tivoli Access Manager for WebLogic
Dx Web ítm Tivoli Access Manager for WebLogic
qⁿOµtm Tivoli Access Manager for WebLogic
4 gGtm Tivoli Access Manager Γ


Dx Web ítm Tivoli Access Manager Γ
qⁿOµtm Tivoli Access Manager Γ
5 gGtm BEA WebLogic Server µ@nJ
WebSEAL Xtmµ@nJ
Tivoli Access Manager Plug-in for Web Server tmµ@nJ
6 gGb BEA WebLogic Server h°A⌠U]]AO⌠tm Tivoli Access Manager for WebLogic
7 gGtm

4 µ@nJ
H Tivoli Access Manager WebSEAL iµµ@nJ

5 z@
b Tivoli Access Manager Authorization Server vA
H Tivoli Access Manager for WebLogic zMs
dí
knZ
TnJh
Rú Tivoli Access Manager Γ
°tm Tivoli Access Manager for WebLogic
°nZ
Mϕ¼nJoµ@nJó
WebLogic Server ßXOΘº¼p
¡ε
wDMµMΦk

6 úⁿ
q Solaris ú
q Windows ú
q AIX ú
q HP-UX ú

² A. e
amsspi.properties
rbpf.properties
amwlsjlog.properties

² B. ⁿOt
AMWLSConfigure –action config
AMWLSConfigure –action unconfig
AMWLSConfigure –action create_realm
AMWLSConfigure –action delete_realm

² C. N

Wⁿ


w∩ IBM® Tivoli® Access Manager for BEA® WebLogic Server®]HU Tivoli

Access Manager for WebLogicCúXRF IBM Tivoli Access ManagerAHΣ

w∩ BEA WebLogic Server gíC

IBM® Tivoli® Access Manager (Tivoli Access Manager) O IBM Tivoli Access Manager

úXñA⌡µí≥ªnΘCªπXF IBM Tivoli Access Manager

íAHúsxvzMΦCoúOHπXíMΦíP

ΓAªαúsεzMΦAñzqlí⌠⌠M

íwhC

: IBM Tivoli Access Manager O²eW½ºnΘ Tivoli SecureWay® Policy Director

sWCPA∩⌠x Tivoli SecureWay Policy Director nΘPσ≤

ÑAz°A Policy ServerC

IBM Tivoli Access Manager for WebLogic Server ΓUiú IBM Tivoli Access

Manager M BEA WebLogic Server ΓftwBtmMzⁿC

A∩H

zΓUA∩HG

v wz

v ⌠⌠tz

v IT ]p

¬⌠xG

v ⌠⌠⌠qT≤wA]A HTTPBTCP/IPBαeqT≤w (FTP) M Telnet

v ípz WebLogic Server t

v wzA]AwPv

pGzΓ Secure Sockets Layer (SSL) qTAz⌠x SSL qT≤wB≈

µ½]MpKBB[KtΓkHzñC

e

σ≤]tUC G

v 1 uº[v

e Tivoli Access Manager for WebLogic úwvAíº[C

v 2 uwⁿv

íp≤w Tivoli Access Manager for WebLogicC

v 3 utmv

íp≤tm Tivoli Access Manager for WebLogicC


v uz@v

íp≤díAHúknZB°ΩTM¡εC

v 5 uúⁿv

íp≤ú Tivoli Access Manager for WebLogicC

X

\ Tivoli Access Manager íwByH÷yíAΣXzo

yCΣXnyºßAA\suWⁿC

ΣL÷ IBM Tivoli Access Manager for e-business ú¡ΩTAibUC⌠

ñoG

http://www.ibm.com/software/tivoli/products/access-mgr-e-bus/

Tivoli Access Manager w¿UCG

v yΩTz

v y≥ΩTz

v yWeb wΩTz

v viiyíoΓUz

v viiiyNRz

ΩT

v IBM Tivoli Access Manager for e-business ²\¬ (GI10-2757-00)

úwl Tivoli Access Manager ΩTC

v IBM Tivoli Access Manager for e-business N (GI11-4156-00)

úsΩTApnΘ¡εBµMΦkMíσ≤≤sC

≥ΩT

v IBM Tivoli Access Manager ≥wΓU (SC40-1919-00)

íp≤wMtm Tivoli Access Manager ≥nΘA]A Web Portal Manager

bCO IBM Tivoli Access Manager for e-business Web Security wΓU

@íAOMw∩ftΣL Tivoli Access Manager úgAp IBM Tivoli

Access Manager Ow∩πXgA IBM Tivoli Access Manager Ow∩@

tgC

v IBM Tivoli Access Manager ≥zΓU (SC32-1360-00)

í Tivoli Access Manager AºMCúq Web Portal Manager

M pdadmin ⁿO⌡µ@ⁿC

Web wΩT

v IBM Tivoli Access Manager for e-business Web Security wΓU (SC40-1920-00)


ú Tivoli Access Manager ≥nΘH Web w≤wBtmMúⁿC

O IBM Tivoli Access Manager ≥wΓU@íC

v IBM Tivoli Access Manager ΓU (SC32-1369-00)

íp≤q Tivoli SecureWay Policy Director 3.8 Tivoli Access ManagerA

Tivoli Access Manager 5.1 C

v IBM Tivoli Access Manager for e-business WebSEAL zΓU (SC32-1359-00)

ú WebSEAL zzw Web ⌠ΩIΩBzM

NΩTC

v IBM Tivoli Access Manager for e-business IBM WebSphere Application Server πX

ΓU (SC40-1921-00)

úwBúMzⁿAΓ Tivoli Access Manager M IBM WebSphere ®

Application Server πXC

v IBM Tivoli Access Manager for e-business IBM WebSphere Edge Server πXΓU

(SC32-1367-00)

úwBúMzⁿAΓ Tivoli Access Manager M IBM WebSphere Edge

Server íπXC

v IBM Tivoli Access Manager for e-business Plug-in for Web Servers πXΓU

(SC40-1924-00)

ú plug-in for Web Server O@ Web ⌠wⁿBzMN

ΩTC

v IBM Tivoli Access Manager for e-business BEA WebLogic Server πXΓU

(SC40-1922-00)

úwBúMzⁿAΓ Tivoli Access Manager M BEA WebLogic Server π

XC

v IBM Tivoli Access Manager for e-business IBM Tivoli Identity Manager Provisioning

tJΓU (SC32-1364-00)

ú÷πX Tivoli Access Manager M Tivoli Identity Manager @º[AB

íp≤Mw Provisioning Fast Start XC

íoΓU

v IBM Tivoli Access Manager for e-business Authorization C API Developer Reference

(SC32-1355-00)

úíp≤ Tivoli Access Manager v C API M Tivoli Access Manager A

PlugIn Abí[J Tivoli Access Manager wO@ΩC

v IBM Tivoli Access Manager for e-business Authorization Java Classes Developer Reference

(SC32-1350-00)

ú Java™ yÑv API Ω@A²íiH Tivoli Access Manager

wΩTC


v IBM Tivoli Access Manager for e-business Administration C API Developer Reference

(SC32-1357-00)

ú÷z API ²íiH⌡µ Tivoli Access Manager z@

ΩTCσ≤íz API C Ω@C

v IBM Tivoli Access Manager for e-business Administration Java Classes Developer

Reference (SC32-1356-00)

ú Java yÑz API Ω@A²íiH⌡µ Tivoli Access Manager

z@ΩTC

v IBM Tivoli Access Manager for e-business Web Security Developer Reference

(SC32-1358-00)

ú≤⌠OA (CDAS)B≤⌠∩M[c (CDMF) MKXjzM

í]pΩTC

NR

v IBM Tivoli Access Manager for e-business ⁿOΓU (SC32-1354-00)

ú Tivoli Access Manager úⁿOµí Script ÷ΩTC

v IBM Tivoli Access Manager Tº (SC32-1353-00)

ú Tivoli Access Manager úºTºíM@C

v IBM Tivoli Access Manager for e-business DPwΓU (SC32-1352-00)

ú Tivoli Access Manager DPwΩTC

v IBM Tivoli Access Manager for e-business απΓU (SC32-1351-00)

ú Tivoli Access Manager Pwqn² IBM Tivoli Directory Server

¿º⌠ απΩTC

÷X

CXP Tivoli Access Manager w÷XC

Tivoli Software Library ú\h Tivoli XApBΩϕµBd

ΩB⌡HiHC Tivoli Software Library iHbHU⌠ΣG

http://www.ibm.com/software/tivoli/library/

Tivoli Software Glossary ]AP Tivoli nΘ÷\hNywqC Tivoli nΘWⁿ

uσAziHq Tivoli nΘw⌠ http://www.ibm.com/software/tivoli/library/ ¬

Σ Glossary oC

IBM Global Security Kit

Tivoli Access Manager iH IBM Global Security Kit (GSKit) 7.0 AúΩ

[K\αC GSKit OHbSw¡xM IBM Tivoli Access Manager Base CD ñA

H IBM Tivoli Access Manager Web Security CDB IBM Tivoli Access Manager Web

Administration Interfaces CD M IBM Tivoli Access Manager Directory Server CD ñC


GSKit M≤iú iKeyman ≈zí gsk7ikmA²z#≈ΩwBpK≈t∩MnDCUCσ≤ib Tivoli Information Center ⌠ñoAP IBM

Tivoli Access Manager úíσ≤bP@qG

v IBM Global Security Kit Secure Sockets Layer M iKeyman ΓU (SC40-1923-00)

NúΩTpebΣ Tivoli Access Manager ⌠ñ SSL qT⌠⌠t

wzC

IBM Tivoli Directory Server

IBM Tivoli Directory Server 5.2 OHbz@tM IBM Tivoli Access

Manager Directory Server CD ñC

: IBM Tivoli Directory Server OºeoµnΘsWAªWOG

v IBM Directory Server]4.1 M 5.1

v IBM SecureWay Directory Server]3.2.2

IBM Directory Server 4.1 BIBM Directory Server 5.1 M IBM Tivoli Directory Server

5.2 íúb IBM Tivoli Access Manager 5.1 Σd≥C

ΣL÷ IBM Tivoli Directory Server ΩTA\G

http://www.ibm.com/software/network/directory/library/

IBM DB2 Universal Database

IBM DB2® Universal Database™ Enterprise Server Edition 8.1 OHb IBM Tivoli

Access Manager Directory Server CD ñAP IBM Tivoli Directory Server nΘ@w

Cϕz IBM Tivoli Directory ServerBz/OS™ OS/390® LDAP °A@ Tivoli

Access Manager n²A DB2C

ΣL÷ DB2 ΩTA\G

http://www.ibm.com/software/data/db2/

IBM WebSphere Application Server

IBM WebSphere Application Server Advanced Single Server Edition 5.0 OHb

@tM IBM Tivoli Access Manager Web z CD ñC WebSphere

Application Server Σ Web Portal Manager ]z Tivoli Access Manager

M Web zuπ]z IBM Tivoli Directory ServerC Tivoli Access Manager

] IBM WebSphere Application Server Fix Pack 2AªOHb IBM Tivoli

Access Manager WebSphere Fix Pack CD ñC

ΣL÷ IBM WebSphere Application Server ΩTA\G

http://www.ibm.com/software/webservers/appserv/infocenter.html

IBM Tivoli Access Manager for Business Integration

IBM Tivoli Access Manager for Business Integration OiHOqúAªú IBM

MQSeries® 5.2 IBM WebSphere® MQ 5.3 TºwMΦC IBM Tivoli

Access Manager for Business Integration i² WebSphere MQSeries íP

e¼í÷p≈AeπpKπΩCN WebSEAL


M IBM Tivoli Access Manager for Operating Systems @A IBM Tivoli Access Manager

for Business Integration ]OΣñ@ IBM Tivoli Access Manager AΩ

zíC

ΣL÷ IBM Tivoli Access Manager for Business Integration ΩTA\G

http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/

UOP IBM Tivoli Access Manager for Business Integration 5.1 ÷σ≤Ai

b Tivoli Information Center ⌠ñoG

v IBM Tivoli Access Manager for Business Integration zΓU (SC23-4831-01)

v IBM Tivoli Access Manager for Business Integration DPwΓU (GC23-1328-00)

v IBM Tivoli Access Manager for Business Integration N (GI11-0957-01)

v IBM Tivoli Access Manager for Business Integration Read This First (GI11-4202-00)

IBM Tivoli Access Manager for WebSphere Business Integration Brokers

IBM Tivoli Access Manager for WebSphere Business Integration Brokers O IBM Tivoli

Access Manager for Business Integration @íAiú WebSphere Business Integration

Message Broker 5.0 M WebSphere Business Integration Event Broker 5.0 w

MΦC IBM Tivoli Access Manager for WebSphere Business Integration Brokers h

P Tivoli Access Manager X@A@PúKXM¼OBñwqvH

fAA@PO@ JMS publish/subscribe íwC

ΣL÷ IBM Tivoli Access Manager for WebSphere Integration Brokers ΩTA

\G

http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/

UOP IBM Tivoli Access Manager for WebSphere Integration Brokers, 5.1 ÷

σ≤Aib Tivoli Information Center ⌠ñoG

v IBM Tivoli Access Manager for WebSphere Business Integration Brokers zΓU

(SC32-1347-00)

v IBM Tivoli Access Manager for WebSphere Business Integration Brokers N

(GI11-4154-00)

v IBM Tivoli Access Manager for Business Integration Read This First (GI11-4202-00)

IBM Tivoli Access Manager for Operating Systems

IBM Tivoli Access Manager for Operating Systems OiHOqúCúFl

@túvh$Aªb UNIX tWúvh[jhCIBM Tivoli

Access Manager for Operating Systems N WebSEAL M IBM Tivoli Access Manager

for Business Integration @AOΣñ@ IBM Tivoli Access Manager AΩ

zíC

ΣL÷ IBM Tivoli Access Manager for Operating Systems ΩTA\G

http://www.ibm.com/software/tivoli/products/access-mgr-operating-sys/


UOP IBM Tivoli Access Manager for Operating Systems 5.1 ÷σ≤Aib

Tivoli Information Center ⌠ñoG

v IBM Tivoli Access Manager for Operating Systems wΓU (SC23-4829-00)

v IBM Tivoli Access Manager for Operating Systems zΓU (SC23-4827-00)

v IBM Tivoli Access Manager for Operating Systems DPwΓU (SC23-4828-00)

v IBM Tivoli Access Manager for Operating Systems N (GI11-0951-00)

v IBM Tivoli Access Manager for Operating Systems Read Me First (GI11-0949-00)

IBM Tivoli Identity Manager

IBM Tivoli Identity Manager 4.5 Ot$qúAi²zñz]pA

ID MKXM@]τYú°íBΩ@ts

vC Tivoli Identity Manager iHQ Tivoli Access Manager AgentAP Tivoli Access

Manager πXb@CΣL÷R Agent ΩTApz IBM NϕC

÷ IBM Tivoli Identity Manager ΣLΩTA\G

http://www.ibm.com/software/tivoli/products/identity-mgr/

uWsX

ziHbuWoúºiΓíσ≤µí (PDF) WσrOyÑ (HTML) µí

XF]iHb Tivoli nΘw (http://www.ibm.com/software/tivoli/library) ooΓ

µíXC

pGnbnΘwñMΣúXA÷@UnΘw¬Σ Product manuals CMßb Tivoli nΘΩTñWMΣB÷@UúWC

úX]AFNBwΓUBΓUBzΓUHío

C

: pGnTO PDF yoHCLA∩ Adobe Acrobat CL°íñAj

p∩]zun÷@U → CLANXo∩C

≤Uuπ

≤UuπSΓiUµúK°Ñ¡ΘQnΘúC

úAziHQ≤UNAaÑs²Cz]iHΣLN½@

í\αC

pnΘΣñ

bzV IBM Tivoli nΘΣñDºeA²÷@UUC⌠ Tivoli supportA\ IBM Tivoli nΘΣñ⌠C⌠G

http://www.ibm.com/software/support/

pΣL≤UAHU⌠ñ IBM nΘΣñΓUíΦkApnΘΣ

ñG http://techsupport.services.ibm.com/guides/handbook.html

ΓUúHUΩTG

v ⁿΣnOPΩµnD


v qXA°zbΩaaw

v bzpßΣñºe¼ΩTMµ

ñD

SϕNyB@HtúPⁿO⌠DC

rΘD

UCrΘDG

Θ gΣσrB÷ΣrBB∩BJava ¼WH½≤ñ°Hpgⁿ

OjpgVXⁿOAHΘC

Θ BXDSϕrⁿyHΘ[HjC

Ñe gΣσrBtTºBΣJσrAH ⁿO∩ ñ°

HíXdB@δⁿOBeΘXBM'²WAíHÑe

C

@ttº

UNIX Dⁿw⌠AHϕ'²Cb Windows ⁿOµA

Γ $variable ½¿ %variable% @⌠ABΓ'²⌠ñC@(u (/)

½¿!u (\)CpGzO Windows tñ Bash ShellANiH UNIX D

C


1 º[

Tivoli Access Manager for WebLogic O Tivoli Access Manager AªiHQ

Tivoli Access Manager wSAO@ BEA WebLogic Server ís@C

Tivoli Access Manager for WebLogic b BEA WebLogic Server wA

AOH Tivoli Access Manager zn²Oß CziH

IBM Tivoli Access Manager WebSEAL (WebSEAL) IBM Tivoli Access Manager

Plug-in for Web ServerA Tivoli Access Manager for WebLogic wSA

Σ@δiµµ@nJC

Tivoli Access Manager for WebLogic i² WebLogic Server í Tivoli Access

Manager wAún≤⌠≤sXípC

úLbw Tivoli Access Manager for WebLogic ºeA²íp Tivoli Access

Manager w⌠C

bípw⌠ºeATivoli Access Manager n²\ Tivoli Access Manager

w¼AziH\ow¼uKnC

Tivoli Access Manager w¼

Tivoli Access Manager O@πvP⌠⌠whzMΦAiM¼Ua

°í⌠⌠M°$í⌠⌠Ωú ∩ O@C

Tivoli Access Manager t²iwhzC$AªiΣwBvBΩ

wMΩzÑ\αCziHN Tivoli Access Manager M⌠⌠⌠¼

í@AHm¬wPz°í⌠⌠$í⌠⌠C

Tivoli Access Manager iúUC\αG

v w[c

Tivoli Access Manager ΣO≈εϕsxAΣñ]AGB≥Bϕ

µM HTTP YC

v v[c

Tivoli Access Manager úvhz[cCvhOñzM t

eA²zs°UBΩIIC Tivoli Access Manager vAiHw∩l

Tivoli Access Manager °AM≤OtísnDAú#\MM

ªC

WebSEAL O≤ Web ¼Ω Tivoli Access Manager ΩwzíCWebSEAL

O@¬ αBh½⌡µⁿ Web °AAHNwqδwM!ⁿO@

Web ΩC

FúπwMΦ Web ΩATivoli Access Manager Plug-in for Web

Server πXF Tivoli Access ManagerC $íOϕ@z Web °AP@Bz

@í≈@AªIC@ΦFnDBPwOnvMªAH

núwΦkC


Tivoli Access Manager Plug-in for Web Server M WebSEAL iHúµ@nJMΦ

ABΓ Web íΩJΣwhñC

ziH\ IBM Tivoli Access Manager íσ≤A≤h÷ Tivoli Access

Manager ΩTA]AXípMªΩTCeÑCF@≈÷ Tivoli Access

Manager σ≤MµC

πX Tivoli Access Manager WebLogic Server

Tivoli Access Manager for WebLogic 5.1 ΣG

v BEA WebLogic Server 7.0 SP2

v BEA WebLogic Server 8.1 SP1

Tivoli Access Manager for WebLogic 5.1 OwA (SSPI)A

BEA WebLogic Server úπw[cC

: Tivoli Access Manager for WebLogic 5.1 úΣ BEA WebLogic Server q

ΓC Tivoli Access Manager for WebLogic 4.1 $Σ BEA WebLogic Server

qΓC

BEA WebLogic Server ú SSPI ≤OtwΣ]p Tivoli Access

Manager for WebLogicAΓwSⁿX BEA WebLogic Server [cñC

Tivoli Access Manager wA≤

Tivoli Access Manager for WebLogic m½HC@ BEA WebLogic Server w⌠

#w]wΓABúUC BEA WebLogic Server wG

v OΣ

v vΣ

v ñΓ∩MΣ

Tivoli Access Manager for WebLogic w] BEA WebLogic Server ∩M

wΣMw]≈xswC

WCC@ΣA]t@z Bean (MBean)AiHzL WebLogic D

xsΦtmCUX NíoΣM MBean ú\αC

Tivoli Access Manager ú BEA WebLogic Server UCπXIG

Tivoli Access Manager for WebLogic OΣiΩ@ BEA WebLogic Server

íOCbíOñABEA WebLogic Server OHWMKXXO

CoWMKXXAhO Tivoli Access Manager Q Tivoli Access

Manager Java ⌡µ≤[HdC

Tivoli Access Manager for WebLogic ]úª vnJAú WebSEAL

Tivoli Access Manager Plug-in for Web Server µ@nJ\αC÷µ@nJ

\αΩTA\ 27 4 , yµ@nJzC

Tivoli Access Manager for WebLogic OΣOUC≤¿G

v OΣ


ªiHΓ IBM Tivoli Access Manager for WebLogic Server OΣπX

WebLogic w[cñC

v Java OMvA (JAAS) nJ

O⌡µíµ@nJOC JAAS nJ"@DDADDt

ΩO JAAS ⁿwDΘC Tivoli Access Manager for WebLogic ú

ª vnJAhOQ Tivoli Access Manager Java ⌡µ≤A

∩ Tivoli Access Manager Authorization Server O v¡C

v O MBean

ªiHzL WebLogic DxtmOΣCP]²⌡µn²

z@ApA Tivoli Access Manager for WebLogic DxsWMR

úC

vΣib BEA WebLogic Server M$ívAºíú@AªiH

Mw&O BEA WebLogic Server ΩsvCsMªOQH Tivoli

Access Manager Java ⌡µ≤e PDPermission OXC

Tivoli Access Manager for WebLogic vΣOUC≤¿C

v vΣ

ªiHΓvΣπX WebLogic w[cñCúFε BEA WebLogic

Server Ωsvº$A Tivoli Access Manager for WebLogic vΣ]t

dΓhíp Tivoli Access Manager ½≤íABq Tivoli Access Manager ½

≤íúhC

v v MBean

ªiHzL WebLogic DxtmvΣCz]iHIsª⌡µY@

ApAzL WebLogic Dx#MRúhC

ñΓ∩MΣ

ñΓ∩MΣ'AOb BEA WebLogic Server HtdzñΓ$ív

Aºíú@CñΓ∩MΣO½bñΓúOhAßOvΣ

d⌠C

ñΓ∩MΣOUC≤¿G

v ñΓ∩MΣC

ªiHΓñΓ∩MΣπX WebLogic w[cñC Tivoli Access Manager

for WebLogic ñΓ∩MΣd⌠OípMúñΓC

v ñΓ∩M MBeanC

ªiHzL WebLogic DxtmñΓ∩MΣCz]iHIsª⌡µY

@ApAzL WebLogic DxRúñΓAH#M≤sñΓ¿ΩµC


íphMñΓ

hMñΓiHbípyzlñwqA]iHzL WebLogic Dx[H#Cbíp

J2EE íAíípyzlwqñΓMhAX Tivoli Access

Manager ⁿO@½≤íC

÷MziH Tivoli Access Manager zí pdadmin Tivoli Access

Manager Web Portal Manager #hA²Onúno≥Cb Tivoli

Access Manager for WebLogic BEA WebLogic Server ºeA@wnb Tivoli Access

Manager #@w]hCo@Obtm Tivoli Access Manager for WebLogic

⌡µ — ÷ Tivoli Access Manager for WebLogic tm@ΩTA\

17 3 , ytmzC

ΩMñΓ

BEA WebLogic Server iwq@úPΩ¼Ao¼ Tivoli Access Manager

for WebLogic úΣCb Tivoli Access Manager for WebLogic ϕñAΩ

¼úQ°@A]w∩. BEA WebLogic Server #sΩ¼A]

ΣC

w∩Ω¼wqhPñΓAúOHPΦíAxsb Tivoli Access

Manager ⁿO@½≤íñC

UO'ebΣd≥ABiHⁿO@ BEA WebLogic Server ΩG

v zΩ

v íΩ

v COM Ω

v EIS Ω

v EJB Ω

v JDBC Ω

v JMS Ω

v °AΩ

v URL Ω

v Web AΩ

b Tivoli Access Manager ⁿO@½≤íñΩAOHUCµíϕG

/WebAppServer/WLS/Resources/wls_domain/wls_realm/resource_type/Details

b Tivoli Access Manager ⁿO@½≤íññΓAOHUCµíϕG

/WebAppServer/WLS/Roles/wls_domain/wls_realm/role_name/AppName

o Tivoli Access Manager ⁿO@½≤xsWAiQH Tivoli Access Manager

for WebLogic tme[HtmC] BEA WebLogic Server ΣL

í°AAúiHtmP@ Tivoli Access Manager ⌠ñCo≥@ANiH

í°A¼ñΓMh#ñímFC

Tivoli Access Manager w

Tivoli Access Manager iHú∩$ííwCO$í

A⌡α WebSEAL Tivoli Access Manager Plug-in for Web Server µ@


nJ\αCpGnFzQ⌠⌠wO@AC@zL WebSEAL Tivoli Access

Manager Plug-in for Web ServerAq$í¼snD WebLogic ServerAú

úⁿ ísnDCUCX Níp≤Bz$íí

wC

H WebSEAL Oí

Uπp≤Bz $íAHsⁿO@ΩºnD¼C

Uo≈MµíFWBzC

1. $ínDsⁿO@ΩCbiJ°w⌠⌠ºeA WebSEAL ²

¼onDC

2. WebSEAL b Tivoli Access Manager w⌠ñInDABO

C

WebSEAL ΣUCwΦkGWKXBBW RSA

SecureIDA qw≈εC

WebSEAL nD URL Tivoli Access Manager shAMª v

vMªCWebSEAL iHMpbß BΘíAHw≈εÑN

C

3. URL nD@1≥ovAWebSEAL KNªαe WebLogic °AC

nD]A≥wY$íWSϕKXCSϕKXO≤ sso_userA

ªiH²wAT WebSEAL OnDIC

p sso_user ÷ΩTA\ 17 3 , ytmzC

4. WebLogic °AHzqΦíAΓgLO¡MKXAwA

C

5. wA Tivoli Access Manager OAAτ WebSEAL

úKXAOA≤Wú sso_userCτYAoKXúH⌠≥ªAⁿ

XnDIO WebSEALC

1. Tivoli Access Manager ú$íµ@nJw


bwnvnDC

UdAOp≤Bz.zL WebSEAL plug-in wO@íúXA

HsⁿO@ΩºnD¼C

Uo≈MµíFWBzC

1. ínDsⁿO@ΩC

2. WebLogic ¡≈OΓ¡AwAC

3. wAΓOnDn²C

pGw¿\AwAKΓW WebLogic °AA

@gLwC

4. FviµnDABEA WebLogic Server d Tivoli Access Manager for

WebLogic vΣAhtdMw'egLO]]\.g

LOAOvsnDΩC

sv¡Oz∩ Tivoli Access Manager Authorization Server IsMwA Tivoli

Access Manager Authorization Server ∩≥vsΩñΓABMwO

nΓΣñ@ñΓA&'egLOC

ΘxOⁿPf

Tivoli Access Manager for WebLogic ñΘxOⁿAOH Tivoli Access Manager Java

⌡µ≤e IBM JLog OtdBzCziH Tivoli Access Manager for

WebLogic H Tivoli Access Manager for WebLogic M JLog eAtm² JLog

O BEA WebLogic Server OⁿOCo≥@ATivoli Access Manager for

WebLogic NiHΓ≤Oⁿ WebLogic ΘxFC

2. uTivoli Access Manager qΓvúíw


iaBiMi

Tivoli Access Manager for WebLogic O Tivoli Access Manager Java ⌡µ

O@ Tivoli Access Manager ⁿO@½≤ΩwMn²Cí Tivoli Access

Manager for WebLogic OΘhMwOn[js αC

Tivoli Access Manager Java ⌡µOΣ Tivoli Access Manager Authorization Server

CpGDn Authorization Server GFAN n°AC

zb⌠]ws acld M Tivoli Access Manager for WebLogic v

AC

ziH Tivoli Access Manager for WebLogic H Tivoli Access Manager Policy

Server Tivoli Access Manager Authorization Server vAAXsMªC

≤ αDMµ@óItGATivoli Access Manager Policy Server tmuαb

⌠CvAOMú⌠oCpi@BΩTA\

29yb Tivoli Access Manager Authorization Server vAzC


2 wⁿ

tUCDDG

v yΣ¡xz

v yMOΘDz

v 10ynΘz

v 11ywδFiµw@z

v 14yQlíiµw@z

Σ¡x

Tivoli Access Manager for WebLogic 5.1 ΣG

v BEA WebLogic Server 7.0 SP2

v BEA WebLogic Server 8.1 SP1

Tivoli Access Manager for WebLogic úΣ qΓAOΣ BEA

WebLogic Server wA (SSPI)C

UC@tΣ Tivoli Access Manager for WebLogicG

v IBM AIX 5.1

v Sun Solaris 8 M 9

v Hewlett-Packard HP-UX 11.0 M 11i]¡≤ BEA WebLogic Server 7.0

v Microsoft Windows 2000 Server M Advanced Server (Service Pack 3)

: Tivoli Access Manager for WebLogic Σ Java 2 Security Manager tC

nΘHF@ Java hAΣñt Java 2 Security Manager SwíXw

u@\ivC

MOΘD

Tivoli Access Manager for WebLogic πUCOΘDG

v 64 MB RAMA 128 MBC

oOúF BEA WebLogic Server ⌠≤ΣL Tivoli Access Manager ≤ⁿw

OΘDH$AnOΘqCt$ 64 MB RAM o

αC

ΣL Tivoli Access Manager ≤OΘqM≤wwbD≈tW

Tivoli Access Manager ≤wCp÷ΩTA\ IBM Tivoli Access Manager

≥wΓUC

v 2 MB íA 4 MBC

úF BEA WebLogic Server íAH⌠≤ΣL Tivoli Access Manager

≤í$AnoíC


v 5 MB íAs±ΘxC

oObnΘ≤nH$íC

pGnQaw Tivoli Access Manager for WebLogicAnUCU ñí²

Mn≤G

v yTivoli Access Manager Policy Serverz

v yTivoli Access Manager WebSEAL Tivoli Access Manager Plug-in for Web Serverz

v 11yBEA WebLogic Serverz

v 11yTivoli Access Manager Java ⌡µz

Tivoli Access Manager Policy Server

bw Tivoli Access Manager for WebLogic ºeA²# Tivoli Access Manager

w⌠C

Tivoli Access Manager w⌠O≤w Tivoli Access Manager Policy Server #C

A≤z@t IBM Tivoli Access Manager Base CD to Policy ServerC

qAw Tivoli Access Manager Policy Server túP≤x Tivoli Access

Manager for WebLogic tC

Tivoli Access Manager Authorization Server

Tivoli Access Manager Authorization Server wb BEA WebLogic Server M

Tivoli Access Manager for WebLogic D≈WC

Authorization Server iHú Tivoli Access Manager vAsv BEA

WebLogic ServerC Authorization Server ]iH@OⁿMfX°AAxs°

AíO²C

Tivoli Access Manager WebSEAL Tivoli Access Manager Plug-in for Web Server

Tivoli Access Manager WebSEAL (WebSEAL) M Tivoli Access Manager Plug-in for Web

Server]PlugIniú Tivoli Access Manager for WebLogic Web ¼wAC

wAiHQoíAú@ BEA WebLogic Server µ@nJMΦC

WebSEAL PlugIn úOw Tivoli Access Manager for WebLogic ²Mn≤C

÷MpAϕznµ@nJMΦAªOαúW⌡C

p WebSEAL PlugIn wⁿA\ IBM Tivoli Access Manager for e-business

Web Security wΓUC

ϕz WebSEAL ΣL PROXY °As BEA WebLogic Server AnT

wo PROXY °AOs BEA WebLogic Server ⁿO@Ωºµ@p

ICpGn¡εsvA#@ BEA WebLogic Server suLoCsuLo

i²zO@⌠⌠hΩAúOHñΓ¡εsC÷#suLo

ΩTA\ BEA WebLogic Server íσ≤C


BEA WebLogic Server

BEA WebLogic Server wtmbNx Tivoli Access Manager for WebLogic

tWCBEA WebLogic Server O startWebLogic ⁿOC

BEA WebLogic Server bΣ¡x]úF AIX H$WAHnuJava

⌡µ⌠v@eC Tivoli Access Manager for WebLogic oP

uJava ⌡µ⌠vCpGnQaw BEA WebLogic ServerAí¼uJava ⌡

µ⌠v Tivoli Access Manager for WebLogic ²Mn≤C

AIX W IBM Java ⌡µ⌠

pGzO AIX tABEA WebLogic Server 7.0 nDΓ IBM Java ⌡µ⌠

1.3 Awbz Tivoli Access Manager for WebLogic tWCBEA WebLogic

Server 8.1 hOnDΓ IBM Java ⌡µ⌠ 1.4 wbz Tivoli Access Manager

for WebLogic tWC Tivoli Access Manager for WebLogic oP

Java ⌡µ⌠C

Tivoli Access Manager Java ⌡µ

Tivoli Access Manager Base Tivoli Access Manager Java Runtime 5.1 ⌠A

wbz Tivoli Access Manager for WebLogic tWABbWtmC

Tivoli Access Manager Java ⌡µ⌠iú Java ¼OMv≈αCo Java

O BEA WebLogic Server Java ⌡µ⌠C

bz Tivoli Access Manager for WebLogic tWtm Tivoli Access Manager Java

⌡µ⌠ºeA²# Tivoli Access Manager w⌠C

Tivoli Access Manager Java ⌡µ⌠OHC@Σ@t IBM Tivoli

Access Manager Base CD @eCpwⁿA\ IBM Tivoli Access Manager

≥wΓUC

wδFiµw@

i

owδFuA≤ BEA WebLogic Server 7.0 w]wmCpGzO

BEA WebLogic Server 8.1 A 14yQlíiµw

@z ⁿiµC

install_amwls wδFHAϕwMtmUC≤AH' WebLogic

Server t Tivoli Access Manager ]wC

v Access Manager Java ⌡µ⌠

v Access Manager for WebLogic Server

pGn install_amwls δFwMtm Tivoli Access Manager for WebLogic

Server tA⌡µUCBJG

1. ²b⌠ñ]w Tivoli Access Manager n²°ABPolicy Server H

Authorization ServerC


2. wn@tíCpΣLΩTA\ 9yΣ

¡xzC

3. pGn°Dσ]w] ¼AMTºAb⌡µwδFºeA²w

@yÑΣM≤C

4. boí≈WwMtm BEA WebLogic ServerAB²#n BEA WebLogic

Server ⌠C

5. pGb Windows tWA²⌠⌡µñíC

6. BEA WebLogic ServerG

UNIX /WLS_install_dir/user_projects/domain_name/startWebLogic.sh

Windows C:\WLS_install_dir\user_projects\domain_name/startWebLogic.cmd

7. ]w CLASSPATH M PATH ABq BEA WebLogic Server

WebLogic_install_dir/server/bin '²⌡µUz ScriptAΓ WebLogic.jars [

CLASSPATH ñAH bin P lib '²UC

UNIX .setWLSEnv.sh

Windows setWLSEnv.cmd

b⌡µwδFºeA²Tw BEA WebLogic Server H java i⌡µA

O±bt⌠eC

8. ⌡µ install_amwls íAí≤ AIXBHP-UX]¡≤ BEA WebLogic

Server 7.0BSolaris M Windows Tivoli Access Manager Web Security CD

'²UCpG BEA WebLogic Server Swbw]mAhUzⁿ

O⌡µwδFG

install_amwls -is:javahome path

Σñ path OⁿQδF⌡µw@ jre mC

:

a. install_amwls.options.template iHiµLn wAm½w]

w CzunsΦA[Jn YiC

v pGnm½w] AUzⁿOG

install_amwls -options install_amwls.options.template

v pGn⌡µLn wAUzⁿOG

install_amwls -silent -options install_amwls.options.template

b. Dσ¡xWwδFb BEA WebLogic Server H JDK Ai

αbw∩eWπúseσrCoπDúvTΩnΘw

@CpGzQn(oDAw IBM JDK 1.3.1ABª⌡µ

install_amwlsC

13 yinstall_amwls ∩zíAwδF@lúzΘJtm

ΩTCpGzu Windows tAⁿ Tivoli Access Manager for

WebLogic w]w'²AúLub Windows t$o≥C

: ΘJoΩT]ⁿw] ºßAKiHwMtm≤ALi@BJC


wδFXKneACXzwF≤BzºeQniµ

tmHªOQ¿CpGw¿\A²tmoóAú½÷ 17

3 , ytmz ñBJAHΓΦítm Tivoli Access Manager for

WebLogicAhN≥⌡µUCBJC

9. ε BEA WebLogic ServerC

10. dw@OΓ AMSSPIProviders.jar s

/bea_install_dir/weblogic/server/lib/mbeantypes '²UCpGúbo

'²UAHΓΦíNªq /amwls_install_dir/lib sLC

11. ÷ 18y 2 gG]w startWebLogic CLASSPATHz ñⁿA]

w startWebLogic ⁿO CLASSPATH ñC

12. #Mtm Tivoli Access Manager ΓCp÷ⁿA\ 22y 4

gGtm Tivoli Access Manager ΓzC

13. Q WebLogic DxA½s BEA WebLogic ServerC

14. pGznQ Tivoli Access Manager WebSEAL ú BEA WebLogic Server

µ@nJAA÷ 24y 5 gGtm BEA WebLogic Server µ@n

Jz ñⁿiµC

15. wMtmAH 26y 7 gGtmzñBJATw Tivoli Access

Manager for WebLogic wg∩ Tivoli Access Manager n²tmϕFC

install_amwls ∩

UOzb⌡µ install_amwls π∩C

ϕ 1. install_amwls wδFtm∩C

tm∩ í w]

ACL *FP Authorization Server qT

# Tivoli Access Manager DΘC

sec_master KX * Tivoli Access Manager zKXC

Policy Server D≈W *Policy Server πD≈WCpG

pdmgr.tivoli.com

Policy Server ≡ *Policy Server ÑnD≡Cw

]≡O 7135C7135

Authorization Server D≈W *Tivoli Access Manager Authorization

Server D≈WC

Authorization server ≡ * Authorization Server ≡C 7136

] true iíp AMWLS5.1 D

xtrue

WebLogic ⌠z *

BEA WebLogic Server ⌠zC

obz# WebLogic ⌠

ºewg#FC

WebLogic ⌠zKX * WebLogic ⌠zKXC

Access Manager for WebLogic Server

w'²⌠

pGb Windows tWAh

w] CC:\Program Files\Tivoli\pdwls

WebLogic Admin Server URL t3://localhost:7001


Qlíiµw@

¿ ñAX≤z@tⁿG

v yb AIX Wwz

v yb HP-UX Wwz

v 15yb Solaris Wwz

v 16yb Windows Wwz

: bw Tivoli Access Manager for WebLogic ºeA²ε BEA WebLogic

ServerAwªºßA½sªC

b AIX Ww

iµ Tivoli Access Manager for WebLogic w@ANúYMM≤tm

BzC installpAΓnΘM≤wb AIX WCAHΓΦítm Tivoli

Access Manager for WebLogicC

: wtm Tivoli Access Manager for WebLogic ºßApGn½swAz

²útmú Tivoli Access Manager for WebLogic M≤C\ 38

yq AIX úzC

pGnb AIX Ww Tivoli Access Manager for WebLogicA¿UCⁿG

1. H root ¡≈nJC

2. τOí¼FnΘ²Mn≤A]A Tivoli Access Manager Base n≤C

\ 10ynΘzC

3. Γ IBM Tivoli Access Manager Web Security for AIX CD íi2≈ñC

4. b Shell úñΘJUCⁿOG

installp -acgNXd cd_mount_point/usr/sys/inst.images PDWLS

: dw@OΓ AMSSPIProviders.jar s

/bea_install_dir/weblogic/server/lib/mbeantypes '²UCpGúbo

'²UAHΓΦíNªq /amwls_install_dir/lib sLC

5. Atm Tivoli Access Manager for WebLogicC⌡!G 17 3 , yt

mzC

b HP-UX Ww

i

pGOwb HP-UX ¡xWAu BEA WebLogic Server 7.0 $Σ Tivoli

Access Manager for WebLogicC

wtm Tivoli Access Manager for WebLogic ºßApGn½swAz²

útmúªC\ 38yq HP-UX úzC

pGnb HP-UX Ww Tivoli Access Manager for WebLogicA¿UCBJG

1. H root ¡≈nJC


2. τOí¼FnΘ²Mn≤A]A Tivoli Access Manager Base n≤C

\ 10ynΘzC

3. pG.⌡µA²≤Iñ pfs_mountd A pfsdCH pfs_mountⁿOⁿ CDCpAΘJUCⁿOG

/usr/sbin/pfs_mount /dev/dsk/c0t0d0 /cd-rom

Σñ /dev/dsk/c0t0d0 Oⁿ CD mA /cd-rom OⁿⁿIC

4. ΘJUCⁿOw Tivoli Access Manager for WebLogic M≤G

# swinstall -s /cd_rom/hp PDWLS

oeπ@hTºAiDzRÑqwgQ¿CPπt@hT

ºAⁿX(nliµ⌡µÑqCq CD úYABwwWCo

eπ@hTºAiDz⌡µÑqwgQ¿C swinstall íHY⌠C

: dw@OΓ AMSSPIProviders.jar s

/bea_install_dir/weblogic/server/lib/mbeantypes '²UCpGúbo

'²UAHΓΦíNªq /amwls_install_dir/lib sLC

5. Atm Tivoli Access Manager for WebLogicC⌡!G 17 3 , yt

mzC

b Solaris Ww

iµ Tivoli Access Manager for WebLogic w@ANúYMM≤tm

BzC pkgaddAb Solaris Operating Environment]ºß SolarisWw

nΘM≤CAHΓΦítm Tivoli Access Manager for WebLogicC

: wtm Tivoli Access Manager for WebLogic ºßApGn½swAz

²útmúªC\ 37yq Solaris úzC

pGnb Solaris Ww Tivoli Access Manager for WebLogicA¿UCⁿG

1. H root ¡≈nJC

2. τOí¼FnΘ²Mn≤A]A Tivoli Access Manager Base n≤C

\ 10ynΘzC

3. íJ IBM Tivoli Access Manager Web Security for Solaris CDC

4. ⌡µUzⁿOAwonΘG

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/solaris/pddefault PDWLS

ΣñG

-d /cdrom/cdrom0/solaris ⁿM≤mC

-a /cdrom/cdrom0/solaris/pddefault ⁿwz Script mC

bC@M≤w¿AeWπUCTºG

M≤wgQwªC


: dw@OΓ AMSSPIProviders.jar s

/bea_install_dir/weblogic/server/lib/mbeantypes '²UCpGúbo

'²UAHΓΦíNªq /amwls_install_dir/lib sLC

5. Atm Tivoli Access Manager for WebLogicC⌡! 17 3 , ytm

zC

b Windows Ww

iµ Tivoli Access Manager for WebLogic w@ANúYMM≤tm

BzC InstallShield setup.exe w Tivoli Access Manager for WebLogic

Cϕ InstallShield ¿ßA 17 3 , ytmzñⁿt

m Tivoli Access Manager for WebLogicC

: wtm Tivoli Access Manager for WebLogic ºßApGn½swAz

²útmúªC\ 37yq Windows úzC

pGnΓ Tivoli Access Manager for WebLogic wb Windows WA¿UCⁿG

1. Hπ Windows zMv¡≈nJ Windows ⌠C

2. τOí¼FnΘ²Mn≤A]A Tivoli Access Manager Base n≤C

\ 10ynΘzC

3. Γ IBM Tivoli Access Manager Web Security for Windows CD íi2≈ñC

4. ⌡µ Tivoli Access Manager for WebLogic InstallShield wíAΦk÷ΓU

HUAΣñUCⁿOñr3 E: Nϕ2≈G

E:\Windows\PolicyDirector\Disk Images\Disk1\PDWLS\Disk Images\Disk1\setup.exe

ou∩ wyÑv°íC

5. ∩AϕyÑAMß÷@UTwC

o InstallShield íBuw∩v°íC

6. ÷@UU@BC

ouvXv°íC

7. \¬vXApGPNo°A÷@UOC

ou∩ 'mv°íC

8. ⁿw]mAs²t@mCMß÷U@BC

oeulsv°íC

9. Twπwm(TAMß÷U@BC

oNúY!Coπ@hTºAⁿXowgw

ªC

10. ÷@U¿⌠wíC

11. dw@OΓ AMSSPIProviders.jar s

c:\bea_install_dir\weblogic\server\lib\mbeantypes '²UCpGúbo

'²UAHΓΦíNªq c:\amwls_install_dir\lib sLC

12. Atm Tivoli Access Manager for WebLogicC⌡! 17 3 , yt

mzC


3 tm

pGntm Tivoli Access Manager for WebLogicA¿UCU ñⁿG

v y 1 gGtm Tivoli Access Manager Java ⌡µ⌠z

v 18y 2 gG]w startWebLogic CLASSPATHz

v 19y 3 gGtm Tivoli Access Manager for WebLogicz

v 22y 4 gGtm Tivoli Access Manager Γz

v 24y 5 gGtm BEA WebLogic Server µ@nJz

v 26y 6 gGb BEA WebLogic Server h°A⌠U]]AO⌠

tm Tivoli Access Manager for WebLogicz

v 26y 7 gGtmz

: ñⁿ]zwwF Tivoli Access Manager for WebLogic nΘA

]A Tivoli Access Manager ≥≤tmCpGz.wnΘAϕ 9

2 , ywⁿzñⁿA#YwªC

1 gGtm Tivoli Access Manager Java ⌡µ⌠

Tivoli Access Manager Java ⌡µ⌠O Tivoli Access Manager for WebLogic ²

Mn≤Cz²tm Java ⌡µ≤ºßA$αtm BEA WebLogic Server

ΓC Tivoli Access Manager í pdjrtecfgA≤s BEA WebLogic

Server uJava ⌡µ⌠vC$ApGtth Java ⌡µA

Tw BEA WebLogic Server uJava ⌡µ⌠vO⌡µ pdjrtecfg íC

1. τwwF Tivoli Access Manager Base Java ⌡µ⌠C

p÷ΩTA\ 10ynΘzC

2. q BEA WebLogic Server WebLogic_install_dir/server/bin '²⌡µUz ScriptA

]w CLASSPATH M PATH AΓ WebLogic.jars [ CLASSPATH H bin

M lib '²ñG

UNIX .setWLSEnv.sh

Windows setWLSEnv.cmd

b⌡µ ezInstall ºeA²Tw BEA WebLogic Server H java i⌡µO

±bt⌠ñC

3. Tivoli Access Manager Java ⌡µ⌠∩Hb BEA WebLogic ServerA

BHª@w JDK [HtmCΣBJpUG

a. N'²)½! Tivoli Access Manager w⌠ñ sbin '²CpG

UNIX: /opt/PolicyDirector/sbin

Windows: C:\Program Files\Tivoli\Policy Director\sbin

b. ⌡µ pdjrtecfg ⁿOApUG

pdjrtecfg -action config -host policy_server_name -java_home java_location


Σñ java_location Oⁿ BEA WebLogic Server Java ⌡µ⌠'²mC

ªOG

Windows

BEA WebLogic Server 7.0

c:\bea\jdk131_ob\jre

BEA WebLogic Server 8.1

c:\bea\jdk141\jre

Solaris, HP-UX

/usr/local/bea/jdk141_03

AIX

b AIX tWABEA WebLogic Server 7.0 ft IBM Java ⌡

µ⌠ 1.3 A BEA WebLogic Server 8.1 ft IBM

Java ⌡µ⌠ 1.4 C pdjrtecfg ⁿOñ -java_home ∩A

] JRE b AIX ≈WwmC

BEA WebLogic Server 7.0

/usr/java131

BEA WebLogic Server 8.1

/usr/java14

:

1) jre/lib '²U jsse.jarAQ½¿ BEA WebLogic Server 8.1 w⌠

W pdjrtecfg íCúLunzΓ Tivoli Access Manager Java ⌡

µ°tmAoNC

2) btm Sun v1.4 JRE AúnH¼í⌡µ pdjrtecfgApdconfig ítm JREAhtm@NóC

pp≤ pdjrtecfg ÷ΩTA\ IBM Tivoli Access Manager ≥

wΓU ñⁿOC

2 gG]w startWebLogic CLASSPATH

: b⌡µotmBJºeA²#@ WebLogic ⌠C

startWebLogic ⁿOO WebLogic ServerCzn∩ CLASSPATH ⌠A

H startWebLogic sⁿJ(T Java OC

¿UCⁿG

1. pG WebLogic Server (b⌡µA#YεªC

2. ΓUCW[ startWebLogic ⁿO CLASSPATH ñG

UNIX

/opt/pdwls/lib/AMSSPICore.jar
/opt/pdwls/lib/rbpf.jar

Windows

C:\amwls_install_directory\lib\AMSSPICore.jar
C:\amwls_install_directory\lib\rbpf.jar


startWebLogic ⁿOObww BEA WebLogic Server ⌠'²ñCb

wñAoOG

UNIX /WebLogic_install_directory/user_projects/domain_name

Windows C:\WebLogic_install_directory\user_projects\domain_name

domain_name Ozb# BEA WebLogic Server ⌠∩WC

3. pGznw]yÑ]σAñLoBJC

pGznΣDw]yÑ]σyÑM≤AhzsWUC⌠

startWebLogic Script ñwq CLASSPATHG

UNIX

/opt/pdwls/nls/java/com/tivoli/amwls/sspi/nls

Windows

C:\Progra~1\Tivoli\pdwls\nls\java\com\tivoli\amwls\sspi\nls

: W[o'²ºßAiHsyÑM≤w[cwb/opt/pdwls/nls/java/com/tivoli/amwls/sspi/nls/ ΩC

3 gGtm Tivoli Access Manager for WebLogic

ziHqⁿOµQ Tivoli Access Manager Dx Web ítm Tivoli

Access Manager for WebLogicCNbUCX íoΓ∩C

zb⌡µoⁿºeA²# BEA WebLogic Server ⌠C

btm Tivoli Access Manager for WebLogic M#ΓΘJΩAOxsb

eñCziHQoe≤ Tivoli Access Manager for WebLogic µC

p÷ΩTA\ 41² A, yezC

Dx Web ítm Tivoli Access Manager for WebLogic

1. BEA WebLogic ServerG

UNIX /WLS_install_dir/user_projects/domain_name/startWebLogic.sh

Windows C:\WLS_install_dir\user_projects\domain_name\startWebLogic.cmd

2. Web s²Asz BEA WebLogic º≈ BEA WebLogic DxC

τYG

http://WebLogic_server_name:7001/console

7001 Oⁿw] BEA WebLogic Server ≡Co OiHtmC

3. oπ BEA WebLogic Server nJeCHπzMv BEA

WebLogic Server ¡nJC

4. btm Tivoli Access Manager for WebLogic Server M# Tivoli Access Manager

ΓºeA²íp Tivoli Access Manager Dx Web íAú

Web iµtm@CUOípo Web íBJG


a. q BEA WebLogic Server ⌠tmXA∩ Web íC

b. ∩tms Web íC

c. ∩zLs²WⁿC

d. s²í amwls_install_dir\lib\AMWLSConsoleExtension.warCMß÷@

UWⁿC

e. ÷@U AMWLSConsoleExtension.war ∩C

f. ∩íp'AMß÷@UtmMπC

pGnd Dx Web íOwgQípAi¬íµñí

pΩ¿AAi Web íΩ¿AoMµñX

AMWLSConsoleExtensionsCpGPíp Dx Web íA]b BEA

WebLogic Server ²íµñ[W Tivoli Access Manager AπbDx°

í¬ΣC

5. pGntm Tivoli Access Manager ⌠A÷@U BEA WebLogic Server ²í

µñsvzíC

6. oπtmeCziHΘJnΩTH∩ CpGQD

ΘJΩTA\UϕµC

UϕCO config @α∩C@ϕµCOn∩CG

ϕµCO∩ ∩C

n∩W í

domain_admin WebLogic ⌠z

domain_admin_pwd WebLogic ⌠zKX

remote_acl_user w∩ Authorization Server # Tivoli Access Manager DΘ

sec_master_pass Tivoli Access Manager sec_master zKX

pdmgrd_host Tivoli Access Manager Policy Server D≈WC

pdacld_host Tivoli Access Manager Authorization Server D≈WC

: zúΘJKXAb⌡µ@ºeAeúzΘJCoOFεKXdbⁿOñC

UϕCO config @∩ ∩C

∩W í

wls_server_url ⁿ WebLogic °A URLCw] O

t3://localhost:7001C

pdmgrd_port Tivoli Access Manager Policy Server ≡C

pdacld_port Tivoli Access Manager Authorization Server ≡C

am_domain ⁿ Tivoli Access Manager ⌠WCw] O DefaultC

amwls_home ⁿe Tivoli Access Manager for WebLogic Server w'²⌠C

÷@UMC

7. pGQ¿tmAkΣíµNCX Tivoli Access Manager for WebLogic Server

C


bzNiHtm Tivoli Access Manager ΓFC\ 22y 4 gGtm

Tivoli Access Manager ΓzC

qⁿOµtm Tivoli Access Manager for WebLogic

1. BEA WebLogic ServerG

UNIX

/WLS_install_dir/user_projects/domain_name/startWebLogic.sh

Windows

C:\WLS_install_dir\user_projects\domain_name\startWebLogic.cmd

2. ⌡µUzⁿOtm Tivoli Access Manager for WebLogicC

: pG Tivoli Access Manager for WebLogic SbúYAw

m]e@íAΓ AMWLSConfigure Script ñ

AMSSPI_DIR A]Ωw'²mCPApG WebLogic Sw

w]mAN WLS_JAR ∩ ALWLSConfigure Script ñ

WebLogic.jar (TmC

UNIX install-dir/sbin/AMWLSConfigure.sh

Windows install-dir\sbin\AMWLSConfigure.bat

AMWLSConfigure Java ítm Tivoli Access Manager for WebLogic

ⁿOµykOG

v AMWLSConfigure -action config [options ...]

tm Tivoli Access Manager for WebLogicC

v AMWLSConfigure -help [action]

πnM∩ A AMSSPIConfigureC

UϕCO config @α∩C@ϕµCOn∩CG

ϕµCO∩ ∩C

n∩W í

domain_admin WebLogic ⌠z

domain_admin_pwd WebLogic ⌠zKX

remote_acl_user w∩ Authorization Server # Tivoli Access Manager DΘ

sec_master_pass Tivoli Access Manager sec_master zKX

pdmgrd_host Tivoli Access Manager Policy Server D≈WC

pdacld_host Tivoli Access Manager Authorization Server D≈WC

: zúΘJKXAb⌡µ@ºeAeúzΘJCoOFεKXdbⁿOñC

UϕCO config @∩ ∩C

∩W í


deploy_extension ϕª] true AiHíp Tivoli Access Manager for Web Logic

Server DxCw] O trueC

wls_server_url ⁿ WebLogic °A URLCw] O

t3://localhost:7001C

pdmgrd_port Tivoli Access Manager Policy Server ≡C

pdacld_port Tivoli Access Manager Authorization Server ≡C

am_domain ⁿ Tivoli Access Manager ⌠WCw] O DefaultC

amwls_home ⁿe Tivoli Access Manager for WebLogic Server w'²⌠C

verbose zΘX¼L Cw] O falseC

bztm Tivoli Access Manager ΓC

4 gGtm Tivoli Access Manager Γ

Dx Web ítm Tivoli Access Manager Γ

ϕzw∩ BEA WebLogic Server wO@tm Tivoli Access Manager for WebLogic

Server A#@ΓAP Tivoli Access Manager w÷pCΣBJpUG

1. i¬íµñsvzíAMß÷@UΓC

2. oπ#ΓeCΘJnAMß÷@UuMvC

3. pGntm² BEA WebLogic Server 7.0 W# Tivoli Access Manager

ΓA⌡µUCBJG

a. b BEA WebLogic Server ²íµñA∩Pz⌠÷C

b. oπ⌠tmeC∩w C

c. q@δ w]ΓUMµñA∩zbWzBJ#ΓCMß

÷@UMC

pGntm² BEA WebLogic Server 8.1 W# Tivoli Access Manager

ΓA BEA WebLogic Server DxWuwv A]ww]Γ

C

4. ½s BEA WebLogic ServerC

5. pGnssvzíΓO(B@AkíµñsvzíΩ

¿MsAt Tivoli Access Manager n²'C

: pGzⁿw SSO wgsbAunzΘJKXú(TA

NΓ#Γ@Q¿A] SSOCboípUAzun≤s Tivoli

Access Manager for WebLogic rbpf.properties ñAϕ'AYiP

SSOC÷ rbpf.properties ΩTA\ 41² A, ye

zC

qⁿOµtm Tivoli Access Manager Γ

1. ⌡µUzⁿO# Tivoli Access Manager for WebLogic ΓC

: pG Tivoli Access Manager for WebLogic SbúYAw

m]e@íAΓ AMWLSConfigure Script ñ

AMSSPI_DIR A]Ωw'²mCPApG WebLogic Sw


w]mApGzO WebLogic 8.1 AN WLS_JAR ∩

ALWLSConfigure Script ñ WebLogic.jar (TmC

UNIX install-dir/sbin/AMWLSConfigure.sh

Windows install-dir\sbin\AMWLSConfigure.bat

AMWLSConfigure Java ítm Tivoli Access Manager for WebLogic

ⁿOµykOG

v AMWLSConfigure -action create_realm [options ...]

# Tivoli Access Manager for WebLogic ΓC

v AMWLSConfigure -help [action]

πnM∩ A AMSSPIConfigureC

UϕCO create_realm @α∩C@ϕµCOn∩

CGϕµCO∩ ∩C

n∩W í

realm_name ⁿ'e# WLS ΓWC

domain_admin_pwd ⁿ WebLogic ⌠zKXC

user_dn_suffix ⁿbzL Dx Web í#OW

(DN) rC

group_dn_suffix ⁿbzL Dx Web í#sOW

(DN) rC

admin_group ⁿFítm Tivoli Access Manager sC

: zúΘJKXAb⌡µ@ºeAeúzΘJCoOFεKXdbⁿOñC

UϕCO create_realm @∩ ∩C

∩W í

user_dn_prefix ⁿbzL Dx Web í#OW

(DN) rC

group_dn_prefix ⁿbzL Dx Web í#sOW (DN)

rC

sso_enabled ϕª] true AiHµ@nJΣCw] O falseC

sso_user ⁿP Tivoli Access Manager #µ@nJH⌠÷pC

sso_pwd ⁿµ@nJKXC

verbose zΘX¼L Cw] O falseC

2. pGntm² BEA WebLogic Server 7.0 W# Tivoli Access Manager

ΓA⌡µUCBJG

a. Web s²Asz BEA WebLogic º≈ BEA WebLogic D

xCτYG

http://WebLogic_server_name:7001/console


7001 Oⁿw] BEA WebLogic Server ≡A OiHtmC

b. oπ BEA WebLogic Server nJeCHπzMv

¡nJC

c. b BEA WebLogic Server ²íµñA∩Pz⌠÷C

d. oπ⌠tmeC∩w C

e. q@δ w]ΓUMµñA∩zbWzBJ#ΓCMß

÷@UMC

pGntm² BEA WebLogic Server 8.1 W# Tivoli Access Manager

ΓA BEA WebLogic Server DxWuwv A]ww]⌠

C

3. ½s BEA WebLogic ServerC

4. pGnssvzíΓO(B@A¬íµñsvzíΩ

¿MsAt Tivoli Access Manager n²'C

5 gGtm BEA WebLogic Server µ@nJ

N z WebSEAL Tivoli Access Manager Plug-in for Web ServerAt

mµ@nJ BEA WebLogic ServerCpGúQΩ@µ@nJ\αAziñL C

WebSEAL M Tivoli Access Manager Plug-in for Web Server OHúPΦkΩ@w

Mµ@nJABúPt[cC÷w WebSEAL M Web °A PlugIn

ΩTA\ IBM Tivoli Access Manager for e-business Web Security wΓUC

÷tm WebSEAL IΩTMΩTA\ IBM Tivoli Access Manager for

e-business WebSEAL zΓUC!≤÷ PlugIn @MtmΩTA\ IBM Tivoli

Access Manager Plug-in for Web Servers πXΓUC

UCX NznΩ@[cAt$útmµ@nJ BEA WebLogic Server

WebSEAL M PlugIn tmΩTG

v y WebSEAL Xtmµ@nJz

v 25y Tivoli Access Manager Plug-in for Web Server tmµ@nJz

WebSEAL Xtmµ@nJ

pGnQ WebSEALAú BEA WebLogic Server µ@nJ\αAbz

WebSEAL °AtW⌡µUCBJG

1. WebSEAL tm webseald.confC

2. ]wUotm'G

basicauth-dummy-passwd = sso_pwd

oKXPbiµ#Γ@A sso_pwd µKX@C

3. ε½s WebSEALAHtm≤ C

4. pdadmin ⁿO# WebSEAL XC

: oBJiHb Tivoli Access Manager w⌠ñ⌠≤≈WiµCú@w

nb WebSEAL tW⌡µªCíAziHb Tivoli Access Manager

Policy Server tW⌡µªC


Tw -b ∩AúX' URLC∩≤µ@nJAoOnC

pAHs≥@µΘJUCⁿOG

pdadmin> server task webseald_server_name create -t tcp -p WebLogic_Server_listen_port -h WebLogic_Server -b supply junction_target

UϕwqWz pdadmin ⁿOñG

ϕ 2. pdadmin ⁿO∩

∩ í

webseald_server_name WebSEAL °AWCoW@ΓíG

webseald-WebSEAL_server_instanceCztD≈W

@ WebSEAL_server_instance C±ΦíApGD≈WO

cruzAh webseald_server_name NOGwebseald-cruzCNG

pGzbP@°AWwFnX WebSEAL ΩA≥]

ⁿw°AΩC÷Ph°AΩ#XⁿA

\ IBM Tivoli Access Manager for e-business WebSEAL

zΓUC

WebLogic_Server BEA WebLogic Server D≈WC

WebLogic_Server_listen_port BEA WebLogic Server (bÑ≡Cw] O 7001C

-b supply bµ@nJCªiHTO WebSEAL qLΩKXC

junction_target X URL '

p# WebSEAL XπΩTA\ IBM Tivoli Access Manager for

e-business WebSEAL zΓUC

Tivoli Access Manager Plug-in for Web Server tmµ@nJ

pGn(T⌡µµ@nJAtm Tivoli Access Manager Plug-in for Web ServerA

b≥Y(TΩT IBM Tivoli Access Manager for WebLogic ServerCΣ

BJOb plug-in tmñAΓ≥tmßmvC

sΦ plug-in_install_dir/etc '²U pdwebpi.conf tmABΓUo [

[common-modules] qñG

[common-modules]
post-authzn = BA

Mßb [BA qñAΓ add-hdr M supply-password O] BA H

sso_user KXCτYG

[BA]
add-hdr = supply
supply-password = sso_pwd

ΣL÷tm Tivoli Access Manager Plug-in for Web Server ΩTA\ IBM

Tivoli Plug-in for Web Servers Integration GuideC


6 gGb BEA WebLogic Server h°A⌠U]]AO⌠tm Tivoli Access Manager for WebLogic

Dníbh°A⌠O⌠]w BEA WebLogic Server [cCp

Gnb BEA WebLogic Server h°A⌠]]AO⌠btm Tivoli Access

Manager for WebLogicA⌡µUCBJG

1. 19y 3 gGtm Tivoli Access Manager for WebLogiczM 22

y 4 gGtm Tivoli Access Manager Γz ñⁿAb BEA WebLogic

Server z°Atm Tivoli Access Manager for WebLogic M# Tivoli Access

Manager ΓC

2. bⁿz°AW]]AO¿b Tivoli Access Manager for WebLogicA

Γ Tivoli Access Manager for WebLogic eq⌠z°AAsC@

'≈W]ⁿz°ACeO≤

BEA_WLS_HOME/jdk_location/jre/amwls/AzΓªsC@ⁿz°A

P@mñC

7 gGtm

ziH⌡µUCBJA∩ Tivoli Access Manager n²Aτ Tivoli Access Manager

for WebLogic OwgtmϕG

1. BEA WebLogic Server Dx#MτsC

2. ⌡µUC pdadmin ⁿOG

pdadmin> user show test_user

v τ account-valid O yesC

v τ password-valid O yesC

Tivoli Access Manager for WebLogic µ@nJMΦi²zzL WebSEAL iµµ

@wBJAHzqΦíV BEA WebLogic Server τ¡≈CziH⌡µd

íATw(TatmFwCdííb 30yd

ízñC


4 µ@nJ

H Tivoli Access Manager WebSEAL iµµ@nJ

Tivoli Access Manager for WebLogic ΣqΣL Tivoli Access Manager ú]pA

Tivoli Access Manager WebSEALB Tivoli Access Manager Plug-in for Web Server M

Tivoli Access Manager Plug-in for Edge Serveriµ Web µ@nJC

WebSEAL M BEA WebLogic Server ºíH⌠÷YAOQtm HTTP ≥

ΩKX#Ce@ Tivoli Access Manager for BEA WebLogic Server úb

Ω@ qwΓA]FoΦkiµµ@nJC

Tivoli Access Manager HTTP !V Proxy]p WebSEALOWM

wµ@nJKXCoKXDnbPw!V Proxy OⁿH⌠Cϕ Tivoli Access

Manager Authorization Server τKXºßAnDΩYioC

UNzdp≤#H⌠÷YC

WdOUCBJG

1. WebSEAL Σ⌠≤O≈εA² WebSEAL O]pA

W/KXß CAeX BEA WebLogic Server Ω

nDC

2. WebSEAL OQ -b supply ∩P BEA WebLogic Server X[HtmC

WebSEAL btUze≥YñAΓnD BEA WebLogic

ServerG

v WebSEAL OL ID]ϕñ user-1

v webseald.conf ñ basicauth-dummy-passwd CoNOWúKXC

3. Tivoli Access Manager WebSEAL iµµ@nJ


3. BEA WebLogic Server Γ ID MKX Tivoli Access Manager for WebLogic

OΣ[HτC

4. Tivoli Access Manager for WebLogic nJ Tivoli Access ManagerAτ

KXO Tivoli Access Manager for WebLogic tm WebSEAL µ@

nJCτoKXAOFb WebSEAL M BEA WebLogic Server º

íúH⌠÷YC

pGBJ 4 Q¿Ahϕ Tivoli Access Manager for WebLogic OΣ

∩ BEA WebLogic Server OFw IDCNAQKX]ϕñ

ws-passwdOtm WebSEAL µ@nJAo@un⌡µ@Y

iA]ª Tivoli Access Manager for WebLogic nJñCo

OΘOiHtmABiH÷¼C

ziHb#Γ]w SSOAúLpGnHΓΦí SSO Tivoli Access Manager

for WebLogicAN⌡µUCBJG

1. # SSO C

2. b amsspi.properties Tivoli Access Manager for WebLogic tmñ]wG

com.tivoli.amwls.sspi.Authentication.ssoEnabled = true
com.tivoli.amwls.sspi.Authentication.ssoTrustId = sso_username


5 z@

t÷≤ Tivoli Access Manager for WebLogic UCΩTG

v yb Tivoli Access Manager Authorization Server vAz

v 30yH Tivoli Access Manager for WebLogic zMsz

v 30ydíz

v 32yknZz

v 33yTnJhz

v 34yRú Tivoli Access Manager Γz

v 34y°tm Tivoli Access Manager for WebLogicz

v 35y°nZz

v 35y¡εz

b Tivoli Access Manager Authorization Server vA

w] ATivoli Access Manager for WebLogic O Tivoli Access Manager Policy

ServerAs² Tivoli Access Manager ⁿO@½≤ΩwñⁿO@½≤CúLo[

cuαb⌠ñA] Tivoli Access Manager Policy Server LkgA]

ú@ Tivoli Access Manager for WebLogic µ@óICvA! í

NiHú¬⌡µ αCvA[cnubú⌠ñC

UotmBJuαb Tivoli Access Manager for WebLogic (Ttmºß$α⌡µC

Tivoli Access Manager for WebLogic ΓvAAúbtm Tivoli

Access Manager Authorization Server WG

v Tivoli Access Manager vA

oOH Tivoli Access Manager Authorization Server ew]vAC

v RBPF ⁿO@½≤s²vA

oOH Tivoli Access Manager for WebLogic evAC

FTO Tivoli Access Manager for WebLogic vAA⌡µUCBJG

1. Γ rbpf_ent_pos_browser @íwq Tivoli Access Manager for WebLogic D

≈s Tivoli Access Manager Authorization Server D≈ABNª±bt⌠

⌠≤'²UC rbpf_ent_pos_browser @íwiHb Tivoli Access Manager

for WebLogic D≈'²ñΣG

UNIX /opt/PolicyDirector/lib

Windows c:\Program Files\Tivoli\pdwls\bin

2. q Tivoli Access Manager Authorization D≈ ivacld.conf A≤G

UNIX /opt/PolicyDirector/etc

Windows c:\Program Files\Tivoli\Policy Director\etc

3. ΓUΓµ[ [aznapi-entitlement-services] q¿ñG


AZN_ENT_EXT_ATTR = azn_ent_ext_attr
RBPF_POS_BROWSE = rbpf_ent_pos_browser

4. ½s Tivoli Access Manager Authorization ServerC

5. q Tivoli Access Manager for WebLogic D≈b

java_home/amwls/WLS_Domain_Name/WLS_Realm_Name ñ rbpf.properties —

Σñ WLS_Domain_Name Oⁿ BEA WebLogic Server ⌠WA

WLS_Realm_Name Oⁿ BEA WebLogic Server wΓWCΓUze∩

trueG

com.tivoli.pd.as.rbpf.UseEntitlements=true

6. ½s BEA WebLogic ServerC

unQ¿oBJA Tivoli Access Manager for WebLogic BEA WebLogic

Server K Tivoli Access Manager Authorization Server ⌡µⁿO@½≤

s²]P Tivoli Access Manager Policy Server !C

H Tivoli Access Manager for WebLogic zMs

ziHQ Tivoli Access Manager for WebLogicAb BEA WebLogic Server Dx

zMsCq BEA WebLogic Server DxwíµA²ßisv

zíMΓAπMsCNqoz

MsATO Tivoli Access Manager for WebLogic wC

ϕz∩ºßAeXzCziHbo⌡µUC

BJG

v CX Tivoli Access Manager for WebLogic C

v πOΩTC

v #C

ϕz∩sºßAeXszCziHbo⌡µUCB

JG

v CXsC

v πSwsΩTC

v #sC

ziHb÷ DxWAΘJHµjMµAΓh[s

ñAΓhs[ñC

bCsApGSb Max-Return µΘJ@ A≥X¼µ

ⁿwº°≤súπXC

ziHdíAdΓv¼dAHB WebSEAL µ@nJ

αOC

Γv¼pUG

v i

iípyzlA&MsMñΓC


v í

bílXñdñΓC

díO Web ≤M EJB ≤¿C

UNí Web ≤ñΓwhG

v iG

web.xml ípyzltdwq@Ws ServletRole µ@ñΓC weblogic.xml

ípyzlhwq ServletRole M BankMembersServlet sºíDΘ∩MCweb.xml ípyzlñw¡εAiHTOQ& ServletRole ñΓAs⌠≤Φk ServletC

v í]pG

doPost() ΦkΣLwO@Ao@OHí]pΦíATOIsíQ&

ServletRoleCiHµ Web ≤ñí]píwO@MiíwO

@CvdhOQ HTTPRequest.isUserInRole() Φk⌡µC

UNí EJB ≤ñTwhG

v iíwO@G

ejb-jar.xml ípyzltdwq@Ws EJBRole µ@ñΓC

weblogic-ejb-jar.xml ípyzlhwq EJBRole M BankMembersEJB sºíDΘ∩MC ejb-jar.xml ípyzlñΦk\ivAiTOQ&

EJBRole ñΓAs getBalance() ΦkC

v í]píwO@G

getBalance() Φkπ≤i@BwO@Ao@OHí]pΦíATOI

síQ& EJBRoleCvdhOQ EJBContext.isCallerInRole() Φk

⌡µC

v HbßWí]píwO@G

getBalance() ΦkiTOQnDbßAPIsDΘPWC½yíAu Banker1$α≈° Banker1 bßlBC

pGn⌡µdíA¿UCBJG

1. Ndí PDDemoApp.ear s! WebLogic_domain_directory\applicationsC

NAzúo'²AunΓ EAR ±bt⌠≤'²UYiC

díiHb /AMWLS_install_dir/demo ñΣC

2. BEA WebLogic Server Dx#UCG

Banker1
Banker2
Banker3
Banker4
URLUser1
URLUser2
URLUser3

3. # 2 sG BankMembersEJB M BankMembersServletCΓ

Banker1BBanker2BBanker3 M Banker4 oXA[Φ#sñC


p BEA WebLogic Server DxⁿA\ BEA WebLogic Server í

σ≤C

4. BEA WebLogic Server DxípdíC

5. pGnsdíAsUC URLC

http://WebLogic_Server_host:WebLogic_Server_listening_port/pddemo/PDDemo

HWwq@µaiµOC

WebLogic_Server_host O BEA WebLogic Server tD≈WC

WebLogic_Server_listening_port O BEA WebLogic Server Ñb≡C

6. τu BankMembersServlet sñA$α≈s servletC

7. τgLOABO BankMembersEJB s¿AiH°L vlBA²úα°ΣL⌠≤lBC

pGn WebSEAL µ@nJA¿UCBJG

1. sUC URLG

https://webseald_server_name/junction_target/pddemo/PDDemo

WebSEAL Núziµ¡≈OC

p webseald_server_name junction_target íA\ 26y 7

gGtmzC

: bo HTTPSA]w] WebSEAL µ²εzL HTTP iµu≥

vuMϕ¼vwC

2. HWwqº@iµ¡≈OC

oBzi²∩ BEA WebLogic Server iµµ@nJABúG

wANiHIs ServletCϕzL WebSEAL sAPDDemo díNπ

Ps BEA WebLogic Server πPµC

3. τwwiH°L vlBA²úα°⌠≤ΣLl

BC

knZ

1. ∩$íµ@nJAϕunwuhCTw WebSEAL °A

⌡µwCpGno@IAí]τYAúOQ WebSEAL

s BEA WebLogic Server ∩ BEA WebLogic Server svCzi

H⌠⌠suLo¿o@CsuLoi²zO@⌠⌠hΩA

úOHñΓ¡εsC

2. ATivoli Access Manager WebLogic Server ΓúlówC

C@úú@@wtm]wAⁿwbΩwbߺeAie\

óW¡CNQoΓ]wñ-[HΩwCpApGN

WebLogic Server tme\ 5 nJóA²N Tivoli Access Manager tm

e\ 3 nJóAhb 3 nJóßANΩwC


TnJh

≤ LDAP ¼ Tivoli Access Manager wTnJhi²z²εqúKX≡A

ΦkⁿwnJóW¡Hg@ΩwíCh#@°≤AY

Ñ@qíAMß$αiµ≤h²ónJCpAhiαⁿ

w 3 óßA 180 ϕg@C o¼nJhiε@ϕoh

qúH≈únJC

TnJhnΓ pdadmin policy ⁿO]wX@G

v nJóW¡

policy set max-login-failures

v WXónJ]wg@

policy set disable-time-interval

g@]wi JbßΩwííjbßC

pG]wFbTóºßSwΩwíg@ºnJh]pdAh

6]ú(Tú(TNP@AⁿX≤KXh

LkbßC

ííjOHϕⁿw - pííj 60 ϕC

pG disable-time-interval h] disableAhQΩwLksbßAB

LDAP account valid ] noCzizL Web Portal Manager

½sbßC

: N disable-time-interval ] disable PB$z¿Czi[εN

bßΩTg$í≡CoípM≤z LDAP ⌠C$A

bß≤s@PY LDAP Ω@iαJ αh'C≥≤]Az

OíjC

UC pdadmin ⁿOAXP LDAP n²@C

ϕ 3. pdadmin LDAP nJhⁿO

ⁿO í

policy set max-login-failures number|unset [-user username]

policy get max-login-failures [-user username]

zjεΩIg@ºeεnJóW¡

hCo° policy set disable-time-interval ⁿOñ]w

g@wC

¡@zAziNhM!SwA

NhπΘM! LDAP n²ñC

C

w]]w 10 C

policy set disable-time-interval number|unset|disable [-user username]

policy get disable-time-interval [-user username]


ϕ 3. pdadmin LDAP nJhⁿO (≥)

ⁿO í

zg@hAohεbFnJó

W¡AbßC

¡@zAziNg@hM!Sw

ANhπΘM! LDAP n²ñC

C

w]]w 180 ϕC

Rú Tivoli Access Manager Γ

Rú Tivoli Access Manager ΓBJpUG

1. BEA WebLogic ServerC

2. Dx≤w]ΓAª¿úO Tivoli Access Manager for WebLogic

create_realm @#ΓC

3. ½s BEA WebLogic ServerC

4. pGnQDxRú Tivoli Access Manager ΓAΣBJpUG

a. q BEA WebLogic Server ²CsvzíC

b. ÷@UΓCoπΓtmC

c. ÷@URúCoπRúΓtmC

d. ÷@UTwC#ΓµúOC

5. pGnQⁿOµRú Tivoli Access Manager ΓA AMWLSConfigure

-action delete_realmC÷P AMWLSConfigure -action delete_realm ⁿOft

∩ΩTA\ 49² B, yⁿOtzC

: pG Tivoli Access Manager for WebLogic SbúYwmA

Γ AMWLSConfigure Script ñ AMSSPI_DIR A]Ωw'²

mCPApG WebLogic Sww]mAN WLS_JAR ∩

ALWLSConfigure Script ñ WebLogic.jar (TmC

°tm Tivoli Access Manager for WebLogic

pGn°tm Tivoli Access Manager for WebLogicA⌡µUCBJG

1. BEA WebLogic ServerC

2. Tw Tivoli Access Manager ΓwgRúC\yRú Tivoli Access Manager

ΓzC

3. pGnQDxN Tivoli Access Manager for WebLogic °tmA⌡µU

CBJG

a. ÷@UsvzíΩ¿CoπtmC

b. ÷@URúCoπ°tmC

c. ΘJ Tivoli Access Manager sec_master KXAMß÷@UTwC

d. tm⌠WµúOC


4. pGnqⁿOµN Tivoli Access Manager for WebLogic °tmA

AMWLSConfigure -action unconfig ⁿOC÷P AMWLSConfigure -action unconfig

ⁿOft∩A\ 49² B, yⁿOtzC

°nZ

DD G

v yMϕ¼nJoµ@nJóz

v yWebLogic Server ßXOΘº¼pz

Mϕ¼nJoµ@nJó

ϕzLMϕ¼nJiµwABsLLvsΩAiαX

UCTºG

WebSEAL LknJTº

oípiαoA]YΩWqLFwAL.MLvs Web tm

ñ ServletC

ϕu≥wvApGooAN½súúwAú

WíCoOw] BEA WebLogic Server µApG

zL WebSEAL sANoµC

WebLogic Server ßXOΘº¼p

DGßXF java.lang.OutofMemory º¼pC

íGϕ⌡µjq Access Manager for WebLogic Server Ñq@A BEA WebLogic

Server iα2Ω∩íC

MΦGb startWebLogic script ñA[j Java Virtual Machine (JVM) Ω∩j

pW¡∩CpG

%JAVA_HOME%\bin\java -ms64m -mx128m -xms200m -xx:MaxPermSize=128m

ziHí[cBbD≈tW⌡µjqOΘºBz'H

BEA WebLogic Server A\ BEA úíσ≤ñΩ∩jpC

í[HYµAHPwª⌠AΩ∩jpC

¡ε

1. Tivoli Access Manager for WebLogic úΣjs¿Ωµ]ssC

2. ÷M Tivoli Access Manager for WebLogic Σh Tivoli Access Manager ⌠A

²OC@⌠ sec_master Aús sec_masterC½yíA'ez

Lk∩ ≤C@ Tivoli Access Manager ⌠WC

3. b BEA WebLogic Server 8.1 ñA″-″ rúα@sWA]H anyother

]úO any-other@sWC

4. bw∩ Active Directory tm Tivoli Access Manager for WebLogic A≤

AdminGroupProp=Administrators ]wA] Active Directory ñwgzs

sbA]tmóCzbtm Tivoli Access Manager for WebLogic M

# Tivoli Access Manager for WebLogic ΓºeA²¿o@C


5. bQ Tivoli Access Manager for WebLogic Dx#ñΓMhOSí

¡εCzúiHNs[hñAuα[ñΓñCbñΓMhº

íuα ″OR″Aúα ″AND″C

6. w] ATivoli Access Manager íO 2 pCziH≤

s PdPerm.properties ñ appsvr-credcache-life eAtmoí C

7. zúiHq WebSEAL Web °A Tivoli Access Manager Plug-inAµ@n

J WebLogic Server DxCúLAoqúOY½DA]q⌠⌠

⌠sAq]Lk WebLogic Server DxC

wDMµMΦk

1. pGQ Active Directory n²iµw@Aiαbípí

oDCoO]gbíñzsMtñΓ∩MPCb

Active Directory ñAzsMtúOw²wqALkúCpGn

úoATOz∩íIH(TwO@AsΦ

certificate.war Web íípyzlBúo∩MBMß[J∩≤Ω

zsMt∩MC

2. BEA WebLogic Server 8.1 DOúe\ Tivoli Access Manager for WebLogic

qDx≤shCoD BEA WebLogic Server ≤nD (CR) sO

CR125113CúD BEA WebLogic Server 8.1 AM≤MoDAhOLk

QDx≤shC


6 úⁿ

Níp≤ú IBM Tivoli Access Manager for WebLogic ServerC

¿UCΣñ@ ñⁿG

v yq Solaris úz

v yq Windows úz

v 38yq AIX úz

v 38yq HP-UX úz

q Solaris ú

bú Tivoli Access Manager for WebLogic ºeA²Rú Tivoli Access Manager

ΓH.tm Tivoli Access Manager for WebLogicC÷o@ΩTA

\ 34yRú Tivoli Access Manager ΓzM 34y°tm Tivoli

Access Manager for WebLogiczC

ziH pkgrm ú Solaris W Tivoli Access Manager for WebLogicC

¿UCⁿG

1. H root ¡≈nJC

2. pGnú Tivoli Access Manager for WebLogicAΘJHUⁿOG

# pkgrm PDWLS

oeXúAnDzTOnúz∩M≤CΘJ yC

3. oeXiTºAú⌠zbiµú@AScript HWv¡

⌡µCΘJ yC

¼ATºHYv@CXQúCßú Script l⌡µßAeWX@h¼

ATºAⁿXnΘM≤ú@wQ¿Cpkgrm íHY⌠C

oN¿ Tivoli Access Manager for WebLogic M≤ú@FC

pGzQnú IBM Tivoli Access Manager Base ²Mn≤]Tivoli Access Manager

Base ⌡µ⌠B Tivoli Access Manager Base Java ⌡µ⌠AH∩

Tivoli Access Manager íouπcAϕ IBM Tivoli Access Manager ≥

wΓUñⁿC

q Windows ú

bú Tivoli Access Manager for WebLogic ºeA²Rú Tivoli Access Manager

ΓH.tm Tivoli Access Manager for WebLogicC÷o@ΩTA

\ 34yRú Tivoli Access Manager ΓzM 34y°tm Tivoli

Access Manager for WebLogiczC

uWindows sW/úívAú Tivoli Access Manager for WebLogic

C¿UCⁿG


1. HπzMv Windows nJC

2. ÷ΓUsW/úíC

3. ∩ Access Manager for WebLogic Application ServerC

4. ÷@U≤/úC

oú Tivoli Access Manager for WebLogic C

Xu@¿v∩C

5. ÷@UTwC

oN¿ Tivoli Access Manager for WebLogic ú@FC

pGzQnú IBM Tivoli Access Manager Base ²Mn≤]Tivoli Access Manager

Base ⌡µ⌠B Tivoli Access Manager Base Java ⌡µ⌠AH∩

Tivoli Access Manager íouπcAϕ IBM Tivoli Access Manager ≥

wΓUñⁿC

q AIX ú

bú Tivoli Access Manager for WebLogic ºeA²Rú Tivoli Access Manager

ΓH.tm Tivoli Access Manager for WebLogicC÷o@ΩTA

\ 34yRú Tivoli Access Manager ΓzM 34y°tm Tivoli

Access Manager for WebLogiczC

ziH installp íú AIX M≤ Tivoli Access Manager for

WebLogicC

pGzQnú IBM Tivoli Access Manager Base ²Mn≤]Tivoli Access Manager

Base ⌡µ⌠B Tivoli Access Manager Base Java ⌡µ⌠AH∩

Tivoli Access Manager íouπcAϕ IBM Tivoli Access Manager ≥

wΓUñⁿC

q HP-UX ú

bú Tivoli Access Manager for WebLogic ºeA²Rú Tivoli Access Manager

ΓH.tm Tivoli Access Manager for WebLogicC÷o@ΩTA

\ 34yRú Tivoli Access Manager ΓzM 34y°tm Tivoli

Access Manager for WebLogiczC

ziH swremove ú Tivoli Access Manager for WebLogic C¿U

CⁿG

1. H root ¡≈nJC

2. pGnú Tivoli Access Manager for WebLogicAΘJHUⁿOG

# swremove PDWLS

oX@tC¼ATºCoX@h¼ATºAⁿXRÑqwgQ

¿C swremove íN Tivoli Access Manager for WebLogic qw

ñúC

ú@¿Aswremove íK⌠C


oNb HP-UX W¿ Tivoli Access Manager for WebLogic ú@FC

pGzQnú IBM Tivoli Access Manager Base ²Mn≤]Tivoli Access Manager

Base ⌡µ⌠B Tivoli Access Manager Base Java ⌡µ⌠AH∩

Tivoli Access Manager íouπcAϕ IBM Tivoli Access Manager ≥

wΓUñⁿC


² A. e

btm Tivoli Access Manager for WebLogic M#ΓΘJΩAOxsb

eñCziHQoe≤ Tivoli Access Manager for WebLogic µC

e≤ java_home/amwls/wls_domain_name/wls_realm_name/ UC Σñ

wls_domain_name Oⁿztm BEA WebLogic Server ⌠WA wls_realm_name

Oⁿzb⌠tm BEA WebLogic Server ⌠WC

e@TG

v amsspi.properties

t BEA WebLogic Server M SSPI ΦtmeC

v rbpf.properties

t Tivoli Access Manager for WebLogic tmeApA]wBñΓe

H Tivoli Access Manager O@½≤íxsWC

v amwlsjlog.properties

ñiHε Tivoli Access Manager for WebLogic OⁿMlAΣñ]

A⌡µl/TqCNAl\αvT Tivoli Access Manager for

WebLogic αA]zubPDp$l\αC

UCX NzíC@eC

O *** ϕúObtm Tivoli Access Manager for WebLogic ΘJeCo

eObtmQ]w] CpGzúnNª]w] AbtmM#Γ

ºeA²≤∩ .in ñe C config M create_realm @O .in

ñ A# ACL M Tivoli Access Manager O@½≤A]btm#Γ

ºßANLk≤∩FC²UCX ñ. *** eAbtmºß.MiH≤∩C

ziHb /pdwls_install_dir/etc ñΣ .in C

amsspi.properties NCMí amsspi.properties ñeC

com.tivoli.amwls.sspi.config.DeployerGroupProp***

w] O DeployersCw] ABEA WebLogic Server 4 zsA

oei²Γ Deployers zsWA∩ Deployers H$W

C

com.tivoli.amwls.sspi.config.MonitorGroupProp***

w] O MonitorsCw] ABEA WebLogic Server 4 zsA

oei²Γ Monitors zsWA∩ Monitors H$WC

com.tivoli.amwls.sspi.config.OperatorGroupProp***

w] O OperatorsCw] ABEA WebLogic Server 4 zsA

i²Γ Operators zsWA∩ Operators H$WC

com.tivoli.amwls.sspi.config.AdminGroupProp***

w] O AdministratorsCw] ABEA WebLogic Server 4 zs


Ai²Γ Administrator zsWA∩ Administrators H$

WCoOϕ½neA] Windows wg@Ws Administrators

zsAHΓ Active Directory @oetN≤sC

com.tivoli.amwls.sspi.Authentication.GroupRegistryDelete

w] O trueCoeiHPbRú Tivoli Access Manager sAO

]RúF≥'²ñsCoPb pdadmin Rús/÷ -registryXAO@íC

com.tivoli.amwls.sspi.Authentication.UserRegistryDelete

w] O trueCoeiHPbRú Tivoli Access Manager AO

]RúF≥'²ñCoPb pdadmin Rú/÷

-registry XAO@íC

com.tivoli.amwls.sspi.Authentication.ssoEnabled

w] O falseCªiH/q WebSEAL Web °A Tivoli Access

Manager Plug-inAµ@nJ BEA WebLogic Server \αC

com.tivoli.amwls.sspi.Authentication.ssoTrustId

NOQªAb WebSEAL Web °A Tivoli Access Manager

Plug-in ºí#H⌠÷pA⌡µµ@nJC

com.tivoli.amwls.sspi.Authentication.ssoPasswdExpiry

w] O 120]CoeiHⁿw SSO H⌠ ID OA

LFoíºßAUAiµ SSO AK∩ Tivoli Access Manager O

SSO C

com.tivoli.amwls.sspi.RoleMapper.EnableWebProgRolecheck

w] O trueCoeiH Web í]pñΓd@Cªi

H²z÷¼ Web íí]pwC

com.tivoli.amwls.sspi.RoleMapper.EnableEjbProgRolecheck

w] O trueCoeiH EJB í]pñΓd@Cªi

H²z÷¼ EJB í]pwC

com.tivoli.amwls.sspi.Authentication.GroupDNPrefix

LDAP w] O cn=CoeiH²zb Dx#s≤

rC

com.tivoli.amwls.sspi.Authentication.UserDNPrefix

LDAP w] O cn=CoeiH²zb Dx#

≤rC

rbpf.properties NCMí rbpf.properties ñeC

com.tivoli.pd.as.rbpf.ProductName

w] O PDWLSCoeOb# Tivoli Access Manager ½≤M ACL A

@MíºC

com.tivoli.pd.as.rbpf.RoleContainerName***

w] O RolesCtmºßAoeN∩

Roles/$WLS_Domain_Name/$WLS_Realm_NameCΣñ WLS_Domain_Name Oⁿz


tm BEA WebLogic Server ⌠WA WLS_Realm_Name Oⁿzt

m BEA WebLogic Server ΓWC

com.tivoli.pd.as.rbpf.ResourceContainerName***

w] O ResourcesCtmºßAoeN∩

Resources/$WLS_Domain_Name/$WLS_Realm_NameCΣñ WLS_Domain_Name O

ⁿztm BEA WebLogic Server ⌠WA WLS_Realm_Name Oⁿz

tm BEA WebLogic Server ΓWC

com.tivoli.pd.as.rbpf.PosRoot***

w] O WebAppServerCoeO Tivoli Access Manager for WebLogic ñ

ñΓMΩº½≤í∩C

com.tivoli.pd.as.rbpf.ProductId***

w] O WLSCoeXF PosRoot A¿ñΓMΩº½≤íC

com.tivoli.pd.as.rbpf.AMActionGroup***

w] O WebAppServerCoeO@sw]WA'bxs Tivoli

Access Manager for WebLogic sMªd@C

com.tivoli.pd.as.rbpf.AMAction***

w] O iANϕIsCo@Ob Tivoli Access Manager for WebLogic ⌡

µsMªdAª[ AMActionGroup ñC

com.tivoli.pd.as.cache.EnableDynamicRoleCaching

w] O trueCoeiHAñΓCAñΓOΘ

AO@δñΓAτYzñΓH$ñΓCª(Mt

ñΓ¿ΩµC

com.tivoli.pd.as.cache.DynamicRoleCache

w] O com.tivoli.pd.as.cache.DynamicRoleCacheImplCoeO⌡µAñ

ΓOCnAziHΩ@ vAñΓAΣΦkOΩ@

com.tivoli.pd.as.cache.IDynamicRoleCache C

com.tivoli.pd.as.cache.DynamicRoleCache.NumBuckets

w] O 20CoeiHⁿwb≥°ΩϕñxsAñΓ'xs

'C

com.tivoli.pd.as.cache.DynamicRoleCache.MaxUsers

w] O 100000CoeOOΘñxs'Cor

úH NumBucketsANOCxsjpW¡C

com.tivoli.pd.as.cache.DynamicRoleCache.RoleLifetime

w] O 20CoeiHⁿw(MtAñΓMªOdbO

ΘñϕC

com.tivoli.pd.as.cache.DynamicRoleCache.PrincipalLifeTime

w] O 10CoeiHⁿwDΘxsb Tivoli Access Manager for

WebLogic OΘñCNAPdPerm.properties appsvr-credcache-lifeAOⁿb PDJRTE ñí°C Tivoli Access

Manager for WebLogic q PDJRTE oA]pGo p≤

appsvr-credcache-lifeAªb Tivoli Access Manager for WebLogic q PDJRTE

Qm½C


com.tivoli.pd.as.cache.EnableStaticRoleCaching

w] O trueCoeiHRAñΓCRAñΓA

OzñΓ(MtñΓ¿ΩµCoOΘPAñΓ

OΘXG@AuO'úCªiH[jzñΓ αA]o

ñΓ¿Ωµú≤C

com.tivoli.pd.as.cache.StaticRoleCache

w] O com.tivoli.pd.as.cache.StaticRoleCacheImplCoO⌡µRAñΓ

OCnAziHΩ@ vRAñΓAΣΦkOΩ@

com.tivoli.pd.as.cache.IStaticRoleCache C

com.tivoli.pd.as.cache.StaticRoleCache.Roles

w] O Admin, Operator, Monitor, DeployerCoeiHOdzñΓ

Mµ]HrI[HjCo≈MµññΓ¿ΩµA[RAñΓ

OΘñ]úOAñΓOΘCΣLñΓ¿ΩµAhO

AñΓOΘñC

com.tivoli.pd.as.cache.EnableObjectCaching

w] O trueCoeiH½≤C½≤OΘiH

Tivoli Access Manager ½≤A]Aª bCªiH

ñΓvs÷ BEA WebLogic Server ΩA]ú]C@Ωn

Dd Tivoli Access Manager Authorization ServerC

com.tivoli.pd.as.cache.ObjectCache

w] O com.tivoli.pd.as.cache.ObjectCacheImplCoeO⌡µ½≤

OCnAziHΩ@ v½≤AΣΦkOΩ@

com.tivoli.pd.as.cache.IObjectCache C

com.tivoli.pd.as.cache.ObjectCache.NumBuckets

w] O 20CoeiHⁿwb≥°Ωϕñxs½≤'xs

'C

com.tivoli.pd.as.cache.ObjectCache.MaxResources

w] O 10000CoeiHⁿwOΘñxs'Co

rúH NumBucketsANOC@xsjpW¡C

com.tivoli.pd.as.cache.ObjectCache.ResourceLifeTime

w] O 20CoeiHⁿw½≤Odb½≤OΘñC

com.tivoli.pd.as.rbpf.UncheckedRoles

w] O Unchecked, AmasUnckeched, AnonymousCoeiHⁿw J2EE .

dñΓMµ]HrIjCpGMµñ⌠≤@ñΓvs BEA

WebLogic Server ΩA≥L[F@δñΓAúvs

ªCMsúúα[oñΓñCoñΓiH v²

]]A.gwbsSwΩC≤ Tivoli Access

Manager for WebLogic tmΓWñΓ[h≥ BEA WebLogic Server Ω

ñA]o≈Mµ@wno.dñΓC÷Moeúbtmº

e]wA²un@]wºßANúiH≤∩C

com.tivoli.pd.as.rbpf.ExcludedRoles

w] O Excluded, AmasExcludedCoeiHⁿw J2EE wúñΓM

µ]HrIjC]ApGΣñ⌠≤@ñΓ[bYΩWA≥

L[F@δñΓAúϕS@vsªCo J2EE w


úñΓiH ∩SwΩsvC÷Moeúb

tmºe]wA²un@]wºßANúiH≤∩C

com.tivoli.pd.as.rbpf.GrantUnprotectedAccess

w] O trueCoeiHⁿwOn²s.ⁿO@nDΩFτ

YS@ñΓvs½≤C

com.tivoli.pd.as.rbpf.CopyParentRole***

w] O falseCoei²zⁿwObSwh#ñΓ

]pAíhñΓAsb¬hwqñΓ¿]pA

sñΓCb Tivoli Access Manager ñAªΓ[bsh ACL

¿As[bíh½≤ ACL ñCoei²zb#

sñΓAΓºMñΓ¿ΩµWCqªP

PropagateChildRole ]P C

com.tivoli.pd.as.rbpf.PropagateChildRole***

w] O falseCoei²zⁿwz∩≤b¬hwqñΓ¿Ω

µ]pAsñΓ≤AO]MblñΓW]pAí

hñΓC½yíApGzΓ userA [sñΓ RoleA ñA]nb

íhΓ userA [ RoleA ñCú²iH[j CopyParentRoleABb≤sñΓ¿ΩµAi@BMñΓ¿vCqªP

CopyParentRole ]P C

com.tivoli.pd.as.rbpf.UseEntitlements

w] O falseCoeⁿXzO Tivoli Access Manager

Authorization Server ñvAA¼÷ñΓvsΩ

ΩTCw] O falseA]ziH]w Tivoli Access Manager A'U¡A

² Tivoli Access Manager for WebLogic ⌡µCúLAoeb⌠U

uα] falseA]ªb Tivoli Access Manager Policy Server µ@óIC

vA]í½≤Ab≤¬h⌡µC]bú⌠UA

ϕ trueC

com.tivoli.pd.as.rbpf.EntitlementsUser

w] O Tivoli Access Manager for WebLogic remote-acl-userCoeiH

s±QⁿwHvA⌡µ½≤d\CvAiHTOV Tivoli

Access Manager O@½≤í½≤AQ& Server Admin Generic

’s’ \ivCb config íAremote-acl-user [ iv-admin sñAB

Q&o\ivCziH≤oA≤s½≤A²O

TOosQ& ’s’ \ivAiH Tivoli Access Manager

O@½≤íñΩxsC

com.tivoli.pd.as.rbpf.IgnorePasswordPolicyOnUserCreate

w] O falseCoei²zbzL BEA WebLogic Server Dx

#s Tivoli Access Manager AñLKXhC

com.tivoli.pd.as.rbpf.DeleteBaseRoleRecursive

w] O trueCoeiⁿXbRú3ñΓAOnRúlñΓC

amwlsjlog.properties

amwlsjlog.properties O@ JLog eCªiHε Tivoli Access Manager

for WebLogic M PDJRTE ñTMlC


úΓ amwlsjlog.properties teíCXA]jíúP'

L÷C÷MpAz.o$DOTMlC

amwlsjlog.properties ñ'AΦWO≤Ñhí'CziH@

≤Oⁿ\αA]iHµ@≤Oⁿ\αC

pGnOⁿ\αAunΓ isLogging e[znOⁿ\α≤YiCUCO Tivoli Access Manager for WebLogic ΣlMT≤CziH

w∩Σñ@eAOeAl/TCUNníC@

≤C

≤ í

l

AmasRBPFTraceLogger l Tivoli Access Manager for WebLogic

í@C

AmasCacheTraceLogger l Tivoli Access Manager for

WebLogic OΘC

AMSSPICfgTraceLogger l Tivoli Access Manager for WebLogic

config @ApA#ñΓC

AMSSPIAuthzTraceLogger l Tivoli Access Manager for WebLogic

vΣC

AMSSPIAuthnTraceLogger l Tivoli Access Manager for WebLogic

OΣC

AMSSPIRoleMapperTraceLogger l Tivoli Access Manager for WebLogic

ñΓ∩MΣC

AMSSPIResourceManagerTraceLogger

l Tivoli Access Manager for WebLogic ñ

ΩzíC

T

AmasCacheMessageLogger w∩ Tivoli Access Manager for WebLogic

í@iµTC

AmasRBPFMessageLogger w∩ Tivoli Access Manager for

WebLogic OΘiµTC

AMSSPICfgMessageLogger w∩ Tivoli Access Manager for WebLogic

config @]pA#ñΓiµTC

AMSSPIAuthzMessageLogger w∩ Tivoli Access Manager for WebLogic

vΣiµTC

AMSSPIAuthnMessageLogger w∩ Tivoli Access Manager for WebLogic

OΣiµTC

AMSSPIRoleMapperMessageLogger

w∩ Tivoli Access Manager for WebLogic

ñΓ∩MΣiµTC

AMSSPIResourceManagerMessageLogger

w∩ Tivoli Access Manager for WebLogic

ΩzíiµTC

WzC@≤ú baseGroup traceLogger M baseGroup messageLoggerC]eñeANpdC

baseGroup.AMSSPIAuthnMessageLogger.isLogging=true


WodiHw∩ Tivoli Access Manager for WebLogic OΣqA

T\αCpGzn∩≤]úFvΣº$l\αANo

[WUoXµG

baseGroup.TraceLogger.isLogging=true

baseGroup.AMSSPIAuthzMessageLogger.isLogging=false

½yíAΣLl≤uOq≥Θxí true wCuvΘx

íOΓ true ½¿ false C


² B. ⁿOt


AMWLSConfigure –action config

tm Tivoli Access Manager for WebLogic ServerC

yk

AMWLSConfigure –action config –domain_admin domain_admin

–domain_admin_pwd domain_admin_password –remote_acl_user remote_acl_user

–sec_master_pwd sec_master_pwd –pdmgrd_host pdmgrd_host –pdacld_host pdacld_host [–deploy_extension true|false] [–wls_server_url wls_server_url] [–am_domain am_domain] [–pdmgrd_port pdmgrd_port] [–pdacld_port pdacld_port] [–amwls_home amwls_home] [–verbose true|false]

–am_domain am_domain

ⁿ Tivoli Access Manager ⌠WCw]⌠O DefaultC

–amwls_home amwls_home

ⁿe Tivoli Access Manager for WebLogic Server w'²⌠C

–deploy_extension true|false

ϕª] true AiHíp Tivoli Access Manager Web Logic Server 5.1

DxCw] O trueC

–domain_admin domain_admin

ⁿ WebLogic ⌠zC

–domain_admin_pwd domain_admin_password

ⁿ WebLogic ⌠zKXC

–pdacld_host pdacld_host

ⁿ Tivoli Access Manager Authorization Server D≈WC

–pdacld_port pdacld_port

ⁿ Tivoli Access Manager Authorization Server ≡Cw]≡O 7136C

–pdmgrd_host pdmgrd_host

ⁿ Tivoli Access Manager Policy Server D≈WC

–pdmgrd_port pdmgrd_port

ⁿ Tivoli Access Manager Policy Server ≡Cw]≡O 7135C

–remote_acl_user remote_acl_user

ⁿw∩ Authorization Server # Tivoli Access Manager DΘC

–sec_master_pwd sec_master_pwd

ⁿ Tivoli Access Manager zKX]qO sec_masterC

–verbose true|false

ϕª] true AiHzΘXCw] O falseC

–wls_server_url wls_server_url

ⁿ WebLogic °A URLCw] O

t3://localhost:7001C


i

oⁿOO≤Uw]w'²ñG

v UNIX tG

/opt/pdwls/sbin/

v Windows tG

C:\Program Files\Tivoli\pdwls\sbin\

pGz∩Ow] H$w'²AoíO≤w'²U sbin '²]

pAinstall_dir\sbin\C

X

"⌠¼AXpUG

0 ⁿOQ¿C

1 ⁿOóC

ϕⁿOóAeX@hTºC÷oDíA\ IBM

Tivoli Access Manager TºC


AMWLSConfigure –action unconfig

°tm Tivoli Access Manager for WebLogic ServerC

yk

AMWLSConfigure –action unconfig –domain_admin_pwd domain_admin_pwd

–sec_master_pwd sec_master_pwd [–verbose true|false]

–domain_admin_pwd domain_admin_pwd

ⁿ Tivoli Access Manager for WebLogic Server ⌠zKXC

–sec_master_pwd sec_master_pwd

ⁿ Tivoli Access Manager zKX]qO sec_masterC

–verbose true|false

ϕª] true AiHzΘXCw] O falseC

i

oⁿOO≤Uw]w'²ñG

v UNIX tG

/opt/pdwls/sbin/

v Windows tG

C:\Program Files\Tivoli\pdwls\sbin\

pGz∩Ow] H$w'²AoíO≤w'²U sbin '²]

pAinstall_dir\sbin\C

X

"⌠¼AXpUG

0 ⁿOQ¿C

1 ⁿOóC

ϕⁿOóAeX@hTºC÷oDíA\ IBM

Tivoli Access Manager TºC


AMWLSConfigure –action create_realm

b WebLogic °A#wΓC

yk

AMWLSConfigure –action create_realm –realm_name realm_name

–domain_admin_pwd domain_admin_pwd –user_dn_suffix user_dn_suffix

–group_dn_suffix group_dn_suffix –admin_group admin_group [–user_dn_prefix user_dn_prefix] [–group_dn_prefix group_dn_prefix] [–sso_enabled true|false] [–sso_user sso_user] [–sso_pwd sso_pwd] [–verbose true|false]

–admin_group admin_group

ⁿFítm Tivoli Access Manager sC

–domain_admin_pwd domain_admin_pwd

ⁿ WebLogic ⌠zKXC

–group_dn_prefix group_dn_prefix

ⁿb#sOW (DN) rC

–group_dn_suffix group_dn_suffix

ⁿb#sOW (DN) rC

–realm_name realm_name

ⁿ'e# WLS ΓWC

–sso_enabled true|false

ϕª] true AiHµ@nJΣCw] O falseC

–sso_pwd sso_pwd

ⁿµ@nJKX (sso_user)C

–sso_user sso_user

ⁿP Tivoli Access Manager #µ@nJH⌠÷pC

–user_dn_prefix user_dn_prefix

ⁿb#OW (DN) rC

–user_dn_suffix user_dn_suffix

ⁿb#OW (DN) rC

–verbose true|false

ϕª] true AiHzΘXCw] O falseC

i

oⁿOO≤Uw]w'²ñG

v UNIX tG

/opt/pdwls/sbin/

v Windows tG

C:\Program Files\Tivoli\pdwls\sbin\

pGz∩Ow] H$w'²AoíO≤w'²U sbin '²]

pAinstall_dir\sbin\C


X

"⌠¼AXpUG

0 ⁿOQ¿C

1 ⁿOóC

ϕⁿOóAeX@hTºC÷oDíA\ IBM

Tivoli Access Manager TºC


AMWLSConfigure –action delete_realm

q WebLogic °ARúwΓC

yk

AMWLSConfigure –action delete_realm –domain_admin_pwd domain_admin_pwd

[–registry_clean true|false] [–verbose true|false]

–domain_admin_pwd domain_admin_pwd

ⁿ WebLogic ⌠zKXC

–registry_clean true|false

úbtmí#MsCw] O falseC

–verbose true|false

ϕª] true AiHzΘXCw] O falseC

i

oⁿOO≤Uw]w'²ñG

v UNIX tG

/opt/pdwls/sbin/

v Windows tG

C:\Program Files\Tivoli\pdwls\sbin\

pGz∩Ow] H$w'²AoíO≤w'²U sbin '²]

pAinstall_dir\sbin\C

X

"⌠¼AXpUG

0 ⁿOQ¿C

1 ⁿOóC

ϕⁿOóAeX@hTºC÷oDíA\ IBM

Tivoli Access Manager TºC


² C. N

ΩTOw∩ IBM bⁿΩúºúPAoXAbΣLΩaañA

IBM úúoúñúUúBAB\αCnDbzbaOi

oúPAAVϕa IBM ANϕdCbú IBM úB

íAAúϕtuα IBM úBíACun.I8 IBM

z]úvA⌠≤\αϕúBíAúiHN IBM úBíAC

úLAΣLD IBM úBíAbB@W⌠PτAΣd⌠≤C

boσ≤ñiα]t IBM ºMQMQ9Cú"

ezMQº⌠≤vCziHΦídvAτHG

IBM Director of Licensing

IBM Corporation

500 Columbus Avenue

Thornwood, NY 10594

U.S.A

Ynd÷G (DBCS) ΩTS\v¡yApzΩaa IBM

z]úíAΦíHG

IBM World Trade Asia Corporation

Licensing

2-31 Roppongi 3-chome, Minato-ku

Tokyo 106, Japan

UCq¿YPΩºk°ΦAY°úAG IBM Hu¼vúA

úú⌠≤qºO]]A²ú¡≤iXSw OCY

abYµ÷Wú#\úWzOAhúL C

ΩTñiαNWLΩWC]AIBM wqFNqß

eJsñCPAIBM oH∩i/ñúú/íC

ΩTñ⌠≤∩D IBM ⌠zAIBM ∩⌠úúOC⌠W

ΩAD IBM úΩ@íAp]⌠y¿lAΣd⌠

Qß µtdC

IBM oHUAϕΦíG Qßú⌠≤ΩTAL∩ztdC

íº≥vY µo÷ΩAHKUCΩTió IBMCΣUCΩT

ⁿOG (1) W##íPΣLí]]Aíºí≤½ΩTΦí (2) ¼

wµ½ºΩTΦk Y⌠≤DpG

IBM Corporation

2Z4A/101

11400 Burnet Road

Austin, TX 78758

USA


WzΩºoΣSϕn≤AbYípUIOΦoC

IBM ≥≤ΦºuIBM ßXvBuIBM ΩívXv⌠≤PÑXº°

AúñívíPΣAvΩC

⌠≤B[\⌡µ αΩúOb@ⁿε⌠UMwXC]AYbΣ

L@⌠UAoGiαjjúPCwwboÑqtWLAú

LoúOb@δtWXPGCAAwiαwzLΦí

⌠LC²ΩGiαDpC vSw⌠AdAΩ

C

úºD IBM úΩTAY@úAΣXnΣL

DoCIBM .LoúA]LkToD IBM ú⌡µ αBe

B⌠≤∩úΣLDiOLCpGz∩D IBM úα⌠≤

AwVúdC

÷ IBM .V⌠≤»zANϕ IBM 'Aiα≤.²nípU

M"C

ΩT]tΘµºΩM°idCF¿iαíodAΣ]A

HBqBPMúCÑWΩcAZⁿΩ°ºWa

A<XC

pGz°OΩTqlAMmΓiαúXC

UCMWⁿO IBM qbⁿΩM/ΣLΩaaUG

AIX

DB2

IBM

IBM x

SecureWay

Tivoli

Tivoli x

MicrosoftBWindowsBWindows NT M Windows xO Microsoft qbⁿΩM]

ΣLΩaaC

Java H Java ≥ªPxO Sun Microsystems, Inc. bⁿΩ/ΣLΩ

aaUC

UNIX O The Open Group bⁿΩΣLΩaaUC

ΣLqBúAWAiαOTAxC


Wⁿ

G

Jf⌠ (portal). @πX⌠AªY@

svAHAΦíú q Web ΩMµ]p

BeAASwC

≈ (public key). bqúwñAC@Húi≈C∩pK≈ (private key)C

¡

D≈ (host). s⌠⌠]p⌠⌠⌠ SNA ⌠

⌠Aiú∩⌠⌠ºsIqúCPA°⌠

wAD≈iHú∩⌠⌠ñεCD≈iHOß

B°APß M°AC

[K (encryption). bqúwñANΩ૨LkδµíAHεolΩαK

oΩC

i (scalability). ⌠⌠t"ÑWsΩ

qαOC

ívAí (external authorization service). @v API ⌡µ$íAií⌠

SvMª¿ Tivoli Access Manager vMª

@í≈CßiHuv ADKvooAC

²⌡ (directory schema). iHXb'²ñ ¼½≤OC¼½≤Owq

ykCe'²iHeC

°ovO (business entitlement). RAíwqδ°≤Ao°≤i≤Ω

vnDñC

(response file). @Ao]t@w²wqD]íúX¬Aiªú@

S@aΘJΣñ@ C

hu Proxy Nz (multiplexing proxy agent, MPA). ehß shDCϕß WAP sw

⌠AohDSuLusqT≤w

(WAP)vhDChD#µ@wWD!l°A

AzLWDu∩qvß nDM"C

h½]lw (multi-factor authentication). @ⁿO

@½≤h (POP)AjεΓHWwh

iµwCpAⁿO@ΩWsεiHnD

PHW/KXW/OqµXiµ

wCt\ⁿO@½≤h (protected object

policy)C

r (Suffix). @OWAiO ⌠O

d'²Ñhñ 'C≤u'²sqT

≤w (LDAP)v∩RW⌡'AHrA≤'

²ÑhΣLC@'C'²°AiHhr

AC@OⁿX ⌠Od'²ÑhC

sε (access control). bqúwñAoOⁿTwqútΩuα≥ovHvΦí

[HsC

sεMµ (Access control list, ACL). bqúwñAoOPY½≤÷@≈MµAo≈MµⁿXis

½≤DDHoDDsvCpAs

εMµNOP÷@≈MµAo≈MµⁿXis

AⁿX∩≤svC

sv (access permission). M!π½≤sMvC

wz (security management). MM∩½níMΩsεαOzhC

µU (self-registration). oO@BzAiªΘJnΩ¿wU Tivoli Access

Manager AúzJC

C

pK≈ (private key). bqúwñAu$D≈C∩≈ (public key)C

ñΓⁿw (role assignment). ⁿwñΓBzApN∩wqñΓ½≤πAϕ

svC

ñΓ (role activation). NsvM!ñΓBzC


K

(User). LΦúºAHBBBzBmBíBqT≤wtC

n² (user registry). \n² (registry)C

εíΩ ID (uniform resource identifier, URI). O⌠⌠⌠WerΩA]AΩW]'²H

WBΩm]'²HWbqúAHs

ΩΦí]qT≤wAp HTTPCURI dεí

ΩwA URLC

εíΩw (uniform resource locator, URL). @sΩrANϕqúW⌠⌠]⌠⌠⌠ñΩTΩ

Co@sΩr]A (a) sΩTΩºqT≤w

YgWAH (b) qT≤wMΣΩTΩΩTC

pAb⌠⌠⌠⌠wqñAoOí≈sU

ΩTΩºqT≤wYgG

httpBftpBgopherBtelnetAH newsFUCO IBM

URLGhttp://www.ibm.comC

ⁿO@½≤ (protected object). ≤M ACL M

POPAHvsvΩtΩΦ½≤

ϕíCt\ⁿO@½≤h (protected object

policy) MⁿO@½≤í (protected object space)C

ⁿO@½≤ í (protected object space). ≤MACL M POPAHvsvΩtΩΩ

½≤ϕíCt\ⁿO@½≤ (protected object) M

ⁿO@½≤h (protected object policy)C

ⁿO@½≤h (protected object policy, POP). @whAN@ΣL°≤jε≤ ACL h\i

@ñCjε POP °≤d⌠b≤ΩzCt

\sεMµ (access control list)BⁿO@½≤

(protected object)BMⁿO@½≤í (protected object

space)C

A (service). °A⌡µu@CAiHO²ΩexsµnD]pAQ°AB

HTTP °ABqll≤°AM finger °AA]i

HO≤°u@ApACL°ABz°A

C

≈ (key). bqúwñAMKXtΓk@@AiNΩ[KKC\pK≈

(private key) M≈ (public key)C

≈Ωw (key database file). \≈⌠ (key

ring)C

≈∩ (key pair). bqúwñAⁿ≈pK≈CN≈t∩≤[KAe≈NT

º[KA¼≤HhpK≈NTºKCN≈t∩

≤ApK≈NTºϕk[KA

¼≤Hh≈NTºϕkKAHKτ

C

≈ (key file). \≈⌠ (key ring)C

≈⌠ (key ring). bqúwñAt≈BpK≈B¬HMC

E

O@Φ (quality of protection). ΩwhAwBπMpK°≤XMwC

Q

h (policy). MⁿzΩ@WhC

O (token). (1) b⌠⌠ñAqYΩ≥e

t@Ωv¡AHϕεF

ΘCΘCC@Ωú≈oMOεC

ΘCOO@SwTº¼AiϕΘ\i

vC (2) b⌠⌠ (LAN) ñAzLΘCΘAq@

met@mCϕOw[ΩA

ON¿TC

tm (configuration). (1) Mµ¼sΩTBzt

ºnwΘΦíC (2) ¿tBlt⌠⌠≈B

mMíC

tm½≤ (container object). N½≤í¿úP\αc'ⁿwC

Q@

@ (action). sεMµ (ACL) \ivCt

\sεMµ (access control list)C

≥w (basic authentication). wΦkº@AnΘJ WKXßA$PwuW

Ωsv¡C

⌡µ (run time). ⌡µqúííC⌡µ⌠O@⌡µ⌠C

KX (cipher). [KΩOLk¬AúD≈Nªα½¿Ω]KC

Mv (privilege attribute certificate). @≈

]AFDΘOHvAHDΘαOσ

≤C


MvA (privilege attribute certificate service). NHw²Mwµíϕ PAC ૨ Tivoli

Access Manager ]!ºv API ⌡µß

$íCoA]iH]tm Tivoli Access

Manager AHΘ!w⌠ΣL¿CßiH

uv ADKvooACt\Mv

(privilege attribute certificate)C

ní (daemon). @ ⌡µ≥w

t\αíAp⌠⌠εCní

oAH⌡µΣ@FΣLníhOw⌡µC

X (junction). e WebSEAL °APß Web

í°Aºí HTTP HTTPS suC WebSEAL

XNϕß °AúO@AC

H root (trusted root). b Secure Sockets Layer

(SSL)A≈Mzñ (CA) ÷pOWC

v (authorization). (1) bqúwñAⁿP

PqútqTqútvQC (2) P∩

½≤BΩ\απ¡svC

vA í (authorization service plug-in). @iAⁿJíw]DLL @íwAi

Tivoli Access Manager v API ⌡µß bl]

wⁿJAH⌡µbuv APIv A@C

'eiA]AuzvBu$ívvBu

∩vBuovOvH PAC @CßiH

uv ADKvooAC

vWh (authorization rule). \Wh (rule)C

α (migration). wssíAHN¡C

Wh (Rule). @hΦ»zíAiH≤°AHδ≤]≤÷pí÷YA @X∩

"C

\iv (permission). sⁿO@½≤]pG'²αOC½≤\ivXNqOsεM

µ (ACL) wqCt\sεMµ (access control

list)C

qhD (common gateway interface, CGI). @

⌠⌠⌠AwqzL HTTP nDAq Web °A

eΩí]!Ve ScriptCCGI

Script O@H Scripting yÑ]p Perlg CGI

íC

s (bind). NOrPíñt@½≤÷pFpANOrPY Bt@Or÷pA

N(íPΩ÷pC

su (connection). (1) bΩqTñAⁿ\αµºí

#÷pAH≤ΩTC (2) b TCP/IP ñAⁿ

úiaΩyeAΓqT≤wíº

í⌠Cb⌠⌠⌠ñAsuqYt TCP

í t@tW TCP íC (3) btq

TñAⁿibΓtítMmíeΩu

⌠C

QG

µ@nJ (single signon, SSO). ⁿα≈nJ@

ABishíAúOanJ!C@

íCt\snJ (global signon)C

Lnw (silent installation). @wΦíAªúeTºDxAONTºMxsbΘxñC

$A wiH"ΘJΩCt\"

(response file)C

n² (registry). ]tBtHnΘsvHtmΩTΩxsBC

ΩD≈ (virtual hosting). e\ Web °AQϕ@⌠

⌠⌠WhD≈αOC

WσrαeqT≤w (hypertext transfer protocol, HTTP). b⌠⌠⌠qT≤wñAⁿαeMπW

σσ≤qT≤wC

iÑw (step-up authentication). @ⁿO@½≤h (POP)Aªαww²tmwhAΩ

W]wh⌡µSwwhCiÑw POP ÷

MújεhwhiµwAHs

⌠≤wΩA²OnbPO@Ωh

h@¬hñiµwC

QT

Ω½≤ (resource object). Nϕu(⌠⌠ΩApABíC

≤BzqT (interprocess communication, IPC). (1)

íí¼ΩPBΣíBzCxB

HHíTºεC≤BzqT@δΦkC (2) O

@@t≈εAi²UBzbPqúz

L⌠⌠¼qHC

≤⌠∩M[c (cross domain mapping framework, CDMF). @í]pAi²ío qp≤∩M¡≈AHϕ WebSEAL e-Community SSO

\αAp≤BzC


≤⌠wA (cross domain authentication service, CDAS). @ú@íw≈ε WebSEAL AAo

≈εi²zNw] WebSEAL w≈@i"

Tivoli Access Manager ¡≈ WebSEAL qCt

\ WebSEALC

Q

z°A (management server). w@oC\

Policy ServerC

zA (administration service). @v API ⌡µ

$íAi∩ Tivoli Access Manager Ωz

í⌡µznDCzAN" pdadmin ⁿO nDAH⌡µ@pACⁿO@½≤≡¼c

ñ¡ IU½≤CßiHuv ADKvoo

AC

z⌠ (management domain). Tivoli Access Manager

ΩIOBvHsεwhw]⌠Co

⌠Obtm Policy Server #Ct\⌠

(domain)C

⌠ (domain). (1) @sΦBtMΩ

A@@PAAq@P'B@C (2) qú⌠⌠

ñtdεΩBzΩíCt\⌠W

(domain name)C

⌠W (domain name). b⌠⌠⌠qT≤wñAⁿD≈tWC⌠WO@jrjlW

¿CpApGD≈tπ⌠W

(FQDN) O as400.rchland.vnet.ibm.comAhUCC@úO

⌠WGas400.rchlandBvnet.ibm.comBvnet.ibm.comB

ibm.comC

⌠⌠¼w (network-based authentication). @ⁿO@½≤h (POP)A⌠⌠⌠qT≤w

(IP) ε½≤sCt\ⁿO@½≤h

(protected object policy)C

⌠⌠⌠qT≤w (Internet protocol, IP). b⌠⌠⌠

qT≤wñAⁿ@LsuqT≤wAizL⌠⌠

µ¼s⌠⌠eΩABi@¬qT≤w

hPΩΘ⌠⌠ºíCC

⌠⌠⌠qT≤w (Internet suite of protocols). @F⌠⌠⌠oqT≤wAzL Internet

Engineering Task Force (IETF) oGunD

(RFC)vC

⌡ (schema). HΩwqyÑϕ»zíAHπíΩwcCb÷píΩwñA⌡'wqFϕµB

CϕµñµHµPϕµí÷YC

²sqT≤w (lightweight directory access protocol, LDAP). @±íqT≤wA (a)

TCP/IP ú∩Σ X.500 íº'²s (b) ú

π≤° X.500 '²sqT≤w (DAP) n

ΩC LDAP]τ'²í

íiH'²@qΩxswHH

A÷ΩTApqll≤B≈AS

wtmCLDAP ²Ob RFC 1777 ñⁿwC

LDAP 3 Ob RFC 2251 ñⁿwA IETF .b

≥BzΣL\αCb RFC 2256 ñiHΣY

IETF wq LDAP ⌡'C

≤Otw (lightweight third party authentication, LTPA). @w[cAe\≤L@¿b⌠⌠⌠⌠ Web °Aiµµ@nJC

e (routing file). @tⁿO ASCII Ao

ⁿOYεTºtmC

snJ (global signon, GSO). unnJM

ΦAi²úNWMKXß Web

í°ACsnJi²zLµ@nJAs

L≥vpΓΩC GSO Yw∩ºΦBí

BΓ⌠hítMí¿ºj¼°]

pA°zhWMKXºCt

\µ@nJ (single signon)C

(digital signature). bqlñA[ΩµΩAΩµ[Kα½Ai²Ωµ

¼≤HτµMπABδiαyΩ

C

(replica). tt@°A'²°AC≈°AAHK[j αYu"íAT

wΩπC

ⁿ (polling). HTwíjΩwAHMwOΘΩBzC

Q

(certificate). bqúwñAⁿ@σ≤AiN≈s¡≈A]i∩

iµwCOzñoXC

zñ" (certificate authority, CA). @tdo

XCzñw¡≈H

QvABoXsB≤s

AHNúAQv[H

°C


QC

ovQ (entitlement). t$í'whΩTΩcCovQthΩAHSwíiHA

Φí[Hµí'αOC

ovQA (entitlement service). @v API ⌡

µ$íAiqDΘ@°≤$í

"ovOCovOqOíSΩAN

ΩzíHYΦí[HAsW!DΘ

AHKbvñi@BCßiHu

v ADKvooAC

αeqT≤w (file transfer protocol, FTP). b⌠

⌠⌠qT≤wñAⁿQuΘεqT≤w (TCP)v

M Telnet ÑAb≈D≈ºíαejqΩ

íhqT≤wC

QE

OW (distinguished name, DN). i @O'²

ñº'WCOWO: t∩¿Ao

t∩OHrIjC

(credentials). bwíoAíB⌠≤s÷pΣLw÷¡≈ΩTC

iwa⌡µ\hAApvBfMe⌠C

∩A (credentials modification service). @

v API ⌡µ$íAi∩ Tivoli Access

Manager Cßb$ío∩A¡≤⌡

µqMµsWú@AH¡≤Q

°i≤∩C

GQ@

Mµ (attribute list). @t ΩTMµAoΩTiHXvMªCMµO@ name

= value t∩c¿C

GQG

w (authentication). (1) bqúwñAⁿτ

¡≈s½≤ΩµC (2) bqúwñAⁿτ

Tº.≤∩lC (3) bqúwñAⁿτΩ

TtⁿO@ΩºCt\h½]l

w (multi-factor authentication)B⌠⌠¼w (network-based

authentication)AMiÑw (step-up authentication)C

A

ACL. \sεMµ (access control list)C

B

BA. \≥w (basic authentication)C

blade. úíSA≤≤C

C

CA. \zñ (certificate authority)C

CDAS. \≤⌠wA (Cross Domain

Authentication Service)C

CDMF. \≤⌠∩M[c (Cross Domain Mapping

Framework)C

CGI. \qhD (common gateway interface)C

cookie. °Axsbß ≈Abß≥Ñq@ísΩTCcookie e\°AOϕ÷≤ß Sw

ΩTC

D

DN. \OW (distinguished name)C

E

EAS. \$ívAí (External Authorization

Service)C

G

GSO. \snJ (global signon)C

H

HTTP. \WσrαeqT≤w (Hypertext Transfer

Protocol)C

I

IP. \⌠⌠⌠qT≤w (Internet Protocol)C

IPC. \≤BzqT (Interprocess Communication)C

L

LDAP. \ '²sqT≤w (Lightweight

Directory Access Protocol)C

LTPA. \≤Otw (lightweight third party

authentication)C


M

meta Ω (metadata). íwxsΩºΦΩC

P

PAC. \Mv (privilege attribute

certificate)C

Policy Server. @÷≤ΣL°Abw⌠ñmΩT Tivoli Access Manager °AC

POP. \ⁿO@½≤h (protected object policy)C

R

RSA [K (RSA encryption). ≤[KMw≈[KktCtOb 1977 , Ron RivestBAdi

Shamir M Leonard Adleman oCtwO∩

ΓjΦn]°wC

S

Secure Sockets Layer (SSL). iúqTpKw

qT≤wC SSL iKß /°Aíºíq

TDB½∩yC SSL O Netscape

Communications Corp. M RSA Data Security, Inc. oC

SSL. \ Secure Sockets LayerC

SSO. \µ@nJ (Single Signon)C

U

URI. \εíΩ ID (uniform resource identifier)C

URL. \εíΩw (uniform resource locator)C

W

WebSEAL. @ Tivoli Access Manager bladeC

WebSEAL O@¬ αBh½⌡µⁿ Web °AAª

NwhM!ⁿO@½≤íCWebSEAL iú

µ@nJMΦANß Web í°AΩJ

ΣwhC

WPM. \ Web Portal ManagerC

Sϕr

Web Portal Manager (WPM). zw⌠ñº

Tivoli Access Manager Base WebSEAL wh Web

¼ííCo GUI iN pdadmin ⁿOµA² zα≈sAB²zα≈#e⌠

⌠AHⁿwe⌠zo⌠C


HñσrAσrASϕº

CC

eTfwtm 5, 32

efí

AMWLSConfigure -action config 50

AMWLSConfigure -action create_realm 53

AMWLSConfigure -action delete realm 55

AMWLSConfigure -action unconfig 52

Σ¡x 9

e¡fknZ 32

dí 30

ef²Mn≤

nΘ 10

svzí

w¼ 1

Java ⌡µ⌠ 11

Policy Server 10

w 14

b AIX 14

b HP-UX 14

b Solaris 15

b Windows 16

eEfiv 30

#

WebSEAL X

pdadmin 24

÷X viii

¡ε

ss 35

z J2EE Ω 35

java.security.ACL 35

eQfh

nJ 33

OΘD 9

eQ@fDPw 35

≥w

wtm 5

X

tm 24

v

i 30

í 30

ú Tivoli Access Manager for WebLogic

p≤ 37

úⁿ

AIX 38

HP-UX 38

Solaris 37

Windows 37

eQGfµ@nJ 10

Hdí 32

nJh 33

ív 30

eQf°

OΘú¼D 35

w 35

D 9

yÑM≤

Dσ 19

eGQGfw

$í 5

S WebSEAL 6

WebSEAL 5

Access Manager 5

© Copyright IBM Corp. 2003 65


AAccess Manager

Java ⌡µ⌠ 17

pdjrtecfg 17

WebSEAL 10

AIX

wb 14

ú 38

AMWLSConfigure -action config 50

AMWLSConfigure -action create_realm 53

AMWLSConfigure -action delete realm 55

AMWLSConfigure -action unconfig 52

CCLASSPATH

HyÑM≤]w startWebLogic 19

]w startWebLogic 18

HHP-UX

wb 14

ú 38

Iinstallp 14

JJava

AIX W⌡µ 11

Ppdadmin

# WebSEAL X 24

pdjrtecfg

ⁿOµ 17

pkgadd 15

pkgrm 37

Policy Server 10

SSMIT 38

Solaris

wb 15

ú 37

startWebLogic

ⁿOm 19

startWebLogic, ]w CLASSPATH 18

swinstall 14

swremove 38

WWebLogic Server

wAú 9

eí 9

7.0 Σ 9

WebLogic °A

AM≤ 9

WebSEAL 1, 10

wtm 5

µ@nJ 10, 24

w 5

WebSEAL X

tm 24

Windows

wb 16

ú 37


Printed in Denmark by IBM Danmark A/S

SC40-1922-00