
Connector for WebSphere Components

In document Oracle Access Manager (Page 162-165)

The Connector for WebSphere uses the Trust Association Interceptor (TAI), the Identity System, the Access System, and the following components:

NetPointWASRegistry: This is the Connector for WebSphere. The NetPointWASRegistry is a user data store implementation of the WebSphere CustomRegistry in Oracle Access Manager. The NetPointWASRegistry serves as a plug-in to the WebSphere Application Server (WAS).

The WebSphere CustomRegistry is also known as a custom user registry (CUR). The CustomRegistry defines the methods that the WAS uses to perform security operations for applications configured to use them. For example, the WebSphere CustomRegistry may be used to identify attributes such as username and password, and to combine user information from diverse data sources.

The NetPointWASRegistry consists of the Access Manager SDK and Identity XML. The NetPointWASRegistry establishes a native connection between the WAS and Oracle Access Manager, enabling WebSphere administrators to use policy-based security features to control user access to business applications.

IdentityXML: The Connector for WebSphere uses IdentityXML calls to get user and group information from the Identity Server. Typically, you use IdentityXML to integrate the Identity System with external software systems and to perform Identity System functions programmatically rather than using the Identity System GUI.

Access Manager SDK: The Access Manager Software Developer's Kit (SDK) enables you to create an interface that can be built into WebSphere and to create an AccessGate that communicates with the Access Server for authentication purposes. The SDK is installed automatically when you install the Connector for WebSphere. The SDK is used by the TAI.

Custom Member Repository (CMR): The CMR is an extension of the Oracle Access Manager component called NetPointWASRegistry (a custom user registry). It resides on the WebSphere Portal Server. The WebSphere Portal Server uses WebSphere Application Server security for authentication when logging in to the Portal. The WebSphere Portal Server enables users to customize and personalize their experience and uses a component called Member Services to manage information about users, user accounts, user profile attributes, and group memberships.

The CMR is an instance of a Member Services component. The CMR connects the WebSphere Portal Server to the Identity System users and groups. The CMR implements the IBM WebSphere MemberRepository interface, and is used to assign and determine access control to the portlets. The CMR stores user.baseattributes and group.baseattributes. It supports only read operations, not create, modify, or delete operations.

The WebSphere Portal Server will use the CMR to make IdentityXML queries like getAttributes for a user for personalization, getGroupMemberships, search users by attribute, and similar functions.

For more information, see "Supported Versions and Platforms" on page 10-10.

Note: The Connector for WebSphere does not support getGroupMemberships. As a result, in the case of nested groups, if you check for inner group membership, the parent group details will not be displayed.

Integration Architecture

The integration between WebSphere and Oracle Access Manager varies depending on whether you use only the NetPointWASRegistry or whether you also use the Access System’s single sign-on. For details, see:

■ "Scenario 1: Use of NetPointWASRegistry" on page 10-5.

■ "Scenario 2: Architecture for Single Sign-On" on page 10-6.

For additional information, see "Mapping Users and Groups to Security Roles in WAS" on page 10-7. See also "Integration Scenario with the Oracle Access Manager CMR" on page 10-8.

Scenario 1: Use of NetPointWASRegistry

The NetPointWASRegistry obtains Identity System-managed user and group information and performs authentication based on that information.

Figure 10–1 illustrates an implementation of the Connector for WebSphere using the NetPointWASRegistry.

Figure 10–1 Integrating the WebSphere Application Server with the NetPointWASRegistry

In this scenario, use of a WebGate is optional. The WebGate is needed only for single sign-on or to protect the WebPass.

Process overview: Login using WAS with the NetPointWASRegistry

1. A user tries to access a WebSphere resource through a browser.

2. The WAS forwards the user's request to the Connector for WebSphere.

Note: In this scenario, the WAS and both Web servers must belong to the same domain.

(Figure 10–1 labels, numbered 1 through 7 to match the process steps: User's Browser, Web Server 1, Web Server 2, WebGate, WebPass, Application Server, Connector for WebSphere, TAI, LTPA Token, NetPointWASRegistry, AccessGate, Oracle Access Manager, Access Server, Identity Server, LDAP.)

3. The Connector for WebSphere checks with the Access Server and authenticates the user.

4. If single sign-on is enabled in the WAS, an LTPA token is generated.

5. The Connector for WebSphere queries the Identity Server via WebPass for a list of groups to which the user belongs.

The Identity Server checks the directory and returns the information to the Connector for WebSphere.

6. The Connector for WebSphere returns this information to the WAS.

7. The WAS checks the deployment descriptor for a user-security or group-security role mapping.

If the user or group belongs to a security role that is allowed to access the resource, the WAS enables the user to access the resource.
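The role-mapping decision in step 7, combined with the note above that the connector does not return parent group details for nested groups, can be worked through as a small model. This is an added example, not Oracle or IBM code: the directory data and role bindings are constructed, direct_groups() stands in for the connector's group query, and effective_groups() shows what a registry that did expand nested membership would return.

```python
# Constructed model of the WAS role-mapping step. Not Oracle Access Manager
# or WebSphere code; the data below is invented for illustration.

# Constructed directory: group -> members. Nested groups are listed with a
# "group:" prefix so the model can tell users and groups apart.
DIRECTORY_GROUPS = {
    "Finance-All": ["group:Finance-Analysts", "cfo"],
    "Finance-Analysts": ["alice", "bob"],
    "HR": ["carol"],
}

# Constructed deployment-descriptor binding: security role -> allowed principals.
ROLE_BINDINGS = {
    "finance-reports": {"groups": ["Finance-All"], "users": []},
    "hr-records": {"groups": ["HR"], "users": ["dave"]},
}

def direct_groups(user):
    """Groups that list the user directly: what a direct-only registry returns
    (the documented connector behaviour, which omits parent groups)."""
    return sorted(g for g, members in DIRECTORY_GROUPS.items() if user in members)

def effective_groups(user):
    """Direct groups plus every ancestor reached through group nesting."""
    found = set(direct_groups(user))
    frontier = list(found)
    while frontier:
        child = frontier.pop()
        for parent, members in DIRECTORY_GROUPS.items():
            if f"group:{child}" in members and parent not in found:
                found.add(parent)
                frontier.append(parent)
    return sorted(found)

def is_authorized(user, role, expand_nested=False):
    """Step 7: allow access if the user, or one of the groups returned by the
    registry, is bound to the role in the deployment descriptor."""
    binding = ROLE_BINDINGS.get(role)
    if binding is None:
        return False
    if user in binding["users"]:
        return True
    groups = effective_groups(user) if expand_nested else direct_groups(user)
    return any(g in binding["groups"] for g in groups)
```

A role bound only to a parent group therefore denies a user who is a member of the nested child group unless the registry expands nesting, so bind roles to the groups the connector actually returns.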

Scenario 2: Architecture for Single Sign-On

The Access System’s single sign-on feature enables authenticated users to access protected resources without having to re-authenticate. To use the Access System’s single sign-on, you must enable the TAI and install an AccessGate plug-in on the Web server servicing WAS.

Figure 10–2 illustrates WAS using Access System single sign-on.

Figure 10–2 Single sign-on with the WebSphere Application Server

Note: In this scenario, a WebGate is required for single sign-on.

(Figure 10–2 labels, numbered 1 through 8 to match the process steps: User's Browser, Web Server 1, Web Server 2, WebGate, WebPass, Application Server, Connector for WebSphere, TAI, LTPA Token, NetPointWASRegistry, AccessGate, Oracle Access Manager, Access Server, Identity Server, LDAP.)

Process overview: Login using the WAS with Access System single
