
Setting up a Session Management Server (PDSMS)

Chapter 3. Installation

3.4 Setting up a Session Management Server (PDSMS)

This section provides information about installing and configuring a Tivoli Access Manager Session Management Server (SMS) system. The major role of the Session Management Server is to manage and monitor sessions across dispersed, clustered Web servers. The Session Management Server is an optional component of Tivoli Access Manager. It runs as a service of the IBM WebSphere Application Server, as shown in Figure 3-6.

Figure 3-6 Tivoli Access Manager Session Management Server

The only prerequisite for the PDSMS installation is an installed and configured WebSphere Application Server. A Tivoli Access Manager environment must exist before installing the Session Management Server. Access Manager WebSEAL or Access Manager Plug-in for Web Servers must be installed, configured, and running.

In addition, if you decide to enable WebSphere global security (to ensure that administration actions are secured), you need to create three groups in WebSphere Application Server that can be used to manage the Session Management Server environment:

• A group for administrators, for example: sms-administrators

• A group for delegators, for example: sms-delegators

• A group for clients, for example: sms-clients

The names of the groups must follow the naming conventions of the user registry used by WebSphere Application Server. You can use existing groups for this purpose, if desired.

As an installation option you can enable SSL for the communication between the Access Manager servers in the replica set and the IBM WebSphere Application

[Figure 3-6 component labels: PDSMS; WebSphere Application Server + GSKit; PDlic; Operating System]

If you plan to use Access Manager certificates to authenticate with PDSMS, or if you want to use the Access Manager sec_master user (or other users and groups defined in the secAuthority=Default suffix) to administer PDSMS using either the session management command line or Web interface, then you must unconfigure the base DN in the LDAP user registry used by WebSphere Application Server.

An optional prerequisite component is a DB2 database. DB2 is required only if you are intending to use a DB2 database to store login history information. Also, an IBM DB2 JDBC™ driver must be available to the WebSphere Application Server.

Setting up a Session Management Server system is a three-step process that consists of installation, deployment to the application server or cluster, and configuration. After installing the Session Management Server using native installation utilities, the DSess.ear file must be deployed as a WebSphere Application Server application.

After installing the Session Management Server you can configure the server using the following command:

smscfg -action config

After installing the Session Management Server, you must reconfigure WebSEAL or the Plug-in for Web Servers (or both) to use the Session Management Server for managing sessions.

Along with the PDSMS installation, the structure of your session realms and associated replica set must be planned and mapped. Determine whether you want to have replicated Session Management Server instances that provide failover capability and improved performance.

3.4.1 Session Management Server administrative interfaces

The Session Management Server offers two kinds of administration interfaces:

• The session management Web interface (PDSMSWP)

• The session management command line interfaces (PDSMSCLI)

Both interfaces and dependent software are shown in Figure 3-7 on page 88.

Note: After deployment, do not start the DSess.ear application until the Session Management Server has been configured using the smscfg command.

Figure 3-7 Session Management Server administrative interfaces

You can administer the Session Management Server either by using the Tivoli Access Manager pdadmin command line utility located on the participating Tivoli Access Manager Authorization Server or by using a Web interface, which is part of the Tivoli Access Manager Web Portal Manager.

Session Management Server command line interface

Before you install and configure the session management command line interface, the following steps are required:

• As Figure 3-7 shows, to administer the Session Management Server from the command line, the Access Manager Command Line package (PDSMSCLI) must be installed on the Authorization Server.

• WebSEAL or the Plug-in for Web Servers component must be installed, configured, and running before the Session Management Server can operate.

• The Session Management Server and the Authorization Server components must be installed and configured before configuring the Access Manager session management command line component.

• The configuration requires the name of the server that hosts the Session Management Server and the port number to be used for communication between the server where the Session Management Server is hosted and the Authorization Server that is hosting the command line extension utility.

• If more than one Session Management Server is installed for failover and performance reasons, the host names and communication port numbers for each Session Management Server must be configured.

• Determine whether you want to enable SSL for session management command line interface communications. You can enable SSL between the Session Management Server and the Authorization Server so that all pdadmin


• If you plan to use the Tivoli Access Manager sec_master user (or other users and groups defined in the secAuthority=Default suffix) to administer PDSMS using either the session management command line or Web interface, then you must unconfigure the base DN in the LDAP user registry used by WebSphere Application Server.

To configure (or unconfigure) the Session Management Server command line interface, use the pdsmsclicfg utility. This utility can be run either interactively, where the user is prompted to provide configuration information, or silently, where the utility accepts input from a response file. During configuration, the program prompts the user to specify the path to the configuration file for an already configured aznAPI application. If the Authorization Server (PDAcld) is installed and configured on the hosting system, the prompts default to the ivacld.conf configuration file.

Run the command from the system hosting the Session Management Server.

The pdsmsclicfg utility writes to the host Authorization Server configuration file, ivacld.conf.

The program prompts the user to specify the location of the Web service. A location is defined by a host name and a port, separated by a semicolon. Multiple locations can be specified, separated by commas. If this Web service uses a secure connection, the program prompts the user for the SSL options. The name of the configuration file for the authorization application and the SSL files are saved during configuration to the pdsmsclicfg.conf configuration file. This configuration information is used during unconfiguration to determine the location of the pdsmsclicfg.conf configuration file. The SSL configuration information is used as input to the backup utility. The presence of this configuration file is also used to determine the configuration status of the plug-in.
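The location string described above (host and port separated by a semicolon, several locations separated by commas) is easy to get wrong at the prompt, and a malformed entry is only discovered once ivacld.conf is already written. The following validator is an added example, not part of the Tivoli product or this Redbook; the function names and the host-name rules it applies are assumptions made here.

```python
import re

# RFC 1123 style host label check (constructed here, not the product's own validation).
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _valid_host(host):
    """Return True if host looks like a DNS name or an IPv4 dotted quad."""
    if not host or len(host) > 253:
        return False
    return all(_LABEL.match(label) for label in host.split("."))


def parse_sms_locations(spec):
    """Parse a Web service location string in the format the text describes.

    Each location is "host;port"; several locations (replicated Session
    Management Servers for failover) are separated by commas.  Returns a
    list of (host, port) tuples and raises ValueError on malformed input,
    so a bad answer can be rejected before it reaches the configuration file.
    """
    locations = []
    seen = set()
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty location in %r" % spec)
        parts = item.split(";")
        if len(parts) != 2:
            raise ValueError("expected host;port, got %r" % item)
        host, port_text = parts[0].strip(), parts[1].strip()
        if not _valid_host(host):
            raise ValueError("invalid host name %r" % host)
        if not port_text.isdigit():
            raise ValueError("port must be numeric in %r" % item)
        port = int(port_text)
        if not 1 <= port <= 65535:
            raise ValueError("port out of range in %r" % item)
        key = (host.lower(), port)  # the same replica listed twice is a mistake
        if key in seen:
            raise ValueError("duplicate location %r" % item)
        seen.add(key)
        locations.append((host, port))
    return locations


def location_error(spec):
    """Return None if spec is well-formed, otherwise the validation message."""
    try:
        parse_sms_locations(spec)
        return None
    except ValueError as exc:
        return str(exc)
```

The sample host names in the test below are constructed; they are not addresses from the book's environment.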

Optionally, this command can be executed in the background if you choose the pdconfig utility for performing configuration tasks.

Session Management Server Web interface (PDSMSWPM)

Before you install and configure the session management Web interface system, you must perform the following pre-installation tasks:

• Figure 3-7 on page 88 shows that PDSMSWPM must be installed on the system that hosts the Web Portal Manager (PDWPM). As a prerequisite, WPM (and all software that WPM requires) must therefore be installed and running. The session management Web interface can run as a service in WebSphere Application Server, and it can be accessed through the WPM Web interface.

• WebSEAL or the Plug-in for Web Servers component must be installed, configured, and running before the Session Management Server can operate.

• The Session Management Server component must be installed and configured before configuring the session management Web Interface component.

• The configuration requires the name of the server that hosts the Session Management Server and the port number to be used for communication between the server where the Session Management Server is hosted and the Authorization Server that is hosting the command line extension utility.

• If more than one Session Management Server is installed for failover and performance reasons, the host names and communication port numbers for each Session Management Server must be configured.

• Determine whether you want to enable SSL for session management Web interface communications. You can enable SSL between the Web Portal Manager and the IBM WebSphere Application Server hosting the Session Management Server so that all communications between the Web interface and the Session Management Server are secure.

• Decide whether to use existing Web Portal Manager certificates for the SSL communication between the Web Portal Manager and the server hosting the Session Management Server, or to use the IBM WebSphere Application Server trust store certificates.

• If you plan to use the Tivoli Access Manager sec_master user (or other users and groups defined in the secAuthority=Default suffix) to administer the Session Management Server using either the session management command line or Web interface, then you must unconfigure the base DN in the LDAP user registry used by WebSphere Application Server.

The pdsmswpmcfg utility configures or unconfigures the Session Management Server Web Portal Manager extensions. When configured, the Session Management Server can be administered using Web Portal Manager.
