|Applies To||ClearTrust Agent 4.7 for IBM WebSphere 6.1; IBM WebSphere 6.1.x|
|Issue||How to configure the WebSphere TAI so that it does not contact the aserver.|
If more than one domain is present, WebSphere may throw the following exception when the Access Manager user name is not mapped correctly:
com.ibm.websphere.wim.exception.EntityNotFoundException: CWWIM4538E Multiple principals were found for the 'user1' principal name.
When only the TAI portion of the RSA Agent 4.7 for WebSphere is installed, there are two ways for the TAI to obtain the Access Manager user for SSO.
1. If the cleartrust.agent.websphere.tai_validate_sessions setting in the cleartrust.properties file is set to true, the TAI extracts the user name from the encrypted token in the CTSESSION cookie. If this method is selected, the TAI must establish a connection to the Access Manager aserver to decrypt the token and validate the session.
2. If the cleartrust.agent.websphere.tai_validate_sessions setting is set to false, the TAI extracts the user name from the HTTP header variable named by the setting cleartrust.agent.websphere.tai_user_header. In this configuration the TAI does not need to contact the Access Manager aserver to validate the session.
The TAI can also apply a conversion to the user name before performing the SSO in the WebSphere JAAS module. To do this you must configure the TAI to create a WebSphere subject from the Access Manager user name, enable DN conversion, and provide a DN format in the cleartrust.properties file:
By default, if the DN conversion setting is enabled, the TAI also contacts the Access Manager aserver to perform user and user-group look-ups in order to set the WebSphere roles. If role information is not required, a new configuration parameter can be set in the cleartrust.properties file to prevent the role look-up and so avoid an unnecessary connection from the TAI to the aserver. The new parameter is
|Resolution||To prevent the TAI from contacting the Access Manager aserver for user and group look-ups, enable the setting cleartrust.agent.websphere.tai_disable_group_search=true in the cleartrust.properties file. For this setting to take effect you must apply hotfix 4.7.0.04 for the 4.7 Agent for WebSphere 6.1. Contact RSA Customer Support and request this hotfix, or the latest cumulative hotfix for this agent.|
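As an added check (not part of the RSA article), the following Python reads the three settings named above from a cleartrust.properties excerpt and reports where the TAI will take the user name from and which operations would still require a connection to the aserver. Because the article does not name the DN conversion property key, whether DN conversion is enabled is passed in as a flag, and the header name CT_REMOTE_USER in the sample is constructed.

```python
from typing import Dict, List

# Property keys named in the article.
VALIDATE = "cleartrust.agent.websphere.tai_validate_sessions"
USER_HEADER = "cleartrust.agent.websphere.tai_user_header"
NO_GROUP_SEARCH = "cleartrust.agent.websphere.tai_disable_group_search"


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def audit_tai(props: Dict[str, str], dn_conversion_enabled: bool) -> Dict[str, List[str]]:
    """Report the user-name source and every reason the TAI would still call the aserver."""
    # dn_conversion_enabled is a flag because the article does not name that property key.
    report: Dict[str, List[str]] = {"user_source": [], "aserver_contacts": [], "warnings": []}
    validate = props.get(VALIDATE, "").lower()
    if validate == "true":
        report["user_source"].append("encrypted token in the CTSESSION cookie")
        report["aserver_contacts"].append("token decryption and session validation")
    elif validate == "false":
        header = props.get(USER_HEADER, "")
        if header:
            report["user_source"].append(f"HTTP header '{header}'")
        else:
            report["warnings"].append(f"{USER_HEADER} is not set; no header to read the user name from")
    else:
        shown = validate or "unset"
        report["warnings"].append(f"{VALIDATE} is '{shown}'; set it explicitly to true or false")
    # Group search runs by default whenever DN conversion is on; the hotfix setting turns it off.
    if dn_conversion_enabled and props.get(NO_GROUP_SEARCH, "").lower() != "true":
        report["aserver_contacts"].append("user and group look-up for WebSphere roles")
    return report


# Constructed sample: header-based user name with role look-up disabled, so no aserver contact.
SAMPLE = """
# constructed cleartrust.properties excerpt
cleartrust.agent.websphere.tai_validate_sessions=false
cleartrust.agent.websphere.tai_user_header=CT_REMOTE_USER
cleartrust.agent.websphere.tai_disable_group_search=true
"""
```

Run `audit_tai(parse_properties(SAMPLE), dn_conversion_enabled=True)` to confirm an empty aserver_contacts list for the sample.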
|Legacy Article ID||a44563|