000014580 - How to configure the WebSphere TAI so that it does not contact the aserver.

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017. Version 2.

Article Content

Article Number: 000014580
Applies To: ClearTrust Agent 4.7 for IBM WebSphere 6.1
IBM WebSphere 6.1.x
Issue: How to configure the WebSphere TAI so that it does not contact the aserver.

If more than one user domain is present, WebSphere may throw the following exception when the Access Manager user name is not mapped correctly and resolves to more than one registry entry:

com.ibm.websphere.wim.exception.EntityNotFoundException: CWWIM4538E Multiple principals were found for the 'user1' principal name.

Cause

When only the TAI portion of the RSA Agent 4.7 for WebSphere is installed, there are two ways for the TAI to obtain the Access Manager user for SSO.

1. If the cleartrust.agent.websphere.tai_validate_sessions setting in the cleartrust.properties file is set to true, the TAI extracts the user name from the encrypted token in the CTSESSION cookie. In this mode the TAI must establish a connection to the Access Manager aserver to decrypt the token and validate the session.

2. If cleartrust.agent.websphere.tai_validate_sessions is set to false, the TAI extracts the user name from the HTTP header named by the cleartrust.agent.websphere.tai_user_header setting. In this configuration the TAI does not need to contact the Access Manager aserver to validate the session. Because the header value is then trusted as-is, this mode is only safe when that header reaches WebSphere solely through the ClearTrust web agent that sets it and cannot be supplied by a client directly.

The TAI can also apply a conversion to the user name before performing SSO in the WebSphere JAAS module. To do this, configure the TAI to create a WebSphere subject from the Access Manager user name, enable DN conversion, and provide a DN format in the cleartrust.properties file:

cleartrust.agent.portal.tai_create_subject=true
cleartrust.agent.portal.convert_uid_to_dn=true
cleartrust.agent.portal.user_dn_format=CT/uid=<%uid%>,ou=People, dc=rsasecurity, dc=com

By default, when DN conversion is enabled the TAI also contacts the Access Manager aserver to do user and user group look-ups in order to set the WebSphere roles. If role information is not required, a configuration parameter can be set in the cleartrust.properties file to skip the group look-up and so prevent the TAI from making an unnecessary connection to the aserver. The parameter is

cleartrust.agent.websphere.tai_disable_group_search=true

Resolution: To prevent the TAI from contacting the Access Manager aserver for user and group look-ups, set cleartrust.agent.websphere.tai_disable_group_search=true in the cleartrust.properties file. For this setting to take effect you must apply hotfix 4.7.0.04 for the 4.7 Agent for WebSphere 6.1. Contact RSA Customer Support and request this hotfix, or the latest cumulative hotfix for this agent.
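As an added illustration (not RSA's agent code, and not from this article), the following Python simulates the identity path the Cause section describes for the no-aserver configuration: the user name is read from the header named by tai_user_header, DN conversion fills the <%uid%> placeholder of user_dn_format, and tai_disable_group_search=true suppresses the group look-up that would otherwise reach the aserver. The header name CT_REMOTE_USER, the uid character rule and the aserver stub are assumptions made for the example; the page does not say how the agent itself validates the header value.

```python
"""Added illustration of the identity path the article describes when the TAI
is configured not to contact the aserver. This is not RSA's agent code: the
property names are the ones from the article; the header name, the uid
character rule and the aserver stub are assumptions made for this example."""
import re

# Constructed cleartrust.properties fragment using the article's settings.
PROPERTIES = {
    "cleartrust.agent.websphere.tai_validate_sessions": "false",
    "cleartrust.agent.websphere.tai_user_header": "CT_REMOTE_USER",  # assumed name
    "cleartrust.agent.portal.tai_create_subject": "true",
    "cleartrust.agent.portal.convert_uid_to_dn": "true",
    "cleartrust.agent.portal.user_dn_format":
        "CT/uid=<%uid%>,ou=People, dc=rsasecurity, dc=com",
    "cleartrust.agent.websphere.tai_disable_group_search": "true",
}

# Records every simulated aserver round trip so the no-contact configuration
# can be checked to make none.
ASERVER_CALLS = []

# Assumed rule: only characters that cannot alter DN structure. A uid such as
# "user1,ou=Admins" would otherwise be spliced verbatim into user_dn_format.
UID_PATTERN = re.compile(r"[A-Za-z0-9._@-]+")


def is_true(props, key):
    """Properties-file booleans are strings; treat anything but 'true' as false."""
    return props.get(key, "false").strip().lower() == "true"


def convert_uid_to_dn(uid, dn_format):
    """Substitute the uid into the <%uid%> placeholder of user_dn_format."""
    if not UID_PATTERN.fullmatch(uid):
        raise ValueError("uid %r contains characters not allowed in a DN component" % uid)
    return dn_format.replace("<%uid%>", uid)


def aserver_group_lookup(uid):
    """Stand-in for the user/group look-up that tai_disable_group_search=true skips."""
    ASERVER_CALLS.append(uid)
    return ["cn=ctusers,ou=Groups,dc=rsasecurity,dc=com"]  # constructed result


def tai_subject(props, request_headers):
    """Return (principal, groups) as the TAI would hand them to WebSphere,
    or None when no identity can be asserted from the request."""
    if is_true(props, "cleartrust.agent.websphere.tai_validate_sessions"):
        # Mode 1 needs the aserver to decrypt the CTSESSION token; not simulated.
        raise RuntimeError("tai_validate_sessions=true requires an aserver connection")

    # Mode 2: the identity is whatever the configured header says. HTTP header
    # names are case-insensitive, so normalise before the look-up.
    header_name = props["cleartrust.agent.websphere.tai_user_header"].lower()
    headers = {name.lower(): value for name, value in request_headers.items()}
    uid = headers.get(header_name, "").strip()
    if not uid:
        return None

    principal = uid
    convert = is_true(props, "cleartrust.agent.portal.convert_uid_to_dn")
    if is_true(props, "cleartrust.agent.portal.tai_create_subject") and convert:
        principal = convert_uid_to_dn(uid, props["cleartrust.agent.portal.user_dn_format"])

    groups = []
    if convert and not is_true(props, "cleartrust.agent.websphere.tai_disable_group_search"):
        groups = aserver_group_lookup(uid)  # the round trip the hotfix setting removes
    return principal, groups


if __name__ == "__main__":
    # Constructed request as the ClearTrust web agent would forward it.
    print(tai_subject(PROPERTIES, {"CT_REMOTE_USER": "user1"}))
    print("aserver contacted:", ASERVER_CALLS)
```

Running it yields the DN-form principal with an empty group list and no recorded aserver call; flipping tai_disable_group_search to false makes the look-up appear in ASERVER_CALLS. Because the TAI in this mode trusts whatever the configured header carries, the check that matters in deployment is that WebSphere accepts that header only from the ClearTrust web agent and never directly from a client: any value placed in the header becomes the principal.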
Legacy Article ID: a44563
