Mapping an Active Directory account to administrative roles 

Map an account from Microsoft™ Active Directory to administrative roles in IBM WAS.

Before starting

This task is not required if you do not plan to use single sign-on based on SPNEGO/Kerberos.

You must configure IBM Connections to use Active Directory as the user directory. For more information, see the Setting up federated repositories topic.

Define an Active Directory account to be mapped to administrative roles in WAS. You will use this account in future for authentication to the Integrated Solution Console. In addition, these credentials will be used in applications for internal authentication like Search and J2C connection bus.

About this task

After enabling Kerberos in WAS, the default file-based repository no longer works and you can no longer log in to the WAS Integrated Solution Console using the wasadmin account. Any services that require authentication and that use the wasadmin credentials no longer work. Consequently, some functions in IBM Connections fail, including search indexing, notifications, adding widgets, and so on.

To prevent such problems, configure IBM Connections to map an account in Active Directory to the administrative roles in WAS.

To map the Active Directory account...

Procedure

1. Map an Active Directory account to administrative roles:

   1. Log in to the WAS Integrated Solution Console on the dmgr

   2. Click Users and groups -> Administrative user roles -> Add.

   3. From the list of Roles, select Admin Security Manager and Administrator.
      
      Tip: To select multiple values, press the Ctrl key.
      

   4. Enter the Active Directory account name in the Search string field and click Search.

   5. Select the account name in the Available column and click the right arrow button to add the account name to the Mapped to role column.

   6. Click OK.

   7. Click Save.
      

2. Update the messaging bus configuration:

   1. Click Security -> Bus security -> ConnectionsBus.

   2. Under Additional Properties, click Security -> Users and groups in the bus connector role -> New.

   3. In the SIB Security Resource Wizard window, click Users, enter the Active Directory account name in the Search pattern field, and click Next.

   4. Select the check box beside the account name and click Next.

   5. If you are satisfied with the summary information, click Finish.

   6. Click Save.
      

3. Change the J2C authentication:

   1. Click Security -> Global security.

   2. In the Authentication area, expand Java Authentication and Authorization Service and click J2C authentication data.

   3. Click connectionsAdmin.

   4. Enter the Active Directory account name in the User ID field.

   5. Enter the password for the Active Directory account in the Password field.

   6. Click OK.

   7. Click Save.
      

   Note: If you subsequently change the password for the Active Directory account that you map in this step, change the password here as well.
   

4. Update the mapping for the dsx-admin, search-admin, and widget-admin J2EE roles, replacing the currently-mapped user with the Activity Directory account.

   1. Click Applications -> Application Types -> WebSphere enterprise applications.

   2. Click Activities.

   3. Click Security role to user/group mapping.

   4. Select the search-admin check box and click Map users.

   5. In the Search String box, enter the name of the Active Directory account that you want to map to this role and click Search. If the account exists in the directory, it is displayed in the Available list.

   6. Select the account name from the Available box and move it to the Selected column by clicking the right arrow button.

   7. Click OK.

   8. Repeat steps c-f for the widget-admin and dsx-admin roles.
      
      Note: The widget-admin and dsx-admin roles might not have been defined for every application.
      

   9. Click OK.

   10. Repeat steps b-i for the other IBM Connections applications.

   11. Click Save.
       

5. Modify the runtime user for the Search application:

   1. Click Applications -> WebSphere enterprise applications -> Search.

   2. Under Details Properties, click User RunAs Roles.

   3. Enter the Active Directory account name in the username field.

   4. Enter the password for the Active Directory account in the Password field.

   5. Select the admin check box.

   6. Click Apply.
      
   Note: If you subsequently change the password for the Active Directory account that you map in this step, change the password here as well.
   

6. Optional: (Complete this step if you use Windows™ services for starting or stopping IBM Connections.) Update your Windows services for starting or stopping IBM Connections:

   1. Run wasservicecmd. For more information about using the wasservicecmd command, go to the Use WASServiceCmd to create Windows services page.

   2. Delete the previous Windows services that you used for starting or stopping IBM Connections.

   3. Add new Windows services, providing the user ID and password of the Active Directory account.
      
   Note: If you subsequently change the password for the Active Directory account that you map in this step, change the password here as well.
   

7. Stop all IBM Connections services and WAS node agents.

8. Restart the deployment manager.

9. Restart all IBM Connections services and WAS node agents.
   

Parent topic

Enable single sign-on for the Windows desktop
Next topic: Create a service principal name and keytab file

+

Search Tips   |   Advanced Search