Configure WebSphere Portal for Active Directory with realm support
Configure the AD Schema
- If not installed, install the Windows 2000 Support Tools from the \SUPPORT\TOOLS directory on the Windows 2000 Setup CD.
- Register the Active Directory Schema snap-in (schmmgmt.dll) by running the following command at a command line:
regsvr32 schmmgmt.dll
- Load the Security Administration Tools console:
- For Windows 2003:
Windows Start menu | Run | mmc /a | OK
- For Windows 2000:
Windows Start Menu | Programs | Windows 2000 Support Tools | Security Administration Tools | Console | Add/Remove Snap-in | Standalone tab | Add | Active Directory Schema | Add
- Configure the Active Directory Schema snap-in using the following steps:
- For Windows 2003:
- From the Security Administration Tools console:
Active Directory Schema (right-click) | Operations Master
- For Windows 2000:
- From the Security Administration Tools console:
Active Directory Schema | Operations Master
- Select The Schema can be modified on this Domain Controller, and click OK to save this change.
- If you are using Windows 2000, create the preferredLanguage attribute:
- From the Security Administration Tools console:
Active Directory Schema | Attributes (right-click) | Create Attribute | Continue
- Enter the following values in Create New Attribute:
Common Name: preferredLanguage
LDAP Display Name: preferredLanguage
Unique X500 Object ID: 2.16.840.1.113730.3.1.39
Syntax: Unicode String
- Click OK to create the preferredLanguage attribute.
- Follow these steps to add the preferredLanguage attribute to the user object class:
- From the Security Administration Tools console:
Active Directory Schema | Classes | user | Attributes | Optional | Add
- Select preferredLanguage from the list of objects and click OK to add this object.
- Follow these steps to enable the preferredLanguage mapping in the Member Manager XML file:
- Edit $WP_HOME/PortalServer/config/templates/wmm/wmmLDAPAttributes_ACTIVE_DIRECTORY.xml.
- Find the following attribute map tag:
<attributeMap wmmAttributeName="preferredLanguage" pluginAttributeName="preferredLanguage" applicableMemberTypes="Person" dataType="String" valueLength="128" multiValued="false" />
- Remove the comment tags on the lines above and below the map tag block. Comment tags are <!-- and -->.
- Save and close the text file before configuring WebSphere Portal.
Configure WebSphere Portal
Follow these steps to edit the wpconfig.properties file and run the appropriate configuration tasks so that WebSphere Portal can work with the LDAP server.
A configuration template might exist to support these instructions. Refer to the wp_root/config/helpers directory for available configuration templates. If you do not want to use a configuration template, simply follow the instructions below as written.
These steps allow you to configure your LDAP server to use virtual portal and realm support.
Password considerations: For security reasons, do not store passwords in the wpconfig.properties file. Edit wpconfig.properties immediately before running a configuration task, inserting only the passwords that task needs. After the task has run, delete all passwords from the wpconfig.properties file.
Alternatively, you can specify the password on the command line using the following syntax:
WPSconfig.{sh|bat} task_name -Dpassword_property_key=password_value
As with other properties, each password property must have the -D prefix and be set equal to (=) a value. If you have multiple properties in a single command, use a space character between each -Dproperty=value setting.
Steps for this task
- Ensure that the LDAP software is installed and any setup required by WebSphere Portal has been performed.
- Locate the wpconfig.properties file and create a back up copy before changing any values.
wp_root/config/wpconfig.properties
- Use a text editor to open the wpconfig.properties file and enter the values appropriate for your environment.
WebSphere Application Server properties
WasUserid Description: The user ID for WebSphere Application Server security authentication. This should be the fully qualified distinguished name (DN). For LDAP configuration this value should not contain spaces.
Note: If a value is specified for WasUserid, a value must also be specified for WasPassword. If WasUserid is left blank, WasPassword must also be left blank.
Recommended value: cn=wpsbind,cn=users,dc=yourco,dc=com
Default LDAP value: ReplaceWithYourWASUserId
WasPassword Description: The password for WebSphere Application Server security authentication.
Note: If a value is specified for WasPassword, a value must also be specified for WasUserid. If WasPassword is left blank, WasUserid must also be left blank.
Recommended value: <none>
Default value: ReplaceWithYourWASUserPwd
Portal configuration properties
PortalAdminId Description: The user ID for the WebSphere Portal administrator. This should be the fully qualified distinguished name (DN). For LDAP configuration this value should not contain spaces.
Recommended value: cn=portaladminid,cn=users,dc=yourco,dc=com
Default value: uid=<portaladminid>,o=default organization
PortalAdminIdShort Description: The short form of the user ID for the WebSphere Portal administrator, as defined in the PortalAdminId property.
Recommended value: <none>
Default value: <portaladminid>
PortalAdminPwd Description: The password for the WebSphere Portal administrator, as defined in the PortalAdminId property.
Recommended value: <none>
Default value: <none>
PortalAdminGroupId Description: The group ID for the group to which the WebSphere Portal administrator belongs.
The recommended value is only a guideline. Before setting this property, check the name of the group schema in your unique environment.
Recommended value: cn=wpsadmins,cn=groups,dc=yourco,dc=com
Default value: cn=wpsadmins,o=default organization
PortalAdminGroupIdShort Description: The short form of the group ID for the WebSphere Portal administrator, as defined in the PortalAdminGroupId property.
Recommended value: <none>
Default value: wpsadmins
WpsContentAdministrators Description: The group ID for the WebSphere Content Administrator group.
Recommended value: cn=wpsContentAdministrators,cn=groups,dc=yourco,dc=com
Default value: cn=wpsContentAdministrators,o=default organization
WpsContentAdministratorsShort Description: The WebSphere Content Administrators group ID.
Recommended value: <none>
Default value: wpsContentAdministrators
WpsDocReviewer Description: The group ID for the WebSphere Document Reviewer group.
Recommended value: cn=wpsDocReviewer,cn=groups,dc=yourco,dc=com
Default value: cn=wpsDocReviewer,o=default organization
WpsDocReviewerShort Description: The WebSphere Document Reviewer group ID.
Recommended value: wpsDocReviewer
Default value: wpsDocReviewer
Database properties
DbUser Description: The user ID for the database administrator.
Recommended value: <none>
Default value: db2admin
DbPassword Description: The password for the database administrator.
Recommended value: <none>
Default value: ReplaceWithYourDbAdminPwd
WebSphere Portal Security LTPA and SSO configuration
LTPAPassword Description: The password for the LTPA bind.
Recommended value: <none>
Default value: <none>
LTPATimeout Description: Specifies the number of minutes after which an LTPA token will expire.
Recommended value: 120
Default value: 120
SSODomainName Description: Specifies the domain name for all allowable single signon host domains.
- Enter the part of the domain that is common to all servers that participate in single signon. For example, if WebSphere Portal has the domain portal.us.ibm.com and another server has the domain another_server.ibm.com, enter ibm.com.
- To specify multiple domains, use a semicolon ; to separate each domain name. For example, your_co.com;ibm.com.
Single signon (SSO) is achieved via a cookie that is sent to the browser during authentication. When connecting to other servers in the TCP/IP domain specified in the cookie, the browser sends the cookie. If no domain is set in the cookie, the browser will only send the cookie to the issuing server. See the WebSphere Application Server documentation for further details about this setting.
Recommended value: your company's domain name
Default value: <none>
LDAP Properties Configuration
Lookaside Description: Specifies if a Lookaside database is to be used in combination with the LDAP server. A Lookaside database stores attributes which cannot be stored in your LDAP server. This combination of LDAP plus a Lookaside database is needed to support Member Manager; however, using a Lookaside database can slow down performance. To enable the LDAP + Lookaside database combination, set this property to true.
This value cannot be configured after security is enabled. If you intend to use a Lookaside database, set this value before configuring security.
Recommended value: false
Default value: false
WmmDefaultRealm Description: The default realm of the Member Manager user registry (UR) configuration. Set this property before enabling security with enable-security-wmmur-ldap or enable-security-wmmur-db.
Recommended value: portal
Default value: portal
LDAPHostName Description: The host information for the LDAP server that WebSphere Portal will use; for example, yourserver.yourcompany.com.
Recommended value: <none>
Default value: yourldapserver.com
LDAPPort Description: The server port of the LDAP directory.
Recommended value (non-SSL): 389
Default value: 389
LDAPAdminUId Description: The LDAP administrator id.
Recommended value: <none>
Default value: cn=root
LDAPAdminPwd Description: The LDAP administrator password. If the LDAPAdminUId is blank, this property must be blank as well.
Recommended value: <none>
Default value: <none>
LDAPServerType Description: Type of LDAP Server to be used.
Recommended value: ACTIVE_DIRECTORY
Default value: IBM_DIRECTORY_SERVER
WmmSystemId Description: The fully-qualified distinguished name (DN) of a user in the LDAP. This DN is stored in the credential vault for PUMA's use to access the Member Manager EJB. The Member Manager EJB is secured by WebSphere Application Server Security starting with WebSphere Portal 5.1. An authenticated security context is now established before WebSphere Portal can access Member Manager.
This value should not contain spaces and must not contain any suffixes in the custom user registry case.
Recommended value: cn=wmmsystemid,cn=users,dc=yourco,dc=com
Default value: <none>
WmmSystemIdPassword Description: Password for WmmSystemId.
Recommended value: <none>
Default value: <none>
Advanced LDAP Configuration
LDAPSuffix Description: The LDAP Suffix. Choose a value appropriate for your LDAP server. This is the distinguished name (DN) of the node in the LDAP containing all user and group information for the Portal being configured. As such, it is the lowest container in the LDAP tree still containing all users that will log into the Portal and all Portal groups.
If WebSphere Application Server configuration tasks (e.g., enable-security-ldap) are used to activate WebSphere Application Server Security, this value will be used as the single Base Distinguished Name for the Application Server LDAP configuration. This value will be qualified with the LDAPUserSuffix and LDAPGroupSuffix values in order to configure Member Manager.
Recommended value: dc=yourco,dc=com
Default value: dc=yourco,dc=com
LdapUserPrefix Description: RDN prefix attribute name for user entries.
Recommended value: cn
Default value: uid
LDAPUserSuffix Description: The DN suffix attribute name for user entries. Choose the value appropriate for your LDAP server. With the "LDAPSuffix" appended to this value, it is the DN of the common root node in the LDAP containing all user information for the Portal being configured. As such, it is the lowest container in the LDAP tree still containing all users that will log into the Portal including the Portal admin users (e.g., wpsadmin and wpsbind).
Recommended value: cn=users
Default value: cn=users
LdapGroupPrefix Description: RDN prefix attribute name for group entries.
Recommended value: cn
Default value: cn
LDAPGroupSuffix Description: The DN suffix attribute name for group entries. Choose a value appropriate for your LDAP server. With the "LDAPSuffix" appended to this value, it is the DN of the common root node in the LDAP containing all group information for the Portal being configured. As such, it is the lowest container in the LDAP tree still containing all group entries for the Portal including the Portal admin group (e.g., wpsadmins).
Recommended value: cn=groups
Default value: cn=groups
LDAPUserObjectClass Description: The LDAP object class of the Portal users in your LDAP directory that will log into the Portal being configured.
Recommended value: user
Default value: inetOrgPerson
LDAPGroupObjectClass Description: The LDAP object class of all the groups in your LDAP directory that the Portal will access.
Recommended value: group
Default value: groupOfUniqueNames
LDAPGroupMember Description: The attribute name in the LDAP group object of the "membership" attribute. Choose a value appropriate for your LDAP server.
Recommended value: member
Default value: uniqueMember
LDAPsslEnabled Description: Specifies whether secure socket communications are enabled to the LDAP server.
Recommended value (non-SSL): false
Recommended value (SSL): true
Default value: false
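The property tables above carry several consistency rules that the configuration tasks do not check for you: WasUserid/WasPassword and LDAPAdminUId/LDAPAdminPwd must be set together or left blank together, DN-valued properties must not contain spaces, the administrator and system DNs must live under LDAPUserSuffix,LDAPSuffix or LDAPGroupSuffix,LDAPSuffix with the configured RDN prefix, and (from the password considerations section) no password may remain in the file once a task has run. The following script is an added example, not IBM's code or part of the product, that applies those rules to a wpconfig.properties file; the property names are the ones documented above, and the sample file is constructed with a few deliberate defects.

```python
"""Check a wpconfig.properties file against the rules stated on this page.

Added example, not IBM's code. Rules encoded: WasUserid/WasPassword and
LDAPAdminUId/LDAPAdminPwd are set together or blank together; DN-valued
properties contain no spaces; PortalAdminId and WmmSystemId sit under
LDAPUserSuffix,LDAPSuffix and PortalAdminGroupId under LDAPGroupSuffix,LDAPSuffix
with the configured RDN prefix; template placeholders are gone before a task
runs; no password remains in the file after a task has run.
"""

# Constructed sample file: WasPassword is blank while WasUserid is set, the
# admin group sits under cn=users, a placeholder is left, and after the task
# has run LDAPAdminPwd is still present.
SAMPLE_PROPERTIES = """\
WasUserid=cn=wpsbind,cn=users,dc=yourco,dc=com
WasPassword=
PortalAdminId=cn=portaladminid,cn=users,dc=yourco,dc=com
PortalAdminIdShort=portaladminid
PortalAdminPwd=
PortalAdminGroupId=cn=wpsadmins,cn=users,dc=yourco,dc=com
PortalAdminGroupIdShort=wpsadmins
DbUser=db2admin
DbPassword=ReplaceWithYourDbAdminPwd
LTPAPassword=
WmmDefaultRealm=portal
LDAPHostName=ad.yourco.com
LDAPPort=389
LDAPAdminUId=cn=root
LDAPAdminPwd=S3cret!
LDAPServerType=ACTIVE_DIRECTORY
WmmSystemId=cn=wmmsystemid,cn=users,dc=yourco,dc=com
WmmSystemIdPassword=
LDAPSuffix=dc=yourco,dc=com
LdapUserPrefix=cn
LDAPUserSuffix=cn=users
LdapGroupPrefix=cn
LDAPGroupSuffix=cn=groups
"""

PASSWORD_KEYS = ("WasPassword", "PortalAdminPwd", "DbPassword", "LTPAPassword",
                 "LDAPAdminPwd", "WmmSystemIdPassword")
PAIRED_KEYS = (("WasUserid", "WasPassword"), ("LDAPAdminUId", "LDAPAdminPwd"))
DN_KEYS = ("WasUserid", "PortalAdminId", "PortalAdminGroupId", "WmmSystemId")
PLACEHOLDER_PREFIX = "ReplaceWithYour"


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines; '#' and '!' start comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _normalize_dn(dn):
    """Lower-case, whitespace-free form so DNs can be compared by suffix."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_properties(props, phase="before"):
    """Return findings for phase 'before' (editing) or 'after' (task has run)."""
    findings = []
    if phase == "before":
        for uid_key, pwd_key in PAIRED_KEYS:
            if bool(props.get(uid_key)) != bool(props.get(pwd_key)):
                findings.append(f"{uid_key} and {pwd_key} must both be set or both be blank")
        for key, value in props.items():
            if value.startswith(PLACEHOLDER_PREFIX):
                findings.append(f"{key} still has the template placeholder {value}")
        suffix = props.get("LDAPSuffix", "")
        user_base = (props.get("LDAPUserSuffix", ""), props.get("LdapUserPrefix", ""))
        group_base = (props.get("LDAPGroupSuffix", ""), props.get("LdapGroupPrefix", ""))
        for key, (sub, prefix) in (("PortalAdminId", user_base), ("WmmSystemId", user_base),
                                   ("PortalAdminGroupId", group_base)):
            dn = props.get(key, "")
            if not dn:
                continue
            # The DN must end with "<sub suffix>,<LDAPSuffix>" and start with the RDN prefix.
            if not _normalize_dn(dn).endswith("," + _normalize_dn(f"{sub},{suffix}")):
                findings.append(f"{key} is not under {sub},{suffix}")
            if prefix and not dn.lower().startswith(prefix.lower() + "="):
                findings.append(f"{key} RDN does not use the {prefix} attribute")
    for key in DN_KEYS:
        if " " in props.get(key, ""):
            findings.append(f"{key} contains a space")
    if phase == "after":
        for key in PASSWORD_KEYS:
            value = props.get(key, "")
            if value and not value.startswith(PLACEHOLDER_PREFIX):
                findings.append(f"{key} still holds a password; clear it now that the task has run")
    return findings


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for phase in ("before", "after"):
        print(f"[{phase}]")
        for finding in check_properties(props, phase) or ["no findings"]:
            print("  " + finding)
```

Run it once in the "before" phase after editing the file and once in the "after" phase after the configuration task has finished; the second run is the reminder that the file is not a place to keep credentials.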
- Optional: If you installed WebSphere Application Server as part of the WebSphere Portal installation and you plan to use WebSphere Application Server single signon, ensure that the following property in the wpconfig.properties file has the recommended value and not the default value. WebSphere Portal uses Form-based login for authentication, which requires SSO to be enabled; otherwise, you will no longer be able to log in to WebSphere Portal.
If you installed WebSphere Portal onto a pre-existing instance of WebSphere Application Server, skip this step. Any pre-existing settings for WebSphere Application Server SSO are automatically detected and preserved when you run the appropriate task to configure security.
WebSphere Portal Security LTPA and SSO Configuration
SSORequiresSSL Description: Specifies that single signon is enabled only when requests are over HTTPS Secure Sockets Layer (SSL) connections. Choose False unless SSL is already enabled for WebSphere Portal. In most cases, SSL for WebSphere Portal will not yet be in place. After SSL for WebSphere Portal is set up, change this value using the WebSphere Application Server administrative console.
Recommended value (non-SSL): false
Recommended value (SSL): true
Default value: false
- Save the file.
- In a command prompt, change to the WebSphere Application Server /bin directory.
- Windows/Unix: was_root/bin
- Enter the following commands:
- startServer server1
- stopServer WebSphere_Portal
- Change to the WebSphere Portal configuration directory.
- Windows/Unix: wp_root/config
- Enter the following command to run the appropriate configuration task for your specific operating system:
- UNIX: ./WPSconfig.sh validate-wmmur-ldap -DWasPassword=password -DPortalAdminPwd=password -DLTPAPassword=password -DLDAPAdminPwd=password -DWmmSystemIdPassword=password
- Windows: WPSconfig.bat validate-wmmur-ldap -DWasPassword=password -DPortalAdminPwd=password -DLTPAPassword=password -DLDAPAdminPwd=password -DWmmSystemIdPassword=password
If the configuration task fails, validate the values in the wpconfig.properties file.
- Follow these steps if you are running this task on a node that is already federated and have not previously used this step to copy Member Manager files to the deployment manager:
- Run the following command, which creates the wasextarchive.jar file containing the Member Manager binaries in the wp_root/config/work directory:
- UNIX: ./WPSconfig.sh archive-was-ext
- Windows: WPSconfig.bat archive-was-ext
- Copy the wasextarchive.jar file from the wp_root/config/work directory to the installation root folder of the WebSphere Portal Network Deployment Manager, for example Dmgr_root.
- Stop WebSphere Portal Network Deployment Manager by issuing the following command from the Dmgr_root/bin directory:
- UNIX: ./stopManager.sh
- Windows: stopManager.bat
- Un-archive the wasextarchive.jar file in the Dmgr_root directory using the following command from the Dmgr_root directory:
- UNIX: ./java/bin/jar -xvf wasextarchive.jar
- Windows: \java\bin\jar -xvf wasextarchive.jar
- Verify that the Dmgr_root/lib/ext directory contains some files with names starting with the word wmm.
- Start WebSphere Portal Network Deployment Manager by issuing the following command from the Dmgr_root/bin directory:
- UNIX: ./startManager.sh
- Windows: startManager.bat
- If you meet either of the following criteria:
- You installed WebSphere Portal on a pre-existing instance of WebSphere Application Server which did not have Global Security enabled
- You installed WebSphere Application Server as part of the WebSphere Portal installation
Enter the appropriate command to run the configuration task for your specific operating system. If this is a cluster environment, stop all cluster members before enabling security using the enable-security-wmmur-ldap task.
- UNIX: ./WPSconfig.sh enable-security-wmmur-ldap -DWasPassword=password -DPortalAdminPwd=password -DDbPassword=password -DLTPAPassword=password -DLDAPAdminPwd=password -DWmmSystemIdPassword=password
- Windows: WPSconfig.bat enable-security-wmmur-ldap -DWasPassword=password -DPortalAdminPwd=password -DDbPassword=password -DLTPAPassword=password -DLDAPAdminPwd=password -DWmmSystemIdPassword=password
- Check the output for any error messages before proceeding with any additional tasks. If the configuration task fails, verify the values in the wpconfig.properties file. Before running the task again, be sure to stop the WebSphere Portal appserver. To stop the server, follow these steps:
- In a command prompt, change to the WebSphere Application Server /bin directory.
- Windows/Unix: was_root/bin
- Enter the following command and specify the WebSphere Application Server user ID and password (as defined by the WasUserid and WasPassword properties):
stopServer WebSphere_Portal -user was_admin_userid -password was_admin_password
- If you are using wmm.xml to store Member Manager configuration information, modify wp_root/wmm/wmm.xml to change the wmmGenerateExtId value from true to false. By default this value is true, but for Active Directory it must be set to false. In the <ldapRepository...> stanza of the wmm.xml file, change the value as follows:
wmmGenerateExtId="false"
- Uncomment preferredLanguage attributeMap by completing the following steps:
- Go to the /wp_root/wmm directory.
- Make a backup copy of wmmLDAPServerAttributes.xml. For example, copy and rename wmmLDAPServerAttributes.xml to wmmLDAPServerAttributes.xml.orig.
- Open the wmmLDAPServerAttributes.xml file.
- Search for the preferredLanguage attributeMap element. By default, it is commented out.
- Remove the comment tags.
- Save the file.
- If you are using Windows 2003 Active Directory, modify wp_root/wmm/wmm.xml. In the <ldapRepository...> stanza of the wmm.xml file, change the adapterClassName= value to:
adapterClassName="com.ibm.ws.wmm.ldap.activedir.ActiveDirectory2003AdapterImpl"
- If you are using LDAP over SSL, refer to Set up LDAP over SSL and be sure your LDAP is properly configured.
- Enable Member Manager to use SSL by importing the CA root certificate into was_root/etc/DummyServerTrustFile.jks. Do this by using the WebSphere Application Server IKeyMan GUI tool, or by using the following command:
keytool -import -file rootcert.cer -keystore was_root/etc/DummyServerTrustFile.jks
The root certificate, rootcert.cer, of the LDAP server is required to authenticate to the LDAP server and is created when setting up LDAP over SSL. The default password for DummyServerKeyFile.jks is WebAS.
- Configure WebSphere Portal to use LDAP over SSL.
- If you are using wmm.xml to store Member Manager configuration information, modify wp_root/wmm/wmm.xml and make the following changes:
- Change the LDAP port from 389 to the port on which your LDAP server is listening for LDAP over SSL traffic. The recommended value is 636. In the <ldapRepository...> stanza of the wmm.xml file, change the port number as desired:
ldapPort="636"
- In the <ldapRepository...> stanza of the wmm.xml file, add the following key/value pair:
java.naming.security.protocol="ssl"
- If you are using resource-pme.xml to store Member Manager configuration information, use the WebSphere Application Server Administrative Console to change the port number and add a new attribute.
- To change LDAP Port Number, open the WebSphere Application Server Administrative Console and choose Member Manager Provider > MembershipProvider > LDAP Profile Repositories > LDAP Repository Name. Change Port to the SSL port being used (default is 636).
- To add the java.naming.security.protocol customer property, open the WebSphere Application Server Administrative Console and choose Member Manager Provider > MembershipProvider > LDAP Profile Repositories > LDAP Repository Name > Custom Properties. Click New button and enter java.naming.security.protocol for Name and ssl for Value.
- Click OK to see the updated Custom Properties.
- After applying the change, if you open resource-pme.xml, you see the property has been added:
<propertySet xmi:id="J2EEResourcePropertySet_1">
<resourceProperties xmi:id="J2EEResourceProperty_1" name="java.naming.security.protocol" type="java.lang.String" value="ssl" description="JNDI environment property to specify the security protocol to use."/>
<resourceProperties xmi:id="J2EEResourceProperty_2" name="java.naming.security.authentication" type="java.lang.String" value="simple" description="JNDI environment property to specify the type of authentication to use."/>
</propertySet>
- Restart WebSphere Portal.
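The wmm.xml edits in the steps above (wmmGenerateExtId, the Windows 2003 adapter class, the SSL port and java.naming.security.protocol) and the preferredLanguage attributeMap that must be uncommented are easy to get half-right, and a commented-out element is simply invisible to an XML parser. The script below is an added example, not IBM's code or part of the product, that reads the two files and reports what is still at its default. The two sample documents are constructed; their root element names, the extra attributes shown beside the ones this page names, and the treatment of java.naming.security.protocol as an attribute on <ldapRepository> are assumptions.

```python
"""Post-edit check of wmm.xml and wmmLDAPServerAttributes.xml for Active Directory.

Added example, not IBM's code. Verifies the settings this page tells you to
change: wmmGenerateExtId="false", the Windows 2003 adapterClassName, the SSL
port plus java.naming.security.protocol="ssl" when LDAP over SSL is used, and
that the preferredLanguage attributeMap is no longer inside comment tags.
"""
import xml.etree.ElementTree as ET

# Adapter class name as given on this page for Windows 2003 Active Directory.
AD2003_ADAPTER = "com.ibm.ws.wmm.ldap.activedir.ActiveDirectory2003AdapterImpl"

# Constructed wmm.xml fragment (root/attribute layout assumed): the adapter is
# already the 2003 one, but extId generation and the SSL settings are untouched.
SAMPLE_WMM_XML = """<?xml version="1.0" encoding="UTF-8"?>
<wmm>
  <repositories>
    <ldapRepository name="wmmLDAP"
        adapterClassName="com.ibm.ws.wmm.ldap.activedir.ActiveDirectory2003AdapterImpl"
        wmmGenerateExtId="true"
        ldapHost="ad.yourco.com"
        ldapPort="389"
        userSecurityNameAttribute="uid"/>
  </repositories>
</wmm>
"""

# Constructed wmmLDAPServerAttributes.xml fragment with the map still commented out.
SAMPLE_ATTRIBUTES_XML = """<?xml version="1.0" encoding="UTF-8"?>
<attributeMaps>
  <attributeMap wmmAttributeName="uid" pluginAttributeName="sAMAccountName"
      applicableMemberTypes="Person" dataType="String" valueLength="128" multiValued="false"/>
  <!--
  <attributeMap wmmAttributeName="preferredLanguage" pluginAttributeName="preferredLanguage"
      applicableMemberTypes="Person" dataType="String" valueLength="128" multiValued="false"/>
  -->
</attributeMaps>
"""


def check_wmm_xml(xml_text, windows_2003=True, ldap_over_ssl=False, ssl_port="636"):
    """Return a list of findings for the <ldapRepository> stanza (empty means clean)."""
    findings = []
    repo = ET.fromstring(xml_text).find(".//ldapRepository")
    if repo is None:
        return ["no <ldapRepository> stanza found"]
    # The page states the default is true and Active Directory needs false.
    if repo.get("wmmGenerateExtId", "true") != "false":
        findings.append('wmmGenerateExtId must be "false" for Active Directory')
    if windows_2003 and repo.get("adapterClassName") != AD2003_ADAPTER:
        findings.append(f'adapterClassName should be "{AD2003_ADAPTER}" for Windows 2003')
    if ldap_over_ssl:
        if repo.get("ldapPort") != ssl_port:
            findings.append(f'ldapPort is {repo.get("ldapPort")}, expected SSL port {ssl_port}')
        if repo.get("java.naming.security.protocol") != "ssl":
            findings.append('java.naming.security.protocol="ssl" is missing from <ldapRepository>')
    return findings


def check_preferred_language_map(xml_text):
    """The parser drops comments, so a commented-out map is simply absent."""
    for amap in ET.fromstring(xml_text).iter("attributeMap"):
        if amap.get("wmmAttributeName") == "preferredLanguage":
            return []
    return ["preferredLanguage attributeMap is absent or still inside <!-- --> comment tags"]


if __name__ == "__main__":
    for finding in check_wmm_xml(SAMPLE_WMM_XML, windows_2003=True, ldap_over_ssl=True):
        print("wmm.xml:", finding)
    for finding in check_preferred_language_map(SAMPLE_ATTRIBUTES_XML):
        print("wmmLDAPServerAttributes.xml:", finding)
```

Point the two functions at the real files under wp_root/wmm after editing, and again after a restart, since a mistyped attribute name in wmm.xml fails silently until the first login attempt.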
- Stop and start the servers.
- In a command prompt, change to the WebSphere Application Server /bin directory.
- Windows/Unix: was_root/bin
- Enter the following commands. If you are running with security enabled on WebSphere Application Server, specify a user ID and password for security authentication when entering the commands.
- Stop server 1.
- stopServer server1
- Security enabled: stopServer server1 -user was_admin_userid -password was_admin_password
- Start server 1.
- startServer server1
- Start WebSphere Portal appserver
- startServer WebSphere_Portal
- Perform this step only if you installed WebSphere Portal on a pre-existing instance of WebSphere Application Server. Manually deploy portlets if you installed WebSphere Portal without configuring it during installation:
- Ensure that WebSphere Portal is running.
- In a command prompt, change to the WebSphere Portal /config directory.
- Windows/Unix: wp_root/config
- Enter the appropriate command to run the configuration task for your specific operating system:
- UNIX: ./WPSconfig.sh portlets -DPortalAdminPwd=password
- Windows: WPSconfig.bat portlets -DPortalAdminPwd=password
- If you installed WebSphere Portal into a pre-existing SSO environment, you will not be given the option to import your existing token file, so perform the following steps:
- To import your SSO Token:
- In the WebSphere Application Server Administrative Console, select Security > Authentication Mechanisms > LTPA.
- Enter the LTPA token password in the Password field.
- Enter the password again in the Confirm password field.
- In the Key File Name field, enter the LTPA token file.
- Click Import Keys.
- Click Save.
- To set your SSO Domain:
- In the WebSphere Application Server Administrative Console, select Security > Authentication Mechanisms > LTPA.
- Click Single Signon in Additional Properties.
- Enter the domain name in the Domain Name field.
- Click Ok.
- If you want to allow users or portal administrators to create and modify directory attributes through self-registration and self-care screens or the user management portlet, perform the following steps:
WebSphere Portal can be configured to create the distinguished name (DN) for a user account created through WebSphere Portal interfaces (self-registration or the user management portlet create new user functions) by using the common name (cn) as the first Relative Distinguished Name (RDN) component. The default configuration of WebSphere Portal generates this attribute based on the surname and givenname attributes. The configuration is located in the puma.properties file.
- Open the PumaService.properties file. You can find this file in the wp_root/shared/app/config/services directory.
- Add user.sync.remove.attributes=cn,CN.
- Save the file.
- Restart the WebSphere_Portal appserver.
Note: If you do not perform these steps WebSphere Portal will not be able to create or update a user by using portal functions because of a misconfiguration.
The following entry defines the user common name pattern and can be used to customize the common name. In the pattern, you define which attributes are used, and the number of attributes has to be provided by puma.commonname.parts. See the following example for more details:
eg: firstname+" "+lastname
puma.commonname = {0} {1}
puma.commonname.parts = 2
puma.commonname.0 = firstname
puma.commonname.1 = lastname
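How the indexed puma.commonname.N properties feed the pattern, and why a missing attribute makes user creation fail (the misconfiguration the note above warns about), is shown by the following added example. It is not IBM's code or part of the product: the property names come from the page, but reading the pattern as a positional template ({0}, {1}, ...) filled in index order is an assumption drawn from the "{0} {1}" example, and the user records are constructed.

```python
"""Derive a user's common name from the puma.commonname pattern shown above.

Added example, not IBM's code. Treating puma.commonname as a positional
template filled from puma.commonname.0 .. puma.commonname.(parts-1) is an
assumption based on the "{0} {1}" example on this page.
"""

# Constructed: the firstname/lastname configuration given on the page.
SAMPLE_PUMA_PROPERTIES = """\
puma.commonname = {0} {1}
puma.commonname.parts = 2
puma.commonname.0 = firstname
puma.commonname.1 = lastname
"""


def parse_commonname_config(text):
    """Return (pattern, [attribute names in index order]) from properties text."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    pattern = props.get("puma.commonname", "{0}")
    parts = int(props.get("puma.commonname.parts", "1"))
    # Every index 0..parts-1 must name an attribute, otherwise the pattern
    # cannot be filled in and the portal cannot build a cn for new users.
    attrs = []
    for i in range(parts):
        key = f"puma.commonname.{i}"
        if key not in props:
            raise ValueError(f"{key} is missing but puma.commonname.parts={parts}")
        attrs.append(props[key])
    return pattern, attrs


def build_common_name(pattern, attrs, user):
    """Fill the pattern with the user's attribute values; refuse blank values."""
    values = [user.get(name, "").strip() for name in attrs]
    missing = [name for name, value in zip(attrs, values) if not value]
    if missing:
        raise ValueError("cannot build cn, missing attribute(s): " + ", ".join(missing))
    return pattern.format(*values)


def build_user_dn(cn, user_prefix, user_suffix, ldap_suffix):
    """First RDN is <LdapUserPrefix>=<cn>, placed under LDAPUserSuffix,LDAPSuffix."""
    return f"{user_prefix}={cn},{user_suffix},{ldap_suffix}"


if __name__ == "__main__":
    pattern, attrs = parse_commonname_config(SAMPLE_PUMA_PROPERTIES)
    user = {"firstname": "Jane", "lastname": "Doe"}  # constructed record
    cn = build_common_name(pattern, attrs, user)
    print(build_user_dn(cn, "cn", "cn=users", "dc=yourco,dc=com"))
```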
Verifying configuration
Access WebSphere Portal via http://hostname.yourco.com:port_number/wps/portal and verify that you can log in.
Configuring WebSphere Portal to work with an LDAP directory automatically enables WebSphere Application Server Global Security. Once security is enabled, type the fully qualified host name when accessing WebSphere Portal and the WebSphere Application Server Administrative Console.
Security is enabled
Once you have enabled security with your LDAP directory, provide the user ID and password required for security authentication on WebSphere Application Server when you perform certain administrative tasks with WebSphere Application Server. For example, to stop the WebSphere Portal appserver, you would issue the following command:
stopServer WebSphere_Portal -user was_admin_userid -password was_admin_password
Switching the login LDAP attribute
Follow these steps to switch the login LDAP attribute from the default (uid) to another LDAP attribute (such as emailAddress):
- Open the WebSphere Application Server AdminConsole.
- Go to Security > User Registries > Custom > Custom Properties.
- If wmmUserSecurityNameAttr already exists, select it. Otherwise click New.
- If not already set, set Name as wmmUserSecurityNameAttr and Value to the attribute you would like, such as emailAddress.
( Attribute names are found in wp_root/wmm/wmmLDAPServerAttributes.xml, where wp_root is the WebSphere Portal installation directory)
- Save your changes.
- Open the file wp_root/wmm/wmm.xml.
- Set userSecurityNameAttribute to the attribute you would like to be used as the login attribute (using the example in Step 4, the setting would look like: userSecurityNameAttribute="emailAddress").
- Save the file and restart PortalServer.
Next steps
You have completed this step. Continue to the next step by choosing the following topic:
- LDAP user registry
- Plan
- Install Active Directory
- Set up Active Directory
- Set up Active Directory over SSL
- Verifying
- Verifying LDAP
WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.
IBM is a trademark of the IBM Corporation in the United States, other countries, or both.