Configure SiteMinder w/Portal

 

+
Search Tips   |   Advanced Search

 


Overview

If you use SiteMinder to perform authorization for the portal, also use SiteMinder to perform authentication for the portal. Using SiteMinder to perform only authorization is not supported with Portal V5.1.

Complete the following steps to configure SiteMinder to perform authorization for WebSphere Portal:

  1. Install and configure WebSphere Portal, the database software, and the LDAP directory.

  2. Install Netegrity Policy Server.

  3. install the SiteMinder Software Development Kit on the same machine as WebSphere Portal. Refer to the SiteMinder documentation for more information.

  4. Review the...

    How to Implement the Java Agent API

    ...section in the SiteMinder Developer's API Guide to ensure that your environment is set up correctly.

  5. Copy the smjavasdk2.jar included in the SiteMinder Software Development Kit to the WebSphere Application Server lib directory. For example:

    C:\WebSphere\AppServer\lib

  6. Create and specify the following SiteMinder Domain objects. These objects must exist before running a configuration task. Refer to the SiteMinder Policy Design documentation for information about how to create these objects.

    User Directory Representing the LDAP server and suffix that WebSphere Portal is configured to use
    Authentication Scheme To associate with the SiteMinder realms that WebSphere Portal creates
    Agent A SiteMinder WebAgent that is configured to "support 4.x agents" or a custom SiteMinder agent. The agent must have a static shared secret to allow communication with the SiteMinder Policy Server.

  7. Optional: In SiteMinder version 5.5 and higher, the configuration for SiteMinder Web Agents, including shared secrets, is centrally administered and can be dynamic. You may create a new custom agent to ensure a static shared secret . Follow these steps to create a custom agent in SiteMinder:

    1. Open the SiteMinder Administration console.

    2. Select Agent Types from the View > Agent Types menu.

    3. Right-click Agent Types, and select Create Agent Type from the pop-up menu.

    4. Enter a Name and an Action for the new agent type. Other fields are optional.

    5. Click OK.

    6. Select Agents from the View > Agents menu.

    7. Right-click Agent, and select Create Agent to create an agent object of the new agent type.

    8. Note the name, action, and shared secret for this agent. You will use these values in the following step.

  8. Optional: Ensure that users are no longer created through WebSphere Portal.

    If you use SiteMinder, you probably have a user provisioning process for creating and updating users and groups and administering group membership. You probably will want to continue using that user provisioning process instead of managing your directory through WebSphere Portal. In fact, if you use WebSphere Portal to create users in the directory that SiteMinder uses, these users will not be able to log in to SiteMinder until you manually import them as SiteMinder users through the SiteMinder administration tools.

    WebSphere Portal creates entries in the directory in two ways:

    In WebSphere Portal, the ability to create new users through the Manage Users and Groups portlet is governed by WebSphere Portal access control.

  9. Locate the wp_root/config/wpconfig.properties file on the WebSphere Portal machine and create a backup copy before changing any values.

  10. Use a text editor to open the wp_root/config/wpconfig.properties file and enter the values appropriate for your environment.

    Note the following:

    • Do not change any settings other than those specified in these steps. For instructions on working with these files, see Configuration properties reference for a complete properties reference, including default values.

    • Use / instead of \ for all platforms.

    • Some values, shown in italics below, might need to be modified to your specific environment.

    Password considerations: For security reasons, not store passwords in the wpconfig.properties file. It is recommended that you edit the wpconfig.properties prior to running a configuration task, inserting the passwords needed for that task. Then, after the task has run, you should delete all passwords from the wpconfig.properties file. For more information, see Delete passwords.

    Alternatively, you can specify the password on the command line using the following syntax:

      WPSconfig.{sh|bat} task_name -Dpassword_property_key=password_value

    As with other properties, each password property must have the -D prefix and be set equal to (=) a value. If you have multiple properties in a single command, use a space character between each -Dproperty=value setting.

  11. Edit the following values in the Advanced Security Configuration section of the wpconfig.properties file:

    Input Description
    EACserverName (Optional) Namespace context information to further distinguish externalized portal role names from other roll names in the Tivoli Access Manager namespace.

    If set, EACcellName and EACappname must also be set.

    reorderRoles This field will allow you to either have your externalized Portal role names displayed with the resource type first, or the role types first.
    EACcellName (Optional) Namespace context information to further distinguish externalized portal role names from other roll names in the Tivoli Access Manager namespace.

    If set, EACserverName and EACappname must also be set.

    EACappName (Optional) Namespace context information to further distinguish externalized portal role names from other roll names in the Tivoli Access Manager namespace.

    If set, EACcellName and EACservername must also be set.

    SMDomain SiteMinder Domain containing all externalized portal resources.
    SMScheme SiteMinder Authentication scheme object name to use when creating realms.
    SMAgent

    The agent name that is created on SiteMinder for a specific portal external security manager instance.

    SMAgentPw Password for SiteMinder agent (SMAgent).
    SMAdminId The administrative user ID that SiteMinder will use to access the SiteMinder policy server.
    SMAdminPw

    Password for SiteMinder administrative user (SMAdminId).

    SMUserDir SiteMinder User Directory object referencing the LDAP server used for Portal users and groups.
    SMFailover Failover mode of SiteMinder Policy Server. Must be set to true if more than one policy server is listed in the SMServers property.
    SMServers Comma-delimited list of servers for SiteMinder agent.

    If multiple servers are specified in the SMServers value:

    • The SMFailover value must be set to true

    • In wp_root/shared/app/config/services/ExternalAccessControlService.properties, you can specify the following values for each server manually (Tip: Make a backup copy before editing this file):

      ipaddress.accountingPort=44441

      ipaddress.authenticationPort=44442

      ipaddress.authorizationPort=44443

      ipaddress.connectionMax=30

      ipaddress.connectionMin=10

      ipaddress.connectionStep=5

      ipaddress.timeout=60

  12. Save the wpconfig.properties file.

  13. Open a command prompt and change to directory was_root/bin.

  14. Enter the following commands:

    1. startServer server1

    2. stopServer WebSphere_Portal

  15. Change to the directory wp_root/config.

  16. Enter the following command to run the appropriate configuration task for your specific operating system:

    • UNIX: ./WPSconfig.sh enable-sm-authorization -DSmAgentPw=password -DSmAdminPw=password

    • Windows: WPSconfig.bat enable-sm-authorization -DSmAgentPw=password -DSmAdminPw=password

    If the configuration task fails, validate the values in the wpconfig.properties file.

  17. Optional: Use the WebSphere Application Server encoding mechanism to mask the passwords in the ExternalAccessControlService.properties file. Back up the properties file, and then run following command. This command masks the sensitive fields and removes all comments from the file. The original version of the file with the password in the clear and all comments intact is preserved with a bak extension.

    • Windows: was_root\bin\PropFilePasswordEncoder.bat prop file property_name

    • UNIX: was_root/bin/PropFilePasswordEncoder.sh prop file property_name

    For example, on Windows:

    c> copy c:\Program Files\WebSphere\PortalServer\shared\app\config\services\ExternalAccessControlService.properties c:\Program Files\WebSphere\PortalServer\shared\app\config\services\ExternalAccessControlService.properties.original

    c> c:\Program Files\WebSphere\AppServer\bin\PropFilePasswordEncoder.bat c:\program Files\WebSphere\PortalServer\shared\app\config\services\ExternalAccessControlService.properties externalaccesscontrol.pdpw

  18. Restart WebSphere Portal. This populates the external security manager with the necessary topology items and contains a representation for the Administrator@VIRTUAL/EXTERNAL ACCESS CONTROL/1 role. The SiteMinder namespace will contain several subrealms in addition to the WebSphere Portal recognized role name.

  19. If users other than wpsadmin are allowed to externalize resources, add those users to the realm representing the Administrator of EXTERNAL_ACCESS_CONTROL.

  20. Proceed to the Resource Permissions portlet on the WebSphere Portal machine.

    1. Select a resource.

    2. Click the Assign Access icon.

    3. Click the Edit Role icon for a role that you want to externalize.

    4. Click Add to explicitly assign at least one user or group to the Administrator role for the resource.

    5. Optional: Explicitly assign additional roles. If you do not assign at least one user or group to each role type for the resource, use the external security manager interface to create this role type later.

    6. Click Done when you are finished, and then click OK to return to the page that displays the resource.

    7. Click the Externalize icon for the resource. This moves the roles that are defined for this resource in steps D and E to the SiteMinder Policy Domain. One policy is defined for each externalized role.

  21. Add users and groups to the SiteMinder policies corresponding to the appropriate roles.

  22. After configuring SiteMinder for external authorization in WebSphere Portal, any XMLAccess execution may be affected. If you wish to run XMLAccess, add the following property value change on the SiteMinderLoginModule custom property in the WebSphere Application Server administration console, by first selecting in order:

    1. Security

    2. JAAS Configuration

    3. Application Logins

    4. Portal_Login

    5. JAAS Login Modules

    6. com.ibm.wps.sso.SiteMinderLoginModule

    7. Custom properties
    Now that you are in Custom properties, if you wish to run XMLAccess add the isPassive value set to true. This property value change will allow requests that don't contain the SiteMinder authentication headers to login, but without a SiteMinder credential available to WebSphere Portal. Any resources controlled by SiteMinder will not be available. Normal requests through a valid SiteMinder WebAgent will still contain the necessary credentials. If this property value is not set, the SiteMinderLoginModule will fail in the absence of the SiteMinder authentication headers.

 

See also

 

WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.

 

IBM is a trademark of the IBM Corporation in the United States, other countries, or both.

 

Tivoli is a trademark of the IBM Corporation in the United States, other countries, or both.