Use eTrust SiteMinder with WebSphere Portal

 


 

 

Overview

We can use eTrust SiteMinder to perform authentication or to perform both authentication and authorization for the portal. Using eTrust SiteMinder to perform only authorization is not supported.

IBM recommends that you perform any configuration for an external security manager after you have completed all other setup tasks, including ensuring that the WebSphere Portal cluster is functional.

We can configure eTrust SiteMinder to perform authentication and authorization in either of two ways:

  1. Configure both authorization and authentication using enable-sm-all.

  2. Configure authentication and authorization manually, step by step.

 

Run enable-sm-all

  1. Install and configure...

    • WebSphere Portal
    • Database software
    • LDAP directory

  2. Install the Computer Associates Policy Server.

  3. Install the eTrust SiteMinder SDK on the same machine as WebSphere Portal.

    Ensure that the eTrust SiteMinder Software Development Kit smjavasdk2.jar is located in...

    WAS_HOME/lib

  4. Install the eTrust SiteMinder Trust Association Interceptor (TAI), following the instructions in the eTrust SiteMinder documentation.

  5. Create and specify the following eTrust SiteMinder Domain objects.

    • User Directory: LDAP server and suffix.

    • Authentication Scheme: Associate with the eTrust SiteMinder realms that WebSphere Portal creates.

      An eTrust SiteMinder realm is different from an LDAP realm or a basic authentication realm. Within the eTrust SiteMinder administrative console, a realm is an administrative object representing a protected URL root. An example is...

      /wps/myportal

      eTrust SiteMinder realms in combination with eTrust SiteMinder policies determine which users and groups are allowed to navigate to the protected URL root and its children URLs.

    • Agent: eTrust SiteMinder WebAgent that is configured to support 4.x agents or a custom eTrust SiteMinder agent. The agent must have a static shared secret to allow communication with the eTrust SiteMinder Policy Server.

  6. Now that eTrust SiteMinder components are ready, continue preparing the WebSphere Portal. Locate the portal_server_root/config/wpconfig.properties file on the WebSphere Portal machine and create a backup copy before changing any values.

  7. Use a text editor to open the portal_server_root/config/wpconfig.properties file. Read the note and then follow the instructions for entering the values appropriate for the environment.

    • Do not change any settings other than those specified in these steps. For instructions on working with these files, see Configuration properties reference, which contains a complete list of properties and their default values.

    • Use / instead of \ for all platforms.

    • Some values, shown in italics in the steps below, might need to be modified to the specific environment.

    • The Namespace management parameters cover both eTrust SiteMinder and Tivoli Access Manager.

    Edit the following values in the Advanced Security Configuration section of the wpconfig.properties file:

    Input: Description

    • EACserverName: (Optional) Namespace context information to further distinguish externalized portal role names from other role names in the namespace. If set, EACcellName and EACappName must also be set.

    • reorderRoles: Controls whether externalized Portal role names are displayed with the resource type first or with the role type first.

    • EACcellName: (Optional) Namespace context information to further distinguish externalized portal role names from other role names in the namespace. If set, EACserverName and EACappName must also be set.

    • EACappName: (Optional) Namespace context information to further distinguish externalized portal role names from other role names in the namespace. If set, EACcellName and EACserverName must also be set.

    • SMConfigFile: Location of the eTrust SiteMinder TAI WebAgent.conf file.

    • SMDomain: eTrust SiteMinder Domain containing all externalized portal resources.

    • SMScheme: eTrust SiteMinder Authentication scheme object name to use when creating realms.

    • SMAgent: Agent name that is created on eTrust SiteMinder for a specific portal external security manager instance. This agent must support eTrust SiteMinder custom or 4.x agents.

    • SMAgentPw: Password for eTrust SiteMinder custom or 4.x Web agent (SMAgent).

    • SMAdminId: Administrative user ID that eTrust SiteMinder will use to access the eTrust SiteMinder policy server.

    • SMAdminPw: Password for the eTrust SiteMinder administrative user (SMAdminId).

    • SMUserDir: eTrust SiteMinder User Directory object referencing the LDAP server used for Portal users and groups.

    • SMFailover: Failover mode of the eTrust SiteMinder Policy Server. Must be set to true if more than one policy server is listed in the SMServers property.

    • SMServers: Comma-delimited list of servers for the eTrust SiteMinder agent.

  8. Save the portal_server_root/config/wpconfig.properties file.

  9. In the following steps the use of eTrust SiteMinder does not apply to a z/OS environment.

  10. Open a command prompt and change to the following directory:

  11. Enter the following commands, noting that the z/OS commands do not apply when using eTrust SiteMinder:

    1. Enter the following command:

      • UNIX:

        ./startServer.sh server1

      • Windows:

        startServer.bat server1

      • i5/OS:

        startServer -profileName profile_root

        ...where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal is installed; for example, wp_profile.

      ...where server1 is the name of the WebSphere Application Server administrative server.

    2. Enter the following command:

      • UNIX:

        ./stopServer.sh WebSphere_Portal -user admin_userid -password admin_password

      • Windows:

        stopServer.bat WebSphere_Portal -user admin_userid -password admin_password

      • i5/OS:

        stopServer WebSphere_Portal -profileName profile_root -user admin_userid -password admin_password

        ...where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal is installed; for example, wp_profile.

  12. Change directory to portal_server_root/config.

  13. If you have stored the passwords in the wpconfig.properties file, enter the following command to run the appropriate configuration task for the specific operating system. If you choose not to store the passwords in the wpconfig.properties file, enter instead the command with passwords in the first note below. Entering this configuration task automatically updates the WebSphere Application Server and WebSphere Portal configurations with the property values you supply to enable eTrust SiteMinder ESM integration:

    If you do not wish to store the passwords in the wpconfig.properties file, you can supply any password property on the command line. For example:

    If the configuration task fails, validate the values in the wpconfig.properties file.

  14. Go to the step that verifies that eTrust SiteMinder is working properly.

  15. After eTrust SiteMinder is configured for external authorization and authentication in WebSphere Portal, you may wish to use the XML Configuration Interface (xmlaccess). By default, the XML configuration interface cannot access the portal through eTrust SiteMinder.

    To allow the XML configuration interface to access the portal through eTrust SiteMinder, use eTrust SiteMinder to define the configuration URL (/wps/config) as unprotected.

    After the configuration URL is defined as unprotected, only WebSphere Portal enforces access control to this URL. Other portal resources, such as the URL...

    /wps/myportal

    ...are still protected by eTrust SiteMinder.

    Follow the procedure to allow for xmlaccess execution.
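A pre-flight check for the values edited in step 7, run before the configuration task in step 13. This is an added example, not IBM or CA code: it checks only the constraints stated on this page (the EAC properties set together, SMFailover versus SMServers, / instead of \, passwords left in the file). The function names, host names and sample values are constructed for illustration.

```python
# Property names are the ones listed in the Advanced Security Configuration
# section above; function names and sample values are assumptions.
EAC_TRIO = ("EACserverName", "EACcellName", "EACappName")
PASSWORDS = ("SMAgentPw", "SMAdminPw")

def parse_properties(text):
    """Parse simple key=value lines; lines starting with '#' or '!' are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_sm_properties(props):
    """Return findings for the SiteMinder properties, in a fixed order."""
    findings = []
    # The three EAC namespace properties are optional, but all-or-nothing.
    eac_set = [k for k in EAC_TRIO if props.get(k)]
    if eac_set and len(eac_set) != len(EAC_TRIO):
        missing = [k for k in EAC_TRIO if k not in eac_set]
        findings.append("EAC: %s set but %s empty" % (",".join(eac_set), ",".join(missing)))
    # More than one policy server requires SMFailover=true.
    servers = [s.strip() for s in props.get("SMServers", "").split(",") if s.strip()]
    if len(servers) > 1 and props.get("SMFailover", "").lower() != "true":
        findings.append("SMFailover must be true: %d policy servers listed" % len(servers))
    # Paths use / on every platform.
    if "\\" in props.get("SMConfigFile", ""):
        findings.append("SMConfigFile: use / instead of \\")
    # Passwords left in the file can be supplied on the command line instead.
    for key in PASSWORDS:
        if props.get(key):
            findings.append("password stored in file: " + key)
    return findings

# Constructed sample input, not taken from a real installation.
SAMPLE = """\
EACserverName=WebSphere_Portal
EACappName=wps
SMConfigFile=C:\\smtai\\WebAgent.conf
SMAgentPw=example-only
SMFailover=false
SMServers=ps1.example.test,ps2.example.test
"""

if __name__ == "__main__":
    for finding in check_sm_properties(parse_properties(SAMPLE)):
        print(finding)
```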

 
