Configure eTrust SiteMinder to perform authorization for WebSphere Portal

We can configure Computer Associates eTrust SiteMinder to perform authorization independently from configuring it to perform authentication. However, if you use eTrust SiteMinder to perform authorization for the portal, you should also use it to perform authentication for the portal. Using eTrust SiteMinder to perform only authorization is not supported at this time.

Complete the following steps to configure eTrust SiteMinder to perform authorization for IBM WebSphere Portal:

  1. Install and configure WebSphere Portal, the database software, and the LDAP directory.

  2. Install the eTrust SiteMinder Policy Server feature.

  3. You must install the eTrust SiteMinder Software Development Kit on the same machine as WebSphere Portal. Refer to the eTrust SiteMinder documentation for more information.

  4. Install the eTrust SiteMinder Trust Association Interceptor (TAI), following the instructions in the eTrust SiteMinder documentation.

  5. Ensure that the eTrust SiteMinder Software Development Kit file smjavasdk2.jar is in the eTrust SiteMinder lib directory. If the jar file is missing from that directory, the SDK will not install and the configuration task will not complete; copy smjavasdk2.jar into the directory before continuing. The default eTrust SiteMinder library directory is: C:\WebSphere\AppServer\lib.

  6. Create and specify the following eTrust SiteMinder Domain objects. Refer to the eTrust SiteMinder Policy Design documentation for information about how to create these objects.

    • User Directory: the LDAP server and suffix

    • Authentication Scheme: to associate with the eTrust SiteMinder realms that eTrust SiteMinder creates

      An eTrust SiteMinder realm is different from an LDAP realm or a basic authentication realm. Within the eTrust SiteMinder administration console, a realm is an administrative object representing a protected URL root. An example is /wps/myportal. eTrust SiteMinder realms in combination with eTrust SiteMinder policies determine which users and groups are allowed to navigate to the protected URL root and its children URLs.

    • Agent: an eTrust SiteMinder WebAgent that is configured to support 4.x agents or a custom eTrust SiteMinder agent. The agent must have a static shared secret to allow communication with the eTrust SiteMinder Policy Server. See the step below for instructions on creating a custom eTrust SiteMinder agent.

  7. Optional: In eTrust SiteMinder version 5.5 and higher, the configuration for eTrust SiteMinder Web Agents, including shared secrets, is centrally administered and can be dynamic. You may create a new custom agent to ensure a static shared secret. Follow these steps to create a custom agent in eTrust SiteMinder:

    1. Open the eTrust SiteMinder Administration console.

    2. Select Agent Types from the View > Agent Types menu.

    3. Right-click Agent Types, and select Create Agent Type from the pop-up menu.

    4. Enter a Name and an Action for the new agent type. Other fields are optional.

    5. Click OK.

    6. Select Agents from the View > Agents menu.

    7. Right-click Agent, and select Create Agent to create an agent object of the new agent type.

    8. Note the name, action, and shared secret for this agent. You will use these values in the following step.

  8. Optional: Ensure that users are no longer created through WebSphere Portal. If you use eTrust SiteMinder, you probably have a user provisioning process for creating and updating users and groups and administering group membership. You will probably want to continue using that user provisioning process instead of managing the directory through WebSphere Portal. WebSphere Portal creates entries in the directory in two ways:

    • Administrators can create entries with the Manage Users and Groups portlet

    • Users can create entries with the self-registration screen

    In WebSphere Portal, the ability to create new users through the Manage Users and Groups portlet is governed by WebSphere Portal access control.

  9. Locate the portal_server_root/config/wpconfig.properties file on the WebSphere Portal machine and create a backup copy before changing any values.

  10. Edit the portal_server_root/config/wpconfig.properties file and enter the values appropriate for the environment.

  11. Edit the following values in the Advanced Security Configuration section of the wpconfig.properties file:

    Input and description:

    EACserverName
      (Optional) Namespace context information to further distinguish externalized portal role names from other role names in the IBM Tivoli Access Manager for e-business namespace. If set, EACcellName and EACappName must also be set.

    reorderRoles
      Determines whether the externalized portal role names are displayed with the resource type first or with the role type first.

    EACcellName
      (Optional) Namespace context information to further distinguish externalized portal role names from other role names in the Tivoli Access Manager namespace. If set, EACserverName and EACappName must also be set.

    EACappName
      (Optional) Namespace context information to further distinguish externalized portal role names from other role names in the Tivoli Access Manager namespace. If set, EACcellName and EACserverName must also be set.

    SMDomain
      eTrust SiteMinder Domain containing all externalized portal resources.

    SMScheme
      eTrust SiteMinder Authentication Scheme object name to use when creating realms.

    SMAgent
      Agent name that is created on eTrust SiteMinder for a specific portal external security manager instance. This agent must support eTrust SiteMinder custom or 4.x Web agents.

    SMAgentPw
      Password for the eTrust SiteMinder custom or 4.x Web agent (SMAgent).

    SMAdminId
      Administrative user ID that eTrust SiteMinder will use to access the eTrust SiteMinder Policy Server.

    SMAdminPw
      Password for the eTrust SiteMinder administrative user (SMAdminId).

    SMUserDir
      eTrust SiteMinder User Directory object referencing the LDAP server used for portal users and groups.

    SMFailover
      Failover mode of the eTrust SiteMinder Policy Server. Must be set to true if more than one policy server is listed in the SMServers property.

    SMServers
      Comma-delimited list of servers for the eTrust SiteMinder agent. If multiple servers are specified in the SMServers value:

      • The SMFailover value must be set to true

      • In WP External Access Control Service, we can specify the following values for each server, as described in Setting configuration properties:

        • ipaddress.accountingPort=44441

        • ipaddress.authenticationPort=44442

        • ipaddress.authorizationPort=44443

        • ipaddress.connectionMax=30

        • ipaddress.connectionMin=10

        • ipaddress.connectionStep=5

        • ipaddress.timeout=60

  12. Save the wpconfig.properties file.

  13. Open a command prompt and change to the /bin directory in the path for the operating system, as detailed in this file.

  14. Enter the commands to first start the WebSphere Application Server server (server1), and then stop the WebSphere Portal server. Refer to this file for the details.

  15. Change to the directory portal_server_root/config.

  16. Enter the following command to run the appropriate configuration task for the specific operating system:

    ...where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal is installed; for example, wp_profile.

    If the configuration task fails, validate the values in the wpconfig.properties file.

  17. Optional: Use the WebSphere Application Server encoding mechanism to mask the passwords in WP External Access Control Service. Refer to the detailed instructions in Password masking in External Security Manager property files for masking passwords, changing masked passwords, or running commands with explicit password properties.

  18. Restart WebSphere Portal to verify that the setup steps completed at this point are working correctly. This populates the external security manager with the necessary topology items and contains a representation for the Administrator@VIRTUAL/EXTERNAL ACCESS CONTROL/1 role. The eTrust SiteMinder namespace will contain several subrealms in addition to the WebSphere Portal recognized role name.

  19. If users other than wpsadmin are allowed to externalize resources, add those users to the realm representing the Administrator of EXTERNAL_ACCESS_CONTROL.

  20. Proceed to the Resource Permissions portlet on the WebSphere Portal machine.

    1. Select a resource type.

    2. Click the Assign Access icon for the specific resource.

    3. Click the Edit Role icon for a role that you want to externalize.

    4. Click Add to explicitly assign at least one user or group to the chosen role for the resource.

    5. Select the specific users or user groups by clicking Search for Users or User Groups, or by using the pull-down for the Search by option, where the default is set to All available. Click OK.

    6. An informational message box should display the message that members were successfully added to the role.

    7. Optional: Explicitly assign additional roles. If you do not assign at least one user or group to each role type for the resource, use the external security manager interface to create this role type later. For example, if you do not assign any users or groups to the Editor role type for the resource, then use the external security manager interface to create the Editor role type later.

    8. Click the Externalize icon for the resource. These steps move every role that is defined for each resource you assigned to the eTrust SiteMinder Policy Domain. One policy is defined for each externalized role.

  21. Add users and groups to the eTrust SiteMinder policies corresponding to the appropriate roles.

  22. After configuring eTrust SiteMinder for external authorization in WebSphere Portal, any XML Configuration Interface (xmlaccess) execution may be affected. If you wish to run xmlaccess, add the following custom property to the SiteMinderLoginModule in the WebSphere Application Server administration console. Select, in order: Security > JAAS Configuration > Application Logins > Portal_Login > JAAS Login Modules > com.ibm.wps.sso.SiteMinderLoginModule > Custom properties.

    In Custom properties, add the isPassive property with the value true. This setting allows requests that do not contain the eTrust SiteMinder authentication headers to log in, but without an eTrust SiteMinder credential being available to WebSphere Portal; any resources controlled by eTrust SiteMinder will not be available to such requests. Normal requests through a valid eTrust SiteMinder WebAgent will still carry the necessary credentials. If this property is not set, the SiteMinderLoginModule will fail in the absence of the eTrust SiteMinder authentication headers.
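Step 16 says to validate the values in wpconfig.properties if the configuration task fails. The following script, added here as an example and not part of WebSphere Portal or eTrust SiteMinder, checks the consistency rules stated in the Advanced Security Configuration table of step 11: every SM* property the task needs is present, SMFailover is true whenever SMServers lists more than one Policy Server, the three EAC namespace properties are set together or not at all, and any per-server entries in the WP External Access Control Service file refer to a listed server and carry valid numeric values. The sample property contents, host addresses and passwords are constructed placeholders; the function names are this example's own.

```python
"""Consistency checks for the eTrust SiteMinder properties in wpconfig.properties.

Added example: the property names come from the Advanced Security
Configuration table; the sample file contents, the helper names and the
checks themselves are constructed for illustration and are not product code.
"""
import re

# Properties the configuration task needs for eTrust SiteMinder authorization.
REQUIRED_SM_PROPS = (
    "SMDomain", "SMScheme", "SMAgent", "SMAgentPw",
    "SMAdminId", "SMAdminPw", "SMUserDir", "SMServers",
)
# Optional namespace-context properties that must be set together or not at all.
EAC_CONTEXT_PROPS = ("EACserverName", "EACcellName", "EACappName")
# Per-server keys that may appear in the WP External Access Control Service file.
PER_SERVER_KEYS = (
    "accountingPort", "authenticationPort", "authorizationPort",
    "connectionMax", "connectionMin", "connectionStep", "timeout",
)
PORT_KEYS = ("accountingPort", "authenticationPort", "authorizationPort")


def parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_siteminder_config(wpconfig_text, eac_service_text=""):
    """Return a list of problems found; an empty list means the values are consistent."""
    props = parse_properties(wpconfig_text)
    problems = []

    for name in REQUIRED_SM_PROPS:
        if not props.get(name):
            problems.append(f"{name} is not set")

    servers = [s.strip() for s in props.get("SMServers", "").split(",") if s.strip()]
    # More than one Policy Server requires failover mode.
    if len(servers) > 1 and props.get("SMFailover", "").lower() != "true":
        problems.append("SMFailover must be true when SMServers lists more than one server")

    # EACserverName, EACcellName and EACappName are all-or-nothing.
    set_ctx = [n for n in EAC_CONTEXT_PROPS if props.get(n)]
    if set_ctx and len(set_ctx) != len(EAC_CONTEXT_PROPS):
        missing = [n for n in EAC_CONTEXT_PROPS if n not in set_ctx]
        problems.append("if any of EACserverName/EACcellName/EACappName is set, "
                        "all must be; missing " + ", ".join(missing))

    # Per-server settings in the External Access Control Service file must refer
    # to a server listed in SMServers and carry integer values (ports in range).
    eac = parse_properties(eac_service_text)
    for key, value in eac.items():
        host, sep, setting = key.rpartition(".")
        if not sep or setting not in PER_SERVER_KEYS:
            continue
        if host not in servers:
            problems.append(f"{key} refers to a server not listed in SMServers")
        if not value.isdigit():
            problems.append(f"{key} must be an integer, got {value!r}")
        elif setting in PORT_KEYS and not 1 <= int(value) <= 65535:
            problems.append(f"{key} is not a valid TCP port")
    return problems


# Constructed sample of the Advanced Security Configuration section (placeholder values).
SAMPLE_WPCONFIG = """\
# Advanced Security Configuration (constructed sample values)
SMDomain=PortalDomain
SMScheme=BasicScheme
SMAgent=wpsagent
SMAgentPw=ReplaceWithAgentSecret
SMAdminId=siteminder
SMAdminPw=ReplaceWithAdminPassword
SMUserDir=PortalLDAP
SMFailover=true
SMServers=192.0.2.10,192.0.2.11
"""

# Constructed sample of per-server values for the WP External Access Control Service.
SAMPLE_EAC_SERVICE = """\
192.0.2.10.accountingPort=44441
192.0.2.10.authenticationPort=44442
192.0.2.10.authorizationPort=44443
192.0.2.10.connectionMax=30
192.0.2.10.connectionMin=10
192.0.2.10.connectionStep=5
192.0.2.10.timeout=60
"""

if __name__ == "__main__":
    for issue in check_siteminder_config(SAMPLE_WPCONFIG, SAMPLE_EAC_SERVICE) or ["no problems found"]:
        print(issue)
```

Run it against the real wpconfig.properties (and the External Access Control Service properties file, if per-server values were added) before re-running the configuration task; each reported problem maps to one of the rules in the table above.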

Parent topic:

Use eTrust SiteMinder with WebSphere Portal