Enable WebSphere Application Server global security

If you will not be using the WebSphere Portal configuration tasks to set up WebSphere Application Server global security, make sure that WebSphere Application Server security is set up as described in this topic. Only parameters that are required to have a certain value are discussed. Other settings can be set at your discretion.

Only use this procedure if the user registry configuration is an LDAP without realm support.

Do not use this procedure if you plan to use the Member Manager configuration (database and LDAP with realm support). Use the WebSphere Portal automated configuration tasks enable-security-wmmur-db and enable-security-wmmur-ldap to set up WebSphere Application Server security with the Member Manager user registry configuration. These tasks overwrite any settings in the WebSphere Application Server.

To verify that the WebSphere Application Server global security configuration will work with WebSphere Portal:

  1. From WebSphere Application Server Administrative Console, click...

    Security | Global security

  2. Verify the following items. Other parameters do not affect WebSphere Portal.

    • Global Security is enabled.

    • Java 2 Security is disabled.

    • The Active Authentication Mechanism is LTPA.

    • The Active User Registry is an LDAP.

  3. Click...

    Security | Global security | Authentication | Authentication mechanisms | LTPA | Single Sign On (SSO)

  4. Verify the following items:

    • SSO is enabled.

    • Requires SSL should not be checked unless the portal is being configured for SSL connections from clients.

    • The Domain Name field should be set to a subset of the host name of the HTTP server that front-ends the portal. This value is used as the domain name of the LtpaToken cookie. It is not the LDAP server host name.

  5. A correct configuration is required to allow WebSphere Application Server to talk to the directory. For details on setting this up, refer to the WebSphere Application Server security configuration documentation. In addition, if you are using an IBM Lotus Domino database for security, verify that the Web inbound security attribute propagation option is disabled, so that WebSphere Application Server generates LtpaToken and Lotus Domino SSO can be maintained. Note that unless you performed the WebSphere Application Server installation manually, the Portal installer program sets this token alone as the default. (LtpaToken2 is not supported by Lotus Domino.) Refer to the WebSphere Application Server Infocenter topic Implementing single sign-on to minimize Web user authentications for details about token types. Once the configuration is correct, do the following steps:

    1. Copy the Base Distinguished Name (DN) value to the LDAPSuffix property value in the wpconfig.properties file.

    2. Select Ignore Case.

    3. Enable SSL only if the connection from WebSphere Application Server to the directory is over SSL. See Setting up LDAP over SSL for more information.

    4. In the Additional Properties section, click Advanced LDAP user registry settings. The search filters and other settings must be set for the directory.

      • In the User Filter field, the attribute that appears before =%v is the attribute value that is used to log in to the portal. For example, if users log in to the portal by entering an e-mail address, and the e-mail address of the users is mapped to the LDAP user object attribute "emailaddress", then the attribute value should be emailaddress. This attribute value might or might not also be the first RDN attribute of the DNs.

        The LDAPUserPrefix value in the wpconfig.properties file should always be the first RDN attribute of the DNs. The following table explains how these values should be set.

        Login Attribute   First RDN Attribute of DNs   WebSphere Application Server User Filter Attribute   wpconfig.properties LDAPUserPrefix
        uid               uid                          uid                                                  uid
        emailaddress      uid                          emailaddress                                         uid

      • Contact the LDAP Administrator for the objectclass necessary for the User Filter and Group Filter. Use the objectclass names you receive for the User Filter value of the LDAPUserObjectClass property, and for the Group Filter field of the LDAPGroupObjectClass property in the wpconfig.properties file.

    5. Run the enable-security-ldap task. Go to LDAP user registry and select the appropriate LDAP server.

  6. If you use a custom user registry, follow these steps:

    1. Click...

      Security | Global Security | User registries | Custom

      Verify that Ignore Case is selected. Other parameters do not affect WebSphere Portal.
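The following script is an added example, not part of this topic or of the WebSphere tooling. It cross-checks the values steps 4 and 5 ask you to line up: the attribute before =%v and the objectclass in the WAS User Filter and Group Filter, the Base Distinguished Name and the SSO Domain Name against the matching wpconfig.properties properties and the first RDN attribute of a sample user DN. The settings, filters and DN are constructed samples, and check_config and the other helper names are assumptions of this example.

```python
import re
# Constructed sample values: WAS admin-console settings, then wpconfig.properties.
WAS_SETTINGS = {
    "user_filter": "(&(mail=%v)(objectclass=inetOrgPerson))",
    "group_filter": "(&(cn=%v)(objectclass=groupOfUniqueNames))",
    "base_dn": "dc=example,dc=com",
    "sso_domain": "example.com",  # LtpaToken cookie domain
    "http_server_host": "portal.example.com",
}
WPCONFIG_TEXT = """
LDAPSuffix=dc=example,dc=com
LDAPUserPrefix=uid
LDAPUserObjectClass=inetOrgPerson
LDAPGroupObjectClass=groupOfUniqueNames
"""
SAMPLE_USER_DN = "uid=jdoe,cn=users,dc=example,dc=com"

def parse_wpconfig(text):
    # key=value lines; a value may itself contain '=' (LDAPSuffix does).
    pairs = (line.split("=", 1) for line in text.splitlines()
             if "=" in line and not line.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def filter_parts(ldap_filter):
    # (attribute before '=%v', objectclass value) of a WAS search filter.
    login_attr = re.search(r"([\w-]+)=%v", ldap_filter).group(1)
    oc = re.search(r"objectclass=([\w-]+)", ldap_filter, re.IGNORECASE)
    return login_attr, (oc.group(1) if oc else "")

def first_rdn_attribute(dn):  # 'uid' for 'uid=jdoe,cn=users,dc=example,dc=com'
    return dn.split(",", 1)[0].split("=", 1)[0].strip()

def check_config(was, wpconfig_text, sample_dn):
    """Mismatches between WAS and wpconfig.properties ([] means consistent)."""
    props = parse_wpconfig(wpconfig_text)
    _, user_oc = filter_parts(was["user_filter"])
    _, group_oc = filter_parts(was["group_filter"])
    checks = [
        (props.get("LDAPUserPrefix") == first_rdn_attribute(sample_dn),
         "LDAPUserPrefix must equal the first RDN attribute of the DNs (not the login attribute)"),
        (props.get("LDAPSuffix") == was["base_dn"],
         "LDAPSuffix must equal the WAS Base Distinguished Name"),
        (props.get("LDAPUserObjectClass", "").lower() == user_oc.lower(),
         "LDAPUserObjectClass must match the objectclass in the User Filter"),
        (props.get("LDAPGroupObjectClass", "").lower() == group_oc.lower(),
         "LDAPGroupObjectClass must match the objectclass in the Group Filter"),
        (("." + was["http_server_host"]).endswith("." + was["sso_domain"]),
         "SSO Domain Name must be a suffix of the HTTP server host, not the LDAP host"),
    ]
    return [msg for ok, msg in checks if not ok]
```

With the sample values the check list is empty; setting LDAPUserPrefix to the login attribute (mail) instead of the DNs' first RDN (uid) reproduces the mismatch the table above warns against.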

Parent topic: Using WAS global security