
Manage anonymous access for a FileNet deployment

IBM Connections requires anonymous access to be enabled in FileNet for public communities unless external users are part of a community, in which case anonymous access needs to be disabled.

Configuring an anonymous user is required if you want users to access Connections Content Manager without authenticating. The installation process prompts for an anonymous user, and if you entered an anonymous user account during the installation, anonymous access will already be configured. These steps may be used to enable or disable anonymous access after the installation. In some cases, such as when desktop single sign-on is enabled, or when roles in the communities application have been restricted to limit access to authenticated users, setting up anonymous access for FileNet is optional. Refer to Roles for information on restricting access to anonymous users in communities.

To allow external users to participate in Connections communities, anonymous access needs to be disabled for Connections Content Manager.




Enable anonymous access for a FileNet deployment

IBM FileNet Collaboration Services implements anonymous access with a designated user used only for this purpose. The user should be a system-type user that is not used by a real person. The user ID does not need, and should not have, any particular privileges on the object store beyond what is given by the installation guide. This user's access control records will determine what level of access is given to anonymous users. Consequently, choose a functional ID that is reserved for this purpose and that does not have special access.

The display name of the user used in this role might appear in some supplemental user interfaces, so choose a user account or functional ID with a display name that matches the purpose of this account, for instance, Anonymous User. Do not choose the administrative account ID. Follow these steps to enable anonymous access:

  1. Log in to the WAS console hosting the FileNet server with the FNCS application.

  2. Enable use of authentication data on unprotected URLs:

    Navigate to...

      Security | Global Security | Web security | General Settings

    ...and select both of the following...

    • Authenticate only when the URI is protected
    • Use available authentication data when an unprotected URI is accessed

  3. Modify security role mapping for the FNCS application:

      Applications | WebSphere Enterprise Applications | fncs | Security role to user/group mapping | Authenticated option | Map Special Subjects | Everyone | OK

  • Install the authentication filter code:

    1. Still in the WebSphere Administration console, navigate to...

        WebSphere Enterprise Applications | FileNet Collaboration Services | Update

    2. For Application update options, select the Replace, add, or delete multiple files option.

    3. Select local file system if running the browser on the dmgr node and then locate the auth_filter_patch.zip file in the <connections_install_root>/ccm/ccm/ccm/auth_filter_patch/auth_filter_patch.zip directory. If the browser is not running on the dmgr node, then select remote file system, and choose the dmgr file system, locating the auth_filter_patch.zip file in the directory previously stated.

    4. Click Next and OK to update the application.

  • Click Applications > WebSphere enterprise applications > fncs > User RunAs roles.

  • Select the Anonymous role and enter the username and password of the LDAP user designated for the anonymous access role.

  • Click Apply and then click OK to save.

  • Click Save.

  • Resynchronize nodes with the master configuration; refer to Synchronize nodes.

  • Open the Administration Console for Content Platform Engine (ACCE) and expand the Object Stores node on the side navigation tree.

  • Right-click ICObjectStore, the object to configure, and then click Open.

  • Select Search, click New Object Store Search, select Collaboration Configuration in the Class menu, and then click Run.

  • From the Select Columns list, select the asterisk (*). Use the move button to place (*) into the Selected pane, and then click Search. A single result object displays after clicking OK for any popup warnings.

  • Click the object and then click Properties.

  • On the Properties tab, click the Property Value cell for Download Count Anonymous User Ids, which displays a dropdown menu.

  • Select Edit list, add the user into the list, and then select it from the dropdown menu. The user should be the same user you provided for the User RunAs roles in the WAS console in step 2; however, the SID of the user must be provided instead of the username. To understand how SID values are created, refer to Generate SID values.

  • Click OK.


    Disable anonymous access

    There are situations where you need to disable anonymous access. For example, to allow external users to participate in Connections communities, anonymous access must be disabled for all of Connections, including Connections Content Manager. You may also disable anonymous access to force users to log in before accessing content.

    1. Modify security role mapping for the FNCS application:

    2. Continuing in the WebSphere Administration console, select...

        Applications | WebSphere Enterprise Applications | fncs | Security role to user/group mapping | Authenticated | Map Special Subjects and All Authenticated in Application's Realm | OK

    3. Click...

        Applications | WebSphere Enterprise Applications | fncs | User RunAs roles | Anonymous role | Remove | OK

    4. Click Save.

    5. Resynchronize nodes with the master configuration.

    6. Open the Administration Console for Content Platform Engine (ACCE) and expand the Object Stores node on the side navigation tree.

    7. Right-click ICObjectStore, the object to configure, and then click Open.

    8. Select Search, click New Object Store Search, select Collaboration Configuration in the Class menu, and then click Run.

    9. Click the object and then click Properties.

    10. On the Properties tab, click the Property Value cell for Download Count Anonymous User Ids, which displays a dropdown menu.

    11. Select Edit list to remove the user from the list. The user to be removed should be the same user you previously provided for the User RunAs roles in the WAS console in step 2; however, the SID of the user must be provided instead of the username.

      • To confirm you are removing the correct value, and to understand how SID values are created, refer to Generate SID values.

      • To remove the user, select the appropriate user from the list and click Remove. Click OK to confirm, click OK again to close the edit dialog, and then click Save to preserve the changes.
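
A check for the state these two procedures leave behind, as an added example that is not part of the original documentation: it parses a text dump of the fncs role mappings and flags a half-applied change or an administrative account in the Anonymous RunAs role. The dump format (modeled on wsadmin `AdminApp.view` task output), the user `ccm_anonymous` and the admin ID `wasadmin` are assumptions constructed for illustration.

```python
import re

# Constructed sample; field labels modeled on AdminApp.view task output are an
# assumption and differ between WAS versions. "ccm_anonymous" is hypothetical.
SAMPLE_ENABLED = """\
MapRolesToUsers: Map security roles to users or groups
Role:  Authenticated
Everyone?:  Yes
All authenticated?:  No
MapRunAsRolesToUsers: Map RunAs roles to users
Role:  Anonymous
User name:  ccm_anonymous
"""
# Same dump after a partial disable: role remapped, RunAs credential left behind.
SAMPLE_STALE = SAMPLE_ENABLED.replace("Everyone?:  Yes", "Everyone?:  No")

def parse_tasks(text):
    """Return {task: {role: {field: value}}} from the key/value dump."""
    tasks, task, role = {}, None, None
    for line in text.splitlines():
        header = re.match(r"(Map\w+):", line)
        if header:
            task, role = tasks.setdefault(header.group(1), {}), None
            continue
        key, sep, value = line.partition(":")
        if not sep or task is None:
            continue
        if key.strip() == "Role":
            role = task.setdefault(value.strip(), {})
        elif role is not None:
            role[key.strip()] = value.strip()
    return tasks

def audit(text, admin_ids=("wasadmin",)):
    """Classify the anonymous-access state and list findings."""
    tasks = parse_tasks(text)
    auth = tasks.get("MapRolesToUsers", {}).get("Authenticated", {})
    anon = tasks.get("MapRunAsRolesToUsers", {}).get("Anonymous", {})
    everyone, run_as = auth.get("Everyone?") == "Yes", anon.get("User name", "")
    findings = []
    if everyone and not run_as:
        findings.append("Everyone is mapped but no Anonymous RunAs user is set")
    if run_as and not everyone:
        findings.append("Anonymous RunAs credential left behind after disable")
    if run_as.lower() in [a.lower() for a in admin_ids]:
        findings.append("Anonymous RunAs user is an administrative account")
    if everyone and run_as:
        return "enabled", findings
    return ("inconsistent" if everyone or run_as else "disabled"), findings
```

The Download Count Anonymous User Ids property in ACCE is not covered by this check and still has to be confirmed in the object store.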