Enable IBMid

After installing the WebSphere Commerce development environment, you can optionally enable IBMid credentials as single sign-on for web-based tools such as the Management Center. Enabling IBMid for the WebSphere Commerce development environment also enables global and application security.


Before beginning

  1. Update...

      C:\Windows\System32\drivers\etc\hosts

    ...to map ibmid to localhost. The default Windows hosts file ships with the loopback line commented out; remove the leading # so that the mapping is active:

        # localhost name resolution is handled within DNS itself.
        127.0.0.1 localhost ibmid

  2. Install OpenSSL for Windows. You can download it from the official OpenSSL website or install it through Cygwin.


Procedure

  1. Set up and run the enablement script.

    • Setting up the enablement script includes updating the OIDC.properties file to contain environment-specific properties, including those which enable global and application security.

    • The enablement script (enableOIDC.bat) reads these environment-specific properties when it runs.

    1. Edit...

    2. Update the file to match the environment using the following template:

          #-----------------------------------------------------------------------
          # App security section, currently used for the Authoring server only
          #------------------------------------------------------------------------
          # Admin user ID needed to enable global security.
          oidc.primaryAdminId=
          
          # RunAs ID needed to enable application security.
          oidc.securityID=
          
          # Passwords for the two IDs above.
          oidc.primaryAdminPwd=
          oidc.securityPwd=
          
          #---------------------------------------------------------------------
          # set oidcCustom.properties
          #----------------------------------------------------------------------
          # Update this section after you register the IBMid SSO.
          # sample value clientID=YmNlND1yN1WtMzg4YiOO
          clientID=
          
          # sample value clientSecret=zmU4MTdj0DgtZDJmYyoo
          clientSecret=
          
          # Your registered machine's full host name.
          # In this example, it is set to the host name mapped in the Before beginning step.
          # That is, the value of RPHost matches the host name that is mapped to localhost.
          RPHost=ibmid
          

      Note: If you do not have a client ID or client secret, contact IBM Support.

    3. Save changes and close the file.

    4. Run the enablement script:

    5. Ensure that the enablement script completed successfully by reviewing the log file...

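The following script is an added example, not part of the IBM documentation or the enablement script itself. It checks an edited OIDC.properties against the hosts file before enableOIDC.bat is run: every key in the template must be filled in, and RPHost must have an active (not commented-out) loopback entry in hosts. The property names are those of the template above; the sample file contents and placeholder values are constructed.

```python
"""Added example, not from the IBM documentation: checks an edited
OIDC.properties against the hosts file before enableOIDC.bat is run.
Property names come from the template above; the sample file contents
and values below are constructed for illustration."""

# Keys in the template that must be filled in before the script runs.
REQUIRED_KEYS = (
    "oidc.primaryAdminId", "oidc.securityID",
    "oidc.primaryAdminPwd", "oidc.securityPwd",
    "clientID", "clientSecret", "RPHost",
)


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines; '#' lines are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def loopback_names(hosts_text):
    """Names the hosts file actively maps to a loopback address.
    Anything after '#' is a comment, so a commented-out line maps nothing."""
    names = set()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *aliases = line.split()
        if addr in ("127.0.0.1", "::1"):
            names.update(aliases)
    return names


def check_oidc_config(props_text, hosts_text):
    """Return a list of problems; an empty list means the config is consistent."""
    props = parse_properties(props_text)
    problems = [f"{k} is empty" for k in REQUIRED_KEYS if not props.get(k)]
    rphost = props.get("RPHost")
    if rphost and rphost not in loopback_names(hosts_text):
        problems.append(f"RPHost={rphost} has no active loopback entry in hosts")
    return problems


# Constructed sample inputs (placeholders, not real credentials).
SAMPLE_PROPERTIES = """\
oidc.primaryAdminId=wasadmin
oidc.securityID=wcsrunas
oidc.primaryAdminPwd=placeholder-admin-pw
oidc.securityPwd=placeholder-runas-pw
clientID=placeholder-client-id
clientSecret=placeholder-client-secret
RPHost=ibmid
"""

# Windows ships the loopback line commented out; appending 'ibmid' to it
# does nothing until the '#' is removed.
HOSTS_STILL_COMMENTED = "# 127.0.0.1 localhost ibmid\n"
HOSTS_ACTIVE = "127.0.0.1 localhost ibmid\n"

if __name__ == "__main__":
    for label, hosts in (("commented", HOSTS_STILL_COMMENTED), ("active", HOSTS_ACTIVE)):
        print(label, check_oidc_config(SAMPLE_PROPERTIES, hosts) or "OK")
```

Run it against the real files by reading OIDC.properties and the hosts file into strings and passing them to check_oidc_config; a non-empty result means the enablement script would be run with an incomplete configuration or an RPHost that does not resolve to the local machine.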
  2. Download and add the certificates to the trusted store.

    1. Download and extract the following file, which contains several OpenSSL certificates:

    2. In the WebSphere Commerce development environment, right-click WebSphere Commerce Test server and open the WebSphere Application Server administrative console.

    3. Go to Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates.

    4. Delete the existing prepiamkey and idaaskey certificates, if they exist.

    5. Go to Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates > Add.

    6. Add the downloaded certificates:

      Alias         File name
      prepiamkey    prepiam.toronto.ca.ibm.com.pem
      idaaskey      idaas.iam.ibm.com.pem
      symanteckey   symantec.pem
      verisignkey   verisign-root-ca.pem

    7. Click Apply and OK.

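Before adding a signer to NodeDefaultTrustStore it is worth recording its fingerprint and comparing it with a value obtained out of band, so that a tampered or mis-downloaded PEM is not trusted. The following script is an added example, not part of the IBM documentation: it extracts the DER encoding from each PEM file and prints a SHA-256 fingerprint keyed by the alias from the table above. The alias-to-file mapping is the table's; the PEM embedded below is a constructed stand-in, not a real certificate.

```python
"""Added example, not from the IBM documentation: computes the SHA-256
fingerprint of each PEM signer certificate before it is added to
NodeDefaultTrustStore, so the value can be compared with one obtained
out of band. Aliases and file names are those in the table above; the
PEM below is a constructed stand-in, not a real certificate."""
import base64
import hashlib
import re

# Alias -> file name, as in the table above.
SIGNERS = {
    "prepiamkey": "prepiam.toronto.ca.ibm.com.pem",
    "idaaskey": "idaas.iam.ibm.com.pem",
    "symanteckey": "symantec.pem",
    "verisignkey": "verisign-root-ca.pem",
}

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Extract the first CERTIFICATE block and base64-decode it to DER bytes."""
    match = _PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def fingerprint_sha256(pem_text):
    """Colon-separated uppercase hex SHA-256 over the DER encoding,
    the same form that keytool prints."""
    digest = hashlib.sha256(pem_to_der(pem_text)).digest()
    return ":".join(f"{b:02X}" for b in digest)


def fingerprint_report(pem_by_alias):
    """Map each alias to its fingerprint; unknown aliases are rejected so a
    typo cannot put a certificate under the wrong trust-store alias."""
    report = {}
    for alias, pem_text in pem_by_alias.items():
        if alias not in SIGNERS:
            raise KeyError(f"unexpected alias {alias!r}")
        report[alias] = fingerprint_sha256(pem_text)
    return report


# Constructed stand-in: base64 of the bytes b"abc", not a real certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "YWJj\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for alias, fp in fingerprint_report({"idaaskey": SAMPLE_PEM}).items():
        print(f"{alias:12} {SIGNERS[alias]:32} {fp}")
```

To use it on the downloaded files, read each file named in SIGNERS into a string and pass a dictionary of alias to file contents to fingerprint_report; the printed values can then be checked against the ones shown in the administrative console after the import.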
  3. Update the application security role for the WAS Application Security user.

    1. Edit: workspace_dir\WC\META-INF\ibm-application-bnd.xml

    2. Add the <user> subelement to the WCSecurityRole element, specifying the WebSphere Application Server Application Security user. For example:

        <security-role name="WCSecurityRole">
           <user name="uid=configadmin,o=defaultWIMFileBasedRealm" />
           <special-subject type="SERVER" />
        </security-role>
        

    3. Add the following element at the same level as the WCSecurityRole element:

        <security-role name="All">
           <special-subject type="ALL_AUTHENTICATED_IN_TRUSTED_REALMS" />
        </security-role>
        

    4. Save your changes and close the file. As a result, your updated ibm-application-bnd.xml file might resemble the following snippet:

        <?xml version="1.0" encoding="UTF-8"?>
        <application-bnd
           xmlns="http://websphere.ibm.com/xml/ns/javaee"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_0.xsd"
           version="1.0">
        
           <security-role name="WCSecurityRole">
              <user name="uid=configadmin,o=defaultWIMFileBasedRealm" />
              <special-subject type="SERVER" />
           </security-role>
           
           <security-role name="All">
              <special-subject type="ALL_AUTHENTICATED_IN_TRUSTED_REALMS" />
           </security-role>
           
        </application-bnd>
        

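A mistake in this file only shows up after the restart in step 5, so it is useful to check it first. The following script is an added example, not part of the IBM documentation: it parses ibm-application-bnd.xml and reports whether the WCSecurityRole binding names a user and the SERVER special subject, and whether the All role grants ALL_AUTHENTICATED_IN_TRUSTED_REALMS. The element names and namespace are those of the file shown above; the "before" document used as sample input is constructed.

```python
"""Added example, not from the IBM documentation: verifies that an edited
ibm-application-bnd.xml carries the two role bindings described above
before the server is restarted. Element and attribute names are those of
the file shown above; the 'before' sample document is constructed."""
import xml.etree.ElementTree as ET

# Default namespace used by ibm-application-bnd.xml.
NS = {"b": "http://websphere.ibm.com/xml/ns/javaee"}


def _subject_types(role):
    """Set of special-subject types declared under a security-role."""
    return {s.get("type") for s in role.findall("b:special-subject", NS)}


def check_binding(xml_text):
    """Return a list of problems; an empty list means both bindings are present."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    roles = {r.get("name"): r for r in root.findall("b:security-role", NS)}
    problems = []

    wc = roles.get("WCSecurityRole")
    if wc is None:
        problems.append("WCSecurityRole binding is missing")
    else:
        users = [u.get("name", "") for u in wc.findall("b:user", NS)]
        if not any(users):
            problems.append("WCSecurityRole has no <user> for the application security user")
        if "SERVER" not in _subject_types(wc):
            problems.append('WCSecurityRole lacks <special-subject type="SERVER"/>')

    all_role = roles.get("All")
    if all_role is None:
        problems.append("security-role 'All' is missing")
    elif "ALL_AUTHENTICATED_IN_TRUSTED_REALMS" not in _subject_types(all_role):
        problems.append("role 'All' lacks ALL_AUTHENTICATED_IN_TRUSTED_REALMS")
    return problems


_HEADER = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<application-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee" version="1.0">\n'
)

# Constructed 'before' document: the role exists but has no user and no All role.
BEFORE = _HEADER + """\
   <security-role name="WCSecurityRole">
      <special-subject type="SERVER" />
   </security-role>
</application-bnd>
"""

# The bindings as shown in the snippet above.
AFTER = _HEADER + """\
   <security-role name="WCSecurityRole">
      <user name="uid=configadmin,o=defaultWIMFileBasedRealm" />
      <special-subject type="SERVER" />
   </security-role>
   <security-role name="All">
      <special-subject type="ALL_AUTHENTICATED_IN_TRUSTED_REALMS" />
   </security-role>
</application-bnd>
"""

if __name__ == "__main__":
    print("before:", check_binding(BEFORE))
    print("after: ", check_binding(AFTER) or "OK")
```

To check the real file, read workspace_dir\WC\META-INF\ibm-application-bnd.xml into a string and pass it to check_binding; an empty list is the expected result after step 4.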
  4. Disable session integration.

    With IBMid enabled, you might see an error in the logs in which an anonymous user tries to authenticate as the current IBMid user. To prevent this, disable session security integration.

    1. Open the WebSphere Application Server administrative console and go to...

        Servers | Server Types | WebSphere Application Servers | WebSphere Portal | Web Container Settings | Web container | Session management | General Properties

    2. Clear Security integration.

    3. Click Apply and OK.

  5. Restart the WebSphere Commerce Test Server.

  6. Verify that IBMid is enabled.

    1. Register an IBMid user at the following page:

        https://www.ibm.com/account/us-en/signup/register.html?a=@OIDC_CLIENT_ID@

    2. Verify that the IBMid login form displays by going to the following page:

        https://ibmid:8000/webapp/wcs/tools/LogonWithIbmId

  7. Troubleshooting: If you encounter problems, enable the following trace to investigate the issue:

      *=info: enable.trace.log.*=all: com.ibm.websphere.commerce.WC_SERVER=all: com.ibm.ws.security.openidconnect.client.*=all
