

Enable federated security

We can use the Configuration Wizard to configure HCL WebSphere Portal to use a federated LDAP for security. Use the following information to get familiar with the values you must provide in the wizard and the configuration procedure that it generates. The primary Configuration Wizard options are based on your target configuration topology, such as a stand-alone server or a cluster. The federated security option is included with both "Set Up a Stand-alone Server" and "Set Up a Cluster". For the stand-alone server topology, run the federated security option after database transfer. For the cluster topology, run the federated security option after you create the cluster, but before you add more nodes.


Validation option

For this configuration option, the wizard can connect to your LDAP directory and validate the information that you enter in the wizard. By default, validation is enabled. On the Security Settings panel, we can turn validation on or off by selecting Yes or No for the "Validate LDAP user registry entries" option. Select No only if you know that your parameters are correct and your LDAP server is unavailable at the time that you create your instructions. Two types of validation are performed when you choose to validate settings: field syntax validation and LDAP connection validation. The syntax validation checks, for example, that you entered a valid port number in the range 1 - 65535. The connection validation checks, for example, that a connection can be made to your LDAP server. Enabling validation is recommended because it catches mistakes in your entries before you run the configuration, and so prevents a failure part-way through the procedure. The LDAP settings that are validated include:

  • Repository ID
  • Host name
  • Port
  • Bind DN
  • Bind password
  • Base DN
  • Administrator group DN
  • Administrator DN
  • Administrator password


Worksheet

When you set up federated security, you answer questions about the configuration that you want. Some fields apply to all federated security configurations. Some fields are required depending on your environment. The remaining fields are advanced and do not apply to most configurations.


Minimal required fields

The following table lists the fields that are unique to the LDAP configuration. You might be prompted for additional information about system or user IDs and passwords that you defined during the portal installation process. Attention: The Enable Federated Security option modifies the wimconfig.xml file. Make a backup copy of this file before you run any of the configuration tasks.

    Field label            Property                       Your value
    LDAP Repository ID     federated.ldap.id
    LDAP host name         federated.ldap.host
    LDAP port              federated.ldap.port
    Bind DN                federated.ldap.bindDN
    Bind password          federated.ldap.bindPassword
    Base DN                federated.ldap.baseDN

    Bind DN: the following parameters must be unique to your environment:

    • PortalAdminId: the user ID entered in the Administrator user ID field during the installation
    • Bind DN
    • Administrator DN from LDAP

    Base DN: this field is optional. However, it is recommended that you enter a Base DN that matches your LDAP settings. If you are using a Domino LDAP and you do not have a Base DN defined, then we can leave this field blank.


Use an administrator from your LDAP

If you select to use an administrator from your LDAP server, then you must provide additional information about the LDAP group and ID.

    Field label                          Property              Your value
    Administrator group DN from LDAP     newAdminGroupId
    Administrator DN from LDAP           newAdminId
    Administrator password from LDAP     newAdminPw
    Default parent for group             groupParent
    Default parent for PersonAccount     personAccountParent

    Administrator DN from LDAP: the following parameters must be unique to your environment:

    • PortalAdminId: this parameter is the user ID that you enter in the Administrator user ID field during the installation
    • Bind DN
    • Administrator DN from LDAP
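The wizard's two validation passes described under "Validation option" (field syntax, then LDAP connection) and the uniqueness rule that the worksheet tables state for PortalAdminId, Bind DN and Administrator DN can be checked before you open the wizard at all. The following script is an added example and is not part of the HCL Configuration Wizard or the portal's own code: it reads the worksheet values as a Java-style properties file using the property names from the tables above, reports syntax and uniqueness problems, and offers a plain TCP reachability test in place of the wizard's LDAP bind. The sample worksheet values and the `check` helper are constructed for this example.

```python
"""Pre-flight checks for the federated LDAP worksheet (added example, not HCL code).

Mirrors the wizard's syntax validation (required fields, port range, DN shape),
adds the worksheet rule that PortalAdminId, Bind DN and Administrator DN from
LDAP must be distinct, and offers a reachability test for the LDAP host.
"""
import re
import socket

# Property names as listed in the worksheet tables.
REQUIRED = ("federated.ldap.id", "federated.ldap.host", "federated.ldap.port",
            "federated.ldap.bindDN", "federated.ldap.bindPassword")
ADMIN_FROM_LDAP = ("newAdminGroupId", "newAdminId", "newAdminPw")
DN_FIELDS = ("federated.ldap.bindDN", "federated.ldap.baseDN",
             "newAdminId", "newAdminGroupId")

# A DN is one or more attr=value RDNs separated by commas. This is deliberately
# loose: it catches blanks and plain user IDs entered where a DN is expected.
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(,\s*[A-Za-z][\w-]*=[^,]+)*$")


def parse_properties(text):
    """Parse Java-style key=value lines; '#' comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def syntax_errors(props, portal_admin_id, use_ldap_admin=False):
    """Return a list of human-readable problems; an empty list means the values pass."""
    errors = []
    for key in REQUIRED:
        if not props.get(key):
            errors.append(f"{key}: required value is missing")
    port = props.get("federated.ldap.port", "")
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        errors.append(f"federated.ldap.port: {port!r} is not in the range 1-65535")
    for key in DN_FIELDS:
        value = props.get(key, "")
        # Base DN may legitimately be blank (Domino LDAP without a Base DN).
        if value and not DN_RE.match(value):
            errors.append(f"{key}: {value!r} does not look like a distinguished name")
    distinct = [("PortalAdminId", portal_admin_id),
                ("Bind DN", props.get("federated.ldap.bindDN", ""))]
    if use_ldap_admin:
        for key in ADMIN_FROM_LDAP:
            if not props.get(key):
                errors.append(f"{key}: required when the administrator comes from LDAP")
        distinct.append(("Administrator DN from LDAP", props.get("newAdminId", "")))
    # Worksheet rule: these identities must be unique within the environment.
    seen = {}
    for label, value in distinct:
        norm = value.strip().lower()
        if norm and norm in seen:
            errors.append(f"{label} must differ from {seen[norm]} (both are {value!r})")
        seen.setdefault(norm, label)
    return errors


def ldap_reachable(host, port, timeout=3.0):
    """Connection validation: True if a TCP connection to host:port can be opened.
    The wizard goes further and binds with the Bind DN; this only proves the port answers."""
    try:
        with socket.create_connection((host, int(port)), timeout=timeout):
            return True
    except OSError:
        return False


def check(text, portal_admin_id="wpsadmin", use_ldap_admin=True):
    """Convenience wrapper: parse then validate a worksheet in properties form."""
    return syntax_errors(parse_properties(text), portal_admin_id, use_ldap_admin)


# Constructed worksheet values for demonstration; not from a real environment.
GOOD_WORKSHEET = """
federated.ldap.id=corpldap
federated.ldap.host=ldap.example.com
federated.ldap.port=636
federated.ldap.bindDN=cn=portalbind,ou=service,dc=example,dc=com
federated.ldap.bindPassword=change-me
federated.ldap.baseDN=dc=example,dc=com
newAdminGroupId=cn=wpsadmins,ou=groups,dc=example,dc=com
newAdminId=uid=wpsadmin,ou=people,dc=example,dc=com
newAdminPw=change-me-too
"""

# Same environment with three mistakes: port out of range, Bind DN reused as the
# administrator DN, and the LDAP administrator group and password left blank.
BAD_WORKSHEET = """
federated.ldap.id=corpldap
federated.ldap.host=ldap.example.com
federated.ldap.port=70000
federated.ldap.bindDN=uid=wpsadmin,ou=people,dc=example,dc=com
federated.ldap.bindPassword=change-me
newAdminId=uid=wpsadmin,ou=people,dc=example,dc=com
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_WORKSHEET), ("bad", BAD_WORKSHEET)):
        print(label, check(text) or "OK")
```

Run it with the worksheet saved as a properties file and pass `use_ldap_admin=False` when you keep the file-based portal administrator; the reachability test is separate so that, as the page recommends, you can still run the syntax pass while the LDAP server is unavailable.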


Advanced fields

Click Advanced on the Customize Values page to see the advanced properties. Default values are provided for advanced fields that are required.

    Field label                                         Property                                                    Your value
    LDAP group objectclasses                            federated.ldap.et.group.objectClass
    LDAP group objectclasses for creating groups        federated.ldap.et.group.objectClassForCreate
    LDAP group search bases                             federated.ldap.et.group.searchBases
    LDAP PersonAccount objectclasses                    federated.ldap.et.personaccount.objectClasses
    LDAP PersonAccount objectclasses for creating users federated.ldap.et.personaccount.objectClassesForCreate
    LDAP search bases for the PersonAccount             federated.ldap.gm.personaccount.searchBases
    Group dummy member                                  federated.ldap.gm.dummyMember
    Group member attribute                              federated.ldap.gm.groupMemberName
    Group object class                                  federated.ldap.gm.objectClass
    GM member attribute scope                           federated.ldap.gm.scope
    Membership attribute name                           federated.ldap.gc.name
    GC member attribute scope                           federated.ldap.gc.scope
    Certificate filter                                  federated.ldap.certificateFilter
    Certificate map mode                                federated.ldap.certificateMapMode
    Group RDN attribute                                 groupRdnProperties
    PersonAccount RDN attribute                         personAccountRdnProperties
    Application server SSL configuration                federated.ldap.sslConfiguration


Nested or dynamic group support

If you need nested group support, the wizard provides default values for some of the advanced fields. The default values are based on your LDAP server selection. You must click Advanced to see the fields and verify the defaults. The nested or dynamic group support fields are Group member attribute, Membership attribute name, LDAP group objectclasses, and GC member attribute scope.


Enabling federated security

After you answer the questions and provide information about your LDAP, the wizard generates a custom configuration procedure whose steps depend on your environment. The following list shows all possible steps in that procedure; it is a reference, not a literal configuration, and your generated procedure contains only the steps whose conditions apply. If you click View Step Command, we can see the ConfigEngine task and properties that are associated with each step in the wizard.

  1. Manual Step: Retrieve the SSL certificate from the SSL port.

      Condition Select to configure SSL enabled LDAP.
      ConfigEngine task None

  2. On the Deployment Manager, go to the /AppServer/java/8.0/bin directory.

  3. Create a backup of the HCL WebSphere Portal profile before modifying cell security.

    The backup is created in /opt/IBM/WebSphere/AppServer/profiles/cw_profile/.

      Condition None
      ConfigEngine task None

  4. Validate your LDAP server settings.

      Condition None
      ConfigEngine task validate-federated-ldap

  5. Add an LDAP user registry to the default federated repository.

      Condition None
      ConfigEngine task wp-create-ldap
      recycle-dmgr-if-cluster

  6. Register the WebSphere Application Server scheduler tasks.

      Condition None
      ConfigEngine task stop-portal-server
      start-portal-server
      reregister-scheduler-tasks

  7. Replace the file-based HCL WebSphere Portal and WebSphere Application Server users and groups with users and groups from your LDAP server.

      Condition Select to use an administrator and administrator group that is stored in your LDAP.
      ConfigEngine task wp-change-portal-admin-user
      wp-change-was-admin-user

  8. Update the user registry where new users and groups are stored.

      Condition None
      ConfigEngine task wp-set-entitytypes

  9. Recycle the servers after a security change.

      Condition None
      ConfigEngine task recycle-servers-after-security-change

  10. Update the search administration user.

      Condition Select to use an administrator and administrator group that is stored in your LDAP.
      ConfigEngine task start-portal-server
      action-fixup-after-security-change-portal-wp.search.webscanner

  11. After you change the security model, the servers need to be restarted. Restart the portal server.

      Condition None
      ConfigEngine task recycle-servers-after-security-change
      start-portal-server

  12. Verify that all defined attributes are available in the configured LDAP user registry.

      Condition None
      ConfigEngine task wp-validate-federated-ldap-attribute-config

  13. Manual Step: Update the appropriate MemberFixerModule.properties file with the values for your LDAP users.

      Condition Select to use an administrator and administrator group that is stored in your LDAP.
      ConfigEngine task None

  14. Run the member fixer tool.

      Condition Select to use an administrator and administrator group that is stored in your LDAP.
      ConfigEngine task run-wcm-admin-task-member-fixer

  15. Restart the HCL Portal Server.

      Condition None
      ConfigEngine task stop-portal-server
      start-portal-server

  16. Manual Step: Map attributes to ensure proper communication between HCL WebSphere Portal and the LDAP server.

      Condition None
      ConfigEngine task None


See also

  1. Configuration Wizard Overview