Portal Express, Version 6.0
Operating systems: i5/OS, Linux, Windows

---

 

Configure Active Directory for non-realm support

Choose this option to configure the WebSphere Application Server to access the LDAP server directly. In this configuration, only one user registry and, therefore only one "realm", can be created. Configuring for LDAP without realm support should be used only for systems where only one environment is required and all user information can be stored in one location. However, to provide for future flexibility, the recommended configuration is for LDAP with realm support.

When configuring WebSphere Portal Express for security with Active Directory 2000, the administrator must decide how they want to handle the preferredLanguage attribute. They can either store the preferredLanguage attribute in the LDAP Lookaside buffer or modify the Active Directory schema to include the preferredLanguage attribute.

• Using the Lookaside database: Follow these steps to configure the Lookaside database to read or write the preferredLanguage attribute:

  Using the Lookaside database is the recommended method to modify the preferredLanguage attribute for Active Directory 2000.

  1. Start with a WebSphere Portal Express configuration where security is not enabled.

  2. You should use the security_active_directory.properties helper file to set the properties that will later be transferred to the wpconfig.properties file. See Using configuration templates for information about using helper files.

  3. After editing the security_active_directory.properties file to include the correct set of properties for your environment, also set the Lookaside property to true. Setting this property to true will configure WebSphere Portal Express to use a set of tables, referred to as the lookaside database, to store additional attributes from the user profile that are not mapped to the LDAP database.

  4. Follow the directions at the top of the security_active_directory.properties file to transfer these properties to the wpconfig.properties file and then run the enable-security-ldap task.

  5. Stop and restart the WebSphere Portal Express server. You can now test that WebSphere Portal Express is configured to use the WebSphere Portal Express lookaside tables for preferredLanguage by logging into WebSphere Portal Express and selecting Edit My Profile. Change your preferred language using the drop down selection and then click OK to save the changes.

• Changing Active Directory schema to prepare for configuration: The preferredLanguage attribute must be added to the Active Directory scheme to create and modify users. Perform the following steps to add the preferredLanguage Attribute to Active Directory.

  1. Perform this step only if you are using Windows 2000 and have not installed the Windows 2000 Support Tool: install the Support Tool from the \SUPPORT\TOOLS directory on the Windows 2000 Setup CD.

  2. Register Active Directory Schema (schmmgmt.dll) by running the following command at a command line: regsvr32 schmmgmt.dll

  3. Add the Active Directory Schema Snap-in using the following steps:

     1. Load the Security Administration Tools console as below:

        • For Windows 2003:

          1. From the Windows Start menu, select Run.

          2. In the Run dialog box, type mmc /a and click OK.

        • For Window 2000: From the Windows Start Menu, select Programs>Windows 2000 Support Tools>Security Administration Tools.

     2. Select Console>Add/Remove Snap-in.

     3. From the Standalone tab, click Add.

     4. Select Active Directory Schema from the list of Available Standalone Snap-ins.

     5. Click Add to add the snap-in to the console.

  4. Configure the Active Directory Schema Snap-in using the following steps:

     • For Windows 2003: Perform this step only if you need to transfer the operation master of this schema to another controller

       1. From the Security Administration Tools console, right-click on Active Directory Schema and select Operations Master.

       2. Choose the new master and click Change.

     • For Window 2000:

       1. From the Security Administration Tools console, right-click on Active Directory Schema and select Operations Master.

       2. Select The Schema can be modified on this Domain Controller, and click OK to save this change.

  5. Perform this step only if you are using Windows 2000. Create the preferredLanguage attribute:

     The steps that apply to the preferredLanguage attribute are only for Windows 2000. Active Directory 2003 includes preferredLanguage in its default schema and no changes are required for successful use.

     1. From the Security Administration Tools console, expand Active Directory Schema>Attributes.

     2. Right-click on Attributes and select Create Attribute.

     3. Click Continue to access the new attribute properties.

     4. Enter the following values in Create New Attribute:

        Field name	Value
        Common Name	preferredLanguage
        LDAP Display Name	preferredLanguage
        Unique X500 Object ID	2.16.840.1.113730.3.1.39
        Syntax	Unicode String

     5. Click OK to create the preferredLanguage attribute.

  6. Perform this step only if you are using Windows 2000. Follow these steps to add the preferredLanguage attribute to the user object class:

     1. From the Security Administration Tools console, expand Active Directory Schema>Classes.

     2. Double-click on user to open the user properties.

     3. Select the Attributes tab.

     4. In the Optional section, click Add to add a new schema object.

     5. Select preferredLanguage from the list of objects and click OK to add this object.

  7. Perform this step only if you are using Windows 2000. Follow these steps to enable the preferredLanguage mapping to the Member Manager XML file:

     1. Use a text editor to open portal_server_root\wmm\wmmLDAPAttributes_AD.xml.

     2. Find the following attribute map tag:

        <attributeMap    wmmAttributeName="preferredLanguage"
                         pluginAttributeName="preferredLanguage"
                         applicableMemberTypes="Person"
                         dataType="String"
                         valueLength="128"
                         multiValued="false" />

     3. Remove the comment tags on the lines above and below the map tag block. Comment tags are <!-- and -->.

     4. Save and close the text file before configuring WebSphere Portal Express.

Follow these steps to edit the wpconfig.properties and wpconfig_dbdomain.properties files and run the appropriate configuration tasks so that WebSphere Portal Express can work with the LDAP server.Note the following:

• These instructions apply to either a single server installation or a cluster environment. When setting up a cluster to use an LDAP server, it is only necessary to perform these steps on the primary node in the cluster. For detailed instructions on creating the cluster, refer to Clustering and WebSphere Portal Express.

• A configuration template might exist to support these instructions. Refer to the portal_server_root/config/helpers directory for available configuration templates. Use the configuration template to update the wpconfig.properties and wpconfig_dbdomain.properties files, as described in Configuration program, according to the property descriptions and recommended values provided below. If you do not want to use a configuration template, simply follow the instructions below as written.

 

Password considerations: For security reasons, you should not store passwords in the wpconfig.properties file. IBM recommends that you edit the wpconfig.properties prior to running a configuration task, inserting the passwords needed for that task. Then, after the task has run, you should delete all passwords from the wpconfig.properties file. For more information, see Deleting passwords from configuration scripts.

Alternatively, you can specify the password on the command line using the following syntax: WPSconfig.{sh|bat} task_name -Dpassword_property_key=password_value

As with other properties, each password property must have the -D prefix and be set equal to (=) a value. If you have multiple properties in a single command, use a space character between each -Dproperty=value setting.

1. Ensure that the LDAP software is installed and any setup has been performed.

2. Locate the wpconfig.properties and wpconfig_dbdomain.properties files in the following directory and create a back up copy before changing any values:

   • Linux:

     portal_server_root/config/

   • Windows:

     portal_server_root\config\

   • i5/OS:

     portal_server_root_user/config/

3. Use a text editor to open the wpconfig.properties and wpconfig_dbdomain.propertiesfiles and enter the values appropriate for your environment. Note the following:

   • Do not change any settings other than those specified in these steps. For instructions on working with these files, see Configuration properties reference for a complete properties reference, including default values.

   • Use / instead of \ for all platforms.

   • Some values, shown in italics below, might need to be modified to your specific environment.

    

   Section of the wpconfig.properties file: IBM^® WebSphere^® Application Server

   Property	Value
   WasUserid	The user ID for WebSphere Application Server security authentication. For an LDAP configuration this should be the fully qualified distinguished name (DN) of a current administrative user for the WebSphere Application Server. For a configuration using Member Manager User Registry database the short version of the distinguished name must be used. Make sure to type the value in lower case, regardless of the case used in the distinguished name (DN). If a value is specified for WasUserid, a value must also be specified for WasPassword. If WasUserid is left blank, WasPassword must also be left blank. For LDAP configuration this value should not contain spaces. Type: Alphanumeric text string Example: When using LDAP security: Tivoli Directory Server: uid=wpsbind,cn=users,dc=example,dc=com Lotus Domino: cn=wpsbind,o=example.com Active Directory: cn=wpsbind,cn=users,dc=example,dc=com Active Directory Application Mode: cn=wpsbind,cn=users,dc=example,dc=com Sun Java System Directory Server: uid=wpsbind,ou=people,o=example.com Novell eDirectory: uid=wpsbind,ou=people,o=example.com Example: When using Custom User Registry (CUR): CUR: wpsbind Default: ReplaceWithYourWASUserID
   WasPassword	The password for WebSphere Application Server security authentication. If a value is specified for WasPassword, a value must also be specified for WasUserid. If WasPassword is left blank, WasUserid must also be left blank. Type: Alphanumeric text string Recommended: Set this value according to a environment. Default: ReplaceWithYourWASUserPwd

    

   Section of the wpconfig.properties file: WebSphere Portal Express configuration properties

   WpsContentAdministrators, WpsDocReviewer, and PortalAdminGroupId should be different groups.

   Property	Value
   PortalAdminId	The user ID for the WebSphere Portal Express administrator, which should be the fully qualified distinguished name (DN). Notes: For LDAP configuration this value should not contain spaces. Make sure to type the value in lower case, regardless of the case used in the distinguished name (DN). Type: Alphanumeric text string, conforming to the LDAP distinguished name format   Examples for LDAP: Tivoli Directory Server: uid=portaladminid,cn=users,dc=example,dc=com Lotus Domino: cn=portaladminid,o=example.com Active Directory and Active Directory Application Mode: cn=portaladminid,cn=users,dc=example,dc=com Sun Java System Directory Server: uid=portaladminid,ou=people,o=example.com Novell eDirectory: uid=portaladminid,ou=people,o=example.com Custom User Registry example: uid=portaladminid Windows and Linux default: none i5/OS default: uid=portaladminid,o=default organization
   PortalAdminPwd	The password for the WebSphere Portal Express administrator, as defined in the PortalAdminId property. Type: Alphanumeric text string Example: yourportaladminpwd Default: none
   PortalAdminGroupId	The group ID for the group to which the WebSphere Portal Express administrator belongs. Make sure to type the value in lower case, regardless of the case used in the distinguished name (DN). Type: Alphanumeric text string, conforming to the LDAP distinguished name format   Examples for LDAP: Tivoli Directory Server: cn=wpsadmins,cn=groups,dc=example,dc=com Lotus Domino: cn=wpsadmins Active Directory: cn=wpsadmins,cn=groups,dc=example,dc=com Active Directory Application Mode: cn=wpsadmins,cn=groups,dc=example,dc=com Sun Java System Directory Server: cn=wpsadmins,ou=groups,o=example.com Novell eDirectory: cn=wpsadmins,ou=groups,o=example.com Custom User Registry example: cn=wpsadmins,o=default organization Default: cn=wpsadmins,o=default organization
   WpsContentAdministrators	The group ID for the WebSphere Content Administrator group. Type: Alphanumeric text string   Example values: DEV (No security): WpsContentAdministrators=cn=wpsContentAdministrators,o=default organization Member Manager User Repository database: WpsContentAdministrators=cn=wpsContentAdministrators,o=default organization   LDAP example values: Tivoli Directory Server: cn=wpsContentAdministrators,cn=groups,dc=example,dc=com Lotus Domino: cn=wpsContentAdministrators Active Directory: cn=wpsContentAdministrators,cn=groups,dc=example,dc=com Active Directory Application Mode: cn=wpsContentAdministrators,cn=groups,dc=example,dc=com Sun Java System Directory Server: cn=wpsContentAdministrators,ou=groups,o=example.com Novell eDirectory: cn=wpsContentAdministrators,ou=groups,o=example.com Default: cn=wpsContentAdministrators,o=default organization
   WpsContentAdministratorsShort	The WebSphere Content Administrators group ID. Type: Alphanumeric text string Default: wpsContentAdministrators
   WpsDocReviewer	The group ID for the WebSphere Document Reviewer group Type: Alphanumeric text string   Example values: DEV (No security): WpsDocReviewer=cn=wpsDocReviewer,o=default organization Database user registry: WpsDocReviewer=cn=wpsDocReviewer,o=default organization   LDAP example values: Tivoli Directory Server: cn=wpsDocReviewer,cn=groups,dc=example,dc=com Lotus Domino: cn=wpsDocReviewer Active Directory: cn=wpsDocReviewer,cn=groups,dc=example,dc=com Active Directory Application Mode: cn=wpsDocReviewer,cn=groups,dc=example,dc=com Sun Java System Directory Server: cn=wpsDocReviewer,ou=groups,o=example.com Novell eDirectory: cn=wpsDocReviewer,ou=groups,o=example.com Default: cn=wpsDocReviewer,o=default organization
   WpsDocReviewerShort	The WebSphere Document Reviewer group ID. Type: Alphanumeric text string Default: wpsDocReviewer

    

   Section of the wpconfig.properties file: WebSphere Portal Express Security LTPA configuration

   Property	Value
   LTPAPassword	The password for the LTPA bind. Type: Alphanumeric text string Default: none
   LTPATimeout	The number of minutes after which an LTPA token will expire. Type: Numeric text string Default: 120
   SSODomainName	The domain name for all allowable single signon host domains. Enter the part of the domain that is common to all servers that participate in single signon. For example, if WebSphere Portal Express has the domain portal.us.ibm.com and another server has the domain another_server.ibm.com, enter ibm.com. To specify multiple domains, use a semicolon ; to separate each domain name. For example, your_co.com;ibm.com. Single signon (SSO) is achieved using a cookie that is sent to the browser during authentication. When connecting to other servers in the TCP/IP domain specified in the cookie, the browser sends the cookie. If no domain is set in the cookie, the browser will only send the cookie to the issuing server. See the WebSphere Application Server documentation for further details about this setting. Type: Fully-qualified domain name Default: none

    

   Section of the wpconfig.properties file: LDAP Properties Configuration

   Property	Value
   LookAside	You can either install with LDAP only or with LDAP using a Lookaside database. The purpose of a Lookaside database is to store attributes which cannot be stored in your LDAP server; this combination of LDAP plus a Lookaside database is needed to support the Database user registry. To enable a Lookaside database, set this property to true. If you intend to use a Lookaside database, set this value before configuring security, as it cannot be configured after security is enabled. Set Lookaside to true if you are using IBM Workplace Web Content Management™. Using a Lookaside database can slow down performance. Type: true - LDAP + Lookaside database false - LDAP only Default: false
   LDAPHostName	The host information for the LDAP server that WebSphere Portal Express will use. Type: Fully qualified host name of the LDAP server Default: yourldapserver.com
   LDAPPort	The server port of the LDAP directory. Type: Alphanumeric text string Example: 389 for non-SSL or 636 for SSL Default: 389 Configuration tasks only work against a non-SSL port. After configuring security, you will need to manually configure security over SSL and change this value to the SSL value.
   LDAPAdminUId	The user ID for the administrator of the LDAP directory. Member Manager uses this ID to bind to the LDAP to retrieve users attributes, create new users and groups in the LDAP and update user attributes. This ID is not required to be the LDAP admin DN, but rather an ID with sufficient authority for the use cases just cited. If this property is omitted, the LDAP is accessed anonymously and read-only. Make sure to type the value in lower case, regardless of the case used in the distinguished name (DN). Type: Alphanumeric text string, conforming to the LDAP distinguished name format. For example, cn=userid. Default: cn=root
   LDAPAdminPwd	The password for the LDAP directory administrator, as defined in the LDAPAdminUId property. If the LDAPAdminUId is blank, this property must be blank as well. Type: Alphanumeric text string Default: none
   LDAPServerType	The type of LDAP Server to be used.   Example values: Tivoli Directory Server: IBM_DIRECTORY_SERVER Lotus Domino: DOMINO502 Active Directory: ACTIVE_DIRECTORY Active Directory Application Mode: ACTIVE_DIRECTORY Sun Java System Directory Server: IPLANET Novell eDirectory: NDS Default: IBM_DIRECTORY_SERVER
   LDAPBindID	The user ID for LDAP Bind authentication. This user ID is used by WebSphere Application Server to bind to the LDAP to retrieve user attributes required for authentication. If this property is omitted, the LDAP is access anonymously and is then read-only. Make sure to type the value in lower case, regardless of the case used in the distinguished name (DN).   Example values: Tivoli Directory Server: uid=wpsbind,cn=users,dc=example,dc=com Lotus Domino: cn=wpsbind,o=example.com Active Directory: cn=wpsbind,cn=users,dc=example,dc=com Active Directory Application Mode: cn=wpsbind,cn=users,dc=example,dc=com Sun Java System Directory Server: uid=wpsbind,ou=people,o=example.com Novell eDirectory: uid=wpsbind,ou=people,o=example.com Default: uid=wpsbind,cn=users,dc=example,dc=com
   LDAPBindPassword	The password for LDAP Bind authentication. If the LDAPBindID is blank, this property must be blank as well. Type: Alphanumeric text string Default: none

    

   Section of the wpconfig.properties file: Advanced LDAP Configuration

   Property	Value
   LDAPSuffix	The LDAP Suffix. Choose a value appropriate for your LDAP server. This is the distinguished name (DN) of the node in the LDAP containing all user and group information for the configuration. As such, it is the lowest container in the LDAP tree still containing all users that will log into WebSphere Portal Express and all groups. If WebSphere Application Server configuration tasks (for example, enable-security-ldap) are used to activate WebSphere Application Server Security, this value will be used as the single Base Distinguished Name for the Application Server LDAP configuration. This value will be qualified with the LDAPUserSuffix and LDAPGroupSuffix values in order to configure Member Manager. Make sure to set the value of the suffix to the exact case of the suffix as set in the LDAP directory. For example, if a users' DN in LDAP is returned as uid=tuser,CN=Users,DC=example,DC=com, set this value to DC=example,DC=com. Using dc=example,dc=com will cause awareness problems. For more information on this see technical note 1174297.   Example values: Tivoli Directory Server: dc=example,dc=com Lotus Domino: this value is null Active Directory: dc=example,dc=com Active Directory Application Mode: dc=example,dc=com Sun Java System Directory Server: o=example.com Novell eDirectory: o=example.com Default: dc=example,dc=com
   LdapUserPrefix	The RDN prefix attribute name for user entries. Choose a value appropriate for your LDAP server.   Example values: Tivoli Directory Server: uid Lotus Domino: cn Active Directory: cn Active Directory Application Mode: cn Sun Java System Directory Server: uid Novell eDirectory: uid Default: uid
   LDAPUserSuffix	The DN suffix attribute name for user entries. Choose a value appropriate for your LDAP server. With LDAPSuffix appended to this value, it is the DN of the common root node in the LDAP containing all user information for the configuration. As such, it is the lowest container in the LDAP tree still containing all users that will log into WebSphere Portal Express including the administrative users (for example, wpsadmin and wpsbind) Make sure to type the value in lower case, regardless of the case used in the distinguished name (DN).   Example values: Tivoli Directory Server: cn=users Lotus Domino: o=example.com Active Directory: cn=users Active Directory Application Mode: cn=users Sun Java System Directory Server: ou=people Novell eDirectory: ou=people Default: cn=users
   LdapGroupPrefix	The RDN prefix attribute name for group entries. Type: cn Default: cn
   LDAPGroupSuffix	The DN suffix attribute name for group entries. Choose a value appropriate for your LDAP server. With LDAPSuffix appended to this value, it is the DN of the common root node in the LDAP containing all group information for the configuration. As such, it is the lowest container in the LDAP tree still containing all group entries for WebSphere Portal Express including the administrative group (., wpsadmins). Make sure to type the value in lower case, regardless of the case used in the distinguished name (DN).   Example values: Tivoli Directory Server: cn=groups Lotus Domino: this value is null Active Directory: cn=groups Active Directory Application Mode: cn=groups Sun Java System Directory Server: ou=groups Novell eDirectory: ou=groups Default: cn=groups
   LDAPUserObjectClass	The LDAP object class of the users in your LDAP directory that will log into WebSphere Portal Express.Example values: Tivoli Directory Server: inetOrgPerson Lotus Domino: dominoPerson Active Directory: user Active Directory Application Mode: user Sun Java System Directory Server: inetOrgPerson Novell eDirectory: inetOrgPerson Default: inetOrgPerson
   LDAPGroupObjectClass	The LDAP object class of all the groups in your LDAP directory that WebSphere Portal Express will access.Example values: Tivoli Directory Server: groupOfUniqueNames Lotus Domino: dominoGroup Active Directory: group Active Directory Application Mode: group Sun Java System Directory Server: groupOfUniqueNames Novell eDirectory: groupOfNames Shared UserRegistry with WebSeal/IBM Tivoli® Access Manager for e-business Version 5.1: accessGroup Shared UserRegistry with WebSeal/IBM Tivoli Access Manager for e-business Version 6: groupOfNames Default: groupOfUniqueNames
   LDAPGroupMember	The attribute name in the LDAP group object of the "membership" attribute. Choose a value appropriate for your LDAP server.Example values: Tivoli Directory Server: uniqueMember Lotus Domino: member Active Directory: member Active Directory Application Mode: member Sun Java System Directory Server: uniqueMember Novell eDirectory: uniqueMember Shared UserRegistry with WebSeal/Tivoli Access Manager: member Default: uniqueMember
   LDAPUserFilter	The filter used by WebSphere Application Server for finding users in the LDAP.   Example values: Tivoli Directory Server: (&(uid=%v)(objectclass=inetOrgPerson)) Lotus Domino: (&(|(cn=%v)(uid=%v))(|(objectclass=dominoPerson)(objectclass=inetOrgPerson))) Active Directory: (&(|(cn=%v)(samAccountName=%v))(objectclass=user)) Active Directory Application Mode: { (&(cn=%v)(objectclass=user)) } Sun Java System Directory Server: (&(uid=%v)(objectclass=inetOrgPerson)) Novell eDirectory: (&(uid=%v)(objectclass=inetOrgPerson)) Default: (&(uid=%v)(objectclass=inetOrgPerson))
   LDAPGroupFilter	The filter used by WebSphere Application Server for finding groups in the LDAP.   Example values: Tivoli Directory Server: (&(cn=%v)(objectclass=groupOfUniqueNames)) Lotus Domino: (&(cn=%v)(|(objectclass=dominoGroup)(objectclass=groupOfNames) (objectclass=groupOfUniqueNames))) Active Directory: (&(cn=%v)(objectclass=group)) Active Directory Application Mode: (&(cn=%v)(objectclass=group)) Sun Java System Directory Server: (&(cn=%v)(objectclass=groupOfUniqueNames)) Novell eDirectory: (&(cn=%v)(objectclass=groupOfNames)) Default: (&(cn=%v)(objectclass=groupOfUniqueNames))

    

   Section of the wpconfig.properties file:

    

   IBM Workplace Web Content Management Properties

   Property	Value
   WcmAdminGroupId	The group ID for the Web Content Management Administrators group. This should be the fully qualified distinguished name (DN) of a current administrative user for the WebSphere Application Server. For LDAP configuration this value should not contain spaces. Type: Alphanumeric text string   Example values: DEV (No security): WcmAdminGroupId=cn=wcmadmins,o=default organization Database user registry: WcmAdminGroupId=cn=wcmadmins,o=default organization   LDAP example values: Tivoli Directory Server: cn=wcmadmins,cn=groups,dc=example,dc=com Lotus Domino: cn=wcmadmins Active Directory: cn=wcmadmins,cn=groups,dc=example,dc=com Active Directory Application Mode: cn=wcmadmins,cn=groups,dc=example,dc=com Sun Java System Directory Server: cn=wcmadmins,ou=groups,o=example.com Novell eDirectory: cn=wcmadmins,ou=groups,o=example.com Default: cn=wcmadmins,o=default organization
   WcmAdminGroupIdShort	The Web Content Management Administrators group ID. Type: Alphanumeric text string Default: wcmadmins

   Section of the wpconfig_dbdomain.properties file: Database properties in wpconfig_dbdomain.properties

   The following two properties are required when using a Lookaside database and/or federation.

   Property	Value
   wmm.DbUser	The user ID for the database administrator. Notes: For SQL Server and non-wmm databases only, unless you are the system administrator, the values for dbdomain.DbUser and dbdomain.DbSchema must be the same. For Oracle and SQL Server, if the user you are using is an administrative user that has authority over the FEEDBACK schema, the administrative user should be entered for the dbdomain.DbUser property. For Oracle only: For non-feedback domains, DbSchema and DbUser MUST be the same. For Feeback domains, the default schema name is FEEDBACK. If the value is set to something besides FEEDBACK, you also have to set the schemaName property in <wps_home>/shared/app/config/services/FeedbackService.properties to the new schema. Type: Alphanumeric text string Default for all domains: wpdb2ins ReplacewithyourDBAdminUser Recommended: Release: releaseusr Community: communityusr Customization: customizationusr JCR: icmadmin WMM: wmmdbusr Feedback: feedback LikeMinds: lmdbusr
   wmm.DbPassword	The password for the database administrator. A value must be set for this property; it cannot be empty. Type: Alphanumeric text string Default for all domains: ReplaceWithYourDbAdminPwd

4. Optional: If you installed WebSphere Application Server as part of the WebSphere Portal Express installation and you plan to use WebSphere Application Server single signon, ensure that the following property in the wpconfig.properties file has the recommended value and not the default value. WebSphere Portal Express uses Form-based login for authentication, which requires SSO to be enabled; otherwise, you will be no longer able to login to WebSphere Portal Express.

   If you installed onto a pre-existing profile of WebSphere Application Server, skip this step. Any pre-existing settings for WebSphere Application Server SSO are automatically detected and preserved when you run the appropriate task to configure security.

    

   Section of the wpconfig.properties file: WebSphere Portal Express Security LTPA and SSO Configuration

   Property	Value
   SSORequiresSSL	The property that specifies that Single Sign-On function is enabled only when requests are over HTTPS Secure Socket Layer (SSL) connections. Type: true, false Default: false

5. Save the file.

6. Stop the WebSphere Portal Express server:

   If this is a clustered environment, ensure the deployment manager and all node agents are active.

   1. Open a command prompt and change to the following directory:

      • Linux:

        was_profile_root/bin

      • Windows:

        was_profile_root\bin

      • i5/OS:

        app_server_root/bin

   2. Enter the following command:

      • Linux:

        ./stopServer.sh WebSphere_Portal -user admin_userid -password admin_password

      • Windows:

        stopServer.bat WebSphere_Portal -user admin_userid -password admin_password

      • i5/OS:

        stopServer.sh WebSphere_Portal -profileName profile_root -user admin_userid -password admin_password

        where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.

7. Change to the following directory:

   • Linux:

     portal_server_root/config/

   • Windows:

     portal_server_root\config\

   • i5/OS:

     portal_server_root_user/config/

8. Enter the following command to run the appropriate configuration task for your specific operating system:

   • Linux:

     ./WPSconfig.sh validate-ldap -DWasPassword=password -DPortalAdminPwd=password -DLTPAPassword=password -DLDAPAdminPwd=password -DLDAPBindPassword=password

   • Windows:

     WPSconfig.bat validate-ldap -DWasPassword=password -DPortalAdminPwd=password -DLTPAPassword=password -DLDAPAdminPwd=password -DLDAPBindPassword=password

   • i5/OS:

     WPSconfig.sh  -profileName profile_root validate-ldap -DWasPassword=password -DPortalAdminPwd=password -DLTPAPassword=password -DLDAPAdminPwd=password -DLDAPBindPassword=password

     where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.

   If the configuration task fails, validate the values in the wpconfig.properties and wpconfig_dbdomain.properties files.

9. Perform this step only if you meet any of the following criteria:

   • You installed WebSphere Portal Express on a pre-existing profile of WebSphere Application Server which did not have Global Security enabled

   • You installed WebSphere Application Server as part of the WebSphere Portal Express installation

   • You installed WebSphere Portal Express on i5/OS which created a new profile in a pre-existing WebSphere Application Server

   Enter the appropriate command to run the configuration task for your specific operating system:

   If this is a cluster environment, stop all cluster members (application servers) before enabling security using the enable-security-ldap task. Ensure the deployment manager and all node agents are active.

   • Linux:

     ./WPSconfig.sh enable-security-ldap -DWasPassword=password -DPortalAdminPwd=password -Dwmm.DbPassword=password -DLTPAPassword=password -DLDAPAdminPwd=password -DLDAPBindPassword=password

   • Windows:

     WPSconfig.bat enable-security-ldap -DWasPassword=password -DPortalAdminPwd=password -Dwmm.DbPassword=password -DLTPAPassword=password -DLDAPAdminPwd=password -DLDAPBindPassword=password

   • i5/OS:

     WPSconfig.sh  -profileName profile_root enable-security-ldap -DWasPassword=password 
     -DPortalAdminPwd=password -Dwmm.DbPassword=password -DLTPAPassword=password -DLDAPAdminPwd=password -DLDAPBindPassword=password

     where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.

10. Check the output for any error messages before proceeding with any additional tasks. If the configuration task fails, verify the values in the wpconfig.properties and wpconfig_dbdomain.properties files. Before running the task again, be sure to stop the WebSphere Portal Express server. To stop the server follow these steps:

    If this is a clustered environment, ensure the deployment manager and all node agents are active.

    1. Open a command prompt and change to the following directory:

       • Linux:

         was_profile_root/bin

       • Windows:

         was_profile_root\bin

       • i5/OS:

         app_server_root/bin

    2. Enter the following command:

       • Linux:

         ./stopServer.sh WebSphere_Portal -user admin_userid -password admin_password

       • Windows:

         stopServer.bat WebSphere_Portal -user admin_userid -password admin_password

       • i5/OS:

         stopServer.sh WebSphere_Portal -profileName profile_root -user admin_userid -password admin_password

         where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.

11. Follow these steps to comment out the preferredLanguage attributeMap:

    Do not perform this step if the preferredLanguage attribute is defined in the LDAP server.

    1. Go to the following directory:

       • Windows and Linux:

         portal_server_root/wmm

       • i5/OS:

         portal_server_root_user/wmm

    2. Make a backup copy of wmmLDAPServerAttributes.xml. For example, copy and rename wmmLDAPServerAttributes.xml to wmmLDAPServerAttributes.xml.orig.

    3. Open the wmmLDAPServerAttributes.xml file.

    4. Search for the preferredLanguage attributeMap element.

    5. Add comment tags around the preferredLanguage attributeMap element.

    6. Save the file.

    If you do not comment out the preferredLanguage attributeMap element, you will have problems when you try to create a new user.

12. If you are using Windows 2003 Active Directory, modify wmm.xml in the following directory:

    • Windows and Linux:

      portal_server_root/wmm/wmm.xml

    • i5/OS:

      portal_server_root_user/wmm/wmm.xml

    In the <ldapRepository...> stanza of the wmm.xml file, change the adapterClassName= value to: adapterClassName="com.ibm.ws.wmm.ldap.activedir.ActiveDirectory2003AdapterImpl".

13. Enter the following commands to restart server1 and WebSphere_Portal server. If you are running with security enabled on WebSphere Application Server, specify a user ID and password for security authentication when entering the commands.

    If this is a clustered environment, stop and start all node agents and the deployment manager.

    1. Open a command prompt and change to the following directory:

       • Linux:

         was_profile_root/bin

       • Windows:

         was_profile_root\bin

       • i5/OS:

         app_server_root/bin

    2. Enter the following command:

       • Linux:

         ./stopServer.sh server1 -user admin_userid -password admin_password

       • Windows:

         stopServer.bat server1 -user admin_userid -password admin_password

       • i5/OS:

         stopServer.sh server1 -profileName profile_root -user admin_userid -password admin_password

         where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.

       server1 is the name of your WebSphere Application Server administrative server.

    3. Enter the following command:

       • Linux:

         ./startServer.sh server1

       • Windows:

         startServer.bat server1

       • i5/OS:

         startServer.sh server1 -profileName profile_root

         where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.

       server1 is the name of your WebSphere Application Server administrative server.

    4. Enter the following command:

       • Linux:

         ./startServer.sh WebSphere_Portal

       • Windows:

         startServer.bat WebSphere_Portal

       • i5/OS:

         startServer.sh WebSphere_Portal -profileName profile_root

         where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.

14. Perform this step only if you installed WebSphere Portal Express into a pre-existing SSO environment. Because you will not be given the option to import your existing token file...

    • To import your SSO Token:

      1. In the WebSphere Application Server Administrative Console, select Security > Global Security > Authentication > Authentication mechanisms > LTPA.

      2. Enter the LTPA token password in the Password field.

      3. Enter the password again in the Confirm password field.

      4. In the Key File Name field, enter the LTPA token file.

      5. Click Import Keys.

      6. Click Save.

    • To set your SSO Domain:

      1. In the WebSphere Application Server Administrative Console, select Security > Global Security > Authentication > Authentication mechanisms > LTPA.

      2. Click Single Signon in Additional Properties.

      3. Enter the domain name in the Domain Name field.

      4. Click OK.

15. Perform this step only if common name (CN) is the Relative Distinguished Name (RDN) attribute of your distinguished name (DN) and you want to allow users or administrators to modify directory attributes through self-care screens or the user management portlet. Set the user.sync.remove.attributes=cn,CN property value in Puma service, as described in Setting configuration properties:

    WebSphere Portal Express can be configured to create the CN for a user account created through WebSphere Portal Express interfaces (self-registration or the user management portlet create new user functions). The default configuration of WebSphere Portal Express generates this attribute based on the surname (sn) and givenname attribute. The configuration is also located in WP PumaService in the WebSphere Application Server Administrative Console. Modify the Puma service, by following steps described in Setting configuration properties

    The following entry defines the user common name pattern and can be used to customize common name. In the pattern, you can define which attribute is used. Therefore the maximum amount of attributes has to be provided by puma.commonname.parts. See the following example for more details:

    For example:	firstname+" "+lastname       			puma.commonname = {0} {1}
          			puma.commonname.parts = 2
          			puma.commonname.0 = givenName       			puma.commonname.1 = sn

    This function is not available if the CN attribute is the RDN attribute.

16. Verify that your configuration works. Access WebSphere Portal Express using http://hostname.example.com:10038/wps/portal, where hostname.example.com is the fully qualified host name of the machine where WebSphere Portal is running and 10038 is the default transport port that is created by WebSphere Application Server. and verify that you can log in.

    Configuring WebSphere Portal Express to work with an LDAP directory automatically enables WebSphere Application Server Global Security. Once security is enabled, type the fully qualified host name when accessing WebSphere Portal Express and the WebSphere Application Server Administrative Console.

17. Run the Member Fixer tool to update the member names used by Web Content Management with the corresponding members in the LDAP directory. This step ensures that access to the Web content libraries for the Intranet and Internet Site Templates for the contentAuthors group is correctly mapped to the appropriate group in the LDAP directory.

    1. Edit the portal_server_root/config/templates/express/MemberFixer.properties file.

    2. Update the contentAuthors_new property with the group name you used for the content authors group during LDAP configuration.

    3. Save your changes and close the file.

    4. Open a command prompt and change to the following directory.

       • Linux:

         portal_server_root/config/

       • Windows:

         portal_server_root\config\

       • i5/OS:

         portal_server_root_user/config/

    5. Enter the appropriate command to run the configuration task for your specific operating system:

       • Linux:

         ./WPSconfig.sh action-memberfixer-altDN-mismatchedId -DPortalAdminPwd=password

       • Windows:

         WPSconfig action-memberfixer-altDN-mismatchedId -DPortalAdminPwd=password

       • i5/OS:

         WPSconfig.sh  -profileName profile_root action-memberfixer-altDN-mismatchedId -DPortalAdminPwd=password

         where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.

 

Security is enabledOnce you have enabled security with your LDAP directory, you will need to provide the user ID and password required for security authentication on WebSphere Application Server when you perform certain administrative tasks with WebSphere Application Server. For example, to stop the WebSphere Portal Express application server, you would issue the following command:

• Enter the following command:

  • Linux:

    ./stopServer.sh WebSphere_Portal -user admin_userid -password admin_password

  • Windows:

    stopServer.bat WebSphere_Portal -user admin_userid -password admin_password

  • i5/OS:

    stopServer.sh WebSphere_Portal -profileName profile_root -user admin_userid -password admin_password

    where profile_root is the name of the WebSphere Application Server profile where WebSphere Portal Express is installed; for example, wp_profile.

 

Parent topic:

Configuring LDAP server for non-realm support

---