Portal Express, Version 6.0
Operating systems: i5/OS, Linux, Windows
Plan
This section provides an overview of the information you need to plan security for your IBM® WebSphere® Portal Express environment. Planning is necessary because WebSphere Portal Express and IBM WebSphere Application Server require some form of user registry.
What does authentication mean?
Authentication means that users identify themselves to gain access to the system. Users can identify themselves immediately upon entry to the system, or they can be challenged by the system when they try to access a protected resource before they have identified themselves. The user ID and password combination is the most common method of identifying a user to the system. It is technically possible to hold several simultaneous logins with the same user ID and password, but depending on the client or authentication method this can produce unreliable behavior; for this reason, IBM WebSphere Portal Express does not support simultaneous multiple logins with the same user ID. After a user has been authenticated, the system can determine whether that user is authorized to access the requested resources. See Authorization for more information on accessing resources.
See Authentication for additional information.
What is a user registry and what are my choices? How is a user repository different from a user registry?
A user registry holds user account information, such as user IDs and passwords, that is consulted during authentication. IBM WebSphere Application Server and IBM WebSphere Portal Express support three types of user registries:
- Lightweight Directory Access Protocol (LDAP) user registry
- Custom user registry: A non-LDAP user registry provided by the customer.
- Database user registry: The user and group information is stored in the WebSphere Portal Express database. If security is disabled, this registry is also used for authentication and for user and group management.
If security is enabled, WebSphere Portal Express shares the same authentication registry as WebSphere Application Server.
A datastore that is used to store user account information is called a user registry. A datastore that is used to store user profile and preference information is called a user repository. Two different terms (user registry and user repository) are used because it is possible for the datastores to be different. However, it is also possible for a user registry and a user repository to be based on the same underlying datastore. For example, an LDAP directory typically contains user ID and password information but can also store additional profile information such as e-mail addresses and telephone numbers of users. Therefore, the LDAP directory is both a user registry and a user repository.
See User registries for additional information.
What LDAPs are supported in this release?
For supported LDAPs, see the Supported LDAP directories section in the appropriate Supported hardware and software file.
What is realm support and why would I want to use it?
A realm lets you group users from one or more LDAP trees of one user registry and expose them to WebSphere Portal Express as a single, coherent user population; this is also referred to as horizontal partitioning. Realms allow flexible user management with various configuration options; for example, you can combine principals from one or more corporate LDAP trees. A realm must be mapped to a virtual portal before the realm's user population can log in to that virtual portal. See Multiple virtual portals for more information. Realm membership is validated during authentication, so a virtual portal can be accessed only by members of the realm mapped to it; users from one realm cannot access another realm's virtual portals unless they are also members of that realm. For example, wpsadmin cannot log in to a virtual portal unless wpsadmin is a member of the corresponding realm. Multiple virtual portals can share the same user population by mapping to the same realm. Realms can overlap, so a user can be a member of more than one realm.
See Using multiple realms and user registries for additional information.
What is an Application group and why would I want to use it?
Application groups are user groups defined in the database user registry whose members (users or groups) are contained in the LDAP user registry you configured. The benefit of application groups is that you can create groups that are used only by IBM WebSphere Portal Express. You can use application groups in the following scenarios:
- Read-only LDAP: If your LDAP is read-only, you cannot change the group membership of users and groups there. If you need to define access rights for a set of users that are spread across different LDAP groups, you can create an application group for these users and assign the required access rights to it.
- Special group setup for WebSphere Portal Express: In this scenario you need to set up a special group hierarchy that is used only by WebSphere Portal Express and not by other applications that access your LDAP. This lets you apply access control rules that are specific to WebSphere Portal Express, because roles assigned to the group apply to all of its members.
Application groups apply only to WebSphere Portal Express; they do not apply to external security managers.
See Enabling application groups for additional information.
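The realm check performed at login and the resolution of application-group membership described in the two sections above, modelled as an added Python example. This is not WebSphere Portal Express code and it calls no portal or LDAP API; the realm names, virtual portal names, DNs and groups are constructed for the example.

```python
"""Realm and application-group membership checks, modelled in Python.

Illustrative code added to this page; it is not WebSphere Portal Express
code and does not use any portal API. It models two behaviours the text
describes: a realm that groups users from one or more LDAP subtrees and is
validated at login for the virtual portal mapped to it, and application
groups stored outside LDAP whose members are LDAP users or groups.
All DNs, realm names, virtual portal names and groups are constructed
sample data.
"""
from __future__ import annotations

from dataclasses import dataclass


def normalize_dn(dn: str) -> tuple[str, ...]:
    """Split a DN into lower-cased, trimmed RDNs for comparison.

    Simplification: escaped commas inside RDN values are not handled.
    """
    return tuple(part.strip().lower() for part in dn.split(","))


def dn_under_base(dn: str, base: str) -> bool:
    """True if dn lies strictly below base in the directory tree."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) > len(b) and d[-len(b):] == b


@dataclass(frozen=True)
class Realm:
    name: str
    base_dns: tuple[str, ...]  # one or more LDAP subtrees (horizontal partitioning)

    def contains(self, user_dn: str) -> bool:
        return any(dn_under_base(user_dn, base) for base in self.base_dns)


# Constructed realms. "sales" combines principals from two LDAP trees and
# overlaps with both "corp" and "partner".
REALMS = {
    "corp": Realm("corp", ("o=corp",)),
    "partner": Realm("partner", ("ou=partners,o=partner",)),
    "sales": Realm("sales", ("ou=sales,o=corp", "ou=partners,o=partner")),
}

# Constructed mapping of virtual portal -> realm. Several virtual portals may
# map to the same realm and so share one user population.
VIRTUAL_PORTALS = {"default": "corp", "partners": "partner", "sales": "sales", "sales2": "sales"}


def realms_of(user_dn: str) -> set[str]:
    """All realms a user belongs to; realms may overlap."""
    return {name for name, realm in REALMS.items() if realm.contains(user_dn)}


def login_allowed(user_dn: str, virtual_portal: str) -> bool:
    """Realm membership check performed during authentication."""
    realm = REALMS[VIRTUAL_PORTALS[virtual_portal]]
    return realm.contains(user_dn)


# Constructed LDAP groups (read-only as far as the portal is concerned).
LDAP_GROUPS = {
    "cn=sales-emea,ou=groups,o=corp": ("uid=alice,ou=sales,o=corp",),
}

# Constructed application groups, stored in the portal database. Members may be
# LDAP users, LDAP groups, or other application groups.
APP_GROUPS = {
    "wps-approvers": ("uid=bob,ou=partners,o=partner", "cn=sales-emea,ou=groups,o=corp"),
    "wps-auditors": ("wps-approvers",),
}


def effective_groups(user_dn: str) -> set[str]:
    """Transitive group membership across LDAP and application groups.

    Iterates to a fixpoint, so nested groups and accidental membership
    cycles both terminate.
    """
    identities = {normalize_dn(user_dn)}
    result: set[str] = set()
    all_groups = {**LDAP_GROUPS, **APP_GROUPS}
    changed = True
    while changed:
        changed = False
        for group, members in all_groups.items():
            if group in result:
                continue
            if any(normalize_dn(m) in identities for m in members):
                result.add(group)
                identities.add(normalize_dn(group))
                changed = True
    return result


def has_role(user_dn: str, role_group: str) -> bool:
    """A role assigned to a group applies to every (transitive) member."""
    return role_group in effective_groups(user_dn)


if __name__ == "__main__":
    for dn in ("uid=wpsadmin,o=corp", "uid=alice,ou=sales,o=corp", "uid=bob,ou=partners,o=partner"):
        print(dn, sorted(realms_of(dn)), login_allowed(dn, "partners"), sorted(effective_groups(dn)))
```

The realm check is a DN suffix comparison against each subtree of the realm, so a user under two subtrees is a member of both realms, while an administrator entry that sits only under o=corp is refused by the partners virtual portal. Group membership is resolved to a fixpoint rather than by recursion, so nested application groups, and a group that accidentally contains itself, still terminate.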
What is single sign-on and why would I want to use it?
The goal of single sign-on is to provide a secure method of authenticating a user once within an environment and using that single authentication (for the duration of the session) as the basis for access to other applications, systems, and networks. In the context of IBM WebSphere Portal Express, there are two single sign-on realms: the realm from the client to the portal and other web applications, and the realm from the portal to the back-end applications.
See Single sign-on and Portlet authentication for additional information.
What is Secure Sockets Layer and why would I want to use it?
Configuring WebSphere Portal Express for SSL adds security to the client-portal exchange. It encrypts all traffic between the client browser and the server, so that no one can eavesdrop on the information exchanged over the network between the client browser and WebSphere Portal Express. In addition, if WebSphere Application Server is also configured to accept (or, better, require) SSL connections, the LTPA token and other security and session information are protected from being captured on the network and then replayed or used to hijack the session. This protection covers the token in transit only: if the same cookie can still be sent over a plain HTTP connection, it can be captured there, so requiring SSL rather than merely accepting it is the safer setting.
See Secure Socket Layer for additional information.
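A check a practitioner would run after enabling SSL, as an added example that is not part of the original page or of the product: SSL protects the LTPA token only while it travels inside the TLS connection, so the token cookie must also be marked so that the browser never sends it on a plain HTTP request. The script below audits Set-Cookie headers for the Secure and HttpOnly attributes and reports whether a browser would send each cookie over http. The cookie names LtpaToken and LtpaToken2 and the sample headers are assumptions made for this example.

```python
"""Audit Set-Cookie headers for the SSO token's transport protection.

Illustrative code added to this page, not part of WebSphere Portal Express.
SSL protects the LTPA token only while it is inside a TLS connection; if the
browser may also send the cookie over plain HTTP, it can be captured there.
This script checks whether token cookies carry the Secure (and HttpOnly)
attributes and whether a browser would send them on an http:// request.
Assumptions: the token cookie names LtpaToken and LtpaToken2, and the sample
headers, are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

TOKEN_COOKIE_NAMES = {"ltpatoken", "ltpatoken2"}  # assumed names, lower-cased


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    findings: tuple[str, ...] = ()


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str]]:
    """Split a Set-Cookie value into name, value and lower-cased attributes.

    Attributes without a value (Secure, HttpOnly) map to "".
    """
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attributes: dict[str, str] = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        attributes[key.strip().lower()] = val.strip()
    return name.strip(), value, attributes


def audit_set_cookie(header: str) -> CookieAudit:
    """Flag a token cookie that lacks the attributes SSL relies on."""
    name, _value, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    httponly = "httponly" in attrs
    findings: list[str] = []
    if name.lower() in TOKEN_COOKIE_NAMES:
        if not secure:
            findings.append("missing Secure: token would be sent over plain HTTP")
        if not httponly:
            findings.append("missing HttpOnly: token readable by page scripts")
    return CookieAudit(name, secure, httponly, tuple(findings))


def sent_on_scheme(audit: CookieAudit, scheme: str) -> bool:
    """Browser rule: a Secure cookie is sent only over https."""
    return scheme == "https" or not audit.secure


# Constructed sample headers: an unprotected token cookie, a session cookie,
# and the corrected token cookie.
SAMPLE_HEADERS = [
    "LtpaToken2=AAECAzQ1Njc4OQ==; Path=/; Domain=.example.com",
    "JSESSIONID=0000AbCdEf123:-1; Path=/; HttpOnly",
    "LtpaToken2=AAECAzQ1Njc4OQ==; Path=/; Domain=.example.com; Secure; HttpOnly",
]


def audit_headers(headers: list[str]) -> list[CookieAudit]:
    return [audit_set_cookie(h) for h in headers]


if __name__ == "__main__":
    for audit in audit_headers(SAMPLE_HEADERS):
        status = "OK" if not audit.findings else "; ".join(audit.findings)
        print(f"{audit.name}: sent over http={sent_on_scheme(audit, 'http')} {status}")
```

The first sample header shows the weak setting (the token cookie would accompany any http:// request to the domain) and the third shows the corrected one. Run it against the real Set-Cookie headers returned by the portal's login response; a token cookie without Secure means the SSL configuration described above does not yet protect the token end to end.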
What are Federal Information Processing Standards and why would I want to use them?
Federal Information Processing Standards (FIPS) are standards and guidelines issued by the United States National Institute of Standards and Technology (NIST) for federal government computer systems. FIPS are developed when there are compelling federal government requirements for standards, such as for security and interoperability, but acceptable industry standards or solutions do not exist. WebSphere Portal Express provides toleration for WebSphere Application Server's support of FIPS 140-2. WebSphere Application Server Version 6.0 and later integrates cryptographic modules such as Java Secure Socket Extension (JSSE) and Java Cryptography Extension (JCE), which are FIPS 140-2 certified. Throughout the documentation and the product, the FIPS 140-2 certified IBM JSSE and JCE modules are referred to as IBMJSSEFIPS and IBMJCEFIPS, which distinguishes the FIPS-certified modules from the prior, non-certified IBM JSSE and IBM JCE modules. For more information on the FIPS certification process, to see a list of validated modules, or to check the status of current IBM submissions, see the Related Information below.
See FIPS compliance with WebSphere Portal Express for additional information.
- Authentication
This section describes what authentication is and the methods for login and authentication.
Parent topic:
Configuring security