WebSphere


Portal Express, Version 6.0
Operating systems: i5/OS, Linux, Windows


Enable WebSphere Application Server global security

If you will not be using the WebSphere Portal Express configuration tasks to set up WebSphere Application Server global security, you should make sure that WebSphere Application Server security is set up per this topic. Only parameters that are required to have a certain value are discussed. Other settings can be set at your discretion.

Only use this procedure if your user registry configuration is an LDAP without realm support.

Do not use this procedure if you plan to use the Member Manager configuration (database, or LDAP with realm support). In that case you must use the WebSphere Portal Express automated configuration tasks enable-security-wmmur-db and enable-security-wmmur-ldap to set up WebSphere Application Server security with the Member Manager user registry configuration. These tasks overwrite any existing security settings in WebSphere Application Server.

Follow these steps to make sure that your WebSphere Application Server global security configuration will work with WebSphere Portal Express:

  1. From WebSphere Application Server Administrative Console, click Security > Global security.

  2. Verify the following items. Other parameters do not affect WebSphere Portal Express.

    • Global Security is enabled.

    • Java 2 Security is disabled. (Java 2 Security is the permission sandbox for Java code running in the server. With it disabled, portal code runs without that sandbox, so access control rests on global security and on the operating system.)

    • The Active Authentication Mechanism is LTPA.

    • The Active User Registry is an LDAP.

  3. Click Security > Global security > Authentication > Authentication mechanisms > LTPA.

  4. In the Additional Properties section, click Single Sign On (SSO).

  5. Verify the following items:

    • SSO is enabled.

    • Requires SSL should not be checked unless clients connect to the portal over SSL. When it is checked, single sign-on is performed only for HTTPS requests, so an HTTP-only deployment would lose SSO; when all client traffic is HTTPS, check it so that the LtpaToken cookie is never issued over a clear-text connection.

    • The Domain Name field should be set to the domain suffix of the host name of the HTTP server that front-ends WebSphere Portal Express. For example, if the HTTP server is portal.example.com, the Domain Name would be example.com (an illustrative value). This value is used as the domain of the LtpaToken cookie, so every host that must share the SSO cookie has to lie under it. It is not the LDAP server host name.

  6. WebSphere Application Server must be correctly configured to talk to the directory. For details on setting this up, refer to the WebSphere Application Server security configuration documentation. In addition, if you are using an IBM® Lotus® Domino® directory database for security, make sure that the Web inbound security attribute propagation option is disabled, so that WebSphere Application Server generates the LtpaToken cookie and Lotus Domino single sign-on can be maintained; Lotus Domino does not support LtpaToken2. Unless you performed the WebSphere Application Server installation manually, the install program sets this token alone as the default. Refer to the WebSphere Application Server Infocenter topic Implementing single sign-on to minimize Web user authentications for details about token types. Once the configuration is correct, do the following steps:

    1. Copy the Base Distinguished Name (DN) value to the LDAPSuffix property value in the wpconfig.properties file.

    2. Select Ignore Case.

    3. Enable SSL only if the connection from WebSphere Application Server to the directory is over SSL.

    4. In the Additional Properties section, click Advanced LDAP user registry settings. The search filters and other settings must be set for your directory.

      • In the User Filter field, the attribute that appears before =%v is the attribute users enter to log in. For example, if users log in by entering an e-mail address, and the e-mail address is stored in the LDAP user object attribute "emailaddress", then that attribute should be emailaddress. The login attribute may or may not also be the first RDN attribute of your user DNs. The LDAPUserPrefix value in the wpconfig.properties file must always be the first RDN attribute of your user DNs, whatever the login attribute is. The following table shows how these values relate; the last column is the LDAPUserPrefix value in wpconfig.properties.

        Login attribute   First RDN attribute of DNs   WebSphere Application Server User Filter attribute   LDAPUserPrefix
        uid               uid                          uid                                                  uid
        emailaddress      uid                          emailaddress                                         uid

      • Contact your LDAP administrator for the objectclass values to use in the User Filter and Group Filter. In the wpconfig.properties file, set the LDAPUserObjectClass property to the objectclass used in the User Filter, and the LDAPGroupObjectClass property to the objectclass used in the Group Filter.

    5. Run the enable-security-ldap task. Then, under Security > Global security > User registries > LDAP, select the type of LDAP server you are using.

  7. If you use a custom user registry, follow these steps:

    1. Click Security > Global security > User registries > Custom. Verify that Ignore Case is selected. Other parameters do not affect WebSphere Portal Express.

    2. Refer to the WebSphere Portal Express product documentation page at http://www.ibm.com/websphere/portal/library for further instructions. A Whitepaper containing instructions for using WebSphere Portal Express with a custom user registry will be available soon.
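As an added example that is not part of the IBM documentation, the following Python script derives the wpconfig.properties values that the steps above say must agree with the WebSphere Application Server LDAP settings (LDAPSuffix from the Base DN, LDAPUserPrefix from the first RDN attribute of a user DN, LDAPUserObjectClass and LDAPGroupObjectClass from the User and Group Filters) and checks the SSO Domain Name against the HTTP server host name. The filter strings, DNs and host names are constructed sample input, and all function names are the example's own.

```python
import re

# Constructed sample of the WebSphere Application Server settings discussed
# above (assumed values; substitute your own). Not from the IBM documentation.
WAS_SETTINGS = {
    "base_dn": "dc=example,dc=com",                                # Base Distinguished Name
    "user_filter": "(&(uid=%v)(objectclass=inetOrgPerson))",       # Advanced LDAP: User Filter
    "group_filter": "(&(cn=%v)(objectclass=groupOfUniqueNames))",  # Advanced LDAP: Group Filter
    "sso_domain": "example.com",                                   # SSO Domain Name
    "http_server_host": "portal.example.com",                      # front-end HTTP server
    "ldap_host": "ldap.example.com",                               # directory host (NOT the SSO domain)
}

# Constructed sample user DN, used to find the first RDN attribute.
SAMPLE_USER_DN = "uid=wpsadmin,cn=users,dc=example,dc=com"


def login_attribute(user_filter):
    """Attribute that precedes '=%v' in the User Filter: what users type to log in."""
    m = re.search(r"\(([A-Za-z][\w.;-]*)=%v\)", user_filter)
    if not m:
        raise ValueError("User Filter has no '<attr>=%v' clause: " + user_filter)
    return m.group(1).lower()


def object_class(ldap_filter):
    """objectclass named in a User Filter or Group Filter (match is case-insensitive)."""
    m = re.search(r"\(objectclass=([^)]+)\)", ldap_filter, re.IGNORECASE)
    if not m:
        raise ValueError("filter has no objectclass clause: " + ldap_filter)
    return m.group(1)


def first_rdn_attribute(dn):
    """Attribute type of the first RDN, e.g. 'uid' for 'uid=x,cn=users,...'.

    Splits on the first unescaped comma so a value containing '\\,' stays intact.
    Lower-cased because the registry is configured with Ignore Case.
    """
    first_rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    attr, sep, _value = first_rdn.partition("=")
    if not sep:
        raise ValueError("not a DN: " + dn)
    return attr.strip().lower()


def sso_domain_is_valid(sso_domain, http_server_host):
    """The SSO Domain Name must be a suffix of the HTTP server host name.

    A leading dot is tolerated; the match must fall on a label boundary so that
    'example.com' does not accept 'notexample.com'.
    """
    domain = sso_domain.lstrip(".").lower()
    host = http_server_host.lower()
    return host == domain or host.endswith("." + domain)


def wpconfig_properties(was, sample_user_dn):
    """wpconfig.properties entries that must agree with the WAS LDAP settings."""
    return {
        "LDAPSuffix": was["base_dn"],
        "LDAPUserPrefix": first_rdn_attribute(sample_user_dn),
        "LDAPUserObjectClass": object_class(was["user_filter"]),
        "LDAPGroupObjectClass": object_class(was["group_filter"]),
    }


def check_settings(was, sample_user_dn):
    """Return a list of human-readable problems; an empty list means the settings agree."""
    problems = []
    if not sso_domain_is_valid(was["sso_domain"], was["http_server_host"]):
        problems.append("SSO Domain Name %r is not a suffix of HTTP server host %r"
                        % (was["sso_domain"], was["http_server_host"]))
    if was["sso_domain"].lstrip(".").lower() == was["ldap_host"].lower():
        problems.append("SSO Domain Name is the LDAP server host name; use the HTTP server's domain")
    if not sample_user_dn.lower().endswith("," + was["base_dn"].lower()):
        problems.append("sample user DN %r is not under Base DN %r"
                        % (sample_user_dn, was["base_dn"]))
    return problems


def render_properties(props):
    """Serialize as wpconfig.properties lines; only the first '=' separates key from value."""
    return "\n".join("%s=%s" % (key, value) for key, value in props.items())


if __name__ == "__main__":
    for problem in check_settings(WAS_SETTINGS, SAMPLE_USER_DN):
        print("PROBLEM:", problem)
    print(render_properties(wpconfig_properties(WAS_SETTINGS, SAMPLE_USER_DN)))
```

Running it with the sample settings prints the four property lines and no problems; changing the SSO Domain Name to the LDAP host, or supplying a User Filter whose login attribute is emailaddress while the user DNs start with uid=, shows the two distinct values the table above describes (login attribute versus LDAPUserPrefix).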


Parent topic:

Using WebSphere Application Server global security