WebSphere Portal Express, Version 6.0
Operating systems: i5/OS, Linux, Windows


Securing WSRP by SSL for a Producer portal

As a Producer, you can ensure security for the WSRP services that you provide by configuring your Producer portal for Secure Socket Layer (SSL) with Client Certificate Authentication.

J2EE allows only one authentication mechanism per WAR file. To let you use SSL client certificate authentication for WSRP while continuing to use other means of authentication for the rest of the portal, WSRP introduces a second WAR file for the Producer portal. This second WAR file is named wps_facade.war. It contains servlets that form a facade Web application, which channels the WSRP requests to the Producer's access points.

This allows you to use SSL client certificate authentication for the WSRP Producer portal and, at the same time, another method of authentication for the rest of the portal, for example form-based authentication. You set this up as follows:

This second WAR file for the Producer requires a separate context root. The default value for this second context root is wsrp, which gives the full context root http://my.portal.com:myport/wsrp. You can configure this context root as required: modify the property uri.context.path.facade in the Configuration Service to a different value. For details about how to change portal service configuration parameters, refer to Setting configuration properties.

Security notice: Do not use portlets that utilize the Credential Vault over WSRP in conjunction with SSL client certificate authentication. If you configure SSL client certificate authentication for WSRP services, the Consumer portal uses a proxy user ID to authenticate on behalf of its individual users. You configure this proxy user ID by means of the Consumer-side SSL client certificate. This means that the WSRP Consumer provides the individual personalization information to the WSRP Producer, but authenticates for all users with the same identity information. Consequently, if a portlet on the Producer portal utilizes the Credential Vault, all users from one Consumer portal access the same credential slot and can read and override each other's settings in that credential slot. Therefore, do not use portlets that utilize the Credential Vault over WSRP in conjunction with SSL client certificate authentication.

To configure the portal for securing WSRP services by Secure Socket Layer, proceed by the following steps:

  1. Configure WebSphere Application Server for SSL support. For the latest information about configuring WebSphere Application Server for LDAP over SSL refer to http://www.redbooks.ibm.com/ and search for security handbook. Proceed as follows:

    1. Enable security.

    2. Enable SSL ID tracking. To do this, access the administrative console and click Application Servers > WebSphere_Portal > Web Container > Session Management, then enable SSL ID tracking.

    3. Configure your advanced LDAP security settings. Certificate-based authentication requires that you configure the authentication mechanism so that one of the following conditions applies:

      • WebSphere Application Server maps the entire Distinguished Name (DN) from the subject field of the certificate to a corresponding Distinguished Name in your LDAP. To use this option, set the mapping technique in the LDAP configuration panel to exact.

      • WebSphere Application Server maps the entry in the subject field to a different attribute than the Distinguished Name in your user registry. To use this option, set up the mapping technique in the LDAP configuration panel to use the certificate filter option. Using the certificate filter option allows you more flexibility in using other attributes than the Distinguished Name to identify the users. For example, the filter uid=${SubjectCN} maps the SubjectCN field of the client certificate to the uid attribute in your LDAP.

      If you use an LDAP with realm support on the Producer portal, define the certificateFilter attribute at the wmm tag in portal_server_root/wmm/wmm.xml, for example certificateFilter="uid=${SubjectCN}".

    4. Define a new virtual host alias. Click Environment > Virtual Hosts > default_host > Host Aliases > New, and define your SSL communication port. You can use an asterisk ( * ) as a wildcard for the hostname.

  2. If you use an external HTTP server, perform the following additional steps:

    1. Regenerate the plug-in. To do this, click Servers > Web Servers. Select the Web server and click Generate Plug-in. Update the HTTP server with the generated plug-in.

    2. Create the server certificates in the keystore of your HTTP server.

    3. Export the server certificates from the HTTP server. You will later give that information to the WSRP Consumer.

    4. Restart the HTTP server for the changes to take effect.

    5. Enable client certificate authentication in your Web server. For IBM HTTP Server (IHS), refer to http://www.redbooks.ibm.com/ and search for security handbook for the latest information about WebSphere Application Server.

  3. Add new tags to the web.xml file. Proceed by the following steps:

    1. Edit the file web.xml. It is located in the directory was_config_root/cells/cellname/applications/wps.ear/deployments/wps/wps_facade.war/WEB-INF. If you have a portal cluster installation, perform this step on the Network Deployment server.

    2. Add a new login-config tag for the client certificate authentication method with a new unique ID. For example, this can be as follows:

      <login-config id="LoginConfig_your_id_number">
         <auth-method>CLIENT-CERT</auth-method>
         <realm-name>WPS_FACADE</realm-name>
      </login-config>

    3. Add new security-constraint tags with unique IDs for the WSRPBaseService, WSRPServiceDescriptionService, and WSRPPortletManagementService URL patterns. The following example shows the WSRPBaseService URL pattern:

      <security-constraint id="SecurityConstraint_your_id_number">
         <web-resource-collection id="WebResourceCollection_your_id_number">
            <web-resource-name></web-resource-name>
            <url-pattern>/WSRPBaseService</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
         </web-resource-collection>
         <auth-constraint id="AuthConstraint_your_id_number">
            <description></description>
            <role-name>All Role</role-name>
         </auth-constraint>
         <user-data-constraint id="UserDataConstraint_your_id_number">
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
      </security-constraint>

    4. Save your changes.

  4. Update the affected parameters as required:

    1. If you want to enable Portal Access Control for the Producer portal, set the following property in the Configuration Service to true: wsrp.security.enabled = true. For details about how to do this, refer to Setting configuration properties.

    2. If the URLs of the WSRP ports have to point to different locations or use different ports, configure them accordingly. By default, the URLs of the WSRP ports are the same as the URLs by which the Web services WSDL document is addressed by Consumers. For details about how you can change these URLs refer to Setting the WSRP SOAP ports.

  5. Restart the portal for the changes to take effect.
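The two certificate-to-LDAP mapping options from step 1.3 (the exact Distinguished Name mapping and a certificate filter such as uid=${SubjectCN}) can be illustrated with a small stand-alone script. This is an added example, not WebSphere Application Server code: the toy directory, the placeholder expansion and the filter evaluation are constructed assumptions that mimic the documented behaviour, not the product's implementation. It also shows a point a reviewer would check: the certificate field substituted into the filter is escaped as RFC 4515 requires, so a subject CN containing a wildcard cannot turn uid=${SubjectCN} into a filter that matches every user.

```python
"""Constructed illustration of the two certificate-to-LDAP mapping options:
'exact' DN mapping and a certificate filter such as uid=${SubjectCN}.
Not WebSphere Application Server code; the directory contents, placeholder
expansion and filter evaluation are assumptions for illustration only."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed directory: DN -> attributes. The WSRP Consumer's entry is keyed
# by uid, so an 'exact' DN mapping of its certificate subject would fail.
LDAP_ENTRIES: Dict[str, Dict[str, str]] = {
    "uid=wsrpconsumer,ou=wsrp,o=example": {"uid": "wsrpconsumer", "cn": "wsrpconsumer"},
    "cn=alice,ou=people,o=example": {"uid": "alice", "cn": "alice"},
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs; attribute names lower-cased.
    Simplified: RDNs separated by commas, no escaped commas."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def normalize_dn(dn: str) -> str:
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn))


def subject_cn(subject_dn: str) -> str:
    """First CN value of the certificate subject, or '' if absent."""
    return next((v for a, v in parse_dn(subject_dn) if a == "cn"), "")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a certificate field must not be able to change the
    filter's structure (an unescaped '*' would become a wildcard)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def expand_certificate_filter(template: str, subject_dn: str, escape: bool = True) -> str:
    """Expand ${SubjectCN} and ${SubjectDN} in a filter template.
    escape=False exists only to show what goes wrong without escaping."""
    values = {"SubjectCN": subject_cn(subject_dn), "SubjectDN": subject_dn}

    def repl(m):
        if m.group(1) not in values:
            raise ValueError("unsupported placeholder: " + m.group(1))
        v = values[m.group(1)]
        return escape_filter_value(v) if escape else v

    return re.sub(r"\$\{(\w+)\}", repl, template)


def _filter_value_matches(attr_value: str, filter_value: str) -> bool:
    """Toy RFC 4515 evaluation: unescaped '*' is a wildcard, '\\xx' is literal."""
    unescape = lambda s: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    pattern = ".*".join(re.escape(unescape(p)) for p in filter_value.split("*"))
    return re.fullmatch(pattern, attr_value) is not None


def search(ldap_filter: str) -> List[str]:
    """Evaluate a single attr=value filter against the constructed directory."""
    attr, _, value = ldap_filter.partition("=")
    return [dn for dn, e in LDAP_ENTRIES.items()
            if _filter_value_matches(e.get(attr.lower(), ""), value)]


def map_exact(subject_dn: str) -> Optional[str]:
    """'exact' mapping: the whole certificate subject DN must be an entry DN."""
    wanted = normalize_dn(subject_dn)
    return next((dn for dn in LDAP_ENTRIES if normalize_dn(dn) == wanted), None)


def map_with_filter(template: str, subject_dn: str) -> Optional[str]:
    """Certificate filter mapping; only a unique match authenticates."""
    matches = search(expand_certificate_filter(template, subject_dn))
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    consumer = "CN=wsrpconsumer,OU=wsrp,O=example"
    print("exact  :", map_exact(consumer))
    print("filter :", map_with_filter("uid=${SubjectCN}", consumer))
    print("CN='*' :", search(expand_certificate_filter("uid=${SubjectCN}", "CN=*,O=example")))
    print("no esc :", search(expand_certificate_filter("uid=${SubjectCN}", "CN=*,O=example", False)))
```

The last two lines of the demonstration are the reason for the escaping: with the value escaped, a certificate whose CN is `*` matches nothing, while without escaping the same certificate would match every entry. Whether a certificate with such a subject can exist at all depends on the issuing CA, which is why the CA trusted for client certificates on the WSRP port should be one the Producer controls.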
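A check script for step 3, added here as an example and not part of WebSphere Portal: it parses a web.xml and reports where the wps_facade.war settings deviate from the procedure (a CLIENT-CERT login-config, and for each of the three WSRP URL patterns a security-constraint covering GET, POST and PUT with an auth-constraint and transport-guarantee CONFIDENTIAL). The embedded web.xml is constructed for the demonstration, with its third constraint deliberately incomplete so that the findings are visible; the function and file names are the example's own. To check a real deployment, read the file from the WEB-INF directory named in step 3.1 and pass its contents to check_wsrp_facade.

```python
"""Added example: check a wps_facade.war web.xml for the WSRP settings from
step 3. Not WebSphere Portal code; the sample web.xml is constructed."""
import xml.etree.ElementTree as ET
from typing import List

WSRP_SERVICES = ("/WSRPBaseService", "/WSRPServiceDescriptionService",
                 "/WSRPPortletManagementService")
REQUIRED_METHODS = {"GET", "POST", "PUT"}


def _constraint(n: int, pattern: str, methods, with_auth: bool, guarantee: str) -> str:
    """Render one security-constraint element for the constructed sample."""
    http = "".join(f"<http-method>{m}</http-method>" for m in methods)
    auth = (f'<auth-constraint id="AuthConstraint_{n}"><role-name>All Role</role-name>'
            "</auth-constraint>" if with_auth else "")
    return (f'  <security-constraint id="SecurityConstraint_{n}">\n'
            f'    <web-resource-collection id="WebResourceCollection_{n}">\n'
            "      <web-resource-name></web-resource-name>\n"
            f"      <url-pattern>{pattern}</url-pattern>\n      {http}\n"
            "    </web-resource-collection>\n"
            f"    {auth}\n"
            f'    <user-data-constraint id="UserDataConstraint_{n}">\n'
            f"      <transport-guarantee>{guarantee}</transport-guarantee>\n"
            "    </user-data-constraint>\n  </security-constraint>\n")


def build_sample(broken: bool) -> str:
    """Constructed web.xml with the J2EE namespace a real deployment uses.
    With broken=True the third constraint lacks PUT and an auth-constraint
    and uses transport-guarantee NONE, so the checker has findings."""
    third = (_constraint(3, WSRP_SERVICES[2], ("GET", "POST"), False, "NONE") if broken
             else _constraint(3, WSRP_SERVICES[2], ("GET", "POST", "PUT"), True, "CONFIDENTIAL"))
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<web-app id="WebApp_ID" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee">\n'
            '  <login-config id="LoginConfig_1">\n'
            "    <auth-method>CLIENT-CERT</auth-method>\n"
            "    <realm-name>WPS_FACADE</realm-name>\n  </login-config>\n"
            + _constraint(1, WSRP_SERVICES[0], ("GET", "POST", "PUT"), True, "CONFIDENTIAL")
            + _constraint(2, WSRP_SERVICES[1], ("GET", "POST", "PUT"), True, "CONFIDENTIAL")
            + third + "</web-app>\n")


SAMPLE_WEB_XML = build_sample(broken=True)


def _strip_namespaces(root: ET.Element) -> ET.Element:
    """Drop '{uri}' prefixes so the checks work with or without xmlns."""
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root


def check_wsrp_facade(web_xml: str) -> List[str]:
    """Return findings (empty list = matches the procedure): exactly one
    login-config with CLIENT-CERT; for each WSRP URL pattern a
    security-constraint covering GET/POST/PUT, an auth-constraint and
    transport-guarantee CONFIDENTIAL."""
    root = _strip_namespaces(ET.fromstring(web_xml))
    findings: List[str] = []
    methods = [lc.findtext("auth-method", "").strip() for lc in root.findall("login-config")]
    if methods != ["CLIENT-CERT"]:
        findings.append(f"login-config: expected exactly one CLIENT-CERT auth-method, found {methods}")
    by_pattern = {}
    for sc in root.findall("security-constraint"):
        for wrc in sc.findall("web-resource-collection"):
            for up in wrc.findall("url-pattern"):
                by_pattern[(up.text or "").strip()] = (sc, wrc)
    for service in WSRP_SERVICES:
        if service not in by_pattern:
            findings.append(f"{service}: no security-constraint")
            continue
        sc, wrc = by_pattern[service]
        missing = REQUIRED_METHODS - {(m.text or "").strip() for m in wrc.findall("http-method")}
        if missing:
            findings.append(f"{service}: http-method missing {sorted(missing)}")
        if sc.find("auth-constraint") is None:
            findings.append(f"{service}: no auth-constraint, unauthenticated access would be allowed")
        tg = sc.findtext("user-data-constraint/transport-guarantee", "").strip()
        if tg != "CONFIDENTIAL":
            findings.append(f"{service}: transport-guarantee is {tg or 'absent'}, expected CONFIDENTIAL")
    return findings


if __name__ == "__main__":
    for line in check_wsrp_facade(SAMPLE_WEB_XML) or ["OK: no findings"]:
        print(line)
```

The checker treats a missing auth-constraint as a finding on purpose: a security-constraint with a user-data-constraint but no auth-constraint still forces SSL, but it no longer requires the caller to authenticate at all, which silently defeats the client certificate requirement for that WSRP service.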

 

Parent topic:

Preparing security for a WSRP Producer portal

 

Related tasks
Securing WSRP by SSL for a Consumer portal
Setting the WSRP SOAP ports