Configuring WebSphere Portal - Express for Multiplatforms V5.0.2 (iSeries) with Single sign-on

 

This example is for users that are not familiar with the Web serving environment. It describes all the steps necessary to get iSeries™ Access for Web running in a WebSphere® Portal web serving environment with single sign-on (SSO) enabled. It also describes how to verify that the setup is working.

When configuration is completed, the default setting for the iSeries Access portlets authentication option is "Use authenticated WebSphere credential". This option enables iSeries Access portlets to automatically access i5/OS® resources using the authenticated WebSphere Portal user. It is not necessary to configure i5/OS credentials (user profile name and password) for each of the iSeries Access portlets when this type of SSO environment is enabled. iSeries Access portlets use Enterprise Identity Mapping (EIM) to map the authenticated WebSphere Portal user to an i5/OS user profile. The mapped i5/OS user profile is used to authorize the user to i5/OS resources using standard i5/OS object level security.

Configuring your portal environment consists of these steps:

  1. Start the IBM Web Administration for iSeries interface.

    1. Start a 5250 session to the system.

    2. Sign on with a user profile that has at least these special authorities: *ALLOBJ, *IOSYSCFG, *JOBCTL, and *SECADM.

    3. Run the following command to start the web administration interface job: STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)

    4. Minimize the 5250 session.
  2. Create an HTTP web server, create a WebSphere Application Server V5.0 for iSeries Web application server, and deploy WebSphere Portal:

    1. Open a browser to: http://<system_name>:2001
    2. Log in with a user profile that has at least these special authorities: *ALLOBJ, *IOSYSCFG, *JOBCTL, and *SECADM.
    3. Select IBM Web Administration for iSeries.
    4. Select the Setup tabbed page.
    5. Under Common Tasks and Wizards, select Create WebSphere Portal.
    6. The Create WebSphere Portal page opens. Select Next.
    7. The Create a WebSphere Application Server for the Portal - Specify Name page opens. In the Application server name field, enter iwawps5sso, then select Next.
    8. The Select HTTP Server Type page opens. Select Create a new HTTP server (powered by Apache), then select Next.
    9. The Create a new HTTP server (powered by Apache) page opens.

      • For HTTP server name, specify IWAWPS5SSO.  

      • For Port, specify 4038.
       After entering the values, select Next.
    10. The Specify Internal Ports Used by the Application Server page opens. For First port in range, change the default value to 41038, then select Next.
    11. The Create DB2® Database for Portal page opens. Select Next.
    12. The Specify User to Own the Portal Database page opens. The page defaults to use an existing user profile, wpsdbuser.

      • If you know the password for this user profile, enter it.

      • Otherwise, select Create a new user on this local system and follow the prompts.
      In this example, we assume you use the existing user (default option). After specifying the user profile, select Next.
    13. The "Create a default URL path, portal path, and personalized path" page opens. Leave the default values for the fields displayed. Select Next.
    14. The Configure Proxy Information for Content Access Service page opens. Select Next.
    15. The Deploy Default Portlets page opens. Select Business portlets for deployment. Deselect all other optional portlets, including iSeries Access portlets. Select Next.
    16. The Secure Application Server and WebSphere Portal with LDAP page opens. Select Yes, secure this server using LDAP, then specify these values:

      • For LDAP server host name, specify the fully qualified host name of the LDAP server to contain the WebSphere active user registry. For example, MYISERIES.MYCOMPANY.COM

      • For LDAP Port, specify the port number of the LDAP server to contain the WebSphere active user registry. For example, 389.
      Select Next.
    17. The LDAP Authentication page opens. Specify these values:

      • For LDAP administrator DN, specify the distinguished name of the LDAP administrator. For example: cn=administrator

      • For LDAP administrator password, specify the password of the LDAP administrator. For example, myadminpwd.
      Select Next.
    18. The LDAP Configuration Parameters page opens. Select Next.
    19. The LDAP Administrative Group and Administrative User page opens. For Password and Confirm Password, enter the desired password for the portal administrator user ID.

      Select Next.

    20. The Web Server Single Signon (SSO) Configuration Parameters page opens. Specify one of these:

      • If no other servers are part of the SSO domain, select Limit SSO domain to this Web server's hostname.

      • If other servers are part of the SSO domain, select Include other Web servers in your SSO environment and provide your SSO domain name, for example, MYCOMPANY.COM.
      Select Next.
    21. If an SSO domain name was provided on the previous page, the "Configure Lightweight Third Party Authentication (LTPA) for Web Server Single Signon (SSO) Environment" page opens. For LTPA password and Confirm Password, enter the desired password for LTPA authentication.

      Select Next.

    22. The Configure Identity Token SSO for Web to i5/OS Access page opens. Select Configure Identity Tokens, then specify the following values:

      • For LDAP server host name, specify the fully qualified host name of the LDAP server hosting the EIM domain created during EIM setup. For example, MYISERIES.MYCOMPANY.COM.

      • For LDAP Port, specify the port number of the LDAP server hosting the EIM domain created during EIM setup. For example, 389.

      • For LDAP administrator DN, specify the distinguished name of the LDAP administrator. For example: cn=administrator.

      • For LDAP administrator password, specify the password of the LDAP administrator. For example, myadminpwd.
      Select Next.
    23. The Configure Identity Token EIM Domain Information page opens. Specify these values:

      • For EIM Domain Name, select the name of the EIM domain created during EIM setup. For example,  EimDomain.

      • For Source Registry Name, select the name of the EIM source registry created during EIM setup. For example,  WebSphereUserRegistry.
      Select Next.
    24. The Configure Look-Aside Database page opens. Select Next.
    25. The Summary page opens. Select Finish.
    26. The Web page is re-displayed.  The Manage/Application Servers tabbed page is active. Under Instance/Server, iwawps5sso/iwawps5sso – WAS, V5 (portal) is listed with a status of Creating. From this Web page, you can manage the WebSphere application server.

      Use the refresh icon next to the Creating status to refresh the page, if the page does not periodically refresh.

      When the process completes, the status is updated to Running.

      Minimize the browser window.

  3. Configure iSeries Access for Web.

    1. Restore the 5250 session window.
    2. To see the WebSphere application server running, enter this command: WRKACTJOB SBS(QEJBAS5)
    3. Verify that IWAWPS5SSO is listed as a job running under the QEJBAS5 subsystem.  iSeries Access for Web requires WebSphere Portal to be running before it can be configured.
    4. To see the HTTP server running, run this command:   WRKACTJOB SBS(QHTTPSVR)
    5. Verify that IWAWPS5SSO is listed as a running job.  There will likely be multiple jobs of this name running.
    6. iSeries Access for Web portlets are configured using a command provided by the software product.  Two different commands are provided, a CL command and a QShell script command.  Both commands provide and perform the same function.  Use the command you prefer.

      • To use the CL command, follow these steps:

        1. Configure iSeries Access for Web portlets using the following command:  
          CFGACCWEB2 APPSVRTYPE(*WP50) WASINST(iwawps5sso) 
                     WPUSRID(wpsadmin) WPPWD(wpsadmin) 
                     WPURL('<system_name>:4038/wps/config') WPDFTPAG(*CREATE)
          These are the parameters used:

          APPSVRTYPE

          Tells the command which Web application server environment to configure.

          WASINST

          Tells the command which instance of the Web application server to configure.

          WPUSRID

          Tells the command what WebSphere Portal administrative user ID to use to make the configuration change.

          WPPWD

          The password for the user ID entered with the WPUSRID parameter.

          WPURL

          The URL used to access the WebSphere Portal configuration servlet so that the configuration changes can be made.

          WPDFTPAG

          Tells the command to create the default iSeries Access portlet pages and deploy portlets to those pages.
          For help on this command and the parameters, press F1.

        2. Several messages similar to these will be displayed:  

          • Configuring iSeries Access for Web. 

          • Preparing to perform the configuration changes. 

          • Calling WebSphere to perform the configuration changes.

          • iSeries Access for Web command has completed.

          • Refer to the following log file for additional success/failure information: /QIBM/UserData/Access/Web2/wp50/iwawps5sso/logs/cfgwps50iwa.log

          • Refer to the following log file for additional success/failure information: /QIBM/UserData/Access/Web2/wp50/iwawps5sso/logs/cfgwps50iwapage.log

          • iSeries Access for Web command has completed.
              
        3. Press F3 or Enter when the command completes to exit the display session.

      • To use the QShell script command, follow these steps:

        1. Start the QShell environment using the following command: QSH

        2. Make the iSeries Access for Web directory the current directory.  Run this command:  
          cd /QIBM/ProdData/Access/Web2/install 

        3. Configure iSeries Access for Web portlets using the following command:  
          cfgaccweb2 -appsvrtype *WP50 -wasinst iwawps5sso -wpusrid wpsadmin -wppwd wpsadmin -wpurl <system_name>:4038/wps/config -wpdftpag *CREATE
          These are the parameters used:

          -appsvrtype

          Tells the command which Web application server environment to configure.

          -wasinst

          Tells the command which instance of the Web application server to configure.

          -wpusrid

          Tells the command what WebSphere Portal administrative user ID to use to make the configuration change.

          -wppwd

          The password for the user ID entered with the -wpusrid parameter.

          -wpurl

          The URL used to access the WebSphere Portal configuration servlet so that the configuration changes can be made.

          -wpdftpag

          Tells the command to create the default iSeries Access portlet pages and deploy portlets to those pages.
          For help on this command and the parameters, specify the -? parameter.

        4. Several messages similar to these will be displayed:  

          • Configuring iSeries Access for Web. 

          • Preparing to perform the configuration changes. 

          • Calling WebSphere to perform the configuration changes.

          • iSeries Access for Web command has completed.

          • Refer to the following log file for additional success/failure information: /QIBM/UserData/Access/Web2/wp50/iwawps5sso/logs/cfgwps50iwa.log

          • Refer to the following log file for additional success/failure information: /QIBM/UserData/Access/Web2/wp50/iwawps5sso/logs/cfgwps50iwapage.log

          • iSeries Access for Web command has completed.
              
        5. Press F3 when the command completes to exit the QShell session.
    7. If the command fails or indicates an error, refer to the log files:

      • /QIBM/UserData/Access/Web2/logs/cmds.log

        High level, cause and recovery information; translated

      • /QIBM/UserData/Access/Web2/logs/cmdstrace.log

        Detailed command flow for IBM Software Service; English only

      • /QIBM/UserData/Access/Web2/wp50/iwawps5sso/logs/cfgwps50iwa.log

        Details deploying portlets.

        This file might be in EBCDIC.

      • /QIBM/UserData/Access/Web2/wp50/iwawps5sso/logs/cfgwps50iwapage.log

        Details creating portal pages.

        This file might be in EBCDIC.

    8. Sign off the 5250 session.
    9. Close the 5250 session window.
  4. Use a browser to access iSeries Access for Web.

    1. Open a web browser to the following address to access WebSphere Portal and iSeries Access for Web portlets: http://<system_name>:4038/wps/portal
    2. Log in to WebSphere Portal using wpsadmin for the user ID and password.
    3. The Portal page opens. Select the My iSeries tabbed page.  You might need to move the tab bar to the right to see the My iSeries tab.
    4. Navigate to the various sub-pages of the My iSeries tabbed page.
    5. Close the browser window.
By following these steps, you completed these tasks:

In this example, only the CFGACCWEB2 command is used to configure iSeries Access for Web. For more information about using all the iSeries Access for Web CL commands, use the CL command finder.
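
Step 7 of "Configure iSeries Access for Web" notes that cfgwps50iwa.log and cfgwps50iwapage.log might be in EBCDIC, so they can be unreadable once copied to a workstation for review. The following Python script is an added example, not part of the IBM documentation: it decodes such a log whether it is EBCDIC or ASCII/UTF-8 and lists the lines that look like failures. The cp037 code page, the failure keywords, and the sample log text are assumptions.

```python
"""Decode an iSeries Access for Web configuration log that may be EBCDIC."""
import string
import sys

EBCDIC = "cp037"  # assumption: CCSID 37 (US English EBCDIC); adjust per system
PLAIN = set(string.printable)
KEYWORDS = ("error", "fail", "exception")  # assumed markers, not from IBM docs


def _score(text):
    """Fraction of characters that are ordinary printable ASCII."""
    return sum(c in PLAIN for c in text) / max(len(text), 1)


def decode_log(data):
    """Return (text, codec), choosing the decoding that reads as plain text."""
    candidates = [(data.decode(EBCDIC), EBCDIC)]  # cp037 maps all 256 bytes
    try:
        candidates.append((data.decode("utf-8"), "utf-8"))
    except UnicodeDecodeError:
        pass  # EBCDIC letters (0x81-0xE9) rarely form valid UTF-8
    return max(candidates, key=lambda c: _score(c[0]))


def find_problems(text):
    """Return (line_number, line) for lines containing a failure keyword."""
    # str.splitlines() also splits on U+0085, which cp037 yields for EBCDIC NL (0x15)
    return [(n, line.strip())
            for n, line in enumerate(text.splitlines(), 1)
            if any(k in line.lower() for k in KEYWORDS)]


# Constructed sample; the real log layout is not shown on the page.
SAMPLE = ("Deploying portlet application\n"
          "Error: configuration servlet did not respond\n"
          "Command completed\n")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:  # path to a copied log file
            raw = fh.read()
    else:
        raw = SAMPLE.encode(EBCDIC)
    text, codec = decode_log(raw)
    print(f"decoded as {codec}")
    for n, line in find_problems(text):
        print(f"{n}: {line}")
```

Run it with the path of a copied log file as the only argument; with no argument it decodes the constructed sample.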

 
