Configure WebSphere Portal for Domino Directory

 


You can use the IBM Web Administration for iSeries tool for all of the WebSphere Portal configuration tasks. The wizard creates the necessary servers (HTTP and WAS), configures the server for Portal, configures the database for Portal, and configures the Portal server for security (LDAP). You can edit the Portal instance configuration manually after you have used the WebSphere Portal wizard.

Follow the steps below to edit...

/qibm/userdata/webas5/base/<instance>/portalserver5/config/wpconfig.properties

...and run the appropriate configuration tasks so that WebSphere Portal can work with the Domino LDAP server.

These instructions configure WebSphere Portal to work with Domino as an LDAP server only. To configure WebSphere Portal for the collaborative features that require Lotus Domino Server, refer to Configure WebSphere Portal to use Domino.

A configuration template might exist to support these instructions. Use the configuration template to update the wpconfig.properties file according to the property descriptions and recommended values provided below. If you do not want to use a configuration template, simply follow the instructions below as written.

 

Steps for this task

  1. Ensure that the LDAP software is installed and any setup required by WebSphere Portal has been performed.

  2. Make a backup copy of...

    /qibm/userdata/webas5/base/<instance>/portalserver5/config/wpconfig.properties

  3. Edit

    /qibm/userdata/webas5/base/<instance>/portalserver5/config/wpconfig.properties

    ...and enter the values appropriate for the environment.

    Section: WAS properties

    WasUserid

    The user ID for WAS security authentication. This should be the fully qualified distinguished name (DN). If a value is specified for WasUserid, a value must also be specified for WasPassword. If WasUserid is left blank, WasPassword must also be left blank.

    For LDAP configuration this value should not contain spaces.

    Recommended: cn=wpsbind,o=yourco.com

    Default LDAP value: uid=wpsbind,cn=users,dc=yourco,dc=com

    WasPassword

    The password for WAS security authentication. If a value is specified for WasPassword, a value must also be specified for WasUserid. If WasPassword is left blank, WasUserid must also be left blank.

    Recommended: No recommended value for this property.

    Default Value: <none>

    Section: Portal configuration properties

    PortalAdminId

    The user ID for the WebSphere Portal administrator. This should be the fully qualified distinguished name (DN).

    For LDAP configuration this value should not contain spaces.

    Recommended: cn=<portaladminid>,o=yourco.com

    Default: <none>

    PortalAdminIdShort

    The short form of the user ID for the WebSphere Portal administrator, as defined in the PortalAdminId property.

    Recommended: <portaladminid>

    Default Value: <none>

    PortalAdminPwd

    The password for the WebSphere Portal administrator, as defined in the PortalAdminId property.

    Recommended: No recommended value for this property

    Default Value: <none>

    PortalAdminGroupId

    The group ID for the group to which the WebSphere Portal administrator belongs.

    Recommended: cn=wpsadmins

    Default Value: <none>

    PortalAdminGroupIdShort

    The short form of the group ID for the WebSphere Portal administrator, as defined in the PortalAdminGroupId property.

    Recommended: wpsadmins

    Default Value: <none>

    Section: WebSphere Portal Security LTPA and SSO configuration

    LTPAPassword

    The password for the LTPA bind.

    Recommended: No recommended value for this property.

    Default Value:

    LTPATimeout

    Sets the time out for the LTPA bind.

    Recommended: 120

    Default Value: 120

    SSODomainName

    Single signon domain; for example, SSODomainName=yourcompany.com

    Recommended: SSODomainName

    Default Value:

    Section: LDAP Properties Configuration

    LookAside

    The purpose of a Look Aside database is to store attributes which cannot be stored in the LDAP server. You can either install with LDAP only or with LDAP using a Look Aside database. To enable a Look Aside database, set this property to true. If you intend to use a Look Aside database, set this value before configuring security, as it cannot be configured after security is enabled.

    Using a Look Aside database may slow down performance.

    Recommended: false

    Default Value: false

    LDAPHostName

    The host information for the LDAP server that WebSphere Portal will use; for example, yourserver.yourcompany.com.

    Recommended: ldapserver_host_name

    Default Value: wpsldap.ibm.com

    LDAPPort

    The port number for the LDAP server that WebSphere Portal will use.

    Recommended Value (non-SSL): 389
    Recommended Value (SSL): 636

    Default Value: 389; (636 for SSL)

    LDAPAdminUId

    The LDAP administrator id; for example, LDAPAdminUId=cn=root.

    Recommended: cn=LDAP_admin_id

    Default Value: cn=root

    LDAPAdminPwd

    The LDAP administrator password.

    Recommended: ldap_admin_password

    Default Value: <none>

    LDAPServerType

    Type of LDAP Server to be used

    Recommended: DOMINO502

    Default Value: IBM_DIRECTORY_SERVER

    LDAPBindID

    User ID for LDAP Bind authentication

    Recommended: cn=wpsbind,o=yourco.com

    Default Value: uid=wpsbind,cn=users,dc=yourco,dc=com

    LDAPBindPassword

    Password for LDAP Bind authentication

    Recommended: bind_password

    Default Value:

    Section: Advanced LDAP Configuration

    LDAPUserFilter

    This key is used to configure the user filter.

    Recommended: (&(|(cn=%v)(uid=%v))(objectclass=inetOrgPerson))

    Default Value: (&(uid=%v)(objectclass=inetOrgPerson))

    LDAPGroupFilter

    This key is used to configure the group filter.

    Recommended: (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))

    Default Value: (&(cn=%v)(objectclass=groupOfUniqueNames))

    LDAPSuffix

    LDAP Suffix

    Recommended: <none>

    Default Value: <none>

    LdapUserPrefix

    DN prefix attribute name for user entries.

    Recommended: cn

    Default Value: uid

    LDAPUserSuffix

    DN suffix attribute name for user entries.

    Recommended: o=yourco.com

    Default Value: cn=users

    LdapGroupPrefix

    DN prefix attribute name for group entries.

    Recommended: cn

    Default Value: cn

    LDAPGroupSuffix

    DN suffix attribute name for group entries.

    Recommended: <none>

    Default Value: cn=groups

    LDAPUserObjectClass

    User object class corresponding to the directory.

    Recommended: inetOrgPerson

    Default Value: inetOrgPerson

    LDAPGroupObjectClass

    Group object class corresponding to the directory.

    Recommended: groupOfNames

    Default Value: groupOfUniqueNames

    LDAPGroupMember

    Specifies the attribute name of the membership attribute of the group objectclass.

    Recommended: member

    Default Value: uniqueMember

    LDAPsslEnabled

    Specifies whether secure socket communications is enabled to the LDAP server.

    Recommended Value (non-SSL): false

    Recommended Value (SSL): true

    Default Value: false

    Section: Database configuration

    DbUser

    The user ID for the database administrator.

    Value Type: Alphanumeric text string

    Default Value: ReplaceWithYourDbAdminId

    DbPassword

    The password for the database administrator.

    Value Type: Alphanumeric text string

    Default Value: ReplaceWithYourDbAdminPwd

    WmmDbUser

    The user ID for the database administrator.

    Value Type: Alphanumeric text string

    Default Value: ReplaceWithYourDbAdminId

    If you are migrating from a previous version of WebSphere Portal, this value must match the database user name for the WebSphere Member Services database from the previous WebSphere Portal version.

    WmmDbPassword

    The password for the database administrator.

    Value Type: Alphanumeric text string

    Default Value: ReplaceWithYourDbAdminPwd

    Do not change any other settings in this file.

  4. Perform this step only if you installed WebSphere Portal on a pre-existing instance of WAS and you did not disable WAS Global Security before installing WebSphere Portal. This step ensures that WebSphere Portal has the appropriate credentials to establish an SSL connection to the WAS administration client when portlets are manually deployed. Ensure that the following properties in the wpconfig.properties file have the values listed below:

    Section: Credentials for WAS administration secure SOAP connection

    TrustStore

    Relative path to the trust file that contains public keys. The path name must start below the <was_root> directory.

    Recommended: trust_file_path

    Default Value: /etc/DummyClientTrustFile.jks

    TrustStorePwd

    Password for accessing the trust file.

    Recommended: trust_file_password

    Default Value: WebAS

    KeyStore

    Relative path to the key file that contains public keys. The path name must start below the <was_root> directory.

    Recommended: key_file_path

    Default Value: /etc/DummyClientKeyFile.jks

    KeyStorePwd

    Password for accessing the key file.

    Recommended: keystore_password

    Default Value: WebAS

  5. Optional: If you installed WAS as part of the WebSphere Portal installation and you plan to use WAS single signon, ensure that the following additional properties in the wpconfig.properties file have the values listed below. If you installed WebSphere Portal onto a pre-existing instance of WAS, skip this step. Any pre-existing settings for WAS SSO are automatically detected and preserved when you run the appropriate task to configure security.

    Section: WebSphere Portal Security LTPA and SSO Configuration

    SSOEnabled

    Specifies that the single signon function is enabled.

    Recommended: true

    Default Value: true

    SSORequiresSSL

    Specifies that single signon is enabled only when requests are over HTTPS Secure Sockets Layer (SSL) connections. Choose False unless SSL is already enabled for WebSphere Portal. In most cases, SSL for WebSphere Portal will not yet be in place. After SSL for WebSphere Portal is set up, change this value using the WAS administrative console.

    Recommended: False or True depending on the environment.

    Default Value: false

  6. Save the file.

  7. Start a 5250 session on the local machine where WebSphere Portal is installed.

  8. Enter STRQSH on the command line to start the Qshell Interpreter.

  9. Enter the following:

    cd /QIBM/UserData/WebAS5/Base/<instance>/PortalServer5/config

    where instance is the name of the portal server instance.

  10. Enter the following:

    WPSconfig.sh validate-ldap

    If the configuration task fails, validate the values in the wpconfig.properties file.

  11. Perform this step only if you installed WebSphere Portal on a pre-existing instance of WAS which had Global Security enabled or if you followed the steps in Manually configuring WAS Global Security.

    If you disabled WAS Global Security before installing WebSphere Portal, enable it now by running the following configuration task:

    WPSconfig.sh secure-portal-ldap

    This task configures WebSphere Portal for security but does not modify the existing WAS security settings.

    Check the output for any error messages before proceeding with any additional tasks. If the configuration task fails, verify the values in the wpconfig.properties file.

  12. Perform this step only if you meet either of the following criteria:

    • You installed WebSphere Portal on a pre-existing instance of WAS which did not have Global Security enabled

    • You installed WAS as part of the WebSphere Portal installation

    Enter the following:

    WPSconfig.sh enable-security-ldap

    Check the output for any error messages before proceeding with any additional tasks. If the configuration task fails, verify the values in the wpconfig.properties file. Before running the task again, be sure to stop the WebSphere Portal application server by entering the following command from the /QIBM/ProdData/WebAS5/PME/bin directory, specifying the WAS user ID and password (as defined by the WasUserid and WasPassword properties):

    stopServer -instance <instance> <was_app_server_name> -user <admin_userid> -password <admin_password>

  13. Perform this step only if you are using LDAP over SSL:

    1. If not already configured, configure WAS to use LDAP over SSL

      To configure WAS to use LDAP over SSL, use the WAS administrative console. WebSphere Portal should be stopped before doing this. Consult the WAS documentation to configure the SSL settings dialog. Verify that the settings are correct by restarting the administrative console, and confirm that no LDAP traffic is sent to the directory's unencrypted port (by default, port 389) on the LDAP directory server. All necessary certificate setup should have been done as part of Set up LDAP over SSL.

    2. Configure WebSphere Portal to use LDAP over SSL

      1. To configure WebSphere Portal to use LDAP over SSL, modify the portal wmm.xml file:

        1. Change the LDAP port from 389 to the port on which the LDAP server is listening for LDAP over SSL traffic. By default, this value is 636. In the <ldapRepository...> stanza of the wmm.xml file, change the port number as desired:
          ldapPort="636"
        2. In the <ldapRepository...> stanza of the wmm.xml file, add the following key/value pair:
          java.naming.security.protocol="ssl"

      2. Restart WebSphere Portal.

  14. Enter the following:

    cd /QIBM/ProdData/WebAS5/PME/bin

  15. Enter the following:

    startServer -instance <instance> <was_app_server_name>

    If you are running with security enabled on WAS, specify a user ID and password for security authentication when entering the command.

  16. Perform this step only if you installed WebSphere Portal on a pre-existing instance of WAS. Do one of the following:

    • If you disabled Global Security before installing: Manually reactivate Global Security. From the WAS administrative console, select Security then click Global Security. Make the appropriate selections and click OK. Restart WebSphere Portal.

    • If you installed WebSphere Portal without configuring it during installation: Use the procedure below to manually deploy portlets.

      1. Ensure that WebSphere Portal is running.

      2. If the Qshell Interpreter is not running on the iSeries system, start it by entering the following on an OS/400 command line:

        STRQSH

      3. Enter the following:

        cd /QIBM/UserData/WebAS5/Base/<instance>/PortalServer5/config

        where instance is the name of the portal server instance.

      4. Enter the following command:

        installportlets.sh <portalAdminID> <portalAdminPassword> <portalHostName> <portalPortNumber>

        Where:

        • portalAdminID is the WebSphere Portal administrator ID.

        • portalAdminPassword is the WebSphere Portal administrator password specified during installation.

        • portalHostName is the host name of the machine where you installed WebSphere Portal. If WAS security is not enabled, you can use a value of localhost for this argument. Otherwise, use the fully qualified host name, such as hostname.yourco.com.

        • portalPortNumber is the port number used to access WebSphere Portal. This value is stored in the WpsHostPort property in the wpconfig.properties file.

        For example:

        installportlets.sh wpsadmin mypassword hostname.yourco.com 10009

  17. Perform this step only if you installed WebSphere Portal into a pre-existing SSO environment. Because you will not be given the option to import the existing token file, perform the following steps:

    • To import the SSO Token:

      1. In the WAS administrative console, select Security, then click Authentication Mechanisms, then click LTPA.

      2. Enter the LTPA token password in the Password field.

      3. Enter the password again in the Confirm password field.

      4. In the Key File Name field, enter the LTPA token file.
      5. Click Import Keys.

      6. Click Save.

    • To set the SSO Domain:

      1. In the WAS administrative console, select Security, then click Authentication Mechanisms, then click LTPA.

      2. Click Single Signon in Additional Properties.

      3. Enter the domain name in the Domain Name field.

      4. Click OK.

  18. Access WebSphere Portal via http://<hostname.yourco.com>:<port_number>/wps/portal and verify that you can log in.

    Once security is enabled, type the fully qualified host name when accessing WebSphere Portal and the WAS administrative console.
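
A pre-flight check for the edited wpconfig.properties, intended to run before WPSconfig.sh validate-ldap. This is an added example, not IBM's code: it applies the rules stated in the steps above (paired WasUserid/WasPassword, no spaces in DNs, port versus LDAPsslEnabled, placeholder database credentials) plus a parenthesis-balance check on the two LDAP filters. The function names and the sample values are constructed for illustration.

```sh
#!/bin/sh
# Added example (not IBM code): pre-flight check of wpconfig.properties.

# prop FILE KEY: print the value of KEY (last assignment wins, empty if unset)
prop() { sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1; }
# count_char STRING CHAR: print how many times CHAR occurs in STRING
count_char() { printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '; }
# unbalanced STRING: succeed when the '(' and ')' counts differ
unbalanced() { [ "$(count_char "$1" '(')" -ne "$(count_char "$1" ')')" ]; }

# check_wpconfig FILE: print one finding per line, return 1 if there are any
check_wpconfig() {
    f=$1; rc=0
    # WasUserid and WasPassword must both be set or both be blank
    u=$(prop "$f" WasUserid); p=$(prop "$f" WasPassword)
    case "${u:+u}${p:+p}" in u|p) echo "WasUserid/WasPassword: set both or neither"; rc=1;; esac
    # For LDAP configuration the DNs must not contain spaces
    for k in WasUserid PortalAdminId; do
        case "$(prop "$f" "$k")" in *" "*) echo "$k: DN contains spaces"; rc=1;; esac
    done
    # SSL flag and port must agree (389 is the unencrypted default)
    ssl=$(prop "$f" LDAPsslEnabled); port=$(prop "$f" LDAPPort)
    case "$ssl:$port" in
        true:389) echo "LDAPPort: 389 with LDAPsslEnabled=true"; rc=1;;
        false:636|:636) echo "LDAPPort: 636 but LDAPsslEnabled is not true"; rc=1;;
    esac
    # Search filters must have balanced parentheses
    for k in LDAPUserFilter LDAPGroupFilter; do
        if unbalanced "$(prop "$f" "$k")"; then echo "$k: unbalanced parentheses"; rc=1; fi
    done
    # Placeholder database credentials must have been replaced
    for k in DbUser DbPassword WmmDbUser WmmDbPassword; do
        case "$(prop "$f" "$k")" in ReplaceWith*) echo "$k: placeholder value"; rc=1;; esac
    done
    return $rc
}

# Constructed sample containing five deliberate mistakes
write_sample() {
    cat > "$1" <<'EOF'
WasUserid=cn=wpsbind,o=yourco.com
WasPassword=
PortalAdminId=cn=portal admin,o=yourco.com
LDAPPort=389
LDAPsslEnabled=true
LDAPUserFilter=(&(|(cn=%v)(uid=%v))(objectclass=inetOrgPerson))
LDAPGroupFilter=(&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames))
DbUser=ReplaceWithYourDbAdminId
EOF
}

sample=${TMPDIR:-/tmp}/wpconfig.sample.$$
write_sample "$sample"
check_wpconfig "$sample" || echo "Fix the findings before running WPSconfig.sh validate-ldap"
rm -f "$sample"
```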

 

Security is enabled

Once you have enabled security with the LDAP directory, you will need to provide the user ID and password required for security authentication on WAS when you perform certain administrative tasks with WAS. For example, to stop the WebSphere Portal application server, you would issue the following command:

stopServer -instance <instance> <was_app_server_name> -user <admin_userid> -password <admin_password>

 
