Configure WebSphere Portal for IBM Directory Server

 


Use the IBM Web Administration for iSeries tool when configuring WebSphere Portal instances. The wizard creates the necessary servers (HTTP and WAS), configures the server for Portal, configures the database for Portal, configures security (LDAP) for Portal, and deploys the portlets installed with the WebSphere Portal product. You can edit the Portal instance configuration manually after you have used the WebSphere Portal wizard.

Follow the steps below to edit the file...

/qibm/userdata/webas5/base/<instance>/portalserver5/config/wpconfig.properties

...and run the appropriate configuration tasks so that WebSphere Portal can work with the LDAP server.

A configuration template might exist to support these instructions. Use the configuration template to update...

/qibm/userdata/webas5/base/<instance>/portalserver5/config/wpconfig.properties

...as described in Use configuration templates, according to the property descriptions and recommended values provided below. If you do not want to use a configuration template, simply follow the instructions below as written.

Password considerations:

For security reasons, do not leave passwords in the wpconfig.properties file. Specify the required passwords on the command line rather than updating the wpconfig.properties file. For example:

Steps for this task

  1. Ensure that the LDAP software is installed and any setup required by WebSphere Portal has been performed.

  2. Locate the /qibm/userdata/webas5/base/<instance>/portalserver5/config/wpconfig.properties file and create a backup copy before changing any values.

  3. Edit the /qibm/userdata/webas5/base/<instance>/portalserver5/config/wpconfig.properties file and enter the values appropriate for the environment.
    Note the following:

    • Do not change any settings other than those specified in these steps. For instructions on working with these files, see Configuration properties reference for a complete properties reference, including default values.

    • You can also modify the wpconfig.properties file locally on the iSeries system by entering the following on an OS/400 command line:

      EDTF '/qibm/userdata/webas5/base/<instance>/portalserver5/config/wpconfig.properties'

    • Some values, shown in italics below, may need to be modified to the specific environment.

    Section Property Value
    WAS WasUserid

    Description: The user ID for WAS security authentication. This should be the fully qualified distinguished name (DN). If a value is specified for WasUserid, a value must also be specified for WasPassword. If WasUserid is left blank, WasPassword must also be left blank.

    For LDAP configuration this value should not contain spaces.

    Recommended Value: uid=wpsbind,cn=users,dc=yourco,dc=com

    Default LDAP value: uid=wpsbind,cn=users,dc=yourco,dc=com

    WasPassword

    Description: The password for WAS security authentication. If a value is specified for WasPassword, a value must also be specified for WasUserid. If WasPassword is left blank, WasUserid must also be left blank.

    Recommended Value: No recommended value for this property.

    Default Value: <none>

    WebSphere Portal configuration PortalAdminId

    Description: The fully qualified name of the WebSphere Portal administrator. This should be the fully qualified distinguished name (DN).

    For LDAP configuration this value should not contain spaces.

    Recommended Value: uid=<portaladminid>,cn=users,dc=yourco,dc=com

    Default value: <none>

    PortalAdminIdShort

    Description: The short form of the user ID for the WebSphere Portal administrator, as defined in the PortalAdminId property.

    Recommended Value: <portaladminid>

    Default Value: <none>

    PortalAdminPwd

    Description: The password for the WebSphere Portal administrator, as defined in the PortalAdminId property.

    Recommended Value: No recommended value for this property

    Default Value: <none>

    PortalAdminGroupId

    Description: The group ID for the group to which the WebSphere Portal administrator belongs.

    Recommended Value: uid=wpsadmins,cn=groups,dc=yourco,dc=com

    Default Value: <none>

    PortalAdminGroupIdShort

    Description: The short form of the group ID for the WebSphere Portal administrator, as defined in the PortalAdminGroupId property.

    Recommended Value: wpsadmins

    Default Value: <none>

    WebSphere Portal Security LTPA configuration LTPAPassword

    Description: The password for the LTPA bind.

    Recommended Value: No recommended value for this property.

    Default Value:

    LTPATimeout

    Description: Sets the time out for the LTPA bind.

    Recommended Value: 120

    Default Value: 120

    SSODomainName

    Description: Single signon domain; for example, SSODomainName=yourcompany.com

    Recommended Value: SSODomainName

    Default Value:

    LDAP Properties Configuration LookAside

    Description: The purpose of a Look Aside database is to store attributes which cannot be stored in the LDAP server. You can either install with LDAP only or with LDAP using a Look Aside database. To enable a Look Aside database, set this property to true. If you intend to use a Look Aside database, set this value before configuring security, as it cannot be configured after security is enabled.

    Using a Look Aside database may slow down performance.

    Recommended Value: false

    Default Value: false

    LDAPHostName

    Description: The host information for the LDAP server that WebSphere Portal will use; for example, yourserver.yourcompany.com.

    Recommended Value: ldapserver_host_name

    Default Value: wpsldap.ibm.com

    LDAPPort

    Description: The port number for the LDAP server that WebSphere Portal will use.

    Recommended Value (non-SSL): 389
    Recommended Value (SSL): 636

    Default Value: 389; (636 for SSL)

    LDAPAdminUId

    Description: The LDAP access ID; for example, LDAPAdminUId=cn=root. This is the ID that WebSphere Portal (Member Manager) will use to access the LDAP directory. This does not have to be the root admin id for the directory, simply an ID that has sufficient privileges to the directory to allow the operations that WebSphere Portal will perform.

    If WebSphere Portal will only read from the directory, not make updates, an ID with read privileges to the directory is sufficient. If WebSphere Portal will update the directory (create users or make user profile updates to the directory) then an ID with write privileges is required.

    Recommended Value: cn=LDAP_admin_id

    Default Value: cn=root

    LDAPAdminPwd

    Description: The LDAP access password.

    Recommended Value: ldap_admin_password

    Default Value: <none>

    LDAPServerType

    Description: Type of LDAP Server to be used.

    Recommended Value: IBM_DIRECTORY_SERVER

    Default Value: IBM_DIRECTORY_SERVER

    LDAPBindID

    Description: User ID for LDAP Bind authentication

    Recommended Value: uid=wpsbind,cn=users,dc=yourco,dc=com

    Default Value: uid=wpsbind,cn=users,dc=yourco,dc=com

    LDAPBindPassword

    Description: Password for LDAP Bind authentication

    Recommended Value: bind_password

    Default Value: <none>

    Advanced LDAP Configuration
    LDAPUserFilter

    Description: This key is used to configure the user filter.

    Recommended Value: (&(uid=%v)(objectclass=groupOfUniqueNames))

    Default Value: (&(uid=%v)(objectclass=groupOfUniqueNames))

    LDAPGroupFilter

    Description: This key is used to configure the group filter.

    Recommended Value: (&(cn=%v)(objectclass=groupOfUniqueNames))

    Default Value: (&(cn=%v)(objectclass=groupOfUniqueNames))

    LDAPSuffix

    Description: LDAP Suffix

    Recommended Value: dc=yourco,dc=com

    Default Value: dc=yourco,dc=com

    LdapUserPrefix

    Description: DN prefix attribute name for user entries.

    Recommended Value: uid

    Default Value: uid

    LDAPUserSuffix

    Description: DN suffix attribute name for user entries.

    Recommended Value: cn=users

    Default Value: cn=users

    LdapGroupPrefix

    Description: DN prefix attribute name for user entries.

    Recommended Value: cn

    Default Value: cn

    LDAPGroupSuffix

    Description: DN suffix attribute name for group entries.

    Recommended Value: cn=groups

    Default Value: cn=groups

    LDAPUserObjectClass

    Description: User object class corresponding to the directory.

    Recommended Value: inetOrgPerson

    Default Value: inetOrgPerson

    LDAPGroupObjectClass

    Description: Group object class corresponding to the directory.

    Recommended Value: groupOfUniqueNames

    Default Value: groupOfUniqueNames

    LDAPGroupMember

    Description: Specifies the attribute name of the membership attribute of the group objectclass.

    Recommended Value: uniqueMember

    Default Value: uniqueMember

    LDAPsslEnabled

    Description: Specifies whether secure socket communications is enabled to the LDAP server.

    Recommended Value (non-SSL): false

    Recommended Value (SSL): true

    Default Value: false

    Database configuration Dbuser

    Description: The user ID for the database administrator.

    Value Type: Alphanumeric text string

    Default Value: ReplaceWithYourDbAdminId

    DbPassword

    Description: The password for the database administrator.

    Value Type: Alphanumeric text string

    Default Value: ReplaceWithYourDbAdminPwd

    WmmDbUser

    Description: The user ID for the database administrator.

    Value Type: Alphanumeric text string

    Default Value: ReplaceWithYourDbAdminId

    If you are migrating from a previous version of WebSphere Portal, this value must match the database user name for the WebSphere Member Services database from the previous WebSphere Portal version.

    WmmDbPassword

    Description: The password for the database administrator.

    Value Type: Alphanumeric text string

    Default Value: ReplaceWithYourDbAdminPwd

    Do not change any other settings in this file.

  4. Perform this step only if you installed WebSphere Portal on a pre-existing instance of WAS and you did not disable WAS Global Security before installing WebSphere Portal. This step ensures that WebSphere Portal has the appropriate credentials to establish an SSL connection to the WAS administration client when portlets are manually deployed. Ensure that the following properties in the /qibm/userdata/webas5/base/<instance>/portalserver5/config/wpconfig.properties file have the values listed below:

    Section Property Value
    Credentials for WAS administration secure SOAP connection TrustStore

    Description: Relative path to the trust file that contains public keys. The path name must start below the <was_root> directory.

    Recommended Value: trust_file_path

    Default Value: /etc/DummyClientTrustFile.jks

    TrustStorePwd

    Description: Password for accessing the trust file.

    Recommended Value: trust_file_password

    Default Value: WebAS

    KeyStore

    Description: Relative path to the key file that contains public keys. The path name must start below the <was_root> directory.

    Recommended Value: key_file_path

    Default Value: /etc/DummyClientKeyFile.jks

    KeyStorePwd

    Description: Password for accessing the key file.

    Recommended Value: keystore_password

    Default Value: WebAS

  5. Optional: If you installed WAS as part of the WebSphere Portal installation and you plan to use WAS single signon, ensure that the following additional properties in the /qibm/userdata/webas5/base/<instance>/portalserver5/config/wpconfig.properties file have the values listed below. If you installed WebSphere Portal onto a pre-existing instance of WAS, skip this step. Any pre-existing settings for WAS SSO are automatically detected and preserved when you run the appropriate task to configure security.

    Section Property Value
    WebSphere Portal Security LTPA and SSO Configuration SSOEnabled

    Description: Specifies that the single signon function is enabled.

    Recommended Value: true

    Default Value: true

    SSORequiresSSL

    Description: Specifies that single signon is enabled only when requests are over HTTPS Secure Sockets Layer (SSL) connections. Choose False unless SSL is already enabled for WebSphere Portal. In most cases, SSL for WebSphere Portal will not yet be in place. After SSL for WebSphere Portal is set up, change this value using the WAS administrative console.

    Recommended Value: False or True depending on the environment.

    Default Value: false

  6. Save the file.

  7. Start a 5250 session on the local machine where WebSphere Portal is installed.

  8. Enter STRQSH on the command line to start the Qshell Interpreter.

  9. Enter the following:

    cd /QIBM/UserData/WebAS5/Base/<instance>/PortalServer5/config

    where instance is the name of the portal server instance.

  10. Enter the following:

    WPSconfig.sh validate-ldap

    If the configuration task fails, validate the values in the wpconfig.properties file.

  11. Perform this step only if you installed WebSphere Portal on a pre-existing instance of WAS which had Global Security enabled or if you followed the steps in Manually configuring WAS Global Security.

    If you disabled WAS Global Security before installing WebSphere Portal, enable it now by running the following configuration task:

    This task configures WebSphere Portal for security but does not modify the WAS existing security settings.

    WPSconfig.sh secure-portal-ldap

    Check the output for any error messages before proceeding with any additional tasks. If the configuration task fails, verify the values in the /qibm/userdata/webas5/base/<instance>/portalserver5/config/wpconfig.properties file.

  12. Perform this step only if you meet either of the following criteria:

    • You installed WebSphere Portal on a pre-existing instance of WAS which did not have Global Security enabled

    • You installed WAS as part of the WebSphere Portal installation

    Enter the following:

    WPSconfig.sh enable-security-ldap

    Check the output for any error messages before proceeding with any additional tasks. If the configuration task fails, verify the values in the /qibm/userdata/webas5/base/<instance>/portalserver5/config/wpconfig.properties file. Before running the task again, be sure to stop the WebSphere Portal application server by entering the following command from the /QIBM/ProdData/WebAS5/PME/bin directory and specify the WAS user ID and password (as defined by the WasUserid and WasPassword properties):

    stopServer -instance <instance> <was_app_server_name> -user <admin_userid> -password <admin_password>

  13. Perform this step only if you are using LDAP over SSL:

    1. If not already configured, configure WAS to use LDAP over SSL

      To configure WAS to use LDAP over SSL, use the WAS administrative console. WebSphere Portal should be stopped before doing this. Consult the WAS documentation to configure the SSL settings dialog. Verify that the settings are correct by restarting the administrative console, and confirm that no LDAP traffic is sent to the directory's unencrypted port (by default, port 389) on the LDAP directory server. All necessary certificate setup should have been done during Set up LDAP over SSL.

    2. Configure WebSphere Portal to use LDAP over SSL

      1. To configure WebSphere Portal to use LDAP over SSL, modify the portal wmm.xml file:

        1. Change the LDAP port from 389 to the port on which the LDAP server is listening for LDAP over SSL traffic. By default, this value is 636. In the <ldapRepository...> stanza of the wmm.xml file, change the port number as desired:
          ldapPort="636"
        2. In the <ldapRepository...> stanza of the wmm.xml file, add the following key/value pair:
          java.naming.security.protocol="ssl"

      2. Restart WebSphere Portal.

  14. Enter the following:

    cd /QIBM/ProdData/WebAS5/PME/bin

  15. Enter the following:

    startServer -instance <instance> <was_app_server_name>

    If you are running with security enabled on WAS, specify a user ID and password for security authentication when entering the command.

  16. Perform this step only if you installed WebSphere Portal on a pre-existing instance of WAS. Do one of the following:

    • If you disabled Global Security before installing: Manually reactivate Global Security. From the WAS administrative console, select Security then click Global Security. Make the appropriate selections and click OK. Restart WebSphere Portal.

    • If you installed WebSphere Portal without configuring it during installation: Use the procedure below to manually deploy portlets.

      1. Ensure that WebSphere Portal is running.

      2. If the Qshell Interpreter is not running on the iSeries system, start it by entering the following on an OS/400 command line:

        STRQSH

      3. Enter the following:

        cd /QIBM/UserData/WebAS5/Base/<instance>/PortalServer5/config

        where instance is the name of the portal server instance.

      4. Enter the following command:

        installportlets.sh <portalAdminID> <portalAdminPassword> <portalHostName> <portalPortNumber>

        Where:

        • portalAdminID is the WebSphere Portal administrator ID.

        • portalAdminPassword is the WebSphere Portal administrator password specified during installation.

        • portalHostName is the host name of the machine where you installed WebSphere Portal. If WAS security is not enabled, you can use a value of localhost for this argument. Otherwise, use the fully qualified host name, such as hostname.yourco.com.

        • portalPortNumber is the port number used to access WebSphere Portal. This value is stored in the WpsHostPort property in the /QIBM/UserData/WebAS5/Base/<instance>/PortalServer5/config/wpconfig.properties file.

        For example:

        installportlets.sh wpsadmin mypassword hostname.yourco.com 10009

  17. Perform this step only if you installed WebSphere Portal into a pre-existing SSO environment. Because you will not be given the option to import the existing token file, perform the following steps:

    • To import the SSO Token:

      1. In the WAS administrative console, select Security, then click Authentication Mechanisms, then click LTPA.

      2. Enter the LTPA token password in the Password field.

      3. Enter the password again in the Confirm password field.

      4. In the Key File Name field, enter the LTPA token file.
      5. Click Import Keys.

      6. Click Save.

    • To set the SSO Domain:

      1. In the WAS administrative console, select Security, then click Authentication Mechanisms, then click LTPA.

      2. Click Single Signon in Additional Properties.

      3. Enter the domain name in the Domain Name field.

      4. Click OK.

  18. Access WebSphere Portal via http://<hostname.yourco.com>:<port_number>/wps/portal and verify that you can log in.

    Once security is enabled, type the fully qualified host name when accessing WebSphere Portal and the WAS administrative console.
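
The following is an added example, not part of the IBM documentation: a Python pre-flight audit of wpconfig.properties that checks constraints stated in the steps above (no spaces in DNs, LDAPPort matching LDAPsslEnabled, passwords kept out of the file, shipped keystore defaults and ReplaceWithYour placeholders replaced, LDAPAdminUId not left as cn=root). The sample content, function names and finding texts are constructed for illustration, and the parser assumes simple key=value lines.

```python
import re

# Constructed sample built from the default values listed on this page.
SAMPLE = """\
WasUserid=uid=wpsbind,cn=users,dc=yourco,dc=com
WasPassword=
PortalAdminId=uid=portal admin,cn=users,dc=yourco,dc=com
PortalAdminPwd=s3cret-constructed
LDAPPort=389
LDAPsslEnabled=true
LDAPAdminUId=cn=root
TrustStore=/etc/DummyClientTrustFile.jks
TrustStorePwd=WebAS
DbPassword=ReplaceWithYourDbAdminPwd
"""

PASSWORD_KEY = re.compile(r"(Pwd|Password)$")
SHIPPED_DEFAULTS = {  # default values documented in step 4
    "TrustStore": "/etc/DummyClientTrustFile.jks",
    "KeyStore": "/etc/DummyClientKeyFile.jks",
    "TrustStorePwd": "WebAS",
    "KeyStorePwd": "WebAS",
}

def parse_properties(text):
    """Parse key=value lines; split on the first '=' only, because DN values contain '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue  # skip blanks, comments and malformed lines
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return a sorted list of (property, finding) tuples."""
    findings = []
    for key, value in props.items():
        if value.startswith("ReplaceWithYour"):
            findings.append((key, "placeholder value not replaced"))
        elif SHIPPED_DEFAULTS.get(key) == value:
            findings.append((key, "shipped default still in use"))
        elif PASSWORD_KEY.search(key) and value:
            findings.append((key, "password stored in file"))
    for key in ("WasUserid", "PortalAdminId"):
        if " " in props.get(key, ""):
            findings.append((key, "DN contains spaces"))
    ssl = props.get("LDAPsslEnabled", "false").lower() == "true"
    if ssl and props.get("LDAPPort", "389") == "389":
        findings.append(("LDAPPort", "SSL enabled but port is the non-SSL 389"))
    if not ssl:
        findings.append(("LDAPsslEnabled", "LDAP bind credentials sent without SSL"))
    if props.get("LDAPAdminUId", "").lower() == "cn=root":
        findings.append(("LDAPAdminUId", "directory root DN used for access"))
    return sorted(findings)

if __name__ == "__main__":
    for key, finding in audit(parse_properties(SAMPLE)):
        print(f"{key}: {finding}")
```

Run it against a copy of the file before WPSconfig.sh validate-ldap and again after the configuration tasks complete, when any password property still populated is a finding.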

 

Security is enabled

Once you have enabled security with the LDAP directory, you will need to provide the user ID and password required for security authentication on WAS when you perform certain administrative tasks with WAS. For example, to stop the WebSphere Portal application server, you would issue the following command:

stopServer -instance <instance> <was_app_server_name> -user <admin_userid> -password <admin_password>

 


 

See also

  • Verifying LDAP

  • LDAP