Configure WebSphere Portal for Novell eDirectory
Use the IBM Web Administration for iSeries tool when configuring WebSphere Portal instances. The wizard creates the necessary servers (HTTP and WAS), configures the server for Portal, configures the database for Portal, configures security (LDAP) for Portal, and deploys the portlets installed with the WebSphere Portal product. You can edit the Portal instance configuration manually after you have used the WebSphere Portal wizard.
Follow the steps below to edit the /qibm/userdata/webas5/base/<instance>/portalserver5/config/wpconfig.properties file and run the appropriate configuration tasks so that WebSphere Portal can work with the LDAP server.
Note: A configuration template might exist to support these instructions. Use the configuration template to update the /qibm/userdata/webas5/base/<instance>/portalserver5/config/wpconfig.properties file, as described in Use configuration templates, according to the property descriptions and recommended values provided below. If you do not want to use a configuration template, simply follow the instructions below as written.
Password considerations: For security reasons, do not leave passwords in the wpconfig.properties file. Specify the required passwords on the command line rather than updating the wpconfig.properties file. For example:
- WPSconfig.sh task_name [-Dpassword_property_key=password_value]
- WPSconfig.sh validate-ldap -DPortalAdminPwd=password -DLDAPAdminPwd=password -DLDAPBindPassword=password -DWasPassword=password -DLTPAPassword=password
Steps for this task
- Ensure that the LDAP software is installed and any setup required by WebSphere Portal has been performed.
- Locate the /qibm/userdata/webas5/base/<instance>/portalserver5/config/wpconfig.properties file and create a backup copy before changing any values.
- Edit the /qibm/userdata/webas5/base/<instance>/portalserver5/config/wpconfig.properties file and enter the values appropriate for the environment.
Note the following:
- Do not change any settings other than those specified in these steps. For a complete properties reference, including default values, see Configuration properties reference.
- You can also modify the wpconfig.properties file locally on the iSeries system by entering the following on an OS/400 command line:
EDTF '/qibm/userdata/webas5/base/<instance>/portalserver5/config/wpconfig.properties'
- Some values, shown in italics below, may need to be modified for the specific environment.
Section: WAS properties
WasUserid Description: The user ID for WAS security authentication. This should be the fully qualified distinguished name (DN). If a value is specified for WasUserid, a value must also be specified for WasPassword. If WasUserid is left blank, WasPassword must also be left blank.
For LDAP configuration this value should not contain spaces.
Recommended Value: uid=wpsbind,ou=people,o=yourco.com
Default LDAP value: uid=wpsbind,cn=users,dc=yourco,dc=com
WasPassword Description: The password for WAS security authentication. If a value is specified for WasPassword, a value must also be specified for WasUserid. If WasPassword is left blank, WasUserid must also be left blank.
Recommended Value: No recommended values for this property.
Default Value: <none>
Section: Portal configuration properties
PortalAdminId Description: The user ID for the WebSphere Portal administrator. This should be the fully qualified distinguished name (DN).
For LDAP configuration this value should not contain spaces.
Recommended Value: uid=<portaladminid>,ou=people,o=yourco.com
Default value: <none>
PortalAdminIdShort Description: The short form of the user ID for the WebSphere Portal administrator, as defined in the PortalAdminId property.
Recommended Value: <portaladminid>
Default Value: <none>
PortalAdminPwd Description: The password for the WebSphere Portal administrator, as defined in the PortalAdminId property.
Recommended Value: No recommended value for this property
Default Value: <none>
PortalAdminGroupId Description: The group ID for the group to which the WebSphere Portal administrator belongs.
Recommended Value: cn=wpsadmins,cn=groups,dc=yourco,dc=com
Default Value: <none>
PortalAdminGroupIdShort Description: The short form of the group ID for the WebSphere Portal administrator, as defined in the PortalAdminGroupId property.
Recommended Value: wpsadmins
Default Value: <none>
Section: WebSphere Portal Security LTPA and SSO configuration
LTPAPassword Description: The password for the LTPA bind.
Recommended Value: No recommended value for this property.
Default Value:
LTPATimeout Description: Sets the time out for the LTPA bind.
Recommended Value: 120
Default Value: 120
SSODomainName Description: Single signon domain; for example, SSODomainName=yourcompany.com
Recommended Value: SSODomainName
Default Value:
Section: LDAP Properties Configuration
LookAside Description: The purpose of a Look Aside database is to store attributes which cannot be stored in the LDAP server. You can either install with LDAP only or with LDAP using a Look Aside database. To enable a Look Aside database, set this property to true. If you intend to use a Look Aside database, set this value before configuring security, as it cannot be configured after security is enabled.
Using a Look Aside database may slow down performance.
Recommended Value: false
Default Value: false
LDAPHostName Description: The host information for the LDAP server that WebSphere Portal will use; for example, yourserver.yourcompany.com.
Recommended Value: ldapserver_host_name
Default Value: wpsldap.ibm.com
LDAPPort Description: The port number for the LDAP server that WebSphere Portal will use.
Recommended Value (non-SSL): 389
Recommended Value (SSL): 636
Default Value: 389; (636 for SSL)
LDAPAdminUId Description: The LDAP administrator id; for example, LDAPAdminUId=cn=root.
Recommended Value: cn=LDAP_admin_id
Default Value: cn=root
LDAPAdminPwd Description: The LDAP administrator password.
Recommended Value: ldap_admin_password
Default Value: <none>
LDAPServerType Description: Type of LDAP Server to be used
Recommended Value: NDS
Default Value: IBM_DIRECTORY_SERVER
LDAPBindID Description: User ID for LDAP Bind authentication
Recommended Value: uid=wpsbind,ou=people,o=yourco.com
Default Value: uid=wpsbind,cn=users,dc=yourco,dc=com
LDAPBindPassword Description: Password for LDAP Bind authentication
Recommended Value: bind_password
Default Value:
Section: Advanced LDAP Configuration
LDAPUserFilter Description: This key is used to configure the user filter.
Recommended Value: (&(uid=%v)(objectclass=inetOrgPerson))
Default Value: (&(uid=%v)(objectclass=inetOrgPerson))
LDAPGroupFilter Description: This key is used to configure the group filter.
Recommended Value: (&(cn=%v)(objectclass=groupOfUniqueNames))
Default Value: (&(cn=%v)(objectclass=groupOfUniqueNames))
LDAPSuffix Description: LDAP Suffix
Recommended Value: o=yourco.com
Default Value: dc=yourco,dc=com
LdapUserPrefix Description: DN prefix attribute name for user entries.
Recommended Value: uid
Default Value: uid
LDAPUserSuffix Description: DN suffix attribute name for user entries.
Recommended Value: ou=people
Default Value: cn=users
LdapGroupPrefix Description: DN prefix attribute name for user entries.
Recommended Value: cn
Default Value: cn
LDAPGroupSuffix Description: DN suffix attribute name for group entries.
Recommended Value: ou=groups
Default Value: cn=groups
LDAPUserObjectClass Description: User object class corresponding to the directory.
Recommended Value: inetOrgPerson
Default Value: inetOrgPerson
LDAPGroupObjectClass Description: Group object class corresponding to the directory.
Recommended Value: groupOfNames
Default Value: groupOfUniqueNames
LDAPGroupMember Description: Specifies the attribute name of the membership attribute of the group objectclass.
Recommended Value: uniqueMember
Default Value: uniqueMember
LDAPsslEnabled Description: Specifies whether secure socket communications is enabled to the LDAP server.
Recommended Value (non-SSL): false
Recommended Value (SSL): true
Default Value: false
Section: Database configuration
Dbuser Description: The user ID for the database administrator.
Value Type: Alphanumeric text string
Default Value: ReplaceWithYourDbAdminId
DbPassword Description: The password for the database administrator.
Value Type: Alphanumeric text string
Default Value: ReplaceWithYourDbAdminPwd
WmmDbUser Description: The user ID for the database administrator.
Value Type: Alphanumeric text string
Default Value: ReplaceWithYourDbAdminId
If you are migrating from a previous version of WebSphere Portal, this value must match the database user name for the WebSphere Member Services database from the previous WebSphere Portal version.
WmmDbPassword Description: The password for the database administrator.
Value Type: Alphanumeric text string
Default Value: ReplaceWithYourDbAdminPwd
Do not change any other settings in this file.
- Perform this step only if you installed WebSphere Portal on a pre-existing instance of WAS and you did not disable WAS Global Security before installing WebSphere Portal. This step ensures that WebSphere Portal has the appropriate credentials to establish an SSL connection to the WAS administration client when portlets are manually deployed. Ensure that the following properties in the /qibm/userdata/webas5/base/<instance>/portalserver5/config/wpconfig.properties file have the values listed below:
Section: Credentials for WAS administration secure SOAP connection
TrustStore Description: Relative path to the trust file that contains public keys. The path name must start below the <was_root> directory.
Recommended Value: trust_file_path
Default Value: /etc/DummyClientTrustFile.jks
TrustStorePwd Description: Password for accessing the trust file.
Recommended Value: trust_file_password
Default Value: WebAS
KeyStore Description: Relative path to the key file that contains public keys. The path name must start below the <was_root> directory.
Recommended Value: key_file_path
Default Value: /etc/DummyClientKeyFile.jks
KeyStorePwd Description: Password for accessing the key file.
Recommended Value: keystore_password
Default Value: WebAS
- Optional: If you installed WAS as part of the WebSphere Portal installation and you plan to use WAS single signon, ensure that the following additional properties in the /qibm/userdata/webas5/base/<instance>/portalserver5/config/wpconfig.properties file have the values listed below. If you installed WebSphere Portal onto a pre-existing instance of WAS, skip this step. Any pre-existing settings for WAS SSO are automatically detected and preserved when you run the appropriate task to configure security.
Section: WebSphere Portal Security LTPA and SSO Configuration
SSOEnabled Description: Specifies that the single signon function is enabled.
Recommended Value: true
Default Value: true
SSORequiresSSL Description: Specifies that single signon is enabled only when requests are over HTTPS Secure Sockets Layer (SSL) connections. Choose False unless SSL is already enabled for WebSphere Portal. In most cases, SSL for WebSphere Portal will not yet be in place. After SSL for WebSphere Portal is set up, change this value using the WAS administrative console.
Recommended Value: False or True depending on the environment.
Default Value: false
- Save the file.
- Start a 5250 session on the local machine where WebSphere Portal is installed.
- Enter STRQSH on the command line to start the Qshell Interpreter.
- Enter the following:
cd /QIBM/UserData/WebAS5/Base/<instance>/PortalServer5/config
where instance is the name of the portal server instance.
- Enter the following:
WPSconfig.sh validate-ldap
If the configuration task fails, validate the values in the wpconfig.properties file.
- Perform this step only if you installed WebSphere Portal on a pre-existing instance of WAS which had Global Security enabled or if you followed the steps in Manually configuring WAS Global Security.
If you disabled WAS Global Security before installing WebSphere Portal, enable it now by running the following configuration task:
WPSconfig.sh secure-portal-ldap
This task configures WebSphere Portal for security but does not modify the existing WAS security settings.
Check the output for any error messages before proceeding with any additional tasks. If the configuration task fails, verify the values in the /qibm/userdata/webas5/base/<instance>/portalserver5/config/wpconfig.properties file.
- Perform this step only if you meet either of the following criteria:
- You installed WebSphere Portal on a pre-existing instance of WAS which did not have Global Security enabled
- You installed WAS as part of the WebSphere Portal installation
Enter the following:
WPSconfig.sh enable-security-ldap
Check the output for any error messages before proceeding with any additional tasks. If the configuration task fails, verify the values in the /qibm/userdata/webas5/base/<instance>/portalserver5/config/wpconfig.properties file. Before running the task again, be sure to stop the WebSphere Portal application server by entering the following command from the /QIBM/ProdData/WebAS5/PME/bin directory, specifying the WAS user ID and password (as defined by the WasUserid and WasPassword properties):
stopServer -instance <instance> <was_app_server_name> -user <admin_userid> -password <admin_password>
- Perform this step only if you are using LDAP over SSL:
- If not already configured, configure WAS to use LDAP over SSL
To configure WAS to use LDAP over SSL, use the WAS administrative console. WebSphere Portal should be stopped before doing this. Consult the WAS documentation to configure the SSL settings dialog. Verify that the settings are correct by restarting the administrative console, and confirm that no LDAP traffic is sent to the directory's unencrypted port (by default, port 389) on the LDAP directory server. All necessary certificate setup should have been done in Set up LDAP over SSL.
Configure WebSphere Portal to use LDAP over SSL
- To configure WebSphere Portal to use LDAP over SSL, modify the portal wmm.xml file:
- Change the LDAP port from 389 to the port on which the LDAP server is listening for LDAP over SSL traffic. By default, this value is 636. In the <ldapRepository...> stanza of the wmm.xml file, change the port number as desired:
ldapPort="636"
- In the <ldapRepository...> stanza of the wmm.xml file, add the following key/value pair:
java.naming.security.protocol="ssl"
- Restart WebSphere Portal.
- Enter the following:
cd /QIBM/ProdData/WebAS5/PME/bin
- Enter the following:
startServer -instance <instance> <was_app_server_name>
If you are running with security enabled on WAS, specify a user ID and password for security authentication when entering the command.
- Perform this step only if you installed WebSphere Portal on a pre-existing instance of WAS. Do one of the following:
- If you disabled Global Security before installing: Manually reactivate Global Security. From the WAS administrative console, select Security > Global Security. Make the appropriate selections and click OK. Restart WebSphere Portal.
- If you installed WebSphere Portal without configuring it during installation: Use the procedure below to manually deploy portlets.
- Ensure that WebSphere Portal is running.
- If the Qshell Interpreter is not running on the iSeries system, start it by entering the following on an OS/400 command line:
STRQSH
- Enter the following:
cd /QIBM/UserData/WebAS5/Base/<instance>/PortalServer5/config
where instance is the name of the portal server instance.
- Enter the following command:
installportlets.sh <portalAdminID> <portalAdminPassword> <portalHostName> <portalPortNumber>
Where:
- portalAdminID is the WebSphere Portal administrator ID.
- portalAdminPassword is the WebSphere Portal administrator password specified during installation.
- portalHostName is the host name of the machine where you installed WebSphere Portal. If WAS security is not enabled, you can use a value of localhost for this argument. Otherwise, use the fully qualified host name, such as hostname.yourco.com.
- portalPortNumber is the port number used to access WebSphere Portal. This value is stored in the WpsHostPort property in the /QIBM/UserData/WebAS5/Base/<instance>/PortalServer5/config/wpconfig.properties file.
For example:
installportlets.sh wpsadmin mypassword hostname.yourco.com 10009
- Perform this step only if you installed WebSphere Portal into a pre-existing SSO environment. Because you will not be given the option to import the existing token file, perform the following steps:
- To import the SSO Token:
- In the WAS administrative console, select Security > Authentication Mechanisms > LTPA.
- Enter the LTPA token password in the Password field.
- Enter the password again in the Confirm password field.
- In the Key File Name field, enter the LTPA token file.
- Click Import Keys.
- Click Save.
- To set the SSO Domain:
- In the WAS administrative console, select Security > Authentication Mechanisms > LTPA.
- Click Single Signon in Additional Properties.
- Enter the domain name in the Domain Name field.
- Click OK.
- Access WebSphere Portal via http://<hostname.yourco.com>:<port_number>/wps/portal and verify that you can log in.
Once security is enabled, type the fully qualified host name when accessing WebSphere Portal and the WAS administrative console.
Security is enabled
Once you have enabled security with the LDAP directory, you will need to provide the user ID and password required for security authentication on WAS when you perform certain administrative tasks with WAS. For example, to stop the WebSphere Portal application server, you would issue the following command:
stopServer -instance <instance> <was_app_server_name> -user <admin_userid> -password <admin_password>
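The following POSIX shell and awk check is an added example, not IBM-supplied code. Run it against wpconfig.properties after the configuration tasks finish to flag passwords left in the file (see Password considerations), keystore settings still at the default values listed above, an LDAPPort/LDAPsslEnabled mismatch, and DNs that contain spaces. The function names, finding labels and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM code. Property names are the ones in the tables above.

audit_wpconfig() {   # $1 = path to wpconfig.properties; prints one finding per line
    awk '
    /^[ \t]*[#!]/ || /^[ \t]*$/ { next }       # skip comments and blank lines
    {
        line = $0; sub(/\r$/, "", line)
        eq = index(line, "="); if (eq == 0) next
        key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        prop[key] = val
    }
    END {
        # Passwords meant to be passed with -D on the command line, not stored
        names = "WasPassword PortalAdminPwd LTPAPassword LDAPAdminPwd"
        names = names " LDAPBindPassword DbPassword WmmDbPassword"
        n = split(names, pw, " ")
        for (i = 1; i <= n; i++)
            if (prop[pw[i]] != "" && prop[pw[i]] !~ /^ReplaceWithYour/)
                print "STORED_PASSWORD " pw[i]
        # Keystore settings still at the default values listed in the table
        if (prop["TrustStore"] ~ /DummyClientTrustFile\.jks$/) print "DEFAULT_VALUE TrustStore"
        if (prop["TrustStorePwd"] == "WebAS") print "DEFAULT_VALUE TrustStorePwd"
        if (prop["KeyStore"] ~ /DummyClientKeyFile\.jks$/) print "DEFAULT_VALUE KeyStore"
        if (prop["KeyStorePwd"] == "WebAS") print "DEFAULT_VALUE KeyStorePwd"
        # Heuristic on the default ports: 389 goes with false, 636 with true
        ssl = tolower(prop["LDAPsslEnabled"])
        if ((ssl == "true" && prop["LDAPPort"] == "389") ||
            (ssl != "true" && prop["LDAPPort"] == "636")) print "SSL_PORT_MISMATCH"
        # DNs used for LDAP configuration should not contain spaces
        if (prop["WasUserid"] ~ / /) print "DN_HAS_SPACE WasUserid"
        if (prop["PortalAdminId"] ~ / /) print "DN_HAS_SPACE PortalAdminId"
    }' "$1"
}

write_sample() {     # constructed sample values, not from a real system
    cat > "$1" <<'EOF'
# constructed wpconfig.properties fragment
WasUserid=uid=wpsbind,ou=people,o=yourco.com
WasPassword=
PortalAdminId=uid=portal admin,ou=people,o=yourco.com
PortalAdminPwd=Example-Pw-1
LDAPBindPassword=Example-Pw-2
DbPassword=ReplaceWithYourDbAdminPwd
LDAPPort=389
LDAPsslEnabled=true
TrustStore=/etc/DummyClientTrustFile.jks
TrustStorePwd=WebAS
EOF
}

# Demo: audit the constructed sample and print the findings
sample=$(mktemp) && write_sample "$sample" && audit_wpconfig "$sample"; rm -f "$sample"
```

An empty result means none of these checks fired; it does not validate the LDAP values themselves, which is what the validate-ldap task is for.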
See also
Verifying LDAP LDAP