Manually configure WAS global security

If you will not be using the WebSphere Portal configuration tasks to set up WAS global security, make sure that WAS security is set up as described here. Only parameters that are required to have a certain value are discussed. Other settings can be set at your discretion.

Use these procedures only if the user registry configuration is one of the following situations:

Do not use this procedure if you plan to use a Member Manager database-only configuration. You must use the WebSphere Portal automated configuration task enable-security-cur to set up WAS security with a Member Manager database-only configuration. This task overwrites any settings in WAS.

Follow these steps to make sure that the WAS global security configuration will work with WebSphere Portal:

  1. From the WAS Administrative Console, click Security | Global Security.

  2. Verify the following items. Other parameters do not affect WebSphere Portal.

    • Global Security is enabled.

    • Java 2 Security is disabled.

    • The Active Authentication Mechanism is LTPA.

    • The Active User Registry is one of the following options:

      • LDAP
      • Custom

  3. Click Security | Authentication Mechanisms | LTPA | Single Sign On (SSO).
  4. Verify the following items:

    • SSO is enabled.

    • Requires SSL should not be checked unless the portal is being configured for SSL connections from clients.

    • The Domain Name field should be set to a subset of the host name of the HTTP server that front-ends the portal. This will be used as the domain name of the LTPAToken cookie. This is not the LDAP server host name.

  5. If you use an LDAP directory, or an LDAP directory plus Lookaside database, WebSphere Member Manager configuration, click Security | User Registries | LDAP. WAS must be configured correctly to communicate with the directory; for details on setting this up, refer to the WAS security configuration documentation. Once the configuration is correct, do the following steps:

    1. Copy the Base Distinguished Name (DN) value to the LDAPSuffix property value in the wpconfig.properties file.

    2. Copy an ID with permission to write to the directory to the LDAPAdminUid property in the wpconfig.properties file.

    3. Copy the password for the above ID to the LDAPAdminPassword property in the wpconfig.properties file. This is the password for the identity that is specified as the Bind Distinguished Name.

    4. Ignore Case should be selected.

    5. SSL should be enabled only if the connection from WAS to the directory is over SSL. See Set up LDAP over SSL for more information.

    6. In the Additional Properties section, click Advanced LDAP Settings. The search filters and other settings must be set for the directory.

      • In the User Filter field, the attribute that appears before =%v is the attribute whose value users enter to log in to the portal. For example, if users log in to the portal by entering an e-mail address, and the e-mail address of the users is mapped to the LDAP user object attribute "emailaddress", then the attribute should be emailaddress. This attribute might or might not also be the first RDN attribute of the DNs.

        The LDAPUserPrefix value in the wpconfig.properties file should always be the first RDN attribute of the DNs. The following table explains how these values should be set.

        Login Attribute   First RDN Attribute of DNs   WAS User Filter Attribute   wpconfig.properties LDAPUserPrefix
        uid               uid                          uid                         uid
        emailaddress      uid                          emailaddress                uid

      • Copy the objectclass that is used for the User Filter value to the LDAPUserObjectClass property in the wpconfig.properties file.
      • Copy the objectclass that is used for the Group filter field to the LDAPGroupObjectClass property in the wpconfig.properties file.

    7. Run the secure-portal-ldap task as described in Configure WebSphere Portal for LDAP.

  6. If you use a custom user registry, follow these steps:

    1. Click Security | User Registries | Custom. Verify that Ignore Case is selected. Other parameters do not affect WebSphere Portal.

    2. Refer to the WebSphere Portal product documentation page at http://www.ibm.com/websphere/portal/library for further instructions. A whitepaper containing instructions for using WebSphere Portal with a custom user registry will be available soon.
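The following script is an added example, not part of this documentation or of the WebSphere Portal product: it derives the wpconfig.properties values that step 5 tells you to copy (LDAPSuffix, LDAPAdminUid, LDAPAdminPassword, LDAPUserPrefix, LDAPUserObjectClass, LDAPGroupObjectClass) from a WAS-style user filter, group filter, base DN and sample DNs, and applies the table's rule that LDAPUserPrefix follows the first RDN attribute of the DNs even when the login attribute in the User Filter is different. The sample filters, DNs and password are constructed, and every function name is a hypothetical helper.

```python
import re

# Constructed sample values (assumptions, not taken from the documentation):
# a user filter whose login attribute is "mail", a group filter, a base DN,
# a bind DN with write permission, and a typical user DN.
SAMPLE_USER_FILTER = "(&(mail=%v)(objectclass=inetOrgPerson))"
SAMPLE_GROUP_FILTER = "(&(cn=%v)(objectclass=groupOfUniqueNames))"
SAMPLE_BASE_DN = "dc=example,dc=com"
SAMPLE_BIND_DN = "uid=wpsadmin,cn=users,dc=example,dc=com"
SAMPLE_BIND_PASSWORD = "replace-with-real-password"  # placeholder
SAMPLE_USER_DN = "uid=jdoe,cn=users,dc=example,dc=com"


def login_attribute(user_filter):
    """Attribute that appears before =%v: the value users type to log in."""
    match = re.search(r"\(([A-Za-z][\w.;-]*)=%v\)", user_filter)
    if match is None:
        raise ValueError("no <attribute>=%v clause in filter: " + user_filter)
    return match.group(1)


def object_class(ldap_filter):
    """objectclass named in a filter (LDAP attribute names are case-insensitive)."""
    match = re.search(r"\(objectclass=([^()]+)\)", ldap_filter, re.IGNORECASE)
    if match is None:
        raise ValueError("no objectclass clause in filter: " + ldap_filter)
    return match.group(1)


def first_rdn_attribute(dn):
    """Attribute type of the leftmost RDN, e.g. "uid" for uid=x,cn=users,..."""
    # Split only on commas that are not escaped with a backslash (RFC 4514).
    first_rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0].strip()
    attr, sep, _value = first_rdn.partition("=")
    if not sep or not attr.strip():
        raise ValueError("not a DN: " + dn)
    return attr.strip()


def derive_wpconfig(user_filter, group_filter, base_dn, bind_dn,
                    bind_password, sample_user_dn):
    """Return the wpconfig.properties values that step 5 says to copy."""
    return {
        "LDAPSuffix": base_dn,                # Base Distinguished Name
        "LDAPAdminUid": bind_dn,              # ID with permission to write
        "LDAPAdminPassword": bind_password,   # password of that bind ID
        # Always the first RDN attribute of the user DNs, never the login attribute.
        "LDAPUserPrefix": first_rdn_attribute(sample_user_dn),
        "LDAPUserObjectClass": object_class(user_filter),
        "LDAPGroupObjectClass": object_class(group_filter),
    }


def login_vs_prefix(user_filter, sample_user_dn):
    """Compare the login attribute with the DN prefix, as in the table.

    The two may legitimately differ (users log in with emailaddress while
    DNs start with uid=); the result makes that difference explicit.
    """
    login = login_attribute(user_filter)
    prefix = first_rdn_attribute(sample_user_dn)
    return {"login_attribute": login, "LDAPUserPrefix": prefix,
            "same": login.lower() == prefix.lower()}


def render_properties(props):
    """key=value lines for pasting into wpconfig.properties.

    The bind password is written in clear text, so restrict who can read
    the file you paste this into.
    """
    return "\n".join(f"{key}={value}" for key, value in props.items()) + "\n"


if __name__ == "__main__":
    derived = derive_wpconfig(SAMPLE_USER_FILTER, SAMPLE_GROUP_FILTER,
                              SAMPLE_BASE_DN, SAMPLE_BIND_DN,
                              SAMPLE_BIND_PASSWORD, SAMPLE_USER_DN)
    print(render_properties(derived))
    print(login_vs_prefix(SAMPLE_USER_FILTER, SAMPLE_USER_DN))
```

With the constructed sample, the login attribute is mail but LDAPUserPrefix comes out as uid, which is the second row of the table above; feeding the script your real User Filter and a real user DN from the directory is a quick way to confirm the two values before running secure-portal-ldap.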
