Manually configure WAS global security
If you will not be using the WebSphere Portal configuration tasks to set up WAS global security, make sure that WAS security is set up as described here. Only parameters that are required to have a certain value are discussed. Other settings can be set at the discretion.
Use these procedures only if the user registry configuration is one of the following situations:
- LDAP only
- LDAP + Lookaside database (if the LoginAttribute is stored in LDAP)
- Some non-LDAP custom store that you have created
Do not use this procedure if you plan to use a Member Manager database-only configuration. You must use the WebSphere Portal automated configuration task enable-security-cur to set up WAS security with a Member Manager database-only configuration. This task overwrites any settings in WAS.
Follow these steps to make sure that the WAS global security configuration will work with WebSphere Portal:
- From WAS Administrative Console, click...
Security | Global Security
- Verify the following items. Other parameters do not affect WebSphere Portal.
- Global Security is enabled.
- Java 2 Security is disabled.
- The Active Authentication Mechanism is LTPA.
- The Active User Registry is one of the following options:
- LDAP
- Custom
- Click Security | Authentication Mechanisms | LTPA | Single Sign On (SSO).
- Global Security is enabled.
- Verify the following items:
- SSO is enabled.
- Requires SSL should not be checked unless the portal is being configured for SSL connections from clients.
- The Domain Name field should be set to a subset of the host name of the HTTP server that front-ends the portal. This will be used as the domain name of the LTPAToken cookie. This is not the LDAP server host name.
- If you use an LDAP directory or an LDAP directory plus Lookaside database WebSphere Member Manager configuration, click Security
User Registries
LDAP. A correct configuration is required to allow WAS to talk
to the directory. For details on setting this up, refer
to the WAS security configuration documentation. Once the configuration is correct, do the following steps:
- Copy the Base Distinguished Name (DN) value to the LDAPSuffix property value in the
wpconfig.properties file.
- Copy an ID with permission to write to the directory to the LDAPAdminUid property in the wpconfig.properties file.
- Copy the password for the above ID to the LDAPAdminPassword property in the
wpconfig.properties file. This is the password for the identity that is specified as the Bind
Distinguished Name.
- Ignore Case should be selected.
- SSL should be enabled only if the connection from WAS to the directory is over SSL. See Set
up LDAP over SSL for more information.
- In the Additional Properties section, click Advanced LDAP Settings. The search filters and
other settings must be set for the
directory.
- In the User Filter field, the attribute that appears before =%v is the attribute value that is
used to log in to the portal. For example, if users log in to the portal by entering an e-mail address, and the e-mail address of the users is mapped to the LDAP user object attribute "emailaddress," then the attribute value
should be emailaddress. This attribute value might or might not also be the first RDN attribute of the DNs.
The LDAPUserPrefix value in the wpconfig.properties file should always be the first RDN attribute of the DNs. The following table explains how these values should be set.
Login Attribute First RDN Attribute of DNs WAS User Filter Attribute wpconfig.properties LDAPUserPrefix Uid uid uid uid Emailaddress uid Emailaddress uid - Copy the objectclass that is used for the User Filter value to the LDAPUserObjectClass property in the wpconfig.properties file.
- Copy the objectclass that is used for the Group filter field to the LDAPGroupObjectClass property in the wpconfig.properties file.
- In the User Filter field, the attribute that appears before =%v is the attribute value that is
used to log in to the portal. For example, if users log in to the portal by entering an e-mail address, and the e-mail address of the users is mapped to the LDAP user object attribute "emailaddress," then the attribute value
should be emailaddress. This attribute value might or might not also be the first RDN attribute of the DNs.
- Run the secure-portal-ldap task as described in Configure WebSphere Portal for LDAP.
- Copy the Base Distinguished Name (DN) value to the LDAPSuffix property value in the
wpconfig.properties file.
- If you use a custom user registry, follow these steps:
- Click Security User Registries
Custom. Verify that Ignore Case is selected.
Other parameters do not affect WebSphere Portal.
- Refer to the WebSphere Portal product documentation page at http://www.ibm.com/websphere/portal/library for further instructions. A whitepaper containing instructions for using WebSphere Portal with a custom user registry will be available soon.
- Click Security
See also