Secure WSRP by SSL for a Producer portal

As a Producer, ensure security for WSRP services by configuring SSL with Client Certificate Authentication.

J2EE allows only one authentication mechanism per WAR file. To allow you to use SSL for WSRP while continuing to use other means of authentication for the rest of the portal, WSRP introduces a second WAR file for the Producer portal. This second WAR file is named wps_facade.war.

It contains servlets that act as a facade Web application, channeling the WSRP requests to the Producer's access points.

This allows you to use SSL client certificate authentication for the WSRP Producer portal and, at the same time, other methods of authentication for the rest of the portal, for example form-based authentication.

You set this up as follows:

This second WAR file requires a separate context root for the Producer. The default value for this second context root is wsrp, to give the full context root...

You can configure this context root as required. To do this, modify the property uri.context.path.facade to a different value in the portal Config Service in the administrative console. For details about how to change portal service configuration parameters refer to the topic about setting configuration properties.

Security notice: Do not use portlets that use the Credential Vault over WSRP in conjunction with SSL client certificate authentication. When SSL client certificate authentication is configured for WSRP services, the Consumer portal authenticates to the Producer with a single proxy user ID on behalf of all of its individual users; that proxy user ID is determined by the Consumer-side SSL client certificate. The WSRP Consumer still passes each user's personalization information to the WSRP Producer, but it authenticates every user with the same identity information. Consequently, if a portlet on the Producer portal uses the Credential Vault, all users from one Consumer portal access the same credential slot and can read and overwrite each other's settings in that slot.

To configure the portal for securing WSRP services by SSL...

  1. Configure WAS for SSL support.

    For the latest information about configuring WAS for LDAP over SSL, go to www.redbooks.ibm.com and search for the security handbook.

    Proceed as follows:

    1. Enable security.

    2. Enable SSL ID tracking.

      For WAS v6.1:

        Servers | Application Servers | WebSphere_Portal | Web Container Settings | Web Container | Session Management | SSL ID tracking

      For WAS v7:

        Servers | Server Types | WebSphere appservers | WebSphere_Portal | Web Container Settings | Web Container | Session Management | SSL ID tracking

    3. Configure advanced LDAP security settings.

      Certificate-based authentication requires that you configure the authentication mechanism so that one of the following conditions applies:

      • WAS maps the entire Distinguished Name from the subject field of the certificate to a corresponding Distinguished Name in your LDAP.

        To use this option, set the mapping technique in the LDAP configuration panel to exact.

      • WAS maps the entry in the subject field to a different attribute than the Distinguished Name in the user registry.

        To use this option, set the mapping technique in the LDAP configuration panel to the certificate filter option. The certificate filter gives you the flexibility to identify users by attributes other than the Distinguished Name. For example, the filter...

          uid=${SubjectCN}

        ...maps the SubjectCN field of the client certificate to the uid attribute in your LDAP.

    4. Define a new virtual host alias. Go to...

        Environment | Virtual Hosts | default_host | Host Aliases | New

      ...and define your SSL communication port. You can use an asterisk ( * ) as a wild card for the host name.

  2. If you use an external HTTP server, perform the following additional steps:

    1. Regenerate the plug-in:

      For WAS v6.1:

      Click Servers | Web Servers

      For WAS v7:

      Click Servers | Server Types | Web Servers

    2. Select the Web server and click Generate Plug-in.

    3. Update the HTTP server with the generated plug-in.

    4. Create the server certificates in the keystore of your HTTP server.

    5. Export the server certificates from the HTTP server. You will later give that information to the WSRP Consumer.

    6. Restart the HTTP server for the changes to take effect.

    7. Enable client certificate authentication in your Web server. For IBM HTTP Server (IHS), refer to http://www.redbooks.ibm.com/ and search for the security handbook for the latest information.

  3. Add new tags to the web.xml file. Proceed by the following steps:

    1. Edit the file web.xml. It is located in...

        was_config_root/cells/cellname/applications/wps.ear/deployments/wps/wps_facade.war/WEB-INF

      If you have a cluster installation, perform this step on the Network Deployment server.

    2. Add a new login-config tag for the client certificate authentication method with a new unique ID. For example, this can be as follows:

      <login-config id="LoginConfig_your_id_number">
         <auth-method>CLIENT-CERT</auth-method>
         <realm-name>WPS_FACADE</realm-name>
      </login-config>

    3. Add new security-constraint tags with unique IDs for the WSRPBaseService, WSRPServiceDescriptionService, and WSRPPortletManagementService URL patterns. The following example shows the WSRPBaseService URL pattern:

      <security-constraint id="SecurityConstraint_your_id_number">
         <web-resource-collection id="WebResourceCollection_your_id_number">
            <web-resource-name></web-resource-name>
            <url-pattern>/WSRPBaseService</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
         </web-resource-collection>
         <auth-constraint id="AuthConstraint_your_id_number">
            <description></description>
            <role-name>All Role</role-name>
         </auth-constraint>
         <user-data-constraint id="UserDataConstraint_your_id_number">
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
      </security-constraint>

    4. Save changes.

  4. Update the affected parameters as required:

    1. To enable Portal Access Control for the Producer portal, set the property wsrp.security.enabled to true in the portal Config Service in the administrative console. For details about how to do this, refer to the topic about setting configuration properties.

    2. If the URLs of the WSRP ports have to point to different locations or use different ports, configure them accordingly. By default, the URLs of the WSRP ports are the same as the URLs by which the Web services WSDL document is addressed by Consumers.

      For details about how you can change these URLs refer to the topic about setting the WSRP SOAP ports.

  5. Restart the portal for the changes to take effect.
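As an added check for step 3 (example code written for this page, not IBM's own), the following script parses a wps_facade.war web.xml and reports whether the login-config uses CLIENT-CERT and whether each of the three WSRP URL patterns is covered by a security-constraint that has an auth-constraint role and a CONFIDENTIAL transport-guarantee. The two embedded descriptors are constructed samples, not taken from a real installation.

```python
import xml.etree.ElementTree as ET

# The three WSRP endpoints the page says must each get a security-constraint.
WSRP_PATTERNS = {"/WSRPBaseService", "/WSRPServiceDescriptionService",
                 "/WSRPPortletManagementService"}

def _texts(elem, name):
    # Text of every descendant whose local tag name (namespace prefix stripped,
    # so a {http://java.sun.com/xml/ns/j2ee} descriptor also works) is `name`.
    return {(e.text or "").strip() for e in elem.iter()
            if e.tag.rsplit("}", 1)[-1] == name} - {""}

def audit_facade_web_xml(xml_text):
    """Return a list of findings; an empty list means the descriptor follows the page's steps."""
    root = ET.fromstring(xml_text)
    findings = []
    # Step 3.2 of the page: the login-config must use CLIENT-CERT.
    if "CLIENT-CERT" not in _texts(root, "auth-method"):
        findings.append("login-config: auth-method is not CLIENT-CERT")
    # Step 3.3: each WSRP URL pattern needs an auth-constraint role and CONFIDENTIAL transport.
    status = {}
    for sc in (e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "security-constraint"):
        ok = ("CONFIDENTIAL" in _texts(sc, "transport-guarantee")
              and bool(_texts(sc, "role-name")))
        for pat in _texts(sc, "url-pattern") & WSRP_PATTERNS:
            status[pat] = status.get(pat, False) or ok  # one good constraint is enough
    for pat in sorted(WSRP_PATTERNS):
        if pat not in status:
            findings.append(f"{pat}: no security-constraint")
        elif not status[pat]:
            findings.append(f"{pat}: missing CONFIDENTIAL transport-guarantee or auth-constraint role")
    return findings

# Constructed sample descriptors (not copied from a real wps_facade.war).
GOOD_WEB_XML = """<web-app>
 <login-config><auth-method>CLIENT-CERT</auth-method><realm-name>WPS_FACADE</realm-name></login-config>
 <security-constraint><web-resource-collection>
  <url-pattern>/WSRPBaseService</url-pattern><url-pattern>/WSRPServiceDescriptionService</url-pattern>
  <url-pattern>/WSRPPortletManagementService</url-pattern></web-resource-collection>
  <auth-constraint><role-name>All Role</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
 </security-constraint></web-app>"""

# Weak variant: FORM login, only one endpoint constrained, and no TLS requirement on it.
WEAK_WEB_XML = """<web-app>
 <login-config><auth-method>FORM</auth-method></login-config>
 <security-constraint><web-resource-collection><url-pattern>/WSRPBaseService</url-pattern>
  </web-resource-collection><auth-constraint><role-name>All Role</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
 </security-constraint></web-app>"""
```

Run it against the real file at the path given in step 3.1 after saving your changes; an empty result means all three endpoints are constrained as the procedure describes.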

Parent topic:

Prepare security for a WSRP Producer portal

Related information

http://www.redbooks.ibm.com/