

Add an LDAP user registry over SSL on Solaris in a clustered environment

Add an LDAP user registry over SSL to the default federated repository to store user account information for secure authorization. You can add multiple LDAP user registries to the default federated repository.

In a single server environment the WebSphere_Portal and server1 servers can be either stopped or started.

In a clustered environment, stop all application servers on the system, including WebSphere_Portal and server1, and then start the nodeagent and deployment manager servers before starting the following task.

Perform the following steps, on the primary node only, to add an LDAP user registry over SSL to the default federated repository; repeat these steps for each additional LDAP user registry:

Use the wp_add_federated_xxx.properties helper file, located in...

...when performing this task to ensure the correct properties are entered. In the instructions below, when the step refers to wkplc.properties, use the wp_add_federated_xxx.properties helper file.

  1. Choose one of the following options to specify the LDAP server's SSL certificate in the default client trust store:

    Option: Server trust store

    To add the certificate to the trust store:

    1. Log in to the admin console.

    2. Navigate to...

    3. Click the appropriate SSL configuration from the list; for example, NodeDefaultSSLSettings.

    4. Click Key stores and certificates.

    5. Click the appropriate trust store from the list; for example, NodeDefaultTrustStore.

    6. Click Signer certificates, click Add, and then enter the following information:

      • Alias the key store uses for the signer certificate.

      • File name where the signer certificate is located.

    7. Click OK and then click Save to save the changes to the master configuration.

    To retrieve the certificate from the port:

    1. Log in to the admin console.

    2. Navigate to...

    3. Click the appropriate SSL configuration from the list; for example, NodeDefaultSSLSettings.

    4. Click Key stores and certificates.

    5. Click the appropriate trust store from the list; for example, NodeDefaultTrustStore.

    6. Click Signer certificates, click Retrieve from port, and then enter the following information:

      • Host name used when attempting to retrieve the signer certificate from the SSL port.

      • SSL Port used when attempting to retrieve the signer certificate.

      • Alias the key store uses for the signer certificate.

    7. Click Retrieve signer information to retrieve the certificate from the port.

    8. Click OK and then click Save to save the changes to the master configuration.

    Option: Client trust store

    Run...

      retrieveSigners

    ...from the profile_root/bin directory; see retrieveSigners command.

    In a deployed environment, run the retrieveSigners task, for any federated node, against the Deployment Manager.

    This task may report an error or fail but it will successfully update the trust store so the error message can be ignored.

    See Secure installation for client signer retrieval.

    During the validation task, you may receive the following prompt: "Add signer to the trust store now?". Type y and then press Enter.

    To update the trust store properties file:

    1. Edit the ssl.client.props file, located in the profile_root/properties directory.

    2. Change the com.ibm.ssl.trustStore parameter and the related trust store parameters to match the trust file specified in the SSL configuration.

      For example, enter com.ibm.ssl.trustStore=${CONFIG_ROOT}/cells/wpsbvt/nodes/wpsbvt/trust.p12 to use the default trust store.

    3. Save changes.

  2. Edit...

      profile_root/ConfigEngine/properties/wkplc.properties

  3. Set the following parameters in wkplc.properties under the VMM Federated LDAP Properties heading:

  4. Set a value for the following required entity types parameters in wkplc.properties under the LDAP entity types heading:

  5. Set a value for the following required group member parameters in wkplc.properties under the Group member attribute heading:

  6. Enter a value for the following parameters to enable Secure Sockets Layer (SSL): Required parameters:

    Optional parameters:

  7. Save changes to wkplc.properties.

  8. If WCM is installed with the Intranet and Internet Site Templates, set the following parameters in wkplc_comp.properties under the Web Content Management attribute heading...

    • WcmContentAuthorsGroupId
    • WcmContentAuthorsGroupCN

  9. Validate the LDAP server settings...

      ./ConfigEngine.sh validate-federated-ldap -DWasPassword=password

    Note that if you have not deleted the default file repository, WasPassword is the value entered during installation and not a value found in your LDAP user registry.

  10. Add an LDAP user registry to the default federated repository...

      cd profile_root/ConfigEngine
      ./ConfigEngine.sh wp-create-ldap -DWasPassword=password

    Users who are not in an LDAP do not have awareness and cannot see if other users are online. This can happen if you install WebSphere Portal and then enable a federated LDAP or federated database user repository that does not contain that user. Also, users who sign up using the Self Care portlet do not have awareness.

  11. Propagate the security changes:

    Option: Standalone

    1. cd profile_root/bin
      ./stopServer.sh server1 -username admin_userid -password admin_password

    2. cd profile_root/bin
      ./stopServer.sh WebSphere_Portal -username admin_userid -password admin_password

    3. cd profile_root/bin
      ./startServer.sh server1

    4. cd profile_root/bin
      ./startServer.sh WebSphere_Portal

    Option: Cluster

    1. cd dmgr_profile/bin
      ./stopManager.sh -username admin_userid -password admin_password

    2. cd profile_root/bin
      ./stopNode.sh -username admin_userid -password admin_password

    3. cd profile_root/bin
      ./stopServer.sh WebSphere_Portal -username admin_userid -password admin_password

    4. cd dmgr_profile/bin
      ./startManager.sh

    5. cd profile_root/bin
      ./startNode.sh

    6. cd profile_root/bin
      ./startServer.sh WebSphere_Portal

  12. Optional: Create additional base entries within the LDAP user registry. Repeat these steps for each base entry that you want to create for multiple realm support:

    1. Edit...

        profile_root/ConfigEngine/properties/wkplc.properties

    2. Enter a value for the following parameters under the VMM repository base entry configuration heading to create additional base entries within the LDAP user registry to use when creating realms:

    3. Save changes to wkplc.properties.

    4. Run...

        ./ConfigEngine.sh wp-create-base-entry -DWasPassword=password

      ...from...

        profile_root/ConfigEngine

      ...to create a base entry in a repository.

    5. Cycle all necessary servers to propagate changes.

  13. Optional: Run...

      ./ConfigEngine.sh wp-query-repository -DWasPassword=password

    ...from...

      profile_root/ConfigEngine

    ...to list the names and types of configured repositories.

  14. Run...

      ./ConfigEngine.sh wp-validate-federated-ldap-attribute-config -DWasPassword=password

    ...from...

      profile_root/ConfigEngine

    ...to check that all defined attributes are available in the configured LDAP user registry.

    After configuring LDAP, you can adapt the attribute configuration

  15. Perform the following steps to update the user registry where new users and groups are stored:

    For multiple LDAP user registries and/or a database user registry, only run this task for the user registry that you want to define as the default user registry where new users and groups are stored.

    During installation, the default file repository creates a default value in the personAccountRdnProperties and groupRdnProperties parameters.

    To change the default value, run this task twice; once to clear the default value and once to add the new value.

    1. Edit...

        profile_root/ConfigEngine/properties/wkplc.properties

    2. Enter a value for the following parameters under the VMM supported entity types configuration heading:

    3. Save changes to wkplc.properties.

    4. Run...

        ./ConfigEngine.sh wp-set-entitytypes -DWasPassword=password

      ...from...

        profile_root/ConfigEngine

      ...to delete the old attributes before adding the new attributes.

    5. Cycle all necessary servers to propagate changes.

  16. Enable the full distinguished name login if the short names are not unique for the realm:

    1. Edit...

        profile_root/ConfigEngine/properties/wkplc.properties

    2. Enter a value for realmName or leave blank to update the default realm.

    3. Save changes to wkplc.properties.

    4. Enable distinguished name login...

        cd profile_root/ConfigEngine
        ./ConfigEngine.sh wp-modify-realm-enable-dn-login -DWasPassword=password

      To disable the feature...

        ./ConfigEngine.sh wp-modify-realm-disable-dn-login -DWasPassword=password

    5. Cycle all necessary servers to propagate changes.

  17. Configure your Web server over SSL. Navigate to Configuring WebSphere Portal > Additional security features > Configuring SSL > Setting up SSL.

  18. Log on to the admin console and navigate to Security > SSL certificate and key management. Click the Use the United States Federal Information Processing Standard (FIPS) algorithms check box to enable FIPS.

  19. Enable TLS in your internet browser, located under Tools > Options > Advanced.

  20. Optional: Run the Member Fixer task to update the member names used by Web Content Management with the corresponding members in the LDAP directory. This step ensures that access to the Web content libraries for the Intranet and Internet Site Templates for the contentAuthors group is correctly mapped to the appropriate group in the LDAP directory.

    Required if you ran configure-express when installing portal.

    1. Edit...

      profile_root/PortalServer/wcm/shared/app/config/wcmservices/MemberFixerModule.properties

    2. Add the following lines to the file:

      uid=xyzadmin,o=defaultWIMFileBasedRealm -> portal_admin_DN
      cn=contentauthors,o=defaultWIMFileBasedRealm -> content_authors_group_DN

      Replace portal_admin_DN with the distinguished name of the portal administrator and content_authors_group_DN with the distinguished name of the content authors group used during LDAP configuration.

    3. Save changes and close the file.

    4. Run...

        cd profile_root/ConfigEngine
        ./ConfigEngine.sh action-express-memberfixer -DmemberfixerRealm=realm_name -DPortalAdminPwd=password -DWasPassword=password

      Where realm_name takes the value shown in Table 2:

      Table 2. Value for realm_name when running the Member Fixer task to update the member names used by Web Content Management

      LDAP Type    Value
      Standalone   Matches the value of standalone.ldap.realm in wkplc.properties.
      Federated    Matches the value of federated.realm in wkplc.properties.

      If the value for federated.realm is empty, use defaultWIMFileBasedRealm.

  21. If you have created any additional WCM libraries, run the Web content member fixer task to update the member names used by the libraries.

  22. Optional: This step is required in a production environment. Before removing the file system repository, perform the following steps to replace the WAS and WebSphere Portal administrator user ID with users that exist in the LDAP user registry:

    Before changing the user ID and password, review Special characters in user ID and passwords located under Planning for WebSphere Portal.

    If you run these tasks after you create the cluster, run them on all nodes in the cluster.

    1. Run...

        ./ConfigEngine.sh wp-change-was-admin-user -DWasPassword=password -DnewAdminId=newadminid -DnewAdminPw=newpassword

      ...from...

        profile_root/ConfigEngine

      ...to replace the old WAS administrative user with the new user.

      Provide the full distinguished name for the newAdminId and newAdminGroupId parameters.

    2. Verify that the task completed successfully.

      In a clustered environment, restart the deployment manager, the node agent(s), server1, and WebSphere_Portal servers. In a standalone environment, restart the server1 and WebSphere_Portal servers.

    3. Run...

        ./ConfigEngine.sh wp-change-portal-admin-user -DWasPassword=password -DnewAdminId=newadminid -DnewAdminPw=newpassword -DnewAdminGroupId=newadmingroup

      ...to replace the old WebSphere Portal administrative user with the new user.

      This task verifies the user against a running server instance.

      If the server is stopped, add the -Dskip.ldap.validation=true parameter to the task to skip the validation.

    4. Verify that the task completed successfully.

      In a clustered environment, restart the deployment manager, the node agent(s), server1, and WebSphere_Portal servers. In a standalone environment, restart the server1 and WebSphere_Portal servers.

  23. Optional: This step is required in a production environment. Remove the file system repository if you do not use it. The federated file system user repository that was the default security setting might not be required after federating the user repository. If the file system repository is no longer needed, removing it can help prevent conflicts created by duplicate user identities existing in multiple repositories. See Deleting the repository for information under the Configuring WebSphere Portal > Managing the user registry > Deleting the user registry configurations section of the Information Center.
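The Member Fixer mapping lines in step 20 use the form old_DN -> new_DN. The following is an added example, not IBM's code and not part of this documentation, that parses a mapping file in that format and applies it to a list of WCM member names, reporting any member that still points at the file-based realm so the missing line can be added before the task runs. The mapping targets, member names and realm suffix are constructed placeholders.

```python
# Added example (not IBM code): check a Member Fixer mapping file before running
# action-express-memberfixer. DNs below are constructed placeholders.
MAPPING_TEXT = """
uid=xyzadmin,o=defaultWIMFileBasedRealm -> uid=wpsadmin,ou=people,dc=example,dc=com
cn=contentauthors,o=defaultWIMFileBasedRealm -> cn=contentauthors,ou=groups,dc=example,dc=com
"""

# Constructed WCM member names as they might appear in a library after install.
MEMBERS = [
    "uid=xyzadmin,o=defaultWIMFileBasedRealm",
    "CN=ContentAuthors, o=defaultWIMFileBasedRealm",  # case and spacing differ
    "uid=editor1,o=defaultWIMFileBasedRealm",         # no mapping line for this one
    "uid=jdoe,ou=people,dc=example,dc=com",           # already an LDAP DN
]
FILE_REALM = "o=defaultWIMFileBasedRealm"

def normalize_dn(dn):
    """Canonical form for comparison: trimmed RDNs, lower case.
    Assumes no escaped commas inside RDN values."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_mapping(text):
    """Parse 'old_dn -> new_dn' lines into {normalized_old_dn: new_dn}."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "->" not in line:
            raise ValueError("malformed mapping line: %r" % line)
        old, new = (s.strip() for s in line.split("->", 1))
        mapping[normalize_dn(old)] = new
    return mapping

def remap_members(members, mapping, file_realm=FILE_REALM):
    """Apply the mapping; return (remapped names, names still in the file
    realm) so missing lines can be added before the task is run."""
    remapped, leftover = [], []
    for member in members:
        target = mapping.get(normalize_dn(member))
        remapped.append(target or member)
        if target is None and normalize_dn(member).endswith(normalize_dn(file_realm)):
            leftover.append(member)
    return remapped, leftover

def check_mapping_file(text=MAPPING_TEXT, members=MEMBERS):
    return remap_members(members, parse_mapping(text))
```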

If you performed these steps after creating the clustered environment, run the enable-jcr-security task on the secondary node; see Enabling LDAP security after cluster creation.
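Step 16 enables full distinguished name login when short names are not unique in a realm, and step 23 removes the file repository to avoid duplicate identities across repositories. The following is an added example, not IBM's code and not part of this documentation, that takes the DNs held by each repository of one realm (repository ids and DNs are constructed; a real list would come from your directories and from the repositories named by wp-query-repository), finds short names that occur more than once, and maps each collision to the step that addresses it.

```python
# Added example (not IBM code): find login short names that are not unique
# across the repositories of one realm. Repository ids and DNs are constructed.
from collections import defaultdict

FILE_REPO_ID = "file"  # constructed id standing in for the default file repository
REPOSITORIES = {
    "file": [
        "uid=wpsadmin,o=defaultWIMFileBasedRealm",
        "uid=xyzadmin,o=defaultWIMFileBasedRealm",
        "cn=contentauthors,o=defaultWIMFileBasedRealm",
    ],
    "ldap1": [
        "uid=wpsadmin,ou=people,dc=example,dc=com",
        "uid=jdoe,ou=people,dc=example,dc=com",
        "cn=contentauthors,ou=groups,dc=example,dc=com",
    ],
    "ldap2": ["uid=jdoe,ou=staff,dc=partner,dc=example"],
}

def short_name(dn):
    """Value of the first RDN, e.g. 'wpsadmin' for 'uid=wpsadmin,...'.
    Assumes no escaped commas inside RDN values."""
    rdn = dn.split(",", 1)[0].strip().lower()
    return rdn.split("=", 1)[1] if "=" in rdn else rdn

def find_collisions(repositories):
    """{short_name: [(repo_id, dn), ...]} for names present more than once."""
    seen = defaultdict(list)
    for repo_id, dns in repositories.items():
        for dn in dns:
            seen[short_name(dn)].append((repo_id, dn))
    return {name: hits for name, hits in seen.items() if len(hits) > 1}

def recommend(repositories, file_repo_id=FILE_REPO_ID):
    """Map each collision to the remedy the procedure offers: a duplicate
    involving the file repository disappears when that repository is removed
    (step 23); a duplicate between LDAP repositories needs full distinguished
    name login (step 16)."""
    advice = {}
    for name, hits in find_collisions(repositories).items():
        repos = {repo_id for repo_id, _ in hits}
        advice[name] = ("remove file repository" if file_repo_id in repos
                        else "enable DN login")
    return advice
```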


Parent topic:

Configure a federated LDAP user registry on Solaris in a clustered environment

