Add realm support on Solaris in a clustered environment

A realm is a group of users from one or more user registries that form a coherent group within WebSphere Portal. Realms are mapped to Virtual Portals. When configuring realm support, you can perform these steps for each base entry that exists in your LDAP and/or database user registry to create support for multiple realms. Before configuring realm support, add all LDAP user registries and/or database user registries to the federated repository.

To create multiple realms, create all required base entries within your LDAP user registries and/or database user registries. Base entry names must be unique within the federated repository.

In a single server environment, the WebSphere_Portal and server1 servers can be either stopped or started.

In a clustered environment, stop all appservers on the system, including WebSphere_Portal and server1, and then start the nodeagent and deployment manager servers before starting the following task.

To add realm support to the user registry model:

  1. Edit...

      profile_root/ConfigEngine/properties/wkplc.properties

  2. Set the following parameters in wkplc.properties under the VMM realm configuration heading:

  3. Save changes to wkplc.properties.

  4. Add the new realm to the Virtual Member Manager configuration...

      cd profile_root/ConfigEngine
      ./ConfigEngine.sh wp-create-realm -DWasPassword=password

    For multiple realms, first verify the federated repository contains the required unique base entries. If not...

    1. Cycle the deployment manager, the node agent(s), server1, and the WebSphere_Portal servers

    2. Update wkplc.properties with the base entry information

    3. Rerun the wp-create-realm task

    4. Repeat until all realms are created

  5. Propagate the security changes:

    Option Description
    Standalone

    1. cd profile_root/bin
      ./stopServer.sh server1 -username admin_userid -password admin_password

    2. cd profile_root/bin
      ./stopServer.sh WebSphere_Portal -username admin_userid -password admin_password

    3. cd profile_root/bin
      ./startServer.sh server1

    4. cd profile_root/bin
      ./startServer.sh WebSphere_Portal

    Cluster

    1. cd dmgr_profile/bin
      ./stopManager.sh -username admin_userid -password admin_password

    2. cd profile_root/bin
      ./stopNode.sh -username admin_userid -password admin_password

    3. cd profile_root/bin
      ./stopServer.sh WebSphere_Portal -username admin_userid -password admin_password

    4. cd dmgr_profile/bin
      ./startManager.sh

    5. cd profile_root/bin
      ./startNode.sh

    6. cd profile_root/bin
      ./startServer.sh WebSphere_Portal

  6. Enter a value for the following parameters under the VMM realm configuration heading:

  7. Update the default parents per entity type and realm...

      cd profile_root/ConfigEngine
      ./ConfigEngine.sh wp-modify-realm-defaultparents -DWasPassword=password

    Cycle the deployment manager, the node agent(s), server1, and the WebSphere_Portal servers before rerunning this task for any additional entity types and realms.

  8. Propagate the security changes:

    Option Description
    Standalone

    1. cd profile_root/bin
      ./stopServer.sh server1 -username admin_userid -password admin_password

    2. cd profile_root/bin
      ./stopServer.sh WebSphere_Portal -username admin_userid -password admin_password

    3. cd profile_root/bin
      ./startServer.sh server1

    4. cd profile_root/bin
      ./startServer.sh WebSphere_Portal

    Cluster

    1. cd dmgr_profile/bin
      ./stopManager.sh -username admin_userid -password admin_password

    2. ./stopNode.sh -username admin_userid -password admin_password

      ...from...

        profile_root/bin

    3. cd profile_root/bin
      ./stopServer.sh WebSphere_Portal -username admin_userid -password admin_password

    4. cd dmgr_profile/bin
      ./startManager.sh

    5. ./startNode.sh

      ...from...

        profile_root/bin

    6. cd profile_root/bin
      ./startServer.sh WebSphere_Portal

  9. Optional: Add additional base entries to the realm configuration. Run the following steps once per base entry. For example, if you had two additional base entries (base entry 1 and base entry 2) to add to the realm you just created, you would update wkplc.properties with the information from base entry 1 and then run this task; then you would update the properties file with the information for base entry 2 and run this task again:

    1. Edit...

        profile_root/ConfigEngine/properties/wkplc.properties

    2. Enter a value for the following parameters under the VMM realm configuration heading:

    3. Save changes to wkplc.properties.

    4. Run...

        ./ConfigEngine.sh wp-add-realm-baseentry -DWasPassword=password

      ...from...

        profile_root/ConfigEngine

      ...to add additional LDAP base entries to the realm configuration.

    5. Cycle all necessary servers to propagate changes.

  10. If you change the default realm, replace the WAS and WebSphere Portal administrator user ID.

    1. Create a new user to replace the current WAS administrative user.

    2. Create a new user to replace the current WebSphere Portal administrative user.

    3. Create a new group to replace the current group.

    4. Replace the old WAS administrative user with the new user...

        cd profile_root/ConfigEngine
        ./ConfigEngine.sh wp-change-was-admin-user -DWasPassword=password -DnewAdminId=newadminid -DnewAdminPw=newpassword

      Provide the full distinguished name for the newAdminId and newAdminGroupId parameters.

      This task verifies the user against a running server instance.

      If the server is stopped, add the -Dskip.ldap.validation=true parameter to the task to skip the validation.

    5. Verify that the task completed successfully.

      In a clustered environment, restart the deployment manager, the node agent(s), server1, and WebSphere_Portal servers. In a standalone environment, restart the server1 and WebSphere_Portal servers.

    6. To replace the old WebSphere Portal administrative user with the new user...

        ./ConfigEngine.sh wp-change-portal-admin-user -DWasPassword=password -DnewAdminId=newadminid -DnewAdminPw=newpassword -DnewAdminGroupId=newadmingroup

      Provide the full distinguished name for the newAdminId and newAdminGroupId parameters.

      This task verifies the user against a running server instance.

      If the server is stopped, add the -Dskip.ldap.validation=true parameter to the task to skip the validation.

    7. Verify that the task completed successfully.

      In a clustered environment, restart the deployment manager, the node agent(s), server1, and WebSphere_Portal servers. In a standalone environment, restart the server1 and WebSphere_Portal servers.

  11. Optional: Set the realm created as the default realm:

    Only users defined in base entries that exist in the default realm are able to log into WebSphere Portal. For users that cannot log in to WebSphere Portal, verify the base entry that contains the user exists in the default realm. To see what base entries are part of the default realm run the task wp-query-realm-baseentry. If the default realm is missing the base entry, run wp-add-realm-baseentry.

    1. Edit...

        profile_root/ConfigEngine/properties/wkplc.properties

    2. For defaultRealmName, type the realmName to use as the default.

    3. Save changes to wkplc.properties.

    4. Set this realm as the default realm...

        cd profile_root/ConfigEngine
        ./ConfigEngine.sh wp-default-realm -DWasPassword=password

    5. Cycle all necessary servers to propagate changes.

  12. Query the realm for a list of base entries:

    1. Edit...

        profile_root/ConfigEngine/properties/wkplc.properties

    2. For realmName, set the name of the realm to query.

    3. Save changes to wkplc.properties.

    4. List base entries for realm...

        cd profile_root/ConfigEngine
        ./ConfigEngine.sh wp-query-realm-baseentry -DWasPassword=password

  13. Enable the full distinguished name login if the short names are not unique for the realm:

    1. Edit...

        profile_root/ConfigEngine/properties/wkplc.properties

    2. Enter a value for realmName or leave blank to update the default realm.

    3. Save changes to wkplc.properties.

    4. Enable distinguished name login...

        cd profile_root/ConfigEngine
        ./ConfigEngine.sh wp-modify-realm-enable-dn-login -DWasPassword=password

      To disable the feature...

        ./ConfigEngine.sh wp-modify-realm-disable-dn-login -DWasPassword=password

    5. Cycle all necessary servers to propagate changes.

If you performed these steps after creating the clustered environment, run enable-jcr-security on the secondary node.
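
The two base-entry rules above (base entry names must be unique within the federated repository, and a user can log in only if the base entry containing the user is in the default realm) can be checked before running wp-create-realm or wp-add-realm-baseentry. The following is an added example, not part of the product or its documentation: the function names are hypothetical, the DNs are constructed, and the input is assumed to be a hand-prepared list of base entry DNs, one per line.

```shell
#!/bin/sh
# Added example: pre-flight checks on realm base entries (hypothetical helpers).

# Normalize a DN for comparison: lowercase, no spaces around "," and "=".
norm_dn() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' |
        sed -e 's/[[:space:]]*,[[:space:]]*/,/g' \
            -e 's/[[:space:]]*=[[:space:]]*/=/g' \
            -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# stdin: base entry DNs, one per line.
# stdout: every base entry that appears more than once after normalization.
duplicate_base_entries() {
    while IFS= read -r dn || [ -n "$dn" ]; do
        if [ -n "$dn" ]; then norm_dn "$dn"; fi
    done | sort | uniq -d
}

# $1: user DN; stdin: base entry DNs of the realm, one per line.
# Returns 0 if the user DN sits under one of the base entries, 1 otherwise.
user_in_base_entries() {
    user=$(norm_dn "$1")
    while IFS= read -r base || [ -n "$base" ]; do
        [ -n "$base" ] || continue
        base=$(norm_dn "$base")
        rest=${user%",$base"}
        [ "$rest" != "$user" ] || continue   # not a suffix of the user DN
        case "$rest" in
            *\\) ;;                          # "\," is an escaped comma, not an RDN boundary
            *) return 0 ;;
        esac
    done
    return 1
}

# Constructed sample: two repositories contribute the same base entry,
# written with different case and spacing. Prints: o=example
printf '%s\n' 'o=example' 'O = Example' 'dc=corp,dc=test' | duplicate_base_entries
```

Any output from duplicate_base_entries means the base entries are not unique; a non-zero status from user_in_base_entries matches the login failure described in step 11.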

