Add realm support on Windows in a clustered environment

A realm is a group of users from one or more user registries that form a coherent group within WebSphere Portal. Realms are mapped to Virtual Portals. When configuring realm support, you can perform these steps for each base entry that exists in your LDAP and/or database user registry to create multiple realm support. Before configuring realm support, add all LDAP user registries and/or database user registries to the federated repository.

To create multiple realms, create all required base entries within your LDAP user registries and/or database user registries. Base entry names must be unique within the federated repository.

In a single server environment the WebSphere_Portal and server1 servers can be either stopped or started.

In a clustered environment, stop all application servers on the system, including WebSphere_Portal and server1, and then start the nodeagent and deployment manager servers before starting the following task.

To add realm support to the user registry model:

  1. Edit profile_root/ConfigEngine/properties/wkplc.properties.

  2. Set the following parameters in wkplc.properties under the VMM realm configuration heading:

  3. Save changes to wkplc.properties.

  4. Run ConfigEngine.bat wp-create-realm -DWasPassword=password from the profile_root/ConfigEngine directory to add a new realm to the Virtual Member Manager configuration.

      For multiple realms, first verify that the federated repository contains the required unique base entries. If it does not:

      1. Cycle the deployment manager, the node agent(s), server1, and the WebSphere_Portal servers.

      2. Update wkplc.properties with the base entry information.

      3. Rerun the wp-create-realm task.

      4. Repeat until all realms are created.

  5. Propagate the security changes:

      Standalone:

      1. cd profile_root/bin
         stopServer.bat server1 -username admin_userid -password admin_password

      2. cd profile_root/bin
         stopServer.bat WebSphere_Portal -username admin_userid -password admin_password

      3. cd profile_root/bin
         startServer.bat server1

      4. cd profile_root/bin
         startServer.bat WebSphere_Portal

      Cluster:

      1. cd dmgr_profile/bin
         stopManager.bat -username admin_userid -password admin_password

      2. cd profile_root/bin
         stopNode.bat -username admin_userid -password admin_password

      3. cd profile_root/bin
         stopServer.bat WebSphere_Portal -username admin_userid -password admin_password

      4. cd dmgr_profile/bin
         startManager.bat

      5. cd profile_root/bin
         startNode.bat

      6. cd profile_root/bin
         startServer.bat WebSphere_Portal

  6. Enter a value for the following parameters under the VMM realm configuration heading:

  7. Run ConfigEngine.bat wp-modify-realm-defaultparents -DWasPassword=password from the profile_root/ConfigEngine directory to update the default parents per entity type and realm.

      Cycle the deployment manager, the node agent(s), server1, and the WebSphere_Portal servers before rerunning this task for any additional entity types and realms.

  8. Propagate the security changes:

      Standalone:

      1. cd profile_root/bin
         stopServer.bat server1 -username admin_userid -password admin_password

      2. cd profile_root/bin
         stopServer.bat WebSphere_Portal -username admin_userid -password admin_password

      3. cd profile_root/bin
         startServer.bat server1

      4. cd profile_root/bin
         startServer.bat WebSphere_Portal

      Cluster:

      1. cd dmgr_profile/bin
         stopManager.bat -username admin_userid -password admin_password

      2. cd profile_root/bin
         stopNode.bat -username admin_userid -password admin_password

      3. cd profile_root/bin
         stopServer.bat WebSphere_Portal -username admin_userid -password admin_password

      4. cd dmgr_profile/bin
         startManager.bat

      5. cd profile_root/bin
         startNode.bat

      6. cd profile_root/bin
         startServer.bat WebSphere_Portal

      • Optional: Add additional base entries to the realm configuration. For example, if you had two additional base entries (base entry 1 and base entry 2) to add to the realm you just created, you would update wkplc.properties with the information for base entry 1 and run this task, then update the properties file with the information for base entry 2 and run this task again:

        1. Edit profile_root/ConfigEngine/properties/wkplc.properties.

        2. Enter a value for the following parameters under the VMM realm configuration heading:

        3. Save changes to wkplc.properties.

        4. Run ConfigEngine.bat wp-add-realm-baseentry -DWasPassword=password from the profile_root/ConfigEngine directory to add an additional LDAP base entry to the realm configuration.

        5. Cycle all necessary servers to propagate the changes.

      • If you change the default realm, replace the WAS and WebSphere Portal administrator user ID.

        1. Create a new user to replace the current WAS administrative user.

        2. Create a new user to replace the current WebSphere Portal administrative user.

        3. Create a new group to replace the current group.

        4. Run ConfigEngine.bat wp-change-was-admin-user -DWasPassword=password -DnewAdminId=newadminid -DnewAdminPw=newpassword from the profile_root/ConfigEngine directory to replace the old WAS administrative user with the new user.

            Provide the full distinguished name for the newAdminId and newAdminGroupId parameters.

            This task verifies the user against a running server instance. If the server is stopped, add the -Dskip.ldap.validation=true parameter to the task to skip the validation.

        5. Verify that the task completed successfully.

            In a clustered environment, restart the deployment manager, the node agent(s), server1, and WebSphere_Portal servers. In a standalone environment, restart the server1 and WebSphere_Portal servers.

        6. Run ConfigEngine.bat wp-change-portal-admin-user -DWasPassword=password -DnewAdminId=newadminid -DnewAdminPw=newpassword -DnewAdminGroupId=newadmingroup from the profile_root/ConfigEngine directory to replace the old WebSphere Portal administrative user with the new user.

            Provide the full distinguished name for the newAdminId and newAdminGroupId parameters.

            This task verifies the user against a running server instance. If the server is stopped, add the -Dskip.ldap.validation=true parameter to the task to skip the validation.

        7. Verify that the task completed successfully.

            In a clustered environment, restart the deployment manager, the node agent(s), server1, and WebSphere_Portal servers. In a standalone environment, restart the server1 and WebSphere_Portal servers.

      • Optional: Set the realm created as the default realm:

        Only users defined in base entries that exist in the default realm are able to log in to WebSphere Portal. If a user cannot log in to WebSphere Portal, verify that the base entry containing the user exists in the default realm. To see which base entries are part of the default realm, run the wp-query-realm-baseentry task. If the default realm is missing the base entry, run wp-add-realm-baseentry.

        1. Edit profile_root/ConfigEngine/properties/wkplc.properties.

        2. For defaultRealmName, type the realmName to use as the default.

        3. Save changes to wkplc.properties.

        4. Run ConfigEngine.bat wp-default-realm -DWasPassword=password from the profile_root/ConfigEngine directory to set this realm as the default realm.

        5. Cycle all necessary servers to propagate the changes.

      • Query a realm for a list of its base entries:

        1. Edit profile_root/ConfigEngine/properties/wkplc.properties.

        2. For realmName, set the name of the realm to query.

        3. Save changes to wkplc.properties.

        4. Run ConfigEngine.bat wp-query-realm-baseentry -DWasPassword=password from the profile_root/ConfigEngine directory to list the base entries for the specified realm.

      • Enable the full distinguished name login if the short names are not unique for the realm:

        1. Edit profile_root/ConfigEngine/properties/wkplc.properties.

        2. Enter a value for realmName or leave blank to update the default realm.

        3. Save changes to wkplc.properties.

        4. Run ConfigEngine.bat wp-modify-realm-enable-dn-login -DWasPassword=password from the profile_root/ConfigEngine directory to enable the distinguished name login.

            After running this task to enable the full distinguished name login, you can run ConfigEngine.bat wp-modify-realm-disable-dn-login -DWasPassword=password to disable the feature again.

        5. Cycle all necessary servers to propagate the changes.

If you performed these steps after creating the clustered environment, run enable-jcr-security on the secondary node.
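The following PowerShell script is an added example, not IBM's code, that automates the optional "add additional base entries" loop above together with the Cluster restart sequence from the propagate-security-changes table: for each base entry it updates wkplc.properties, runs wp-add-realm-baseentry, checks the exit code, and cycles the servers in the documented order. It assumes the profile paths and admin credentials are passed as parameters, that the cluster is already in the state the page requires before the first run, and, because this page does not name the wkplc.properties key that holds the base entry, takes that key as a parameter too.

```powershell
# Added example (not IBM's code). Assumption: $BaseEntryKey names the wkplc.properties
# key for the base entry; this page does not name it, so verify it against your file.
param(
    [Parameter(Mandatory)][string]$ProfileRoot,    # e.g. C:\IBM\WebSphere\wp_profile
    [Parameter(Mandatory)][string]$DmgrProfile,    # the deployment manager profile directory
    [Parameter(Mandatory)][string]$AdminUser,
    [Parameter(Mandatory)][string]$AdminPassword,
    [Parameter(Mandatory)][string]$RealmName,
    [Parameter(Mandatory)][string[]]$BaseEntries,  # base entry DNs to add, in order
    [Parameter(Mandatory)][string]$BaseEntryKey    # assumed property name, see above
)
$props = Join-Path $ProfileRoot 'ConfigEngine\properties\wkplc.properties'

function Set-WkplcProperty([string]$Key, [string]$Value) {
    # Back up the file, then replace the key if present or append it (Java .properties syntax).
    Copy-Item $props "$props.$(Get-Date -Format yyyyMMddHHmmss).bak"
    $pattern = '^\s*' + [regex]::Escape($Key) + '\s*='
    $lines = @(Get-Content $props)
    if (-not ($lines -match $pattern)) { $lines += "$Key=$Value" }
    $lines = $lines | ForEach-Object { if ($_ -match $pattern) { "$Key=$Value" } else { $_ } }
    Set-Content -Path $props -Value $lines
}

function Invoke-ConfigEngine([string]$Task) {
    # Stop on a non-zero exit code rather than continue with a half-applied realm.
    Push-Location (Join-Path $ProfileRoot 'ConfigEngine')
    try {
        & .\ConfigEngine.bat $Task "-DWasPassword=$AdminPassword"
        if ($LASTEXITCODE -ne 0) { throw "$Task failed with exit code $LASTEXITCODE" }
    } finally { Pop-Location }
}

function Restart-PortalCluster {
    # Same order as the page's Cluster table: stop dmgr, node, portal; start dmgr, node, portal.
    $cred = @('-username', $AdminUser, '-password', $AdminPassword)
    & (Join-Path $DmgrProfile 'bin\stopManager.bat') @cred
    & (Join-Path $ProfileRoot 'bin\stopNode.bat') @cred
    & (Join-Path $ProfileRoot 'bin\stopServer.bat') 'WebSphere_Portal' @cred
    & (Join-Path $DmgrProfile 'bin\startManager.bat')
    & (Join-Path $ProfileRoot 'bin\startNode.bat')
    & (Join-Path $ProfileRoot 'bin\startServer.bat') 'WebSphere_Portal'
}

Set-WkplcProperty -Key 'realmName' -Value $RealmName
foreach ($entry in $BaseEntries) {
    Set-WkplcProperty -Key $BaseEntryKey -Value $entry
    Invoke-ConfigEngine -Task 'wp-add-realm-baseentry'
    Restart-PortalCluster                      # page: cycle all necessary servers after each run
}
Invoke-ConfigEngine -Task 'wp-query-realm-baseentry'   # confirm the realm now lists every entry
```

The final wp-query-realm-baseentry run is the check the page recommends for login failures: every base entry you added should appear in its output.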


Parent topic: Configure the default federated repository on Windows in a clustered environment

Related tasks: Enable LDAP security after cluster creation

Related information: User IDs and passwords