Add realm support on i5/OS in a clustered environment

A realm is a group of users from one or more user registries that form a coherent group within WebSphere Portal. Realms are mapped to Virtual Portals. When configuring realm support, you can perform these steps for each base entry that exists in your LDAP and/or database user registry to create multiple realm support. Before configuring realm support, add all LDAP user registries and/or database user registries to the federated repository.

To create multiple realms, create all required base entries within your LDAP user registries and/or database user registries. Base entry names must be unique within the federated repository.

In a single server environment, the WebSphere_Portal and server1 servers can be either stopped or started.

In a clustered environment, stop all application servers on the system, including WebSphere_Portal and server1, and then start the nodeagent and deployment manager servers before starting the following task.

To add realm support to the user registry model:

  1. Edit...

      profile_root/ConfigEngine/properties/wkplc.properties

  2. Set the following parameters in wkplc.properties under the VMM realm configuration heading:

  3. Save changes to wkplc.properties.

  4. Run...

      ConfigEngine.sh wp-create-realm -DWasPassword=password task, from profile_root/ConfigEngine, to add a new realm to the Virtual Member Manager configuration.

      For multiple realms, first verify the federated repository contains the required unique base entries. If not...

      1. Cycle the deployment manager, the node agent(s), server1, and the WebSphere_Portal servers

      2. Update wkplc.properties with the base entry information

      3. Rerun the wp-create-realm task

      4. Repeat until all realms are created

    • Propagate the security changes:

      Option Description
      Standalone

      1. stopServer server1 -username admin_userid -password admin_password

        ...from...

          profile_root/bin

      2. stopServer WebSphere_Portal -username admin_userid -password admin_password

        ...from...

          profile_root/bin

      3. startServer server1

        ...from...

          profile_root/bin

      4. startServer WebSphere_Portal

        ...from...

          profile_root/bin

      Cluster

      1. stopManager -username admin_userid -password admin_password, from the DMGR_PROFILE/bin

      2. stopNode -username admin_userid -password admin_password from the profile_root/bin directory

      3. stopServer WebSphere_Portal -username admin_userid -password admin_password

        ...from...

          profile_root/bin

      4. startManager, from the DMGR_PROFILE/bin

      5. startNode

        ...from...

          profile_root/bin

      6. startServer WebSphere_Portal

        ...from...

          profile_root/bin

    • Enter a value for the following parameters under the VMM realm configuration heading:

    • Run...

        ConfigEngine.sh wp-modify-realm-defaultparents -DWasPassword=password task, from profile_root/ConfigEngine, to update the default parents per entity type and realm.

        Cycle the deployment manager, the node agent(s), server1, and the WebSphere_Portal servers before rerunning this task for any additional entity types and realms.

      • Propagate the security changes:

        Option Description
        Standalone

        1. stopServer server1 -username admin_userid -password admin_password

          ...from...

            profile_root/bin

        2. stopServer WebSphere_Portal -username admin_userid -password admin_password

          ...from...

            profile_root/bin

        3. startServer server1

          ...from...

            profile_root/bin

        4. startServer WebSphere_Portal

          ...from...

            profile_root/bin

        Cluster

        1. stopManager -username admin_userid -password admin_password, from the DMGR_PROFILE/bin

        2. stopNode -username admin_userid -password admin_password from the profile_root/bin directory

        3. stopServer WebSphere_Portal -username admin_userid -password admin_password

          ...from...

            profile_root/bin

        4. startManager, from the DMGR_PROFILE/bin

        5. startNode

          ...from...

            profile_root/bin

        6. startServer WebSphere_Portal

          ...from...

            profile_root/bin

      • Optional: Add additional base entries to the realm configuration. For example, if you had two additional base entries (base entry 1 and base entry 2) to add to the realm you just created, you would update wkplc.properties with the information from base entry 1 and then run this task. Then you would update the properties file with the information for base entry 2 and run this task again:

        1. Edit...

            profile_root/ConfigEngine/properties/wkplc.properties

        2. Enter a value for the following parameters under the VMM realm configuration heading:

        3. Save changes to wkplc.properties.

        4. Run...

            ConfigEngine.sh wp-add-realm-baseentry -DWasPassword=password task, from...

              profile_root/ConfigEngine

            ...to add additional LDAP base entries to the realm configuration.

          • Cycle all necessary servers to propagate changes.

      • If you change the default realm, replace the WAS and WebSphere Portal administrator user ID.

        1. Create a new user to replace the current WAS administrative user.

        2. Create a new user to replace the current WebSphere Portal administrative user.

        3. Create a new group to replace the current group.

        4. Run...

            ConfigEngine.sh wp-change-was-admin-user -DWasPassword=password -DnewAdminId=newadminid -DnewAdminPw=newpassword task, from...

              profile_root/ConfigEngine

            ...to replace the old WAS administrative user with the new user.

            Provide the full distinguished name for the newAdminId and newAdminGroupId parameters.

            This task verifies the user against a running server instance.

            If the server is stopped, add the -Dskip.ldap.validation=true parameter to the task to skip the validation.

          • Verify that the task completed successfully.

            In a clustered environment, restart the deployment manager, the node agent(s), server1, and WebSphere_Portal servers. In a standalone environment, restart the server1 and WebSphere_Portal servers.

          • Run...

              ConfigEngine.sh wp-change-portal-admin-user -DWasPassword=password -DnewAdminId=newadminid -DnewAdminPw=newpassword -DnewAdminGroupId=newadmingroup

            ...to replace the old WebSphere Portal administrative user with the new user.

            Provide the full distinguished name for the newAdminId and newAdminGroupId parameters.

            This task verifies the user against a running server instance.

            If the server is stopped, add the -Dskip.ldap.validation=true parameter to the task to skip the validation.

          • Verify that the task completed successfully.

            In a clustered environment, restart the deployment manager, the node agent(s), server1, and WebSphere_Portal servers. In a standalone environment, restart the server1 and WebSphere_Portal servers.

      • Optional: Set the realm created as the default realm:

        Only users defined in base entries that exist in the default realm are able to log in to WebSphere Portal. For users that cannot log in to WebSphere Portal, verify that the base entry that contains the user exists in the default realm. To see which base entries are part of the default realm, run the task wp-query-realm-baseentry. If the default realm is missing the base entry, run wp-add-realm-baseentry.

        1. Edit...

            profile_root/ConfigEngine/properties/wkplc.properties

        2. For defaultRealmName, type the realmName to use as the default.

        3. Save changes to wkplc.properties.

        4. Run...

            ConfigEngine.sh wp-default-realm -DWasPassword=password task, from...

              profile_root/ConfigEngine

            ...to set this realm as the default realm.

          • Cycle all necessary servers to propagate changes.

      • Query a realm for a list of base entries:

        1. Edit...

            profile_root/ConfigEngine/properties/wkplc.properties

        2. For realmName, set the name of the realm to query.

        3. Save changes to wkplc.properties.

        4. Run...

            ConfigEngine.sh wp-query-realm-baseentry -DWasPassword=password task, from...

              profile_root/ConfigEngine

            ...to list the base entries for a specific realm.

      • Enable the full distinguished name login if the short names are not unique for the realm:

        1. Edit...

            profile_root/ConfigEngine/properties/wkplc.properties

        2. Enter a value for realmName or leave blank to update the default realm.

        3. Save changes to wkplc.properties.

        4. Run...

            ConfigEngine.sh wp-modify-realm-enable-dn-login -DWasPassword=password task, located in profile_root/ConfigEngine, to enable the distinguished name login.

            After running this task to enable the full distinguished name login, you can run...

              ConfigEngine.sh wp-modify-realm-disable-dn-login -DWasPassword=password task to disable the feature.

            • Cycle all necessary servers to propagate changes.

If you performed these steps after creating the clustered environment, run enable-jcr-security on the secondary node.
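
Two checks from the procedure above lend themselves to a script: that base entry names are unique within the federated repository, and that a user who cannot log in sits under a base entry of the default realm. The following is an added example, not IBM tooling or part of the original page; the function names are hypothetical, the DNs are constructed samples, and it assumes you have collected the base entries one per line.

```shell
#!/bin/sh
# Added example: DN checks for realm base entries (sample DNs are constructed).

# normalize_dn DN: lower-case the DN and strip spaces around ',' and '=' so
# that "O=RealmA, DC=example" and "o=realma,dc=example" compare equal.
# Assumptions: attribute values match case-insensitively; escaped commas (\,)
# inside RDN values are not handled.
normalize_dn() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' |
        sed -e 's/[[:space:]]*\([,=]\)[[:space:]]*/\1/g' \
            -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# duplicate_base_entries: read one base entry DN per line on stdin and print
# each normalized DN that occurs more than once (no output means all unique).
duplicate_base_entries() {
    while IFS= read -r dn; do
        if [ -n "$dn" ]; then normalize_dn "$dn"; fi
    done | sort | uniq -d
}

# user_in_realm USER_DN: read the realm's base entries on stdin; return 0 if
# the user DN equals a base entry or lies below one. The match is anchored on
# an RDN boundary (a comma), so "o=notrealmb,..." does not match "o=realmb,...".
user_in_realm() {
    user=$(normalize_dn "$1")
    while IFS= read -r base; do
        [ -n "$base" ] || continue
        base=$(normalize_dn "$base")
        case "$user" in
            "$base" | *,"$base") return 0 ;;
        esac
    done
    return 1
}

# Constructed sample: the first two entries differ only in case and spacing.
SAMPLE_BASES='o=realmA,dc=example,dc=com
O=RealmA, DC=example, DC=com
o=realmB,dc=example,dc=com'

dups=$(printf '%s\n' "$SAMPLE_BASES" | duplicate_base_entries)
[ -z "$dups" ] || echo "duplicate base entries: $dups"
```
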
