Enable step-up authentication and/or the Remember me cookie


Step-up authentication provides authentication levels for pages and portlets.

The Remember me cookie is an encrypted HTTP cookie that presents personalized portlets and pages in a public area without asking the user to manually authenticate.

Together, these two features allow remembered users to view anonymous pages and portlets with a standard or identified authentication level. By providing a valid Remember me cookie, a user can also be allowed to access protected pages and portlets that require the identified authentication level. If the authentication level is set to authenticated, the user will have to provide a user ID and password to view the page or portlet.

Log on to the admin console and navigate to...

Verify that both Interoperability Mode and Web inbound security attribute propagation are enabled.

For IBM WAS 7.0, navigate to...


The Remember me cookie does not extend the Portal Personalization feature to the public area because a user identified by the Remember me cookie in a public area is still considered anonymous from an access control point of view.

Step-up authentication is not supported by the Web Content authoring portlet or when delivering content using a local or remote Web Content Viewer portlet.

Step-up authentication requires the LtpaToken2 for single sign-on.

  1. Choose one of the following configuration options:

    Option: Enable both step-up authentication and the Remember me cookie

    This option creates the standard, identified, and authenticated authentication levels.

    1. Edit...

        profile_root/ConfigEngine/properties/wkplc.properties

    2. Set enable_rememberme to true in the 'Step-up Authentication and Remember Me Config' properties section.

    3. Save changes to wkplc.properties.

    4. Run...

        cd profile_root/ConfigEngine
        ./ConfigEngine.sh enable-stepup-authentication -DWasUserid=wasuser -DWasPassword=password -Dsua_user=user_name -Dsua_serversecret_password=password

    You can define the sua_user and sua_serversecret_password parameters either in wkplc.properties or on the command line.

    Option: Enable only step-up authentication

    This option creates the standard and authenticated authentication levels.

    1. Edit...

        profile_root/ConfigEngine/properties/wkplc.properties

    2. Set enable_rememberme to false in the 'Step-up Authentication and Remember Me Config' properties section.

    3. Save changes to wkplc.properties.

    4. Run...

        cd profile_root/ConfigEngine
        ./ConfigEngine.sh enable-stepup-authentication -DWasUserid=wasuser -DWasPassword=password

    Option: Enable only the Remember me cookie

    Run...

      cd profile_root/ConfigEngine
      ./ConfigEngine.sh enable-rememberme -DWasUserid=wasuser -DWasPassword=password -Dsua_user=user_name -Dsua_serversecret_password=password

    You can define the sua_user and sua_serversecret_password parameters either in wkplc.properties or on the command line. Values entered on the command line override the values in wkplc.properties.

  2. Check the output for any error messages before proceeding with any additional tasks. If any of the configuration tasks fail, verify the values in wkplc.properties.

  3. Propagate the security changes:

    Option: Standalone environment

      cd profile_root/bin
      ./stopServer.sh server1 -username admin_userid -password admin_password
      ./stopServer.sh WebSphere_Portal -username admin_userid -password admin_password
      ./startServer.sh server1
      ./startServer.sh WebSphere_Portal

    Option: Clustered environment

      cd dmgr_profile_root/bin
      ./stopManager.sh -username admin_userid -password admin_password
      cd profile_root/bin
      ./stopNode.sh -username admin_userid -password admin_password
      ./stopServer.sh WebSphere_Portal -username admin_userid -password admin_password
      cd dmgr_profile_root/bin
      ./startManager.sh
      cd profile_root/bin
      ./startNode.sh
      ./startServer.sh WebSphere_Portal

  4. Optional: Create the identified authentication level:

    See the "Step-up authentication properties" file.

    1. From the admin console, click...

    2. Click WP StepUpConfigService in the table.

    3. Click Custom Properties under Additional Properties.

    4. Click the value for the sua.authLevel.enable property.

    5. Add identified to the Value field so that you have the following: authenticated, identified.

    6. Click Apply.

    7. Click the Save link in the Messages box.

    8. Click Save.

  5. Propagate the security changes:

    Option: Standalone environment

      cd profile_root/bin
      ./stopServer.sh server1 -username admin_userid -password admin_password
      ./stopServer.sh WebSphere_Portal -username admin_userid -password admin_password
      ./startServer.sh server1
      ./startServer.sh WebSphere_Portal

    Option: Clustered environment

      cd dmgr_profile_root/bin
      ./stopManager.sh -username admin_userid -password admin_password
      cd profile_root/bin
      ./stopNode.sh -username admin_userid -password admin_password
      ./stopServer.sh WebSphere_Portal -username admin_userid -password admin_password
      cd dmgr_profile_root/bin
      ./startManager.sh
      cd profile_root/bin
      ./startNode.sh
      ./startServer.sh WebSphere_Portal

  6. To change the authentication level on a page or portlet:

    1. Click...

        Administration | Access | Resource Permissions | [Pages | Portlets]

    2. Locate the page or portlet you want to change and click the Authentication Level link.

    3. Choose one of the following levels:

        The following Authentication Levels are provided out-of-the-box. If you customized your step-up authentication, you may have different levels.

        Standard

        Set the Authentication Level to Standard if you want anonymous and identified users to view the page or portlet. The Standard level has the following two states based on the access control setting for the page or portlet:

        • If anonymous users have access to the page or portlet, no authentication is required.

        • If only authenticated users have access to the page or portlet, authentication is required.

        Identified (if enabled)

        Set the Authentication Level to Identified if you want anonymous users to log in and identified users to view the page or portlet without logging in.

        Authenticated

        Set the Authentication Level to Authenticated if you want both anonymous and identified users to log in with a user ID and password to view the page or portlet.
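As an added example (not WebSphere Portal code), the following Python models the access decision the three levels imply for an anonymous user, a user holding only a valid Remember me cookie, and a fully logged-in user; it also parses a sua.authLevel.enable value such as "authenticated, identified" from step 4, so a request against a level that was never enabled is rejected. The Level, User and Resource names and the sample resources are constructed for this illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Level(str, Enum):
    STANDARD = "standard"
    IDENTIFIED = "identified"
    AUTHENTICATED = "authenticated"


class User(str, Enum):
    ANONYMOUS = "anonymous"          # no session and no Remember me cookie
    REMEMBERED = "remembered"        # valid Remember me cookie, not logged in
    AUTHENTICATED = "authenticated"  # supplied user ID and password


@dataclass(frozen=True)
class Resource:
    name: str               # constructed label for a page or portlet
    level: Level            # its configured Authentication Level
    anonymous_access: bool  # access control: may anonymous users view it?


def enabled_levels(sua_auth_level_enable: str) -> set[Level]:
    """Parse the sua.authLevel.enable value, e.g. 'authenticated, identified'.

    Standard is always available; the property lists only the extra levels
    (this parsing is an assumption about the property's format).
    """
    extra = {Level(v.strip().lower())
             for v in sua_auth_level_enable.split(",") if v.strip()}
    return {Level.STANDARD} | extra


def decide(resource: Resource, user: User, levels: set[Level]) -> str:
    """Return 'allow' or 'login' for one request, following the page's rules."""
    if resource.level not in levels:
        raise ValueError(f"level {resource.level.value!r} is not enabled")
    if user is User.AUTHENTICATED:
        return "allow"  # a full login satisfies every level
    if resource.level is Level.AUTHENTICATED:
        return "login"  # anonymous and remembered users must both log in
    if resource.level is Level.IDENTIFIED:
        return "allow" if user is User.REMEMBERED else "login"
    # Standard: a remembered user is still anonymous for access control,
    # so only the resource's access control setting decides the outcome.
    return "allow" if resource.anonymous_access else "login"
```

The model deliberately covers only the two Standard-level states the page describes; real access control decisions for logged-in users (deny versus allow) are outside it.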


Parent topic:

Secure environment on AIX


Related reference


Step-up authentication properties
Remember me properties