Enable step-up authentication and/or the Remember me cookie

Step-up authentication provides authentication levels for pages and portlets. The Remember me cookie is an encrypted HTTP cookie that lets you present personalized portlets and pages in a public area without asking the user to authenticate manually. Together, these two features allow remembered users to view anonymous pages and portlets with a standard or identified authentication level. By providing a valid Remember me cookie, a user can also be allowed to access protected pages and portlets that require the identified authentication level. If the authentication level is set to authenticated, the user must provide a user ID and password to view the page or portlet.

Before you enable either feature, log on to the admin console and navigate to Security > Secure administration, applications, and infrastructure > Web security > Single sign-on (SSO). Verify that both Interoperability Mode and Web inbound security attribute propagation are enabled.

For IBM WAS 7.0, navigate to Security > Global security > Web and SIP security > Single sign-on (SSO).


The Remember me cookie does not extend the Portal Personalization feature to the public area because a user identified by the Remember me cookie in a public area is still considered anonymous from an access control point of view.

Step-up authentication is not supported by the Web Content authoring portlet or when delivering content using a local or remote Web Content Viewer portlet.

Step-up authentication requires the LtpaToken2 for single sign-on; see Implementing single sign-on to minimize Web user authentications for details.

  1. Choose one of the following configuration options:

    Option: Enable both step-up authentication and the Remember me cookie

    This option creates the standard, identified, and authenticated authentication levels.

    1. Edit...

        profile_root/ConfigEngine/properties/wkplc.properties

    2. Set enable_rememberme to true in the 'Step-up Authentication and Remember Me Config' properties section.

    3. Save changes to wkplc.properties.

    4. Run...

        ConfigEngine.bat enable-stepup-authentication -DWasUserid=wasuser -DWasPassword=password -Dsua_user=user_name -Dsua_serversecret_password=password

      ...from the profile_root/ConfigEngine directory.

    You can define the sua_user and sua_serversecret_password parameters either in wkplc.properties or on the command line. Values entered on the command line will overwrite values in wkplc.properties.

    Option: Enable only step-up authentication

    This option creates the standard and authenticated authentication levels.

    1. Edit...

        profile_root/ConfigEngine/properties/wkplc.properties

    2. Set enable_rememberme to false in the 'Step-up Authentication and Remember Me Config' properties section.

    3. Save changes to wkplc.properties.

    4. Run...

        ConfigEngine.bat enable-stepup-authentication -DWasUserid=wasuser -DWasPassword=password

      ...from the profile_root/ConfigEngine directory.

    Option: Enable only the Remember me cookie

    Run...

        ConfigEngine.bat enable-rememberme -DWasUserid=wasuser -DWasPassword=password -Dsua_user=user_name -Dsua_serversecret_password=password

      ...from the profile_root/ConfigEngine directory.

    You can define the sua_user and sua_serversecret_password parameters either in wkplc.properties or on the command line. Values entered on the command line will overwrite values in wkplc.properties.

  2. Check the output for any error messages before proceeding with any additional tasks. If any of the configuration tasks fail, verify the values in wkplc.properties.

  3. Propagate the security changes:

    Option: Standalone

    1. cd profile_root/bin
      stopServer.bat server1 -username admin_userid -password admin_password

    2. cd profile_root/bin
      stopServer.bat WebSphere_Portal -username admin_userid -password admin_password

    3. cd profile_root/bin
      startServer.bat server1

    4. cd profile_root/bin
      startServer.bat WebSphere_Portal

    Option: Cluster

    1. cd dmgr_profile/bin
      stopManager.bat -username admin_userid -password admin_password

    2. cd profile_root/bin
      stopNode.bat -username admin_userid -password admin_password

    3. cd profile_root/bin
      stopServer.bat WebSphere_Portal -username admin_userid -password admin_password

    4. cd dmgr_profile/bin
      startManager.bat

    5. cd profile_root/bin
      startNode.bat

    6. cd profile_root/bin
      startServer.bat WebSphere_Portal

  4. Optional: Create the identified authentication level:

    See the "Step-up authentication properties" file.

    1. From the admin console, click Resources > Resource Environment > Resource Environment Providers.

    2. Click WP StepUpConfigService in the table.

    3. Click Custom Properties under Additional Properties.

    4. Click the value for the sua.authLevel.enable property.

    5. Add identified to the Value field so that you have the following: authenticated, identified.

    6. Click Apply.

    7. Click the Save link in the Messages box.

    8. Click Save.

  5. Propagate the security changes:

    Option: Standalone

      cd profile_root/bin
      ./stopServer.sh server1 -username admin_userid -password admin_password
      ./stopServer.sh WebSphere_Portal -username admin_userid -password admin_password
      ./startServer.sh server1
      ./startServer.sh WebSphere_Portal

    Option: Cluster

      cd dmgr_profile/bin
      ./stopManager.sh -username admin_userid -password admin_password
      cd profile_root/bin
      ./stopNode.sh -username admin_userid -password admin_password
      ./stopServer.sh WebSphere_Portal -username admin_userid -password admin_password
      cd dmgr_profile/bin
      ./startManager.sh
      cd profile_root/bin
      ./startNode.sh
      ./startServer.sh WebSphere_Portal

  6. To change the authentication level on a page or portlet:

    1. Click Administration.

    2. Click Resource Permissions under Access.

    3. Click either the Pages link or the Portlets link.

    4. Locate the page or portlet you want to change and click the Authentication Level link.

    5. Choose one of the following levels:

      The following Authentication Levels are provided out-of-the-box. If you customized your step-up authentication, you may have different levels.

      Standard

      Set the Authentication Level to Standard if you want anonymous and identified users to view the page or portlet. The Standard level has the following two states based on the access control setting for the page or portlet:

      • If anonymous users have access to the page or portlet, no authentication is required.

      • If only authenticated users have access to the page or portlet, authentication is required.

      Identified (if enabled)

      Set the Authentication Level to Identified if you want anonymous users to be prompted to log in, while identified users (those presenting a valid Remember me cookie) can view the page or portlet.

      Authenticated

      Set the Authentication Level to Authenticated if you want both anonymous and identified users to log in before they can view the page or portlet.
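The following is an added example, not IBM's code and not part of this page. It models two checks from the procedure above so that they can be reviewed before a production portal is touched: first, the merge of wkplc.properties with the -D command-line parameters from step 1 (the values step 2 tells you to verify when a ConfigEngine task fails); second, the Authentication Level rules of step 6, so the effect of changing a page's level on anonymous, remembered (Remember me cookie) and fully authenticated users can be tabulated offline. The property and parameter names (enable_rememberme, sua_user, sua_serversecret_password, WasUserid, WasPassword, sua.authLevel.enable) come from this page; the merge semantics, the option names "both"/"stepup_only"/"rememberme_only" and the decision table are my reading of the page text, not an official specification, and the sample properties text is constructed.

```python
from enum import Enum


def parse_properties(text):
    """Minimal Java .properties reader: key=value pairs, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def preflight(option, props, overrides):
    """Pick the ConfigEngine task for `option` and list problems to fix first.

    option:    "both", "stepup_only" or "rememberme_only" (hypothetical names
               for the three rows of the option table in step 1).
    props:     dict from parse_properties(wkplc.properties).
    overrides: dict of -Dname=value arguments; the page says these win over
               the file, so they are merged on top.
    Returns (task_name, problems); an empty problem list means go ahead.
    """
    task = {"both": "enable-stepup-authentication",
            "stepup_only": "enable-stepup-authentication",
            "rememberme_only": "enable-rememberme"}[option]
    merged = {**props, **overrides}          # command line overwrites file
    required = ["WasUserid", "WasPassword"]
    if option != "stepup_only":              # Remember me needs the server secret
        required += ["sua_user", "sua_serversecret_password"]
    problems = [f"missing {k}" for k in required if not merged.get(k)]
    if option != "rememberme_only":
        # enable-stepup-authentication reads enable_rememberme from the file,
        # so the file must agree with the option chosen (assumed behaviour).
        expected = "true" if option == "both" else "false"
        actual = props.get("enable_rememberme", "").lower()
        if actual != expected:
            problems.append(f"enable_rememberme is {actual!r}, expected {expected!r}")
    return task, problems


class Level(Enum):
    STANDARD = "standard"
    IDENTIFIED = "identified"
    AUTHENTICATED = "authenticated"


class Visitor(Enum):
    ANONYMOUS = "anonymous"          # no session, no Remember me cookie
    IDENTIFIED = "identified"        # valid Remember me cookie only
    AUTHENTICATED = "authenticated"  # logged in with user ID and password


def enabled_levels(auth_level_enable_value):
    """Levels from the sua.authLevel.enable custom property (step 4), e.g.
    'authenticated, identified'. Standard is always available."""
    names = {n.strip().lower() for n in auth_level_enable_value.split(",") if n.strip()}
    return {Level.STANDARD} | {Level(n) for n in names}


def can_view(level, visitor, anonymous_allowed, levels):
    """True if the visitor sees the page, False if a login is required.

    anonymous_allowed: the page's access-control setting (anonymous users
    have access). levels: result of enabled_levels().
    """
    if level not in levels:
        raise ValueError(f"{level.value} level is not enabled on this portal")
    if visitor is Visitor.AUTHENTICATED:
        return True                        # a real login satisfies every level
    if level is Level.AUTHENTICATED:
        return False                       # user ID and password required
    if level is Level.IDENTIFIED:
        return visitor is Visitor.IDENTIFIED  # cookie suffices, even on protected pages
    # Standard: a remembered user is still anonymous for access control,
    # so only the page's access-control setting decides.
    return anonymous_allowed


if __name__ == "__main__":
    # Constructed sample of the relevant wkplc.properties section.
    sample = "# Step-up Authentication and Remember Me Config\nenable_rememberme=true\nsua_user=wpsadmin\n"
    print(preflight("both", parse_properties(sample),
                    {"WasUserid": "wasuser", "WasPassword": "secret"}))
    lv = enabled_levels("authenticated, identified")
    for level in Level:
        for visitor in Visitor:
            for anon in (True, False):
                print(level.value, visitor.value, "anonymous-page" if anon else "protected",
                      "view" if can_view(level, visitor, anon, lv) else "login")
```

Running the block prints the missing-parameter report for the sample file (the server secret was left out on purpose) and the full view/login matrix; the matrix is the quickest way to confirm that a Standard level on a protected page still forces remembered users to log in, which is the point of the note that a Remember me user is anonymous from the access-control perspective.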



Related reference


Step-up authentication properties
Remember me properties