Windows stand-alone: Add realm support
A realm is a group of users from one or more user registries that form a coherent group within WebSphere Portal. Realms allow flexible user management with various configuration options. A realm must be mapped to a Virtual Portal to allow the defined users to log in to that Virtual Portal. To create multiple realms, repeat the steps below for each base entry that exists in the LDAP and/or database user registry.
Before configuring realm support, add all LDAP user registries and/or database user registries that you will use to create a single realm or multiple realms to the federated repository. If you are going to create multiple realms, create all required base entries within the LDAP user registries and/or database user registries. All base entry names must be unique within the federated repository.
In single server environments, you do not have to start or stop the WebSphere_Portal and server1 servers to complete the following steps. In clustered environments, stop all application servers on the system, including WebSphere_Portal, then start the nodeagent and dmgr servers before you begin any of the following steps.
Add realm support to the user registry model:
- Prior to configuring security, use the IBM WAS backupConfig task to create and store a backup of the portal configuration; see backupConfig command for information.
- Edit WP_PROFILE/ConfigEngine/properties/wkplc.properties
- Required: Enter a value under the VMM realm configuration heading:
realmName
securityUse
delimiter
addBaseEntry
- Save changes to wkplc.properties.
- Run the ConfigEngine.bat wp-create-realm -DWasPassword=foo task from the WP_PROFILE/ConfigEngine directory to add a new realm to the Virtual Member Manager configuration.
To create multiple realms, ensure that the federated repository contains the required unique base entries. Stop and restart the appropriate servers for your installation environment, then update wkplc.properties with the information for the next base entry and rerun the wp-create-realm task. Repeat these steps until all realms are created.
- Stop and restart the appropriate servers to propagate the changes.
- Enter a value under the VMM realm configuration heading and then save changes:
realmName
realm.personAccountParent
realm.groupParent
realm.orgContainerParent
- Run the ConfigEngine.bat wp-modify-realm-defaultparents -DWasPassword=foo task from the WP_PROFILE/ConfigEngine directory to update the default parents per entity type and realm.
Important: Stop and restart the appropriate servers for your installation environment before rerunning this task for any additional entity types and realms.
- Stop and restart the appropriate servers to propagate the changes.
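The realm creation steps above and the default-parents steps both follow the same pattern: set a handful of keys in wkplc.properties, run one ConfigEngine task, check that it succeeded, then restart. The following PowerShell script is an added example, not IBM's code or part of the product. It assumes that WP_PROFILE is set in the environment, that ConfigEngine.bat returns a non-zero exit code when a task ends in BUILD FAILED (if your version does not, inspect ConfigEngine/log/ConfigTrace.log instead), and that the realm name, base entry DN, parent DNs, and the securityUse and delimiter values are constructed placeholders to be replaced with values that match the comments in your own wkplc.properties.

```powershell
# Added example, not part of the IBM documentation or product.
# Assumes $env:WP_PROFILE points at the portal profile; all realm and DN values
# below are constructed placeholders.
$WpProfile    = $env:WP_PROFILE
$PropsFile    = Join-Path $WpProfile 'ConfigEngine\properties\wkplc.properties'
$ConfigEngine = Join-Path $WpProfile 'ConfigEngine\ConfigEngine.bat'

function Set-WkplcProperty {
    # Replace (or append) key=value pairs in wkplc.properties, keeping every other line.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$Values
    )
    # backupConfig covers the WAS configuration; wkplc.properties is a plain file, so keep a copy too.
    Copy-Item -Path $Path -Destination "$Path.$(Get-Date -Format 'yyyyMMddHHmmss').bak"

    $seen = @{}
    $out = @(foreach ($line in (Get-Content -Path $Path)) {
        $replaced = $false
        foreach ($key in $Values.Keys) {
            # Only an active (uncommented) "key=value" line counts; keys contain dots, so escape them.
            if ($line -match ('^\s*' + [regex]::Escape($key) + '\s*=')) {
                if (-not $seen[$key]) { "$key=$($Values[$key])"; $seen[$key] = $true }
                # A second active definition of the same key is dropped, not duplicated.
                $replaced = $true
                break
            }
        }
        if (-not $replaced) { $line }
    })
    # Keys the file did not contain at all are appended.
    foreach ($key in $Values.Keys) {
        if (-not $seen[$key]) { $out += "$key=$($Values[$key])" }
    }
    # Java reads .properties files as ISO-8859-1; keep values ASCII or \uXXXX-escaped.
    Set-Content -Path $Path -Value $out
}

function Invoke-ConfigEngineTask {
    # Run a wp-* task from WP_PROFILE\ConfigEngine and stop on failure.
    param(
        [Parameter(Mandatory)][string]$Task,
        [Parameter(Mandatory)][string]$WasPassword,
        [string[]]$ExtraArgs = @()
    )
    Push-Location -Path (Split-Path -Path $ConfigEngine -Parent)
    try {
        & $ConfigEngine $Task "-DWasPassword=$WasPassword" @ExtraArgs
        # Assumption: ConfigEngine.bat returns non-zero on BUILD FAILED.
        if ($LASTEXITCODE -ne 0) {
            throw "$Task failed (exit code $LASTEXITCODE); see ConfigEngine\log\ConfigTrace.log"
        }
    }
    finally { Pop-Location }
}

# Prompt for the password instead of hard-coding it in the script. It is still visible
# in the child process command line, exactly as with a manual -DWasPassword=... call.
$secure = Read-Host -Prompt 'WAS admin password' -AsSecureString
$wasPw  = (New-Object pscredential ('wasadmin', $secure)).GetNetworkCredential().Password

# 1. Create the realm (wp-create-realm) from one base entry.
Set-WkplcProperty -Path $PropsFile -Values @{
    realmName    = 'exampleRealm'        # constructed
    securityUse  = 'active'              # check the allowed values in your wkplc.properties
    delimiter    = '/'
    addBaseEntry = 'dc=example,dc=com'   # constructed base entry DN
}
Invoke-ConfigEngineTask -Task 'wp-create-realm' -WasPassword $wasPw
# Restart the servers here. To create further realms, repeat step 1 with another
# unique base entry and realm name before moving on.

# 2. Default parents per entity type for the realm (wp-modify-realm-defaultparents).
Set-WkplcProperty -Path $PropsFile -Values @{
    realmName                   = 'exampleRealm'
    'realm.personAccountParent' = 'cn=users,dc=example,dc=com'    # constructed
    'realm.groupParent'         = 'cn=groups,dc=example,dc=com'   # constructed
    'realm.orgContainerParent'  = 'dc=example,dc=com'             # constructed
}
Invoke-ConfigEngineTask -Task 'wp-modify-realm-defaultparents' -WasPassword $wasPw
```

The same two functions serve the later property-driven tasks on this page (wp-add-realm-baseentry, wp-default-realm, wp-query-realm-baseentry, and the DN login tasks): set the keys the step names, call the task, restart. The exit-code check is what turns "verify that the task completed successfully" into something a script can act on, so a failed realm change is not followed by a server restart that leaves users unable to log in.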
- Optional. Add additional base entries to the realm configuration. For example, if you had two additional base entries (base entry 1 and base entry 2) to add to the realm you just created, you would update wkplc.properties with the information for base entry 1 and run this task, then update the properties file with the information for base entry 2 and run this task again:
- Edit WP_PROFILE/ConfigEngine/properties/wkplc.properties
- Enter a value under the VMM realm configuration heading:
realmName
addBaseEntry
- Save changes to wkplc.properties.
- Run the ConfigEngine.bat wp-add-realm-baseentry -DWasPassword=foo task from the WP_PROFILE/ConfigEngine directory to add additional LDAP base entries to the realm configuration.
- Stop and restart all necessary servers to propagate changes.
- Optional. Replace the WAS and WebSphere Portal administrator user IDs; this step is required if you change the default realm:
- Create a new user in the Manage Users and Groups portlet to replace the current WAS administrative user.
- Create a new user in the Manage Users and Groups portlet to replace the current WebSphere Portal administrative user.
- Create a new group in the Manage Users and Groups portlet to replace the current group.
- Run the ConfigEngine.bat wp-change-was-admin-user -DWasPassword=foo -DnewAdminId=newadminid -DnewAdminPw=newpassword -DnewAdminGroupId=newadmingroupid task from the WP_PROFILE/ConfigEngine directory to replace the old WAS administrative user ID and group ID with the new user and group.
You must provide the full distinguished name (DN) for the newAdminId and newAdminGroupId parameters. Additional parameter for stopped servers: this task verifies the user against a running server instance. If the server is stopped, add the -Dskip.ldap.validation=true parameter to the task to skip the validation.
- Verify that the task completed successfully. In a clustered environment, restart the dmgr, the node agent(s), and WebSphere_Portal servers. In a standalone environment, restart the server1 and WebSphere_Portal servers.
- Run the ConfigEngine.bat wp-change-portal-admin-user -DWasPassword=foo -DnewAdminId=newadminid -DnewAdminPw=newpassword -DnewAdminGroupId=newadmingroupid task to replace the old WebSphere Portal administrative user ID and group ID with the new user and group.
You must provide the full distinguished name (DN) for the newAdminId and newAdminGroupId parameters.
Additional parameter for stopped servers: This task verifies the user against a running server instance. If the server is stopped, add the -Dskip.ldap.validation=true parameter to the task to skip the validation.
- Verify that the task completed successfully. In a clustered environment, restart the dmgr, the node agent(s), and WebSphere_Portal servers. In a standalone environment, restart the server1 and WebSphere_Portal servers.
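The two administrator replacement tasks above share the same failure modes: a short name passed where a full DN is required, and validation skipped against a server that is actually running, which lets a mistyped DN through until nobody can log in as administrator. The following PowerShell is an added example, not IBM's code: it assumes WP_PROFILE is set in the environment and that ConfigEngine.bat returns a non-zero exit code on BUILD FAILED; the user, group and DN values in the usage section are constructed placeholders, and the DN check is a loose shape check of this example's own making (it does not handle escaped commas inside RDN values).

```powershell
# Added example, not part of the IBM documentation or product.
# Assumes $env:WP_PROFILE is set; DNs in the usage section are constructed placeholders.
$ConfigEngine = Join-Path $env:WP_PROFILE 'ConfigEngine\ConfigEngine.bat'

function Test-DistinguishedName {
    # Loose shape check for a full DN (attr=value RDNs separated by commas), to catch
    # the common mistake of passing a short name where newAdminId/newAdminGroupId need a DN.
    # Escaped commas inside values ("\,") are not handled by this check.
    param([Parameter(Mandatory)][string]$Dn)
    return $Dn -match '^\s*[A-Za-z][A-Za-z0-9-]*=[^,]+(,\s*[A-Za-z][A-Za-z0-9-]*=[^,]+)*\s*$'
}

function Invoke-AdminUserChange {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('wp-change-was-admin-user', 'wp-change-portal-admin-user')]
        [string]$Task,
        [Parameter(Mandatory)][string]$NewAdminDn,
        [Parameter(Mandatory)][string]$NewAdminGroupDn,
        [Parameter(Mandatory)][pscredential]$WasCredential,       # current WAS admin password
        [Parameter(Mandatory)][pscredential]$NewAdminCredential,  # password of the new admin user
        [switch]$ServerStopped
    )
    foreach ($dn in @($NewAdminDn, $NewAdminGroupDn)) {
        if (-not (Test-DistinguishedName -Dn $dn)) {
            throw "'$dn' is not a full distinguished name; the task requires one"
        }
    }
    $taskArgs = @(
        $Task
        "-DWasPassword=$($WasCredential.GetNetworkCredential().Password)"
        "-DnewAdminId=$NewAdminDn"
        "-DnewAdminPw=$($NewAdminCredential.GetNetworkCredential().Password)"
        "-DnewAdminGroupId=$NewAdminGroupDn"
    )
    # The task validates the new user against a running server. Skip that only when
    # the server really is down; otherwise a wrong DN is accepted unchecked.
    if ($ServerStopped) { $taskArgs += '-Dskip.ldap.validation=true' }

    Push-Location -Path (Split-Path -Path $ConfigEngine -Parent)
    try {
        # PowerShell quotes any argument containing spaces, so DNs such as
        # "cn=Portal Admin,..." reach ConfigEngine.bat as a single argument.
        & $ConfigEngine @taskArgs
        if ($LASTEXITCODE -ne 0) {   # assumption: non-zero on BUILD FAILED
            throw "$Task failed (exit code $LASTEXITCODE); see ConfigEngine\log\ConfigTrace.log"
        }
    }
    finally { Pop-Location }
}

# Usage: run once per task, restarting the servers between them as the steps require.
# Passwords are prompted for rather than written into the script.
$wasCred = Get-Credential -UserName 'wasadmin' -Message 'Current WAS administrator password'
$newCred = Get-Credential -UserName 'newadmin' -Message 'Password of the new administrator'
$params = @{
    NewAdminDn         = 'uid=newadmin,cn=users,dc=example,dc=com'        # constructed
    NewAdminGroupDn    = 'cn=newadmingroup,cn=groups,dc=example,dc=com'   # constructed
    WasCredential      = $wasCred
    NewAdminCredential = $newCred
}
Invoke-AdminUserChange -Task 'wp-change-was-admin-user' @params
# Stand-alone: restart server1 and WebSphere_Portal here (clustered: dmgr, node agents,
# WebSphere_Portal), verify the task succeeded, then run the second task.
Invoke-AdminUserChange -Task 'wp-change-portal-admin-user' @params
```

Pass -ServerStopped only when you have actually stopped the server: the flag exists so the task can run without a live validation target, not as a way around a validation failure. As with every -DWasPassword=... invocation on this page, both passwords appear in the command line of the child process, so run this from an administrative session and clear the shell history afterwards.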
- Optional. To set the realm you created as the default realm:
Only users defined in base entries that exist in the default realm are able to log in to WebSphere Portal. If you find that a user cannot log in to WebSphere Portal, check whether the base entry that contains the user exists in the default realm. You can run the wp-query-realm-baseentry task to see which base entries are part of the default realm. If the default realm is missing the base entry, run the wp-add-realm-baseentry task to add the base entry to the default realm.
- Edit WP_PROFILE/ConfigEngine/properties/wkplc.properties
- For defaultRealmName, type the realmName property value you want to use as the default realm.
- Save changes to wkplc.properties.
- Run the ConfigEngine.bat wp-default-realm -DWasPassword=foo task from the WP_PROFILE/ConfigEngine directory to set this realm as the default realm.
- Stop and restart all necessary servers to propagate changes.
- Optional. To query a realm for a list of its base entries:
- Edit WP_PROFILE/ConfigEngine/properties/wkplc.properties
- For realmName, type the name of the realm you want to query.
- Save changes to wkplc.properties.
- Run the ConfigEngine.bat wp-query-realm-baseentry -DWasPassword=foo task from the WP_PROFILE/ConfigEngine directory to list the base entries for a specific realm.
- Optional. To enable the full distinguished name login if the short names are not unique for the realm:
- Edit WP_PROFILE/ConfigEngine/properties/wkplc.properties
- Enter a value for realmName or leave blank to update the default realm.
- Save changes to wkplc.properties.
- Run the ConfigEngine.bat wp-modify-realm-enable-dn-login -DWasPassword=foo task from the WP_PROFILE/ConfigEngine directory to enable the distinguished name login.
After running this task to enable the full distinguished name login, you can run the ConfigEngine.bat wp-modify-realm-disable-dn-login -DWasPassword=foo task to disable the feature again.
- Stop and restart all necessary servers to propagate changes.