Configure a stand-alone LDAP user registry over SSL on AIX in a clustered environment
Configure IBM WebSphere Portal to use a standalone LDAP user registry over SSL to store all user account information for secure authorization. In a clustered environment, start the dmgr and nodeagent and verify that they are able to synchronize.
Configure a standalone LDAP user registry over SSL
The helper files under WP_PROFILE/ConfigEngine/config/helpers/wp_security_xxx.properties list the properties required for each registry type; use the appropriate one to make sure every required property is set.
- Run backupConfig.sh
- Retrieve the SSL certificate from the port:
- Log in to the WAS admin console.
- Go to...
Security | SSL certificate and key management | SSL configurations
- Click the appropriate SSL configuration from the list; for example...
CellDefaultSSLSettings
Clustered environments: Make sure the SSL configuration used for outbound connections matches the SSL configuration selected here.
- Click Key stores and certificates.
- Click the appropriate truststore from the list; for example...
CellDefaultSSLSettings
- Click...
Signer certificates | Retrieve from port
...and then enter the following information:
- Host name used when attempting to retrieve the signer certificate from the SSL port.
- SSL Port used when attempting to retrieve the signer certificate.
- Alias the key store uses for the signer certificate.
- Click Retrieve signer information to retrieve the certificate from the port.
- Click OK and then click Save to save the changes to the master configuration.
- Edit wkplc.properties
- Set parameters under the Standalone security heading:
- standalone.ldap.id
- standalone.ldap.host
- standalone.ldap.port
- standalone.ldap.bindDN
- standalone.ldap.bindPassword
- standalone.ldap.ldapServerType
- standalone.ldap.userIdMap
- standalone.ldap.groupMemberIdMap
- standalone.ldap.userFilter
- standalone.ldap.groupFilter
- standalone.ldap.serverId
- standalone.ldap.serverPassword
- standalone.ldap.realm
- standalone.ldap.primaryAdminId
- standalone.ldap.primaryAdminPassword
- standalone.ldap.primaryPortalAdminId
- standalone.ldap.primaryPortalAdminPassword
- standalone.ldap.primaryPortalAdminGroup
- standalone.ldap.baseDN
- Set entity types parameters...
- Set group member parameters in wkplc.properties under the Group member attributes heading:
- standalone.ldap.gm.groupMemberName
- standalone.ldap.gm.objectClass
- standalone.ldap.gm.scope
- standalone.ldap.gm.dummyMember
- Set relative distinguished name (RDN) parameters in wkplc.properties under the Default parent, RDN attribute heading:
- standalone.ldap.personAccountParent
- standalone.ldap.groupParent
- standalone.ldap.personAccountRdnProperties
- standalone.ldap.groupRdnProperties
- Set advanced parameters for SSL:
Required...
To enable the SSL configuration for the LDAP user registry, change the value of the standalone.ldap.sslEnabled parameter to true.
Optional...
- Save changes to wkplc.properties.
- Validate the LDAP server settings...
./ConfigEngine.sh validate-standalone-ldap -DWasPassword=foo
When the LDAP connection uses SSL, the validation task prompts you to add the LDAP server's signer certificate to the truststore.
For example...
Add signer to the truststore now?
To add it, press y and then Enter.
- Set the stand-alone LDAP user registry...
./ConfigEngine.sh wp-modify-ldap-security -DWasPassword=foo
- Stop and restart servers, dmgrs, and node agents.
- Check that all defined attributes are available in the configured LDAP user registry...
./ConfigEngine.sh wp-validate-standalone-ldap-attribute-config
See Adapting the attribute configuration
- Update the member names used by WCM with the corresponding members in the LDAP directory.
- Edit...
WP_PROFILE/PortalServer/wcm/shared/app/config/wcmservices/MemberFixerModule.properties
- Add the following lines to the file:
uid=wpsadmin,o=defaultWIMFileBasedRealm -> portal_admin_DN
cn=contentauthors,o=defaultWIMFileBasedRealm -> content_authors_group_DN
The MemberFixerModule.properties file already contains lines for xyzadmin. We can ignore this line.
- Save the changes and close the file.
- Run...
./ConfigEngine.sh run-wcm-admin-task-member-fixer -DallLibraries=true -Dfix=true -DaltDn=update -DmismatchedId=update -DinvalidDn=update -DnoRealmDn=true -DPortalAdminPwd=wpsadmin
If the portal admin ID is not unique to your environment, either provide the fully qualified ID as the value for the PortalAdminID parameter in wkplc.properties or specify the fully qualified ID as part of the command.
For example, if the portal admin ID is wpsadmin and the LDAP directory contains wpsadmin as the ID for a different user, this task does not run successfully. Specify a fully qualified portal admin ID such as
uid=wpsadmin,cn=users,ou=test,o=retail,o=ibm
The realm_name used in these lines depends on the LDAP configuration:
- Standalone: realm_name should match the value for standalone.ldap.realm in wkplc.properties.
- Federated: realm_name should match the value for federated.realm in wkplc.properties.
If the value is empty, use defaultWIMFileBasedRealm.
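As an added pre-flight check (example code, not IBM's own tooling), the following Python script parses the standalone.ldap.* settings from a constructed wkplc.properties sample, flags settings that would leave the registry connection unencrypted or leave the administrator unresolvable by the member fixer task, and derives the MemberFixerModule.properties mapping lines described above. The sample values, the content authors group DN and the helper names are assumptions.

```python
import re

# Constructed sample of the relevant wkplc.properties lines (all values invented).
SAMPLE_WKPLC = """\
standalone.ldap.host=ldap.example.com
standalone.ldap.port=636
standalone.ldap.sslEnabled=true
standalone.ldap.bindDN=cn=bind,o=example
standalone.ldap.bindPassword=secret
standalone.ldap.realm=
standalone.ldap.baseDN=o=example
standalone.ldap.primaryPortalAdminId=uid=wpsadmin,cn=users,o=example
standalone.ldap.primaryPortalAdminGroup=cn=wpsadmins,cn=groups,o=example
"""
REQUIRED = ("host", "port", "bindDN", "bindPassword", "baseDN",
            "primaryPortalAdminId", "primaryPortalAdminGroup")
DN_RE = re.compile(r"^\w+=[^,]+(,\w+=[^,]+)+$")  # at least two RDNs, e.g. uid=x,o=y

def parse_properties(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only: DNs contain '='
            props[key.strip()] = value.strip()
    return props

def lint_ldap_ssl(props):
    """Return a list of problems with the SSL registry settings (empty list = consistent)."""
    p = lambda k: props.get("standalone.ldap." + k, "")
    problems = [k + " is empty" for k in REQUIRED if not p(k)]
    if p("sslEnabled").lower() != "true":
        problems.append("sslEnabled must be true for LDAP over SSL")
    elif p("port") == "389":
        problems.append("sslEnabled=true but port is the cleartext LDAP port 389")
    for k in ("bindDN", "primaryPortalAdminId", "primaryPortalAdminGroup"):
        if p(k) and not DN_RE.match(p(k)):  # a bare short ID is ambiguous, see the note above
            problems.append(k + " is not a fully qualified DN: " + p(k))
    return problems

def member_fixer_lines(props, authors_group_dn, old_admin="wpsadmin", old_group="contentauthors"):
    """Derive the MemberFixerModule.properties lines mapping the old file-based realm
    members to their LDAP DNs; an empty standalone.ldap.realm means defaultWIMFileBasedRealm."""
    realm = props.get("standalone.ldap.realm") or "defaultWIMFileBasedRealm"
    admin_dn = props["standalone.ldap.primaryPortalAdminId"]
    return ["uid=%s,o=%s -> %s" % (old_admin, realm, admin_dn),
            "cn=%s,o=%s -> %s" % (old_group, realm, authors_group_dn)]
```

Run lint_ldap_ssl on the parsed file before wp-modify-ldap-security; the member_fixer_lines output can be pasted into MemberFixerModule.properties once the DNs have been confirmed against the directory.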
- Update the SearchAdminUser alias to match the WebSphere Portal administrator information.
- Optional: Assign access to the Web content libraries.
- Log in as a portal administrator and navigate to...
Administration | Portal Content | Web Content Libraries | web_library | Set permissions
- Click the Edit Role icon for Editor.
- Add the group specified for content_authors_group_DN as an Editor for the Intranet and Internet libraries.
- Click Apply then Done.
If you created a cluster, including additional nodes, and then completed the steps in this task, run update-jcr-admin on the secondary nodes.
Related:
Start and stop servers, dmgrs, and node agents
Enable LDAP security after cluster creation
Replace the search administrator user ID
How to fix Portal Access Control settings after user/group external identifiers have changed