Add realm support on IBM i in a clustered environment
A realm is a group of users from one or more user registries that form a coherent group within IBM WebSphere Portal. A realm must be mapped to a Virtual Portal to allow the defined users to log in to that Virtual Portal. When configuring realm support, complete these steps for each base entry that exists in the LDAP and/or database user registry to create multiple realm support.

Before configuring realm support, add all LDAP user registries and/or database user registries that you will use to create a single realm or multiple realms to the federated repository. If you are going to create multiple realms, create all required base entries within the LDAP user registries and/or database user registries. All base entry names must be unique within the federated repository.
In a clustered environment, start the dmgr and nodeagent and verify they are able to synchronize.
Add realm support to the user registry model:
- Run backupConfig.sh
- Edit wkplc.properties
- Create a new realm with default base entry.
Set the following required parameters under the VMM realm configuration heading:
- Save changes to wkplc.properties.
- Run the ConfigEngine.sh wp-create-realm -DWasPassword=foo task, from WP_PROFILE/ConfigEngine, to add a new realm to the Virtual Member Manager configuration.
To create multiple realms, ensure that the federated repository contains the required unique base entries. Stop and restart the appropriate servers for the installation environment, and then update wkplc.properties with the base entry information and rerun the wp-create-realm task. Repeat these steps until all realms are created.
- Stop and restart servers, dmgrs, and node agents.
- Set the parent person, parent group, and parent organization values for your new realm...
- Update the default parents per entity type and realm...
./ConfigEngine.sh wp-modify-realm-defaultparents -DWasPassword=foo
If you have to re-run this task to add additional entity types and realms, first stop and restart the appropriate appservers.
- Stop and restart servers, dmgrs, and node agents.
- Add any additional base entries to the realm configuration.
For example, if you have two additional base entries (base entry 1 and base entry 2) to add to the realm you just created, update wkplc.properties with the information from base entry 1 and then run this task. Then update the properties file with the information for base entry 2 and then run this task:
- Edit wkplc.properties
- Set value for new base entry under VMM realm configuration heading:
- Save changes to wkplc.properties.
- Add your LDAP base entry to the realm configuration... From WP_PROFILE/ConfigEngine, run:
./ConfigEngine.sh wp-add-realm-baseentry -DWasPassword=foo
- Stop and restart all necessary servers to propagate the changes.
- Optional: Set the realm you created as the default realm:
Only users defined in base entries that exist in the default realm are able to log into WebSphere Portal. If you find that a user cannot log in to WebSphere Portal, check to see if the base entry containing the user exists in the default realm. To see what base entries are part of the default realm...
wp-query-realm-baseentry
If the default realm is missing the base entry, run the wp-add-realm-baseentry task to add the base entry to the default realm.
- Edit wkplc.properties
- For defaultRealmName, type the realmName property value to use as the default realm.
- Save changes to wkplc.properties.
- Run the ConfigEngine.sh wp-default-realm -DWasPassword=foo task, from WP_PROFILE/ConfigEngine, to set this realm as the default realm.
- Stop and restart all necessary servers to propagate the changes.
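The realm-creation steps (edit wkplc.properties, set realmName, run wp-create-realm) and the default-realm steps (set defaultRealmName, run wp-default-realm) follow the same edit-then-run pattern. The script below is an added example, not IBM's code: it edits the properties file idempotently, keeps a timestamped copy so the change can be reverted, and runs the ConfigEngine task from WP_PROFILE/ConfigEngine. It assumes WP_PROFILE points at your portal profile (the default path is a placeholder) and that the WAS password is supplied through a WAS_PASSWORD environment variable instead of being written into the script; the property names other than realmName and defaultRealmName are not taken from this page.

```shell
#!/bin/sh
# Added example, not IBM's code. Drives the "create realm" and "set default
# realm" steps above. WP_PROFILE default is a placeholder; WAS_PASSWORD is an
# assumed environment variable holding the value passed as -DWasPassword.

WP_PROFILE="${WP_PROFILE:-/path/to/wp_profile}"   # placeholder, set to your profile

# Read KEY from a Java properties file (comments skipped, whitespace trimmed).
get_prop() {
    awk -v k="$1" '
        /^[ \t]*#/ { next }
        {
            i = index($0, "=")
            if (i == 0) next
            key = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == k) {
                val = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val; exit
            }
        }' "$2"
}

# Set KEY=VALUE idempotently: replace the existing line, or append if absent.
# A timestamped copy of the file is kept so the edit can be reverted.
set_prop() {
    cp "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
    awk -v k="$2" -v v="$3" '
        BEGIN { done = 0 }
        /^[ \t]*#/ { print; next }
        {
            i = index($0, "=")
            if (i > 0) {
                key = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
                if (key == k) { if (!done) { print k "=" v; done = 1 }; next }
            }
            print
        }
        END { if (!done) print k "=" v }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Run a ConfigEngine task from WP_PROFILE/ConfigEngine. With DRY_RUN=1 (the
# default here) the command is printed with the password masked instead of run.
run_task() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'cd %s/ConfigEngine && ./ConfigEngine.sh %s -DWasPassword=***\n' "$WP_PROFILE" "$1"
    else
        (cd "$WP_PROFILE/ConfigEngine" && ./ConfigEngine.sh "$1" "-DWasPassword=${WAS_PASSWORD:?set WAS_PASSWORD}")
    fi
}

# Create one realm: set realmName in wkplc.properties, then run wp-create-realm.
# Repeat per realm; the steps above require a server restart between runs.
create_realm() {
    set_prop "$1" realmName "$2"
    run_task wp-create-realm
}

# Make a realm the default: set defaultRealmName, then run wp-default-realm.
set_default_realm() {
    set_prop "$1" defaultRealmName "$2"
    run_task wp-default-realm
}

# Constructed demonstration against a temporary properties file.
demo() {
    tmp=$(mktemp)
    printf '# VMM realm configuration (constructed sample)\nrealmName=\ndefaultRealmName = oldRealm\n' > "$tmp"
    create_realm "$tmp" portalRealm
    set_default_realm "$tmp" portalRealm
    get_prop defaultRealmName "$tmp"   # prints portalRealm
    rm -f "$tmp" "$tmp".bak.* "$tmp".tmp
}
demo
```

Set DRY_RUN=0 and export WAS_PASSWORD to run the tasks for real; the dry-run output deliberately masks the password so the plan can be pasted into a change record without leaking it.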
To query a realm for a list of its base entries:
- Edit wkplc.properties
- For realmName, set the name of the realm to query.
- Save changes to wkplc.properties.
- Run the ConfigEngine.sh wp-query-realm-baseentry -DWasPassword=foo task, from WP_PROFILE/ConfigEngine, to list the base entries for a specific realm.
- If you change the default realm, replace the WAS and WebSphere Portal administrator user ID:
- Create a new user in the Manage Users and Groups portlet to replace the current WAS administrative user.
- Create a new user in the Manage Users and Groups portlet to replace the current WebSphere Portal administrative user.
- Create a new group in the Manage Users and Groups portlet to replace the current group.
- Run the ConfigEngine.sh wp-change-was-admin-user -DWasUser=adminid -DWasPassword=foo -DnewAdminId=newadminid -DnewAdminPw=newpassword -DnewAdminGroupId=newadmingroupid task, from WP_PROFILE/ConfigEngine, to replace the old WAS admin user ID and group ID with the new user and group.
Provide the full DN for the newAdminId and newAdminGroupId parameters.
This task verifies the user against a running server instance. If the server is stopped, skip the validation by adding the following parameter to the task:
-Dskip.ldap.validation=true
- Verify the task completed successfully. Stop and restart all required servers.
- Run the ConfigEngine.sh wp-change-portal-admin-user -DWasPassword=foo -DnewAdminId=newadminid -DnewAdminPw=newpassword -DnewAdminGroupId=newadmingroupid task to replace the old WebSphere Portal admin user ID and group ID with the new user and group.
Provide the full DN for the newAdminId and newAdminGroupId parameters.
This task verifies the user against a running server instance. If the server is stopped, skip the validation by adding the following parameter to the task:
-Dskip.ldap.validation=true
- Verify the task completed successfully. Stop and restart all required servers.
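Two checks from the text above lend themselves to a small script: whether a user's DN falls under one of the base entries of the default realm (the login troubleshooting step), and whether the values given for newAdminId and newAdminGroupId are full DNs rather than short names. This is an added example, not IBM's code. The base-entry list and DNs are constructed sample data; in practice the list comes from the wp-query-realm-baseentry task, whose output format is not shown on this page.

```shell
#!/bin/sh
# Added example, not IBM's code. Sample DNs and base entries are constructed.

# Normalise a DN for comparison: lower-case, no spaces around '=' and ','.
norm_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' \
        | sed -e 's/[[:space:]]*=[[:space:]]*/=/g' -e 's/[[:space:]]*,[[:space:]]*/,/g'
}

# Return 0 if the value is a full DN (attr=value components separated by
# commas), 1 for a short name such as "wpsadmin". Escaped commas in values
# are not handled.
is_full_dn() {
    n=$(norm_dn "$1")
    printf '%s' "$n" | grep -Eq '^[a-z][a-z0-9-]*=[^,=]+(,[a-z][a-z0-9-]*=[^,=]+)*$'
}

# Return 0 if the user DN ends in one of the base entries (newline-separated
# list), i.e. the entry containing the user is part of the realm.
dn_under_base_entries() {
    u=$(norm_dn "$1")
    printf '%s\n' "$2" | (
        while IFS= read -r be; do
            [ -n "$be" ] || continue
            b=$(norm_dn "$be")
            case "$u" in *",$b") exit 0 ;; esac
        done
        exit 1
    )
}

# Print a verdict for one user against the default realm's base entries.
realm_login_check() {
    if dn_under_base_entries "$1" "$2"; then
        printf '%s: base entry present in realm, login possible\n' "$1"
    else
        printf '%s: no matching base entry, add it with wp-add-realm-baseentry\n' "$1"
    fi
}

# Build the identifier parameters for wp-change-was-admin-user or
# wp-change-portal-admin-user only if both values are full DNs, as required
# above. Password parameters are left out; pass them from the environment.
admin_change_args() {
    is_full_dn "$1" || { echo "newAdminId must be a full DN: $1" >&2; return 1; }
    is_full_dn "$2" || { echo "newAdminGroupId must be a full DN: $2" >&2; return 1; }
    printf '%s %s\n' "-DnewAdminId=$1" "-DnewAdminGroupId=$2"
}

# Constructed sample: base entries reported for the default realm.
DEFAULT_REALM_BASE_ENTRIES='o=constructedPortalRealm
ou=people,dc=example,dc=com'

realm_login_check 'uid=bob, ou=People, dc=Example, dc=com' "$DEFAULT_REALM_BASE_ENTRIES"
realm_login_check 'uid=eve,ou=partners,dc=example,dc=com' "$DEFAULT_REALM_BASE_ENTRIES"
admin_change_args 'uid=newadmin,o=constructedPortalRealm' 'cn=newadmins,o=constructedPortalRealm'
admin_change_args 'newadmin' 'cn=newadmins,o=constructedPortalRealm' || echo 'refused short name'
```

The suffix match is anchored on the comma before the base entry, so "ou=people,dc=example,dc=com" matches a user under that entry but not a user under "ou=partners" or a DN that merely ends in similar characters; normalising case and whitespace avoids false negatives when the repository and the task output format DNs differently.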
To enable the full distinguished name login if the short names are not unique for the realm:
Run this task if the administrator name is in conflict with another user name in the attached repository. This command allows the Administrator to log in using the fully distinguished name instead of the short name.
- Edit wkplc.properties
- Enter a value for realmName or leave blank to update the default realm.
- Save changes to wkplc.properties.
- Run the ConfigEngine.sh wp-modify-realm-enable-dn-login -DWasPassword=foo task, located in WP_PROFILE/ConfigEngine, to enable the distinguished name login.
After running this task to enable the full distinguished name login, you can run the ConfigEngine.sh wp-modify-realm-disable-dn-login -DWasPassword=foo task to disable the feature.
- Stop and restart all necessary servers to propagate the changes.
If you created a cluster, including additional nodes, and then completed the steps in this task, run update-jcr-admin on the secondary nodes.
Parent: Configure the default federated repository on IBM i in a clustered environment
Related:
Start and stop servers, dmgrs, and node agents
Enable LDAP security after cluster creation