+

Search Tips   |   Advanced Search

Configure a stand-alone LDAP user registry over SSL on IBM i in a clustered environment


Configure IBM WebSphere Portal to use a standalone LDAP user registry over SSL to store all user account information for secure authorization.

In a clustered environment, start the dmgr and nodeagent and verify they are able to synchronize.


Configure a standalone LDAP user registry over SSL

We can use WP_PROFILE/ConfigEngine/config/helpers/wp_security_xxx.properties to ensure correct properties.

  1. Run backupConfig.sh

  2. Retrieve the SSL certificate from the port:

    1. Log in to the WAS admin console.

    2. Go to...

        Security | SSL certificate and key management | SSL configurations

    3. Click the appropriate SSL configuration from the list. for example...

        CellDefaultSSLSettings

      Clustered environments: Ensure the setting for SSL configuration for outbound connection matches the SSL settings.

    4. Click Key stores and certificates.

    5. Click the appropriate truststore from the list; for example...

        CellDefaultSSLSettings

    6. Click...

      ...and then enter the following information:

    7. Click Retrieve signer information to retrieve the certificate from the port.

    8. Click OK and then click Save to save the changes to the master configuration.

  3. Edit wkplc.properties

  4. Set parameters under the Standalone security heading:

  5. Set entity types parameters...

  6. Set group member parameters in wkplc.properties under the Group member attributes heading:

  7. Set relative distinguished name (RDN ) parameters in wkplc.properties under the Default parent, RDN attribute heading:

  8. Set advanced parameters for SSL:

    Required...

    To enable the SSL configuration for the LDAP user registry, change the value of the standalone.ldap.sslEnabled parameter to true.

    Optional...

  9. Save changes to wkplc.properties.

  10. Run the ConfigEngine.sh validate-standalone-ldap -DWasPassword=foo task to validate the LDAP server settings.

    In an environment configured with an LDAP with SSL, during the validation task, you will be prompted to add a signer to the truststore.

    For example...

      Add signer to the truststore now?

    If you do, press y then Enter.

  11. Run the ConfigEngine.sh wp-modify-ldap-security -DWasPassword=foo task, from WP_PROFILE/ConfigEngine, to set the standalone LDAP user registry.

  12. Stop and restart servers, dmgrs, and node agents.

  13. Run the ConfigEngine.sh wp-validate-standalone-ldap-attribute-config -DWasPassword=foo task, from WP_PROFILE/ConfigEngine, to check that all defined attributes are available in the configured LDAP user registry.

    See Adapting the attribute configuration

  14. Update the member names used by WCM with the corresponding members in the LDAP directory.

    1. Edit...

        WP_PROFILE/PortalServer/wcm/shared/app/config/wcmservices/MemberFixerModule.properties

    2. Add the following lines to the file:
      uid=wpsadmin,o=defaultWIMFileBasedRealm -> portal_admin_DN 
      cn=contentauthors,o=defaultWIMFileBasedRealm -> content_authors_group_DN

      The MemberFixerModule.properties file already contains lines for xyzadmin. We can ignore this line.

    3. Save the changes and close the file.

    4. Run the ConfigEngine.sh run-wcm-admin-task-member-fixer -DallLibraries=true -Dfix=true -DaltDn=update -DmismatchedId=update -DinvalidDn=update -DnoRealmDn=true -DPortalAdminPwd=wpsadmin task, located in the WP_PROFILE/ConfigEngine.

      If the portal admin ID is not unique to your environment, either provide the fully qualified ID as the value for the PortalAdminID parameter in wkplc.properties or specify the fully qualified ID as part of the command.

      For example, if the portal admin ID is wpsadmin and the LDAP directory contains wpsadmin as the ID for a different user, this task does not run successfully. Specify a fully qualified portal admin ID such as

        uid=wpsadmin,cn=users,ou=test,o=retail,o=ibm

      LDAP Value
      Standalone realm_name should match the value for standalone.ldap.realm in wkplc.properties.
      Federated realm_name should match the value for federated.realm in wkplc.properties. If value is empty, use defaultWIMFileBasedRealm.

  15. Update the SearchAdminUser alias to match the WebSphere Portal administrator information.

  16. Optional: Assign access to the Web content libraries.

    1. Log in as a portal administrator and navigate to...

        Administration | Portal Content | Web Content Libraries | web_library | Set permissions

    2. Click the Edit Role icon for Editor.

    3. Add the group specified for content_authors_group_DN as an Editor for the Intranet and Internet libraries.

    4. Click Apply then Done.

  17. Update the SearchAdminUser alias to match the WebSphere Portal administrator information.

If you created a cluster, including additional nodes, and then completed the steps in this task, run update-jcr-admin on the secondary nodes.


Parent: Choose the stand-alone LDAP user registry on IBM i in a clustered environment
Related:
Start and stop servers, dmgrs, and node agents
Enable LDAP security after cluster creation
Replace the search administrator user ID
Related:

How to fix Portal Access Control settings after user/group external identifiers have changed