+

Search Tips   |   Advanced Search

Enable step-up authentication, the Remember me cookie, or both on Solaris


We can choose to enable either step-up authentication or the Remember me cookie individually or we can choose to use these features together.

Log on to the WAS admin console and go to...

Verify that both Interoperability Mode and Web inbound security attribute propagation are enabled.

We can use step-up authentication with IBM WSRP extensions. The authentication level defined for portlets on the Producer portal is automatically set on the Consumer portal when it consumes WSRP services. If you apply step-up authentication mechanisms on the Producer, users are also challenged for stronger authentication credentials on the Consumer portal as required.
To use step-up authentication with an IBM WSRP extension, ensure your environment meets the following requirements:

Important: The Remember me cookie does not extend the Portal Personalization feature to the public area because a user identified by the Remember me cookie in a public area is still considered anonymous from an access control point of view.

Web Content Manager note: The authoring portlet and the web content viewer do not fully support step-up authentication or the Remember me cookie. However, the user name component is aware of the Remember me cookie. If the Remember me cookie is set on a request and a user not logged in, the user name component does not use the anonymous user design for the response but instead uses the user name design complete with the name or distinguished name of the user specified by the Remember me cookie.

Restriction: Step-up authentication requires the LtpaToken2 for single sign-on; see Implementing single sign-on to minimize web user authentications for details. To enable step-up authentication and/or the Remember me cookie:

  1. Choose one of the following configuration options:

    Option Steps
    Enable both step-up authentication and the Remember me cookie

    By default, this task enables the following authentication levels:

    • standard

    • identified

    • authenticated

    To enable step-up authentication and the Remember me cookie:

    1. Edit wkplc.properties, located in...

        WP_PROFILE/ConfigEngine/properties

    2. Set enable_rememberme to true in the 'StepUp Authentication' properties section.

    3. Save the changes to wkplc.properties.

    4. ./ConfigEngine.sh enable-stepup-authentication -DWasUserid=wasuser -DWasPassword=foo -Dsua_user=user_name -Dsua_serversecret_password=foo

    We can define the sua_user and sua_serversecret_password parameters either in wkplc.properties or on the command line. If you enter the values in the properties file and on the command line, the values entered on the command line will overwrite the values in wkplc.properties.

    Enable only step-up authentication

    By default, this task enables the following authentication levels:

    • standard

    • authenticated

    To enable only step-up authentication:

    1. Edit wkplc.properties, located in...

        WP_PROFILE/ConfigEngine/properties

    2. Set enable_rememberme to false in the 'StepUp Authentication' properties section.

    3. Save the changes to wkplc.properties.

    4. ./ConfigEngine.sh enable-stepup-authentication -DWasUserid=wasuser -DWasPassword=foo
    Enable only the Remember me cookie ./ConfigEngine.sh enable-rememberme -DWasUserid=wasuser -DWasPassword=foo -Dsua_user=user_name -Dsua_serversecret_password=foo

    We can define the sua_user and sua_serversecret_password parameters either in wkplc.properties or on the command line. If you enter the values in the properties file and on the command line, the values entered on the command line will overwrite the values in wkplc.properties.

  2. Check the output for any error messages before proceeding with any additional tasks. If any of the configuration tasks fail, verify the values in wkplc.properties.

  3. Stop and restart servers, dmgrs, and node agents.

  4. To change the authentication level on a page or portlet:

    1. Click Administration.

    2. Click Resource Permissions under Access.

    3. Click either the Pages link or the Portlets link.

    4. Locate the page or portlet to change and click the Authentication Level link.

    5. Choose one of the following levels:

      The following Authentication Levels are provided out-of-the-box. If you customized the step-up authentication, you may have different levels.

        Standard

        Set the Authentication Level to Standard if you want anonymous and identified users to view the page or portlet. The Standard level has the following two states based on the access control setting for the page or portlet:

        • If anonymous users have access to the page or portlet, no authentication is required.

        • If only authenticated users have access to the page or portlet, authentication is required.

        Identified (available if enable_rememberme=true)

        Set the Authentication Level to Identified to control whether or not content is displayed to an unauthenticated user based on the existence of a persistent HTTP cookie. This option is intended for pages and portlets that are visible to anonymous users. An example is the Remember me on this computer option during login. This option generates the com.ibm.portal.RememberMe cookie.

        If a user previously authenticated to WebSphere Portal and then returns with the com.ibm.portal.RememberMe cookie, the user is "identified" and the content displays without the user having to log in. If a user attempts to access WebSphere Portal without the com.ibm.portal.RememberMe cookie, the user is asked to authenticate before the content is displayed.

        CAUTION:

        Do not set the Access level to identified for the Login portlet. This action causes problems when logging into WebSphere Portal.

        Authenticated

        Set the Authentication Level to Authenticated if you want anonymous and identified users to login to view the page or portlet.


Parent: Solaris: Enable step-up authentication, the Remember me cookie, or both