Enable federated security

We can use the Configuration Wizard to configure WebSphere Portal to use a federated LDAP for security.

The primary Configuration Wizard options are based on the target configuration topology, such as a stand-alone server or a cluster. The federated security option is included with both Set Up a Stand-alone Server and Set Up a Cluster. For the stand-alone server topology, run the federated security option after database transfer. For the cluster topology, run the federated security option after creating the cluster, but before adding more nodes.

Worksheet

When we set up the federated security, we answer questions about the desired configuration. Some fields apply to all federated security configurations. Some fields are required based on the environment. The remaining fields are advanced and do not apply to most configurations.


Minimal required fields

The following table lists the fields unique to the LDAP configuration. We might be prompted for additional information about system or user IDs and passwords defined during the portal installation process.

The Enable Federated Security option modifies wimconfig.xml. Make a backup copy of this file before running ConfigEngine tasks.

    WP_PROFILE/config/cells/CellName/wim/config/wimconfig.xml

The following parameters must be unique to the environment:

  • PortalAdminId
  • Bind DN
  • Administrator DN from LDAP

Field Label       Property                      Your Value
LDAP Repository   federated.ldap.id
LDAP host name    federated.ldap.host
LDAP port         federated.ldap.port
Base DN           federated.ldap.baseDN
Bind DN           federated.ldap.bindDN
Bind password     federated.ldap.bindPassword


Use an administrator from the LDAP

If we select to use an administrator from the LDAP server, then provide additional information about the LDAP group and ID.

Field Label                          Property               Your Value
Administrator group DN from LDAP     newAdminGroupId
Administrator DN from LDAP           newAdminId
Administrator password from LDAP     newAdminPw
Default parent for group             groupParent
Default parent for PersonAccount     personAccountParent


Advanced fields

Click Advanced on the Customize values page to see the advanced properties. Default values are provided for advanced fields that are required.

Field Label                                             Property                                                   Your Value
LDAP group objectclasses                                federated.ldap.et.group.objectClass
LDAP group objectclasses for creating groups            federated.ldap.et.group.objectClassForCreate
LDAP group search bases                                 federated.ldap.et.group.searchBases
LDAP PersonAccount objectclasses                        federated.ldap.et.personaccount.objectClasses
LDAP PersonAccount objectclasses for creating users     federated.ldap.et.personaccount.objectClassesForCreate
LDAP search bases for the PersonAccount                 federated.ldap.et.personaccount.searchBases
Group dummy member                                      federated.ldap.gm.dummyMember
Group member attribute                                  federated.ldap.gm.groupMemberName
Group object class                                      federated.ldap.gm.objectClass
GM member attribute scope                               federated.ldap.gm.scope
Membership attribute name                               federated.ldap.gc.name
GC member attribute scope                               federated.ldap.gc.scope
Certificate filter                                      federated.ldap.certificateFilter
Certificate map mode                                    federated.ldap.certificateMapMode
Group RDN attribute                                     groupRdnProperties
PersonAccount RDN attribute                             personAccountRdnProperties
Application server SSL configuration                    federated.ldap.sslConfiguration


Nested or dynamic group support

If we need nested or dynamic group support, the wizard provides default values for some of the advanced fields. The default values depend on the LDAP server type selected. Click Advanced to see these fields and verify the defaults. The fields involved are: Group member attribute, Membership attribute name, LDAP group objectclasses, and GC member attribute scope.

Enable federated security

After we answer the questions and provide the LDAP information, the wizard generates a custom configuration procedure for the environment.

The steps below are the union of every step the wizard can generate, not a literal procedure for any one environment: the wizard omits a step whose condition is not met. Use them as a reference.

If we click View Step Command, we can see the task and properties associated with each step in the wizard.

  1. Manual Step: Retrieve the SSL certificate from the SSL port.

      Condition
      Select to configure SSL enabled LDAP.

      ConfigEngine task
      none

  2. Validate the LDAP server settings.

      Condition
      none

      ConfigEngine task
      validate-federated-ldap

  3. Add an LDAP user registry to the default federated repository.

      Condition
      none

      ConfigEngine task
      wp-create-ldap
      recycle-dmgr-if-cluster

  4. Update the user registry where new users and groups are stored.

      Condition
      none

      ConfigEngine task
      wp-set-entitytypes

  5. Register the WAS scheduler tasks.

      Condition
      none

      ConfigEngine task
      stop-portal-server
      start-portal-server
      reregister-scheduler-tasks

  6. Replace the file-based WebSphere Portal and WebSphere Application Server users and groups with users and groups from the LDAP server.

      Condition
      Select to use an administrator and administrator group stored in the LDAP.

      ConfigEngine task
      wp-change-portal-admin-user
      wp-change-was-admin-user

  7. Recycle the servers after a security change.

      Condition
      none

      ConfigEngine task
      recycle-servers-after-security-change

  8. Update the search administration user.

      Condition
      Select to use an administrator and administrator group stored in the LDAP.

      ConfigEngine task
      start-portal-server
      action-fixup-after-security-change-portal-wp.search.webscanner

  9. After we change the security model, the servers need to be restarted. Restart the portal server.

      Condition
      none

      ConfigEngine task
      recycle-servers-after-security-change
      start-portal-server

  10. Verify that all defined attributes are available in the configured LDAP user registry.

      Condition
      none

      ConfigEngine task
      wp-validate-federated-ldap-attribute-config

  11. Manual Step: Update the appropriate MemberFixerModule.properties file with the values for the LDAP users.

      Condition
      Select to use an administrator and administrator group stored in the LDAP.

      ConfigEngine task
      none

  12. Run the member fixer tool.

      Condition
      Select to use an administrator and administrator group stored in the LDAP.

      ConfigEngine task
      run-wcm-admin-task-member-fixer

  13. Restart the WebSphere Portal Server.

      Condition
      none

      ConfigEngine task
      stop-portal-server
      start-portal-server

  14. Manual Step: Map attributes to ensure proper communication between WebSphere Portal and the LDAP server.

      Condition
      none

      ConfigEngine task
      none
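The worksheet values above, the wimconfig.xml backup, and the first two steps of the procedure (retrieve the SSL certificate, validate the LDAP settings) can all be checked from a shell before the wizard's generated sequence runs. The script below is an added example, not IBM's code and not part of the wizard: it verifies that the minimal required worksheet properties are present and non-empty in a key=value properties file, backs up wimconfig.xml as this page directs, fetches the LDAP server's certificate chain for the manual SSL step, tests the bind DN against the LDAP server, and then runs only validate-federated-ldap. The profile path /opt/IBM/WebSphere/wp_profile, the cell name cell1, the wkplc.properties location, the function names, the FEDERATED_PRECHECK_RUN, WAS_PASSWORD and PORTAL_ADMIN_PWD variables, and every sample value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not IBM's own tooling: pre-flight checks for the "Enable
# federated security" procedure. The profile path, cell name, properties-file
# location and all sample values are assumptions; the step sequence the wizard
# generates for your environment is the authoritative one.
set -u

WP_PROFILE="${WP_PROFILE:-/opt/IBM/WebSphere/wp_profile}"               # assumed profile path
CELL_NAME="${CELL_NAME:-cell1}"                                          # assumed cell name
PROPS="${PROPS:-$WP_PROFILE/ConfigEngine/properties/wkplc.properties}"   # assumed location

# Minimal required worksheet fields; each must carry a value before any task runs.
REQUIRED_PROPS="federated.ldap.id federated.ldap.host federated.ldap.port
federated.ldap.baseDN federated.ldap.bindDN federated.ldap.bindPassword"

# prop_value FILE KEY: print the value of KEY from a key=value properties file.
# Comment lines are skipped, the last definition wins, and the value may itself
# contain '=' (bind and base DNs do), so only the first '=' splits key from value.
prop_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }
        index($0, "=") == 0 { next }
        {
            k = $0; sub(/=.*$/, "", k); sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=/, "", v); sub(/^[ \t]+/, "", v); sub(/[ \t\r]+$/, "", v)
                last = v; found = 1
            }
        }
        END { if (found) print last }' "$1"
}

# check_required_props FILE: return 1 and name every required worksheet property
# that is absent or empty, so a half-filled worksheet is caught here rather than
# by validate-federated-ldap.
check_required_props() {
    missing=""
    for key in $REQUIRED_PROPS; do
        [ -n "$(prop_value "$1" "$key")" ] || missing="$missing $key"
    done
    if [ -n "$missing" ]; then
        echo "missing or empty worksheet values:$missing" >&2
        return 1
    fi
    return 0
}

# backup_wimconfig: copy wimconfig.xml to a timestamped .bak beside it, as the
# page directs before running ConfigEngine tasks, and print the backup path.
backup_wimconfig() {
    src="$WP_PROFILE/config/cells/$CELL_NAME/wim/config/wimconfig.xml"
    if [ ! -f "$src" ]; then
        echo "not found: $src" >&2
        return 1
    fi
    dst="$src.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$src" "$dst" && echo "$dst"
}

# fetch_ldap_cert HOST PORT: manual step 1. Print the server's certificate chain
# in PEM form for import into the application server trust store (needs network).
fetch_ldap_cert() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# check_ldap_bind HOST PORT BINDDN PWFILE BASEDN: authenticate as the bind DN and
# read the base entry. The password is read from a file (-y) so it never appears
# in the process list (needs network and the OpenLDAP client tools).
check_ldap_bind() {
    ldapsearch -x -H "ldap://$1:$2" -D "$3" -y "$4" -b "$5" -s base '(objectClass=*)' dn >/dev/null
}

# run_ce TASK [-Dkey=value ...]: run one ConfigEngine task from the procedure.
run_ce() {
    task="$1"; shift
    "$WP_PROFILE/ConfigEngine/ConfigEngine.sh" "$task" "$@"
}

# main: the checks, then only the first generated task (validate-federated-ldap).
# Passwords passed as -D arguments are visible to local users via ps, so run
# this from a controlled session and clear the shell history afterwards.
main() {
    check_required_props "$PROPS" || return 1
    backup_wimconfig || return 1
    run_ce validate-federated-ldap \
        -DWasPassword="${WAS_PASSWORD:?set WAS_PASSWORD}" \
        -DPortalAdminPwd="${PORTAL_ADMIN_PWD:?set PORTAL_ADMIN_PWD}"
}

# Invoke explicitly: FEDERATED_PRECHECK_RUN=1 sh federated-precheck.sh
if [ "${FEDERATED_PRECHECK_RUN:-0}" = "1" ]; then
    main
fi
```

Run it with WAS_PASSWORD and PORTAL_ADMIN_PWD exported and FEDERATED_PRECHECK_RUN=1 set; fetch_ldap_cert and check_ldap_bind are called by hand with the worksheet host, port, bind DN and base DN because both need the LDAP server reachable. The remaining ConfigEngine tasks are run in the order the wizard generates for the topology (View Step Command shows each one), since which of steps 6, 8, 11 and 12 apply depends on whether an administrator from the LDAP was selected, and the cluster topology inserts recycle-dmgr-if-cluster after wp-create-ldap.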
