
Add realm support

A realm is a group of users from one or more user registries that forms a coherent group within IBM WebSphere Portal. A realm must be mapped to a virtual portal before the users it defines can log in to that virtual portal. To configure multiple realm support, complete these steps for each base entry that exists in the LDAP and database user registries.

Before configuring realm support, add all LDAP user registries and database user registries to the federated repository.

To create multiple realms, create all required base entries within the LDAP user registries and database user registries. All base entry names must be unique within the federated repository.

In a stand-alone server environment, we can complete this task when the servers are either stopped or started. In a clustered environment, start the deployment manager and node agent and verify they are able to synchronize.

  1. Use the backupConfig task to create a backup of the IBM WebSphere Portal configuration.

  2. Edit WP_PROFILE/ConfigEngine/properties/wkplc.properties.

  3. In the VMM realm section, set:

    • realmName
    • securityUse
    • delimiter
    • addBaseEntry

    For example:

      realmName=myAdminRealm
      securityUse=active
      delimiter=/
      addBaseEntry=ou=admins,dc=myco,dc=com

    ...or...

      realmName=RealmExt
      securityUse=active
      delimiter=/
      addBaseEntry=dc=external,dc=ad

  4. Save the changes.

  5. Add a realm to the VMM configuration. Repeat these steps until all realms are created.

      cd WP_PROFILE/ConfigEngine
      ./ConfigEngine.sh wp-create-realm -DWasPassword=foo

    To create multiple realms, ensure the federated repository contains the correct unique base entries. Stop and restart the appropriate servers for the installation environment, and then update wkplc.properties with the base entry information and rerun the wp-create-realm task.

  6. Stop and restart the appropriate servers to propagate the changes.

  7. Edit wkplc.properties and set:

    • realmName
    • realm.personAccountParent
    • realm.groupParent
    • realm.orgContainerParent

  8. Update the default parents per entity type and realm:

      ./ConfigEngine.sh wp-modify-realm-defaultparents -DWasPassword=foo

  9. Stop and restart the appropriate servers to propagate the changes.

  10. To create more entity types and realms, rerun the wp-modify-realm-defaultparents task.

  11. To add multiple base entries to a realm, for example...

      dc=internal,dc=ad
      dc=external,dc=ad

    ...first set the following properties in wkplc.properties for dc=internal,dc=ad and run the task below. Then set the same properties for dc=external,dc=ad and rerun the task.

    • realmName
    • addBaseEntry

    Task...

      ./ConfigEngine.sh wp-add-realm-baseentry -DWasPassword=foo

  12. Stop and restart all necessary servers to propagate your changes.

  13. If we changed the default realm, replace the WAS and portal administrator IDs:

    1. Use the Manage Users and Groups portlet to create a user to replace the current WAS administrative user.

    2. Use the Manage Users and Groups portlet to create a user to replace the current WebSphere Portal administrative user.

    3. Use the Manage Users and Groups portlet to create a group to replace the current group.

    4. Replace the old WAS administrative user ID and group ID with the new user and group:

        ./ConfigEngine.sh wp-change-was-admin-user \
            -DWasUser=adminid \
            -DWasPassword=foo \
            -DnewAdminId=newadminid \
            -DnewAdminPw=newpassword \
            -DnewAdminGroupId=newadmingroupid

    5. Verify the task completed successfully. Stop and restart all servers.

    6. Replace the old WebSphere Portal administrative user ID and group ID with the new user and group:

        ./ConfigEngine.sh wp-change-portal-admin-user \
            -DWasPassword=foo \
            -DnewAdminId=newadminid \
            -DnewAdminPw=newpassword \
            -DnewAdminGroupId=newadmingroupid

      Provide the full DN for the newAdminId and newAdminGroupId parameters.

      Additional parameter for stopped servers: this task verifies the user against a running server instance. If the server is stopped, add -Dskip.ldap.validation=true to the task to skip the validation.

    7. Verify the task completed successfully.

    8. Stop and restart all servers.

  14. To set the realm created as the default realm:

    Only users defined in base entries that exist in the default realm are able to log in to WebSphere Portal. If a user cannot log in to WebSphere Portal, check whether the base entry containing the user exists in the default realm. We can run the wp-query-realm-baseentry task to see what base entries are part of the default realm. If the default realm is missing the base entry, run the wp-add-realm-baseentry task to add the base entry to the default realm.

    1. Open wkplc.properties.

    2. For defaultRealmName, type the realmName property value to use as the default realm.

    3. Save the changes.

    4. Set this realm as the default realm:

        ./ConfigEngine.sh wp-default-realm -DWasPassword=foo

    5. Stop and restart all necessary servers to propagate your changes.

  15. To query a realm for a list of its base entries:

    1. Open wkplc.properties.

    2. For realmName, type the name of the realm to query.

    3. Save the changes.

    4. To list the base entries for a specific realm:

        ./ConfigEngine.sh wp-query-realm-baseentry -DWasPassword=foo

  16. To enable full distinguished name login if the short names are not unique for the realm:

    Run this task if the administrator short name conflicts with another user name in the attached repository. It allows the administrator to log in using the full distinguished name instead of the short name.

    1. Edit wkplc.properties and set a value for realmName.

      Leave it blank to update the default realm.

    2. Save the changes.

    3. Enable distinguished name login for the realm:

        ./ConfigEngine.sh wp-modify-realm-enable-dn-login -DWasPassword=foo

      To disable the feature, run the wp-modify-realm-disable-dn-login task.

    4. Stop and restart all necessary servers to propagate your changes.
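The per-base-entry loop of step 11 (update wkplc.properties, run wp-add-realm-baseentry, repeat) scripted as an added example; this is not IBM's code. It assumes WP_PROFILE is set, lets CONFIG_ENGINE and WKPLC be overridden, and reads the WAS password from WAS_PASSWORD so it is not typed into the shell history.

```shell
#!/bin/sh
# Added example, not part of the WebSphere Portal product.
# Assumptions: WP_PROFILE points at the portal profile; WAS_PASSWORD holds
# the WAS administrator password; CONFIG_ENGINE/WKPLC may be overridden.

WKPLC="${WKPLC:-$WP_PROFILE/ConfigEngine/properties/wkplc.properties}"
CONFIG_ENGINE="${CONFIG_ENGINE:-$WP_PROFILE/ConfigEngine/ConfigEngine.sh}"

# set_prop FILE KEY VALUE: replace an existing KEY=... line in place, or
# append it when absent. Uses '|' as the sed delimiter because DN values
# contain '=' and ','. Writes via a temp file so it works with POSIX sed.
set_prop() {
  file=$1; key=$2; value=$3
  if grep -q "^${key}=" "$file"; then
    sed "s|^${key}=.*|${key}=${value}|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# get_prop FILE KEY: print the current value of KEY (empty if missing).
get_prop() {
  sed -n "s|^$2=||p" "$1" | tail -n 1
}

# add_base_entries REALM ENTRY...: for every base entry, set realmName and
# addBaseEntry in wkplc.properties and rerun the task, exactly as the manual
# step repeats it per entry. Stops at the first failing run.
add_base_entries() {
  realm=$1; shift
  for entry in "$@"; do
    set_prop "$WKPLC" realmName "$realm"
    set_prop "$WKPLC" addBaseEntry "$entry"
    "$CONFIG_ENGINE" wp-add-realm-baseentry -DWasPassword="$WAS_PASSWORD" || return 1
  done
}

# Usage (uncomment on a real installation):
# WAS_PASSWORD=... add_base_entries RealmExt dc=internal,dc=ad dc=external,dc=ad
```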
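A troubleshooting helper for the login check in step 14, added here as an example that is not IBM's code: given a user's DN and the base entries of the default realm, it reports which base entry covers the user, or fails when none does (the "user cannot log in" case). The base entries are supplied as a constructed list, since the page does not show the output format of wp-query-realm-baseentry.

```shell
# Added example, not part of the WebSphere Portal product.
# DNs are compared in RFC 4514 string form: case-insensitively and with
# whitespace around the ',' separators removed.

# norm_dn DN: lowercase and strip spaces around the RDN separators.
norm_dn() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/[[:space:]]*,[[:space:]]*/,/g'
}

# dn_under DN BASE: success if DN equals BASE or ends with ",BASE".
# The leading comma stops partial RDN matches such as c=myco,dc=com
# being accepted as a parent of ou=admins,dc=myco,dc=com.
dn_under() {
  dn=$(norm_dn "$1"); base=$(norm_dn "$2")
  [ "$dn" = "$base" ] && return 0
  case "$dn" in
    *",$base") return 0 ;;
  esac
  return 1
}

# realm_covers DN BASE...: print the first base entry (as given) that
# contains DN and succeed; fail when the user lies outside every base
# entry of the realm, which is the situation the manual tells you to check.
realm_covers() {
  dn=$1; shift
  for base in "$@"; do
    if dn_under "$dn" "$base"; then
      printf '%s\n' "$base"
      return 0
    fi
  done
  return 1
}

# Constructed sample: the admin realm from the examples above plus an
# external base entry; the user below is covered by the first one.
realm_covers 'uid=wpsadmin,ou=Admins,dc=myco,dc=com' \
  'ou=admins,dc=myco,dc=com' 'dc=external,dc=ad' || echo 'not in default realm'
```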

