Switching to unique administrator IDs for system level communication 

When you install IBM Connections, you provide a user name and password for a system user account that is created by the installer to handle application-to-application communication. The installer also creates a J2C authentication alias, named connectionsAdmin. The alias is filled with the specified user and maps that user to a set of application roles. If you want to map these roles to different system user accounts, create additional J2C authentication aliases and remap the roles.


Before starting

This is an optional configuration. Only complete one of these tasks if you want to map a different user ID to the system-level roles for one or more of the IBM Connections applications.


About this task

The connectionsAdmin is mapped to roles that perform the following tasks:

Table 1. Roles associated with connectionsAdmin

Role | Description
dsx-admin | Used by the Profiles and Communities applications to query their corresponding databases to retrieve user or community data. When other applications need user or community data, they use the connectionsAdmin user to authenticate with Profiles and Communities, and then request the data from Profiles and Communities.
search-admin | Used by all applications to control which user IDs can query for seedlist information. The seedlist data is used to create the global index. The Search application uses the connectionsAdmin user ID to authenticate with the other applications, and then makes queries to them on a scheduled basis to keep the index up-to-date.
widget-admin | Used by applications that make widgets available within the Communities application, such as Activities, Blogs, Files, and Wikis. People assigned to this role can run administrative commands that make changes to those managed applications, such as to create, delete, or modify membership information. The Communities application uses the connectionsAdmin user ID to authenticate with the other applications, and then passes the requests on to them.

In addition, the connectionsAdmin user is used by the Home page application to secure the messaging bus connection.

The connectionsAdmin user does not represent the administrative user of an application; it represents a system-level user for application-to-application communication.

To map a different user ID to one of the default roles...


Procedure

  1. Perform one of the following tasks:

    • To specify a different system-level user ID for the dsx-admin, search-admin, or widget-admin roles: Create a J2C authentication alias on WAS by completing the following steps:

      1. From the IBM WAS admin console, expand Security, and then select Global security.

      2. In the Authentication area, expand Java Authentication and Authorization Service, and click J2C authentication data.

      3. Click New, and then enter an alias name, user ID, and password.

        • dsx-admin: If you are creating an alias for this role and plan to enable or have enabled single sign-on with a third-party authentication manager, specify a user ID that is present in the corporate directory, and not only in the WebSphere Identity Manager.

        • search-admin: If you are creating an alias for this role, specify an alias name with the syntax: search<application_name>Alias where <application_name> is the name of the application for which you want to create the alias. For example, searchBlogsAlias.

        • widget-admin: If you are creating an alias for this role, specify an alias name with the syntax: widget<application_name>Alias where <application_name> is the name of the application for which you want to create the alias. For example, widgetActivitiesAlias.

      4. Click OK, and then click Save.

      5. Repeat steps 3 to 4 for each new role that you want to create.

      6. Save your changes.

    • To specify a different system-level user ID for the connectionsBus role: Map the user ID to a security setting in the service integration buses defined for IBM Connections by completing the following steps:

      1. From the WAS admin console, select Service integration -> Buses.

      2. Click the bus to which you want to map a different user ID.

          Note: All IBM Connections buses have names that begin with Connections.

      3. Click Security -> Users and groups in the bus connector role.

      4. Delete the existing user ID by selecting the check box next to the user ID and clicking Delete.

      5. To add the new user ID, click New, select User name, and then type the name of the new user ID.

      6. Click OK.

      7. Repeat steps 2 to 6 for each bus.

      8. Save the changes.

  2. If you are specifying a different system-level user ID for the widget-admin role: Edit the widget-config.xml configuration file for the application or applications affected by this change. To do so...

    1. From the profile_root\config\cells\<cellName>\LotusConnections-config directory, open the widget-config.xml file in a text editor.

    2. Change the remoteHandlerAuthenticationAlias attribute in the lifecycle element for the widgetDef (widget definition) corresponding to the application that is to be changed. Replace the current value with the name of the alias that you created; include the full name of the alias, which is likely to include a node name prefix.

    3. Repeat the previous step for each application for which you defined a new alias.

    4. Save the widget-config.xml file.

  3. If you are specifying a different system-level user ID for the dsx-admin, search-admin, or widget-admin roles: Map the user in the alias to the role you want by completing the following steps:

      Attention: For Activities, map the person that you are mapping to the widget-admin role to the person role as well.

      1. From the WAS admin console, expand Applications -> Application Types, and then select WebSphere enterprise applications. Find and click the link to the application that you want to configure.

      2. Click Security role to user/group mapping. Find the role that you created in the Role column, and then click Map users or Map groups.

      3. In the Search String box, type the name of the person or group you would like to assign to this role, and then click Search. If the user or group exists in the directory, it is found and displayed in the Available list.

      4. Select the user or group name from the Available box, and then move it into the Selected column by clicking the right arrow button.

      5. Repeat steps i and j to add additional people or groups.

      6. Repeat steps f through k to define access levels and assign people to any other aliases that you created.

      7. Click OK.

      8. Click OK, and then click Save to save the changes.

  4. If you are specifying a different system-level user ID for the dsx-admin role: Update the value of the corresponding attributes in the LotusConnections-config.xml file. To do so, start the wsadmin client, and then complete the following steps:

    1. Enter the following command to access the IBM Connections configuration file: execfile("connectionsConfig.py")

        If prompted to specify a service to connect to, type 1 to pick the first node in the list. Most commands can run on any node. If the command writes or reads information to or from a file using a local file path, pick the node where the file is stored. This information is not used by the wsadmin client when you are making configuration changes.

    2. Check out the IBM Connections configuration files:

        LCConfigService.checkOutConfig("<working_directory>","<cell_name>")

        where:

        • <working_directory> is the temporary working directory to which the configuration XML and XSD files are copied and are stored while you make changes to them. Use forward slashes to separate directories in the file path, even if you are using the Microsoft™ Windows™ operating system.

            AIX and Linux™ only: The directory must grant write permissions or the command does not run successfully.

        • <cell_name> is the name of the WAS cell hosting the IBM Connections application. This argument is case-sensitive, so type it with care. To obtain the cell name: print AdminControl.getCell()

        For example:

        • AIX or Linux: LCConfigService.checkOutConfig("/opt/temp","foo01Cell01")

        • Microsoft Windows: LCConfigService.checkOutConfig("c:/temp","foo01Cell01")

    3. Use the following commands to update the alias information:

        LCConfigService.updateConfig("profiles.directory.service.extension.enabled", "true")

    4. Open the LotusConnections-config.xml file in a text editor, and then add the following values to the <sloc:serviceReference serviceName="directory"> element in the file:

        <sloc:serviceReference serviceName="directory" 
        communities_directory_service_extension_auth_alias="<alias_you_created>" 
        communities_directory_service_extension_enabled="true" 
        profiles_directory_service_extension_auth_alias="<alias_you_created>" 
        />

        where <alias_you_created> is the alias you created in Step 1.

    5. After making changes, check the configuration files back in. For the changes to take effect, you must do so during the same wsadmin session in which you checked them out. See Apply common configuration property changes for information about how to save and apply your changes.

  5. Restart the application servers hosting the applications for which you created user roles.
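
After step 2, it is useful to confirm which widget definitions still authenticate with the shared connectionsAdmin alias and which use a dedicated alias that follows the widget<application_name>Alias syntax from step 1. The following Python audit is an added example, not part of the IBM documentation or product. The sample XML is constructed; the config root element, the defId and remoteHandlerURL attributes, the host name, and the "/" separator after the node name prefix are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not a real deployment's file. Only widgetDef, lifecycle and
# remoteHandlerAuthenticationAlias come from the procedure; the config root,
# defId, remoteHandlerURL and the namespace are assumptions for illustration.
SAMPLE_WIDGET_CONFIG = """\
<config xmlns="urn:example:widgets">
  <widgetDef defId="Activities">
    <lifecycle remoteHandlerURL="https://connections.example.com/activities/handler"
               remoteHandlerAuthenticationAlias="exampleNode01/widgetActivitiesAlias"/>
  </widgetDef>
  <widgetDef defId="Blog">
    <lifecycle remoteHandlerAuthenticationAlias="connectionsAdmin"/>
  </widgetDef>
  <widgetDef defId="Files">
    <lifecycle remoteHandlerAuthenticationAlias="exampleNode01/filesSvc"/>
  </widgetDef>
  <widgetDef defId="Members"/>
</config>
"""

# Naming syntax from step 1: widget<application_name>Alias
ALIAS_SYNTAX = re.compile(r"^widget[A-Za-z0-9]+Alias$")

def local(tag):
    """Strip an XML namespace so the audit works with or without one."""
    return tag.rsplit("}", 1)[-1]

def audit_widget_aliases(xml_text):
    """Return {defId: (alias, status)} for every widgetDef with a lifecycle element."""
    results = {}
    for wdef in ET.fromstring(xml_text).iter():
        if local(wdef.tag) != "widgetDef":
            continue
        for child in wdef:
            if local(child.tag) != "lifecycle":
                continue
            alias = child.get("remoteHandlerAuthenticationAlias", "")
            base = alias.rsplit("/", 1)[-1]  # drop the node name prefix (assumed "/")
            if base == "connectionsAdmin":
                status = "shared"          # still the installer-created system user
            elif ALIAS_SYNTAX.match(base):
                status = "dedicated"       # unique alias with the documented syntax
            else:
                status = "nonconforming"   # missing, or does not follow the syntax
            results[wdef.get("defId")] = (alias, status)
    return results

if __name__ == "__main__":
    for def_id, (alias, status) in sorted(audit_widget_aliases(SAMPLE_WIDGET_CONFIG).items()):
        print("%-12s %-40s %s" % (def_id, alias, status))
```

Entries reported as shared or nonconforming are the ones to compare against the J2C authentication data list in the WAS admin console.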


Parent topic

Manage stored credentials


Related tasks


Install IBM Connections 3.0.1
Configure J2C authentication for Search
Specify different system users for widget life-cycle events
Synchronize LDAP directory changes with Profiles
Change references to administrative credentials
Update the messaging bus configuration when the connectionsAdmin user ID changes
Securing access to seedlist SPIs

Related reference
Roles

