

Enable security with federated repositories

Overview

To use WCS with LDAP configure WAS Administrative Security with Federated Repositories. The WCS Integration Wizard can be used to configure this. The federated repositories consist of one or more LDAP servers and a built-in, file-based repository.

If the federated repository contains only a WebSphere file-based user registry, there are alternate instructions.

Before starting the WebSphere Commerce integration wizard...


Procedure

  1. Open the WCS integration wizard.

      cd $WC_INSTALL/bin/
      ./WCIntegrationWizard.sh

  2. Verify the prerequisites for the wizard and click Next.

  3. Select the WCS instance name, enter and confirm the database password, and click Next.

  4. For the integration task select...

    WebSphere Application Server security with Federated Repositories

  5. Enter the information specific to the LDAP server to configure LDAP as the user repository for the WCS instance.

    The following fields are available, depending on the LDAP server configuration:

    • LDAP type
    • LDAP host name
    • LDAP port
    • Optional: Enable SSL option
    • Truststore file path (Java Key Store format)
    • Truststore password and verification
    • LDAP administrator DN
    • LDAP administrator password and verification
    • WCS root organization DN
    • WCS default organization DN
    • User RDN prefix
    • User object class
    • Organization object class
    • Organizational unit object class

    Each field is described in...

    WC_INSTALL/components/ldap/properties/vmm.properties

    After entering the information specific to the LDAP server, click Next.

  6. Enter the information specific to your LDAP server to configure WAS security for the WCS instance.

    The following fields are available, depending on the LDAP server configuration:

    • Realm name
    • WAS primary administrative user. This user should not exist on the LDAP server or federated repositories.
    • WAS primary administrative user password and verification
    • LDAP base DN
    • LDAP bind DN
    • LDAP bind DN password and verification
    • LDAP user search filter string

    After WAS Administrative Security is enabled, the WAS primary administrative user can log on to the WAS Administrative Console. If WAS Administrative Security is already enabled, specify the existing primary administrative user. If WAS Administrative Security is not currently enabled, specify a user that does not exist in any of the federated repositories (LDAP server or WAS file repository); the wizard creates it in the WAS file repository...

    wasprofile\config\cells\localhost\fileRegistry.xml

    This ensures that the primary administrative user can log on to the WAS Administrative Console, even when the LDAP server is unavailable.

  7. Optional: You can enable application security if it is required. However, it is not a recommended approach due to performance implications.

    To enable application security, select...

    Enable Application Security

    ...and complete the following fields:

    • WCS RunAs ID DN
    • WCS RunAs ID DN password and verification

  8. Click Next and verify the summarized information.

  9. Click Next and Finish to complete the WCS integration wizard.

  10. Verify that the configuration is complete by searching for the "Feature 'ldap' enablement completed successfully." string in the log file:

    • WC_INSTALL/instances/instance/logs/enableldap_timestamp.log

  11. Restart the WAS application servers, the deployment manager (dmgr), and the node agents.


Enable WAS security with Federated Repositories and SSO using the command line

  1. Encrypt your password:

    cd WC_INSTALL/bin
    ./wcs_encrypt.sh db_password

    Add the ASCII encrypted string to the properties file in the following step.

  2. Copy...

    components/ldap/properties/vmm.properties

    ...to...

    WC_installdir/instance_name/properties/vmm.properties

  3. Modify the file as appropriate.

  4. Run the following command:

    config_ant.bat -buildfile WC_installdir/components/common/xml/enableFeature.xml -DinstanceName=instance_name -DfeatureName=ldap -DdbUserPassword=db_password

  5. WebSphere Commerce supports various LDAP server types when enabling WebSphere Application Server security with Federated Repositories.

    The WCIntegrationWizard supports the following LDAP server types:

    IBM Tivoli Directory Server
    Lotus Domino Enterprise Directory Server
    Sun Java System Directory Server
    Windows Active Directory
    Novell eDirectory

    To use another LDAP Version 3 compliant server type, enable it using command line by completing the following steps:

    • Copy...

      components/ldap/properties/vmm.properties

      ...to...

      instance_name/properties/vmm.properties

      ...and modify the file accordingly, for example...

      #-----------------------------------------------------------------
      # Licensed Materials - Property of IBM
      #
      # WebSphere Commerce #
      # (C) Copyright IBM Corp. 2006, 2010 All Rights Reserved.
      #
      # US Government Users Restricted Rights - Use, duplication or
      # disclosure restricted by GSA ADP Schedule Contract with
      # IBM Corp.
      #-----------------------------------------------------------------
      
      # LDAP server type
      #     Accepted values: (IDS, DOMINO, SUNONE, AD, NDS, CUSTOM)
      #         IDS = IBM Directory Server
      #         DOMINO = IBM Lotus Domino
      #         SUNONE = Sun Java System Directory Server
      #         AD = Microsoft Windows Active Directory
      #         NDS = Novell Directory Services
      #         CUSTOM = Custom 
      #--------------------------------------------------------
      vmm.ldapType=IDS
      
      # Fully qualified LDAP server host name
      #--------------------------------------------------------
      vmm.ldapHost=wcinstall08.torolab.ibm.com
      
      # LDAP server port number
      #--------------------------------------------------------
      vmm.ldapPort=389
      
      # Specifies whether the LDAP server requires an SSL connection
      #     Accepted values are: (true, false)
      #--------------------------------------------------------
      vmm.ldapWithSSL=false
      
      # The keystore file path for SSL communication to LDAP
      #--------------------------------------------------------
      vmm.keystorePath=
      
      # The keystore password 
      # (To avoid decrypting warnings in the log, it is strongly recommended to use 
      # the ASCII encrypted string generated from the /bin/wcs_encrypt.bat 
      # command without the merchant key option.)
      #--------------------------------------------------------
      vmm.keystorePassword=
      
      # LDAP search base distinguished name
      #--------------------------------------------------------
      vmm.baseDN=o=root organization
      
      # LDAP administrator distinguished name
      #--------------------------------------------------------
      vmm.ldapAdminDN=cn=root
      
      # LDAP administrator password
      # (To avoid decrypting warnings in the log, it is strongly recommended to use 
      # the ASCII encrypted string generated from the /bin/wcs_encrypt.bat 
      # command without the merchant key option.)
      #--------------------------------------------------------
      vmm.ldapAdminPassword=EaDPFd9VAf0=
      
      # LDAP user search filter
      #--------------------------------------------------------
      vmm.ldapUserFilter=(&(uid=%v)(objectclass=inetOrgPerson))
      
      # LDAP user prefix (for example, uid)
      #--------------------------------------------------------
      vmm.userPrefix=uid
      
      # LDAP organization prefix (for example, o)
      #--------------------------------------------------------
      vmm.orgPrefix=o
      
      # LDAP organizational unit prefix (for example, ou)
      #--------------------------------------------------------
      vmm.orgUnitPrefix=ou
      
      # LDAP user object class (for example,  inetOrgPerson)
      #--------------------------------------------------------
      vmm.userObjClass=inetOrgPerson
      
      # LDAP organization object class
      #  (for example, organization)
      #--------------------------------------------------------
      vmm.orgObjClass=organization
      
      # LDAP organizational unit object class
      # (for example,  organizationalUnit)
      #--------------------------------------------------------
      vmm.orgUnitObjClass=organizationalUnit
      
      # LDAP bind distinguished name
      #--------------------------------------------------------
      vmm.bindDN=cn=root
      
      # LDAP bind password
      # (To avoid decrypting warnings in the log, it is strongly recommended to use 
      # the ASCII encrypted string generated from the /bin/wcs_encrypt.bat 
      # command without the merchant key option.)
      #--------------------------------------------------------
      vmm.bindPassword=EaDPFd9VAf0=
      
      # A full DN that maps to the WebSphere Commerce root organization
      #--------------------------------------------------------
      vmm.rootOrgDN=o=root organization
      
      # A full DN that maps to the WebSphere Commerce default organization
      #--------------------------------------------------------
      vmm.defaultOrgDN=o=wcivtteam,o=root organization
      
      # Specifies the property names to use to log into the application server.
      # This field takes multiple login properties, delimited by a semicolon (;).
      # For example, uid;mail. All login properties are searched during login.
      # If multiple entries or no entries are found, an exception is thrown.
      # For example, if you specify the login properties as uid;mail and the login ID as Bob,
      # the search filter searches for uid=Bob or mail=Bob. When the search returns a single entry,
      # then authentication can proceed. Otherwise, an exception is thrown.
      #--------------------------------------------------------
      vmm.ldapLoginProp=uid;cn
      
      # The realm name, default to WC__Realm.
      #--------------------------------------------------------
      vmm.realmName=myrealm
      
      # The primary admin user id for the administrative security.
      # If global security is already enabled, input the primary user
      # currently using.
      # Otherwise, input a user which does not exist in the federated
      # repositories, the tool will create it into the WebSphere Application
      # Server built-in file base user repository.
      #--------------------------------------------------------
      vmm.primaryAdminId=configadmin
      
      # The primary admin user password for the administrative security.
      # (To avoid decrypting warnings in the log, it is strongly recommended to use 
      # the ASCII encrypted string generated from the /bin/wcs_encrypt.bat 
      # command without the merchant key option.)
      #--------------------------------------------------------
      vmm.primaryAdminPwd=Ua4xMY1lGEqYbwa0gxDxGg==
      
      # Specifies whether to enable application security. (Accepted values are: true / false)
      #--------------------------------------------------------
      vmm.enableAppSecurity=true
      
      
      # The WAS security user ID (The RunAs User ID, only required
      #  when vmm.enableAppSecurity=true )
      #--------------------------------------------------------
      vmm.securityID=cn=rudy,o=wcivtteam,o=root organization
      
      # The WAS security user password (The RunAs user password,
      #  only required when vmm.enableAppSecurity=true)
      # (To avoid decrypting warnings in the log, it is strongly recommended to use 
      # the ASCII encrypted string generated from the /bin/wcs_encrypt.bat 
      # command without the merchant key option.)
      #--------------------------------------------------------
      vmm.securityPwd=xK36ck80s6GCL9+YsULolg==
      

    • Run the following command for LDAP:

      config_ant.bat -buildfile WC_installdir/components/common/xml/enableFeature.xml -DinstanceName=instance_name -DfeatureName=ldap -DdbUserPassword=db_password
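    As an added example (not IBM's code and not part of the original page), a small Python checker that parses a vmm.properties file, for step 3 of the command-line procedure and the CUSTOM server type above, and flags the consistency problems worth catching before enableFeature.xml is run: password fields left in plaintext instead of wcs_encrypt output, SSL enabled without a keystore path, a primary administrative user that is really an LDAP DN, and application security enabled without the RunAs ID. The sample properties are constructed, and the checks are this script's own assumptions, not validation that IBM documents.

```python
import base64
# Constructed sample (not from the page): a vmm.properties with deliberate problems.
SAMPLE = """\
vmm.ldapWithSSL=true
vmm.keystorePath=
vmm.ldapAdminDN=cn=root
vmm.ldapAdminPassword=secret123
vmm.bindDN=cn=root
vmm.bindPassword=EaDPFd9VAf0=
vmm.primaryAdminId=cn=root
vmm.primaryAdminPwd=Ua4xMY1lGEqYbwa0gxDxGg==
vmm.enableAppSecurity=true
vmm.securityID=
vmm.securityPwd=
"""
PASSWORD_KEYS = ("vmm.keystorePassword", "vmm.ldapAdminPassword", "vmm.bindPassword",
                 "vmm.primaryAdminPwd", "vmm.securityPwd")

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def looks_encrypted(value):
    """Heuristic (assumption): wcs_encrypt emits base64, so reject anything that is not valid base64."""
    try:
        return len(value) % 4 == 0 and bool(base64.b64decode(value, validate=True))
    except ValueError:
        return False

def check_vmm(props):
    """Return a list of findings; an empty list means the file passed these checks."""
    findings = []
    for key in PASSWORD_KEYS:
        if props.get(key) and not looks_encrypted(props[key]):
            findings.append(f"{key}: does not look like wcs_encrypt output (plaintext?)")
    if props.get("vmm.ldapWithSSL", "").lower() == "true" and not props.get("vmm.keystorePath"):
        findings.append("vmm.ldapWithSSL=true but vmm.keystorePath is empty")
    admin = props.get("vmm.primaryAdminId", "")
    if "=" in admin or admin in (props.get("vmm.ldapAdminDN"), props.get("vmm.bindDN")):
        findings.append("vmm.primaryAdminId should be a plain ID that does not exist in LDAP")
    if props.get("vmm.enableAppSecurity", "").lower() == "true":
        findings.extend(f"{key}: required when vmm.enableAppSecurity=true"
                        for key in ("vmm.securityID", "vmm.securityPwd") if not props.get(key))
    return findings
```

Run `check_vmm(parse_properties(open("vmm.properties").read()))` against the copied file and resolve every finding before running config_ant.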

