AIX - Enabling step-up authentication and/or the Remember me cookie


Step-up authentication provides authentication levels for pages and portlets.

The Remember me cookie is an encrypted HTTP cookie that allows you to present personalized portlets and pages in a public area without asking the user to authenticate manually.

Together, these two features allow remembered users to view anonymous pages and portlets with a standard or identified authentication level.

By providing a valid Remember me cookie, a user can also be allowed to access protected pages and portlets that require the identified authentication level. If the authentication level is set to authenticated, the user will have to provide a user ID and password to view the page or portlet.

Log on to the WAS console and navigate to...

Security | Secure administration, applications, and infrastructure | Web security | Single sign-on (SSO)

Verify...

...are enabled.

The Remember me cookie does not extend the Portal Personalization feature to the public area because a user identified by the Remember me cookie in a public area is still considered anonymous from an access control point of view.

Step-up authentication is not supported by the WCM authoring portlet or when delivering content using a local or remote Web Content Viewer portlet.

Step-up authentication requires LtpaToken2 for single sign-on.

  1. Choose one of the following configuration options. In the commands below, wasuser, wpsadmin and user_name are placeholders: substitute the WAS administrative user ID and password, the step-up authentication user and the server secret password for your environment.

    Enable both step-up authentication and the Remember me cookie

    This option creates the standard, identified, and authenticated authentication levels.

    To enable step-up authentication and the Remember me cookie:

    1. Edit...

      WP_PROFILE/ConfigEngine/properties/wkplc.properties

    2. In the 'Step-up Authentication and Remember Me Config' properties section, set...

      enable_rememberme=true

    3. Save changes to the wkplc.properties file.

    4. cd WP_PROFILE/ConfigEngine
      ./ConfigEngine.sh enable-stepup-authentication -DWasUserid=wasuser -DWasPassword=wpsadmin -Dsua_user=user_name -Dsua_serversecret_password=wpsadmin

    Enable only step-up authentication

    This option creates the standard and authenticated authentication levels.

    To enable only step-up authentication:

    1. Edit...

      WP_PROFILE/ConfigEngine/properties/wkplc.properties

    2. In the 'Step-up Authentication and Remember Me Config' properties section, set...

      enable_rememberme=false

    3. Save changes to the wkplc.properties file.

    4. cd WP_PROFILE/ConfigEngine
      ./ConfigEngine.sh enable-stepup-authentication -DWasUserid=wasuser -DWasPassword=wpsadmin -Dsua_user=user_name -Dsua_serversecret_password=wpsadmin

    Enable only the Remember me cookie

    cd WP_PROFILE/ConfigEngine
    ./ConfigEngine.sh enable-rememberme -DWasUserid=wasuser -DWasPassword=wpsadmin -Dsua_user=user_name -Dsua_serversecret_password=wpsadmin

    For all three options, the sua_user and sua_serversecret_password parameters can be defined either in the wkplc.properties file or on the command line. If a value is set in both places, the command-line value overrides the value in wkplc.properties. A value passed as a -D argument is visible to other users on the system in the process list while the task runs, and the command is kept in the shell history; defining the server secret password in wkplc.properties, with the file readable only by the user who runs ConfigEngine, avoids that exposure.

  2. Check the output for any error messages before proceeding with any additional tasks. If any of the configuration tasks fail, verify the values in the wkplc.properties file.

  3. To propagate the security changes, restart the servers. adminid and passwd are placeholders for the WAS administrative user ID and password.

    Stand-alone environment:

      cd WP_PROFILE/bin
      ./stopServer.sh server1 -username adminid -password passwd
      ./stopServer.sh WebSphere_Portal -username adminid -password passwd
      ./startServer.sh server1
      ./startServer.sh WebSphere_Portal

    Clustered environment:

      cd dmgr_profile_root/bin
      ./stopManager.sh
      cd WP_PROFILE/bin
      ./stopNode.sh -username adminid -password passwd
      ./stopServer.sh server1 -username adminid -password passwd
      ./stopServer.sh WebSphere_Portal -username adminid -password passwd
      cd dmgr_profile_root/bin
      ./startManager.sh
      cd WP_PROFILE/bin
      ./startNode.sh
      ./startServer.sh server1
      ./startServer.sh WebSphere_Portal

  4. Optional

    To create the identified authentication level:

    1. From the WAS Administrative Console, click Resources > Resource Environment > Resource Environment Providers.

    2. Click WP StepUpConfigService in the table.

    3. Click Custom Properties under Additional Properties.

    4. Click the value for the sua.authLevel.enable property.

    5. Add identified to the Value field so that you have the following: authenticated, identified.

    6. Click Apply.

    7. Click the Save link in the Messages box.

    8. Click Save.

  5. To propagate the security changes, restart the servers again. adminid and passwd are placeholders for the WAS administrative user ID and password.

    Stand-alone environment:

      cd WP_PROFILE/bin
      ./stopServer.sh server1 -username adminid -password passwd
      ./stopServer.sh WebSphere_Portal -username adminid -password passwd
      ./startServer.sh server1
      ./startServer.sh WebSphere_Portal

    Clustered environment:

      cd dmgr_profile_root/bin
      ./stopManager.sh
      cd WP_PROFILE/bin
      ./stopNode.sh -username adminid -password passwd
      ./stopServer.sh server1 -username adminid -password passwd
      ./stopServer.sh WebSphere_Portal -username adminid -password passwd
      cd dmgr_profile_root/bin
      ./startManager.sh
      cd WP_PROFILE/bin
      ./startNode.sh
      ./startServer.sh server1
      ./startServer.sh WebSphere_Portal

  6. To change the authentication level on a page or portlet:

    1. Click Administration.

    2. Click Resource Permissions under Access.

    3. Click either the Pages link or the Portlets link.

    4. Locate the page or portlet you want to change and click the Authentication Level link.

    5. Choose one of the following levels:

      The following Authentication Levels are provided out-of-the-box. If you customized your step-up authentication, you may have different levels.

      Standard

      Set the Authentication Level to Standard if you want both anonymous and identified users to view the page or portlet without logging in.

      Identified (if enabled)

      Set the Authentication Level to Identified if you want anonymous users to log in, while users identified by a valid Remember me cookie can view the page or portlet without logging in. This level is only offered if it was created in step 4.

      Authenticated

      Set the Authentication Level to Authenticated if you want both anonymous and identified users to log in with a user ID and password before they can view the page or portlet.
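The following script is an added example, not IBM's code and not part of this page, that drives the command-line part of the procedure above (step 1's wkplc.properties edit and ConfigEngine task, step 2's output check and step 3's stand-alone restart) so that the properties file is edited idempotently and the task is not treated as done until its output has been checked. It assumes WP_PROFILE is exported, that ConfigEngine ends its output with an Ant-style "BUILD SUCCESSFUL" or "BUILD FAILED" line, that a log directory exists under WP_PROFILE/ConfigEngine, and that the WAS and step-up credentials are supplied in the environment variables WAS_USER, WAS_PASSWORD, SUA_USER and SUA_SECRET; those names and the log path are this script's own choices. The sua_* values are written into wkplc.properties rather than passed as -D arguments, which the page allows, so that only the WAS credentials appear on the command line.

```shell
#!/bin/sh
# Added example (not IBM's code). Assumptions, not stated on the page:
#  - WP_PROFILE is exported and ConfigEngine/log exists under it
#  - ConfigEngine prints an Ant-style "BUILD SUCCESSFUL" / "BUILD FAILED" line
#  - credentials arrive in WAS_USER, WAS_PASSWORD, SUA_USER, SUA_SECRET
#    (names chosen here, not Portal's)

# set_property FILE KEY VALUE: set KEY=VALUE in a Java properties file,
# replacing an existing (possibly commented-out) definition or appending one.
set_property() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    # escape the characters that are special in a sed replacement
    esc=$(printf '%s' "$value" | sed 's/[&|\\]/\\&/g')
    if grep -q "^[#!]*[[:space:]]*$key[[:space:]]*=" "$file"; then
        sed "s|^[#!]*[[:space:]]*$key[[:space:]]*=.*|$key=$esc|" "$file" > "$tmp"
    else
        awk '{ print }' "$file" > "$tmp"   # also restores a missing final newline
        printf '%s=%s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_property FILE KEY: print the effective value of KEY (the last
# uncommented definition wins, as it does for java.util.Properties).
get_property() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# configengine_ok LOG: succeed only if the captured ConfigEngine output reports
# a successful build. This is step 2: check the output before going on.
configengine_ok() {
    grep -q "BUILD SUCCESSFUL" "$1" && ! grep -q "BUILD FAILED" "$1"
}

# run_task TASK: run one ConfigEngine task from WP_PROFILE/ConfigEngine,
# keep its output in a log file and check it. Only the WAS credentials go on
# the command line; sua_user / sua_serversecret_password come from
# wkplc.properties (see enable_stepup).
run_task() {
    task=$1
    log="$WP_PROFILE/ConfigEngine/log/$task.$$.out"   # hypothetical log path
    ( cd "$WP_PROFILE/ConfigEngine" &&
      ./ConfigEngine.sh "$task" -DWasUserid="$WAS_USER" -DWasPassword="$WAS_PASSWORD"
    ) > "$log" 2>&1
    rc=$?
    if [ "$rc" -ne 0 ] || ! configengine_ok "$log"; then
        echo "$task failed (exit $rc); check the values in wkplc.properties, see $log" >&2
        return 1
    fi
    echo "$task completed, output in $log"
}

# enable_stepup MODE: MODE is both, stepup or rememberme, one per option in step 1.
enable_stepup() {
    props="$WP_PROFILE/ConfigEngine/properties/wkplc.properties"
    case $1 in
        both)       set_property "$props" enable_rememberme true;  task=enable-stepup-authentication ;;
        stepup)     set_property "$props" enable_rememberme false; task=enable-stepup-authentication ;;
        rememberme) task=enable-rememberme ;;
        *) echo "usage: $0 --apply both|stepup|rememberme" >&2; return 2 ;;
    esac
    set_property "$props" sua_user "$SUA_USER"
    set_property "$props" sua_serversecret_password "$SUA_SECRET"
    chmod 600 "$props"   # the file now holds a secret: owner-only
    run_task "$task"
}

# restart_standalone: step 3 for a stand-alone environment. A clustered
# environment also stops and starts the deployment manager and node agent.
# Note that -password is still visible in the process list while it runs.
restart_standalone() {
    cd "$WP_PROFILE/bin" || return 1
    ./stopServer.sh server1 -username "$WAS_USER" -password "$WAS_PASSWORD" &&
    ./stopServer.sh WebSphere_Portal -username "$WAS_USER" -password "$WAS_PASSWORD" &&
    ./startServer.sh server1 &&
    ./startServer.sh WebSphere_Portal
}

if [ "${1-}" = "--apply" ]; then
    enable_stepup "$2" && restart_standalone
fi
```

Run it as `./enable-stepup.sh --apply both` after exporting the four variables; without `--apply` the file only defines the functions, which is what makes set_property and configengine_ok easy to exercise against a scratch copy of wkplc.properties before touching the real one.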

 

Parent topic

Securing your environment on AIX

 

Related reference


Step-up authentication properties
Remember me properties