Portal, V6.1

---

 

Configure eTrust SiteMinder to perform authorization

You can configure Computer Associates eTrust SiteMinder to perform authorization independently from configuring it to perform authentication. However, if you use eTrust SiteMinder to perform authorization for IBM WebSphere Portal, you should also use it to perform authentication. Using eTrust SiteMinder to perform only authorization is not supported at this time.

Perform the following steps to configure eTrust SiteMinder for authorization:

1. Optional: In eTrust SiteMinder version 5.5 and higher, the configuration for eTrust SiteMinder Web Agents, including shared secrets, is centrally administered and can be dynamic. You may create a new custom agent to ensure a static shared secret. Follow these steps to create a custom agent in eTrust SiteMinder:

   1. Open the eTrust SiteMinder Administration console.

   2. Select Agent Types from the View > Agent Types menu.

   3. Right-click Agent Types, and select Create Agent Type from the pop-up menu.

   4. Enter a Name and an Action for the new agent type. Other fields are optional.

   5. Click OK.

   6. Select Agents from the View > Agents menu.

   7. Right-click Agent, and select Create Agent to create an agent object of the new agent type.

2. Optional

   Ensure that users are no longer created through WebSphere Portal. If you use eTrust SiteMinder, you probably have a user provisioning process for creating and updating users and groups and administering group membership. You will probably want to continue using that user provisioning process instead of managing your directory through WebSphere Portal. WebSphere Portal creates entries in the directory in two ways:

   • Administrators can create entries with the Manage Users and Groups portlet

   • Users can create entries with the self-registration screen

3. Edit wkplc_comp.properties file:

   Option	Description
   Windows	in WP_PROFILE\ConfigEngine\properties directory
   UNIX	in WP_PROFILE/ConfigEngine/properties directory

4. Enter only the following parameters in the wkplc_comp.properties file under the Namespace management parameters heading:

   1. For wp.ac.impl.EACserverName, type the Namespace context information to further distinguish externalized portal role names from other role names in the namespace.

      If set, wp.ac.impl.EACcellName and wp.ac.impl.EACappname must also be set.

   2. For wp.ac.impl.EACcellName, type the Namespace context information to further distinguish externalized portal role names from other role names in the namespace.

      If set, wp.ac.impl.EACserverName and wp.ac.impl.EACappname must also be set.

   3. For wp.ac.impl.EACappname, type the Namespace context information to further distinguish externalized portal role names from other role names in the namespace.

      If set, wp.ac.impl.EACcellName and wp.ac.impl.EACserver must also be set.

   4. For wp.ac.impl.reorderRoles, type false to keep the role order or true to reorder the roles by resource type first.

5. Enter the following parameters in the wkplc_comp.properties file under the Netegrity SiteMinder heading:

   1. For wp.ac.imp.SMDomain, type the eTrust SiteMinder Domain containing all externalized resources.

   2. For wp.ac.impl.SMScheme, type the eTrust SiteMinder Authentication scheme object name to use when creating realms.

   3. For wp.ac.impl.SMAgent, type the agent name that is created on eTrust SiteMinder for a specific external security manager instance.

   4. For wp.ac.impl.SMAgentPwd, type the password for wp.ac.impl.SMAgent.

   5. For wp.ac.impl.SMadminId, type the administrative user ID that eTrust SiteMinder will use to access the eTrust SiteMinder policy server.

   6. For wp.ac.impl.SMAdminPwd, type the password for wp.ac.impl.SMadminId.

   7. For wp.ac.impl.SMUserDir, type the eTrust SiteMinder User Directory object referencing the LDAP user registry.

   8. For wp.ac.impl.SMFailover, type true if more than one server is listed in wp.ac.impl.SMServers or type false if no additional servers are available for failover.

   9. For wp.ac.impl.SMServers, type a comma-delimited list of servers for the eTrust SiteMinder agent.

6. If any of the policy servers listed in the wp.ac.impl.SMServers parameter are configured to use ports other than the defaults, you can customize the following values for each server listed:

   • ipaddress.accountingPort=44441

   • ipaddress.authenticationPort=44442

   • ipaddress.authorizationPort=44443

   • ipaddress.connectionMax=30

   • ipaddress.connectionMin=10

   • ipaddress.connectionStep=5

   • ipaddress.timeout=60

   Where ipaddress is the specific server IP listed in the wp.ac.impl.SMServers parameter.

7. Save changes to the wkplc_comp.properties file.

8. Run the following task to configure eTrust SiteMinder for authorization:

   Option	Description
   Windows	ConfigEngine.bat enable-sm-authorization -Dwp.ac.impl.SmAgentPw=wpsadmin -Dwp.ac.impl.SmAdminPw=wpsadmin from the WP_PROFILE\ConfigEngine directory
   UNIX	./ConfigEngine.sh enable-sm-authorization -Dwp.ac.impl.SmAgentPw=wpsadmin -Dwp.ac.impl.SmAdminPw=wpsadmin from the... WP_PROFILE/ConfigEngine ...directory

9. To stop and restart the server1 and WebSphere_Portal servers:

   1. Open a command prompt and change to the following directory:

      • Windows: WP_PROFILE\bin

      • UNIX: WP_PROFILE/bin

   2. Stop the WAS:

      • Windows: stopServer.bat server1 -username adminid -password passwd

      • UNIX: ./stopServer.sh server1 -username adminid -password passwd

   3. Stop the WebSphere_Portal server:

      • Windows: stopServer.bat WebSphere_Portal -username adminid -password passwd

      • UNIX: ./stopServer.sh WebSphere_Portal -username adminid -password passwd

   4. Start the WAS:

      • Windows: startServer.bat server1

      • UNIX: ./startServer.sh server1

   5. Start the WebSphere_Portal server:

      • Windows: startServer.bat WebSphere_Portal

      • UNIX: ./startServer.sh WebSphere_Portal

10. If users other than the administrator are allowed to externalize resources, add those users to the eTrust SiteMinder realm representing the Administrator of EXTERNAL_ACCESS_CONTROL.

11. Perform the following steps from the Resource Permissions portlet:

    1. Select a resource type.

    2. Click the Assign Access icon for the specific resource.

    3. Click the Edit Role icon for a role that you want to externalize.

    4. Click Add to explicitly assign at least one user or group to your chosen role for the resource.

    5. Select the specific users or user groups by clicking on Search for Users or User Groups or clicking on the pull down for the Search by option where the default is set to All available. Click OK.

    6. An informational message box should display the message that members were successfully added to the role.

    7. Optional

       Explicitly assign additional roles. If you do not assign at least one user or group to each role type for the resource use the external security manager interface to create this role type later. For example, if you do not assign any users or groups to the Editor role type for the resource, then use the external security manager interface to create the Editor role type later.

    8. Click the Externalize icon for the resource. These steps move every role that is defined for each resource you assigned to the eTrust SiteMinder Policy Domain. One policy is defined for each externalized role.

12. Add users and groups to the eTrust SiteMinder policies corresponding to the appropriate roles.

 

Parent topic

Configure eTrust SiteMinder

---