
Portal, V6.1



i5/OS - Enabling step-up authentication and/or the Remember me cookie

Step-up authentication provides authentication levels for pages and portlets. The Remember me cookie is an encrypted HTTP cookie that supports state-of-the-art authentication, which allows you to present personalized portlets and pages in a public area without asking the user to authenticate manually. Together, these two features allow remembered users to view anonymous pages and portlets with a standard or identified authentication level. By providing a valid Remember me cookie, a user can also be allowed to access protected pages and portlets that require the identified authentication level. If the authentication level is set to authenticated, the user must provide a user ID and password to view the page or portlet.

Before you begin, log on to the IBM WebSphere Application Server Administrative Console and navigate to Security > Secure administration, applications, and infrastructure > Web security > Single sign-on (SSO). Verify that both Interoperability Mode and Web inbound security attribute propagation are enabled.

The Remember me cookie does not extend the Portal Personalization feature to the public area, because a user identified by the Remember me cookie in a public area is still considered anonymous from an access control point of view.

Step-up authentication is not supported by the Web Content authoring portlet or when delivering content using a local or remote Web Content Viewer portlet.

Step-up authentication requires the LtpaToken2 for single sign-on; see Implementing single sign-on to minimize Web user authentications for details.

To enable step-up authentication and/or the Remember me cookie:

  1. Choose one of the following configuration options:

    Option 1: Enable both step-up authentication and the Remember me cookie

    This option creates the standard, identified, and authenticated authentication levels.

    To enable step-up authentication and the Remember me cookie:

    1. Edit wkplc.properties located in WP_PROFILE/ConfigEngine/properties.

    2. Set enable_rememberme to true in the 'Step-up Authentication and Remember Me Config' properties section.

    3. Save changes to the wkplc.properties file.

    4. From the WP_PROFILE/ConfigEngine directory, run:

       ConfigEngine.sh enable-stepup-authentication -DWasUserid=wasuser -DWasPassword=wpsadmin -Dsua_user=user_name -Dsua_serversecret_password=wpsadmin

    Option 2: Enable only step-up authentication

    This option creates the standard and authenticated authentication levels.

    To enable only step-up authentication:

    1. Edit wkplc.properties located in WP_PROFILE/ConfigEngine/properties.

    2. Set enable_rememberme to false in the 'Step-up Authentication and Remember Me Config' properties section.

    3. Save changes to the wkplc.properties file.

    4. From the WP_PROFILE/ConfigEngine directory, run:

       ConfigEngine.sh enable-stepup-authentication -DWasUserid=wasuser -DWasPassword=wpsadmin -Dsua_user=user_name -Dsua_serversecret_password=wpsadmin

    Option 3: Enable only the Remember me cookie

    From the WP_PROFILE/ConfigEngine directory, run:

       ConfigEngine.sh enable-rememberme -DWasUserid=wasuser -DWasPassword=wpsadmin -Dsua_user=user_name -Dsua_serversecret_password=wpsadmin

    For all three options, you can define the sua_user and sua_serversecret_password parameters either in the wkplc.properties file or on the command line. If you enter the values both in the properties file and on the command line, the values entered on the command line overwrite the values in the wkplc.properties file.

  2. Check the output for any error messages before proceeding with any additional tasks. If any of the configuration tasks fail, verify the values in the wkplc.properties file.

  3. To propagate the security changes, stop and restart the servers for your environment:

    Stand-alone environment:

       cd WP_PROFILE/bin
       ./stopServer.sh server1 -username adminid -password passwd
       ./stopServer.sh WebSphere_Portal -username adminid -password passwd
       ./startServer.sh server1
       ./startServer.sh WebSphere_Portal

    Clustered environment:

       cd dmgr_profile_root/bin
       ./stopManager.sh
       cd WP_PROFILE/bin
       ./stopNode.sh -username adminid -password passwd
       ./stopServer.sh server1 -username adminid -password passwd
       ./stopServer.sh WebSphere_Portal -username adminid -password passwd
       cd dmgr_profile_root/bin
       ./startManager.sh
       cd WP_PROFILE/bin
       ./startNode.sh
       ./startServer.sh server1
       ./startServer.sh WebSphere_Portal

  4. Optional

    To create the identified authentication level:

    1. From the WAS Administrative Console, click Resources > Resource Environment > Resource Environment Providers.

    2. Click WP StepUpConfigService in the table.

    3. Click Custom Properties under Additional Properties.

    4. Click the value for the sua.authLevel.enable property.

    5. Add identified to the Value field so that you have the following: authenticated, identified.

    6. Click Apply.

    7. Click the Save link in the Messages box.

    8. Click Save.

  5. To propagate the security changes, stop and restart the servers again, using the stand-alone or clustered command sequence from step 3.

  6. To change the authentication level on a page or portlet:

    1. Click Administration.

    2. Click Resource Permissions under Access.

    3. Click either the Pages link or the Portlets link.

    4. Locate the page or portlet you want to change and click the Authentication Level link.

    5. Choose one of the following levels:

      The following Authentication Levels are provided out-of-the-box. If you customized your step-up authentication, you may have different levels.

      Standard

      Set the Authentication Level to Standard if you want anonymous and identified users to view the page or portlet.

      Identified (if enabled)

      Set the Authentication Level to Identified if you want anonymous users to log in and identified users to view the page or portlet.

      Authenticated

      Set the Authentication Level to Authenticated if you want both anonymous and identified users to log in before viewing the page or portlet.
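The following model, an added example that is not IBM code, captures two rules from this page: command-line -D values overwrite wkplc.properties values, and which user states (anonymous, identified by a valid Remember me cookie, authenticated) may view a page at each authentication level. The property values and command line are constructed for illustration.

```python
"""Access-decision model for step-up authentication levels (added example)."""

# Constructed excerpt of the 'Step-up Authentication and Remember Me Config'
# section of wkplc.properties, plus a constructed ConfigEngine command line.
WKPLC_PROPERTIES = """\
# Step-up Authentication and Remember Me Config
enable_rememberme=true
sua_user=portaluser
sua_serversecret_password=from_properties_file
"""
COMMAND_LINE = ["-DWasUserid=wasuser", "-Dsua_serversecret_password=from_cli"]


def parse_properties(text):
    """Minimal key=value parser; comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def effective_config(properties_text, argv):
    """Values given as -Dkey=value on the command line overwrite the file."""
    cfg = parse_properties(properties_text)
    for arg in argv:
        if arg.startswith("-D") and "=" in arg:
            key, _, value = arg[2:].partition("=")
            cfg[key] = value
    return cfg


# Ordering of user states: a higher state satisfies every lower level.
RANK = {"anonymous": 0, "identified": 1, "authenticated": 2}
REQUIRED = {"standard": "anonymous", "identified": "identified",
            "authenticated": "authenticated"}


def decide(user_state, page_level, cfg):
    """Return 'view' or 'login' for a user state against a page's level."""
    # Without the Remember me cookie there are no identified users: a visitor
    # presenting a cookie is still anonymous for access control purposes.
    if cfg.get("enable_rememberme") != "true" and user_state == "identified":
        user_state = "anonymous"
    needed = REQUIRED[page_level]
    return "view" if RANK[user_state] >= RANK[needed] else "login"
```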

Parent topic: Securing your environment on i5/OS

Related reference: Step-up authentication properties; Remember me properties