Security options


Overview

Security is enabled by default for the WAS dmgr; WebSphere Portal will not attempt to change the security settings in the dmgr cell when a node is federated. Any existing security configuration of a stand-alone WebSphere Portal is replaced with the security settings of the dmgr cell when it joins that cell. If you remove the node from the dmgr cell, the original security settings are reinstated.


Default security settings

The default security enabled on dmgr profiles and WebSphere Portal profiles at installation is Virtual Member Manager (VMM) federated security with a single file-based repository configured. If you plan to add the standalone node to a dmgr cell, there is no need to modify this default security setting on a WebSphere Portal node whose purpose is to join a dmgr cell and run as part of a cluster. During federation, the standalone environment security settings are replaced with the dmgr security settings. The original standalone environment security settings are preserved and are restored if you remove the node from the cluster. If administrative security is disabled during installation of the dmgr or is disabled after the dmgr is installed, it must be enabled before you run the security configuration tasks on the WebSphere Portal cluster members.


Security options for a cluster

For the cluster, you can use:

VMM security options...

...or you can use standalone LDAP security.

WebSphere Portal provides a number of security tasks, which can be used to modify the WAS security settings and make the required updates to the WebSphere Portal configuration in a single step. As soon as a WebSphere Portal node is federated into a dmgr cell, all executed WebSphere Portal security tasks will update the security configuration on the dmgr cell. Run security tasks after federating the WebSphere Portal node because the Deployment Manager cell does not contain the configuration resources required to run the security tasks.

Configure security before configuring additional nodes. If you need to update the security configuration after you have created the clustered environment, you will need to run an additional task to update the security settings on the secondary nodes.

IBM recommends against using the file-based repository in a production environment because updates are possible only through the WAS administrative console, not through portal user management. These updates are sent to each node in the cell using dmgr file synchronization, which can be time-consuming for large volumes of users and groups. Also, synchronization does not occur at the same time for all nodes in a cell, so there are time windows when the nodes in the cell have differing security definitions. Another reason the file-based repository is not recommended in a production environment is that the Users and Groups portlet is not available. You must remove the file-based repository and replace it with a stand-alone LDAP user registry or a federated LDAP user registry to have access to the Users and Groups portlet.


Parent

Cluster considerations


Related tasks

Enable LDAP security after cluster creation

 

