
Switch to unique administrator IDs for system level communication

Create extra J2C authentication aliases and remap the roles.

This task is optional. Complete this task only to map a different user ID to the system-level roles for one or more Connections applications.

When you install Connections, the installation wizard prompts you to provide credentials for a user account for application-to-application communication. The installation wizard also creates a J2C authentication alias called connectionsAdmin. This alias is associated with the new user account and maps that account to a set of application roles. To map these roles to different system user accounts, create extra J2C authentication aliases and remap the roles.

The connectionsAdmin is mapped to roles that carry out the following tasks:

  • dsx-admin: Used by the Profiles and Communities applications to retrieve user or community data. When other applications need user or community data, they use the connectionsAdmin user to authenticate with Profiles and Communities and then request the data from Profiles and Communities.
  • search-admin: Used by all applications to control which user IDs can query seedlist information. The seedlist data is used to create the global index. The Search application uses the connectionsAdmin user ID to authenticate with the other applications and queries them on a scheduled basis to update the index.
  • widget-admin: Used by applications, such as Activities, Blogs, Files, and Wikis, that make widgets available within the Communities application. Users that are assigned to this role can run administrative commands on managed applications. The Communities application uses the connectionsAdmin user ID to authenticate with the other applications and then passes the requests to them.

The connectionsAdmin user is also used by the Home page application to secure the messaging bus connection.

The connectionsAdmin does not represent the administrative user of an application; it represents a system-level user for application to application communication. To map a different user ID to one of the default roles:

  1. Complete either set of the following substeps:

    • Specify a different system-level user ID for the dsx-admin, search-admin, or widget-admin roles:

      1. From the IBM WAS console, expand...

          Security | Global security | Authentication area | Java Authentication and Authorization Service | J2C authentication data

      2. Enter an alias name, user ID, and password.

        • dsx-admin: If you use single sign-on, specify a user ID that is present in the corporate directory, and not only in WebSphere Identity Manager.
        • search-admin: Specify an alias name with the syntax search<application_name>Alias, where application_name is the name of the application for which to create the alias. For example: searchBlogsAlias.
        • widget-admin: Specify an alias name with the syntax widget<application_name>Alias, where application_name is the name of the application for which to create the alias. For example: widgetActivitiesAlias.

      3. Click OK and then click Save.

      4. Repeat steps c to d for each new role to create.

      5. Save the changes.

    • Specify a different system-level user ID for the connectionsBus role:

      1. From the WAS console, select...

      2. Click the bus to which to map a different user ID.

        All Connections buses have names that begin with Connections.

      3. Click...

          Security | bus connector role | Users and groups

      4. Delete the existing user ID by selecting the check box next to the user ID and clicking Delete.

      5. To add the new user ID, click New, select User name, and then type the name of the new user ID.

      6. Click OK.

      7. Repeat steps b to f for each bus.

      8. Save the changes.

  2. Map the user in the alias to the role:

    For Activities, also map the account that you are mapping to the widget-admin role to the person role.

    1. From the WAS console, expand...

        Applications | Application Types | WebSphere enterprise applications | application | Security role to user/group mapping

      Find the role that you created in the Role column and then click...

        Map users or Map groups

    2. In the Search String box, type the name of the user or group you would like to assign to this role and then click Search.

      If the user or group exists in the directory, it is displayed in the Available list.

    3. Select the user or group name from the Available box and then move it into the Selected column.

    4. Repeat steps i and j to add extra users or groups.

    5. Repeat steps f through k to define access levels and assign people to any other aliases that you created.

    6. Click OK.

    7. Click OK and then click Save to save the changes.

  3. (widget-admin role only) Edit the widget-config.xml file for each application that is affected:

    Check out each file by using wsadmin.sh and the Jython script interpreter.

    1. From the profile_root\config\cells\cellName\LotusConnections-config directory, open the widget-config.xml file in a text editor.

    2. Change the remoteHandlerAuthenticationAlias attribute in the lifecycle element for the widgetDef (widget definition) that corresponds to the application. Replace the current value with the name of the alias that you created. Include the full name of the alias, including the node name prefix, if it is present.

    3. Repeat the previous step for each application for which you defined a new alias.

    4. Save the widget-config.xml file.

  4. (dsx-admin role only) Update the value of the corresponding attributes in LotusConnections-config.xml.

    To do so, start the wsadmin client, and then complete the following steps:

    1. Access the Connections configuration file:

        execfile("connectionsConfig.py")
        LCConfigService.checkOutConfig("/tmp","cell_name")

      To determine the cell name, run: print AdminControl.getCell()

    2. Update the alias information:

        LCConfigService.updateConfig("profiles.directory.service.extension.enabled", "true")

    3. Open the LotusConnections-config.xml file in a text editor and add the following values to the <sloc:serviceReference serviceName="directory"> element:

      <sloc:serviceReference serviceName="directory" communities_directory_service_extension_auth_alias="<alias_you_created>" communities_directory_service_extension_enabled="true" profiles_directory_service_extension_auth_alias="<alias_you_created>" />

      where alias_you_created is the alias you created in Step 1.

    4. Check in the configuration files during the same wsadmin session in which you checked them out. See Applying common configuration property changes.

  5. Restart the application servers that host the applications for which you created user roles.
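
A post-change check for steps 3 and 4, added here as an example and not part of the product documentation or tooling: it parses copies of widget-config.xml and LotusConnections-config.xml and reports entries that still rely on connectionsAdmin or that ignore the widget<application_name>Alias naming. The sample XML, its namespaces, the defId attribute, the nodeName/ prefix form, and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

DEFAULT_ALIAS = "connectionsAdmin"
DIRECTORY_ATTRS = ("communities_directory_service_extension_auth_alias",
                   "profiles_directory_service_extension_auth_alias")

def local(tag):
    """Strip the XML namespace so the check does not depend on the schema URI."""
    return tag.rsplit("}", 1)[-1]

def bare(alias):
    """Drop an optional node name prefix (assumed form: nodeName/aliasName)."""
    return alias.rsplit("/", 1)[-1]

def audit_widget_config(xml_text):
    """Map widgetDef id -> alias where the alias is default or not widget<application_name>Alias."""
    findings = {}
    root = ET.fromstring(xml_text)
    for wdef in (e for e in root.iter() if local(e.tag) == "widgetDef"):
        for el in wdef.iter():
            alias = el.get("remoteHandlerAuthenticationAlias")
            if local(el.tag) != "lifecycle" or alias is None:
                continue
            if bare(alias) == DEFAULT_ALIAS or not re.fullmatch(r"widget\w+Alias", bare(alias)):
                findings[wdef.get("defId", "?")] = alias  # defId: assumed id attribute
    return findings

def audit_directory_ref(xml_text):
    """List alias attributes on the directory serviceReference that are absent or default."""
    problems = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "serviceReference" and el.get("serviceName") == "directory":
            problems += [a for a in DIRECTORY_ATTRS
                         if bare(el.get(a, DEFAULT_ALIAS)) == DEFAULT_ALIAS]
    return problems

# Constructed sample input; namespaces and surrounding elements are placeholders.
SAMPLE_WIDGETS = """<config xmlns="urn:example:widgets">
  <widgetDef defId="Activities"><lifecycle remoteHandlerAuthenticationAlias="node01/widgetActivitiesAlias"/></widgetDef>
  <widgetDef defId="Blog"><lifecycle remoteHandlerAuthenticationAlias="connectionsAdmin"/></widgetDef>
</config>"""
SAMPLE_LCC = """<config xmlns:sloc="urn:example:sloc">
  <sloc:serviceReference serviceName="directory" communities_directory_service_extension_enabled="true"
      communities_directory_service_extension_auth_alias="dsxAlias"/>
</config>"""

if __name__ == "__main__":
    print(audit_widget_config(SAMPLE_WIDGETS), audit_directory_ref(SAMPLE_LCC))
```

Run it against the checked-out copies before check-in; an empty dictionary and an empty list mean no audited entry still points at connectionsAdmin.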

