Enable security with federated repositories

Administer > Manage instances > WCS instance > Configure directory services (LDAP) with WCS

Enable security with federated repositories

Overview

To use WCS with LDAP configure WAS Administrative Security with Federated Repositories. The WCS Integration Wizard can be used to configure this. The federated repositories consist of one or more LDAP servers and a built-in, file-based repository.
If the federated repository contains only a WebSphere file-based user registry, there are alternate instructions
Before starting the WebSphere Commerce integration wizard...

Verify the WAS administrative server is running.

If the WCS Server is managed by a WAS dmgr, make sure the following are started:

dmgr server
node agent on local WCS machine.
WCS appserver on the local WCS machine.

Verify the database is started.

If WAS security has already been enabled using an Operating System registry, you should disable WAS security.

If you are planning to setup WCS to connect with multiple LDAP servers, understand the sample configuration steps in Federate two LDAP servers with a common root organization.

Procedure

Open the WCS integration wizard.

cd $WC_INSTALL/bin/
./WCIntegrationWizard.sh

Verify the prerequisites for the wizard and click Next.

Select the WCS instance name, enter and confirm the database password, and click Next.

For the integration task select...

WebSphere Application Server security with Federated Repositories

Enter the information specific to the LDAP server to configure LDAP as the user repository for the WCS instance.
The following fields are available, depending on the LDAP server configuration:

LDAP type
LDAP host name
LDAP port
Optional: Enable SSL option
Truststore file path (Java Key Store format)
Truststore password and verification
LDAP administrator DN
LDAP administrator password and verification
WCS root organization DN
WCS default organization DN
User RDN prefix
User object class
Organization object class
Organizational unit object class

Each field is described in...

WC_INSTALL/components/ldap/properties/vmm.properties

After entering the information specific to the LDAP server, click Next.

Enter the information specific to your LDAP server to configure WAS security for the WCS instance.
The following fields are available, depending on the LDAP server configuration:

Realm name
WAS primary administrative user. This user should not exist on the LDAP server or federated repositories. p>
WAS primary administrative user password and verification
LDAP base DN
LDAP bind DN
LDAP bind DN password and verification
LDAP user search filter string

After WAS Administrative Security is enabled, WAS primary administrative user can log on to the WAS Administrative Console. If WAS Administrative Security is already enabled, specify the existing primary administrative user. If WAS Administrative Security is not currently enabled, specify a user that does not exist in any of the federated repositories (LDAP server or WAS file repository) to create it in the WAS file repository...

wasprofile\config\cells\localhost\fileRegistry.xml

This ensures that the primary administrative user can log on to the WAS Administrative Console, even when the LDAP server is unavailable.

Optional: You can enable application security if it is required. However, it is not a recommended approach due to performance implications.
To enable application security, select...

Enable Application Security

...and complete the following fields:

WCS RunAs ID DN
WCS RunAs ID DN password and verification

Click Next and verify the summarized information.

Click Next and Finish to complete the WCS integration wizard.

Verify that the configuration is complete by searching for the "Feature 'ldap' enablement completed successfully." string in the log file:

WC_INSTALL/instances/instance/logs/enableldap_timestamp.log

Restart WAS appservers, dmgr, and node agents

Enable WAS security with Federated Repositories and SSO using the command line
Encrypt your password:

cd WC_INSTALL/bin
./wcs_encrypt.sh db_password
Add the ASCII encrypted string to properties file in the following step.

Copy...

components/ldap/properties/vmm.properties

...to...

WC_installdir/instance_name/properties/vmm.properties

Modify the file as appropriate.

Run the following command:

config_ant.bat -buildfile WC_installdir/components/common/xml/enableFeature.xml -DinstanceName=instance_name -DfeatureName=ldap -DdbUserPassword=db_password
WebSphere Commerce supports various LDAP server types when enabling WebSphere Application Server security with Federated Repositories.
The WCIntegrationWizard supports the following LDAP server types:

IBM Tivoli Directory Server
Lotus Domino Enterprise Directory Server
Sun Java System Directory Server
Windows Active Directory
Novell eDirectory

To use another LDAP Version 3 compliant server type, enable it using command line by completing the following steps:
Copy...

components/ldap/properties/vmm.properties

...to...

instance_name/properties/vmm.properties

...and modify the file accordingly, for example...
#-----------------------------------------------------------------
# Licensed Materials - Property of IBM
#
# WebSphere Commerce #
# (C) Copyright IBM Corp. 2006, 2010 All Rights Reserved.
#
# US Government Users Restricted Rights - Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with
# IBM Corp.
#-----------------------------------------------------------------

# LDAP server type
#     Accepted values: (IDS, DOMINO, SUNONE, AD, NDS, CUSTOM)
#         IDS = IBM Directory Server
#         DOMINO = IBM Lotus Domino
#         SUNONE = Sun Java System Directory Server
#         AD = Microsoft Windows Active Directory
#         NDS = Novell Directory Services
#         CUSTOM = Custom 
#--------------------------------------------------------
vmm.ldapType=IDS

# Fully qualified LDAP server host name
#--------------------------------------------------------
vmm.ldapHost=wcinstall08.torolab.ibm.com

# LDAP server port number
#--------------------------------------------------------
vmm.ldapPort=389

# Specifies whether the LDAP server requires an SSL connection
# 	Accepted values are: (true, false)
#--------------------------------------------------------
vmm.ldapWithSSL=false

# The keystore file path for SSL commnication to LDAP
#--------------------------------------------------------
vmm.keystorePath=

# The keystore password 
# (To avoid decrypting warnings in the log, it is strongly recommended to use 
# the ASCII encrypted string generated from the /bin/wcs_encrypt.bat 
# command without the merchant key option.)
#--------------------------------------------------------
vmm.keystorePassword=

# LDAP search base distinguished name
#--------------------------------------------------------
vmm.baseDN=o=root organization

# LDAP administrator distinguished name
#--------------------------------------------------------
vmm.ldapAdminDN=cn=root

# LDAP administrator password
# (To avoid decrypting warnings in the log, it is strongly recommended to use 
# the ASCII encrypted string generated from the /bin/wcs_encrypt.bat 
# command without the merchant key option.)
#--------------------------------------------------------
vmm.ldapAdminPassword=EaDPFd9VAf0=

# LDAP user search filter
#--------------------------------------------------------
vmm.ldapUserFilter=(&(uid=%v)(objectclass=inetOrgPerson))

# LDAP user prefix (for example, uid)
#--------------------------------------------------------
vmm.userPrefix=uid

# LDAP organization prefix (for example, o)
#--------------------------------------------------------
vmm.orgPrefix=o

# LDAP organizational unit prefix (for example, ou)
#--------------------------------------------------------
vmm.orgUnitPrefix=ou

# LDAP user object class (for example,  inetOrgPerson)
#--------------------------------------------------------
vmm.userObjClass=inetOrgPerson

# LDAP organization object class
#  (for example, organization)
#--------------------------------------------------------
vmm.orgObjClass=organization

# LDAP organizational unit object class
# (for example,  organizationalUnit)
#--------------------------------------------------------
vmm.orgUnitObjClass=organizationalUnit

# LDAP bind distinguished name
#--------------------------------------------------------
vmm.bindDN=cn=root

# LDAP bind password
# (To avoid decrypting warnings in the log, it is strongly recommended to use 
# the ASCII encrypted string generated from the /bin/wcs_encrypt.bat 
# command without the merchant key option.)
#--------------------------------------------------------
vmm.bindPassword=EaDPFd9VAf0=

# A full DN that maps to the WebSphere Commerce root organization
#--------------------------------------------------------
vmm.rootOrgDN=o=root organization

# A full DN that maps to the WebSphere Commerce default organization
#--------------------------------------------------------
vmm.defaultOrgDN=o=wcivtteam,o=root organization

# Specifies the property names to use to log into the application server.
# This field takes multiple login properties, delimited by a semicolon (;).
# For example, uid;mail. All login properties are searched during login.
# If multiple entries or no entries are found, an exception is thrown.
# For example, if you specify the login properties as uid;mail and the login ID as Bob,
# the search filter searches for uid=Bob or mail=Bob. When the search returns a single entry,
# then authentication can proceed. Otherwise, an exception is thrown.
#--------------------------------------------------------
vmm.ldapLoginProp=uid;cn

# The realm name, default to WC__Realm.
#--------------------------------------------------------
vmm.realmName=myrealm

# The primary admin user id for the administrative security.
# If global security is already enabled, input the primary user
# currently using.
# Otherwise, input a user which does not exist in the federated
# repositories, the tool will create it into the WebSphere Application
# Server built-in file base user repository.
#--------------------------------------------------------
vmm.primaryAdminId=configadmin

# The primary admin user password for the administrative security.
# (To avoid decrypting warnings in the log, it is strongly recommended to use 
# the ASCII encrypted string generated from the /bin/wcs_encrypt.bat 
# command without the merchant key option.)
#--------------------------------------------------------
vmm.primaryAdminPwd=Ua4xMY1lGEqYbwa0gxDxGg==

# Specifies whether to enable application security. (Accepted values are: true / false)
#--------------------------------------------------------
vmm.enableAppSecurity=true


# The WAS security user ID (The RunAs User ID, only required
#  when vmm.enableAppSecurity=true )
#--------------------------------------------------------
vmm.securityID=cn=rudy,o=wcivtteam,o=root organization

# The WAS security user password (The RunAs user password,
#  only required when vmm.enableAppSecurity=true)
# (To avoid decrypting warnings in the log, it is strongly recommended to use 
# the ASCII encrypted string generated from the /bin/wcs_encrypt.bat 
# command without the merchant key option.)
#--------------------------------------------------------
vmm.securityPwd=xK36ck80s6GCL9+YsULolg==
Run the following command for LDAP:

config_ant.bat -buildfile WC_installdir/components/common/xml/enableFeature.xml -DinstanceName=instance_name -DfeatureName=ldap -DdbUserPassword=db_password
Previous topic: Set up LDAP over SSL

Next topic: Replication for LDAP

+
Search Tips | Advanced Search