WebSphere Portal - Active Directory (AD)

 


Contents

  1. Overview
  2. Install Active Directory
  3. Configure WebSphere Portal for Active Directory
  4. Verify Active Directory LDAP

 


Overview

 

Active Directory structure

LDAP suffix         dc=yourco,dc=com
user prefix         cn
user suffix         cn=users
group prefix        cn
group suffix        cn=users
Portal admin DN     cn=wpsadmin,cn=users,dc=yourco,dc=com
Portal admin group  cn=wpsadmins,cn=users,dc=yourco,dc=com

 

Active Directory and SSL

Active Directory only accepts password writes (the unicodePwd attribute) over an encrypted connection. If we set up WebSphere Portal with AD as the user registry without LDAP over SSL, the passwords entered during sign-up or user creation are therefore not set, and we would have to reset them manually in AD. Even so, it is recommended to get plain LDAP (non-SSL) working first and only then move to LDAP over SSL: this confirms that the directory, the bind account and the search bases are correct before certificates enter the picture.

SSL adds complexity because certificates and the related trust stores have to be managed, and it adds latency to every bind and search. If we do configure SSL between Portal and AD, record baseline performance metrics first, for example how long a logon takes with plain LDAP versus LDAP over SSL.

 

IBM Web Administration for iSeries

The instructions below demonstrate the use of command-line utilities to configure WebSphere Portal with Active Directory. Note that we can alternately use the Create WebSphere Portal wizard that is part of IBM Web Administration for iSeries to configure Active Directory with WebSphere Portal. The IBM Web Administration for iSeries tool runs in a web browser, and allows one to...

 


Install Active Directory

Active Directory (AD) should be installed and configured before we install WebSphere Portal. AD is included with the Windows 2000 Server operating system.

  1. See the WebSphere Portal requirements for supported versions of AD.

  2. Install Windows 2000 Server

  3. Install Windows 2000 Service Pack 2 or 3.

  4. Review AD documentation

To enable SSL, perform the following additional configuration...

  1. Install Internet Information Services...

    Control Panel | Add/Remove Programs | Add/Remove Windows Components | Internet Information Services (IIS) | Next

  2. Install Certificate Services...

    Control Panel | Add/Remove Programs | Add/Remove Windows Components | Certificate Services | Next | Stand-alone root CA | Next

  3. If 128-bit encryption is required, install the Windows 2000 High Encryption Pack

 


Configure WebSphere Portal for AD

 

Create the portal administrator user in AD

If the wpsadmin user does not already exist in the directory, create it:

  1. Use the Windows administrative tools to create a new user: wpsadmin

  2. Set the password for the wpsadmin user.

  3. Activate the wpsadmin user account using the Windows administrative tools.

 

Add preferredLanguage attribute to AD schema

The preferredLanguage attribute must be added to the AD schema before WebSphere Portal can create and modify portal users. Schema changes apply to the whole forest and cannot be undone (an attribute can only be deactivated, never deleted), so perform them on the schema master as a member of the Schema Admins group, and test them in a lab forest first.

  1. If the Windows 2000 Support Tool is not installed, install it from the directory...

    \SUPPORT\TOOLS

    ...on the Windows 2000 Setup CD.

  2. Register Schmmgmt.dll before you access the Active Directory Schema snap-in. At the command prompt, type...

    regsvr32 schmmgmt.dll

  3. Add the Active Directory Schema Snap-in using the following steps:

    1. From the Windows Start Menu...

      Programs | Windows 2000 Support Tools | Security Administration Tools

      You can also access the tool by clicking Start | Run, and then typing mmc.

    2. From the console, select Add/Remove Snap-in

    3. From the Standalone tab, click Add.

    4. Select Active Directory Schema from the list of Available Standalone Snap-ins.

    5. Click Add to add the snap-in to the console.

  4. Configure the Active Directory Schema Snap-in using the following steps:

    1. From the Security Administration Tools console, right-click on Active Directory Schema and select Operations Master.

    2. Select "The Schema may be modified on this Domain Controller", and click OK to save this change.

  5. Create the preferredLanguage attribute

    1. From the Security Administration Tools console, expand Active Directory Schema | Attributes.

    2. Right-click on Attributes, and select Create Attribute.

    3. Click Continue to access the new attribute properties.

    4. Enter the following values in Create New Attribute:

      Field                  Value
      Common Name            preferredLanguage
      LDAP Display Name      preferredLanguage
      Unique X500 Object ID  2.16.840.1.113730.1.39
      Syntax                 Case Insensitive String

    5. Click OK to create the preferredLanguage attribute.

  6. Add the preferredLanguage attribute to the user object class using the following steps:

    1. From the Security Administration Tools console, expand...

      AD Schema | Classes

    2. Double-click on user to open the user properties.

    3. Select the Attributes tab.

    4. In the Optional section, click on Add to add a new schema object.

    5. Select preferredLanguage from the list of objects, and click OK to add this object.

  7. Add the preferredLanguage mapping to the Member Manager XML file using the following steps:

    1. cd to...

      $WP_ROOT/PortalServer/config/templates/wmm

      ...and edit...

      wmmLDAPAttributes_ACTIVE_DIRECTORY.xml

    2. Add the following attribute map tag:

          <attributeMap    wmmAttributeName="preferredLanguage"
                           pluginAttributeName="preferredLanguage"
                           applicableMemberTypes="Person"
                           dataType="String"
                           valueLength="128"
                           multiValued="false" />

    3. Save and close the text file before configuring WebSphere Portal.

 

Tweak wpconfig.properties

Configuring WebSphere Portal for AD involves tweaking properties in the file...

/qibm/userdata/webas5/base/instance/portalserver5/config/wpconfig.properties

...and then running the appropriate configuration tasks.

We can use the security_active_directory.properties.html configuration template to help determine values for the wpconfig.properties file.

You can use ldapsearch to validate LDAP settings.

  1. Ensure that the LDAP software is installed and any setup required by WebSphere Portal has been performed.

  2. Back up...

    /qibm/userdata/webas5/base/instance/portalserver5/config/wpconfig.properties

    ...before changing any values, so that a failed configuration task can be rolled back.

  3. Edit...

    /qibm/userdata/webas5/base/instance/portalserver5/config/wpconfig.properties

    ...file and enter the values appropriate for the environment.

     

    WAS properties

    WasUserid

    The user ID for WAS security authentication, as a fully qualified distinguished name (DN). For example...

    cn=wasadmin,cn=users,dc=setgetweb,dc=com

    If a value is specified for WasUserid, a value must also be specified for WasPassword. If WasUserid is left blank, WasPassword must also be left blank.

    The value must not contain spaces.

    Recommended: cn=wpsbind,cn=users,dc=yourco,dc=com
    Default LDAP value: uid=wpsbind,cn=users,dc=yourco,dc=com

    WasPassword

    Recommended: none
    Default: none

     

    Portal configuration properties

    PortalAdminId

    User ID for the WebSphere Portal administrator.

    Fully qualified distinguished name (DN). For example...

    cn=wpsadmin,cn=users,dc=setgetweb,dc=com

    Default value: none
    PortalAdminIdShort

    The short form of the user ID for the WebSphere Portal administrator, as defined in the PortalAdminId property.

    Recommended: wpsadmin
    Default: none

    PortalAdminPwd

    Password for the WebSphere Portal administrator, as defined in the PortalAdminId property.

    Recommended: none.
    Default: none

    PortalAdminGroupId

    The group ID (fully qualified DN) of the group to which the WebSphere Portal administrator belongs. Its suffix must be the container that actually holds the group in AD and must agree with LDAPGroupSuffix; with the default AD layout shown in the overview, wpsadmins lives under cn=users, not cn=groups.

    Recommended: cn=wpsadmins,cn=groups,dc=yourco,dc=com (cn=wpsadmins,cn=users,dc=yourco,dc=com for the layout in the overview)
    Default: none

    PortalAdminGroupIdShort

    The short form of the group ID for the WebSphere Portal administrator, as defined in the PortalAdminGroupId property.

    Recommended: wpsadmins
    Default: none

     

    WebSphere Portal Security LTPA and SSO configuration

    LTPAPassword

    Password that protects the LTPA keys, the shared secret with which WAS servers in the SSO domain validate each other's tokens. Treat it like a root credential: anyone who obtains the exported LTPA keys and this password can forge a token for any user.

    Recommended: a strong value of your own (the template placeholder is password)
    Default:

    LTPATimeout

    Lifetime, in minutes, of an LTPA token before the user must authenticate again.

    Recommended: 120
    Default: 120

    SSODomainName

    Single signon domain: the DNS domain the LTPA cookie is scoped to, which every participating host must share; for example, SSODomainName=yourcompany.com

    Recommended: the common DNS domain of the participating hosts, for example yourcompany.com
    Default:

     

    LDAP Properties Configuration

    LookAside

    The purpose of a Look Aside database is to store attributes which cannot be stored in the LDAP server. We can either install with LDAP only or with LDAP using a Look Aside database. To enable a Look Aside database, set this property to true. If we intend to use a Look Aside database, set this value before configuring security, as it cannot be configured after security is enabled.

    In the LDAP configuration of WebSphere Portal, an LDAP directory is used as both a user registry and a user repository. However, there are the following use cases where the LDAP directory cannot or should not be used to store all the profile information:

    1. The LDAP is read-only
    2. The LDAP should be kept completely free from attributes that are specific to WebSphere Portal

    In these cases, we can use the Member Manager database as a database user repository for storing additional profile information; this is referred to as an LDAP with Lookaside.

    The Lookaside database attributes must be defined prior to running the enable security task. The Member Manager database is used as both a user registry and a user repository.

    Using a Look Aside database may slow down performance.

    Recommended: false
    Default: false

    LDAPHostName

    The host information for the LDAP server that WebSphere Portal will use; for example

    server1.acme.com.

    Recommended: none
    Default: wpsldap.ibm.com

    LDAPPort

    Port number for the LDAP server that WebSphere Portal will use.

    Recommended (non-SSL): 389
    Default: 389; (636 for SSL)

    LDAPAdminUId

    LDAP administrator id. For example...

    LDAPAdminUId=cn=Administrator

    Recommended:
    Default: cn=root

    LDAPAdminPwd

    LDAP administrator password.

    Recommended:
    Default: none

    LDAPServerType

    Type of LDAP server to be used.

    Recommended: ACTIVE_DIRECTORY
    Default: IBM_DIRECTORY_SERVER

    LDAPBindID

    User ID (full DN) for the LDAP bind. This account only needs to read the user and group subtrees, plus write access to user attributes if Portal manages profiles, so do not reuse a domain administrator account here. For example...

    cn=wpsbind,cn=users,dc=setgetweb,dc=com

    Recommended:
    Default: uid=wpsbind,cn=users,dc=yourco,dc=com

    LDAPBindPassword

    Password for LDAP bind authentication.

    Recommended:
    Default:

     

    Advanced LDAP Configuration

    LDAPUserFilter

    Key used to configure the user filter. The %v token is replaced with the value the user typed at login, so the filter decides which attribute a login name is matched against.

    Recommended:

    (&(|(cn=%v)(samAccountName=%v))(objectclass=user))

    Default:

    (&(uid=%v)(objectclass=inetOrgPerson))

    LDAPGroupFilter

    Key used to configure the group filter.

    Recommended:

    (&(cn=%v)(objectclass=group))

    Default:

    (&(cn=%v)(objectclass=groupOfUniqueNames))
    LDAPSuffix

    LDAP suffix, the base DN under which users and groups are searched. For example...

    dc=setgetweb,dc=com

    Recommended:
    Default: dc=yourco,dc=com

    LdapUserPrefix

    DN prefix attribute name for user entries.

    Recommended: cn
    Default: uid

    LDAPUserSuffix

    DN suffix (relative to LDAPSuffix) for user entries.

    Recommended: cn=users
    Default: cn=users

    LdapGroupPrefix

    DN prefix attribute name for group entries.

    Recommended: cn
    Default: cn

    LDAPGroupSuffix

    DN suffix (relative to LDAPSuffix) for group entries. This must be the container that actually holds the groups: with the default AD layout used in the overview, wpsadmins lives under cn=users, so use cn=users there rather than cn=groups, and keep PortalAdminGroupId consistent with it.

    Recommended: cn=groups
    Default: cn=groups

    LDAPUserObjectClass

    User object class corresponding to the directory.

    Recommended: user
    Default: inetOrgPerson

    LDAPGroupObjectClass

    Group object class corresponding to the directory.

    Recommended: group
    Default: groupOfUniqueNames

    LDAPGroupMember

    Specifies the attribute name of the membership attribute of the group objectclass.

    Recommended: member
    Default: uniqueMember

    LDAPsslEnabled

    Specifies whether secure socket communications is enabled to the LDAP server.

    Recommended Value (non-SSL): false
    Recommended Value (SSL): true
    Default: false

     

    Database configuration

    Dbuser

    The user ID for the database administrator.

    Value Type: Alphanumeric text string
    Default: ReplaceWithYourDbAdminId

    DbPassword

    Password for the database administrator.

    Value Type: Alphanumeric text string
    Default: ReplaceWithYourDbAdminPwd

    WmmDbUser

    User ID used to access the Member Manager database (the template reuses the database administrator ID).

    Value Type: Alphanumeric text string
    Default: ReplaceWithYourDbAdminId

    If we are migrating from a previous version of WebSphere Portal, this value must match the database user name for the WebSphere Member Services database from the previous WebSphere Portal version.

    WmmDbPassword

    Password for the Member Manager database user.

    Value Type: Alphanumeric text string
    Default: ReplaceWithYourDbAdminPwd

    Do not change any other settings in this file.

  4. Perform this step only if we installed WebSphere Portal on a pre-existing instance of WAS and we did not disable WAS Global Security before installing WebSphere Portal. This step ensures that WebSphere Portal has the appropriate credentials to establish an SSL connection to the WAS administration client when portlets are manually deployed. Ensure that the following properties in the file...

    /qibm/userdata/webas5/base/instance/portalserver5/config/wpconfig.properties

    ...have the values listed below...

    Section: Credentials for WAS administration secure SOAP connection

    TrustStore

    Relative path to the trust file that contains public keys. The path name must start below the <was_root> directory. The Dummy*.jks files and their password WebAS ship with every WAS installation and are public knowledge; replace them with your own key and trust stores before the system goes into production.

    Recommended: trust_file_path
    Default: /etc/DummyClientTrustFile.jks

    TrustStorePwd

    Password for accessing the trust file.

    Recommended: trust_file_password
    Default: WebAS

    KeyStore

    Relative path to the key file that contains public keys. The path name must start below the <was_root> directory.

    Recommended: key_file_path
    Default: /etc/DummyClientKeyFile.jks

    KeyStorePwd

    Password for accessing the key file.

    Recommended: keystore_password
    Default: WebAS

  5. Optional. If we installed WAS as part of the WebSphere Portal installation and we plan to use WAS single signon, ensure that the following additional properties in the wpconfig.properties file have the values listed below. If we installed WebSphere Portal onto a pre-existing instance of WAS, skip this step. Any pre-existing settings for WAS SSO are automatically detected and preserved when we run the appropriate task to configure security.

    Section: WebSphere Portal Security LTPA and SSO Configuration

    SSOEnabled

    Specifies that the single signon function is enabled.

    Recommended: true
    Default: true

    SSORequiresSSL

    Specifies that single signon is enabled only when requests are over HTTPS SSL connections; with true the LTPA cookie is marked secure and is never sent over plain HTTP, which is what protects the token from being captured on the wire. Choose false unless SSL is already enabled for WebSphere Portal. In most cases, SSL for WebSphere Portal will not yet be in place. After SSL for WebSphere Portal is set up, change this value to true using the WAS administrative console.

    Recommended: False or True depending on the environment.
    Default: false

  6. Save the file.
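Before running validate-ldap it is worth cross-checking the values above offline, because the task only reports that a bind or search failed, not which property is inconsistent. The script below is an added example, not part of WebSphere Portal or its configuration tooling: it reads a constructed wpconfig.properties fragment (the dc=yourco,dc=com layout from the overview), checks that the admin user and group DNs are what the prefix/suffix properties say they should be, that LDAPsslEnabled and LDAPPort agree, that the AD object classes and membership attribute are set, and that WasUserid/WasPassword and LTPAPassword are not left in a weak state. It also prints the ldapsearch command (OpenLDAP option syntax; IBM's ldapsearch client uses -h/-p instead of -H) that confirms the admin user resolves through the recommended user filter. The deliberately inconsistent sample sets the group suffix to cn=groups while the group lives under cn=users, and leaves the LTPA placeholder in place.

```python
"""Offline sanity check of the AD-related values in wpconfig.properties.

Added example, not WebSphere Portal code.  It parses a Java-style key=value file
and cross-checks the properties documented on this page.  SAMPLE_WPCONFIG is a
constructed fragment; the host name dc1.yourco.com is an assumption.
"""

SAMPLE_WPCONFIG = """\
# constructed sample of the relevant wpconfig.properties values
WasUserid=cn=wpsbind,cn=users,dc=yourco,dc=com
WasPassword=s3cret-bind
PortalAdminId=cn=wpsadmin,cn=users,dc=yourco,dc=com
PortalAdminIdShort=wpsadmin
PortalAdminGroupId=cn=wpsadmins,cn=groups,dc=yourco,dc=com
PortalAdminGroupIdShort=wpsadmins
LTPAPassword=password
LDAPHostName=dc1.yourco.com
LDAPPort=389
LDAPServerType=ACTIVE_DIRECTORY
LDAPBindID=cn=wpsbind,cn=users,dc=yourco,dc=com
LDAPBindPassword=s3cret-bind
LDAPSuffix=dc=yourco,dc=com
LdapUserPrefix=cn
LDAPUserSuffix=cn=users
LdapGroupPrefix=cn
LDAPGroupSuffix=cn=users
LDAPUserObjectClass=user
LDAPGroupObjectClass=group
LDAPGroupMember=member
LDAPsslEnabled=false
"""

def parse_properties(text):
    """Minimal java.util.Properties reader: key=value, '#'/'!' comments, no continuations."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def expected_dn(prefix, short, suffix, base):
    """DN the Portal builds from its prefix/suffix properties: prefix=short,suffix,base."""
    return "%s=%s,%s,%s" % (prefix, short, suffix, base)

def check_wpconfig(props):
    """Return a list of findings; an empty list means the values are consistent."""
    findings = []
    base = props.get("LDAPSuffix", "")
    # 1. the admin user DN must be LdapUserPrefix=PortalAdminIdShort,LDAPUserSuffix,LDAPSuffix
    want = expected_dn(props.get("LdapUserPrefix", ""), props.get("PortalAdminIdShort", ""),
                       props.get("LDAPUserSuffix", ""), base)
    if props.get("PortalAdminId", "").lower() != want.lower():
        findings.append("PortalAdminId %r does not match %r built from the prefix/suffix properties"
                        % (props.get("PortalAdminId"), want))
    # 2. the admin group DN follows the same rule with the group prefix/suffix
    want = expected_dn(props.get("LdapGroupPrefix", ""), props.get("PortalAdminGroupIdShort", ""),
                       props.get("LDAPGroupSuffix", ""), base)
    if props.get("PortalAdminGroupId", "").lower() != want.lower():
        findings.append("PortalAdminGroupId %r does not match %r; AD keeps groups under cn=users by default"
                        % (props.get("PortalAdminGroupId"), want))
    # 3. the SSL flag and the port must agree (389 plain LDAP, 636 LDAPS)
    ssl = props.get("LDAPsslEnabled", "false").lower() == "true"
    port = props.get("LDAPPort", "")
    if (ssl and port == "389") or (not ssl and port == "636"):
        findings.append("LDAPsslEnabled=%s but LDAPPort=%s" % (ssl, port))
    if not ssl:
        findings.append("LDAP is not over SSL: AD refuses password writes, so Portal cannot set passwords for new users")
    # 4. AD-specific object classes and membership attribute
    for key, ad_value in (("LDAPServerType", "ACTIVE_DIRECTORY"), ("LDAPUserObjectClass", "user"),
                          ("LDAPGroupObjectClass", "group"), ("LDAPGroupMember", "member")):
        if props.get(key, "").lower() != ad_value.lower():
            findings.append("%s=%r, expected %r for Active Directory" % (key, props.get(key), ad_value))
    # 5. WasUserid/WasPassword must be both set or both blank; LTPA placeholder is not a secret
    if bool(props.get("WasUserid")) != bool(props.get("WasPassword")):
        findings.append("WasUserid and WasPassword must both be set or both be blank")
    if props.get("LTPAPassword", "").lower() in ("", "password"):
        findings.append("LTPAPassword is blank or the placeholder 'password'; choose a strong value")
    return findings

def ldapsearch_command(props):
    """ldapsearch call (OpenLDAP syntax) that confirms the admin user resolves via the AD user filter.
    -W prompts for the bind password so it never appears on the command line or in job logs."""
    scheme = "ldaps" if props.get("LDAPsslEnabled", "").lower() == "true" else "ldap"
    flt = "(&(|(cn=%v)(samAccountName=%v))(objectclass=user))".replace("%v", props["PortalAdminIdShort"])
    return 'ldapsearch -x -H %s://%s:%s -D "%s" -W -b "%s,%s" "%s" dn sAMAccountName memberOf' % (
        scheme, props["LDAPHostName"], props["LDAPPort"], props["LDAPBindID"],
        props["LDAPUserSuffix"], props["LDAPSuffix"], flt)

if __name__ == "__main__":
    p = parse_properties(SAMPLE_WPCONFIG)
    for finding in check_wpconfig(p):
        print("WARN:", finding)
    print(ldapsearch_command(p))
```

Run it against the real file by replacing SAMPLE_WPCONFIG with the file contents; the group-suffix finding is exactly the cn=groups versus cn=users mismatch discussed in the property table, and the SSL finding restates why password writes need LDAP over SSL.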

  7. Start a 5250 session on the local machine where WebSphere Portal is installed.

  8. Enter STRQSH on the command line to start the Qshell Interpreter.

  9. Enter the following:

    cd /QIBM/UserData/WebAS5/Base/instance/PortalServer5/config

    where instance is the name of the portal server instance.

  10. Enter the following:

    WPSconfig.sh validate-ldap

    If the configuration task fails, validate the values in the wpconfig.properties file.

  11. This task configures WebSphere Portal for security but does not modify the WAS existing security settings.

    Perform this step only if we installed WebSphere Portal on a pre-existing instance of WAS which had Global Security enabled or if we followed the steps in Manually configuring WAS Global Security. If we disabled WAS Global Security before installing WebSphere Portal, enable it now by running the following configuration task:

    WPSconfig.sh secure-portal-ldap

    Check the output for any error messages before proceeding with any additional tasks. If any the configuration task fails, verify the values in the file...

    /qibm/userdata/webas5/base/instance/portalserver5/config/wpconfig.properties

  12. Perform this step only if we meet either of the following criteria:

    • We installed WebSphere Portal on a pre-existing instance of WAS which did not have Global Security enabled

    • We installed WAS as part of the WebSphere Portal installation

    Enter the following:

    WPSconfig.sh enable-security-ldap

    Check the output for any error messages before proceeding with any additional tasks. If the configuration task fails, verify the values in the file...

    /qibm/userdata/webas5/base/instance/portalserver5/config/wpconfig.properties

    Before running the task again, stop the WebSphere Portal application server...

STRQSH
cd /QIBM/ProdData/WebAS5/PME/bin
stopServer -instance WebSpherePortal WebSpherePortal -user admin_userid -password admin_password

ADMU0116I: Tool information is being logged in file /QIBM/UserData/WebAS5/Base/WebSphere_Portal/logs/WebSpherePortal/stopServer.log
ADMU3100I: Reading configuration for server: WebSpherePortal
ADMU3201I: Server stop request issued. Waiting for stop status.
ADMU4000I: Server WebSpherePortal stop completed.

  • If we are using wmm.xml to store Member Manager configuration information, we need to modify wmm.xml and make the following changes:

    1. Change the wmmGenerateExtId value from true to false. By default this value is true, but for AD it must be false (AD supplies its own immutable object identifier, so Member Manager must not generate one). In the <ldapRepository...> stanza of the wmm.xml file, change the value as follows:

      wmmGenerateExtId="false"

    2. In wmm.xml search for all occurrences of "ibm-appUUIDAux" and remove them.

  • Perform this step only if we are using LDAP over SSL:

    1. If not already configured, configure WAS to use LDAP over SSL

      To configure WAS to use LDAP over SSL, use the WAS administrative console with WebSphere Portal stopped. Consult the WAS documentation for the SSL settings dialog. Verify the result by restarting the administrative console and confirming, for example with a packet capture on the directory server, that no LDAP traffic reaches the directory's unencrypted port, by default 389. All necessary certificate setup should already have been done when setting up LDAP over SSL.

    2. Enable Member Manager to use SSL by importing the CA root certificate into cacerts, either with the command below or with the WAS IKeyMan GUI tool. The default password for cacerts is changeit; change it, because cacerts is the trust store for every SSL connection the JVM makes. Import only the root of the CA that issued the domain controller's certificate, not arbitrary certificates, since everything in cacerts is trusted JVM-wide.

      keytool -import -alias ad-root-ca -file rootcert.cer -keystore was_root/java/jre/lib/security/cacerts

    3. Extract the certificate from the DummyServerKeyFile.jks using the IKeyMan tool. Then add the certificate to the cacerts file.

    4. Configure WebSphere Portal to use LDAP over SSL

      1. To configure WebSphere Portal to use LDAP over SSL, modify portal wmm.xml file:

        1. Change the LDAP port from 389 to the port on which the LDAP server is listening for LDAP over SSL traffic. By default, this value is 636. In the <ldapRepository...> stanza of the wmm.xml file, change the port number as desired:

          ldapPort="636"

        2. In the <ldapRepository...> stanza of the wmm.xml file, add the following key/value pair:

          java.naming.security.protocol="ssl"

      2. Restart WebSphere Portal.

      3. If we are using resource-pme.xml to store Member Manager configuration information, we need to use the WAS administrative console to change the port number and add a new attribute.

        1. To change LDAP Port Number, open the WAS administrative console and choose...

          Member Manager Provider | MembershipProvider | LDAP Profile Repositories | <LDAP Repository Name>

          Change Port to the SSL port being used (default is 636).

        2. To add the java.naming.security.protocol custom property, open the WAS administrative console and choose...

          Member Manager Provider | MembershipProvider | LDAP Profile Repositories | <LDAP Repository Name> | Custom Properties | New

          and enter java.naming.security.protocol for Name and ssl for Value.

        3. Click Ok to see the updated Custom Properties.

        4. After applying the change, if we open the resource-pme.xml, we see the property has been added:

          <propertySet xmi:id="J2EEResourcePropertySet_1">
          
              <resourceProperties xmi:id="J2EEResourceProperty_1" 
                                  name="java.naming.security.protocol" 
                                  type="java.lang.String" 
                                  value="ssl" 
                                  description="JNDI env property that specifies the security protocol."/>
          
              <resourceProperties xmi:id="J2EEResourceProperty_2" 
                                  name="java.naming.security.authentication" 
                                  type="java.lang.String" 
                                  value="simple" 
                                  description="JNDI env property that specifies the type of authentication."/>
          
          </propertySet>  
          

      4. Restart WebSphere Portal.
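The wmm.xml edits for AD (wmmGenerateExtId="false", removing ibm-appUUIDAux) and for LDAP over SSL (ldapPort="636", java.naming.security.protocol="ssl") are easy to get half-done by hand, so here they are as one scripted, idempotent pass. This is an added example, not WebSphere Portal code: only ldapPort, wmmGenerateExtId, java.naming.security.protocol and the ibm-appUUIDAux object class come from this page; the other attribute names in the constructed SAMPLE_WMM_XML stanza (ldapHost, adminId, objectClassesForRead, objectClassesForWrite, supportedMemberType) are assumptions made so the sample looks like a repository stanza, and the script edits attribute values generically rather than relying on them.

```python
"""Apply the Active Directory and LDAP-over-SSL edits to a wmm.xml <ldapRepository> stanza.

Added example, not part of WebSphere Portal.  SAMPLE_WMM_XML is constructed;
attribute names other than ldapPort, wmmGenerateExtId and
java.naming.security.protocol are assumptions.  Back up the real file first.
"""
import xml.etree.ElementTree as ET

SAMPLE_WMM_XML = """\
<wmm>
  <repositories>
    <ldapRepository name="wmmLDAP" ldapHost="dc1.yourco.com" ldapPort="389"
                    adminId="cn=wpsbind,cn=users,dc=yourco,dc=com"
                    wmmGenerateExtId="true">
      <supportedMemberTypes>
        <supportedMemberType name="Person" rdnAttrTypes="cn"
                             objectClassesForRead="user;ibm-appUUIDAux"
                             objectClassesForWrite="user;ibm-appUUIDAux"/>
        <supportedMemberType name="Group" rdnAttrTypes="cn"
                             objectClassesForRead="group"
                             objectClassesForWrite="group"/>
      </supportedMemberTypes>
    </ldapRepository>
  </repositories>
</wmm>
"""

AUX_CLASS = "ibm-appUUIDAux"   # auxiliary class Portal uses on other directories; not present in AD

def _strip_aux(value):
    """Remove ibm-appUUIDAux from a ';'-separated object class list, keeping everything else."""
    return ";".join(p for p in value.split(";") if p.strip() != AUX_CLASS)

def configure_for_ad(root, ssl_port=None):
    """Edit the tree in place and return the list of changes made.
    ssl_port=None applies only the AD edits; an int also switches the stanza to LDAP over SSL."""
    changes = []
    for repo in root.iter("ldapRepository"):
        if repo.get("wmmGenerateExtId") != "false":
            repo.set("wmmGenerateExtId", "false")
            changes.append("wmmGenerateExtId=false")
        if ssl_port is not None and (repo.get("ldapPort") != str(ssl_port)
                                     or repo.get("java.naming.security.protocol") != "ssl"):
            repo.set("ldapPort", str(ssl_port))
            repo.set("java.naming.security.protocol", "ssl")
            changes.append("ldapPort=%d + java.naming.security.protocol=ssl" % ssl_port)
    # "search for all occurrences of ibm-appUUIDAux and remove them": any attribute, any element
    for elem in root.iter():
        for attr, value in list(elem.attrib.items()):
            if AUX_CLASS in value:
                elem.set(attr, _strip_aux(value))
                changes.append("%s@%s: removed %s" % (elem.tag, attr, AUX_CLASS))
    return changes

def rewrite_wmm_xml(text, ssl_port=None):
    """Return (new_xml_text, changes) for a wmm.xml document given as a string."""
    root = ET.fromstring(text)
    changes = configure_for_ad(root, ssl_port)
    return ET.tostring(root, encoding="unicode"), changes

def repository_settings(text):
    """Attributes of the first <ldapRepository> in text, for verification after the rewrite."""
    return dict(ET.fromstring(text).find(".//ldapRepository").attrib)

if __name__ == "__main__":
    new_xml, changes = rewrite_wmm_xml(SAMPLE_WMM_XML, ssl_port=636)
    print("\n".join(changes))
    print(new_xml)
```

Running the pass a second time reports no changes, which is the property you want before pointing it at the real file: it can be re-run after a failed enable-security-ldap without stacking edits. ElementTree rewrites the whole document, so compare the output against the backup before replacing wmm.xml.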

  • At this point AD users cannot log in to WebSphere Portal with a short name, because the WAS user filter matches on cn, which in AD normally holds the user's full name (for example John Smith) rather than the login name. To allow users to log in with their short name (sAMAccountName), reconfigure the user filter in WAS. Use the following steps as a guide:

    1. In the WAS console, select...

      Security | User Registries | LDAP | Advanced LDAP Settings

    2. Change the user filter from...

      (&(cn=%v)(objectclass=user))

      ...to...

      (&(sAMAccountName=%v)(objectclass=user))
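The difference between the three user filters on this page, and the one thing to watch when %v is substituted, can be shown without a directory. The script below is an added example, not WAS or WebSphere Portal code: it contains a deliberately small evaluator for the subset of RFC 4515 these filters use (and, or, equality, and * for presence), runs the cn-only, sAMAccountName-only and combined filters against three constructed AD-style entries, and substitutes %v the way a registry must, with the login value escaped. The last call shows why the escaping matters: a login name of *)(objectclass=* spliced in raw turns (&(sAMAccountName=%v)(objectclass=user)) into a filter that matches every user, while the escaped form matches nothing.

```python
"""Short-name login and safe %v substitution for the WAS/Portal LDAP user filters.

Added example, not WebSphere code.  The evaluator covers only &, |, equality and
'*' presence, which is enough for the filters on this page.  ENTRIES are constructed.
"""
import re

# Constructed AD-style entries; in AD the cn is normally "First Last", not the login name.
ENTRIES = [
    {"dn": "cn=John Smith,cn=users,dc=yourco,dc=com", "cn": "John Smith",
     "samaccountname": "jsmith", "objectclass": ["top", "person", "user"]},
    {"dn": "cn=wpsadmin,cn=users,dc=yourco,dc=com", "cn": "wpsadmin",
     "samaccountname": "wpsadmin", "objectclass": ["top", "person", "user"]},
    {"dn": "cn=wpsadmins,cn=users,dc=yourco,dc=com", "cn": "wpsadmins",
     "samaccountname": "wpsadmins", "objectclass": ["top", "group"]},
]

def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a search filter: * ( ) \\ and NUL become \\xx."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)

def build_filter(template, login):
    """Replace every %v in the filter template with the escaped login name."""
    return template.replace("%v", escape_filter_value(login))

def _parse(s, i):
    """Parse one '(...)' component starting at s[i]; return (node, index after it)."""
    assert s[i] == "(", "filter component must start with '('"
    i += 1
    if s[i] in "&|":                       # (&(...)(...)) or (|(...)(...))
        op, children = s[i], []
        i += 1
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        assert s[i] == ")"
        return (op, children), i + 1
    end = s.index(")", i)                  # escaped values never contain a literal ')'
    attr, value = s[i:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _matches(node, entry):
    if node[0] == "&":
        return all(_matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(_matches(c, entry) for c in node[1])
    _, attr, value = node
    vals = entry.get(attr, [])
    vals = vals if isinstance(vals, list) else [vals]
    if value == "*":                       # presence filter
        return bool(vals)
    want = _unescape(value).lower()        # AD string matching is case-insensitive
    return any(v.lower() == want for v in vals)

def search(filter_str, entries=ENTRIES):
    """Return the DNs of the entries the (already substituted) filter matches."""
    node, end = _parse(filter_str, 0)
    assert end == len(filter_str), "trailing text after the filter"
    return [e["dn"] for e in entries if _matches(node, e)]

CN_ONLY   = "(&(cn=%v)(objectclass=user))"                            # WAS filter before the change
SAM_ONLY  = "(&(sAMAccountName=%v)(objectclass=user))"                # WAS filter after the change
CN_OR_SAM = "(&(|(cn=%v)(samAccountName=%v))(objectclass=user))"      # LDAPUserFilter recommended above

if __name__ == "__main__":
    for tmpl in (CN_ONLY, SAM_ONLY, CN_OR_SAM):
        print(tmpl, "jsmith ->", search(build_filter(tmpl, "jsmith")))
    print("escaped injection ->", search(build_filter(SAM_ONLY, "*)(objectclass=*")))
    print("raw injection     ->", search(SAM_ONLY.replace("%v", "*)(objectclass=*")))
```

The cn-only filter finds jsmith only if an entry's cn happens to equal the login name (true for wpsadmin here, false for John Smith), which is the short-name problem the step above fixes; the combined LDAPUserFilter accepts either spelling. Any registry or custom login code that substitutes %v itself must escape the value as escape_filter_value does, otherwise the login field is an LDAP filter injection point.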

  • Enter the following:

    cd /QIBM/ProdData/WebAS5/PME/bin

  • Enter the following:

    stopServer -instance instance appserver

    If we are running with security enabled on WAS, we must specify a user ID and password for security authentication when entering the command.

  • Perform this step only if we installed WebSphere Portal on a pre-existing instance of WAS, do one of the following:

  • Perform this step only if we installed WebSphere Portal into a pre-existing SSO environment. Because we will not be given the option to import the existing token file, perform the following steps:

  • Access WebSphere Portal via...

    http://<hostname.yourco.com>:<port_number>/wps/portal

    ...and verify that we can log in.

    Once security is enabled, we must type the fully qualified host name when accessing WebSphere Portal and the WAS administrative console.

     

    Security is enabled

    Once we have enabled security with the LDAP directory, we will need to provide the user ID and password required for security authentication on WAS when we perform certain administrative tasks with WAS. For example, to stop the WebSphere Portal application server, we would issue the following command:

    stopServer -instance instance appserver -user admin_userid -password admin_password

     


Verify LDAP

For AD we should be able to create users through WebSphere Portal, but it is not possible to set their passwords unless LDAP over SSL is configured (see Active Directory and SSL above). Log on with an existing or default user ID and password. If login succeeds, AD is correctly set up as the user registry.

The content shown after logon varies with the user's role. If we do not receive an error message, we can assume that the LDAP server is functioning properly.