
However, the changes to the LDIF are so great that it is easier to add the
wpsadmin and wpsbind users and wpsadmins group using the Windows
Active Directory Users and Groups administrative tool.


Configuring WebSphere Portal for Your LDAP Server
Now that your LDAP server is all set up, you need to configure WebSphere
Portal server to work with it by using the following steps:
P1: FCH
WY009-19 WY009-BenNatan-v1.cls May 13, 2004 22:21




376 Chapter 19


1. Ensure that WebSphere security is disabled. If it is not, do the
following:
a. Copy the template security_disable.properties file from
<wps_root>\config\helpers to <wps_root>\config.
b. Modify the properties based on your values.
c. Open a command prompt and change the directory to
<wps_root>\config.
d. Enter:
WPSconfig -DparentProperties="<wps_root>\config\security_disable" -DSaveParentProperties=true
e. Upon completion, enter WPSconfig disable-security.
2. In <wps_root>\config\helpers, find the appropriate template
and copy it to <wps_root>\config. For IBM Directory Server, use
security_ibm_dir_server.properties; for Sun One Directory,
use security_ibm_dir_server.properties; and for Microsoft
Active Directory, use security_active_directory.properties.
3. In the template, assign the property values based on Tables 19-1 to
19-3. The values assigned in Table 19-1 are those we used to access
each LDAP.
4. Save the file as ldap.properties.
5. Ensure that WebSphere Application Server is running but WebSphere
Portal is stopped.

Table 19-1 WebSphere Application Server Properties

WasUserid
  Description: The fully qualified name of the WebSphere Application Server
  security ID, with no spaces
  IBM Directory Server 5.1:      uid=wpsbind,cn=users,dc=rigorconsultants,dc=com
  Sun One 5.2:                   uid=wpsbind,ou=people,dc=rigorconsultants,dc=com
  Windows 2000 Active Directory: cn=wpsbind,cn=users,dc=rigorconsultants,dc=com

WasPassword
  Description: The password for the WebSphere Application Server security ID

Table 19-2 WebSphere Portal Properties Configuration

PortalAdminId
  Description: The fully qualified name of the WebSphere Portal Administrator,
  with no spaces
  IBM Directory Server 5.1:      uid=wpsadmin,cn=users,dc=rigorconsultants,dc=com
  Sun One 5.2:                   uid=wpsadmin,ou=people,dc=rigorconsultants,dc=com
  Windows 2000 Active Directory: cn=wpsadmin,cn=users,dc=rigorconsultants,dc=com

PortalAdminShort
  Description: Short form of the WebSphere Portal Administrator ID
  IBM Directory Server 5.1:      wpsadmin
  Sun One 5.2:                   wpsadmin
  Windows 2000 Active Directory: wpsadmin

PortalAdminGroupId
  Description: The fully qualified group ID of the group to which the
  WebSphere Portal Administrator belongs
  IBM Directory Server 5.1:      uid=wpsadmins,cn=groups,dc=rigorconsultants,dc=com
  Sun One 5.2:                   uid=wpsadmins,ou=groups,dc=rigorconsultants,dc=com
  Windows 2000 Active Directory: cn=wpsadmins,cn=users,dc=rigorconsultants,dc=com

PortalAdminGroupIDShort
  Description: The short form of the WebSphere Portal Administrator group ID
  IBM Directory Server 5.1:      wpsadmins
  Sun One 5.2:                   wpsadmins
  Windows 2000 Active Directory: wpsadmins

Implementing Authentication for Large Enterprises
Table 19-3 LDAP Properties Configuration

LookAside
  Description: States whether you are using a look-aside database, which
  stores attributes that cannot be stored in your LDAP server
  IBM Directory Server 5.1:      false
  Sun One 5.2:                   false
  Windows 2000 Active Directory: false

LDAPHostName
  Description: LDAP server host name
  IBM Directory Server 5.1:      sandbox2.rigorconsultants.com
  Sun One 5.2:                   sandbox2.rigorconsultants.com
  Windows 2000 Active Directory: sandbox2.rigorconsultants.com

LDAPPort
  Description: The port number that the LDAP server uses
  IBM Directory Server 5.1:      389
  Sun One 5.2:                   389
  Windows 2000 Active Directory: 636

LDAPAdminUid
  Description: The LDAP administrator ID
  IBM Directory Server 5.1:      cn=ldsadmin
  Sun One 5.2:                   cn=ldsadmin
  Windows 2000 Active Directory: cn=ldsadmin

LDAPAdminPwd
  Description: The LDAP administrator ID password

LDAPServerType
  Description: Type of LDAP server
  IBM Directory Server 5.1:      IBM DIRECTORY SERVER
  Sun One 5.2:                   IPLANET
  Windows 2000 Active Directory: ACTIVE DIRECTORY

LDAPBindId
  Description: The user ID for LDAP bind authentication
  IBM Directory Server 5.1:      uid=wpsbind,cn=users,dc=rigorconsultants,dc=com
  Sun One 5.2:                   uid=wpsbind,ou=people,dc=rigorconsultants,dc=com
  Windows 2000 Active Directory: cn=wpsbind,cn=users,dc=rigorconsultants,dc=com

LDAPSuffix
  Description: The LDAP suffix
  IBM Directory Server 5.1:      dc=rigorconsultants,dc=com
  Sun One 5.2:                   dc=rigorconsultants,dc=com
  Windows 2000 Active Directory: dc=rigorconsultants,dc=com

LdapUserPrefix
  Description: User prefix
  IBM Directory Server 5.1:      uid
  Sun One 5.2:                   uid
  Windows 2000 Active Directory: cn

LDAPUserSuffix
  Description: User suffix
  IBM Directory Server 5.1:      cn=users
  Sun One 5.2:                   ou=People
  Windows 2000 Active Directory: cn=users

LDAPGroupPrefix
  Description: Group prefix
  IBM Directory Server 5.1:      cn
  Sun One 5.2:                   cn
  Windows 2000 Active Directory: cn

LDAPGroupSuffix
  Description: Group suffix
  IBM Directory Server 5.1:      cn=groups
  Sun One 5.2:                   ou=groups
  Windows 2000 Active Directory: cn=users

LDAPUserObjectClass
  Description: User object class
  IBM Directory Server 5.1:      inetOrgPerson
  Sun One 5.2:                   inetOrgPerson
  Windows 2000 Active Directory: user

LDAPGroupObjectClass
  Description: Group object class
  IBM Directory Server 5.1:      groupOfUniqueNames
  Sun One 5.2:                   groupOfUniqueNames
  Windows 2000 Active Directory: group

LDAPGroupMember
  Description: The attribute name of the membership attribute of your group
  objectclass
  IBM Directory Server 5.1:      uniqueMember
  Sun One 5.2:                   uniqueMember
  Windows 2000 Active Directory: member

LDAPsslEnabled
  Description: Is LDAP SSL enabled?
  IBM Directory Server 5.1:      false
  Sun One 5.2:                   false
  Windows 2000 Active Directory: true



6. In the command prompt (you should still be in the directory
<wps_root>\config), enter:
WPSconfig -DparentProperties="<wps_root>\config\ldap.properties" -DSaveParentProperties=true
7. Test your configuration settings by entering WPSconfig validate-ldap.
If the test is unsuccessful, recheck your configuration settings.
8. If it is successful, run WPSconfig secure-portal-ldap. If you are using
Active Directory or you have enabled SSL, there are a few more steps
that will be discussed in the next section. Do not try to implement an
SSL configuration (unless you are implementing Active Directory)
without first getting a non-SSL configuration to work.
9. Validate that your LDAP is properly configured by logging in to
WebSphere Portal and adding a user under the Portal Administration
functions. Then go to the LDAP Web Administrator and check the new
user entry.
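Before running WPSconfig validate-ldap (step 7), it helps to catch the mechanical mistakes that the tables make easy to introduce into ldap.properties: a DN that does not end in LDAPSuffix, an administrator DN that cannot be rebuilt from the prefix and suffix settings, or an SSL flag that disagrees with the port (the situation step 8 warns against). The following script is an added example, not code from the book or from IBM: its parser and checks are our own, its sample property text is constructed from the IBM Directory Server column of Tables 19-1 to 19-3, and the Active Directory column is derived from that sample. The relationships it checks are what the tables imply, not rules that WPSconfig is documented to apply. Run against the IBM column exactly as printed, it reports one finding: Table 19-2 gives PortalAdminGroupId with a uid= prefix while Table 19-3 sets LDAPGroupPrefix to cn.

```python
"""Consistency checks for a WebSphere Portal ldap.properties file.
Added example, not from the book or IBM: parser and checks are our own. The
sample text is constructed from the IBM Directory Server column of Tables 19-1
to 19-3; the relationships checked are what the tables imply, not documented
WPSconfig rules."""

# Constructed sample: IBM Directory Server 5.1 column, passwords as placeholders.
IBM_DS_PROPERTIES = """\
WasUserid=uid=wpsbind,cn=users,dc=rigorconsultants,dc=com
WasPassword=PLACEHOLDER
PortalAdminId=uid=wpsadmin,cn=users,dc=rigorconsultants,dc=com
PortalAdminShort=wpsadmin
PortalAdminGroupId=uid=wpsadmins,cn=groups,dc=rigorconsultants,dc=com
PortalAdminGroupIDShort=wpsadmins
LookAside=false
LDAPHostName=sandbox2.rigorconsultants.com
LDAPPort=389
LDAPAdminUid=cn=ldsadmin
LDAPAdminPwd=PLACEHOLDER
LDAPServerType=IBM DIRECTORY SERVER
LDAPBindId=uid=wpsbind,cn=users,dc=rigorconsultants,dc=com
LDAPSuffix=dc=rigorconsultants,dc=com
LdapUserPrefix=uid
LDAPUserSuffix=cn=users
LDAPGroupPrefix=cn
LDAPGroupSuffix=cn=groups
LDAPUserObjectClass=inetOrgPerson
LDAPGroupObjectClass=groupOfUniqueNames
LDAPGroupMember=uniqueMember
LDAPsslEnabled=false
"""

# The Windows 2000 Active Directory column differs only in these keys.
AD_OVERRIDES = {
    "WasUserid": "cn=wpsbind,cn=users,dc=rigorconsultants,dc=com",
    "PortalAdminId": "cn=wpsadmin,cn=users,dc=rigorconsultants,dc=com",
    "PortalAdminGroupId": "cn=wpsadmins,cn=users,dc=rigorconsultants,dc=com",
    "LDAPBindId": "cn=wpsbind,cn=users,dc=rigorconsultants,dc=com",
    "LDAPPort": "636", "LDAPServerType": "ACTIVE DIRECTORY", "LdapUserPrefix": "cn",
    "LDAPGroupSuffix": "cn=users", "LDAPUserObjectClass": "user",
    "LDAPGroupObjectClass": "group", "LDAPGroupMember": "member", "LDAPsslEnabled": "true",
}

def parse_properties(text):
    """Minimal .properties reader; only the first '=' splits key from value (DNs contain '=')."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!":
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props

REQUIRED_KEYS = tuple(parse_properties(IBM_DS_PROPERTIES))  # every sample key is required
DN_KEYS = ("WasUserid", "PortalAdminId", "PortalAdminGroupId", "LDAPBindId")  # "no spaces"

def _norm_dn(dn):
    """Compare DNs case-insensitively, ignoring space around commas."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def check_ldap_properties(props):
    """Return human-readable findings; an empty list means the file is consistent."""
    missing = [k for k in REQUIRED_KEYS if k not in props]
    if missing:
        return ["missing properties: " + ", ".join(missing)]
    findings = []
    suffix = _norm_dn(props["LDAPSuffix"])
    for key in DN_KEYS:
        if " " in props[key]:
            findings.append(f"{key} contains spaces: {props[key]!r}")
        if not _norm_dn(props[key]).endswith("," + suffix):
            findings.append(f"{key} does not end with LDAPSuffix {props['LDAPSuffix']}")
    # Admin user/group DNs must be composable from prefix + short ID + suffixes,
    # because those are the settings the portal searches with.
    want_user = f"{props['LdapUserPrefix']}={props['PortalAdminShort']},{props['LDAPUserSuffix']},{props['LDAPSuffix']}"
    want_group = f"{props['LDAPGroupPrefix']}={props['PortalAdminGroupIDShort']},{props['LDAPGroupSuffix']},{props['LDAPSuffix']}"
    for key, want in (("PortalAdminId", want_user), ("PortalAdminGroupId", want_group)):
        if _norm_dn(props[key]) != _norm_dn(want):
            findings.append(f"{key} is {props[key]} but the prefix/suffix settings imply {want}")
    # Step 8 of the text: do not mix SSL and non-SSL settings.
    port = int(props["LDAPPort"]) if props["LDAPPort"].isdigit() else -1
    if not 1 <= port <= 65535:
        findings.append(f"LDAPPort is not a valid TCP port: {props['LDAPPort']!r}")
    ssl = props["LDAPsslEnabled"].lower()
    if ssl == "true" and port == 389:
        findings.append("LDAPsslEnabled=true but LDAPPort=389 (plain LDAP); LDAPS is normally 636")
    elif ssl == "false" and port == 636:
        findings.append("LDAPsslEnabled=false but LDAPPort=636 (the LDAPS port)")
    return findings

def active_directory_props(**changes):
    """IBM sample with the Active Directory column applied, plus optional overrides."""
    props = dict(parse_properties(IBM_DS_PROPERTIES), **AD_OVERRIDES)
    props.update(changes)
    return props
```

The Active Directory column passes cleanly; setting its LDAPPort back to 389 while leaving LDAPsslEnabled=true reproduces the mixed SSL and non-SSL state that step 8 tells you to avoid. The reader is deliberately minimal (no ':' separators or backslash continuations, which Java properties files also allow), so for a real file call check_ldap_properties(parse_properties(open(path).read())) and review the findings before running WPSconfig.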


Enabling WebSphere Portal to Access Your
LDAP Server over SSL
At times you may want information traveling between your WebSphere
Portal server and LDAP to be encrypted. For instance, if your LDAP servers
are spread over multiple geographical locations and are accessed through
the Internet, you would want to ensure that sensitive information such as
user IDs and passwords is not hijacked, manipulated, or viewed by unau-
thorized persons. A method to ensure privacy is to enable WebSphere Ap-
plication Server and WebSphere Portal to access the LDAP server with SSL
enabled. Of course, this assumes that you have also enabled SSL between
the Web browser and your Web server.
SSL is a security protocol that supports data encryption, authentication,
and data integrity verification. An SSL operation consists of an initiation
and a data transfer. At the initiation stage, the client and the server
try to set up the session and connection state by coming to an agreement on
encryption and authentication. Agreement is reached once the protocol ver-
sion is chosen, the encryption algorithm is chosen, and both parties have au-
thenticated each other (the latter is optional). After a successful initiation
stage, data is transferred using public-key encryption. The data required for
the public-key encryption (including keys) is provided through certificates.
Certificates need to be created for each component and stored in each
counterpart's key database. Certificates can be obtained from a certificate
authority (CA) such as Verisign, or they can be self-signed. Usually you use
self-signed certificates when two internal servers communicate with each
other, as in this instance.
Thus, to get WAS and WP to access LDAP over SSL, you need the LDAP
server certificates in the WAS and WP key storage files. The certificate trust
chain can consist of one self-signed certificate or a CA where the CA has
confirmed the identity and validity of the certificate.


Setting Up the Server Certificates
Do the following to set up an LDAP server (except Active Directory) over
SSL:
1. This step applies to users who need to generate a self-signed
certificate. If you are importing a CA certificate (which is
base64-encoded ASCII data and has a .arm extension), skip to step 2.
a. Execute your security key management utility, such as gsk6ikm.
b. Create a CMS Key Database file or open an existing file, and create
a new self-signed certificate using the X.509 version 3 format and a
1024-bit key size. Assign the certificate a label and remember it.
