This section provides an overview of the information you need to plan security for your IBM® Lotus® Quickr™ for WebSphere Portal environment. Planning is necessary because Lotus Quickr and IBM WebSphere® Application Server require some form of user registry.
What does authentication mean?
Authentication means that users identify themselves to gain access to the system. Users can identify themselves immediately upon entry to the system or they can be challenged by the system when they try to access a protected resource before identifying themselves. The user ID/password combination is the most common method of identifying a user to the system.
It is possible to log in more than once at the same time with the same user ID and password, but doing so can result in unreliable behavior depending on the client or authentication method. For this reason, IBM Lotus Quickr for WebSphere Portal does not support simultaneous multiple logins.
After a user has been authenticated, the system can determine if that user is authorized to access the resources that are requested. See Authorization for more information on accessing resources.
What is a user registry and what are my choices? How is a user repository different from a user registry?
User registries store user account information, such as user ID and password, that can be accessed during authentication. User repositories store user profiles and preference information. A user registry or repository is used to:
- Authenticate a user using basic authentication, identity assertion, or client certificates
- Retrieve user and group information to perform security-related administrative functions such as mapping users and groups to security roles
What is the out-of-box security option and why would I want to use it?
By default, IBM Lotus Quickr for WebSphere Portal is installed with a federated repository with a built-in file repository. The federated repository allows you to add various user registries, realm support for Virtual Portals, and/or property extensions to create a single, working unit. The available user registries that you can add to the federated repository are LDAP user registries, database user registries, and custom user registries.
Using the built-in file repository is not recommended in a production environment. After adding another repository and choosing the administrative users from that repository, you should remove the file repository.
What LDAPs are supported in this release?
For supported LDAPs, see the Supported LDAP directories section in the appropriate Lotus Quickr system requirements.
What is realm support and why would I want to use it?
A realm is a collection of users or groups from one or more branches of your repository tree. Those branches can be part of a single repository, for example an LDAP user registry, or they can span multiple user registries. A realm is then mapped to a Virtual Portal to allow the realm's user population to log in to that Virtual Portal. This functionality allows you to define areas within Lotus Quickr that only a limited set of users can access.
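As an added illustration (not code from the IBM documentation or product), the following Python sketch models the realm-to-Virtual-Portal mapping described above: realm names, base entries (DNs) and portal names are constructed, and the DN matching is a simplification of what the federated repository actually does.

```python
"""Constructed model of realm membership for Virtual Portals.

A realm is fed by one or more base entries (branches) of the repository
tree, possibly from different repositories. Each Virtual Portal is mapped
to one realm, and only users who fall under that realm's branches may log in.
"""
import re

# Constructed realm definitions: realm name -> base entries that feed it.
# "hr" spans two repositories (an LDAP branch and a separate registry suffix).
REALMS = {
    "employees": ["ou=staff,o=example,c=us"],
    "hr":        ["ou=hr,o=example,c=us", "o=hrdb"],
}
# Constructed mapping: Virtual Portal name -> realm allowed to log in.
VIRTUAL_PORTALS = {"intranet": "employees", "hrportal": "hr"}


def normalize_dn(dn: str) -> list:
    """Split a DN into (attribute, value) RDN pairs, ignoring case and the
    whitespace around unescaped commas, so 'OU=HR, O=Example' matches
    'ou=hr,o=example'. An escaped comma (\\,) inside a value is kept."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def in_branch(user_dn: str, base_dn: str) -> bool:
    """True when user_dn lies strictly below base_dn in the tree."""
    user, base = normalize_dn(user_dn), normalize_dn(base_dn)
    return len(user) > len(base) and user[-len(base):] == base


def realms_for_user(user_dn: str) -> set:
    """All realms whose base entries contain the user (may be empty)."""
    return {realm for realm, bases in REALMS.items()
            if any(in_branch(user_dn, b) for b in bases)}


def can_log_in(user_dn: str, portal: str) -> bool:
    """Deny unknown portals and users outside every branch of the portal's realm."""
    realm = VIRTUAL_PORTALS.get(portal)
    return realm is not None and realm in realms_for_user(user_dn)
```

A user whose DN sits under no configured branch belongs to no realm and is denied on every Virtual Portal, which is the intended effect of scoping a realm to specific branches.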
What is single sign-on and why would I want to use it?
The goal of single sign-on is to provide a secure method of authenticating a user one time within an environment and using that single authentication (for the duration of the session) as the basis for access to other applications, systems, and networks. In the context of IBM Lotus Quickr for WebSphere Portal, there are two single sign-on realms: the realm from the client to the portal and other web applications, and the realm from the portal to the back-end applications.
What is Secure Sockets Layer (SSL) and why would I want to use it?
Configuring Lotus Quickr for SSL adds security to the client-portal exchange. It encrypts all traffic between the client browser and the server, so that no one can "eavesdrop" on the information exchanged over the network between the client browser and Lotus Quickr. In addition, assuming that the WebSphere Application Server is also configured to accept (or even require) SSL connections, the LTPA token and other security and session information can be protected against hijacking and replay attacks.
Can I change user registries after I create content?
If user registries are changed after content is created, the previously existing content might become orphaned or otherwise inaccessible. For this reason, it is best to implement your final security strategy before creating content. You should consider this issue when planning your security strategy.