Authors Paul Kelsey : Software Engineer pkelsey@us.ibm.com Vincent Perrin : Software IT Specialist vincent.perrin@fr.ibm.com
Introduction Since WebSphere Portal 6.0, WebSphere Portal can be configured to authenticate users against two or more user directories. In this scenario, CA Siteminder is responsible for user authentication with two separate LDAP and WebSphere Portal is also configured to authenticate users against the same two user directories. So, we will configure WebSphere Portal in federated repositories mode, under a single realm.
Environment overview The environment included the following items: - IBM WebSphere Portal 6.1 and WebSphere Application Server 6.1.0.15
- IBM HTTP Server 6.1
- IBM Tivoli Directory Server 6.1 (pdoglinux.raleigh.ibm.com)
- Sun One Directory 5.2.4 (pdogwinxp.raleigh.ibm.com)
- Netegrity Siteminder® 6.0.2
LDAP hierachy
IBM® Tivoli Directory Server 6.1 : - User Base Search: cn=users, o=ibm, c=us
- Groups: cn=groups, o=ibm, c=us
Sun One Directory 5.2.4 : - User Base Search: ou=people, dc=raleigh, dc=ibm, dc=com
- Groups: ou=groups, dc=raleigh, dc=ibm, dc=com
Architecture
Installation and configuration
Refer to the topics from the WebSphere Portal 6.1 Information Center and Siteminder Documentation listed in the steps below for more detailed instructions on the steps to install and configure the environment used for this test.
1 Install and configure IBM Tivoli Directory Server (ITDS) 6.1
2 Install Sun One Directory 5.2.4
3 Install WebSphere Portal 6.1, using the topic “Setting up a stand-alone production server” in 6.1 Information Center
4 Enable security for WP 6.1 to IBM Tivoli Directory Server (ITDS) 6.1, using the topic “Configuring the default federated repository on Windows”
5 Remove the file system repositories.
Note : You must modify the WAS and Portal Admin user using the ConfigEngine wp-change-was-admin-user and wp-change-portal-admin-user before removing the file system repositories.
6 Using the WebSphere Admin Console, add a new base entry for the configured federated repository to Sun One Directory 5.2.4
An alternative method for creating the second LDAP is to use ConfigEngine wp-create-ldap task as shown in the Information Center.
7 Install and configure the IBM HTTP Server using the topic “Setting up a remote Web server with WebSphere Portal” in WP 6.1 Information Center
8 Verify Portal Security with each LDAP and IHS WAS Plugin.
9 Install and Configure Siteminder Policy Server 6.0 with Su
n One Directory and ITDS, in the User Directories section of Siteminder Administration.
10 Install Siteminder Web Agent on top of IHS 6.1 using the “SiteMinder® Web Agent Installation Guide”, in my environment named portal61.
11 Install Siteminder Web Agent for WebSphere on top of WP 6.1 using the “SiteMinder Agent for IBM WebSphere Guide”, in my environment named was_portal61.
12 Create a siteminder Domain and associated both user directories object to it.
13 Create a siteminder realm and one rule to protect the portal context root, in my case/wps/myportal
Siteminder Admin Console :
Siteminder Realm Dialog Box:
You have to select the IHS Web Agent and /wps/myportal as resvource filter.
Siteminder Rule Dialog Box:
To protect the effective ressource /portal61/wps/myportal*for all action (Get,Post, Put)
14 Create a policy
In the Users tab, select the Sun One Directory and ITDS
In the Rules tab, add the rule you have created previously.
15 Now, you can try to log in into WebSphere Portal through Siteminder Authentication process with users from both directories.
16 Open a new brower windows, enter http://[Hostname]/wps/myportal
17 You should be prompted and authenticated by the Siteminder Web Agent, independant of which directory the user exists.
18 Siteminder Application Server Agent (TAI) receives DN of logged-in user and is allowed to the protected portal page. |