Paul Kelsey : Software Engineer email@example.com
Vincent Perrin : Software IT Specialist firstname.lastname@example.org
Since WebSphere Portal 6.0, WebSphere Portal can be configured to authenticate
users against two or more user directories.
In this scenario, CA Siteminder is responsible for user authentication
against two separate LDAP directories, and WebSphere Portal is also configured
to authenticate users against the same two user directories.
We will therefore configure WebSphere Portal in federated repositories mode,
under a single realm.
The environment included the following items:
- IBM WebSphere Portal 6.1 and WebSphere Application Server 184.108.40.206
- IBM HTTP Server
- IBM Tivoli Directory Server 6.1 (pdoglinux.raleigh.ibm.com)
- Sun One Directory
- Netegrity Siteminder®
IBM® Tivoli Directory Server 6.1:
- User Base Search: cn=users, o=ibm, c=us
- Groups: cn=groups, o=ibm, c=us
Sun One Directory 5.2.4:
- User Base Search: ou=people, dc=raleigh,
- Groups: ou=groups, dc=raleigh, dc=ibm, dc=com
Installation and configuration
Refer to the topics from the WebSphere Portal 6.1 Information Center and the
Siteminder documentation listed in the steps below for more detailed
instructions on installing and configuring the environment used for this test.
1 Install and configure IBM Tivoli Directory Server (ITDS) 6.1
2 Install Sun One Directory 5.2.4
3 Install WebSphere Portal 6.1, using the topic “Setting up a stand-alone production server” in the 6.1 Information Center
4 Enable security for WP 6.1 to IBM Tivoli Directory Server (ITDS) 6.1, using the topic “Configuring the default federated repository on Windows”
5 Remove the file system repositories.
Note: You must modify the WAS and Portal Admin user using the ConfigEngine
tasks wp-change-was-admin-user and wp-change-portal-admin-user before removing
the file system repositories.
6 Using the WebSphere Admin Console, add a new base entry for Sun One Directory to the configured federated repository.
An alternative method for creating the second LDAP is to use the ConfigEngine
wp-create-ldap task, as shown in the wiki as well as in the infocenter.
7 Install and configure the IBM HTTP Server using the topic “Setting up a remote Web server with WebSphere Portal” in the WP 6.1 Information Center
8 Verify Portal Security with each LDAP and the IHS WAS Plugin.
9 Install and configure Siteminder Policy Server 6.0 with Sun One Directory and ITDS, in the User Directories section of
10 Install Siteminder Web Agent on top of IHS 6.1 using the “SiteMinder® Web Agent Installation Guide”, in my environment named portal61.
11 Install Siteminder Web Agent for WebSphere on top of WP 6.1 using the “SiteMinder Agent for IBM WebSphere Guide”, in my environment named was_portal61.
12 Create a Siteminder domain and associate both user directory objects with it.
13 Create a Siteminder realm and one rule to protect the portal context root, in my case /wps/myportal
Siteminder Admin Console:
Siteminder Realm Dialog Box:
You have to select the IHS Web Agent and /wps/myportal as the resource filter.
Siteminder Rule Dialog Box:
The rule protects the effective resource /portal61/wps/myportal* for all actions.
14 Create a policy
In the Users tab, select the Sun One Directory and ITDS.
In the Rules tab, add the rule you created previously.
15 Now you can try to log in to WebSphere Portal through the Siteminder authentication process with users from both directories.
16 Open a new browser window and enter http://[Hostname]/wps/myportal
17 You should be prompted and authenticated by the Siteminder Web Agent, independent of which directory the user exists in.
18 The Siteminder Application Server Agent (TAI) receives the DN of the logged-in user, and the user is allowed access to the protected portal page.
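
Before testing logins in steps 15 to 18, it helps to confirm that the two directories can share a single realm: a login ID that resolves to entries in both directories is ambiguous, and a user DN outside every configured base entry cannot be resolved at all. The following check is an added example, not part of the original article or of any IBM or CA tooling. It assumes the realm's base entries are o=ibm,c=us and dc=raleigh,dc=ibm,dc=com, that uid is the login attribute, and that each directory has been exported to simple LDIF; the sample exports are constructed.

```python
from collections import defaultdict

# Assumed base entries for the realm, derived from the directory suffixes on this page.
BASE_ENTRIES = {"ITDS": "o=ibm,c=us", "SunOne": "dc=raleigh,dc=ibm,dc=com"}

def rdns(dn):
    """Split a DN into lower-cased RDNs (escaped commas are not handled)."""
    return [part.strip().lower() for part in dn.split(",")]

def repository_for(dn):
    """Return the repository whose base entry is a suffix of dn, or None."""
    parts = rdns(dn)
    for name, base in BASE_ENTRIES.items():
        b = rdns(base)
        if parts[-len(b):] == b:
            return name
    return None

def parse_ldif(text):
    """Yield (dn, uid) pairs from a minimal LDIF export (unfolded, not base64)."""
    for record in text.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in record.splitlines() if ": " in line)
        if "dn" in attrs and "uid" in attrs:
            yield attrs["dn"], attrs["uid"].lower()

def audit(*exports):
    """Return (uids found in more than one repository, DNs outside every base entry)."""
    seen, orphans = defaultdict(set), []
    for text in exports:
        for dn, uid in parse_ldif(text):
            repo = repository_for(dn)
            if repo is None:
                orphans.append(dn)
            else:
                seen[uid].add(repo)
    return {u: sorted(r) for u, r in seen.items() if len(r) > 1}, orphans

# Constructed sample exports, not real directory data.
ITDS_LDIF = """dn: uid=jdoe,cn=users,o=ibm,c=us
uid: jdoe
"""
SUNONE_LDIF = """dn: uid=JDoe, ou=people, dc=raleigh, dc=ibm, dc=com
uid: JDoe

dn: uid=temp1,ou=staging,dc=example,dc=com
uid: temp1
"""

if __name__ == "__main__":
    print(audit(ITDS_LDIF, SUNONE_LDIF))
```

Any uid reported as a duplicate should be renamed or removed from one directory before both directories are attached to the Siteminder policy and the Portal realm.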