Authors
Paul Kelsey : Software Engineer pkelsey@us.ibm.com
Vincent Perrin : Software IT Specialist vincent.perrin@fr.ibm.com
Introduction
Since WebSphere Portal 6.0, WebSphere Portal can be configured to authenticate
users against two or more user directories.
In this scenario, CA Siteminder is responsible for user authentication
with two separate LDAP and WebSphere Portal is also configured to authenticate
users against the same two user directories.
So, we will configure WebSphere Portal in federated repositories mode,
under a single realm.
Environment overview
The environment included the following items:
- IBM WebSphere Portal 6.1 and
WebSphere Application Server 6.1.0.15
- IBM HTTP Server 6.1
- IBM Tivoli Directory Server
6.1 (pdoglinux.raleigh.ibm.com)
- Sun One Directory 5.2.4 (pdogwinxp.raleigh.ibm.com)
- Netegrity Siteminder® 6.0.2
LDAP hierachy
IBM® Tivoli Directory Server 6.1 :
- User Base Search: cn=users, o=ibm, c=us
- Groups: cn=groups, o=ibm, c=us
Sun One Directory 5.2.4 :
- User Base Search: ou=people, dc=raleigh, dc=ibm, dc=com
- Groups: ou=groups, dc=raleigh, dc=ibm, dc=com
Architecture
Installation and configuration
Refer to the topics from the WebSphere
Portal 6.1 Information Center and Siteminder
Documentation listed in the steps below for more detailed instructions
on the steps to install and configure the environment used for this test.
1 Install and configure IBM Tivoli Directory
Server (ITDS) 6.1
2 Install Sun One Directory 5.2.4
3 Install WebSphere Portal 6.1, using the topic
“Setting up a stand-alone production server” in 6.1 Information Center
4 Enable security for WP 6.1 to IBM Tivoli Directory
Server (ITDS) 6.1, using the topic “Configuring the default federated
repository on Windows”
5 Remove the file system repositories.
Note : You must modify the WAS and Portal Admin user using the ConfigEngine
wp-change-was-admin-user and wp-change-portal-admin-user before removing
the file system repositories.
6 Using the WebSphere Admin Console, add a new
base entry for the configured federated repository to Sun One Directory
5.2.4
An alternative method for creating the second LDAP is to use ConfigEngine
wp-create-ldap task as shown in the Information
Center.
7 Install and configure the IBM HTTP Server
using the topic “Setting up a remote Web server with WebSphere Portal”
in WP 6.1 Information Center
8 Verify Portal Security with each LDAP and
IHS WAS Plugin.
9 Install and Configure Siteminder Policy Server
6.0 with Su n One Directory and ITDS, in the User Directories section of
Siteminder Administration.
10 Install Siteminder Web Agent on top of IHS
6.1 using the “SiteMinder® Web Agent Installation Guide”, in my
environment named portal61.
11 Install Siteminder Web Agent for WebSphere
on top of WP 6.1 using the “SiteMinder Agent for IBM WebSphere Guide”,
in my environment named was_portal61.
12 Create a siteminder Domain and associated
both user directories object to it.
13 Create a siteminder realm and one rule to
protect the portal context root, in my case/wps/myportal
Siteminder Admin Console :
Siteminder Realm Dialog Box:
You have to select the IHS Web Agent and /wps/myportal as resvource filter.
Siteminder Rule Dialog Box:
To protect the effective ressource /portal61/wps/myportal*for all action
(Get,Post, Put)
14 Create a policy
In the Users tab, select the Sun One Directory and ITDS
In the Rules tab, add the rule you have created previously.
15 Now, you can try to log in into WebSphere
Portal through Siteminder Authentication process with users from both directories.
16 Open a new brower windows, enter http://[Hostname]/wps/myportal
17 You should be prompted and authenticated
by the Siteminder Web Agent, independant of which directory the user exists.
18 Siteminder Application Server Agent (TAI)
receives DN of logged-in user and is allowed to the protected portal page.
|