
Enable OmniFind to retrieve WebSphere Portal Document Manager content

Configuring Information Integrator Content Edition streaming


Configuring streaming for content retrieval — with security enabled

This section of the tutorial describes how to configure streaming for content retrieval in an OmniFind Enterprise Edition search application when security is enabled in both WebSphere Application Server V6.1 (where the OmniFind Enterprise Edition search application is deployed) and WebSphere Application Server V6.0 (where the WebSphere Portal server is deployed).

The steps in this section describe how to utilize single sign-on through the Lightweight Third Party Authentication (LTPA) mechanism to authenticate users to the search application and the Portal Document Manager in the WebSphere Portal server. The result is that users can log in to the search application in WebSphere Application Server V6.1, perform a search, and click on any search result to retrieve the document from the Portal Document Manager without being prompted for a user ID and password for the WebSphere Portal server.

Section overview

Figure 29 depicts the tutorial sample configuration after you enable security in both WebSphere Application Server V6.0 and V6.1. The sample configuration makes the following assumptions:

  • When you enable security in WebSphere Application Server V6.0, you use the custom registry, which is the Portal WebSphere Member Manager (WMM) user registry.
  • When you enable security in WebSphere Application Server V6.1, the default user account repository is the federated user repository and existing users are stored in an internal file-based repository in this federated user repository.
  • The users in Figure 29 are already in the existing user registry and file-based repository.

Figure 29. Existing users in the user registry
Graphic depiction of sample configuration with assumptions

Figure 30 depicts the sample configuration after you have added a user (uid=cjinwps, o=Default Organization) to an LDAP user repository (IBM Tivoli Directory Server) and added this LDAP user repository to the federated repository realm in WebSphere Application Server V6.1. This allows you to use this ID to log in to the OmniFind Enterprise Edition search application in WebSphere Application Server V6.1 and click any search result link to retrieve the document from the Portal Document Manager in WebSphere Application Server V6.0 under the same user credential.


Figure 30. The WebSphere Application Server V6.1 user registry after adding cjinwps to LDAP
Sample configuration with the addition of an LDAP repository, which contains the cjinwps user

The high level tasks to configure streaming for content retrieval in an OmniFind Enterprise Edition search application with security enabled are:

Enable security in both WebSphere Application Server V6.0 and V6.1

Follow these steps to enable security in WebSphere Application Server V6.0 and V6.1:

  1. Log into the WebSphere Application Server V6.0 administration console for the server instance where the WebSphere Portal server is deployed.
  2. Go to Security -> Global Security (Figure 31).
  3. Check Enable global security and click Apply.

    Figure 31. Global security
    Screen shot of Global security configuration with Enable global security checked

  4. Save your changes to the master configuration.
  5. Stop and restart the WebSphere Portal server for the change to take effect.
  6. Log into the WebSphere Application Server V6.1 administration console for the server instance where the OmniFind Enterprise Edition search application is deployed.
  7. Go to Security -> Secure administration, applications, and infrastructure (Figure 32).
  8. Check Enable application security and click Apply.

    Figure 32. Enable application security
    Screen shot of application security configuration with Enable application security checked

  9. Save your changes to the master configuration.
  10. Stop and restart the ESSearchServer instance for the change to take effect.




Add a new user (cjinwps) to the LDAP repository

Follow these steps to add a new user named cjinwps to the LDAP repository:

  1. If you have not started the IBM Tivoli Directory Server web administration tool, do so now.

    Go to a command line prompt and change directory to
    <IBM Tivoli Directory Server install directory>\appsrv\bin
    This is the location of the embedded WebSphere Application Server where the Web administration tool is deployed.

    Enter the command startServer server1 to start the server instance for the Web administration tool (Figure 33).

    Figure 33. Run the startServer server1 command
    Screen shot of command line prompt showing startServer command entry and system responses

  2. Go to the IBM Tivoli Directory Server V6 Web administration tool login console by entering its URL in the address field of a Web browser:
    http://<LDAP server hostname>:12100/IDSWebApp/IDSjsp/Login.jsp
  3. On the login console (Figure 34), select the LDAP Hostname where the IBM Tivoli Directory Server instance is located and running. Enter the administration user name (usually cn=root) and password. Click Login.

    Figure 34. Tivoli Directory Server Web administration tool login
    Tivoli Directory Server Web administration tool login

  4. After logging in, go to Server administration -> Manage server properties (Figure 35).

    Figure 35. Manage server properties
    Screen shot of the Manage server properties screen

  5. Click on Suffixes.
  6. Follow these steps to create a root entry for the organization o=Default Organization:
    1. On the Manage server properties — Suffixes screen (Figure 36), enter o=Default Organization in the Suffix DN field and click Add.

      Figure 36. Manage server properties — Suffixes
      Screen shot of Manage server properties screen with Suffixes selected

    2. Go to Directory management -> Add an entry (Figure 37). For the Structural object classes, select organization and click Next.

      Figure 37. Add an entry
      Screen shot of Add an entry screen

    3. On the next screen, where you are asked to select auxiliary object classes, leave everything as it is and click Next.
    4. On the Enter the attributes screen (Figure 38), enter o=Default Organization in the Relative DN field and click Finish.

      Figure 38. Add an entry
      Screen shot of Add an entry with o=Default Organization entered into Relative DN field

    5. Go to Directory management -> Manage entries (Figure 39) and verify that the root organization entry has been added.

      Figure 39. Verify the root organization entry
      Screen shot of the Manage entries screen with o=Default Organization entry showing in list

  7. Follow these steps to add an entry for a user named cjinwps under the root organization entry you just created:
    1. Go to Directory management -> Add an entry.
    2. Select inetOrgPerson and click Next.
    3. On the Select auxiliary object classes screen, just leave everything as it is and click Next.
    4. On the Enter the attributes screen (Figure 40), enter uid=cjinwps in the Relative DN field and o=Default Organization in the Parent DN field. Under Required attributes, enter Test WPS in the cn field and WPS in the sn field. Under Optional attributes, enter cjinwps in the uid field and the corresponding password in the userPassword field. Click Finish.

      Figure 40. Adding an entry
      Screen shot of Adding an entry screen with field values entered as described above





Join the LDAP repository to the federated repository

Follow the steps below to add the LDAP repository to the federated repository in WAS 6.1. This enables the new user ID named cjinwps that you just created in the LDAP server to be found in the federated repository.

  1. Log into the WebSphere Application Server V6.1 administration console for the server instance where the OmniFind Enterprise Edition search application is deployed.
  2. Go to Security -> Secure administration, applications, and infrastructure (Figure 41).
  3. Confirm that Federated repositories is set as the Current realm definition. If it is not, select Federated repositories from the Available realm definitions list and click Set as current.
  4. Select Federated repositories from the Available realm definitions list and click Configure.

    Figure 41. Secure administration, applications, and infrastructure screen
    Screen shot of Secure administration, applications, and infrastructure screen with Federated repositories showing as Current realm definition

  5. From the next screen, click on Manage Repositories under Related Items to get to the Manage Repositories screen (Figure 42). Click Add.

    Figure 42. Manage repositories
    Screen shot of Manage repositories screen

  6. On the Add new LDAP repository screen (Figure 43), enter LDAPV6Apollocj (or any other name that you want to use) as the Repository identifier. Select IBM Tivoli Directory Server Version 6 as the directory type. Enter the host name of the system where the LDAP server instance is created and running as the Primary host name. Enter the Bind distinguished name (usually cn=root) and the Bind password in the appropriate fields. Leave the default values for the other fields and click OK.

    Figure 43. Add the LDAP repository
    Add the LDAP repository

  7. You should now see the LDAP repository in the list of repositories (Figure 44). Save your changes to the master configuration.
  8. Click the Federated repositories link.

    Figure 44. LDAP repository
    Screen shot of LDAP repository screen with LDAPV6Apollocj showing in list

  9. On the Federated repositories configuration screen (Figure 45), click Add Base entry to Realm….

    Figure 45. Federated repositories
    Screen shot of Federated repositories screen

  10. On the Repository reference screen (Figure 46), select LDAPV6Apollocj as the repository and enter o=Default Organization for both fields that follow. Click OK.

    Figure 46. Repository reference screen
    Screen shot of Repository reference screen

  11. Save your changes to the master configuration.
  12. Verify that you now see a new entry under the Repositories in the realm section of the Federated repositories configuration screen (Figure 47).

    Figure 47. Repositories in the realm
    Screen shot of the Federated repositories configuration screen with a new entry for o=Default Organization in the Repositories in the realm

  13. Now verify that the users in the LDAP server can be searched. From the WebSphere Application Server V6.1 administration console, go to Users and Groups -> Manage Users (Figure 48).

    Figure 48. Manage users
    Screen shot of the Manage users console

  14. Click Search to retrieve all the users in the federated repository (Figure 49). Verify that you see the entry for the user you just added to the LDAP server. The Unique name should appear as: uid=cjinwps,o=Default Organization.

    Figure 49. Search for users results
    Screen shot of Search for users results with an entry for uid=cjinwps,o=Default Organization





Configure federated repository realm name

Follow the steps below to configure the federated repository realm name. These steps ensure that the user ID named cjinwps in the federated repository and user ID named cjinwps in the Portal WMM registry are in the same realm. This is a requirement for single sign-on to work.

  1. Log into the WebSphere Application Server V6.1 administration console for the server instance where the OmniFind Enterprise Edition search application is deployed.
  2. Go to Security -> Secure administration, applications, and infrastructure.
  3. Select Federated repositories from the Available realm definitions list and click Configure.
  4. From the Federated repositories configuration screen (Figure 50), change the Realm name to WMMRealm and click OK. You need to use WMMRealm here because this is the realm associated with the Portal WMM registry. In any single sign-on scenario, the realm needs to be the same across WebSphere Application Server cells.

    Figure 50. Configure federated repository realm name
    Screen shot of Federated repositories configuration screen with WMMRealm entered in the Realm name field

  5. Save to the master configuration.




Synchronize the LTPA key from WebSphere Application Server V6.1 to V6.0

Follow these steps to synchronize the LTPA key from WebSphere Application Server V6.1 to V6.0:

  1. Log into the WebSphere Application Server V6.1 administration console for the server instance where the OmniFind Enterprise Edition search application is deployed.
  2. Go to Security -> Secure administration, applications, and infrastructure.
  3. Select Authentication mechanisms and expiration.
  4. Navigate to the Cross-cell single sign-on section (Figure 51). Enter a password of your choosing and a fully qualified key file name of your choosing (for example, C:\ExportedKey.txt). Click Export keys to export the LTPA key from WebSphere Application Server V6.1 to the specified file.

    Figure 51. Cross-cell single sign-on
    Screen shot of Cross-cell single sign-on

  5. Log into the WebSphere Application Server V6.0 administration console for the server instance where the WebSphere Portal server is deployed.
  6. Go to Security -> Global Security (Figure 52). Confirm that Lightweight Third Party Authentication (LTPA) is selected as the active authentication mechanism and click LTPA under Authentication mechanisms on the right side of the screen.

    Figure 52. Global security
    Screen shot of Global security screen with Lightweight Third Party Authentication (LTPA) selected as the active authentication mechanism

  7. On the LTPA configuration screen (Figure 53), enter the same password you used to export the key out of WebSphere Application Server V6.1 and the name of the file that contains the exported key. Click Import keys to import the LTPA key into WebSphere Application Server V6.0.

    Figure 53. LTPA configuration
    LTPA

  8. You also need to disable automatic key generation in WebSphere Application Server V6.1 so that the key is not regenerated and does not get out of sync with the key imported into WebSphere Application Server V6.0.

    Log into the WebSphere Application Server V6.1 administration console for the server instance where the OmniFind Enterprise Edition search application is deployed.

  9. Go to Security -> Secure administration, applications, and infrastructure.
  10. Select Authentication mechanisms and expiration.
  11. Navigate to the Key generation section (Figure 54) and click Key set groups.

    Figure 54. Key generation
    Screen shot of Key generation configuration screen

  12. On the Key set groups screen (Figure 55), click NodeLTPAKeySetGroup.

    Figure 55. Key set groups
    Screen shot of Key set groups screen

  13. On the NodeLTPAKeySetGroup screen (Figure 56), find the Key generation section. If Automatically generate keys is checked, clear the check box to disable it and click OK.

    Figure 56. NodeLTPAKeySetGroup key generation
    NodeLTPAKeySetGroup key generation

  14. Save to the master configuration.




Configure the SSO token for the OmniFind Enterprise Edition search application

Follow the steps below to configure the name of the LTPA token in the search application’s configuration file. When single sign-on is enabled, a cookie is created that contains the LTPA token and gets inserted into the HTTP response. This LTPA token can then be passed to other WebSphere Application Server instances in the same domain and realm for authentication use, thus avoiding the need for the user to log in again.

Starting with Version 6.0, WebSphere Application Server creates a cookie with the name LtpaToken2 and adds it to each HTTP response. This token uses stronger encryption and also contains the authentication identity. This section explains how to configure the search application to use this token for single sign-on when security is enabled.

  1. On the OmniFind Enterprise Edition server, go to:
    <OmniFind Enterprise Edition Install Directory>\installedApps\ESSearchApplication.ear\ESSearchApplication.war\WEB-INF
  2. Edit the config.properties file.
  3. Find the ssoCookieName property and change its value to LtpaToken2. This tells the search application to look for the LTPA cookie named LtpaToken2 in the HTTP response. If such a cookie is found, the search application goes through the single sign-on route.
    ssoCookieName=LtpaToken2

  4. Remove the values of the vbr.stream.username and vbr.stream.password properties. Because you enabled security and single sign-on, you no longer need the Portal Document Manager user and password information specified in the OmniFind Enterprise Edition search application configuration.
    vbr.stream.username=
    vbr.stream.password=
    





Test content retrieval streaming with security single sign-on enabled

The security single sign-on configuration is now complete. Make sure to stop and restart both the portal server and the OmniFind Enterprise Edition search server (ESSearchServer) instance, so that all the above changes take effect.

Follow these steps to test that content retrieval streaming with security single sign-on enabled is working:

  1. Go to the ESSearchApplication login screen and log in with the cjinwps user ID and the password specified in the IBM Tivoli Directory Server user entry (Figure 59).

    Figure 59. ESSearchApplication log in
    Screen shot of OmniFind Enterprise Edition Log in screen with User name cjinwps and password entered

  2. After logging in, do a search against the Portal Document Manager data source.
  3. Click on one of the links in the search results to verify that you can retrieve the document from the Portal Document Manager.




Verify that content retrieval streaming with security single sign-on enabled works

You can verify that streaming worked by examining the detailed log generated by the OmniFind Enterprise Edition search application and the SystemOut.log from the portal server.

  1. Look at the ESSearchApplication.0.log file in the <OmniFind Node Root>\logs directory. At the bottom of the file you should see log entries similar to the sample shown in Listing 3.

    Listing 3. Sample entries from ESSearchApplication.0.log
    Jan 12, 2009 7:33:21 PM com.ibm.es.searchui.actions.BaseAction
    INFO: getConfigurationProperties - cookies: 
    JSESSIONID=0000Sv-xwZpuxiCgVPUoemgbFdI:-1;LtpaToken2=2I2RqWQn
    M30u/0t4G7YjHQAsKmjAASV/4PG5QmgcvM1AUo5jgTbkC1HNjhRXBUlxrEm
    FUwh886lQnUOd2Uagnx/45ZTkMUL8AA55TJdlODhgUn4VPL6cMSk9ScNQS
    WDNIt6S7poJt/fM20Whb0p7LfcD69nBKfCfpBhY26Cl0xfVgnWjVmRSOZDmC
    HhPIMdXtRRymcE8pCoy1A469zeT79euViUO49mTzLBwDF0fz99GFtx6nmL3
    u/UzQtNw1wMxOJ0IjO+26LyIodxd3yq68ztBgG+EmmjurC4VvP+nnr4Rr+vFK
    atd+fyYq14iZsf780zYo2i
    YP8DdJQ8QAGmG3CNYO0BiWFYuWPDzshepptCHIVHNI+AME3kFLY3ze
    Ygu6TrwwqXQvG2VXBaiAfQZzoQ+thHErjInKRexMIIS19AA/EF5tro7csjsws
    20MUCMi0e8/dhZDrvsE5+T0bpSgQK22y0fYyNVE6wqMAci6qJvhDGOeRfs
    SdveQ+VBlwPZGFoL4xN970Mi8kMp5w0PbyuRY+DFmiFpvf8auYsgbBmttJ7+
    BEZFeBLbwyGe+h6moqXymMLOxntYurqGaltKKBQ45t4GK/G4XZt7ZVVp
    QzPyjfV5lbmwyKc5ecIR/u2hFyh7yrRMDw20/qpY4QsAP9oa3ytq05/oUEioz
    N5sPmk=;
    Jan 12, 2009 7:33:21 PM com.ibm.es.searchui.fetch.ESFetchServlet
    FINE: retrieveContentAsStream - parsing URL
    Jan 12, 2009 7:33:21 PM com.ibm.es.searchui.fetch.ESFetchServlet
    FINE: retrieveContentAsStream - mode: direct
    Jan 12, 2009 7:33:21 PM com.ibm.es.searchui.fetch.ESFetchServlet
    FINE: retrieveContentAsStream - jndiFactory: 
    Jan 12, 2009 7:33:21 PM com.ibm.es.searchui.fetch.ESFetchServlet
    FINE: retrieveContentAsStream - jndiProvider: 
    Jan 12, 2009 7:33:21 PM com.ibm.es.searchui.fetch.ESFetchServlet
    FINE: retrieveContentAsStream - userName: 
    Jan 12, 2009 7:33:21 PM com.ibm.es.searchui.fetch.ESFetchServlet
    FINE: retrieveContentAsStream - logging on to the repository
    Jan 12, 2009 7:33:22 PM com.ibm.es.searchui.fetch.ESFetchServlet
    FINE: retrieveContentAsStream - creating AuthBundle with token: 
    2I2RqWQnM30u/0t4G7YjHQAsKmjAASV/4PG5QmgcvM1AUo5jgTbk
    C1HNjhRXBUlxrEmFUwh886lQnUOd2Uagnx/45ZTkMUL8AA55TJdlO
    DhgUn4VPL6cMSk9ScNQSWDNIt6S7poJt/fM20Whb0p7LfcD69nBKf
    CfpBhY26Cl0xfVgnWjVmRSOZDmCHhPIMdXtRRymcE8pCoy1A469ze
    T79euViUO49mTzLBwDF0fz99GFtx6nmL3u/UzQtNw1wMxOJ0IjO+26Ly
    Iodxd3yq68ztBgG+EmmjurC4VvP+nnr4Rr+vFKatd+fyYq14iZsf780z
    Yo2iYP8DdJQ8QAGmG3CNYO0BiWFYuWPDzshepptCHIVHNI+AM
    E3kFLY3zeYgu6TrwwqXQvG2VXBaiAfQZzoQ+thHErjInKRexMIIS19A
    A/EF5tro7csjsws20MUCMi0e8/dhZDrvsE5+T0bpSgQK22y0fYyNVE6
    wqMAci6qJvhDGOeRfsSdveQ+VBlwPZGFoL4xN970Mi8kMp5w0Pbyu
    RY+DFmiFpvf8auYsgbBmttJ7+BEZFeBLbwyGe+h6moqXymMLOxnt
    YurqGaltKKBQ45t4GK/G4XZt7ZVVpQzPyjfV5lbmwyKc5ecIR/u2hFyh7
    yrRMDw20/qpY4QsAP9oa3ytq05/oUEiozN5sPmk=
    Jan 12, 2009 7:33:23 PM com.ibm.es.searchui.fetch.ESFetchServlet
    FINE: retrieveContentAsStream - logged on to repository: SharedPDMConnector
    Jan 12, 2009 7:33:24 PM com.ibm.es.searchui.fetch.ESFetchServlet
    FINE: retrieveContentAsStream - requesting page #: 1 as a stream
    Jan 12, 2009 7:33:24 PM com.ibm.es.searchui.fetch.ESFetchServlet
    FINE: retrieveContentAsStream - set response header [Content-Type]: application/pdf
    Jan 12, 2009 7:33:24 PM com.ibm.es.searchui.fetch.ESFetchServlet
    FINE: retrieveContentAsStream - set response header [Content-Disposition]: 
    inline;filename="OmniFindEnterprise850_qsg_en.pdf"
    Jan 12, 2009 7:33:24 PM com.ibm.es.searchui.fetch.ESFetchServlet
    INFO: writeFileToStream - returning content
    Jan 12, 2009 7:33:24 PM com.ibm.es.searchui.fetch.ESFetchServlet
    FINE: retrieveContentAsStream - logging off of repository
    Jan 12, 2009 7:33:24 PM com.ibm.es.searchui.fetch.ESFetchServlet
    FINE: in modified code
    Jan 12, 2009 7:33:24 PM com.ibm.es.searchui.fetch.ESFetchServlet
    FINE: retrieveContentAsStream - freeing user instance
    Jan 12, 2009 7:33:24 PM com.ibm.es.searchui.fetch.ESFetchServlet
    INFO: doGet – returning
    

  2. On the portal server, look at the SystemOut.log file under the <WebSphere Portal server install directory>\log directory. You should see log entries similar to what is shown in Listing 4 (due to the length of the lines in the sample, it is contained on a separate page).
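
One way to automate the check in step 1, as an added example that is not part of the original tutorial or of OmniFind: it groups the two-line records of Listing 3, reports whether a fetch took the single sign-on route, and redacts the JSESSIONID and LtpaToken2 values, which the detailed log records in full, before the log is shared. The sample log is constructed, the function names are hypothetical, and reading the blank userName line as the emptied vbr.stream.username property is an assumption.

```python
import re

# Header line of a log record as printed in Listing 3: timestamp, then logger class.
HEADER = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (\S+).*$")
LEVEL = re.compile(r"^(SEVERE|WARNING|INFO|CONFIG|FINE|FINER|FINEST): ?(.*)$")
# Session and SSO token values as they appear in the cookie and AuthBundle messages.
SECRET = re.compile(r"(JSESSIONID=|LtpaToken2=|with token: ?)([^;\s]+)")

# Constructed sample in the layout of Listing 3; the token is a made-up value.
SAMPLE_LOG = """\
Jan 12, 2009 7:33:21 PM com.ibm.es.searchui.actions.BaseAction
INFO: getConfigurationProperties - cookies:
JSESSIONID=0000constructed:-1;LtpaToken2=Q09OU1RSVUNURUQt
VE9LRU4tVkFMVUU=;
Jan 12, 2009 7:33:21 PM com.ibm.es.searchui.fetch.ESFetchServlet
FINE: retrieveContentAsStream - userName:
Jan 12, 2009 7:33:22 PM com.ibm.es.searchui.fetch.ESFetchServlet
FINE: retrieveContentAsStream - creating AuthBundle with token:
Q09OU1RSVUNURUQt
VE9LRU4tVkFMVUU=
Jan 12, 2009 7:33:23 PM com.ibm.es.searchui.fetch.ESFetchServlet
FINE: retrieveContentAsStream - logged on to repository: SharedPDMConnector
Jan 12, 2009 7:33:24 PM com.ibm.es.searchui.fetch.ESFetchServlet
INFO: writeFileToStream - returning content
"""

def parse_records(text):
    """Group each header line, level line and wrapped continuation lines."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            current = {"time": header.group(1), "logger": header.group(2),
                       "level": None, "message": ""}
            records.append(current)
        elif line and current is not None:
            level = LEVEL.match(line)
            if level and current["level"] is None:
                current["level"], current["message"] = level.groups()
            else:
                current["message"] += line  # wrapped token or header value
    return records

def redact(message):
    """Replace session and token values so the log can be shared or archived."""
    return SECRET.sub(lambda m: m.group(1) + "<redacted>", message)

def check_sso_stream(records):
    """Summarise whether a fetch took the single sign-on route."""
    result = {"sso_cookie": False, "token_forwarded": False,
              "stored_user_blank": False, "repository": None, "content_returned": False}
    for rec in records:
        msg = rec["message"]
        if "cookies:" in msg and "LtpaToken2=" in msg:
            result["sso_cookie"] = True
        elif "creating AuthBundle with token:" in msg:
            result["token_forwarded"] = bool(SECRET.search(msg))
        elif msg.endswith("userName:"):  # assumed to mirror vbr.stream.username
            result["stored_user_blank"] = True
        elif "logged on to repository:" in msg:
            result["repository"] = msg.split("repository:", 1)[1].strip()
        elif "writeFileToStream - returning content" in msg:
            result["content_returned"] = True
    return result

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(check_sso_stream(recs), [redact(r["message"]) for r in recs])
```

Because LtpaToken2 is what authenticates the user to the portal server, run the redaction before a log like this leaves the OmniFind server.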




