Configuring global security in WebSphere Lombardi Edition V7.2 using Tivoli Directory Server V6.3

Learn how to configure global security in IBM® WebSphere® Lombardi® Edition V7.2 using an LDAP server. This helps enterprise users to log in and use the various applications in Lombardi Edition and allows the IT department better access control. This tutorial uses IBM Tivoli® Directory Server V6.3 as the LDAP server and IBM DB2® as the database.

Ashok Iyengar (ashoki@us.ibm.com), Executive IT Specialist, IBM China

Ashok Iyengar is a member of the IBM Software Services for WebSphere (ISSW) Pre-sales Tech Team. He has worked extensively with the WebSphere Business Integration platform doing proof of concepts, pilots, and architecture design. He enjoys writing. Ashok’s latest book is WebSphere Business Integration Primer.



26 January 2011


Introduction

WebSphere Lombardi Edition V7.2 (hereafter called Lombardi Edition) offers better integration options to WebSphere Process Server, iLOG, FileNet, and DB2®. A Lightweight Directory Access Protocol (LDAP) server is a directory repository that stores user information (such as user IDs and passwords) and authenticates users. This tutorial shows how to configure global security in Lombardi Edition using an LDAP server. This enables enterprise users in the LDAP to log in and use the various applications in Lombardi Edition and allows the IT department better access control. The LDAP server used in this example is Tivoli Directory Server V6.3, which uses DB2 as its database.

Objectives

In this tutorial, you will learn how to:

  • Install and configure Tivoli Directory Server.
  • Create and import an LDAP Data Interchange Format (LDIF) file.
  • Configure WebSphere security using federated repositories.

Prerequisites

You need to be familiar with:

  • WebSphere Lombardi Edition V7.2
  • An LDAP server and LDAP schema
  • A relational database system like DB2

System requirements

You need WebSphere Lombardi Edition V7.2 running on a distributed platform with access to DB2 V9.7.1. You have the option to install Tivoli Directory Server V6.3 on a Windows® server or a Linux platform.

Duration

2 hours


Installing Lombardi Edition V7.2

This tutorial assumes that you have successfully installed WebSphere Lombardi Edition 7.2. In this tutorial, <WLE_HOME> refers to C:\IBM\Lombardi720.

  1. Go to <WLE_HOME>/AppServer/profiles/Lombardi/bin. Use the serverStatus utility to find out if server1 is running. Enter the command serverStatus -all.
  2. Make sure you can bring up the Integrated Solutions Console, commonly known as the WebSphere Administrative Console. The default URL is http://<HOST_NAME>:9060/ibm/console.
    1. If you can log in using tw_user as the user ID and password, it will confirm that server1 is working correctly.
    2. You may now log off.

Installing Tivoli Directory Server V6.3

The assumption is that you have a DB2 installation and an instance of WebSphere Application Server (hereafter called Application Server).

Note: Tivoli Directory Server V6.3 is not supported on Windows XP. You may use a Windows server or a Linux machine.

  1. Go to the TDS source folder, <TDS_SOURCE>/TDS/tds. Invoke install_tds.exe. After the Welcome screen and the license agreement, the Tivoli Directory Server installation wizard detects the DB2 instance on the system.
  2. Choose Custom installation as shown in Figure 1 because you will not be installing all of the features.
    Figure 1. Tivoli Directory Server installation type choices
  3. You can de-select Embedded WebSphere Application Server from the feature list as shown in Figure 2 because you will use an existing instance of Application Server. DB2 should already be unselected.
    Figure 2. Tivoli Directory Server installation features
  4. The Tivoli Directory Server install wizard detects any and all Application Server instances.
  5. From the list of instances it picked up, we decided to use the embedded AppServer under Lombardi Edition V7.2, as shown in Figure 3.
    Figure 3. Choosing WebSphere Application Server
  6. On the Summary screen, click Install.
  7. When the installation is complete, click Finish. You will notice that the Tivoli Directory Server Instance Administration Tool is being launched.

The next step is to create a directory server instance and an administrator for that instance.


Creating a Tivoli Directory Server instance

  1. Launch the Tivoli Directory Server Instance Administration Tool, if it is not started already (Start > All Programs > IBM Tivoli Directory Server 6.3 > Instance Administration Tool).
  2. Click Create an instance.
  3. Create a new directory server instance rather than the default one because it offers better control.
  4. Create a user named dsrdbm01 and use that user in the directory instance details screen as shown in Figure 4. Provide an encryption seed string.
    Figure 4. Creating a new directory server instance
  5. Name the DB2 instance DSRDBM01.
    1. Make sure the box is checked to Listen on all configured IP addresses.
    2. Accept the default port settings. The unsecure server port is 389 and the secure one is 636. The unsecure administration port is 3538 and the secure administration port is 3539.
  6. Choose to configure the Administrator Distinguished Name (DN), password, and database. We recommend that you keep the default Administrator DN of cn=root. You have to provide a password, as shown in Figure 5.
    Figure 5. Configuring administration DN and password
  7. Provide a database user name and password:
    1. Create an associated database named DSRDBM01.
    2. Choose to create a universal DB2 database and provide the database installation location.
  8. On the settings verification page, click Finish.
  9. After the configuration is done and the servers have been started, you see a new entry in the Instance Administration Tool as shown in Figure 6.
    Figure 6. Configuring administration DN and password

Configuring Tivoli Directory Server V6.3

You can bring up the instance administration tool, also known as the Tivoli Directory Server Configuration Tool, to manage LDAP suffixes and perform LDIF-related tasks.

  1. In the Tivoli Directory Server Configuration Tool, click Manage suffixes.
    1. In the Suffix DN field, enter dc=ibm,dc=com and click Add.
    2. Click OK.
    3. If the server is already running, you are asked to stop the server. Click Yes.
  2. Expand LDIF tasks. Click Import LDIF data.
    1. Click the Browse button and find the ldif file to import.
    2. If you import the provided sample WLEUsers.ldif file, the message says 22 entries were successfully imported.
    3. Click OK.
  3. Figure 7 shows a view of the imported LDAP tree. Notice that all of the default Lombardi Edition users, groups, and others exist under DN: dc=ibm,dc=com.
    Figure 7. LDAP tree under DN: dc=ibm, dc=com

Configuring the Tivoli Directory Server as an additional repository in Lombardi Edition

Before you start, remember to back up the security.xml file. It is located in <WLE_HOME>/AppServer/profiles/AppSrv01/config/cells/<CELL_NAME>.

  1. Go to <WLE_HOME>/AppServer/profiles/Lombardi/bin. Use the serverStatus utility to ensure that server1 is running.
  2. Bring up the WebSphere Administrative Console. Log in using tw_user as the user ID and password.
  3. Expand Security and click Global security.
    1. In the User account repository section, Federated repositories should already be selected.
    2. Click Configure, as shown in Figure 8.
      Figure 8. Specifying the realm
  4. Under Related Items, click Manage repositories. Click Add to add a new repository, Tivoli Directory Server.
  5. Enter the following values:
    1. Give the repository an identifier, such as TDS.
    2. The directory type is IBM Tivoli Directory Server.
    3. Enter the primary host name. This is the machine where TDS is running.
    4. Leave the port as 389.
    5. The login property is uid.
    6. Leave the remaining default settings as shown in Figure 9.
    7. Click Apply.
    Figure 9. LDAP configuration
  6. Under Additional Properties, click LDAP entity types.
  7. Click Group.
    1. In ObjectClasses, enter groupOfUniqueNames (this is case sensitive).
    2. In Search bases, enter dc=ibm,dc=com. If you remember, that is the suffix you created in LDAP.
    3. Click OK.
  8. Click PersonAccount.
    1. In ObjectClasses, enter inetOrgPerson (this is case sensitive).
    2. Click OK.

    You will see the Object Classes changes in the LDAP entity types screen.

    Tip: You will need a DN suffix to work with. We recommend that you use a simple suffix like dc=<COMPANY_NAME>,dc=com. This suffix also becomes the root of your LDIF file.

  9. Back on the Federated repositories screen, click Add Base entry to Realm.
    1. Enter the suffix (dc=ibm,dc=com) as the distinguished name of a base entry that uniquely identifies entries in the realm. It means that anything with “dc=ibm,dc=com” will be sent to LDAP.
    2. You may choose to add it as the base entry in this repository. It specifies that when searching the LDAP directory, start here.
    3. Click OK.
  10. You now see the new repository, TDS, added to the federated repository list along with the base entry.
    Figure 10. TDS repository
  11. Click OK and save the changes to the master repository.
  12. Go back to the Global security screen.
    1. Under Authentication, expand Web and SIP security.
    2. Click Single sign-on (SSO).
    3. Check the Enabled box.
    4. Enter ibm.com for the Domain name. This specifies the domain name that contains a set of hosts to which SSO applies.
    5. Check the box for Web inbound security attribute propagation.
    6. Click OK.

Verifying the security settings

For the security changes to take effect, you have to restart Lombardi Edition server1.

  1. Log out of the Integrated Solutions Console.
    1. Stop and start the Lombardi Edition servers. At a minimum, you need to restart server1.
    2. An easy way to do that is via the command line. In a command window, go to <WLE_HOME>/AppServer/profiles/Lombardi/bin.
    3. To stop, enter stopServer server1.
    4. To start, enter startServer server1.
  2. Bring up the Integrated Solutions Console again and log in using tw_user as the user ID and password.

    Tip: If you cannot log in, you can replace <WLE_HOME>/profiles/<PROFILE_NAME>/config/cells/<CELL_NAME>/security.xml with the backup copy and restart the server.

    Or:

    Use the wsadmin command: wsadmin -conntype none. At the wsadmin prompt, enter securityoff, then exit.

  3. Go to Users and Groups > Manage Users.
    1. Search for the wild character * on User ID.
    2. You now see users from all the repositories.

    Figure 11 shows the user IDs from both repositories: internal and TDS.

    Warning: You cannot have the same user ID in two repositories. In this example, you see two entries each for tw_admin, tw_author, tw_portal_admin, and tw_runtime_server. You will have to delete one entry of each duplicate pair, most likely the one in the new LDAP schema. We recommend that you keep the original users in the file-based repository. The other option is to use a standalone LDAP configuration rather than a federated repository.

    Figure 11. User search results
  4. Optionally, as a quick workaround, you can go to Users and Groups > Administrative user roles.
    1. Click Add.
    2. Highlight Administrator role.
    3. Search for users using the wild character *.
    4. Choose admin and map it to the administrator role. Click OK.

    You see two users (tw_user and admin) in Administrator role. That means you can now log into the Integrated Solutions Console using the admin user ID from Tivoli Directory Server.

  5. You may log out and test by logging back into the Integrated Solutions Console using admin as the user ID.
  6. A better test is to bring up Lombardi Process Center (http://<WLE_HOST>:19086/ProcessCenter) or Lombardi Process Portal (http://<WLE_HOST>:19086/portal), and log in using admin (or any other user from LDAP). Figure 12 shows a screenshot of admin logged into Lombardi Process Portal.
    Figure 12. User search results

That is it. The next steps, if necessary, are to configure single sign-on (SSO) between Lombardi Edition and other applications like WebSphere Portal.


Other considerations

You can follow the usual WebSphere global security configuration procedure for enabling security in Lombardi Edition V7.2 with any LDAP server. If you are familiar with configuring security in WebSphere Process Server, the steps are similar. The most interesting task might be getting the LDAP server set up and populated with an LDIF file. Remember to work with a simple DN suffix, something that matches the enterprise’s domain.

If you are using federated repositories, remember that you cannot have the same user ID in two user repositories.


Appendix: WLEUsers.ldif

Notice that tw_user is not in the LDIF file. The reason is that we decided to use federated repositories, which in this case is a combination of two repositories: the internal file-based repository and Tivoli Directory Server. Also note that tw_user is a key built-in user ID in the file-based realm.

You can easily modify the LDIF file shown in Listing 1 to suit any DN suffix. The only requirement is that the suffix needs to be created in LDAP before you can import the file.

Listing 1. WLEUsers.ldif
##
# Make sure the suffix dc=ibm,dc=com exists before importing this ldif file
##
dn: dc=ibm,dc=com
objectclass: domain
objectclass: top
## The dc attribute holds the first component of your suffix (ibm for dc=ibm,dc=com)
dc: ibm

dn: cn=users,dc=ibm,dc=com
objectclass: container
objectclass: top
cn: users

dn: cn=groups,dc=ibm,dc=com
objectclass: top
objectclass: container
cn: groups

## WLE default users. Do not change
dn: uid=tw_admin,cn=users,dc=ibm,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: tw_admin
userpassword: tw_admin
sn: admin
givenName: tw
cn: tw_admin

dn: uid=tw_author,cn=users,dc=ibm,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: tw_author
userpassword: tw_author
sn: author
givenName: tw
cn: tw_author

dn: uid=tw_webservice,cn=users,dc=ibm,dc=com
objectclass: organizationalPerson
objectclass: person
objectclass: top
objectclass: inetOrgPerson
uid: tw_webservice
userpassword: tw_webservice
sn: webservice
givenName: tw
cn: tw_webservice

dn: uid=tw_portal_admin,cn=users,dc=ibm,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: tw_portal_admin
userpassword: tw_portal_admin
sn: admin
givenName: tw_portal
cn: tw_portal_admin

dn: uid=tw_runtime_server,cn=users,dc=ibm,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: tw_runtime_server
userpassword: tw_runtime_server
sn: server
givenName: tw_runtime
cn: tw_runtime_server


## WAS admin user
dn: uid=admin,cn=users,dc=ibm,dc=com
objectclass: organizationalPerson
objectclass: person
objectclass: top
objectclass: inetOrgPerson
uid: admin
userpassword: admin
sn: admin
givenName: admin
cn: admin


## WLE default groups. Do not change
dn: cn=tw_admins,cn=groups,dc=ibm,dc=com
objectclass: groupOfUniqueNames
objectclass: top
uniquemember: uid=tw_admin,cn=users,dc=ibm,dc=com
uniquemember: uid=admin,cn=users,dc=ibm,dc=com
cn: tw_admins

dn: cn=tw_authors,cn=groups,dc=ibm,dc=com
objectclass: groupOfUniqueNames
objectclass: top
uniquemember: uid=tw_admin,cn=users,dc=ibm,dc=com
uniquemember: uid=tw_author,cn=users,dc=ibm,dc=com
cn: tw_authors

dn: cn=tw_portal_admins,cn=groups,dc=ibm,dc=com
objectclass: groupOfUniqueNames
objectclass: top
uniquemember: uid=tw_portal_admin,cn=users,dc=ibm,dc=com
cn: tw_portal_admins

dn: cn=Debug,cn=groups,dc=ibm,dc=com
objectclass: groupOfUniqueNames
objectclass: top
uniquemember: uid=tw_admin,cn=users,dc=ibm,dc=com
cn: Debug

dn: cn=tw_allusers,cn=groups,dc=ibm,dc=com
objectclass: groupOfUniqueNames
objectclass: top
uniquemember: uid=tw_admin,cn=users,dc=ibm,dc=com
uniquemember: uid=tw_author,cn=users,dc=ibm,dc=com
uniquemember: uid=tw_webservice,cn=users,dc=ibm,dc=com
uniquemember: uid=tw_portal_admin,cn=users,dc=ibm,dc=com
uniquemember: uid=admin,cn=users,dc=ibm,dc=com
cn: tw_allusers

## Additional users and groups that can be customized
dn: uid=tw_user1,cn=users,dc=ibm,dc=com
objectclass: organizationalPerson
objectclass: person
objectclass: top
objectclass: inetOrgPerson
uid: tw_user1
userpassword: tw_user1
sn: user1
givenName: tw
cn: tw_user1

dn: uid=tw_user2,cn=users,dc=ibm,dc=com
objectclass: organizationalPerson
objectclass: person
objectclass: top
objectclass: inetOrgPerson
uid: tw_user2
userpassword: tw_user2
sn: user2
givenName: tw
cn: tw_user2

dn: uid=tw_user3,cn=users,dc=ibm,dc=com
objectclass: organizationalPerson
objectclass: person
objectclass: top
objectclass: inetOrgPerson
uid: tw_user3
userpassword: tw_user3
sn: user3
givenName: tw
cn: tw_user3

dn: cn=tw_users,cn=groups,dc=ibm,dc=com
objectclass: groupOfUniqueNames
objectclass: top
uniquemember: uid=tw_user1,cn=users,dc=ibm,dc=com
uniquemember: uid=tw_user2,cn=users,dc=ibm,dc=com
uniquemember: uid=tw_user3,cn=users,dc=ibm,dc=com
cn: tw_users

dn: uid=tw_manager1,cn=users,dc=ibm,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: tw_manager1
userpassword: tw_manager1
sn: manager1
givenName: tw
cn: tw_manager1

dn: uid=tw_manager2,cn=users,dc=ibm,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: tw_manager2
userpassword: tw_manager2
sn: manager2
givenName: tw
cn: tw_manager2

dn: cn=tw_managers,cn=groups,dc=ibm,dc=com
objectclass: groupOfUniqueNames
objectclass: top
uniquemember: uid=tw_manager1,cn=users,dc=ibm,dc=com
uniquemember: uid=tw_manager2,cn=users,dc=ibm,dc=com
cn: tw_managers
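The suffix change suggested above, together with the duplicate-user-ID warning from the verification section, as an added Python example that is not part of the original tutorial: it parses an LDIF file in the shape of Listing 1, flags entries whose RDN value is missing from the entry (one entry in the constructed sample deliberately has that defect), lists uids that also exist in the file-based repository, and rewrites the suffix in every dn and uniquemember value. The sample LDIF and the FILE_REGISTRY_UIDS set are constructed from the page; function names are my own.

```python
# Constructed excerpt in the shape of Listing 1 (not the full file). The
# tw_webservice entry deliberately carries a uid that does not match its DN.
SAMPLE_LDIF = """\
dn: dc=ibm,dc=com
dc: ibm

dn: uid=tw_admin,cn=users,dc=ibm,dc=com
uid: tw_admin

dn: uid=tw_webservice,cn=users,dc=ibm,dc=com
uid: webservice

dn: cn=tw_admins,cn=groups,dc=ibm,dc=com
objectclass: groupOfUniqueNames
uniquemember: uid=tw_admin,cn=users,dc=ibm,dc=com
cn: tw_admins
"""
# Built-in IDs of the file-based repository, as listed in the Warning above.
FILE_REGISTRY_UIDS = {"tw_user", "tw_admin", "tw_author", "tw_portal_admin", "tw_runtime_server"}

def parse_ldif(text):
    """Split LDIF into (dn, [(attr, value), ...]) tuples; comment lines are dropped."""
    entries = []
    for block in text.split("\n\n"):
        pairs = [line.partition(":") for line in block.splitlines()
                 if line.strip() and not line.startswith("#")]
        attrs = [(n.strip().lower(), v.strip()) for n, _, v in pairs]
        if attrs and attrs[0][0] == "dn":
            entries.append((attrs[0][1], attrs[1:]))
    return entries

def rdn_mismatches(entries):
    """DNs whose RDN value is absent from the entry; servers reject these as naming violations."""
    bad = []
    for dn, attrs in entries:
        attr, _, val = dn.split(",", 1)[0].partition("=")
        if (attr.strip().lower(), val.strip()) not in attrs:
            bad.append(dn)
    return bad

def duplicate_uids(entries, file_registry_uids=FILE_REGISTRY_UIDS):
    """uids present both in the LDIF and in the file-based repository; one copy must go."""
    ldap_uids = {v for _, attrs in entries for a, v in attrs if a == "uid"}
    return sorted(ldap_uids & set(file_registry_uids))

def rewrite_suffix(text, old, new):
    """Move every dn:/uniquemember: value from suffix `old` to `new`; fix the root dc value."""
    root_attr, _, root_val = new.split(",", 1)[0].partition("=")
    out, in_root = [], False
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        if key == "dn":
            in_root = value == old
        if sep and key in ("dn", "uniquemember") and value.endswith(old):
            line = f"{name}: {value[:-len(old)]}{new}"
        elif sep and in_root and key == root_attr.strip().lower():
            line = f"{name}: {root_val.strip()}"
        out.append(line)
    return "\n".join(out) + "\n"
```

Run the two checks on the rewritten file before importing it with the Configuration Tool; the suffix it targets must already exist on the server.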

Conclusion

This tutorial showed how to install and configure an LDAP server, specifically Tivoli Directory Server. It then described how to import an LDIF file and configure WebSphere global security using federated repositories. The procedure is the same if you use any other LDAP server and you can import the same LDIF file into any LDAP server.
