Configuring application login security in the embedded web application server

If the system is configured to use the embedded web application server, configure application login security settings to specify information that enables users to be authenticated when they log in to administer the system or when they log in to applications. If the system is configured to use WebSphere® Application Server, authentication must be configured through WebSphere Application Server global security settings.

About this task

If you installed a Lightweight Directory Access Protocol (LDAP) server or a secure LDAP (LDAPS) server, you can configure the system to use the LDAP user registry to authenticate users. To ensure that the configuration is set up correctly, you can test the system's ability to connect to the LDAP server. You can also test the validity of user names and group names in the LDAP user registry.

Before you configure embedded application login security, you must gather information about your LDAP server. The configuration data depends on the type of LDAP product that you use and how it is configured in your environment.

Restriction: All data source servers that you include in the Watson Content Analytics system must refer to the same LDAP server.

Procedure

To configure application login security:

  1. Click Security to open the Security view.
  2. In the application login security area, click Actions > Configure application login settings.
  3. On the Configure Application Login Settings page, select the check boxes to require users to log in and to use the LDAP server to authenticate users.
    Tip: You can select a check box to allow the default Watson Content Analytics administrator ID to access all applications without adding that ID to your LDAP user registry. Because that ID is then authenticated outside the LDAP registry, its password is not governed by your directory's password and lockout policies, so protect it accordingly and limit its use to administration.
  4. Specify information about the LDAP server that you installed to support login authentication:
    • You must identify the host name, port, and any credentials that are required to access the server. For the supported LDAP server types, the typical default port is 389 for LDAP and 636 for LDAPS. A simple bind over port 389 without TLS sends the bind DN and its password in clear text, so use LDAPS wherever the directory supports it.
    • If your LDAP server supports encrypted communication through transport layer security, you must configure SSL and server transport settings before you select the Use LDAP over SSL (LDAPS) check box. For details, see Configuring SSL and server transport settings for the embedded web application server.
    • The format of the user name that you specify as the bind credential (a distinguished name) depends on your LDAP server configuration, but here are some examples of common formats:
      • If you use Microsoft Active Directory, a typical format for the user name is CN=Administrator,CN=Users,DC=analytics,DC=location,DC=org,DC=com. In UPN format, this user name is shown as Administrator@analytics.location.org.com.
      • If you use IBM® Lotus® Domino®, a typical format for the user name is cn=admin,o=analytics. In the Domino server, this user name is shown as admin/analytics.
      • If you use IBM Tivoli® Directory Server, a typical format for the user name is uid=administrator,o=analytics.
    • If you plan to support SSO authentication, specify the realm name of the user repository that you plan to associate with the Watson Content Analytics embedded application server. If you use WebSphere Application Server, the realm name is configured in the global security settings. If the repository is a federated repository, the realm name is configured in the federated repositories settings.
    • Specify whether entries in the LDAP registry are to be recursively searched, and whether the application server is to reuse connections to the LDAP server.
    • Specify how long the registry is to be searched before the request expires. Use m to indicate minutes and s to indicate seconds. For example, specify time values like 2m, 120s, or 1m30s.
  5. Click Test LDAP Server Connection. To be able to find user and group entries in the LDAP registry, the search server must successfully connect to the LDAP server.
  6. Specify filters for searching the user registry to find user names and group names, filters for mapping a user name or group name to an LDAP entry, and a filter for identifying which groups a user is a member of. After you specify LDAP filter properties, test that the configuration settings are valid for your LDAP server:
    1. To test the User filter and User ID map values, click Test User Filters, and then enter a valid user name and password. If the login is successful, then the configuration of LDAP user filters is likely correct.
    2. To test the Group filter value, click Test Group Filters, and then enter a valid group name. If the system can retrieve information about the group, then the configuration of LDAP group filters is likely correct.
    3. To test the system's ability to retrieve information about the groups that a member belongs to, click Test Group Information, and then enter a valid user name (not a fully qualified distinguished name). This action tests the interaction of values in the Group member ID map, Group ID map, User ID map, and User filter fields.
    Tip: The default values for these filters depend on the type of LDAP server that you select. If you change the filter values and then change the LDAP server type, the filter values that you specify persist. To reset the filter values to the default values for a specific LDAP server type, click Restore preset values.
  7. Optional: Configure the LTPA tokens and key file to support single sign-on (SSO) authentication for searching sources that are crawled by crawlers that support SSO. For details, see Configuring SSO support in the embedded web application server.
  8. Restart the Watson Content Analytics system:

    esadmin system stopall
    esadmin system startall
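The tests in steps 5 and 6 are LDAP searches and binds that the embedded server performs with the values you entered. The following script, added here as an example and not part of Watson Content Analytics or its code, generates the equivalent OpenLDAP ldapsearch commands so that you can reproduce each test from a shell and see exactly which filter, scope and attributes are involved. The %v placeholder, the objectclass:attribute form of the ID map fields, the reading of the Group member ID map (left side is the user-entry attribute that lists groups) and the Active Directory default filters are assumptions modelled on the WebSphere Application Server stand-alone LDAP registry conventions that these field names come from; the host name is invented.

```python
"""Generate ldapsearch commands that mirror the LDAP tests in steps 5 and 6.

Added example; not product code. Filter and ID map conventions are assumed
(WebSphere-style), and the default values below are assumptions for Active
Directory.
"""
import re
import shlex
from typing import Dict, List, Optional

# Constructed sample settings, following the Active Directory example on the page.
AD_SETTINGS: Dict[str, str] = {
    "host": "ldap.analytics.location.org.com",   # assumed host name
    "port": "636",                               # LDAPS default port
    "ldaps": "true",
    "bind_dn": "CN=Administrator,CN=Users,DC=analytics,DC=location,DC=org,DC=com",
    "base_dn": "DC=analytics,DC=location,DC=org,DC=com",
    "timeout": "1m30s",                          # page syntax: 2m, 120s, 1m30s
    # Assumed WebSphere-style defaults for the Active Directory server type.
    "user_filter": "(&(sAMAccountName=%v)(objectcategory=user))",
    "user_id_map": "user:sAMAccountName",
    "group_filter": "(&(cn=%v)(objectcategory=group))",
    "group_id_map": "*:cn",
    "group_member_id_map": "memberof:member",
}

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value that is substituted into a search filter.
    Without it, a name such as "*" or "admin)(objectcategory=*" rewrites the
    filter (LDAP filter injection) and the test matches the wrong entry."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def render_filter(template: str, value: str) -> str:
    """Put the entered user or group name into the %v placeholder, escaped."""
    return template.replace("%v", escape_filter_value(value))

_TIMEOUT_RE = re.compile(r"^(?:(\d+)m)?(?:(\d+)s)?$")

def timeout_seconds(spec: str) -> int:
    """Parse the page's timeout syntax (2m, 120s, 1m30s) into seconds."""
    m = _TIMEOUT_RE.match(spec)
    if not spec or not m:
        raise ValueError(f"bad timeout {spec!r}: use forms such as 2m, 120s or 1m30s")
    minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return minutes * 60 + seconds

def id_map_attr(id_map: str) -> str:
    """'user:sAMAccountName' -> 'sAMAccountName'; '*:cn' -> 'cn' (assumed form)."""
    return id_map.split(":", 1)[1]

def user_side_group_attrs(group_member_id_map: str) -> List[str]:
    """Assumed: each 'userAttr:groupAttr' pair names the user-entry attribute that
    lists group DNs, e.g. 'memberof:member' -> ['memberof']."""
    attrs: List[str] = []
    for pair in group_member_id_map.split(";"):
        attr = pair.split(":", 1)[0]
        if attr not in attrs:
            attrs.append(attr)
    return attrs

def ldap_url(settings: Dict[str, str]) -> str:
    scheme = "ldaps" if settings["ldaps"] == "true" else "ldap"
    return f"{scheme}://{settings['host']}:{settings['port']}"

def ldapsearch_argv(settings: Dict[str, str], scope: str, filt: str,
                    attrs: List[str], bind_dn: Optional[str] = None) -> List[str]:
    """argv for an OpenLDAP ldapsearch with a simple bind (-W prompts for the password,
    -l is the search time limit in seconds)."""
    return ["ldapsearch", "-x", "-LLL", "-H", ldap_url(settings),
            "-l", str(timeout_seconds(settings["timeout"])),
            "-D", bind_dn or settings["bind_dn"], "-W",
            "-b", settings["base_dn"], "-s", scope, filt, *attrs]

def connection_test(settings: Dict[str, str]) -> List[str]:
    """Step 5: bind with the configured credentials and read the base entry."""
    return ldapsearch_argv(settings, "base", "(objectclass=*)", ["dn"])

def user_filter_test(settings: Dict[str, str], user_name: str) -> List[str]:
    """Step 6.1, first half: resolve the name with the User filter / User ID map."""
    return ldapsearch_argv(settings, "sub", render_filter(settings["user_filter"], user_name),
                           [id_map_attr(settings["user_id_map"])])

def user_bind_test(settings: Dict[str, str], user_dn: str) -> List[str]:
    """Step 6.1, second half: bind as the DN the search returned, with that user's password."""
    return ldapsearch_argv(settings, "base", "(objectclass=*)", ["dn"], bind_dn=user_dn)

def group_filter_test(settings: Dict[str, str], group_name: str) -> List[str]:
    """Step 6.2: resolve the group name with the Group filter / Group ID map."""
    return ldapsearch_argv(settings, "sub", render_filter(settings["group_filter"], group_name),
                           [id_map_attr(settings["group_id_map"])])

def group_info_test(settings: Dict[str, str], user_name: str) -> List[str]:
    """Step 6.3: find the user, then read the attribute(s) that list its groups."""
    return ldapsearch_argv(settings, "sub", render_filter(settings["user_filter"], user_name),
                           user_side_group_attrs(settings["group_member_id_map"]))

if __name__ == "__main__":
    for label, argv in [("connection", connection_test(AD_SETTINGS)),
                        ("user filter", user_filter_test(AD_SETTINGS, "jsmith")),
                        ("group filter", group_filter_test(AD_SETTINGS, "analysts")),
                        ("group info", group_info_test(AD_SETTINGS, "jsmith"))]:
        print(f"# {label}\n{shlex.join(argv)}")
```

Run the printed commands from a host that can reach the directory. ldapsearch verifies the LDAPS server certificate according to your ldap.conf TLS_CACERT setting; do not work around a certificate failure with TLS_REQCERT never, fix the trust store instead, because the same trust decision applies to the embedded server once you enable Use LDAP over SSL (LDAPS).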