If the system is configured to use the embedded web application server, configure application login
security settings to specify information that enables users to be authenticated when they log in to
administer the system or when they log in to applications. If the system is configured to use
WebSphere® Application Server, authentication must be configured through WebSphere Application Server
global security settings.
About this task
If you installed a Lightweight Directory Access Protocol (LDAP) server or a secure LDAP (LDAPS)
server, you can configure the system to use the LDAP user registry to authenticate users. To
ensure that the configuration is set up correctly, you can test the system's ability to connect
to the LDAP server. You can also test the validity of user names and group names in the LDAP
user registry.
Before you configure embedded application login security, you must gather information about your
LDAP server. The configuration data depends on the type of LDAP product that you use and how
it is configured in your environment.
Restriction: All data source servers that you include in the Watson Content Analytics system must refer to the same LDAP server.
Procedure
To configure application login security:
- Click Security to open the Security view.
- In the application login security area, click .
- On the Configure Application Login Settings page, select the check
boxes to require users to log in and to use the LDAP server to authenticate users.
Tip: You can select a check box to allow the default Watson Content Analytics administrator ID to access all applications
without adding that ID to your LDAP user registry.
- Specify information about the LDAP server that you installed to support login authentication:
  - You must identify the host name, port, and any credentials that are required to access the
    server. For the supported LDAP server types, the typical default port is 389.
  - If your LDAP server supports encrypted communication through transport layer security, you must
    configure SSL and server transport settings before you select the Use LDAP over SSL (LDAPS)
    check box. For details, see Configuring SSL and server transport settings for the embedded web
    application server.
  - The format of the base DN depends on your LDAP server configuration, but here are some examples
    of common formats:
    - If you use Microsoft Active Directory, a typical format for the user name is
      CN=Administrator,CN=Users,DC=analytics,DC=location,DC=org,DC=com.
      In UPN format, this user name is shown as Administrator@analytics.location.org.com.
    - If you use IBM® Lotus® Domino®, a typical format for the user name is cn=admin,o=analytics.
      In the Domino server, this user name is shown as admin/analytics.
    - If you use IBM Tivoli® Directory Server, a typical format for the user name is
      uid=administrator,o=analytics.
  - If you plan to support SSO authentication, specify the realm name of the user repository that
    you plan to associate with the Watson Content Analytics embedded application server. If you use
    WebSphere Application Server, the realm name is configured in the global security settings. If
    the repository is a federated repository, the realm name is configured in the federated
    repositories settings.
  - Specify whether entries in the LDAP registry are to be recursively searched, and whether the
    application server is to reuse connections to the LDAP server.
  - Specify how long the registry is to be searched before the request expires. Use m to indicate
    minutes and s to indicate seconds. For example, specify time values like 2m, 120s, or 1m30s.
- Click Test LDAP Server Connection. To be able to find user and group entries in the LDAP registry, the search server must
successfully connect to the LDAP server.
- Specify filters for searching the user registry to find user names and group names,
  filters for mapping a user name or group name to an LDAP entry, and a filter for
  identifying which groups a user is a member of. After you specify LDAP filter properties,
  test that the configuration settings are valid for your LDAP server:
  - To test the User filter and User ID map values, click Test User Filters, and then enter a
    valid user name and password. If the login is successful, then the configuration of LDAP
    user filters is likely correct.
  - To test the Group filter value, click Test Group Filters, and then enter a valid group name.
    If the system can retrieve information about the group, then the configuration of LDAP group
    filters is likely correct.
  - To test the system's ability to retrieve information about the groups that a member belongs
    to, click Test Group Information, and then enter a valid user name (not a fully qualified
    distinguished name). This action tests the interaction of values in the Group member ID map,
    Group ID map, User ID map, and User filter fields.
  Tip: The default values for these filters depend on the type of LDAP server that you select.
  If you change the filter values and then change the LDAP server type, the filter values that
  you specify persist. To reset the filter values to the default values for a specific LDAP
  server type, click Restore preset values.
- Optional: Configure the LTPA tokens and key file to support single sign-on (SSO) authentication
for searching sources that are crawled by crawlers that support SSO. For details, see Configuring SSO support in the embedded web application server.
- Restart the Watson Content Analytics system:
esadmin system stopall
esadmin system startall
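
The values gathered for this procedure can be checked before they are typed into the Configure Application Login Settings page. The following Python sketch is an added example, not IBM code: it validates the search timeout syntax (2m, 120s, 1m30s) and derives the short name that the examples above quote for an Active Directory or Domino DN. The function names are hypothetical, and the DN-to-UPN mapping covers only the typical case.

```python
import re

# Timeout syntax from the procedure: minutes (m) and/or seconds (s),
# for example 2m, 120s, or 1m30s. Anything else is rejected.
_TIMEOUT_RE = re.compile(r"(?:(\d+)m)?(?:(\d+)s)?")

def parse_search_timeout(value):
    """Return the timeout in seconds, or raise ValueError."""
    m = _TIMEOUT_RE.fullmatch(value.strip())
    if not m or not (m.group(1) or m.group(2)):
        raise ValueError(f"not a valid timeout: {value!r}")
    return int(m.group(1) or 0) * 60 + int(m.group(2) or 0)

def split_dn(dn):
    """Split a DN into (attribute, value) pairs.

    Simple splitter (assumption): honours a backslash-escaped comma,
    but not every escape form that RFC 4514 allows.
    """
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, val = rdn.strip().partition("=")
        if not sep or not attr.strip() or not val.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), val.strip()))
    return pairs

def display_name(dn):
    """Map a user DN to the short form quoted in the examples above.

    Typical case only: the real Active Directory UPN is stored in
    userPrincipalName and can differ from what the DN suggests.
    """
    pairs = split_dn(dn)
    first_attr, first_val = pairs[0]
    dcs = [v for a, v in pairs if a == "dc"]
    orgs = [v for a, v in pairs[1:] if a in ("o", "ou")]
    if first_attr == "cn" and dcs:
        return f"{first_val}@{'.'.join(dcs)}"   # Active Directory UPN
    if first_attr == "cn" and orgs:
        return "/".join([first_val] + orgs)      # Domino hierarchical name
    return None  # e.g. uid=...,o=...: the page gives no short form
```

A value that raises ValueError here, or a short name that does not match what the directory administrator expects, is worth resolving before you click Test LDAP Server Connection.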