Connecting ICFM to a Microsoft Windows Active Directory repository

You can configure a federated WebSphere® Application Server repository that communicates with a Microsoft Windows Active Directory server LDAP user registry.

About this task

The examples in the procedure are based on the following Active Directory server LDAP configuration:
  • Base DN – DC=icfm,DC=ibm,DC=com
  • User DN – DC=icfm,DC=ibm,DC=com
  • Group DN – DC=icfm,DC=ibm,DC=com
  • Group object class – group
  • Member attribute – member

Procedure

To connect ICFM to a Microsoft Windows Active Directory server repository:

  1. Create the following groups in LDAP:
    • TriageAnalysts
    • Investigators
    • Supervisors
    • Monitors
    • Admins
    • TriageTeam
    • InvestigationTeam
    • SupervisorTeam
  2. Set the following properties in the fcco-values.yaml or fci-values.yaml file:
    • GROUP_ANALYST – Specify the LDAP group mapped to the Triage Analyst role.
    • GROUP_INVESTIGATOR – Specify the LDAP group mapped to the Investigator role.
    • GROUP_SUPERVISOR – Specify the LDAP group mapped to the Supervisor role.
    • GROUP_ADMIN – Specify the LDAP group mapped to the Administrator role.
    • GROUP_DATA_SCIENTIST – Specify the LDAP group mapped to the Data Scientist role.
    • LDAP_PROFILE_DISPLAYNAME – Specify the LDAP property that maps to the user's display name.
    • LDAP_PROFILE_EMAIL – Specify the LDAP property that maps to the user's email address.
    • LDAP_PROFILE_GROUPS – Specify the LDAP property that maps to the user's groups.
    • LDAP_PROFILE_ID – Specify the LDAP property that maps to the user's ID.
    • LDAP_SERVER_BINDDN – Specify the Admin connection DN.
    • LDAP_SERVER_SEARCHBASE – Specify the base DN from which to search for users by username.
    • LDAP_SERVER_URL – Specify the URL to connect to the LDAP server.
    • LDAP_SERVER_USERNAME_MAPPING – Specify the LDAP property that maps to the name the user enters when logging in (typically the same as the user's ID).
    • LDAP_SERVER_BINDCREDENTIALS – Specify the base64-encoded password for LDAP_SERVER_BINDDN.

    1. The ibm-nestedgroup object class must be added to the top-level groups. So cn=InvestigationTeam and cn=Investigators need the object class ibm-nestedgroup. A second-level group such as cn=All_Tenant2_Investigators does not need the ibm-nestedgroup class unless it has a third-level subgroup under it.

    2. The ibm-memberGroup attribute must be added to the top-level groups. So cn=InvestigationTeam and cn=Investigators need an ibm-memberGroup attribute with the value cn=All_Tenant2_Investigators,ou=Tenant2,ou=Groups,ou=cfm,o=ibm,c=us.

  3. Restart the server.
  4. Log on to the WebSphere administrative console by using the WebSphere Application Server administrator user name and password:

    https://host_name:9043/ibm/console/

    Where host_name is the host name of the ICFM Core server (single server) or the Analytics server for a three-server installation.

    The WebSphere Application Server administrator user name and password are set with the WAS.ADMIN.ACCOUNT and WAS.ADMIN.ACCOUNT.PWD properties in the /icfminstall/cfm20/topology/CFM.x.properties file when the server is first installed.

  5. Request a Microsoft Active Directory server certificate and signer certificates (root and intermediate CA certificates) from the Active Directory administrator.
  6. Upload Microsoft Windows Active Directory Server signer certificates, including root and intermediate certificates, to the /tmp directory on the ICFM server (Analytics server in a three-server environment).
  7. If you want to set up secure communications, add IBM Security Directory Server signer certificates:
    1. From the WebSphere administrative console, select Security > SSL certificate and key management.
    2. In the Related Items section, click Key stores and certificates.
    3. Click CellDefaultTrustStore.
    4. In the Additional properties section, click Signer certificates and then click Add.
    5. On the Add signer certificate page, enter the following information:
      Table 1. Signer Certificate Values
      • Alias – Signer certificate
      • File name – ad_root.cert
      • Data type – Base64-encoded ASCII data

      Then click OK.

    6. Repeat step 7.e for all the signer certificates (server, root, and intermediate).
    7. Click Save to save the changes to the master configuration.
  8. Select Security > Global security.
  9. In the User account repository section, select Federated repositories from the Available realm definitions field and click Configure.
  10. On the Federated repositories page, click Manage repositories.
  11. On the Manage repositories page, select Add > LDAP repository.
  12. In the General Properties section on the new LDAP repository page, enter values for the properties as listed in the following table.
    Table 2. LDAP General Properties
    • Repository identifier – ICFM_LDAP
    • Directory type – Microsoft Windows Active Directory
    • Primary host name – The fully qualified host name of the Microsoft Windows Active Directory Server LDAP instance. Do not enter an IP address. For example, enter ldap.ibm.com.
    • Port – The server port or server secure port number on which the Active Directory server LDAP instance is listening. For example, enter 389 or 636.
    • Bind distinguished name – For example: CN=Administrator,CN=Users,DC=cfm,DC=ibm,DC=com. Depending on how Active Directory is configured, the format might be Administrator@ibm.com.
    • Bind password – Password for the bind distinguished name.
    • Federated repository properties for login – uid

    Accept all other default values.

  13. Click Apply and Save to save your changes.
  14. From the Manage repositories page, select the newly created ICFM_LDAP repository from the repository list.
  15. In the Additional Properties section on the ICFM_LDAP page, select Federated repositories entity types to LDAP object classes mapping.
  16. Verify LDAP object classes mapping as shown in the following table:
    Entity Type Object Classes
    Group group
    OrgContainer organization;organizationalUnit;domain;container
    PersonAccount user
  17. Navigate back to the ICFM_LDAP configuration (Global security > Federated repositories > Manage repositories > ICFM_LDAP).
  18. In the Additional Properties section, select Group attribute definition.
  19. In the Additional Properties section, select Member attributes.
  20. Verify that member is listed with direct Scope and group Object Class.
  21. Navigate back to the Federated repositories page (Global security > Federated repositories).
  22. From the Federated repositories page, click Add repositories (LDAP, custom, etc).
  23. On the Repository reference page, select ICFM_LDAP as the repository and enter one of the following values for the Unique distinguished name of the base (or parent) entry in federated repositories field:
  24. Click OK and Save to save your changes.

    The newly created repository is now displayed in the table.

  25. In the Additional Properties section, select Supported entity types.
  26. From the Supported entity types page, select the Group entity type.
  27. Change the base entry for the default parent: DC=cfm,DC=ibm,DC=com
  28. Click Apply and Save to save your changes.
  29. Repeat steps 26 to 28 for the OrgContainer and PersonAccount entity types.
  30. Navigate back to the Federated repositories page (Global security > Federated repositories).
  31. Select the default repository with the unique distinguished name o=defaultWIMFileBasedRealm and then click Remove.
  32. Click Save to save your changes.
  33. In the General Properties section, change the realm name to the following value:
    • DC=cfm,DC=ibm,DC=com

    Then, enter the Primary administrative user name. This user name must be a user in the LDAP repository that was added to the WebSphere Application Server federated repository configuration.

  34. Click Apply and Save to save your changes. Then, log out of the WebSphere administrative console.
  35. On the Data server, enter the following commands:
    db2 GRANT SECADM ON DATABASE TO USER CFMADMIN;
    db2 GRANT DBADM ON DATABASE TO USER CFMADMIN
  36. To activate the user registry configuration changes, you must stop and start WebSphere Application Server.
    • For a single server topology, do the following:
      1. SSH to the server as the root user.
      2. Change to the /opt/IBM/icfm/2.0/bin directory.
      3. Run the following command to stop the ICFM application:
        ./icfm.1.ctl-all.sh stop was_admin_password
        Where was_admin_password is the WebSphere administrator password. The password is set with the WAS.ADMIN.ACCOUNT.PWD property-value pair in the /cfm20/topology/CFM.1.properties file.
      4. Restart the Linux server.
      5. Run the following command to start the ICFM application:
        ./icfm.1.ctl-all.sh start was_admin_password
    • For a three-server topology, do the following:
      1. SSH to each server (Data, Analytics, and Core) as the root user.
      2. Change to the /opt/IBM/icfm/2.0/bin directory.
      3. Run the following command to stop the ICFM application:
        ./icfm.3.ctl-server_name-all.sh stop was_admin_password
        Where:
        • was_admin_password is the WebSphere administrator password. The password is set with the WAS.ADMIN.ACCOUNT.PWD property-value pair in the /cfm20/topology/CFM.3.properties file.
        • server_name is the server name. The server name is data, analytics, and core for Data, Analytics, and Core servers, respectively.
      4. Restart the Linux servers (Data, Analytics, and Core).
      5. Run the following command to start the ICFM application:
        ./icfm.3.ctl-server_name-all.sh start was_admin_password
  37. Update the user and group mappings in WebSphere Application Server.
    1. Log on to the WebSphere administrative console by using the WebSphere Application Server administrator user name and password.
    2. Navigate to WebSphere Application Server > Applications > Application Types > WebSphere enterprise applications > CounterFraud_DataImportEAR > Security role to user/group mapping > Administrator > Map Groups.
    3. Click Search.
    4. In the Available list, click the items that are displayed in the Selected list, and click the right arrow to add the items again.
    5. Click OK.
    6. Repeat steps b through e for each entry on the CounterFraud_DataImportEAR page. Click OK and click Save.
    7. Repeat steps b through f for every ICFM application that is listed on the Enterprise Applications page.
    8. Navigate to WebSphere Application Server > Servers > Server Types > WebSphere application servers. Click the ICFMServer check box and click Restart.
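The following Python check is an added example and not part of the IBM procedure: it validates the GROUP_* and LDAP_* values from step 2 and the bind DN format from step 12 before you restart the server, flagging a GROUP_* value that is not one of the groups created in step 1, an LDAP_SERVER_URL that is not ldaps://, a malformed bind or search DN (such as a CF= typo in place of CN=), and bind credentials that are not valid base64. The function and constant names, the sample values, and the placeholder password are constructed for this example.

```python
import base64
import re
from urllib.parse import urlparse

# Groups the procedure has you create in Active Directory (step 1 above).
CREATED_GROUPS = {"TriageAnalysts", "Investigators", "Supervisors", "Monitors",
                  "Admins", "TriageTeam", "InvestigationTeam", "SupervisorTeam"}
DN_ATTRS = {"CN", "OU", "DC", "O", "C", "UID"}  # accepted attribute types; "CF=" is caught as a typo
RDN = re.compile(r"^([A-Za-z]+)=([^=]+)$")

def dn_errors(dn: str) -> list:
    """Problems with a bind/search DN; a UPN such as user@domain is also accepted."""
    if "@" in dn and "=" not in dn:
        return []  # Active Directory may be configured to take UPN-style bind names
    errors = []
    for rdn in (part.strip() for part in dn.split(",")):
        match = RDN.match(rdn)
        if not match:
            errors.append(f"malformed RDN {rdn!r}")
        elif match.group(1).upper() not in DN_ATTRS:
            errors.append(f"unknown attribute type in RDN {rdn!r}")
    return errors

def check_ldap_values(props: dict) -> list:
    """Findings for the GROUP_* and LDAP_* properties; an empty list means they look sane."""
    findings = []
    for key, group in props.items():
        if key.startswith("GROUP_") and group not in CREATED_GROUPS:
            findings.append(f"{key}={group!r} is not one of the groups created in LDAP")
    url = urlparse(props.get("LDAP_SERVER_URL", ""))
    if url.scheme != "ldaps":
        findings.append("LDAP_SERVER_URL is not ldaps://; the bind password would cross the network in clear text")
    elif url.port not in (None, 636):
        findings.append(f"LDAP_SERVER_URL uses port {url.port} with ldaps://; the secure port is normally 636")
    for key in ("LDAP_SERVER_BINDDN", "LDAP_SERVER_SEARCHBASE"):
        findings.extend(f"{key}: {err}" for err in dn_errors(props.get(key, "")))
    try:  # binascii.Error raised for an invalid encoding is a subclass of ValueError
        base64.b64decode(props.get("LDAP_SERVER_BINDCREDENTIALS", ""), validate=True)
    except ValueError:
        findings.append("LDAP_SERVER_BINDCREDENTIALS is not valid base64")
    return findings

# Constructed sample mirroring the page's example values; the password is a placeholder.
SAMPLE = {
    "GROUP_ANALYST": "TriageAnalysts", "GROUP_INVESTIGATOR": "Investigators",
    "GROUP_SUPERVISOR": "Supervisors", "GROUP_ADMIN": "Admins",
    "LDAP_SERVER_URL": "ldaps://ldap.ibm.com:636",
    "LDAP_SERVER_BINDDN": "CN=Administrator,CN=Users,DC=icfm,DC=ibm,DC=com",
    "LDAP_SERVER_SEARCHBASE": "DC=icfm,DC=ibm,DC=com",
    "LDAP_SERVER_BINDCREDENTIALS": base64.b64encode(b"placeholder-password").decode(),
}
```

Run check_ldap_values on the dictionary you load from the values file; any finding should be resolved before the restart in step 3, since a wrong DN or group name only surfaces later as a failed bind or an empty role mapping.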