Configuring MobileFirst administration security with an external LDAP repository

You can configure MobileFirst administration security to enable connecting out to an external LDAP repository. The configuration is common for both WebSphere® Application Server Liberty profile and full profile.

Before you begin

This procedure involves configuring the LDAP parameters for connecting to the external user registry server. Before you begin, ensure the LDAP server is working and consult your LDAP administrator to obtain the required configuration information.

About this task

Important:

When the LDAP repository configuration is enabled, a default user for MobileFirst administration is not automatically created. Instead, you must specify the administration user name and password that are stored in the LDAP repository. This information is required by WebSphere Application Server Liberty profile and a server farm of WebSphere Application Server full profile.

If the runtime to be deployed in the pattern is configured to use LDAP for application authentication, make sure that the LDAP server configured in the runtime is the same as the LDAP server that is configured for the MobileFirst Administration; different LDAP servers are not supported. Also, the protocol and port for LDAP connection must be identical. For example, if connections from the runtime to the LDAP server are configured to use the SSL protocol and port is 636, connections from the MobileFirst Administration to the LDAP server must use the SSL protocol and port 636 as well.

Procedure

  1. Build a pattern with any topology you need. For more information, see the following topics:
  2. Mandatory for AIX®: In IBM® PureApplication® System running on Power®, the MobileFirst Platform DB node needs to use the AIX-specific add-on component "Default AIX add disk" to replace the "Default add disk" component in the template to support the jfs2 file system:
    1. In the Pattern Builder, select the MobileFirst Platform DB node.
    2. Click the Add a Component Add-on button (the button is visible above the component box when you hover the cursor over the MobileFirst Platform DB node).
    3. From the Add Add-ons list, select Default AIX add disk. The component is added as the lowest component of the MobileFirst Platform DB node.
    4. Select the Default AIX add disk component and specify the following attributes:
      DISK_SIZE_GB
      Storage size (measured in GB) to be extended to the DB server. Example value: 10.
      FILESYSTEM_TYPE
      Supported file system in AIX. Default value: jfs2.
      MOUNT_POINT
      Align with the attribute Mount point for instance owner in the Database Server component in the MobileFirst Platform DB node. Example value: /dbinst.
      VOLUME_GROUP
      Example value: group1. Contact your IBM PureApplication System administrator for the correct value.
    5. In the MobileFirst Platform DB node, select the Default add disk component, and then click the bin icon to delete it.
    6. Save the pattern.
  3. Configure MobileFirst Server administration:
    1. In IBM PureApplication System, in the dashboard, click Patterns > Virtual System Patterns. The Virtual System Patterns page opens.
    2. On the Virtual System Patterns page, use the Search field to find and select the pattern you created, and then click Open to open the Pattern Builder page.
    3. In the MobileFirst Platform Server node (or the DmgrNode node when using the MobileFirst Platform (WAS ND) template), select the MFP Server Administration component. The properties of the selected component are displayed next to the canvas.
    4. Supply the following LDAP information in the fields provided:
      admin_user
      User ID of the account that has MobileFirst Server administration privilege. This value is stored in the LDAP repository. Not required if the MobileFirst Server is to be deployed on a single node of WebSphere Application Server full profile.
      admin_password
      Admin user password. This value is stored in the LDAP repository. Not required if the MobileFirst Server is to be deployed on a single node of WebSphere Application Server full profile.
      LDAP_TYPE
      LDAP server type of your user registry. One of the following values:
      None
      LDAP connection is disabled. When this is set, all the other LDAP parameters are treated as placeholders only.
      TivoliDirectoryServer
      Select this if the LDAP repository is an IBM Tivoli® Directory Server.
      ActiveDirectory
      Select this if the LDAP repository is a Microsoft Active Directory.
      Default value: None.
      LDAP_IP
      LDAP server IP address.
      LDAP_SSL_PORT
      LDAP port for secure connection.
      LDAP_PORT
      LDAP port for non-secure connection.
      BASE_DN
      Base DN.
      BIND_DN
      Bind DN.
      BIND_PASSWORD
      Bind DN password.
      REQUIRE_SSL
      Select true for secure connection to the LDAP server. Default value: false.
      USER_FILTER
      LDAP user filter that applies when searching the existing user registry for users.
      GROUP_FILTER
      LDAP group filter that applies when searching the existing user registry for groups.
      LDAP_REPOSITORY_NAME
      LDAP server name.
      CERT_FILE_PATH
      Target path of the uploaded LDAP server certification.
      mfpadmin
      Admin role for MobileFirst Server. One of the following values:
      None
      No user.
      AllAuthenticatedUsers
      Authenticated users
      Everyone
      All users.
      Default value: None. For more information about security roles, see Configuring user authentication for MobileFirst Server administration.
      mfpdeployer
      Deployer role for MobileFirst Server. One of the following values:
      None
      No user.
      AllAuthenticatedUsers
      Authenticated users
      Everyone
      All users.
      Default value: None. For more information about security roles, see Configuring user authentication for MobileFirst Server administration.
      mfpmonitor
      Monitor role for MobileFirst Server. One of the following values:
      None
      No user.
      AllAuthenticatedUsers
      Authenticated users
      Everyone
      All users.
      Default value: None. For more information about security roles, see Configuring user authentication for MobileFirst Server administration.
      mfpoperator
      Operator role for MobileFirst Server. One of the following values:
      None
      No user.
      AllAuthenticatedUsers
      Authenticated users
      Everyone
      All users.
      Default value: None. For more information about security roles, see Configuring user authentication for MobileFirst Server administration.
  4. Optional: Configure the LDAP SSL connection. This step is required only if you set REQUIRE_SSL to true in the previous step to use secure connections to the LDAP server:
    1. From the Assets toolbar, expand Software Components, and then drag and drop an Additional file component onto the MobileFirst Platform Server node in the canvas. Rename the component "MobileFirst LDAP Cert", for example.
    2. Hover the cursor over the newly added component, and then click the Move up and Move down buttons to adjust the position of the component in the node. Make sure that it is placed between the MFP Server Prerequisite component and the MFP Server Administration component.
    3. Click the MobileFirst LDAP Cert component. The properties of the selected component are displayed next to the canvas. Upload the LDAP certification artifact in the Additional file field by clicking the Browse button to locate it
    4. In the Target path field, specify the full path for storing the artifact including its file name; for example, /opt/tmp/tdscert.der.
    5. In the MobileFirst Platform Server node (or the DmgrNode node when using the MobileFirst Platform (WebSphere Application Server Network Deployment), select the MFP Server Administration component, and then click the Add reference button next to the CERT_FILE_PATH field. In the pop-up window, click the component-level parameter tab. From the Component list, select MobileFirst LDAP Cert. In the Output attribute list, select target_path. Click the ADD button to refresh the Output value field, and then click OK.
  5. Configure and launch the pattern deployment. On the Deploy Pattern page, in the Nodes list, you can adjust your LDAP configurations by clicking MobileFirst Platform Server (or DmgrNode when using the MobileFirst Platform (WAS ND) template) and then expanding MFP Server Administration. For more information about pattern deployment, see the "Configure and launch the pattern deployment" step in one of the following topics depending on the topology you selected when creating the pattern;
  6. Access the MobileFirst Operations Console. Use the administrator user name and password to log in to the MobileFirst Operations Console through your LDAP configuration. For more information, see the "Access the MobileFirst Operations Console:" step in one of the following topics depending on the topology you selected when creating the pattern;
Parent topic: Deploying MobileFirst Server on IBM PureApplication System