Integrating community membership with Portal security

Configure the Virtual Member manager to integrate information from IBM® Connections communities with your WebSphere® Portal environment.

Starting with version 6.1, IBM WebSphere Application Server uses a component that is called Virtual Member manager (VMM) to manage information about community membership. VMM provides an interface that enables communication between WebSphere Portal and any repository, whether federated repositories, a stand-alone repository, or your own custom user registry. You can configure VMM to recognize IBM Connections as a repository so that Portal can access community user and group information from IBM Connections communities. For example, after VMM is configured, users can select IBM Connections private or public communities as groups when they assign security roles or access rights.

For more information about the architecture of VMM, see the article Virtual Member Manager Integration from the IBM Knowledge Center.

For more information about configuring a user repository for VMM, see the article Setting up a custom user repository from the IBM Knowledge Center.

After you configure IBM Connections to work with VMM, users can:

  • Search for IBM Connections public and private communities by name (represented as groups in WebSphere)
  • Resolve public and private community membership for particular users (represented as group membership in WebSphere)
  • Display the WebSphere users that are members of an IBM Connections public or private community

The following are some known limitations:

  • When you use the VMM get operation to retrieve a single identifier by querying on the community name instead of the unique externalID, nothing is returned if more than one community name matches the query.
  • The operation to display WebSphere users that are members of a particular IBM Connections community can have a performance impact for large groups.
  • Tivoli® Directory Integrator is recommended for populating user data into Connections. When you use the profile data population wizard, a user's email might not be populated into the Communities database. A user might not appear in the proper communities until they log in to Communities, use a feature of the Communities service, or their profile is synchronized with Tivoli Directory Integrator.

Prerequisites

Note: The VMM adapter maps the externalId field to the user object ID field from the LDAP server to identify users and determine community membership for logged-in users. This mapping controls access to Community pages based on community membership in IBM Connections. WebSphere Portal must be configured to use the same LDAP that was used to import users into the People database for the Connections Profiles service, so that the externalId values on the two servers match. Other WebSphere Portal components, such as Social Rendering and the integrated person card, also require the externalId values on the two servers to match.

To configure VMM to recognize an IBM Connections repository, the following conditions must be met:
  • IBM WebSphere Portal must be installed and verified
  • IBM Connections must be installed and verified to work
  • Hidden email is supported: as of the 3.0.1.1 refresh, enabling email is no longer mandatory.
  • Single sign-on must be configured between Connections and Portal. Follow the steps in Configuring single sign-on.
  • IBM Connections and IBM WebSphere Portal must share a common LDAP.
  • Import the SSL certificate from IBM WebSphere Portal server to IBM Connections. Follow the steps in Importing a certificate to support SSL with the following differences:
    • Log in to the WebSphere Application Server Integrated Solutions Console for the Connections server, rather than the Portal server.
    • Enter the host, port, and alias for the Portal server. For example:
      Host : portal.example.com
      Port : 10025 (the default SOAP port on Portal; specify the appropriate port if a non-default port is used)
      Alias : Portal Certificate (the administrator can choose any appropriate alias)
  • Update the VMM schema so that PersonAccount on the Portal server includes personCorrelationAttribute. Use this attribute to specify the corresponding person relative distinguished name attribute, for example ibm-primaryEmail. For more information about name attributes for different directories, see the article Attribute mapping for Profiles in the IBM Knowledge Center. In a clustered environment, run this command on the Deployment manager. To open the scripting interface, see the article Opening a console window for interactive scripting in the IBM Knowledge Center. Enter the following command in the scripting interface:
    $AdminTask addIdMgrPropertyToEntityTypes {-name <personCorrelationAttribute> -dataType string -entityTypeNames PersonAccount}
    Then, enter the following command:
    $AdminConfig save
    For example, if the personCorrelationAttribute matches ibm-entryUuid, use:
    $AdminTask addIdMgrPropertyToEntityTypes {-name ibm-entryUuid -dataType string -entityTypeNames PersonAccount}
    $AdminConfig save
    Note: Portal must be running while you run these commands. Restart the server to apply the changes.
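The schema update above is shown as two interactive Jacl commands. The following wsadmin Jython script is an added example, not part of the IBM documentation or the product, that performs the same step non-interactively: it adds the correlation attribute to PersonAccount, saves the configuration, and, when the cell has node agents (a clustered Deployment manager), synchronizes the active nodes so every Portal node receives the change before the restart. The script file name and the attribute-name argument are assumptions made for this example; AdminTask.addIdMgrPropertyToEntityTypes and AdminConfig.save are the commands already on this page, and AdminNodeManagement.syncActiveNodes is assumed to be available from the wsadmin script library of WebSphere Application Server 7.0 and later.

```jython
# Added example (not from the IBM documentation): wsadmin Jython script that
# applies the VMM schema change described above.
# Run from the Deployment manager (or stand-alone server) profile, for example:
#   wsadmin.sh -lang jython -f add_person_correlation_attribute.py ibm-entryUuid
# Assumptions made for this example: the script file name and the attribute-name
# argument; AdminNodeManagement comes from the wsadmin script library (WAS 7.0+).
import sys

ENTITY_TYPE = 'PersonAccount'


def add_person_correlation_attribute(attribute_name):
    """Add attribute_name as a string property of PersonAccount in the VMM schema."""
    # Reject anything that is not a single attribute name, so that a stray
    # space cannot smuggle extra parameters into the AdminTask parameter string.
    if not attribute_name or ' ' in attribute_name:
        raise ValueError('expected a single LDAP attribute name, got %r' % attribute_name)

    # Same command as the interactive "$AdminTask addIdMgrPropertyToEntityTypes"
    # step on this page, written in Jython parameter syntax.
    params = '[-name %s -dataType string -entityTypeNames %s]' % (attribute_name, ENTITY_TYPE)
    AdminTask.addIdMgrPropertyToEntityTypes(params)

    # Persist the change to the master configuration ("$AdminConfig save").
    AdminConfig.save()

    # In a cluster the saved change stays on the Deployment manager until the
    # node agents pull it. A stand-alone server has no NodeAgent objects, so the
    # sync is skipped there.
    if AdminConfig.list('NodeAgent'):
        AdminNodeManagement.syncActiveNodes()
        print 'Synchronized active nodes.'

    print 'Added %s to %s. Restart the Portal server(s) to apply the change.' % (attribute_name, ENTITY_TYPE)


# wsadmin passes script arguments in sys.argv without the script name itself.
if len(sys.argv) != 1:
    print 'Usage: wsadmin -lang jython -f add_person_correlation_attribute.py <personCorrelationAttribute>'
    sys.exit(1)

add_person_correlation_attribute(sys.argv[0])
```

Because the command is a schema change rather than a runtime switch, the note on this page still applies: the server must be running while the script executes, and the Portal server (every cluster member, after the node sync) must be restarted before the new property is visible to the VMM adapter.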

Configuring the IBM Connections repository to work with VMM

Complete these tasks to configure the IBM Connections User Repository adapter. When configuration is complete, you can verify that it is working by logging in to WebSphere Portal as an administrator. Open the Users and Groups portlet from the Administration tab. Search for groups that must be present as communities in your IBM Connections deployment. If you find the correct groups and the members of the groups are listed, the deployment is successful.

Note: Make sure that you configured Common Directory Services when you installed the portlets. Common Directory Services are a requirement for configuring the VMM adapter.