Configure IBM virtual member manager (VMM) Repositories with Content Platform Engine

White Papers


Abstract

You can configure Content Platform Engine to use VMM repositories.

Content

1 Overview
IBM virtual member manager (VMM) is shipped with IBM WebSphere Application Server as a system component. The WebSphere federated repositories login module uses it to perform JAAS authentication, so VMM repositories are the same thing as WebSphere federated repositories.

Besides serving as a WebSphere authentication provider, VMM acts as a virtual directory service for Content Platform Engine. When WebSphere is the hosting application server, this lets Content Platform Engine retrieve users and groups from VMM for authorization.

There are four types of VMM repositories:
• File repository: A file-based repository that comes with a WebSphere installation. After installation, your WebSphere server automatically has a file repository ready, with a local WebSphere administrative user created in it.
• LDAP repository: An LDAP directory; LDAP repositories must be configured manually.
• Database repository: A database with a specific predefined schema for VMM. It must be created and configured manually.
• Custom repository: A repository implemented to meet any special requirements.

VMM provides the following benefits to Content Platform Engine.
• Support for heterogeneous directory services, such as Active Directory, Tivoli Directory Server, etc.
• Support for heterogeneous repositories, such as LDAP repositories and file repository.

In Content Platform Engine 5.2, a new directory service provider, called VMM Provider, is implemented to retrieve users and groups from VMM repositories. VMM Provider is only used with WebSphere Application Server version 7.0 or above.

1.1 References
Content Platform Engine VMM Provider online documentation: https://www.ibm.com/docs/en/filenet-p8-platform/5.2.0?topic=manager-overview-virtual-member

Online documentation for WebSphere 8.5.5: https://www.ibm.com/docs/en/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/twim_managing_realm.html

1.2 Supported VMM Repositories
Support of using WebSphere VMM as a Content Platform Engine directory was added in the Content Platform Engine 5.2.0 release. In 5.2.0, this support was restricted to LDAP-based repositories only, and only the set of LDAP repositories that have been qualified by WebSphere. The list of LDAP servers supported by WebSphere is available at: http://www-01.ibm.com/support/docview.wss?uid=swg27036471

Starting in 5.2.0 FP3, this support is extended to include:
• File-based user repositories
• Custom user repositories

Note: Support for database-based user repositories is not included in the list of types that we intend to add in 5.2.0.3. This is because we do not currently have a use case for database-based user repositories, and the WebSphere team does not recommend their use for production environments.

Custom LDAP repositories (i.e., the LDAP v3 compatible directories that are not in the WebSphere qualification matrix at this URL: https://www.ibm.com/support/pages/node/713027) are only supported if explicitly qualified by IBM. As of Content Platform Engine 5.2.1 Fix Pack 2 two directories are supported that are not on the WebSphere qualification list: OpenLDAP and Oracle Unified Directory.

For pure custom user repositories, an adapter that implements the com.ibm.wsspi.wim.Repository interface must be provided by you or by a third party. IBM supports these custom configurations, but you must be prepared to work with the vendor who provided the custom adapter implementation, as well as the vendor providing the underlying user repository. Issues may arise that require changes to either the adapter or the underlying user repository, and IBM support cannot take responsibility for these types of issues.

2 VMM Repository Limitations
• The file-based repository can be used by approximately 1000 users and 50 groups. The number of groups defined and the number of users per group affect the performance of searching for the group membership of a user.
• Not all VMM repositories support server-side sorting. To keep behavior consistent across repositories, VMM Provider retrieves only the first N principals from a VMM repository for a principal search rather than the entire result set. N is the page size passed to the findUsers() or findGroups() method of the Content Platform Engine Realm class, so VMM Provider returns only the first page of search results for a principal search.

3 Configure LDAP Repository with Content Platform Engine
This section demonstrates how to configure Content Platform Engine to connect to a directory server through VMM. The directory server in this case serves as an LDAP repository of VMM.

Content Platform Engine 5.2 and WebSphere 7.0 are used in this document. It assumes that you know generally how to configure Content Platform Engine. Use normal procedures to configure Content Platform Engine. The following subsections focus only on the parts related to VMM settings.

3.1 Create LDAP Repository
You can use IBM FileNet Configuration Manager to create VMM’s LDAP repository. The following screen capture shows the Configure LDAP task.

1. Select the Configure LDAP task and specify your VMM settings. Ensure the value of WebSphere Application Server LDAP repository type is Federated repositories. Select the check box named Set as current active user registry.
2. Save and run this task. A VMM repository using the specified LDAP will be created in WebSphere server.
3. Restart WebSphere server.
4. Log in to WebSphere Administrative Console as a local WebSphere administrative user, and navigate to Security > Global security > Federated repositories.
5. Verify that only the following two repositories are in the realm: the file repository and the LDAP repository you just created. If there are other unrelated repositories in the list, delete them, save the change, and restart WebSphere server.

Note: Keep file repository in the list, because you still need to use the local WebSphere administrative user.

3.2 Configure Content Platform Engine Bootstrap User
1. Select the Configure Bootstrap and Text Extraction task in FileNet Configuration Manager. Specify your bootstrap user name and password. Ensure the user comes from the directory server you configured above. Save and run this task.

2. Configure and run the Deploy Application task in FileNet Configuration Manager.

3.3 Configure VMM Provider
This procedure assumes you are creating a new P8Domain. If you have an existing P8Domain using another directory service provider, and if it is for a development or test environment, you can drop the tables in GCD database and create a new domain and object stores. If it is a production environment, contact IBM Lab Services to migrate the directory service on the existing domain.

1. Log in to Administration Console for Content Platform Engine (ACCE), and start creating a new P8Domain. (You must use ACCE and not FileNet Enterprise Manager.)

2. Specify the domain name and optionally the documentation URL.

3. In the Type drop-down list, select IBM Virtual Member Manager.

4. Do not specify any LDAP settings for VMM Provider (such as User Base DN, User Search Filter, and so on). Click Finish to create the domain.

4 Configure Custom LDAP Repository with Content Platform Engine

In addition to the directory servers listed at https://www.ibm.com/support/pages/node/713027, WebSphere also supports other directory services through a custom LDAP repository, as long as they comply with the LDAP v3 specification (RFC 2251).

There are no generic configuration instructions to cover all types of directories through custom LDAP repository. This section provides an example configuration to be used with OpenLDAP. Due to variations in schema and functionality, the exact settings required for other directory types are likely to vary. Consult your directory server documentation for details.

The OpenLDAP schema is very similar to that of Sun Java System Directory Server. So the approach is to specify the same settings as for a Sun Java repository, and then map the "External" (external ID) property to a different attribute for OpenLDAP.

4.1 Create Custom LDAP Repository in WebSphere

In WebSphere version 7.0, a custom LDAP repository must be configured manually with the wsadmin scripting tool. To avoid those manual steps, this section shows how to configure it in the WebSphere Administrative Console using WebSphere 8.5.5.

1. Log in to WebSphere Administrative Console, and navigate to: Security > Global security > Federated repositories > Manage repositories. Click the "Add" button and select "LDAP repository".

2. Select "Custom" from the drop-down list for "Directory type", and fill in the other fields as usual. Click "Apply", and then "Save".

3. Under Security > Global security > Federated repositories > Manage repositories, click "OpenLDAP Rep".

4. In the new page under "Additional Properties", click the first link (i.e., "Performance").

5. Configure the following settings. Click "Apply", and then "Save".

6. Under Security > Global security > Federated repositories > Manage repositories, click "OpenLDAP Rep". In the new page under "Additional Properties", click the second link (i.e., "Federated repositories entity types to LDAP object classes mapping").

7. In the new page, click the "New" button, and then fill in the following settings for Group. Click "Apply", and then "Save".

8. Under Security > Global security > Federated repositories > Manage repositories > OpenLDAP Rep > Federated repositories entity types to LDAP object classes mapping, click the "New" button, and then fill in the following settings for OrgContainer (the separator is a semicolon). Click "Apply", and then "Save".

9. Under Security > Global security > Federated repositories > Manage repositories > OpenLDAP Rep > Federated repositories entity types to LDAP object classes mapping, click the "New" button, and then fill in the following settings for PersonAccount. Click "Apply", and then "Save".

10. At this point, the "entity types" page looks like the following.

11. Navigate to Security > Global security > Federated repositories > Manage repositories > OpenLDAP Rep. Click the third link (i.e., "Federated repositories property names to LDAP attributes mapping") under "Additional Properties".

12. Click the "Add" button and then select "Unsupported".

13. Specify the following settings. Click "Apply", and then "Save".

14. Repeat steps 12 and 13 to create the following unsupported property mapping.

15. Under Security > Global security > Federated repositories > Manage repositories > OpenLDAP Rep > Federated repositories property names to LDAP attributes mapping, click the "Add" button and select "Supported".

16. Specify the following settings. Click "Apply", and then "Save".

17. Under Security > Global security > Federated repositories > Manage repositories > OpenLDAP Rep > Federated repositories property names to LDAP attributes mapping, click the "Add" button and select "External".

18. Specify the following settings. Click "Apply", and then "Save".

19. At this point, the "Federated repositories property names to LDAP attributes mapping" page looks like the following.

20. Navigate to Security > Global security > Federated repositories > Manage repositories > OpenLDAP Rep. Click the fourth link (i.e., "Group attribute definition") under "Additional Properties". Then click "Member attributes" under "Additional Properties".

21. Click the "New" button, and then specify the following settings. Click "Apply", and then "Save".

22. Navigate to Security > Global security > Federated repositories, and click the button "Add repositories (LDAP, custom, etc)...".

23. For the Repository field in the new page, click the drop-down arrow and select "OpenLDAP Rep". Also specify a value for the field "Unique distinguished name of the base (or parent) entry in federated repositories", for example "dc=example, dc=com".

24. At this point the page should look like the following. Click "Apply", and then "Save".

25. Restart your WebSphere server.
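The console steps above can also be scripted with the wsadmin IdMgr commands, which is the route the white paper mentions for WebSphere 7.0. The following script is an added example and is not part of the white paper or of any IBM sample; the repository id (OpenLDAPRep, without the space used in the console), host, bind DN, base entry, the object classes and the attribute mappings are assumed values for a typical OpenLDAP schema, and the exact settings must be taken from your own directory and from the screenshots of Section 4.1. Check each command's parameters against the WebSphere documentation for your version before running it.

```jython
# Added example (not from the white paper). Run with:
#   wsadmin.sh -lang jython -f create_openldap_rep.py
# All ids, DNs and attribute names below are ASSUMED placeholders.
REP_ID    = 'OpenLDAPRep'                     # assumed repository id
LDAP_HOST = 'ldap.example.com'                # assumed directory host
BIND_DN   = 'cn=readonly,dc=example,dc=com'   # assumed read-only bind account
BIND_PW   = 'CHANGE_ME'                       # placeholder; do not commit a real secret
BASE_DN   = 'dc=example,dc=com'               # assumed base entry (Step 23)
REALM     = 'defaultWIMFileBasedRealm'        # default WebSphere realm name

# Steps 1-2: custom LDAP repository and its server connection.
AdminTask.createIdMgrLDAPRepository('[-id %s -ldapServerType CUSTOM]' % REP_ID)
AdminTask.addIdMgrLDAPServer('[-id %s -host %s -port 389 -bindDN "%s" '
                             '-bindPassword %s -sslEnabled false]'
                             % (REP_ID, LDAP_HOST, BIND_DN, BIND_PW))

# Steps 6-9: entity type to object class mapping (semicolon-separated list
# for OrgContainer, as in Step 8). Object classes are assumed for OpenLDAP.
AdminTask.addIdMgrLDAPEntityType('[-id %s -name Group -objectClasses groupOfNames]' % REP_ID)
AdminTask.addIdMgrLDAPEntityType('[-id %s -name OrgContainer '
                                 '-objectClasses "organization;organizationalUnit;domain"]' % REP_ID)
AdminTask.addIdMgrLDAPEntityType('[-id %s -name PersonAccount -objectClasses inetOrgPerson]' % REP_ID)

# Steps 12-14: a VMM property with no OpenLDAP attribute (assumed example).
AdminTask.addIdMgrLDAPAttrNotSupported('[-id %s -propertyName homeAddress '
                                       '-entityTypes PersonAccount]' % REP_ID)

# Steps 15-16: a supported property mapped to an LDAP attribute (assumed example).
AdminTask.addIdMgrLDAPAttr('[-id %s -name mail -propertyName ibm-primaryEmail '
                           '-entityTypes PersonAccount]' % REP_ID)

# Steps 17-18: the "External" mapping. OpenLDAP exposes a stable entry id as
# entryUUID, where Sun Java Directory Server uses a different attribute.
AdminTask.addIdMgrLDAPExternalIdAttr('[-id %s -name entryUUID -syntax String '
                                     '-autoGenerate false]' % REP_ID)

# Steps 20-21: group membership attribute for groupOfNames entries.
AdminTask.addIdMgrLDAPGroupMemberAttr('[-id %s -name member -objectClass groupOfNames '
                                      '-scope direct]' % REP_ID)

# Steps 22-24: base entry in the repository and in the realm.
AdminTask.addIdMgrRepositoryBaseEntry('[-id %s -name "%s" -nameInRepository "%s"]'
                                      % (REP_ID, BASE_DN, BASE_DN))
AdminTask.addIdMgrRealmBaseEntry('[-name %s -baseEntry "%s"]' % (REALM, BASE_DN))
AdminConfig.save()

# Sanity check before the restart of Step 25: the realm should list only the
# file repository and the new OpenLDAP repository (compare with Section 3.1).
print AdminTask.listIdMgrRepositories()
```

Restart WebSphere afterwards, as in Step 25, and confirm in the console that no unrelated repositories remain in the realm.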

4.2 Configure Content Platform Engine Bootstrap User

Same as Section 3.2.

4.3 Configure VMM Provider

Same as Section 3.3.



5 Configure File Repository with Content Platform Engine

5.1 Create File Repository
WebSphere automatically creates a file repository during its installation. This means that you will skip the Configure LDAP task in FileNet Configuration Manager.

This section assumes that file repository is the only VMM repository used in your WebSphere server. Use the steps below to verify it.
  1. Log in to the WebSphere Administrative Console as a local WebSphere administrative user, and navigate to Security > Global security > Federated repositories.
  2. Verify that only the following file repository is in the realm. If there are other unrelated repositories in the list, delete them, save the change, and restart WebSphere Application Server.

Follow these instructions if you need to create users and groups in file repository:

1. Log in to WebSphere Administrative Console as a local WebSphere administrative user.
2. Navigate to Security > Global security > Federated repositories > Supported entity types.
3. In the column Base Entry for the Default parent, verify the values for Groups and PersonAccount are o=defaultWIMFileBasedRealm. If they are not, change them and restart WebSphere Application Server.


4. Navigate to Users and Groups > Manage Users and click Create… .

5. Create your users. The following screen shot shows an example.

6. Navigate to Users and Groups > Manage Groups, and click Create… to create groups.

5.2 Configure Content Platform Engine Bootstrap User
Same as Section 3.2, except that the bootstrap user must come from file repository instead of LDAP repository.

5.3 Configure VMM Provider
Same as Section 3.3.

6 Configure Custom Repository with Content Platform Engine

6.1 Create Custom Repository
Instead of creating the repository in FileNet Configuration Manager, you must use WebSphere commands. That means that you will need to skip the Configure LDAP task in FileNet Configuration Manager.

Follow the link below to download a sample custom repository and deploy it:
The sample JAR file comes with source code files which can be extracted by unzipping it. You can use it as a starting point to write your own custom repository.

After configuring the sample custom repository, follow these instructions if you need to create users and groups in it.
1. Log in to WebSphere Administrative Console as a local WebSphere administrative user.
2. Navigate to Security > Global security > Federated repositories > Supported entity types.
3. Click the Group link. Change the value of Base entry for the default parent to o=sampleFileRepository.
4. Make the same change for the PersonAccount link, as shown in the following screen shot:

Note: You do not need to change the value of OrgContainer.
5. Restart WebSphere Application Server, and log in to your WebSphere Administrative Console again.
6. Navigate to Users and Groups > Manage Users, and click Create… to create users.

7. Navigate to Users and Groups > Manage Groups, and click Create… to create groups.

6.2 Configure Content Platform Engine Bootstrap User
Same as Section 3.2, except that the bootstrap user comes from the custom repository instead of LDAP repository.

6.3 Configure VMM Provider
Same as Section 3.3.


Document Information

Modified date: 06 May 2021

UID: swg27041331