You Are here:

20 -May -2012
Apache DS and WAS 6.1: Enabling security PDF Print E-mail
Written by Chintan Rajyaguru   
Saturday, 17 February 2007 18:00
This entry is a follow up on using Apache Directory Server (Apache DS) and WAS 6.1 to implement security. If you haven't already, review Apache DS installation and configuration here and how to create users and groups here. In this entry, I will describe how to configure WAS 6.1 to use Apache DS and enable security.

Starting v6.1, WebSphere separates administrative security from application security. The term administrative security means you need username and password to administer the server. This includes getting server status, stopping the server (somehow it doesn't include starting the server, you can start the server without supplying username and password) and administer the server through admin console or through wsadmin scripts. The term application security means you can protect resources in your application (e.g. you can protect /profile url), assign application security roles to those protected resources and map users or groups from ldap to those roles. It is important to note that starting WebSphere 6.1, you can choose to enable only administrative security or only application security or both. In previous versions you were required to enable or disable both at the same time. For now, we will only enable administrative security, we will talk about application security in the future when we have a sample application. This assumes that

  1. you have already created a WebSphere 6.1 profile with security disabled (if you want to know how to do that Send me an email)
  2. WAS is running
  3. you have installed Apache DS and created users and groups
  4. Apache DS ldap server is running
To enable administrative security,
  • Go to WAS admin console http://<host>:port/admin. For example, http://localhost:9060/admin
  • Click on Security > Secure administration, applications, and infrastructure
  • Select Standalone LDAP registry in Available realm definitions dropdown and click Configure
  • Enter the following values in the screen:
    • Primary administrative username: wasadmin (the admin user already created in ldap)
    • Select Server identity that is stored in the repository radio button (because we don't want WebSphere to generate an id for us)
    • Type of LDAP server: Custom (Apache DS is NOT one of the supported ldap servers)
    • Host: localhost
    • Port: 10389 (port on which Apache DS is listening)
    • Base distinguish name (DN): dc=example,dc=com (all our groups and users are under this base dn)
    • Bind distinguish name (DN): uid=wasadmin,ou=people,dc=example,dc=com (entry that uniquely identifies wasadmin user)
    • Bind password: <password for wasadmin user you used in when you created user in LDAP>
    • Leave default values for other options
    • Click Apply
    • Click Save directly to the master configuration link
  • Click Advanced Lightweight Directory Access Protocol (LDAP) user registry settings link under Additional Properties section
    • User filter: (&(uid=%v)(objectclass=inetOrgPerson))
    • Group filter: (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)))
    • User ID map: *:uid
    • Group ID map: groupOfNames:member;groupOfUniqueNames:uniqueMember
    • Click OK
    • Click Save directly to the master configuration link at the top of the page
  • Click OK and Save again
  • Click Security > Secure administration, applications, and infrastructure link on the left hand panel
  • Select Enable administrative security checkbox 
  • Unselect Enable application security checkbox
  • Unselect Java 2 security checkbox
  • Select Standalone LDAP registry in Available realm definitions dropdown and click Set as current button
  • Click Apply button 
  • Click Save directly to the master configuration link

We have enabled administrative security but the change will not take effect until we restart the server. Restart the server and go to admin console. Since security is enabled, you will be asked to accept a certificate and login using the WAS admin username and password you specified in ldap. From this point on, Apache DS must be running before you can administer the server.

Edit on Sunday Feb 18, 2007: Corrected the value of Bind distinguish name (DN): to read

Bind distinguish name (DN): uid=wasadmin,ou=people,dc=example,dc=com (entry that uniquely identifies wasadmin user)

Comments
Add New Search
Write comment
Name:
Email:
 
Website:
Title:
UBBCode:
[b] [i] [u] [url] [quote] [code] [img] 
 
 
:angry::0:confused::cheer:B):evil::silly::dry::lol::kiss::D:pinch:
:(:shock::X:side::):P:unsure::woohoo::huh::whistle:;):s
:!::?::idea::arrow:
 
Please input the anti-spam code that you can read in the image.

3.26 Copyright (C) 2008 Compojoom.com / Copyright (C) 2007 Alain Georgette / Copyright (C) 2006 Frantisek Hliva. All rights reserved."

< Prev   Next >
Last Updated on Sunday, 18 February 2007 12:21