Configure LDAP on Websphere Application Server 8.5

The default configuration and deployment of IFS Applications on Websphere Application Server 8.5 uses a custom user registry as the mode of authentication. This document lays out the steps that must be followed when a Standalone LDAP registry is used as the mode of authentication instead. Many LDAP servers are commercially available; the following configuration is based on Microsoft Active Directory.

The configuration given below is valid for Websphere Application Server 8.5 running on both Windows and Unix environments.

Prerequisites

It is assumed that the LDAP structure for the organization is already in place. You will have to contact the system administrator to obtain the necessary information, such as the LDAP user groups. A basic knowledge of LDAP is also required.

All the users who require connectivity to IFS Applications must be available in the same LDAP domain. In addition, all the users must be granted the same LDAP role. For example, all the test users that we tested with belonged to an LDAP role called CN=Org.Employees.TST.Staff.EN,OU=Staff,OU=TST,OU=Employees,OU=Organizational,OU=ENGroups,DC=testnet,DC=testworld,DC=com. This is required later, during application deployment, when J2EE roles are mapped to LDAP roles.

All the LDAP users must have a corresponding Foundation1 user in the database. The Directory Id of the Foundation1 user must be the same as the LDAP user name.
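The two prerequisites above (a common LDAP role for every user, and a Foundation1 user whose Directory Id equals the LDAP user name) are easy to get wrong in a large directory. The following pre-flight check is an added example written for this page, not code from IFS or IBM. It runs against a constructed sample of what an Active Directory user export (sAMAccountName and memberOf) and the Foundation1 Directory Id column might look like; the group DN is the one quoted above. It assumes no RDN value contains an escaped comma, which holds for DNs of this shape.

```python
# Added example (not from the IFS/WebSphere documentation): pre-flight checks for the
# prerequisites above, run against constructed sample data instead of a live directory.

REQUIRED_GROUP = ("CN=Org.Employees.TST.Staff.EN,OU=Staff,OU=TST,OU=Employees,"
                  "OU=Organizational,OU=ENGroups,DC=testnet,DC=testworld,DC=com")

# Constructed sample: rows as an AD export tool might emit them (note the differing
# spacing and case in jsmith's group DN, which is still the same group).
LDAP_USERS = [
    {"sAMAccountName": "prralk", "memberOf": [REQUIRED_GROUP]},
    {"sAMAccountName": "jsmith", "memberOf": [
        "cn=Org.Employees.TST.Staff.EN, ou=Staff, ou=TST, ou=Employees, "
        "ou=Organizational, ou=ENGroups, dc=testnet, dc=testworld, dc=com"]},
    {"sAMAccountName": "tjones", "memberOf": [
        "CN=Other,OU=ENGroups,DC=testnet,DC=testworld,DC=com"]},
    {"sAMAccountName": "IFSWEBCONFIG", "memberOf": [REQUIRED_GROUP]},
]

# Constructed sample: the Directory Id column of the Foundation1 user table.
FND_DIRECTORY_IDS = ["PRRALK", "jsmith", "IFSWEBCONFIG", "legacyuser"]


def normalize_dn(dn):
    """Canonicalize a DN for comparison: trim whitespace around each RDN and fold case.
    AD DNs are case-insensitive, and exports differ in spacing after commas.
    Assumption: no RDN value contains an escaped comma."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def users_missing_group(users, required_group):
    """Return the sAMAccountNames of users that are not members of required_group.
    These users will fail the J2EE role mapping done later at deployment time."""
    wanted = normalize_dn(required_group)
    return [u["sAMAccountName"] for u in users
            if wanted not in {normalize_dn(g) for g in u["memberOf"]}]


def reconcile_directory_ids(users, directory_ids):
    """Match LDAP user names against Foundation1 Directory Ids.

    Returns (ldap_only, db_only, case_mismatch). The documentation requires the
    Directory Id to be the same as the LDAP user name, so names that agree only
    when case is ignored are reported separately for the administrator to decide."""
    ldap_names = {u["sAMAccountName"] for u in users}
    db_names = set(directory_ids)
    exact = ldap_names & db_names
    ldap_ci = {n.lower(): n for n in ldap_names - exact}
    db_ci = {n.lower(): n for n in db_names - exact}
    case_mismatch = sorted((ldap_ci[k], db_ci[k]) for k in ldap_ci.keys() & db_ci.keys())
    ldap_only = sorted(ldap_ci[k] for k in ldap_ci.keys() - db_ci.keys())
    db_only = sorted(db_ci[k] for k in db_ci.keys() - ldap_ci.keys())
    return ldap_only, db_only, case_mismatch


if __name__ == "__main__":
    print("users without the common LDAP role:", users_missing_group(LDAP_USERS, REQUIRED_GROUP))
    ldap_only, db_only, case_mismatch = reconcile_directory_ids(LDAP_USERS, FND_DIRECTORY_IDS)
    print("LDAP users without a Foundation1 user:", ldap_only)
    print("Foundation1 users without an LDAP user:", db_only)
    print("names that differ only in case (LDAP, Foundation1):", case_mismatch)
```

Users reported in the first list will be able to bind to LDAP but will not receive the IFSUser J2EE role; users in the second list have no way to log in at all, and names that differ only in case should be corrected on the Foundation1 side before going further.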

Configure Websphere Application Server

  1. Start Websphere application server
    1. Open Administrative Console
    2. Log in to the Admin console.
    3. Go to Security > Global Security.
  2. In the Available realm definitions drop-down, select Standalone LDAP registry and click Configure.
  3. Before you fill in the configuration details, do the following:
    1. Determine the full distinguished name (DN) and password of an account in the administrators group of the LDAP registry. This user must be able to search and read user and group information from the registry.
    2. Determine the short name and password of the administrative user. In a Windows environment this can be the administrative user of the server node that WebSphere is installed on. In a Unix environment this can be an administrative user in the LDAP registry. In both environments this can be the same user as the one selected in step 3a.
  4. Now fill in the information:
    1. In the field Primary administrative user name, enter the administrator user name (the short name, not the full distinguished name). This is the name determined in step 3b.
    2. Select the check box Server identity that is stored in the repository.
    3. Enter the same user ID and its password.
    4. In the Type of LDAP server drop-down, select Microsoft Active Directory.
    5. In the Host field, specify the domain name service (DNS) name of the machine that is running Microsoft Active Directory. The default port is prefilled; change it if your server listens on a different port.
    6. In the Base distinguished name (DN) field, specify the domain components of the DN of the account chosen in step 3b above. For example: DC=testnet,DC=testworld,DC=com
    7. In the field Bind distinguished name (DN), enter the full distinguished name of the account chosen in step 3b above.
      For example: CN=prralk,CN=users,DC=testnet,DC=testworld,DC=com. Alternatively, you can enter the user's domain login name. For example: prralk@testnet.testworld.com
    8. In the field Bind password, enter the password of the account given as the bind distinguished name in step 4g.
    9. Click OK and Save to save the changes to the Master configuration.
  5. Back in the main security configuration page, set Standalone LDAP registry as the current authentication realm by clicking Set as current.
    1. Select Enable administrative security check box,
    2. Select Enable application security check box.
    3. Deselect Use java 2 security to restrict....
    4. Select OK and Save changes to master configuration.
  6. Once security is enabled, you have to supply the user name and password of the administrative user (the user used in step 4a) in order to stop the server. The simplest way to do this is to modify the following script by adding the administrative user name and password as shown.
    1. In the <WAS_INSTALL_HOME>\AppServer\profiles\AppSrv01\bin\stopServer.bat script, modify the call as follows:
      call "C:\Program Files\IBM\WebSphere\AppServer\bin\stopServer.bat" %* -username <adminuser> -password <passwd>
    2. Since the user name and password are then stored in plain text in the stopServer.bat script, follow the steps given here to enhance security.
  7. Now add a new user alias in the J2C authentication data, based on the server admin user ID, so that this user can be used by the Service Integration Bus and other JMS services.
    1. Go to Security > Global Security.
    2. Select Java Authentication and Authorization Service > J2C authentication data.
  8. Create a new entry for the server admin account.
    1. Give any name as the alias (e.g. serveradmin). For the user ID, give the user name of the administrative user used in step 4a above (the admin user of the WAS node).
    2. Give the password.
    3. Click OK and Save to save additions to the Master configuration.
  9. Go to JMS providers > Default messaging provider > Activation specification.
    1. Select the activation specification that was created, e.g. FndAdminTopicAS.
    2. In the Authentication alias drop-down, select the alias created in step 8a.
    3. Select OK and Save to save the changes.
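Steps 4.6 and 4.7 above tie the Base DN to the domain components of the bind account's DN, and WebSphere will only find users and groups that sit below that Base DN. The following helper, an added example written for this page rather than IBM or IFS code, derives the Base DN from either form of bind identity the text allows (full DN or user@domain) and checks that the group DN from the prerequisites lies under it. The DNs are the document's own examples; the user@domain mapping assumes the UPN suffix equals the DNS name of the AD domain, which is the common case but not guaranteed in forests with alternative UPN suffixes.

```python
# Added example (not from the IFS/WebSphere documentation): derive and sanity-check the
# Base DN and Bind DN values for the Standalone LDAP registry before entering them.


def parse_dn(dn):
    """Split an LDAP DN into [(type, value), ...].

    Honours backslash-escaped commas inside values (RFC 4514) and ignores whitespace
    around separators, so "CN=a, OU=b" and "CN=a,OU=b" parse identically.
    Attribute types are upper-cased; values are kept as written."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape and the escaped char verbatim
            i += 2
            continue
        if c == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(c)
        i += 1
    rdns.append("".join(current))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def format_dn(pairs):
    """Join (type, value) pairs back into the compact form used in the console."""
    return ",".join(f"{a}={v}" for a, v in pairs)


def base_dn_from_bind_dn(bind_dn):
    """Base DN for step 4.6: the trailing DC= components of the bind account's DN."""
    pairs = parse_dn(bind_dn)
    dcs = [(a, v) for a, v in pairs if a == "DC"]
    if not dcs or pairs[-len(dcs):] != dcs:
        raise ValueError("bind DN has no trailing domain components")
    return format_dn(dcs)


def base_dn_from_upn(upn):
    """Base DN when the bind identity is given as user@domain (the alternative in step 4.7).
    Assumption: the UPN suffix is the DNS name of the AD domain."""
    user, at, domain = upn.partition("@")
    if not at or not user or not domain:
        raise ValueError("expected user@domain")
    return format_dn(("DC", label) for label in domain.split("."))


def is_under_base(dn, base_dn):
    """True if dn lies beneath base_dn; comparison ignores case and spacing.
    Use it to confirm the common LDAP group and the user containers are searchable."""
    d = [(a, v.lower()) for a, v in parse_dn(dn)]
    b = [(a, v.lower()) for a, v in parse_dn(base_dn)]
    return len(d) >= len(b) and d[-len(b):] == b


if __name__ == "__main__":
    bind_dn = "CN=prralk, CN=users, DC=testnet, DC=testworld, dc=com"
    group = ("CN=Org.Employees.TST.Staff.EN,OU=Staff,OU=TST,OU=Employees,"
             "OU=Organizational,OU=ENGroups,DC=testnet,DC=testworld,DC=com")
    base = base_dn_from_bind_dn(bind_dn)
    print("Base DN:", base)
    print("same via UPN:", base_dn_from_upn("prralk@testnet.testworld.com") == base)
    print("group searchable under base:", is_under_base(group, base))
```

If the group check returns False, the J2EE role mapping at deployment time will not be able to resolve the group even though the bind itself succeeds, so either widen the Base DN or move the group.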

Changes when installing IFS Applications

  1. The following change is necessary to make the Web Client work with LDAP authentication. It is not needed if you have created the internal system users as LDAP users in the LDAP user registry; it applies only when an existing LDAP user is made to act as the IFSWEBCONFIG user.
  2. The Web Client uses an internal system user named IFSWEBCONFIG, which has the database role FND_WEBCONFIG. Select a user that exists in the LDAP user registry and has a corresponding Foundation1 user in the database to act as the IFSWEBCONFIG user, and grant the role FND_WEBCONFIG to that user. During the installation (or reconfiguration) of IFS Applications, when you reach the step where the passwords for the internal system users are entered, enter the password of the LDAP user selected to act as IFSWEBCONFIG as the password of the IFSWEBCONFIG user.
  3. The LDAP user selected to act as the IFSWEBCONFIG user must be granted a second LDAP role in addition to the common LDAP role granted to all users. For example, in our test environment the test user was granted the two LDAP roles CN=Org.Employees.TST.Staff.EN,OU=Staff,OU=TST,OU=Employees,OU=Organizational,OU=TESTGroups,DC=testnet,DC=testworld,DC=com and CN=Org.Employees.TST.Technology.Staff.EN,OU=Staff,OU=Technology,OU=TST,OU=Employees,OU=Organizational,OU=TESTGroups,DC=testnet,DC=testworld,DC=com

IFS Internal users

IFS Applications use several internal users. Correct setup of these internal users is mandatory for the application to function correctly. There are two ways to handle the internal users.

  1. Set up internal users as LDAP users
  2. Make existing LDAP users behave as internal users

Procedure

  1. Set up internal users as LDAP users
    1. In the LDAP user registry of the organization, create users corresponding to the internal system users.
    2. For example, there should be a user corresponding to IFSADMIN in the LDAP registry named IFSADMIN, and so on. Set up these internal system users accordingly in the database.
    3. The LDAP users created to correspond to the internal system users must belong to the same LDAP group as the other LDAP users. This is the LDAP group assigned to the J2EE role IFSUser. In addition, the IFSWEBCONFIG user must also belong to the second LDAP group that is assigned to the J2EE role IFSTrustedExternalModule.
  2. Make existing LDAP users behave as internal users
    1. You can make existing LDAP users behave as internal system users by granting them the database roles that are assigned to the internal system users.
    2. For example, the IFSADMIN user is needed to perform functions such as adding users to the system. If you want to make an LDAP user behave as IFSADMIN, you have to grant the database role FND_ADMIN to the corresponding Foundation1 user. Once this role is granted, that LDAP user can also operate with the privileges granted to IFSADMIN.
    3. Likewise, if you want to make an LDAP user behave as another internal system user, grant the corresponding Foundation1 user the necessary roles in the database. You may have to do this for users such as IFSCONNECT and IFSPLSQLAP.
    4. If you assign an LDAP user to behave as IFSWEBCONFIG, that user has to be granted the role FND_WEBCONFIG and must be used during the IFS Applications installation process as shown above.

Deploying EAR files

  1. Deploy the EAR files