Enabling security with federated repositories
To use HCL Commerce with LDAP, you must configure WebSphere Application Server Administrative Security with Federated Repositories. The federated repositories consist of one or more LDAP servers and a built-in, file-based repository.
The file-based repository stores the WebSphere Application Server Primary Administrative User. Even if the LDAP server is unavailable, the Primary Administrative User can still log on to the WebSphere Application Server administrative console.
Before you begin
Ensure that you complete the following tasks:
- Ensure that the database is started.
- Ensure that the LDAP server is started.
- Ensure that the WebSphere Application Server is running.
- If you are using SSL with the LDAP server, ensure that the WebSphere Application Server administrative security is enabled by using the file-based registry. If the administrative security is not enabled, the configuration scripts fail.
- If you are planning to set up HCL Commerce to connect with multiple LDAP servers, see the sample configuration steps in Federating two LDAP servers with a common root organization.
Important:
- HCL Commerce does not support rolling back to use the database repository after you configure HCL Commerce to use an LDAP repository.
- LDAP integration for HCL Commerce is implemented in Version 9.1.5. Ensure that you are using this version of HCL Commerce or later.
About this task
The HCL Commerce LDAP integration supports the following LDAP server options:
- IBM Security Directory Server
- Custom LDAP v3 compliant server
Procedure
Complete the following steps to enable WebSphere Application Server security with Federated Repositories:
- Copy the vmm.properties file from the following location in the ts-app or ts-utils container:
  - Location in ts-app container: /SETUP/ldap/properties
  - Location in ts-utils container: /opt/WebSphere/CommerceServer90/components/ldap/properties
- Update the vmm.properties file with the required LDAP information.
For example:

#
# -----------------------------------------------------------------
# Licensed Materials - Property of HCL Technologies
#
# HCL Commerce
#
# (C) Copyright HCL Technologies Limited 1996, 2020
# -----------------------------------------------------------------
#

# LDAP server type
# Accepted values: (IDS, DOMINO, SUNONE, AD, NDS, CUSTOM)
# IDS = IBM Security Directory Server
# DOMINO = IBM Lotus Domino
# SUNONE = Sun Java System Directory Server
# AD = Microsoft Windows Active Directory
# NDS = Novell Directory Services
# CUSTOM = A custom Directory Server
#--------------------------------------------------------
vmm.ldapType=IDS

# Fully qualified LDAP server host name or IP address
#--------------------------------------------------------
vmm.ldapHost=123.456.789.210

# LDAP server port number
#--------------------------------------------------------
vmm.ldapPort=389

# Specifies whether the LDAP server requires an SSL connection
# Accepted values are: (true, false)
#--------------------------------------------------------
vmm.ldapWithSSL=false

# The keystore file path for SSL communication to LDAP
#--------------------------------------------------------
vmm.keystorePath=

# The keystore password
# (To avoid decrypting warnings in the log, it is strongly recommended to use
# the ASCII encrypted string generated from the <WCInstallDir>/bin/wcs_encrypt.bat
# command without the merchant key option.)
#--------------------------------------------------------
vmm.keystorePassword=

# LDAP search base distinguished name, must be lower case
#--------------------------------------------------------
vmm.baseDN=o=root organization

# LDAP bind distinguished name, must be lower case
#--------------------------------------------------------
vmm.bindDN=cn=root

# LDAP bind password XOR encoded by the WAS PropFilePasswordEncoder utility
# For example: {xor}Lz4sLChvLTs=
#
# Needed for Runtime Environment.
#--------------------------------------------------------
vmm.xorBindPassword={xor}Lz4sLChvLTs=

# LDAP bind password
# (To avoid decrypting warnings in the log, it is strongly recommended to use
# the ASCII encrypted string generated from the <WCInstallDir>/bin/wcs_encrypt.bat
# command without the merchant key option.)
#
# Needed for Development Environment.
#--------------------------------------------------------
vmm.bindPassword=MVDKlJXqsnF6jaJjqJFu0+EaHcS1e7lZc1Iran+Ms8Q=

# A full DN that maps to the HCL Commerce root organization; must be lower case.
#--------------------------------------------------------
vmm.rootOrgDN=o=root organization

# A full DN that maps to the HCL Commerce default organization; must be lower case.
#--------------------------------------------------------
vmm.defaultOrgDN=o=default organization,o=root organization

# Specifies the property names to use to log into the application server.
# This field takes multiple login properties, delimited by a semicolon (;).
# For example, uid;mail. All login properties are searched during login.
# If multiple entries or no entries are found, an exception is thrown.
# For example, if you specify the login properties as uid;mail and the login ID as Bob,
# the search filter searches for uid=Bob or mail=Bob. When the search returns a single entry,
# then authentication can proceed. Otherwise, an exception is thrown.
#--------------------------------------------------------
vmm.ldapLoginProp=uid

# The realm name, defaults to WC_<instanceName>_Realm.
#--------------------------------------------------------
vmm.realmName=myrealm

# The primary admin user id for the administrative security.
# If global security is already enabled, input the primary user
# currently in use.
# Otherwise, input a user which does not exist in the federated
# repositories; the tool will create it in the WebSphere Application
# Server built-in file-based user repository.
#--------------------------------------------------------
vmm.primaryAdminId=configadmin

# The primary admin user password for the administrative security.
# (To avoid decrypting warnings in the log, it is strongly recommended to use
# the ASCII encrypted string generated from the <WCInstallDir>/bin/wcs_encrypt.bat
# command without the merchant key option.)
#
# This is used by Toolkit. In Runtime, it's retrieved from a local file
#--------------------------------------------------------
vmm.primaryAdminPwd=Ntjz8goyUYB8qplNy78MOBiIbv9pKAviyQYk5S/O6xY=

# The Commerce test server name on toolkit,
# Old name: WebSphere Commerce Test Server
# New name: HCL Commerce Test Server
# The default name is HCL Commerce Test Server; if you use the old test server name,
# please set the property to the old name.
#--------------------------------------------------------
commerceTestServerName=WebSphere Commerce Test Server

# LDAP user search filter, needed when vmm.ldapType=CUSTOM
#--------------------------------------------------------
vmm.ldapUserFilter=(&(uid=%v)(objectclass=inetOrgPerson))

# LDAP user prefix, needed when vmm.ldapType=CUSTOM (for example, uid)
#--------------------------------------------------------
vmm.userPrefix=uid

# LDAP organization prefix (for example, o)
# Needed when vmm.ldapType=CUSTOM
#--------------------------------------------------------
vmm.orgPrefix=o

# LDAP organizational unit prefix, needed when vmm.ldapType=CUSTOM
# (for example, ou)
#--------------------------------------------------------
vmm.orgUnitPrefix=ou

# LDAP user object class, needed when vmm.ldapType=CUSTOM
# (for example, inetOrgPerson)
#--------------------------------------------------------
vmm.userObjClass=inetOrgPerson

# LDAP organization object class, needed when vmm.ldapType=CUSTOM
# (for example, organization)
#--------------------------------------------------------
vmm.orgObjClass=organization

# LDAP organizational unit object class, needed when vmm.ldapType=CUSTOM
# (for example, organizationalUnit)
#--------------------------------------------------------
vmm.orgUnitObjClass=organizationalUnit

# LDAP administrator distinguished name
# @deprecated
#--------------------------------------------------------
vmm.ldapAdminDN=

# LDAP administrator password
# (To avoid decrypting warnings in the log, it is strongly recommended to use
# the ASCII encrypted string generated from the <WCInstallDir>/bin/wcs_encrypt.bat
# command without the merchant key option.)
# @deprecated
#--------------------------------------------------------
vmm.ldapAdminPassword=
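The property comments above carry several constraints that are easy to get wrong by hand: DN values must be lower case, vmm.ldapWithSSL=true needs a keystore path, vmm.ldapType=CUSTOM needs the filter, prefix and object-class properties, and vmm.xorBindPassword must be in {xor} form. The checker below is an added example, not part of this page or the product; the sample file, the issue messages and the xor_encode helper (assumed to mirror the PropFilePasswordEncoder scheme of XOR with '_' then base64, which reproduces the page's example value) are constructed here.

```python
import base64
import re

# Constructed sample in the page's vmm.properties layout (not the product's file); it contains mistakes.
SAMPLE = """\
vmm.ldapType=CUSTOM
vmm.ldapWithSSL=true
vmm.keystorePath=
vmm.baseDN=o=Root Organization
vmm.bindDN=cn=root
vmm.xorBindPassword={xor}Lz4sLChvLTs=
vmm.ldapUserFilter=(&(uid=%v)(objectclass=inetOrgPerson))
vmm.userPrefix=uid
"""

LOWERCASE_DNS = ("vmm.baseDN", "vmm.bindDN", "vmm.rootOrgDN", "vmm.defaultOrgDN")
CUSTOM_KEYS = ("vmm.ldapUserFilter", "vmm.userPrefix", "vmm.orgPrefix", "vmm.orgUnitPrefix",
               "vmm.userObjClass", "vmm.orgObjClass", "vmm.orgUnitObjClass")

def parse_properties(text):
    """Minimal key=value parser; DN and filter values contain '=' so split on the first one only."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def xor_encode(plain):
    """Assumed WebSphere {xor} form: each byte XOR '_' (0x5F), then base64. Obfuscation, not encryption."""
    return "{xor}" + base64.b64encode(bytes(b ^ 0x5F for b in plain.encode())).decode()

def check_vmm(props):
    """Return the constraints from the property comments that this file violates."""
    issues = [f"{k}: DN must be lower case" for k in LOWERCASE_DNS
              if props.get(k, "") != props.get(k, "").lower()]
    if props.get("vmm.ldapWithSSL") == "true" and not props.get("vmm.keystorePath"):
        issues.append("vmm.keystorePath: required when vmm.ldapWithSSL=true")
    if props.get("vmm.ldapType") == "CUSTOM":
        issues += [f"{k}: required when vmm.ldapType=CUSTOM" for k in CUSTOM_KEYS
                   if not props.get(k)]
    xor = props.get("vmm.xorBindPassword", "")
    if xor and not re.fullmatch(r"\{xor\}[A-Za-z0-9+/]+=*", xor):
        issues.append("vmm.xorBindPassword: expected {xor} followed by base64")
    return issues

if __name__ == "__main__":
    for issue in check_vmm(parse_properties(SAMPLE)):
        print(issue)
```

Because the {xor} form is reversible, treat the properties file with the same care as the plaintext vmm.bindPassword it stands in for.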
- Enable LDAP in the database by completing the following steps:
- Build the customized ts-app docker image to enable LDAP by completing the following steps: