Home
HCL Digital Experience Product Documentation
Welcome to the product documentation for HCL Digital Experience. Find information about how to install, configure, maintain, and use HCL Web Content Manager and HCL Portal Server, Enable, and Extend solutions.
HCL Digital Experience 8.5
Learn how to install, configure, troubleshoot, maintain, and use Version 8.5 of HCL Web Content Manager and HCL Portal Server, Enable, and Extend.
Securing
Security tasks include setting up property extension databases and custom user repositories, configuring and activating SSL, and configuring authentication. In addition, tasks such as activating Federal Information Processing Standards (FIPS) and NIST SP800-131a security modules and configuring external security managers such as Security Access Manager might be required to secure your portal environment.
Security and authentication considerations
Security and authentication are key elements of a production environment. Learn about single sign-on, credential vaults and external security managers.
Credential Vault
The Credential Vault is a service that stores credentials that allow portlets to log in to applications outside the realm on behalf of the user. It manages multiple identities for portlets and users.

HCL Digital Experience Product Documentation
Welcome to the product documentation for HCL Digital Experience. Find information about how to install, configure, maintain, and use HCL Web Content Manager and HCL Portal Server, Enable, and Extend solutions.
- HCL Digital Experience 9.5
- HCL Digital Experience 9.5 [Legacy Content]
- HCL Digital Experience 9.0
  Learn how to install, configure, troubleshoot, maintain, and use Version 9.0 of HCL Web Content Manager and HCL Portal Server, Enable, and Extend.
- HCL Digital Experience 8.5
  Learn how to install, configure, troubleshoot, maintain, and use Version 8.5 of HCL Web Content Manager and HCL Portal Server, Enable, and Extend.
  - Overview
    HCL Digital Experience (formerly IBM WebSphere Portal and IBM Web Content Manager) empowers you to create, manage, and deliver engaging omnichannel digital experiences to virtually all audiences with responsive content, targeted offers, seamlessly integrated applications, and consistent branding across channels (web, mobile. and hybrid mobile/web applications and more).
  - Roadmaps to deploy your system
    Review the roadmaps to understand the common deployment, configuration, migration, and integration patterns.
  - Roadmaps to create your website
    Review the roadmaps to understand how to create your website.
  - Online Help
    This Online Help is made available in the HCL Digital Experience Help Center for quick references on how to install, configure, maintain, and use HCL Digital Experience.
  - Installing
    HCL Digital Experience provides flexible deployment options that range from proof-of-concept where you can examine and test functionality to a highly available and scalable production environment. Review the planning information to learn more about hardware and software requirements, high availability, scalability, supported topologies, and much more. Select your operating system and then select the installation pattern that most reflects your business needs.
  - Configuring
    Run the following tasks after you install and deploy HCL Digital Experience. They address tasks that are typically run one time and have a global effect. Some configuration changes are made more frequently or do not have a global effect. These tasks are addressed in the Administering section.
  - Backup and restore
    Backup and recovery of data files and databases is an essential operation for any business system, particularly for data and applications that run in production environments. Create and follow a plan for backing up and recovering data on all tiers of your HCL Digital Experience deployment. IBM Installation Manager must also be included in backup and recovery planning. If you back up the HCL Portal file structure and then install a fix pack, your HCL Digital Experience and IBM Installation Manager become out of sync after you restore the HCL Portal file system. This condition is not recoverable.
  - Migrating
    Successful migration requires significant planning and preparation, understanding the tools that are involved, and careful execution of the appropriate steps in the order provided.
  - Integrating
    Integrate HCL Digital Experience with software such as HCL Sametime to enable your users to collaborate more easily. You can also use the unified task list portlet to integrate HCL with your backend business process software, such as IBM Process Server.
  - Administering
    Use the administration tools that are provided with the portal to do various day-to-day administration tasks. There are two methods for editing portal setup: using the administration portlets or the XML configuration interface. The administration portlets are a convenient way to make real-time updates to the portal's configuration. While the XML configuration interface is suited to more advanced administration, including batch processing of updates.
  - Securing
    Security tasks include setting up property extension databases and custom user repositories, configuring and activating SSL, and configuring authentication. In addition, tasks such as activating Federal Information Processing Standards (FIPS) and NIST SP800-131a security modules and configuring external security managers such as Security Access Manager might be required to secure your portal environment.
    - Security and authentication considerations
      Security and authentication are key elements of a production environment. Learn about single sign-on, credential vaults and external security managers.
      - Authentication
        Authentication requires users to identify themselves to gain access to a system or resources. The combination of a user ID and a password is the most common method of authentication. Users can identify themselves immediately upon entry to the system or the system can prompt users to identify themselves before accessing protected resources. After users successfully authenticate, the system identifies which resources-specific users have sufficient authorization to access.
      - Federal Information Processing Standards and (NIST) SP800-131a
        Federal Information Processing Standards (FIPS) and NIST SP800-131a are standards and guidelines issued by the United States National Institute of Standards and Technology (NIST) for federal government computer systems. FIPS and SP800-131a are developed when there are compelling federal government requirements for standards, such as for security and interoperability, but acceptable industry standards or solutions do not exist.
      - Planning for single sign-on
        Single sign-on provides a secure method of authenticating a user one time within an environment and using that authentication (for the duration of the session) to access other applications, systems, and networks. In the context of HCL Digital Experience there are two single sign-on realms; one realm from the client to the portal and other web applications and the other realm from the portal to the backend applications.
      - Secure communications using SSL
        Configuring HCL Digital Experience for SSL adds security to the client-portal exchange. It encrypts all traffic between the client browser and the server, so that no one can "eavesdrop" on the information that is exchanged over the network between the client browser and HCL Digital Experience. In addition, assuming that the IBM WebSphere Application Server is also configured to accept or require SSL connections, the LTPA Token and other security and session information can be protected against hijack and replay attacks.
      - Credential Vault
        The Credential Vault is a service that stores credentials that allow portlets to log in to applications outside the realm on behalf of the user. It manages multiple identities for portlets and users.
      - Caching considerations
        Information that is protected by access control and is therefore restricted to a limited set of people needs special consideration when served from an access control agnostic cache. These considerations especially apply to server side caches but you also need to consider local browser caches.
    - Controlling access
      After creating users and groups, you can assign them different levels of access to specific resources, roles, and policies. This access controls what actions they can perform on various pages, portlets, and applications.
    - Enabling Attribute Based Security
      Attribute based security for HCL Web Content Manager content is an access filter in the product filter chain. You can extend the access control permission checks for HCL Web Content Manager content beyond the user or group-based decisions. You can define your own criteria. The criteria might involve categories, keywords, textComponents, htmlComponents, or shortTextComponents for an item.
    - Java 2 security
      Java 2 (J2SE) security provides a policy-based, fine-grain access control mechanism that increases overall system integrity by checking for permissions before allowing access to certain protected system resources. J2SE security allows you to set up individual policy files that control the privileges assigned to individual code sources. If the code does not have the required permissions and still tries to execute a protected operation, the Java™ Access Controller will throw a corresponding security exception.
    - Integrating with OpenID authentication
      Web applications provide information and services to public users and personalized information and services to authenticated users. Users often work with multiple web applications, which require multiple IDs and passwords. This requirement can be difficult to maintain. Integrating identity providers (Google, Yahoo, or Facebook) into your site can simplify logging in for your users.
    - Integrating with IBM WebSphere Application Server TAI authentication
      WebSphere Application Server provides Trust Association Interceptors (TAI) plug-ins to generate an authenticated session and security context for applications that are running on the tWas infrastructure and the HCL Portal server. The login process is coded to recognize an established WebSphere Application Server authentication and use the implicit login path for such cases.
    - Enabling step-up authentication and/or the Remember me cookie
      Using step-up authentication and/or the Remember me cookie lets you fine-tune user authentication to pages and portlets.
    - Securing LTPA keys on a production environment
      The Lightweight Third Party Authentication (LTPA) key holds cryptographic keys that secure the user authentication session and cookies. To secure the production server environment, regenerate the LTPA key using the WebSphere Integrated Solutions Console. If you plan to enable single sign-on at a later time, you must first disable the automatic key generation.
    - Configuring SSL
      Secure socket layers (SSL) encrypt traffic between the client browser and the server to secure information exchanged over the network between the browser and HCL Digital Experience. You will need to configure your environment for SSL to activate this additional security feature.
    - Enabling FIPS and (NIST) SP800-131a
      HCL Digital Experience tolerates IBM WebSphere Application Server support of Federal Information Processing Standards (FIPS) and National Institute of Standards and Technology (NIST) SP800-131a. You can configure WebSphere Application Server to activate FIPS 140-2 compliant security modules. When you enable FIPS, you can use only FIPS to securely encrypt data. For this reason, you must also configure FIPS for systems that require secure transactions, which can include HTTP servers and LDAP servers.
    - Configuring Session Security Integration
      IBM WebSphere Application Server protects your session from access by other users.
    - Enabling HTTP Basic Authentication for simple clients
      HCL Digital Experience provides an HTTP Basic Authentication Trust Association Interceptor that can be enabled to allow specific clients to log into the portal by using HTTP Basic Authentication instead of HTTP Form Based Authentication.
    - Setting up custom user repositories
      A custom user repository is any repository that HCL Portal does not support out-of-box. However, you can configure HCL Portal to support any type of repository in a federated or stand-alone user registry, whether an LDAP directory, database, file system, and so on. Setting up custom user repositories involves tasks such as defining additional repositories to the default federated user registry, creating a custom stand-alone user repository, and updating your user repository to reflect changes in your environment. Learn what steps are required to create and update custom user repositories and what specific interfaces you must implement to enable communication between HCL Portal and a repository.
    - External security managers
      Use external security managers such as IBM Security Access Manager to perform authentication and authorization for HCL Digital Experience. You can use an external security manager for authentication only or for both authentication and authorization. Using an external security manager to perform only authorization is not supported at this time.
    - Deleting passwords from properties files
      The configuration tasks might require you to write security-sensitive information, such as passwords, into multiple properties files. When you no longer need this security-sensitive information for your configuration, you should remove them and move the files to a safe place or set the file permissions so that only authorized users can read them.
    - Updating user ID and passwords
      HCL Digital Experience and IBM WebSphere Application Server use some accounts from the registry (for example, the LDAP server) including administrative and bind IDs for authenticated access to databases and LDAP severs respectively, as well as the HCL Digital Experience and WebSphere Application Server administrative IDs. Often this means that the account passwords are stored in the HCL Digital Experience and WebSphere Application Server bootstraps configuration files, which allows the authentication process to work.
    - Content Security Policy
      The Content-Security-Policy header is used by modern browsers to enhance security of HCL Digital Experience site documents or web pages by allowing HCL Digital Experience administrators or developers declare which dynamic resources are allowed to load.
  - Monitoring
    HCL Portal includes tools and features to help you monitor the portal site.
  - Setting up a website
    Setting up a website includes, creating pages, adding navigation, setting up search, and adding content to the site. Themes are used to customize the portal's look-and-feel. Out-of-the-box templates and the site wizard can help you set up your portal site faster. You can add wikis and blogs to your site and let users tag and rate content on your site.
  - Staging to production
    During portal solution development, the solution is initially developed, tested, and refined on one server or a limited number of servers. The solution is deployed later on live systems, referred to as the production environment. The process of moving the solution from the development environment to the production environment is called staging.
  - Developing
    This section includes developer documentation on extending applications and development assets for HCL Portal and HCL Web Content Manager.
  - Troubleshooting
    This section helps you resolve problems, use diagnostic tools and tracing to capture HCL Digital Experience system errors.
  - Reference
    View information that can help you use the Digital Experience Help Center including directory conventions, terms of use, trademarks, a glossary, and more.
  - Glossary
    This glossary includes terms and definitions for HCL Digital Experience.
  - Content Template Catalog 4.4
    The Content Template (CTC) is a set of templates that accelerate the process of building a website.

Credential Vault | HCL Digital Experience

The Credential Vault is a service that stores credentials that allow portlets to log in to applications outside the realm on behalf of the user. It manages multiple identities for portlets and users.

Using Credential Vault, a portlet can retrieve a user's authentication identity and then pass the information to a backend application. The Credential Vault features the following level of sign-on:

Passive Credentials: Passive Credentials retrieve stored secret data such as user ID and password or certificates. This option is more flexible. However, it requires portlet writers to manage their own connections and authentication to backend applications with the credentials they retrieved from the Credential Vault.

Credential objects can also pass IBM® Security Access Manager or Computer Associates eTrust SiteMinder single sign-on tokens to backend applications.

HCL Digital Experience provides one simple database vault implementation for mappings to secrets for other enterprise applications. By default, the Credential Vault contains an administrator-managed vault segment and a user-managed vault segment. Administrator-managed vaults allow users to update mappings; however, users cannot add new applications to this vault. The user-managed vault segment allows users to add application definitions, such as a POP3 mail account, under the user vault and store a mapping there. By default, the vault uses an encryption plug-in that encodes the passwords in Base 64.

HCL Digital Experience initially provides two vault adapter configurations that write to the database:

A default vault for administrator-managed vault segments that stores credentials in the release domain: default-release
And a default vault for user-managed vault segments that stores credentials in the customization domain: default-customization

HCL Portal also supports the storage and retrieval of credentials from other vault services, such as Security Access Manager. HCL Portal includes a Credential Vault adapter for Security Access Manager. This plug-in works on the following operating systems:

AIX®
Solaris
Windows™
z/OS®