Configuring Security Access Manager for authentication only | HCL Digital Experience
HCL Digital Experience and IBM WebSphere Application Server support the Trust Association Interceptors (TAI) that IBM Security Access Manager provides. If you use Security Access Manager for authorization, you must also use Security Access Manager for authentication. Using Security Access Manager only for authorization is not supported.
About this task
Important information:
- The pdadmin command is a utility that supports Security Access Manager administrative functions.
- This procedure requires that you are familiar with WebSEAL administration concepts as presented in the WebSEAL Administrator Guide. For complete descriptions of all the pdadmin command options to create junctions, refer to the Security Access Manager documentation, particularly the WebSEAL Administration Guide.
- The following example assumes that a web server is located between the WebSEAL and HCL Digital Experience in the request flow. Thus, the junctions that are defined in the following instructions are configured for WebSEAL to forward requests to the HTTP server and then to HCL Digital Experience. If there is no HTTP server, modify the junction target host name and port values to enable direct communication from WebSEAL to HCL Digital Experience.
- The following examples do not show any load balancing or other performance-related request features in WebSEAL. For more information about these advanced options, consult the Security Access Manager documentation.
- The following examples show simple junction creation cases. Refer to the appropriate WebSEAL Administration Guide and WebSphere® Application Server documentation for information about advanced options, including generating LTPA tokens in WebSEAL for SSO to WebSphere® Application Server.
Clustered environments: Complete the validate-pdadmin-connection task on all nodes in the cluster. Complete all other steps on the primary node.
Procedure
- Start the Security Access Manager policy and authorization servers, which are mandatory for successful configuration and for single sign-on (SSO) to occur.
- Create your junctions on the WebSEAL server. Refer to the IBM Security Access Manager for e-business documentation for guidance on junction creation. Complete the following steps to create a virtual host TCP junction:
- Optional: If you plan to use an SSL junction, more steps are needed before you can create the junction. The necessary key and truststore must be set up with the correct certificates to enable SSL. Follow the instructions in steps 1 - 3 of the topic about configuring SSL. Then, complete the following steps to create the virtual host junction:
- Use the IBM® Key Management utility to load the web server certificate into the key ring for the appropriate instance of WebSEAL. See the HTTP Server documentation for more details.
- Restart WebSEAL.
- Follow the steps that are mentioned earlier to create the junction. But change the -t value to ssl and add the appropriate set of options from the Mutually Authenticated SSL junctions portion of the WebSEAL Administration Guide: -B, -D, -K, -U, and -W.
- Enter the following tasks on the pdadmin command to create the trusted user account:
Tip: This step is mandatory for TAI junctions only. Skip this step if you created an LTPA junction. An LTPA junction is created when you use the -A parameter. Refer to the Security Access Manager for e-business documentation for this advanced configuration.
The trusted user account in the Security Access Manager user registry must be the same as the one that the TAI within WebSphere® Application Server is configured to use. It is the ID that WebSEAL uses to identify itself to WebSphere® Application Server by using the -b supply option, and it is one of the underlying TAI security requirements.
Note: To prevent potential vulnerabilities, do not use the sec_master or wpsadmin users for the trusted user account. The trusted user account must be a dedicated user account for the purposes of communication between WebSEAL and the TAI.
- pdadmin> user create webseal_userid webseal_userid_DN firstname surname password
- pdadmin> user modify webseal_userid account-valid yes
- Clustered environments: Complete this step on all nodes. Run the following task in the wp_profile_root/ConfigEngine directory to validate that the PdPerm.properties file is correct and that communication between HCL Portal and the Security Access Manager server works:
Tip: Run the validate-pdadmin-connection task on the HCL Digital Experience node or on each node in a clustered environment. In a clustered environment, WasPassword is the Deployment Manager administrator password. The wp.ac.impl.PDAdminPwd is the Security Access Manager administrative user password.
Table 1. Task to validate that the PdPerm.properties file exists, by operating system

| Operating system | Task |
| --- | --- |
| AIX® | ./ConfigEngine.sh validate-pdadmin-connection -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password |
| HP-UX | ./ConfigEngine.sh validate-pdadmin-connection -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password |
| IBM® i | ConfigEngine.sh validate-pdadmin-connection -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password |
| Linux™ | ./ConfigEngine.sh validate-pdadmin-connection -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password |
| Solaris | ./ConfigEngine.sh validate-pdadmin-connection -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password |
| Windows™ | ConfigEngine.bat validate-pdadmin-connection -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password |
| z/OS® | ./ConfigEngine.sh validate-pdadmin-connection -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password |
If the task does not run successfully: Run the run-svrssl-config task to create the properties file. For information, refer to Creating the PdPerm.properties file. Then, run the validate-pdadmin-connection task again. If the task is not successful after a second attempt, do not proceed with any subsequent steps. The fact that the task does not run successfully indicates that your portal cannot connect to the Security Access Manager server. Troubleshoot the connectivity issue between your portal instance and the Security Access Manager server.
- If you are using junctions that require a Trust Association Interceptor in WebSphere® Application Server, you must install and configure the TAI if it was not already set up. To configure the Security Access Manager Trust Association Interceptor (TAI++), complete the following steps:
- Optional: Enable user provisioning. You must do this task only if you are using HCL Digital Experience to create and provision new users directly in LDAP, and you need these users to also be recognized by Security Access Manager. In an enterprise deployment of HCL Digital Experience this task would be unusual, because most large deployments have a separate user provisioning process, perhaps by using IBM® Security Identity Manager, and HCL Digital Experience reads from LDAP but does not create new users. For more information, see the related links section.
- If you are using Security Access Manager integrated with HCL Digital Experience in a stand-alone environment that does not include a web server between WebSEAL and Portal, complete the following steps:
- Log on to the WebSphere® Integrated Solutions Console.
- Go to and then click .
- Click New and then add the com.ibm.ws.webcontainer.extracthostheaderport custom property with a value of true.
- Click OK.
- Click New and add the trusthostheaderport custom property with a value of true.
- Click OK.
- Click Save to save your changes.
- Log out of the WebSphere® Integrated Solutions Console.
- Stop and restart the appropriate servers to propagate the changes. For specific instructions, see Starting and stopping servers, deployment managers, and node agents.
- Go to the WebSEAL node and edit the webseald-instance.conf file for the appropriate WebSEAL instance. An example is webseald-default.conf. This file sets the basicauth-dummy-passwd value to the password for the ID that WebSEAL uses to identify itself to WebSphere® Application Server. This is the password of the trusted user ID that was created in an earlier step. Stop and start the WebSEAL server before you continue.
- If your WebSEAL instance is on the Windows™ operating system, limit the length of the generated URLs. Edit the webseald-instance.conf file and change the process-root-requests property value to filter to avoid problems with WebSEAL processing.
- Import HCL Digital Experience users and groups into Security Access Manager. Enter the following commands on the Security Access Manager administrative command line, where wpsadmin is the user ID for the administrator, and wpsadmins is the administrators group name. The fully distinguished names of the user and group IDs vary depending on your LDAP settings.
user import wpsadmin uid=wpsadmin,cn=users,dc=ibm,dc=com
user modify wpsadmin account-valid yes
group import wpsadmins cn=wpsadmins,cn=groups,dc=ibm,dc=com
- Some functions of HCL Digital Experience require the use of the PUT and DELETE HTTP methods. By default, WebSEAL does not allow these requests. You must either allow these methods at the applicable WebSEAL ACL and web server, or change the HTTP methods in the x-method-override configuration in the WebSEAL config file webseald-instance.conf.
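As an added example (not from the HCL or IBM documentation), the following POSIX shell script reads a webseald-instance.conf file and checks the settings this procedure relies on: that the trusted user is a dedicated account rather than sec_master or wpsadmin, that basicauth-dummy-passwd is set, and that process-root-requests is filter on Windows. The stanza placement of the keys in the constructed samples ([junction] and [server]) and the function names are assumptions; verify them against your WebSEAL Administration Guide.

```shell
#!/bin/sh
# Added example, not from the HCL documentation: audit a WebSEAL instance
# configuration (webseald-<instance>.conf) for the settings this procedure
# relies on. Stanza placement of the keys below is an ASSUMPTION taken from
# the constructed samples; verify it against the WebSEAL Administration Guide.

# Print the value of KEY inside [STANZA] of an ini-style config; exit 1 if absent.
# Usage: ws_conf_get FILE STANZA KEY
ws_conf_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { s = $0; gsub(/[[:space:]]/, "", s); insec = (s == want); next }
        insec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); print; found = 1; exit
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Report the findings the procedure warns about and return their count:
#   1. the trusted user must be dedicated, never sec_master or wpsadmin
#   2. basicauth-dummy-passwd must be set so WebSEAL can identify itself to the TAI
#   3. on Windows, process-root-requests must be "filter"
# Usage: ws_audit FILE TRUSTED_USER IS_WINDOWS(yes|no)
ws_audit() {
    file=$1; trusted_user=$2; is_windows=$3; findings=0
    case "$trusted_user" in
        sec_master|wpsadmin)
            echo "FAIL: trusted user '$trusted_user' is a shared admin ID; use a dedicated account"
            findings=$((findings + 1)) ;;
    esac
    pw=$(ws_conf_get "$file" junction basicauth-dummy-passwd) || pw=""
    if [ -z "$pw" ]; then
        echo "FAIL: basicauth-dummy-passwd is not set in [junction]"
        findings=$((findings + 1))
    fi
    if [ "$is_windows" = yes ]; then
        mode=$(ws_conf_get "$file" server process-root-requests) || mode=""
        if [ "$mode" != filter ]; then
            echo "FAIL: process-root-requests is '${mode:-unset}'; expected 'filter' on Windows"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}

# Constructed samples (not real configurations): the weak and the corrected form.
write_weak_conf() { printf '[server]\nprocess-root-requests = always\n[junction]\n' > "$1"; }
write_fixed_conf() {
    printf '[server]\nprocess-root-requests = filter\n[junction]\nbasicauth-dummy-passwd = REPLACE_WITH_TRUSTED_USER_PASSWORD\n' > "$1"
}
```

Run it as `. ./audit.sh; ws_audit /path/to/webseald-default.conf webseal_userid yes` and treat a non-zero return as the number of findings to fix before restarting WebSEAL.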