Enabling step-up authentication, the Remember me cookie, or both | HCL Digital Experience
You can choose to enable either step-up authentication or the Remember me cookie individually or you can choose to enable these features together.
Before you begin
Log on to the WebSphere® Integrated Solutions Console and go to . Verify that both Interoperability Mode and Web inbound security attribute propagation are enabled.
You can use step-up authentication with Web Services for Remote Portlets (WSRP) extensions. The authentication level that is defined for portlets on the Producer portal is automatically set on the Consumer portal when it consumes WSRP services. If you apply step-up authentication mechanisms on the Producer, users are also challenged for stronger authentication credentials on the Consumer portal as required. To use step-up authentication with a WSRP extension, ensure that your environment meets the following requirements:
- The Producer and Consumer portals are HCL Portal Version 8.5 or later.
- You enable step-up authentication on both the Producer and Consumer portals.
- The authentication levels are the same on the Producer and Consumer portals.
Notes:
- Portal administrators can change authentication levels on either the Producer portal or the Consumer portal at any time.
- If the authentication level on the Consumer portal is lower than the authentication level on the Producer portal, the Producer portal returns the following error: AccessDeniedFault EJPWC1118E: User authentication not strong enough. Users then cannot access the portlet. For this reason, the authentication level on the Consumer portal must be the same as the authentication level on the Producer portal.
About this task
Important: The Remember me cookie does not extend the Portal Personalization feature to the public area. When the Remember me cookie identifies a user in a public area, the user is still considered anonymous from an access control point of view.
Web Content Manager note: The authoring portlet and the web content viewer do not fully support step-up authentication or the Remember me cookie. However, the user name component is aware of the Remember me cookie. If the Remember me cookie is set on a request and a user is not logged in, the anonymous user design is not used. Instead, it uses the user name design complete with the name or distinguished name of the user that is specified by the Remember me cookie.
Restriction: Step-up authentication requires the LtpaToken2 for single sign-on. Read Implementing single sign-on to minimize web user authentications for details.
Note: When you enable both step-up authentication and the Remember me cookie, you receive the following authentication levels:
- standard
- identified
- authenticated
When you enable step-up authentication only, you receive the following authentication levels:
- standard
- authenticated
Procedure
- Go to the wp_profile_root/ConfigEngine/properties directory.
- Open the wkplc.properties file with a text editor.
- Enter one of the following values for the enable_rememberme parameter under the StepUp Authentication heading:
Note: Add the enable_rememberme parameter to the wkplc.properties file if it does not exist.
- If you are enabling both step-up authentication and the Remember me cookie, enter true.
- If you are enabling step-up authentication only, enter false.
- If you are enabling the Remember me cookie only, leave the value blank.
- Enter a value for the following parameters under the StepUp Authentication heading if you are enabling the Remember me cookie:
Note: Go to the properties file for specific information about the parameters.
- sua_user
- sua_serversecret_password
- Save your changes to the wkplc.properties file.
- Open a command prompt.
- Change to the wp_profile_root/ConfigEngine directory.
- Choose one of the following tasks to modify your environment:
- If you are enabling step-up authentication, with or without the Remember me cookie, run the enable-stepup-authentication task.
- If you are enabling the Remember me cookie only, run the enable-rememberme task.
Use the following command syntax:
- AIX® HP-UX Linux™ Solaris: ./ConfigEngine.sh task_name -DWasPassword=password
- IBM® i: ConfigEngine.sh task_name -DWasPassword=password
- Windows™: ConfigEngine.bat task_name -DWasPassword=password
- z/OS®: ./ConfigEngine.sh task_name -DWasPassword=password
Where task_name is either enable-stepup-authentication or enable-rememberme.
- Check the output for any error messages before you run any additional tasks. If any of the configuration tasks fail, verify the values in the wkplc.properties file.
- In a clustered environment, copy the wp.auth.base.sua_loginmodule.jar file in the AppServer_root/lib/ext/ directory of one of the Portal nodes to the AppServer_root/lib/ext/ directory of the deployment manager.
- Stop and restart the appropriate servers to propagate the changes. For instructions, go to Starting and stopping servers, deployment managers, and node agents.
- Complete the following steps to change the authentication level on a page or portlet:
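The wkplc.properties and ConfigEngine steps above, carried through as a POSIX shell script. This is an added example, not an HCL script or part of the product: it writes enable_rememberme (adding the parameter if it is missing, or replacing it if it already exists), writes sua_user and sua_serversecret_password only when the Remember me cookie is being enabled, picks the ConfigEngine task the procedure prescribes for the chosen mode, and stops if the task exits non-zero. The mode names stepup, rememberme and both, the WP_PROFILE_ROOT environment variable, and the sample properties file are assumptions made for this illustration; the Unix command form (./ConfigEngine.sh) is used, so adjust for IBM i or Windows.

```shell
#!/bin/sh
# Added example, not an HCL script. Edits wkplc.properties for the chosen mode
# (stepup | rememberme | both) and runs the matching ConfigEngine task.
# Assumptions (hypothetical): Unix-like platform with ./ConfigEngine.sh, and
# WP_PROFILE_ROOT exported to the wp_profile_root directory.

# set_property FILE KEY VALUE: replace "KEY=..." if present, otherwise append
# it (the procedure says to add enable_rememberme if it does not exist).
set_property() {
    _f=$1 _k=$2 _v=$3
    if grep -q "^${_k}=" "$_f" 2>/dev/null; then
        awk -v k="$_k" -v v="$_v" \
            'index($0, k "=") == 1 { print k "=" v; next } { print }' \
            "$_f" > "$_f.tmp" && mv "$_f.tmp" "$_f"
    else
        printf '%s=%s\n' "$_k" "$_v" >> "$_f"
    fi
}

# get_property FILE KEY: print the value of KEY, empty if blank or absent
get_property() {
    awk -F= -v k="$2" '$1 == k { print substr($0, length(k) + 2); exit }' "$1"
}

# rememberme_value MODE: the enable_rememberme value the procedure prescribes
rememberme_value() {
    case $1 in
        both)       echo true ;;
        stepup)     echo false ;;
        rememberme) echo "" ;;        # "leave blank"
        *) echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# task_for MODE: the ConfigEngine task that applies the mode
task_for() {
    case $1 in
        both|stepup) echo enable-stepup-authentication ;;
        rememberme)  echo enable-rememberme ;;
        *) echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# configure MODE PROPS_FILE SUA_USER SUA_SECRET: write the parameters
configure() {
    _mode=$1 _props=$2
    _val=$(rememberme_value "$_mode") || return 1
    set_property "$_props" enable_rememberme "$_val"
    if [ "$_mode" != stepup ]; then
        # sua_* parameters are only required when the Remember me cookie is on
        set_property "$_props" sua_user "$3"
        set_property "$_props" sua_serversecret_password "$4"
    fi
}

# run_task MODE WAS_PASSWORD: run the task in a subshell (so the cd does not
# leak) and fail on a non-zero exit, the point at which the procedure says
# to re-check the values in wkplc.properties.
run_task() {
    _task=$(task_for "$1") || return 1
    ( cd "${WP_PROFILE_ROOT:?WP_PROFILE_ROOT not set}/ConfigEngine" &&
      ./ConfigEngine.sh "$_task" -DWasPassword="$2" ) ||
        { echo "$_task failed: verify values in wkplc.properties" >&2; return 1; }
}

# Offline demo on a constructed properties file (no ConfigEngine needed).
demo_dir=$(mktemp -d)
printf '# StepUp Authentication\nenable_rememberme=false\n' > "$demo_dir/wkplc.properties"
configure both "$demo_dir/wkplc.properties" wpsadmin 'change-me'   # constructed values
cat "$demo_dir/wkplc.properties"
echo "task to run: $(task_for both)"
rm -rf "$demo_dir"
```

To apply it for real, export WP_PROFILE_ROOT, call configure against the real wkplc.properties, then run_task with the WebSphere administrative password, and only proceed to the clustered-environment jar copy and the server restart when run_task succeeds. Note that sua_serversecret_password is stored in clear text in wkplc.properties, so keep that file readable only by the portal service account.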