Steps for integrating Portal user security with LDAP
1. Modify the wp_add_federated_ids.properties file in <wp_profile>/ConfigEngine/config/helpers
federated.ldap.id=PortalLdap
federated.ldap.host=ldap.XXX.com
federated.ldap.port=389
federated.ldap.bindDN=uid=wpsbind,cn=apps,dc=XXX
federated.ldap.bindPassword=wpsbind
federated.ldap.ldapServerType=IDS
federated.ldap.baseDN=dc=XXX
2. ./ConfigEngine.sh validate-federated-ldap -DparentProperties=/portal/IBM/WebSphere/wp_profile/ConfigEngine/config/helpers/wp_add_federated_ids.properties -DsaveParentProperties=true -DWasPassword=wpsbind
The purpose of this step is to propagate the settings from wp_add_federated_ids.properties into /portal/IBM/WebSphere/wp_profile/ConfigEngine/properties/wkplc.properties.
3.
./ConfigEngine.sh wp-create-ldap -DWasPassword=wpsbind
4. Restart the portal
cd /portal/IBM/WebSphere/AppServer/bin
./stopServer.sh server1 -user wpsbind -password wpsbind
./stopServer.sh WebSphere_Portal -user wpsbind -password wpsbind
./stopNode.sh -user wpsbind -password wpsbind
cd /portal/IBM/WebSphere/AppServer/profiles/Dmgr02/bin
./stopManager.sh -user wpsbind -password wpsbind
cd /portal/IBM/WebSphere/AppServer/profiles/Dmgr02/bin
./startManager.sh
cd /portal/IBM/WebSphere/AppServer/bin
./startNode.sh
./startServer.sh server1
./startServer.sh WebSphere_Portal
5. If Portal has the default user uid=wpsbind,o=defaultWIMFileBasedRealm and the TDS side has a similar user such as uid=wpsbind,cn=users,dc=mycompany,dc=com, perform the following step. Its purpose is to disable short-name login temporarily; short names are re-enabled in a later step.
./ConfigEngine.sh wp-modify-realm-enable-dn-login -DWasPassword=wpsbind
6. Validate all attributes in LDAP
./ConfigEngine.sh wp-validate-federated-ldap-attribute-config -DWasPassword=wpsbind
7. Update the admin user in wkplc.properties to uid=wpsbind,cn=apps,dc=XXX
./ConfigEngine.sh wp-change-was-admin-user -DWasPassword=wpsbind -DnewAdminId=uid=wpsbind,cn=apps,dc=XXX -DnewAdminPw=wpsbind
8. Restart the portal
cd /portal/IBM/WebSphere/AppServer/bin
./stopServer.sh server1 -user wpsbind -password wpsbind
./stopServer.sh WebSphere_Portal -user wpsbind -password wpsbind
./stopNode.sh -user wpsbind -password wpsbind
cd /portal/IBM/WebSphere/AppServer/profiles/Dmgr02/bin
./stopManager.sh -user wpsbind -password wpsbind
cd /portal/IBM/WebSphere/AppServer/profiles/Dmgr02/bin
./startManager.sh
cd /portal/IBM/WebSphere/AppServer/bin
./startNode.sh
./startServer.sh server1
./startServer.sh WebSphere_Portal
9. Add the LDAP wpsadmins group
./ConfigEngine.sh wp-change-portal-admin-user -DWasPassword=wpsbind -DnewAdminId=uid=wpsbind,cn=apps,dc=XXX -DnewAdminPw=wpsbind -DnewAdminGroupId=cn=wpsadmins,cn=groups,cn=apps,dc=XXX
10. Restart the portal
cd /portal/IBM/WebSphere/AppServer/bin
./stopServer.sh server1 -user wpsbind -password wpsbind
./stopServer.sh WebSphere_Portal -user wpsbind -password wpsbind
./stopNode.sh -user wpsbind -password wpsbind
cd /portal/IBM/WebSphere/AppServer/profiles/Dmgr02/bin
./stopManager.sh -user wpsbind -password wpsbind
cd /portal/IBM/WebSphere/AppServer/profiles/Dmgr02/bin
./startManager.sh
cd /portal/IBM/WebSphere/AppServer/bin
./startNode.sh
./startServer.sh server1
./startServer.sh WebSphere_Portal
11. Delete the default file-based security repository
./ConfigEngine.sh wp-query-repository -DWasPassword=wpsbind
The output of that run is shown below for reference:
/********************************************************/
[wplc-query-federated-repository]Instance attributes (Set 1 of 1):
[wplc-query-federated-repository]ignoreDuplicateIDs= *** NOT_SPECIFIED ***
[wplc-query-federated-repository]attribute=[ *** NONE_SPECIFIED *** ]
[wplc-query-federated-repository]customproperty=[ *** NONE_SPECIFIED *** ]
[wplc-query-federated-repository]trimSpaces= *** NOT_SPECIFIED ***
[wplc-query-federated-repository] Existing Federated Repositories
[wplc-query-federated-repository] Repository Name : {Details}
[wplc-query-federated-repository] *******************************
[wplc-query-federated-repository] InternalFileRepository : {repositoryType=File, host=LocalHost}
[wplc-query-federated-repository] PortalLdap : {repositoryType=LDAP, specificRepositoryType=IDS, host=portal.xm.fjtic.cn}
[wplc-query-federated-repository] Status = Complete
/********************************************************/
12. Modify the /portal/IBM/WebSphere/wp_profile/ConfigEngine/properties/wkplc.properties file
personAccountParent=cn=apps,dc=XXX
groupParent=cn=groups,cn=apps,dc=XXX
personAccountRdnProperties=uid
groupRdnProperties=cn
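Before running validate-federated-ldap (step 2) and wp-set-entitytypes (step 13), a quick offline check that the DNs in wp_add_federated_ids.properties (step 1) and the entity parents added to wkplc.properties (step 12) are consistent saves a failed ConfigEngine run. This is an added example, not code from the post or from IBM: the property names are the ones shown above, the sample values are constructed from the post, and the checks themselves (DN containment, port range, non-SSL port, clear-text bind password) are this example's own.

```python
# Added example, not from the post or IBM tooling: offline consistency checks on the
# federated LDAP settings. Sample below is constructed from the post (XXX placeholders kept).
SAMPLE = """\
federated.ldap.id=PortalLdap
federated.ldap.host=ldap.XXX.com
federated.ldap.port=389
federated.ldap.bindDN=uid=wpsbind,cn=apps,dc=XXX
federated.ldap.bindPassword=wpsbind
federated.ldap.ldapServerType=IDS
federated.ldap.baseDN=dc=XXX
personAccountParent=cn=apps,dc=XXX
groupParent=cn=groups,cn=apps,dc=XXX
"""
REQUIRED = ("federated.ldap.id", "federated.ldap.host", "federated.ldap.port",
            "federated.ldap.bindDN", "federated.ldap.baseDN", "federated.ldap.ldapServerType")

def parse_properties(text):
    """Parse Java-style key=value lines; '#' and '!' start comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!":
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props

def dn_is_under(dn, base):
    """True when dn equals base or lies below it; RDNs are compared case-insensitively."""
    d = [r.strip().lower() for r in dn.split(",")]
    b = [r.strip().lower() for r in base.split(",")]
    return len(d) >= len(b) and d[-len(b):] == b

def check_properties(props):
    """Return (errors, warnings): errors would fail the ConfigEngine tasks, warnings need review."""
    errors = [f"missing {k}" for k in REQUIRED if k not in props]
    base = props.get("federated.ldap.baseDN", "")
    # The bind DN and the step-12 entity parents must sit inside the repository baseDN.
    for key in ("federated.ldap.bindDN", "personAccountParent", "groupParent"):
        if base and key in props and not dn_is_under(props[key], base):
            errors.append(f"{key}={props[key]} is outside baseDN {base}")
    port = props.get("federated.ldap.port", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        errors.append(f"invalid port {port!r}")
    warnings = []
    if port == "389":
        warnings.append("389 is the non-SSL LDAP port: the bind password crosses the network in clear unless TLS is enabled")
    if props.get("federated.ldap.bindPassword"):
        warnings.append("bindPassword is stored in clear text in the helper file: restrict its file permissions")
    return errors, warnings
```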
13. Ensure that the wpsbind user and the wpsadmins group exist in LDAP
./ConfigEngine.sh wp-set-entitytypes -DWasPassword=wpsbind
14. Modify the wkplc.properties file
federated.delete.baseentry=o=defaultWIMFileBasedRealm
federated.delete.id=InternalFileRepository
15. Enable short names
./ConfigEngine.sh wp-modify-realm-disable-dn-login -DWasPassword=wpsbind
16. Restart the portal
cd /portal/IBM/WebSphere/AppServer/bin
./stopServer.sh server1 -user wpsbind -password wpsbind
./stopServer.sh WebSphere_Portal -user wpsbind -password wpsbind
./stopNode.sh -user wpsbind -password wpsbind
cd /portal/IBM/WebSphere/AppServer/profiles/Dmgr02/bin
./stopManager.sh -user wpsbind -password wpsbind
cd /portal/IBM/WebSphere/AppServer/profiles/Dmgr02/bin
./startManager.sh
cd /portal/IBM/WebSphere/AppServer/bin
./startNode.sh
./startServer.sh server1
./startServer.sh WebSphere_Portal
At this point, Portal security configuration is complete.
/*********************************** Some additional tips ************************************************/
1. How to quickly kill the Portal-related processes
/portal/IBM/WebSphere/AppServer/profiles/Dmgr02/logs/dmgr/dmgr.pid
/portal/IBM/WebSphere/wp_profile/logs/nodeagent/nodeagent.pid
/portal/IBM/WebSphere/wp_profile/logs/WebSphere_Portal/WebSphere_Portal.pid
/portal/IBM/WebSphere/wp_profile/logs/server1/server1.pid
These are the pid files for dmgr, the node agent, WebSphere_Portal, and server1 respectively. When a process needs to be killed, cat the corresponding pid file and then kill that pid.
2.
ldapsearch -D uid=wpsbind,cn=apps,dc=XXX -b dc=XXX -w wpsbind
This searches for users under dc=XXX as the user uid=wpsbind,cn=apps,dc=XXX; the value after -w is the wpsbind user's password.
ldapsearch -D cn=root -b dc=XXX -w citicpassw6rd
ldapsearch -D uid=wpsbind,cn=apps,dc=XXX -b cn=apps,dc=XXX -w wpsbind
3. While performing step 9 an error occurred; the system.out file contained messages like the following:
LTPAServerObj E SECJ0373E: Cannot create credential for the user John Doe due to failed validation of the LTPA token. The exception is java.rmi.RemoteException: null; nested exception is
com.ibm.websphere.security.EntryNotFoundException at com.ibm.ws.security.registry.UserRegistryImpl.createCredential(UserRegistryImpl.java:825) at
com.ibm.ws.security.ltpa.LTPAServerObject.validate(LTPAServerObject.java:1133) at com.ibm.ws.security.server.lm.ltpaLoginModule.login(ltpaLoginModule.java:599)
....
Caused by: com.ibm.websphere.security.EntryNotFoundException at com.ibm.ws.wim.registry.util.UniqueIdBridge.getUniqueUserId(UniqueIdBridge.java:256) at com.ibm.ws.wim.registry.WIMUserRegistry$6.run(WIMUserRegistry.java:351) at com.ibm.ws.wim.security.authz.ProfileSecurityManager.runAsSuperUser(ProfileSecurityManager.java:973) at com.ibm.ws.wim.registry.WIMUserRegistry.getUniqueUserId(WIMUserRegistry.java:340) at com.ibm.ws.security.registry.UserRegistryImpl.createCredential(UserRegistryImpl.java:750)
... 41 more
Caused by: com.ibm.websphere.wim.exception.EntityNotFoundException:
CWWIM4538E Multiple principals were found for the 'John Doe' principal name. at
com.ibm.ws.wim.registry.util.UniqueIdBridge.getUniqueUserId(UniqueIdBridge.java:235)
The fix is as follows:
cd /portal/IBM/WebSphere/AppServer/profiles/Dmgr02/config/cells/dmgrCell/wim/config
<config:userSecurityNameMapping propertyForInput="principalName" propertyForOutput="principalName"/>
change it to
<config:userSecurityNameMapping propertyForInput="uniqueName" propertyForOutput="uniqueName"/>
The link for this specific problem is http://www-01.ibm.com/support/docview.wss?uid=swg21366910
4. After installing the Portal DM, be sure to log in to the DM console and, under Security → Global security, change the settings to a similar form.
5.
Make sure the primary node (DM) and the secondary node (Node) are both running.
1. Modify the wp_add_federated_ids.properties file in /portal/IBM/WebSphere/wp_profile/ConfigEngine/config/helpers
federated.ldap.id=PortalLdap
federated.ldap.host=ldap.XXX.com
federated.ldap.port=389
federated.ldap.bindDN=uid=wpsbind,cn=apps,dc=XXX
federated.ldap.bindPassword=wpsbind
federated.ldap.ldapServerType=IDS
federated.ldap.baseDN=dc=XXX
2. Modify /portal/IBM/WebSphere/wp_profile/ConfigEngine/properties/wkplc.properties
PortalAdminId=uid=wpsbind,cn=apps,dc=XXX
PortalAdminGroupId=cn=wpsadmins,cn=groups,cn=apps,dc=XXX
3.cd /portal/IBM/WebSphere/wp_profile/ConfigEngine
./ConfigEngine.sh update-jcr-admin -DWasPassword=wpsbind
If the secondary node cannot start and the background log reports an LDAP connection failure:
Copy security.xml and ltpa.jceks from the primary node's /portal/IBM/WebSphere/wp_profile/config/cells/dmgrCell/ over the corresponding files in the same directory on the secondary node.
Copy wimconfig.xml from the primary node's /portal/IBM/WebSphere/wp_profile/config/cells/dmgrCell/wim/config over the corresponding file in the same directory on the secondary node.
4. The NodeAgent cannot synchronize, and WebSphere_Portal cannot be stopped from the DM console
/portal/IBM/WebSphere/AppServer/profiles/Dmgr02/config/cells/dmgrCell/security.xml
/portal/IBM/WebSphere/AppServer/profiles/Dmgr02/config/cells/dmgrCell/wim/config/wimconfig.xml
/portal/IBM/WebSphere/AppServer/profiles/Dmgr02/config/cells/dmgrCell/admin-authz.xml
/portal/IBM/WebSphere/AppServer/profiles/Dmgr02/config/cells/dmgrCell/fileRegistry.xml
/portal/IBM/WebSphere/AppServer/profiles/Dmgr02/config/cells/dmgrCell/ltpa.jceks
Copy these 5 files to /portal/IBM/WebSphere/wp_profile/config/cells/dmgrCell, then restart the nodeagent and check whether synchronization still fails. Once it synchronizes without problems, restart Portal.