Author: yinxin · 2015-04-20 18:24
Project manager · a financial institution

Adding LDAP security to WebSphere Portal


Steps to put Portal users under LDAP security

1. Edit the wp_add_federated_ids.properties file under <wp_profile>/ConfigEngine/config/helpers:

federated.ldap.id=PortalLdap
federated.ldap.host=ldap.XXX.com
federated.ldap.port=389
federated.ldap.bindDN=uid=wpsbind,cn=apps,dc=XXX
federated.ldap.bindPassword=wpsbind
federated.ldap.ldapServerType=IDS
federated.ldap.baseDN=dc=XXX


2. Run:

./ConfigEngine.sh validate-federated-ldap -DparentProperties=/portal/IBM/WebSphere/wp_profile/ConfigEngine/config/helpers/wp_add_federated_ids.properties -DsaveParentProperties=true -DWasPassword=wpsbind

The purpose of this step is to copy the settings from wp_add_federated_ids.properties into the /portal/IBM/WebSphere/wp_profile/ConfigEngine/properties/wkplc.properties file.


3. Run:

./ConfigEngine.sh wp-create-ldap -DWasPassword=wpsbind


4. Restart the portal:

cd /portal/IBM/WebSphere/AppServer/bin
./stopServer.sh server1 -user wpsbind -password wpsbind
./stopServer.sh WebSphere_Portal -user wpsbind -password wpsbind
./stopNode.sh -user wpsbind -password wpsbind
cd /portal/IBM/WebSphere/AppServer/profiles/Dmgr02/bin
./stopManager.sh -user wpsbind -password wpsbind

cd /portal/IBM/WebSphere/AppServer/profiles/Dmgr02/bin
./startManager.sh
cd /portal/IBM/WebSphere/AppServer/bin
./startNode.sh
./startServer.sh server1
./startServer.sh WebSphere_Portal


5. If Portal has the default user uid=wpsbind,o=defaultWIMFileBasedRealm while the TDS side has a similar user such as uid=wpsbind,cn=users,dc=mycompany,dc=com, run the following command. Its purpose is to disable short-name login for the time being; a later step re-enables short names.

./ConfigEngine.sh wp-modify-realm-enable-dn-login -DWasPassword=wpsbind



6. Validate all the attributes in LDAP:

./ConfigEngine.sh wp-validate-federated-ldap-attribute-config -DWasPassword=wpsbind


7. Update the administrative user in wkplc.properties to uid=wpsbind,cn=apps,dc=XXX:


./ConfigEngine.sh wp-change-was-admin-user -DWasPassword=wpsbind -DnewAdminId=uid=wpsbind,cn=apps,dc=XXX -DnewAdminPw=wpsbind


8. Restart the portal:

cd /portal/IBM/WebSphere/AppServer/bin
./stopServer.sh server1 -user wpsbind -password wpsbind
./stopServer.sh WebSphere_Portal -user wpsbind -password wpsbind
./stopNode.sh -user wpsbind -password wpsbind
cd /portal/IBM/WebSphere/AppServer/profiles/Dmgr02/bin
./stopManager.sh -user wpsbind -password wpsbind

cd /portal/IBM/WebSphere/AppServer/profiles/Dmgr02/bin
./startManager.sh
cd /portal/IBM/WebSphere/AppServer/bin
./startNode.sh
./startServer.sh server1
./startServer.sh WebSphere_Portal


9. Add the wpsadmins group to LDAP:

./ConfigEngine.sh wp-change-portal-admin-user -DWasPassword=wpsbind -DnewAdminId=uid=wpsbind,cn=apps,dc=XXX -DnewAdminPw=wpsbind -DnewAdminGroupId=cn=wpsadmins,cn=groups,cn=apps,dc=XXX


10. Restart the portal:

cd /portal/IBM/WebSphere/AppServer/bin
./stopServer.sh server1 -user wpsbind -password wpsbind
./stopServer.sh WebSphere_Portal -user wpsbind -password wpsbind
./stopNode.sh -user wpsbind -password wpsbind
cd /portal/IBM/WebSphere/AppServer/profiles/Dmgr02/bin
./stopManager.sh -user wpsbind -password wpsbind

cd /portal/IBM/WebSphere/AppServer/profiles/Dmgr02/bin
./startManager.sh
cd /portal/IBM/WebSphere/AppServer/bin
./startNode.sh
./startServer.sh server1
./startServer.sh WebSphere_Portal


11. Remove the default file-based security repository:

./ConfigEngine.sh wp-query-repository -DWasPassword=wpsbind


The output of the command is shown below for reference:

/********************************************************/
[wplc-query-federated-repository]Instance attributes (Set 1 of 1):
[wplc-query-federated-repository]ignoreDuplicateIDs= *** NOT_SPECIFIED ***
[wplc-query-federated-repository]attribute=[ *** NONE_SPECIFIED *** ]
[wplc-query-federated-repository]customproperty=[ *** NONE_SPECIFIED *** ]
[wplc-query-federated-repository]trimSpaces= *** NOT_SPECIFIED ***
[wplc-query-federated-repository] Existing Federated Repositories
[wplc-query-federated-repository] Repository Name : {Details}
[wplc-query-federated-repository] *******************************
[wplc-query-federated-repository] InternalFileRepository : {repositoryType=File, host=LocalHost}
[wplc-query-federated-repository] PortalLdap : {repositoryType=LDAP, specificRepositoryType=IDS, host=portal.xm.fjtic.cn}
[wplc-query-federated-repository] Status = Complete
/********************************************************/


12. Edit the /portal/IBM/WebSphere/wp_profile/ConfigEngine/properties/wkplc.properties file:

personAccountParent=cn=apps,dc=XXX
groupParent=cn=groups,cn=apps,dc=XXX

personAccountRdnProperties=uid
groupRdnProperties=cn
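The values written in step 1 and step 12 have to agree with each other, and two of the values the post uses (plaintext port 389, a bind password equal to the account name) are worth flagging before ConfigEngine ever runs. The following pre-flight check is an added example of mine, not code from the post or from IBM; it parses the property names the post uses, and the sample values are constructed.

```python
# Added example, not from the original post: a pre-flight check over the
# property values written in steps 1 and 12, run before invoking ConfigEngine.
# Property names are the ones the post uses; the sample values are constructed.
SAMPLE = """
federated.ldap.port=389
federated.ldap.bindDN=uid=wpsbind,cn=apps,dc=example
federated.ldap.bindPassword=wpsbind
federated.ldap.baseDN=dc=example
personAccountParent=cn=apps,dc=example
groupParent=cn=groups,cn=apps,dc=example
personAccountRdnProperties=uid
groupRdnProperties=cn
PortalAdminId=uid=wpsbind,cn=apps,dc=example
PortalAdminGroupId=cn=wpsadmins,cn=groups,cn=apps,dc=example
"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def dn_under(dn, parent):
    """True if dn sits beneath parent in the tree (DN matching is case-insensitive)."""
    return bool(parent) and dn.lower().endswith("," + parent.lower())

def check_ldap_properties(props):
    """Return a list of findings; an empty list means the values are consistent."""
    findings = []
    if props.get("federated.ldap.port") == "389":
        findings.append("port 389: the bind password and directory entries cross the wire in cleartext")
    bind_dn = props.get("federated.ldap.bindDN", "")
    bind_uid = bind_dn.split("=", 1)[-1].split(",")[0]
    if props.get("federated.ldap.bindPassword") == bind_uid:
        findings.append("bindPassword is identical to the bind account name")
    if not dn_under(bind_dn, props.get("federated.ldap.baseDN", "")):
        findings.append("bindDN is outside federated.ldap.baseDN")
    # Admin user and group must live under the step-12 parents, with the declared RDN attribute.
    for who, parent_key, rdn_key in (("PortalAdminId", "personAccountParent", "personAccountRdnProperties"),
                                     ("PortalAdminGroupId", "groupParent", "groupRdnProperties")):
        dn = props.get(who, "")
        if not dn_under(dn, props.get(parent_key, "")):
            findings.append(f"{who} is not under {parent_key}")
        if dn.split("=", 1)[0].strip().lower() != props.get(rdn_key, "").lower():
            findings.append(f"{who} RDN attribute does not match {rdn_key}")
    return findings
```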


13. Make sure the wpsbind user and the wpsadmins group exist in LDAP:

./ConfigEngine.sh wp-set-entitytypes -DWasPassword=wpsbind


14. Edit the wkplc.properties file:

federated.delete.baseentry=o=defaultWIMFileBasedRealm
federated.delete.id=InternalFileRepository


15. Re-enable short-name login:

./ConfigEngine.sh wp-modify-realm-disable-dn-login -DWasPassword=wpsbind



16. Restart the portal:

cd /portal/IBM/WebSphere/AppServer/bin
./stopServer.sh server1 -user wpsbind -password wpsbind
./stopServer.sh WebSphere_Portal -user wpsbind -password wpsbind
./stopNode.sh -user wpsbind -password wpsbind
cd /portal/IBM/WebSphere/AppServer/profiles/Dmgr02/bin
./stopManager.sh -user wpsbind -password wpsbind

cd /portal/IBM/WebSphere/AppServer/profiles/Dmgr02/bin
./startManager.sh
cd /portal/IBM/WebSphere/AppServer/bin
./startNode.sh
./startServer.sh server1
./startServer.sh WebSphere_Portal


At this point, Portal security configuration is complete.


/*********************************** Some tips follow ************************************************/


1. How to quickly kill the Portal-related processes

/portal/IBM/WebSphere/AppServer/profiles/Dmgr02/logs/dmgr/dmgr.pid

/portal/IBM/WebSphere/wp_profile/logs/nodeagent/nodeagent.pid
/portal/IBM/WebSphere/wp_profile/logs/WebSphere_Portal/WebSphere_Portal.pid
/portal/IBM/WebSphere/wp_profile/logs/server1/server1.pid

These are the PID files for dmgr, nodeagent, WebSphere_Portal and server1 respectively. When you need to kill them, cat the corresponding .pid file and then kill that PID directly.

2. Searching LDAP with ldapsearch

ldapsearch -D uid=wpsbind,cn=apps,dc=XXX -b dc=XXX -w wpsbind

This searches for the users under dc=XXX as uid=wpsbind,cn=apps,dc=XXX; the value after -w is the wpsbind user's password.


ldapsearch -D cn=root -b dc=XXX -w citicpassw6rd

ldapsearch -D uid=wpsbind,cn=apps,dc=XXX -b cn=apps,dc=XXX -w wpsbind



3. An error occurs while performing step 9, and the SystemOut.log file contains messages like the following:

LTPAServerObj E SECJ0373E: Cannot create credential for the user John Doe due to failed validation of the LTPA token. The exception is java.rmi.RemoteException: null; nested exception is
com.ibm.websphere.security.EntryNotFoundException at com.ibm.ws.security.registry.UserRegistryImpl.createCredential(UserRegistryImpl.java:825) at
com.ibm.ws.security.ltpa.LTPAServerObject.validate(LTPAServerObject.java:1133) at com.ibm.ws.security.server.lm.ltpaLoginModule.login(ltpaLoginModule.java:599)
....
Caused by: com.ibm.websphere.security.EntryNotFoundException at com.ibm.ws.wim.registry.util.UniqueIdBridge.getUniqueUserId(UniqueIdBridge.java:256) at com.ibm.ws.wim.registry.WIMUserRegistry$6.run(WIMUserRegistry.java:351) at com.ibm.ws.wim.security.authz.ProfileSecurityManager.runAsSuperUser(ProfileSecurityManager.java:973) at com.ibm.ws.wim.registry.WIMUserRegistry.getUniqueUserId(WIMUserRegistry.java:340) at com.ibm.ws.security.registry.UserRegistryImpl.createCredential(UserRegistryImpl.java:750)
... 41 more
Caused by: com.ibm.websphere.wim.exception.EntityNotFoundException:
CWWIM4538E Multiple principals were found for the 'John Doe' principal name. at
com.ibm.ws.wim.registry.util.UniqueIdBridge.getUniqueUserId(UniqueIdBridge.java:235)


The fix is to edit wimconfig.xml in

cd /portal/IBM/WebSphere/AppServer/profiles/Dmgr02/config/cells/dmgrCell/wim/config

and change

<config:userSecurityNameMapping propertyForInput="principalName" propertyForOutput="principalName"/>

to

<config:userSecurityNameMapping propertyForInput="uniqueName" propertyForOutput="uniqueName"/>


The link for this specific problem is http://www-01.ibm.com/support/docview.wss?uid=swg21366910
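The stack trace above is the federated-repository lookup finding the same short name in two repositories. The following is an added example of mine, not code from the post or from IBM: it models that lookup over constructed repository contents named after the two repositories listed in step 11, and shows why principalName is ambiguous for wpsbind, why uniqueName is not, and why the short name becomes unique again once InternalFileRepository is removed in step 14.

```python
# Added example, not from the original post or IBM's code: a model of the
# federated-repository name lookup behind CWWIM4538E. Repository contents are
# constructed; the repository names are those listed by wp-query-repository.
REPOSITORIES = {
    "InternalFileRepository": {
        "uid=wpsbind,o=defaultWIMFileBasedRealm": {"uid": "wpsbind"},
    },
    "PortalLdap": {
        "uid=wpsbind,cn=apps,dc=XXX": {"uid": "wpsbind"},
        "uid=jdoe,cn=apps,dc=XXX": {"uid": "jdoe"},
    },
}

class EntityNotFoundError(Exception):
    """Stands in for com.ibm.websphere.wim.exception.EntityNotFoundException."""

def resolve(name, property_for_input, repositories=REPOSITORIES):
    """Map a login name to exactly one DN across all federated repositories.
    property_for_input mirrors userSecurityNameMapping: 'principalName' compares
    the short name against uid in every repository, so one uid present in two
    repositories is ambiguous; 'uniqueName' takes the DN itself, matching at most one."""
    matches = []
    for repo, entries in repositories.items():
        for dn, attrs in entries.items():
            if property_for_input == "uniqueName":
                hit = dn.lower() == name.lower()
            else:  # principalName
                hit = attrs.get("uid", "").lower() == name.lower()
            if hit:
                matches.append((repo, dn))
    if not matches:
        raise EntityNotFoundError(f"no entity found for '{name}'")
    if len(matches) > 1:
        repos = ", ".join(repo for repo, _ in matches)
        raise EntityNotFoundError(
            f"CWWIM4538E Multiple principals were found for the '{name}' principal name ({repos})")
    return matches[0][1]

def lookup_error(name, property_for_input, repositories=REPOSITORIES):
    """Return the lookup error text, or None when the name resolves cleanly."""
    try:
        resolve(name, property_for_input, repositories)
        return None
    except EntityNotFoundError as exc:
        return str(exc)

def without_repository(repositories, repo_id):
    """Model step 14 (federated.delete.id): drop one repository from the realm."""
    return {k: v for k, v in repositories.items() if k != repo_id}
```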


4. After installing the Portal DM, be sure to log in to the DM console.

Under Security → Global security

change the settings to a form like this.



5. Make sure the primary node (DM) and the secondary node (Node) are running, then:

1. Edit the wp_add_federated_ids.properties file under /portal/IBM/WebSphere/wp_profile/ConfigEngine/config/helpers:

federated.ldap.id=PortalLdap
federated.ldap.host=ldap.XXX.com
federated.ldap.port=389
federated.ldap.bindDN=uid=wpsbind,cn=apps,dc=XXX
federated.ldap.bindPassword=wpsbind
federated.ldap.ldapServerType=IDS
federated.ldap.baseDN=dc=XXX

2. Edit /portal/IBM/WebSphere/wp_profile/ConfigEngine/properties/wkplc.properties:
PortalAdminId=uid=wpsbind,cn=apps,dc=XXX
PortalAdminGroupId=cn=wpsadmins,cn=groups,cn=apps,dc=XXX

3. Run:

cd /portal/IBM/WebSphere/wp_profile/ConfigEngine
./ConfigEngine.sh update-jcr-admin -DWasPassword=wpsbind


The secondary node fails to start, and the server log reports an LDAP connection failure

Copy the security.xml and ltpa.jceks files from /portal/IBM/WebSphere/wp_profile/config/cells/dmgrCell/ on the primary node into the corresponding directory on the secondary node.

Copy the wimconfig.xml file from /portal/IBM/WebSphere/wp_profile/config/cells/dmgrCell/wim/config on the primary node into the corresponding directory on the secondary node.


4. The NodeAgent cannot synchronize, and WebSphere_Portal cannot be stopped from the DM console

/portal/IBM/WebSphere/AppServer/profiles/Dmgr02/config/cells/dmgrCell/security.xml
/portal/IBM/WebSphere/AppServer/profiles/Dmgr02/config/cells/dmgrCell/wim/config/wimconfig.xml
/portal/IBM/WebSphere/AppServer/profiles/Dmgr02/config/cells/dmgrCell/admin-authz.xml
/portal/IBM/WebSphere/AppServer/profiles/Dmgr02/config/cells/dmgrCell/fileRegistry.xml
/portal/IBM/WebSphere/AppServer/profiles/Dmgr02/config/cells/dmgrCell/ltpa.jceks

Copy these 5 files to /portal/IBM/WebSphere/wp_profile/config/cells/dmgrCell, then restart the nodeagent and check whether synchronization still has problems. Once it synchronizes without problems, restart the portal.
