portal admin lecture
TRANSCRIPT
© Copyright IBM Corp. 2003
ibm.com
International Technical Support Organization
WebSphere Portal V5.0.2 Fundamentals
ibm.com /redbooks© 2003 IBM Corporation
Agenda
Introduction to WebSphere Portal
WebSphere Portal V5.0.2 Basics
Migration to WebSphere Portal V5
WebSphere Portal Administration and Customization
WebSphere Portal V5.0.2 Security
Understanding WebSphere Portal V5.0.2 Setup
Tracing and Logging
Summary
References
Q and A
Introduction to WebSphere Portal
IBM Portal Strategy
Diagram: WebSphere Portal Server at the centre, surrounded by WebSphere Software Platform, Lotus Collaboration Tools, EIP & Content Management, Pervasive Devices and Tivoli Security.
Basic Terminology
PORTAL: A portal is a Web site that provides end users with a single point of access to Web-based resources.
PORTLET: A portlet is an application that is hosted by the portal.
PORTLET APPLICATION: A portlet application is a set of portlets grouped together in an execution context.
Basic Terminology (Contd..)
PAGE: A page is a collection of portlets that display content to the user.
LABEL: A label is a collection of nodes, in other words a collection of pages.
URL: Launches any URL-addressable resource within the portal site, which can include external Web sites.
CONTENT ROOT: The topmost node in the tree is the content root. The content root can have nodes beneath it arranged in a parent-child relationship.
Benefits of using a Portal
Personalized Content Delivery
Collaboration
Platform-neutral, open standards approach
Simplified access to applications
Consistent user interface
Single point of access
Portal Principle
Combines application user interfaces together into one unified presentation
User registration
Authentication and Authorization
Pluggable portal components: Portlets
Personalization based on profiles
Customization of pages by users
Search
Content Management
Administrators can either lock or open up areas of the page for end users to customize
Portlet Principle
Each Portlet is a separate application
Developed independently
Aggregated on a portal page
Can be placed anywhere on the page
Portlets have modes and window states
Portlets can support multiple devices: Phones, Organizers, Voice
Unique views for each device
Business logic can be shared
Portlets are portal context aware
Per-Portlet settings managed by portal
Can access user profile information
Themes and Skins
Themes and skins control every element of how the page looks: colors, fonts, spacing, images, navigation, rows, columns, and Portlets
Themes and skins can be applied to any group of pages, any time
WebSphere Portal Server Core Architecture
Diagram: the Portal Engine performs Authentication, Authorization and Aggregation for the PC, WAP, iMode, Voice and PDA markups; the Portlet Container invokes portlets through the Portlet API (Invocation): Enrollment Portlet, Selfcare Portlet, Admin Portlet, Customizer Portlet, Proxy Portlet, any portlet, plus the Credential Vault, Search, Content Management and Web Service components; a Remote Portlet is reached over SOAP through the Remote API; the WPS Data Store holds the Portlet Registry, User Config and Portlet Data; WebSphere CUS is shown beside the engine.
How Portal Constructs Pages
Step 1: Portal servlet examines the request header and determines the device and user information
Step 2: Portal database and security settings are checked to determine what pages and portlets the user will see
Step 3: Layout system is called for the target markup; JSP templates define the overall page, rows, columns and decorations
Step 4: Portlets that support the target markup are included, others are omitted
Step 5: Portlets are processed in two phases; the first phase processes portlet messages and sends events to other portlets, and portlets render themselves in the second phase
WebSphere Portal V5 Basics
Important Themes in WebSphere Portal V5
Improved Installation
Flexible Configuration
Additional Out-Of-The Box Functionality
Enhanced Document Management
Enhanced Administration Functions
Improved Tooling Support
WebSphere Portal Multiplatform Version 5 Offerings
Extend: Lotus Collaboration Center (including Sametime and QuickPlace), Lotus Extended Search, Tivoli Web Site Analyzer
Enable: WebSphere Application Server, Portal Document Manager, IBM HTTP Server, Portal Server, IBM Cloudscape, Collaboration Services API, Portal Toolkit, WebSphere Translation Server, WebSphere Studio Site Developer, WebSphere Portal Content Publishing, IBM Directory Server, DB2 Universal Database
WebSphere Portal Platform Support
Multiplatform (Enable, Extend): Windows 2000 Server or Windows 2000 Advanced Server; Linux (SuSE, Red Hat, z/Linux); AIX; Solaris
Other Platforms (Enable): iSeries, z/OS
Express, Express Plus: iSeries
WebSphere Portal Version 5.0.2 Features
Simplified Install: wizard-based and separated from Configuration
Flexible Configuration: post-install allows for changes on the fly; automated configuration tasks
Role-based Administration: hierarchical admin access control; granular admin roles
Extended XMLAccess: now manages users and user groups / admin portal capabilities
WebSphere Portal Content Publisher (WPCP): integrated with PDM
Portal Document Manager (PDM): integration with optional workflow and Productivity Portlets
WebSphere Portal Version 5.0.2 Features (cont.)
Collaboration Center: new WhoIsHere, Sametime [Buddy] List Portlet
Cooperative Portlets: data exchange between Portlets within the same Page
Search Engine: adds Categorization, Summarization, Supported File types features
On Demand Editors: simple Java-based Editors for office applications
Portlet Builder: wizard-based portlet builder: Domino, JDBC, and others (SAP, Siebel)
User-specified URL Addressability: simplified URLs to run Portlet Pages
Ease of Use
Simplified Installation
Install WebSphere Application Server and Core Portal
Portal components installed as part of core portal server
Most basic options only at install time; Fewer choices to consider
Cloudscape included as an embedded database
No more Advanced vs. Standard Install
Post-installation configuration of LDAP, Database, etc.
Run 4.x portlets
Collaboration Center
New Collaboration Portlets
People Finder: on-line company directory with built-in instant messaging and people awareness
My Lotus Team Workplaces: display, search and launch QuickPlace project team rooms
Lotus Web Conferencing: view, schedule and attend Sametime e-meetings
Portal Document Manager
Next generation of Portal Content Organizer (PCO)
Navigate through topic “folders”
View and edit documents
Search, categorize, and approve documents
Subscribe to documents
Portal Search Engine
Search Web sites and Portal Document Manager
New features:
Document Filters (Lotus 1-2-3, etc.)
Summarization
Categorization
Stemmer (improves language support)
Metadata search
Tag library and portlet services for developing customized search portlets
Productivity Components
View and edit rich text documents, spreadsheets, presentations, etc.
Allow authoring of documents directly within the portal.
Not intended to provide all the functionality associated with a full-fledged productivity application.
New and Enhanced Business Portlets
Internet Mail Box
Notes
iNotes
Newsgroup
MyList
New Admin Portlets in WebSphere Portal v5
Manage Pages
Users and Groups
Resource Permissions
User and Group Permissions
Custom Unique Names
URL Mapping
User-driven Process Integration
Cooperative Portlets
Portlet messaging enables rich portlet applications
Builds on Click to Action and the portlet API for portlet-to-portlet communication
Uses the Property Broker component
Summary
Highlights for WebSphere Portal Multiplatform V5.0.2
WebSphere Portal V5.0.2 Offerings and Features
New WebSphere Portal V5.0.2 Admin Portlets
Migration to WebSphere Portal V5
Migration Process
Install and Configure WP V5
Complete manual migration steps for the following:
Upgrade to Portal Toolkit 5.0 and WebSphere Studio 5.01
Inspect/Upgrade/Test Portlets
Upgrade/Test custom Themes and Skins
Migrate custom resources from Transcoding Technology
Run migration tasks
Migrate the small portion of access control information not covered by migration tasks, using the manual steps documented in the migration guide.
Migration Process – Manual Steps – Portlets
Packaging: remove portlet.tld from WAR files
Click to Action Portlets: update Click to Action portlets with the newer pbportlet.jar file from <wp5_root>/pb/lib
Collaborative portlets: if planning to use an older version of the Sametime Contact List portlet (from WebSphere Portal Version 4.2.1 or older) in a WebSphere Portal Version 5.0 environment, make sure the hostAddress.xml file is made available to this portlet.
Migration Process – Manual Steps – Themes, Skins and CSS
The Navigation model, which is used extensively in themes and skins, has changed from 4.2 to 5.0
Upgrade your custom themes and skins
References: Migration Guide, White Paper available on the Portal Zone
http://www7b.software.ibm.com/wsdd/zones/portal/
Existing cascading style sheets will continue to work in WP5. New style classes are introduced by Version 5.
Migration Process – Migration tasks – Introduction
Migration package is installed under the root install directory of your WP5, in the "migration" folder
Migration tasks supplied with WP5 are written using ANT 1.4.1
Two categories of tasks:
Tasks utilizing Portal's XML configuration interface (xmlaccess)
Tasks utilizing direct database connections
WebSphere Portal Administration and Customization
Definitions: Customization vs. Personalization
Customization: The ability of the portal end user to change the portal experience for their purposes.
Example: Edit a stock portlet with your stocks
Personalization: The ability for an administrator to define rules that determine (based on who the portal end user is) the applications, data, and content that they see.
Example: A Business Rule that displays the local weather in a weather portlet.
Page Structure and Navigation
My Portal: This is the first page displayed by the portal after login. It is a label containing business and productivity out-of-box portlets (which come with the installation).
Administration: A label containing pages with administrative portlets. Administrators use these portlets for portal administration.
Page Customizer: A label containing pages for managing page content and layout.
Page Properties: A page containing the Properties portlet. This page is hidden from navigation.
Organize Favorites: A page containing the Organize Favorites portlet, which allows users to create, edit, activate, order and delete labels and URLs.
New Features in WebSphere Portal V5 Administration
Redesigned administrative interface
Ability to arrange content in a tree structure
Web Clipping Portlet
Improved Logging Ability
Portlet menus for improved navigation
Improved XML Access
Themes and Skins
Basic JSP structure remains the same as v4.2
Reference to background image in Theme is now found in the Theme's Cascading Style Sheet
New file system locations:
<was_root>\installedapps\<hostname>\wps.ear\wps.war\themes
<was_root>\installedapps\<hostname>\wps.ear\wps.war\skins
Change required for real-time theme updates
Creating Theme
Create a new directory for your theme: <was_root>/installedApps/hostname/wps.ear/wps.war/themes/html/NewTheme
Choose a current theme closest to the layout you want: /themes/html/Science
Copy the resources into the appropriate directories:
JSPs: Default.jsp, Banner.jsp, Navigation.jsp, ...
Images: banner.jpg, navfade.jpg, ...
Style Sheet: Styles.css
Customize to get the look and feel you are looking for.
Add this new theme using the Themes and Skins portlet under Portal Administration and Portal User Interface
Real-time Theme Updating
Edit: <was_root>\config\cells\<node_name>\applications\wps.ear\deployments\wps\wps.war\WEB-INF\ibm-web-ext.xmi
Search for "reloadingEnabled" (NOT "reloadEnabled") and change the setting to "true"
Save the file and restart the portal
Themes
Overall look and feel
Navigation
Skins
Portlet decorations
Navigation
High Performance Skins (Default and NoSkin only)
New Administration Portlets
Portal User Interface: Manage Pages
Access: Manage Users and Groups, Resource Permissions, User and Group Permissions
Portal Settings: URL Mapping, Custom Unique Names
Manage Pages Portlet
Equivalent of Manage Places and Pages in WebSphere Portal V4
Provides a view of all pages a user has access to
Provides a view of the hierarchy of "pages"
Manage Pages provides functionality for:
Creating, editing layout, reordering, editing properties of, assigning access to, and deleting pages
Creating, editing layout, reordering, editing properties of, assigning access to, and deleting labels
Creating, editing layout, reordering, editing properties of, assigning access to, and deleting URLs
Resource Permissions
Allows you to view and modify the roles and access rights associated with portal resources
Enables you to move resources to and from external control
Allows the Administrator, Security Administrator and Delegator roles to:
Display users/groups and their roles on a resource
Assign a role on a resource to a user/group
Remove a role on a resource from user(s)/group(s)
Pass / do not pass a role down from a resource to its children
Allow / do not allow inheritance on a resource from its parent
Search for resources
Users and Groups Portlet
Change for v5 is the combining of Manage User Groups and Manage Users into one portlet
New features are duplicate roles, duplicate groups
Creating a new user group creates the group in All authenticated groups and adds it as a member of the group from which the new user group task was launched
Creating a new user creates the user in All authenticated users and adds it as a member of the group from which the new user task was launched
User and Group Permissions
Displays the access rights that a user or user group has for WebSphere Portal resources
Indicates whether the role is inherited or explicitly assigned
Performs the following functions based on the Administrator, Security Administrator, and Assigner roles:
Display roles for a user or group on resources for a selected resource type
Remove role(s) for resource(s) from a user or group
Custom Unique Names
Portal uses object IDs to identify portal resources, which are difficult to remember
Use to assign unique names (human readable names) to portal resources
Benefits
Easier to handle than the object IDs assigned by the portal
Make identification of portal resources easier in the following contexts
Export or import a portal configuration using the XML configuration interface
Linking portlets to other portal resources
Security of a portal is managed by an external access control system
Must be unique within the portal
URL Mapping
WebSphere Portal V5 Security
Highlights
WebSphere Portal V5 Security Basics
Authentication
WebSphere Member Manager
Single Sign On
Authorization
Role-Based Access Control
WebSphere Portal V5 Security Setup
Summary
Typical Portal Deployment
Diagram: clients reach the Portal Server through an HTTP Server (with an authentication plug-in) or through an Authentication Proxy; the Portal Server and other Web applications run on the Application Server; portlets connect to back-end applications; user identities come from a User Registry (e.g. LDAP).
Portal Security Basics
WebSphere Portal security primarily focuses on:
Authentication: Who are you?
Single Sign-On
Authorization: What are you allowed to see and do?
Authentication
Authentication Choices
WebSphere Application Server Authentication: HTTP Basic Authentication, Form-based Authentication, Lightweight Third Party Authentication (LTPA)
Authentication Proxy and TAIs: Tivoli Access Manager, WebSEAL, Netegrity SiteMinder
WebSphere Portal Authentication
Portal relies on the application server for establishing user identity
Form-based authentication
LTPA Token functionality
WebSphere Portal can work with the Trust Association Interceptors (TAIs) for third party authentication
Portal supports a variety of user registries: LDAP, Custom User Registry
Authentication: What's changed in Portal V5
Security setup now part of Portal configuration
WebSphere Member Manager replaces WebSphere Member Services
Old SSO functionality now deprecated: portlets should not extract credentials directly from the JAAS Subject; use the credential service and/or the credential vault instead
Authentication mechanisms migrated to J2EE Security
Authentication in WebSphere Portal: Recap
Basic Portal Authentication: not connected to the application server security; user and password stored in the Portal database
WebSphere Application Server authentication: choice of user registries; establishes J2EE identity; allows using third-party authentication proxies
User Profiles for Authenticated Users
The User Profile is the set of attributes that make up the (usually static) information about users: name; uid; phone number; preferred language; interests. Not all profile attributes may have values for every user.
Managed by WebSphere Member Manager
WebSphere Portal implementation of a WAS Custom User Registry
User Registry Setups

Setup: Customer provided
Description: Custom User Registry provided by customer
WebSphere AppServer authentication registry: User-supplied Custom User Registry
WebSphere Member Manager configuration: Profile information: WMM/CUR. Profile information is held in the WMM DB as well as the custom registry.

Setup: Database Only
Description: Custom User Registry (configured on the WMM database, provided by Portal Server)
WebSphere AppServer authentication registry: WMM
WebSphere Member Manager configuration: Profile information: WMM. Notice that Cloudscape is NOT a supported CUR.

Setup: LDAP
WebSphere AppServer authentication registry: LDAP
WebSphere Member Manager configuration: Database (+ LDAP, optional). Profile information: LDAP / WMM. The degree of this split is configurable (i.e. what attributes are stored in LDAP and what in the WMM DB).
WebSphere Member Manager
Storing User Profiles: WebSphere Member Manager
Stores User Profile Information: user's name, e-mail, user preferences, etc.; group membership information
Does not store authentication information
Can be configured for:
Database persistence: Cloudscape (default), DB2, Oracle, Sybase, MS SQL Server
LDAP persistence: mapping of WMM attributes to LDAP attributes
User and User Group Management in V5
Click on Administration>Access>Users and Groups
View membership
Duplicate group assignments
Duplicate role assignments
Edit
Single Sign On and Credential Vault
Portal Single Sign-On: The Big Picture
Diagram: Client-Web App SSO spans the client, the Authentication Proxy and the Portal Server; Portal-Back End SSO spans the portlets and the back-end applications and Web applications they call.
Client-to-Web Application Single Sign On Support
Application server built-in SSO support: LTPA
Authentication proxy SSO support: Application Server's Trust Association Interceptors; Tivoli Access Manager (WebSEAL)
Other third-party SSO frameworks and environments: Netegrity SiteMinder Web Agent, ....
WebSphere LTPA Single Sign-On
Step 1: User authenticates. Diagram: the client authenticates through the HTTP Server to the Portal Server on the Application Server, which sends an LTPA cookie back to the client.
Step 2: LTPA token is accepted by applications. Diagram: the client's later requests carry the LTPA cookie, and the Web Application on the Application Server and the Domino Server accept it.
Portal to Backend SSO: Credential Service
Allows managing multiple user identities in Portal applications
Consists of: Credential service, Vault adapter, Vault implementation
V4 SSO functionality deprecated: portlets should no longer attempt to get user and password from the JAAS Subject
Diagram: portlets use the Credential Portlet Service, which reaches vaults through the Vault Adapter Interface; the Default Adapter fronts the Default Vault implementation, the TAM Adapter fronts the TAM GSO Lockbox, and a Custom Adapter fronts a Custom Vault.
Credential Slot Types
Shared Credentials: a shared system credential slot stores system credentials; the actual secret is shared among all users and portlets
User-specific Credentials: shared among all the portlets of a certain user; the secret is user specific, but valid for all of the user's portlets
Private portlet slots: store credentials that are not shared among portlets; the credential secret is user specific as well as specific to a certain portlet instance
Credential Vault Administration in V5
Click on Administration->Access->Credential Vault
Authorization
J2EE Authorization Model
Supported Resources and Actions:
URLs (GET, POST, PUT, DELETE) -> security-constraint
EJB Methods -> method-permission
J2EE role = set of security-constraints and/or method-permissions
J2EE role configures access to business logic
WebSphere Portal Authorization Model
Programmatic security identical to J2EE.
Role concept is different: a role is a set of permissions in both models
J2EE roles allow any combination of J2EE permissions
In order to simplify Access Control configuration, the WP role space is restricted: roles are created by applying an Action Set on a resource.
It is not possible to define a single role allowing different actions on different resources (e.g. (Modify Properties SalesPage) and (View ACL Portlet))
WebSphere Portal Authorization Model (cont.)
Supported Resources: the J2EE model supports URLs with HTTP-specific actions and EJB methods; Portal supports instance-based authorization for all kinds of portal resources
Delegated Administration: Portal access control protects access to the access control configuration; this is not supported by J2EE authorization
Reconfiguration: reconfiguration of J2EE permissions requires a restart of the J2EE entity
Role-based Access Control
Portal Resource Topology
Diagram: the Portal root with the resource types beneath it: Pages (Composition/Component nodes down to Portlet Instances), User Groups (User Group / Community), Catalog Segments (Library Segment), Portlets (Portlet Instance), External Access Control, Users, URL Mapping Segments (Mapping Segment, URL Mapping), Categories, Web Modules, UDDI Registries, Portlet Applications (Portlet Application, Portlet Group, Portlet Instance), Remotely Accessible Portlets, Credential Vault (Vault Segment, Vault Slot), Settings, Event Handlers, XmlAccess and WSRP. Legend: virtual resource, protected resource, implicitly protected resource, "propagates permissions on", WMM/S membership.
Role Concept
Diagram: a Role Definition pairs a Role (e.g. Editor) with its Permissions; a Role Assignment binds a User or User Group from the User Subsystem to that role on a resource. Example: the role User@SalesPage = {(View, SalesPage), (View, SalesPortletInstance)} is assigned to the SalesForce group.
Actions & Action Sets
Administrators are allowed to do everything
Security Admins are allowed to grant access on a resource to other principals
Assigners are allowed to grant access to other principals
Managers are allowed to create, edit, and delete shared resources
Editors are allowed to create and edit shared resources
Privileged Users are allowed to create private resources
Users are allowed to view portal resources
Table (Action Set x Action): the action sets Administrator, Security Administrator, Assigner, Manager, Editor, Privileged User and User against the actions Grant Access On, Delegate To, Delete, Add Child, Add Private Child, Edit, Personalize and View.
Role Creation & Role Inheritance
Diagram: page tree Page0 > Page1 > {Page2, Page3, Page4}, Page4 > Page5. createRole(Page1, Editor Action Set) is an explicit role assignment on Page1; Page2, Page3, Page4 and Page5 hold the Editor role by inheritance. Page1 is the domain root of the resulting role domain.
Editor Action Set = {View, Edit, …}
Resulting role: {(View Page1), (View Page2), …, (Edit Page1), (Edit Page2), …} (not exposed to the user)
Inheritance Blocking
Configured by Admin for a specific node and a specific action set (e.g. Editors)
Inheritance Flag: inherit action set permissions from the parent node
Propagation Flag: propagate action set permissions to child nodes
Propagation Flag allows editors to create resources without an inherited Editor role assignment
Diagram: with the explicit Editor role assignment on Page1 and inherited Editor roles on Page2, Page3, Page4, Page5 and Page6, blockInheritance(Page4, Editor) stops Page4 from inheriting the role from Page1, and blockPropagation(Page4, Editor) stops Page4 from passing it on to Page5 and Page6.
Creation of Shared Resources
User creates a shared resource
The user that created the resource becomes the owner of the resource
This owner relationship grants specific permissions on the corresponding resource
Ownership can be transferred
Diagram: explicit Manager role assignment on Page1, inherited by Page2, Page3 and Page4; createSharedResource(Page4) creates Page5, which inherits the Manager role and has the creator as Owner.
ibm.com /redbooks© 2003 IBM Corporation
Private ResourcesPrivate Resources
Users can be granted privileges to create private resources
The user that created the resource becomes the owner of the new resource
Private resources are visible only to the owner of the resource
Private resources do not inherit any roles from their ancestor nodes
Private resources are deleted explicitly by the owner, or automatically when the creator is removed from the portal
[Diagram: Page0 > Page1 > {Page2, Page3, Page4}; explicit Privileged User assignment on Page1, inherited on Page2, Page3 and Page4. createPersonalizedResource(Page4) creates Page5 as a Private Resource with the creating user as Owner; Page5 inherits no role.]
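The role inheritance, inheritance/propagation blocking and private-resource rules from the slides above, as an added example (not code from the IBM deck): a small Python model of a portal resource tree. The action sets and the tree with "alice" as Editor of Page1 are constructed for illustration.

```python
# Added example, not code from the IBM deck: a model of portal role inheritance
# over a resource tree, covering explicit role assignment, inheritance and
# propagation blocking, and the rule that private resources inherit no roles.
from dataclasses import dataclass, field

ACTION_SETS = {  # constructed subset; the real portal defines the full action sets
    "Editor": {"View", "Edit"},
    "Manager": {"View", "Edit", "Add Child", "Delete"},
    "PrivilegedUser": {"View", "Personalize", "Add Private Child"},
}

@dataclass
class Node:
    name: str
    parent: "Node | None" = None
    private: bool = False                              # private resource: inherits nothing
    explicit: dict = field(default_factory=dict)       # role -> set of principals
    block_inherit: set = field(default_factory=set)    # roles not inherited from parent
    block_propagate: set = field(default_factory=set)  # roles not passed to children

def create_role(node, role, principal):        # createRole(Page1, Editor Action Set)
    node.explicit.setdefault(role, set()).add(principal)

def block_inheritance(node, role):             # blockInheritance(Page4, Editor)
    node.block_inherit.add(role)

def block_propagation(node, role):             # blockPropagation(Page4, Editor)
    node.block_propagate.add(role)

def members(node, role):
    """Principals holding `role` on `node`: explicit members plus inherited ones."""
    held = set(node.explicit.get(role, ()))
    parent = node.parent
    if parent is None or node.private or role in node.block_inherit \
            or role in parent.block_propagate:
        return held                            # nothing flows down into this node
    return held | members(parent, role)

def has_permission(principal, action, node):
    """Resulting permission check, e.g. (Edit, Page2) for an Editor of Page1."""
    return any(action in actions and principal in members(node, role)
               for role, actions in ACTION_SETS.items())

def build_tree():
    """Constructed tree matching the deck's diagrams, with alice as Editor of Page1."""
    page0 = Node("Page0")
    page1 = Node("Page1", page0)
    page2, page3, page4 = (Node(n, page1) for n in ("Page2", "Page3", "Page4"))
    page5, page6 = Node("Page5", page4), Node("Page6", page4)
    create_role(page1, "Editor", "alice")
    return {n.name: n for n in (page0, page1, page2, page3, page4, page5, page6)}
```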
Externalization Approach
[Diagram: the Portal, with its User Registry and Portal DB, holds the Portal Resource Topology of objects o1 … o6. Role definitions are externalized to Tivoli Access Manager; the Portal Admin administers the portal and the TAM Admin administers Tivoli Access Manager.]
Editor@o1 = {(view, o1), (edit, o1), (view, o2), (edit, o2), (view, o3), (edit, o3), (view, o6), (edit, o6)}
Assign Access to a Resource
[Screenshot sequence: Assign Access to a Resource, continued over several slides]
Group is now in role…
Security Setup in V5
Setting Up Security in WebSphere Portal V5
Configuration steps are required after installation
Steps vary significantly, depending on:
- the user registry you select for authentication
- the repository you select for WMM
- the installation path you took
The InfoCenter has detailed step-by-step instructions
Administrative Commands in a Secure Portal
Application server administrative commands require a user and password once security is on
Example: stopServer
stopServer -username wasadmin -password adminpwd
The user has to be mapped to an administrative role
Summary
We learned:
WebSphere Portal V5 Security changes
Authentication and Authorization
Role Based Access Control
Single Sign on with WebSphere Portal
IBM®
International Technical Support Organization
Understanding WebSphere Portal V5 Setup
Setup / Configuration
Base Configuration:
- WAS 5.0.1 Enterprise Edition
- Cloudscape Database
- Portal 5.0
- Base Portlets
- IBM HTTP Server
- WebSphere Portal Content Publisher
Separate configuration / install:
- LDAP Integration
- Relational Database
- Collaboration Center
- Sametime
- QuickPlace
- WSSD
- etc.
Using Configuration Tasks (wpsconfig.bat)
Main configuration file: <PORTAL>\config\wpconfig.properties
Action commands used by scripts: <PORTAL>\config\actions
Helper templates to reduce the configuration overhead: <PORTAL>\config\helpers
Templates used by the configuration program: <PORTAL>\config\templates
Finalized version of the configuration files: <PORTAL>\config\work
Configuration Example Results
Check <PORTAL>\config\actions\*.xml for result codes if needed:
# Error conditions:
# Codes returned by underlying class:
# RC_SUCCESS = 0        # check succeeded, no error(s) to report
# RC_NO_CONNECTION = 1  # Connection to LDAP server failed. Check URL, userid/password
# RC_OBJECT_NOT_FOUND = 2  # objectDn could not be found in directory
# RC_INVALID_NAME = 3   # javax.naming.NameNotFoundException
# RC_INVALID_AUTH = 4;  # javax.naming.AuthenticationException
Setup / Configuration Tips and Gotchas
- Use the correct WAS Admin server (e.g. server1)
- Use the Portal admin on port 9091 (e.g. http://hostname.domain:9091/admin)
- Always check for “BUILD SUCCESSFUL” on config
- Don’t assume wpconfig.properties is the final say: <PORTAL>\shared\app\config is the key to most configuration
- Make backup copies of your wpconfig.properties file
IBM®
International Technical Support Organization
Tracing and Logging
Setup Logs
Portal component installation problems (<PORTAL>\log):
wpinstalllog.txt, wpsinstalllog.txt, wpcpinstalllog.txt, installmessages.txt, portletinstall.txt
ConfigMessages.log, ConfigTrace.log, ConfigTraceXX.log
WebSphere Application Server / IHS:
<WAS_ROOT>\logs\log.txt, <WAS_ROOT>\logs\ihs_log.txt
wpwasfp1.txt, wppmefp1.txt
Runtime Log Files
Application Server (<WAS>\logs\appserver)
startServer.log / stopServer.log / appserver.pid
Portal Server (<PORTAL>\log)
SystemOut.log SystemErr.log
wps_timestamp.log (default) trace.log (if tracing enabled)
Configuration Logs (<PORTAL>\log)
ConfigTrace.log ConfigMessages.log
IBM HTTP Server Logs (<IHS>\logs)
access.log error.log
Tracing Options
Temporary: under the administration portlets, Portal Analysis -> Enable Tracing
Extended: <PORTAL>\shared\app\config\log.properties, traceString=parameter
parameter example: com.ibm.wps.*=all=enabled
Application Server (depends on component?): WebSphere Application Server Administration, Troubleshooting -> Logs and Traces -> WebSphere Portal
Some Common Portal Trace Strings
Logging In: com.ibm.wps.services.puma.*, com.ibm.wps.engine.command.*, com.ibm.wps.puma.*, com.ibm.wps.sso.*
Credential vaults / SSO: com.ibm.wps.sso.vaultservice.*, com.ibm.wps.sso.*, com.ibm.wps.command.credentialvault.*, com.ibm.wps.portletservice.credentialvault.*
Portal Tag Libraries: com.ibm.wps.engine.tags.*
XMLAccess: com.ibm.wps.command.xml.*
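The traceString setting from the Tracing Options slide and the trace strings listed above, as an added example (not code from the IBM deck): a Python parser for a traceString and a lookup of the trace level that applies to a given logger. The entry format (colon-separated component=level=state) is taken from the slide's example; the rule that the longest matching component pattern wins is an assumption of this example.

```python
# Added example, not code from the IBM deck: parse a portal/WAS traceString as set
# in log.properties (e.g. "com.ibm.wps.*=all=enabled") and work out which trace
# level applies to a logger. Assumed: colon-separated component=level=state
# entries, and the longest matching component pattern wins.

def parse_trace_string(trace):
    """Return a list of (component_pattern, level, enabled) tuples."""
    specs = []
    for entry in trace.split(":"):
        if not entry.strip():
            continue
        parts = [p.strip() for p in entry.split("=")]
        if len(parts) != 3 or parts[2] not in ("enabled", "disabled"):
            raise ValueError("malformed trace entry: %r" % entry)
        specs.append((parts[0], parts[1], parts[2] == "enabled"))
    return specs

def matches(pattern, logger):
    """'com.ibm.wps.sso.*' matches com.ibm.wps.sso and every sub-package."""
    if pattern == "*":
        return True
    if pattern.endswith(".*"):
        base = pattern[:-2]
        return logger == base or logger.startswith(base + ".")
    return pattern == logger

def trace_level(trace, logger):
    """Effective level for `logger`, or None when tracing is disabled for it."""
    best = None
    for component, level, enabled in parse_trace_string(trace):
        # longest (most specific) pattern wins; later entries win ties
        if matches(component, logger) and (best is None or len(component) >= len(best[0])):
            best = (component, level if enabled else None)
    return best[1] if best else None

# Constructed sample: the deck's "Logging In" components traced, SSO trace switched off.
LOGIN_TRACE = ("com.ibm.wps.services.puma.*=all=enabled:"
               "com.ibm.wps.engine.command.*=all=enabled:"
               "com.ibm.wps.puma.*=all=enabled:"
               "com.ibm.wps.sso.*=all=disabled")
```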
Summary
We covered:
WebSphere Portal basics
WebSphere Portal V5 enhancements
WebSphere Portal Setup, Administration, Customization and Security
Logging and Tracing
References
WebSphere Portal Product Documentation: http://www7b.software.ibm.com/wsdd/zones/portal/proddoc.html#500
WebSphere Portal V5 Infocenter: http://publib.boulder.ibm.com/pvc/wp/500/ent/en/InfoCenter/index.html
WebSphere Portal Zone: http://www7b.software.ibm.com/wsdd/zones/portal/
IBM Redbooks: http://www.ibm.com/redbooks
Q and A