portal admin lecture


Upload: varunsingla1

Post on 21-Apr-2015


TRANSCRIPT

Page 1: Portal Admin Lecture

© Copyright IBM Corp. 2003

ibm.com

International Technical Support Organization

WebSphere Portal V5.0.2 Fundamentals

ibm.com/redbooks © 2003 IBM Corporation

Agenda

- Introduction to WebSphere Portal
- WebSphere Portal V5.0.2 Basics
- Migration to WebSphere Portal V5
- WebSphere Portal Administration and Customization
- WebSphere Portal V5.0.2 Security
- Understanding WebSphere Portal V5.0.2 Setup
- Tracing and Logging
- Summary
- References
- Q and A

Page 2: Portal Admin Lecture

IBM®

International Technical Support Organization

Introduction to WebSphere Portal

IBM Portal Strategy

[Diagram: WebSphere Portal Server at the centre of the WebSphere Software Platform, surrounded by Lotus Collaboration Tools, EIP & Content Management, Pervasive Devices and Tivoli Security]

Page 3: Portal Admin Lecture

Basic Terminology

PORTAL: A Portal is a Web site that provides end users with a single point of access to Web-based resources.

PORTLET: A Portlet is an application that is hosted by the portal.

PORTLET APPLICATION: A Portlet application is a set of Portlets grouped together in an execution context.

Basic Terminology (Contd.)

Page: A page is a collection of portlets that display content to the user.

Label: A label is a collection of nodes, in other words a collection of pages.

URL: A URL launches any URL-addressable resource within the portal site, which can include external Web sites.

Content Root: The topmost node in the tree is the content root. This content root can have nodes that can be represented in a parent-child relationship.

Page 4: Portal Admin Lecture

Benefits of using a Portal

- Personalized Content Delivery
- Collaboration
- Platform-neutral, open standards approach
- Simplified access to applications
- Consistent user interface
- Single point of access

Portal Principle

- Combines application user interfaces together into one unified presentation
- User registration
- Authentication and Authorization
- Pluggable portal components: Portlets
- Personalization based on profiles
- Customization of pages by users
- Search
- Content Management
- Administrators can either lock or open up areas of the page for end users to customize

[Diagram: a portal page with Login, Portlets and Navigation areas]

Page 5: Portal Admin Lecture

Portlet Principle

- Each Portlet is a separate application
  - Developed independently
  - Aggregated on a portal page
  - Can be placed anywhere on the page
- Portlets have modes and window states
- Portlets can support multiple devices
  - Phones, Organizers, Voice
  - Unique views for each device
  - Business logic can be shared
- Portlets are portal context aware
  - Per-Portlet settings managed by portal
  - Can access user profile information

Themes and Skins

- Themes and skins control every element of how the page looks: colors, fonts, spacing, images, navigation, rows, columns, and Portlets
- Themes and skins can be applied to any group of pages, any time

Page 6: Portal Admin Lecture

WebSphere Portal Server Core Architecture

[Diagram: the Portal Engine contains Aggregation (PC, WAP, iMode, Voice and PDA markups), Authentication, Authorization, the Portlet Container and the Portlet API (Invocation); the WPS Data Store holds the Portlet Registry, User Config and Portlet Data; WebSphere CUS; portlets such as Enrollment Portlet, Selfcare Portlet, Admin Portlet, Customizer Portlet, Proxy Portlet and Any Portlet; Credential Vault, Search and Content Management services; a Remote Portlet and a Web Service reached over SOAP through the Remote API; an external Application]

How Portal Constructs Pages

Step 1: The portal servlet examines the request header and determines the device and user information.

Step 2: The portal database and security settings are checked; this determines what pages and portlets the user will see.

Step 3: The layout system is called for the target markup; JSP templates define the overall page, rows, columns and decorations.

Step 4: Portlets are processed in two phases; the first phase processes portlet messages and sends events to other portlets.

Step 5: Portlets render themselves in the 2nd phase; portlets that support the target markup are included, others are omitted.

Page 7: Portal Admin Lecture

IBM®

International Technical Support Organization

WebSphere Portal V5 Basics

Important Themes in WebSphere Portal V5

- Improved Installation
- Flexible Configuration
- Additional Out-Of-The-Box Functionality
- Enhanced Document Management
- Enhanced Administration Functions
- Improved Tooling Support

Page 8: Portal Admin Lecture

WebSphere Portal Multiplatform Version 5 Offerings

[Diagram: the Enable offering contains WebSphere Application Server, IBM HTTP Server, Portal Server, IBM Cloudscape, Portal Document Manager, Collaboration Services API, Portal Toolkit, WebSphere Translation Server, WebSphere Studio Site Developer, WebSphere Portal Content Publishing, IBM Directory Server and DB2 Universal Database; the Extend offering adds Lotus Collaboration Center (including Sametime and QuickPlace), Lotus Extended Search and Tivoli Web Site Analyzer]

WebSphere Portal Platform Support

- Multi Platform (Enable, Extend): Windows 2000 Server or Windows 2000 Advanced Server; Linux (SuSE, Red Hat, z/Linux); AIX; Solaris
- Other Platforms (Enable): iSeries, z/OS
- Express, Express Plus: iSeries

Page 9: Portal Admin Lecture

WebSphere Portal Version 5.0.2 Features

- Simplified Install: wizard-based and separated from Configuration
- Flexible Configuration: post-install allows for changes on the fly; automated configuration tasks
- Role-based Administration: hierarchical admin access control; granular admin roles
- Extended XMLAccess: now manages users and user groups / admin portal capabilities
- WebSphere Portal Content Publisher (WPCP): integrated with PDM
- Portal Document Manager (PDM): integration with optional workflow and Productivity Portlets

WebSphere Portal Version 5.0.2 Features (cont.)

- Collaboration Center: new WhoIsHere, Sametime [Buddy] List Portlet
- Cooperative Portlets: data exchange between Portlets within the same Page
- Search Engine: adds Categorization, Summarization and Supported File Types features
- On Demand Editors: simple Java-based Editors for office applications
- Portlet Builder: wizard-based portlet builder for Domino, JDBC, and others (SAP, Siebel)
- User-specified URL Addressability: simplified URLs to run Portlet Pages

Page 10: Portal Admin Lecture

Ease of Use

- Simplified Installation
  - Install WebSphere Application Server and Core Portal
  - Portal components installed as part of the core portal server
  - Most basic options only at install time; fewer choices to consider
  - Cloudscape included as an embedded database
  - No more Advanced vs. Standard Install
- Post-installation configuration of LDAP, Database, etc.
- Run 4.x portlets

Collaboration Center

New Collaboration Portlets:

- People Finder: on-line company directory with built-in instant messaging and people awareness
- My Lotus Team Workplaces: display, search and launch QuickPlace project team rooms
- Lotus Web Conferencing: view, schedule and attend Sametime e-meetings

Page 11: Portal Admin Lecture

Portal Document Manager

- Next generation of Portal Content Organizer (PCO)
- Navigate through topic "folders"
- View and edit documents
- Search, categorize, and approve documents
- Subscribe to documents

Portal Search Engine

- Search Web sites and Portal Document Manager
- New features
  - Document Filters (Lotus 1-2-3, etc.)
  - Summarization
  - Categorization
  - Stemmer (improves language support)
  - Metadata search
- Tag library and portlet services for developing customized search portlets

Page 12: Portal Admin Lecture

Productivity Components

- View and edit rich text documents, spreadsheets, presentations, etc.
- Allow authoring of documents directly within the portal.
- Not intended to provide all the functionality associated with a full-fledged productivity application.

New and Enhanced Business Portlets

- Internet Mail Box
- Notes
- iNotes
- Newsgroup
- MyList

Page 13: Portal Admin Lecture

New Admin Portlets in WebSphere Portal v5

- Manage Pages
- Users and Groups
- Resource Permissions
- User and Group Permissions
- Custom Unique Names
- URL Mapping

User-driven Process Integration

- Cooperative Portlets: portlet messaging enables rich portlet applications
- Builds on Click to Action and the portlet API for portlet-to-portlet communication
- Uses the Property Broker component

Page 14: Portal Admin Lecture

Summary

- Highlights for WebSphere Portal Multiplatform V5.0.2
- WebSphere Portal V5.0.2 Offerings and Features
- New WebSphere Portal V5.0.2 Admin Portlets

IBM®

International Technical Support Organization

Migration to WebSphere Portal V5

Page 15: Portal Admin Lecture

Migration Process

- Install and Configure WP V5
- Complete manual migration steps for the following:
  - Upgrade to Portal Toolkit 5.0 and WebSphere Studio 5.01
  - Inspect/Upgrade/Test Portlets
  - Upgrade/Test custom Themes and Skins
  - Migrate custom resources from Transcoding Technology
- Run migration tasks
- Migrate the small portion of access control information not covered by the migration tasks using the manual steps documented in the migration guide.

Migration Process – Manual Steps – Portlets

- Packaging: remove portlet.tld from WAR files
- Click to Action Portlets: update Click to Action portlets with the newer pbportlet.jar file from <wp5_root>/pb/lib
- Collaborative portlets: if planning to use an older version of the Sametime Contact List portlet (from WebSphere Portal Version 4.2.1 or older) in a WebSphere Portal Version 5.0 environment, make sure the hostAddress.xml file is made available to this portlet.

Page 16: Portal Admin Lecture

Migration Process – Manual Steps – Themes, Skins and CSS

- The Navigation model, which is used extensively in themes and skins, has changed from 4.2 to 5.0
- Upgrade your custom themes and skins
- References: Migration Guide, White Paper available on the Portal Zone: http://www7b.software.ibm.com/wsdd/zones/portal/
- Existing cascading style sheets will continue to work in WP5. New style classes are introduced by Version 5.

Migration Process – Migration tasks – Introduction

- The migration package is installed under the root install directory of your WP5 in the "migration" folder
- Migration tasks supplied with WP5 are written using ANT 1.4.1
- Two categories of tasks:
  - Tasks utilizing Portal's XML configuration interface (xmlaccess)
  - Tasks utilizing direct database connections

Page 17: Portal Admin Lecture

IBM®

International Technical Support Organization

WebSphere Portal Administration and Customization

Definitions: Customization vs. Personalization

Customization: The ability of the portal end user to change the portal experience for their purposes.
Example: Edit a stock portlet with your stocks.

Personalization: The ability for an administrator to define rules that determine (based on who the portal end user is) the applications, data, and content that they see.
Example: A business rule that displays the local weather in a weather portlet.

Page 18: Portal Admin Lecture

Page Structure and Navigation

My Portal: This is the first page displayed by the portal after login. It is a label containing the business and productivity out-of-box portlets (those which come with the installation).

Administration: A label containing pages with administrative portlets. Administrators use these portlets for portal administration.

Page Customizer: A label containing pages for managing page content and layout.

Page Properties: A page containing the Properties portlet. This page is hidden from navigation.

Organize Favorites: A page containing the Organize Favorites portlet, which allows users to create, edit, activate, order and delete labels and URLs.

New Features in WebSphere Portal V5 Administration

- Redesigned administrative interface
- Ability to arrange content in a tree structure
- Web Clipping Portlet
- Improved Logging Ability
- Portlet menus for improved navigation
- Improved XML Access

Page 19: Portal Admin Lecture

Themes and Skins

- Basic JSP structure remains the same as v4.2
- The reference to the background image in a Theme is now found in the Theme's Cascading Style Sheet
- New file system locations:
  - <was_root>\installedapps\<hostname>\wps.ear\wps.war\themes
  - <was_root>\installedapps\<hostname>\wps.ear\wps.war\skins
- A configuration change is required for real-time theme updates (see Real-time Theme Updating)

Creating a Theme

1. Create a new directory for your theme: <was_root>/installedApps/hostname/wps.ear/wps.war/themes/html/NewTheme
2. Choose a current theme closest to the layout you want, e.g. /themes/html/Science
3. Copy the resources into the appropriate directories:
   - JSPs: Default.jsp, Banner.jsp, Navigation.jsp, ...
   - Images: banner.jpg, navfade.jpg, ...
   - Style Sheet: Styles.css
4. Customize to get the look and feel you are looking for.
5. Add this new theme using the Themes and Skins portlet under Portal Administration and Portal User Interface.

Page 20: Portal Admin Lecture

Real-time Theme Updating

1. Edit: <was_root>\config\cells\<node_name>\applications\wps.ear\deployments\wps\wps.war\WEB-INF\ibm-web-ext.xmi
2. Search for "reloadingEnabled" (NOT "reloadEnabled") and change the setting to "true"
3. Save the file and restart the portal

Themes

- Overall look and feel
- Navigation

Page 21: Portal Admin Lecture

Skins

- Portlet decorations
- Navigation
- High Performance Skins (Default and NoSkin only)

New Administration Portlets

- Portal User Interface
  - Manage Pages
- Access
  - Manage Users and Groups
  - Resource Permissions
  - User and Group Permissions
- Portal Settings
  - URL Mapping
  - Custom Unique Names

Page 22: Portal Admin Lecture

Manage Pages Portlet

- Equivalent of Manage Places and Pages in WebSphere Portal V4
- Provides a view of all pages a user has access to
- Provides a view of the hierarchy of "pages"
- Manage Pages provides functionality for:
  - Creating, editing layout, reordering, editing properties of, assigning access to, and deleting pages
  - Creating, editing layout, reordering, editing properties of, assigning access to, and deleting labels
  - Creating, editing layout, reordering, editing properties of, assigning access to, and deleting URLs

Manage Pages Portlet

[Screenshot of the Manage Pages portlet]

Page 23: Portal Admin Lecture

Resource Permissions

- Allows you to view and modify the roles and access rights associated with portal resources
- Enables you to move resources to and from external control
- Allows the Administrator, Security Administrator and Delegator roles to:
  - Display users/groups and their roles on a resource
  - Assign a role on a resource to a user/group
  - Remove a role on a resource from user(s)/group(s)
  - Pass / do not pass a role down from a resource to its children
  - Allow / do not allow inheritance on a resource from its parent
  - Search for resources

Resource Permissions Portlet

[Screenshot of the Resource Permissions portlet]

Page 24: Portal Admin Lecture

Users and Groups Portlet

- The change for v5 is the combining of Manage User Groups and Manage Users into one portlet
- New features are duplicate roles and duplicate groups
- Creating a new user group creates the user group in All Authenticated Groups and adds it as a member to the group the new user group task was launched from
- Creating a new user creates the user in All Authenticated Users and adds it as a member to the group the new user task was launched from

User and Group Permissions

- Displays the access rights that a user or user group has for WebSphere Portal resources
- Indicates whether the role is inherited or explicitly assigned
- Performs the following functions based on the Administrator, Security Administrator, and Assigner roles:
  - Display roles for a user or group on resources of a selected resource type
  - Remove role(s) for resource(s) from a user or group

Page 25: Portal Admin Lecture

Custom Unique Names

- Portal uses object IDs to identify portal resources, and these are difficult to remember
- Use this portlet to assign unique names (human-readable names) to portal resources
- Benefits
  - Easier to handle than the object IDs assigned by the portal
  - Make identification of portal resources easier in the following contexts:
    - Exporting or importing a portal configuration using the XML configuration interface
    - Linking portlets to other portal resources
    - Security of a portal managed by an external access control system
- Must be unique within the portal

Custom Unique Names Portlet

[Screenshot of the Custom Unique Names portlet]

Page 26: Portal Admin Lecture

URL Mapping

[Screenshot of the URL Mapping portlet]

IBM®

International Technical Support Organization

WebSphere Portal V5 Security

Page 27: Portal Admin Lecture

Highlights

- WebSphere Portal V5 Security Basics
- Authentication
  - WebSphere Member Manager
  - Single Sign On
- Authorization
  - Role-Based Access Control
- WebSphere Portal V5 Security Setup
- Summary

WebSphere Portal

[Diagram slide]

Page 28: Portal Admin Lecture

Typical Portal Deployment

[Diagram: Clients reach the Application Server hosting the Portal Server and its Portlets through an HTTP Server (with an Auth. Plugin) and an Authentication Proxy; a User Registry (e.g. LDAP) is consulted; Portlets connect to (Web) Applications and Back End Applications]

Portal Security Basics

WebSphere Portal security primarily focuses on:

- Authentication: Who are you?
- Single Sign-On
- Authorization: What are you allowed to see and do?

Page 29: Portal Admin Lecture

Authentication

Authentication Choices

- WebSphere Application Server Authentication
  - HTTP Basic Authentication
  - Form-based Authentication
  - Lightweight Third Party Authentication (LTPA)
- Authentication Proxy and TAIs
  - Tivoli Access Manager, WebSEAL
  - Netegrity SiteMinder

Page 30: Portal Admin Lecture

WebSphere Portal Authentication

- Portal relies on the application server for establishing user identity
  - Form-based authentication
  - LTPA Token functionality
- WebSphere Portal can work with the Trust Association Interceptors (TAIs) for third-party authentication
- Portal supports a variety of user registries: LDAP, Custom User Registry

Authentication: What's changed in Portal V5

- Security setup is now part of the Portal configuration
- WebSphere Member Manager replaces WebSphere Member Services
- Old SSO functionality is now deprecated
  - Portlets should not extract credentials directly from the JAAS Subject
  - Use the credential service and/or the credential vault instead
- Authentication mechanisms migrated to J2EE Security

Page 31: Portal Admin Lecture

Authentication in WebSphere Portal: Recap

- Basic Portal Authentication
  - Not connected to the application server security
  - User and password stored in the Portal database
- WebSphere Application Server authentication
  - Choice of user registries
  - Establishes J2EE identity
  - Allows using third-party authentication proxies

User Profiles for Authenticated Users

- The User Profile is the set of attributes that make up the (usually static) information about users
  - Name; uid; phone number; preferred language; interests; ...
  - Not all profile attributes may have values for every user
- Managed by WebSphere Member Manager
  - WebSphere Portal implementation of a WAS Custom User Registry

Page 32: Portal Admin Lecture

User Registry Setups

Setup 1
  Description: Authentication registry: user-supplied Custom User Registry. Profile information: WMM/CUR. Profile information is held in the WMM DB as well as in the custom registry.
  WebSphere AppServer authentication registry: Custom User Registry provided by customer
  WebSphere Member Manager configuration: Customer provided

Setup 2
  Description: Authentication registry: WMM. Profile information: WMM. Notice that Cloudscape is NOT a supported CUR.
  WebSphere AppServer authentication registry: Custom User Registry (configured on the WMM database, provided by Portal Server)
  WebSphere Member Manager configuration: Database Only

Setup 3
  Description: Authentication registry: LDAP. Profile information: LDAP / WMM. The degree of this split is configurable (i.e. which attributes are stored in LDAP and which in the WMM DB).
  WebSphere AppServer authentication registry: LDAP
  WebSphere Member Manager configuration: Database (+LDAP - optional)

WebSphere Member Manager

Page 33: Portal Admin Lecture

Storing User Profiles: WebSphere Member Manager

- Stores User Profile Information
  - User's name, e-mail, user preferences, etc.
  - Group membership information
- Does not store authentication information
- Can be configured for:
  - Database persistence: Cloudscape (default), DB2, Oracle, Sybase, MS SQL Server
  - LDAP persistence: mapping of WMM attributes to LDAP attributes

User and User Group Management in V5

Click on Administration > Access > Users and Groups

[Screenshot: View membership, Duplicate group assignments, Duplicate role assignments, Edit]

Page 34: Portal Admin Lecture

Single Sign On and Credential Vault

Portal Single Sign-On: The Big Picture

[Diagram: Clients reach the Portal Server through an Authentication Proxy (Client-Web App SSO); Portlets on the Portal Server reach Web Applications and Back End Applications (Portal-Back End SSO)]

Page 35: Portal Admin Lecture

Client-to-Web Application Single Sign On Support

- Application server built-in SSO support: LTPA
- Authentication proxy SSO support: Application Server's Trust Association Interceptors
  - Tivoli Access Manager (WebSEAL)
- Other third-party SSO frameworks/environments
  - Netegrity SiteMinder Web Agent
  - ....

WebSphere LTPA Single Sign-On

Step 1: User authenticates

[Diagram: the Client authenticates through the HTTP Server to the Portal Server on the Application Server, which sends back an LTPA cookie; a Domino Server and a Web Application are also shown]

Page 36: Portal Admin Lecture

WebSphere LTPA Single Sign-On

Step 2: LTPA token is accepted by applications

[Diagram: the Client's requests go through the HTTP Server to the Portal Server on the Application Server, the Domino Server and the Web Application]

Portal to Backend SSO: Credential Service

- Allows managing multiple user identities in Portal applications
- Consists of:
  - Credential service
  - Vault adapter
  - Vault implementation
- V4 SSO functionality deprecated: portlets should no longer attempt to get user and password from the JAAS Subject

[Diagram: Portlets call the Credential Portlet Service, which talks to vaults through the Vault Adapter Interface; the Default Adapter backs onto the Default Vault Impl., the TAM Adapter onto the TAM GSO Lockbox, and a Custom Adapter onto a Custom Vault]

Page 37: Portal Admin Lecture

Credential Slot Types

- Shared Credentials: a shared system credential slot stores system credentials; the actual secret is shared among all users and portlets
- User-specific Credentials: shared among all the portlets of a certain user; the secret is user specific, but valid for all of the user's portlets
- Private portlet slots: they store credentials that are not shared among portlets; the credential secret is user specific as well as specific to a certain portlet instance

Credential Vault Administration in V5

Click on Administration -> Access -> Credential Vault

Page 38: Portal Admin Lecture

Authorization

J2EE Authorization Model

- Supported Resources and Actions
  - URLs (GET, POST, PUT, DELETE) -> security-constraint
  - EJB Methods -> method-permission
- J2EE role = set of security-constraints and/or method-permissions
- J2EE role configures access to business logic

Page 39: Portal Admin Lecture

WebSphere Portal Authorization Model

- Programmatic security identical to J2EE.
- Role concept is different:
  - A role is a set of permissions in both models
  - J2EE roles allow any combination of J2EE permissions
  - In order to simplify Access Control configuration, the WP role space is restricted: roles are created by applying an Action Set on a resource.
  - It is not possible to define a single role allowing different actions on different resources (e.g. (Modify Properties, SalesPage) and (View, ACL Portlet))

WebSphere Portal Authorization Model (cont.)

- Supported Resources
  - The J2EE model supports URLs with HTTP-specific actions and EJB methods
  - Portal supports instance-based authorization for all kinds of portal resources
- Delegated Administration
  - Portal access control protects access to the access control configuration
  - This is not supported by J2EE authorization
- Reconfiguration
  - Reconfiguration of J2EE permissions requires a restart of the J2EE entity

Page 40: Portal Admin Lecture

Role-based Access Control

Portal Resource Topology

[Diagram: tree of portal resources rooted at Portal. Nodes shown: Root Pages (Page/Component with Compositions/Components 1..n and Portlet Instances), User Groups (User Group/Community 1..N), Users (User 1..N), Portlets (Portlet Instances), Portlet Applications (Portlet Application, Portlet Group), Catalog Segments (Catalog Segment, Library Segment), URL Mapping Segments (Mapping Segment 1..n, URL Mapping 1..N), Categories (Category 1..N), Web Modules (Web Module 1..N), UDDI Registries (UDDI Registry), Remotely Accessible Portlets (Portlet Instances), Credential Vault (Vault Segment, Vault Slot), External Access Control, Settings, Event Handlers, XmlAccess, WSRP. Legend: Virtual Resource, Protected Resource, Implicitly protected resource, Propagates permissions on WMM/S membership]

Page 41: Portal Admin Lecture

ibm.com /redbooks© 2003 IBM Corporation

Role Concept (diagram)

Role = Role Definition (a permission set, e.g. Editor) + Role Assignment (to a User or User Group from the User Subsystem)
Example on the slide: role User@SalesPage = {(View, SalesPortletInstance), (View, SalesPage)}, assigned to SalesForce

Actions & Action Sets

Administrators are allowed to do everything
Security Admins are allowed to grant access on a resource to other principals
Assigners are allowed to grant access to other principals
Managers are allowed to create, edit, and delete shared resources
Editors are allowed to create and edit shared resources
Privileged Users are allowed to create private resources
Users are allowed to view portal resources

Action set / action matrix (slide table):
Action sets (columns): Administrator, Security Administrator, Assigner, Manager, Editor, Privileged User, User
Actions (rows): Grant Access On, Delegate To, Delete, Add Child, Add Private Child, Edit, Personalize, View


Role Creation & Role Inheritance

Diagram: page tree Page0 > Page1 > Page2, Page3, Page4, with Page5 further below
Explicit role assignment: Editor on Page1, created with createRole(Page1, Editor Action Set)
Inherited role: Editor on Page2, Page3, Page4 and Page5
Editor Action Set = {View, Edit, …}
Resulting role: {(View Page1), (View Page2), …, (Edit Page1), (Edit Page2), …} (not exposed to the user)
Role Domain: the subtree from the Domain Root (the node the role was created on) downwards

Inheritance Blocking

Configured by the Admin for a specific node and a specific action set (e.g. Editors)
Inheritance Flag: inherit action set permissions from the parent node
Propagation Flag: propagate action set permissions to child nodes
Blocking propagation lets editors create resources that do not carry the inherited Editor role assignment

Diagram: same page tree (Page0 > Page1 > Page2, Page3, Page4) with Page5 and Page6 as further children
Explicit role assignment: Editor on Page1; inherited role: Editor on Page2, Page3 and Page4
Inheritance Blocking: blockInheritance(Page4, Editor) stops the Editor role from being inherited at Page4 and below it
Propagation Blocking: blockPropagation(Page4, Editor) keeps Editor on Page4 but does not pass it on to its children (Page6)


Creation of Shared Resources

User creates a shared resource
The user that created the resource becomes the owner of the resource
This owner relationship grants specific permissions on the corresponding resource
Ownership can be transferred

Diagram: page tree Page0 > Page1 > Page2, Page3, Page4
Explicit role assignment: Manager on Page1; inherited role: Manager on Page2, Page3, Page4 and Page5
createSharedResource(Page4) creates Page5 below Page4; relationship: Owner

Private Resources

Users can be granted privileges to create private resources
The user that created the resource becomes the owner of the new resource
Private resources are visible only to the owner of the resource
Private resources do not inherit any roles from their ancestor nodes
Private resources are deleted explicitly by the owner or automatically when the creator is removed from the portal

Diagram: page tree Page0 > Page1 > Page2, Page3, Page4
Explicit role assignment: Privileged User on Page1; inherited role: Privileged User on Page2, Page3 and Page4
createPersonalizedResource(Page4) creates Page5 as a Private Resource below Page4; relationship: Owner
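The rules from the Role Creation & Role Inheritance, Inheritance Blocking, Creation of Shared Resources and Private Resources slides, carried through in one added example (my code, not IBM's and not the portal's own API). Assumptions: the action sets are a cumulative mapping reconstructed from the one-line descriptions on the Actions & Action Sets slide, since the slide's action matrix is not reproduced in this text; ownership is modelled as full access on the owned resource; the principals SalesForce, alice and carol are constructed; the slide's createRole, blockInheritance, blockPropagation, createSharedResource and createPersonalizedResource appear as create_role, block_inheritance, block_propagation and create_resource. resulting_role computes the slide's "Resulting role" set of (action, resource) pairs, the same expanded form the deck later writes as Editor@o1.

```python
"""Toy model of the access control slides: roles created on a node and inherited
below it, inheritance/propagation blocking, and shared/private resources with an
owner. Added example, not IBM code; the action sets below are an assumption."""
from dataclasses import dataclass, field

# Action set (role type) -> actions, assumed cumulative from the slide's descriptions.
ACTION_SETS = {
    "User": {"View"},
    "Privileged User": {"View", "Personalize", "Add Private Child"},
    "Editor": {"View", "Personalize", "Add Private Child", "Edit", "Add Child"},
    "Manager": {"View", "Personalize", "Add Private Child", "Edit", "Add Child", "Delete"},
}


@dataclass
class Resource:
    name: str
    parent: "Resource" = None
    children: list = field(default_factory=list)
    roles: dict = field(default_factory=dict)          # action set -> explicit principals
    block_inherit: set = field(default_factory=set)    # action sets not taken from the parent
    block_propagate: set = field(default_factory=set)  # action sets not passed to children
    owner: str = None
    private: bool = False


class Portal:
    def __init__(self):
        self.nodes = {"Portal": Resource("Portal")}

    def add_child(self, parent, name, owner=None, private=False):
        node = Resource(name, parent=self.nodes[parent], owner=owner, private=private)
        self.nodes[parent].children.append(node)
        self.nodes[name] = node
        return node

    def create_role(self, resource, action_set, principal):   # createRole on the slide
        self.nodes[resource].roles.setdefault(action_set, set()).add(principal)

    def block_inheritance(self, resource, action_set):        # blockInheritance
        self.nodes[resource].block_inherit.add(action_set)

    def block_propagation(self, resource, action_set):        # blockPropagation
        self.nodes[resource].block_propagate.add(action_set)

    def principals_in_role(self, resource, action_set):
        """Principals holding action_set on resource, explicitly or by inheritance."""
        node, path = self.nodes[resource], []
        while node is not None:                      # collect target .. root
            path.append(node)
            node = node.parent
        acc = set()
        for n in reversed(path):                     # replay root -> target
            if n.private or action_set in n.block_inherit:
                acc = set()                          # nothing comes down from the parent
            acc = acc | n.roles.get(action_set, set())
            if n is not path[0] and action_set in n.block_propagate:
                acc = set()                          # nothing leaves n towards its children
        return acc

    def resulting_role(self, resource, action_set):
        """(action, resource) pairs a role created here expands to (the role domain)."""
        perms = set()

        def walk(n):
            perms.update((a, n.name) for a in ACTION_SETS[action_set])
            if action_set not in n.block_propagate:
                for c in n.children:
                    if not (c.private or action_set in c.block_inherit):
                        walk(c)

        walk(self.nodes[resource])
        return perms

    def allowed(self, principal, action, resource):
        node = self.nodes[resource]
        if node.private and principal != node.owner:
            return False                             # private: visible only to its owner
        if node.owner == principal:
            return True                              # owner relationship; full access assumed
        return any(action in acts and principal in self.principals_in_role(resource, s)
                   for s, acts in ACTION_SETS.items())

    def create_resource(self, creator, parent, name, private=False):
        """createSharedResource / createPersonalizedResource: creator becomes owner."""
        needed = "Add Private Child" if private else "Add Child"
        if not self.allowed(creator, needed, parent):
            raise PermissionError(f"{creator} lacks '{needed}' on {parent}")
        return self.add_child(parent, name, owner=creator, private=private)


def build_demo():
    """Page tree from the slides: Page0 > Page1 > {Page2, Page3, Page4 > Page5}."""
    p = Portal()
    p.add_child("Portal", "Page0")
    p.add_child("Page0", "Page1")
    for name in ("Page2", "Page3", "Page4"):
        p.add_child("Page1", name)
    p.add_child("Page4", "Page5")
    p.create_role("Page1", "Editor", "SalesForce")   # createRole(Page1, Editor Action Set)
    p.create_role("Page1", "Manager", "alice")       # constructed principals
    p.create_role("Page1", "Privileged User", "carol")
    return p
```

Walking the path from the root down to the target keeps the two flags distinct: an inheritance block is applied when the walk enters a node, a propagation block when it leaves one, so blockPropagation(Page4, Editor) leaves Page4's own Editor role intact while Page5 sees nothing, whereas blockInheritance(Page4, Editor) removes it from Page4 and everything below. A private resource behaves like a node with every action set's inheritance blocked, and only its owner passes the allowed check.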


Externalization Approach

Diagram: the Portal (with its User Registry and the Portal DB holding the Portal Resource Topology, nodes o1 … o6) exports a role to Tivoli Access Manager
Editor@o1 = {(view, o1), (edit, o1), (view, o2), (edit, o2), (view, o3), (edit, o3), (view, o6), (edit, o6)}
Tivoli Access Manager holds the externalized role Editor@o1; the Portal Admin and the TAM Admin each administer their side

Assign Access to a Resource
Assign Access to a Resource (cont.)
Group is now in role…

Security Setup in V5


Setting Up Security in WebSphere Portal V5

Configuration steps required after installation
Steps vary significantly, depending on:
the user registry you select for authentication
the repository you select for WMM
the installation path you took
The InfoCenter has detailed step-by-step instructions

Administrative Commands in a Secure Portal

Application server administrative commands require a user and password once security is on
Example: stopServer
stopServer -username wasadmin -password adminpwd
The user has to be mapped to an admin role


Summary

We learned:

WebSphere Portal V5 Security changes

Authentication and Authorization

Role Based Access Control

Single Sign on with WebSphere Portal

Understanding WebSphere Portal V5 Setup


Setup / Configuration

Base Configuration:
WAS 5.0.1 Enterprise Edition
Cloudscape Database
Portal 5.0
Base Portlets
IBM HTTP Server
WebSphere Portal Content Publisher

Separate configuration / install:
LDAP Integration
Relational Database
Collaboration Center
Sametime
QuickPlace
WSSD
etc.

Using Configuration Tasks (wpsconfig.bat)

Main configuration file: <PORTAL>\config\wpconfig.properties
Action commands used by scripts: <PORTAL>\config\actions
Helper templates to reduce the configuration overhead: <PORTAL>\config\helpers
Templates used by the configuration program: <PORTAL>\config\templates
Finalized version of the configuration files: <PORTAL>\config\work


Configuration Example Results

Check <PORTAL>\config\actions\*.xml for result codes if needed
# Error conditions:
# Codes returned by underlying class:
# RC_SUCCESS = 0 # check succeeded, no error(s) to report
# RC_NO_CONNECTION = 1 # Connection to LDAP server failed. Check URL, userid/password
# RC_OBJECT_NOT_FOUND = 2 # objectDn could not be found in directory
# RC_INVALID_NAME = 3 # javax.naming.NameNotFoundException
# RC_INVALID_AUTH = 4; # javax.naming.AuthenticationException

Setup / Configuration Tips and Gotchas

Use the correct WAS Admin server (e.g. server1)
Use the Portal admin on port 9091 (e.g. http://hostname.domain:9091/admin)
Always check for “BUILD SUCCESSFUL” on config
Don’t assume wpconfig.properties is the final say: <PORTAL>\shared\app\config is the key to most configuration
Make backup copies of your wpconfig.properties file

Tracing and Logging

Setup Logs

Portal component installation problems (<PORTAL>\log):
wpinstalllog.txt, wpsinstalllog.txt, wpcpinstalllog.txt, installmessages.txt, portletinstall.txt
ConfigMessages.log, ConfigTrace.log, ConfigTraceXX.log

WebSphere Application Server / IHS:
<WAS_ROOT>\logs\log.txt, <WAS_ROOT>\logs\ihs_log.txt
wpwasfp1.txt, wppmefp1.txt

Runtime Log Files

Application Server (<WAS>\logs\appserver)

startServer.log / stopServer.log / appserver.pid

Portal Server (<PORTAL>\log)

SystemOut.log SystemErr.log

wps_timestamp.log (default) trace.log (if tracing enabled)

Configuration Logs (<PORTAL>\log)

ConfigTrace.log ConfigMessages.log

IBM HTTP Server Logs (<IHS>\logs)

access.log error.log

Tracing Options

Temporary: under the administration portlets, Portal Analysis -> Enable Tracing
Extended: <PORTAL>\shared\app\config\log.properties, traceString=parameter
parameter example: com.ibm.wps.*=all=enabled
Application Server (depends on component?): WebSphere Application Server Administration, Troubleshooting -> Logs and Traces -> WebSphere Portal

Some Common Portal Trace Strings

Logging In: com.ibm.wps.services.puma.*, com.ibm.wps.engine.command.*, com.ibm.wps.puma.*, com.ibm.wps.sso.*
Credential vaults / SSO: com.ibm.wps.sso.vaultservice.*, com.ibm.wps.sso.*, com.ibm.wps.command.credentialvault.*, com.ibm.wps.portletservice.credentialvault.*
Portal Tag Libraries: com.ibm.wps.engine.tags.*
XMLAccess: com.ibm.wps.command.xml.*

Summary

We covered:

WebSphere Portal basics

WebSphere Portal V5 enhancements

WebSphere Portal Setup, Administration, Customization and Security

Logging and Tracing

References

WebSphere Portal Product Documentation: http://www7b.software.ibm.com/wsdd/zones/portal/proddoc.html#500
WebSphere Portal V5 Infocenter: http://publib.boulder.ibm.com/pvc/wp/500/ent/en/InfoCenter/index.html
WebSphere Portal Zone: http://www7b.software.ibm.com/wsdd/zones/portal/
IBM Redbooks: http://www.ibm.com/redbooks

Q and A