© 2012 IBM Corporation
IBM Business Process Management
1
Configuring the BMP V8 Process Server to use LDAP Federated Repository
[Diagram: four Process Servers on z/OS (B1SR01, B2SR01, B3SR01, B4SR01) and the Process Center server pcsr01a, all pointing at one LDAP Server on port 389]
Topics
WebSphere User ID Authentication options:
– Local OS (RACF)
– File-Based Repository
– LDAP (Tivoli Directory Server)
Why use LDAP for your Registry?
– Centralized Repository across different platforms
– More flexible naming conventions (>8 chars, special chars)
How to configure WebSphere to use LDAP (see Lab exercise)
Authorization
– Not done by LDAP
– RACF or WebSphere mapping to “Roles”
Using WebSphere Bindings for Authorization
– Security Roles mapped to Users/Groups in Application .ear files
User Authentication in BPM:PS V8 for z/OS
Federated Repositories set up by the WpsSecurity.py script
– Configures VMM Mapping Module for Web & RMI Inbound requests
– Uses InternalFileRepository in fileRepository.xml / wimconfig.xml
+ “RACF Bridge” (udbRACF):
Replacing the FileBased Repository with LDAP
Configure Tivoli Directory Server (LDAP server) on zLinux, z/OS, or ….
1) ISC: Add a Federated TDS Repository pointing to LDAP Server
2) Add Users & Passwords to LDAP
3) Remove InternalFileRepository
4) Re-cycle the WAS Cell
[Diagram: Process Servers on z/OS in WSLPLEX, one per team (Team 1 to Team 4; B1SR01, B2SR01, B3SR01, B4SR01; 192.168.17.201 to 192.168.17.204), each marked FBS; the Process Center server pcsr01a on zLinux (192.168.17.232, wpspctr.wsclab.washington.ibm.com) with its UDB Repository; all of them pointing at the Process Center LDAP Server on Port 389]
'FBS' = File-Based Security
Configuring LDAP
Client Authentication: LDAP
Using LDAP for your Registry
Authorization Using WebSphere Bindings
Why use LDAP vs “Local OS”?
– Your users aren't already in RACF (Customers vs Employees)
– Share a common Security Repository with other Platforms
– Userids longer than 8 characters or containing special characters ('_')
- e.g. SSN, First Name, Last Name, tw_admin (Lombardi)
– New applications using 'new' technology (Politics)
(About 25% of WebSphere for z/OS customers use LDAP.)
User Registries and Authentication
WebSphere Relies on a User Registry for:
– Information about Users
- Users include application clients, administrators.
- User information (e.g. password) used for authentication.
– Information about Groups (collections of users)
- Groups essential to efficient security administration.
- WebSphere needs to know what group(s) a user belongs to.
LDAP does all this.
[Diagram: a User Registry holding User1/Group1, User2/Group2, User3/Group3]
Client Authentication: LDAP
Web Container can authenticate users using LDAP as the User Registry.
– Authentication method specified in application deployment descriptor.
- Basic Authentication
- Form Based Authentication
- SSL Client Certificate Authentication
Adding a TDS Repository to WebSphere Security
ISC: Security > Global security
– With BPM, the "Current realm definition" is set to "Federated Repositories"
- The cell is using a file-based repository for authenticating some Ids
- RACF for authenticating & authorizing the admin console & business apps.
– Click “Configure” to add another Security Repository
– Under "Related items", click "Manage repositories"
– Click "Add" to add LDAP ("Tivoli Directory Server")
Specifying the LDAP Server Properties
– Repository identifier: "TDS"
– Directory Type: "IBM Tivoli Directory Server"
– Primary Host name: "wg3#.washington.ibm.com"
– Port: 389
– Bind distinguished name: "uid=z7bind,cn=users,o=ATS"
– Bind password: "z7bind"
– Login props: "uid"
Click “OK”, then Save & Synch.
Incorporate TDS/LDAP into Federated Repositories
– Click “Configure” (again) to add TDS
– Under Repositories in the realm, click on "Add base entry to realm"
– Select "TDS" in the drop-down.
– For DN, enter "o=ATS"
– Click "OK", Save and synch.
Current File-Based Repository is still there . . .
The “WIMFileBasedRealm” still has the tw* userIDs defined. In the ISC, go to “Users and Groups” > Manage Users, and search for user Ids starting with “tw*”; note they still use o=defaultWIMFileBasedRealm.
Remove the tw_ IDs from the FileBasedRepository
– The b6admin and other b6* IDs are defined in RACF, and
– The tw_* Ids are defined in the InternalFileRepository
(They can only exist in one or the other – Not both.)
Remove the InternalFileRepository
– ISC: Security > Global security > under "Repositories in the realm"
– Click on "Configure" and you will see this: Select the InternalFileRepository
– Click "Remove."
Add the tw_ userIDs to LDAP
ldapmodify -h wg3#.washington.ibm.com -p 389 -a \
  -D 'cn=LDAP Administrator' -w secret -f /u/user1/tw_users.ldif
– adding new entry uid=tw_admin,cn=users,o=ATS
– adding new entry uid=tw_author,cn=users,o=ATS
– adding new entry uid=tw_webservice,cn=users,o=ATS
– adding new entry uid=tw_portal_admin,cn=users,o=ATS
– adding new entry uid=tw_runtime_server,cn=users,o=ATS
– adding new entry cn=tw_admins,cn=groups,o=ATS
– adding new entry cn=tw_authors,cn=groups,o=ATS
– adding new entry cn=tw_portal_admins,cn=groups,o=ATS
– adding new entry cn=tw_allusers,cn=groups,o=ATS
– adding new entry uid=tw_user1,cn=users,o=ATS
– adding new entry cn=tw_users,cn=groups,o=ATS
– adding new entry uid=tw_manager1,cn=users,o=ATS
– adding new entry cn=tw_managers,cn=groups,o=ATS
Re-Cycle the B#Cell again to use LDAP for the tw_ IDs
– You must Restart the Dep. Manager, the NodeAgent, & all servers.
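The following Python script is added here as a worked example; it is not part of the original lab material. It builds a tw_users.ldif of the kind fed to the ldapmodify command above. Only the DNs come from the slide; the object classes (inetOrgPerson for users, groupOfNames for groups), the group memberships and the generated passwords are assumptions. Passwords are written as {SSHA} hashes rather than cleartext, so the LDIF can sit in a home directory or a repository without exposing credentials; whether a given TDS release accepts pre-hashed userPassword values on import depends on its password policy configuration and should be verified before relying on it. Note also that the command above passes the directory administrator password on the command line (-w secret) and uses plain LDAP on port 389, so both the bind and the newly loaded passwords cross the network unencrypted; outside a lab, use LDAPS and let the client prompt for the bind password.

```python
"""Generate tw_users.ldif for 'ldapmodify -a' with {SSHA}-hashed passwords.

Added example: only the DNs are taken from the slide; object classes, group
memberships and passwords are assumptions made for this script.
"""
import base64
import hashlib
import os
import secrets
import sys

USERS_BASE = "cn=users,o=ATS"
GROUPS_BASE = "cn=groups,o=ATS"

# Users as listed in the ldapmodify output on the slide.
TW_USERS = ["tw_admin", "tw_author", "tw_webservice", "tw_portal_admin",
            "tw_runtime_server", "tw_user1", "tw_manager1"]
# Group names from the slide; the memberships are an assumption.
TW_GROUPS = {
    "tw_admins": ["tw_admin"],
    "tw_authors": ["tw_author"],
    "tw_portal_admins": ["tw_portal_admin"],
    "tw_allusers": TW_USERS,
    "tw_users": ["tw_user1"],
    "tw_managers": ["tw_manager1"],
}


def ssha(password, salt=None):
    """RFC 2307 style {SSHA}: base64(sha1(password || salt) || salt), 8-byte salt."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a {SSHA} value: first 20 bytes are the SHA-1, rest is salt."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def build_ldif(users, groups, passwords):
    """Return LDIF text: user entries first, then groupOfNames groups referring to them."""
    unknown = {m for members in groups.values() for m in members} - set(users)
    if unknown:
        raise ValueError(f"group members not in user list: {sorted(unknown)}")
    missing = set(users) - set(passwords)
    if missing:
        raise ValueError(f"no password for: {sorted(missing)}")
    lines = []
    for uid in users:
        lines += [f"dn: uid={uid},{USERS_BASE}",
                  "objectClass: inetOrgPerson",          # assumed user schema
                  f"uid: {uid}", f"cn: {uid}", f"sn: {uid}",
                  f"userPassword: {ssha(passwords[uid])}", ""]
    for cn, members in groups.items():
        lines += [f"dn: cn={cn},{GROUPS_BASE}", "objectClass: groupOfNames", f"cn: {cn}"]
        # groupOfNames requires at least one member, so every group above has one.
        lines += [f"member: uid={m},{USERS_BASE}" for m in members]
        lines.append("")
    return "\n".join(lines)


def ldif_dns(ldif_text):
    """DNs in an LDIF, in order; compare with ldapmodify's 'adding new entry' lines."""
    return [line[len("dn: "):] for line in ldif_text.splitlines() if line.startswith("dn: ")]


if __name__ == "__main__":
    # Initial passwords are generated at build time instead of hard-coded;
    # they go to stderr, the LDIF to stdout (redirect it to /u/user1/tw_users.ldif).
    pw = {uid: secrets.token_urlsafe(12) for uid in TW_USERS}
    sys.stdout.write(build_ldif(TW_USERS, TW_GROUPS, pw))
    for uid, p in pw.items():
        sys.stderr.write(f"{uid}\t{p}\n")
```

The generated file contains exactly the thirteen DNs the ldapmodify output lists (seven users, six groups); ldif_dns() is there so the list can be diffed against that output after the load.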
Display Users with an LDAP Browser
Launch JXplorer on your workstation from Start > Programs > JXplorer and connect to the LDAP server with these parameters:
– Host: wg31.washington.ibm.com
– Port: 389
– Protocol: LDAP v3
– DSML Service: leave blank
– Base DN: o=ATS
– Level: User + Password
– User DN: cn=LDAP Administrator
– Password: secret
Click the Save button to save the connection as WG3#.
LDAP Browser display
You can now see the tw_ userIDs:
Verify tw_ users to be in LDAP Registry
Log in to the ISC, click “Users and Groups” > “Manage Users” and filter on tw* to see which repositories are managing them. They should be in LDAP (o=ATS) as seen here:
Authorization with WebSphere Bindings
ALL Role info is stored in the Application's .ear file.
– What roles are associated with the application.
– Which users and groups have which roles
Roles could be managed by
– the application developer,
– the application deployer,
– the WebSphere administrator,
– the User Registry administrator.
Configure WebSphere to use LDAP as the user registry. Configure WebSphere to use Built-in Authorization.
– Security > Global security > External authorization providers > Select Built-in Authorization.
WebSphere will Authorize with info in the application's xml files. RACF is not involved at all.
LDAP Authentication & Bindings Authorization
[Diagram: the WebSphere Application Server first authenticates the user against the LDAP User Registry and finds out what groups the user belongs to (Authentication: LDAP User and Group Info). It then consults the Application's .ear File, which records which LDAP Users and Groups have which Roles and the Role(s) Required by the Application, to answer: does the user have the role necessary to run the app? (Authorization)]
Using WebSphere Bindings for Authorization
In order for WebSphere to use LDAP for authentication and WebSphere Bindings for authorization:
– Configure WebSphere to use LDAP as the user registry.
– Configure WebSphere to use Built-in Authorization.
- Security > Global security > External authorization providers > Select Built-in Authorization.
– WebSphere will look for Authorization info in the installed application's xml files.
Location of Bindings Info
In the .ear file:
– Role names are declared in the application.xml file.
– Role names are also declared in the web.xml file in the .war file.
– User/Group authorizations are located in ibm-application-bnd.xmi.
These files become part of the installed application in WebSphere, which uses them for authorization decisions.
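Added example, not code from the page or from IBM: a Python script that reads the two files named above (a constructed META-INF/application.xml and ibm-application-bnd.xmi, modelled on the WebSphere formats) and performs the decision the LDAP Authentication & Bindings Authorization diagram draws: given a user name and the groups LDAP returned for it, is the user bound to the role the application requires? It also lints the bindings for two things a deployer wants caught before install: roles declared in application.xml with no binding at all (nobody can reach them until the bindings are edited after deployment, and a redeploy of the .ear overwrites that edit), and roles bound to individual users instead of groups. The application name, role names, element ids and the tw_ user/group names are constructed for the example; AllAuthenticatedUsers and Everyone are WebSphere's special subjects.

```python
"""Resolve WebSphere 'bindings' authorization from the .ear descriptors:
application.xml declares the roles, ibm-application-bnd.xmi maps users,
groups and special subjects to them, and the registry (LDAP) supplies the
user's group list at authentication time.  Added example; sample files below
are constructed, not taken from a real application."""
import xml.etree.ElementTree as ET

XMI = "{http://www.omg.org/XMI}"

# Constructed META-INF/application.xml: three roles declared.
APPLICATION_XML = """<?xml version="1.0" encoding="UTF-8"?>
<application xmlns="http://java.sun.com/xml/ns/javaee" version="5" id="Application_ID">
  <display-name>TeamApp</display-name>
  <module id="WebModule_1"><web><web-uri>TeamApp.war</web-uri><context-root>/teamapp</context-root></web></module>
  <security-role id="SecurityRole_1"><role-name>TeamApp_Admin</role-name></security-role>
  <security-role id="SecurityRole_2"><role-name>TeamApp_User</role-name></security-role>
  <security-role id="SecurityRole_3"><role-name>TeamApp_Auditor</role-name></security-role>
</application>"""

# Constructed META-INF/ibm-application-bnd.xmi: one role bound to a group, one to
# AllAuthenticatedUsers plus an individual user, and TeamApp_Auditor left unbound.
BND_XMI = """<?xml version="1.0" encoding="UTF-8"?>
<applicationbnd:ApplicationBinding xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
    xmlns:applicationbnd="applicationbnd.xmi" xmi:id="ApplicationBinding_1">
  <authorizationTable xmi:id="AuthorizationTable_1">
    <authorizations xmi:id="RoleAssignment_1">
      <groups xmi:id="Group_1" name="tw_admins"/>
      <role href="META-INF/application.xml#SecurityRole_1"/>
    </authorizations>
    <authorizations xmi:id="RoleAssignment_2">
      <specialSubjects xmi:type="applicationbnd:AllAuthenticatedUsers" name="AllAuthenticatedUsers"/>
      <users xmi:id="User_1" name="tw_user1"/>
      <role href="META-INF/application.xml#SecurityRole_2"/>
    </authorizations>
  </authorizationTable>
  <application href="META-INF/application.xml#Application_ID"/>
</applicationbnd:ApplicationBinding>"""


def _local(tag):
    """Strip an XML namespace prefix of the form {uri}name."""
    return tag.rsplit("}", 1)[-1]


def declared_roles(application_xml):
    """Map security-role id -> role-name from application.xml."""
    roles = {}
    for el in ET.fromstring(application_xml).iter():
        if _local(el.tag) == "security-role":
            roles[el.get("id")] = next(c.text.strip() for c in el if _local(c.tag) == "role-name")
    return roles


def role_bindings(bnd_xmi, roles):
    """Map role-name -> {'users', 'groups', 'special'} sets from ibm-application-bnd.xmi."""
    bindings = {name: {"users": set(), "groups": set(), "special": set()} for name in roles.values()}
    for auth in ET.fromstring(bnd_xmi).iter("authorizations"):
        role_id = auth.find("role").get("href").split("#", 1)[1]
        if role_id not in roles:
            raise ValueError(f"binding refers to undeclared role id {role_id}")
        target = bindings[roles[role_id]]
        for child in auth:
            kind = _local(child.tag)
            if kind == "users":
                target["users"].add(child.get("name"))
            elif kind == "groups":
                target["groups"].add(child.get("name"))
            elif kind == "specialSubjects":
                target["special"].add(child.get(XMI + "type").split(":")[-1])
    return bindings


def is_authorized(bindings, role, user, groups, authenticated=True):
    """The decision: the user, one of its registry groups, or a special subject must be bound to the role."""
    b = bindings.get(role)
    if b is None:                       # role not declared by the application
        return False
    if "Everyone" in b["special"]:
        return True
    if not authenticated:
        return False
    if "AllAuthenticatedUsers" in b["special"]:
        return True
    return user in b["users"] or bool(b["groups"] & set(groups))


def lint_bindings(bindings):
    """Findings to fix in the .ear before install: unbound roles and user-level bindings."""
    findings = []
    for role, b in bindings.items():
        if not (b["users"] or b["groups"] or b["special"]):
            findings.append(f"{role}: no binding; unusable until bindings are edited in the ISC")
        for u in sorted(b["users"]):
            findings.append(f"{role}: bound to individual user {u}; prefer a registry group")
    return findings


if __name__ == "__main__":
    roles = declared_roles(APPLICATION_XML)
    bindings = role_bindings(BND_XMI, roles)
    # The group list is what LDAP would return for tw_admin after authentication.
    print(is_authorized(bindings, "TeamApp_Admin", "tw_admin", ["tw_admins", "tw_allusers"]))
    for finding in lint_bindings(bindings):
        print(finding)
```

Run as-is it prints True for tw_admin (member of tw_admins) and two lint findings, one for the unbound TeamApp_Auditor role and one for the user-level binding of tw_user1. The group list passed to is_authorized() is the piece that comes from the registry, which is why moving users between groups in LDAP changes the outcome without touching the .ear.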
Managing Bindings
Three opportunities for defining or modifying bindings:
1) In the .ear file, before application deployment, using RAD or IID
2) At application deployment time (in the ISC), or . . .
3) After the application has been deployed in the ISC:
– These are 'temporary' changes.
- The deployed app will be different from the .ear file.
- If you deploy the .ear file again, it will overlay any bindings changes in the installed app.
Security role to user/group mapping
Bindings set in the .ear file at Deployment time. Review or modify in:
ISC: Applications > Enterprise Applications > [application] > Security role to user/group mapping
What About the Admin Console?
● The Admin Console is a Java EE application.
● It uses role based authorization: administrator, operator, configurator, etc.
● If you configure WebSphere to use Built-in Authorization (bindings), you will manage administrative security through the Admin Console.
Managing Admin Role Bindings
Users and Groups > Administrative User Roles, or
Users and Groups > Administrative Group Roles
[Screenshot: select the role, then click Add]
Worth remembering...
If you are using Built-in Authorization...
– Manage Admin Roles using:
- Users and Groups --> Administrative User Roles
- Users and Groups --> Administrative Group Roles
If you are using SAF Authorization...
– Manage Admin Roles using EJBROLE resources in your SAF security product.
Suggestions on Configuring for LDAP
Set up your cell using SAF security first.
– This will ensure that your RACF profiles and certificates are set up correctly.
Switch to LDAP registry.
– Use RACF as a fallback if necessary.
Suggestions on Managing Bindings
Use descriptive role names.
– Including the app name in the role name makes it unique.
Manage security by groups whenever possible.
– For each role create a corresponding group in the registry
– In the .ear file, give the group permission to the role.
– Put users in appropriate groups in the user registry.
Work to manage security from the user registry. Work to minimize bindings changes. Decide how you will manage bindings changes.
– In the .ear file?
– At install time?
– After install time?
Decide who is responsible for ensuring that your security policy is enforced.
– Developer? Deployer? Administrator?
LDAP and Bindings Summary
Bindings are used by WebSphere to determine if a user has the authority to run the application.
Properly set up, security administration with bindings is as easy as connecting users to groups.
Improperly set up, lots of application redeployments and interruptions are possible.
Advance planning will be worth the effort.
Optional Lab to Use LDAP Federated Repository
See the LDAP Lab handout: