
Page 1: Configuring the BPM V8 Process Server to use LDAP Federated Repository

© 2012 IBM Corporation

IBM Business Process Management

[Diagram: the four z/OS Process Servers (B1SR01, B2SR01, B3SR01, B4SR01) and the pcsr01a Process Center Server, all pointing at the LDAP Server on port 389.]

Page 2: Topics

WebSphere User ID Authentication options:
– Local OS (RACF)
– File-Based Repository
– LDAP (Tivoli Directory Services)

Why use LDAP for your Registry?
– Centralized Repository across different platforms
– More flexible naming conventions (>8 chars, special chars)

How to configure WebSphere to use LDAP (see Lab exercise)

Authorization
– Not done by LDAP
– RACF or WebSphere mapping to "Roles"

Using WebSphere Bindings for Authorization
– Security Roles mapped to Users/Groups in Application .ear files

Page 3: User Authentication in BPM:PS V8 for z/OS

Federated Repositories set up by the WpsSecurity.py script
– Configures VMM Mapping Module for Web & RMI Inbound requests
– Uses InternalFileRepository in fileRepository.xml / wmiconfig.xml
+ "RACF Bridge" (udbRACF):

Page 4: Replacing the File-Based Repository with LDAP

Configure Tivoli Directory Server (LDAP server) on zLinux, z/OS, or ….
1) ISC: Add a Federated TDS Repository pointing to LDAP Server
2) Add Users & Passwords to LDAP
3) Remove InternalFileRepository
4) Re-cycle the WAS Cell

[Diagram: Process Servers on z/OS in WSLPLEX, B1SR01 to B4SR01 (Team 1 to Team 4, 192.168.17.201 to 192.168.17.204), each still marked FBS, plus the pcsr01a Process Center Server; the Process Center LDAP Server (Repository, UDB) runs on zLinux at 192.168.17.232, wpspctr.wsclab.washington.ibm.com, port 389.]

'FBS' = File-Based Security

Page 5: Configuring LDAP

– Client Authentication: LDAP
– Using LDAP for your Registry
– Authorization Using WebSphere Bindings

Why use LDAP vs "Local OS"?
– Your users aren't already in RACF (Customers vs Employees)
– Share a common Security Repository with other Platforms
– Userids longer than 8 characters or containing special characters ('_')
  - e.g. SSN, First Name, Last Name, tw_admin (Lombardi)
– New applications using 'new' technology (Politics)

(About 25% of WebSphere for z/OS customers use LDAP.)

Page 6: User Registries and Authentication

WebSphere Relies on a User Registry for:
– Information about Users
  - Users include application clients, administrators.
  - User information (e.g. password) used for authentication.
– Information about Groups (collections of users)
  - Groups essential to efficient security administration.
  - WebSphere needs to know what group(s) a user belongs to.

LDAP does all this.

[Diagram: User Registry holding User1/Group1, User2/Group2, User3/Group3.]

Client Authentication: LDAP
Web Container can authenticate users using LDAP as the User Registry.
– Authentication method specified in application deployment descriptor.
  - Basic Authentication
  - Form Based Authentication
  - SSL Client Certificate Authentication

Page 7: Adding a TDS Repository to WebSphere Security

– Under "Related items", click "Manage repositories"
– Click "Add" to add LDAP ("Tivoli Directory Server")

ISC: Security > Global Security
– With BPM, the "Current realm definition" is set to "Federated Repositories"
  - The cell is using a file-based repository for authenticating some Ids
  - RACF for authenticating & authorizing the admin console & business apps.
– Click "Configure" to add another Security Repository

Page 8: Specifying the LDAP Server Properties

– Repository identifier: "TDS"
– Directory Type: "IBM Tivoli Directory Server"
– Primary Host name: "wg3#.washington.ibm.com"
– Port: 389
– Bind distinguished name: "uid=z7bind,cn=users,o=ATS"
– Bind password: "z7bind"
– Login props: "uid"

Click "OK", Save & Synch.

Page 9: Incorporate TDS/LDAP into Federated Repositories

– Under Repositories in the realm, click on "Add base entry to realm"
– Select "TDS" in the drop-down.
– For DN, enter "o=ATS"
– Click "OK", Save and synch.
– Click "Configure" (again) to add TDS

Page 10: Current File-Based Repository is still there . . .

The "WIMFileBasedRealm" still has the tw* userIDs defined. In the ISC, go to "Users and Groups" > Manage Users, and search for user Ids starting with "tw*"; note they still use o=defaultWIMFileBasedRealm.

Page 11: Remove the tw_ IDs from the FileBasedRepository

Remove the InternalFileRepository:
– ISC: Security > Global security > under "Repositories in the realm"
– Click on "Configure" and you will see this: Select the InternalFileRepository
– Click "Remove."

– The b6admin and other b6* IDs are defined in RACF, and
– The tw_* Ids are defined in the InternalFileRepository
(They can only exist in one or the other, not both.)

Page 12: Add the tw_ userIDs to LDAP

    ldapmodify -h wg3#.washington.ibm.com -p 389 -a \
      -D 'cn=LDAP Administrator' -w secret -f /u/user1/tw_users.ldif

Output:
– adding new entry uid=tw_admin,cn=users,o=ATS
– adding new entry uid=tw_author,cn=users,o=ATS
– adding new entry uid=tw_webservice,cn=users,o=ATS
– adding new entry uid=tw_portal_admin,cn=users,o=ATS
– adding new entry uid=tw_runtime_server,cn=users,o=ATS
– adding new entry cn=tw_admins,cn=groups,o=ATS
– adding new entry cn=tw_authors,cn=groups,o=ATS
– adding new entry cn=tw_portal_admins,cn=groups,o=ATS
– adding new entry cn=tw_allusers,cn=groups,o=ATS
– adding new entry uid=tw_user1,cn=users,o=ATS
– adding new entry cn=tw_users,cn=groups,o=ATS
– adding new entry uid=tw_manager1,cn=users,o=ATS
– adding new entry cn=tw_managers,cn=groups,o=ATS

Re-Cycle the B#Cell again to use LDAP for the tw_ IDs.
– You must restart the Dep. Manager, the NodeAgent, & all servers.
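As an added example that is not part of the deck, the following Python builds a tw_users.ldif of the kind the ldapmodify command above loads, using the deck's DN layout (uid=...,cn=users,o=ATS and cn=...,cn=groups,o=ATS); the object classes, attribute set, group membership and placeholder passwords are assumptions. It also refuses to emit a group whose member uid has no user entry, so the file never carries dangling member values.

```python
# Added example, not from the deck: generate the tw_users.ldif that the
# ldapmodify command above loads. The DN layout (uid=...,cn=users,o=ATS and
# cn=...,cn=groups,o=ATS) comes from the deck; object classes, attributes,
# group membership and the placeholder passwords are assumptions.
import base64

USERS_BASE, GROUPS_BASE = "cn=users,o=ATS", "cn=groups,o=ATS"

def ldif_attr(name, value):
    """RFC 2849: a value that is not a SAFE-STRING is written base64 as 'name:: ...'."""
    unsafe = (not value or value[0] in " :<"
              or any(ord(c) > 127 or c in "\r\n\0" for c in value))
    if unsafe:
        return f"{name}:: {base64.b64encode(value.encode()).decode()}"
    return f"{name}: {value}"

def user_dn(uid):
    return f"uid={uid},{USERS_BASE}"

def user_entry(uid, password):
    """inetOrgPerson entry; cn and sn reuse the uid because the deck lists only uids."""
    attrs = [("dn", user_dn(uid)), ("objectClass", "inetOrgPerson"), ("uid", uid),
             ("cn", uid), ("sn", uid), ("userPassword", password)]
    return "\n".join(ldif_attr(n, v) for n, v in attrs) + "\n"

def group_entry(cn, member_dns):
    """groupOfNames entry whose member values are the full user DNs."""
    attrs = [("dn", f"cn={cn},{GROUPS_BASE}"), ("objectClass", "groupOfNames"),
             ("cn", cn)] + [("member", m) for m in member_dns]
    return "\n".join(ldif_attr(n, v) for n, v in attrs) + "\n"

def dangling_members(users, groups):
    """(group, uid) pairs whose uid has no user entry, i.e. dangling member values."""
    return [(cn, uid) for cn, uids in groups.items() for uid in uids if uid not in users]

def build_ldif(users, groups):
    """users: {uid: password}; groups: {cn: [uid, ...]}. Users are emitted before
    groups so every member DN already exists when ldapmodify -a adds the group."""
    missing = dangling_members(users, groups)
    if missing:
        raise ValueError(f"group members without a user entry: {missing}")
    entries = [user_entry(uid, pw) for uid, pw in users.items()]
    entries += [group_entry(cn, [user_dn(u) for u in uids]) for cn, uids in groups.items()]
    return "\n".join(entries)

# Constructed sample: the deck's tw_ ids, assumed membership, placeholder passwords.
TW_USERS = {u: f"CHANGEME-{u}" for u in ["tw_admin", "tw_author", "tw_webservice",
            "tw_portal_admin", "tw_runtime_server", "tw_user1", "tw_manager1"]}
TW_GROUPS = {"tw_admins": ["tw_admin"], "tw_authors": ["tw_author"],
             "tw_portal_admins": ["tw_portal_admin"], "tw_users": ["tw_user1"],
             "tw_managers": ["tw_manager1"], "tw_allusers": list(TW_USERS)}

if __name__ == "__main__":
    print(build_ldif(TW_USERS, TW_GROUPS))
```

Redirect the printed text to tw_users.ldif and load it with the ldapmodify command shown above; the CHANGEME passwords must be replaced first.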

Page 13: Display Users in LDAP with an LDAP Browser

Launch JXplorer on your workstation from Start > Programs > JXplorer. Connect to the LDAP server with these parameters:
– Host: wg31.washington.ibm.com
– Port: 389
– Protocol: LDAP v3
– DSML Service: leave blank
– Base DN: o=ATS
– Level: User + Password
– User DN: cn=LDAP Administrator
– Password: secret

Click the Save button as WG3#.

Page 14: LDAP Browser display

You can now see the tw_ userIDs:

Page 15: Verify the tw_ users are in the LDAP Registry

Log in to the ISC, click "Users and Groups" > "Manage Users" and filter on tw* to see which repositories are managing them. They should be in LDAP (o=ATS) as seen here:

Page 16: Authorization with WebSphere Bindings

ALL Role info is stored in the Application's .ear file.
– What roles are associated with the application.
– Which users and groups have which roles

Roles could be managed by
– the application developer,
– the application deployer,
– the WebSphere administrator,
– the User Registry administrator.

Configure WebSphere to use LDAP as the user registry. Configure WebSphere to use Built-in Authorization.
– Security > Global security > External authorization providers > Select Built-in Authorization.

WebSphere will authorize with info in the application's xml files. RACF is not involved at all.

Page 17: LDAP Authentication & Bindings Authorization

[Diagram: Authentication: the WebSphere Application Server authenticates the user against the LDAP User Registry and finds out what groups the user belongs to (LDAP User and Group Info). Authorization: it then consults the Application's .ear File, which records which LDAP Users and Groups have which Roles, to decide whether the user has the Role(s) Required by the Application.]

Page 18: Using WebSphere Bindings for Authorization

In order for WebSphere to use LDAP for authentication and WebSphere Bindings for authorization:
– Configure WebSphere to use LDAP as the user registry.
– Configure WebSphere to use Built-in Authorization.
  - Security > Global security > External authorization providers > Select Built-in Authorization.
– WebSphere will look for Authorization info in the installed application's xml files.

Page 19: Location of Bindings Info

In the .ear file:
– Role names are declared in the application.xml file.
– Role names are also declared in the web.xml file in the .war file.
– User/Group authorizations are located in ibm-application-bnd.xmi.

These files become part of the installed application in WebSphere, which uses them for authorization decisions.

Page 20: Managing Bindings

Three opportunities for defining or modifying bindings:
1) In the .ear file, before application deployment, using RAD or IID
2) At application deployment time (in the ISC), or . . .
3) After the application has been deployed in the ISC:
   – These are 'temporary' changes.
   - The deployed app will be different from the .ear file.
   - If you deploy the .ear file again, it will overlay any bindings changes in the installed app.

Page 21: Security role to user/group mapping

Bindings set in the .ear file at Deployment time. Review or modify in:
ISC: Applications > Enterprise Applications > [application] > Security role to user/group mapping

Page 22: What About the Admin Console?

● The Admin Console is a Java EE application.
● It uses role based authorization.
● administrator, operator, configurator, etc.
● If you configure WebSphere to use Built-in Authorization (bindings), you will manage administrative security through the Admin Console.

Page 23: Managing Admin Role Bindings

Users and Groups > Administrative User Roles or
Users and Groups > Administrative Group Roles

[Screenshot callouts: Select; Click Add]

Page 24: Worth remembering...

If you are using Built-in Authorization...
– Manage Admin Roles using:
  - Users and Groups --> Administrative User Roles
  - Users and Groups --> Administrative Group Roles

If you are using SAF Authorization...
– Manage Admin Roles using EJBROLE resources in your SAF security product.

Page 25: Suggestions on Configuring for LDAP

Set up your cell using SAF security first
– This will ensure that your RACF profiles and certificates are set up correctly.

Switch to LDAP registry.
– Use RACF as a fallback if necessary.

Page 26: Suggestions on Managing Bindings

Use descriptive role names.
– Including the app name in the role name makes it unique.

Manage security by groups whenever possible.
– For each role create a corresponding group in the registry
– In the .ear file, give the group permission to the role.
– Put users in appropriate groups in the user registry.

Work to manage security from the user registry. Work to minimize bindings changes. Decide how you will manage bindings changes.
– In the .ear file?
– At install time?
– After install time?

Decide who is responsible for ensuring that your security policy is enforced.
– Developer? Deployer? Administrator?
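The checks behind these suggestions, applied to the bindings files named on page 19, as an added Python example that is not IBM's code: it reads a constructed application.xml and ibm-application-bnd.xmi and flags roles mapped to individual users or to Everyone, roles with no group, roles bound but never declared, and roles declared but never mapped. The element and attribute layout of the two files (security-role ids in application.xml, authorizations with a role href plus groups/users/specialSubjects in the .xmi) is assumed from how WebSphere stores bindings.

```python
# Added example, not IBM's code: review an EAR's security-role bindings before
# deployment. Assumes application.xml declares security-role/role-name with an id
# and ibm-application-bnd.xmi maps each role (href into application.xml) to groups,
# users or specialSubjects. Both sample documents below are constructed.
import xml.etree.ElementTree as ET
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

APPLICATION_XML = """<application id="Application_ID" version="5"
    xmlns="http://java.sun.com/xml/ns/javaee">
  <security-role id="SecurityRole_1"><role-name>TeamApp_Admin</role-name></security-role>
  <security-role id="SecurityRole_2"><role-name>TeamApp_User</role-name></security-role>
  <security-role id="SecurityRole_3"><role-name>TeamApp_Auditor</role-name></security-role>
</application>"""

IBM_APPLICATION_BND = """<applicationbnd:ApplicationBinding xmlns:xmi="http://www.omg.org/XMI"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:applicationbnd="applicationbnd.xmi">
  <authorizationTable>
    <authorizations><role href="META-INF/application.xml#SecurityRole_1"/>
      <groups name="tw_admins"/></authorizations>
    <authorizations><role href="META-INF/application.xml#SecurityRole_2"/>
      <users name="tw_user1"/>
      <specialSubjects xsi:type="applicationbnd:Everyone" name="Everyone"/></authorizations>
  </authorizationTable>
</applicationbnd:ApplicationBinding>"""

def declared_roles(application_xml):
    """Return {security-role id: role-name} from application.xml."""
    roles = {}
    for elem in ET.fromstring(application_xml).iter():
        if elem.tag.endswith("security-role"):
            roles[elem.get("id")] = elem.find("{*}role-name").text
    return roles

def review_bindings(application_xml, bnd_xmi):
    """Return findings a deployer should resolve before installing the EAR."""
    roles = declared_roles(application_xml)
    findings, mapped = [], set()
    for auth in ET.fromstring(bnd_xmi).iter("authorizations"):
        role_id = auth.find("role").get("href").split("#", 1)[1]
        name = roles.get(role_id)
        if name is None:  # binding points at a role the descriptor no longer declares
            findings.append(f"{role_id}: bound but not declared in application.xml")
            continue
        mapped.add(name)
        if not auth.findall("groups"):  # deck's advice: one group per role
            findings.append(f"{name}: no group mapped; manage this role by group")
        for user in auth.findall("users"):  # direct user grants mean redeploys on staff changes
            findings.append(f"{name}: mapped directly to user {user.get('name')}")
        for subj in auth.findall("specialSubjects"):
            if subj.get(XSI_TYPE, "").endswith("Everyone"):  # unauthenticated access
                findings.append(f"{name}: granted to Everyone")
    for name in roles.values():
        if name not in mapped:  # declared role nobody holds
            findings.append(f"{name}: declared but never mapped")
    return findings
```

Run review_bindings on the META-INF files extracted from a real EAR to get the list of findings; an empty list means every role is declared, mapped, and held by a group.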

Page 27: LDAP and Bindings Summary

Bindings are used by WebSphere to determine if a user has the authority to run the application.

Properly set up, security administration with bindings is as easy as connecting users to groups.

Improperly set up, lots of application redeployments and interruptions are possible.

Advance planning will be worth the effort.

Page 28: Optional Lab to Use LDAP Federated Repository

See the LDAP Lab handout: