r5 - 2022-03-15 - 17:17:12 - ShubjitNaik
---+!! Configuring Federated LDAP registries for Jazz Applications on !WebSphere Liberty Profile

Authors: Main.ShubjitNaik %BR%
Build basis: IBM Collaborative Lifecycle Management 6.0.1 and higher

%TOC{title="Page contents"}%

*Federation of user registries on !WebSphere Liberty* %BR%
!WebSphere Application Server Liberty Profile allows multiple user registries to be federated. Registry federation is used when user and group information is spread across several registries: for example, in two different LDAP servers, in two subtrees of the same LDAP server, in a file, or in the user accounts of a system. The information might even be in a custom user data repository. With the registries federated, you can search and use this distributed user information in a unified manner, as if it were held in a single store, and Liberty uses that unified view for the authentication and authorization of users.

There are two parts to setting up federated user registries for CLM:
   * Configuring the !WebSphere Liberty Profiles hosting Jazz Applications with Federated Registries
   * Configuring CLM to import users from multiple user registries

---++ Scenarios
   * Configuring Federated Registries on a departmental / single server topology
   * Configuring Federated Registries on a distributed setup
   * Federating an LDAP registry with a Basic User Registry

---++ Enable federated registries in Liberty

---+++ Including features to support Federated Registries
   * Enable the Liberty Profile to support Federated Registries
   * Edit =Jazz_App_install_dir/server/liberty/servers/clm/server.xml= and include the following in the list of features
<verbatim>
<feature>appSecurity-2.0</feature>
<feature>servlet-3.0</feature>
<feature>ldapRegistry-3.0</feature>
</verbatim>
   * On a distributed setup, configure each Liberty Profile hosting a Jazz Application with the same features

---+++ Federate two or more LDAP registries
   * First ensure that the group names planned to be used with Jazz are unique across all user registries (example: !JazzAdmin_host1, !JazzAdmin_Host2)
   * Ensure the =ldapUserRegistry.xml= include is enabled in =Jazz_App_install_dir/server/liberty/servers/clm/server.xml=
<verbatim>
<include location="conf/ldapUserRegistry.xml"/>
</verbatim>
   * Edit =Jazz_App_install_dir/server/liberty/servers/clm/conf/ldapUserRegistry.xml= and modify it to match your environment
   * A few examples from different federated LDAP environments (Microsoft Active Directory and !ApacheDS) are included below to help guide the configuration. Because the filters are XML attribute values, the =&= in each LDAP filter is written as =&amp;= in the file.

---++++ Microsoft Active Directory
<verbatim>
<server>
    <ldapRegistry ldapType="Microsoft Active Directory"
        baseDN="CN=Users,DC=HOST1,DC=com"
        bindDN="CN=CLM Admin,CN=Users,DC=HOST1,DC=com"
        bindPassword="********"
        host="ldapserver1" id="ldapserver1:389" port="389" realm="ldapserver1:389"
        ignoreCase="true" recursiveSearch="true" referal="follow" sslEnabled="false">
        <activedFilters
            userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
            groupFilter="(&amp;(cn=%v)(objectcategory=group))"
            userIdMap="user:sAMAccountName"
            groupIdMap="*:cn"
            groupMemberIdMap="memberOf:member">
        </activedFilters>
    </ldapRegistry>
    <ldapRegistry ldapType="Microsoft Active Directory"
        baseDN="CN=Users,DC=HOST2,DC=com"
        bindDN="CN=CLM Admin,CN=Users,DC=HOST2,DC=com"
        bindPassword="********"
        host="ldapserver2" id="ldapserver2:389" port="389" realm="ldapserver2:389"
        ignoreCase="true" recursiveSearch="true" referal="follow" sslEnabled="false">
        <activedFilters
            userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
            groupFilter="(&amp;(cn=%v)(objectcategory=group))"
            userIdMap="user:sAMAccountName"
            groupIdMap="*:cn"
            groupMemberIdMap="memberOf:member">
        </activedFilters>
    </ldapRegistry>
</server>
</verbatim>

---++++ !ApacheDS
<verbatim>
<server>
    <ldapRegistry ldapType="Custom"
        baseDN="dc=clm,dc=com"
        host="ldapserver1" id="ldapserver1:10389" port="10389" realm="ldapserver1:10389"
        ignoreCase="true" recursiveSearch="true" referal="follow" sslEnabled="false">
        <customFilters
            groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfUniqueNames)(objectclass=posixGroup)))"
            groupIdMap="*:cn"
            groupMemberIdMap="groupOfUniqueNames:uniquemember"
            userFilter="(&amp;(uid=%v)(objectclass=inetOrgPerson))"
            userIdMap="*:uid">
        </customFilters>
    </ldapRegistry>
    <ldapRegistry ldapType="Custom"
        baseDN="dc=example,dc=com"
        host="ldapserver2" id="ldapserver2:10389" port="10389" realm="ldapserver2:10389"
        ignoreCase="true" recursiveSearch="true" referal="follow" sslEnabled="false"
        timestampFormat="yyyyMMddHHmmss.SSSSSSZ">
        <customFilters
            groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfUniqueNames)(objectclass=posixGroup)))"
            groupIdMap="*:cn"
            groupMemberIdMap="groupOfUniqueNames:uniquemember"
            userFilter="(&amp;(uid=%v)(objectclass=inetOrgPerson))"
            userIdMap="*:uid">
        </customFilters>
    </ldapRegistry>
</server>
</verbatim>
%BR%
   * The above example is from an !ApacheDS server set up with anonymous authentication. Include the =bindDN= if necessary.

---+++ LDAP registry federated with a Basic registry
   * First ensure that the group names planned to be used with Jazz are unique across the LDAP and Basic user registries (example: !JazzAdmin_host1, !JazzAdmin_Host2)
   * Ensure the =ldapUserRegistry.xml= and =basicUserRegistry.xml= includes are enabled in =Jazz_App_install_dir/server/liberty/servers/clm/server.xml=
<verbatim>
<include location="conf/basicUserRegistry.xml"/>
<include location="conf/ldapUserRegistry.xml"/>
</verbatim>
   * Edit =Jazz_App_install_dir/server/liberty/servers/clm/conf/ldapUserRegistry.xml= and modify it to match your environment; you can federate several LDAP registries here as in the example above
   * Edit =Jazz_App_install_dir/server/liberty/servers/clm/conf/basicUserRegistry.xml= and include users and groups as required
<verbatim>
<server>
    <basicRegistry id="Jazz" realm="Jazz">
        <user name="ADMIN" password="{xor}HhsSFhE="/>
        <user name="bclmadmin" password="{xor}Lz4sLCgwLTtsbW5rag=="/>
        <user name="bclmuser" password="{xor}Lz4sLCgwLTs="/>
        <group name="BJazzAdmins">
            <member name="ADMIN"/>
            <member name="bclmadmin"/>
        </group>
        <group name="BJazzProjectAdmins">
            <member name="bclmadmin"/>
        </group>
        <group name="BJazzGuests">
            <member name="bclmadmin"/>
        </group>
        <group name="BJazzUsers">
            <member name="bclmuser"/>
        </group>
    </basicRegistry>
</server>
</verbatim>
   * You can either enter plain text passwords or encode them using the securityUtility

---+++ Encrypt Passwords
   * To encode passwords, run the script =Jazz_App_install_dir/server/liberty/wlp/bin/securityUtility=
   * To run the securityUtility script, use the following syntax, where _userPassword_ is the password to encode:
<verbatim>
$ securityUtility encode userPassword
</verbatim>
   * After the script completes, copy the output to the =password= attribute of the user ID (or to =bindPassword=)

---+++ Group to Role Mappings
   * Map groups to the respective Jazz roles
   * Edit =Jazz_App_install_dir/server/liberty/servers/clm/conf/application.xml= and modify the group mapping for jts.war, ccm.war and qm.war
<verbatim>
<application id="jts" location="${server.config.dir}/apps/jts.war" name="jts" type="war">
    <application-bnd>
        <security-role name="JazzAdmins">
            <group name="JazzAdmins_Host1"/>
            <group name="JazzAdmins_Host2"/>
            <group name="JazzAdmins_Basic"/>
        </security-role>
        <security-role name="JazzProjectAdmins">
            <group name="JazzProjectAdmins_Host1"/>
            <group name="JazzProjectAdmins_Host2"/>
            <group name="JazzProjectAdmins_Basic"/>
        </security-role>
        <security-role name="JazzUsers">
            <group name="JazzUsers_Host1"/>
            <group name="JazzUsers_Host2"/>
            <group name="JazzUsers_Basic"/>
        </security-role>
        <security-role name="JazzGuests">
            <group name="JazzGuests_Host1"/>
            <group name="JazzGuests_Host2"/>
            <group name="JazzGuests_Basic"/>
        </security-role>
    </application-bnd>
</application>
</verbatim>

---+++ Liberty server administration
   * Include the users/groups for Liberty server administration
   * These users/groups will be able to access the Liberty server administration page at https://SERVER:PORT/adminCenter
   * Edit =Jazz_App_install_dir/server/liberty/servers/clm/server.xml= and modify the section shown below
<verbatim>
<!-- Edit the following, after setting up the user registry, to define the user(s) and/or group(s)
     that can perform Liberty server administration (e.g. access the Admin Center) -->
<administrator-role>
    <user>bclmadmin</user>
    <group>JazzAdmins_Host1</group>
</administrator-role>
</verbatim>

---++ Importing Users to Jazz Team Server (JTS)

---+++ Importing Users from Federated LDAP Registries
=Note: You can only synchronize users from one LDAP registry at a time into JTS.=
   * Configure your Jazz Team Server against your primary LDAP server for the nightly sync
   * To import users from the second LDAP registry into CLM, manually change the LDAP and group details in JTS > Advanced Properties
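As an added example, not from this page or from IBM, the following Python audit checks the two registry files configured in the sections above: it reports LDAP registries that bind with =sslEnabled="false"= (the bind credentials cross the network unprotected), classifies how each =basicRegistry= password is stored (plaintext, the default ={xor}= output of =securityUtility encode=, which is reversible obfuscation rather than encryption, or ={aes}=), and detects group names that are defined in more than one federated registry, which the role mapping above requires to be unique. The XML inputs are shortened, constructed copies of the page's samples, and the LDAP group names are an assumption supplied inline because they live in the directories, not in the XML.

```python
import xml.etree.ElementTree as ET
from itertools import combinations

# Constructed sample, shortened from the page's ldapUserRegistry.xml.
LDAP_XML = """<server>
  <ldapRegistry id="ldapserver1:389" realm="ldapserver1:389" host="ldapserver1" port="389" sslEnabled="false"/>
  <ldapRegistry id="ldapserver2:389" realm="ldapserver2:389" host="ldapserver2" port="389" sslEnabled="false"/>
</server>"""

# Constructed sample, shortened from the page's basicUserRegistry.xml, with a
# plaintext password and a group name reused from LDAP so both checks fire.
BASIC_XML = """<server>
  <basicRegistry id="Jazz" realm="Jazz">
    <user name="ADMIN" password="{xor}HhsSFhE="/>
    <user name="bclmuser" password="secret"/>
    <group name="BJazzAdmins"><member name="ADMIN"/></group>
    <group name="JazzAdmins_Host1"><member name="ADMIN"/></group>
  </basicRegistry>
</server>"""

# Constructed (assumed): group names held in each LDAP directory, not in the XML.
LDAP_GROUPS = {"ldapserver1:389": {"JazzAdmins_Host1", "JazzUsers_Host1"},
               "ldapserver2:389": {"JazzAdmins_Host2", "JazzUsers_Host2"}}

def password_scheme(value):
    # Classify a Liberty password attribute by its prefix.
    if value.startswith("{aes}"):
        return "aes"        # securityUtility encode --encoding=aes
    if value.startswith("{xor}"):
        return "xor"        # default encoding: reversible obfuscation, not encryption
    return "plaintext"

def audit(ldap_xml, basic_xml, ldap_groups):
    # Return a list of findings for the federated registry configuration.
    findings, groups = [], dict(ldap_groups)
    for reg in ET.fromstring(ldap_xml).iter("ldapRegistry"):
        if reg.get("sslEnabled", "false").lower() != "true":
            findings.append(f"{reg.get('id')}: bind credentials sent over plaintext LDAP")
    basic = ET.fromstring(basic_xml).find("basicRegistry")
    for user in basic.iter("user"):
        scheme = password_scheme(user.get("password", ""))
        if scheme != "aes":
            findings.append(f"basic user {user.get('name')}: password is {scheme}")
    groups[basic.get("id")] = {g.get("name") for g in basic.iter("group")}
    # Jazz role mapping relies on group names being unique across registries.
    for a, b in combinations(sorted(groups), 2):
        for name in sorted(groups[a] & groups[b]):
            findings.append(f"group {name} defined in both {a} and {b}")
    return findings
```

Running =audit(LDAP_XML, BASIC_XML, LDAP_GROUPS)= on the constructed input returns five findings: both LDAP registries bind in the clear, ADMIN's password is only xor-encoded, bclmuser's is plaintext, and =JazzAdmins_Host1= exists in both the Basic and the first LDAP registry.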
---+++++!! Related topics: [[DeploymentWebHome][Deployment web home]]

---+++++!! External links:
   * [[https://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/cwlp_repository_federation.html][Federation of user registries - Liberty Profile]]

---+++++!! Additional contributors: Main.TWikiUser