Configure multiple realms

FileNet P8 support for multiple realms depends on the features of the Content Engine's Java™ 2 Enterprise Edition (J2EE) application server. Multiple realm support is available for WebLogic, JBoss, and WebSphere 6.1.

The topic "Configure Content Engine instances" in IBM FileNet P8 Platform Installation and Upgrade Guide describes how to configure an initial authentication realm and how to add additional realms.

See Configuring authentication in the Security Overview for a high-level picture of the separate processes of authentication and authorization.

To configure multiple realms with Active Directory

To configure all Active Directory Windows domains in a particular forest, simply configure one authentication provider in your J2EE application server that references the Windows Domain Controller hosting the Global Catalog. This configuration does not depend on the application server type and version.

To configure multiple realms using WebLogic

WebLogic supports multiple security realms and multiple authentication "providers" per realm. In WebLogic 9, Content Engine is installed into the default security realm; if there is more than one, the Summary of Security Realms in the WebLogic Administration Console displays the default.

This procedure assumes that you successfully installed Content Engine with WebLogic and have configured the LDAP task for Content Engine using Configuration Manager.

  1. Log in as WebLogic administrator to the WebLogic domain that contains Content Engine.
  2. In the realm in use by Content Engine, create a new authentication provider using properties that point to the additional naming context on your directory server.
  3. Restart the application server.
  4. Log in to Enterprise Manager as GCD administrator. Run the Create Directory Configuration wizard. Enter the same directory service configuration property values that you just added to the authentication provider.
  5. Repeat steps 1 and 2 for each additional directory server naming context that you want to configure as FileNet P8 realms.
  6. Grant the new users and groups access to objects, for example, by logging on to Enterprise Manager as object store administrator and adding the new accounts to document classes.
  7. Test the new configuration by logging in to a client application with an account residing in the newly configured realm.

For WebLogic configuration details, see the Realm Configuration sections of the topics describing your directory service provider.

To configure multiple realms using WebSphere

WebSphere supports multi-realm configuration through its federated user repository feature. While running Configuration Manager's Configure LDAP screen, set the WebSphere LDAP repository type property to FederatedLDAP. See the Content Engine task "Configure Content Engine instances" in the IBM FileNet P8 Platform Installation and Upgrade Guide.

To configure multiple realms using JBoss

JBoss supports multiple authentication realms by allowing multiple authentication login-module sections in its configuration file login-config.xml.

The easiest way to configure multiple realms is to use Configuration Manager to create the initial authentication section in the JBoss file login-config.xml in the server's \conf directory (for example: ..\server\myserver\conf\login-config.xml). After initial configuration, you can directly edit the XML file to change the initial values or add additional authentication login-module sections that point to additional naming contexts on your directory server.

This procedure assumes you have successfully installed Content Engine with JBoss and that you have configured the LDAP task for Content Engine using Configuration Manager.

  1. Open login-config.xml in an editor. Find the <application-policy name = "FileNet"> section and its <authentication> element. It will look similar to the following sample:

    <application-policy name = "FileNet">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
          <module-option name="java.naming.provider.url">ldap://yourserver:389</module-option>
          <module-option name="java.naming.security.authentication">simple</module-option>
          ...
        </login-module>
      </authentication>
    </application-policy>

  2. Make a copy of the <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient"> ... </login-module> section and paste it right after the first. Change the required FileNet P8 values (for example, java.naming.provider.url) in the new section so that it points to the new realm. See the Directory service providers section for information about each application server's attributes and values.
  3. Restart the application server.
  4. Log in to Enterprise Manager as GCD administrator. Run the Create Directory Configuration wizard. Enter the same directory service configuration property values that you just added to the new login-module section.
  5. Repeat steps 1 and 2 for each additional directory server naming context that you want to configure as a FileNet P8 realm.
  6. Test the new configuration by logging in to a client application with an account residing in the newly configured realm.
  7. Grant the new users and groups access to objects by logging on to Enterprise Manager as object store administrator and adding the new accounts to document classes.
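A small check for the edited login-config.xml, added here as an example and not part of IBM's or JBoss's own tooling: it lists every login-module under the FileNet application-policy (the values you later re-enter in the Create Directory Configuration wizard), flags a pasted section whose provider URL and naming context were never changed, and flags a simple bind sent over cleartext ldap://. The sample XML is constructed; the dc1/dc2 hosts and DNs are assumptions, and baseCtxDN is a standard LdapExtLoginModule option that the page's sample elides.

```python
import xml.etree.ElementTree as ET

def _ldap_module(url, base_dn):
    # One <login-module> shaped like the page's sample; baseCtxDN is a standard
    # LdapExtLoginModule option the sample elides, included here by assumption.
    return (
        '<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">'
        f'<module-option name="java.naming.provider.url">{url}</module-option>'
        '<module-option name="java.naming.security.authentication">simple</module-option>'
        f'<module-option name="baseCtxDN">{base_dn}</module-option></login-module>'
    )

# Constructed sample: realm 1 on dc1, realm 2 on dc2, and a third section pasted
# from the first but never edited to point at a new realm.
SAMPLE_LOGIN_CONFIG = (
    '<policy><application-policy name="FileNet"><authentication>'
    + _ldap_module("ldap://dc1.example.test:389", "ou=people,dc=corp,dc=example,dc=test")
    + _ldap_module("ldaps://dc2.example.test:636", "ou=staff,dc=partner,dc=example,dc=test")
    + _ldap_module("ldap://dc1.example.test:389", "ou=people,dc=corp,dc=example,dc=test")
    + "</authentication></application-policy></policy>"
)

def parse_realms(xml_text, policy="FileNet"):
    """Return one dict per <login-module> under the named <application-policy>."""
    realms = []
    for pol in ET.fromstring(xml_text).iter("application-policy"):
        if pol.get("name") != policy:
            continue
        for lm in pol.iter("login-module"):
            opts = {o.get("name"): (o.text or "").strip() for o in lm.findall("module-option")}
            realms.append({"code": lm.get("code"), "flag": lm.get("flag"), "options": opts})
    return realms

def check_realms(realms):
    """Flag unedited copies, simple binds over cleartext ldap://, and non-'sufficient' flags."""
    findings, seen = [], {}
    for i, r in enumerate(realms, 1):
        url = r["options"].get("java.naming.provider.url", "")
        key = (url, r["options"].get("baseCtxDN", ""))
        if key in seen:
            findings.append(f"module {i} duplicates module {seen[key]} ({url}): copied section not updated?")
        seen.setdefault(key, i)
        if url.startswith("ldap://") and r["options"].get("java.naming.security.authentication") == "simple":
            findings.append(f"module {i}: simple bind over cleartext ldap:// to {url}; prefer ldaps://")
        if r["flag"] != "sufficient":
            findings.append(f"module {i}: flag={r['flag']!r}; the sample uses 'sufficient' so users in later realms can still log in")
    return findings
```

Run it against a real file with check_realms(parse_realms(open(path).read())) after each edit; an empty list means no duplicate realm and no cleartext simple bind was found.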