Configure multiple realms

FileNet P8 support for multiple realms depends on the features of the Content Engine's Java™ 2 Enterprise Edition (J2EE) application server. Multiple realm support is available for WebLogic, JBoss, and WebSphere 6.1.

The topic "Configure Content Engine instances" in Plan And Prepare Your Environment For IBM FileNet P8 describes how to configure an initial authentication realm. This topic explains how to add additional realms, and assumes you have already successfully installed Content Engine.

See Configuring authentication in the Security Overview for a high level picture of the separate processes of authentication and authorization.

To configure multiple realms with Active Directory

To configure all Active Directory Windows domains in a particular forest, simply configure one authentication provider in your J2EE application server that references the Windows Domain Controller hosting the Global Catalog. This configuration does not depend on the application server type and version.

To configure multiple realms using WebLogic

WebLogic supports multiple security realms and multiple authentication "providers" per realm. In WebLogic 9, Content Engine is installed into the default security realm; if there is more than one, the Summary of Security Realms in the WebLogic Administration Console displays the default.

This procedure assumes that you successfully installed CE with WebLogic and have configured the LDAP task for CE using Configuration Manager.

  1. Log on as WebLogic administrator to the WebLogic domain that contains CE.
  2. In the realm in use by CE, create a new authentication provider using properties that point to the additional naming context on your directory server.
  3. Restart the application server.
  4. Log on to Enterprise Manager (EM) as GCD administrator. Run the Create Directory Configuration wizard. Enter the same directory service configuration property values that you just added to the authentication provider.
  5. Repeat steps 1 and 2 for each additional directory server naming context that you want to configure as FileNet P8 realms.
  6. Grant the new users and groups access to objects, for example, by logging on to EM as object store administrator and adding the new accounts to document classes.
  7. Test the new configuration by logging in to a client application with an account residing in the newly configured realm.

For WebLogic configuration details, see the Realm Configuration sections of the topics describing your directory service provider.

To configure multiple realms using WebSphere

WebSphere 6.1 supports multi-realm configuration through its new federated user repository feature. Because federated user repositories must be configured before installing Content Engine, this procedure is explained in the "Configure WebSphere for Content Engine" task of Plan And Prepare Your Environment For IBM FileNet P8.

To configure multiple realms using JBoss

JBoss supports multiple authentication realms by allowing multiple authentication login-module sections in its configuration file login-config.xml.

The easiest way to configure multiple realms is to use Configuration Manager to create the initial authentication section in the JBoss file login-config.xml in the server's \conf directory (for example: ...\server\myserver\conf\login-config.xml). After initial configuration, you can directly edit the XML file to change the initial values or add additional authentication login-module sections that point to additional naming contexts on your directory server.

This procedure assumes you have successfully installed CE with JBoss and that you have configured the LDAP task for CE using Configuration Manager.

  1. Open login-config.xml in an editor. Find the <application-policy name = "FileNet"> section and, within it, the <authentication> section. It will look similar to the following:

    <application-policy name = "FileNet">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
          <module-option name="java.naming.provider.url">ldap://yourserver:389</module-option>
          <module-option name="java.naming.security.authentication">simple</module-option>
          ...
        </login-module>
      </authentication>
    </application-policy>

  2. Within that <authentication> section, locate the <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient"> element that Configuration Manager created for the initial realm; it is the login-module shown in the block above.

  3. Make a copy of the <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient"> ... </login-module> section and paste it right after the first. Change the required FileNet P8 values (e.g. java.naming.provider.url) in the new section so that it points to the new realm. See the Directory service providers section for information about each application server's attributes and values.
  4. Restart the application server.
  5. Log on to EM as GCD administrator. Run the Create Directory Configuration wizard. Enter the same directory service configuration property values that you just added to the authentication provider.
  6. Repeat steps 1 and 2 for each additional directory server naming context that you want to configure as FileNet P8 realms.
  7. Test the new configuration by logging in to a client application with an account residing in the newly configured realm.
  8. Grant the new users and groups access to objects by logging on to EM as object store administrator and adding the new accounts to document classes.
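The following is an added example of what the finished login-config.xml section looks like after steps 1 through 3, once a second login-module has been pasted in and pointed at a second naming context. It is not taken from the original page or from the product's own files: the host names, ports, DNs and credential values are constructed placeholders, and the option names beyond java.naming.provider.url and java.naming.security.authentication are standard LdapExtLoginModule options that you would fill in from the Directory service providers topic for your directory type.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original page): a "FileNet" application-policy
     with two LdapExtLoginModule sections, one per directory naming context.
     All host names, DNs and credentials below are constructed placeholders. -->
<policy>
  <application-policy name="FileNet">
    <authentication>

      <!-- Realm 1: the section Configuration Manager generated initially -->
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
        <module-option name="java.naming.provider.url">ldap://dir1.example.com:389</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="bindDN">cn=ceservice,ou=service,dc=example,dc=com</module-option>
        <module-option name="bindCredential">PLACEHOLDER_PASSWORD_1</module-option>
        <module-option name="baseCtxDN">ou=users,dc=example,dc=com</module-option>
        <module-option name="baseFilter">(uid={0})</module-option>
        <module-option name="rolesCtxDN">ou=groups,dc=example,dc=com</module-option>
        <module-option name="roleFilter">(member={1})</module-option>
        <module-option name="roleAttributeID">cn</module-option>
        <module-option name="searchScope">SUBTREE_SCOPE</module-option>
        <!-- reject empty passwords so an unauthenticated LDAP bind cannot pass as a logon -->
        <module-option name="allowEmptyPasswords">false</module-option>
      </login-module>

      <!-- Realm 2: a copy of the first section (step 3), pointed at the
           second naming context; only the values that identify the
           directory and its contexts change -->
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
        <module-option name="java.naming.provider.url">ldap://dir2.example.com:389</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="bindDN">cn=ceservice,ou=service,dc=partner,dc=example</module-option>
        <module-option name="bindCredential">PLACEHOLDER_PASSWORD_2</module-option>
        <module-option name="baseCtxDN">ou=people,dc=partner,dc=example</module-option>
        <module-option name="baseFilter">(uid={0})</module-option>
        <module-option name="rolesCtxDN">ou=groups,dc=partner,dc=example</module-option>
        <module-option name="roleFilter">(member={1})</module-option>
        <module-option name="roleAttributeID">cn</module-option>
        <module-option name="searchScope">SUBTREE_SCOPE</module-option>
        <module-option name="allowEmptyPasswords">false</module-option>
      </login-module>

    </authentication>
  </application-policy>
</policy>
```

Two points to check when you adapt this. The flag="sufficient" on each login-module is what makes the realms independent: a logon that binds successfully against either directory authenticates, and a failure in the first realm falls through to the second rather than rejecting the user, so keep that flag on every copied section. Also, the values you enter in the Create Directory Configuration wizard (step 5) must match the corresponding login-module exactly, since Content Engine resolves users and groups through its own directory configuration while JBoss performs the bind; a mismatch typically shows up as a user who can log on but has no access to any object. Because java.naming.security.authentication is "simple", the bind password travels in the clear on a plain ldap:// URL; where the directory supports it, an ldaps:// URL with the directory's certificate trusted by the application server's JVM keeps that credential off the wire.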