FileNet P8 support for multiple realms depends on the features of the Content Engine's Java™ 2 Enterprise Edition (J2EE) application server. Multiple realm support is available for WebLogic, JBoss, and WebSphere 6.1.
The topic "Configure Content Engine instances" in Plan And Prepare Your Environment For IBM FileNet P8 describes how to configure an initial authentication realm. This topic explains how to add additional realms, and assumes you have already successfully installed Content Engine.
See Configuring authentication in the Security Overview for a high-level picture of the separate processes of authentication and authorization.
To configure multiple realms with Active Directory
To configure all Active Directory Windows domains in a particular forest, simply configure one authentication provider in your J2EE application server that references the Windows Domain Controller hosting the Global Catalog. This configuration does not depend on the application server type and version.
To configure multiple realms using WebLogic
WebLogic supports multiple security realms and multiple authentication "providers" per realm. In WebLogic 9, Content Engine is installed into the default security realm; if there is more than one, the Summary of Security Realms in the WebLogic Administration Console displays the default.
This procedure assumes that you successfully installed CE with WebLogic and have configured the LDAP task for CE using Configuration Manager.
For WebLogic configuration details, see the Realm Configuration sections of the topics describing your directory service provider.
To configure multiple realms using WebSphere
WebSphere 6.1 supports multi-realm configuration through its new federated user repository feature. Because federated user repositories must be configured before installing Content Engine, this procedure is explained in the "Configure WebSphere for Content Engine" task of Plan And Prepare Your Environment For IBM FileNet P8.
To configure multiple realms using JBoss
JBoss supports multiple authentication realms by allowing multiple authentication login-module sections in its configuration file login-config.xml.
The easiest way to configure multiple realms is to use Configuration Manager to create the initial authentication section in the JBoss file login-config.xml in the server's \conf directory (for example: ...\server\myserver\conf\login-config.xml). After initial configuration, you can directly edit the XML file to change the initial values or add additional authentication login-module sections that point to additional naming contexts on your directory server.
This procedure assumes you have successfully installed CE with JBoss and that you have configured the LDAP task for CE using Configuration Manager.
Locate the <authentication> section. It will look similar to the following:
<application-policy name = "FileNet">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
      <module-option name="java.naming.provider.url">ldap://yourserver:389</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      ...
    </login-module>
  </authentication>
</application-policy>
Locate the <application-policy name = "FileNet"> section. It will look similar to the following:
<application-policy name = "FileNet">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
      <module-option name="java.naming.provider.url">ldap://yourserver:389</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      ...
    </login-module>
  </authentication>
</application-policy>
Copy the <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient"> ... </login-module> section and paste it right after the first. Change the required FileNet P8 values (for example, java.naming.provider.url) in the new section so that it points to the new realm. See the Directory service providers section for information about each application server's attributes and values.
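
A check you can run on login-config.xml after pasting in the second login-module, as an added example that is not part of the original IBM documentation. The sample file content, the host names and the function name audit_realms are constructed for illustration. The script reports a pasted module that was never edited, a flag that differs from the sample's "sufficient", and simple binds configured with a plain ldap:// URL.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the FileNet policy right after the second login-module
# was pasted in but not yet edited. Host names are placeholders.
SAMPLE = """\
<policy>
  <application-policy name="FileNet">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
        <module-option name="java.naming.provider.url">ldap://realm1.example.test:389</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
      </login-module>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
        <module-option name="java.naming.provider.url">ldap://realm1.example.test:389</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
"""

def audit_realms(xml_text, policy="FileNet"):
    """Return a list of findings for the login-modules of one application-policy."""
    root = ET.fromstring(xml_text)
    path = f".//application-policy[@name='{policy}']/authentication/login-module"
    modules = root.findall(path)
    if not modules:
        return [f"no login-module found under application-policy {policy!r}"]
    findings, seen = [], {}
    for idx, mod in enumerate(modules, 1):
        opts = {o.get("name"): (o.text or "").strip() for o in mod.findall("module-option")}
        url = opts.get("java.naming.provider.url", "")
        if mod.get("flag") != "sufficient":
            findings.append(f"module {idx}: flag is {mod.get('flag')!r}, the sample uses 'sufficient'")
        if not url:
            findings.append(f"module {idx}: java.naming.provider.url is missing")
        # Realms may share a server (different naming contexts), so compare every option.
        key = tuple(sorted(opts.items()))
        if key in seen:
            findings.append(f"module {idx}: options identical to module {seen[key]} (copy not edited)")
        seen.setdefault(key, idx)
        # Heuristic: a simple bind with an ldap:// URL is not using LDAPS.
        if urlparse(url).scheme == "ldap" and opts.get("java.naming.security.authentication") == "simple":
            findings.append(f"module {idx}: simple bind with an ldap:// URL (no LDAPS)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_realms(SAMPLE)))
```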