Information in this section is provided to assist in the
security planning process but is not a complete description of any
security feature or level of support.
- Authentication and authorization are separate processes.
- Authentication (logon security) is separate from authorization
(object and process security). Configure the JAAS login on the Content Platform Engine application
server so that any user or group that can successfully log on to FileNet® P8 resources can also be
resolved, through the Content Platform Engine directory
service provider connection, for authorization to work within FileNet P8 interfaces. A principal that
JAAS accepts but that the directory configuration cannot resolve is authenticated but not authorized.
- Configuration Manager captures configuration information to create
your application server authentication provider; or you can use an
authentication provider that already exists on the application server.
Immediately following the initial Content Platform Engine deployment, you will
use IBM® Administration Console for Content
Platform Engine to configure
the Content Platform Engine authorization
by creating a Directory Configuration.
- Logins are done through JAAS.
- FileNet P8 uses Java™ Authentication and Authorization
Service (JAAS) for authentication, which is a process that occurs
between a Java EE client application,
a Java EE application server,
and one or more JAAS login modules. This process does not involve
any FileNet P8 code.
- FileNet P8 platform
uses JAAS for authentication only, not for authorization on stored
objects. Also, it does not support Java Security
Manager.
- Determine single sign-on (SSO) requirements.
- Content Platform Engine ability
to use JAAS-based authentication means that if a single sign-on (SSO)
provider writes a JAAS LoginModule for a supported application server,
then clients of FileNet P8 applications
hosted in that application server can use that SSO solution. See Single
Sign-On Solutions for IBM FileNet P8 at ibm.com/redbooks
for configuration information.
- Determine Kerberos applicability.
- You can use Kerberos for SSO authentication between .NET applications
or other products that use it, provided you use Windows Active Directory as the directory
server.
- Decide how many authentication realms you require.
- At least one authentication realm is required, which you create
during an initial installation by running the Configuration Manager
Configure LDAP task. After making sure that the first realm is working
properly, you can configure additional realms, depending on your security
model and requirements.
- Make sure that you have a directory service provider in place.
- Directory services are provided by third-party directory servers.
Refer to the IBM
FileNet P8 system requirements for
the list of supported products.
- Starting
with version 5.2, Content Platform Engine supports
heterogeneous directory server configurations when running in an IBM virtual member manager environment.
(To use virtual member manager, Content Platform Engine requires WebSphere® Application
Server version 7.0 or above.)
For all other directory environments, only homogeneous LDAP server
combinations are supported, meaning that a single FileNet P8 domain can be configured
to use only one of the supported directory servers.
- Understand the users and groups required for FileNet P8.
- All general administrative users and groups needing access to FileNet P8-based applications must
reside in one of the supported directory servers. The planning and
preparation tasks provide instructions for creating the administrative
accounts required for installation and initial configuration.
- (WebLogic only) Any WebLogic authentication provider must be dedicated
to FileNet P8.
- For performance reasons, do not share any authentication provider
that is used by WebLogic for deployed FileNet P8 components with applications
used for other purposes.
- You can configure Content Platform Engine to
use email or UPN for login.
- You can assign the directory server's email attribute or, for
Active Directory, the userPrincipalName (UPN) to be the user short
name that is used for login. Instructions in the IBM
FileNet P8 Platform Installation and Upgrade Guide provide a link to a
procedure that explains how to do this.
- (WebSphere only)
Choose Stand-alone or Federated repository type.
- There is an option in the Configuration Manager Configure LDAP
task to select whether the WebSphere Application
Server repository
type is Stand-alone LDAP registry or Federated repositories. To have
Configuration Manager use your repository type setting, select the
Configuration Manager option Set as current active user
registry.
- If you choose Stand-alone LDAP registry
- Configuration Manager changes the administrative console user
login to the account you enter as the Administrative console
user name. This account must reside in the Stand-alone
LDAP registry location. The existing administrative console user login,
if any, becomes invalid.
- To have Configuration Manager replace an existing Stand-alone
LDAP registry configuration, you must enable the Configuration Manager
option Overwrite existing repository.
- If you choose Federated repositories
- By choosing the Federated repositories option in Configuration
Manager, you are adding a new LDAP realm to an existing Federated
LDAP repository. The administrative console user name that you provide
must be a unique user across all federated realms.
- Avoid overlapping realm definitions
- In the Configuration Manager task Configure LDAP, if you set the WebSphere Application
Server LDAP repository type option
to Federated repositories, do not enter repositories
with overlapping suffixes as they are not supported. For example,
the following two repositories with overlapping Base entry distinguished
names are not supported:
- dc=ibm,dc=com
- dc=filenet,dc=ibm,dc=com
This restriction especially applies to Active Directory parent
and child domains, since by definition parent/child domains in AD
have overlapping suffixes.
- The repositories in the next example are supported, because they
are sibling repositories and do not overlap:
- dc=tivoli,dc=ibm,dc=com
- dc=filenet,dc=ibm,dc=com
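The overlap rule above is easy to get wrong by eye once a Federated repositories configuration holds more than two or three base entries, especially with Active Directory parent and child domains. The following script is an added example, not IBM code and not part of Configuration Manager: it normalizes each base entry DN into its RDNs and flags every pair where one DN is the same as, or lies beneath, the other. The DNs in SAMPLE_BASE_ENTRIES are constructed values for demonstration (the two examples from the text, an AD-style parent/child pair, and an RDN with an escaped comma), not taken from any real directory.

```python
"""Check WebSphere Federated repositories base entries for overlapping suffixes.

Added example for the planning step above; it is not IBM code and is not part of
Configuration Manager. The base-entry DNs in SAMPLE_BASE_ENTRIES are constructed
values for demonstration, not from any real directory.
"""
import re
from typing import List, Tuple

# Split on commas that are not preceded by a backslash (RFC 4514 escaping).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDNs, leftmost first, normalized for comparison.

    Attribute types and values are lower-cased and surrounding whitespace is
    removed, so "DC=IBM, DC=COM" and "dc=ibm,dc=com" compare equal. Full
    RFC 4514 canonicalization (multi-valued RDNs, hex escapes) is deliberately
    out of scope for this planning check.
    """
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        part = part.strip()
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r} in DN {dn!r}")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return rdns


def overlaps(dn_a: str, dn_b: str) -> bool:
    """True if the two base entries are the same or one lies under the other.

    A DN's suffix is the run of RDNs at its right-hand end, so the check is
    done RDN by RDN: dc=filenet,dc=ibm,dc=com ends with dc=ibm,dc=com and
    therefore overlaps it; dc=tivoli,dc=ibm,dc=com does not end with
    dc=filenet,dc=ibm,dc=com (or vice versa), so the two are siblings.
    """
    a, b = split_dn(dn_a), split_dn(dn_b)
    short, long_ = (a, b) if len(a) <= len(b) else (b, a)
    return long_[len(long_) - len(short):] == short


def find_overlaps(base_entries: List[str]) -> List[Tuple[str, str]]:
    """Return every pair of base entries that would be rejected as overlapping."""
    bad = []
    for i, first in enumerate(base_entries):
        for second in base_entries[i + 1:]:
            if overlaps(first, second):
                bad.append((first, second))
    return bad


# Constructed sample: the two examples from the text plus an AD-style
# parent/child pair and an RDN containing an escaped comma.
SAMPLE_BASE_ENTRIES = [
    "dc=ibm,dc=com",
    "dc=filenet,dc=ibm,dc=com",
    "dc=tivoli,dc=ibm,dc=com",
    "DC=corp,DC=example",           # AD forest root domain (constructed)
    "dc=child,dc=corp,dc=example",  # AD child domain under it (constructed)
    "ou=sales\\, emea,dc=tivoli,dc=ibm,dc=com",
]

if __name__ == "__main__":
    for first, second in find_overlaps(SAMPLE_BASE_ENTRIES):
        print(f"overlap: {first!r} and {second!r}")
```

Run it against the list of base entries you intend to give the Configure LDAP task; any pair it reports must be reduced to a single entry (the parent) or split into non-overlapping siblings before you proceed. The comparison is made RDN by RDN rather than on the raw strings so that case and spacing differences between entries do not hide an overlap, and so that an escaped comma inside a value is not mistaken for an RDN boundary.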
- Administrative security must be enabled
- Configuration Manager does not change the state of WebSphere administrative security.
If it was on before running Configuration Manager, then it stays on;
if it was off before, then it stays off. Enable it yourself in the WebSphere administrative
console; do not expect the Configure LDAP task to turn it on for you.
- WebSphere Application
Server security domains
- Content Platform Engine supports WebSphere Application
Server security domains, a feature
that is introduced in WebSphere Application
Server 7.0.
Security domains allow administrators to define multiple security
configurations for use in a single cell or application server. By
default, all administrative and user applications in WebSphere Application
Server use the same global security
configuration. However, with security domains, you can create additional
security configurations if you want to specify different security
attributes for some or all of your user applications. For example,
you can define different settings (such as a different user registry)
for user applications than for administrative applications. You can
also define separate security configurations for user applications
that are deployed to different servers and clusters.
- To use security domains, you deploy Content Platform Engine in the normal way,
and then use your WebSphere Application
Server administrative
console to create a security domain and to assign Content Platform Engine to it. Content Platform Engine code then automatically
honors this domain setting. All Content Platform Engine servers and clients
must be in one of the available WebSphere security
domains. Also, the Content Platform Engine bootstrap
account (cpe_bootstrap_admin) must be present in
both the WebSphere Application
Server global
security configuration and the security domain that applies to the Content Platform Engine; or you can skip the
bootstrap login at the server startup by setting the JVM argument -Dcom.filenet.engine.init.BGThreadsAsBootstrapId=false.