WebSphere

Setting application security for Business Space

To turn on security for Business Space you must enable both application security and administrative security.

Before you begin

Before you complete this task, you must have completed the following tasks:
  • Configured a profile, and configured Business Space on that profile.
  • Configured the database tables (if you are using a remote database or deployment environment).
  • Configured the REST service endpoints for the widgets you will use in Business Space.
  • Checked that your user ID is registered in the user registry for your product.

About this task

The Business Space enterprise archive (EAR) file is preconfigured to ensure authentication and authorization of access. Business Space uses one default J2EE role, mapped to all authenticated users, so that users are prompted to authenticate when they access Business Space URLs. Unauthenticated users are redirected to a login page.

Authorization to spaces and page content in Business Space is handled internally to Business Space as part of managing spaces.

To enable authenticated access (J2EE role-based authorization) to Business Space, you must have a user registry configured and application security enabled.

Procedure
  1. For complete instructions on security, see the security documentation for your product.
  2. For the Business Space application, on the Secure administration, applications, and infrastructure administrative console page, select both Enable administrative security and Enable application security.
  3. On the same administrative console page, under User account repository, designate either Federated repositories, Local Operating System, Standalone LDAP registry, or Standalone custom registry. If you select Federated repositories for Business Space, you will have additional capabilities in your widgets and framework, such as enhanced search capabilities. When searching for users to share spaces and pages, the search scope includes e-mail, a user's full name and user ID.
  4. If Business Space is remote from where your product is running, and the node where Business Space is running and the node where your product is running are not in the same cell, you must complete manual steps to make sure that single sign-on (SSO) is enabled. For example, if you are using more than one product (WebSphere Business Modeler Publishing Server, WebSphere Business Monitor, WebSphere Enterprise Service Bus, or WebSphere Process Server), the servers are on different nodes, and you want them all to be able to work with the Business Space server, you must manually configure SSO. To enable SSO, complete the following steps:
    a. Under Authentication, click Single sign-on (SSO) and make sure that the Enabled check box is selected.
    b. Make sure that all the nodes use the same User account repository information (see step 3).
    c. Open the Authentication mechanisms and expiration page on the administrative console: expand Security, select Secure administration, applications, and infrastructure, and under Authentication click Authentication mechanisms and expiration.
    d. Under Cross-cell single sign-on, type a password for the key file and a Fully qualified key file name, which is the location and file name to which you want to export the key file. The Fully qualified key file name is the absolute path on the system where your server is running.
    e. Click Export Keys. The key file is saved on the system where the server is running.
    f. If the two nodes are not on the same system, copy the key file physically to the other systems.
    g. Import the key file on every other node using the same key file: log on to the administrative console for the other node, complete steps c-d above (using the same password that was set for the exported key file you copied over), and click Import keys.
    h. Restart the server after importing the keys on each system.
  5. If you are using HTTPS in the endpoints file, the endpoint location is on a different node than Business Space, and the Secure Sockets Layer (SSL) certificate is self-signed, you must import the SSL certificate.
    a. Log on to the administrative console for the server that contains Business Space and import the SSL certificate that is used by the remote node where the product is running.
      i. Under Security, click SSL certificate and key management.
      ii. On the SSL certificate and key management page, under Related items, click Key stores and certificates.
      iii. On the Key stores and certificates page, click NodeDefaultTrustStore to modify that trust store.
      iv. On the NodeDefaultTrustStore page, under Additional Properties, click Signer certificates.
      v. On the Signer certificates page for the NodeDefaultTrustStore, click the Retrieve from port button.
      vi. On the Retrieve from port page, under General Properties, type the host, port, and alias for where your product is running. Click the Retrieve signer information button and then click OK.
      vii. Restart both servers.
    b. Log on to the administrative console for the product node and import the SSL certificate that is used by the node where Business Space is running.
      i. Repeat steps i.-v. above.
      ii. On the Retrieve from port page, under General Properties, type the host and port for where Business Space is running. Click the Retrieve signer information button and then click OK.
      iii. Restart both servers.
    For more information about SSO and SSL, see the WebSphere Application Server information center.
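The same settings driven from wsadmin instead of the console, covering step 2 (enable both security switches), step 4 (SSO and the cross-cell LTPA key exchange) and step 5 (importing the remote node's self-signed signer). This is an added example, not from the IBM documentation, and assumes WebSphere Application Server 7.0 AdminTask commands; the key-file path, password, hosts, ports, and certificate alias are placeholders you must replace.

```jython
# Added example (not part of the IBM page). Run on a node with:
#   wsadmin -lang jython -f bspace_security.py <enable|export|import|trust> [host port alias]
# In wsadmin, sys.argv[0] is the first script argument, not the script name.
import sys

KEY_FILE = 'file:/tmp/ltpa.keys'   # assumption: key file location shared between nodes
KEY_PASSWORD = 'CHANGE-ME'         # assumption: placeholder; use the same value on every node

def enable_security():
    # Step 2: both administrative and application security must be on for
    # the J2EE role on the Business Space EAR to force a login.
    AdminTask.setAdminActiveSecuritySettings('[-enabled true -appEnabled true]')
    # Step 4a: SSO must be enabled so the LTPA token is accepted across servers.
    AdminTask.configureSingleSignon('[-enable true]')
    AdminConfig.save()

def export_keys():
    # Steps 4d-4e: export the LTPA keys from the first node (the Export Keys button).
    ok = AdminTask.exportLTPAKeys('[-ltpaKeyFile %s -password %s]' % (KEY_FILE, KEY_PASSWORD))
    AdminConfig.save()
    return ok

def import_keys():
    # Step 4g: on every other node, import the copied key file with the same password.
    ok = AdminTask.importLTPAKeys('[-ltpaKeyFile %s -password %s]' % (KEY_FILE, KEY_PASSWORD))
    AdminConfig.save()
    return ok

def trust_remote_signer(host, port, alias):
    # Step 5: retrieve the remote node's signer into NodeDefaultTrustStore
    # (the Retrieve from port page). Run on each side, pointing at the other node.
    AdminTask.retrieveSignerFromPort(
        '[-keyStoreName NodeDefaultTrustStore -host %s -port %s -certificateAlias %s]'
        % (host, port, alias))
    AdminConfig.save()

mode = sys.argv[0]
if mode == 'enable':
    enable_security()
elif mode == 'export':
    export_keys()
elif mode == 'import':
    import_keys()
elif mode == 'trust':
    trust_remote_signer(sys.argv[1], sys.argv[2], sys.argv[3])
else:
    print 'usage: enable | export | import | trust <host> <port> <alias>'
# Every mode changes security.xml: restart the server afterwards (steps 4h and 5),
# and the new settings only take effect once all nodes have been restarted.
```

Run `export` on the node that owns the keys, copy the file, then `import` on each remaining node; `trust` is run on both the Business Space node and the product node, each pointed at the other.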

What to do next





Last updated: 22 June 2010


http://publib.boulder.ibm.com/infocenter/dmndhelp/v6r2mx/topic/com.ibm.websphere.wbpm.bspace.config.620.doc/doc/tcfg_bsp_app_admin_security.html
Copyright IBM Corporation 2005, 2010. All Rights Reserved.