Configuring security by using the server setup application

The server setup application is a browser-based web application for IBM® WebSphere® Application Server that helps you deploy the other Rational® Asset Manager applications and configure the database, security, performance, and repository settings. You can use the server setup application to later modify these settings instead of using the Administration pages within Rational Asset Manager web client.

Procedure

In Section 3, configure users and authentication:
  • If you chose LDAP authentication in step 7.b, configure the connection to the LDAP on the Configure LDAP Authentication page. LDAP must be running and the LDAP server must be accessible from this computer.
    1. Configure the LDAP repository connection. On this page, you define the information that Rational Asset Manager server uses to contact the LDAP server: the address of the LDAP server, the communications port, and if necessary, a user ID and password that Rational Asset Manager will use to query the registry.
      • LDAP Vendor: Select your LDAP software. When you select a vendor, the suggested value column shows example values for some of the properties that the LDAP server requires.
      • Server: Type the name of the server on which LDAP is installed; for example, ldap.example.com. If security is enabled on the LDAP server, check SSL enabled.
      • Port: Type the port number of the LDAP server.
      • Connect Anonymously: If your LDAP repository does not require a user ID and password for access, select this check box. If your LDAP repository requires a user ID and password, clear this box and complete the Bind User DN and Bind Password text fields.
      • Bind User DN: Type the distinguished name (DN) of a user that has access to query the LDAP database. Rational Asset Manager uses this user name to access LDAP. For example, uid=123456,c=us,ou=exampleorganization,o=example.com.
      • Bind password: If you typed a bind user DN, type the password for that user.
      Note: If you are using LDAP authentication and a single LDAP hostname is mapped to multiple IP addresses in your network configuration, then you must use the WebSphere Application Server administrative console and click Security > Global security > Standalone LDAP registry > Configure to apply the appropriate configuration property. This prevents possible LDAP user account lockouts when users log in to Rational Asset Manager with invalid credentials.

      An invalid login causes the server to validate the user with each IP address and thus causes multiple login failures. If you have set a maximum number of login attempts, one invalid logon could cause an LDAP account lockout. To prevent this issue from occurring, follow the steps described here: http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg1PK42672

    2. Click Test connection. If the server setup application connects to LDAP, continue. You cannot proceed with LDAP Authentication until a connection is configured.
    3. Identify a user in the LDAP registry to be the Rational Asset Manager repository administrator.
      • Administrator ID: Type the unique ID of the user who will be the repository administrator for Rational Asset Manager. The repository administrator is responsible for configuring the Rational Asset Manager server. For example, if your LDAP uses the email address as the unique identifier: Administrator@example.com.
      • Password: Type the password for the administrator ID.
      • User search filter: Type the LDAP filter syntax that is used to query for a user. The %v represents the search term that was entered in an input text field. The search runs as if a wildcard were part of the search term. The default search template finds all person objectClasses where either the mail property or the name property matches the search term.
      • User search base: Type the root entry from which to start searching the LDAP registry for users; for example, ou=exampleorganization,o=example.com.
    4. Click Verify the User.
    5. If the server setup application found the user in the LDAP registry, click Next. Do not continue configuring LDAP authentication until a user has been identified as the repository administrator.
    6. On the next page, map user properties in Rational Asset Manager to the corresponding user properties in your LDAP registry. Rational Asset Manager requires this information for user authentication, for user data retrieval and display, and to communicate with users by email.
      • Unique identifier: Type the name of the property on the user's objectClass instance that holds the user's unique ID; for example, the person objectClass's serialNumber property, or the user objectClass's sAMAccountName property. The default value is uid.
      • Login identifier: Type the objectClass property that users use as their login ID. Although the unique ID and login ID are commonly the same, you can set up the registry so that a user logs in with another ID (for example, an email address). For example, userPrincipalName.
      • LDAP user name query: Type the LDAP search query that maps the short name of a user to an LDAP entry; for example, *:userPrincipalName or *:uid.
      • Email: Type the property name that contains a user's email address; for example, mail.
      • Phone number: Type the property name that contains a user's phone number; for example, telephonenumber.
      • Locale: Type the property name of the user's email language setting; for example, zh-TW, or leave the field blank to use the default value and let users manage their own email language setting. If the value is a language that is supported in Rational Asset Manager (such as de, ko, ja, zh_TW, zh_CN, es, pt_BR, en, fr, and ru), the user profiles are set with that language preference. If the value is not valid or does not exist in LDAP, en (English) is used by default.
      • Image URL Template: You can store images somewhere other than an LDAP registry. If a user's image can be retrieved by using a URL, configure this template to retrieve the image at the same time as the user information in the registry. In the template, ${value} represents an LDAP user property of the user object that is replaced when the image is retrieved. For example, for a user whose uid property is 123456, the default template https://image_server_url/photo/${uid}.jpg results in the URL https://image_server_url/photo/123456.jpg.
    7. Click Test the Mapping. If all mappings are correct, the administrator's user ID, name, email, phone number, and photo are displayed with a success message.
    8. Specify user group properties in LDAP. User group information in LDAP can be retrieved and reused by Rational Asset Manager communities. In Rational Asset Manager, communities are the primary organizational grouping within a repository: they are collections of users with a common interest in a set of assets, and each community can define its members, member roles, permissions, processes, and assets.
      • User group search filter: The filter for searching groups. The default searches any of groupOfUniqueNames (static group), groupOfNames (static LDAP group), groupOfUrls (dynamic LDAP group), or group (Active Directory defined group) for the search term that the user entered.
      • User group search base: Type the search base for groups; for example, ou=memberlist,ou=groups,o=example.com.
      • Group ID Map: Type the LDAP search query that maps the short name of a group to an LDAP entry; for example, *:cn.
      • Group Member ID Map: Type the LDAP search query that identifies user-to-group relationships; for example, memberof:member.
    9. Click Next. The Users and Authentication Configuration summary page opens.
    10. To complete the configuration, restart the application server. You can also wait to restart the server until you complete the other steps in the server setup application.
    11. Click Next.
    Note: This configures LDAP authentication for only the Rational Asset Manager application.

  • If you chose File-based authentication in step 7.b, add or delete users from the list on the Configure File-based Authentication page. File-based authentication means that user information is stored in a text file on the server. By default, there are six users ("admin" and "user1" through "user5").
    Note: The passwords for the six default users are the same as their user IDs.
    1. Add, edit, or delete users:
      • To filter the list of users, type a search string in the Search text field and click Search. You can use wildcards (*). To see the entire list, type * in the Search text field.
      • To add a user, click Add User and type the user's ID and password.
      • To delete a user, next to that user's name, click Delete.
    2. When you are finished, click Next. The Users and Authentication Configuration summary page opens.
    3. To complete the configuration, restart the application server. You can also wait to restart the server until you complete the other steps in the server setup application.
    4. Click Next.
    5. Go to step 11.
  • If you chose to use a federated repository, the local operating system, or a custom user registry (other than file-based) in step 7.b, you will be prompted to confirm that the user ID of the administrator for the user registry will be the repository administrator. There are no other configuration options for this type of authentication.
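The %v user search filter from step 3 and the ${value} image URL template from step 6 above, as an added example that is not part of the IBM documentation or the product's own code: it shows how each template is expanded so that a search term typed by a user cannot change the structure of the LDAP filter, with the wildcard-style matching applied after escaping. The default filter string, the sample attributes and the function names are assumptions.

```python
"""Added example (not IBM's code): safe expansion of the %v search-filter
template and the ${attr} image URL template described on this page.
Escaping follows RFC 4515 (LDAP filters) and RFC 3986 (URLs)."""
import re
from urllib.parse import quote

# RFC 4515: these characters must be escaped inside a filter assertion value,
# otherwise user input could close the assertion and inject its own clauses.
_FILTER_ESCAPES = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Constructed default resembling the page's description: person objects whose
# mail or name attribute matches the search term (attribute names assumed).
DEFAULT_USER_FILTER = "(&(objectClass=person)(|(mail=%v)(cn=%v)))"


def build_user_filter(term: str, template: str = DEFAULT_USER_FILTER,
                      wildcard: bool = True) -> str:
    """Replace every %v with the escaped search term.

    With wildcard=True the term matches as a prefix, mirroring 'the search
    runs as if a wildcard were part of the search term'. The '*' is appended
    after escaping, so a '*' typed by the user stays a literal character."""
    value = escape_filter_value(term) + ("*" if wildcard else "")
    return template.replace("%v", value)


_PLACEHOLDER = re.compile(r"\$\{(\w+)\}")


def expand_image_url(template: str, attrs: dict) -> str:
    """Expand ${attr} placeholders with percent-encoded LDAP attribute values.

    Raises KeyError when the user object lacks a referenced attribute, so a
    missing uid produces an error rather than a half-built URL."""
    def sub(match: re.Match) -> str:
        return quote(str(attrs[match.group(1)]), safe="")
    return _PLACEHOLDER.sub(sub, template)
```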
