Managing anonymous access for a FileNet deployment

IBM® Connections requires anonymous access to be set in FileNet® for public communities unless external users are part of a community, in which case anonymous access needs to be disabled.

About this task

Configuring an anonymous user is required if you want users to access Connections Content Manager without authenticating. The installation process also prompts for an anonymous user, and if you entered an anonymous user account during the installation, anonymous access is already configured. These steps might be used to enable or disable anonymous access after the installation. In some cases, such as when desktop single sign-on is enabled, or when roles in the communities application are restricted to limit access to authenticated users, setting up anonymous access for FileNet is optional. For more information, see Roles.

For more information, see Enabling anonymous access for a FileNet deployment.

If you want to allow external users to participate in your Connections communities, then anonymous access needs to be disabled for Connections Content Manager.

For more information, see Disabling anonymous access.

Enabling anonymous access for a FileNet deployment

About this task

IBM FileNet Collaboration Services implements anonymous access with a designated user that is used only for this purpose. The user must be a system-type user that is not used by a real person. The user ID must not have any particular privileges on the object store beyond what is given by the installation guide. This user's access control records determine what level of access is given to anonymous users. So, choose a functional ID that is reserved for this purpose and that does not have special access.

The display name of the user that is used in this role might appear in some supplemental user interfaces, so a user account or functional ID must be chosen with a suitable display name that matches the purpose of this account, for example, Anonymous User. Do not choose the administrative account ID. Follow these steps to enable anonymous access.

Procedure

  1. Log in to the WebSphere Application Server Integrated Solutions Console that hosts your FileNet server with the FileNet Collaboration Services application.
  2. Enable use of authentication data on unprotected URLs as follows:
    1. Navigate to Security > Global Security > Web and SIP security > General Settings.
    2. Make sure Authenticate only when the URI is protected is selected and Use available authentication data when an unprotected URI is accessed also is selected.
  3. Modify security role mapping for the FileNet Collaboration Services application as follows:
    1. Continuing in the WebSphere Administration console, navigate to Applications > WebSphere Enterprise Applications > Navigator.
    2. Click Security role to user/group mapping.
    3. Select the Authenticated option and then select Map Special Subjects and Everyone.
    4. Click OK to save your changes.
  4. Install the authentication filter code as follows:
    1. In WebSphere Administration console navigate to WebSphere Enterprise Applications.
    2. Select the FileNet Collaboration Services option.
    3. Click Update.
    4. For Application update options, select the Replace, add, or delete multiple files option.
    5. Select local file system if you are running the browser on the Deployment Manager node and then locate the auth_filter_patch.zip file at <connections_install_root>/ccm/ccm/ccm/auth_filter_patch/auth_filter_patch.zip. If the browser is not running on the Deployment Manager (DM) node, then select remote file system and choose the DM file system, locating the auth_filter_patch.zip file at the path previously stated.
    6. Click Next and OK to update the application.
  5. Click Applications > WebSphere enterprise applications > Navigator > User RunAs roles.
  6. Select the Anonymous role and enter the username and password of the LDAP user who is designated for the anonymous access role.
  7. Click Apply and then click OK to save.
  8. Click Save.
  9. Resynchronize nodes with the master configuration. For details, refer to Synchronizing nodes.
  10. Open the Administration Console for Content Platform Engine (ACCE) and expand the Object Stores node on the side navigation tree.
  11. Right-click ICObjectStore, the object you want to configure, and then click Open.
  12. Select Search, click New Object Store Search, select Collaboration Configuration in the Class menu, and then click Run. A single result object displays after you select OK for any warnings.
  13. Click the object and then click Properties.
  14. On the Properties tab, click the Property Value cell for Download Count Anonymous User Ids, which displays a dropdown menu.
  15. Select Edit list, add the user into the list, and then select it from the dropdown menu. The user must be the same user that you provided for the User RunAs roles in the WebSphere Application Server Integrated Solutions Console in step 2; however, the SID of the user must be provided instead of the user name. To understand how SID values are created, refer to Generating SID values.
  16. Click Close.

Disabling anonymous access

About this task

There are situations where you need to disable anonymous access. For example, if you want to allow external users to participate in your Connections communities, then anonymous access must be disabled for all of Connections, including Connections Content Manager. You can also disable anonymous access if you want to force users to log in before accessing content.

Procedure

  1. Modify security role mapping for the FileNet Collaboration Services application as follows:
    1. Continuing in the WebSphere Administration console, navigate to Applications > WebSphere Enterprise Applications > Navigator.
    2. Click Security role to user/group mapping.
    3. Select the Authenticated option and then select Map Special Subjects and All Authenticated in Application's Realm.
    4. Click OK to save your changes.
  2. Click Applications > WebSphere Enterprise Applications > Navigator > User RunAs roles.
  3. Select the Anonymous role.
  4. Click Remove and then click OK to save.
  5. Click Save.
  6. Resynchronize nodes with the master configuration. For details, refer to Synchronizing nodes.
  7. Open the Administration Console for Content Platform Engine (ACCE) and expand the Object Stores node on the side navigation tree.
  8. Right-click ICObjectStore, the object you want to configure, and then click Open.
  9. Select Search, click New Object Store Search, select Collaboration Configuration in the Class menu, and then click Run.
  10. Click the object and then click Properties.
  11. On the Properties tab, click the Property Value cell for Download Count Anonymous User Ids, which displays a dropdown menu.
  12. Select Edit list to remove the user from the list. The user to be removed must be the same user that you previously provided for the User RunAs roles in the WebSphere Application Server Integrated Solutions Console in step 2; however, the SID of the user must be provided instead of the user name.
    • To confirm that you are removing the correct value, and understand how SID values are created, refer to Generating SID values.
    • To remove the user, select the appropriate user from the list and click Remove. Click OK to confirm, click OK again to close the edit dialog, and then click Save to preserve the changes.
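
The enable and disable procedures each change the same three settings (the Authenticated role mapping, the Anonymous RunAs user, and the Download Count Anonymous User Ids list), so a half-applied procedure leaves them disagreeing. The following check is an added example, not IBM code: it assumes you have saved the wsadmin AdminApp.view text for the -MapRolesToUsers and -MapRunAsRolesToUsers tasks and copied the SID list from ACCE by hand. The field labels, function names and sample values are assumptions.

```python
import re

# Constructed sample text, modelled on wsadmin AdminApp.view output for the
# -MapRolesToUsers and -MapRunAsRolesToUsers tasks. The field labels are an
# assumption: adjust them to what your console prints.
ROLES_DUMP = """\
Role:  Authenticated
Everyone?:  Yes
All authenticated?:  No
"""
RUNAS_DUMP = """\
Role:  Anonymous
User name:
"""

def parse_records(text):
    """Turn a 'Label:  value' dump into {role name: {label: value}}."""
    records, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\??:\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if key == "role":
            current = records.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return records

def audit(roles_dump, runas_dump, anon_sids, want_anonymous):
    """List settings that disagree with the intended anonymous-access state."""
    role = parse_records(roles_dump).get("Authenticated", {})
    runas = parse_records(runas_dump).get("Anonymous", {})
    observed = {
        "Authenticated role mapped to Everyone": role.get("everyone", "").lower() == "yes",
        "Anonymous RunAs role has a user": bool(runas.get("user name")),
        "Download Count Anonymous User Ids lists a SID": bool(anon_sids),
    }
    # Enabled means all three are set; disabled means none are. Anything
    # in between is a half-applied procedure.
    return [f"{name}: expected {want_anonymous}, found {state}"
            for name, state in observed.items() if state != want_anonymous]

if __name__ == "__main__":
    # Constructed case: RunAs user removed, role mapping and SID left in place.
    for finding in audit(ROLES_DUMP, RUNAS_DUMP, ["S-1-5-21-EXAMPLE"], False):
        print(finding)
```

Run it after node synchronization with want_anonymous set to the state you intended; an empty result means the three settings agree.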