Properties File: wkplc.properties
About the properties file
When specifying values:
- Do NOT enclose any value in quotes. This will cause a failure in the configuration tasks.
- Windows paths must use a forward slash (/) instead of a backward slash. A backward slash is an escaped character.
- Windows long paths are acceptable.
- Properties are immutable. Once set, they cannot be changed when a configuration task is running.
-
Property values can be defined in three ways: on the command line, in this property file, and in a build file. The configuration task uses the following order to determine the property value:
- First the task checks the command line values, so specifying (-DMyNode=somenode) takes precedence.
- Second, the task checks the property file values.
- Third, the task checks the build file property values.
-
WasSoapPort
-
Description
The port used to connect to the WebSphere Application Server with remote connections.
-
Default value
10005
-
Examples
None available
-
-
WasRemoteHostName
-
Description
The host name of the remote server that connects to WebSphere Application Server. Enter the host name including the domain, such as my_host_name.mydomain.com
-
Default value
@your_host_name@
-
Examples
:
-
-
RegistrySynchronized
-
Description
Tells the system if the registry is synchronized or not. This value should never be modified unless a forced synchronization is necessary.
-
Valid values
true
false
-
Default value
true
-
Examples
None available
-
General properties
2.1. WebSphere Application Server properties
Provide information about the WebSphere Application Server used in the WebSphere Portal stack.
-
VirtualHostName
-
Description
The name of the WebSphere Application Server virtual host.
-
Default value
default_host
-
Examples
None available
-
-
WasUserid
-
Description
User ID that is used for WebSphere Application Server security authentication. Type the value in lower case, regardless of the case used in the distinguished name (DN).
For an LDAP configuration:
- The ID cannot contain spaces
- The ID is the fully qualified distinguished name (DN) of a current administrative user for the WebSphere Application Server. For a configuration using a Virtual Manager User Registry database, the short version of the distinguished name must be used.
-
Default value
wpsadmin
-
Examples
None available
-
-
WasPassword
-
Description
The password for the user ID specified for WebSphere Application Server security authentication. If you use the command line interface, the password can be specified in this file or you can provide the password using the -DWasPassword parameter.
-
Default value
No default value
-
Examples
None available
-
-
WasHome
-
Description
Type the directory path to where WebSphere Application Server product files are installed. You must use forward slashes (/) to delimit elements in the path.
-
Default value
@was.root@
-
Examples
-
AIX: /usr/IBM/WebSphere/AppServer
-
Linux: /opt/IBM/WebSphere/AppServer
-
Windows: c:/Program_Files/IBM/WebSphere/AppServer
-
-
-
WasUserHome
-
Description
The directory where WebSphere Application Server user data (profile) is created. The installation program sets this value based on user information that is provided during installation. You must use forward slashes (/) to delimit elements in the path.
-
Default value
@was.user.root@
-
Examples
-
AIX: /usr/WebSphere/wp_profile
-
Linux: /opt/WebSphere/wp_profile
-
Windows: c:/WebSphere/wp_profile
-
-
-
CellName
-
Description
The name of the WebSphere Application Server cell where the application server is located.
-
Default value
@CellName@
-
Examples
None available
-
-
NodeName
-
Description
The node within the WebSphere Application Server cell where the WebSphere Application Server is located. This value must be unique among other node names in the same cell. Typically this value is the same as the host name for the computer.
-
Default value
@NodeName@
-
Examples
None available
-
-
ServerName
-
Description
The name of the application server where the HCL Portal application is deployed. This value must be unique among other application server names in the same cell.
-
Default value
WebSphere_Portal
-
Examples
None available
-
-
WasAdminServer
-
Description
The name of the application server for administration.
-
Default value
server1
-
Examples
: server1
-
-
LTPAPassword
-
Description
This value specifies the password to encrypt and decrypt the LTPA keys.
-
Default value
No default value
-
Examples
None available
-
2.2. HCL Portal configuration properties
Provide basic information about HCL Portal, such as installation directory, ports numbers, user IDs and passwords, and more.
-
WpsInstallLocation
-
Description
The directory where HCL Portal is installed. You must use forward slashes (/) to delimit elements in the path.
-
Default value
/usr/IBM/WebSphere/PortalServer
/opt/IBM/WebSphere/PortalServer
c:/IBM/WebSphere/PortalServer
-
Examples
AIX: /usr/IBM/WebSphere/PortalServer
Linux: /opt/IBM/WebSphere/PortalServer
Windows: c:/IBM/WebSphere/PortalServer
-
-
WpsHostName
-
Description
The fully qualified HCL Portal host name. This value is set by the installation program based on user input during installation.
-
Default value
localhost
-
Examples
:
-
-
WpsHostPort
-
Description
The transport port number used to access the host machine identified by the WpsHostName property.
-
Default value
80
-
Examples
80
-
-
PortalAdminId
-
Description
This ID is the short name for the initial HCL Portal administrator user account. This name is used to create a full Distinguished Name (DN), which is used to create an account in the WIM file-based repository. If the ID includes spaces, then you must take extra steps to enter it on the command line by using the -D parameter.
(UNIX only)For command line tasks, if you provide the ID by using the -D parameter, some tasks require that you enter the fully qualified user DN. If your fully qualified user DN contains a space, you cannot provide the DN using the -D parameter. For example, if your DN is
cn=wpsadmin,cn=users,o=Software Group,dc=yourco,dc=com,
then you must place the DN in the properties file or a parent properties file. If you create a parent properties file named mysecurity.properties, they you would run the following command: ./ConfigEngine.sh task_name -DparentProperties=/opt/mysecurity.properties.(Windows only)For command prompt tasks, if you provide the ID by using the -D parameter, some tasks require that you enter the fully qualified DN. If your fully qualified user DN contains a space, then you must place quotations around the fully qualified user DN in the command. An example of a DN with spaces is:
cn=wpsadmin,cn=users,o=Software Group,dc=yourco,dc=com,
An example of the DN provided using the -D parameter is: ConfigEngine.bat task_name -DuserID="cn=wpsadmin,cn=users,o=Software Group,dc=yourco,dc=com"A valid user ID contains only ASCII characters and can contain the following characters:
- Lowercase characters {a-z} and uppercase characters {A-Z}
- Numbers {0-9}
- Exclamation point {!}, Hyphen {-}, period {.}, question mark {?}, accent grave {`}, tilde {~} Open parenthesis {(}, and
- close parenthesis {)}
- Open bracket {[} and close bracket {]}
-
Default value
wpsadmin
-
Examples
None available
-
-
PortalAdminPwd
-
Description
The initial password for the HCL Portal administrator ID. The password cannot contain spaces. The password cannot be longer than 128 characters.
A valid password contains only ASCII characters and can contain the following characters:
- Lowercase characters {a-z} and uppercase characters {A-Z}
- Numbers {0-9}
- Exclamation point {!}, Hyphen {-}, period {.}, question mark {?}, accent grave {`}, tilde {~} Open parenthesis {(}, and
- close parenthesis {)}
- Open bracket {[} and close bracket {]}
- Underscore {_}
- Default value
No default value
-
Examples
None available
-
-
PortalAdminGroupId
-
Description
The fully qualified Distinguished Name (DN) for the HCL Portal Administrator group. Type the value in lowercase, regardless of the case that is used in the DN.
-
Default value
wpsadmins
-
Examples
Windows Active Directory: cn=,cn=groups,dc=yourco,dc=com
Windows Active Directory-Lightweight-Directory-Services: cn=,cn=groups,dc=yourco,dc=com
Custom user registry: cn=wpsadmins,o=default organization
IBM Tivoli Directory Server: cn=,cn=groups,dc=yourco,dc=com
HCL Domino: cn=
Oracle Directory Server: cn=,ou=groups,o=yourco.com
Novell eDirectory: cn=,ou=groups,o=yourco.com
Development configuration without security: wpsadmins
-
-
PortalUniqueID
-
Description
The value is used for the object ID creation mechanism and must be different for each node. The ID is 12 hex digits that are unique to this HCL Portal instance. It is usually a MAC address from a communications adapter on this node. Only nodes that run in one server can have the same PortalUniqeID.
-
Default value
00054E48AA0C
-
Examples
None available
-
-
WpsContextRoot
-
Description
The value of this property is part of the URL that is used to access HCL Portal from a browser. Valid characters are alphabetic and numeric including underscore, forward slash, and dash. The value entered may contain forward slashes but may not start with a forward slash. Leave the Context root and Default home fields blank to remove the context root information. Or, modify the fields by adding a new context root and default home. Example URL if the context root is wps:
http://localhost:80/wps/portal
. -
Default value
wps
-
Examples
Context root: : wps
-
-
WpsHostBasePort
-
Description
Specify the port block to use for HCL Portal Server.
-
Default value
10000
-
Examples
None available
-
-
SMFLibrary
-
Description
The library where the ifaedjreg.jar file resides
-
Default value
No default value
-
Examples
None available
-
-
SMFNativeLibrary
-
Description
The library where the SMF DLLs reside.
-
Default value
No default value
-
Examples
None available
-
-
ServerShortName
-
Description
The server's jobname, as specified in the MVS START command JOBNAME parameter. JOBNAME is the name of the task or script that runs when the server is running. MVS (Multiple Virtual Storage) is the name of the operating system that runs on the mainframe. The value is passed as a parameter to the server's start procedures to specify the location of the server's configuration files and identify the server to certain WebSphere for z/OS- exploited z/OS facilities (for example, SAF). The name must be seven or fewer characters and all uppercase.
-
Default value
BBOS002
-
Examples
: SAF
-
-
ClusterTransitionName
-
Description
The cluster transition name of the WLM APPLENV (WLM application environment) name for this server. The name must be eight or fewer characters and all uppercase.
-
Default value
BBOC002
-
Examples
None available
-
-
WpsSMPEHomeDirectory
-
Description
The location of the SMP/E installation image for the HCL Portal SMP/E package.
-
Default value
No default value
-
Examples
None available
-
-
TransferDomainList
-
Description
Required for database transfer The list of database 'domains' that will be transferred by the database-transfer process. This value should not be altered unless you want to include or exclude specific domains from the transfer process. If you need to enter multiple values, use a comma to separate each value, for example "value1,value2".
-
Valid values
release
community
customization
jcr
feedback
likeminds
-
Default value
release,community,customization,jcr,feedback,likeminds
-
Examples
None available
-
HCL Portal cluster properties
The following properties are used if you have a clustered environment.
-
ClusterName
-
Description
Type a name for your cluster. Do not use spaces or special characters in the cluster name.
-
Default value
PortalCluster
-
Examples
None available
-
-
PushFrequency
-
Description
Specify the time, in seconds, to wait before pushing new or modified cache entries to other servers. Enter a value of 1 or greater.
-
Default value
1
-
Examples
None available
-
-
ReplicationType
-
Description
Set the global sharing policy for this application server. Type NONE if you do not want to share cache among different application servers. Only invalidation events are shared among servers in the replication domain. NONE is the equivalent of NOT_SHARED in the WebSphere Application Server Integrated Solutions Console.
Type PUSH to share cache. Cache insertions, both the cache ID and the content, are distributed to other nodes in the cluster as they are inserted into the cache on any node.
Type PUSH_PULL to share the cache ID but not the cache content. Cache content is pulled by other servers as needed.
-
Valid values
NONE
PUSH
PUSH_PULL
-
Default value
NONE
-
Examples
None available
-
-
PrimaryNode
-
Description
Set the value to true if you are on the primary node and to run tasks on the primary node. Set the value to false if you are on a secondary node and to run tasks on secondary nodes.
-
Valid values
true
false
-
Default value
true
-
Examples
None available
-
Step-up authentication properties
Step-up authentication allows for different types of authentication, with different trust levels or "strength of authentication". Different pages and portlets can be configured to require different trust levels in order to access those pages and portlets.
-
sua_user
-
Description
The key that is used to encrypt the Cookie information. The value does not need to match to a real user.
-
Default value
No default value
-
Examples
: myname
-
-
sua_serversecret_password
-
Description
The encryption key for the information used in the RememberMe cookie, which is part of the step-up authentication. This does not need to be an existing password. For example, you can use mypassword as the value.
-
Default value
No default value
-
Examples
None available
-
-
enable_rememberme
-
Description
This value defines if the Remember me cookie should be enabled when the enable-stepup-authentication task is run.
-
Valid values
true
false
-
Default value
true
-
Examples
None available
-
-
disable_rememberme
-
Description
This value defines if the Remember me cookie should be disabled when the disable-stepup-authentication task is run.
-
Valid values
true
false
-
Default value
true
-
Examples
None available
-
Virtual portal configuration properties
Configuration tasks that use the virtual portal configuration properties include: create-virtual-portal, delete-virtual-portal, modify-virtual-portal, list-all-virtual-portals
-
VirtualPortalTitle
-
Description
If you are creating a virtual portal, enter the name of the new virtual portal. If you are deleting or modifying a virtual portal, enter the name of virtual portal to delete or modify.
-
Default value
No default value
-
Examples
None available
-
-
VirtualPortalRealm
-
Description
Type the realm to use for the virtual portal that you defined for the VirtualPortalTitle property.
-
Default value
No default value
-
Examples
None available
-
-
VirtualPortalHostName
-
Description
Type the DNS of the virtual portal. The virtual portal can be referenced by the DNS name instead of the URL prefix. When the value is left blank, a virtual portal uses the common DNS name for all portals.
-
Default value
No default value
-
Examples
None available
-
-
VirtualPortalContext
-
Description
Type the unique portal context that must be provided for the Virtual Portal. If you set the host name parameter (VirtualPortalHostName), the portal context is ignored. A virtual portal can either be accessed by a DNS/Host name or a URL prefix. When both a DNS/Host name and URL prefix are provided, the DNS/Host name is used for VirtualPortalContext.
-
Default value
No default value
-
Examples
None available
-
-
VirtualPortalNlsFile
-
Description
Optional: Create a globalization file to specify titles and descriptions in other languages for your virtual portal. If you do not specify a globalization file, the system creates the virtual portal with the title that you specified for the VirtualPortalTitle parameter. Titles and descriptions are not created for other languages. Type the path and filename of an NLS file which contains language specific information for the Virtual Portal.
The virtual portal title that is defined in the in the national language support (NLS) file, also called globalization file, overrides the value that you provide for the VirtualPortalTitle property. If you want to create a description for the virtual portal, you must specify it in the globalization file.
If you want to modify the title or description of the Virtual Portal, you have to add the new title and description to the globalization file.
Do not use prefixes in that globalization file.
-
Default value
No default value
-
Examples
None available
-
-
VirtualPortalObjectId
-
Description
The object ID of the virtual portal. The object ID is required to modify and delete virtual portals. To determine object ID, run the following task: list-all-virtual-portals. Do not delete the default virtual portal. The object ID for the default Virtual Portal ends with _0.
-
Default value
No default value
-
Examples
None available
-
General security properties
-
ignoreDuplicateIDs
-
Description
Set this value to true to recover from an incomplete LDAP repository creation if the repository cannot be deleted.
-
Valid values
true
false
-
Default value
false
-
Examples
None available
-
-
trimSpaces
-
Description
Set this value to false and add the attribute to the security ANT target in order to contain trailing spaces of attributes defined in this file. Set the value to true and the system will remove spaces in any of the values you have specified.
-
Valid values
true
false
-
Default value
true
-
Examples
None available
-
Federated security properties
7.1. Add or update an LDAP
Use the properties in this section to create (wp-create-ldap) or update (wp-update-federated-ldap) the LDAP configuration in WebSphere identity manager (WIM). If you are updating the LDAP configuration, the federated.ldap.id and federated.ldap.host must match the repository that you want to update.
-
federated.ldap.id
-
Description
Specify a unique identifier for the repository within the cell. For the task wp-create-ldap, the ID can be an arbitrary string to name the new repository definition. For the task wp-update-federated-ldap, the ID must be the ID of the existing repository definition that you want to update.
Characters that are not allowed in normal XML strings cannot be used in the repository ID. The ID can contain only the following characters: Alphanumeric (a-z, A-Z, 0-9), dash (-), and underscore (). It cannot start or end with a dash (-) or an underscore (), and must be a minimum of 3 characters and a maximum of 36 characters in length.
-
Default value
No default value
-
Examples
: myldapid
-
-
federated.ldap.host
-
Description
Specify the host name of the primary LDAP server. Type either an IP address or a domain name service (DNS) name. If multiple load-balanced LDAP servers are in use, enter the host name of the load balancer. During an update, the value of federated.ldap.host must match the LDAP host name of the existing repository that is named by the federated.ldap.id property NOTE: It is not possible to use the wp-update-federated-ldap task to change the host name of an existing LDAP repository definition. To do that, you must delete the old repository definition and add a repository definition by running the wp-create-ldap task again.
-
Default value
No default value
-
Examples
: ..com
-
-
federated.ldap.port
-
Description
Type the LDAP server port. Typically, port values for the LDAP protocol are 389 for non-encrypted traffic, and 636 for encrypted traffic.
-
Default value
federated.ldap.sslEnabled=false: 389
federated.ldap.sslEnabled=true: 636
Otherwise: 389
-
Examples
None available
-
-
federated.ldap.bindDN
- Description
-
Default value
No default value
-
Examples
Windows Active Directory: cn=administrator,cn=users,dc=domain,dc=yourco,dc=com
Windows Active Directory-Lightweight-Directory-Services: cn=administrator,cn=users,dc=domain,dc=yourco,dc=com
Custom: cn=user,dc=yourco,dc=com or uid=user,dc=yourco,dc=com
IBM Tivoli Directory Server: cn=root
Domino LDAP: cn=username
Oracle Directory Server: cn=Directory Manager
Novell eDirectory: cn=administrator,ou=yourorganization,o=yourco
IBM Directory Server: uid=wpsadmin,cn=users,dc=yourco,dc=com
-
federated.ldap.bindPassword
-
Description
Type the password for the federated.ldap.bindDN user account.
-
Default value
No default value
-
Examples
None available
-
-
federated.ldap.ldapServerType
-
Description
Type the value for the LDAP server to integrate with.
-
Valid values
AD
ADAM
CUSTOM
DOMINO
IDS6
ZOSDS
NDS
SUNONE
-
Default value
IDS6
-
Examples
Microsoft Active Directory: AD
Microsoft Active Directory - Lightweight Directory Services: ADAM
Custom: CUSTOM
HCL Domino: DOMINO
IBM Tivoli Directory Server: IDS6
IBM Tivoli Directory Server for z/OS: ZOSDS
Novell eDirectory: NDS
Oracle Directory Server or SunOne: SUNONE
-
-
federated.ldap.baseDN
-
Description
Specify the point in the LDAP directory information tree (DIT) that serves as the "root" of the portal server's view. HCL Portal has visibility only of users and groups that are descendant's of this point in the DIT.
-
Default value
No default value
-
Examples
: dc=yourco,dc=com
-
7.1.1. Group and PersonAccount entity types
This section contains properties that tell WIM and Portal about the objectclasses and other LDAP attributes of the entity types. The supported entity types for Portal are Group and PersonAccount. WIM supports additional entity types, but Portal does not make use of them. The properties that are important for the 2 entity types are:
- Group entity type:
- default objectClasses = groupOfNames
- default objectClassesForCreate = groupOfNames
- default searchFilter =<empty>
- default searchBases = <empty>
- PersonAccount entity type:
- default objectClasses = inetOrgPerson
- default objectClassesForCreate = inetOrgPerson
- default searchFilter = <empty>
- default searchBases = <empty>
7.1.2. LDAP properties for Group member attributes
Provide information used to add or update your federated LDAP Group entity type.
-
federated.ldap.et.group.objectClasses
-
Description
Specify one or more object classes for the group entity type. Separate multiple object classes with a semicolon(;). Use object classes that are unique to groups only. If there are both users and groups with an objectclass of 'top', then you cannot use the object class 'top' here.
-
Default value
federated.ldap.ldapServerType=IDS6: groupOfUniqueNames
federated.ldap.ldapServerType=AD: group
federated.ldap.ldapServerType=ADAM: group
federated.ldap.ldapServerType=DOMINO: dominoGroup
federated.ldap.ldapServerType=SUNONE: groupOfUniqueNames
federated.ldap.ldapServerType=SUNONE: groupOfUniqueNames
federated.ldap.ldapServerType=NDS: groupOfNames
Otherwise: groupOfUniqueNames
-
Examples
IBM Tivoli Directory Server: groupOfUniqueNames
Microsoft Active Directory: group
Microsoft Active Directory - Lightweight Directory Services: group
HCL Domino: dominoGroup
Oracle Directory Server: groupOfUniqueNames
SunOne: groupOfUniqueNames
Novell eDirectory: groupOfNames
-
-
federated.ldap.et.group.objectClassesForCreate
-
Description
Type one or more object classes to use when an entity type is created. Separate multiple object classes with a semicolon(;). If the value of this property is the same as the federated.ldap.et.group.objectClasses property, then you do not need to type a value for this property. If your LDAP is read-only, meaning portal is not allowed to write to it, then you do not need to type a value for this property.
Type one or more object classes to use when an entity type is created. Separate multiple object classes with a semicolon(;).
If the value of this field is the same as the LDAP group objectclasses, then leave this field empty.
If your LDAP is read-only, meaning portal is not allowed to write to it, then leave this field empty.
-
Default value
No default value
-
Examples
(Multiple group objectClasses): groupOfUniqueNames;myPortalObjectClass
-
-
federated.ldap.et.group.searchFilter
-
Description
WIM uses this filter during search requests for groups to your LDAP Server. Leave this property value blank, unless your LDAP group definitions are unusually complex. If the property value is blank, WIM dynamically formulates the filter that is based on the directory type and the objectclasses set for the entity type.
For example, if the objectclass of the group entity is "groupOfUniqueNames" and the naming attribute for a group is "cn", then the default filter would be:
(&(cn=*)(objectClass=groupOfUniqueNames))
If you do need to specify the search filter for WIM to use to search for groups, the syntax is like a standard LDAP search filter.
-
Default value
No default value
-
Examples
: (&(cn=*)(objectClass=myCustomGroupObjectClass))
-
-
federated.ldap.et.group.searchBases
-
Description
WIM performs a search operation for each search base that you enter, which affects performance. Minimize the number of search bases. Leave the value blank and WIM uses the baseEntries as the search bases that are configured for this repository. Specify one or more search bases if you need to limit where WIM searches for groups to the portion of the subtree below the baseEntries. For example, if the baseEntries are high up in the LDAP tree and a search returns results that should not be included. Separate multiple search bases with a semicolon (;).
If you use the portal configuration tools, it is only possible to create one base entry as specified by the federated.ldap.baseDN property. However, WebSphere Application Server allows multiple base entries per repository definition.
For multiple virtual portal environment, the realm definition of the virtual portal overwrites the searchBase for the objectType. To ensure that virtual portals without realm assignments remain functional, keep the search base in sync with the nodes where you want the search to start.
-
Default value
No default value
-
Examples
Multiple group search bases: "cn=groups1,dc=yourco,dc=com;cn=groups2,dc=yourco,dc=com"
-
-
federated.ldap.et.personaccount.objectClasses
-
Description
Type one or more object classes for the entity type. Use object classes that are unique to users. If there are both users and groups with an objectclass of 'top', then you cannot use the object class 'top' here. Separate multiple object classes with a semicolon (;).
-
Default value
federated.ldap.ldapServerType=IDS6: inetOrgPerson
federated.ldap.ldapServerType=AD: user
federated.ldap.ldapServerType=ADAM: user
federated.ldap.ldapServerType=DOMINO: dominoPerson
federated.ldap.ldapServerType=SUNONE: inetOrgPerson
federated.ldap.ldapServerType=SUNONE: inetOrgPerson
federated.ldap.ldapServerType=NDS: inetOrgPerson
Otherwise: inetorgperson
-
Examples
IBM Tivoli Directory Server: inetOrgPerson
Microsoft Active Directory: user
Microsoft Active Directory - Lightweight Directory Services: user
HCL Domino: dominoPerson
Oracle Directory Server: inetOrgPerson
SunOne: inetOrgPerson
Novell eDirectory: inetOrgPerson
-
-
federated.ldap.et.personaccount.objectClassesForCreate
-
Description
Specify one or more object classes to use when an entity type is created. If the value of this property is the same as the federated.ldap.et.personaccount.objectClasses property, leave this value blank. If your LDAP is read-only, meaning portal is not allowed to it, leave this value blank. Separate multiple object classes with a semicolon(;).
-
Default value
No default value
-
Examples
Multiple PersonAccount objectClasses: inetOrgPerson;myPortalObjectClass
-
-
federated.ldap.et.personaccount.searchFilter
-
Description
WIM uses this filter during search requests for groups to your LDAP Server. Leave this property value blank, unless your LDAP group definitions are unusually complex. If the property value is blank, WIM dynamically formulates the filter that is based on the directory type and the objectclasses set for the entity type.
For example, if the objectclass of the PersonAccount entity is "inetOrgPerson" and the naming attribute for a user is "uid" then the default filter would be:
(&(uid=*)(objectClass=inetOrgPerson))
If you do need to specify the search filter for WIM to use to search for groups, the syntax is like a standard LDAP search filter.
-
Default value
No default value
-
Examples
: (&(cn=*)(objectClass=myCustomPersonAccountObjectClass))
-
-
federated.ldap.et.personaccount.searchBases
-
Description
WIM performs a search operation for each search base that you enter, which affects performance. Minimize the number of search bases. Leave the value blank and WIM uses the baseEntries as the search bases that are configured for this repository. Specify one or more search bases if you need to limit where WIM searches for groups to the portion of the subtree below the baseEntries. For example, if the baseEntries are high up in the LDAP tree and a search returns results that should not be included. Separate multiple search bases with a semicolon (;).
If you use the portal configuration tools, it is only possible to create one base entry as specified by the federated.ldap.baseDN property. However, WebSphere Application Server allows multiple base entries per repository definition.
For multiple virtual portal environment, the realm definition of the virtual portal overwrites the searchBase for the objectType. To ensure that virtual portals without realm assignments remain functional, keep the search base in sync with the nodes where you want the search to start.
-
Default value
No default value
-
Examples
Multiple PersonAccount search bases: "cn=users1,dc=yourco,dc=com;cn=users2,dc=yourco,dc=com"
-
-
federated.ldap.gm.groupMemberName
-
Description
Type the LDAP attribute that is used as the group member attribute. This is the attribute within the group object that lists the members of that group.
-
Default value
federated.ldap.ldapServerType=AD: member
federated.ldap.ldapServerType=ADAM: member
Otherwise: uniqueMember
-
Examples
For groups of objectclass groupOfUniqueNames: uniqueMember
For groups of objectclass groupOfNames: member
-
-
federated.ldap.gm.objectClass
-
Description
Type the group object class that contains the member attribute. If you do not enter a group object class, the member attribute applies to all group object classes.
-
Default value
federated.ldap.ldapServerType=AD: group
federated.ldap.ldapServerType=ADAM: group
Otherwise: groupOfUniqueNames
-
Examples
: groupOfNames
: groupOfUniqueNames
: group
-
-
federated.ldap.gm.scope
-
Description
Set the scope of the member attribute. This is similar to the scope setting for the membership attribute (which is the attribute on the user object that tells what groups the user is a member of), but in this case it tells WIM about the scope of the member record in the group object that tells what users are members of the group. Set the value to direct if the LDAP member attribute in your LDAP server's group objects contains direct members only. Set the value to nested if the LDAP member attribute in your LDAP server's group objects contains direct members and nested members. Note: It is very unusual for this to be anything other than "direct".
-
Valid values
direct
nested
-
Default value
direct
-
Examples
None available
-
-
federated.ldap.gm.dummyMember
-
Description
Many directory servers do not allow the creation of an empty group, meaning a group with no members. A dummy member enables group creation without requiring the creator to specify the first group member at the same time. When a group is created, a dummy member is created to satisfy the directory requirement. For Novell eDirectory, Oracle Directory Server, and Windows Active Directory the dummy member must be empty or point to an existing entry in the LDAP.
-
Default value
federated.ldap.ldapServerType=AD:
federated.ldap.ldapServerType=ADAM:
federated.ldap.ldapServerType=SUNONE:
federated.ldap.ldapServerType=NDS:
Otherwise: uid=dummy
-
Examples
None available
-
7.1.3. Advanced properties for Group configuration
Provide information that is used to add or update your federated LDAP user registry. The properties in this section are not always needed, depending on how your LDAP user registry is set up and your particular use cases. The federated.ldap.gc.name, federated.ldap.gc.updateGroupMembership, and federated.ldap.gc.scope properties can be set before you run the wp-create-ldap task initially. Or, the group configuration can be added to an existing registry instance by setting the gc.ldap.id, gc.name, gc.scope, and gc.updateGroupMembership properties and running the wp-create-ldap-groupconfig task.
-
federated.ldap.gc.name
-
Description
A membership attribute is an alternative way of getting group membership information from the LDAP user registry. Leave the field empty if your LDAP does not support the group membership attribute.
Type the LDAP name of an attribute or virtual attribute in a user object that lists the groups of which that user is a member.
A membership attribute is an attribute within the user object that contains the list of groups that the user is a member of. Many LDAP registries support the group memebership attribute. Also, each user registry implements the group membership attribute differently.
In some cases, the membership attribute is not persisted with the user record. Instead, it is calculated on demand.
In some cases, the membership attribute includes all groups, such as nested groups, dynamic groups, and static groups. If your LDAP implementation includes all groups memberships, then it is more efficient to use a membership attribute instead of manually requesting the information from a client. For more information about when to use the attribute, see the federated.ldap.gc.scope property.
You do not need to use nested or dynamic groups to use a membership attribute. If your directory uses only non-nested, static group memberships, use the standard group membership query method.
-
Default value
federated.ldap.ldapServerType=IDS6: ibm-allGroups
federated.ldap.ldapServerType=AD: memberOf
federated.ldap.ldapServerType=ADAM: memberOf
federated.ldap.ldapServerType=DOMINO: dominoAccessGroups
federated.ldap.ldapServerType=SUNONE: isMemberOf
federated.ldap.ldapServerType=NDS: groupMembership
federated.ldap.ldapServerType=ZOSDS: ibm-allGroups
-
Examples
IBM Tivoli Directory Server: ibm-allGroups
Microsoft Active Directory: memberOf
Microsoft Active Directory - Lightweight Directory Services: memberOf
HCL Domino: dominoAccessGroups
Oracle Directory Server: isMemberOf
SunOne (versions prior to 6.3): nsrole
Novell eDirectory: groupMembership
-
-
federated.ldap.gc.updateGroupMembership
-
Description
Updates the group membership if the member is deleted or renamed. Some LDAP servers, such as HCL Domino, do not clean up the membership of the user when a user is deleted or renamed. If you choose an LDAP server that does not clean up memberships, then the value of this property is set to true to enable membership cleanup.
-
Valid values
true
false
-
Default value
false
-
Examples
None available
-
-
federated.ldap.gc.scope
-
Description
This property tells WIM how much information the LDAP server returns when portal requests the group membership attribute value for a user object.
Set the value to all if the membership attribute contains a complete list of all possible group memberships for a user, already including consideration for group nesting, dynamic memberships, and static direct group memberships.
Set the value to direct if the membership attribute contains only direct static group memberships, but not dynamic or nested group memberships.
Set the value to nested if the membership attribute contains both direct static memberships and memberships from groups that are nested within other groups. Dynamic group memberships are not included. You can configure WIM to additionally resolve dynamic group memberships. To configure dynamic group support, you must use the Integrated Solutions Console.
The Virtual Member Manager (WIM) component within WebSphere Application Server uses this setting to determine what it needs to do to build a sufficiently complete list of group memberships for a user. Setting this parameter to accurately reflect your LDAP registry is important for both performance and correct operation. If your LDAP provides a complete set of group memberships, including nested groups, dynamic groups, and static direct groups, set the scope attribute to all. Otherwise, WIM redundantly resolves the nested group memberships.
Conversely, if your registry provides only direct group memberships, but group nesting is used in your application and directory, then set the scope property to direct. Otherwise, WIM fails to do the required work that is needed to complete the group membership list. As a result the full set of groups necessary for the application to operate correctly is not available.
Portal asks WIM to retrieve nested group membership information from the LDAP registry. If your security policy and LDAP registry are not set up to use nested groups, then set accessControlDataManagement.enableNestedGroups to false in the Access Control Data Management Service.
-
Valid values
all
direct
nested
-
Default value
direct
-
Examples
None available
-
-
federated.ldap.adapterClassName
-
Description
The implementation class name for the repository adapter.
-
Default value
com.ibm.ws.wim.adapter.ldap.LdapAdapter
-
Examples
None available
-
-
federated.ldap.supportSorting
-
Description
This value indicates if sorting is supported or not.
-
Valid values
true
false
-
Default value
false
-
Examples
None available
-
-
federated.ldap.supportTransactions
-
Description
This value indicates if transactions are supported or not.
-
Valid values
true
false
-
Default value
false
-
Examples
None available
-
-
federated.ldap.isExtIdUnique
-
Description
Specify if the external ID is unique.
-
Valid values
true
false
-
Default value
true
-
Examples
None available
-
-
federated.ldap.supportExternalName
-
Description
Specifies if external names are supported or not.
-
Valid values
true
false
-
Default value
false
-
Examples
None available
-
-
federated.ldap.sslEnabled
-
Description
Specify whether secure socket communication is enabled to the LDAP server. If you set the value to true, SSL settings for LDAP are used.
-
Valid values
true
false
-
Default value
false
-
Examples
None available
-
-
federated.ldap.sslConfiguration
-
Description
If you choose to use SSL for your LDAP server connection, you can use this field to specify a WebSphere Application Server security configuration other than the default, for the encryption setup. To find SSL configuration names open the Integrated Solutions Console and go to Security->SSL certificate and key management, and under Related Items, select SSL configurations. If you leave the value blank, then the default SSL configuration set in WebSphere Application Server is used.
-
Default value
No default value
-
Examples
: mySSLconfig
-
-
federated.ldap.certificateMapMode
-
Description
Specify the certificate map mode to use if client certificate authentication is used for HCL Portal. Select whether to map X.509 certificates into an LDAP directory by exact DN or certificate filter. If you set the value as CERTIFICATE_FILTER, then you must also specify the filter mapping in the federated.ldap.certificateFilter property. If you select EXACT_DN, then the DN in the certificate must exactly match the user entry in the LDAP server, including case and spaces.
-
Valid values
EXACT_DN
CERTIFICATE_FILTER
-
Default value
EXACT_DN
-
Examples
None available
-
-
federated.ldap.certificateFilter
-
Description
Specifies the filter certificate mapping property for the LDAP filter if client certificate authentication is used for HCL Portal. The filter is used to map attributes in the client certificate to entries within the LDAP repository. To use this filter, the value for federated.ldap.certificateMapMode must be set to CERTIFICATE_FILTER. Filter syntax: ${Client certificate attribute}
-
Default value
No default value
-
Examples
: uid=${SubjectCN}
-
-
federated.ldap.supportPaging
-
Description
This value indicates if paging is supported or not.
-
Valid values
true
false
-
Default value
false
-
Examples
None available
-
-
federated.ldap.authentication
-
Description
Select the authentication method to use. This corresponds to the "bind method" used by WIM to validate the password for a user during log in. NOTE: WIM currently only supports the Simple method.
-
Default value
simple
-
Examples
None available
-
-
federated.ldap.loginProperties
-
Description
The property name that is used to log in. Usually the login property is the first RDN of the user object DN, such as "uid" or "cn". However, it is possible to log in with some other LDAP attribute. For example, it is possible use an email address to log in, even if the email address is not part of the DN of the user. The only requirement is that any property used here is defined in the PersonAccount entity schema, and if necessary, is mapped to the corresponding underlying LDAP server attribute. It is possible to specify multiple login attributes by delimiting the entries with a semi-colon, for example "uid;mail". When you specify multiple properties, users can log in using any of the listed attributes.
-
Default value
uid
-
Examples
Common Name: : cn
Unique ID: : uid
-
-
federated.ldap.referral
-
Description
A referral occurs when the information requested from your LDAP server is stored in another LDAP server. When a referral occurs, you can select to ignore it or to retrieve the information from the other LDAP. Select Follow if the LDAP should attempt to retrieve the information.
-
Valid values
ignore
follow
-
Default value
follow
-
Examples
None available
-
-
federated.ldap.derefAliases
-
Description
This value is required if "federated.ldap.referral=follow". An alias occurs when the information requested from your LDAP is stored in another LDAP. The returned value is an alias for the information that is stored in the other LDAP. You can select to retrieve the actual value, instead of the alias. Retrieval the actual value is referred to as dereferencing the alias. Select the dereferencing method that you would like to use.
- Set the value to never and the alias entries that are encountered during the search operation are processed as 'normal' entries. The alias entries are returned if they match the search filter.
- Set the value to always and the alias entries that are encountered during the search operation, in both the search base and entries within the scope of the search, are dereferenced.
- Set the value to finding and the LDAP dereference the search base entry but does not dereference any other alias entries within the search scope. Alias entries within the search scope of the dereferenced base are processed as 'normal' entries and are returned if they match the search filter.
- Set the value to searching and the LDAP dereferences alias entries within the scope of the search but does not dereference the search base entry (if it contains an alias). The search base is processed as a 'normal' entry (even if it is an alias entry). It is returned if it matches the search filter and is in the search scope.
- Valid values
never
always
finding
searching
-
Default value
always
-
Examples
None available
-
-
federated.ldap.connectTimeout
-
Description
The connection timeout measured in seconds.
-
Default value
0
-
Examples
None available
-
-
federated.ldap.primaryServerQueryTimeInterval
-
Description
The polling interval for testing the primary server availability. The value is specified in minutes.
-
Default value
15
-
Examples
None available
-
-
federated.ldap.returnToPrimaryServer
-
Description
Indicates to return to the primary LDAP server when it is available.
-
Valid values
true
false
-
Default value
true
-
Examples
None available
-
-
federated.ldap.searchPageSize
-
Description
The search page size, which represents the number of entries per page.
-
Default value
No default value
-
Examples
None available
-
-
federated.ldap.searchCountLimit
-
Description
The search count limit.
-
Default value
500
-
Examples
None available
-
-
federated.ldap.searchTimeLimit
-
Description
The search time limit measured in milliseconds.
-
Default value
120000
-
Examples
None available
-
-
federated.ldap.translateRDN
-
Description
This value indicates whether to translate RDN or not.
-
Valid values
true
false
-
Default value
false
-
Examples
None available
-
-
federated.ldap.cp.maxPoolSize
-
Description
The maximum number of context instances that can be maintained concurrently by the context pool for this LDAP server by WIM. Specifying a value of 0 allows the pool to grow without bound. This is the only context pooling property that can be set by the initial LDAP repository setup ConfigEngine task (wp-create-ldap). See the Portal Tuning Guide for recommendations on setting on up context pooling in WIM under Portal. You can set other "cp.*" properties and run the wp-update-ldap-contextpool task to completely configure WIM context pooling. WIM uses the maximum pool size per node in the cluster. Therefore the total number of connections that might be made to the LDAP server is the maximum context pool size value multiplied by the number of nodes in the cluster.
-
Default value
20
-
Examples
None available
-
7.2. Add or update database
The following properties are used for creating or updating a database user registry configuration. Database modification tasks of WIM need a connection to a running server instance. Your server must be running before you running the following tasks: wp-create-db
or wp-update-db
-
federated.db.DataSourceName
-
Description
The name of the data source to be used for this WIM database domain. It must comply with the WebSphere Application Server requirements. You cannot use the reserved names releaseDS, communityDS, customizationDS, jcrDS, lmdbDS, and feedback. You can use the same name for all portal database domains that are sharing user ID, password, and JDBC database URL.
-
Default value
vmmfeddbDS
-
Examples
None available
-
-
federated.db.DbType
-
Description
Database management software to use for the WIM Federated database domain.
-
Valid values
derby
db2
db2_iseries
db2_zos
oracle
sqlserver2005
-
Default value
db2
-
Examples
None available
-
-
federated.db.DbUrl
-
Description
The JDBC database URL to be used to connect with the database of this portal database domain. It must comply with your JDBC Driver software requirements. This property that is combined with the properties database name and schema name must be unique for the portal database domains release, community, customization, and JCR.
-
Default value
jdbc:db2:vmmfeddb
-
Examples
Apache Derby: jdbc:derby:wpsdb;create=true
IBM DB2 with type 2 drivers: jdbc:db2:wpsdb
IBM DB2 with type 4 drivers, Linux: jdbc:db2://:50001/wpsdb:returnAlias=0;
IBM DB2 with type 4 drivers, Windows: jdbc:db2://:50000/wpsdb:returnAlias=0;
IBM DB2 for i with type 2 drivers: jdbc:db2:*LOCAL/wpsdb;metadata source=1
IBM DB2 for i with type 4 drivers: jdbc:as400://wpsdb;metadata source=1
Remote IBM DB2 for i with type 4 drivers: jdbc:as400://wpsdb;metadata source=1;prompt=false
DB2 for z/OS: jdbc:db2:
Remote DB2 for z/OS with type 2 drivers: jdbc:db2:wpsdb
Remote DB2 for z/OS with type 4 drivers: jdbc:db2://:/
Oracle Database with type 4 drivers and thin client: jdbc:oracle:thin:@//:1521/
Oracle Database with type 2 drivers and thick client: jdbc:oracle:oci:@//:1521/
Microsoft SQL Server: jdbc:sqlserver://:1433;SelectMethod=cursor;DatabaseName=wpsdb
-
-
federated.db.DbName
-
Description
The name of the database (location name of the DB2 for z/OS subsystem) to be used for this portal database domain. It must comply with your database management software requirements. This property that is combined with the properties schema name and JDBC database URL must be unique for the portal database domains release, community, customization, and JCR.
-
Default value
federated.db.DbType=db2: WPWIM
federated.db.DbType=db2_iseries:
federated.db.DbType=db2_zos:
federated.db.DbType=oracle:
federated.db.DbType=sqlserver2005: WPWIM
Otherwise: vmmfeddb
-
Examples
Apache Derby: vmmfeddb
IBM DB2: WPWIM
IBM DB2 for i: /WPSDB
DB2 for z/OS:
Oracle Database: vmmfeddb
Microsoft SQL Server: WPWIM
-
-
federated.db.id
-
Description
Specify a unique identifier for the repository within the cell. Characters that are not allowed in normal XML strings ( & < > " ' ) cannot be used in the repository ID.
-
Default value
vmmDb
-
Examples
None available
-
-
federated.db.baseDN
-
Description
The database base entry. This is the start point where all DB entities will be stored under. Verify the uniqueness of this string.
-
Default value
No default value
-
Examples
None available
-
-
federated.db.DbUser
-
Description
The database user ID used to configure the database objects of this federated database domain. It must comply with your database management software requirements. It is also used by the data source to connect with the database, unless you specify a runtime database user.
-
Default value
db2admin
-
Examples
None available
-
-
federated.db.DbPassword
-
Description
The password of the database user ID used to configure the database objects of the federated database domain. It must comply with your database management software requirements. It is also used by the data source to connect with the database, unless you specify a runtime database user.
-
Default value
No default value
-
Examples
None available
-
7.2.1. Advanced database properties
-
federated.db.JdbcProviderName
-
Description
The name of JDBC provider to be used for the WIM database user registry. Note that the la.JdbcProviderName can be the same as this value, or different. The la.JdbcProviderName is the JDBC provider for the property extension database. This federated.db.JdbcProviderName is the JDBC provider for the WIM database user registry. Both of these databases can be in the same database provider, or in different providers. If they are in the same database, then the same provider name can be used. If they are in different databases, then different appropriate JDBC provider names must be used.
-
Default value
vmmdbJDBC
-
Examples
None available
-
-
federated.db.DbSchema
-
Description
The name to be used to qualify database objects of this WIM database domain. It must comply with your database management software requirements. This property that is combined with the properties database name and JDBC database URL must be unique for the portal database domains release, community, customization, and JCR.
-
Default value
federate
-
Examples
None available
-
-
federated.db.DbNameOnZos
-
Description
The name of the database to be used for this portal database domain. It must comply with your database management software requirements.
-
Default value
WPSTST02
-
Examples
None available
-
-
federated.db.XDbName
-
Description
The database alias used to create the database for this portal database domain. It must comply with your database management software requirements. Required for IBM DB2 that runs on Linux and UNIX operating systems. Also required for IBM DB2 that runs on a Microsoft Windows operating system that uses type 2 JDBC drivers and is running on the same server as HCL Portal.
-
Default value
wps6TCP
-
Examples
Release, Community, Customization, WIM, and JCR: wps6TCP
Feedback: fdbk6TCP
LikeMinds: lmdb6TCP
-
-
federated.db.DbNode
-
Description
The name of the database node that is used to create the database for this portal database domain. It must comply with your database management software requirements. Required for IBM DB2 that run on Linux and UNIX operating systems.
-
Default value
wpsNode
-
Examples
Release, Community, Customization, JCR, and WIM: wpsNode
Feedback and LikeMinds: pznNode
-
-
federated.db.DbStorageGroup
-
Description
The name of the DB2 for z/OS storage group to be used for this portal database domain.
-
Default value
WPSSG
-
Examples
None available
-
-
federated.db.DbVolumes
-
Description
Defines the volumes of the DB2 for z/OS storage group used for this portal database domain.
-
Default value
*
-
Examples
None available
-
-
federated.db.DbVcat
-
Description
Identifies the integrated catalog facility catalog (VCAT) for the DB2 for z/OS storage group that is used for this portal database domain.
-
Default value
DSN910
-
Examples
None available
-
-
federated.db.Db4KBufferPoolName
-
Description
The name of the DB2 for z/OS 4 K buffer pool to be used for this portal database domain.
-
Default value
BP0
-
Examples
None available
-
-
federated.db.Db32KBufferPoolName
-
Description
The name of the DB2 for z/OS 32 K buffer pool to be used for this portal database domain.
-
Default value
BP32K
-
Examples
None available
-
7.2.2. Setting up database tables
Provide information that is needed to configure tables for your federated database.
-
federated.db.reportSqlError
-
Description
Specify whether to report SQL errors while setting up the WIM federated database.
-
Valid values
true
false
-
Default value
true
-
Examples
None available
-
-
federated.db.saltLength
-
Description
The length of the salt that is used when the system hashes passwords stored in the Member Manager database repository.
-
Default value
12
-
Examples
None available
-
-
federated.db.encryptionKey
-
Description
The encryption key to encrypt the database user registry.
-
Default value
rZ15ws0ely9yHk3zCs3sTMv/ho8fY17s
-
Examples
: rZ15ws0ely9yHk3zCs3sTMv/ho8fY17s
-
-
federated.db.adapterClassName
-
Description
The implementation class name for the repository adapter.
-
Default value
com.ibm.ws.wim.adapter.db.DBAdapter
-
Examples
None available
-
-
federated.db.supportSorting
-
Description
This value indicates whether sorting is supported or not.
-
Valid values
true
false
-
Default value
false
-
Examples
None available
-
-
federated.db.supportTransactions
-
Description
This value indicates if transactions are supported or not.
-
Valid values
true
false
-
Default value
false
-
Examples
None available
-
-
federated.db.isExtIdUnique
-
Description
This value specifies if the external ID is unique.
-
Valid values
true
false
-
Default value
true
-
Examples
None available
-
-
federated.db.supportExternalName
-
Description
This value indicates if external names are supported or not.
-
Valid values
true
false
-
Default value
false
-
Examples
None available
-
-
federated.db.entityRetrievalLimit
-
Description
This value specifies the maximum number of entities that the system can retrieve from the database with a single database query.
-
Default value
50
-
Examples
None available
-
7.3. Custom user registry properties
The following properties are used to create or updated a custom user registry (CUR) in a federated security configuration. The properties are referenced when the following tasks are run: wp-create-cur and wp-update-federated-cur
-
federated.cur.id
-
Description
This ID specifies a unique identifier for the repository within the cell. Characters that are not allowed in normal XML strings ( & < > " ' ) cannot be used in the repository ID.
-
Default value
No default value
-
Examples
None available
-
-
federated.cur.adapterClassName
-
Description
The implementation class name for the repository adapter.
-
Default value
No default value
-
Examples
None available
-
-
federated.cur.baseDN
-
Description
The CUR base entry.
-
Default value
No default value
-
Examples
None available
-
-
federated.cur.isExtIdUnique
-
Description
This value specifies whether the external ID is unique.
-
Valid values
true
false
-
Default value
true
-
Examples
None available
-
-
federated.cur.supportExternalName
-
Description
This value indicates whether external names are supported or not.
-
Valid values
true
false
-
Default value
false
-
Examples
None available
-
-
federated.cur.supportPaging
-
Description
This value indicates whether paging is supported or not.
-
Valid values
true
false
-
Default value
false
-
Examples
None available
-
-
federated.cur.supportSorting
-
Description
This value indicates whether sorting is supported or not.
-
Valid values
true
false
-
Default value
false
-
Examples
None available
-
-
federated.cur.supportTransactions
-
Description
This value indicates whether transactions are supported or not.
-
Valid values
true
false
-
Default value
false
-
Examples
None available
-
7.3.1. Federated custom user registry (CUR) custom properties
The following properties and values are used to create a custom property using the wp-create-cur-custom-property task.
-
cur.id
-
Description
The ID of the repository, where the custom property will be created.
-
Default value
No default value
-
Examples
None available
-
-
cur.name
-
Description
The name of the custom property.
-
Default value
No default value
-
Examples
None available
-
-
cur.value
-
Description
Value of the custom property:
-
Default value
No default value
-
Examples
None available
-
7.4. Enable federated repository
The following properties are used when you run the wp-modify-federated-security task. The task enables a federated repository and the existing default realm is renamed.
-
federated.primaryAdminId
-
Description
Type the ID of the WebSphere Application Server administrative user. The ID must exist in a user repository.
-
Default value
No default value
-
Examples
Windows Active Directory: cn=,cn=users,dc=yourco,dc=com
Windows Active Directory Lightweight-Directory-Services:
Custom User Registry:
IBM Tivoli Directory Server: uid=,cn=users,dc=yourco,dc=com
HCL Domino: cn=,o=yourco.com
Novell eDirectory: uid=,ou=people,o=yourco.com
Oracle Directory Server: uid=,ou=people,o=yourco.com
-
-
federated.realm
-
Description
Specify the realm name to use. The existing default realm is renamed.
-
Default value
No default value
-
Examples
None available
-
-
federated.serverId
-
Description
Specify a user ID in the repository that is used for internal process communication.
-
Default value
No default value
-
Examples
Windows Active Directory: cn=,cn=users,dc=yourco,dc=com
Windows Active Directory-Lightweight-Directory-Services:
Custom User Registry:
IBM Tivoli Directory Server: uid=,cn=users,dc=yourco,dc=com
HCL Domino: cn=,o=yourco.com
Novell eDirectory: uid=,ou=people,o=yourco.com
Oracle Directory Server: uid=,ou=people,o=yourco.com
-
-
federated.serverPassword
-
Description
Specify a password for the user ID in the repository that is used for internal process communication.
-
Default value
No default value
-
Examples
None available
-
7.4.1. Advanced federated repository properties
-
federated.registryClassName
-
Description
The registry class name.
-
Default value
com.ibm.ws.wim.registry.WIMUserRegistry
-
Examples
None available
-
-
federated.ignoreCase
-
Description
This value specifies whether the query matches case sensitivity. This value is not used during node federation to the deployment manager with WebSphere Application Server when LDAP security is enabled.
-
Valid values
true
false
-
Default value
true
-
Examples
None available
-
7.5. LDAP attribute configuration validation
The following properties are used with the wp-validate-federated-ldap-attribute-config
and wp-update-federated-ldap-attribute-config
tasks.
-
federated.ldap.attributes.nonSupported
-
Description
This value is a comma-separated list of attributes that are added/removed from the list of nonsupported attributes
-
Default value
No default value
-
Examples
None available
-
-
federated.ldap.attributes.nonSupported.delete
-
Description
If true, then the attributes in federated.ldap.nonSupported are deleted from the list of nonsupported attributes, else they are added.
-
Valid values
true
false
-
Default value
No default value
-
Examples
None available
-
-
federated.ldap.attributes.mapping.ldapName
-
Description
The name of the attribute in LDAP.
-
Default value
No default value
-
Examples
None available
-
-
federated.ldap.attributes.mapping.portalName
-
Description
The name of the attribute in portal.
-
Default value
No default value
-
Examples
None available
-
-
federated.ldap.attributes.mapping.entityTypes
-
Description
The list of entityTypes that the mapping applies to.
-
Valid values
PersonAccount
Group
-
Default value
PersonAccount
-
Examples
None available
-
7.6. Delete federated repository properties
The following properties are used the wp-delete-repository
task.
-
federated.delete.baseentry
-
Description
The name of the base entry to be deleted from the default realm. If the base entry exists in other realms, it must be deleted manually first. Leave the value empty only if you want to delete the property extension repository.
-
Default value
No default value
-
Examples
None available
-
-
federated.delete.id
-
Description
The ID of the repository to be deleted from the WIM configuration. This parameter must be set to LA if you want to delete the property extension repository.
-
Default value
No default value
-
Examples
None available
-
WIM property extension database properties
Property extension database was previously called the lookaside database. The property extension database stores more attributes that cannot be stored in the LDAP user registry. Database modification tasks of WIM need a connection to a running server instance. Make sure that your server is running. The properties are used with the following tasks: wp-configure-la-complete and wp-add-la-property
-
la.JdbcProviderName
-
Description
The name of JDBC provider for the WIM property extension database. Note that the federated.db.JdbcProviderName can be the same as this value, or different. The federated.db.JdbcProviderName is the JDBC provider for the WIM database user registry. This la.JdbcProviderName is the JDBC provider for the WIM property extension database. Both of these databases can be in the same database provider, or in different providers. If they are in the same database, then the same provider name can be used. If they are in different databases, then different appropriate JDBC provider names must be used.
-
Default value
vmmdbJDBC
-
Examples
None available
-
-
la.DbType
-
Description
Database management software to be use for the property extension domain.
-
Valid values
db2
db2_iseries
db2_zos
derby
oracle
sqlserver2005
-
Default value
db2
-
Examples
None available
-
-
la.DbUrl
-
Description
The JDBC database URL to be used to connect with the database of the property extension database domain. It must comply with your JDBC Driver software requirements. This property that is combined with the properties database name and schema name must be unique for the portal database domains release, community, customization, and JCR.
-
Default value
jdbc:db2:vmmladb
-
Examples
None available
-
-
la.DbName
-
Description
The name of the database (location name of the DB2 for z/OS subsystem) to be used for the property extension database domain. Use the property extension domain store more properties outside of the user registry. It must comply with your database management software requirements. This property that is combined with the properties schema name and JDBC database URL must be unique for the portal database domains release, community, customization, and JCR.
If you change the name of the HCL Portal data source due to a database migration, you must manually update the la.DbName property in the wpconfig_dbdomain.properties file. The file is located here: portal_server_root/config/wpconfig_dbdomain.properties
-
Default value
la.DbType=db2: WIMLADB
la.DbType=db2_iseries:
la.DbType=db2_zos:
la.DbType=oracle:
la.DbType=sqlserver2005: WIMLADB
Otherwise: vmmladb
-
Examples
Apache Derby: vmmladb
IBM DB2: WIMLADB
IBM DB2 for i: /WIMLADB
DB2 for z/OS:
Oracle Database: vmmladb
Microsoft SQL Server: WIMLADB
-
-
la.DataSourceName
-
Description
The name of the data source to be used for property extension database domain. It must comply with the WebSphere Application Server requirements. You cannot use the reserved names releaseDS, communityDS, customizationDS, jcrDS, lmdbDS, and feedback. You can use the same name for all portal database domains that are sharing user ID, password, and JDBC database URL.
-
Default value
vmmladbDS
-
Examples
None available
-
-
la.DbUser
-
Description
The database user ID used to configure the database objects of the property extension database domain. It must comply with your database management software requirements. It is also used by the data source to connect with the database, unless you specify a runtime database user.
-
Default value
db2admin
-
Examples
None available
-
-
la.DbPassword
-
Description
Password for the property extension database administrator user ID. The password must comply with the database management software requirements. The ConfigEngine cannot validate that the password complies with the software requirements.
-
Default value
No default value
-
Examples
None available
-
8.1. Advanced properties
-
la.DbNameOnZos
-
Description
The name of the database to be used for this portal database domain. It must comply with your database management software requirements.
-
Default value
WPSTST02
-
Examples
None available
-
-
la.XDbName
-
Description
The database alias used to create the database for this portal database domain. It must comply with your database management software requirements. Required for IBM DB2 that runs on Linux and UNIX operating systems. Also required for IBM DB2 that runs on a Microsoft Windows operating system that uses type 2 JDBC drivers and is running on the same server as HCL Portal.
-
Default value
wps6TCP
-
Examples
None available
-
-
la.DbNode
-
Description
The name of the database node that is used to create the database for this portal database domain. It must comply with your database management software requirements. Required for IBM DB2 that run on Linux and UNIX operating systems.
-
Default value
wpsNode
-
Examples
None available
-
-
la.DbSchema
-
Description
The name to be used to qualify database objects of property extension database domain. It must comply with your database management software requirements. This property that is combined with the properties database name and JDBC database URL must be unique for the portal database domains release, community, customization, and JCR.
-
Default value
federate
-
Examples
None available
-
8.2. Create property extension tables
-
la.reportSqlError
-
Description
Specify whether to report SQL errors that occur while you are setting up databases.
-
Valid values
true
false
-
Default value
true
-
Examples
None available
-
-
la.entityRetrievalLimit
-
Description
This value specifies the maximum number of entities that the system can retrieve from the database with a single database query.
-
Default value
50
-
Examples
None available
-
8.3. Add a property
The following properties are used by wp-add-la-property and wp-add-property configuration tasks. Use wp-add-la-property if you are defining a new property to store in WIM property extension database. Use wp-add-property if you are defining a new property that maps to an attribute in LDAP or a custom registry. These tasks use a secured connection to WebSphere Application Server. Check the wp_profile/properties/sas.client.props file and verify the following setting: com.ibm.CORBA.securityEnabled=true If you are using a remote telnet connection, set com.ibm.CORBA.loginSource
to stdin or properties.
-
la.providerURL
-
Description
The remote endpoint where your portal server or deployment manager installation is available. Check the value for hostname:port. The port points to the BOOTSTRAP_ADDRESS port of either the WebSphere_Portal server or the deployment manager. The deployment manager is used in a clustered environment.
-
Default value
corbaloc:iiop:localhost:10020
-
Examples
Stand-alone Server example: corbaloc:iiop:localhost:10020
Clustered example: corbaloc:iiop:dmgr.example.com:9809
-
-
la.propertyName
-
Description
The name of the property that you are adding.
-
Default value
No default value
-
Examples
: email, dept
-
-
la.deployfile
-
Description
Use this property when you want to create multiple properties by using a single ConfigEngine operation. Specify the path and name of the XML file that contains the properties that you want to add. You can specify a path that is relative to the ConfigEngine directory or the fully qualified file system path. If you specify a value for this property, do not specify a value for la.propertyName, la.dataType, or la.Multivalued.
The following is a sample of an XML deploy file that is used to add three properties.
<wplc-add-property> <resource propertyName="attribute_name_1" dataType="Int" entityTypes="Group" multiValued="true" /> <resource propertyName="attribute_name_2" dataType="String" entityTypes="PersonAccount" multiValued="true" /> <resource propertyName="attribute_name_3" dataType="Base64Binary" entityTypes="Group,PersonAccount" multiValued="false" /> </wplc-add-property>
The resource tag includes attributes that are specific for the property: propertyName, dataType, entityType, and multiValued.
-
Default value
No default value
-
Examples
: deploy.xml
-
-
la.entityTypes
-
Description
This value is a list of entity types that the new property is applicable to. If you need to enter multiple values, use a comma to separate each value, for example "value1,value2".
-
Valid values
Group
PersonAccount
-
Default value
No default value
-
Examples
: Group,PersonAccount
-
-
la.dataType
-
Description
Defines the type of data that is stored in the attribute that is being created. If this attribute is mapped to LDAP, this data type must match the corresponding attribute type in LDAP. Consult your LDAP administrator if you are unsure of the data types in LDAP. If this attribute is stored in the WIM property extension database, the data type must match the corresponding attribute type as defined in WIM's database.
While it is possible to add attributes of different types to WIM, the Registration/Edit My Profile Portlet is only capable of working with attributes of type String and Int. If you need UI support for other types, you would need your own custom form or portlet that can process those types. Portal does not have a UI that reads or updates group attributes. The one exception is the UI that is used to create a group.
-
Valid values
String
Int
DateTime
Base64Binary
IdentifierType
Boolean
Long
Double
Short
-
Default value
No default value
-
Examples
None available
-
-
la.multiValued
-
Description
Defines if the property can contain multiple values or not.
-
Valid values
true
false
-
Default value
No default value
-
Examples
None available
-
-
repositoryId
-
Description
This value is only used for the
wp-add-property
task. Adding a property to WIM configuration of a repository does not add the property to the LDAP system. List of repositories that the new property is added to. The list of repositories must be separated by a comma. Leave the value blank to add the property to all repositories. -
Default value
No default value
-
Examples
None available
-
WIM LDAP entity type configuration
Provide values for the following properties if you need to create, delete, or add an LDAP entity type configuration. The properties are used with the following configuration tasks: wp-create-ldap-entitytype , wp-delete-ldap-entitytype , and wp-add-ldap-entitytype-rdn .
-
et.ldap.id
-
Description
This value specifies the LDAP server ID.
-
Default value
No default value
-
Examples
: myLDAPServer
-
-
et.entityTypeName
-
Description
Specifies the name of the entity type to create, update, or delete.
-
Valid values
PersonAccount
Group
-
Default value
No default value
-
Examples
None available
-
-
et.objectClass
-
Description
This value specifies a semi-colon (;) delimited list of object classes to be added.
-
Default value
No default value
-
Examples
: groupOfUniqueNames
-
-
et.searchFilter
-
Description
This value specifies the search filter that you want to use to search the entity type. A filter like departmentNumber=1234 would allow only objects with this department number to be a valid search result.
-
Default value
No default value
-
Examples
None available
-
-
et.objectClassesForCreate
-
Description
This value specifies a semi-colon (;) delimited list of object classes to use when an entity type is created. If the value of this parameter is the same as the objectClass parameter, you do not need to specify this parameter.
-
Default value
No default value
-
Examples
: groupOfUniqueNames
-
-
et.searchBases
-
Description
This value specifies the search base or bases to use while the system searches the entity type.
-
Default value
No default value
-
Examples
: o=foo,o=bar
-
-
et.rdnName
-
Description
This value specifies more attributes for the
wp-add-ldap-entitytype-rdn
task. This attribute name is used to build the relative distinguished name (RDN) for the entity type. It is unusual for there to be more than one for a PersonAccount or Group entity type. -
Default value
No default value
-
Examples
None available
-
-
et.ldap.referral
-
Description
This value specifies more attributes for the
wp-add-ldap-entitytype-rdn
task. The value indicates how the LDAP server handles referrals to other LDAP servers. If you type ignore, the LDAP ignores referrals to other LDAP servers. If you type follow, the LDAP follows the redirect to other LDAP servers. -
Valid values
ignore
follow
-
Default value
follow
-
Examples
None available
-
-
et.ldap.host
- Description
-
Default value
No default value
-
Examples
None available
WIM supported entity types configuration
The wp-update-entitytype
task updates the entity type 'entityTypeName' with the value of defaultParent and adds the RDN attribute to the existing list. The wp-set-entitytype
task updates the entity type 'entityTypeName' with the value of defaultParent. It also resets the rdnProperties list to contain only rdnProperties entries for the value (or values, if a semicolon-delimited list is supplied) of the RDN attribute name property.
-
entityTypeName
-
Description
This value specifies the name of the entity type. This should be either PersonAccount or Group.
-
Valid values
PersonAccount
Group
-
Default value
No default value
-
Examples
None available
-
-
defaultParent
-
Description
Specify the base entry name that is used as default parent for the entity type.
-
Default value
No default value
-
Examples
None available
-
-
rdnProperties
-
Description
This value specifies the RDN attribute name for the supported entity type in the entity domain name. The RDN attribute is the first attribute in the Distinguished Name. Usually the attribute is "uid" or "cn", but it depends on how the DNs in your LDAP server are set up.
-
Default value
cn
-
Examples
None available
-
-
updatePumaSearchBase
-
Description
Define whether the default search attribute for users and groups in PUMA Store Service is also updated.
-
Valid values
true
false
-
Default value
false
-
Examples
None available
-
10.1. Update the defaultParent of the entity types Group and PersonAccount
The wp-update-entitytypes task updates the defaultParent of the entity types Group and PersonAccount and adds the RDN attributes to the existing list. The wp-set-entitytypes task updates the defaultParent of the entity types Group and PersonAccount and adds the RDN attributes as only entry in the RDN list.
-
personAccountParent
-
Description
Type the default parent of the entity type PersonAccount. WIM creates new users as a child of the parent when no other explicit parent is specified. This value must be a descendant of the baseDN of the LDAP server and it must be a fully specified DN of the container, including the baseDN value. For example, if federated.ldap.baseDN=dc=yourco,dc=com then the parent might be personAccountParent=cn=users,dc=yourco,dc=com. It might also be personAccountParent=cn=users,ou=newPeopleGoHere,dc=yourco,dc=com.
-
Default value
No default value
-
Examples
If the base DN is dc=yourco,dc=com: cn=users,dc=yourco,dc=com
-
-
groupParent
-
Description
Type the default parent of the entity type Group. When an explicit parent is not specified for a new group, WIM uses the default parent that is specified here. The parent must be a descendant of the base DN of the LDAP server. It also must be a fully specified DN of the container, including the base DN value.
-
Default value
No default value
-
Examples
If base DN is dc=yourco,dc=com: cn=groups,dc=yourco,dc=com
Another example, for base DN is dc=yourco,dc=com: cn=groups,ou=newGroupsGoHere,dc=yourco,dc=com
-
-
personAccountRdnProperties
-
Description
The RDN attribute is the first attribute in the Distinguished Name. Usually the attribute is "uid" or "cn", but it depends on how the DNs in your LDAP server are set up. It is possible to specify multiple attribute names that are separated by semicolons, but this is highly unusual. Do not leave this property blank. This property is primarily used when you create a new user through WIM. In combination with the default parent for the entity type, the attribute tells WIM how to create the DN for the new entry. The value (or values, if multiple values are specified in a semicolon-delimited list) is set as rdnProperties entries with the supportedEntityType stanza in WIM's wimconfig.xml configuration file.
-
Default value
uid
-
Examples
: uid
-
-
groupRdnProperties
-
Description
The RDN attribute is the first attribute in the Distinguished Name. Usually the attribute is "cn" for the Group entity type, but it depends on how the DNs in your LDAP server are set up. It is possible to specify multiple attribute names that are separated by semicolons, but this is highly unusual. Do not leave this property blank. This property is primarily used when you are creating a new group through WIM. In combination with the default parent for the entity type, the attribute tells WIM how to create the DN for the new entry. The value (or values, if multiple values are specified in a semicolon-delimited list) is set as rdnProperties entries with the supportedEntityType stanza in WIM's wimconfig.xml configuration file.
-
Default value
cn
-
Examples
: cn
-
10.2. Group member attribute configuration
If the group member attribute does not exist, it will be created. The following properties are used with the wp-update-ldap-groupmember
and wp-delete-ldap-groupmember
tasks.
-
gm.ldap.id
-
Description
The ID of the LDAP repository definition within which the group definition is updated. The ID is an arbitrary ID that was specified when the repository definition was created.
-
Default value
No default value
-
Examples
None available
-
-
gm.groupMemberName
-
Description
The name of the LDAP attribute that is used as the group member attribute.
-
Default value
No default value
-
Examples
For groupOfUniquNames: uniqueMember
For groupOfNames: Member
-
-
gm.objectClass
-
Description
The group object class that contains the member attribute. If you do not define this parameter, the member attribute applies to all group object classes
-
Default value
No default value
-
Examples
: groupOfNames
: groupOfUniqueNames
-
-
gm.scope
-
Description
Type the scope of the member attribute. This is the attribute within the group objects that lists the members of the group. NOTE: It is unusual for this to be any value other than "direct". Type nested if the LDAP member attribute includes direct and nested members. Type direct if the LDAP member attribute includes direct members only.
-
Valid values
nested
direct
-
Default value
direct
-
Examples
None available
-
-
gm.dummyMember
-
Description
If you create a group without specifying a member, a dummy member will be filled in to avoid creating an exception about missing a mandatory attribute. For Novell eDirectory servers, Oracle Directory Server and Windows Active Directory, the value has to be empty or point to an existing entry in the LDAP directory.
-
Default value
No default value
-
Examples
None available
-
10.3. Create group member configuration
The following properties are used with the wp-create-ldap-groupconfig
task.
-
gc.ldap.id
-
Description
This value specifies a unique identifier for an existing repository within the cell. This value must match the ID of the repository to be updated.
-
Default value
No default value
-
Examples
None available
-
-
gc.name
-
Description
A membership attribute is an alternative way of getting group membership information from the LDAP user registry. Leave the field empty if your LDAP does not support the group membership attribute.
Type the LDAP name of an attribute or virtual attribute in a user object that lists the groups of which that user is a member.
A membership attribute is an attribute within the user object that contains the list of groups that the user is a member of. Many LDAP registries support the group memebership attribute. Also, each user registry implements the group membership attribute differently.
In some cases, the membership attribute is not persisted with the user record. Instead, it is calculated on demand.
In some cases, the membership attribute includes all groups, such as nested groups, dynamic groups, and static groups. If your LDAP implementation includes all groups memberships, then it is more efficient to use a membership attribute instead of manually requesting the information from a client. For more information about when to use the attribute, see the federated.ldap.gc.scope property.
You do not need to use nested or dynamic groups to use a membership attribute. If your directory uses only non-nested, static group memberships, use the standard group membership query method.
-
Default value
federated.ldap.ldapServerType=IDS6: ibm-allGroups
federated.ldap.ldapServerType=AD: memberOf
federated.ldap.ldapServerType=ADAM: memberOf
federated.ldap.ldapServerType=DOMINO: dominoAccessGroups
federated.ldap.ldapServerType=SUNONE: isMemberOf
federated.ldap.ldapServerType=SUNONE: nsrole
federated.ldap.ldapServerType=NDS: groupMembership
-
Examples
IBM Tivoli Directory Server: ibm-allGroups
Microsoft Active Directory: memberOf
Microsoft Active Directory - Lightweight Directory Services: memberOf
HCL Domino: dominoAccessGroups
Oracle Directory Server: isMemberOf
SunOne (versions prior to 6.3): nsrole
Novell eDirectory: groupMembership
-
-
gc.updateGroupMembership
-
Description
Updates the group membership if the member is deleted or renamed. Some LDAP servers, such as HCL Domino, do not clean up the membership of the user when a user is deleted or renamed. If you choose an LDAP server that does not clean up memberships, then the value of this property is set to true to enable membership cleanup.
-
Valid values
true
false
-
Default value
false
-
Examples
None available
-
-
gc.scope
-
Description
Tells WIM how much information your LDAP server returns when WIM requests the group membership attribute value for a user object. The group membership attribute is an attribute on the user object that contains the list of groups of which the user is a member. This scope property describes to WIM how complete the list is. For example, the list might include only static groups of which the user is a direct member or it might include dynamic memberships, or the results of resolving any nested group relationships.
- Set the value to all if the membership attribute includes a complete list of all possible group memberships for a user, including nested, dynamic, and direct group memberships.
- Set the value to direct if the membership attribute includes only direct memberships.
- Set the value to nested if the membership attribute included both direct and nested memberships, but it does not include dynamic memberships. Nested refers to groups within other groups. Select the option that reflects your LDAP registry configuration. If your selection does not match the LDAP configuration, poor performance and failures might occur.
If the group membership attribute for the user objects within your LDAP returns only direct membership information and you select nested, when your application requests nested group information the operation will return incomplete results. Based on your selection, WIM expects the LDAP to return the nested group information. It does not do the additional work to determine the nested group information.
If your LDAP returns nested group information and WIM is configured to support dynamic groups, WIM tries to resolve the dynamic group membership information that is requested by an application. You must use the Integrated Solutions Console to configure dynamic groups in WIM.
If your LDAP provides a complete set of group memberships, including nested groups, dynamic groups, and static direct groups, and you set the scope attribute to direct, WIM redundantly tries to resolve the nested group memberships.
Portal asks WIM to retrieve nested group membership information from the LDAP registry. If your security policy and LDAP registry are not set up to use nested groups, then set accessControlDataManagement.enableNestedGroups to false in the Access Control Data Management Service.
-
Valid values
all
direct
nested
-
Default value
direct
-
Examples
None available
-
10.4. Context pool
The following properties are used with the wp-update-ldap-contextpool
task.
-
cp.ldap.id
-
Description
The name of the LDAP repository configuration for which the context pool settings are to be updated.
-
Default value
No default value
-
Examples
None available
-
-
cp.maxPoolSize
-
Description
This value specifies the maximum number of context instances that can be maintained concurrently in the context pool for this LDAP server by WIM. This value must be greater than or equal to the preferred context pool size. However, specifying a value of 0 allows the pool to grow without bound. WIM uses the buffer pool size per node in the cluster. Therefore the total number of connections that might be made to the LDAP server is the maximum context pool size value multiplied by the number of nodes in the cluster.
-
Default value
20
-
Examples
None available
-
-
cp.initPoolSize
-
Description
This value specifies the initial (minimum) size of the context pool for this LDAP server in WIM. This value must be less than or equal to the preferred context pool size.
-
Default value
1
-
Examples
None available
-
-
cp.prefPoolSize
-
Description
Specify the preferred size of the context pool for this LDAP server in WIM. The size must be greater than or equal to the initial context pool size, and less than or equal to the maximum context pool size, unless the maximum size is set to 0. If this value is less than the maximum size (or if the maximum size is set to 0) and the pool grows larger than the preferred size due to transient high load conditions, the pool shrinks back to the preferred size when the high load condition subsides. The preferred size value is treated as a "hint" which WIM gives a best effort to maintain, not a hard limit that is strictly enforced always.
-
Default value
3
-
Examples
None available
-
-
cp.poolTimeout
-
Description
This value specifies the maximum lifetime of a context instance. Specify the lesser of your LDAP server or firewall connection time-out, if applicable. A value of 0 means a context will never time out. This value is specified in seconds.
-
Default value
2700
-
Examples
None available
-
-
cp.poolWaitTime
-
Description
This value specifies the time that a thread waits for a context to become available. The timeout applies only when maximum size of the pool is reached (so that no more contexts can be allocated) but all existing context instances are busy. This value, which is specified in milliseconds, must not be more than a few seconds.
-
Default value
3000
-
Examples
None available
-
10.5. Realm configuration
The following properties are used to in multiple realm configuration tasks. If no realm name is specified, the default realm is updated.updated. The wp-create-realm
tasks uses the following properties: realmName, addBaseEntry, securityUse, and delimiter The wp-update-realm
task uses the following properties: realmName, securityUse, and delimiter The wp-delete-realm
task uses the following property: deleteRealmName The wp-default-realm
task uses the following property: defaultRealmName The wp-add-realm-baseentry
task uses the following properties: realmName and addBaseEntry The wp-delete-realm-baseentry
task uses the following properties: realmName and deleteBaseEntry The wp-query-realm-baseentry
task uses the following property: realmName The wp-modify-realm-defaultparents
task uses the following properties: realmName, realm.personAccountParent, realm.groupParent, and realm.orgContainerParent The wp-modify-realm-enable-dn-login
task uses the following property: realmName The wp-modify-realm-disable-dn-login
task uses the following property: realmName
-
realmName
-
Description
Specify the name of the realm to create or update. If no realm name is provided, the default realm is updated.
-
Default value
No default value
-
Examples
None available
-
-
addBaseEntry
-
Description
This value specifies the name of base entry to be added to the realm.
-
Default value
No default value
-
Examples
None available
-
-
securityUse
-
Description
Indicates whether a virtual realm within the WIM configuration is actively in use currently in the security setup of the server; or is not currently in use but is eligible to be used; or is not eligible for use at all. The default is "active".
-
Valid values
active
inactive
nonSelectable
-
Default value
active
-
Examples
None available
-
-
delimiter
-
Description
This value specifies the delimiter that is used for this realm.
-
Default value
/
-
Examples
None available
-
-
defaultRealmName
-
Description
This value specifies the name of the new default realm.
-
Default value
No default value
-
Examples
None available
-
-
deleteBaseEntry
-
Description
This value specifies the name of the base entry to be deleted from the realm.
-
Default value
No default value
-
Examples
None available
-
-
realm.personAccountParent
-
Description
This value specifies the default parents to be set for the entity type PersonAccount. The realm that is entered in realmName is used to make the change.
-
Default value
No default value
-
Examples
None available
-
-
realm.groupParent
-
Description
This value specifies the default parents to be set for the entity type Group. The realm that is entered in realmName is used to make the change.
-
Default value
No default value
-
Examples
None available
-
-
realm.orgContainerParent
-
Description
This value specifies the default parents to be set for the entity type OrgContainer. The realm that is entered in realmName is used to make the change.
-
Default value
No default value
-
Examples
None available
-
10.6. Base entry configuration
The following properties are used by the wp-create-base-entry
, wp-update-base-entry
, and wp-delete-base-entry
. When you run the wp-update-base-entry
task, if the base entry does not exist, the task creates the entry.
-
id
-
Description
The ID of the repository, where the base entry is created, updated, or deleted. When a base entry is created, it is automatically added to the default realm.
-
Default value
No default value
-
Examples
None available
-
-
baseDN
-
Description
This value specifies the name of the base entry to create, update, or delete.
-
Default value
No default value
-
Examples
None available
-
-
nameInRepository
-
Description
The distinguished name (DN) in the repository that uniquely identifies the base entry name. In most cases, the name is not the same value as the base DN.
-
Default value
No default value
-
Examples
None available
-
10.7. Change administrative users
The following properties are used by the wp-change-was-admin-user
and wp-change-portal-admin-user
tasks. The wp-change-portal-admin-user
task also changes the admin group if the ID is set.
-
newAdminId
-
Description
Type the fully qualified DN that exists in your LDAP registry that you want to use as the Portal Administrator account. The short login name for this administrator account must not be identical to the original administrative user ID short login name. If the DN includes spaces, then you must take extra steps to enter it on the command line by using the -D parameter.
(UNIX only)For command line tasks, if you provide the DN by using the -D parameter, some tasks require that you enter the fully qualified DN. If your fully qualified DN contains a space, you cannot provide the ID by using the -D parameter. For example, if your DN is
cn=someuser,cn=users,o=Software Group,dc=yourco,dc=com,
then you must place the DN in the properties file or a parent properties file. If you create a parent properties file named mysecurity.properties, your command is: ./ConfigEngine.sh task_name -DparentProperties=/opt/mysecurity.properties.(Windows only)For command prompt tasks, if you provide the DN by using the -D parameter, some tasks require that you enter the fully qualified user DN. If your fully qualified DN contains a space, then you must place quotations around the fully qualified DN in the command. An example of a DN with spaces is:
cn=someuser,cn=users,o=Software Group,dc=yourco,dc=com,
An example of the DN provided using the -D parameter is: ConfigEngine.bat task_name -DuserID="cn=someuser,cn=users,o=Software Group,dc=yourco,dc=com"A valid user DN can contain the following characters:
- Lowercase characters {a-z} and upper case characters {A-Z}
- Numbers {0-9}
- Exclamation point {!}, hyphen {-}, period {.}, question mark {?}, accent grave {`}, tilde {~}
- Open parenthesis {(} and close parenthesis {)}
- Open bracket {[} and close bracket {]}
- Underscore {_}
- Must be less than 200 characters
-
Default value
No default value
-
Examples
Windows Active Directory: cn=,cn=users,dc=yourco,dc=com
Windows Active Directory 2003: cn=,cn=users,dc=yourco,dc=com
Windows Active Directory-Lightweight-Directory-Services: cn=,cn=users,dc=yourco,dc=com
IBM Tivoli Directory Server: uid=,cn=users,dc=yourco,dc=com
IBM Tivoli Directory Server for z/OS: uid=,cn=users,dc=yourco,dc=com
HCL Domino: cn=,o=yourco.com
Novell eDirectory: uid=,ou=people,o=yourco.com
Oracle Directory Server: uid=,ou=people,o=yourco.com
Custom: uid=,cn=users,dc=yourco,dc=com
-
-
newAdminPw
-
Description
Type the password for the DN that already exists in the user registry. Valid passwords contains only ASCII characters and the following characters:
- Lowercase letter {a-z} and uppercase letters {A-Z}
- Numbers {0-9}
- Exclamation point {!}, hyphen {-}, period {.}, question mark {?}, accent grave {`}, and tilde {~}
- Open parenthesis {(} and close parenthesis {)}
- Open bracket {[} and close bracket {]}
- Underscore {_}
- The password cannot contain a space
- Must be 128 characters or less
- Default value
No default value
-
Examples
None available
-
-
newAdminGroupId
-
Description
Type the DN of the existing group from LDAP that you want to use as the portal administrative group.
-
Default value
No default value
-
Examples
Windows Active Directory: cn=,cn=groups,dc=yourco,dc=com
Windows Active Directory-Lightweight-Directory-Services: cn=,cn=groups,dc=yourco,dc=com
IBM Tivoli Directory Server: cn=,cn=groups,dc=yourco,dc=com
HCL Domino: cn=,o=yourco.com
Novell eDirectory: cn=,ou=groups,o=yourco.com
Oracle Directory Server: cn=,ou=groups,o=yourco.com
-
10.8. Change attribute configuration
The wp-update-attribute-config
task sets the overall required and unsupported properties.
-
user.attributes.required
-
Description
This value specifies the new (comma separated) list of attributes that are required for user creation
-
Default value
sn
-
Examples
None available
-
-
user.attributes.nonsupported
-
Description
This value specifies the new (comma separated) list of attributes that are ignored by portal.
-
Default value
certificate,identifier
-
Examples
None available
-
10.9. Restore WIM security
The following properties are used with the wp-restore-default-repository-configuration
task.
-
restore.file.realm
-
Description
This value specifies the realm name to be used. A realm with this name is created .
-
Default value
federatedRealm
-
Examples
None available
-
-
restore.file.delimiter
-
Description
This value specifies the delimiter that is used for this realm. Enter any value but do not leave this field blank.
-
Default value
/
-
Examples
None available
-
-
restore.file.primaryAdminId
-
Description
This value specifies the ID (short name) of the WebSphere Application Server administrative user. The ID must exist in a user repository.
-
Default value
adminUID
-
Examples
None available
-
-
restore.file.primaryAdminPassword
-
Description
This value specifies the password (short name) of the WebSphere Application Server administrative user.
-
Default value
adminPWD
-
Examples
None available
-
-
restore.file.primaryPortalAdminGroup
-
Description
The user group (short name) with administrative permission in portal. The group must exist in the LDAP server.
-
Default value
adminGroupCN
-
Examples
None available
-
10.10. Community Isolation and external users
The following properties are used with the wp-configure-community-isolation
and wp-configure-external-users
task.
-
communityIsolation.enabled
-
Description
This value specifies whether the Boolean flag enables community isolation (peer groups).
-
Valid values
true
false
-
Default value
false
-
Examples
None available
-
-
externalUsers.enabled
-
Description
This value specifies whether the Boolean flag enables or disables external users.
-
Valid values
true
false
-
Default value
false
-
Examples
None available
-
-
externalUsers.parentDN
-
Description
The parent distinguished name (DN) for new external users.
-
Default value
No default value
-
Examples
: ou=externalUsers,o=defaultWIMFileBasedRealm
-
More properties for internal use only
-
AdditionalPropertiesToFilter
-
Description
Do not change the value of this attribute unless directed to do so by IBM Support
-
Default value
newAdminPw
-
Examples
None available
-
-
wps.userdir
-
Description
Do not change the value of this attribute unless directed to do so by IBM Support.
-
Default value
PortalServer
-
Examples
None available
-