Friday, March 27, 2015

TWS & TDWC MS AD integration

In this post I will describe how to set up MS AD (Microsoft Active Directory) user integration for TWS & TDWC directly in WebSphere (on Windows machines there is another way, using the OS capabilities).

Prerequisites: an MS AD (Microsoft Active Directory) account (a service account is preferred) that will be used to connect to MS AD and read its repository.
For both TWS and TDWC the set-up is identical (if they both run on the same WebSphere it needs to be performed only once).

To set up the TWS / TDWC and MS AD integration:

   1. Login to the WebSphere admin page:
  • Directly: https://:31124/ibm/console/secure/securelogon.do?action=force (this is the default link)
  • From TDWC:

   2. Go to Security -- Global Security, and under User account repository set Current realm definition to Standalone LDAP registry (to use a single repository, e.g. MS AD only) or Federated repositories (to use multiple repositories, e.g. MS AD plus Local Server Accounts).

!!!!! Important: If an account name is not unique across the Federated repositories, that user WILL NOT be authenticated, so be very careful with this.

   3. Then go to Configure ... -- Manage repositories (under Related Items) and click Add.

   4. On LDAP server, under Directory type, select Microsoft Windows Active Directory and fill in the data as follows:

  • Repository identifier -- just a display name
  • Primary host name -- your Microsoft Active Directory (MS AD) domain controller server name (DNS name), fully qualified domain name (FQDN) or IP address
  • Port -- the server port that will be used to connect to MS AD in order to read user data (default: 389)
  • Bind distinguished name -- the distinguished name the application server uses when binding to the MS AD repository,
e.g. CN=user_name,OU=IT,OU=TM,OU=RO,DC=europe,DC=ad,DC=company_name,DC=com

  • Bind password -- the password the application server uses when binding to the MS AD repository (in short: the password of the user_name given in the Bind distinguished name field)
Press OK and if you opted for Standalone LDAP registry go to the last step (8).
   
   5. Go to Global Security -- Federated repositories -- Repositories in the realm: -- Add Base entry to Realm...

   6. On Repository reference select:

  • Repository -- the one you created at step 4.
  • Distinguished name of a base entry that uniquely identifies this set of entries in the realm -- the distinguished name of the subtree under which WebSphere will look up users from this repository,
e.g. DC=ad,DC=company_name,DC=com
Press OK.

   7. Press Apply and Save directly to the master configuration.

   8. Restart WebSphere.

Now user authentication is performed using MS AD (either MS AD only, or local accounts and MS AD, depending on the realm definition you chose at step 2). You may also use MS AD groups or DLs (distribution lists) to grant rights in TWS and / or TDWC.
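As an added illustration (not part of the original post), the Python below models two checks a practitioner would want before restarting WebSphere: that the bind DN from step 4 lies under the base entry from step 6, and that a login name resolves to exactly one entry across federated repositories, which is the ambiguity warned about in step 2. The sample realm, the login names and the local file repository's base entry o=defaultWIMFileBasedRealm are assumptions.

```python
from dataclasses import dataclass

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split 'CN=x,OU=y,DC=z' into [(attr, value), ...] (no escaped commas)."""
    rdns = []
    for part in dn.split(","):
        if "=" not in part:
            raise ValueError(f"malformed RDN in {dn!r}: {part!r}")
        attr, value = part.split("=", 1)
        # attribute types and DC/OU values are matched case-insensitively in LDAP
        rdns.append((attr.strip().upper(), value.strip().casefold()))
    return rdns

def is_under_base(dn: str, base: str) -> bool:
    """True when dn lies at or below base, i.e. base is a suffix of dn."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b

@dataclass
class Repository:
    identifier: str        # "Repository identifier" from step 4
    base_entry: str        # base entry added to the realm in step 6
    users: dict[str, str]  # login name -> DN of the entry (constructed sample data)

def find_user(realm: list[Repository], login: str) -> str:
    """Resolve a login across every repository; a name found in more than one is rejected."""
    hits = [(r.identifier, r.users[login]) for r in realm if login in r.users]
    if not hits:
        raise LookupError(f"{login}: not found in any repository")
    if len(hits) > 1:
        where = ", ".join(ident for ident, _ in hits)
        raise LookupError(f"{login}: ambiguous, present in {where}")
    return hits[0][1]

# Constructed sample realm: the AD repository from the post plus WebSphere's
# built-in file repository (its base entry o=defaultWIMFileBasedRealm is assumed).
SAMPLE_REALM = [
    Repository("MSAD", "DC=ad,DC=company_name,DC=com", {
        "twsuser": "CN=twsuser,OU=IT,OU=TM,OU=RO,DC=europe,DC=ad,DC=company_name,DC=com",
        "jsmith": "CN=jsmith,OU=IT,OU=TM,OU=RO,DC=europe,DC=ad,DC=company_name,DC=com",
    }),
    Repository("LocalFile", "o=defaultWIMFileBasedRealm", {
        "wasadmin": "uid=wasadmin,o=defaultWIMFileBasedRealm",
        "jsmith": "uid=jsmith,o=defaultWIMFileBasedRealm",  # same login as in AD: collision
    }),
]
```

Running find_user(SAMPLE_REALM, "jsmith") raises the ambiguity error, which is the federated-repositories failure the post warns about; "twsuser" and "wasadmin" each resolve to a single DN.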

2 comments:

  1. Thank you. Very useful article. How does the above link/relate to the actual TWS Security File?

    1. In the TWS Security File you grant users access; once you have integrated it with AD you can add AD accounts and / or AD groups (distribution lists) in the Security File.
