The security model in IBM® WebSphere® Application Server and IBM WebSphere Portal affects the planning
and implementation of security in a cluster. Security is enabled by
default for the WebSphere Application Server deployment manager.
WebSphere Portal does
not attempt to change the security settings in the deployment manager
cell whenever a node is federated. Therefore, any existing security
configuration of a stand-alone WebSphere Portal is replaced with the
security settings of the deployment manager cell when it joins that
cell. If you remove the node from the deployment manager cell, the
original security settings are reinstated.
Default security settings
The default security that is enabled when the deployment manager
profiles and WebSphere Portal profiles are installed is Virtual
Member Manager (VMM) federated security with a single file-based
repository configured. If you plan to add the stand-alone node to a
deployment manager cell, there is no need to modify this default
security setting on a WebSphere Portal node. During federation,
the stand-alone environment security settings are replaced with the
deployment manager security settings. The original stand-alone environment
security settings are preserved and are reinstated if you remove the
node from the cluster.
Note: If administrative security
is disabled on the deployment manager, it must be enabled before you
run the security configuration tasks on the WebSphere Portal cluster members.
Security options for a cluster
All of the VMM federated security options, including multiple LDAP
repositories, database repositories, and the default file-based
repository, can be used.
WebSphere Portal provides a number of security tasks, which can be
used to modify the WebSphere Application Server security settings
and make the required updates to the WebSphere Portal configuration in a
single step. As soon as a WebSphere Portal node is federated into a
deployment manager cell, every WebSphere Portal security task that you
run updates the security configuration on the deployment manager cell.
Run security tasks after you federate the WebSphere Portal node because
the deployment manager cell does not contain the configuration resources
that are required to run the security tasks.
Note: Do not use the file-based
repository as your only repository in a production environment.
Updates to it are only possible through the WebSphere Integrated Solutions Console, not through portal
user management. These updates are sent to each node in the cell
with deployment manager file synchronization. This process can be
time-consuming for large volumes of users and groups. Synchronization
also does not occur at the same time for all nodes in a cell, so there
are times when the nodes in the cell have differing security definitions.
In addition, the Users and Groups portlet is not available
with the file-based repository. You must replace the file-based repository
with a federated LDAP user registry to have access to the Users
and Groups portlet.
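The two notes above can be checked offline against a copy of the deployment manager cell configuration. The following Python sketch is an added example, not IBM code. It assumes that administrative security is recorded in the enabled attribute of the root element of the cell's security.xml and that VMM repositories appear in wimconfig.xml as repositories elements with an xsi:type; the XML samples are constructed and simplified, so verify the names against your own files.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
SEC_NS = "http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"

# Constructed samples; the element and attribute layout is an assumption.
SECURITY_DISABLED = '<security:Security xmlns:security="%s" enabled="false"/>' % SEC_NS
SECURITY_ENABLED = '<security:Security xmlns:security="%s" enabled="true"/>' % SEC_NS
WIM_HEAD = ('<config:configurationProvider'
            ' xmlns:config="http://www.ibm.com/websphere/wim/config"'
            ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">')
WIM_TAIL = '</config:configurationProvider>'
FILE_REPO = ('<config:repositories xsi:type="config:FileRepositoryType"'
             ' id="InternalFileRepository"/>')
LDAP_REPO = '<config:repositories xsi:type="config:LdapRepositoryType" id="corpLDAP"/>'
FILE_ONLY_WIM = WIM_HEAD + FILE_REPO + WIM_TAIL
FEDERATED_WIM = WIM_HEAD + FILE_REPO + LDAP_REPO + WIM_TAIL


def repository_kinds(wimconfig_text):
    """Map each repository id to its kind ('file', 'ldap', 'database', ...)."""
    kinds = {}
    for el in ET.fromstring(wimconfig_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "repositories":
            continue
        # "config:FileRepositoryType" -> "file"
        type_name = el.get(XSI_TYPE, "").split(":")[-1]
        kinds[el.get("id", "?")] = type_name.replace("RepositoryType", "").lower() or "unknown"
    return kinds


def audit(security_text, wimconfig_text):
    """Return a finding code for each condition the two notes warn about."""
    findings = []
    if ET.fromstring(security_text).get("enabled", "false").lower() != "true":
        # Must be enabled before the portal security tasks are run.
        findings.append("ADMIN_SECURITY_DISABLED")
    kinds = repository_kinds(wimconfig_text)
    if kinds and set(kinds.values()) == {"file"}:
        # Not suitable as the only repository in production.
        findings.append("FILE_REPOSITORY_ONLY")
    return findings


if __name__ == "__main__":
    print(audit(SECURITY_DISABLED, FILE_ONLY_WIM))
    print(audit(SECURITY_ENABLED, FEDERATED_WIM))
```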