Integrating community membership with Portal security
Configure the Virtual Member manager to integrate information from IBM® Connections communities with your WebSphere® Portal environment.
Starting with version 6.1, IBM WebSphere Application Server uses a component that is called Virtual Member manager (VMM) to manage information about community membership. VMM provides an interface that enables communication between WebSphere Portal and any repository, whether federated repositories, a stand-alone repository, or your own custom user registry. You can configure VMM to recognize IBM Connections as a repository so that Portal can access community user and group information from IBM Connections communities. For example, after VMM is configured, users can select IBM Connections private or public communities as groups when they assign security roles or access rights.
For more information about the architecture of VMM, see the article Virtual Member Manager Integration from the IBM Knowledge Center.
For more information about configuring a user repository for VMM, see the article Setting up a custom user repository from the IBM Knowledge Center.
After you configure IBM Connections to work with VMM, users can:
- Search for IBM Connections public and private communities by name (represented as groups in WebSphere)
- Resolve public and private community membership for particular users (represented as group membership in WebSphere)
- Display the WebSphere users that are members of an IBM Connections public or private community
The following are some known limitations:
- When you use the VMM get operation to get a single identifier and query by name, instead of using the unique externalID, nothing is returned if more than one community name matches the query.
- The operation to display WebSphere users that are members of a particular IBM Connections community can have a performance impact for large groups.
- Tivoli® Directory Integrator is suggested for populating user data into Connections. When you use the profile data population wizard, a user's email might not be populated into the Communities database. A user might not appear in the proper communities until they log in to Communities, use a feature from the Communities service, or their profile is synchronized with Tivoli Directory Integrator.
Prerequisites
- IBM WebSphere Portal must be installed and verified
- IBM Connections must be installed and verified to work
- Hidden email is supported. In the 3.0.1.1 refresh, it is no longer mandatory to enable email.
- Single sign-on must be configured between Connections and Portal. Follow the steps in Configuring single sign-on.
- IBM Connections and IBM WebSphere Portal must share a common LDAP.
- Import the SSL certificate from IBM WebSphere Portal server to IBM Connections. Follow the steps in Importing a certificate to support SSL with the following differences:
  - Log in to the WebSphere Application Server Integrated Solutions Console for the Connections server, rather than the Portal server.
  - Enter the host, port, and alias for the Portal server. For example:
    Host: portal.example.com
    Port: 10025 (the default SOAP port on Portal; specify the appropriate port if a non-default port is used)
    Alias: Portal Certificate (the administrator can choose any appropriate alias)
- Update the VMM schema so that PersonAccount on the Portal server includes personCorrelationAttribute. Use this attribute to specify the corresponding person relative distinguished name attribute. For example, ibm-primaryEmail. For more information about name attributes for different directories, see the article on Attribute mapping for Profiles in the IBM Knowledge Center. In a clustered environment, run this command on the Deployment manager. To open the scripting interface, refer to the article Opening a console window for interactive scripting in the IBM Knowledge Center. Enter the following command in the scripting interface:
    $AdminTask addIdMgrPropertyToEntityTypes {-name <personCorrelationAttribute> -dataType string -entityTypeNames PersonAccount}
  Then, enter the following command:
    $AdminConfig save
  For example, if the personCorrelationAttribute matches ibm-entryUuid, use:
    $AdminTask addIdMgrPropertyToEntityTypes {-name ibm-entryUuid -dataType string -entityTypeNames PersonAccount}
    $AdminConfig save
Note: Portal must be running while you run this command. Restart the server to apply the changes.
Configuring the IBM Connections repository to work with VMM
Complete these tasks to configure the IBM Connections User Repository adapter. When configuration is complete, you can verify that it is working by logging in to WebSphere Portal as an administrator. Open the Users and Groups portlet from the Administration tab. Search for groups that must be present as communities in your IBM Connections deployment. If you find the correct groups and the members of the groups are listed, the deployment is successful.