IBM BS029ML - WebSphere Portal Server Self Help Manual Download Page 147 | Manualshive

Page: 147 / 242

background image

Chapter 4. WebSphere Portal security

133

[8/17/07 16:45:23:294 EDT] 2934440 ServletInstan E SRVE0100E: Did not realize
init() exception thrown by servlet portal: javax.servlet.UnavailableException:
Initialization of one or more services failed.

In this case, an expired client certificate caused the system to fail.

If there is any message related to the SSL handshake, you need to check the client certificate
created when the TAM runtime was configured on WebSphere Application Server.

Enable traces on TAM

In certain cases, it is desirable to enable the WebSEAL traces along with those in WebSphere
Application Server and Portal. To enable the WebSEAL Web traces, run the following
commands from the PDAdmin console:

pdadmin> server task <webseald-server> trace set pdweb.debug 9 file
path=C:\temp\webseald.trace\pdweb.debug
pdadmin> server task <webseald-server> trace set pdweb.snoop 9 file
path=C:\temp\webseald.trace\pdweb.snoop

To disable these traces: run these commands:

pdadmin> server task <webseald-server> trace set pdweb.snoop 0
pdadmin> server task <webseald-server> trace set pdweb.debug 0

If the problem is with authorization with TAM, we recommend adding a “debug=true” custom
attribute to the PDLoginModule in the WebSphere Application Server administrative console
(select

Security

→

Global security

→

JAAS Configuration

→

Application Logins

→

Portal_Login

→

JAAS Login Modules

→

com.tivoli.mts.PDLoginModule

→

Custom

properties

and add debug as the name and true as the value). This will generate debug

information to the SystemOut.log upon logging in similar to Example 4-22.

Example 4-22 PDLoginModule debug output

[5/26/07 14:46:02:346 EDT] 13de60b4 SystemOut    O delegate class name:
com.tivoli.mts.PDLoginModule
[5/26/07 14:46:02:346 EDT] 13de60b4 SystemOut     O Using the current thread class
loader
[5/26/07 14:46:02:456 EDT] 13de60b4 SystemOut    O user_dn is null
[5/26/07 14:46:02:687 EDT] 13de60b4 SystemOut    O [PDLoginModule]: added
PDPrincipal
[5/26/07 14:46:02:697 EDT] 13de60b4 SystemOut    O [PDLoginModule]: added
PDCredential

To reconfigure TAM configuration, do not simply disable security. The TAM settings have to be
manually removed from the Portal configuration before trying to disable security.

Portal access control (PAC)

When debugging PAC related problems, check the following:

򐂰

Make sure that the user is indeed in the group (if permissions were assigned to groups).
One simple test is to assign the user individually and see if that helps.

򐂰

Use the XMLAccess utility to generate an export of the object tree, and follow the tree to
check that the roles are assigned.

򐂰

If rights should not be given and you cannot discover where they were set, check for the
virtual principals of which all users are members.

«
...
145
146
147
148
149
...
»

Summary of Contents for BS029ML - WebSphere Portal Server

Page 1: ...Guide Philip Monson Fang Feng Jerry Dancy Shadi Albouyeh Chakravarthy Kunapareddy Stephanie Martin James Roca John Chambers Key recommendations for optimal configuration and use Problem avoidance dete...

Page 2: ......

Page 3: ...International Technical Support Organization IBM WebSphere Portal V6 Self Help Guide January 2008 REDP 4339 00...

Page 4: ...nt Users Restricted Rights Use duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp First Edition January 2008 This edition applies to IBM WebSphere Portal Version 6 Note Be...

Page 5: ...characterization at the specification level 20 2 3 Operational architectures 21 2 3 1 Adopting a tiered architecture 21 2 3 2 Addressing scaleability and high availability 21 2 4 Portal deployment co...

Page 6: ...security 74 3 3 3 What is about to happen 77 3 3 4 Is it working 79 3 4 Problem determination 80 3 4 1 Installation problem determination 80 3 4 2 Database transfer problem determination 81 3 4 3 LDAP...

Page 7: ...component 160 5 3 2 JVM problems 160 5 3 3 Some common problems and workarounds 163 5 4 Portal administration tools 164 5 5 Runtime monitoring 168 5 5 1 What to monitor 168 5 5 2 Useful resources 168...

Page 8: ...ctices 210 Fix strategy 211 Overview of the maintenance strategy 213 Our approach to maintenance 214 Overview of the fix strategy 215 Our approach to fixes 215 Some additional best practices 218 Migra...

Page 9: ...ditions of the publication IBM may make improvements and or changes in the product s and or the program s described in this publication at any time without notice Any references in this information to...

Page 10: ...oft Siebel and TopLink are registered trademarks of Oracle Corporation and or its affiliates Enterprise JavaBeans EJB Java JavaBeans JavaScript JDBC JMX JNI JSP JVM J2EE Solaris Sun and all Java based...

Page 11: ...ise include Portal security system administration WebSphere Member Manager and XMLaccess He has been working with IBM for 11 years He holds a Doctor of Philosophy in Computer Science from Texas A M Un...

Page 12: ...loped the Portal Perform guide for the IBM EMEA geography He is also credited with developing the Portal Build Validate method which when adopted minimizes implementation failure Most recently James t...

Page 13: ...com redbooks residencies html Comments welcome Your comments are important to us We want our papers to be as helpful as possible Send us your comments about this paper or other IBM Redbooks publicatio...

Page 14: ...xii IBM WebSphere Portal V6 Self Help Guide...

Page 15: ...served 1 Chapter 1 Introduction This chapter provides you with an overview of this Redpaper highlights some of the new features in IBM WebSphere Portal Version 6 and provides a general description of...

Page 16: ...nt When Why should I convert my portal server s from Cloudscape to an external database What can I do to optimize the runtime in my portal environment How do I convert my portal server s from a test L...

Page 17: ...plications content business processes and people for a unified user experience WebSphere Portal improves overall productivity and customer satisfaction WebSphere Portal provides for improved operation...

Page 18: ...ansactions faster Application templating and easier portlet development accelerates application deployment and customization through the innovative use of services oriented architecture SOA Inline con...

Page 19: ...try or multiple user registries reducing the need for investing and implementing a directory consolidation solution Data Domains Portal now allows the separation of portal data into multiple domains D...

Page 20: ...ation of WebSphere Portal Server using the flexible deployment options for the most common topologies WebSphere Portal Server provides a number of mechanisms to help keep your assets protected In Chap...

Page 21: ...e included fixes to preventively fixes issues and when to switch to later releases to introduce additional features Performing regular backups is the surest way to protect your systems and critical da...

Page 22: ...8 IBM WebSphere Portal V6 Self Help Guide...

Page 23: ...h intimate knowledge of the challenges and pitfalls that go hand in hand with managing many large scale WebSphere Portal deployments this chapter sets out to provide the reader with an informed approa...

Page 24: ...ble methodology Indeed the IBM Global Services Method GS Method or GSM has been the basis for many successful WebSphere Portal Server deployments However the merits and application of such methodologi...

Page 25: ...rly challenging when an organization s core business is other than software development Indeed most organizations can no longer afford the time or the cost of development to write new applications eac...

Page 26: ...anner An adapter is specific to a particular Enterprise Information System EIS and generally requires client code to be written to parse the proprietary format of the data provided by the EIS However...

Page 27: ...xt Diagram as shown in Figure 2 1 Figure 2 1 System Context Diagram Figure 2 1 illustrates the various system components and most significant roles of the system Besides that it helps to identify in h...

Page 28: ...rformance in all phases of a project life cycle to be successful For those customers finding themselves in the unfortunate situation of having selected and purchased bare metal systems without having...

Page 29: ...ccess the solution at any given point in time Internally WebSphere Portal Server maintains a database entry for all registered users after their initial login No constraint other than the size of the...

Page 30: ...val Rate It is important to recognize that it may be necessary to plan for such situations when many users simultaneously access the Portal solution at the same time This generally breaks any rule of...

Page 31: ...Internet Explorer or Mozilla Firefox This component communicates with the solution through the HTTP HTTPS protocol receives responses in HTML format and renders them for the user The Internet Browser...

Page 32: ...n environment that allows them to create edit and publish Web content Because knowledge owners have less dependence on technical resources they can publish content in a more timely and efficient way b...

Page 33: ...business transactional interaction The data stored is relevant to the specific business interaction for example bank balance insurance information current purchase by the user and so on Portlet appli...

Page 34: ...NFR capacity Hardware Example pSeries Operating System Example AIX 5L V5 3 0 0 0 3 Non Functional Requirements Availability Example Minimum of two physical nodes one in each data center configured as...

Page 35: ...cial in terms of overall enterprise security and performance optimization As such it is strongly suggested that a n tier approach is adopted as the topology of choice for all high volume WebSphere Por...

Page 36: ...Sphere Portal Server V6 0 x architecture of choice However maintaining continuous operation during periods of scheduled or unscheduled maintenance requires careful consideration As this implementation...

Page 37: ...nd jcr are deployed alongside the release database domain Note that the JCR Repository exists in a different database The environment also hosts a LDAP directory server not shown which is highly avail...

Page 38: ...h each Portal cluster supporting a different line of business The dual cluster with two lines of production architecture Deploying either a single clustered instance or a multiple clustered instance w...

Page 39: ...3 Dual cluster architecture illustrating two lines of production Key features of this architecture are Two independent HTTP Server clusters HTTP Cluster A and HTTP Cluster B consisting of at least tw...

Page 40: ...Sphere Portal Server V6 0 x this requirement is now a possibility Such a requirement however raises the question about how best to design an operational architecture that caters for such a global depl...

Page 41: ...rchitecture The latest WebSphere Portal Server V6 0 1 deployment option includes support for WebSphere Extended Deployment V6 0 2 or WebSphere XD for short Such an architecture makes it possible to dy...

Page 42: ...disaster recovery However unlike the approach detailed in 2 4 3 The dual cluster with two lines of production architecture on page 29 such a deployment does not normally see both sets of production s...

Page 43: ...uster with two lines of production architecture The deployment of a dual clustered WebSphere Portal Server V6 0 x architecture with Two Lines of Production brings about distinct advantages when mainte...

Page 44: ...does not yield an exact replica In certain situations this may be sufficient for a number of customers The recommended approach therefore for creating an exact replica of one environment to another in...

Page 45: ...er of reasons To fully utilize the processing power of modern SMP servers Local redundancy Horizontal clustering By contrast horizontal clustering should be considered for the following reasons To ach...

Page 46: ...e expensive both in terms of CPU and memory and thus usually only configured to handle a maximum of 10 20 connections simultaneously Each queue has the potential to become saturated There also exists...

Page 47: ...between platforms may result in inappropriate comparisons If comparisons are made pay special attention to clock speed number of CPUs used and hardware manufacturer benchmarking data Take into accoun...

Page 48: ...M heap Unlike previous versions of WebSphere Portal Server prior to V6 0 x which ran WCM as an integrated sub component there is no longer the need to create a separate WCM JCR database repository for...

Page 49: ...Sphere Portal Server with a large JVM heap and a high Web Container thread pool In keeping with the IBM Proven Performance Tuning Methodology the recommendation is to reduce the JVM heap and the Web C...

Page 50: ...e user s HttpSession As such it is possible to enable HttpSession failover support to facilitate maintaining a user s session when requests are failed over to a subsequent cluster member However argua...

Page 51: ...wever the LTPA token is in itself subject to expiry even if a user s browser session is maintained The LTPA token effectively starts to time out immediately upon creation WebSphere Portal Server also...

Page 52: ...dependence for Web based application security Provide the ability to control access to Web applications and content which may be hosted through multiple Web servers at the URL level Provide the abilit...

Page 53: ...roxy server That is when a user logs into a WebSphere Portal Server solution protected by TAM it is actually the Tivoli WebSEAL server that performs the authentication task As such the key points for...

Page 54: ...only one supported by the TAI Also note that the user password is not passed in the HTTP Header for security reasons After the TAI processing is successful WebSphere Application Server creates a user...

Page 55: ...r V6 0 both the Policy Server and WebSEAL components with WebSphere Portal Server V6 0 1 WebSphere Portal Server login with Tivoli WebSEAL Most WebSphere Portal Server deployments include a number of...

Page 56: ...ecognize that such a configuration does not extend to gracefully quiescing user requests from one or more back end systems when those systems need to be taken down for scheduled maintenance This is in...

Page 57: ...otentially this could be revised to just dc acme dc com or even dc acme dc co dc uk It is anticipated that a number of organizational units OU would be needed at the topmost level to provide a degree...

Page 58: ...ject class and could add other attributes such as Account Number Insurance Number and Employment Band This prevents potential conflicts when a new version of the directory is installed and the default...

Page 59: ...minated master peer during normal operation However should the load balancer detect a failure of the master peer the load balancer will re route all requests to the alternate master peer During write...

Page 60: ...instance but with the firewall idle timeout System Administrators should ensure that the tcp_keepidle system setting on each of the servers is smaller than the firewall idle timeout Failing this when...

Page 61: ...Any user customization made against one cluster member regardless of the Line of Production or cluster by a user is now available to the same user as and when that user accesses any of the other clust...

Page 62: ...entiating between distinct databases would allow any DBA to specifically tune and size that database accordingly A DB2 instance is a logical database server environment DB2 databases are created withi...

Page 63: ...site http www ibm com servers eserver pseries library hacmp_docs html HADR DB2 High Availability Disaster Recovery HADR provides a new alternative for delivering a high availability solution by replic...

Page 64: ...network is very important In this configuration a dedicated Gigabit Ethernet segment is used in conjunction with Network Interface Backup NIB for redundancy Note that an outage at the Log transfer ne...

Page 65: ...mplementation We strongly recommend that a WebSphere Portal Server based implemention is treated as a complex infrastructure project from the outset For anything other than an out of the box implement...

Page 66: ...ongoing concern All too often performance is disregarded until the performance tuning phase of a project resulting in a critical situation Consider performance testing those back end systems prior to...

Page 67: ...e ensuring a smooth deployment is a key factor in satisfying any stakeholder A deployment and cutover plan as such should minimize the impact of the cutover with the stakeholder s staff existing produ...

Page 68: ...54 IBM WebSphere Portal V6 Self Help Guide...

Page 69: ...3 WebSphere Portal installation This chapter contains information that will guide you through the installation of your WebSphere Portal Server This chapter includes the following topics Installation D...

Page 70: ...requirements to determine whether the software runs native or connected to the WebSphere Portal Supported hardware and software WebSphere Portal V6 0 software requirements http publib boulder ibm com...

Page 71: ...wp f conf_gui html Console Interface http publib boulder ibm com infocenter wpdoc v6r0 topic com ibm wp ent doc wp f conf_console html Response File http publib boulder ibm com infocenter wpdoc v6r0 t...

Page 72: ...247387 html Custom A more custom type of installation is to install a new version of WebSphere Portal Server on an existing instance of WebSphere Application Server Once you launch the install program...

Page 73: ...07 5 32 48 PM MultiPlatform install com ibm wps install DetectWpsAction msg2 No WAS with WPS detected After the system completes validation the installer proceeds with the WebSphere Application Server...

Page 74: ...bat action empty portal DPortalAdminPwd PASSWORD_REMOVED DWasPassword PASSWORD_REMOVED DLTPAPassword PASSWORD_REMOVED DskipWTP true Jul 31 2007 3 39 45 PM MultiPlatform install com ibm wps install Ex...

Page 75: ...of the possible applications to stop are ServletInvoker war pickerPortlet war JspServer war mylist war QuickLinks war newsgroup war docviewer war FileServer war reminder war worldclock war Attention...

Page 76: ...ing the files necessary to install WebSphere Portal and its supporting software are the electronic Service Delivery eSD sites These sites include Passport Advantage and Partner World which are linked...

Page 77: ...http publib boulder ibm com infocenter wpdoc v6r0 topic com ibm wp ent doc wpf i nst_source html 3 1 4 Is it working In order to ensure a successful installation of WebSphere Portal we recommend that...

Page 78: ...WebSphere Portal ConfigTrace log Most commonly the installation failures result from the configuration tasks that are executed during installation The wp_root log ConfigTrace log contains the generate...

Page 79: ...wp600_244 2006 07 18 17 02 which follows with the confirmtaion that WebSphere Portal has been initialized 7 30 07 18 09 33 578 EDT 00000016 ServletWrappe A SRVE0242I wps wps portal Initialization suc...

Page 80: ...Resource 2 value Resource x value Resource1 value Resource 2 value Resource x value Resource1 Referential Integrity Referential Integrity DB Schema Resource 2 Resource x Resource 1 abc Resource 2 Res...

Page 81: ...nsfer of your database s from Cloudscape to an external database you should execute the following steps 1 If you have not done so already the first thing you should do before attempting to transfer yo...

Page 82: ...h the values required in order to perform the database transfer as both methods will pull the information from these files Do not provide values for other parameters in the properties files other than...

Page 83: ...tune your database management system 2 Assign an ID or privilege that will be used by WebSphere Portal Server s for system to system communications from the portal to the database 3 Create the WebSphe...

Page 84: ...wmm Dwmm DbPassword password WPSconfig sh validate database driver Windows WPSconfig bat validate database connection wps Drelease DbPassword password Dcustomization DbPassword password Dcommunity Db...

Page 85: ...his step If the problem you are facing is not related to incorrect values and you wish to troubleshoot the exceptions then refer to 3 4 Problem determination on page 80 for additional guidance 3 2 4 I...

Page 86: ...targets For a discussion on external authentication solutions such as Tivoli Access Manager or Computer Associates eTrust Siteminder as well as other topics surround LDAP planning refer to 2 6 7 LDAP...

Page 87: ...here Application Server console or failover will not occur successfully should the primary server suffer an outage LDAP Schema Design While it is possible to set up WebSphere Portal Server with only o...

Page 88: ...to add additional attributes that do not correspond to a typical LDAP database The LookAside option is available when configuring LDAP security with realms or without Enabling LookAside can be done b...

Page 89: ...the membership information used later to enable LDAP security 4 Connectivity check PING From the server in which you will enable security perform a ping test to verify the connection to your LDAP host...

Page 90: ...information 10 Disable Security Run the disable security task using the command line or the wizard After the disable security task completes you should receive a BUILD SUCCESSFUL message indicating th...

Page 91: ...LDAP or a Member Manager database already exists in the operational environment is configuration of security with a custom user registry At this point you should be ready to configure security having...

Page 92: ...unning the task through the command line as shown in Example 3 7 Example 3 7 Specifying the password as a parameter WPSconfig sh bat task_name Dpassword_property_key password_value Once you have locat...

Page 93: ...of the following two tasks for UNIX Windows Realm Support WPSconfig sh bat enable security wmmur ldap i5 OS WPSconfig sh profileName profile_root DPortalAdminPwd password DLTPAPassword password DLDAP...

Page 94: ...successfully click the different links in the portal to make sure that no errors are received both in the browser and in the SystermErr log and SystemOut log files If you configured your LDAP registr...

Page 95: ...al Server for remote connection to your databases your client should match the same levels as your database server If your server and clients are not at the required levels refer to 3 1 1 How do I pre...

Page 96: ...ue is not isolated to the LDAP servers Not applying the required fixes Fix Packs for your portal environment can also cause errors during the enablement of security process and can affect the overall...

Page 97: ...ix entry Confirm the privileges of your LDAPBind user if anonymous access is not allowed Failure to disable security before enabling security Before you can run the enable security task you must disab...

Page 98: ...84 IBM WebSphere Portal V6 Self Help Guide...

Page 99: ...fferent level of complexities To accommodate such a wide range of security requirements WebSphere Portal has provided a rich set of configuration options that integrate with different security infrast...

Page 100: ...in a WebSphere Application Server It can leverage the underlying application server s powerful security infrastructure In addition WebSphere Portal security extended the security configuration provide...

Page 101: ...act upon and manage profiles such as create read update remove and search members in the profile repository These services also support managing groups including assigning members to and unassigning...

Page 102: ...N is unique and may be changed and reused After a member is deleted from Member Manager a new member can be created and reuse the memberDN of the deleted member An example of a memberDN of a Person Ja...

Page 103: ...the Local Operating System user registry Lightweight Directory Access Protocol LDAP user registry and custom user registry CUR In some corporations the existing directory servers such as LDAP servers...

Page 104: ...tion avoid the requirement of repeating authentication of the users This is where SSO comes into play The goal of single sign on is to provide a secure method of authenticating a user one time within...

Page 105: ...al security or a combination of a form based login plus the client certificate to achieve a higher level of security In this section we describe the basic login flow in details and then give a short d...

Page 106: ...that the Portal subject is not shared with applications besides WebSphere Portal The Portal subject is also passed on to the optional Portal JAAS login Depending on the configuration WebSphere Portal...

Page 107: ...mmarized in Table 4 2 Table 4 2 PAC artifacts Other applications through SSO The LTPA in the client request triggers WebSphere Application Server to create the security context with the user credentia...

Page 108: ...e decision module is triggered when a resource is accessed by a user Most of the permission configurations should be assigned to groups which is more efficient than assigning them to individual users...

Page 109: ...configuration parameters are presented in CacheManagerService properties in portal_root shared app wp services properties jar These settings can be customized through WP CacheManagerService in the Web...

Page 110: ...s put the network at risk by installing unauthorized software opening virus infected e mail attachments succumbing to social network attacks and so on When designing your Web sites based on WebSphere...

Page 111: ...rs should seriously consider reconfiguring security with a commercially available LDAP server If the system will be put into production and performance is a major concern we do not recommend the datab...

Page 112: ...nistrator user for WebSphere Application Server sometimes called Server ID You use this ID to start and stop the server and to log on to the administrative console for any administration configuration...

Page 113: ...ould be updated in the Administrative Console Before the password is changed in LDAP you must have the Application Server running and already logged in to the Administrative Console After the password...

Page 114: ...for at http www 306 ibm com software genservers portal support 4 2 5 Integration with Tivoli Access Manager TAM The most common configuration of the integration is for the portal to take advantage of...

Page 115: ...he entries you entered into wpconfig properties are correct The configuration tasks in WebSphere Portal take the values of the parameters in the file to assemble and issue PDadmin commands based on th...

Page 116: ...he tasks If there are special customizations required on the junctions created from the TAM side or special requirements on the TAI from the WebSphere side for example TAI manual steps are required If...

Page 117: ...and the file system You should try to make these backups approximately at the same time if possible See Appendix B Maintenance Fix strategy backup strategy and migration strategy on page 207 for detai...

Page 118: ...information as possible What is the problem How can you describe the problem Are there any error messages Is a screen capture available When did it happen Under what conditions was the problem observ...

Page 119: ...are able to navigate to the administration portlets and conduct administration operations such as create pages search and add users and groups install portlets create virtual portals and so on The por...

Page 120: ...strings are required we would suggest an analysis of the Java stacktrace following the error message s in the log The stacktrace should show certain calling code patterns that should give clues to wha...

Page 121: ...e additional strings shown in Table 4 5 Table 4 5 Trace strings for security problems Problem Trace strings Portal application server startup com ibm ws security all without realm wmmbase com ibm ws s...

Page 122: ...tal Analysis Enable Tracing as shown in Figure 4 6 Figure 4 6 Enable Tracing portlet The static approach requires a system restart which is not always desirable The dynamic option is preferred under s...

Page 123: ...cture Being able to use LDAP tools such as ldapsearch or LDAP browser to verify user and groups and to generate the output of a subtree a user or a group in LDAP Data Interchange Format LDIF Understan...

Page 124: ...profiles wp_profile UNIX Linux opt IBM WebSphere AppServer profiles wp_profile security xml This is the configuration file for the WebSphere Application Server global security Whenever a security prob...

Page 125: ...of WMMUR Notice that the file locations in a cluster are different They must point to those under wsas_profile_root config wmm The trustAssociation stanza defines all the definitions of all the Trust...

Page 126: ...erRegistry section This tells us that the administrator might have configured the LDAP without realm support before and the LDAP related configuration remains in the file This may not be necessarily b...

Page 127: ...8492250 alias Portal_LTPA loginModules xmi id JAASLoginModule_1174328492594 moduleClassName com ibm ws security common auth module proxy WSLoginModuleProxy authenticationStrategy REQUIRED options xmi...

Page 128: ...ccessing the datasources defined in JDBC providers at runtime admin authz xml This file is in the same directory as security xml It contains the users and groups for the administrative console adminis...

Page 129: ...n a full manual synchronization from the Dmgr to push the changes to all nodes 5 Restart the cluster to make the change effective wmm xml This is the most important file for WMM configuration Any typo...

Page 130: ...epositoryForGroups LDAP1 adminId uid bindid ou people ou dept o acme com adminPassword afacWLqg1trlbNupQsppiw ldapHost corpldap acme com ldapPort 389 ldapType 0 sslEnabled false sslTrustStore C WebSph...

Page 131: ...his attribute defaults to the Relative Distinguished Name RDN in most cases but it is not necessary When WMMUR is configured this should be the same as the customer property wmmUserSecurityNameAttr re...

Page 132: ...figuration tasks enable security wmmur ldap enable security wmmur db or enable security wmmur custom It must be set up manually by the Portal administrator after the security is configured An example...

Page 133: ...trongly recommend encrypting the password using the WMM utility called wmm_encrypt bat sh An alternative to this approach of manually modifying the file wmmWASAdmin xml using an editor is using the ut...

Page 134: ...og should look like the following 4 30 07 16 15 54 429 PDT 0000000a ApplicationMg A WSVR0200I Starting application wmmApp 4 30 07 16 15 55 728 PDT 0000000a EJBContainerI I WSVR0207I Preparing to start...

Page 135: ...result in the failure of the portal servlet Usually failure of one or more individual portlet applications would not affect the entire portal server but some may affect the usage of the server such a...

Page 136: ...In most cases the failure is due to the failed authentication of the WebSphere Application Server administration user Using LDAP tools like an LDAP browser or ldapsearch try to verify that the LDAP bi...

Page 137: ...intermittent compare the success and failure cases such as the clients used access URLs time of the day and so on If there are recent configuration changes on the portal server the LDAP server the da...

Page 138: ...al system we also suggest the traces to be enabled on other components such as LDAP HTTP server and External Security Manager ESM such as Tivoli Access Manager TAM In some extreme cases IP trace may b...

Page 139: ...entifier ou people ou dept o acme com ou people ou dept o acme com sn sn Admin cn cn wpsadmin ibm primaryEmail ibm primaryEmail wpsadmin acme com uid uid wpsadmin givenName givenName wps preferredLang...

Page 140: ...n in Example 4 16 Example 4 16 WMM returns the group to which the user belongs 8 3 07 11 27 54 750 EDT 00000040 WMM Trace Log com ibm ws wmm MemberRepositoryManager API MemberSet getGroupsForMember Me...

Page 141: ...mupService from the WebSphere Application Server Administrative console and add a custom property with enabled as the name and true as the value You may also want to check the sizes of the Access Cont...

Page 142: ...mm datatype MemberIdentifier com ibm websphere wmm da tatype StringSet 1 securityName WMMRealm testuser1 accessID user WMMRealm uid testuser1 ou people ou dept o acme com is not granted any of the req...

Page 143: ...and manipulates the membership structure without directly accessing the back end user registry After the security is enabled and users are able to log in they often see problems of locating users or g...

Page 144: ...user used in WMM configuration and password is the password for the bind user If you are able to search for users or groups by attributes but there is a problem of finding their membership informatio...

Page 145: ...amic group support An example is groupOfURLs memberURL Another common cause of the search problem is SizeLimitExceededException In wmm xml a default maxSearchResults is defined to be 200 You can manua...

Page 146: ...imilar to those in Example 4 20 Example 4 20 TAI is loaded successfully 8 17 07 16 44 35 608 EDT 2934440 TrustAssociat A SECJ0121I Trust Association Init class com ibm ws security web WebSealTrustAsso...

Page 147: ...ministrative console select Security Global security JAAS Configuration Application Logins Portal_Login JAAS Login Modules com tivoli mts PDLoginModule Custom properties and add debug as the name and...

Page 148: ...teps carefully When configuring SSL make sure you are very clear that in the handshake about which party is the client and which is the server A network diagram should be drawn to show the components...

Page 149: ...set the JSSE trace add a custom property with the name javax net debug and value true in the WebSphere Application Server admin console for the JVM running Before verifying portal server applications...

Page 150: ...136 IBM WebSphere Portal V6 Self Help Guide...

Page 151: ...runtime and services In this chapter we discuss the WebSphere Portal Server V6 0 x runtime architecture and the important components that are involved We will also discuss optimizing the environment...

Page 152: ...and portlets a user has access to and for assembling the appropriate page based on the request made The aggregator has several plug in points or filters with which customers may inject custom processi...

Page 153: ...contains the majority of the JSPs responsible for providing the overall Portal look and feel WebSphere Member Manager WebSphere Member Manager WMM is the component of WebSphere Portal Server that man...

Page 154: ...een want to read or want to share Users can create and edit documents without having to be logged in to WebSphere Portal Users can then upload the documents to Document Manager which allows other auth...

Page 155: ...onfigured while installing WebSphere Portal Server Normally there should not be a need to modify any of the configuration parameters in the DataStore service One important property of the DataStore se...

Page 156: ...To better balance processing power Document Conversion Services can be delegated to a remote server In this case the service is accessed simply with HTTP rather than SOAP or EJB Since WebSphere Portal...

Page 157: ...hen only based on a thorough Java garbage collection GC analysis Remember If you use a big heap then garbage collection will be less frequent but much slower as there is more memory to search through...

Page 158: ...tructure Java and Process Management Process Definition Java Virtual Machine The default and recommended values are shown in Table 5 2 Table 5 2 Additional IBM JVM settings The Xnoclassgc setting prev...

Page 159: ...Just In Time JIT Compiled code Java Native Interface JNI code Native Thread Stacks Inflators Deflators GZipOutputStreams Class Loaded data IBM JVM CPU utilization If a system is observed to consume a...

Page 160: ...equately sized to hold all class loaded data This includes classes loaded at Portal Server runtime startup and dynamically compiled JSPs If the Permanent generation becomes full a Full GC will result...

Page 161: ...urated There also exists the possibility that if one of the back end queues saturates that it will have a knock on effect impacting the other queues in front For example it is not unusual that if a da...

Page 162: ...nt after startup An examination of a Java thread dump will fail to show a thread count matching the minimum thread setting immediately after initialization To view or modify the Web container settings...

Page 163: ...he default and recommended values Table 5 7 Web container custom property settings The ConnectionIOTimeOut setting can be used to override the maximum time in seconds that a Web container waits when t...

Page 164: ...waiting for new connections the timeout is currently measured only on the request waiting at the head of the queue so if the queue is 10 deep the 10th request will wait for 10 timeout periods before...

Page 165: ...token to honor subsequent requests that would otherwise require reauthentication However the LTPA token is in itself subject to expiry even if a user s browser session is maintained Effectively the LT...

Page 166: ...value Table 5 10 Advanced LDAP settings 5 2 8 WebSphere session management tuning User interactions with WebSphere Portal Server are maintained through the use of a HttpSession This provides a way to...

Page 167: ...constructing a Java object for the resulting entity after performing the necessary interaction with the underlying data store However Portal and Portlets do not interface with WMM directly Instead req...

Page 168: ...ctory for example this is the memberOf attribute WMM can be configured to use this attribute when asked by WebSphere Portal Server for the groups for which a user is a member rather than doing an iter...

Page 169: ...tal Configuration Services section of the WebSphere Portal Server Version 6 0 Information Center at http publib boulder ibm com infocenter wpdoc v6r0 topic com ibm wp ent doc wps s rvcfgref html LDAP...

Page 170: ...e misses are observed for a concerned entry when viewed with Performance Viewer However one important parameter found under the Cache Manager Service property settings is the cacheglobal size directiv...

Page 171: ...ct in enabling this functionality as the state must be persisted to the Portal database In most cases disabling this feature is acceptable as Portal navigation is more than intuitive for a user The Co...

Page 172: ...ched response is considered stale in a user s browser Under certain circumstances it may prove necessary to create a session associated with the Portal anonymous front page This is achieved by setting...

Page 173: ...Service Table 5 22 PUMA Service You should ensure that both the user minimum attributes and group minimum attributes settings contain the attributes deemed necessary for your requirements If Portal or...

Page 174: ...ese components in place it is very important to narrow down exactly the failing component in case there is a problem 5 3 2 JVM problems Understanding JVM is very important because the IBM WebSphere pl...

Page 175: ...being executed Use the verbose gc option to look at the state of the Java heap JVM signals in UNIX AIX and Solaris like other UNIX based operating systems make use of signals Signals are of course a m...

Page 176: ...am where two threads DeadLockThread 0 and DeadLockThread 1 were unsuccessfully attempting to synchronize on two java lang Integers You can see in Example 5 3 on page 166 that DeadLockThread 1 has lock...

Page 177: ...on about using tools to analyze hangs and crashes 5 3 3 Some common problems and workarounds There is ample information in the above mentioned IBM Redbooks publication and the InfoCenter about the pro...

Page 178: ...ation portlets Portal administrative users can use the administration portlets to perform administrative tasks and actions on portal resources depending on the access rights that the administrative us...

Page 179: ...ment backup refer to Appendix B Maintenance Fix strategy backup strategy and migration strategy on page 207 Overview of the portal configuration Cloning of a portal Copying parts of a configuration su...

Page 180: ...ationException LDAP error code 49 Invalid Credentials This message can be misleading Solution The LDAP error message Invalid Credentials means that the user name or password are wrong It can also mean...

Page 181: ...al Server V6 InfoCenter for more information about ReleaseBuilder at http publib boulder ibm com infocenter wpdoc v6r0 index jsp topic com ibm wp en t doc wpf dep_rbabout html Portal Scripting Interfa...

Page 182: ...ortal and also some IBM tools such as IBM Tivoli Composite Application Management ITCAM and PV Performance Viewer 5 5 1 What to monitor It is very important to first understand what exactly needs to b...

Page 183: ...reased self sufficiency Any improvement in self sufficiency will greatly increase the chances of reaching your companies project deadlines on a more consistent basis Here we outline the best practices...

Page 184: ...nt when a problem occurs and research is required The tool is especially helpful when a problem requires interaction with the WebSphere Portal Server Level 2 Support team and a PMR and log collection...

Page 185: ...r IBM and attach the collector file at the same time It is simple to do and yet extremely helpful for expediting a solution from IBM So whether you need to find information about a software fix collec...

Page 186: ...ture in place on the machine itself ISA runs as a Web application on a small application server At startup the default behavior for the application server is to dynamically pick an open port The port...

Page 187: ...at http www ibm com developerworks websphere techjournal 0706_supauth 0706_supau th html The ISA training from the IBM Education Assistant found at http publib boulder ibm com infocenter ieduasst v1r...

Page 188: ...r feature to access the available plug ins For WebSphere Portal Server V6 0 we recommend that the following plug ins be installed WebSphere Portal V5 1 WebSphere Portal V6 0 WebSphere Application Serv...

Page 189: ...ote customer self help 175 Next scroll down and choose the plug ins listed in Figure A 2 on page 174 and click the Install button to install the WebSphere Application Server and WebSphere Portal Serve...

Page 190: ...The next best practice step is to get into the habit of opening ISA each morning you begin work Get in the habit of using ISA as your interface access into the world of WebSphere Portal Server suppor...

Page 191: ...to understand any known pitfalls that may cause problems so you can avoid them if possible So in this example we will use the Search feature to search for the string database transfer oracle by enteri...

Page 192: ...you have determined what you believe to be the most relevant and significant error stack from the logs The error stack you are focused on is shown here Caused by java sql SQLException Database wp601 n...

Page 193: ...orks IBM Newsgroups and Forums Google Product Information Centers Since the error is occurring on WebSphere Portal Server V6 0 x we have limited the IBM Software Support Documents search to only WebSp...

Page 194: ...search options click Search and wait for ISA to populate the results in the left hand pane as shown in Figure A 7 Figure A 7 Initial search results As you can see in Figure A 7 the search returns item...

Page 195: ...der IBM Software Support Documents Let us check that result first since it is searching TechNotes So we click the result under IBM Software Support Documents and it shows the search results in the rig...

Page 196: ...powerful collaboration mechanism By accessing the forum you now have access to the knowledge and experience of the collective WebSphere Portal Server user community Once in the WebSphere Portal Server...

Page 197: ...that IBM Level 2 support uses to troubleshoot problems To gain access to the available tools you must first install the individual tool plug ins by using the Updater feature Once in the Updater featur...

Page 198: ...mportant functions Proactively collects logs using the embedded Automated Problem Determination AutoPD log collection mechanism Opens new PMRs through the embedded Electronic Service Request ESR mecha...

Page 199: ...he WebSphere Portal Server environment You attempt to use self help techniques and tools to resolve or rediscover the problem and determine a solution If self help techniques fail to resolve the probl...

Page 200: ...attach the previous log collection to the PMR By doing this task the logs will be made available to the support team at the time the PMR is opened Attention Following this approach to attach the logs...

Page 201: ...next step is to open a PMR with WebSphere Portal Server support To engage WebSphere Portal Server support use the Service feature within ISA to first collect the logs Since the ISA install is remote t...

Page 202: ...ection type Once the log collection is complete move the zip file from the remote WebSphere Portal Server machine locally to the ISA machine Note Review the list of collection scripts and choose the o...

Page 203: ...erested readers Administrators and users of IBM WebSphere Portal are encouraged to visit and monitor the product support page for not only the portal product itself but for all the supporting software...

Page 204: ...ght column usually containing general IBM support information Across the top is the familiar breadcrumb trail that is useful in navigating through the layers of IBM Web pages as shown in Figure A 14 F...

Page 205: ...k presents a list of all available downloads with the most recent added content at the top Visitors seeking more in depth information will find the links in the Learn section particularly useful These...

Page 206: ...are using custom themes and skins throughout After assigning a new theme to the portal s Administration pages the administrator has been unable to assign access to a portlet when using the Manage Por...

Page 207: ...try into the search box The results page looks like Figure A 18 Figure A 18 Results of the search One of the results number 6 at the time of this writing is shown in Figure A 19 Figure A 19 The answer...

Page 208: ...ribing the components shown in number 3 s list above refer to the TechNote Explanation of Functional Areas and Components of IBM WebSphere Portal and WebSphere Portal Express version 6 0 http www ibm...

Page 209: ...docview wss rs 688 uid swg21236371 as shown in Figure A 22 Figure A 22 MustGather Read first page This page is currently available for Versions 6 0 5 1 and 5 0 Future releases will be added as they be...

Page 210: ...rtlets to use in your environment Some are free some are limited use and others are available for charge only Product support life cycle This page lists the various releases of the WebSphere Portal fa...

Page 211: ...the Information Centers and abstracts for white papers and highlighted TechNotes It is often more useful to remember where you have seen some information for future reference rather than the complete...

Page 212: ...phere Portal Server RSS feed is a great way to receive the most current news and technical updates about WebSphere Portal Server How do RSS feeds help The best way to state the value of RSS feeds is t...

Page 213: ...s one place that leads you to the most accessed supported pages regardless of what IBM products you are using It allows you to quickly search your choice of content residing on several of IBM s server...

Page 214: ...Support button allows quick access to general IBM support tools including IBM ID registration This tool is needed to access many IBM Web sites Electronic Service Request ESR This tool is used to manag...

Page 215: ...tton WebSphere button The WebSphere button allows quick access to product specific support tools including Quick access to product specific software and support pages Quick access to newsgroups and fo...

Page 216: ...fectively to meet your business requirements Modules consist of the following types of content Presentations many with audio Provide an overview of a product or technology or a more in depth look at a...

Page 217: ...e following link http www 306 ibm com software info education assistant From this page you can link to content by brand See Figure A 28 Figure A 28 IBM Education Assistant main page Best practices Whe...

Page 218: ...s a new tool that brings together all three of these support elements information tools and processes to help you solve problems in an easier and more consistent manner IGAA takes you step by step thr...

Page 219: ...At each point along the path additional information is only a click away if you need specific details about any step in the problem determination workflow While the primary goal of IGAA is to guide yo...

Page 220: ...t Practices can be found in this particularly useful document The Support Authority Introducing the IBM Guided Activity Assistant This document can be found at http www ibm com developerworks webspher...

Page 221: ...rights reserved 207 Appendix B Maintenance Fix strategy backup strategy and migration strategy This appendix discusses best practice approaches and procedures used during the maintenance phase of a W...

Page 222: ...nd node agents are stopped The remaining clustered nodes continue to operate and maintain 24x7 operations After the backups are complete on the first group of Portal nodes those nodes are brought back...

Page 223: ...wo sections of five nodes each 4 Stop the individual Portal application servers on nodes 1 through 5 using the Deployment Manager Administrative Console 5 Stop the node agents for nodes 1 through 5 us...

Page 224: ...Manager server from the command line Once again these steps are not meant to provide a detailed step by step procedure but rather an approach to implementing a backup and recovery procedure for WebSp...

Page 225: ...nes an APAR as A formal report to IBM development of a problem caused by a suspected defect in a current unaltered release of an IBM program An APAR may also be used by development to document new fun...

Page 226: ...ave a Refresh Pack available as well for existing customers to install into their existing environment Fix Pack This is the standard delivery for updates it has been fully regression tested by IBM pri...

Page 227: ...the current list of recommendations for WebSphere Portal in the TechNote Recommended fixes and updates for WebSphere Portal 7007603 Customers are recommended to use this as a foundation for understand...

Page 228: ...ng proven in their own QA systems When a new Fix Pack or other higher level MDV is available it is installed on a QA environment to begin thorough testing within the local environment to ensure no pro...

Page 229: ...formation Center regarding the installation of fixes in a clustered environment as covered in the topic Installing interim fixes on a cluster node which can be found at http publib boulder ibm com inf...

Page 230: ...the Web Page or Web Clipping portlet can be found by searching on the portlet s name on the catalog s main page as shown in Figure B 1 Figure B 1 Search box on the catalog The search results should i...

Page 231: ...ot cover WebSphere Portal deployed on OS 390 It does however apply to the portal installed on the supported distributions of Linux on System z SUSE and Red Hat because the operating system is so simil...

Page 232: ...oulder ibm com infocenter wpdoc v6r0 index jsp topic com ibm wp en t doc wpf portalupdateinstaller html Keep backup copies of the fixes you have installed also off of the server to which they have bee...

Page 233: ...mote Log Collector utility http www 306 ibm com software support isa to capture the diagnostic data and log files necessary to find the root cause of the problem Appendix A Using IBM tools to find sol...

Page 234: ...ortal Server artifacts that will be filtered out from the source server are the old WebSphere Portal Server administration portlets The last part of the core migration is importing the edited XML file...

Page 235: ...lp identify the problem The following log files are used during the migration to track the progress of the migration task and will display errors that occur wp_root log MigrationMessages log wp_root l...

Page 236: ...very common point of failure that can have several causes In this task the WebSphere Portal Server exports the groups from the V5 1 system to create an XML file that will then be used to import the g...

Page 237: ...ime if your theme will require changes It is best to hold onto the file changes and add them after the migration finishes Custom portlets As with themes and skins most WebSphere Portal Server V5 1 por...

Page 238: ...o contact WebSphere Portal Server Level 2 support Before doing this task it will speed the PMR resolution if you collect the WebSphere Portal Server V6 migration mustgather document before opening a P...

Page 239: ...Migrating from V5 1 REDP 4227 WebSphere Portal V5 0 Production Deployment and Operations Guide SG24 6391 WebSphere Portal Version 6 Enterprise Scale Deployment Best Practices SG24 7387 WebSphere V3 5...

Page 240: ...226 IBM WebSphere Portal V6 Self Help Guide...

Page 241: ......

Page 242: ...avoidance determination and resolution Best practices for security and maintenance This IBM Redpaper focuses on considerations for the optimal configuration and use of IBM WebSphere Portal Server We p...

Reviews:

No comments

Related manuals for BS029ML - WebSphere Portal Server

Brand: 3Com Pages: 4

Brand: CSSN Pages: 8

Brand: Olympus Pages: 149

Brand: I-Data Pages: 79

DEEP FREEZE - INTEGRATING WITH ALTIRIS...

Brand: FARONICS Pages: 22

NeatWorks For Mac

Brand: NeatWorks Pages: 33

Brand: Panasonic Pages: 27

LUMIX Simple Viewer

Brand: Panasonic Pages: 32

TI InterActive!

Brand: Texas Instruments Pages: 63

Brand: GRASS VALLEY Pages: 44

Brand: Oracle Pages: 224

Application Server 10.1.3.4

Brand: Oracle Pages: 170

REGISTRYBOOSTER 2010 - V1

Brand: UNIBLUE Pages: 11

Digital Vintage Reverb DVR2

Brand: TC Electronic Pages: 16

Brand: Guzik Pages: 29

Brand: HP Pages: 210

Brand: HP Pages: 3

D300s - Evo - 128 MB RAM

Brand: HP Pages: 2

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands