Sun Java System Portal Server 6 2004Q2 Administration Guide 

Chapter 3
Administering Authentication, Users, and Services

This chapter describes how to use Sun Java™ System Identity Server to administer authentication, users, and services. This chapter does not attempt to explain all aspects of Identity Server. Instead, it focuses on those aspects that pertain to Sun Java™ System Portal Server. See the Identity Server documentation for more information.

This chapter contains these sections:


Overview of Sun Java System Identity Server

In Sun Java System Portal Server (formerly Sun™ ONE Portal Server) implementations, you administer authentication methods, create domains, roles and users, and manage other data, such as profile attributes and logs, through the product itself. You also use the iPlanet Portal Server 3.0 APIs to develop custom applications.

Now, with Sun Java System Portal Server 6 2004Q2 product, you use Identity Server administrative capabilities and APIs formerly found within iPlanet Portal Server 3.0 itself. Identity Server is a set of tools that leverage the management and security potential of Sun Java™ System Directory Server. The goal of Identity Server is to provide an interface for managing user objects, policies, and services for organizations using the Sun Java System Directory Server.

Identity Server enables:

You access all three of these functions through a graphical user interface, the web-based Identity Server admin console. In addition, the command-line interface, amadmin, enables you to perform batch administrative tasks on the directory server. For example, you can create, register, and activate new services; and create, delete, and read (get) organizations, people containers, groups, roles, and users.

Summary of Identity Server Features

Identity Server provides the following management components. Previously, these components resided within the Portal Server 3.0 framework itself.

Comparison: Portal Server 3.0 and Portal Server 6.2

Table 3-1 provides an overview of the major changes that have taken place in the Portal Server product. Many functions and features that previously were part of the Sun ONE Portal Server 3.0 (formerly iPlanet Portal Server 3.0) product are now part of Identity Server. In the table, the first column lists a concept or term, the second column defines the function or feature for that term in the Sun Java System Portal Server 3.0 product, and the third column describes the corresponding feature or function in the Sun Java System Portal Server 6 2004Q2 product.

Table 3-1   Sun Java System Portal Server 3.0 to Sun Java System Portal Server 6 2004Q2 Comparison 

Concept or Term

Sun Java System Portal Server 3.0

Sun Java System Portal Server 6 2004Q2

Role tree

A hierarchy you configure within Sun Java System Portal Server 3.0 to organize users and applications. The four levels of the role tree are:

  • root
  • domain
  • role
  • user

Concept of role tree no longer applies.

Instead, because Identity Server leverages the capability of Sun Java System Directory Server, you use the Directory Information Tree (DIT) to organize your users, organizations, suborganizations, and so on.

Domain/Organization

A top-level grouping of users with common interests, such as employees or customers. Note that this is not a DNS domain, but a means that Sun Java System Portal Server 3.0 uses to group users into logical communities.

Concept of domain no longer applies. Instead, the Identity Server organization represents the top level of a hierarchical structure used by an enterprise to manage its departments and resources.

Upon installation, Identity Server asks for the root suffix, and the default is derived from the domain name (for example, for the domain sun.com, the default is dc=sun, dc=com). Additional organizations can be created after installation to manage separate enterprises. All created organizations fall beneath the top-level organization. Within these suborganizations other suborganizations can be nested. There is no limitation on the depth of the nested structure.

Role

Divides the members of a domain according to function. The role contains a set of attributes and policies that define a user’s Desktop policy.

Contains a privilege or set of privileges that can be granted to a user or users. This includes access and management of identity information stored in Sun Java System Directory Server and access to privileges protected by the Identity Server policy module. An Identity Server role also has a profile associated with it, which is stored in the class-of-service template.

Role is defined differently in Identity Server: a single user can have multiple roles, which was not previously supported.

The privileges for a role are defined in access control instructions (ACIs). The Identity Server includes several predefined roles. The Identity Server Console allows you to edit a role’s ACI to assign access privileges within the Directory Information Tree.

Attribute

Supports two types of attributes: global and user-configurable. Global attributes apply to the entire platform and are configured only by the Super Administrator. User-configurable attributes apply to underlying levels of the role tree, as described in the following sections. A delegated Domain Administrator can configure these attributes for the domain, parent role, child role, and user levels. At the user level of the role tree, some attributes can be customized for each user, as needed.

Makes use of Identity Server attributes, which can be one of the following types:

  • Global—The values applied to the global attributes are applied across the Identity Server configuration and are inherited by every configured organization.
  • Dynamic—A dynamic attribute can be assigned to an Identity Server configured role or organization. When the role is assigned to a user or a user is created in an organization, the dynamic attribute then becomes a characteristic of the user.
  • Organization—These attributes are assigned to organizations only. In that respect, they work as dynamic attributes. They differ from dynamic attributes, though, as they are not inherited by entries in the subtrees.
  • User—These attributes are assigned directly to each user. They are not inherited from a role or an organization and, typically, are different for each user.
  • Policy—Policy attributes are privilege attributes. Once a policy is configured, they may be assigned to roles or organizations. That is the only difference between dynamic and policy attributes; dynamic attributes are assigned directly to a role or an organization and policy attributes are used to configure policies and then applied to a role or an organization.

Policy

Configures portal access policies to applications, the Desktop, NetFile, Netlet, and so on.

Rules that define who can do what to which resource. The Identity Server Policy Service allows an organization to set up these rules or policies. In general, policy is created at the organization (or suborganization) level to be used throughout the organization’s tree. In order to create a named policy, the specific policy service must first be registered to the organization under which the policy will be created.

In Sun Java System Identity Server 6 2004Q2, the policy service consists only of lists of URLs that are allowed or denied. This is not sufficient for Portal Server to build a policy-based Desktop for content. This is why policy for channel access is built into the display profile for the Desktop. The Portal Server 6 2004Q2 Desktop supports a display profile that allows lists of channels to be merged from several roles. If, for example, you have 25 roles, each with a handful of channels associated with that role, users can be configured to have any number of those roles, and the Desktop they get will then provide the aggregation of all those roles. Merge semantics control how channels from the various roles are aggregated or merged. For the purpose of merging display profiles, a hierarchical ordering is imposed on the roles in the Portal Server. The merge begins with the lowest priority document (lowest number) and proceeds in increasing priority number, until it arrives at the user (base), the highest priority profile. See Chapter 7, "Administering the Display Profile" for information on merging display profiles.

Component/Service

The four major components of Portal Server 3.0 are the server itself, the profile server, the gateway, and the firewall.

Component has been replaced by the Identity Server service, which is a group of attributes defined under a common name. The attributes define the parameters that the service provides to an organization. Identity Server is the service framework.

Sun Java System Portal Server 6 2004Q2 relies on Identity Server to provide core services, such as authentication, user management, and policy management, as well as for the framework to run Portal Server specific services (Desktop, NetMail, Rewriter, and Search).

Administrative interfaces

Provides its own admin console to administer only Portal Server 3.0 components.

The command-line interface is ipsadmin.

Uses the Identity Server admin console to administer Identity Server services, users, and policy, as well as Sun Java System Portal Server specific services (Desktop, NetMail, Rewriter, and Search.)

The command-line interfaces that replace ipsadmin are amadmin, dpadmin, and rwadmin.

Comparison: Portal Server 6.0 and Portal Server 6.2

Table 3-2 provides an overview of the changes that have taken place between the Portal Server 6.0 product and the Portal Server 6.2 product. In the table, the first column lists a concept or term, the second column defines the function or feature for that term in the Sun Java System Portal Server 6.0 product, and the third column describes the corresponding feature or function in the Sun Java System Portal Server 6.2 product.

Table 3-2   Sun Java System Portal Server 6.0 to Sun Java System Portal Server 6 2004Q2 Comparison 

Concept or Term

Sun Java System Portal Server 6.0

Sun Java System Portal Server 6 2004Q2

Policy

Assign a policy to users. Once a policy has been named and created, it can be assigned to the organization or role. Assigning a policy at the organization level makes its attributes available to all entries in the organization. Assigning policy to a role makes its attributes available to all users who contain the role attribute.

Delegate an organization’s policy definitions and decisions to another organization. (Alternately, policy decisions for a resource can be delegated to other policy products.) A referral policy controls this policy delegation for both policy creation and evaluation.

Create a normal policy to define access permissions. A normal policy can consist of multiple rules, subjects, and conditions.

Authentication menu

The authentication menu configuration feature provided by the Sun ONE Identity Server 5.1 administration console supports a menu of authentication modules selected by the user.

If you need to configure a selectable list of valid authentication modules, use the Sun Java System Identity Server administration console to set each authentication module with the same value in the authentication level attribute. Refer to Chapter 3, "Administering Authentication, Users, and Services" for information on configuring authentication modules.

Identity Server Constraints

When using Identity Server, the following constraints apply:

Identity Server Interfaces

Identity Server Admin Console

This browser-based console provides a graphical user interface to manage the Identity Server enterprise, including Sun Java System Portal Server services. The admin console has default administrators with varying degrees of privileges used to create and manage the services, policies and users. (Additional delegated administrators can be created based on roles.) See Chapter 4, "Configuring Delegated Administration" for more information.

The Identity Server admin console is divided into three sections: the location pane, the navigation pane, and the data pane. By using all three panes you navigate the directory, perform user and service configurations, and create policies.

See Chapter 1, "Introduction to Administering the Sun Java System Portal Server" for more information.

Identity Server Command-Line

The Identity Server command-line interfaces are amadmin, to administer the server, and amserver, to stop and start the server process. amadmin is also used to load XML service files into the directory server and to perform batch administrative tasks on the directory tree. The iPlanet™ Portal Server 3.0 command-line interfaces, ipsadmin and ipsserver, are no longer used.

For more information on amadmin, see the Identity Server documentation.


Logging In to the Identity Server Admin Console

You can log in to the Identity Server console in two ways:

When you log in to the admin console, the capabilities that are presented to you depend on your access permissions. Access permissions are determined based on the ACIs or roles assigned to you. For example, the superuser sees all of the admin console’s functionality; a delegated administrator might only see a subset of this functionality, perhaps for a suborganization; end users see only the user attributes pertaining to their particular user ID.

Currently, there are two URLs available for logging in to the admin console:

The /amconsole URL explicitly requests the HTML pages for the Identity Server admin console. If you log in using /amconsole, the admin console is displayed and the URL then changes to /amserver/UI/login so that the user can authenticate. Regardless of the configuration, this URL can be used to access the admin console.

The /amserver URL requests the HTML pages for the Identity Server service. Although the default setup when Sun Java System Portal Server is installed is to redirect this URL to log in to the admin console, because the /amserver URL accesses the Identity Server service this URL can be used to make other services besides the console available. For example,

To log in to the Identity Server admin console

Configuring Log in to the Admin Console Using an IP Address

You cannot log in to the Identity Server admin console by using the server’s IP address. This is because of the cookie domain settings in Identity Server.

However, you can add the local host’s IP address to the list of Cookie Domains on the admin console.

  1. Select Service Configuration from the location pane.
  2. Click Platform.
  3. Add your local host’s IP address to Global.

You should now be able to access the admin console with the IP address rather than the domain name.


Viewing Basic Information

A script is available to display basic information about the product, such as the version and build date of the Sun Java System Portal Server, as well as the version and build date of a jar file. The version script is installed in the portal-server-installation-root/SUNWps/bin directory, where portal-server-installation-root is the base directory in which you installed the Sun Java System Portal Server. The default is /opt.

To view product information:

  1. Change directories to the directory where the script is installed. That is:

     cd portal-server-installation-root/SUNWps/bin

  2. To view information about the Sun Java System Portal Server, type

     ./version

  3. To view information about the jar file on the Sun Java System Portal Server, type

     ./version jar-file

     where jar-file is the name of the jar file.


Starting and Stopping Sun Java System Portal Server

This section describes how to stop and start Sun Java System Portal Server. Because Sun Java System Portal Server depends on Identity Server, you do not start and stop Sun Java System Portal Server directly. You need to restart the Identity Server server itself.

These instructions may vary with the web container. See the Sun ONE Portal Server 6 2004Q2 Developer’s Guide for more information.

The Sun Java System Portal Server supports various platform locales. To start the Sun Java System Portal Server with a value other than the installed default see the Sun ONE Portal Server 6 2004Q2 Developer’s Guide.


Managing Identity Server Services

This section provides an introduction to Identity Server services used by Sun Java System Portal Server. See the Identity Server documentation for complete information.

Installation and Sun Java System Web Server Packaging

User Management

Single Sign-On/Authentication

Service Management

Sun Java System Portal Server 6 2004Q2 defines the following Identity Server services:


Managing Sun Java System Portal Server Users

The Directory Information Tree (DIT) organizes your users, organizations, suborganizations, and so on into a logical or hierarchical structure that enables you to efficiently administer and assign appropriate access to the users who hold those roles or are contained within those organizations. This section helps you plan the directory structure or tree underlying your portal server implementation by describing the functions and capabilities of organizations, suborganizations, and roles, and by providing procedures for creating and managing organizations, roles, and users.


Note

Sun Java System Portal Server 6 2004Q2 supports organizations; previously, Sun Java System Portal Server 3.0 used the concept of domains.


The top of the organization tree in Identity Server is specified at install time. Additional organizations can be created after installation to manage separate enterprises. All created organizations fall beneath the top-level organization. Within these suborganizations other suborganizations can be nested. There is no limitation on the depth of the nested structure.


Note

The top of the tree does not have to be called isp. It can be called anything. However, if the tree is organized with a generic top, for example isp, then organizations within the tree can share roles.


Roles are a new grouping mechanism that is designed to be more efficient and easier to use for applications. Each role has members, or entries that possess the role. As with groups, you can specify role members either explicitly or dynamically. The roles mechanism automatically generates the nsRole attribute containing the DN of all role definitions in which the entry is a member. Each role contains a privilege or set of privileges that can be granted to a user or users. In Sun Java System Portal Server 6 2004Q2, multiple roles can be assigned to a single user. The privileges for a role are defined in Access Control Instructions (ACIs). The Sun Java System Portal Server includes several predefined roles. The Identity Server console allows you to edit a role’s ACI to assign access privileges within the Directory Information Tree. Built-in examples include Top-level Admin Role and Top-level Help Desk Admin Role. You can create other roles that can be shared across organizations.

Planning Organizations, Suborganizations, and Roles

As you plan your DIT structure, you need to decide whether to use a hierarchical or flat tree structure. As a general rule, you should strive to make your tree as flat as possible. However, as the size of your organization grows, a certain amount of hierarchy is important to facilitate granting and managing user access. The three key structural entities in Identity Server for building your DIT structure are organizations (or suborganizations), roles, and users. Before you plan your structure, you should understand the functions, characteristics, and interrelationships of each of these entities.

Organizations and Suborganizations

Roles

Users

Scenario 1: Hierarchical Structure with Suborganizations and Roles

Although you should strive for as flat a structure as possible, some hierarchy is useful to provide necessary groupings. The high-level steps to create a hierarchical structure are:

  1. Create a top-level organization.
  2. Identify all the functional or organizational groupings of users in your enterprise and determine for which ones you want to create a DIT structural entity, that is, ones that need to have specific privileges. Typically this should be only the largest subdivisions in your enterprise and the administrators for managing them. Use names that are generic or functional, so that reorganizations and name changes will not be problematic.
  3. For each DIT entity that has some affiliation with the top-level organization, create either a suborganization (that is, an organization under another organization in the Identity Server world) or a role for that entity.
  4. Use the following guidelines to decide whether to use a suborganization or role:

    • Define a suborganization for entities that contain groupings of users with similar access needs. Typically this will be broad functional or organizational entities for which a single set of permissions could be assigned.
    • Define a role if it is possible that users in the child organizations need to have this role. All users belong to an organization or suborganization. If they do not have any roles assigned to them, they inherit their permissions from the organization in which they reside. Therefore, if you want a user to have attributes from both the organization they reside in and any parent organizations, you must use the role mechanism and assign them multiple roles.
  5. For each role, define a RoleAdministratorRole to manage the role. Then set the ACIs appropriately (management privileges: add or delete users, modify role attributes, and so on).
  6. Define the users who will access your enterprise. If users are inheriting their privileges from their organization, place them in the appropriate organization. If users are receiving their privileges through role assignments, they must be placed so that they are within the role’s scope, that is, within the organization or a child of the organization in which the role is defined.

Figure 3-1 illustrates a hierarchical directory structure. In this figure, the top-level organization is Sesta.com. Directly beneath the top level are the SestaAdminRole to administer the organization and the Corporate and Partners suborganizations. The Corporate organization has three suborganizations: Finance, Operations, and Sales. Because there are multiple types of users within the Sales organization, two roles are defined: SalesRole1 and SalesRole2. Within the Partners organization there are three suborganizations: Partner1, Partner2, and Partner3. Each of these organizations requires its own administrator, so three roles are defined and each one is associated with the appropriate organization. The partner roles are PartnerAdmin1, PartnerAdmin2, and PartnerAdmin3.

Figure 3-1  Hierarchical Directory Structure

This figure illustrates a hierarchical directory structure. See the text preceding the figure for details on the structure.

Scenario 2: Flat Tree Structure

If your organization changes often, a flatter or even totally flat tree structure may be appropriate. A structure with one organization, with one People container, and roles all at the same level is often useful if your enterprise changes frequently. With one organization, enterprise changes will not impact your DIT. All access privileges will be defined using roles and since all users are in the single People container and all roles are at the same level, any user can be assigned any role.

Figure 3-2 illustrates a flat directory structure. In this figure, the top-level and only organization is Sesta.com. All entities are defined directly beneath this top-level organization. They include the SestaAdminRole to administer the organization, four roles for the various corporate functions needed by the Finance, Operations, Sales1 and Sales2 users, and six roles for the user functions required by the partners: Partner1Role, Partner2Role, Partner3Role, Partner1AdminRole, Partner2AdminRole and Partner3AdminRole.

Figure 3-2  Flat Directory Structure

This figure illustrates a flat directory structure. See the text preceding the figure for details on the structure.
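The role-scope rule of Scenario 1 (a role reaches only users placed in the organization where it is defined, or in a child of it; users without an effective role fall back to their organization) and the "any user, any role" property of Scenario 2, as an added illustrative model that is not part of this guide or of the product. It uses the Figure 3-1 and Figure 3-2 trees with constructed DNs; the corporate role names in the flat tree and the People container DN are assumptions, and compute_nsrole() only imitates what Directory Server does when it generates nsRole.

```python
"""Illustrative model of role scope in an Identity Server DIT.

Added example, not product code. It encodes two rules from this chapter:
a role is effective for a user only if the user resides in the organization
where the role is defined or in a child of that organization, and a single
user may hold several roles at once. Users with no effective role inherit
their permissions from the organization in which they reside.
DN handling is deliberately simplified (exact string suffix match)."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class Role:
    name: str
    org: str                      # DN of the organization that defines the role

    @property
    def dn(self) -> str:
        return f"cn={self.name},{self.org}"


@dataclass
class User:
    uid: str
    org: str                      # DN under which the user entry is placed
    role_dns: List[str] = field(default_factory=list)   # explicit nsRoleDN values


def in_scope(user_org: str, role_org: str) -> bool:
    """True if user_org is role_org itself or an entry nested beneath it."""
    return user_org == role_org or user_org.endswith("," + role_org)


def compute_nsrole(user: User, roles: List[Role]) -> List[str]:
    """Effective role DNs (what Directory Server would place in nsRole):
    assigned AND within scope. Unknown or out-of-scope DNs are dropped."""
    known = {r.dn: r for r in roles}
    return [dn for dn in user.role_dns
            if dn in known and in_scope(user.org, known[dn].org)]


def permission_source(user: User, roles: List[Role]) -> Tuple[str, List[str]]:
    """('role', [dns]) when at least one role is effective, otherwise
    ('organization', [user.org]) because permissions are inherited."""
    effective = compute_nsrole(user, roles)
    return ("role", effective) if effective else ("organization", [user.org])


# --- Figure 3-1: hierarchical tree (constructed DNs) ------------------------
TOP = "o=Sesta.com"
CORP = f"o=Corporate,{TOP}"
FINANCE = f"o=Finance,{CORP}"
SALES = f"o=Sales,{CORP}"
PARTNERS = f"o=Partners,{TOP}"
PARTNER1 = f"o=Partner1,{PARTNERS}"

SESTA_ADMIN = Role("SestaAdminRole", TOP)
SALES_ROLE1 = Role("SalesRole1", SALES)
SALES_ROLE2 = Role("SalesRole2", SALES)
PARTNER_ADMIN1 = Role("PartnerAdmin1", PARTNER1)
HIER_ROLES = [SESTA_ADMIN, SALES_ROLE1, SALES_ROLE2, PARTNER_ADMIN1]


def hierarchical_scenario() -> dict:
    """Users placed in suborganizations; roles are scoped to those suborganizations."""
    users = [
        User("sales1", SALES, [SALES_ROLE1.dn, SALES_ROLE2.dn]),   # two roles, both in scope
        User("fin1", FINANCE, [SALES_ROLE1.dn]),                   # Finance lies outside Sales: no effect
        User("fin2", FINANCE),                                     # no roles: inherits from Finance
        User("p1admin", PARTNER1, [PARTNER_ADMIN1.dn, SESTA_ADMIN.dn]),  # top-level role reaches a grandchild org
    ]
    return {u.uid: permission_source(u, HIER_ROLES) for u in users}


# --- Figure 3-2: flat tree, every role defined at the top-level organization -
FLAT_ROLES = [Role(n, TOP) for n in
              ("SestaAdminRole", "FinanceRole", "Sales1Role",      # corporate names are assumed
               "Partner1Role", "Partner1AdminRole")]
PEOPLE = f"ou=People,{TOP}"   # assumed DN of the single People container


def flat_scenario() -> dict:
    """One organization, one People container, all roles at the same level:
    every user is in scope of every role, so any user can be assigned any role."""
    by_name = {r.name: r for r in FLAT_ROLES}
    users = [
        User("fin1", PEOPLE, [by_name["FinanceRole"].dn]),
        User("p1admin", PEOPLE, [by_name["Partner1Role"].dn,
                                 by_name["Partner1AdminRole"].dn,
                                 by_name["FinanceRole"].dn]),
    ]
    return {u.uid: compute_nsrole(u, FLAT_ROLES) for u in users}


if __name__ == "__main__":
    for uid, (src, dns) in hierarchical_scenario().items():
        print(f"{uid:8} permissions from {src}: {dns}")
    for uid, dns in flat_scenario().items():
        print(f"{uid:8} nsRole: {dns}")
```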

Creating New Organizations and Suborganizations

Organizations and suborganizations allow you to structure and group users for administration and access control purposes. Once you have determined the hierarchy or structure for your enterprise you must create the necessary organizations and suborganizations to implement it. By default, when you create a new organization or suborganization, there are no services, policies, users, or roles defined for it. Therefore, whenever you create a new organization or suborganization, you need to perform the following high-level steps to configure it:

  1. Register all the services you want available to the organization. See To Register a Service for information. Typically, at a minimum you will want to register the following services:
    • Authentication. The Core authentication service and any authentication service that users in the organization will use to authenticate (LDAP, anonymous). See Configuring Authentication for further information.
    • URL Policy Agent.
    • User.
    • Portal Server Configuration. Any Portal Server services you want to enable for users in the organization (Portal Desktop and NetMail).
  2. Create templates for each of the registered services. See To Create a Template for a Service for more information.
  3. Create the policies needed to grant users within the organization access privileges. See Overview of How Sun Java System Portal Server Uses Policy Management for more information on using policies.
  4. Add users to the organization. See To Add a New User for information.
  5. Create and assign any roles you want in the organization. See To Create a New Role and To Assign a Role to a User for information.
  6. Configure the services enabled for your organization. To configure the Desktop, see Chapter 5, "Administering the Portal Desktop Service" for information. To configure NetMail, see Chapter 8, "Administering the NetMail Service".

For a quickstart procedure to create a new organization and configure it to use portal, see Creating a New Portal Organization Quick Start.

To Create a New Organization or Suborganization

See Planning Organizations, Suborganizations, and Roles for recommendations on how to plan your organizations and suborganizations for use with Sun Java System Portal Server.

  1. Log in to the Sun Java System Identity Server administration console as administrator.
     By default, Identity Management is selected in the location pane and all created organizations are displayed in the navigation pane.
  2. If you are creating a suborganization, use the navigation pane to select the organization where the suborganization will be created.
  3. Click New in the navigation pane.
     The New Organization page displays in the data pane.
  4. Type a value for the name of the organization or suborganization in the New Organization page.
  5. Choose a status of Active or Inactive.
     The default is Active. This can be changed at any time during the life of the organization or suborganization by selecting the properties arrow. Choosing Inactive disables log in to the organization or suborganization.
  6. Click Create.
     The new organization or suborganization displays in the navigation pane.
  7. Choose Services from the View menu.
  8. Click Register.
  9. Enable the Desktop service for the new organization.
    1. Select Identity Management from the location pane.
    2. Select Organizations from the View menu.
    3. Select the newly created organization.
    4. Select Services from the View menu.
    5. Select Portal Desktop.
    6. Change the value from DummyChannel to JSPTabContainer (or the name of the top-level container that will be used by the new organization) in Default Channel Name.
    7. Change the value from default to sampleportal (or the desktop type that will be used by the new organization) in Portal Desktop Type.

To Register a Service

  1. Log in to the Sun Java System Identity Server administration console as administrator.
     By default, Identity Management is selected in the location pane and Organizations is selected in the navigation pane.
  2. Navigate to the organization or suborganization for which you want to register a service.
  3. Choose Services from the View menu in the navigation pane.
  4. Click Register.
  5. Select the service or services to register from the data pane and click Save.

To Create a Template for a Service

  1. Log in to the Sun Java System Identity Server administration console as administrator.
     By default, Identity Management is selected in the location pane and Organizations is selected in the navigation pane.
  2. Navigate to the organization or suborganization where the registered service exists.
  3. Choose Services from the View menu in the navigation pane.
  4. Click the properties arrow next to the registered service.
  5. Accept or modify the default attribute values for the service and click Save.


    Note

    For the LDAP and POLICY CONFIGURATION services, blank password fields are located under the DN for Root User Bind (cn=amldapuser,...). This password needs to be supplied and saved to properly configure the policy and LDAP configurations. The password is NOT the same as the admin user password. Ask your UNIX administrator for these passwords.


    For information on setting Identity Server specific service attributes, see the Identity Server Administration Guide. For information on setting Sun Java System Portal Server specific service attributes, see the appropriate appendix in this guide.

To Add a New User

  1. Log in to the Sun Java System Identity Server administration console as administrator.
     By default, Identity Management is selected in the location pane and Organizations is selected in the navigation pane.
  2. Navigate to the organization or suborganization where the user will be created.
  3. Choose Users from the View menu and click New.
     The New User page appears in the data pane.


    Note

    If you do not see Users but instead see People Containers in the drop-down menu, make sure you have set the Show People Containers attribute for your organization or at some level above it. This is set in the Identity Server Services under Administration.

    Users always go into the People Container, but unless the Show People Containers attribute is selected, you see and interact with them directly under the organization. Show People Containers is not set by default.


  4. Select the services to assign to the user and click Next.
    1. Select the user in the navigation pane and click the Properties arrow.
    2. Select Services from the View menu.
    3. Click Add to choose the services to assign to the user.
    4. Click Save.
    5. Typically, at a minimum you will want to register the Portal Desktop, Authentication Configuration, and Subscription services for most users.
  5. Enter the user information and click Create.
     The new user appears in the navigation pane.

To Add a Service to a User

  1. Log in to the Sun Java System Identity Server administration console as administrator.
     By default, Identity Management is selected in the location pane and Organizations is selected in the navigation pane.
  2. Navigate to the organization or suborganization where the user will be created.
  3. Choose Users from the View menu.
  4. Select the user in the navigation pane and click the Properties arrow.
  5. Select Services from the View menu.
  6. Click Add to choose the services to assign to the user.
  7. Check the services and click Save.
     Typically, at a minimum you will want to register the Portal Desktop and Subscription services for most users.

To Create a New Role

  1. Log in to the Sun Java System Identity Server administration console as administrator.
  2. By default, Identity Management is selected in the location pane and Organizations is selected in the Navigation pane.

  3. Navigate to the organization or suborganization where the role will be created.
  4. Choose Roles from the View menu and click New.
  5. The New Role page appears in the data pane.

  6. Enter the role information (Name, Description, Role Type, Access Permissions) and click Create.
  7. The new role appears in the navigation pane.


    Note

    If you are creating a customized role for delegated administration, you must have previously defined the ACI privileges for the role. See Chapter 4, "Configuring Delegated Administration" for information.


To Assign a Role to a User

  1. Log in to the Sun Java System Identity Server administration console as administrator.
  2. By default, Identity Management is selected in the location pane and Organizations is selected in the Navigation pane.

  3. Navigate to the organization or suborganization that contains the user.
  4. Choose Users from the View menu.
  5. Click the properties arrow next to the user who will be assigned the role.
  6. The user profile information appears in the data pane.

  7. Click Roles from the View menu in the data pane.
  8. The Add Roles page appears.

  9. Check the box next to the roles to assign and click Save.
  10. The Roles for this User box is updated with the assigned roles.

  11. Click Save to save the changes.

Enabling Existing Users to Access the Sun Java System Portal Server

When you install the Sun Java System Portal Server on an existing instance of Identity Server, users are not registered to use the Sun Java System Portal Server Desktop. In order to allow users to access the Desktop, you must enable them. Use the following procedures to enable users in the default organization or in another organization.

To Enable Users in the Default Organization

Before you start, you need to obtain some configuration information. If you do not know all the details of the configuration, the values can be read from the /var/sadm/pkg/SUNWps/pkginfo file.


    Note

    The commands below pass the directory manager password on the command line with -w, where other users of the host can read it from the process list while the command runs, and they write to fixed file names under /tmp. Run them on a host where this is acceptable, and remove the temporary files as the last step instructs.


  1. Determine or retrieve the following information from the /var/sadm/pkg/SUNWps/pkginfo file:
     • The distinguished name for the directory manager (referred to as DS_DIRMGR_DN). Default value is cn=Directory Manager.
     • The directory manager password (referred to as DS_DIRMGR_PASSWORD).
     • The fully qualified domain name of the directory server (referred to as DS_HOST).
     • The port on which the directory server runs (referred to as DS_PORT). Default value is 389.
     • The root suffix of the directory tree (referred to as DS_ROOT_SUFFIX). Default value is dc=orgname,dc=com (such as dc=sun,dc=com).
     • The default organization of the Sun Java System Portal Server installation (referred to as DS_DEFAULT_ORG). Default value is o=domain-name.
     • The base directory of the Sun Java System Portal Server installation (referred to as BaseDir). Default value is /opt.
  2. Change directories to the Identity Server utilities directory. For example, if the base directory is /opt, enter:

     cd /opt/SUNWam/bin

  3. Generate the list of user DNs. Because DS_DIRMGR_DN normally contains a space (cn=Directory Manager), quote it. If the root suffix of the directory server and the default organization are not the same, execute the following command:

     ./ldapsearch -h DS_HOST -p DS_PORT -D "DS_DIRMGR_DN" -w DS_DIRMGR_PASSWORD \
       -b "ou=People,DS_DEFAULT_ORG,DS_ROOT_SUFFIX" "(uid=*)" dn | \
       /usr/bin/sed 's/^version.*//' > /tmp/.tmp_ldif_file1

     If the root suffix of the directory server and the default organization are the same, execute the following command instead:

     ./ldapsearch -h DS_HOST -p DS_PORT -D "DS_DIRMGR_DN" -w DS_DIRMGR_PASSWORD \
       -b "ou=People,DS_ROOT_SUFFIX" "(uid=*)" dn | \
       /usr/bin/sed 's/^version.*//' > /tmp/.tmp_ldif_file1

  4. Build the LDIF that adds the Portal Server object classes to each user entry:

     grep "^dn" /tmp/.tmp_ldif_file1 | awk '{
       print $0
       print "changetype: modify"
       print "add: objectclass"
       print "objectclass: sunPortalDesktopPerson"
       print "objectclass: sunPortalNetmailPerson\n" }' > /tmp/.tmp_ldif_file2

  5. Apply the changes. The -c option makes ldapmodify report errors and continue, so entries that already have the object classes do not stop the run:

     ./ldapmodify -c -h DS_HOST -p DS_PORT \
       -D "DS_DIRMGR_DN" -w DS_DIRMGR_PASSWORD -f /tmp/.tmp_ldif_file2

  6. Remove all temporary files.

     rm /tmp/.tmp_ldif_file1 /tmp/.tmp_ldif_file2

To Enable Users in a Non-Default Organization

  1. Determine or retrieve the following information from the /var/sadm/pkg/SUNWps/pkginfo file:
     • The distinguished name for the directory manager (referred to as DS_DIRMGR_DN). Default value is cn=Directory Manager.
     • The directory manager password (referred to as DS_DIRMGR_PASSWORD).
     • The fully qualified domain name of the directory server (referred to as DS_HOST).
     • The port on which the directory server runs (referred to as DS_PORT). Default value is 389.
     • The root suffix of the directory tree (referred to as DS_ROOT_SUFFIX). Default value is dc=orgname,dc=com (such as dc=sun,dc=com).
     • The organization of the Sun Java System Portal Server installation for which you want to update the users (referred to as DS_ORG_TO_UPDATE).
     • The base directory of the Sun Java System Portal Server installation (referred to as BaseDir). Default value is /opt.
  2. Register services for the organization or suborganization containing the existing users you want to enable. See To Register a Service for information on the procedure.
  3. Create a template for each service you register. See To Create a Template for a Service for information on the procedure.
  4. Set the URL to which to redirect successfully authenticated users from the organization. See To Redirect Successful Login User to the Portal Desktop URL.
  5. Change directories to the Identity Server utilities directory. For example, if the base directory is /opt, enter:

     cd /opt/SUNWam/bin

  6. Generate the list of user DNs to enable. Quote DS_DIRMGR_DN, since it normally contains a space. Do one of the following:
     • To enable users only within a particular organization, defined as DS_ORG_TO_UPDATE, use the following command:

       ./ldapsearch -h DS_HOST -p DS_PORT -D "DS_DIRMGR_DN" -w DS_DIRMGR_PASSWORD \
         -b "ou=People,DS_ORG_TO_UPDATE,DS_ROOT_SUFFIX" "(uid=*)" dn | \
         /usr/bin/sed 's/^version.*//' > /tmp/.tmp_ldif_file1

     • To enable users in all organizations, use the following command:

       ./ldapsearch -h DS_HOST -p DS_PORT -D "DS_DIRMGR_DN" -w DS_DIRMGR_PASSWORD \
         -b "DS_ROOT_SUFFIX" "(uid=*)" dn | \
         /usr/bin/sed 's/^version.*//' > /tmp/.tmp_ldif_file1

  7. Build the LDIF that adds the Portal Server object classes to each user entry:

     grep "^dn" /tmp/.tmp_ldif_file1 | awk '{
       print $0
       print "changetype: modify"
       print "add: objectclass"
       print "objectclass: sunPortalDesktopPerson"
       print "objectclass: sunPortalNetmailPerson\n" }' > /tmp/.tmp_ldif_file2

  8. Apply the changes:

     ./ldapmodify -c -h DS_HOST -p DS_PORT \
       -D "DS_DIRMGR_DN" -w DS_DIRMGR_PASSWORD -f /tmp/.tmp_ldif_file2

  9. Remove all temporary files.

     rm /tmp/.tmp_ldif_file1 /tmp/.tmp_ldif_file2

  10. Change directory to the Portal Server utilities directory.

     cd BaseDir/SUNWps/bin

  11. Execute the following to load the display profile for your non-default organization. The -w argument is the password of the user given with -u, that is, the amadmin password:

     ./dpadmin modify -u "uid=amadmin,ou=people,DS_DEFAULT_ORG,DS_ROOT_SUFFIX" -w amadmin_password \
       -d "NON_DEFAULT_ORG,DS_DEFAULT_ORG,DS_ROOT_SUFFIX" BaseDir/SUNWps/samples/desktop/dp-org.xml

  12. To enable users in another organization, repeat Step 2 through Step 11 for that organization.
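The ldapsearch, awk and ldapmodify steps in the two procedures above (default and non-default organization) perform the same transformation. The following shell script is an added example and is not part of the Sun guide: it wraps that transformation in functions, reads the directory manager password from a file instead of passing it with -w, and uses mktemp instead of fixed names under /tmp. It assumes the ldapsearch and ldapmodify shipped with Sun Directory Server in BaseDir/SUNWam/bin, which accept -j FILE for the bind password; the function names and the sample search output are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the Sun guide: the ldapsearch | awk | ldapmodify
# steps that enable existing users for the Portal Desktop, as functions.
# Assumes the Sun Directory Server ldapsearch/ldapmodify in BaseDir/SUNWam/bin,
# which accept -j FILE to read the bind password from a file (nothing in "ps").

# Constructed sample of what 'ldapsearch ... "(uid=*)" dn' prints: a version
# header, then one "dn:" line per user, entries separated by blank lines.
SAMPLE_SEARCH_OUTPUT='version: 1
dn: uid=jdoe,ou=People,dc=sesta,dc=com

dn: uid=asmith,ou=People,dc=sesta,dc=com
'

# build_enable_ldif: read ldapsearch output on stdin and write one
# "changetype: modify" record per DN that adds both portal object classes.
# Matching "^dn:" also keeps base64-encoded DNs ("dn:: ...") and drops the
# version header and blank lines, so no separate sed step is needed.
build_enable_ldif() {
    grep '^dn:' | awk '{
        print $0
        print "changetype: modify"
        print "add: objectclass"
        print "objectclass: sunPortalDesktopPerson"
        print "objectclass: sunPortalNetmailPerson"
        print ""
    }'
}

# count_records: number of modify records in LDIF read from stdin.
count_records() {
    grep -c '^changetype: modify$'
}

# enable_portal_users HOST PORT BIND_DN PASSWORD_FILE SEARCH_BASE
# Runs the real pipeline against a directory. PASSWORD_FILE should be mode
# 0600 and hold the directory manager password. Temporary files come from
# mktemp rather than fixed names in /tmp. ldapmodify -c continues past
# entries that already carry the object classes (LDAP error 20, value exists).
enable_portal_users() {
    ds_host=$1; ds_port=$2; bind_dn=$3; pw_file=$4; base=$5
    raw=$(mktemp /tmp/portal-dns.XXXXXX) || return 1
    ldif=$(mktemp /tmp/portal-enable.XXXXXX) || { rm -f "$raw"; return 1; }
    if ! ./ldapsearch -h "$ds_host" -p "$ds_port" -D "$bind_dn" -j "$pw_file" \
            -b "$base" "(uid=*)" dn > "$raw"; then
        rm -f "$raw" "$ldif"; return 1
    fi
    build_enable_ldif < "$raw" > "$ldif"
    echo "modifying $(count_records < "$ldif") user entries under $base"
    ./ldapmodify -c -h "$ds_host" -p "$ds_port" -D "$bind_dn" -j "$pw_file" -f "$ldif"
    rc=$?
    rm -f "$raw" "$ldif"
    return $rc
}

# Helpers that run the generator on the constructed sample, for checking.
sample_record_count() {
    printf '%s\n' "$SAMPLE_SEARCH_OUTPUT" | build_enable_ldif | count_records
}
sample_first_dn() {
    printf '%s\n' "$SAMPLE_SEARCH_OUTPUT" | build_enable_ldif | sed -n '1s/^dn: //p'
}
sample_objectclass_lines() {
    printf '%s\n' "$SAMPLE_SEARCH_OUTPUT" | build_enable_ldif | grep -c '^objectclass: '
}
```

Run enable_portal_users from BaseDir/SUNWam/bin, for example enable_portal_users ds.sesta.com 389 'cn=Directory Manager' /root/.dsmgr-pw 'ou=People,o=sesta.com,dc=sesta,dc=com'. The guide's awk ends each record with "\n" to get the blank-line separator LDIF requires; print "" does the same.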

Creating a New Portal Organization Quick Start

The following task describes the steps to create a new organization and enable it for portal use. By default, when you log in, Identity Management is selected in the location pane, and Organizations is selected in the Navigation pane.

  1. Create the new organization.
    1. Select Organizations from the View menu.
    2. Click New.
    3. The Create Organization page opens in the data pane.

    4. Type the new organization name. The Organization Status should be Active. Click Create.
    5. The newly created organization appears in the navigation pane.

  2. Register services for the new organization.
    1. Select Organizations from the View menu in the navigation pane and select the newly created organization from the Name menu.
    2. Select Services from the View menu.
    3. Click Register.
    4. The Register Services page appears in the data pane. Click the check box for the following minimum services, then click Register.

      • LDAP
      • Membership
      • Policy Configuration
      • Portal Desktop
      • Subscriptions

      The newly registered services appear in the navigation pane.

    5. Configure each service by clicking the properties arrow. Click Create to modify the configuration attributes. See the Sun Java System Identity Server Administration Guide for a description of attributes that are not specific to Portal Server configuration.

      Note

      Suborganizations must register their services independently of the parent organization.


  3. Create templates for the registered services if necessary.
    1. Select Services from the View menu in the navigation pane.
    2. One by one, click the properties arrow icon next to the services and create the templates.
  4. Create the Desktop referral policy for the new organization. The referral must define the parent organization as the resource in the rule, and it must contain a SubOrgReferral with the suborganization as the value in the referral.
    1. Select Identity Management from the location pane.
    2. Select Policies from the View menu.
    3. Click New to create a new policy.
    4. The Create Policy page appears in the data pane.

    5. For Name, type SubOrgReferral_Desktop. Then click Create.
    6. Select Portal Desktop in Service and click Next.
    7. Click Rules from the View menu in the data pane and click Add. Make sure Portal Desktop is selected and click Create.
    8. Click Referrals from the View menu in the data pane and click Add. Make sure that the name of the suborganization is selected for Value in the data pane and click Create to complete the policy's configuration.
  5. Create a normal Portal Desktop policy for the new organization.
    1. Choose Policies from the View menu.
    2. The policies for that organization are displayed.

    3. Select New in the navigation pane. The New Policy page opens in the data pane.
    4. Make sure you select Normal in Type of Policy.
    5. Choose Rules from the View menu in the data pane and click Add. The Add Rule page opens in the data pane.
    6. Select Portal Desktop from the Service menu and click Next. Make sure Has Privilege to Execute Desktop is checked.
    7. Choose Subjects from the View menu in the data pane and click Add. The Add Subject page opens in the data pane.
    8. If LDAP Bind Password is not configured in the service template for the Policy Configuration Service, opening the Add Subject page results in the warning "There are no matching entries. Please refine your search."

    9. Select the subject to which the Portal Desktop policy will apply and choose Next to complete the subject configuration.
    10. Click Create to complete the policy's configuration.
  6. Create the Subscriptions referral policy for the new organization. As with the Desktop referral, the referral must define the parent organization as the resource in the rule, and it must contain a SubOrgReferral with the suborganization as the value in the referral.
    1. Select Identity Management from the location pane.
    2. Select Policies from the View menu.
    3. Click New to create a new policy.
    4. The Create Policy page appears in the data pane.

    5. For Name, type SubOrgReferral_Subscriptions. Then click Create.
    6. Select Subscriptions in Service and click Next.
    7. Click Rules from the View menu in the data pane and click Add. Make sure Subscriptions is selected and click Create.
    8. Click Referrals from the View menu in the data pane and click Add. Make sure that the name of the suborganization is selected for Value in the data pane and click Create to complete the policy's configuration.
  7. Create a normal Subscriptions policy for the new organization.
    1. Choose Policies from the View menu.
    2. The policies for that organization are displayed.

    3. Select New in the navigation pane. The New Policy page opens in the data pane.
    4. Make sure you select Normal in Type of Policy.
    5. Choose Rules from the View menu in the data pane and click Add. The Add Rule page opens in the data pane.
    6. Select Subscriptions from the Service menu and click Next. Make sure Has Privilege to Execute Desktop is checked.
    7. Choose Subjects from the View menu in the data pane and click Add. The Add Subject page opens in the data pane.
    8. Select the subject to which the Subscriptions policy will apply and choose Next to complete the subject configuration.
    9. Click Create to complete the policy's configuration.
  8. Create a new user in the new organization and assign services to it.
    1. Select Identity Management from the location pane.
    2. Select Organizations from the View menu.
    3. Select the newly created organization.
    4. Choose Users from the View menu, click New, enter the user information, and click Create.
    5. Select the new user in the navigation pane and click the Properties arrow.
    6. Select Services from the View menu.
    7. Click Add to choose the services to assign to the user.
    8. Click Save.
  9. Enable the desktop service for the new organization.
    1. Select Identity Management from the location pane.
    2. Select Organizations from the View menu.
    3. Select the newly created organization.
    4. Select Services from the View menu.
    5. Select Portal Desktop.
    6. In Default Channel Name, change the value from DummyChannel to JSPTabContainer (or the name of the top-level container that will be used by the new organization).
    7. In Portal Desktop Type, change the value from default to sampleportal (or the desktop type that will be used by the new organization).
  10. Access the new organization's Desktop.
    1. Log out of the admin console.
    2. Open a browser page and type:

       http://server:port/amserver/UI/login?org=neworg

      The user's Desktop should appear.


Configuring Authentication

This section describes how to configure Sun Java System Portal Server authentication. Identity Server provides a framework for authentication. Authentication is implemented through plug-in modules that validate the user’s identity. Identity Server provides seven different authentication modules as well as a Core authentication module. The Identity Server admin console is used to set the default values, to register authentication services, to create an organization’s authentication template, and to enable the service. Because the Core authentication module provides the overall configuration for authentication, the Core authentication module must be registered and a template for it created for each organization before you can configure any of the specific authentication modules.


Note

The authentication menu configuration feature provided by the Sun ONE Identity Server 5.1 administration console is not supported in the Sun Java System Identity Server 6 2004Q2 release. If you need to configure a selectable list of valid authentication modules, use the Identity Server administration console to set each authentication module with the same value in the authentication level attribute. Refer to To Configure the Authentication Menu for information on configuring authentication modules.


During installation the Core authentication is registered and a template is created for it in the default organization. In addition, the installation also registers and creates templates for the following authentication modules:

The high-level steps to configure an authentication module are as follows:

  1. Registering the Core authentication service for each new organization. See To Register a Service for the steps to register a service.
  2. Creating a template for the Core authentication service. See To Create a Template for a Service for the steps to create template for a service.
  3. Registering the authentication services to support for each organization. See To Register a Service for the steps to register a service.
  4. Creating service templates for the authentication services to support for the organization. See To Create a Template for a Service for the steps to create a template for an authentication service. For information on setting the service attributes, see the Identity Server Administration Guide, Chapter 5, “Authentication Options.”
  5. Configuring the authentication menu. See To Configure the Authentication Menu for the steps to configure the authentication order.
  6. Configuring the order to use authentication services. See To Configure Authentication Order for the steps to configure the authentication order.

Authentication By Authentication Level

Each authentication module can be associated with an integer value for its authentication level. Authentication levels can be assigned by clicking the authentication module's Properties arrow in Service Configuration, and changing the corresponding value for the module's Authentication Level attribute. Higher authentication levels define a higher level of trust for the user once that user has authenticated to one or more authentication modules.

To Configure the Authentication Menu

Users can access authentication modules with a specific authentication level. For example, a user performs a login as a user with the following syntax:

http://hostname:port/deploy_uri/UI/Login?authlevel=auth_level_value

All modules whose authentication level is greater than or equal to auth_level_value are displayed in an authentication menu for the user to choose from. If only one matching module is found, the login page for that authentication module is displayed directly.

  1. Log in to the Sun Java System Identity Server administration console as administrator.
  2. By default, when you log in, Identity Management is selected in the location pane, and Organizations is selected in the Navigation pane.

  3. Navigate to the organization or suborganization that you want to configure authentication for, using the View menu in the navigation pane.
  4. Choose Services from the View menu and click Register.
  5. Click the properties arrow next to Core.
  6. Enable the appropriate authentication modules by selecting them in the Organization Authentication Modules field of the Organization section. By default, Sun Java System Portal Server installation enables LDAP and Membership.
  7. Enter a value in the Default Auth Level for each authentication module (default is 0). The value must be the same for every authentication module that is to appear in the authentication menu.
  8. Click Save.

To Configure Authentication Order

  1. Log in to the Sun Java System Identity Server administration console as administrator.
  2. By default, when you log in, Identity Management is selected in the location pane, and Organizations is selected in the Navigation pane.

  3. Navigate to the organization or suborganization that you want to configure authentication for, using the View menu in the navigation pane.
  4. Choose Services from the View menu and click Register.
  5. Click the properties arrow next to Core.
  6. Enable the appropriate authentication modules by selecting them in the Organization Authentication Modules field of the Organization section. By default, Sun Java System Portal Server installation enables LDAP and Membership.
  7. Enter a value in the Default Auth Level for each authentication module (default is 0). The value must be the same for every authentication module that is to appear in the authentication menu.
  8. Select Edit in Organization Authentication Configuration to specify the attribute information for each authentication module.
    1. Click Add to add an authentication module to the menu.
    2. Click Reorder to change the order in which the authentication modules appear in the authentication menu.
    3. Click Save to save the attribute information.
  9. Click Save.
  10. Verify that the authentication menu appears with the appropriate choices by logging in to the admin server at the following URL:

    http://host:port/amserver/UI/login

    If this is not the default organization, use the following URL to verify the authentication menu for the organization:

    http://host:port/amserver/UI/login?org=org_name

To Configure LDAP Authentication to an External Directory

When you install the Sun Java System Portal Server, the installation program configures LDAP authentication to the directory instance automatically. The installation program allows you to install an internal instance of the directory on the local server and configure LDAP authentication to that internal directory, or to configure LDAP authentication to a pre-existing external instance of the directory. Once you have your initial configuration, there are some scenarios in which you might want to configure authentication to an external LDAP directory. For example, you may want to isolate authentication information for a particular organization onto a dedicated LDAP server for performance or security reasons.


Caution

Do not configure authentication to an external LDAP directory for the organization containing the amadmin user. This can prevent the amadmin user from authenticating and lock you out of the admin console. If you do inadvertently configure the organization containing the amadmin user, you will need to log in using the full DN of the amadmin and then correct the LDAP template. The amadmin DN is listed in the com.sun.authentication.super.user property in the AMConfig.properties file.


  1. Log in to the Sun Java System Identity Server administration console as administrator.
  2. By default, Identity Management is selected in the location pane and Organizations is selected in the Navigation pane.

  3. Navigate to the organization or suborganization that you want to configure authentication for, using the View menu in the navigation pane.
  4. Choose Services from the View menu.
  5. Click the properties arrow next to Core under Identity Server Configuration.
  6. Check Dynamically Created from the Dynamic User Profile menu.
  7. Click the properties arrow next to LDAP under Identity Server Configuration.
  8. Set the appropriate LDAP Attributes for your server. The following example sets up access to the LDAP server ds-sesta1.sesta.com on port 389 with a search start point of ou=people,dc=sesta,dc=com and using a root user bind to cn=root,ou=people,dc=sesta,dc=com:

     Primary LDAP Server and Port: ds-sesta1.sesta.com:389
     Secondary LDAP Server and Port: ds-sesta1.sesta.com:389
     DN to Start User Search: ou=people,dc=sesta,dc=com
     DN for Root User Bind: cn=root,ou=people,dc=sesta,dc=com
     Password for Root User Bind: root password
     User Naming Attribute: uid
     User Entry Search Attributes: employeenumber
     User Search Filter: blank
     Search Scope: subtree
     Enable SSL to LDAP Server: off
     Return User DN to Auth: off
     Authentication Level: 0

     When the external directory is on a different host from Identity Server, set Enable SSL to LDAP Server to on and configure the directory to accept LDAPS; with SSL off, the root bind DN and password and every authenticating user's password cross the network in cleartext. The example lists the same server as primary and secondary; point the secondary at a replica if you have one, so that failover is meaningful.

  9. Click Save.

Configuring Anonymous Authentication

The Sun Java System Portal Server supports two methods for implementing anonymous authentication:

  • Anonymous user session. The user selects Anonymous from the Identity Server login page (/amserver/UI/login) and receives an Identity Server session as the anonymous user.
  • Authentication-less access. The user accesses the Desktop (/portal/dt) directly, without an Identity Server session, as the authlessanonymous user.

To support anonymous authentication, the Sun Java System Portal Server installation program creates a user account, authlessanonymous, and sets up access for this user within the following two Portal Desktop Services global attributes:

  • Authorized Authentication-less User IDs
  • Default Authentication-less User ID

Sun Java System Portal Server can support both authentication-less and anonymous authentication being configured at the same time, in the sense that you can do the following:

  1. Configure the Desktop to work in authentication-less mode.
  2. Configure the authentication menu so that Anonymous is one of the displayed choices.
  3. Access the Desktop with browser A, thereby accessing it in authentication-less mode.
  4. Access http://server:port/amserver/UI/login with browser B, select Anonymous, and see the Desktop.

At this point you are using authentication-less mode in browser A and anonymous mode in browser B.

The Desktop was reached in two different ways: authentication-less access through a direct reference to /portal/dt, and anonymous authentication indirectly through /amserver/UI/login.

The Identity Server login menu can be avoided by configuring Identity Server to have only the Anonymous module in the menu.

Authentication-less access and anonymous authentication are not supported simultaneously in the sense that when you access /portal/dt without an Identity Server session, only one of two things happens:

    1. The Desktop redirects to /amserver/UI/login, which may automatically perform an Anonymous login and redirect you back to /portal/dt.
    2. The Desktop runs in authentication-less access mode.

You do not have to disable anonymous authentication to use authentication-less access. But if you want the first behavior (the redirect to /amserver/UI/login) to occur, you have to disable authentication-less access mode.

To Configure Anonymous Authentication (Anonymous User Session Method)

  1. Log in to the Sun Java System Identity Server administration console as administrator.
  2. By default, Identity Management is selected in the location pane and Organizations is selected in the Navigation pane.

  3. Navigate to the organization or suborganization that you want to configure authentication for.
  4. All created organizations are displayed in the navigation pane.

  5. Select Service Configuration in the location pane.
  6. Click the properties arrow next to the Portal Desktop service.
  7. The Portal Desktop attributes appear in the data pane.

  8. Select the value listed in the Authorized Authentication-less User IDs attribute and click Remove.
  9. Select the value listed in the Default Authentication-less User ID attribute and click Remove.
  10. Click Save.
  11. Choose Identity Management from the location pane.
  12. Choose Organizations from the View menu.
  13. All created organizations are displayed in the navigation pane.

  14. Navigate to the organization or suborganization that you want to configure authentication for, using the View menu in the navigation pane.
  15. Choose Services from the View menu.
  16. Register and configure the Anonymous service. See To Register a Service and To Create a Template for a Service for information.
  17. Add Anonymous to the Authentication menu. See To Configure Authentication Order for information.
  18. Create an anonymous user account. See To Add a New User for information.

To Configure Anonymous Authentication (Authentication-less Access)

  1. Log in to the Sun Java System Identity Server administration console as administrator.
  2. By default, Identity Management is selected in the location pane and Organizations is selected in the Navigation pane.

  3. All created organizations are displayed in the navigation pane.
  4. Navigate to the organization or suborganization that you want to configure authentication for, using the View menu in the navigation pane.
  5. Create an authlessanonymous user account with the password authlessanonymous. See To Add a New User for information. Because this password is published, assign the account only the services and roles the anonymous Desktop needs.
  6. Select Service Configuration in the location pane.
  7. Select Portal Desktop in the navigation pane.
  8. Add the fully distinguished name for the authlessanonymous user to the Authorized Authentication-less User IDs attribute. Only DNs listed here are accepted for authentication-less access. For example:

     uid=authlessanonymous,ou=People,dc=sesta,dc=com

  9. Specify the fully distinguished name for the authlessanonymous user in the Default Authentication-less User ID attribute.
  10. Click Save.

You must close and restart your browser to access the Desktop using the newly configured Authentication-less User ID method. The Authentication-less User ID method allows you to specify the DN of the user account in the dt.suid query string parameter. For example, to access the Desktop from the default organization of sesta.com, use the following URL:

http://server:port/portal/dt?dt.suid=uid=authlessanonymous,ou=People,dc=sesta,dc=com


Note

If a user reaches the authentication-less Desktop from a browser whose locale is not the default one, all other users then see that locale at the login prompt, because the authentication-less user's Desktop content is cached and shared.

There are multiple options to get around this problem.

  • Turn off caching by changing the value for refreshTime to 0 for JSPTabContainer in dp-anon.xml.
  • Specify multiple authentication-less users, one per locale, and redirect the authentication-less Desktop to the right user based on the browser's locale.

Configuring Portal Server for Federated Users

The Sun Java System Portal Server software supports users that have federated identities conforming to the Liberty Alliance specification. A federated user who has achieved Liberty single sign-on can access a personalized desktop at a portal server without the need for further authentication.

See the Sun Java System Identity Server Administration Guide for more information about Liberty-enabled authentication services. Example configurations with Portal Server acting as a service provider can be found in the following location:

PortalServerBaseDir/SUNWps/samples/liberty

To Configure Federated Users

By default, federated users do not have permission to access the Sun Java System Portal Server acting as a service provider. Portal Server can handle federated users as follows:

To Configure Authentication-less Access for Federated Users

By default, federated users do not have permission to access the authentication-less portal desktop.

  1. Log in to the Sun Java System Identity Server administration console as administrator.
  2. By default, Identity Management is selected in the location pane and Organizations is selected in the Navigation pane.

  3. Navigate to the organization or suborganization that you want to configure authentication for.
  4. Use the View menu in the navigation pane.

  5. Select Service Configuration in the location pane.
  6. Select Portal Desktop in the navigation pane.
  7. Uncheck Disable Authentication-less Access for Federated Users.
  8. Click Save.

See To Configure Anonymous Authentication (Authentication-less Access) for more information on authentication-less access.

To Configure UNIX Authentication

  1. Log in to the Sun Java System Identity Server administration console as administrator.

     By default, Identity Management is selected in the location pane and Organizations is selected in the navigation pane.

  2. Choose Organizations from the View menu in Identity Management.

     All created organizations are displayed in the navigation pane.

  3. Select Service Configuration in the location pane.
  4. Click the properties arrow next to UNIX in the navigation pane (under Identity Server Configuration).
  5. Set the appropriate UNIX Attributes for your server.
  6. Click Save.
  7. Navigate to the organization or suborganization that you want to configure authentication for.

     Use the View menu in the navigation pane.

  8. Choose Services from the View menu.
  9. Click Register in the navigation pane.
  10. Click Core under Authentication in the data pane.
  11. Select Unix from the Organization Authentication Modules menu in the data pane.
  12. Click Save.

To Configure UNIX Authentication for the Organization Level

The procedure in To Configure UNIX Authentication configures UNIX authentication globally. This procedure configures it at the organization level.

  1. Log in to the Sun Java System Identity Server administration console as administrator (amadmin) by entering http://fullservername:port/amconsole in your browser’s web address field.
  2. At the logon screen, enter amadmin as the user ID and the passphrase you chose during installation.

     By default, Identity Management is selected in the location pane and Organizations is selected in the navigation pane.

  3. Choose Organizations from the View menu in Identity Management.

     All created organizations are displayed in the navigation pane.

  4. Choose Services from the View menu.
  5. Select Register.
  6. Check UNIX in the right pane and click Register.
  7. Select the properties arrow next to UNIX.
  8. Select Create in the right pane.
  9. Set the appropriate UNIX Attributes for your server.
  10. Select Save.
  11. Select the properties arrow next to Core.
  12. Highlight UNIX in Authentication Menu and select Save.


Overview of How Sun Java System Portal Server Uses Policy Management

This section describes how to use the Identity Server Policy Management feature. See the Identity Server documentation for procedures to create, modify, and delete policies.

The Identity Server Policy Service enables you to define rules for access to resources. Policies can be role-based or organization-based and can offer privileges or define constraints. Sun Java System Portal Server ships with three policies:

By default, the Policy Configuration service is automatically registered to the top-level organization. Suborganizations must register their policy services independently of their parent organization. Any policy service you create must be registered to each organization that uses it. The high-level steps to use policies are:

  1. Registering the Policy service for an organization. (This will be done automatically for the organization specified at installation.) Suborganizations do not inherit their parent’s services, so you need to register a suborganization’s Policy service. See To Register a Service for information.
  2. Creating a referral policy for a peer or suborganization. You can delegate an organization’s policy definitions and decisions to another organization. (Alternately, policy decisions for a resource can be delegated to other policy products.) A referral policy controls this policy delegation for both policy creation and evaluation. It consists of a rule and the referral itself. If the policy service contains actions that do not require resources, referral policies cannot be created for suborganizations. See To Create a Referral Policy for a Peer or Suborganization for information.
  3. Creating a normal policy for a peer or suborganization. You create a normal policy to define access permissions. A normal policy can consist of multiple rules, subjects, and conditions. See To Create a Normal Policy for a Peer or Suborganization for information.

To Register a Policy Service for a Peer or Suborganization

Peer or suborganizations do not inherit their parent’s services, so you need to register a peer or suborganization’s Policy service.

  1. Log in to the Sun Java System Identity Server administration console as administrator.

     By default, Identity Management is selected in the location pane and Organizations is selected in the navigation pane.

  2. Navigate to the organization or suborganization that you want to create a referral policy for.

     All created organizations are displayed in the navigation pane.

  3. Select Organizations from the View menu in the navigation pane and select the desired organization from the Name menu.
  4. Select Services from the View menu.
  5. Click Register.

     The Register Services page appears in the data pane.

  6. Click the check box for each of the following minimum services, then click Register.

     • LDAP
     • Membership
     • Policy Configuration
     • Portal Desktop
     • NetMail

     The newly registered services appear in the navigation pane.

  7. Configure each service by clicking the properties arrow. Click Create to modify the configuration attributes. See the Sun Java System Identity Server Administration Guide for a description of attributes that are not specific to Portal Server configuration.

To Create a Referral Policy for a Peer or Suborganization

You can delegate an organization’s policy definitions and decisions to another organization. A referral policy controls this policy delegation for both policy creation and evaluation. It consists of a rule and the referral itself. The rule must define the parent organization as the resource, and the referral must be a SubOrgReferral or PeerOrgReferral with the name of the organization as its value.

  1. Log in to the Sun Java System Identity Server administration console as administrator.

     By default, Identity Management is selected in the location pane and Organizations is selected in the navigation pane.

  2. Navigate to the organization or suborganization that you want to create a referral policy for.

     All created organizations are displayed in the navigation pane.

  3. Select Policies from the View menu.
  4. Click New to create a new policy.

     The Create Policy page appears in the data pane.

  5. For Name, type either SubOrgReferral_organization or PeerOrgReferral_organization. Make sure you select Referral in Type of Policy. Then click Create.
  6. Select the type of service in Service and click Next.
  7. Click Rules from the View menu in the data pane and click Add. Then click Next.

     The Add Rule template appears in the data pane.

  8. Enter the name of the rule in Rule Name and click Create.
  9. Click Referrals from the View menu in the data pane and click Add.

     The Add Referral template appears in the data pane.

  10. Enter SubOrgReferralName in Name.
  11. Make sure that the name of the suborganization is selected for Value in the data pane and click Create to complete the policy’s configuration.
  12. Click Save in the data pane.

     The message “The policy properties have been saved” is displayed when the data is saved.

To Create a Normal Policy for a Peer or Suborganization

You create a normal policy to define access permissions. A normal policy can consist of multiple rules, subjects, and conditions.

  1. Log in to the Sun Java System Identity Server administration console as administrator.

     By default, Identity Management is selected in the location pane and Organizations is selected in the navigation pane.

  2. Navigate to the organization or suborganization that you want to assign a policy to.

     All created organizations are displayed in the navigation pane.

  3. Choose Policies from the View menu.

     The policies for that organization are displayed.

  4. Select New in the navigation pane. The New Policy page opens in the data pane.
  5. For Name, type either SubOrgNormal_organization or PeerOrgNormal_organization. Make sure you select Normal in Type of Policy. Click Create.
  6. Select a service from the Service menu and click Next. Enter the name of the rule in Rule Name. Make sure the appropriate checkbox is selected to grant execution privilege to the desired service.
  7. Choose Rules from the View menu in the data pane and click Add. The Add Rule page opens in the data pane.
  8. Choose Subjects from the View menu in the data pane and click Add. The Add Subject page opens in the data pane.
  9. Click Create to complete the policy’s configuration.

     The message “The policy properties have been saved.” is displayed when the data is saved.


Logging In to the Sun Java System Portal Server Desktop

If you installed the sample portal, users will be able to log in to the sample Desktop. In addition, the Sun Java System Portal Server supports a variety of other user logins. This section describes some of the other ways users can log in to the Sun Java System Portal Server.

To Log In to the Sample Portal Desktop

To access the sample Desktop, type the following URL:

http://server:port/portal/dt

To Log In to a Suborganization

If users have access privileges to an organization, they can also log in to suborganizations within that organization. For example, if a user has access to organization A, which has a suborganization B, type the following URL to log in to suborganization B:

http://server:port/amserver/UI/login?org=B

To Log On Using Anonymous Authentication


Note

You must register the anonymous authentication module to support anonymous authentication. See Configuring Anonymous Authentication for information on registering and enabling anonymous authentication modules.


  1. Log on using the following URL:

     http://server:port/portal/dt

  2. At the Identity Server authentication page, click Anonymous.

     The sample Desktop appears.

  3. If desired, and if the Membership authentication module has been registered, use the Login screen to create and register a user ID.


Managing Logging

Sun Java System Portal Server uses the Identity Server logging and debugging APIs.

By default, the Sun Java System Portal Server log and debug files are located in:

The Identity Server admin console allows you to define the following logging attributes:

See the Identity Server Administrator’s Guide for further information.





Copyright 2004 Sun Microsystems, Inc. All rights reserved.