Sun Java System Portal Server 7.1 Administration Guide

Administering the Consumer

This section explains the activities that need to be performed on the consumer side.

The following topics are discussed:

Adding a Configured Producer

To communicate with the portlets offered by the producer, a consumer needs to add a configured producer. If a producer requires registration, add a configured producer using the following methods:

If the producer does not require registration, the consumer is not required to enter any details while adding a configured producer.

Procedure: To Add a Configured Producer

  1. Log in to the Portal Server management console.

  2. Select the Portals tab.

  3. Select a portal server from Portals.

  4. Click the WSRP tab.

  5. Select any DN and click New.

  6. Type the configured producer name. Select the identity propagation mechanism. By default, None is selected.


    Note –

    Identity propagation mechanism allows the users of the consumer portal to present their credentials to the producer portal. It is a mechanism by which users can federate their identity from consumer portal to the producer portal.


  7. Type the WSDL URL, and click Next.


    Note –

    You can also search for a WSDL URL based on the producer or portlet. The search result displays WSDL URL of a producer only if the producer is published.


  8. If the producer requires registration, you can register the producer in two methods: by entering the registration property values (in-band registration) or entering the registration handle (out-of-band registration). Click Next.

  9. If you selected the first method in the previous step, enter the registration properties and click Next. If you selected the second method, enter the registration handle obtained through out-of-band communication, and click Next.

  10. Review the details and click Finish.

Equivalent psadmin Command

psadmin create-configured-producer

Identity Propagation Mechanism

Identity propagation is a mechanism by which the WSRP consumer supplies the identity of the user to the WSRP producer web service. It is a federation mechanism where the user federates its identity between the consumer and producer. After a successful federation, the consumer portal propagates the user identity to the producer portal. The WSRP producer, after receiving the user credentials from the consumer, validates the credentials and allows or denies access to the resource in the specified user context.

The user has two identities, one for the producer portal and the other for the consumer portal. The user federates these identities using the identity propagation mechanism provided, which gives single sign-on between the consumer and the producer portal. When the user logs in through the consumer portal, the user gets the same content as when logging in directly to the producer portal. Changes that the user makes using the federated identity are also available when the user logs in to the producer portal.

Sun Java System WSRP producer supports the following identity propagations:

In the above list, the last three options implement the OASIS WSS Username Token Profile specification. This specification describes how to use the Username Token with Web services: a web service consumer supplies a Username Token that identifies the requestor by username and, optionally, carries a password to authenticate that identity to the web service producer.


Note –

Many portal vendors support and implement the OASIS WSS Username token profile specification. Use one of the three options when interoperability is required.


There are two levels of identity propagation in Portal Server. First, the administrator of the consumer portal discovers that the producer portal supports one of the identity propagation mechanisms listed above. The administrator may then allow the users to send their identity. The Portal Server consumer supports all the above-mentioned identity propagation mechanisms.

After the consumer is created, the administrator has to create remote channels based on the identity propagation mechanism supported by the consumer. After the channels are available on the user Desktop, they are ready to accept identity propagation.

The identity propagation mechanism is selected at the producer automatically. Portal Server checks for authentication from Sun SSO first, then the OASIS Username Token Profile, and then the No Identity Propagation mode.

Configuring Digest Passwords

Only new users can use the Digest Password facility after running the configuration command to store the LDAP passwords in plain text.

Creation of a consumer should involve selecting the WSSO Username Token Profile (with Digest Password) option for User Identity Propagation Mechanism.

The Web Services SSO Portlet must be edited to select the appropriate Web service URL (producer) and provide the new username and password.

Procedure: To Configure the Producer to Accept Digest Passwords

Do the following to configure Sun Java System WSRP Producer to accept Digest Passwords.

  1. Run the command /opt/SUNWdsee/ds6/bin/dscfg set-server-prop pwd-storage-scheme:CLEAR to change the password storage scheme of the Directory Server so that plain text passwords are stored.


    Note –

    It is assumed that the default installed location of the Directory Server is /opt/SUNWdsee.


  2. Create a new user in the AM console, to ensure that the Username Token Profile with Password Digest can be used.

Recommendations

Creating User Token Profiles Using WebServices SSO Portlet

You can create user token profiles to authenticate user credentials if the user uses an identity propagation mechanism. You can define the user name and password for a specific Web service that the producer offers.

Procedure: To Provide User Credentials Using the WebServices SSO Portlet

  1. Log in to Portal Server Desktop.

  2. In the WebServices SSO Portlet, click the Edit button.

  3. In the Create New Token Profile section, select the WebService URL for which you want to create a user token profile.

  4. Type the user name and password. Click Add.

    You can also edit or remove an existing user token profile.

Updating Service Description

After the consumer configures the producer, use the Update Service Description option to pick up any changes made to the producer later, for example the addition of new portlets or changes to the registration properties after registration.

Procedure: To Update Service Description

  1. Log in to the Portal Server management console.

  2. Select the Portals tab.

  3. Select a portal server from Portals.

  4. Click the WSRP tab.

  5. Select DN (Distinguished Name).

  6. Click the configured producer link.

  7. In the Edit Configured Producer screen, click Update Service Description.

Equivalent psadmin Command

psadmin update-configured-producer-service-description

Mapping User Categories to Roles

WSRP supports the concept of user categories, which are included in the service description of the producer. Mapping user categories to roles lets you map the roles that are defined in the consumer portal to the roles that are defined in the portlet. Sun Java System Portal Server maps Sun Java System Access Manager roles to the portlet's roles, and these roles can be mapped to the corresponding WSRP user categories.

You can perform the following tasks:

Roles can be defined in the portlet while deploying the portlet.


Note –

The roles defined in the portlet must exist in the Access Manager of the producer.


Procedure: To Create Roles in Portlets

The following task creates a role in the Sun Java System Access Manager console (amconsole) and in the portlet.

  1. Log in to the Access Manager console.

  2. Create a role and add a user to it.

  3. In the web.xml of the portlet application, add the following code:

    <security-role>
        <role-name>PS_TEST_DEVELOPER_ROLE</role-name>
    </security-role>

  4. Add the following lines to the portlet.xml of the portlet application.

    <security-role-ref>
        <role-name>PS_TEST_DEVELOPER_ROLE</role-name>
        <role-link>PS_TEST_DEVELOPER_ROLE</role-link>
    </security-role-ref>

  5. Create the portlet application war file.

  6. Create a roles file with the following entry.

    cn\=AM_TEST_DEVELOPER_ROLE,o\=DeveloperSample,dc\=india,dc\=sun,dc\=com=PS_TEST_DEVELOPER_ROLE

  7. Deploy the portlet using the following command.

    /opt/SUNWportal/bin/psadmin deploy-portlet -u amadmin -f ps_password -d "o=DeveloperSample,dc=india,dc=sun,dc=com" -p portal1 -i stockprice-8080 --rolesfile rolesfile TestPortlet.war
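A consistency check for the three artifacts this procedure produces, added here as an example and not part of the guide or of Portal Server itself: it parses the roles file format from step 6 (a Java-properties style line in which `=` inside the Access Manager DN is escaped as `\=`) and verifies that every role named in portlet.xml and in the roles file is declared as a security-role in web.xml. The sample descriptors and roles line are constructed to mirror the steps above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs mirroring steps 3, 4 and 6 (not real deployment files).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-role><role-name>PS_TEST_DEVELOPER_ROLE</role-name></security-role>
</web-app>"""
PORTLET_XML = """<portlet-app>
  <portlet><portlet-name>TestPortlet</portlet-name>
    <security-role-ref>
      <role-name>PS_TEST_DEVELOPER_ROLE</role-name>
      <role-link>PS_TEST_DEVELOPER_ROLE</role-link>
    </security-role-ref>
  </portlet>
</portlet-app>"""
ROLES_FILE = r"cn\=AM_TEST_DEVELOPER_ROLE,o\=DeveloperSample,dc\=india,dc\=sun,dc\=com=PS_TEST_DEVELOPER_ROLE"

def parse_roles_file(text):
    """Map each Access Manager role DN to a portlet role name. The file uses
    Java-properties escaping: '=' inside the DN is written '\\=' and the first
    unescaped '=' separates the DN from the portlet role."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"((?:\\.|[^=\\])*)=(.*)", line)
        if not m:
            raise ValueError(f"no unescaped '=' in roles line: {line!r}")
        mapping[re.sub(r"\\(.)", r"\1", m.group(1))] = m.group(2).strip()
    return mapping

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # descriptors usually carry a namespace

def _texts(root, name):
    return {e.text.strip() for e in root.iter() if _local(e.tag) == name and e.text}

def check_role_wiring(web_xml, portlet_xml, roles_text):
    """Return a list of problems; empty when every role-link in portlet.xml and
    every portlet role in the roles file is declared as a security-role in web.xml."""
    web_roles = _texts(ET.fromstring(web_xml), "role-name")
    problems = []
    for ref in ET.fromstring(portlet_xml).iter():
        if _local(ref.tag) != "security-role-ref":
            continue
        for link in _texts(ref, "role-link") or _texts(ref, "role-name"):
            if link not in web_roles:
                problems.append(f"portlet.xml links role {link!r} not declared in web.xml")
    for dn, role in parse_roles_file(roles_text).items():
        if role not in web_roles:
            problems.append(f"roles file maps {dn!r} to undeclared role {role!r}")
    return problems
```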

Equivalent psadmin Command

psadmin deploy-portlet

Procedure: To Map User Categories to Roles

Do the following to map user categories to roles:

  1. In the Consumer tab, click the producer name link.

    The Edit Configured Producer screen displays the following:

    User Category: The roles in the producer portlet.

    Local Roles: The roles that are defined at the consumer's Sun Java System Access Manager.

  2. In the User Categories to Role Mapping section, map user categories to the roles defined at the consumer, and click OK.

Mapping Consumer Attributes

The Sun Java System Portal Server implementation of WSRP Consumer maps common user attributes stored in the user entry on the Sun Java System Directory Server to the standard set of user attributes that the WSRP specification mandates.

If a consumer portlet uses any attributes that are not specified in the LDAP schema, create a custom object class to store these attributes and add this object class to the user entry. After the attributes are created, map each LDAP attribute to the corresponding WSRP attribute using the Sun Java System Access Manager management console.

Configuring Proxies

Proxies need to be configured for the consumer and in the web container XML file.

You can perform the following tasks:

Procedure: To Configure Proxy for Consumers in Common Agent Container

  1. Run ./cacaoadm get-param java-flags.

  2. Copy the values and paste them into ./cacaoadm set-param java-flags.

  3. Now add the following to the command: -Dhttp.proxyHost=webcache.canada.sun.com -Dhttp.proxyPort=8080 -Dhttp.proxyUser=Proxyuser -Dhttp.proxyPassword=Password

  4. Press Enter.

  5. Restart the common agent container server.
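The merge that steps 1 to 3 describe, written out as an added example (not from the guide or from cacaoadm): it reads the http.proxy* properties out of an existing java-flags value, replaces them with the new settings rather than appending duplicates, and returns the string to pass to set-param. The flag strings in the code are constructed samples; running cacaoadm itself is left to the operator.

```python
import shlex

PROXY_KEYS = ("Host", "Port", "User", "Password")  # http.proxyHost ... http.proxyPassword

def proxy_settings(java_flags):
    """Read the http.proxy* system properties out of a java-flags string
    (what ./cacaoadm get-param java-flags prints in step 1)."""
    found = {}
    for flag in shlex.split(java_flags):
        if flag.startswith("-Dhttp.proxy") and "=" in flag:
            key, value = flag[len("-Dhttp.proxy"):].split("=", 1)
            found[key] = value
    return found

def merge_proxy_flags(java_flags, proxy):
    """Return java-flags with http.proxy* set from `proxy` (keys from PROXY_KEYS).
    Existing http.proxy* entries are replaced, not duplicated, so the step can be
    re-run safely; every other flag is kept in its original order."""
    for key, value in proxy.items():
        if key not in PROXY_KEYS:
            raise ValueError(f"unknown proxy setting {key!r}")
        if not value or any(ch.isspace() for ch in value):
            raise ValueError(f"http.proxy{key} must be non-empty and contain no whitespace")
    if "Port" in proxy and not proxy["Port"].isdigit():
        raise ValueError("http.proxyPort must be numeric")
    kept = [f for f in shlex.split(java_flags) if not f.startswith("-Dhttp.proxy")]
    added = [f"-Dhttp.proxy{k}={proxy[k]}" for k in PROXY_KEYS if k in proxy]
    # The proxy password becomes a JVM system property on the agent's command
    # line, so it is visible to get-param and to anyone who can list the process.
    return shlex.join(kept + added)
```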

Procedure: To Configure the Web Container XML File

  1. Edit the following file:

    vi /var/opt/SUNWappserver/domains/domain1/config/domain.xml

  2. Set the following JVM options:

    • -Dhttp.proxyHost

    • -Dhttp.proxyPort

    • -Dhttp.proxyUser

    • -Dhttp.proxyPassword