iPlanet Portal Server Administration Guide



Chapter 2   Creating A Multi-Domain Portal




Overview

This chapter helps you quickly become productive in setting up and managing a corporate intranet portal using iPlanet Portal Server. In this example, the portal consists of two domains: one for a business to consumer (b-c) solution and one for a business to employee (b-e) solution. The tasks described are to be performed by the Super Administrator unless otherwise noted.

Portions of setting up a multi-domain portal can be done by a delegated Domain Administrator. For each domain, there can be one or more domain admin roles or users. However, domain admin roles and users are assigned to one domain only. No domain admin role or user can be assigned to more than one domain.

To create a Domain Administrator, refer to "Setting Up a Delegated Administrator" on page 69. Also, for convenience, the tasks of maintaining roles and users (moving and deleting) are included following setting up a domain administrator.



Note The Super Administrator can create a Domain Administrator to delegate administration tasks and activities for his or her assigned domain. See Setting Up a Delegated Administrator.



The business to consumer facing portal includes the following tasks:

  • Creating a domain specific to the consumers

  • Creating a role for the consumer profiles

  • Configuring self-registration for new consumers

  • Configuring policy for access to the portal and resources

  • Disabling access to intranet applications and resources

The business to employee facing portal includes the following tasks:

  • Creating a domain specific to your employees

  • Enabling an authentication method for the domain

  • Configuring the Virtual VPN (Netlet) for TCP application access

  • Configuring policy for the domain

  • Customizing the Desktop for the domain


Creating a Business to Consumer Portal

The creation of a business to consumer portal includes (but is not limited to) the following tasks:

  • Creating a domain

  • Enabling self-registration through the membership module

  • Specifying URL access policies

  • Specifying application access policies


Creating the Business To Consumer Domain



Figure 2-1    Add New Domain Link

To enable a fundamental business-to-consumer portal that allows users to self-register, perform the following steps.

  1. Log in to the console as the Super Administrator.

  2. Click Manage Domains from the left panel of the display.

  3. Click the Add New Domain link. The Add New Domain window is displayed as shown in "Add New Domain Link" on page 43.

  4. Type Consumer in the New Domain Name field.

  5. In the Default Role for this Domain field, type Customer.

  6. Click the Create Button.

  7. Following the prompt indicating that the new domain and role have been created, click the Continue button.

    The Domain screen is redisplayed with the added domain link shown with the domain specified at installation. The Customer role is shown under the Consumer domain link when clicked.


Enabling Self-Registration Using the Membership Module



Figure 2-2    Authentication Module List Window

  1. From the Domains screen, click the Consumer domain link. The Consumer domain page is displayed.

  2. Click the Profiles>Authentication link to call up the Authentication module list window under the Authentication Menu label. The default shows all authentication modules selected, as shown in Figure 2-2.



    Note Authentication applies to a domain and is set only at the Domain level of the role tree.



  3. Select only the Membership authentication module to allow users to self-register. Deselect all other authentication modules.

  4. Click the Submit button at the bottom of this page to update the Consumer domain profile on the Portal Server. A message displays indicating successful update of this profile.

  5. Click the Continue button to return to the previous page.


Verifying User Self Registration Authentication and Self-registered User Role Placement



Figure 2-3    Self Registration Form

  1. Open a second browser instance from the command line.



    Note A second browser instance, versus a second browser window, is necessary to avoid sharing of the same cookie for an iPlanet Portal Server session.



  2. Open the following iPlanet Portal Server gateway URL:

    https://gateway/consumer



    Note There are multiple options available to the user to contact the portal. It may be desirable to use virtual IP or multiple DNS names as opposed to distinguishing between the two different domains. Refer to Chapter 9, Add Gateway Server, for information on setting up a gateway using virtual IP and DNS domains.



  3. From the displayed log in page, click the New User button to call up the Self Registration Module form, as shown in Figure 2-3.

  4. Select a user name and password (with at least four characters) and add the other pertinent user information indicated. The form can be refreshed to reenter data using the Reset Form button.

  5. Click the Register button to continue the registration process with the display of the disclaimer window.

  6. Read the disclaimer text and click the Agree button to complete the registration process. The iPlanet Portal Server desktop page for the Consumer domain will be displayed as shown in iPlanet Portal Server Desktop Home Page.



Figure 2-4    iPlanet Portal Server Desktop Home Page



Note User registration information may be customized as described in Chapter 4, Membership.



  7. Click the Log out link at the top right to close the desktop session. The logout message window is displayed.

  8. Go back to the Admin Console.

  9. Click the Manage Domains link.

  10. Click the Consumer domain link.

  11. Click the Customer role link to verify the user profile created during self-registration.

  12. Click the User link to display the user name specified in step 4 of "Verifying User Self Registration Authentication and Self-registered User Role Placement". Alternatively, the Search link can be used to find the user name.


Specifying URL Access Policy For the Customer Role

For a business to consumer portal, users will typically access only the portal server URLs and not corporate Intranet URLs.



Figure 2-5    URL Access in Consumer>Customer Role Policy Page

  1. From the Admin Console, click the Customer Role link under the Consumer Domain.

  2. Click the Policy link under Profiles.

  3. Locate the User URL Access attribute with the allow and deny windows, as shown in Figure 2-5.



    Note Shortcut tip: Click the User link in the index section at the top of the Policy page.



  4. Type a valid intranet URL in the Allow URL list entry box. Use the form: http://servername.

  5. Click the Add button to add the URL specified in step 4 to the Allow list window.

  6. Type a valid corporate intranet URL in the Deny URL list entry box.

  7. Click the Add button to add access to the URL specified in step 6 to the Deny list window.

  8. Click the Submit button at the bottom of this page. The profile update message is displayed.

  9. Click the Continue button to return to previous page.
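The Allow and Deny URL lists above are the whole of the Customer role's URL policy, but the page does not spell out how a bookmarked URL is compared against them. The following is an added example, not iPlanet code: a small evaluator that assumes an entry of the form http://servername[:port] matches a request when scheme, host and port agree, that a Deny entry wins over an Allow entry, and that unlisted Internet URLs are allowed for the consumer role (as the note in the next section states). The list contents are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample lists, modelled on the Allow URL / Deny URL list boxes
# of the Customer role Policy page. Matching semantics below are assumptions
# (scheme + host + port equality; Deny wins over Allow), not product behaviour.
ALLOW_URLS = ["http://server:8080"]
DENY_URLS = ["http://intranet.corp.example"]


def origin_of(url):
    """Reduce a URL to a comparable (scheme, host, port) triple."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme not in ("http", "https") or not host:
        raise ValueError(f"malformed or unsupported URL: {url!r}")
    port = parts.port or (443 if scheme == "https" else 80)
    return scheme, host, port


def check_url_access(url, allow=ALLOW_URLS, deny=DENY_URLS):
    """Return (verdict, reason) for a URL typed into the Bookmarks box.

    Evaluation order (assumed): Deny list first, then Allow list, then the
    default, which for a business to consumer role is 'allow' because such
    users may reach any Internet URL. A URL that cannot be parsed is refused
    rather than passed through, so the check fails closed.
    """
    try:
        origin = origin_of(url)
    except ValueError:
        return "deny", "unparseable URL"
    if any(origin == origin_of(entry) for entry in deny):
        return "deny", "matched Deny URL list"
    if any(origin == origin_of(entry) for entry in allow):
        return "allow", "matched Allow URL list"
    return "allow", "no list entry; default for consumer role"
```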


Verifying URL Access Policy From the Desktop



Figure 2-6    Entering URL for Allowed Access

  1. In a second browser instance, type the iPlanet Portal Server gateway login URL (https://gw/Consumer). If needed, refer to step 2 of "Verifying User Self Registration Authentication and Self-registered User Role Placement" on page 46. Use the same user name and password as that created through self registration earlier.

  2. Type the following URL: http://server:8080 (from step 4 of "Specifying URL Access Policy For the Customer Role" on page 49) in the Bookmarks URL entry box and press Enter, as shown in Entering URL for Allowed Access. The webserver index page will be displayed in a new browser window.



    Note Business to consumer users can also access any internet URL.



  3. From the desktop window, type the corporate intranet URL specified in step 6 of "Specifying URL Access Policy For the Customer Role" on page 49 in the Bookmarks URL entry box and press Enter. A new browser window opens with a message indicating that access is denied.

  4. Log out of the iPlanet Portal Server Desktop.


Disabling Access To an Application and Other Secure Providers



Figure 2-7    Policy for Customer Role Mail Application

  1. From the Admin console browser instance, click the Policy link within the Consumer domain.

  2. Disable access to NetMail, NetFile, and Netlet by clicking the check box to the right of each application as shown in Figure 2-7. Access to these applications is disabled even if the start up URL is known.

  3. Click the Submit button at the bottom of this page.

  4. Following confirmation of the Profile update, click the Continue button.


Removing the Disabled Applications from the Available List

  1. Click the Consumer domain link to return to the Domain, Roles & Users profile page.

  2. Click the key to the left of the Applications link to expand the list.

  3. Click the Desktop link to display the Desktop Profile page as shown in Desktop Profile Page.



Figure 2-8    Desktop Profile Page

  4. Select iwtAppProvider from the Available Channels list window.

  5. Click the Edit Channel button to display the AppProvider attribute as shown in Figure 2-9.



Figure 2-9    AppProvider Attribute Window

  6. Highlight the NetMail/(java + applet) URL, and the NetFile/(java + applet) URL.

  7. Click the Delete button to remove these channels.



    Note To restore these channels, the Customized pull down will be displayed to the right of the applications attribute window after changes are stored in the Profile Server. Click the pull down arrow and select Make Inherited to restore the NetMail and NetFile URL channel statements.



  8. Click the Submit button at the bottom of this page to update all changes made to the Profile Server.

  9. Click the Continue button to return to the AppProvider page. Then use the Back to Overview link or the Cancel button to return to the Desktop page.


Verifying Disabled Application Access

  1. In a second browser instance, type the iPlanet Portal Server Desktop login URL.

  2. Log in to the desktop with a registered membership account for the user in the Consumer domain. The desktop home page will be displayed.

  3. Verify that the Applications list on the right side of the content window does not include NetFile or NetMail. Also, attempt to start the NetFile application directly by typing the URL http://server:8080/NetFileApplet in the Bookmarks text box. The policy check returns an access denied message.

  4. Log out of the desktop.


Creating a Business to Employee Portal

The creation of a business to employee portal includes (but is not limited to) the following tasks:

  • Creating the Employee domain

  • Enabling an authentication method for the domain

  • Setting up VPN for TCP application access

  • Setting up policy for the domain

  • Customizing the desktop for the domain


Creating the Business To Employee Domain

  1. Log in to the console as the Super Administrator.

  2. Click the Manage Domains link from the left frame.

  3. Click the Add New Domain link. The Add New Domain window is displayed.

  4. Type Employee in the New Domain Name field.

  5. In the Default Role for the Domain field, type Engineer.

  6. Click the Create Button.

  7. Following the prompt indicating that the new domain and role have been created, click the Continue button. The Domain screen is redisplayed with the added domain link shown with the domain specified at installation. The role is shown under the domain link when clicked.

  8. Click the Add Role link at the top of the domain screen.

  9. Type Manager in the new role field.

  10. Click the Create button, then click the Continue button. The Engineer and Manager roles are now shown.


Enabling UNIX Authentication



Note In practice, a business to employee portal may be configured with any of the iPlanet Portal Server authentication modules. UNIX is used for this example only.



  1. From the Domains screen, click the Employee domain link. The Employee domain page is displayed.

  2. Click the Profiles>Authentication link to call up the Authentication module list under the Auth Menu attribute. The default shows all authentication modules selected, as previously shown in Figure 2-2.



    Note Authentication applies to a domain and is set only at the Domain level of the role tree.



  3. Select only the UNIX authentication module to enable employee access to iPlanet Portal Server. Deselect all other authentication modules.

  4. Click the check box indicated as "Authentication requires profile" to restrict iPlanet Portal Server access to employees with an existing profile.



    Note By default, the Authentication requires profile attribute is false, so any user who passes authentication has a profile dynamically created under the default role of Engineer. If the attribute is set to true, profiles must first be pre-populated from an external LDAP database, as described in the Release Notes.



  5. Click the Submit button at the bottom of this page to update the Employee domain profile on the Portal Server. A message displays indicating successful update of this profile.

  6. Click the Continue button to return to the previous page.


Creating a UNIX User Profile That Can Be Authenticated

  1. Using the Admin Console, click the Engineer role under the Employee domain.

  2. Click the Add User link.

  3. Create a user with a valid UNIX account.

  4. Repeat steps 1 through 3 for the Manager role to allow customization of user access by having a valid user for each role authenticate and access iPlanet Portal Server.


Verifying UNIX Authentication at Desktop Log In Screen

  1. Open a second browser instance.

  2. Open the following iPlanet Portal Server gateway URL:

    https://gateway/Employee



    Note There are multiple options available to the user to contact the portal. It may be desirable to use virtual IP or multiple DNS names as opposed to distinguishing between the two different domains. Refer to Chapter 9, Add Gateway Server, for information on setting up a gateway using virtual IP and DNS domains.



  3. From the displayed log in page indicating UNIX authentication, log in to the desktop using a valid employee account. Upon successful login, the iPlanet Portal Server Desktop home page will be displayed.

  4. Click the Logout link to close the desktop session. The logout message window is displayed.


Setting Up a Virtual VPN for the Employee Domain

When access to a non-Web-based application or a TCP application is needed by your employees, it will become necessary to set up a netlet for communication. A netlet creates a virtual private network on the fly without the need for client software.

The following netlet example allows employees remote access to the Netscape Mail client on their browser as if they were at their corporate workstation on the intranet. A similar netlet may be configured for other secure TCP access such as telnet or remote desktop display.



Note The netlet is fully described in Chapter 4.





Figure 2-10    Netlet Rules Window

  1. From the admin console, select the Employee domain under Manage Domains.

  2. Expand the Applications link.

  3. Click the Netlet link. The Netlet Rules window is displayed as shown in Figure 2-10.

  4. Type the Netlet rule: IMAP|NULL|false|8143|TARGET|143. This rule will enable the use of IMAP mail service for an IMAP client.



    Note Netlet rules exist at the network layer. The warning pop-up for the connections check box applies to multi-user, multi-platform environments, such as UNIX and Linux; this check box does not apply to a Windows-based client environment.



  5. Click the Add button to add this rule to the Netlet application.

  6. Click the Submit button at the bottom of the page to process this change to the Profile Server.

  7. Click the Continue button to return to the previous page.

  8. Open another Netscape browser instance and log in to the desktop using the link: https://gateway/employee.

  9. Click the Netlet Edit button on the left of the desktop. The Edit Netlet window is displayed as shown in Netlet Application Window.



Figure 2-11    Netlet Application Window

  10. Select the IMAP rule name and type the servername to be used for mail hosting in the Host text box.

  11. Click the Add Target button to complete the mail server configuration.

  12. Click the Finished button to process this change to the Profile Server. Remain logged in to the desktop. The indication 'IMAP on servername' is displayed at the lower left of the desktop page.

  13. Open another Netscape browser window and select Edit>Preferences from the Navigator menu.



    Note The layout of the Netscape mail settings may vary depending upon your installed version.



  14. Expand the Mail and Newsgroups option and click on Mail Servers.

  15. Click on Edit to the right of Incoming Mail Servers.

  16. Change the Server Type to IMAP.

  17. Change Server Name to: localhost:8143.

  18. Click the OK button. At this point, the use of the Netlet with IMAP email service using Netscape Messenger is configured.
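The rule IMAP|NULL|false|8143|TARGET|143 above is given without a description of its fields. The following is an added example, not iPlanet code, that parses such a rule and derives the localhost:8143 to servername:143 mapping the desktop steps set up. The field layout (name, applet URL or NULL, download-applet flag, local listen port, destination host or TARGET, destination port) and the reading of TARGET as "host supplied by the user in the Edit Netlet window" are assumptions drawn from the procedure, not from a published rule grammar.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed field layout for a rule such as IMAP|NULL|false|8143|TARGET|143:
#   name | applet URL or NULL | download applet (true/false) |
#   local listen port | destination host or TARGET | destination port
# TARGET means the host is typed by the user in the desktop's Host text box.


@dataclass(frozen=True)
class NetletRule:
    name: str
    applet_url: Optional[str]     # None when the rule says NULL
    download_applet: bool
    local_port: int
    target_host: Optional[str]    # None when the rule says TARGET
    target_port: int


def _port(text, field):
    """Validate one port field; reject non-numeric or out-of-range values."""
    try:
        value = int(text)
    except ValueError:
        raise ValueError(f"{field}: {text!r} is not a number") from None
    if not 1 <= value <= 65535:
        raise ValueError(f"{field}: {value} is outside 1-65535")
    return value


def parse_netlet_rule(rule):
    """Split a '|'-separated Netlet rule into a validated NetletRule."""
    fields = rule.strip().split("|")
    if len(fields) != 6:
        raise ValueError(f"expected 6 '|'-separated fields, got {len(fields)}")
    name, applet, download, lport, host, tport = fields
    if not name:
        raise ValueError("rule name is empty")
    if download.lower() not in ("true", "false"):
        raise ValueError(f"download flag must be true or false, got {download!r}")
    return NetletRule(
        name=name,
        applet_url=None if applet.upper() == "NULL" else applet,
        download_applet=download.lower() == "true",
        local_port=_port(lport, "local port"),
        target_host=None if host.upper() == "TARGET" else host,
        target_port=_port(tport, "destination port"),
    )


def resolve_target(rule, user_host=None):
    """Return (local_listen, destination) once the host is known.

    Mirrors the desktop step where the Host box is filled in: the mail
    client is pointed at localhost:<local_port> and the Netlet forwards the
    TCP connection to <host>:<target_port> through the gateway.
    """
    host = rule.target_host or user_host
    if not host:
        raise ValueError(f"rule {rule.name} uses TARGET; a host is required")
    return f"localhost:{rule.local_port}", f"{host}:{rule.target_port}"
```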


Verifying Netlet Service on Port 8143

  1. Open a terminal window.

  2. Run the command: netstat -an|grep 8143. A line showing a listener on port 8143 is returned.

  3. Alternatively, launch the Netlet IMAP on servername link to start the netlet. Then, open the Netscape Messenger window.


Denying Access to a URL and an Application for a Role



Figure 2-12    Engineer Role User URL Policy Attribute Window

  1. From the Admin Console, click the Engineer role under the Employee domain.

  2. Click the Policy link to display policies.

  3. Click the User link in the index section at the top of the page to display the User policy attributes for the Engineer role profile.

  4. Locate the URL Policy attribute, as shown in Figure 2-12. In the Deny list text box, type a well-known URL on the Intranet that should not be used by the Engineer role. Use the form:

    http://hostname

  5. Click the Add button.

  6. Uncheck the NetFile application in the Application section of the Policy page to deny access for the Engineer role.

  7. Click the Submit button to update the profile and then click Continue.

  8. Click the Employee domain link to return to the Domain, Roles & Users profile page.

  9. Click the key to the left of the Applications link to expand the list.

  10. Click the Desktop link to display the Desktop Profile page as shown in Figure 2-8.

  11. Select iwtAppProvider from the Available Channels list window.

  12. Click the Edit Channel button to display the available applications attribute window as shown in Figure 2-9.

  13. Highlight the NetFile/... URL.

  14. Click the Delete button to remove this URL channel.



    Note To restore this channel, the Customized pull down will be displayed to the right of the applications attribute window after the change is stored in the Profile Server. Click the pull down arrow and select Make Inherited to restore the NetFile URL channel statement.



  15. Click the Submit button at the bottom of this page to update the change to the Profile Server.

  16. Click the Continue button to return to the Profiles page.


Verifying Denied Access to Engineer User to URL and Application

  1. In another browser instance, log in to the Portal Server desktop as the created user from "Creating a UNIX User Profile That Can Be Authenticated".

  2. In the Bookmark URL entry box, type the URL specified in step 4 of "Denying Access to a URL and an Application for a Role" on page 65. An error message indicating access denied will be displayed.

  3. Verify that the Netfile application is not in the Application provider list.


Customizing the Desktop With a Welcome Message



Figure 2-13    Welcome Message under Application>Desktop iwtuserinfo Provider

  1. From the Admin console under Manage Domains, click on the Employee domain.

  2. Click the Engineer role.

  3. Expand the Applications link.

  4. Click the Desktop link.

  5. From the Channels section, Available Channels list, click the iwtUserInfoProvider.

  6. Click the Edit Channel button to display the userInfoProvider page.

  7. Scroll to the greeting text entry box and change the greeting to: Welcome Engineer!, as shown in Figure 2-13.

  8. Click the Submit button at the bottom of the page to process this change to the Profile Server.

  9. Repeat steps 1 through 7 for the Manager role and have the greeting say: Welcome Manager!


Verifying the Customized Desktop Welcome Message

  1. From another browser instance, log in to the Desktop as an employee user in the Engineer role.

  2. Verify that the message greeting under User Information is as specified in step 7 of "Customizing the Desktop With a Welcome Message" on page 67.



    Note When the iwtAppProvider attributes grant the user edit rights (set under Policy>Desktop Profile in the Admin Console at the role or user level of the role tree), the user can change the greeting by clicking the User Information Edit button to reach the greeting text box.



  3. Repeat steps 1 and 2 for the Manager role to verify the greeting in step 9 of "Customizing the Desktop With a Welcome Message" on page 67.

  4. Log out of the desktop.


Setting Up a Delegated Administrator



Note The first delegated Domain Administrator is configured by the Super Administrator only. Thereafter, a domain admin can create other admin roles and users.




Adding a New Role

  1. Click the Employee domain.

  2. Click the Add New Role link.

    The Add New Role window is displayed.

  3. Type the name of the new role (e.g., EmployeeAdmin) in the New Role Name field and click the Create button. A message appears indicating that the new role has been created.

  4. Click the Continue button. The new role is shown at the bottom of the page.


Assigning Admin Privileges to the New Role

  1. Click on the added admin role.

  2. Click on the Administrator link under Profiles. The admin profile for this role is displayed.



    Note The Administrator link under profile is only available at the role level of the role tree.



  3. Click the Role Policy attribute check box to enable admin privileges for this role. The clicked box should appear filled in.

  4. Click the Submit button to submit this change to the Profile Server. Click Continue when the profile update message is displayed.


Adding a New User for the Admin Role

  1. Click the created admin role link under the Employee domain.

  2. Click the Add New User link at the top of the page. The Add New User window is displayed.

  3. Type the name of the new user (with a valid UNIX account) in the New User Name field and click the Create button. A message appears indicating that the new user has been created.

  4. Click the Continue button. The new user is indicated at the bottom of the page.


Managing Roles and Users

This section describes the tasks to:

  • Move a User

  • Delete a User

  • Move and delete a role


Move Users



Figure 2-14    Move Users List Users Window

  1. From the Domain>Role page, click the User link. The List Users screen is displayed as shown in Figure 2-14.

  2. Click the box to the left of each user to be moved.

  3. Click the Move Users button to display the Move Users window as shown in Figure 2-15 on page 71.



Figure 2-15    Move Users to Another Role Window

  4. Click the radio button to the left of the desired role assignment to reassign the user(s) to that role.



    Note You may receive a security prompt on this submission action. If so, click OK to proceed. At this point you can still use the Cancel Move button to cancel this action and return to the Domain>Role page. The Reset button clears the selected role radio buttons.



  5. Click the Move button to complete this role reassignment request. A message confirms that the move has occurred; click the Continue button to return to the Domain>Role page.


Delete Users

  1. From the Domain>Role page, click the Users link to display the List Users screen as shown in Figure 2-14.

  2. Click the radio button next to each user to be deleted.

  3. Click the Delete Users button to commit this change.



    Caution

    When deleting users, there is no confirmation prompt after the Delete Users button. Also, when a user with an active session is deleted, that session remains active unless it is invalidated: click the Manage User Sessions>servername link to display the user sessions page, click the session to be ended, and click the Invalidate Sessions button to end the user's session immediately.



  4. Click the Continue button to return to the List Users page.


Delete a Role

If a role contains users, the users must first be deleted as described in the section "Delete Users" on page 72. Following that, the role of interest can be deleted by clicking its check box from the subject domain's Domain, Role and Users page. Roles cannot be moved.


Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.

Last Updated May 04, 2000