In order for user segment security to work, you must add credentials in two places:
To the credentialStoreMap. The RequestCredentialAccessController component references this map when determining if a request includes a valid credential.
To the Workbench so that it can pass a valid credential along with the user segment request.
Modifications to REST security credentials stored in the credentialStoreMap are effective immediately after they are saved. Modifications to the Workbench security credential require a restart before those changes become available for use.
Managing Credentials in the credentialStoreMap
You can add a credential to the credentialStoreMap using either CIM or Dynamo Server Admin. Follow the instructions below to add a security credential to the credentialStoreMap using CIM.
In the CIM MAIN MENU, select [2] Configure OPSS Security.
In the SECURITY DEPLOYMENT MENU, choose [1] Enter the location to deploy OPSS files.
Press Enter to accept the default location for OPSS files.
In the SECURITY DEPLOYMENT MENU, choose [2] Enter the security credential for REST Services.
Enter the new credential at the prompt. The credential can be any text, similar to a password; however, it should correspond to your organization’s OPSS security platform requirements.
Re-enter the credential to confirm it.
In the SECURITY DEPLOYMENT MENU, choose [3] Deploy configuration files.
In the COPY CREDENTIALS TO SHARED DIRECTORY menu, choose [D] Deploy to /<ATG11dir>/home/../home/security.
In the VERIFY WHETHER TO OVERWRITE CURRENT DIRECTORY CONTENTS menu, choose [D] Deploy OPSS configuration files.
In the SECURITY DEPLOYMENT MENU, choose [D] Done.
Alternatively, you can add or delete security credentials using Dynamo Server Admin.
To enter security credentials in Dynamo Server Admin:
In a browser, navigate to the instance of Dynamo Server Admin that is running on the user segment server:
http://<user_segment_server_host>:<user_segment_server_HTTP_port>/dyn/admin
In the authentication dialog box, enter the Dynamo Server Admin username and password, and then click OK.
(WebLogic only) Depending on how you configured your environment, WebLogic may require an additional login for the WebLogic server. If necessary, enter your WebLogic username and password, and then click OK.
You see the Administration home page.
Click the Component Browser link.
Navigate to /atg/dynamo/security/opss/csf/CredentialStoreManager.
From the Action drop-down menu, choose Create Generic Credential and then click Select.
In the Map Name field, enter requestCredentialMap.
Enter a key name in the Credential Key Name field, for example, key1. Use a unique key name to enter a new credential. Use an existing key name to replace the credential for that key name.
Enter the new credential in the Enter Credential area. The credential can be any text, similar to a password; however, it should correspond to your organization’s OPSS security platform requirements.
Click Submit Credentials.
To delete an existing REST security credential:
In a browser, navigate to the instance of Dynamo Server Admin that is running on the user segment server. See the previous section for detailed instructions on how to do this.
Click the Component Browser link.
Navigate to /atg/dynamo/security/opss/csf/CredentialStoreManager.
From the Action drop-down menu, choose Delete Credential and then click Select.
Select the credential you want to delete.
Click Delete Credential.
Managing Credentials in the Workbench
To manage credentials in the Workbench, you use the manage_credentials script in the /credential_store/bin directory under ToolsAndFrameworks.
To add a credential to the Workbench:
In a UNIX shell or command prompt, navigate to the ENDECA_TOOLS_ROOT/credential_store/bin directory, for example, /usr/local/endeca/ToolsAndFrameworks/<version>/credential_store/bin or C:\Endeca\ToolsAndFrameworks\<version>\credential_store\bin.
Enter one of the following commands.
On UNIX, enter:
./manage_credentials.sh add --user admin --config [path to jps-config.xml] --type generic --mapName restService --key clientCredential
For example:
./manage_credentials.sh add --user admin --config $ENDECA_TOOLS_ROOT/server/workspace/credential_store/jps-config.xml --type generic --mapName restService --key clientCredential
On Windows, enter:
manage_credentials.bat add --user admin --config [path to jps-config.xml] --type generic --mapName restService --key clientCredential
For example:
manage_credentials.bat add --user admin --config %ENDECA_TOOLS_ROOT%\server\workspace\credential_store\jps-config.xml --type generic --mapName restService --key clientCredential
Enter the new credential at the prompt.
Re-enter the credential to confirm the addition.
Follow the instructions below to restart the ToolsAndFrameworks service.
To restart the ToolsAndFrameworks service:
In a UNIX shell or command prompt, navigate to the ENDECA_TOOLS_ROOT/server/bin directory, for example, /usr/local/endeca/ToolsAndFrameworks/<version>/server/bin or C:\Endeca\ToolsAndFrameworks\<version>\server\bin.
Execute the shutdown script.
On UNIX, enter:
./shutdown.sh
On Windows, enter:
shutdown.bat
Execute the startup script.
On UNIX, enter:
./startup.sh
On Windows, enter:
startup.bat
To delete a credential:
In a UNIX shell or command prompt, navigate to the ENDECA_TOOLS_ROOT/credential_store/bin directory, for example, /usr/local/endeca/ToolsAndFrameworks/<version>/credential_store/bin or C:\Endeca\ToolsAndFrameworks\<version>\credential_store\bin.
Enter one of the following commands.
On UNIX, enter:
./manage_credentials.sh delete --user admin --config [path to jps-config.xml] --mapName restService --key clientCredential
For example:
./manage_credentials.sh delete --user admin --config $ENDECA_TOOLS_ROOT/server/workspace/credential_store/jps-config.xml --mapName restService --key clientCredential
On Windows, enter:
manage_credentials.bat delete --user admin --config [path to jps-config.xml] --mapName restService --key clientCredential
For example:
manage_credentials.bat delete --user admin --config %ENDECA_TOOLS_ROOT%\server\workspace\credential_store\jps-config.xml --mapName restService --key clientCredential
You are notified when the credential is successfully deleted.
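The UNIX Workbench steps above (add or delete the credential, then restart ToolsAndFrameworks) combined into one shell wrapper that checks its preconditions first. This is an added example, not part of the original documentation or of the product's tooling; the function names and the DRY_RUN switch are assumptions of the example, and it calls only the scripts and options shown on this page.

```sh
#!/bin/sh
# Added example: add or delete the Workbench credential, then restart
# ToolsAndFrameworks so the change takes effect.
# Assumptions: ENDECA_TOOLS_ROOT points at the ToolsAndFrameworks install;
# run_step, update_workbench_credential and DRY_RUN are names made up here.

# Print the command when DRY_RUN=1, otherwise execute it.
run_step() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Usage: update_workbench_credential add|delete
update_workbench_credential() {
    action="$1"
    case "$action" in
        add)    type_args="--type generic" ;;
        delete) type_args="" ;;
        *)      echo "usage: update_workbench_credential add|delete" >&2
                return 2 ;;
    esac
    if [ -z "${ENDECA_TOOLS_ROOT:-}" ]; then
        echo "ENDECA_TOOLS_ROOT is not set" >&2
        return 1
    fi
    config="$ENDECA_TOOLS_ROOT/server/workspace/credential_store/jps-config.xml"
    if [ ! -f "$config" ]; then
        echo "jps-config.xml not found: $config" >&2
        return 1
    fi
    # "add" prompts for the credential twice, so the secret never appears
    # in the argument list or in shell history.
    ( cd "$ENDECA_TOOLS_ROOT/credential_store/bin" &&
      run_step ./manage_credentials.sh "$action" --user admin \
          --config "$config" $type_args \
          --mapName restService --key clientCredential ) || return 1
    # The Workbench only picks up the change after a restart.
    ( cd "$ENDECA_TOOLS_ROOT/server/bin" &&
      run_step ./shutdown.sh &&
      run_step ./startup.sh ) || return 1
}
```

Run it first with DRY_RUN=1 to print the three commands without executing them. The credential entered at the add prompt must match the one stored in the credentialStoreMap on the user segment server.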