Container-based Authentication for MDM-ActiveVOS in WebSphere
© 2014 Informatica Corporation. No part of this document may be reproduced or transmitted in any form, by any
means (electronic, photocopying, recording or otherwise) without prior consent of Informatica Corporation. All other
company and product names may be trade names or trademarks of their respective owners and/or copyrighted
materials of such owners
Abstract
In Informatica MDM Multidomain Edition version 10, a bundled, licensed version of Informatica ActiveVOS Server is the
default workflow engine. This document describes how to add MDM Hub users and administrators to the application
server so that they can authenticate with the ActiveVOS Server.
Supported Versions
• MDM Multidomain Edition 10.0.0
Table of Contents
Overview
Before You Begin
Verifying the MDM Hub Administrator Has the DataSteward Role
Updating the MDM Hub Administrator Password
Verifying the MDM Hub Administrator for ActiveVOS
Creating a Secure Profile
Adding Users and Groups to the Secure Profile
Mapping Groups to ActiveVOS Roles
Overview
To enable MDM Hub users to authenticate with the ActiveVOS Server, you need to set up container-based
authentication in the application server and add the MDM Hub administrators and users to the container. User
credentials are stored in text files. The application server communicates the results of the user authentication to the
ActiveVOS Server.
In the Hub Console, you need to ensure that the ActiveVOS workflow engine uses the user credentials for an MDM
Hub administrator that is defined in the container.
Before You Begin
Before you set up container-based authentication, decide which MDM Hub administrator account to coordinate with the
ActiveVOS Server.
In the Hub Console, verify that the MDM Hub administrator configuration meets the following requirements:
• The account has the DataSteward role assigned.
• The account password meets the requirements of the application server password policy.
• The ActiveVOS workflow engine specifies this account and password.
Later, when you add MDM Hub administrators to the application server container, ensure that you add this MDM Hub
administrator.
Verifying the MDM Hub Administrator Has the DataSteward Role
In the Hub Console, verify that the MDM Hub administrator account has the DataSteward role.
1. Log in to the Hub Console.
2. Select the Operational Reference Store.
3. Open the Security Manager workbench, and click Users and Groups.
4. Click Assign Roles To Users/Groups.
5. Find the node that displays the MDM Hub administrator user name.
6. Expand the node and verify that the DataSteward role is assigned.
7. If the role is not assigned, acquire a write lock and assign the role.
Updating the MDM Hub Administrator Password
If the password for the MDM Hub administrator does not satisfy the password policy of the application server, change
the password in the Hub Console.
1. In the Hub Console, open the Configuration workbench, and click Users.
2. Click Connect to master database.
3. Acquire a write lock.
4. Select the MDM Hub administrator account.
5. Click the Password icon.
6. Type a password that satisfies the password policy of the application server.
7. Click OK.
Verifying the MDM Hub Administrator for ActiveVOS
In the Hub Console, verify that the ActiveVOS workflow engine settings specify this MDM Hub administrator. If you
updated the administrator password, you also need to update the password in the ActiveVOS workflow engine.
1. In the Hub Console, on the Configuration workbench, click Workflow Manager.
2. Select the Workflow Engines tab.
3. Acquire a write lock.
4. Select ActiveVOS and click the Edit button.
5. In the Edit Workflow dialog box, enter the user name and password of the MDM Hub administrator.
6. Click OK.
Creating a Secure Profile
In WebSphere, configure a secure profile to use with Informatica MDM Multidomain Edition and Informatica
ActiveVOS.
1. From a command line, create a secure profile as shown in the following sample code:
   On Windows
       <app_server_root>\bin\manageprofiles.bat -create -profileName AppSrv01 ^
           -profilePath <app_server_root>\profiles\AppSrv01 ^
           -templatePath <app_server_root>\profileTemplates\default ^
           -adminUserName administrator -adminPassword password1 -enableAdminSecurity true
   On UNIX
       <app_server_root>/bin/manageprofiles.sh -create -profileName AppSrv01 \
           -profilePath <app_server_root>/profiles/AppSrv01 \
           -templatePath <app_server_root>/profileTemplates/default \
           -adminUserName administrator -adminPassword password1 -enableAdminSecurity true
2. Follow the instructions in the Informatica MDM Multidomain Edition Installation Guide to configure
   WebSphere.
3. In the WebSphere console, change the security Transport type to SSL-Supported.
   a. Expand Security and click Global Security.
   b. Under Authentication, expand RMI/IIOP security and click CSIv2 inbound communications.
   c. Under CSIv2 Transport Layer, from the Transport list, select SSL-Supported.
   d. Click Apply, and then click Save.
4. Follow the instructions in the Informatica MDM Multidomain Edition Installation Guide to install the MDM Hub
   Server and install the embedded ActiveVOS Server.
5. In the WebSphere console, ensure that application security is set.
   a. Expand Security and click Global Security.
   b. Under Application Security, select Enable application security.
   c. Click Apply, and then click Save.
6. Set up federated repositories.
   a. Expand Security and click Global Security.
   b. Under User account repository, from the Available realm definitions list, select Federated repositories.
   c. Click Configure.
   d. Under Repositories in the realm, click Use built-in repository.
   e. Specify a password for the administrative user.
   f. Click Apply, and then click Save.
7. Restart the WebSphere profile.
Adding Users and Groups to the Secure Profile
Create users and groups for MDM Hub administrators and users. For more information about how to create users and
groups, see the WebSphere documentation.
Note: The user names, passwords, and roles must match in the MDM Hub, ActiveVOS, and WebSphere. The
passwords must adhere to WebSphere password standards.
1. In the WebSphere console, create a user for each MDM Hub administrator and user that you want to
   authenticate with the ActiveVOS Server.
2. Create a group for the MDM Hub administrators.
3. Create a group for the MDM Hub users.
4. Add the administrators to the MDM Hub administrators group.
5. Add the users to the MDM Hub users group.
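The five steps above can also be scripted with wsadmin. The following is an added example, not code from Informatica or IBM: it builds the AdminTask calls (createUser, createGroup, addMemberToGroup) for those steps, refuses a plan in which the workflow-engine administrator is not in the administrators group, and masks passwords before anything is logged. The group names, the sample accounts, and the realm suffix o=defaultWIMFileBasedRealm (the built-in file repository) are assumptions.

```python
# Added example, not Informatica or IBM code. Group names and accounts are constructed.
REALM = "o=defaultWIMFileBasedRealm"  # assumed: base entry of the built-in file repository
ADMIN_GROUP = "mdmHubAdmins"          # hypothetical group name
USER_GROUP = "mdmHubUsers"            # hypothetical group name

def build_plan(accounts, workflow_admin):
    """accounts: list of (uid, kind, password); kind is 'admin' or 'user'.
    workflow_admin: the MDM Hub administrator set in the ActiveVOS workflow engine.
    Returns an ordered list of (AdminTask command name, argument list)."""
    uids = [a[0] for a in accounts]
    for uid, kind, password in accounts:
        if kind not in ("admin", "user"):
            raise ValueError("unknown account kind for %s: %s" % (uid, kind))
        if uids.count(uid) > 1:
            raise ValueError("duplicate user name: %s" % uid)
    if workflow_admin not in [a[0] for a in accounts if a[1] == "admin"]:
        raise ValueError("%s must be added to the administrators group" % workflow_admin)
    # Step 1: one container user per MDM Hub administrator and user.
    plan = [("createUser", ["-uid", uid, "-password", pw, "-confirmPassword", pw,
                            "-cn", uid, "-sn", uid]) for uid, kind, pw in accounts]
    # Steps 2-3: one group for administrators, one for users.
    plan.append(("createGroup", ["-cn", ADMIN_GROUP]))
    plan.append(("createGroup", ["-cn", USER_GROUP]))
    # Steps 4-5: put each account in the group that matches its kind.
    for uid, kind, pw in accounts:
        group = USER_GROUP
        if kind == "admin":
            group = ADMIN_GROUP
        plan.append(("addMemberToGroup",
                     ["-memberUniqueName", "uid=%s,%s" % (uid, REALM),
                      "-groupUniqueName", "cn=%s,%s" % (group, REALM)]))
    return plan

def redact(plan):
    """Copy of the plan with password values masked, safe to print or log."""
    safe = []
    for name, args in plan:
        masked = list(args)
        for i in range(1, len(masked)):
            if masked[i - 1] in ("-password", "-confirmPassword"):
                masked[i] = "********"
        safe.append((name, masked))
    return safe

def apply_plan(admin_task, admin_config, plan):
    """Inside wsadmin, pass the AdminTask and AdminConfig scripting objects."""
    for name, args in plan:
        getattr(admin_task, name)(args)
    admin_config.save()
    return len(plan)
```

Inside a wsadmin Jython session, call apply_plan(AdminTask, AdminConfig, build_plan(accounts, workflow_admin)). The role mapping in the next section is still done in the console.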
Mapping Groups to ActiveVOS Roles
Map groups to ActiveVOS roles.
1. Expand Applications > Application types > WebSphere enterprise applications > ave_websphere.ear.
2. Click ave_websphere.ear to open it.
3. Under Detail Properties, click Security role to user/group mapping.
4. Select the ActiveVOS security roles abAdmin, abTaskClient, and abServiceConsumer, click Map Groups,
   and map the roles to your MDM Hub administrators group.
5. Select the ActiveVOS security role abTaskClient, click Map Groups, and map the role to your MDM Hub
   users group.
6. Click OK.
7. Click OK.
8. Click Save.
Authors
Robert Howard
Lead QA Engineer
Jennifer Smith
Lead Technical Writer