Considerations for security during cluster installation and federation

When setting up a cluster, there are two scenarios that must be considered. The first scenario is when the default VMM file-based repository security is used at both the WebSphere Portal nodes and the deployment manager until after the WebSphere Portal cluster is completely set up. Prior to federating the first WebSphere Portal node into the cell, the required group for WebSphere Portal administrators must be defined in the deployment manager’s security repository. Once the cluster has been set up, you can modify the security settings of the cell. Although it is possible to modify security in the cell using the WebSphere Application Server administrative interfaces, you should use the WebSphere Portal security tasks to change cell security in order to ensure that the security configuration settings for WebSphere Application Server and WebSphere Portal are identical.

The second scenario is when the default security settings of the existing deployment manager cell have already been modified before the first WebSphere Portal node joins the cell. WebSphere Portal supports the capability of using two different sets of administrative user ID and password credentials when federating a WebSphere Portal node into a cell – one set for the WebSphere Portal node authentication and one set for deployment manager authentication. This means that it is not necessary to define a common administrative user ID before WebSphere Portal joins the cell. If the deployment manager cell is using federated VMM with additional repositories, WebSphere Portal will pick up this configuration dynamically from the deployment manager when it joins the cell. If the deployment manager cell is using standalone LDAP security, however, then it is necessary to configure the LDAP values into the WebSphere Portal property files before federation to enable WebSphere Portal to dynamically adapt to the existing standalone LDAP security settings of the cell. As with the first scenario, once the cluster has been set up, changes to the deployment manager cell security settings can be made using the WebSphere Portal security tasks, and additional WebSphere Portal nodes may be added to the cell following the same procedures.

The tasks under Setting up a clustered production environment recommend configuring security before configuring your additional nodes. If you configure your security after configuring your additional nodes, or if you need to update your security configuration after you have created your clustered environment, you will need to run an additional task to update the security settings on the secondary nodes; see Configuring security after cluster creation for information.
