WebSphere Application Server & Liberty


WebSphere Automation "How To" Series #3: How to configure WebSphere Automation with an Enterprise LDAP

By Brian Hanczaryk posted Fri April 01, 2022 05:59 AM


Previous blogs in this WebSphere Automation "How To" series:
WebSphere Automation "How To" Series #1: How to get WebSphere Automation UI
WebSphere Automation "How To" Series #2: How to specify user roles and permissions

This post will focus on how to configure WebSphere Automation with an Enterprise LDAP.

When the user initially attempts to log into the WebSphere Automation UI, the following page is displayed for the user to choose their authentication type.


Initially, the two authentication types displayed are 'OpenShift authentication' and 'IBM provided credentials (admin only)'. This post describes the steps necessary to configure WebSphere Automation with an Enterprise LDAP, which adds a third authentication type, 'Enterprise LDAP'. For this example, we'll initially log in using 'OpenShift authentication' and then navigate to 'Administration -> Access control'. In the upper right-hand corner, we can click the 'Identity provider configuration' button to configure our Enterprise LDAP. Here is the WebSphere Automation UI screenshot showing the 'Identity provider configuration' button.


After clicking the 'Identity provider configuration' button, a new browser tab is opened where the user is routed to log in to 'IBM Cloud Pak | Administration' using either 'OpenShift authentication' or 'IBM provided credentials (admin only)'. Here is the screenshot showing the initial login to 'IBM Cloud Pak | Administration' in preparation for configuring the identity provider.


Initially, no identity providers will be found. To create a new connection, we'll click the 'New connection' button in the top right side of the page.


The user is then prompted to enter the details for their new LDAP server connection. The following information is requested, where * marks a required field:
Connection name *
Server type *
Base DN *
Bind DN
Bind DN password
Group filter
Group ID map
Group member ID map
User filter *
User ID map *

Here is the set of screenshots showing the information entered to create this new LDAP server connection.
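A pre-flight check for the connection form above, added here as an example and not part of the original post or of IBM's product code: it enforces the required fields as marked on the form, makes sure the DNs and filters are syntactically sane, and flags a Bind DN entered without its password. The '%v' login-name placeholder in the user filter and all sample values are assumptions constructed for illustration.

```python
"""Validate LDAP connection form values before submitting them in the UI."""
import re

# Fields marked * on the form are required; the others may be left blank.
REQUIRED = {"Connection name", "Server type", "Base DN", "User filter", "User ID map"}

# One RDN: attribute type, '=', and a value with no unescaped ',' or '='.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")


def is_dn(value: str) -> bool:
    """Loose RFC 4514 check: comma-separated 'attr=value' RDNs (no escapes)."""
    parts = [p.strip() for p in value.split(",")]
    return all(_RDN.match(p) for p in parts)


def is_filter(value: str) -> bool:
    """Check that an LDAP search filter is wrapped in balanced parentheses."""
    if not (value.startswith("(") and value.endswith(")")):
        return False
    depth = 0
    for ch in value:
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if depth < 0:
            return False
    return depth == 0


def check_connection(form: dict) -> list:
    """Return a sorted list of problems; an empty list means ready to submit."""
    problems = []
    for name in REQUIRED:
        if not form.get(name, "").strip():
            problems.append(f"missing required field: {name}")
    for key in ("Base DN", "Bind DN"):
        if form.get(key) and not is_dn(form[key]):
            problems.append(f"{key} is not a valid DN: {form[key]!r}")
    if form.get("Bind DN") and not form.get("Bind DN password"):
        problems.append("Bind DN given without a Bind DN password")
    for key in ("User filter", "Group filter"):
        if form.get(key) and not is_filter(form[key]):
            problems.append(f"{key} is not a balanced LDAP filter: {form[key]!r}")
    if form.get("User filter") and "%v" not in form["User filter"]:
        problems.append("User filter has no %v placeholder for the login name")
    return sorted(problems)


# Constructed sample values (assumptions, not taken from the post).
SAMPLE_FORM = {
    "Connection name": "corp-ad", "Server type": "Active Directory",
    "Base DN": "dc=example,dc=com",
    "Bind DN": "cn=svc-wsa,ou=service,dc=example,dc=com", "Bind DN password": "***",
    "User filter": "(&(sAMAccountName=%v)(objectClass=person))",
    "User ID map": "*:sAMAccountName",
}
```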


Once this new connection is created, the Identity providers page now shows that connection.


You should now log out of 'IBM Cloud Pak | Administration' and close the browser tab that was previously opened. Using the initial browser tab that was logged in to the WebSphere Automation UI, you can now add LDAP users under the 'Access control' page and assign the LDAP users specific roles and permissions. On the right side of the 'Access control' page, you can click the 'Add users' button.


After clicking the 'Add users' button, you are first prompted to search for the users that you want to add from your connected identity providers. For this example, we are searching for user 'personaAD1'. You can search for and select one or multiple users before clicking 'Next'.


After selecting the desired users, you can choose the platform access by selecting to either 'Assign roles directly' or 'Add to user group'. For this example, we've chosen to 'Assign roles directly' and clicked 'Next'.


After selecting the platform access, you can specify the roles for the user or users. For this example, we've chosen to assign only the 'WebSphere Automation Security' role to the user 'personaAD1'.


Finally, you are presented with a summary before being prompted to add the user. When you are ready to authorize the user, click the 'Add' button on the bottom right side of the page.


At this point the new user or users have been added. To log in as this newly added user on your current system, which has already authenticated using 'OpenShift authentication' or 'IBM provided credentials (admin only)', you will first need to log out and then log back in with the new 'Enterprise LDAP' authentication type. This logout step is not necessary when accessing from a system where no previous authentication has occurred. You can log out by clicking the user icon near the top right of the page and then clicking 'Log out'.


Here is the screenshot showing the newly added 'Enterprise LDAP' authentication type alongside the existing 'OpenShift authentication' and 'IBM provided credentials (admin only)' authentication types when we now attempt to log into the WebSphere Automation UI.


Clicking the 'Enterprise LDAP' authentication type shows the following login page, where we enter our user 'personaAD1' credentials.


In this example, after logging in as 'personaAD1' with only the 'WebSphere Automation Security' role, the Navigation Menu shows 'Operate -> Application runtimes'.


After clicking 'Application runtimes', you are taken to the 'Security' page. In this example, two application servers are registered and we can observe that 'personaAD1' has permission to manage and view the servers.


Attempting to navigate to the 'Health' page using the icon on the left side of the page shows that 'personaAD1' is not authorized to view health investigations, as expected.


You can find more IBM Docs related to WebSphere Automation at https://www.ibm.com/docs/en/ws-automation and more specific information on managing users at https://www.ibm.com/docs/en/ws-automation?topic=administering-managing-users.