Collaboration for Business Console - Configuring Collaboration User Management Component

Before you can start configuring the Collaboration User Management component, perform these steps:

1.    Start the Collaboration server, either by using the Start menu (Start > All Programs > Software AG > Start Server > Start Collaboration 9.8) or by running the “startall” command in the Collaboration Cloud Controller (ACC) console.

On Linux, no start menu shortcuts are available, so you have to use the “startall” command in the ACC console. For information about ACC, see Using Collaboration Cloud Controller (ACC).

2.    Type “list” repeatedly in the ACC console until all four components are shown as STARTED.

3.    Access the user management configuration UI with a browser, using the URL:

http://localhost:18272/umc

If you installed the Collaboration User Management component in a remote machine, replace “localhost” with the actual host name or IP address of the machine where the component is installed.

Note: In older versions of Collaboration, the default port for the User Management component is different. For example, in version 9.7, the port is 18271. In that case, use the correct port in the URL:

http://localhost:18271/umc

If the User Management component works fine, you get a login page.

1. Creating a Technical User #

Collaboration is just another client for ACC. Before you continue to work with the graphical user management interface, you must allow Collaboration to access the user management component.

In the ACC console, perform these steps:

1. Type this command (in a single line) to create a dedicated technical user:

invoke enhancement_createUser on umcadmin
tenant.name=default tenant.user.name="system"
tenant.user.pwd="manager"
affected.user="_aris_tech_user_ecp_techuser"
affected.pwd="<SecurePasswordOfYourChoice>"
as.technical.user=true

Where <SecurePasswordOfYourChoice> is a secure password of your choice. Do not change the value for the “affected.user” parameter.

The actual command would be similar to:

invoke enhancement_createUser on umcadmin
tenant.name=default
tenant.user.name="system" tenant.user.pwd="manager"
affected.user="_aris_tech_user_ecp_techuser"
affected.pwd="YourNewRandomPassword123456"
as.technical.user=true

If the command succeeds, you get this output:

Successfully invoked operation enhancement_createUser on runnable instance umcadmin on node localhost.

2. Type this command to specify which user Collaboration uses to connect to the User Management component:

set tenant default data for app umc
ecpTechnicalUserName = "_aris_tech_user_ecp_techuser"
ecpTechnicalUserPassword = "<SecurePasswordOfYourChoice>"

For example:

set tenant default data for app umc
ecpTechnicalUserName = "_aris_tech_user_ecp_techuser"
ecpTechnicalUserPassword = "YourNewRandomPassword123456"

2. Changing Passwords of Administrative Users #

User management has two pre-defined administrative users:  “system” and “superuser”. For security reasons, you should change the passwords of these users to some secure string. In addition to the administrative users, Collaboration has an infrastructure administration password. Section 6.5 explains how to change this password.

Warning: If you do not change the passwords of the administrative users in user management, and the password of the infrastructure administrator, your Collaboration installation can be controlled by any person who knows the default passwords.

To change password of an administrative user

1.    Click Start > All Programs > Software AG > Administration > Collaboration Cloud Controller 9.8 to start the Collaboration Cloud Controller.

2.    In the User Management log in page, log in as “system” user with “manager” as the default password. Do not change the value “default” in the second input field. If the login is successful, you will see a screen listing the currently available users.

3.    Click system.

4.    Click the little pencil icon in the upper right to edit the user details.

5.    Select the “Change password” checkbox and provide the new password.

6.    Click Save.

7.    Log out and log in again with “system” user by using the new password.

8.    Change the password for “superuser” user.

9.    The users “guest” and “arisservice” are not required for Collaboration. Either change their passwords, or delete these users using the “Garbage bin” icon you get when you move the mouse over these users in the list.

3. Configuring LDAP #

Collaboration requires an LDAP server for authenticating users. The user management components of both My webMethods Server and Collaboration must be configured against the same LDAP system.

This section describes how to configure LDAP for Collaboration user management. For information about configuring LDAP for Business Console, see the Administering My webMethods Server guide.

To configure LDAP

1.    Log in to Collaboration User Management.

2.    Click Configuration.

3.    In the Configuration page, to filter and view only the LDAP-related configuration settings, select “LDAP connectivity”, “LDAP sync behavior”, or “LDAP attribute mapping” from the filter drop-down list.

4.    To change any setting, double-click the setting or click the edit icon displayed when you hover over the setting. When you hover over a setting, you also find an icon to reset its value to the default.

5.    Provide the values according to your system environment and LDAP server. Contact your LDAP administrator for the necessary details. Only the basic settings are described here. For a complete reference of LDAP settings, see LDAP Attribute Mapping.

3.1. Configuring Basic LDAP Features #

1.    In the Collaboration user management configuration page, choose LDAP connectivity from the drop-down list.

2.    To configure the URL of your LDAP system, specify the value in the com.aris.umc.ldap.url property. If you have several redundant LDAP servers, you can optionally specify the URL of a backup system in the com.aris.umc.ldap.backup.url property.

3.    If you saved users or user groups in subdirectories, set the value of the com.aris.umc.ldap.user.searchpath property to the sub-directory path of the users and set the value of the com.aris.umc.ldap.group.searchpath property to the sub-directory path of the user groups.

4.    If you want to enable “follow referrals of users to other directories”, set the com.aris.umc.ldap.referral property to the value follow. Set the value to ignore (or leave it blank) to not follow referrals.

5.    Optionally, if you want to ensure that the import of LDAP users is carried out despite any occurrence of errors, select “LDAP sync behavior” from the drop-down list and set the com.aris.umc.ldap.sync.skipOnFault property to true. Note that this setting might slow down user synchronization.

6.    After completing the basic settings (and the additional settings required for your specific LDAP system and environment), enable LDAP by setting the com.aris.umc.ldap.active property to true.

3.2. Synchronizing LDAP Users #

If LDAP is set up correctly, you should be able to synchronize the users in Collaboration user management.

1.    Select the User management tab.

2.    Select Start LDAP import from the Additional functions drop-down list in the top right corner.

4. Configuring SAML #

Collaboration for Business Console uses SAML-based single sign-on, with My webMethods Server (which provides Business Console’s user management) acting as the SAML provider. The basic idea of SAML is that Business Console provides a SAML assertion that represents the logged-in user. This assertion is signed by My webMethods Server using asymmetric cryptography. The SAML assertion is then sent to Collaboration. Collaboration user management verifies the assertion signature against the public key of the SAML provider. If verification is successful, the user is authenticated in Collaboration. For this process to work properly, a number of settings must be in sync between My webMethods Server and Collaboration user management, and Collaboration user management requires the SAML provider’s public key for signature validation. For information about configuring users in My webMethods Server, see the Administering My webMethods Server guide.

To use SAML

1.    Import the SAML keystore and truststore used by My webMethods Server into the Collaboration user management component.

2.    In the Collaboration user management UI, select the Configuration tab.

3.    Select SAML in the filter drop-down list to display only the settings relevant to SAML configuration.

4.    Specify the location of the keystore file and set a password for the keystore.

        a.    Locate the com.aris.umc.saml.keystore.location configuration property and double-click it.

        b.    When prompted for the SAML keystore, browse to the location where you stored the keystore file, select the file, and click Upload.

        c.    Set the password for the keystore by editing the com.aris.umc.saml.keystore.password property.

5.    Provide the public key of the SAML assertion provider in the truststore and set a password for the truststore.

        a.    Locate the com.aris.umc.saml.truststore.location configuration property and double-click it.

        b.    Browse to the location where you stored the truststore file, select the file, and click Upload.

        c.    Set the password for the truststore by editing the com.aris.umc.saml.truststore.password property.

6.    To enable SAML assertion validation against the truststore, set the com.aris.umc.saml.signature.assertion.active property to true.

Important: This step is essential for ensuring that only authorized users get access to Collaboration.

7.    Specify the ID of the assertion provider by setting the com.aris.umc.saml.identity.provider.id property. This setting is optional.

This ID must be the same as the one set in My webMethods Server user management. Set

com.aris.umc.saml.identity.provider.id=‘SAG internal issuer’

to identify My webMethods Server as IDP (Identity Provider) or SP (Service Provider) for SAML communication. If you do not set the com.aris.umc.saml.identity.provider.id property, Collaboration's user management component does not check the SAML issuer.

8.    Specify the algorithm used by the assertion provider to sign assertions by setting the value of the com.aris.umc.saml.signature.algorithm property. Valid values are “DSAwithSHA1” or “RSAwithSHA1”.

9.    Enable SAML-based SSO by setting the com.aris.umc.saml.active property to true.
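The two checks that steps 6 and 7 switch on, signature validation against the truststore and the optional issuer comparison, are modelled in the following added Go example. It is not Software AG code: the Assertion and UMCConfig types and the Issuer + "|" + Subject format are simplified stand-ins for a real XML assertion, and it uses RSAwithSHA1, one of the two algorithms the page lists, over a key pair generated on the spot.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"fmt"
)

// Assertion is a constructed stand-in for a SAML assertion (real ones are XML with an enveloped XML-DSig).
type Assertion struct {
	Issuer    string // SAML Issuer, compared against identity.provider.id
	Subject   string // the authenticated user
	Signature []byte // RSAwithSHA1 signature over Issuer + "|" + Subject
}

// SignAssertion models the SAML provider (My webMethods Server) side.
func SignAssertion(priv *rsa.PrivateKey, issuer, subject string) (Assertion, error) {
	h := sha1.Sum([]byte(issuer + "|" + subject))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, h[:])
	return Assertion{Issuer: issuer, Subject: subject, Signature: sig}, err
}

// UMCConfig is a hypothetical holder for the settings from steps 6 and 7.
type UMCConfig struct {
	TrustedKey *rsa.PublicKey // public key taken from the SAML truststore
	ProviderID string         // com.aris.umc.saml.identity.provider.id; "" skips the issuer check
}

// Verify models Collaboration user management: the signature must validate against the trusted key, and when a provider ID is configured the issuer must match it.
func Verify(cfg UMCConfig, a Assertion) error {
	h := sha1.Sum([]byte(a.Issuer + "|" + a.Subject))
	if err := rsa.VerifyPKCS1v15(cfg.TrustedKey, crypto.SHA1, h[:], a.Signature); err != nil {
		return fmt.Errorf("assertion signature invalid: %w", err)
	}
	if cfg.ProviderID != "" && a.Issuer != cfg.ProviderID {
		return fmt.Errorf("issuer %q does not match configured provider %q", a.Issuer, cfg.ProviderID)
	}
	return nil
}

func main() {
	idp, _ := rsa.GenerateKey(rand.Reader, 2048) // the provider's key pair (constructed)
	cfg := UMCConfig{TrustedKey: &idp.PublicKey, ProviderID: "SAG internal issuer"}
	a, _ := SignAssertion(idp, "SAG internal issuer", "alice")
	fmt.Println("genuine assertion:", Verify(cfg, a))
	a.Subject = "superuser" // tampering after signing must be rejected
	fmt.Println("tampered assertion:", Verify(cfg, a))
}
```

With ProviderID left empty, Verify accepts a correctly signed assertion from any issuer, which is the behaviour step 7 describes when com.aris.umc.saml.identity.provider.id is not set.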

See also: #