Home
HCL Digital Experience 9.5 [Legacy content]
Securing
Security tasks include setting up property extension databases and custom user repositories, configuring and activating SSL, and configuring authentication. In addition, tasks such as activating Federal Information Processing Standards (FIPS) and NIST SP800-131a security modules and configuring external security managers such as Security Access Manager might be required to secure your portal environment.
Updating user ID and passwords
HCL Digital Experience and IBM® WebSphere® Application Server use some accounts from the registry (for example, the LDAP server) including administrative and bind IDs for authenticated access to databases and LDAP severs respectively, as well as the HCL Portal and WebSphere Application Server administrative IDs. Often this means that the account passwords are stored in the HCL Portal and WebSphere Application Server bootstraps configuration files, which allows the authentication process to work.
Replacing the WebSphere Application Server administrator user ID
If you change your security configuration, you might need to replace your old IBM WebSphere Application Server administrator user ID with a new WebSphere Application Server administrator user ID.

HCL Digital Experience 9.5 [Legacy content]
- Overview
  HCL Digital Experience provides a single access point to web content and applications, while it delivers differentiated, personalized experiences for each user across multiple touchpoints, such as web, mobile, hybrid mobile/web applications, and more.
- Supported migration paths
  Migration is supported between equivalent HCL Digital Experience offerings.
- Supported installation and upgrade paths
  Installation and upgrade is supported between equivalent HCL Digital Experience offerings.
- Getting the software
  New and existing users need to register at the HCL Software License Portal and download their entitled HCL Digital Experience package(s).
- Creating your website
  Review the following topics to understand how to create your website using the latest HCL Digital Experience.
- Installing HCL Digital Experience
  Review the planning information on HCL Digital Experience, then select your operating system and installation pattern that most reflects your business needs.
- Configuring
  Run the following tasks after you install and deploy HCL Digital Experience. They address tasks that are typically run one time and have a global effect. Some configuration changes are made more frequently or do not have a global effect. These tasks are addressed in the Administering section.
- Backup and restore
  Backup and recovery of data files and databases is an essential operation for any business system, particularly for data and applications that run in production environments. Create and follow a plan for backing up and recovering data on all tiers of your HCL Digital Experience deployment. IBM Installation Manager must also be included in backup and recovery planning. If you back up the HCL Portal file structure and then install a fix pack, your HCL Digital Experience and IBM Installation Manager become out of sync after you restore the HCL Portal file system. This condition is not recoverable.
- Migrating
  Successful migration requires significant planning and preparation, understanding the tools that are involved, and careful execution of the appropriate steps in the order provided.
- Integrating
  Integrate HCL Digital Experience with software such as HCL Sametime to enable your users to collaborate more easily. You can also use the unified task list portlet to integrate HCL with your backend business process software, such as IBM Process Server.
- Administering
  Use the administration tools that are provided with the HCL Digital Experience to do various day-to-day administration tasks.
- Securing
  Security tasks include setting up property extension databases and custom user repositories, configuring and activating SSL, and configuring authentication. In addition, tasks such as activating Federal Information Processing Standards (FIPS) and NIST SP800-131a security modules and configuring external security managers such as Security Access Manager might be required to secure your portal environment.
  - Security and authentication considerations
    Security and authentication are key elements of a production environment. Learn about single sign-on, credential vaults and external security managers.
  - Controlling access
    After creating users and groups, you can assign them different levels of access to specific resources, roles, and policies. This access controls what actions they can perform on various pages, portlets, and applications.
  - Enabling Attribute Based Security
    Attribute based security for HCL Web Content Manager content is an access filter in the product filter chain. You can extend the access control permission checks for HCL Web Content Manager content beyond the user or group-based decisions. You can define your own criteria. The criteria might involve categories, keywords, textComponents, htmlComponents, or shortTextComponents for an item.
  - Java 2 security
    Java 2 (J2SE) security provides a policy-based, fine-grain access control mechanism that increases overall system integrity by checking for permissions before allowing access to certain protected system resources. J2SE security allows you to set up individual policy files that control the privileges assigned to individual code sources. If the code does not have the required permissions and still tries to execute a protected operation, the Java™ Access Controller will throw a corresponding security exception.
  - Integrating with OpenID authentication
    Web applications provide information and services to public users and personalized information and services to authenticated users. Users often work with multiple web applications, which require multiple IDs and passwords. This requirement can be difficult to maintain. Integrating identity providers (Google, Yahoo, or Facebook) into your site can simplify logging in for your users.
  - Integrating with IBM WebSphere Application Server TAI authentication
    This roadmap outlines integration with IBM WebSphere Application Server Trust Association Interceptors (TAI) authentication for your environment.
  - Enabling step-up authentication and/or the Remember me cookie
    Using step-up authentication and/or the Remember me cookie lets you fine-tune user authentication to pages and portlets.
  - Securing LTPA keys on a production environment
    The Lightweight Third Party Authentication (LTPA) key holds cryptographic keys that secure the user authentication session and cookies. To secure the production server environment, regenerate the LTPA key using the WebSphere Integrated Solutions Console. If you plan to enable single sign-on at a later time, you must first disable the automatic key generation.
  - Configuring SSL
    Secure socket layers (SSL) encrypt traffic between the client browser and the server to secure information exchanged over the network between the browser and HCL Digital Experience. You will need to configure your environment for SSL to activate this additional security feature.
  - Enabling FIPS and (NIST) SP800-131a
    HCL Digital Experience tolerates IBM WebSphere Application Server support of Federal Information Processing Standards (FIPS) and National Institute of Standards and Technology (NIST) SP800-131a. You can configure WebSphere Application Server to activate FIPS 140-2 compliant security modules. When you enable FIPS, you can use only FIPS to securely encrypt data. For this reason, you must also configure FIPS for systems that require secure transactions, which can include HTTP servers and LDAP servers.
  - Configuring Session Security Integration
    IBM WebSphere Application Server protects your session from access by other users.
  - Enabling HTTP Basic Authentication for simple clients
    HCL Portal provides an HTTP Basic Authentication Trust Association Interceptor that can be enabled to allow specific clients to log into the portal by using HTTP Basic Authentication instead of HTTP Form Based Authentication.
  - Setting up custom user repositories
    A custom user repository is any repository that HCL Portal does not support out-of-box. However, you can configure HCL Portal to support any type of repository in a federated or stand-alone user registry, whether an LDAP directory, database, file system, and so on. Setting up custom user repositories involves tasks such as defining additional repositories to the default federated user registry, creating a custom stand-alone user repository, and updating your user repository to reflect changes in your environment. Learn what steps are required to create and update custom user repositories and what specific interfaces you must implement to enable communication between HCL Portal and a repository.
  - External security managers
    Use external security managers such as IBM Security Access Manager to perform authentication and authorization for HCL Digital Experience. You can use an external security manager for authentication only or for both authentication and authorization. Using an external security manager to perform only authorization is not supported at this time.
  - Deleting passwords from properties files
    The configuration tasks might require you to write security-sensitive information, such as passwords, into multiple properties files. When you no longer need this security-sensitive information for your configuration, you should remove them and move the files to a safe place or set the file permissions so that only authorized users can read them.
  - Updating user ID and passwords
    HCL Digital Experience and IBM® WebSphere® Application Server use some accounts from the registry (for example, the LDAP server) including administrative and bind IDs for authenticated access to databases and LDAP severs respectively, as well as the HCL Portal and WebSphere Application Server administrative IDs. Often this means that the account passwords are stored in the HCL Portal and WebSphere Application Server bootstraps configuration files, which allows the authentication process to work.
    - Changing the HCL Digital Experience administrator password
      HCL Digital Experience treats wpsadmin (the administrator) as any other user, just with more permissions granted. With a normal configuration, it is possible to change the wpsadmin or equivalent password through the user interface, just like any other user can manage their own password through the user interface. However, if the wpsadmin account is also used for more than just the administrator, then additional changes, outlined in other steps in this section, must be made to accommodate the change.
    - Changing the WebSphere Application Server administrator password in the file registry
      If you are using the file registry in the federation repository to store passwords, you need to change the passwords in the file registry.
    - Changing the WebSphere Application Server administrator password in the LDAP server using the LDAP administration interface
      If you are using the IBM Directory Server or IBM SecureWay Security Server for z/OS and OS/390 LDAP server, you can change the IBM WebSphere Application Server administrator password in the LDAP server using the LDAP administration interface. If you are using any other LDAP server, refer to the product documentation for information about changing passwords.
    - Replacing the WebSphere Application Server administrator user ID
      If you change your security configuration, you might need to replace your old IBM WebSphere Application Server administrator user ID with a new WebSphere Application Server administrator user ID.
    - Replacing the HCL Digital Experience administrator user ID
      If you change your security configuration, you might need to replace your old HCL Digital Experience administrator user ID with a new HCL Digital Experience administrator user ID.
    - Changing the LDAP bind password
      If you use an LDAP user registry, you must adapt the LDAP bind user ID.
    - Changing database passwords that are used by HCL Portal
      If database passwords are modified or expired, you must specify the new passwords on the IBM WebSphere Application Server and on the IBM DB2 Universal Database Enterprise Server Edition server so that HCL Portal can access them.
  - Content Security Policy
    The Content-Security-Policy header is used by modern browsers to enhance security of HCL Digital Experience site documents or webpages by allowing HCL Digital Experience administrators or developers declare which dynamic resources are allowed to load.
- Monitoring
  HCL Portal includes tools and features to help you monitor the portal site.
- Setting up a website
  Setting up a website includes, creating pages, adding navigation, setting up search, and adding content to the site. Themes are used to customize the portal's look-and-feel. Out-of-the-box templates and the site wizard can help you set up your portal site faster. You can add wikis and blogs to your site and let users tag and rate content on your site.
- Staging to production
  During portal solution development, the solution is initially developed, tested, and refined on one server or a limited number of servers. The solution is deployed later on live systems, referred to as the production environment. The process of moving the solution from the development environment to the production environment is called staging.
- Developing
  This section includes developer documentation on extending applications and development assets for HCL Portal and HCL Web Content Manager.
- Docker and Containerization
  Find topic information about Docker and Containerization for HCL Digital Experience.
- Practitioner Studio
  Practitioner Studio is a newly designed user experience for HCL Digital Experience. Please see the following pages to understand how the new navigation is organized.
- HCL Experience API
  This shows developers how to provision, configure, and use the HCL Experience API with the HCL Digital Experience 9.5 platform.
- HCL Content Composer
  The HCL Content Composer delivers simplified processes for creating and managing Digital Experience site content.
- HCL Digital Asset Management
  HCL Digital Asset Management (DAM) adds a central platform to store and include rich media assets in Digital Experience site content to present engaging, consistently branded experiences across digital channels.
- The Woodburn Studio demo site
  The Woodburn Studio is a website that demonstrates the use of some of the popular HCL Digital Experience features.
- Reference
  View information that can help you use our product documentation including terms of use, trademarks, and more.

Replacing the WebSphere Application Server administrator user ID | HCL Digital Experience

If you change your security configuration, you might need to replace your old IBM WebSphere Application Server administrator user ID with a new WebSphere Application Server administrator user ID.

About this task

Complete the following steps to replace the WebSphere® Application Server administrator user ID:

Procedure

Create a user in the Manage Users and Groups portlet to replace the current WebSphere® Application Server administrative user.
Run the following task to replace the old WebSphere® Application Server administrative user with the new user:
- AIX® HP-UX Linux™ Solaris: ./ConfigEngine.sh wp-change-was-admin-user -DWasPassword=password -DnewAdminId=newadminid -DnewAdminPw=newpassword from the wp_profile_root/ConfigEngine directory.
- IBM® i: ConfigEngine.sh wp-change-was-admin-user -DWasPassword=password -DnewAdminId=newadminid -DnewAdminPw=newpassword from the wp_profile_root\ConfigEngine directory.
- Windows™: ConfigEngine.bat wp-change-was-admin-user -DWasPassword=password -DnewAdminId=newadminid -DnewAdminPw=newpassword from the wp_profile_root\ConfigEngine directory.
- z/OS®: ./ConfigEngine.sh wp-change-was-admin-user -DWasPassword=password -DnewAdminId=newadminid -DnewAdminPw=newpassword from the wp_profile_root/ConfigEngine directory. The -DnewAdminGroupID parameter is needed only if you plan to replace the old administrative group ID.
Note: Refer to the description of the newAdminId property in wkplc.properties under wp_profile_root\ConfigEngine\properties\ for guidance on populating the value in the command line.

Additional parameter for stopped servers: This task verifies the user against a running server instance. If the server is stopped, add the -Dskip.ldap.validation=true parameter to the task to skip the validation.
Verify that the task completed successfully. Stop and restart all required servers.

What to do next

If you use an external security manager such as Security Access Manager, you must manually remove the old administrator user ID from the external security manager.