What is the best way to incorporate Siteminder SSO with the WebSphere Liberty Profile Buildpack?

Question

We have a use case where all the apps staged and run with the WebSphere Liberty Profile Buildpack have to authenticate with LDAP and a SiteMinder SSO Proxy.

We have implemented this feature by configuring a TAI in Liberty and pushing the app as a server package.

We don't want to push server packages for each app

How should we package the features like ldapRegistry-3.0, the TAI library and the associated trustAssociation server configuration so that all the apps staged by the buildpack inherit this configuration without pushing server packages. Can this be done with a user feature ?

-cheers, Rohit Kelapure

Answer 1

I can think of three options:

1. Deploy your application with configuration as a server directory instead.
2. Fork and modify the Liberty buildpack to your needs.
3. Create a .profile.d script (as part of your application) that adds a server.xml with your configuration into a configDropins directory of the Liberty server.

Answer 2

Unfortunately, there's no other way to setup the other security mechanisms (TAI Library & trustAssociateion server config) without pushing a server package or pushing a server directory. See (1) for more details on protecting resources in Liberty.

If you were just adding Liberty features or needed to specify a different set of features, then you could set the JBP_CONFIG_LIBERTY environment variable and restage the app:

$ cf set-env myapp JBP_CONFIG_LIBERTY "app_archive: {features: [ldapRegistry-3.0]}"
$ cf restage myapp

For more information on other options for pushing Liberty applications, see (2) below.

(1) https://www.ng.bluemix.net/docs/services/mobileaccess/security/resource_server/index.html#r_oauth_was_wasl

(2) https://www.ng.bluemix.net/docs/starters/liberty/index.html#optionsforpushinglibertyapplications