{"id":2728,"date":"2014-01-28T19:51:11","date_gmt":"2014-01-28T11:51:11","guid":{"rendered":"http:\/\/rmohan.com\/?p=2728"},"modified":"2014-01-28T19:51:11","modified_gmt":"2014-01-28T11:51:11","slug":"websphere-console-ldap-authentication","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=2728","title":{"rendered":"WebSphere Console LDAP Authentication"},"content":{"rendered":"<h1 id=\"websphere_console_ldap_authentication\">WebSphere Console LDAP Authentication<\/h1>\n<div>\n<p>This is an howto on how to get the WebSphere Integrated Solutions Console to authenticate administrators through <abbr title=\"Lightweight Directory Access Protocol\">LDAP<\/abbr>, in our case Microsoft&#8217;s Active Directory 2008. This is installed with <a title=\"windowsserver2008\" href=\"http:\/\/www.getshifting.com\/wiki\/windowsserver2008\">Windows Server 2008<\/a> and <a title=\"adinstall\" href=\"http:\/\/www.getshifting.com\/wiki\/adinstall\">Active Directory<\/a>.<\/p>\n<\/div>\n<h1 id=\"overview\">Overview<\/h1>\n<p>By default, when WebSphere gets installed everybody can access the WebSphere portal because there is no security. This is how the portal looks like:<a href=\"http:\/\/rmohan.com\/wp-content\/uploads\/2014\/01\/websphereldap01.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2729\" alt=\"websphereldap01\" src=\"http:\/\/rmohan.com\/wp-content\/uploads\/2014\/01\/websphereldap01.jpg\" width=\"368\" height=\"339\" srcset=\"https:\/\/mohan.sg\/wp-content\/uploads\/2014\/01\/websphereldap01.jpg 368w, https:\/\/mohan.sg\/wp-content\/uploads\/2014\/01\/websphereldap01-300x276.jpg 300w, https:\/\/mohan.sg\/wp-content\/uploads\/2014\/01\/websphereldap01-150x138.jpg 150w\" sizes=\"(max-width: 368px) 100vw, 368px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>As you can see, the console can be reached with this url:<\/p>\n<pre>http:\/\/fqdn-of-server:9060\/ibm\/console<\/pre>\n<p>And as you can see as well, there&#8217;s no password field.<\/p>\n<p>Now we want secured access to the console, and we want to centrally administrate the users who will access the console. To do so, we have to follow these steps:<\/p>\n<ul>\n<li>\n<div>Enable administrative security<\/div>\n<\/li>\n<li>\n<div>Configure Federated Repositories<\/div>\n<ul>\n<li>\n<div>Configure the InternalFileRepository<\/div>\n<\/li>\n<li>\n<div>Configure a <abbr title=\"Lightweight Directory Access Protocol\">LDAP<\/abbr> Repository<\/div>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<div>Restart the WebSphere Console<\/div>\n<\/li>\n<li>\n<div>Set up Administrative Group Roles<\/div>\n<\/li>\n<li>\n<div>Restart the WebSphere Console<\/div>\n<\/li>\n<\/ul>\n<p>After securing the console will be reachable on this url:<\/p>\n<pre>https:\/\/fqdn-of-server:9043\/ibm\/console<\/pre>\n<h1 id=\"prerequisites\">Prerequisites<\/h1>\n<div>\n<p>Before the above setup can be configured we first have to create the groups on which WebSphere Roles can be associated:<\/p>\n<div>\n<table>\n<tbody>\n<tr>\n<th>GroupName<\/th>\n<th>WebSphere Role<\/th>\n<th>Short Description<\/th>\n<\/tr>\n<tr>\n<td>WebSphereAdministrators<\/td>\n<td>Administrator, iscadmins<\/td>\n<td>Full Permissions and the possibility to grant permissions to users and groups<\/td>\n<\/tr>\n<tr>\n<td>WebSphereOperators<\/td>\n<td>Operator<\/td>\n<td>Change the status of Application Servers (start,stop,etc)<\/td>\n<\/tr>\n<tr>\n<td>WebSphereReadOnly<\/td>\n<td>Monitor<\/td>\n<td>View Application Server status<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>For more information about the WebSphere Roles see the resources below.<\/p>\n<\/div>\n<h2 id=\"backup\">Backup<\/h2>\n<div>\n<p>Create a backup of the existing configuration. See the <a title=\"webspherestartup\" href=\"http:\/\/www.getshifting.com\/wiki\/webspherestartup\">WebSphere Management Script<\/a> for more information on how to do that.<\/p>\n<\/div>\n<h1 id=\"enable_administrative_security\">Enable Administrative Security<\/h1>\n<div>\n<p>Follow these steps to enable administrative security:<\/p>\n<ul>\n<li>\n<div>Login to the console and expand \u201cSecurity\u201d.<\/div>\n<\/li>\n<li>\n<div>Go to \u201cSecure administration, applications and infrastructure\u201d<\/div>\n<\/li>\n<li>\n<div>Select the checkbox for \u201cEnable administrative security\u201d<\/div>\n<\/li>\n<li>\n<div>Select the checkbox for \u201cEnable application security\u201d<\/div>\n<\/li>\n<li>\n<div>Unselect the checkbox for \u201cUse Java 2 security to restrict application access to local resources\u201d<\/div>\n<\/li>\n<li>\n<div>Click Apply and \u201cSave directly to the master configuration\u201d.<\/div>\n<\/li>\n<\/ul>\n<\/div>\n<h1 id=\"configure_federated_repositories\">Configure Federated Repositories<\/h1>\n<div>\n<p>In the same page as for the previous section, follow these steps to configure Federated Repositories:<\/p>\n<ul>\n<li>\n<div>Select from the \u201cAvailable realm definitions\u201d dropdown menu the \u201cFederated repositories\u201d option.<\/div>\n<\/li>\n<li>\n<div>First click \u201cSet as current\u201d, Apply and \u201cSave directly to the master configuration\u201d, and then click \u201cConfigure\u201d.<\/div>\n<\/li>\n<\/ul>\n<p>Now configure the repositories, starting with the InternalFileRepository and than AD-<abbr title=\"Lightweight Directory Access Protocol\">LDAP<\/abbr>.<\/p>\n<\/div>\n<h2 id=\"configure_the_internalfilerepository\">Configure the InternalFileRepository<\/h2>\n<div>\n<ul>\n<li>\n<div>Leave the realm name at it&#8217;s default (defaultWIMFileBasedRealm)<\/div>\n<\/li>\n<li>\n<div>Enter the \u201cPrimary administrative user name\u201d. This value is free to choose, but to prevent confusion, do not enter an existing local account or an account already in <abbr title=\"Lightweight Directory Access Protocol\">LDAP<\/abbr>. I&#8217;ve set it to sjoerd. This account will be your fallback when <abbr title=\"Lightweight Directory Access Protocol\">LDAP<\/abbr> is down.<\/div>\n<\/li>\n<li>\n<div>Then check the \u201cAutomatically generated server identity\u201d radio button.<\/div>\n<\/li>\n<li>\n<div>Select the \u201cIgnore case for authorization\u201d checkbox.<\/div>\n<\/li>\n<li>\n<div>Click Apply you&#8217;ll be prompted to enter a password for the \u201cPrimary administrative user name\u201d which you&#8217;ve just set. Click OK, and than click \u201cSave directly to the master configuration\u201d.<\/div>\n<\/li>\n<\/ul>\n<\/div>\n<h2 id=\"configure_a_ldap_repository\">Configure a LDAP Repository<\/h2>\n<p>In the same page as before click \u201cManage repositories\u201d to start configuring the <abbr title=\"Lightweight Directory Access Protocol\">LDAP<\/abbr> repository:<\/p>\n<ul>\n<li>\n<div>Click Add<\/div>\n<\/li>\n<li>\n<div>Enter a \u201cRepository identifier\u201d. Also a free value, I&#8217;ve named it to \u201cAD-<abbr title=\"Lightweight Directory Access Protocol\">LDAP<\/abbr>\u201d<\/div>\n<\/li>\n<li>\n<div>Set the <abbr title=\"Lightweight Directory Access Protocol\">LDAP<\/abbr> server \u201cDirectory type\u201d to \u201cMicrosoft Windows Server 2003 Active Directory\u201d. I&#8217;ve found this server also working for Windows Server 2008 Active Directory.<\/div>\n<\/li>\n<li>\n<div>Set the Primary host name to your primary ldap server: ldap.company.local<\/div>\n<\/li>\n<li>\n<div>Leave the port at it&#8217;s default value of 389<\/div>\n<\/li>\n<li>\n<div>Set the \u201cBind distinguished name\u201d to the service account which is a guest domain account: sa_ldap@company.local<\/div>\n<\/li>\n<li>\n<div>Set the bind password<\/div>\n<\/li>\n<li>\n<div>leave the \u201cLogin properties\u201d to it&#8217;s default value of \u201cuid\u201d<\/div>\n<\/li>\n<\/ul>\n<p>The configuration now looks like this:<a href=\"http:\/\/rmohan.com\/wp-content\/uploads\/2014\/01\/websphereldap02.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2730\" alt=\"websphereldap02\" src=\"http:\/\/rmohan.com\/wp-content\/uploads\/2014\/01\/websphereldap02.jpg\" width=\"760\" height=\"666\" srcset=\"https:\/\/mohan.sg\/wp-content\/uploads\/2014\/01\/websphereldap02.jpg 760w, https:\/\/mohan.sg\/wp-content\/uploads\/2014\/01\/websphereldap02-300x262.jpg 300w, https:\/\/mohan.sg\/wp-content\/uploads\/2014\/01\/websphereldap02-150x131.jpg 150w, https:\/\/mohan.sg\/wp-content\/uploads\/2014\/01\/websphereldap02-400x350.jpg 400w\" sizes=\"(max-width: 760px) 100vw, 760px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li>\n<div>Click Apply and \u201cSave directly to the master configuration\u201d<\/div>\n<\/li>\n<\/ul>\n<h1 id=\"configure_federated_repositories_ii\">Configure Federated Repositories II<\/h1>\n<p>Now go back to the \u201cFederated repositories\u201d page to add the <abbr title=\"Lightweight Directory Access Protocol\">LDAP<\/abbr> repository to the realm:<\/p>\n<ul>\n<li>\n<div>Click \u201cAdd Base entry to realm\u201d<\/div>\n<\/li>\n<li>\n<div>Select \u201cAD-<abbr title=\"Lightweight Directory Access Protocol\">LDAP<\/abbr>\u201d from the Repository dropdown menu.<\/div>\n<\/li>\n<li>\n<div>Now enter the search base (ou=users,dc=company,dc=local) in both the \u201cDistinguished name of a base entry that uniquely identifies this set of entries in the realm\u201d and the \u201cDistinguished name of a base entry in this repository\u201d.<\/div>\n<\/li>\n<li>\n<div>Click Apply and \u201cSave directly to the master configuration\u201d.<\/div>\n<\/li>\n<\/ul>\n<p>Now the federated repositories look like this:<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"http:\/\/rmohan.com\/wp-content\/uploads\/2014\/01\/websphereldap03.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2731\" alt=\"websphereldap03\" src=\"http:\/\/rmohan.com\/wp-content\/uploads\/2014\/01\/websphereldap03.jpg\" width=\"762\" height=\"661\" srcset=\"https:\/\/mohan.sg\/wp-content\/uploads\/2014\/01\/websphereldap03.jpg 762w, https:\/\/mohan.sg\/wp-content\/uploads\/2014\/01\/websphereldap03-300x260.jpg 300w, https:\/\/mohan.sg\/wp-content\/uploads\/2014\/01\/websphereldap03-150x130.jpg 150w, https:\/\/mohan.sg\/wp-content\/uploads\/2014\/01\/websphereldap03-400x346.jpg 400w\" sizes=\"(max-width: 762px) 100vw, 762px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li>\n<div>Click Apply and \u201cSave directly to the master configuration\u201d<\/div>\n<\/li>\n<\/ul>\n<h1 id=\"set_up_administrative_group_roles\">Set up Administrative Group Roles<\/h1>\n<p>Before we can setup Administrative Group Roles we first have to enable WebSphere to access the just created <abbr title=\"Lightweight Directory Access Protocol\">LDAP<\/abbr> repository. To do so, we have to restart the WebSphere console. Since the console is part of the deployment manager you can restart the deployment manager. See the <a title=\"webspherestartup\" href=\"http:\/\/www.getshifting.com\/wiki\/webspherestartup\">WebSphere Management Script<\/a> for more information on how to do that.<\/p>\n<p>After restart, you can login, but you&#8217;ll need to login with the configured local account:<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"http:\/\/rmohan.com\/wp-content\/uploads\/2014\/01\/websphereldap04.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2732\" alt=\"websphereldap04\" src=\"http:\/\/rmohan.com\/wp-content\/uploads\/2014\/01\/websphereldap04.jpg\" width=\"325\" height=\"147\" srcset=\"https:\/\/mohan.sg\/wp-content\/uploads\/2014\/01\/websphereldap04.jpg 325w, https:\/\/mohan.sg\/wp-content\/uploads\/2014\/01\/websphereldap04-300x135.jpg 300w, https:\/\/mohan.sg\/wp-content\/uploads\/2014\/01\/websphereldap04-150x67.jpg 150w\" sizes=\"(max-width: 325px) 100vw, 325px\" \/><\/a><\/p>\n<p>After logging in expand the \u201cUsers and Groups\u201d section and click \u201cAdministrative Group Roles\u201d to start granting roles:<\/p>\n<ul>\n<li>\n<div>Click Add<\/div>\n<\/li>\n<li>\n<div>Enter the group name you&#8217;ve created in Active Directory and select the role according to the overview at the top. You can select multiple roles by clicking while pressing the &lt;CTRL&gt;-key.<\/div>\n<\/li>\n<li>\n<div>Repeat the last steps for all groups you&#8217;ve created<\/div>\n<\/li>\n<\/ul>\n<p>Now the \u201cAdministrative Group Roles\u201d look like this:<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"http:\/\/rmohan.com\/wp-content\/uploads\/2014\/01\/websphereldap05.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2733\" alt=\"websphereldap05\" src=\"http:\/\/rmohan.com\/wp-content\/uploads\/2014\/01\/websphereldap05.jpg\" width=\"842\" height=\"301\" srcset=\"https:\/\/mohan.sg\/wp-content\/uploads\/2014\/01\/websphereldap05.jpg 842w, https:\/\/mohan.sg\/wp-content\/uploads\/2014\/01\/websphereldap05-300x107.jpg 300w, https:\/\/mohan.sg\/wp-content\/uploads\/2014\/01\/websphereldap05-150x53.jpg 150w, https:\/\/mohan.sg\/wp-content\/uploads\/2014\/01\/websphereldap05-400x142.jpg 400w\" sizes=\"(max-width: 842px) 100vw, 842px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li>\n<div>Now shut down the application servers, node agent, and the deployment manager.<\/div>\n<\/li>\n<li>\n<div>Start the deployment manager.<\/div>\n<\/li>\n<li>\n<div>Resynchronize the nodes like this, and use the local account that you defined when asked for credentials:<\/div>\n<\/li>\n<\/ul>\n<pre>root@aix:\/opt\/sft\/${COMP}-${ENV}\/WAS_Profiles\/${COMP}-${ENV}.AppSrv\/bin&gt;syncNode.sh localhost<\/pre>\n<ul>\n<li>\n<div>Now start the node-agent and the application server.<\/div>\n<\/li>\n<\/ul>\n<blockquote>\n<div>NOTE: If you come across one of these errors you haven&#8217;t synchronized your application servers properly:<\/p>\n<pre>SECJ0305I: The role-based authorization check failed for admin-authz operation Server:stop. The user UNAUTHENTICATED (unique ID: unauthenticated) was not granted any of the following required roles: operator, administrator.<\/pre>\n<\/div>\n<\/blockquote>\n<pre>[11\/5\/10 11:44:58:890 GMT+01:00] 00000034 MBeanHelper ...&lt;cut&gt;... ADMN0022E: Access is denied for the stop operation on Server MBean because of insufficient or empty credentials.<\/pre>\n<h1 id=\"test\">Test<\/h1>\n<div>\n<p>I added myself to the WebSphereReadOnly group and when I logged in to the WebSphere Console the control buttons for stopping and starting the application server were gone.<\/p>\n<p>Then I added myself to the WebSphereAdministrators group and it worked:<\/p>\n<pre>ADMN1020I: An attempt is made to stop the Monitoring_server server. (User ID = defaultWIMFileBasedRealm\/ldapsjoerd)<\/pre>\n<p>Then I tried to stop the application servers from the commandline, and also here was authentication required. I gave incorrect credentials when stopping the last application server. As you can see, the stopping of all application servers was successful, except for the last one:<\/p>\n<pre>Stopping server Front\r\nADMU0116I: Tool information is being logged in file\r\n           ..\/logs\/Front_Server\/stopServer.log\r\nADMU0128I: Starting tool with the AppSrv profile\r\nADMU3100I: Reading configuration for server: Front_Server\r\nRealm\/Cell Name: &lt;default&gt;\r\nUsername: ldapsjoerd\r\nPassword:                                                                                                               \r\nADMU3201I: Server stop request issued. Waiting for stop status.\r\nADMU4000I: Server Front_Server stop completed.\r\n\r\nStopping server JMS\r\nADMU0116I: Tool information is being logged in file\r\n           ..\/logs\/JMS_Server\/stopServer.log\r\nADMU0128I: Starting tool with the AppSrv profile\r\nADMU3100I: Reading configuration for server: JMS_Server\r\nRealm\/Cell Name: &lt;default&gt;\r\nUsername: test\r\nPassword:                                                                                                               \r\nADMU0111E: Program exiting with error: javax.management.JMRuntimeException:\r\n           ADMN0022E: Access is denied for the stop operation on Server MBean\r\n           because of insufficient or empty credentials.\r\nADMU4113E: Verify that username and password information is correct.  If\r\n           running tool from the command line, pass in the correct -username\r\n           and -password.  Alternatively, update the &lt;conntype&gt;.client.props\r\n           file.\r\nADMU1211I: To obtain a full trace of the failure, use the -trace option.\r\nADMU0211I: Error details may be seen in the file:\r\n           ..\/logs\/JMS_Server\/stopServer.log<\/pre>\n<blockquote>\n<div>NOTE: The dmgr can only be stopped with the local account (sjoerd).<\/div>\n<\/blockquote>\n<\/div>\n<h1 id=\"monitoring\">Monitoring<\/h1>\n<div>\n<p>After setting up security, and when running monitoring add authentication information to the monitor. See below for required information (which can all be found inside the node and application server configuration):<\/p>\n<ul>\n<li>\n<div>Display Name: WebSphere_Monitoring_9030<\/div>\n<\/li>\n<li>\n<div>WebSphere Version: 6.x<\/div>\n<\/li>\n<li>\n<div>Deployment Mode: Network Deployment<\/div>\n<\/li>\n<li>\n<div>Port: 9030<\/div>\n<\/li>\n<li>\n<div>User Name: same as configured for the InternalFileRepository (sjoerd)<\/div>\n<\/li>\n<li>\n<div><abbr title=\"Simple Object Access Protocol\">SOAP<\/abbr> Connector Port: 8882<\/div>\n<\/li>\n<li>\n<div>Network Deployer Host: ndhost.copany.local<\/div>\n<\/li>\n<li>\n<div>Network Deployer <abbr title=\"Simple Object Access Protocol\">SOAP<\/abbr> Port: 8879<\/div>\n<\/li>\n<li>\n<div>Advanced Options<\/div>\n<ul>\n<li>\n<div>App Servers to Monitor: node:JMS,Front,Monitoring;<\/div>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>You can check the service by going to this url:<\/p>\n<pre>http:\/\/ndhost.company.local:9030\/wasPerfTool\/servlet\/perfservlet?connector=SOAP&amp;port=8879&amp;host=ndhost.company.local&amp;username=test&amp;password=xxxxxxxx<\/pre>\n<\/div>\n<h1 id=\"troubleshooting\">Troubleshooting<\/h1>\n<div><\/div>\n<h2 id=\"logging_as_defined_user_works_but_not_through_group_membership\">Logging as defined user works, but not through group membership<\/h2>\n<p>If you can login using a user defined in the user roles, but not as a user who is defined a member of a group defined in group roles, select the \u201cignore case for authorization\u201d in the federated repositories configuration.<\/p>\n<p>This is why:<\/p>\n<blockquote>\n<div>Optional: Verify that the Ignore case for authorization option is enabled. When you enable this option, the authorization check is case insensitive. Normally, an authorization check involves checking the complete DN of a user, which is unique in the <abbr title=\"Lightweight Directory Access Protocol\">LDAP<\/abbr> server and is case sensitive. However, when you use either the IBM Directory Server or the Sun ONE (formerly iPlanet) Directory Server <abbr title=\"Lightweight Directory Access Protocol\">LDAP<\/abbr> servers, you must enable this option because the group information that is obtained from the <abbr title=\"Lightweight Directory Access Protocol\">LDAP<\/abbr> servers is not consistent in case. This inconsistency affects the authorization check only. Otherwise, this field is optional and can be enabled when a case sensitive authorization check is required. For example, you might select this option when you use certificates and the certificate contents do not match the case of the entry in the <abbr title=\"Lightweight Directory Access Protocol\">LDAP<\/abbr> server.<\/div>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>WebSphere Console LDAP Authentication <\/p>\n<p>This is an howto on how to get the WebSphere Integrated Solutions Console to authenticate administrators through LDAP, in our case Microsoft&#8217;s Active Directory 2008. This is installed with Windows Server 2008 and Active Directory.<\/p>\n<p> Overview <\/p>\n<p>By default, when WebSphere gets installed everybody can access the WebSphere portal because there is [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/2728"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2728"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/2728\/revisions"}],"predecessor-version":[{"id":2734,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/2728\/revisions\/2734"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2728"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2728"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2728"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}