4.7.  Configure single sign-on in WebSphere Application Server Network Deployment V8.0.
Prev Chapter 4. Security Next

4.7.  Configure single sign-on in WebSphere Application Server Network Deployment V8.0.

[Note]

Set up single sign-on (SSO) between two or more instances of IBM® WebSphere Application Server so users can authenticate to all applications running on WebSphere Application Server with a single log in. For example, you can set up SSO on WebSphere Application Server to enable single authentication sessions between IBM WebSphere Portal and IBM WebSphere Process Server or between WebSphere Portal and IBM Lotus Quickr for WebSphere Portal. SSO on WebSphere Application Server is established through Lightweight Third Party Authentication (LTPA) keys. You export the LTPA key from one instance of WebSphere Application Server then import that key into a different instance of WebSphere Application Server to establish SSO.

Important: Synchronize the time on each instance of WebSphere Application Server for which you plan to set up SSO. LTPA tokens use timestamps from the server to timeout. SSO failures can occur because the time difference between servers is greater than the timeout value of the LTPA tokens.

NOTE: make sure each instance of WAS is using the same user registry (ideally LDAP). The user registry settings should be identical on all servers.

Enabling single sign-on

Enable single sign-on (SSO) on all the instances of WebSphere Application Server for which you plan to establish SSO.

To enable SSO on WebSphere Application Server, do the following:

  1. Log in to the WebSphere Application Server administration console (ISC).

  2. Navigate to Security > Global Security.

  3. In the Authentication section, select the LTPA option.

    Figure 4.34. 


  4. In the Authentication cache settings section, expand Web and SIP security then select Single sign-on (SSO).

    Figure 4.35. 


  5. In the General Properties section, specify the following configuration values for single sign-on:

    • Enabled - Selected by default.

    • Requires SSL - Specify the domain name that you are using for the servers; for example, java.boot.by. This is the domain containing the participating servers.

    • Interoperability Mode - Select this field if not selected by default.

    • Web inbound security attribute propagation - Selected by default.

    Figure 4.36. 


  6. Click the OK button and save to the master configuration.

Repeat the preceding steps for the other instances of WebSphere Application Server for which you plan to establish SSO.

Exporting the LTPA key

Export a Lightweight Third Party Authentication (LTPA) key from WebSphere Application Server to import into other instances of WebSphere Application Server. You only need to export the LTPA key from one server.

To export the single sign-on key, do the following:

  1. Log in to the WebSphere Application Server administration console (ISC).

  2. Navigate to Security > Global security > Authentication > LTPA.

  3. In the Cross-cell single sign-on section, specify a password for the LTPA key.

  4. Enter the LTPA key name and directory to which you want to export the key in the Fully qualified key file name field. For example, on Linux, enter /tmp/myKeys.

  5. Click Export keys.

    Figure 4.37. 


  6. Click the OK button and save to the master configuration.

  7. Navigate to the directory where you exported the LTPA key.

  8. Copy the LTPA key to the file system where you plan to import it.

Importing the LTPA key

Import the LTPA key into WebSphere Application Server. You can import the same LTPA key into multiple servers.

To import the LTPA key, do the following:

  1. Log in to the WebSphere Application Server administration console (ISC).

  2. Navigate to Security > Global security > Authentication > LTPA.

  3. In the Cross-cell single sign-on section, specify the password for the LTPA key.

  4. Enter the directory on your file system where you copied the LTPA key in the Fully qualified key file name field.

  5. Click the Import keys button.

    Figure 4.38. 


  6. Click the OK button and save to the master configuration.

  7. Restart both the server you exported the LTPA key from and the server into which you imported the LTPA key. Restart the servers only after you have imported the LTPA key into all the servers for which you plan to establish SSO.

Repeat the steps in this task for all servers for which you plan to set up SSO, then restart all servers.

Verifying single sign-on

You have successfully established SSO between multiple instances of WebSphere Application Server when you can log in to one administration console then access the other administration consoles without having to log in again.

To verify SSO, do the following:

  1. Log in to the WebSphere Application Server administration console where you exported the LTPA key.

  2. In your browser's address bar, enter the URL for the WebSphere Application Server administration console where you imported the LTPA key.

If the WebSphere Application Server administration console opens without requiring you to log in, you have successfully set up SSO.

Note: Using localhost, a short host name, or the IP address in place of the host name is not recommended. Single sign-on requires that the browser pass LTPA cookies to the WebSphere Application Server server, and these cookies contain the fully qualified host name.

Prev Up Next
4.6.  Apply appropriate application and resource security settings (e.g., Java 2 security, SIBus security).  Home 4.8.  Configure LTPA trust between cells.
Professional hosting         Free 'Oracle Certified Expert Web Services Developer 6' Guide     Free SCDJWS 5.0 Guide