5.6.  Configure different authentication and authorization mechanisms, including SSO.

Setting up single sign-on for WebSphere Application Server

Set up single sign-on (SSO) between two or more instances of IBM® WebSphere Application Server so that users authenticate once and can then reach all applications running on those servers without logging in again. For example, you can set up SSO on WebSphere Application Server to enable single authentication sessions between IBM WebSphere Portal and IBM WebSphere Process Server, or between WebSphere Portal and IBM Lotus Quickr for WebSphere Portal. SSO on WebSphere Application Server is established through Lightweight Third Party Authentication (LTPA) keys: the server that authenticated the user issues an LTPA token (the LtpaToken2 cookie), and every other server holding the same LTPA keys can decrypt and validate that token instead of prompting for credentials again. You export the LTPA keys from one instance of WebSphere Application Server and then import them into each other instance to establish SSO.

NOTE: Synchronize the clocks of all the instances of WebSphere Application Server for which you plan to set up SSO (for example, with NTP). An LTPA token carries an expiration time computed from the issuing server's clock, and the receiving server checks it against its own clock. If the issuing server's clock is behind the receiving server's by more than the LTPA timeout (120 minutes by default), its tokens arrive already expired and SSO fails in that direction; a smaller skew silently shortens the session.

NOTE: Ensure that all participating servers are in the same DNS domain. The SSO domain name you configure becomes the Domain attribute of the LTPA cookie, and the browser sends the cookie only to hosts under that domain. For example, valid SSO domain names for the fictitious hosts portal1.java.boot.by and portal2.java.boot.by are java.boot.by or boot.by. Choose the narrowest domain that still covers every participating server, because every host under the configured domain receives the token; a bare top-level domain such as "by" is not usable, since browsers refuse cookies scoped to a public suffix.

NOTE: The participating servers must also authenticate users against the same user registry (the same realm). An LTPA token identifies the user by realm and user ID, and a server whose registry does not know that realm rejects the token and prompts for credentials again (unless that realm has been configured as a trusted inbound realm).
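The domain rules in the note above, as an added example that is not part of the original guide. It computes which SSO domain names cover a set of participating hosts and which hosts a given domain would expose the LTPA cookie to, using the RFC 6265 domain-matching rule. The hostnames other than portal1/portal2 and the short public-suffix list are constructed for illustration:

```python
# Added example (not from the guide): choosing and checking the SSO domain name.
# The SSO domain becomes the Domain attribute of the LtpaToken2 cookie, so the
# browser sends the token to every host under it. Matching follows the RFC 6265
# domain-match rule; PUBLIC_SUFFIXES is a constructed, deliberately tiny stand-in
# for the public suffix list (use the real list in production).

PUBLIC_SUFFIXES = frozenset(['by', 'com', 'net', 'org', 'co.uk'])  # constructed sample


def _labels(name):
    """Normalise a host or domain: lower-case, no surrounding dots, split on dots."""
    return name.strip().lower().rstrip('.').lstrip('.').split('.')


def domain_matches(host, domain):
    """True if a cookie with Domain=domain is sent to host (RFC 6265 section 5.1.3):
    the host equals the domain or ends with '.' + domain, i.e. on a label boundary,
    so 'boot.by' covers portal1.java.boot.by but 'oot.by' does not."""
    host, domain = '.'.join(_labels(host)), '.'.join(_labels(domain))
    return host == domain or host.endswith('.' + domain)


def candidate_sso_domains(hosts):
    """Domains that every participating host falls under, narrowest first, leaving
    out public suffixes (browsers refuse such cookies, and a token scoped to one
    would reach every site in the TLD)."""
    if not hosts:
        return []
    labels = _labels(hosts[0])
    candidates = []
    for i in range(len(labels)):
        suffix = '.'.join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            break  # anything shorter is an even broader public suffix
        if all(domain_matches(h, suffix) for h in hosts):
            candidates.append(suffix)
    return candidates


def recommended_sso_domain(hosts):
    """Least privilege: the narrowest domain shared by all hosts, or None when the
    hosts share no usable domain (cookie-based LTPA SSO cannot span them)."""
    c = candidate_sso_domains(hosts)
    return c and c[0] or None


def hosts_receiving_token(domain, hosts):
    """Blast-radius check: which of the given hosts the browser would send the LTPA
    cookie to. Any listed host outside the SSO group can read the token."""
    return [h for h in hosts if domain_matches(h, domain)]


if __name__ == '__main__':
    # Constructed hostnames extending the guide's portal1/portal2 example.
    sso_hosts = ['portal1.java.boot.by', 'portal2.java.boot.by']
    print(candidate_sso_domains(sso_hosts))                         # ['java.boot.by', 'boot.by']
    print(recommended_sso_domain(sso_hosts))                        # java.boot.by
    print(recommended_sso_domain(sso_hosts + ['quickr.boot.by']))   # boot.by
    print(recommended_sso_domain(['portal1.java.boot.by', 'bpm.example.org']))  # None
    # Choosing the wider domain lets an unrelated host under it see the token:
    print(hosts_receiving_token('boot.by', sso_hosts + ['intranet-wiki.boot.by']))
```

The last call is the check worth running before you type a domain into the console: list every hostname under the candidate domain, not just the SSO participants, and confirm you are willing to let each of them receive the token.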

  1. Enabling single sign-on

    Enable single sign-on (SSO) on all the instances of WebSphere Application Server for which you plan to establish SSO.

    To enable SSO on WebSphere Application Server, do the following:

    1. Log in to the WebSphere Application Server administration console.

    2. Navigate to Security > Global Security.

    3. In the Authentication section, expand Web and SIP security, then click Single sign-on (SSO).

      Figure 5.10. Single sign-on (SSO)

    4. In the General Properties section, specify the following configuration values for single sign-on:

      Figure 5.11. Single sign-on (SSO) Settings

      • Enabled: selected by default; leave it selected.

      • Requires SSL: select this field if it is not already selected. The LTPA cookie is then flagged Secure and sent only over HTTPS, so it cannot be captured from plain-HTTP traffic.

      • Domain name: the common DNS domain of the servers, for example java.boot.by.

      • Interoperability Mode: select this field if it is not already selected. In this mode the server sends the older LtpaToken cookie in addition to LtpaToken2; it is only needed while a participating product understands just the older format, so clear it once every participant accepts LtpaToken2.

      • Web inbound security attribute propagation: selected by default; leave it selected.

    5. Click OK and save to the master configuration.

    Repeat the preceding steps for the other instances of WebSphere Application Server for which you plan to establish SSO.

  2. Exporting the LTPA key

    Export the Lightweight Third Party Authentication (LTPA) keys from one instance of WebSphere Application Server so that you can import them into the other instances. You only need to export the keys from one server. If automatic LTPA key generation is enabled in the key set group of that server or of any other participant, that server will later generate keys the others do not have and SSO stops working; either disable automatic generation on all participants or repeat the export and import after each regeneration.

    To export the single sign-on key, do the following:

    1. Log in to the WebSphere Application Server administration console.

    2. Navigate to Security > Global security > Authentication > LTPA.

    3. In the Cross-cell single sign-on section, specify and confirm a password for the LTPA key file. The password encrypts the exported file, so choose a strong one and give it to the administrator of the importing server over a different channel than the file itself.

    4. Enter the LTPA key name and directory to which you want to export the key in the Fully qualified key file name field. For example, on Linux, enter /tmp/my_ltpa_key.

      Figure 5.12. Export LTPA keys

    5. Click Export keys.

      Figure 5.13. LTPA keys exported

    6. Navigate to the directory where you exported the LTPA key.

    7. Copy the LTPA key file to the file system of each server where you plan to import it, over an encrypted channel such as scp. Treat the file as a secret: anyone who holds the file and its password can forge a valid LTPA token for any user on every server that shares the keys. Delete every copy once the imports are complete.

  3. Importing the LTPA key

    Import the LTPA key into WebSphere Application Server. You can import the same LTPA key into multiple servers.

    To import the LTPA key, do the following:

    1. Log in to the WebSphere Application Server administration console.

    2. Navigate to Security > Global security > Authentication > LTPA.

    3. In the Cross-cell single sign-on section, specify the password for the LTPA key.

    4. Enter the name of the file on your file system where you copied the LTPA key in the Fully qualified key file name field.

    5. Click Import keys.

    6. Restart both the server you exported the LTPA key from and the server into which you imported the LTPA key. Restart the servers only after you have imported the LTPA key into all the servers for which you plan to establish SSO.

    Repeat the steps in this task on each remaining server for which you plan to set up SSO, then restart all of the servers.
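Tasks 1 to 3 above as a wsadmin Jython script, added here as an example; it is not from the original guide or from IBM. It assumes the AdminTask commands configureSingleSignon, exportLTPAKeys and importLTPAKeys with the parameter names shown (as documented for WebSphere Application Server 7.0 and later), that the key file can be referenced as a file: URI, and that the getpass module is available in the wsadmin Jython runtime; check the command signatures on your version with `print AdminTask.help('configureSingleSignon')` before relying on it. The dry-run path (no AdminTask object) only builds the command arguments, which is what makes the script checkable outside wsadmin:

```python
# sso_ltpa.py: wsadmin (Jython) script for tasks 1 to 3. Added example; not from the
# guide or from IBM. Assumptions: the AdminTask commands configureSingleSignon,
# exportLTPAKeys and importLTPAKeys accept the parameters shown (WAS 7.0 and later),
# the key file may be given as a file: URI, and getpass exists in wsadmin's Jython.
# Check with:  print AdminTask.help('configureSingleSignon')
#
# Usage, run as the WebSphere administrator from each profile's bin directory:
#   every participating server:  wsadmin.sh -lang jython -f sso_ltpa.py configure java.boot.by
#   exactly one server:          wsadmin.sh -lang jython -f sso_ltpa.py export /tmp/my_ltpa_key
#   every other server:          wsadmin.sh -lang jython -f sso_ltpa.py import /tmp/my_ltpa_key
# Restart all servers only after the last import. Written for Jython 2.1 (no
# ternaries, enumerate or str.lstrip(chars)) so it also runs on older WAS releases.
import sys

ACTIONS = ('configure', 'export', 'import')


def sso_args(domain, requires_ssl=True, interoperable=False, attribute_propagation=True):
    """Argument string for AdminTask.configureSingleSignon; the parameters mirror the
    fields on the console's Single sign-on (SSO) page. Interoperability mode is off
    by default here: it additionally emits the older LtpaToken cookie, which is only
    needed for peers that cannot read LtpaToken2."""
    domain = domain.strip().lower()
    while domain.startswith('.'):
        domain = domain[1:]
    if domain.find('.') < 0:
        # a single label such as "by" is a public suffix; browsers drop such cookies
        raise ValueError('SSO domain must contain at least one dot: %s' % domain)

    def flag(b):
        return b and 'true' or 'false'
    return ('[-enable true -requiresSSL %s -domainName %s -interoperable %s '
            '-attributePropagation %s]' % (flag(requires_ssl), domain,
                                            flag(interoperable), flag(attribute_propagation)))


def ltpa_key_args(key_file, password):
    """Argument string shared by AdminTask.exportLTPAKeys and importLTPAKeys. The
    password encrypts the key file, so reject short ones; spaces would break
    wsadmin's argument parsing."""
    if len(password) < 12:
        raise ValueError('LTPA key password must be at least 12 characters')
    if key_file.find(' ') >= 0 or password.find(' ') >= 0:
        raise ValueError('key file path and password must not contain spaces')
    return '[-ltpaKeyFile file:%s -password %s]' % (key_file, password)


def run(action, target, admin_task, admin_config, password=None):
    """Perform one task and return the (command, arguments) pair used. With
    admin_task=None this is a dry run that only builds the arguments."""
    if action == 'configure':
        cmd, args = 'configureSingleSignon', sso_args(target)
    elif action in ('export', 'import'):
        cmd, args = action + 'LTPAKeys', ltpa_key_args(target, password)
    else:
        raise ValueError('action must be one of %s' % (ACTIONS,))
    if admin_task is not None:
        getattr(admin_task, cmd)(args)
        admin_config.save()  # the console's "Save to the master configuration"
    return cmd, args


def main(argv):
    # wsadmin passes script parameters in sys.argv, in some versions without the
    # script name first, so locate the action by name rather than by position.
    idx = -1
    for i in range(len(argv)):
        if argv[i] in ACTIONS:
            idx = i
            break
    if idx < 0 or len(argv) < idx + 2:
        sys.stderr.write('usage: sso_ltpa.py configure <sso-domain> | '
                         'export <key-file> | import <key-file>\n')
        return 2
    action, target = argv[idx], argv[idx + 1]
    password = None
    if action != 'configure':
        # prompt rather than take the password as an argument: arguments end up in
        # shell history and wsadmin traces, and so would the key file's password
        import getpass
        password = getpass.getpass('LTPA key file password: ')
    cmd, args = run(action, target, AdminTask, AdminConfig, password)
    if action == 'configure':
        print('%s %s saved' % (cmd, args))
    else:
        print('%s done; key file %s (password not shown)' % (cmd, target))
    if action == 'import':
        print('Delete the key file copy now; restart every server after the last import.')
    return 0


try:
    AdminTask, AdminConfig   # defined only inside wsadmin
except NameError:
    pass                     # imported outside wsadmin (for example by a test): do nothing
else:
    main(sys.argv)
```

The script deliberately saves after every step and never restarts anything: a restart from inside wsadmin would tear down the session you are scripting, and the guide's ordering (import everywhere first, restart last) is what keeps the servers from running with mismatched keys in between.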

  4. Verifying single sign-on

    You have successfully established SSO between multiple instances of WebSphere Application Server when you can log in to one administration console and then open the other administration consoles without being asked to log in again. Use the same administrative user on all consoles and reach them through hostnames under the configured SSO domain over HTTPS; otherwise the browser does not send the LTPA cookie and the test fails for reasons unrelated to the key exchange.

    To verify SSO, do the following:

    1. Log in to the WebSphere Application Server administration console where you exported the LTPA key.

    2. In your browser's address bar, enter the URL for the WebSphere Application Server administration console where you imported the LTPA key.

    If the WebSphere Application Server administration console opens without requiring you to log in, you have successfully set up SSO. If it prompts for credentials, check in your browser's cookie store that an LtpaToken2 cookie exists with the SSO domain as its Domain attribute and that the second console's hostname falls under that domain, then check that the server clocks agree and look in the second server's SystemOut.log for LTPA token validation errors.
