FileNet P8 Workplace XT, Version 1.1.5       Application server:  WebLogic Application Server     

Editing web.xml for SSO (WebLogic)

If you plan to use Workplace XT in an SSO environment, you must edit the web.xml file to create the appropriate settings.

SSO in an IBM® Tivoli® Access Manager environment might require additional configuration. For more details, see your IBM product documentation.

For more detail regarding configuring SSO for Workplace XT refer to the following technote:

To edit web.xml for SSO:

  1. Make a backup copy of web.xml.

    The file is in the following path: install_path/IBM/FileNet/WebClient/WorkplaceXT/WEB-INF/web.xml

  2. Edit web.xml.
  3. Set the parameter perimeterChallengeMode to true, as in:
    <init-param>
    <param-name>perimeterChallengeMode</param-name>
    <param-value>true</param-value>
    </init-param>
  4. As needed, set the ssoProxyContextPath, ssoProxyHost, ssoProxyPort, and ssoProxySSLPort. These parameter values are used to modify one or more elements of the native URL that Workplace XT sees on a request. Wherever the value of an SSO proxy host element in the URL request is different from the equivalent information for the host where Workplace XT is deployed, then you must set the corresponding sso* parameter for that element in the URL to the value for the SSO proxy host. The default settings are:
    <init-param> 
    <param-name>ssoProxyContextPath</param-name>
    <param-value></param-value>
    </init-param>
    <init-param>
    <param-name>ssoProxyHost</param-name>
    <param-value></param-value>
    </init-param>
    <init-param>
    <param-name>ssoProxyPort</param-name>
    <param-value></param-value>
    </init-param> 
    <init-param>
    <param-name>ssoProxySSLPort</param-name>
    <param-value></param-value>
    </init-param>
    In general, the init parameters above should be configured as follows:
    • ssoProxyContextPath: Set the value to the context path of the SSO proxy host URL. This is the path portion of the URL that appears after the server name, and which represents top-level access to the Workplace XT application. For example, if the Workplace XT deploy host URL is
      http://deploy_server:7001/WorkplaceXT
      and the SSO proxy host URL is
      http://sso_proxy_server.domain.com/WorkplaceXT
      then use the following value:
      <param-name>ssoProxyContextPath</param-name>
      <param-value></param-value>
    • ssoProxyHost: Set the value to the SSO proxy host server name. Typically, this will be a full domain-qualified hostname. For example, if the host URL where Workplace XT is deployed is
      http://deploy_server/WorkplaceXT
      and the corresponding SSO proxy host URL is
      http://sso_proxy_server/WorkplaceXT
      then use the following value:
      <param-name>  ssoProxyHost  </param-name>
      <param-value>sso_proxy_server</param-value>
    • ssoProxyPort: Set the value to the HTTP port on the SSO proxy host. For example:
      <param-name>ssoProxyPort</param-name>
      <param-value>80</param-value>
    • ssoProxySSLPort: Set the value to the HTTPS port on the SSO proxy host, if it is defined or used to access Workplace XT pages. For example:
      <param-name>ssoProxySSLPort</param-name>
      ram-value>443</param-value>
  5. (For SSO with Kerberos only ) In the exclude list of the AE PreprocessorFilter section, remove the following entries:
    /integrationCommand*
    /transport*
    /bootstraptransport
    as shown in the following sample exclude list:
    <filter>
    <filter-name>AE PreprocessorFilter</filter-name>
    <filter-class>
    com.filenet.ae.toolkit.server.servlet.filter.PreprocessorFilter
    </filter-class>
    <init-param>
    <param-name>challenge</param-name>
    <param-value>false</param-value>
    </init-param>
    <init-param>
    <param-name>exclude</param-name>
    <param-value>
    /css/*,
    /download/*,
    /FnJavaV1Files/*,
    /images/*,
    /js/*,
    /scripts/*,
    /Samples*,
    /Source*,
    /UI-INF/*,
    /integrationCommand*,
    /integrationResponse*,
    /transport*,
    /ContainerError.jsp,
    /ContainerLogin.jsp,
    /ContainerSignout.jsp,
    /ServerErrorDisplay.jsp,
    /containerSecured/*,
    /WcmError.jsp,
    /WcmSignIn.jsp,
    /GetUserToken.jsp,
    /GetTokenSignIn.jsp,
    /GetUserInformation.jsp,
    /axis,
    /axis/services/*,
    /servlet/AdminServlet,
    /setCredentials,
    /SOAPMonitor,
    /webdav*,
    /P8BPMWSBroker/*,
    *j_security_check*,
    /bootstraptransport,
    /pingSession,
    /unitTests*,
    /NoContent.jsf,
    /ServerErrorDisplay.jsf,
    /LoadJSResources.jsf,
    /SessionError.jsf
    </param-value>
    </init-param>
    </filter>
  6. (For SSO with Kerberos only) In the security-constraint section, add the following URL patterns:
    <url-pattern>/integrationCommand</url-pattern>
    <url-pattern>/transport</url-pattern>
    <url-pattern>/bootstraptransport</url-pattern>
    <url-pattern>/getContent</url-pattern>
    as shown in the following sample:
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>action</web-resource-name>
    <description>Define the container secured resource</description>
    <url-pattern>/containerSecured/*</url-pattern>
    <url-pattern>/integrationCommand</url-pattern>
    <url-pattern>/transport</url-pattern>
    <url-pattern>/bootstraptransport</url-pattern>
    <url-pattern>/getContent</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
    <description>User data constraints</description>
    <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
  7. Save your changes to web.xml and close the file.


Feedback

Last updated: March 2013
wxtip024.htm

© Copyright IBM Corporation 2013.
This information center is powered by Eclipse technology. (http://www.eclipse.org)