WebSphere Application Server - Express, Version 6.0.x     Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

Configuring single signon using the trust association interceptor

Before you begin

The following steps are required when setting up security for the first time. Ensure that Lightweight Third Party Authentication (LTPA) is the active authentication mechanism:
  1. From the WebSphere Application Server console click Security > Global security.
  2. Ensure that the Active authentication mechanism field is set to Lightweight Third Party Authentication (LTPA). If not, set it and save your changes.

Why and when to perform this task

This task is performed to enable single signon using the trust association interceptor. The steps involve setting up trust association and creating the interceptor properties.

Steps for this task

  1. From the WebSphere Application Server console, click Security > Global security.
  2. Under Authentication mechanisms, click LTPA.
  3. Under Additional properties, click Trust association.
  4. Select the Enable trust association option.
  5. Under Additional properties, click the Interceptors link.
  6. Click com.ibm.ws.security.web.WebSealTrustAssociationInterceptor to use the WebSEAL interceptor. This interceptor is the default.
  7. Under Additional properties, click Custom Properties.
  8. Click New to enter the property name and value pairs. Ensure the following parameters are set:
    Table 1.

    Option: com.ibm.websphere.security.trustassociation.types
    Description: Ensure that webseal is listed.

    Option: com.ibm.websphere.security.webseal.loginId
    Description: The WebSEAL trusted user, as created in Creating a trusted user account in Tivoli Access Manager. The user name is given in its short name representation. This property is mandatory: if it is not set in WebSphere Application Server, TAI initialization fails.

    Option: com.ibm.websphere.security.webseal.id
    Description: The header that carries the authenticated user name, iv-user, that is, com.ibm.websphere.security.webseal.id=iv-user

    Option: com.ibm.websphere.security.webseal.hostnames
    Description: Do not set this property if you are using the Tivoli Access Manager plug-in for Web servers. The host names listed here (case sensitive) are trusted and are expected in the request header.

    For example: com.ibm.websphere.security.webseal.hostnames=host1

    This list includes the proxy host names unless com.ibm.websphere.security.webseal.ignoreProxy is set to true. Obtain the list of servers with the pdadmin server list command.

    Option: com.ibm.websphere.security.webseal.ports
    Description: Do not set this property if you are using the Tivoli Access Manager plug-in for Web servers. The port numbers corresponding to the trusted host names, which are expected in the request header. This list includes the proxy ports unless com.ibm.websphere.security.webseal.ignoreProxy is set to true. For example: com.ibm.websphere.security.webseal.ports=80,443

    Option: com.ibm.websphere.security.webseal.ignoreProxy
    Description: An optional property. If it is set to true or yes, the proxy host names and ports in the IV header are ignored. By default this property is set to false.
  9. Click OK.
  10. Save the configuration and log out.
  11. Restart WebSphere Application Server.
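The following script is an added example and is not IBM code or part of this task. It checks a set of property name and value pairs, as they would be entered under Custom Properties in step 8, against the rules stated in Table 1: webseal must be listed in trustassociation.types, loginId is mandatory and must be a short name, webseal.id names the iv-user header, hostnames and ports must not be set when the Tivoli Access Manager plug-in for Web servers is used, ports must be valid, and ignoreProxy accepts true or yes. The property sets at the bottom are constructed for illustration (the loginId value websealuser is a made-up short name; host1 and 80,443 are the examples from Table 1), and the check that a login ID containing "=" or "," is a distinguished name rather than a short name is a heuristic assumption, not a rule from the page. Host name matching is exact and case sensitive, as Table 1 states.

```python
"""Lint WebSEAL trust association interceptor custom properties (Table 1).

Added example, not IBM code. Property names are the ones listed in Table 1;
the sample property sets near the end are constructed for illustration.
"""

PREFIX = "com.ibm.websphere.security."
TYPES = PREFIX + "trustassociation.types"
LOGIN_ID = PREFIX + "webseal.loginId"
HEADER_ID = PREFIX + "webseal.id"
HOSTNAMES = PREFIX + "webseal.hostnames"
PORTS = PREFIX + "webseal.ports"
IGNORE_PROXY = PREFIX + "webseal.ignoreProxy"


def _csv(props, key):
    """Split a comma-separated property value into non-empty, stripped items."""
    return [item.strip() for item in props.get(key, "").split(",") if item.strip()]


def ignores_proxy(props):
    """ignoreProxy is optional; only true or yes enable it (default false)."""
    return props.get(IGNORE_PROXY, "false").strip().lower() in ("true", "yes")


def is_trusted_host(props, host_from_header):
    """Exact, case-sensitive match against webseal.hostnames, per Table 1."""
    return host_from_header in _csv(props, HOSTNAMES)


def lint_tai_properties(props, using_plugin=False):
    """Return a list of problems with a dict of TAI custom properties.

    using_plugin: True when the Tivoli Access Manager plug-in for Web servers
    fronts WebSphere; Table 1 says hostnames and ports must then not be set.
    """
    problems = []

    # trustassociation.types must list webseal.
    if "webseal" not in _csv(props, TYPES):
        problems.append(f"{TYPES}: 'webseal' is not listed")

    # loginId is mandatory; without it TAI initialization fails.
    login_id = props.get(LOGIN_ID, "").strip()
    if not login_id:
        problems.append(f"{LOGIN_ID}: missing; TAI initialization will fail")
    elif "=" in login_id or "," in login_id:
        # Heuristic (assumption): a DN-shaped value is not the short name.
        problems.append(f"{LOGIN_ID}: expected a short name, got {login_id!r}")

    # webseal.id names the header carrying the authenticated user.
    if props.get(HEADER_ID, "").strip() != "iv-user":
        problems.append(f"{HEADER_ID}: expected 'iv-user'")

    hosts = _csv(props, HOSTNAMES)
    ports = _csv(props, PORTS)
    if using_plugin:
        # Neither property may be set with the plug-in for Web servers.
        for name, values in ((HOSTNAMES, hosts), (PORTS, ports)):
            if values:
                problems.append(f"{name}: must not be set with the TAM plug-in")
    else:
        if not hosts:
            problems.append(f"{HOSTNAMES}: no trusted WebSEAL host names set")
        for port in ports:
            if not port.isdigit() or not 0 < int(port) < 65536:
                problems.append(f"{PORTS}: {port!r} is not a valid port number")

    # ignoreProxy: Table 1 names true, yes and the default false.
    ignore = props.get(IGNORE_PROXY, "false").strip().lower()
    if ignore not in ("true", "yes", "false"):
        problems.append(f"{IGNORE_PROXY}: {ignore!r} is not true, yes or false")

    return problems


# Constructed sample property sets (websealuser is a made-up short name).
GOOD_WEBSEAL = {
    TYPES: "webseal",
    LOGIN_ID: "websealuser",
    HEADER_ID: "iv-user",
    HOSTNAMES: "host1",
    PORTS: "80,443",
}

# Missing loginId, an out-of-range port, and an unrecognised ignoreProxy value.
BAD_WEBSEAL = {
    TYPES: "webseal",
    HEADER_ID: "iv-user",
    HOSTNAMES: "host1",
    PORTS: "80,443,99999",
    IGNORE_PROXY: "maybe",
}

if __name__ == "__main__":
    for label, props in (("good", GOOD_WEBSEAL), ("bad", BAD_WEBSEAL)):
        print(label, lint_tai_properties(props) or "OK")
    # The same WebSEAL settings are wrong once the plug-in is in front.
    print("plug-in", lint_tai_properties(GOOD_WEBSEAL, using_plugin=True))
```

Run it after exporting the custom property pairs into a dict; an empty list means every rule from Table 1 is satisfied for the chosen deployment (WebSEAL or plug-in).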
Related concepts
Single signon using WebSEAL or the Tivoli Access Manager plug-in for Web servers
Trust associations

Related tasks
Creating a trusted user account in Tivoli Access Manager
Configuring trust association interceptors

Related reference
Trust association interceptor support for Subject creation


Last updated: Jun 8, 2005 12:45:23 PM EDT
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_sso_ws_step4_sso_using_TAI_for_WAS.html

© Copyright IBM Corporation 2004, 2005. All Rights Reserved.