
5.8.1: Configuring SSO for WebSphere Application Server

To use SSO between WebSphere Application Server and Domino or between two WebSphere application servers, you must first configure SSO for WebSphere Application Server. SSO for WebSphere Application Server allows authentication information to be shared across multiple WebSphere Application Server administrative domains and with Domino servers.

To provide SSO to WebSphere application servers in more than one WebSphere Application Server administrative domain, you must configure each of the administrative domains to use the same DNS domain, the same user registry (LDAP or a custom registry), and a common set of LTPA keys, as described in the sections below.


Note   This section assumes that you have already installed WebSphere Application Server and configured one or more application servers in one or more WebSphere Application Server administrative domains.

Note   This section assumes that you are using LDAP as the user registry. The SSO setup is the same, regardless of the use of an LDAP registry or a custom registry. The difference is in the configuration of the registry itself. For more information on custom registries, see 5.2: Introduction to custom registries.

Before attempting to configure SSO for WebSphere Application Server, you can verify the accessibility of WebSphere Application Server by doing the following:

  • Verify that the application servers are configured correctly by using a Web browser to access application resources.
  • Verify the LDAP directory you are going to use is available and configured with at least one user. Configuring SSO for WebSphere Application Server requires access to the LDAP directory. You can use the Domino Directory or another LDAP directory.

Modify WebSphere Application Server security settings

SSO configuration is included as part of the overall security configuration of a WebSphere Application Server administrative domain.

  1. Start the WebSphere administrative server for the administrative domain.
  2. Start the WebSphere administrative console.
  3. On the administrative console, select Security Center from the console menu.
  4. Select the General tab if it is not already selected. On this panel,
    1. Enable WebSphere Application Server security by checking the Enable Security check box.
    2. Verify that the Security Cache Timeout field is set to a reasonable value for your application. When the timeout is reached, WebSphere Application Server clears the security cache and rebuilds the security data. If the value is set too low, the extra processing overhead (repeated registry lookups) can be unacceptable. If the value is set too high, you create a security risk: changes in the registry, such as a disabled account or a changed group membership, are not seen by the server until the cached data expires. The default value is 600 seconds.
  5. Click the Authentication tab. In this window:
    1. Set the Authentication Mechanism field to Lightweight Third Party Authentication (LTPA). LTPA is the mechanism used with an LDAP directory (or custom registry) as the user registry, and it is the only mechanism that supports SSO.
    2. Check the Enable Single Sign On (SSO) box. With SSO enabled, the LTPA token is placed in an HTTP cookie (LtpaToken) that the browser presents to every server in the configured domain, so a user authenticated by one server is not prompted again by the others.
    3. Set the Domain field to the domain portion of your fully qualified DNS name for the system running your WebSphere Application Server administrative domain. For example, if your system's host name is myhost.mycompany.com, type mycompany.com in this field. Every server that participates in SSO must be in this DNS domain, because the browser sends the cookie only to hosts within it. Choose the narrowest domain that covers the participating servers: any host in the domain receives the user's token.
    Before closing this window, you also need to configure the LTPA keys to be used by the administrative domain that you are configuring. You must perform one of the following steps, based on the number of administrative domains you are configuring:
    • If you are configuring the first or only WebSphere Application Server administrative domain, generate the LTPA keys as follows:
      1. Click Generate Keys to generate keys for LTPA.
      2. When prompted, type the LTPA password to be associated with these LTPA keys. Then click OK to save the LTPA keys. You must use this password when importing these keys into other WebSphere Application Server administrative-domain configurations (if any) and when configuring SSO for Domino.
    • If you are configuring an additional WebSphere Application Server administrative domain, you must import the LTPA keys used during the configuration of the first administrative domain. Import the LTPA keys as follows:
      1. Click Import From File to import the LTPA keys from a file.
      2. When prompted, select the file that was generated previously during the configuration of the initial administrative domain.
      3. Click Open.
      4. When prompted, type the LTPA password you set when initially generating the keys. Then click OK to import the keys.
  6. Click the LDAP button. (If you are using a custom registry, click the Custom User Registry button instead. This discussion assumes the use of an LDAP user registry.)
  7. Fill in the LDAP fields as follows:
    • Security Server ID: The user ID of the administrator for the WebSphere administrative domain.
      Use the short name or user ID for a user already defined in the LDAP directory. Do not specify a Distinguished Name by using cn= or uid= before the value. This field is not case sensitive.
      When you start the WebSphere Application Server administrative console, you are prompted to log in with an administrative account. You must enter exactly the same value that you specify in this field.
    • Security Server Password: The password corresponding to the Security Server ID field. This field is case sensitive.
    • Directory Type: The type of LDAP server you are using. For example, you can select SecureWay for IBM SecureWay LDAP Directory or Domino 5.0 for Domino R5.05 from the list.
    • Host: The fully qualified DNS name of the machine on which the LDAP directory runs, for example myhost.mycompany.com.
    • Port: The port on which the LDAP directory server listens. By default, an LDAP directory server using an unsecured connection listens on port 389. If your server meets this description, you can leave this field blank. Note that over an unsecured connection the bind credentials, and the passwords of users authenticating through WebSphere Application Server, travel to the LDAP server in clear text; keep such traffic on a protected network segment.
    • Base Distinguished Name: The Distinguished Name (DN) of the directory in which searches begin within the LDAP directory. For example, for a user with a DN of cn=John Doe, ou=Rochester, o=IBM, c=US and a base suffix of c=US, the base DN can be specified as any of:
      • ou=Rochester, o=IBM, c=us
      • o=IBM, c=us
      • c=us
      This field is not case sensitive.
      Note   This field is required for all LDAP directories except the Domino Directory. If you are using the Domino Directory and you specify a Base Distinguished Name, you will not be able to grant permissions to individual Web users for resources managed by your WebSphere application server.
    • Bind Distinguished Name: The DN of the user who is capable of performing searches on the directory. In most cases, this field is not required; typically, all users are authorized to search an LDAP directory. However, if the LDAP directory contents are restricted to certain users, you need to specify the DN of an authorized user, for example, an administrator, cn=administrator.
    • Bind Password: The password corresponding to the Bind Distinguished Name field. This value is required only if you specified a value for the Bind Distinguished Name field. This field is case sensitive.
  8. Click Finish to save the security settings.
  9. Click OK to acknowledge the information dialog box that warns that changes do not take effect until the administrative server is restarted.
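The Security Server ID and Base Distinguished Name fields above are easy to get subtly wrong: the ID must be a short name (not cn=... or uid=...), it is matched without regard to case, and it must resolve to exactly one entry below the base DN. The following Python model of that lookup is an added example, not IBM code and not the registry implementation itself; the directory entries are constructed for illustration, and the naive DN parsing (splitting on commas) does not handle escaped commas in RDN values.

```python
"""Model of how the LDAP registry fields interact: Security Server ID,
Base Distinguished Name, and case-insensitive matching.
Added example; the directory below is constructed, not real data."""

# Constructed sample directory: DN -> attributes (assumption for illustration).
DIRECTORY = {
    "cn=John Doe,ou=Rochester,o=IBM,c=US": {"uid": "jdoe"},
    "cn=WAS Admin,ou=Rochester,o=IBM,c=US": {"uid": "wasadmin"},
    "cn=Jane Roe,ou=Austin,o=IBM,c=US": {"uid": "jroe"},
}


def normalize_dn(dn):
    """Split a DN into (type, value) RDN pairs, lower-casing both and dropping
    the optional whitespace after commas, so that
    'cn=John Doe, ou=Rochester, o=IBM, c=US' and 'cn=john doe,ou=rochester,o=ibm,c=us'
    compare equal.  Naive: does not handle escaped commas inside values."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def under_base_dn(entry_dn, base_dn):
    """True if entry_dn is at or below base_dn, i.e. base_dn's RDN sequence is a
    suffix of entry_dn's.  An empty base DN matches everything (the Domino
    Directory case, where the field is left blank)."""
    entry = normalize_dn(entry_dn)
    base = normalize_dn(base_dn) if base_dn.strip() else []
    if len(base) > len(entry):
        return False
    return base == entry[len(entry) - len(base):]


def resolve_security_server_id(server_id, base_dn, directory=DIRECTORY):
    """Resolve the Security Server ID (a short name) to exactly one entry under
    base_dn, matching uid or cn case-insensitively.  Rejects a value written as
    a DN fragment ('uid=...', 'cn=...'), and raises ValueError when no entry or
    more than one entry matches, since the server could not log in with it."""
    if "=" in server_id:
        raise ValueError("Security Server ID must be a short name, not a DN")
    wanted = server_id.lower()
    matches = []
    for dn, attrs in directory.items():
        if not under_base_dn(dn, base_dn):
            continue  # outside the search base: invisible to the registry
        cn_value = normalize_dn(dn)[0][1]
        if wanted in (attrs.get("uid", "").lower(), cn_value):
            matches.append(dn)
    if not matches:
        raise ValueError(f"no entry for {server_id!r} under {base_dn!r}")
    if len(matches) > 1:
        raise ValueError(f"ambiguous Security Server ID {server_id!r}: {matches}")
    return matches[0]


if __name__ == "__main__":
    print(resolve_security_server_id("WASADMIN", "o=IBM, c=us"))
```

The same entry resolves whether the base DN is o=IBM,c=US or c=US, as the page states; with a base of ou=Austin,o=IBM,c=US the administrator entry under ou=Rochester is not visible and the console login would fail, which is the first thing to check when the post-restart login in step 9 of the next section is rejected.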

Stop and restart the administrative server

Whenever changes are made to the global security settings, the WebSphere Application Server administrative server must be stopped and restarted for the changes to take effect.

  1. On the administrative console, expand the Nodes icon.
  2. Click the node representing your administrative server.
  3. Expand the Application Servers icon within your administrative server.
  4. Click the Default Server icon or the icon for the appropriate application server.
  5. Click either Stop or Force Stop, and wait for the server to stop.
  6. Right-click the node representing the administrative server, and select Stop.
  7. Click Yes on the confirmation dialog box.
  8. Monitor the administrative server task (or job) to ensure that the server stops. Then restart the administrative server, monitoring the server task (or job) to determine when the server is running. As you watch the server job, notice that it starts, stops, and then starts again. This is normal behavior after global security settings have been changed.
  9. Start the administrative console. Specify the user ID and password by using exactly the same values that you specified for the Security Server ID and Security Server Password fields in the Global Security Settings wizard.

Export the LTPA keys to a file

To complete the security configuration for SSO, you need to export the LTPA keys to a file. This file is subsequently used during the configuration of additional administrative domains and during the configuration of SSO for Domino.

  1. Stop the WebSphere administrative domain to ensure that the security settings are stored in WebSphere Application Server's configuration files or repository.
  2. Start the administrative server for the domain.
  3. Start the administrative console.
  4. On the administrative console, select Security Center from the console menu.
  5. Select the Authentication tab.
  6. Click the Lightweight Third Party Authentication (LTPA) button.
  7. Click the Export To File tab to export the LTPA keys to a file.
  8. When prompted, specify the name and location of the file to contain the LTPA keys. You can use any file name and extension. Note the name and extension you specify; you must use this file when you configure SSO for any additional WebSphere Application Server administrative domains and for Domino. Treat the file as a secret: it is protected by the LTPA password, but anyone who holds both the file and the password can create LTPA tokens that every participating server accepts. Restrict access to it, transfer it over a protected channel, and remove working copies once the keys have been imported.
  9. Click Save to save the file.
  10. Click Cancel to close the wizard. (This procedure has not changed any global security setting, so there are no new settings to save.)

Authorize users

Before you can test the SSO configuration for WebSphere Application Server, you must grant users permissions to resources so that their access can be tested. These tasks are not specific to SSO configuration and are not covered in detail here. See The WebSphere authorization model for more information.

Verify the configuration of SSO for WebSphere

After configuring each administrative domain, restart the WebSphere administrative console and log onto each of the administrative domains to verify that the LTPA security settings are correct.

To verify the SSO configuration, attempt to configure at least one resource, such as the Hello servlet, to be protected by a WebSphere application server. Use the Role Mapping panel in the security center of the administrative console to authorize Web users to the resource.

The discussion in Verifying SSO between WebSphere and Domino assumes that SSO is being set up between WebSphere and Domino. If you are setting up SSO between two WebSphere application servers, the verification procedure can still be used if you replace the references to the Domino server with references to the second WebSphere application server. Be sure that the LTPA keys are being shared properly before running the test. The keys must be exported from one WebSphere Application Server domain and imported into the second domain so that the second domain can decrypt and validate the LTPA token issued by the first; with mismatched keys the second server rejects the cookie and prompts for credentials again.
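The verification above can be scripted instead of done by hand in a browser: log in to the first server, capture the LtpaToken cookie, confirm its Domain attribute covers the second server's host name, then replay the cookie to a protected resource on the second server and see whether it is served or whether a fresh login is demanded. The following Python script is an added example and not part of the InfoCenter; the URLs, the form-login field names (j_username and j_password, as in servlet-specification form login) and the sample Set-Cookie headers are assumptions or constructed test data.

```python
"""Replay an LtpaToken cookie from one WebSphere server to another.
Added example, not IBM code.  LOGIN_URL / TARGET_URL are constructed
placeholders; form-login field names are assumed."""
import urllib.error
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie

LTPA_COOKIE = "LtpaToken"  # cookie name WebSphere uses for the LTPA token
LOGIN_URL = "http://server1.mycompany.com/webapp/j_security_check"  # assumed
TARGET_URL = "http://server2.mycompany.com/servlet/hello"          # assumed


def parse_ltpa_cookie(set_cookie_values):
    """Find the LtpaToken in a list of Set-Cookie header values and return
    (value, domain, path); the domain is lower-cased with any leading dot
    removed.  Returns None when no token was issued (login failed, or SSO
    is not enabled on the issuing server)."""
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)
        morsel = jar.get(LTPA_COOKIE)
        if morsel is not None:
            domain = morsel["domain"].lower().lstrip(".")
            return morsel.value, domain, morsel["path"] or "/"
    return None


def cookie_covers_host(cookie_domain, host):
    """True if a cookie scoped to cookie_domain (the SSO Domain field, e.g.
    mycompany.com) will be sent by the browser to host.  An empty domain
    means the cookie is host-only and cannot be shared."""
    host = host.lower()
    if not cookie_domain:
        return False
    return host == cookie_domain or host.endswith("." + cookie_domain)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so we see the raw response,
    including the 302 that WebSphere sends after a form login."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def verify_sso(login_url, user, password, target_url):
    """Log in to server A, replay its LtpaToken to server B, and return the
    HTTP status server B answers with: 200 means the token was accepted
    (keys and domain shared); 302 to a login page or 401 means it was not."""
    opener = urllib.request.build_opener(_NoRedirect)
    form = urllib.parse.urlencode(
        {"j_username": user, "j_password": password}).encode()
    try:
        resp = opener.open(login_url, data=form)
    except urllib.error.HTTPError as err:
        resp = err  # 302 after a successful form login lands here
    token = parse_ltpa_cookie(resp.headers.get_all("Set-Cookie") or [])
    if token is None:
        raise RuntimeError("server A issued no LtpaToken: check credentials "
                           "and the Enable Single Sign On setting")
    value, domain, _path = token
    target_host = urllib.parse.urlsplit(target_url).hostname or ""
    if not cookie_covers_host(domain, target_host):
        raise RuntimeError(f"cookie domain {domain!r} does not cover "
                           f"{target_host}: the Domain fields differ")
    req = urllib.request.Request(
        target_url, headers={"Cookie": f"{LTPA_COOKIE}={value}"})
    try:
        return opener.open(req).getcode()
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    print(verify_sso(LOGIN_URL, "jdoe", "secret", TARGET_URL))
```

A 200 from the second server with only the replayed cookie is the positive result. A redirect back to a login form, or a 401, points at one of three causes, in the order worth checking: the second domain imported a different LTPA key file (or a stale one exported before the settings were saved), the Domain fields of the two domains differ, or the two domains point at different user registries so the identity in the token is unknown to the second server.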

Go to previous article: Single Sign-On Go to next article: Configuring SSO for Lotus Domino