5.8.1: Configuring SSO for WebSphere Application Server
To use SSO between WebSphere Application Server and Domino or between
two WebSphere application servers, you must
first configure SSO for WebSphere Application Server. SSO for WebSphere
Application Server allows authentication information to be shared across
multiple WebSphere Application Server administrative domains and with
Domino servers.
To provide SSO to WebSphere application servers in more than one WebSphere
Application Server administrative domain, you must configure each of the
administrative domains to use the same DNS domain, user registry (using LDAP
or a custom registry), and a common set of LTPA keys, as described in the detailed sections below.
This section assumes that you have already installed WebSphere
Application Server and configured one or more application servers
in one or more WebSphere Application Server administrative domains.
This section assumes that you are using LDAP as the user registry.
The SSO setup is the same, regardless of the use of an LDAP
registry or a custom registry. The difference is in the
configuration of the registry itself.
For more information on custom registries, see
5.2: Introduction to custom registries.
Before attempting to configure SSO for WebSphere Application Server, you
can verify the accessibility of WebSphere Application Server by doing the
following:
- Verify that the application servers are configured correctly
by using a Web browser to access application resources.
- Verify the LDAP directory you are going to use is available and
configured with at least one user. Configuring SSO for WebSphere
Application Server requires access to the LDAP directory.
You can use the Domino Directory or another LDAP directory.
SSO configuration is included as part of the overall security configuration
of a WebSphere Application Server administrative domain.
- Start the WebSphere administrative server for the administrative
domain.
- Start the WebSphere administrative console.
- On the administrative console, select Security Center
from the console menu.
- Select the General tab if it is not already selected. On this panel:
  - Enable WebSphere Application Server security by checking the
    Enable Security check box.
  - Verify that the Security Cache Timeout field is set to a reasonable
    value for your application. When the timeout is reached, WebSphere
    Application Server clears the security cache and rebuilds the security
    data. If the value is set too low, the extra processing overhead can be
    unacceptable. If the value is set too high, you create a security risk
    by caching security data for a long period of time. The default value
    is 600 seconds.
- Click the Authentication tab. In this window:
  - Set the Authentication Mechanism field to
    Lightweight Third Party Authentication (LTPA),
    to use an LDAP directory as the user registry.
  - Check the Enable Single Sign On (SSO) box to enable SSO and
    authentication information to be placed in HTTP cookies.
  - Set the Domain field to the domain portion of your fully qualified
    DNS name for the system running your WebSphere Application Server
    administrative domain. For example, if your system's host name is
    myhost.mycompany.com, type mycompany.com in this field.
Before closing this window, you also need to configure the LTPA keys
to be used by the administrative domain that you are configuring. You
must perform one of the following steps, based on the number of
administrative domains you are configuring:
- If you are configuring the first or only WebSphere Application Server
  administrative domain, generate the LTPA keys as follows:
  - Click Generate Keys to generate keys for LTPA.
  - When prompted, type the LTPA password to be associated with these
    LTPA keys. Then click OK to save the LTPA keys. You must use this
    password when importing these keys into other WebSphere Application
    Server administrative-domain configurations (if any) and when
    configuring SSO for Domino.
- If you are configuring an additional WebSphere Application Server
  administrative domain, you must import the LTPA keys used during the
  configuration of the first administrative domain. Import the LTPA keys
  as follows:
  - Click Import From File to import the LTPA keys from a file.
  - When prompted, select the file that was generated previously during
    the configuration of the initial administrative domain.
  - Click Open.
  - When prompted, type the LTPA password you set when initially
    generating the keys. Then click OK to import the keys.
- Click the LDAP button. (If you are using a custom
registry, click the Custom User Registry button instead.
This discussion assumes the use of an LDAP user registry.)
- Fill in the LDAP fields as follows:
  - Security Server ID: The user ID of the administrator for the WebSphere
    administrative domain. Use the short name or user ID for a user already
    defined in the LDAP directory. Do not specify a Distinguished Name by
    using cn= or uid= before the value. This field is not case sensitive.
    When you start the WebSphere Application Server administrative console,
    you are prompted to log in with an administrative account. You must
    enter exactly the same value that you specify in this field.
  - Security Server Password: The password corresponding to the Security
    Server ID field. This field is case sensitive.
  - Directory Type: The type of LDAP server you are using. For example, you
    can select SecureWay for IBM SecureWay LDAP Directory or Domino 5.0 for
    Domino R5.05 from the list.
  - Host: The fully qualified DNS name of the machine on which the LDAP
    directory runs, for example myhost.mycompany.com.
  - Port: The port on which the LDAP directory server listens. By default,
    an LDAP directory server using an unsecured connection listens on port
    389. If your server meets this description, you can leave this field
    blank.
  - Base Distinguished Name: The Distinguished Name (DN) of the directory
    in which searches begin within the LDAP directory. For example, for a
    user with a DN of cn=John Doe, ou=Rochester, o=IBM, c=US and a base
    suffix of c=US, the base DN can be specified as any of:
      ou=Rochester, o=IBM, c=us
      o=IBM, c=us
      c=us
    This field is not case sensitive.
    This field is required for all LDAP directories except the Domino
    Directory. If you are using the Domino Directory and you specify a
    Base Distinguished Name, you will not be able to grant permissions to
    individual Web users for resources managed by your WebSphere
    application server.
  - Bind Distinguished Name: The DN of the user who is capable of
    performing searches on the directory. In most cases, this field is not
    required; typically, all users are authorized to search an LDAP
    directory. However, if the LDAP directory contents are restricted to
    certain users, you need to specify the DN of an authorized user, for
    example, an administrator, cn=administrator.
  - Bind Password: The password corresponding to the Bind Distinguished
    Name field. This value is required only if you specified a value for
    the Bind Distinguished Name field. This field is case sensitive.
- Click Finish to save the security settings.
- Click OK to acknowledge the information dialog box
that warns that changes do not take effect until the
administrative server is restarted.
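As an added example (not from the InfoCenter or IBM), a small Python pre-flight check that encodes the field rules above: the SSO Domain must be a DNS domain shared by every participating host, the Security Server ID is a short name rather than a DN, and a Base Distinguished Name must be a suffix of the users' DNs (compared case-insensitively), with a flag for the Domino Directory case. The settings dictionary, its keys, and the host and user names are constructed assumptions.

```python
# Added pre-flight checker, not IBM code; dict keys and names are constructed.

def dn_components(dn):
    """DN -> normalized (attr, value) pairs; escaped commas not handled."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().lower(), value.strip().lower()))
    return parts

def is_valid_base_dn(user_dn, base_dn):
    """True if base_dn is a suffix of user_dn (field is case insensitive)."""
    user, base = dn_components(user_dn), dn_components(base_dn)
    return 0 < len(base) <= len(user) and user[-len(base):] == base

def sso_domain(hosts):
    """Longest DNS suffix shared by all hosts (minus each host's own label),
    or None if under two labels are shared: the LTPA cookie stays inside it."""
    suffixes = [h.lower().split(".")[1:] for h in hosts]
    common = []
    for labels in zip(*[reversed(s) for s in suffixes]):
        if len(set(labels)) != 1:
            break
        common.insert(0, labels[0])
    return ".".join(common) if len(common) >= 2 else None

def preflight(s):
    """Return the problems found in a dict of Security Center settings."""
    problems = []
    domain = sso_domain(s["hosts"])
    if domain is None:
        problems.append("participating hosts do not share a DNS domain")
    elif s["sso_domain"].lower().lstrip(".") != domain:
        problems.append(f"SSO Domain field should be {domain!r}")
    if "=" in s["security_server_id"]:  # page: no cn= or uid= prefix
        problems.append("Security Server ID must be a short name, not a DN")
    base = s.get("base_dn", "")
    if base and not is_valid_base_dn(s["sample_user_dn"], base):
        problems.append("Base DN is not a suffix of the sample user's DN")
    if base and s["directory_type"].lower().startswith("domino"):
        problems.append("Base DN set with Domino Directory: per-user grants fail")
    return problems

# Constructed sample using the page's myhost.mycompany.com / John Doe values.
EXAMPLE_SETTINGS = {
    "hosts": ["myhost.mycompany.com", "domino.mycompany.com"],
    "sso_domain": "mycompany.com", "security_server_id": "wasadmin",
    "directory_type": "SecureWay", "base_dn": "o=IBM, c=us",
    "sample_user_dn": "cn=John Doe, ou=Rochester, o=IBM, c=US",
}
```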
Whenever changes are made to the global security settings, the
WebSphere Application Server administrative server must be stopped
and restarted for the changes to take effect.
- On the administrative console, expand the Nodes icon.
- Click the node representing your administrative server.
- Expand the Application Servers icon within your administrative
server.
- Click the Default Server icon or the icon for the
appropriate application server.
- Click either Stop or Force Stop, and wait for the
server to stop.
- Right-click the node representing the administrative server,
and select Stop.
- Click Yes on the confirmation dialog box.
- Monitor the administrative server task (or job) to ensure that the
server stops. Then restart the administrative server, monitoring
the server task (or job) to determine when the server is running.
As you watch the server job, notice that it starts,
stops, and then starts again. This is normal behavior after
global security settings have been changed.
- Start the administrative console. Specify the user ID and password
by using exactly the same values that you specified for the
Security Server ID and Security Server Password fields
in the Global Security Settings wizard.
To complete the security configuration for SSO, you need to export the
LTPA keys to a file. This file is subsequently used during the
configuration of additional administrative domains and during the
configuration of SSO for Domino.
- Stop the WebSphere administrative domain to ensure that the
security settings are stored in WebSphere Application Server's
configuration files or repository.
- Start the administrative server for the domain.
- Start the administrative console.
- On the administrative console, select Security Center
from the console menu.
- Select the Authentication tab.
- Click the Lightweight Third Party Authentication (LTPA) button.
- Click the Export To File tab to export the LTPA keys to a file.
- When prompted, specify the name and location of the file
to contain the LTPA keys. You can use any file name and extension.
Note the name and extension you specify; you must use this file
when you configure SSO for any additional WebSphere Application
Server administrative domains and for Domino.
- Click Save to save the file.
- Click Cancel to close the wizard. (This procedure
has not changed any global security setting, so there are no
new settings to save.)
Before you can test the SSO configuration for WebSphere Application
Server, you must grant users permissions to resources so that their access can
be tested. These tasks are not specific to SSO configuration and are not
covered in detail here. See The WebSphere
authorization model for more information.
After configuring each administrative domain, restart the
WebSphere administrative console and log onto each of the
administrative domains to verify that the LTPA security settings
are correct.
To verify the SSO configuration, attempt to configure at least
one resource, such as the Hello servlet, to be protected by
a WebSphere application server. Use the Role Mapping panel in
the security center of the administrative console to authorize
Web users to the resource.
The discussion in Verifying SSO between
WebSphere and Domino assumes that SSO is being set up between
WebSphere and Domino. If you are setting up SSO between two
WebSphere application servers, the verification procedure can
still be used if you replace the references to the
Domino server with references to the second WebSphere application
server. Be sure that the LTPA keys are being shared properly
before running the test. The keys must be exported from one
WebSphere Application Server domain and imported into the
second domain so that the LTPA token can be decrypted.