Configuring single sign-on using the trust association interceptor

This task enables single sign-on (SSO) through the trust association interceptor (TAI). The steps enable trust association in the application server and define the interceptor properties that control which requests, and which asserted identities, the server trusts.

Before you begin

Lightweight Third Party Authentication (LTPA) is the default authentication mechanism for WebSphere Application Server and is the required authentication mechanism for all trust association interceptors, so confirm that it is configured and active before you configure the WebSealTrustAssociationInterceptor. You can configure LTPA by clicking Security > Secure administration, applications, and infrastructure > Authentication mechanisms and expiration.
Note: Enabling Web security single sign-on (SSO) is optional when you configure the WebSealTrustAssociationInterceptor. For more information, see Implementing single sign-on to minimize Web user authentications.
The following steps are required when setting up security for the first time. Ensure that Lightweight Third Party Authentication (LTPA) is the active authentication mechanism:
  1. From the WebSphere Application Server console click Security > Global security.
  2. Ensure that the Active authentication mechanism field is set to Lightweight Third Party Authentication (LTPA). If not, set it and save your changes.

To establish the trust association for the single sign-on, perform the following steps:

Procedure

  1. From the administrative console for WebSphere Application Server, click Security > Global security.
  2. Under Authentication mechanisms, click LTPA.
  3. Under Additional properties, click Trust association.
  4. Select the Enable trust association option.
  5. Under Additional properties, click the Interceptors link.
  6. Click com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus to use a WebSEAL interceptor. This interceptor is one of two WebSEAL interceptors supplied with the product; you select it by supplying its properties as described in the next step.
    Attention: WebSphere Application Server attempts to initialize both WebSEAL interceptors even if you supplied properties only for com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus. As a result, messages AWXRB0008E and SECJ0384E can appear during initialization, indicating that the interceptor you did not configure failed to initialize. This is normal processing and does not affect the initialization of the interceptor you selected. To suppress messages AWXRB0008E and SECJ0384E, delete the interceptor you do not want to use before initialization; you can add it back later if your environment changes.
  7. Under Additional properties, click Custom Properties.
  8. Click New to enter the property name and value pairs. Ensure the following parameters are set:
    Table 1. Trust association interceptor properties

    com.ibm.websphere.security.trustassociation.types
        Ensure that webseal is listed.

    com.ibm.websphere.security.webseal.loginId
        The WebSEAL trusted user as created in Creating a trusted user account in Tivoli Access Manager. Use the short name representation of the user name. This property is mandatory: if it is not set in WebSphere Application Server, TAI initialization fails.

    com.ibm.websphere.security.webseal.id
        The name of the request header that carries the user identity asserted by WebSEAL. Set it to the iv-user header:
        com.ibm.websphere.security.webseal.id=iv-user

    com.ibm.websphere.security.webseal.hostnames
        Do not set this property if you are using the Tivoli Access Manager plug-in for Web servers. The host names (case sensitive) that are trusted and expected in the request header; each host name that appears in the via header is compared against this list. For example:
        com.ibm.websphere.security.webseal.hostnames=host1
        Proxy host names in the via header are checked as well unless com.ibm.websphere.security.webseal.ignoreProxy is set to true. Obtain the list of WebSEAL servers with the pdadmin server list command.
        Note: The via header is part of the standard HTTP header set and records the servers that the request passed through.

    com.ibm.websphere.security.webseal.ports
        Do not set this property if you are using the Tivoli Access Manager plug-in for Web servers. The port numbers, corresponding to the host names, that are expected in the request header. Proxy ports are checked as well unless com.ibm.websphere.security.webseal.ignoreProxy is set to true. For example:
        com.ibm.websphere.security.webseal.ports=80,443

    com.ibm.websphere.security.webseal.ignoreProxy
        Optional. If set to true or yes, proxy host names and ports in the via header are ignored. The default is false. Setting it to true widens what is trusted, because an intermediate whose via entry is not in the hostnames and ports lists no longer causes the request to be rejected; enable it only when the proxies between WebSEAL and the application server are under your control.
  9. Click OK.
  10. Save the configuration and log out.
  11. Restart WebSphere Application Server.
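The following is an added example, not IBM's interceptor code, that models the trust checks the properties in Table 1 control: the trusted user (loginId) that WebSEAL must present, the case-sensitive comparison of every via hop against hostnames and ports, the relaxation that ignoreProxy introduces, and only then acceptance of the identity in the iv-user header. The property names are the real ones from the table; the trusted user webseal_tai, its password, the registry dictionary, the sample requests and the interpretation of ignoreProxy as "at least one via hop must match" are assumptions made for this illustration.

```python
import base64

# Added example: a model of the trust checks that the WebSEAL TAI properties
# control. Illustrative code, not IBM's interceptor implementation. Property
# names are the real ones from Table 1; the trusted user, registry and sample
# requests are constructed for this example.

CONFIG = {
    "com.ibm.websphere.security.webseal.loginId": "webseal_tai",   # constructed trusted user
    "com.ibm.websphere.security.webseal.id": "iv-user",
    "com.ibm.websphere.security.webseal.hostnames": "host1",
    "com.ibm.websphere.security.webseal.ports": "80,443",
    "com.ibm.websphere.security.webseal.ignoreProxy": "false",
}

# Constructed stand-in for the WebSphere user registry (user -> password).
REGISTRY = {"webseal_tai": "s3cret"}


def parse_via(via):
    """Split a Via header into (host, port) hops, e.g.
    '1.1 host1:443, 1.1 cache.example' -> [('host1', 443), ('cache.example', 80)].
    Assumption of this model: a received-by entry without a port means port 80."""
    hops = []
    for entry in via.split(","):
        parts = entry.split()
        if len(parts) < 2:        # malformed: protocol and received-by are required
            continue
        received_by = parts[1]
        if ":" in received_by:
            host, port = received_by.rsplit(":", 1)
            hops.append((host, int(port)))
        else:
            hops.append((received_by, 80))
    return hops


def basic_credentials(authorization):
    """Decode 'Basic base64(user:password)'; return (user, password) or None."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password


def evaluate(headers, config=CONFIG, registry=REGISTRY):
    """Return (True, asserted_user) if the request is trusted, else (False, reason).
    headers: dict of request headers; key lookup is case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    pfx = "com.ibm.websphere.security.webseal."

    # 1. WebSEAL must authenticate itself as the trusted user (loginId): the name
    #    must match exactly and the password is checked against the registry.
    creds = basic_credentials(h.get("authorization", ""))
    if creds is None:
        return False, "no basic credentials for the trusted user"
    user, password = creds
    if user != config[pfx + "loginId"] or registry.get(user) != password:
        return False, "trusted user check failed"

    # 2. Every via hop must be a listed host (case sensitive) on a listed port.
    #    With ignoreProxy=true this model requires only one matching hop, so
    #    unlisted proxies between WebSEAL and the server no longer cause rejection.
    trusted_hosts = {x.strip() for x in config[pfx + "hostnames"].split(",")}
    trusted_ports = {int(x) for x in config[pfx + "ports"].split(",")}
    hops = parse_via(h.get("via", ""))
    if not hops:
        return False, "no via header"
    matches = [host in trusted_hosts and port in trusted_ports for host, port in hops]
    ignore_proxy = config.get(pfx + "ignoreProxy", "false").lower() in ("true", "yes")
    if not (any(matches) if ignore_proxy else all(matches)):
        return False, "via header lists an untrusted host or port"

    # 3. Only now is the identity in the iv-user header accepted as authenticated.
    asserted = h.get(config[pfx + "id"])
    if not asserted:
        return False, "iv-user header missing"
    return True, asserted


def sample_request(via="1.1 host1:443", auth=True, iv_user="alice"):
    """Constructed request as WebSEAL would forward it to the application server."""
    headers = {"Via": via, "iv-user": iv_user}
    if auth:
        headers["Authorization"] = "Basic " + base64.b64encode(b"webseal_tai:s3cret").decode()
    return headers
```

The point the model makes visible is that the iv-user header is accepted on the strength of the loginId credentials and the via check alone; a client that can reach the application server without passing through WebSEAL, or that can satisfy those two checks, can assert any identity. Restrict network reachability of the server to WebSEAL in addition to setting these properties.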




Last updated: Aug 29, 2010 8:25:23 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-nd-zos&topic=tsec_step4_TAI_SSO
File name: tsec_sso_ws_step4_sso_using_TAI_for_WAS.html