<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Configure WebSphere Application Server V6.0 for OS/400 with Single sign-on" />
<meta name="abstract" content="This example is for users that are not familiar with the Web serving environment. It describes all the steps necessary to get iSeries Access for Web running in a WebSphere Application Server V6.0 for OS/400 environment with single sign-on (SSO) enabled. It also describes how to verify that the setup is working." />
<meta name="description" content="This example is for users that are not familiar with the Web serving environment. It describes all the steps necessary to get iSeries Access for Web running in a WebSphere Application Server V6.0 for OS/400 environment with single sign-on (SSO) enabled. It also describes how to verify that the setup is working." />
<meta name="DC.Relation" scheme="URI" content="rzammservxmpbeg.htm" />
<meta name="DC.Relation" scheme="URI" content="../clfinder/finder.htm" />
<meta name="DC.Relation" scheme="URI" content="rzammsso.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2003, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2003, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzammconfigapsrvsso" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Configure WebSphere Application Server V6.0 for OS/400 with
Single sign-on</title>
</head>
<body id="rzammconfigapsrvsso"><a name="rzammconfigapsrvsso"><!-- --></a>
<img src="./delta.gif" alt="Start of change" /><!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Configure WebSphere Application Server V6.0 for OS/400 with
Single sign-on</h1>
<div><p>This example is for users that are not familiar with the Web serving
environment. It describes all the steps necessary to get iSeries™ Access
for Web running in a WebSphere<sup>®</sup> Application Server V6.0 for OS/400<sup>®</sup> environment
with single sign-on (SSO) enabled. It also describes how to verify that the
setup is working. </p>
<div class="section"><p>When the configuration is completed, iSeries Access for Web uses the authenticated WebSphere user
identity to access i5/OS™ resources. iSeries Access for Web does not perform
additional prompting for an i5/OS user profile and password in this environment.</p>
<p><img src="./delta.gif" alt="Start of change" />This environment requires WebSphere global security to be enabled.
When enabled, users must provide WebSphere credentials when accessing
secured WebSphere resources.
Configuration options enable iSeries Access for Web to be deployed as a secured WebSphere application. WebSphere credentials
are required when accessing iSeries Access for Web functions in this environment.
In turn, iSeries Access
for Web uses Enterprise Identity Mapping (EIM) to map the authenticated WebSphere user
to an i5/OS user
profile. The mapped i5/OS user profile is used to authorize the user to i5/OS resources
using standard i5/OS object
level security.<img src="./deltaend.gif" alt="End of change" /></p>
Configuring your Web serving environment consists of these
steps: <ul><li>Configure the EIM environment. See the "<a href="rzammeimconfig.htm">Configure Enterprise Identity Mapping</a>"
topic for information about how to do this.</li>
<li>Start the IBM<sup>®</sup> Web
Administration for iSeries interface (also known as IBM HTTP Server
for iSeries).
See step <a href="#rzammconfigapsrvsso__was60ssostart">1</a>.</li>
<li>Create an HTTP web server and a WebSphere Application Server V6.0
for OS/400 Web
application server. See step <a href="#rzammconfigapsrvsso__was60ssocreate">2</a>.</li>
<li>Configure global security for WebSphere Application Server V6.0
for OS/400.
For detailed steps to configure WebSphere global security, refer to <span class="menucascade"><span class="uicontrol">Securing applications and their environment</span> &gt; <span class="uicontrol">Administering
security</span> &gt; <span class="uicontrol">Configuring global security</span></span> in
the <a href="http://publib.boulder.ibm.com/infocenter/wsdoc400/index.jsp" target="_blank">WebSphere Application Server for OS/400®, Version
6 Information Center</a>.</li>
<li>Configure iSeries Access
for Web. See step <a href="#rzammconfigapsrvsso__was60ssoconfig">3</a>.</li>
<li>Start the web environment. See step <a href="#rzammconfigapsrvsso__was60ssostartweb">4</a>.</li>
<li>Use a browser to access iSeries Access for Web. See step <a href="#rzammconfigapsrvsso__was60ssoaccess">5</a>.</li>
</ul>
<strong>Steps to configure the Web serving environment: </strong></div>
<ol><li id="rzammconfigapsrvsso__was60ssostart"><a name="rzammconfigapsrvsso__was60ssostart"><!-- --></a><span>Start the IBM Web Administration for iSeries interface. </span><ol type="a"><li><span>Start a 5250 session to the server.</span></li>
<li><span>Sign on with a user profile that has at least these special
authorities:  *ALLOBJ, *IOSYSCFG, *JOBCTL, and *SECADM.</span></li>
<li><span>Run the following server command to start the web administration
interface job: STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)</span></li>
<li><span>Minimize the 5250 session.</span></li>
</ol>
</li>
<li id="rzammconfigapsrvsso__was60ssocreate"><a name="rzammconfigapsrvsso__was60ssocreate"><!-- --></a><span>Create an HTTP web server and a WebSphere Application
Server V6.0 for OS/400 Web
application server:</span><ol type="a"><li class="substepexpand"><span>Open a browser to: http://&lt;<em>server_name</em>&gt;:2001</span></li>
<li class="substepexpand"><span>Log in with a user profile that has at least these special
authorities:  *ALLOBJ, *IOSYSCFG, *JOBCTL, and *SECADM.</span></li>
<li class="substepexpand"><span>Select <span class="uicontrol">IBM Web Administration for iSeries</span>.</span></li>
<li class="substepexpand"><span>Select the <span class="uicontrol">Setup</span> tabbed page.</span></li>
<li class="substepexpand"><span>Under Common Tasks and Wizards, select <span class="uicontrol">Create Application
Server</span>.</span></li>
<li class="substepexpand"><span>The Create Application Server page opens. Select <span class="uicontrol">Next</span>.</span></li>
<li class="substepexpand"><span>Select <span class="uicontrol">WebSphere Application Server V6.0 for OS/400</span> then
select <span class="uicontrol">Next</span>.</span></li>
<li class="substepexpand"><span>The Specify Application Server Name page opens.   For <span class="uicontrol">Application
server name</span>, specify iwa60sso.  This will be the name of
the WebSphere Express
Web application server. Select <span class="uicontrol">Next</span>.</span></li>
<li class="substepexpand"><span>The Select HTTP Server Type page opens.  Select <span class="uicontrol">Create
a new HTTP server (powered by Apache)</span> then select <span class="uicontrol">Next</span>. </span></li>
<li class="substepexpand"><span>The <strong>Create a new HTTP server (powered by Apache)</strong> page
opens. </span> <ul><li>For <span class="uicontrol">HTTP server name</span>, enter IWA60SSO.</li>
<li>For Port, specify 4044.</li>
</ul>
Select <span class="uicontrol">Next</span>.</li>
<li class="substepexpand"><span>The <span class="uicontrol">Specify Internal Ports Used by the Application
Server</span> page opens. For <span class="uicontrol">First port in range</span>,
change the default value to 41044. Select <span class="uicontrol">Next</span>. </span></li>
<li class="substepexpand"><span>The <span class="uicontrol">Select Business and Sample Applications</span> page
opens. Select <span class="uicontrol">Next</span>. </span></li>
<li class="substepexpand"><span>The <span class="uicontrol">Configure Identity Token SSO for Web to i5/OS
Access</span> page opens. Select the <span class="uicontrol">Configure Identity Tokens</span> option,
then specify these values:</span> <ul><li>For <span class="uicontrol">LDAP server host name</span>, specify the fully qualified
host name of the LDAP server hosting the EIM domain created during EIM setup.
For example, <samp class="codeph">MYISERIES.MYCOMPANY.COM</samp></li>
<li>For <span class="uicontrol">LDAP Port</span>, specify the port number of the LDAP
server hosting the EIM domain created during EIM setup. For example, <samp class="codeph">389</samp>.</li>
<li>For <span class="uicontrol">LDAP administrator DN</span>, specify the distinguished
name of the LDAP administrator. For example, <samp class="codeph">cn=administrator</samp>.</li>
<li>For LDAP administrator password, specify the password of the LDAP administrator.
For example, <samp class="codeph">myadminpwd</samp>.</li>
</ul>
Select <span class="uicontrol">Next</span>.</li>
<li class="substepexpand"><span>The Configure Identity Token EIM Domain Information page opens.</span> Specify this information:<ul><li>For <span class="uicontrol">EIM Domain Name</span>, select the name of the EIM
domain created during EIM setup. For example, <samp class="codeph">EimDomain</samp>.</li>
<li>For <span class="uicontrol">Source Registry Name</span>, select the name of the
EIM source registry created during EIM setup. For example, <samp class="codeph">WebSphereUserRegistry</samp>.</li>
</ul>
Select <span class="uicontrol">Next</span>.</li>
<li class="substepexpand"><span>The <span class="uicontrol">Summary</span> page opens. Select <span class="uicontrol">Finish</span>.</span></li>
<li class="substepexpand"><span>The Web page is re-displayed with the <span class="menucascade"><span class="uicontrol">Manage</span> &gt; <span class="uicontrol">Application Servers</span></span> tabbed page active.
Under <span class="uicontrol">Instance/Server</span>, iwa60sso/iwa60sso WAS, V6.0
is listed with a status of <span class="uicontrol">Creating</span>. </span> From
this Web page, you can manage the WebSphere application server. <p>Use
the refresh icon next to the <span class="uicontrol">Creating</span> status to refresh
the page, if the page does not periodically refresh.</p>
</li>
<li class="substepexpand"><span>When the status is updated to <span class="uicontrol">Stopped</span>,
select the green icon next to <span class="uicontrol">Stopped</span> to start the WebSphere application
server. The status will be updated to <span class="uicontrol">Starting</span>. Use
the refresh icon next to the <span class="uicontrol">Starting</span> status to refresh
the page if the page does not periodically refresh.</span> iSeries Access
for Web requires that the WebSphere application server is running before
it can be configured.<div class="p"><div class="important"><span class="importanttitle">Important:</span> </div>
Wait for the status
to be updated to <span class="uicontrol">Running</span> before moving to the next
step.</div>
</li>
<li class="substepexpand"><span>Minimize the browser window.</span></li>
</ol>
</li>
<li id="rzammconfigapsrvsso__was60ssoconfig"><a name="rzammconfigapsrvsso__was60ssoconfig"><!-- --></a><span>Configure iSeries Access for Web.</span><ol type="a"><li class="substepexpand"><span>Restore the 5250 session window.</span></li>
<li class="substepexpand"><span>To see the WebSphere application server running, run the server
command: WRKACTJOB SBS(QWAS6)</span></li>
<li class="substepexpand"><span>Verify that IWA60SSO is listed as a job running under the QWAS6
subsystem.  iSeries Access
for Web requires that the WebSphere application server is running before
it can be configured.</span></li>
<li class="substepexpand"><span>Verify the Web application server is ready: </span> <ol type="i"><li>Enter option #5 on your IWA60SSO job.</li>
<li>Enter option #10 to display the job log.</li>
<li>Press F10 to display detailed messages.</li>
<li>Verify the message <span class="uicontrol">Websphere application server iwa60sso ready</span> is
listed.  This message indicates that the application server is fully
started and is ready for Web serving.</li>
<li>Press F3 until you return to a command line.</li>
</ol>
</li>
<li class="substepexpand"><span>iSeries Access
for Web provides commands to configure the product. Two different commands
are provided, a CL command and a QShell script command.  Both commands
provide and perform the same function.  Use whichever version you prefer.</span> <ul><li><strong>To use the CL command, follow these steps:</strong><ol type="i"><li>Configure iSeries Access
for Web for your Web application server by using the following command:  
<pre>QIWA2/CFGACCWEB2 APPSVRTYPE(*WAS60) WASPRF(iwa60sso)
APPSVR(iwa60sso) AUTHTYPE(*APPSVR) AUTHMETHOD(*FORM)
WASUSRID(<var class="varname">myadminid</var>) WASPWD(<var class="varname">myadminpwd</var>) </pre>
These
are the parameters used: <dl><dt class="dlterm">APPSVRTYPE</dt>
<dd>Tells the command which Web application server to configure. </dd>
<dt class="dlterm">WASPRF</dt>
<dd>Tells the command which profile of the Web application server to configure.
In previous releases of WebSphere, the WASINST parameter was used. In WebSphere Application
Server V6.0 for OS/400,
profiles have replaced instances.</dd>
<dt class="dlterm">APPSVR</dt>
<dd>Tells the command the name of the Web application server within the profile
to configure.</dd>
<dt class="dlterm">AUTHTYPE</dt>
<dd>Tells the command which authentication type to use. *APPSVR indicates
the Web application server should authenticate the user using the WebSphere active
user registry.</dd>
<dt class="dlterm">AUTHMETHOD</dt>
<dd>Tells the command which authentication method to use. *FORM indicates
the Web application server should authenticate using form-based HTTP authentication.</dd>
<dt class="dlterm">WASUSRID</dt>
<dd>Tells the command which WebSphere administrative user ID to use when accessing
this Web application server. Replace the example value with an administrator
user id defined in the WebSphere active user registry.</dd>
<dt class="dlterm">WASPWD</dt>
<dd>Tells the command which WebSphere administrative password to use when accessing
this Web application server. Replace the example value with the password for
the administrative user ID provided with the WASUSRID parameter.</dd>
</dl>
Refer to the online help for the command for additional options
and information.</li>
<li>Several messages similar to these will be displayed:   <ul class="simple"><li><tt class="msgph">Configuring iSeries Access for Web</tt></li>
<li><tt class="msgph">Preparing to perform the configuration changes.</tt></li>
<li><tt class="msgph">Calling WebSphere to perform the configuration changes.</tt></li>
<li><tt class="msgph">iSeries Access for Web command has completed. </tt></li>
<li><tt class="msgph">The WebSphere instance application server must be stopped and
then started to enable the configuration changes.</tt></li>
</ul>
     </li>
<li>Press F3 or Enter when the command completes to exit the display session.</li>
</ol>
</li>
<li><strong>To use the QShell script command, follow these steps:</strong><ol type="i"><li>Start the QShell environment using the following server command: QSH</li>
<li>Make the iSeries Access
for Web directory the current directory.  Run this server command:  
<pre>cd /QIBM/ProdData/Access/Web2/install </pre>
</li>
<li>Configure iSeries Access
for Web for the Web application server previously created: <pre>cfgaccweb2 -appsvrtype *WAS60 -wasprf iwa60sso -appsvr iwa60sso
-authtype *APPSVR -authmethod *FORM
-wasusrid <var class="varname">myadminid</var> -waspwd <var class="varname">myadminpwd</var></pre>
These
are the parameters used: <dl><dt class="dlterm">-appsvrtype</dt>
<dd>Tells the command which Web application server to configure. </dd>
<dt class="dlterm">-wasprf</dt>
<dd>Tells the command which profile of the Web application server to configure.
In previous releases of WebSphere, the -wasinst parameter was used. In WebSphere Application
Server V6.0 for OS/400,
profiles have replaced instances.</dd>
<dt class="dlterm">-appsvr</dt>
<dd>Tells the command the name of the Web application server within the profile
to configure.</dd>
<dt class="dlterm">-authtype</dt>
<dd>Tells the command which authentication type to use. *APPSVR indicates
the Web application server should authenticate the user using the WebSphere active
user registry.</dd>
<dt class="dlterm">-authmethod</dt>
<dd>Tells the command which authentication method to use. *FORM indicates
the Web application server should authenticate using form-based HTTP authentication.</dd>
<dt class="dlterm">-wasusrid</dt>
<dd>Tells the command which WebSphere administrative user ID to use when accessing
this Web application server. Replace the example value with an administrator
user id defined in the WebSphere active user registry.</dd>
<dt class="dlterm">-waspwd</dt>
<dd>Tells the command which WebSphere administrative password to use when accessing
this Web application server. Replace the example value with the password for
the administrative user ID provided with the -wasusrid parameter.</dd>
</dl>
For help on this command and the parameters, specify the -?
parameter. Refer to the online help for the command for additional options
and information.</li>
<li>Several messages similar to these will be displayed:   <ul class="simple"><li><tt class="msgph">Configuring iSeries Access for Web.</tt></li>
<li><tt class="msgph">Preparing to perform the configuration changes. </tt></li>
<li><tt class="msgph">Calling WebSphere to perform the configuration changes.</tt> </li>
<li><tt class="msgph"> iSeries Access for Web command has completed.</tt></li>
<li><tt class="msgph">The WebSphere instance application server must be stopped and
then started to enable the configuration changes.</tt></li>
</ul>
     </li>
<li>Press F3 when the command completes to exit the QShell session.</li>
</ol>
</li>
</ul>
</li>
<li class="substepexpand"><span>If the command fails or indicates an error, refer to the
log files:</span> <dl><dt class="dlterm">/QIBM/UserData/Access/Web2/logs/cmds.log</dt>
<dd>High level, cause and recovery information; translated.</dd>
<dt class="dlterm">/QIBM/UserData/Access/Web2/logs/cmdstrace.log</dt>
<dd>Detailed command flow for IBM Software Service; English only. </dd>
</dl>
</li>
<li class="substepexpand"><span>After successfully configuring iSeries Access for Web, the WebSphere application
server must be restarted to load the changes to its configuration.  This
will be done later.</span></li>
<li class="substepexpand"><span>Sign off the 5250 session and close the window. </span></li>
</ol>
</li>
<li id="rzammconfigapsrvsso__was60ssostartweb"><a name="rzammconfigapsrvsso__was60ssostartweb"><!-- --></a><span>Start the Web environment.</span><ol type="a"><li class="substepexpand"><span>Return to the browser window that is open to the <span class="uicontrol">IBM
Web Administration for iSeries server management</span> page.</span></li>
<li class="substepexpand"><span>The <span class="menucascade"><span class="uicontrol">Manage</span> &gt; <span class="uicontrol">Application
Servers</span></span> tabbed page should be active. Under Instance/Server
is listed <span class="uicontrol">iwa60sso/iwa60sso WAS, V6</span> with a status
of <span class="uicontrol">Running</span>. Stop and restart the WebSphere application
server: </span> <ol type="i"><li>Select the red icon next to the <span class="uicontrol">Running</span> status
to stop the WebSphere server.
Select the refresh icon next to the <span class="uicontrol">Stopping</span> status
to refresh the page if the page does not periodically refresh.</li>
<li>When the status is updated to <span class="uicontrol">Stopped</span>, select the
green icon next to <span class="uicontrol">Stopped</span> to start the WebSphere application
server.</li>
<li>The status will be updated to <span class="uicontrol">Starting</span>. Select
the refresh icon next to the Starting status to refresh the page if it does
not periodically refresh. <div class="important"><span class="importanttitle">Important:</span> Wait for the status to be
updated to Running before moving to the next step.</div>
iSeries Access for
Web will load and start as the WebSphere application server starts.</li>
</ol>
</li>
<li class="substepexpand"><span>Select the HTTP Servers tabbed page.</span></li>
<li class="substepexpand"><span>Under <span class="uicontrol">Server</span>, select IWA60SSO - Apache.
The current status of this Apache HTTP server should be <span class="uicontrol">Stopped</span>. </span> Select the green icon next to the status to start the HTTP server. The
status is updated to <span class="uicontrol">Running</span>.</li>
<li class="substepexpand"><span>Close the browser window.</span></li>
</ol>
</li>
<li id="rzammconfigapsrvsso__was60ssoaccess"><a name="rzammconfigapsrvsso__was60ssoaccess"><!-- --></a><span>Use a browser to access iSeries Access for Web.</span><ol type="a"><li class="substepexpand"><span>Open a browser to either of the following addresses to access iSeries Access
for Web:</span> <p>http://&lt;<var class="varname">server_name</var>&gt;:4044/webaccess/iWAHome<br />
http://&lt;<var class="varname">server_name</var>&gt;:4044/webaccess/iWAMain</p>
</li>
<li class="substepexpand"><span>Log in using a WebSphere user ID and password defined in the WebSphere active
user registry. The initial load of iSeries Access for Web might take a few
seconds.  WebSphere Application
Server is loading Java™ classes for the first time.  Subsequent loads
of iSeries Access
for Web will be faster.</span></li>
<li class="substepexpand"><span>The iSeries Access for Web Home or Main page displays.</span></li>
<li class="substepexpand"><span>Close the browser window.</span></li>
</ol>
</li>
</ol>
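<p>The check in step 5 can also be run without a browser. The following script is an added example, not part of the IBM documentation: it classifies how an iSeries Access for Web URL answers a request that carries no WebSphere credentials, and reports when the login form is served over plain http://. Assumptions: the function names, the file name and the sample transcripts (including the /webaccess/login path) are constructed for illustration, and the form-login page is recognized by the standard J2EE <samp class="codeph">j_security_check</samp> form action.</p>

```shell
#!/bin/sh
# Added example (not IBM code): classify how a step-5 URL answers a request
# that carries no WebSphere credentials. Input: a `curl -s -i -L URL` transcript.
#
# Verdicts:
#   challenge-cleartext  login demanded, but over http:// (form password unencrypted)
#   challenge            login demanded over https://
#   open                 final 200 with no login form: content served without login
#   error                anything else (server down, 404, 500, empty reply)
classify_response() {
    url=$1
    transcript=$2
    # curl -L prints the headers of every hop; keep the last status code seen.
    status=$(tr -d '\r' < "$transcript" | awk '/^HTTP\// { s = $2 } END { print s }')
    case $status in
        401) verdict=challenge ;;
        200)
            # Assumption: *FORM is J2EE form login, whose form posts to j_security_check.
            if grep -qi 'j_security_check' "$transcript"; then
                verdict=challenge
            else
                verdict=open
            fi ;;
        *) verdict=error ;;
    esac
    if [ "$verdict" = challenge ]; then
        case $url in
            http://*) verdict=challenge-cleartext ;;
        esac
    fi
    echo "$verdict"
}

# Live check: fetch the URL with no credentials, then classify the transcript.
check_url() {
    tmp=$(mktemp) || return 1
    curl -s -i -L --max-time 15 "$1" > "$tmp" 2>/dev/null || :
    classify_response "$1" "$tmp"
    rm -f "$tmp"
}

# Constructed sample transcripts (not captured from a real server).
sample_form_login() {
    printf 'HTTP/1.1 302 Found\r\nLocation: /webaccess/login\r\n\r\n'
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
    printf '<form method="post" action="j_security_check"></form>\n'
}
sample_unprotected() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
    printf '<html><title>Home</title></html>\n'
}

# Classify one constructed sample: $1 = URL it stands for, $2 = sample function.
classify_sample() {
    f=$(mktemp) || return 1
    "$2" > "$f"
    classify_response "$1" "$f"
    rm -f "$f"
}

if [ "$#" -gt 0 ]; then
    # Usage (hypothetical file name): sh check_sso.sh http://server_name:4044/webaccess/iWAHome
    for u in "$@"; do
        printf '%-20s %s\n' "$(check_url "$u")" "$u"
    done
else
    printf '%-20s %s\n' \
        "$(classify_sample http://server_name:4044/webaccess/iWAHome sample_form_login)" "form login, http" \
        "$(classify_sample https://server_name/webaccess/iWAHome sample_form_login)" "form login, https" \
        "$(classify_sample http://server_name:4044/webaccess/iWAMain sample_unprotected)" "no login form"
fi
```

<p>A verdict of <samp class="codeph">open</samp> for either URL means the application was not deployed as a secured WebSphere application; <samp class="codeph">challenge-cleartext</samp> is the expected result for the port 4044 configuration built in this example.</p>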
<div class="section">By following the above steps, you completed these tasks:<ul><li>Configured an EIM environment to enable mapping of WebSphere user identities to i5/OS user profiles.</li>
<li>Created a WebSphere Web
application server named iwa60sso.</li>
<li>Created an HTTP server named IWA60SSO.</li>
<li>Enabled global security for WebSphere web application server iwa60sso.</li>
<li>Configured   iSeries Access for Web for the WebSphere application
server.</li>
<li>Stopped and restarted the WebSphere application server and HTTP
web server.   iSeries Access for Web started when the WebSphere application
server started.</li>
<li>Verified that iSeries Access for Web can be accessed from a Web
browser.</li>
</ul>
<p><img src="./delta.gif" alt="Start of change" />In this example, only the <span class="cmdname">CFGACCWEB2</span> command
is used to configure iSeries Access for Web. For more information about
using all the iSeries Access
for Web CL commands, use the CL command finder. <img src="./deltaend.gif" alt="End of change" /></p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzammservxmpbeg.htm" title="These examples provide step-by-step instructions for setting up a complete Web serving environment.">Examples for configuring a new Web application server environment</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzammsso.htm" title="This topic lists considerations for Single sign-on (SSO) with iSeries Access for Web in the Web application server and portal environments.">Single sign-on considerations</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../clfinder/finder.htm">CL command finder</a></div>
</div>
</div>
<img src="./deltaend.gif" alt="End of change" /></body>
</html>