ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamy_5.4.0.1/50/sec/secsswas.htm

179 lines
14 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Configure single signon and LTPA for WebSphere Application Server - Express</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h5><a name="secsswas"></a>Configure single signon and LTPA for WebSphere Application Server - Express</h5>
<p>To use single signon between WebSphere Application Server - Express and Domino or between two WebSphere application servers, you must first configure single signon for WebSphere Application Server - Express. Single signon for WebSphere Application Server allows authentication information to be shared across multiple WebSphere administrative domains and with Domino servers.</p>
<p>To provide single signon to WebSphere application servers in more than one WebSphere administrative domain, you must configure each of the administrative domains to use the same DNS domain, user registry (using LDAP or a custom registry), and a common set of LTPA keys as described in the detailed sections below:</p>
<p>This topic assumes that you have already installed WebSphere Application Server - Express and configured one or more application servers in one or more WebSphere administrative domains. It is also assumed that you are using LDAP as the user registry. Whether you are using an LDAP registry or a custom registry, the single signon setup is the same. The difference is in the configuration of the registry itself. For more information on custom registries, see <a href="seccust.htm">Custom registries</a>.</p>
<p>Before you configure single signon for WebSphere Application Server - Express, verify that WebSphere Application Server - Express is accessible:</p>
<ol>
<li>Verify that the application servers are configured correctly. Use a Web browser to access application resources.</li>
<li>Verify that the LDAP directory is available and configured with at least one user. Configuring single signon for WebSphere Application Server - Express requires access to the LDAP directory. You can use the Domino Directory or another LDAP directory.</li>
</ol>
<p>To configure single signon for WebSphere Application Server - Express, perform the following steps:</p>
<ol>
<li><a href="#cfg">Modify WebSphere Application Server - Express security settings</a>.</li>
<li><a href="#bounce">Stop and restart the WebSphere instance</a>.</li>
<li><a href="#export">Export LTPA keys to a file</a>.</li>
<li><a href="#authz">Authorize users</a>.</li>
<li><a href="#import">Import the LTPA keys file into other WebSphere administrative
domains</a>.</li>
</ol>
<p><strong><a name="cfg">Modify WebSphere Application Server - Express security settings</a></strong></p>
<p>Single signon configuration is included as part of the overall security configuration of a WebSphere administrative domain.</p>
<p>To change your WebSphere security configuration to support single signon, perform the following steps in the WebSphere administrative console:</p>
<ol>
<li><p>In the navigation menu, click <strong>Security --&gt; Authentication mechanisms --&gt; LTPA</strong>.</p></li>
<li><p>Under <strong>Additional properties</strong>, click <strong>Single Signon (SSO)</strong>. Single signon is enabled by default. If it has been disabled, click <strong>Enable</strong>.</p></li>
<li><p>Select the <strong>Requires SSL</strong> field if all the requests are expected to come over HTTPS transport.</p></li>
<li><p>In the <strong>Domain Name</strong> field, enter the name of the DNS domain for which single signon is effective (the single signon cookie is sent for all servers only in this domain). For example, if the domain is ibm.com, single signon works between the domains rochester.ibm.com and austin.ibm.com--but not austin.otherCompany.com.</p>
<p><strong>Note:</strong> The domain field is optional, and, if left blank, the Web browser defaults to the domain name of the single signon cookie, which is the WebSphere application server that created it. In this case, single signon is only be valid for the server that created the cookie. This behavior may be desirable when you have defined multiple virtual hosts and each virtual host needs its own or separate domain to be specified in the single signon cookie.</p></li>
<li><p>Click <strong>OK</strong>.</p></li>
<li><p>Before you exit the LTPA settings page, you also need to configure the LTPA keys which are used by the administrative domain that you are configuring. You must perform <i>one</i> of the following steps, based on the number of administrative domains you are configuring:</p>
<ul>
<li>If you are configuring the first or only WebSphere administrative domain, generate the LTPA keys:
<ol type="a">
<li>Type the LTPA password to be associated with these LTPA keys in the <strong>Password</strong> and <strong>Confirm Password</strong> fields. You must use this password when importing these keys into other WebSphere Application Server administrative domain configurations (if any) and when you configure single signon for Domino.</li>
<li>Click <strong>Generate Keys</strong> to generate keys for LTPA.</li>
<li>Click <strong>Save</strong> to save the LTPA keys.</li>
</ol><p></p></li>
<li><p>If you are configuring an additional WebSphere administrative domain, you must import the LTPA keys used during the configuration of the first administrative domain. See <a href="#import">Import the LTPA keys file into other WebSphere administrative domains</a> for more information.</p></li>
</ul></li>
<li><p>In the navigation menu, click <strong>Security --&gt; User Registries --&gt; LDAP</strong>. (This topic assumes you are using an LDAP user registry. If you are using a custom registry, click <strong>Custom</strong> instead.)</p></li>
<li><p>Enter your settings in the LDAP User Registry page:</p>
<ul>
<li><p><strong>Server User ID</strong>
<br>The user ID of the administrator for the WebSphere administrative domain. Use the short name or user ID for a user already defined in the LDAP directory. Do not specify a Distinguished Name by using <tt>cn=</tt> or <tt>uid=</tt> before the value. This field is not case sensitive.</p>
<p>When you start the WebSphere administrative console, you are prompted to login with an administrative account. You must enter exactly the same value that you specify in this field.</p></li>
<li><p><strong>Server User Password</strong>
<br>The password corresponding to the <strong>Server User ID</strong> field. This field is case sensitive.</p></li>
<li><p><strong>Type</strong>
<br>The type of LDAP server you are using. For example, from the list you can select <strong>SecureWay</strong> for IBM SecureWay LDAP Directory or <strong>Domino</strong> for a Domino LDAP Directory.</p></li>
<li><p><strong>Host</strong>
<br>The fully qualified DNS name of the machine on which the LDAP directory runs, for example <tt>myhost.mycompany.com</tt>.</p></li>
<li><p><strong>Port</strong>
<br>The port on which the LDAP directory server listens. By default, an LDAP directory server using an unsecured connection listens on port 389.</p></li>
<li><p><strong>Base Distinguished Name</strong>
<br>The Distinguished Name (DN) of the directory in which searches begin within the LDAP directory. For example, for a user with a DN of <tt>cn=John Doe, ou=Rochester, o=IBM, c=US</tt> and a base suffix of <tt>c=US</tt>, the base DN can be specified in any of the following ways:</p>
<ul>
<li><tt>ou=Rochester, o=IBM, c=us</tt></li>
<li><tt>o=IBM, c=us</tt></li>
<li><tt>c=us</tt></li>
</ul>
<p>This field is not case sensitive. This field is required for all LDAP directories.</p></li>
<li><p><strong>Bind Distinguished Name</strong>
<br>The DN of the user who is capable of performing searches on the directory. In most cases, this field is not required; typically, all users are authorized to search an LDAP directory. However, if the LDAP directory contents are restricted to certain users, you need to specify the DN of an authorized user, for example, an administrator, <tt>cn=administrator</tt>.</p></li>
<li><p><strong>Bind Password</strong>
<br>The password corresponding to the Bind Distinguished Name field. This value is required only if you specified a value for the Bind Distinguished Name field. This field is case sensitive.</p></li>
<li><p><strong>Ignore Case</strong>
<br>By default WebSphere Application Server - Express does a case-sensitive comparison for authorization. This implies that a user who is authenticated by Domino should match exactly the entry (including the base distinguished name) in the WebSphere Application Server authorization table. If case sensitivity should not be considered for the authorization, the Ignore Case property should be enabled in the LDAP user registry settings.</p></li>
</ul></li>
<li><p>Click <strong>OK</strong>.</p></li>
<li><p>In the navigation menu, click <strong>Security --&gt; Global Security</strong>. Enable WebSphere security by checking the <strong>Enabled</strong> check box.</p></li>
<li><p>Verify that the <strong>Cache Timeout</strong> field is set to a reasonable value for your application. When the timeout is reached, WebSphere Application Server - Express clears the security cache and rebuilds the security data. If the value is set too low, the extra processing overhead can be unacceptable. If the value is set too high, you create a security risk by caching security data for a long period of time. The default value is 600 seconds.</p></li>
<li><p>For the <strong>Active Authentication Mechanism</strong> setting, select <strong>LTPA</strong>.</p></li>
<li><p>For the <strong>Active User Registry</strong> setting, select <strong>LDAP</strong>.</p></li>
<li><p>Click <strong>OK</strong> and save the changes.</p></li>
</ol>
<p><strong><a name="bounce"></a>Stop and restart the WebSphere instance</strong></p>
<p>Whenver changes are made to the global security settings, the instance must be stopped and restarted for the changes to take effect.</p>
<ol>
<li><p>Logout from the administrative console.</p></li>
<li><p>Stop the server instance, and then start it. For more information, see the <a href="../admin/guistrtntstapp.htm">Start and test your application server</a> topic in the <em>Administration</em> section.</p></li>
<li><p>Start the administrative console. Use the domain that you specified during single signon configuration.</p>
<p><strong>Note:</strong> If the hostname is not fully qualified, you cannot log into the administrative console. If the login fails, the login screen is shown again.</p></li>
<li><p>Specify the user ID and password, exactly as you specified them in the <strong>Server User ID</strong> and <strong>Server User Password</strong> fields in the Global Security settings.</p></li>
</ol>
<p><strong><a name="export"></a>Export the LTPA keys to a file</strong></p>
<p>To complete the security configuration for single signon, you need to export the LTPA keys to a file. Do this for just one WebSphere administrative server if you are configuring single signon for use with multiple WebSphere administrative domains. This file is subsequently used during the configuration of additional administrative domains and during the configuration of single signon for Domino.</p>
<p>To export the LTPA keys to a file, perform the following steps in the administrative console:</p>
<ol>
<li><p>In the navigation menu, click <strong>Security --&gt; Authentication mechanisms --&gt; LTPA</strong>.</p></li>
<li><p>In the <strong>Password</strong> and <strong>Confirm Password</strong> fields, specify the password that is associated with the keys to be exported.</p></li>
<li><p>In the <strong>Key File Name</strong> field, specify the name and location of the file (in the iSeries integrated file system) to contain the LTPA keys. You can use any file name and extension. Note the name and extension you specify; you must use this file when you configure single signon for any additional WebSphere administrative domains and for Domino.</p></li>
<li><p>Click <strong>Export Keys</strong> to export the LTPA keys to the specified file.</p></li>
<li><p>Click <strong>Save</strong> to apply the changes to your server configuration.</p></li>
</ol>
<p><strong><a name="authz"></a>Authorize users</strong></p>
<p>Before you can test the single signon configuration for WebSphere Application Server, you must grant users permissions to resources so that their access can be tested. For more information, see <a href="seccadm.htm">Assign users to administrative roles</a>.</p>
<p><strong><a name="import"></a>Import the LTPA keys file into other WebSphere administrative domains</strong></p>
<p>If you are configuring single signon for use with multiple WebSphere administrative domains, import the LTPA keys file into all the administrative domains, excluding only the administrative domain from which you exported the file. Before proceeding, ensure that you have completed all of the preceeding steps (except <strong>Export the LTPA keys to a file</strong>) for these administrative domains.</p>
<p>To import the LTPA keys file, complete the following steps:</p>
<ol>
<li>Start the WebSphere server for the domain.</li>
<li>Start the administrative console.</li>
<li>In the navigation menu, click <strong>Security --&gt; Authentication mechanisms --&gt; LTPA</strong>.</li>
<li>In the <strong>Password</strong> and <strong>Confirm Password</strong> fields, specify the password that is associated with the keys to be imported.</li>
<li>In the <strong>Key File Name</strong> field, specify the name and location of the LTPA keys file.</li>
<li>Click <strong>Import Keys</strong> to import the LTPA keys from a file.</li>
<li>Click <strong>Save</strong> to apply the changes to the master configuration.</li>
<li>Click <strong>Logout</strong> to exit the administrative console.</li>
<li>Stop and then restart the application server.</li>
</ol>
</body>
</html>