Configure single signon and LTPA for WebSphere Application Server - Express

To use single signon between WebSphere Application Server - Express and Domino or between two WebSphere application servers, you must first configure single signon for WebSphere Application Server - Express. Single signon for WebSphere Application Server allows authentication information to be shared across multiple WebSphere administrative domains and with Domino servers.

To provide single signon to WebSphere application servers in more than one WebSphere administrative domain, you must configure each of the administrative domains to use the same DNS domain, user registry (using LDAP or a custom registry), and a common set of LTPA keys as described in the detailed sections below:

This topic assumes that you have already installed WebSphere Application Server - Express and configured one or more application servers in one or more WebSphere administrative domains. It is also assumed that you are using LDAP as the user registry. Whether you are using an LDAP registry or a custom registry, the single signon setup is the same. The difference is in the configuration of the registry itself. For more information on custom registries, see Custom registries.

Before you configure single signon for WebSphere Application Server - Express, verify that WebSphere Application Server - Express is accessible:

1. Verify that the application servers are configured correctly. Use a Web browser to access application resources.
2. Verify that the LDAP directory is available and configured with at least one user. Configuring single signon for WebSphere Application Server - Express requires access to the LDAP directory. You can use the Domino Directory or another LDAP directory.

To configure single signon for WebSphere Application Server - Express, perform the following steps:

1. Modify WebSphere Application Server - Express security settings.
2. Stop and restart the WebSphere instance.
3. Export LTPA keys to a file.
4. Authorize users.
5. Import the LTPA keys file into other WebSphere administrative domains.

Modify WebSphere Application Server - Express security settings

Single signon configuration is included as part of the overall security configuration of a WebSphere administrative domain.

To change your WebSphere security configuration to support single signon, perform the following steps in the WebSphere administrative console:

1. In the navigation menu, click Security --> Authentication mechanisms --> LTPA.

2. Under Additional properties, click Single Signon (SSO). Single signon is enabled by default. If it has been disabled, click Enable.

3. Select the Requires SSL field if all the requests are expected to come over HTTPS transport.

4. In the Domain Name field, enter the name of the DNS domain for which single signon is effective (the single signon cookie is sent for all servers only in this domain). For example, if the domain is ibm.com, single signon works between the domains rochester.ibm.com and austin.ibm.com--but not austin.otherCompany.com.

   Note: The domain field is optional, and, if left blank, the Web browser defaults to the domain name of the single signon cookie, which is the WebSphere application server that created it. In this case, single signon is only be valid for the server that created the cookie. This behavior may be desirable when you have defined multiple virtual hosts and each virtual host needs its own or separate domain to be specified in the single signon cookie.

5. Click OK.

6. Before you exit the LTPA settings page, you also need to configure the LTPA keys which are used by the administrative domain that you are configuring. You must perform one of the following steps, based on the number of administrative domains you are configuring:

   • If you are configuring the first or only WebSphere administrative domain, generate the LTPA keys:
     1. Type the LTPA password to be associated with these LTPA keys in the Password and Confirm Password fields. You must use this password when importing these keys into other WebSphere Application Server administrative domain configurations (if any) and when you configure single signon for Domino.
     2. Click Generate Keys to generate keys for LTPA.
     3. Click Save to save the LTPA keys.

   • If you are configuring an additional WebSphere administrative domain, you must import the LTPA keys used during the configuration of the first administrative domain. See Import the LTPA keys file into other WebSphere administrative domains for more information.

7. In the navigation menu, click Security --> User Registries --> LDAP. (This topic assumes you are using an LDAP user registry. If you are using a custom registry, click Custom instead.)

8. Enter your settings in the LDAP User Registry page:

   • Server User ID
     The user ID of the administrator for the WebSphere administrative domain. Use the short name or user ID for a user already defined in the LDAP directory. Do not specify a Distinguished Name by using cn= or uid= before the value. This field is not case sensitive.

     When you start the WebSphere administrative console, you are prompted to login with an administrative account. You must enter exactly the same value that you specify in this field.

   • Server User Password
     The password corresponding to the Server User ID field. This field is case sensitive.

   • Type
     The type of LDAP server you are using. For example, from the list you can select SecureWay for IBM SecureWay LDAP Directory or Domino for a Domino LDAP Directory.

   • Host
     The fully qualified DNS name of the machine on which the LDAP directory runs, for example myhost.mycompany.com.

   • Port
     The port on which the LDAP directory server listens. By default, an LDAP directory server using an unsecured connection listens on port 389.

   • Base Distinguished Name
     The Distinguished Name (DN) of the directory in which searches begin within the LDAP directory. For example, for a user with a DN of cn=John Doe, ou=Rochester, o=IBM, c=US and a base suffix of c=US, the base DN can be specified in any of the following ways:

     • ou=Rochester, o=IBM, c=us
     • o=IBM, c=us
     • c=us

     This field is not case sensitive. This field is required for all LDAP directories.

   • Bind Distinguished Name
     The DN of the user who is capable of performing searches on the directory. In most cases, this field is not required; typically, all users are authorized to search an LDAP directory. However, if the LDAP directory contents are restricted to certain users, you need to specify the DN of an authorized user, for example, an administrator, cn=administrator.

   • Bind Password
     The password corresponding to the Bind Distinguished Name field. This value is required only if you specified a value for the Bind Distinguished Name field. This field is case sensitive.

   • Ignore Case
     By default WebSphere Application Server - Express does a case-sensitive comparison for authorization. This implies that a user who is authenticated by Domino should match exactly the entry (including the base distinguished name) in the WebSphere Application Server authorization table. If case sensitivity should not be considered for the authorization, the Ignore Case property should be enabled in the LDAP user registry settings.

9. Click OK.

10. In the navigation menu, click Security --> Global Security. Enable WebSphere security by checking the Enabled check box.

11. Verify that the Cache Timeout field is set to a reasonable value for your application. When the timeout is reached, WebSphere Application Server - Express clears the security cache and rebuilds the security data. If the value is set too low, the extra processing overhead can be unacceptable. If the value is set too high, you create a security risk by caching security data for a long period of time. The default value is 600 seconds.

12. For the Active Authentication Mechanism setting, select LTPA.

13. For the Active User Registry setting, select LDAP.

14. Click OK and save the changes.

Stop and restart the WebSphere instance

Whenver changes are made to the global security settings, the instance must be stopped and restarted for the changes to take effect.

1. Logout from the administrative console.

2. Stop the server instance, and then start it. For more information, see the Start and test your application server topic in the Administration section.

3. Start the administrative console. Use the domain that you specified during single signon configuration.

   Note: If the hostname is not fully qualified, you cannot log into the administrative console. If the login fails, the login screen is shown again.

4. Specify the user ID and password, exactly as you specified them in the Server User ID and Server User Password fields in the Global Security settings.

Export the LTPA keys to a file

To complete the security configuration for single signon, you need to export the LTPA keys to a file. Do this for just one WebSphere administrative server if you are configuring single signon for use with multiple WebSphere administrative domains. This file is subsequently used during the configuration of additional administrative domains and during the configuration of single signon for Domino.

To export the LTPA keys to a file, perform the following steps in the administrative console:

1. In the navigation menu, click Security --> Authentication mechanisms --> LTPA.

2. In the Password and Confirm Password fields, specify the password that is associated with the keys to be exported.

3. In the Key File Name field, specify the name and location of the file (in the iSeries integrated file system) to contain the LTPA keys. You can use any file name and extension. Note the name and extension you specify; you must use this file when you configure single signon for any additional WebSphere administrative domains and for Domino.

4. Click Export Keys to export the LTPA keys to the specified file.

5. Click Save to apply the changes to your server configuration.

Authorize users

Before you can test the single signon configuration for WebSphere Application Server, you must grant users permissions to resources so that their access can be tested. For more information, see Assign users to administrative roles.

Import the LTPA keys file into other WebSphere administrative domains

If you are configuring single signon for use with multiple WebSphere administrative domains, import the LTPA keys file into all the administrative domains, excluding only the administrative domain from which you exported the file. Before proceeding, ensure that you have completed all of the preceeding steps (except Export the LTPA keys to a file) for these administrative domains.

To import the LTPA keys file, complete the following steps:

1. Start the WebSphere server for the domain.
2. Start the administrative console.
3. In the navigation menu, click Security --> Authentication mechanisms --> LTPA.
4. In the Password and Confirm Password fields, specify the password that is associated with the keys to be imported.
5. In the Key File Name field, specify the name and location of the LTPA keys file.
6. Click Import Keys to import the LTPA keys from a file.
7. Click Save to apply the changes to the master configuration.
8. Click Logout to exit the administrative console.
9. Stop and then restart the application server.