Configure WebSphere Application Server V6.0 for OS/400 with Single sign-on

This example is for users that are not familiar with the Web serving environment. It describes all the steps necessary to get iSeries™ Access for Web running in a WebSphere® Application Server V6.0 for OS/400® environment with single sign-on (SSO) enabled. It also describes how to verify that the setup is working.

When the configuration is completed, iSeries Access for Web uses the authenticated WebSphere user identity to access i5/OS™ resources. iSeries Access for Web does not perform additional prompting for an i5/OS user profile and password in this environment.

This environment requires WebSphere global security to be enabled. When enabled, users must provide WebSphere credentials when accessing secured WebSphere resources. Configuration options enable iSeries Access for Web to be deployed as a secured WebSphere application. WebSphere credentials are required when accessing iSeries Access for Web functions in this environment. In turn, iSeries Access for Web uses Enterprise Identity Mapping (EIM) to map the authenticated WebSphere user to an i5/OS user profile. The mapped i5/OS user profile is used to authorize the user to i5/OS resources using standard i5/OS object level security.

Configuring your Web serving environment consists of these steps:
  1. Start the IBM Web Administration for iSeries interface.
    1. Start a 5250 session to the server.
    2. Sign on with a user profile that has at least these special authorities:  *ALLOBJ, *IOSYSCFG, *JOBCTL, and *SECADM.
    3. Run the following server command to start the web administration interface job: STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
    4. Minimize the 5250 session.
  2. Create an HTTP web server and a WebSphere Application Server V6.0 for OS/400 Web application server:
    1. Open a browser to: http://<server_name>:2001
    2. Log in with a user profile that has at least these special authorities: *ALLOBJ, *IOSYSCFG, *JOBCTL, and *SECADM.
    3. Select IBM Web Administration for iSeries.
    4. Select the Setup tabbed page.
    5. Under Common Tasks and Wizards, select Create Application Server.
    6. The Create Application Server page opens. Select Next.
    7. Select WebSphere Application Server V6.0 for OS/400 then select Next.
    8. The Specify Application Server Name page opens.   For Application server name, specify iwa60sso.  This will be the name of the WebSphere Express Web application server. Select Next.
    9. The Select HTTP Server Type page opens.  Select Create a new HTTP server (powered by Apache) then select Next.
    10. The Create a new HTTP server (powered by Apache) page opens.
      • For HTTP server name, enter IWA60SSO.
      • For Port, specify 4044.
      Select Next.
    11. The Specify Internal Ports Used by the Application Server page opens. For First port in range, change the default value to 41044. Select Next.
    12. The Select Business and Sample Applications page opens. Select Next.
    13. The Configure Identity Token SSO for Web to i5/OS Access page opens. Select the Configure Identity Tokens option, then specify these values:
      • For LDAP server host name, specify the fully qualified host name of the LDAP server hosting the EIM domain created during EIM setup. For example, MYISERIES.MYCOMPANY.COM
      • For LDAP Port, specify the port number of the LDAP server hosting the EIM domain created during EIM setup. For example, 389.
      • For LDAP administrator DN, specify the distinguished name of the LDAP administrator. For example, cn=administrator.
      • For LDAP administrator password, specify the password of the LDAP administrator. For example, myadminpwd.
      Select Next.
    14. The Configure Identity Token EIM Domain Information page opens. Specify this information:
      • For EIM Domain Name, select the name of the EIM domain created during EIM setup. For example, EimDomain.
      • For Source Registry Name, select the name of the EIM source registry created during EIM setup. For example, WebSphereUserRegistry.
      Select Next.
    15. The Summary page opens. Select Finish.
    16. The Web page is re-displayed with the Manage > Application Servers tabbed page active. Under Instance/Server, iwa60sso/iwa60sso – WAS, V6.0 is listed with a status of Creating. From this Web page, you can manage the WebSphere application server.

      Use the refresh icon next to the Creating status to refresh the page, if the page does not periodically refresh.

    17. When the status is updated to Stopped, select the green icon next to Stopped to start the WebSphere application server. The status will be updated to Starting. Use the refresh icon next to the Starting status to refresh the page if the page does not periodically refresh. iSeries Access for Web requires that the WebSphere application server is running before it can be configured.
      Important:
      Wait for the status to be updated to Running before moving to the next step.
    18. Minimize the browser window.
  3. Configure iSeries Access for Web.
    1. Restore the 5250 session window.
    2. To see the WebSphere application server running, run the server command: WRKACTJOB SBS(QWAS6)
    3. Verify that IWA60SSO is listed as a job running under the QWAS6 subsystem. iSeries Access for Web requires that the WebSphere application server is running before it can be configured.
    4. Verify the Web application server is ready:
      1. Enter option #5 on your IWA60SSO job.
      2. Enter option #10 to display the job log.
      3. Press F10 to display detailed messages.
      4. Verify the message Websphere application server iwa60sso ready is listed.  This message indicates that the application server is fully started and is ready for Web serving.
      5. Press F3 until you return to a command line.
    5. iSeries Access for Web provides commands to configure the product. Two different commands are provided, a CL command and a QShell script command.  Both commands provide and perform the same function.  Use whichever version you prefer.
      • To use the CL command, follow these steps:
        1. Configure iSeries Access for Web for your Web application server by using the following command:  
          QIWA2/CFGACCWEB2 APPSVRTYPE(*WAS60) WASPRF(iwa60sso) 
               APPSVR(iwa60sso) AUTHTYPE(*APPSVR) AUTHMETHOD(*FORM) 
               WASUSRID(myadminid) WASPWD(myadminpwd)
          These are the parameters used:
          APPSVRTYPE
          Tells the command which Web application server to configure.
          WASPRF
          Tells the command which profile of the Web application server to configure. In previous releases of WebSphere, the WASINST parameter was used. In WebSphere Application Server V6.0 for OS/400, profiles have replaced instances.
          APPSVR
          Tells the command the name of the Web application server within the profile to configure.
          AUTHTYPE
          Tells the command which authentication type to use. *APPSVR indicates the Web application server should authenticate the user using the WebSphere active user registry.
          AUTHMETHOD
          Tells the command which authentication method to use. *FORM indicates the Web application server should authenticate using form-based HTTP authentication.
          WASUSRID
          Tells the command which WebSphere administrative user ID to use when accessing this Web application server. Replace the example value with an administrator user ID defined in the WebSphere active user registry.
          WASPWD
          Tells the command which WebSphere administrative password to use when accessing this Web application server. Replace the example value with the password for the administrative user ID provided with the WASUSRID parameter.
          Refer to the online help for the command for additional options and information.
        2. Several messages similar to these will be displayed:  
          • Configuring iSeries Access for Web
          • Preparing to perform the configuration changes.
          • Calling WebSphere to perform the configuration changes.
          • iSeries Access for Web command has completed. 
          • The WebSphere instance application server must be stopped and then started to enable the configuration changes.
              
        3. Press F3 or Enter when the command completes to exit the display session.
      • To use the QShell script command, follow these steps:
        1. Start the QShell environment using the following server command: QSH
        2. Make the iSeries Access for Web directory the current directory.  Run this server command:  
          cd /QIBM/ProdData/Access/Web2/install 
        3. Configure iSeries Access for Web for the Web application server previously created:
          cfgaccweb2 -appsvrtype *WAS60 -wasprf iwa60sso -appsvr iwa60sso 
                     -authtype *APPSVR -authmethod *FORM 
                     -wasusrid myadminid -waspwd myadminpwd
          These are the parameters used:
          -appsvrtype
          Tells the command which Web application server to configure.
          -wasprf
          Tells the command which profile of the Web application server to configure. In previous releases of WebSphere, the -wasinst parameter was used. In WebSphere Application Server V6.0 for OS/400, profiles have replaced instances.
          -appsvr
          Tells the command the name of the Web application server within the profile to configure.
          -authtype
          Tells the command which authentication type to use. *APPSVR indicates the Web application server should authenticate the user using the WebSphere active user registry.
          -authmethod
          Tells the command which authentication method to use. *FORM indicates the Web application server should authenticate using form-based HTTP authentication.
          -wasusrid
          Tells the command which WebSphere administrative user ID to use when accessing this Web application server. Replace the example value with an administrator user ID defined in the WebSphere active user registry.
          -waspwd
          Tells the command which WebSphere administrative password to use when accessing this Web application server. Replace the example value with the password for the administrative user ID provided with the -wasusrid parameter.
          For help on this command and the parameters, specify the -? parameter. Refer to the online help for the command for additional options and information.
        4. Several messages similar to these will be displayed:  
          • Configuring iSeries Access for Web.
          • Preparing to perform the configuration changes. 
          • Calling WebSphere to perform the configuration changes. 
          •  iSeries Access for Web command has completed.
          • The WebSphere instance application server must be stopped and then started to enable the configuration changes.
              
        5. Press F3 when the command completes to exit the QShell session.
    6. If the command fails or indicates an error, refer to the log files:
      /QIBM/UserData/Access/Web2/logs/cmds.log
      High level, cause and recovery information; translated.
      /QIBM/UserData/Access/Web2/logs/cmdstrace.log
      Detailed command flow for IBM Software Service; English only.
    7. After successfully configuring iSeries Access for Web, the WebSphere application server must be restarted to load the changes to its configuration.  This will be done later.
    8. Sign off the 5250 session and close the window.
  4. Start the Web environment.
    1. Return to the browser window that is open to the IBM Web Administration for iSeries server management page.
    2. The Manage > Application Servers tabbed page should be active. Under Instance/Server is listed iwa60sso/iwa60sso – WAS, V6 with a status of Running. Stop and restart the WebSphere application server:
      1. Select the red icon next to the Running status to stop the WebSphere server. Select the refresh icon next to the Stopping status to refresh the page if the page does not periodically refresh.
      2. When the status is updated to Stopped, select the green icon next to Stopped to start the WebSphere application server.
      3. The status will be updated to Starting. Select the refresh icon next to the Starting status to refresh the page if it does not periodically refresh.
        Important: Wait for the status to be updated to Running before moving to the next step.
        iSeries Access for Web will load and start as the WebSphere application server starts.
    3. Select the HTTP Servers tabbed page.
    4. Under Server, select IWA60SSO - Apache. The current status of this Apache HTTP server should be Stopped. Select the green icon next to the status to start the HTTP server. The status is updated to Running.
    5. Close the browser window.
  5. Use a browser to access iSeries Access for Web.
    1. Open a browser to either of the following addresses to access iSeries Access for Web:

      http://<server_name>:4044/webaccess/iWAHome
      http://<server_name>:4044/webaccess/iWAMain

    2. Log in using a WebSphere user ID and password defined in the WebSphere active user registry. The initial load of iSeries Access for Web might take a few seconds.  WebSphere Application Server is loading Java™ classes for the first time.  Subsequent loads of iSeries Access for Web will be faster.
    3. The iSeries Access for Web Home or Main page displays.
    4. Close the browser window.
By following the above steps, you completed these tasks:

In this example, only the CFGACCWEB2 command is used to configure iSeries Access for Web. For more information about using all the iSeries Access for Web CL commands, use the CL command finder.
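
For the QShell variant of step 3, the wrapper below is an added example (not IBM-supplied code and not part of the original page). It checks the -wasprf/-appsvr pair against the Instance/Server entry listed on the Manage page, quotes the *-prefixed values so the shell passes them literally, and takes the administrator credentials from the environment instead of the script. The function names, the WAS_ADMIN_ID and WAS_ADMIN_PWD variables, and a nonzero exit status from cfgaccweb2 on failure are assumptions.

```sh
#!/bin/sh
# Added example, not IBM code. Paths and flags are the ones shown on this page;
# function names and the WAS_ADMIN_* variables are assumptions of this sketch.
INSTALL_DIR=/QIBM/ProdData/Access/Web2/install
LOG_DIR=/QIBM/UserData/Access/Web2/logs

# Compare the -wasprf/-appsvr pair with the Instance/Server entry listed on the
# Manage > Application Servers page (assumed to read profile/server).
check_names() {   # $1=listed entry, e.g. iwa60sso/iwa60sso  $2=profile  $3=server
    if [ "$2/$3" != "$1" ]; then
        echo "-wasprf $2 -appsvr $3 does not match listed server $1" >&2
        return 1
    fi
}

# Print the command for review with the password masked.
show_cmd() {      # $1=profile  $2=server  $3=admin user ID
    printf '%s\n' "cfgaccweb2 -appsvrtype '*WAS60' -wasprf $1 -appsvr $2 -authtype '*APPSVR' -authmethod '*FORM' -wasusrid $3 -waspwd ********"
}

run_cfg() {       # $1=listed entry  $2=profile  $3=server
    if [ -z "${WAS_ADMIN_ID:-}" ] || [ -z "${WAS_ADMIN_PWD:-}" ]; then
        echo "set WAS_ADMIN_ID and WAS_ADMIN_PWD first" >&2
        return 1
    fi
    check_names "$1" "$2" "$3" || return 2
    cd "$INSTALL_DIR" || return 3
    show_cmd "$2" "$3" "$WAS_ADMIN_ID"
    # Single quotes stop the shell from treating *WAS60, *APPSVR and *FORM as
    # filename patterns. The password never appears in this file.
    if ! "$INSTALL_DIR/cfgaccweb2" -appsvrtype '*WAS60' -wasprf "$2" -appsvr "$3" \
            -authtype '*APPSVR' -authmethod '*FORM' \
            -wasusrid "$WAS_ADMIN_ID" -waspwd "$WAS_ADMIN_PWD"; then
        # Assumption: cfgaccweb2 exits nonzero on failure (not stated on the page).
        echo "cfgaccweb2 failed; see $LOG_DIR/cmds.log and $LOG_DIR/cmdstrace.log" >&2
        return 4
    fi
    echo "Stop and start the WebSphere application server to load the changes."
}

# Run only when called with three arguments: listed entry, profile, server.
if [ "$#" -eq 3 ]; then
    run_cfg "$@"
fi
```
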

Related concepts
Single sign-on considerations
Related information
CL command finder