ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzatz_5.4.0.1/51/sec/secssvrf.htm

66 lines
5.5 KiB
HTML

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Verify single signon between WebSphere Application Server - Express and Lotus Domino</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h5><a name="secssvrf"></a>Verify single signon between WebSphere Application Server - Express and Lotus Domino</h5>
<p>This topic discusses the verification of single signon between Domino and WebSphere Application Server - Express. Before proceeding, verify that the following conditions are met:</p>
<ul>
<li>The LDAP directory contains at least one user that is defined for testing purposes.</li>
<li>The WebSphere administrative console can be started for each of the WebSphere administrative domains that are involved in single signon.</li>
<li>A user can authenticate to each administrative domain with a security name that is defined in the LDAP directory.</li>
<li>At least one user in the LDAP directory is authorized to access at least one Domino resource, such as the Domino Directory.</li>
<li>At least one user in the LDAP directory is authorized to access at least one WebSphere resource, such as the WebSphere administrative console.</li>
<li>From a Web browser that is configured not to <em>not</em> accept HTTP cookies, you are able to reach the following resources after you enter a user ID and password:
<ul>
<li>WebSphere-protected resources (such as a servlet).</li>
<li>Domino-protected resources (suc as a Lotus Notes database).</li>
</ul></li>
</ul>
<p>If all of the preliminary tests succeed, you are ready to verify that single signon is working correctly.</p>
<p>To test single signon between WebSphere Application Server - Express and Domino, perform the following steps:</p>
<ol>
<li><p>Restart your Web browser.</p></li>
<li><p>Configure the Web browser to accept HTTP cookies. (If you are using Internet Explorer, enable the per-session (not stored) type of cookies.</p></li>
<li><p>Configure the browser to notify you before it accepts HTTP cookies. The warning provides visual confirmation that Domino and WebSphere Application Server are generating and returning HTTP cookies to your browser after the server authenticates you. (You can suppress the cookie notifications after you verify that cookies are being exchanged.)</p></li>
<li><p>From the browser, specify the URL for a resource that is protected by the Domino server; for example, attempt to open a database that does not permit access to anonymous users, as shown in the following example:</p>
<ol type="a">
<li><p>Make sure to use a fully qualified DNS host name in the URL; for example, enter
<tt>http://myhost.mycompany.com/names.nsf</tt> instead of <tt>http://myhost/names.nsf</tt>.</p></li>
<li><p>When you are prompted for a user ID and password, make sure that you specify a user ID that is authorized to resources for both the Domino and WebSphere application servers.</p>
<p>The format of the name depends on the level of restriction that Domino enforces for Web users and whether a Domino directory or another LDAP directory is being used. (For details on the options for basic authentication, see the <a href="http://www.lotus.com/ldd/doc/domino_notes/5.0.3/help5_admin.nsf" target="_blank">Domino 5 Administration Help</a> <img src="www.gif" width="19" height="15" alt="Link outside Information Center"> (http://www.lotus.com/ldd/doc/domino_notes/5.0.3/help5_admin.nsf); in particular, see the information on controlling the level of authentication for Web clients.)</p>
<p>The level of restriction that Domino enforces for Web users is set in the Web server authentication field on the Security window of the Server document. If you are using the default configuration settings, you can specify the user's short name or user ID.</p></li>
<li><p>When you are prompted, accept the HTTP cookie.</p></li>
</ol>
<p>If you can successfully access such a resource, the token that is generated by the Domino server is accepted by WebSphere Application Server - Express.</p></li>
<li><p>From the same browser session, attempt to access a resource that is protected by WebSphere Application Server - Express. If single signon is working correctly, access is granted without prompting you to log in.</p>
<p>Make sure to use the fully qualified DNS host name in the URL. For example, enter <tt>http://myhost.mycompany.com/snoop</tt> instead of <tt>http://myhost/snoop</tt>.</p>
<p><strong>Note:</strong> If you are getting a message about the session being expired or invalid, a possible cause is that the coordinated universal time offset is not set correctly on one of the systems. Verify that the system value QUTCOFFSET is correct.</p></li>
<li><p>From the same browser session, attempt to access resources that are managed by any additional Domino and WebSphere domains which are included in your single signon configuration.</p></li>
<li><p>Restart your browser session and perform the verification steps again; but this time, start by accessing a resource that is protected by WebSphere Application Server - Express. This verifies that the token that WebSphere Application Server generates is accepted by the Domino server or servers. When you are prompted for a user ID and password, use the user's short name or user ID, which is the default naming convention for users in WebSphere Application Server - Express.</p></li>
</ol>
</body>
</html>