Chapter 17. Single sign-on 421
17.6 Configuring WebSphere Application Server V5.0
This section discusses the Security administration, LDAP User Registry
configuration, and Lightweight Third Party Authentication (LTPA) in WebSphere
Application Server.
Before continuing with the rest of this section, make sure that:
- The IBM Directory Server V5.1 service is running in the Windows Control Panel.
- The IBM WebSphere Application Server V5 - server1 service is running in the Windows Control Panel.
17.6.1 Configuring LTPA
Lightweight Third Party Authentication (LTPA) is intended for distributed environments with multiple
application servers and machines. It supports forwardable credentials, and therefore supports
single sign-on. LTPA requires a configured user registry that acts as a central shared repository.
This can be an LDAP user registry, a Windows domain user registry, or a custom user registry. An LDAP
server is used for the discussion in this chapter.
1. Launch WebSphere Administrative Console by selecting Start -> Programs
-> IBM WebSphere -> Application Server v5.0 -> Administrative Console.
2. Enter any user ID to log on to the WebSphere Administrative Console, since you have not yet
enabled WebSphere security. The only purpose of the user name on the logon window at this point is
logging.
3. In the Navigation pane on the left, click Security -> Authentication
Mechanisms -> LTPA.
4. Enter the password twice. This password is the password to protect LTPA
keys. You will need this password in order to import the keys into any other
SSO-enabled server.
5. Click OK to make the changes effective.
6. Click Save in the Messages box at the top of the window. See Figure 17-15
on page 422.
422 eClient 101 Customization and Integration
Figure 17-15 Save step #1 in WebSphere
7. Click Save on the Save to Master Configuration window. Changes made in the WebSphere
Administrative Console are not written to the configuration repository until this step.
8. In the Navigation pane on the left, click Security -> Authentication
Mechanisms -> LTPA.
9. Click Single Signon (SSO) at the bottom of the LTPA pane on the right. The
Single sign-on window appears.
10. Set the values for the fields in Table 17-13. See Figure 17-16 on page 423.
Table 17-13 Configuring WebSphere single sign-on
Field           Value
Enabled         True
Requires SSL    False
Domain Name     ibm.com
The domain name (ibm.com, for example) specifies the set of all hosts to which single sign-on
applies. If this field is not defined, the Web browser defaults the domain name to the host name
where the Web application is running. This means single sign-on is restricted to that application
server host name and does not work with other application server host names in the domain.
When the Requires SSL field is checked, single sign-on is enabled only when requests arrive over
HTTPS (Secure Sockets Layer) connections.
Figure 17-16 Configuring WebSphere single sign-on
11. Click OK to make the change effective.
12. Click Save twice to save the change to the WebSphere configuration repository.
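The Domain Name and Requires SSL settings in Table 17-13 scope the LTPA single sign-on cookie the way a browser scopes any cookie: with no domain the cookie is host-only, with a domain it is sent to every host in that domain, and with Requires SSL it is sent only over HTTPS. The following is an added example (not part of the book and not WebSphere's code) that models that behaviour so the effect of each setting can be checked; the host names cm71.ibm.com, cm72.ibm.com and notibm.com are constructed, and the cookie attribute mapping is a simplified assumption, not WebSphere's actual cookie logic.

```python
"""Simplified model of how the Table 17-13 single sign-on settings scope the
LTPA cookie between hosts (added example, not WebSphere code)."""
from urllib.parse import urlsplit


def ltpa_cookie_attributes(issuing_host, domain_name=None, requires_ssl=False):
    """Cookie scoping implied by the SSO settings (assumed mapping): with no
    Domain Name the cookie is tied to the issuing host only; Requires SSL
    behaves like the cookie Secure flag."""
    return {
        "name": "LtpaToken",
        "issuing_host": issuing_host.lower(),
        "domain": domain_name.lower().lstrip(".") if domain_name else None,
        "secure": bool(requires_ssl),
    }


def domain_matches(host, cookie_domain):
    """Browser-style domain match: exact host or a dot-separated subdomain.
    Requiring the '.' keeps 'notibm.com' from matching the domain 'ibm.com'."""
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookie_presented(cookie, url):
    """Would a browser send this cookie with a request to `url`?"""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if cookie["secure"] and parts.scheme != "https":
        return False  # Requires SSL: token travels over HTTPS only
    if cookie["domain"] is None:
        return host == cookie["issuing_host"]  # no Domain Name: single host
    return domain_matches(host, cookie["domain"])


def sso_reach(issuing_host, urls, domain_name=None, requires_ssl=False):
    """Map each URL to whether single sign-on reaches it under these settings."""
    cookie = ltpa_cookie_attributes(issuing_host, domain_name, requires_ssl)
    return {url: cookie_presented(cookie, url) for url in urls}


if __name__ == "__main__":
    # Constructed sample hosts: the token was issued by cm71.ibm.com.
    urls = [
        "http://cm71.ibm.com/eclient",
        "http://cm72.ibm.com/app",
        "https://cm72.ibm.com/app",
        "http://notibm.com/app",
    ]
    for label, kwargs in (
        ("no Domain Name", {}),
        ("Domain Name ibm.com", {"domain_name": "ibm.com"}),
        ("Domain Name ibm.com + Requires SSL", {"domain_name": "ibm.com", "requires_ssl": True}),
    ):
        print(label)
        for url, ok in sso_reach("cm71.ibm.com", urls, **kwargs).items():
            print(f"  {url:32} {'SSO' if ok else 'no SSO'}")
```

Running the block prints, for each of the three setting combinations, which of the sample URLs the token reaches; the host-only case shows why leaving Domain Name blank confines single sign-on to the issuing application server.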
17.6.2 Generating LTPA keys
Complete the following steps to generate LTPA keys:
1. In the Navigation pane on the left, click Security -> Authentication
Mechanisms -> LTPA.
2. Click Generate Keys. This launches the key generation process in the
background. You will be prompted to save the configuration after the process
is completed.
3. Click OK to make the change effective.
4. Click Save twice to save the changes. The generated keys are stored in the
security.xml file.
5. In the Navigation pane on the left, click Security -> Authentication
Mechanisms -> LTPA.
6. In the Key File Name field, specify the name of the file where LTPA keys will
be stored when you export them. You need to export the keys in order to
enable single sign-on on another server. Specify the full path name for the key
file, in our example c:\WebSphere\Appserver\etc\SSO_ltpakeys.
7. Click Export Keys. The keys are written to the specified file. Example 17-2 shows a sample key
file.
Example 17-2 Sample exported key file
#IBM WebSphere Application Server key file
#Thu May 01 23:40:40 CDT 2003
com.ibm.websphere.CreationDate=Thu May 01 23\:40\:40 CDT 2003
com.ibm.websphere.ltpa.version=1.0
com.ibm.websphere.ltpa.3DESKey=vQ0Pjm0XWk3YQFZe1lcgM+ON2gGrPWLbp7ji+BJPSDM\=
com.ibm.websphere.CreationHost=CM71
com.ibm.websphere.ltpa.PrivateKey=7JmY+QzBUThxt2FIJ7F+PKu7RLJcSEMjDkIs2jRp7KQIpkEFNCCKq44mJ9GYFim/3yYKU8HP+j7EKFxsIXKWJGWc0pMIBMtrriQyKKgZHl8YyZQVR2zuqJO2C1Pruc5HeNcWNSKZ6oOov0wQXEGECMJCdPaY2IVkWfH1/3HqODYQGjr1hiUP5BgWO2c/UNva1XmxUJkg4ZzzQEqSRfcg/zWPtH6NeUWPLZQ9REtKwam8hCd2xbm2+b4gfutJ9rcGiQg/uoQ8UfZyoIiR75nPclGsmYDIrQHrO8Dt6F4u2VEFtyFF9ebiwZGtd5ZJvyz32K/3jpYJFKtuEWEBuYjSmhbB2JrVkE29Z80bfObvNoQ\=
com.ibm.websphere.ltpa.Realm=
com.ibm.websphere.ltpa.PublicKey=AKEPdnxl4dWUTgaWQhdDzucH2squnD52GDcvTtf7bZP4DXJTkuvvoD63NGx3szOPJgEo0JLoUPIsw/UP7z7gABbW2fKmnvluiXytn7jCSOZMy4v2HvVycjUrUycG1+wIbZ1zaSVWgZvx4vHWKmdmkbyJ55vg7uvIX3Yu5oSUPdvhAQAB
8. Click Save twice to save the change to the configuration repository.
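The exported key file in Example 17-2 is Java .properties syntax (note the escaped colons and equals signs), and it is what you hand to every other server that must join the single sign-on domain. Before importing it elsewhere, it is worth checking that the file is intact and decodes cleanly. The following is an added example, not IBM's code: a small properties parser plus a structural check of the LTPA entries, run here against the page's own Example 17-2 with the print-wrapped key values joined back onto single lines. It assumes that the 3DESKey and PrivateKey values are the password-protected forms the text describes (so it only verifies they decode to whole 8-byte blocks and does not decrypt them), and it reads the PublicKey as a big-endian modulus followed by a three-byte public exponent, which is the layout the sample itself exhibits (129-byte modulus with a leading zero byte, then 01 00 01); the warning strings and the function names are this example's own.

```python
"""Structural check of an exported WebSphere LTPA key file before importing it
into another SSO-enabled server (added example, not IBM code)."""
import base64

# Example 17-2 from the page; key values wrapped for print are joined here.
SAMPLE_KEY_FILE = r"""#IBM WebSphere Application Server key file
#Thu May 01 23:40:40 CDT 2003
com.ibm.websphere.CreationDate=Thu May 01 23\:40\:40 CDT 2003
com.ibm.websphere.ltpa.version=1.0
com.ibm.websphere.ltpa.3DESKey=vQ0Pjm0XWk3YQFZe1lcgM+ON2gGrPWLbp7ji+BJPSDM\=
com.ibm.websphere.CreationHost=CM71
com.ibm.websphere.ltpa.PrivateKey=7JmY+QzBUThxt2FIJ7F+PKu7RLJcSEMjDkIs2jRp7KQIpkEFNCCKq44mJ9GYFim/3yYKU8HP+j7EKFxsIXKWJGWc0pMIBMtrriQyKKgZHl8YyZQVR2zuqJO2C1Pruc5HeNcWNSKZ6oOov0wQXEGECMJCdPaY2IVkWfH1/3HqODYQGjr1hiUP5BgWO2c/UNva1XmxUJkg4ZzzQEqSRfcg/zWPtH6NeUWPLZQ9REtKwam8hCd2xbm2+b4gfutJ9rcGiQg/uoQ8UfZyoIiR75nPclGsmYDIrQHrO8Dt6F4u2VEFtyFF9ebiwZGtd5ZJvyz32K/3jpYJFKtuEWEBuYjSmhbB2JrVkE29Z80bfObvNoQ\=
com.ibm.websphere.ltpa.Realm=
com.ibm.websphere.ltpa.PublicKey=AKEPdnxl4dWUTgaWQhdDzucH2squnD52GDcvTtf7bZP4DXJTkuvvoD63NGx3szOPJgEo0JLoUPIsw/UP7z7gABbW2fKmnvluiXytn7jCSOZMy4v2HvVycjUrUycG1+wIbZ1zaSVWgZvx4vHWKmdmkbyJ55vg7uvIX3Yu5oSUPdvhAQAB
"""

LTPA_PREFIX = "com.ibm.websphere.ltpa."


def _unescape(s):
    """Undo Java .properties escapes: \\:, \\=, \\\\, \\n, \\t and \\uXXXX."""
    out, i = [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            n = s[i + 1]
            i += 2
            if n == "u" and i + 4 <= len(s):
                out.append(chr(int(s[i:i + 4], 16)))
                i += 4
            else:
                out.append({"n": "\n", "t": "\t", "r": "\r", "f": "\f"}.get(n, n))
        else:
            out.append(c)
            i += 1
    return "".join(out)


def parse_java_properties(text):
    """Minimal Java .properties reader: comments, backslash continuations,
    first unescaped '=', ':' or whitespace separates key from value."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.lstrip()
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:          # odd number of trailing backslashes: continued
            buf += line[:-1]
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)
    props = {}
    for line in logical:
        if not line or line[0] in "#!":
            continue
        i = 0
        while i < len(line):
            if line[i] == "\\":
                i += 2
                continue
            if line[i] in "=: \t":
                break
            i += 1
        key = _unescape(line[:i])
        rest = line[i:].lstrip(" \t")
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip(" \t")
        props[key] = _unescape(rest)
    return props


def inspect_ltpa_keyfile(text):
    """Decode the LTPA entries and report sizes plus anything worth a second look."""
    p = parse_java_properties(text)
    blobs = {n: base64.b64decode(p.get(LTPA_PREFIX + n, "")) for n in ("3DESKey", "PrivateKey", "PublicKey")}
    warnings = []
    version = p.get(LTPA_PREFIX + "version")
    if version != "1.0":
        warnings.append(f"unexpected ltpa.version {version!r}")
    if p.get(LTPA_PREFIX + "Realm", "") == "":
        warnings.append("realm is empty")
    for name in ("3DESKey", "PrivateKey"):       # password-protected values (assumed block-cipher form)
        if not blobs[name] or len(blobs[name]) % 8:
            warnings.append(f"{name} is not a whole number of 8-byte blocks")
    pub = blobs["PublicKey"]
    modulus_bits = exponent = None
    if len(pub) > 3:                             # assumed layout: modulus || 3-byte exponent
        modulus_bits = int.from_bytes(pub[:-3], "big").bit_length()
        exponent = int.from_bytes(pub[-3:], "big")
        if exponent != 65537:
            warnings.append(f"unexpected public exponent {exponent}")
    else:
        warnings.append("PublicKey missing or too short")
    return {
        "version": version,
        "creation_host": p.get("com.ibm.websphere.CreationHost"),
        "des_key_bytes": len(blobs["3DESKey"]),
        "private_key_bytes": len(blobs["PrivateKey"]),
        "public_key_bytes": len(pub),
        "modulus_bits": modulus_bits,
        "public_exponent": exponent,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for k, v in inspect_ltpa_keyfile(SAMPLE_KEY_FILE).items():
        print(f"{k:18} {v}")
```

On the sample this reports a 1.0 key file created on CM71 with a 1024-bit public modulus and exponent 65537, and flags only that the Realm entry is empty; a damaged copy (a truncated key line, or the wrapped form pasted as-is from the book) fails the block-size check or the base64 decode instead of silently importing.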
17.6.3 Configuring LDAP user registries
To configure WebSphere's LDAP user registry, complete the following steps:
1. In the Navigation pane on the left, click Security -> User Registries -> LDAP.
The LDAP user registries window is displayed on the right.
2. Set the values for the fields in Table 17-14 on page 425. See Figure 17-17 on
page 426.