Configuring single sign-on for an external FileNet Content Manager
To give an IBM® Business Process Manager user access to case information on an external Enterprise Content Management (ECM) system, you must configure cross-cell single sign-on (SSO) between the IBM BPM cell and the external IBM FileNet® Content Manager cell. The configuration covers the shared user registry, the trusted realms, the shared Lightweight Third-Party Authentication (LTPA) keys, and SSL between the two cells.
Procedure
To configure single sign-on for an external FileNet Content Manager, complete the following steps:
- Ensure that FileNet Content Manager is installed on WebSphere Application Server version 8.5 or later.
- Configure access to a shared user repository. Both IBM BPM and FileNet Content Manager must see the same set of users, so configure both cells to use the same user repository, such as a Lightweight Directory Access Protocol (LDAP) directory. SSO only carries an already authenticated identity from one cell to the other; it does not create users in the second cell. To configure access to a shared user repository, follow these steps:
- In the WebSphere administrative console on both systems, select Security > Global security. The Global security page opens.
- In the Available realm definitions drop-down list, select one of these options:
- If FileNet Content Manager is configured with a federated repository, select Federated Repositories and then click Configure. The Federated Repositories page opens.
- If FileNet Content Manager is configured with a stand-alone LDAP, select Standalone LDAP and then click Configure. The Standalone LDAP page opens.
- Configure your shared user repository with matching user and group attributes.
- Select Require SSL communications for the user repositories. This setting is recommended in any environment, because without it the bind credentials and every directory lookup travel in clear text between the application server and the LDAP directory.
- Test your LDAP connection. See Configuring Lightweight Directory Access Protocol (LDAP) for federated repositories or Configuring stand-alone Lightweight Directory Access Protocol (LDAP).
- If the realm names of IBM BPM and FileNet Content Manager differ (for example, because you set different active realm definitions), make sure that each cell trusts the realm of the other cell. An LTPA token identifies the realm in which the user was authenticated, and a cell rejects tokens from realms it does not trust. In each cell:
- From the navigation panel, click Security > Global security.
- Under RMI/IIOP security, click CSIv2 inbound communications.
- Click Trusted authentication realms - inbound.
- Select the Trust realms as indicated below option, click Add external realm, and add the realm name of the remote cell.
- Click Apply.
- In the WebSphere administrative console of both systems, select Users and Groups > Manage Users and search for the IBM BPM user ID that you are going to define as the ECM administrative user. Verify that the user ID is unique and that it exists in the shared user repository.
- Configure single sign-on with Lightweight Third-Party Authentication (LTPA) keys. Because the user IDs are shared, a user who is authenticated in either system does not need to authenticate again when connecting to the other system, provided that both cells validate LTPA tokens with the same keys. If you are adding a FileNet Content Manager system to an existing IBM BPM installation, export the LTPA keys from the IBM BPM system and import them into the FileNet Content Manager system. The keys can also be exported and imported in the other direction. These substeps follow the first approach.
You might want to increase the maximum number of keys that WebSphere Application Server keeps for the LTPA key set. When you import keys into a cell, the active keys are overwritten and the replaced keys become historic keys. By default, WebSphere keeps a maximum of two keys in the cell, so a second import pages out the cell's original key, and tokens that were signed with that key can no longer be validated. To keep such tokens valid during a transition, raise the maximum before you import.
- Select Security > Global security, expand Web and SIP security, and select Single sign-on (SSO). Make sure that Enabled is selected and specify the same domain name on both servers. The domain name is the common DNS suffix of the two host names (for example, example.com for hosts bpm.example.com and ecm.example.com); the browser returns the LTPA cookie only to hosts within this domain.
- In the WebSphere administrative console of the ECM system, verify that your LoginModule authentication settings do not prevent Single sign-on.
- In the WebSphere administrative console of the IBM BPM server, select Security > Global Security. The Global Security page opens.
- Click the LTPA link. The LTPA page opens.
- Export the LTPA keys to a file. Choose a strong password; it protects the exported file, which contains the keys that sign every LTPA token in the cell. Anyone who obtains the file and the password can mint a token for any user, so transfer the file over a protected channel and delete it from both systems after the import.
- Copy the exported file to a location that can be shared with the FileNet Content Manager system.
- In the WebSphere administrative console on the FileNet Content Manager system, select Security > Global Security. The Global Security page opens.
- Click the LTPA link. The LTPA page opens.
- Import the exported LTPA keys. Use the same password that was used for the export.
- Restart each WebSphere Application Server.
You have established single sign-on (SSO) between the two systems when the following test works: you can log in to one administrative console and then open the other administrative console without logging in again. Log in to the WebSphere Application Server administrative console where you exported the LTPA keys. In the address bar of the same browser, enter the URL of the WebSphere Application Server administrative console where you imported the LTPA keys. If that console opens without requiring you to log in, SSO is set up correctly.
The previous test works only if the administrative user is identical in both cells. An alternative test is to log on to both URLs with an ordinary user from the shared repository, that is, a user without administrative rights in either cell. For example, in IBM BPM, log in to the /ProcessPortal URL with a user from the shared repository. Then, in a new browser tab, open the URL of the FileNet Content Manager Administration Console for Content Platform Engine.
Note: Using localhost, a short host name, or the IP address in place of the fully qualified host name does not work. Single sign-on requires the browser to send the LTPA cookie to WebSphere Application Server. The cookie is issued for the configured SSO domain, and a browser stores and returns it only when the fully qualified host name in the URL lies within that domain.
- Update the ECM system to support SSL. The default installation of IBM BPM uses SSL. The default installation of FileNet Content Manager uses TCP/IP without SSL. Update the FileNet Content Manager system to support SSL by completing the following substeps:
- In the WebSphere administrative console on the FileNet Content Manager system, select Security > Global Security. The Global Security page opens.
- Expand the RMI/IIOP security section. A list of inbound and outbound links is displayed.
- Click each inbound and outbound link, and then in the Transport drop-down list, select SSL-required or SSL-supported. SSL-required rejects clear-text IIOP connections and is the setting to aim for; SSL-supported still accepts clear-text connections from clients that do not negotiate SSL, so use it only while older clients are being migrated. The inbound setting of one cell must be compatible with the outbound setting of the other.
- On both the IBM BPM and FileNet Content Manager systems, configure SSL to exchange SSL certificates in both directions between the servers by completing the following substeps:
- In the WebSphere administrative console, select Security > SSL certificate and key management. The SSL certificate and key management page opens.
- Select the Key stores and certificates link. The Key stores and certificates page opens.
- Select NodeDefaultTrustStore (on a stand-alone base server) or CellDefaultTrustStore (on a Network Deployment cell).
- Either extract the signer certificate to a file and copy it to the other system to add there, or use the Retrieve from port button to connect to the other system and retrieve the certificate. Retrieving from the port trusts whatever certificate the port presents, so compare the displayed fingerprint with the one reported by the administrator of the other system before you accept it. For details on retrieving from the port, see Configuring cross-cell security for IBM Process Center
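The console procedure above, scripted with wsadmin so that it can be repeated for each cell, as an added example that is not part of the IBM page and not code from either product. The script is Jython as wsadmin runs it (Jython 2.1 syntax, so no newer language features) and uses only the AdminTask commands that correspond to the console pages named above: addTrustedRealms, configureSingleSignon, exportLTPAKeys and importLTPAKeys, configureCSIInbound and configureCSIOutbound, retrieveSignerInfoFromPort and retrieveSignerFromPort. The cell name, host names, realm name, port, key file path and the LTPA_KEY_PASSWORD environment variable are assumptions to replace with your own values. The script also checks the SSO domain against both host names first, so the localhost, short-name or IP-address failure described in the note is caught before anything is saved.

```jython
# cross_cell_sso.py - added example, not from the IBM page or either product.
# Run once per cell:  "export" in the cell whose LTPA keys become the shared
# keys (IBM BPM here), "import" in the other cell (FileNet Content Manager).
#   LTPA_KEY_PASSWORD=... wsadmin.sh -lang jython -f cross_cell_sso.py export
#   LTPA_KEY_PASSWORD=... wsadmin.sh -lang jython -f cross_cell_sso.py import
import re
import sys
from java.lang import System

# --- assumed values; replace with your own ----------------------------------
CELL_NAME          = 'bpmCell01'          # cell this wsadmin session manages
SSO_DOMAIN         = 'example.com'        # must be identical in both cells
LOCAL_HOST         = 'bpm.example.com'    # FQDN users type for this cell
REMOTE_HOST        = 'ecm.example.com'    # FQDN users type for the other cell
REMOTE_SSL_PORT    = 9443                 # any SSL port of the other cell that
                                          # presents its default certificate
REMOTE_REALM       = 'ecmRealm'           # realm name used by the other cell
LTPA_KEY_FILE      = 'file:/tmp/ltpa.keys'  # exported keys: a secret, delete after use
REQUIRE_SSL_COOKIE = 'true'               # send the LTPA cookie only over HTTPS

def check_sso_domain(hostname, sso_domain):
    """Return 1 if a browser will store and resend the LTPA cookie for hostname.

    WebSphere issues the cookie with Domain=<sso_domain>.  Browsers discard a
    cookie whose Domain attribute does not cover the request host and never
    apply a Domain attribute to localhost or an IP address, which is why the
    SSO test on the page fails for those forms of the URL."""
    host = hostname.lower()
    domain = sso_domain.lower()
    if host == 'localhost' or re.match(r'^\d+(\.\d+){3}$', host):
        return 0
    if host == domain or host.endswith('.' + domain):
        return 1
    return 0

def trust_remote_realm(realm):
    # CSIv2 inbound/outbound communications > Trusted authentication realms.
    # Needed only when the two cells report different realm names.
    for direction in ('inbound', 'outbound'):
        AdminTask.addTrustedRealms(
            '[-communicationType %s -realmList %s]' % (direction, realm))

def configure_sso(domain, hosts):
    # Web and SIP security > Single sign-on (SSO).  Refuse a domain that would
    # yield a cookie the browser will not return for one of the hosts.
    for h in hosts:
        if not check_sso_domain(h, domain):
            raise ValueError('%s is not covered by SSO domain %s' % (h, domain))
    AdminTask.configureSingleSignon(
        '[-enable true -domainName %s -requiresSSL %s]' % (domain, REQUIRE_SSL_COOKIE))

def share_ltpa_keys(mode, key_file, password):
    # The file holds the secret that signs every LTPA token in the cell; whoever
    # has it plus the password can forge a token for any user.  Move it over a
    # protected channel and delete it on both sides after the import.
    if mode == 'export':
        AdminTask.exportLTPAKeys('[-ltpaKeyFile %s -password %s]' % (key_file, password))
    elif mode == 'import':
        AdminTask.importLTPAKeys('[-ltpaKeyFile %s -password %s]' % (key_file, password))
    else:
        raise ValueError('mode must be export or import, got %r' % mode)

def require_ssl_for_iiop():
    # RMI/IIOP security > CSIv2 inbound/outbound > Transport.  "Required" is
    # the hardened choice; "Supported" still accepts clear-text IIOP.
    AdminTask.configureCSIInbound('[-transportLayer Required]')
    AdminTask.configureCSIOutbound('[-transportLayer Required]')

def trust_remote_signer(host, port, cell, alias):
    # Scripted "Retrieve from port".  This is trust-on-first-use: the signer
    # details are printed so the fingerprint can be compared with what the
    # other cell's administrator reports.  On a stand-alone base server use
    # NodeDefaultTrustStore with scope (cell):<cell>:(node):<node> instead.
    print(AdminTask.retrieveSignerInfoFromPort('[-host %s -port %d]' % (host, port)))
    AdminTask.retrieveSignerFromPort(
        '[-keyStoreName CellDefaultTrustStore -keyStoreScope (cell):%s '
        '-host %s -port %d -certificateAlias %s]' % (cell, host, port, alias))

if __name__ in ('__main__', 'main'):   # wsadmin names the script module 'main'
    if len(sys.argv) < 1:               # under wsadmin, sys.argv[0] is the first script argument
        raise SystemExit('usage: wsadmin -lang jython -f cross_cell_sso.py export|import')
    password = System.getenv('LTPA_KEY_PASSWORD')   # keeps the secret off the command line
    if not password:
        raise SystemExit('set LTPA_KEY_PASSWORD in the environment first')
    trust_remote_realm(REMOTE_REALM)
    configure_sso(SSO_DOMAIN, [LOCAL_HOST, REMOTE_HOST])
    share_ltpa_keys(sys.argv[0], LTPA_KEY_FILE, password)
    require_ssl_for_iiop()
    trust_remote_signer(REMOTE_HOST, REMOTE_SSL_PORT, CELL_NAME, 'signer-' + REMOTE_HOST)
    AdminConfig.save()
    print('Saved. Synchronize nodes (Network Deployment) and restart every server in the cell.')
```

Run the script with export in the IBM BPM cell, copy /tmp/ltpa.keys to the FileNet Content Manager system over a protected channel, run it with import there, then delete the key file on both systems and restart both cells. Using Required for the CSIv2 transport in both directions means every IIOP client of the cell must speak SSL; on a cell that still has clear-text clients, change it to Supported, which is the SSL-supported choice in the console steps above.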