IC4NOTICE: developerWorks Community will be offline May 29-30, 2015 while we upgrade to the latest version of IBM Connections. For more information, read our upgrade FAQ.
2 replies Latest Post - ‏2013-02-18T13:44:10Z by kossi
13 Posts

Pinned topic Jetty - SSO

‏2013-02-13T13:58:36Z |
Hi all,

I want to have a SSO with ICA 3 and domino 8.5.3.

Thats what happens:
Installed ICA 3.0.1 with Jetty.
Configure application login settings
  • Requires users to log in
  • Use the LDAP server to authenticate
  • LDAP-server connection against "domino02.ebusiness.local", Port 389, do not use credentials to access the LDAP server
  • Configure LDAP properties for user (cn, not uid) and group entries, Test both entries --> verified, O.K.
  • esadmin system stop and esadmin system start
  • ICA-Admin - only named Administrators (System level security, Administrative roles) can login, RIGHT
  • Search: Users from Domino-LDAP can login, wrong password or cn --> no login, right message on the screen

Next: we configured a secure collection with secure search in Win-FS and in some domino databases.
We have to manage "My profile" - and: Secure search works fine, different matches for different users.
But it requires a login on the domino server if we want to see a match in ICA on his domino-source.
From the LTPA-view, generated in WAS, this domino-server is member of the WAS-LTPA-Token-domain (we've imported the same LTPA-key into the web-SSO docuemnt).

Next step in ICA-Admin: SSO, Configure application login settings again
  • check Use LTPA tokens for single sign-on (SSO)
  • cookie domain ".ebusiness.local"
  • check LTPA interoperability mode (...later try: same result if I uncheck this)
  • LTPA key: get the file LTPAToken.key from the WAS-server and stored local, validate password O.K.
  • Import Key from that existing key file (necessary??? it's done yet...)
--> esadmin system stop and esadmin system start

Now I'm logged in as a search user. If I want to type something in the search line, I get the Windows security window "The server kaw8ica1.ebusiness.local at EnterpriseSearchRealm requires a username and password". If I type username an password (and check "remember my credentials"), then it works fine, in the search.
But: we don't have a SSO with the domino-server, I have to login to the domino-server too.

Get following cookies (read in Firefox)
--> delete all cookies
--> open the search
  • no cookies (some later: google cookies...)
--> after login to the EnterpriseSearchRealm:
  • from website kaw8ica1.ebusiness.local
1. Name: ICASESSIONID, content: rt0xk9toypdk, Host: kaw8ica1.ebusiness.local, path: / sent for: every connection type, valid: to the end of the session
2. Name:, content: true, Host: ...same, path: /search/ sent for: every ... valid to: 14 days
-> after login to the domino server
  • new cookies from the website ebusiness.local
1. Name: LtpaToken2, content: (long string), domain: .ebusiness.local, path: / sent for: every connection type, valid: to the end of the session
2. Name: LtpaToken, content: other (long string); domain, path, sent for and valid: same as LtpaToken2
Wondering that we don't get a LTPA-token for the domain .ebusiness.local from the ICA-Server, we get it from the domino server.
I've mentioned, that the Realm name in the WAS-LTPAToken is "defaultWIMFileBasedREalm", it's federated against the same domino server and some local users on the WAS.

So I added the following entries in the LTPA tokens - SSO-section (security - ICA-Admin)
Additional domain: defaultWIMFileBasedRealm
Additional user name suffix: defaultWIMFileBasedRealm
---> both entries or only one of them --> 3 try --> same result, nothing has changed

Investigation of the string "EnterpriseSearchRealm" in all files of the ES-NODE- and ES-ROOT-directory had 158 files matched ...

By the way: I get systemalerts ...
02/13/2013 12:04:09 CET: kaw8ica1: Monitor (node1): FFQC4823E Die Sitzung ConfigManager Core Service (node1) configmanager ist inaktiv.
02/13/2013 12:04:15 CET: kaw8ica1.ebusiness.local: Search Application (node1): FFQO0277E Eine Ausnahmebedingung mit der Zusatzinformation
' Invalid keystore format' und dem Stack-Trace ' Invalid keystore format
--> see attached file)

Long explanation - the short question is:
Can I use a WAS-LTPA-Token in a jetty application server for SSO purpose?
(and if yes: What I have to do?)

Updated on 2013-02-18T13:44:10Z at 2013-02-18T13:44:10Z by kossi
  • SystemAdmin
    197 Posts

    Re: Jetty - SSO

    ‏2013-02-14T16:57:02Z  in response to kossi
    Hi Michael,

    My name is Thai Tran and I work for ICA team. Let me try to provide you with the SSO's issue. The short anwser is yes. You can import the LTPA key in a jetty application system for SSO. Below are the neccesary steps to configure SSO with LTPA key for ICA:

    1. Assuming that you have the LTPA key generated from Websphere and imported to Domino server. At this point,assuming SSO is working between WAS and Domino.

    2. Configure LDAP for ICA. I assume that the same LDAP is using for Domino, WAS and ICA. Ideally, I would use Domino server as LDAP for both WAS and ICA.

    3. Generate LTPA key store: Go to Security > Configure Security Application Settings:
    - Check "Use LTPA tokens for application single sign-on"
    - Fill in "Cookie Domain name" info (Make sure you put a period in front ex:
    - Make sure "LTPA interoperability mode" is checked
    - Click on "Generate Key" button to create LTPA store. You will be prompt to enter password. Enter password. Make sure that esltpa.jceks is created under <es_NodeRoot>/master_config. You may need to click this button a few times

    4. Import the LTPA key(generated from WAS earlier): Go to security > Configure Security Application Settings:
    - Make sure the Cookie Domain name is filled in (ex:
    - Make sure "LTPA interoperability mode" is checked
    - Fill in "Additional Domain Name" info. That should be the realm name in your WebSphere server setting (ex: defaultWIMFileBasedRealm)
    - Type in the path of the key (ex: c:\ltpa.key) and password when prompt.
    - You should see "The specified LTPA token was succefully imported" check.

    You should check to ensure that real name is the same among all servers and LTPA interoperability mode is enabled for all servers also. I hope these steps will solve the issues. Let me know if you have any problems.


    • kossi
      13 Posts

      Re: Jetty - SSO

      ‏2013-02-18T13:44:10Z  in response to SystemAdmin
      Hi Thai,
      thanks, that was the solution.
      My missunderstood was the step 3: I did not generate the key store, cause I thought "I have the import", not a new one ("generate").
      Now it's clear
      1. Generate the key store
      2. Import the LTPA Token.
      Now it works fine: Jetty with SSO with an LTPA-Token from a WAS.