I want to have SSO with ICA 3 and Domino 8.5.3.
That's what happens:
Installed ICA 3.0.1 with Jetty.
Configure application login settings
- Requires users to log in
- Use the LDAP server to authenticate
- LDAP-server connection against "domino02.ebusiness.local", Port 389, do not use credentials to access the LDAP server
- Configure LDAP properties for user (cn, not uid) and group entries, Test both entries --> verified, O.K.
- esadmin system stop and esadmin system start
- ICA-Admin - only named Administrators (System level security, Administrative roles) can login, RIGHT
- Search: Users from Domino-LDAP can login, wrong password or cn --> no login, right message on the screen
Next: we configured a secure collection with secure search in Win-FS and in some domino databases.
We have to manage "My profile" - and: Secure search works fine, different matches for different users.
But it requires a login on the Domino server if we want to see a match in ICA from its Domino source.
From the LTPA view, generated in WAS, this Domino server is a member of the WAS LTPA token domain (we've imported the same LTPA key into the Web SSO document).
Next step in ICA-Admin: SSO, Configure application login settings again
- check Use LTPA tokens for single sign-on (SSO)
- cookie domain ".ebusiness.local"
- check LTPA interoperability mode (...later try: same result if I uncheck this)
- LTPA key: get the file LTPAToken.key from the WAS-server and stored local, validate password O.K.
- Import Key from that existing key file (necessary??? it's done yet...)
Now I'm logged in as a search user. If I want to type something in the search line, I get the Windows security window "The server kaw8ica1.ebusiness.local at EnterpriseSearchRealm requires a username and password". If I type username and password (and check "remember my credentials"), then it works fine in the search.
But: we don't have a SSO with the domino-server, I have to login to the domino-server too.
Get following cookies (read in Firefox)
--> delete all cookies
--> open the search
- no cookies (some later: google cookies...)
- from website kaw8ica1.ebusiness.local
2. Name: com.ibm.ica.welcome.search.doNotShow, content: true, Host: ...same, path: /search/ sent for: every ... valid to: 14 days
-> after login to the domino server
- new cookies from the website ebusiness.local
2. Name: LtpaToken, content: other (long string); domain, path, sent for and valid: same as LtpaToken2
I wonder why we don't get an LTPA token for the domain .ebusiness.local from the ICA server; we get it from the Domino server.
I've noticed that the realm name in the WAS LTPAToken is "defaultWIMFileBasedRealm"; it's federated against the same Domino server and some local users on the WAS.
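To make sense of which server's cookies reach which host, here is an added example (not part of the original post) that applies RFC 6265 domain matching to the cookies described above. The host names are taken from the post; the cookie table is constructed from its description, and whether ICA will accept a token that does arrive still depends on the shared LTPA key and realm, which this check cannot tell.

```python
import ipaddress

# Constructed sample data transcribed from the post's cookie observations:
# (cookie name, host that set it, Domain attribute or None for a host-only cookie)
OBSERVED_COOKIES = [
    ("com.ibm.ica.welcome.search.doNotShow", "kaw8ica1.ebusiness.local", None),
    ("LtpaToken2", "domino02.ebusiness.local", ".ebusiness.local"),
    ("LtpaToken", "domino02.ebusiness.local", ".ebusiness.local"),
]


def is_ip(host):
    """True if host is a literal IPv4/IPv6 address (never domain-matched)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(host, cookie_domain):
    """RFC 6265 section 5.1.3: host equals the domain, or host ends with
    '.' + domain and is not an IP address. A leading dot is ignored."""
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".")
    if host == domain:
        return True
    return host.endswith("." + domain) and not is_ip(host)


def cookie_sent_to(host, setting_host, cookie_domain):
    """Would the browser send this cookie on a request to `host`?"""
    if cookie_domain is None:  # host-only cookie: exact host match required
        return host.lower() == setting_host.lower()
    return domain_matches(host, cookie_domain)


def sso_cookies_for(host, cookies=OBSERVED_COOKIES):
    """Names of the LTPA cookies that reach `host`, sorted for stable output."""
    return sorted(name for name, setter, dom in cookies
                  if name.startswith("LtpaToken") and cookie_sent_to(host, setter, dom))


if __name__ == "__main__":
    for h in ("kaw8ica1.ebusiness.local", "domino02.ebusiness.local", "other.example"):
        print(h, "->", sso_cookies_for(h))
```

Because the Domino-issued LTPA cookies carry Domain=.ebusiness.local, they are sent to kaw8ica1.ebusiness.local as well, so cookie scope is not what blocks SSO here; a host-only cookie such as the doNotShow one stays with the host that set it.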
So I added the following entries in the LTPA tokens - SSO-section (security - ICA-Admin)
Additional domain: defaultWIMFileBasedRealm
Additional user name suffix: defaultWIMFileBasedRealm
--> both entries or only one of them, three tries, same result: nothing has changed
Investigation of the string "EnterpriseSearchRealm" in all files of the ES-NODE- and ES-ROOT-directory had 158 files matched ...
By the way: I get systemalerts ...
02/13/2013 12:04:09 CET: kaw8ica1: Monitor (node1): FFQC4823E Die Sitzung ConfigManager Core Service (node1) configmanager ist inaktiv.
02/13/2013 12:04:15 CET: kaw8ica1.ebusiness.local: Search Application (node1): FFQO0277E Eine Ausnahmebedingung mit der Zusatzinformation
'com.ibm.es.security.ltpa.LTPAKeyStoreException: java.io.IOException: Invalid keystore format' und dem Stack-Trace 'com.ibm.es.security.ltpa.LTPAKeyStoreException: java.io.IOException: Invalid keystore format
--> (see attached file)
Long explanation - the short question is:
Can I use a WAS-LTPA-Token in a jetty application server for SSO purpose?
(and if yes: what do I have to do?)
Thanks
Michael