Configuring single sign-on (SSO)

You must configure single sign-on to allow federation or console integration between Netcool®/Impact and the IBM Dashboard Applications Services Hub.

Before you begin

For single sign-on to work you need a common user repository between your products, for example LDAP or ObjectServer. Also, your SSO parameter settings must be consistent between your products.

About this task

Enable single sign-on to avoid having to reenter your user credentials across IBM products. To configure single sign-on, complete the following steps.

Procedure

  1. Set up these parameters in the Dashboard Applications Services Hub web administrator console. Customize the values of the SSO Domain name parameters to avoid session issues between SSO and non-SSO web application products that might be using the same default SSO Domain name value.
    LTPA cookie name: Default value is LtpaToken2
    Domain name: The SSO domain name
    Realm name: The SSO realm name
  2. In the WebSphere console, set up the global security details.
    1. Log in to the WebSphere Application Server on the Jazz for Service Management dashboard server, by selecting Console Settings and WebSphere Administrative Console.
    2. Select Launch WebSphere Administrative Console.
    3. Under the Security node, select the Global Security link.
    4. Under the User account repository section, select Configure.
    5. Configure the Realm name and make note of the name for the Impact Realm configuration.
    6. Select Ok and save the configuration.
    7. Under the Security node, select the Global Security link.
    8. Under the Authentication section, select the Web and SIP security node.
    9. Select the Single sign-on (SSO) link.
    10. Configure the Domain name to the domain of the hosts running DASH and Impact. Make a note of the domain name for the Impact configuration.
    11. Configure the LTPA V2 cookie name to a unique value. The default is LtpaToken2. Make a note of the LTPA V2 cookie name for the Impact configuration.
    12. Select Ok and save the configuration.
  3. In the WebSphere console, add the Netcool/Impact SSL certificate into the Dashboard Applications Services Hub truststore.
    1. Log in to the WebSphere Application Server on the Jazz for Service Management dashboard server, by selecting Console Settings and WebSphere Administrative Console.
    2. Select Launch WebSphere Administrative Console.
    3. Under the Security node, select the SSL certificate and key management link.
    4. Under the Related Items section, select the Key stores and certificates link.
    5. Select the NodeDefaultTrustStore keystore.
    6. Under the Additional Properties section, select the Signer Certificates link.
    7. Select Retrieve from port.
    8. Enter the Host, Port, and Alias details for the GUI Server.
    9. Select Retrieve signer information.
    10. Select Ok and save the configuration.
  4. Export the ltpa.keys file from the Dashboard Applications Services Hub and apply a password to the ltpa.keys file.
    1. Log in to the WebSphere Application Server on the Jazz for Service Management dashboard server, by selecting Console Settings and WebSphere Administrative Console.
    2. Select Launch WebSphere Administrative Console.
    3. Under the Security node, start the Global security page.
    4. On the right, select the LTPA link.
    5. In the password fields, type a password to use for the ltpa.keys.
    6. Enter the location where the key is to be exported.
      For example, /tmp/ltpa.keys.
    7. Select Export Keys.
  5. Copy the exported ltpa.keys file into Netcool/Impact, into the following directories:
    • $IMPACT_HOME/wlp/usr/servers/<server name>/resources/security/ltpa.keys for the Impact Server.
    • $IMPACT_HOME/wlp/usr/servers/ImpactUI/resources/security/ltpa.keys for the GUI Server.
  6. Run the single sign-on configuration script $IMPACT_HOME/install/security/configImpactSSO.sh, specifying the same parameter values that are referenced in step 1. Enter the command:

    configImpactSSO.sh <realmname> <LTPA cookie name> <Domain name> <LTPA key password> <Admin password>

    If you exclude the password parameters, the script asks you to enter them at a password prompt, which keeps them off the command line, where they would be visible in shell history and process listings.

    Remember: If you run either of the authentication scripts, confAuth4OMNIbus or confAuth4LDAP, and you had SSO running previously, you must rerun the configImpactSSO script.
  7. Clear the cache from the browser.
  8. If there are multiple DASH or Netcool/Impact servers deployed, you must also ensure that the following conditions are met:
    1. All the servers are using the same ltpa.keys file.
    2. Go to the first DASH server and export the keys, then import them into the second DASH and Netcool/Impact Liberty profile. To import LTPA keys into DASH, follow step 3. Use the ltpa.keys file that you exported from the first DASH server, and in the final step of step 3, click Import Keys instead of Export Keys.
    3. Ensure that all servers are using a common user repository.
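
A check for steps 5 and 8, added here as an example and not part of the IBM documentation or product: it confirms that every ltpa.keys copy is byte-identical and not accessible to group or others. The function names are hypothetical, and it assumes sha256sum or shasum is installed.

```shell
#!/bin/sh
# Added example (not IBM code). Usage, with the paths from step 5:
#   sh check_ltpa.sh \
#     "$IMPACT_HOME/wlp/usr/servers/<server name>/resources/security/ltpa.keys" \
#     "$IMPACT_HOME/wlp/usr/servers/ImpactUI/resources/security/ltpa.keys"

# Print the SHA-256 digest of a file (assumption: sha256sum or shasum exists).
ltpa_digest() {
    { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d' ' -f1
}

# Succeed only if the group and other permission bits are all clear.
ltpa_perms_private() {
    # In the ls -ld mode string, characters 5-10 are the group/other rwx bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_ltpa_keys FILE...
# Returns 0 only if every copy exists, is private, and matches the first copy.
check_ltpa_keys() {
    rc=0
    ref=""
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "MISSING   $f"
            rc=1
            continue
        fi
        if ! ltpa_perms_private "$f"; then
            echo "PERMS     $f is accessible to group or others"
            rc=1
        fi
        d=$(ltpa_digest "$f")
        if [ -z "$ref" ]; then
            ref=$d                      # first existing copy is the reference
        elif [ "$d" != "$ref" ]; then
            echo "MISMATCH  $f differs from $1"
            rc=1
        fi
    done
    return $rc
}

# Run the check when paths are given on the command line.
if [ "$#" -gt 0 ]; then
    check_ltpa_keys "$@"
fi
```
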

What to do next

Use the Fully Qualified Domain Name (FQDN) to access the URL for Netcool/Impact and Jazz for Service Management SSO console integration.