Setting up single sign-on with LTPA between two servers

You can set up a single sign-on environment between two computers that run IBM® WebSphere® Application Server. Then, users can log on to an application on WebSphere Application Server on one computer and access an application on WebSphere Application Server on a second computer without logging on to the second computer.

Before you begin

  • Both computers must have static IP addresses. Otherwise, see "Adding IP addresses to host files" in this topic.
  • WebSphere Application Server 8.0 must be installed on each computer.
  • The IBM Rational® Asset Manager server must be installed on each instance of WebSphere Application Server. Security on both of the servers must be configured to the same user registry.
  • You must be able to log in to both instances of Rational Asset Manager.

Procedure

  1. On the first computer, log on to the WebSphere administrative console by entering this URL in a web browser: http://fully_qualified_host_name:port_number/ibm/console
  2. Enable single sign-on and add the domain name:
    1. Select Security > Global security > Web and SIP security > Single Sign-on (SSO).
    2. Make sure that the "Web inbound security attribute propagation" and "Set security cookies to HTTP Only to help prevent cross-site scripting attacks" check boxes are selected.
    3. Enter a domain name.
    4. Click Apply.
  3. Change the web authentication setting so that unprotected pages receive authentication data:
    1. Select Security > Global security > Web and SIP security > General settings.
    2. Select the Use available authentication data when an unprotected URI is accessed check box.
    3. Click Apply.
  4. Enable single sign-on by having the two WebSphere Application Server instances exchange their Lightweight Third Party Authentication (LTPA) keys:
    1. Select Security > Global security, and in the Authentication section, select LTPA.
    2. Enter the password and the name of the file to export the keys to, and then click Export keys.
  5. Find the exported keys from the first computer in the installed_WAS_folder/profiles/AppSrv01/ directory, and import the keys to the second computer:
    1. Copy the key file to the second computer.
    2. On the second computer, log on to the WebSphere administrative console.
    3. Select Security > Global security, and in the Authentication section, select LTPA.
    4. Use the password that you entered on the first computer, and enter the name of the file that you copied to the second computer. Click Import keys.
    5. Save the configuration.
  6. On the second computer, repeat steps 1 - 5 to change the single sign-on and web security preferences, export the keys from the second computer, and import the keys to the first computer.
  7. Save the configuration on both servers and restart them.
  8. On the first computer, enter this URL in a web browser:
    http://computer1.example.com:9080/ram
    Important: Do not use localhost, a short host name, or the IP address in place of the host name. Single sign-on requires that the browser pass LTPA cookies to WebSphere Application Server, and these cookies contain the fully qualified host name.
  9. Log on to the Rational Asset Manager web client.
  10. In the same browser session, enter the URL to the web client on the second computer:
    http://computer2.example.com:9080/ram
  11. If single sign-on is configured correctly, you do not need to log on to the second computer. Instead, the user name is displayed on the home page.
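The following Python function is an added example, not part of this documentation: it checks the Set-Cookie header that the first server returns after logon against the requirements stated in steps 2 and 8 (cookie domain equal to the SSO domain, HttpOnly set, fully qualified host names for both computers) and reports why a browser would not forward the LTPA cookie to the second server. The header value and host names are constructed sample input.

```python
from http.cookies import SimpleCookie
import ipaddress


def is_fqdn(host):
    """True for a fully qualified host name; False for localhost, a short name or an IP literal."""
    try:
        ipaddress.ip_address(host)   # parses as an IP address: not acceptable for LTPA SSO
        return False
    except ValueError:
        pass
    return host != "localhost" and "." in host


def host_in_domain(host, domain):
    """Browser domain matching: host equals the cookie domain or is a subdomain of it."""
    domain = domain.lstrip(".")
    return host == domain or host.endswith("." + domain)


def check_sso_cookie(set_cookie_header, sso_domain, first_host, second_host):
    """Return the reasons the LTPA cookie issued by first_host will not reach second_host.

    An empty list means the cookie matches the SSO configuration described in the procedure.
    """
    problems = []
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    token = jar.get("LtpaToken2") or jar.get("LtpaToken")
    if token is None:
        return ["no LtpaToken2 cookie in the response"]
    if not token["httponly"]:
        problems.append("cookie is not HttpOnly")
    cookie_domain = token["domain"].lstrip(".")
    if not cookie_domain:
        # Without a Domain attribute the cookie is host-only and is never sent to the second server.
        problems.append("cookie has no Domain attribute")
    elif cookie_domain != sso_domain.lstrip("."):
        problems.append("cookie domain %s differs from SSO domain %s" % (cookie_domain, sso_domain))
    for host in (first_host, second_host):
        if not is_fqdn(host):
            problems.append("%s is not a fully qualified host name" % host)
        elif cookie_domain and not host_in_domain(host, cookie_domain):
            problems.append("%s is outside cookie domain %s" % (host, cookie_domain))
    return problems


# Constructed sample header, in the shape WebSphere sends after a successful logon.
SAMPLE_HEADER = "LtpaToken2=AAECAwQFBgcICQ==; Path=/; Domain=.example.com; HttpOnly"

if __name__ == "__main__":
    print(check_sso_cookie(SAMPLE_HEADER, "example.com", "computer1.example.com", "computer2.example.com"))
```

Run it against the real header by copying the Set-Cookie value from the browser's developer tools after step 9.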

Adding IP addresses to host files

If you are using two computers that have dynamic IP addresses, you might need to add entries to the hosts file of each computer. Whenever the IP addresses of the computers change, you must update the hosts files on both computers and restart the servers.

  1. On the first computer, open C:\WINDOWS\system32\drivers\etc\hosts.
  2. On a new line, enter the IP address of the first computer followed by its host name, such as:
    127.0.0.1 computer1.example.com
  3. On a new line, enter the IP address of the second computer followed by its host name, such as:
    IP address of second computer computer2.example.com
  4. Save the file.
  5. On the second computer, open C:\WINDOWS\system32\drivers\etc\hosts.
  6. On a new line, enter this text:
    127.0.0.1 computer2.example.com
  7. On another new line, enter this text:
    IP address of first computer computer1.example.com
  8. Save the file.