Installing on a separate system than where the IBM Verify Identity Governance is installed

You must install the single sign-on application by using the IBM WebSphere Application Server administrative console.

Before you begin

Familiarize yourself with the SSO application details and installation requirements before you install it.

You must install the IBM WebSphere Application Server fixes that are specified in the IBM Verify Identity Governance Release Notes. Use the installation instructions in the Release Notes to install the fixes. Install the SSO application on the IBM WebSphere Application Server where the IBM Security Identity Manager is installed.

About this task

When the SSO application is installed on a separate system, IBM® Security Verify Access is positioned as the single sign-on front end. The LTPA token is returned by either WebSphere® Application Server or IBM Security Verify Access, depending on whether the junction has LTPA enabled.

Procedure

  1. Prepare the WebSphere Application Server environment.
  2. Build the SSO application to create the itim_ws.war file.
    For information about building the application, see Building the SSO application.
  3. Use File Transfer Protocol (FTP) to copy the itim_ws.war file to the location in the system where the SSO application is going to be deployed.
  4. Install the application by using the IBM WebSphere Application Server administrative console.
    1. Log on to the IBM WebSphere Application Server administrative console.
      For example, http://localhost:9060/ibm/console
    2. Click Applications > New Applications > New Enterprise Application.
    3. In the Path to the new application area, select Local file system.
    4. Click Browse to set Full path to the location of the itim_ws.war file.
    5. Click Next.
    6. In the How do you want to install the application area, select Detailed - Show all installation options and parameters.
    7. Click Next.
    8. At the Application Security Warnings window, click Continue.
    9. Click the Map context roots for Web modules step and specify the context root value as /itim_ws.
    10. Click the Map security roles to users or groups step and select the ITIM_CLIENT role.
    11. Click Map Special Subjects > All Authenticated in Trusted Realms.
    12. Click Next repeatedly until the Summary window is displayed.
    13. Click Finish.
    14. Click Save to save your changes directly to the master configuration.
  5. Update the class loader properties.
    1. Click Applications > Application Types > WebSphere enterprise applications.
    2. Click itim_ws.war.
    3. Under Detailed Properties, click Class loading and update detection.
    4. Select Classes loaded with local class loader first (parent last) for the Class loader order and Single class loader for application for the WAR class loader policy.
    5. Click OK.
    6. Click Save to save your changes directly to the master configuration.
  6. Ensure that you properly export and import the LTPA keys for correct encryption and decryption of the identity tokens (LTPA). See the IBM WebSphere Application Server documentation for setting up SSO by using LTPA with multiple servers.
  7. Make the security realm in which the sample SSO application is deployed a trusted realm of the IBM Verify Identity Governance server.
    Perform the following steps where IBM Verify Identity Governance is installed.
    1. Log on to the IBM WebSphere Application Server administrative console.
      For example, http://localhost:9060/ibm/console
    2. Click Security > Security domains > ISIMSecurityDomain > User Realms:Customized - itimCustomRealm > Trusted authentication realms - inbound.
    3. Click Add External Realm.
      Type the security realm of the SSO application, for example, appCustomRealm.
    4. In the ISIM_HOME/data directory, modify the enRoleAuthentication.properties file.
      Change enrole.authentication.idmapper to com.ibm.itim.authentication.mapping.SSOIDMapper.
    5. Restart the IBM Verify Identity Governance server.
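Step 4 of the trusted-realm procedure is a hand edit of enRoleAuthentication.properties. The following added example (not part of the IBM documentation or of the product) makes the same change programmatically so it can be scripted and verified: it rewrites the enrole.authentication.idmapper key in place, keeps comments and the other keys untouched, writes a .bak copy before touching the file, and reads the file back to confirm the new mapper class is the effective value. The regular expression assumes the usual key=value or key:value layout of a Java properties file; the sample file content and the previous mapper class name used in it are constructed placeholders, not the shipped defaults.

```python
import os
import re
import shutil
import tempfile

# Key and value named in the procedure above. The real file lives at
# ISIM_HOME/data/enRoleAuthentication.properties on the IVIG host.
IDMAPPER_KEY = "enrole.authentication.idmapper"
SSO_IDMAPPER = "com.ibm.itim.authentication.mapping.SSOIDMapper"

# Matches "key=value", "key = value" or "key:value" (the common .properties forms).
# Lines starting with '#' or '!' are comments and are never touched.
_PROP_RE = re.compile(r"^(\s*)([^#!\s=:][^=:]*?)\s*[=:]\s*(.*)$")

# Constructed sample content (placeholder mapper class, not the shipped default).
SAMPLE = (
    "# constructed sample, not the real shipped file\n"
    "enrole.authentication.idmapper=com.example.PlaceholderIDMapper\n"
    "some.other.key = keep me\n"
)


def set_property(text, key, value):
    """Return (new_text, old_value) with every `key` line set to `value`.

    Comments, ordering and other keys are preserved. If the key is absent it is
    appended. old_value is the previously effective value (java.util.Properties
    semantics: the last occurrence wins) or None if the key was not present.
    """
    old_value = None
    out = []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        ending = line[len(body):]
        m = _PROP_RE.match(body)
        if m and m.group(2) == key:
            old_value = m.group(3)
            out.append(f"{m.group(1)}{key}={value}{ending}")
        else:
            out.append(line)
    if old_value is None:
        if out and not out[-1].endswith("\n"):
            out[-1] += "\n"
        out.append(f"{key}={value}\n")
    return "".join(out), old_value


def get_property(text, key):
    """Return the effective (last) value of `key`, or None if it is absent."""
    value = None
    for line in text.splitlines():
        m = _PROP_RE.match(line)
        if m and m.group(2) == key:
            value = m.group(3)
    return value


def enable_sso_idmapper(path):
    """Point the ID mapper at SSOIDMapper in the properties file at `path`.

    Writes a .bak copy first and verifies the result by reading the file back.
    Returns the previous mapper value (None if the key was unset).
    """
    # java.util.Properties reads .properties files as ISO-8859-1.
    with open(path, encoding="latin-1") as f:
        original = f.read()
    new_text, old_value = set_property(original, IDMAPPER_KEY, SSO_IDMAPPER)
    if new_text != original:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="latin-1") as f:
            f.write(new_text)
    with open(path, encoding="latin-1") as f:
        if get_property(f.read(), IDMAPPER_KEY) != SSO_IDMAPPER:
            raise RuntimeError(f"{IDMAPPER_KEY} was not updated in {path}")
    return old_value


def demo_roundtrip():
    """Run the edit against the constructed SAMPLE in a temporary directory.

    Returns (previous_value, effective_value_after_edit, backup_exists).
    """
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "enRoleAuthentication.properties")
    with open(path, "w", encoding="latin-1") as f:
        f.write(SAMPLE)
    previous = enable_sso_idmapper(path)
    with open(path, encoding="latin-1") as f:
        effective = get_property(f.read(), IDMAPPER_KEY)
    return previous, effective, os.path.exists(path + ".bak")


if __name__ == "__main__":
    print(demo_roundtrip())
```

Running the script again is a no-op (no second backup is written and the returned previous value is already SSOIDMapper), so it is safe to include in a repeatable configuration run; the restart in the next step of the procedure is still required for the change to take effect.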

What to do next

As deployed, the SSO application authenticates only against the IBM Verify Identity Governance user registry. You must enable authentication with WebSEAL.