Configuring SSO for TRIRIGA on traditional WebSphere with Apache and TDS
There are several steps for configuring single sign-on (SSO) with traditional WebSphere® Application Server, Apache HTTP Server, and Tivoli Directory Server (TDS).
I. Installing WebSphere Application Server web server plug-in
Install the WebSphere Application Server web server plug-ins. The plug-ins are available in the Supplements package for WebSphere Application Server on Passport Advantage. As with the WebSphere Application Server installation, you use the IBM Installation Manager to install the web server plug-ins.
For details on obtaining the Supplements package from Passport Advantage, see: Part numbers of WebSphere software used by IBM TRIRIGA (http://www-01.ibm.com/support/docview.wss?uid=swg21692375).
II. Configuring traditional WebSphere property trustedSensitiveHeaderOrigin
Traditional WAS 9.0.0.11 introduced a change that added a new configuration property named trustedSensitiveHeaderOrigin.
See reference: Potential WebSphere Application Server problems when deployed behind a WebSphere-aware proxy server
On traditional WebSphere, the property is configured as an HTTP channel custom property. This property has a default value of "none", which means that a subset of WebSphere-specific HTTP headers will not be trusted from any host. The property also accepts a value of "*" (all), or a comma-separated list of IP addresses. For a secure deployment in which proxy servers are used, the trustedSensitiveHeaderOrigin property should be configured with a comma-separated list of IP addresses corresponding to those of any WebSphere-aware proxy servers in front of the WebSphere server.
Alternatively, to enable the original unsecured behavior, set trustedSensitiveHeaderOrigin="*", which will direct the WebSphere server to trust all headers sent from any host or proxy. This value must only be used for testing, or if the WebSphere server is isolated from external connections.
For traditional WAS, set trustedSensitiveHeaderOrigin as a custom property of HTTP channel.
See reference: HTTP transport channel custom properties
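The following check is an added example, not IBM or TRIRIGA code: it audits a proposed trustedSensitiveHeaderOrigin value against an inventory of the proxy servers in front of WebSphere, before the value is set on the HTTP channel. The function name, severity labels, and sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

def audit_trusted_origin(value, proxy_ips):
    """Return (severity, message) findings for a trustedSensitiveHeaderOrigin value.

    value     -- string intended for the HTTP channel custom property
    proxy_ips -- operator-supplied IPs of the WebSphere-aware proxies (hypothetical inventory)
    """
    findings = []
    proxies = {ipaddress.ip_address(p) for p in proxy_ips}
    v = value.strip()

    if v == "none":
        # Default: the sensitive headers are not trusted from any host.
        if proxies:
            findings.append(("warn", "value is 'none'; headers from the listed proxies will not be trusted"))
        return findings
    if v == "*":
        # Trust-all is the original unsecured behavior.
        findings.append(("high", "'*' trusts headers from any host; testing or isolated servers only"))
        return findings

    trusted = set()
    for entry in v.split(","):
        entry = entry.strip()
        try:
            # The page describes a list of IP addresses, so ranges and host names are rejected.
            trusted.add(ipaddress.ip_address(entry))
        except ValueError:
            findings.append(("error", "not an IP address: %r" % entry))

    for ip in sorted(proxies - trusted, key=str):
        findings.append(("warn", "proxy %s is not in the trusted list" % ip))
    for ip in sorted(trusted - proxies, key=str):
        findings.append(("high", "%s is trusted but is not a known proxy" % ip))
    return findings

if __name__ == "__main__":
    # Constructed sample: two proxies, one mistyped entry, one stale entry.
    for severity, message in audit_trusted_origin(
            "192.0.2.10, 192.0.2.0/24, 198.51.100.7", ["192.0.2.10", "192.0.2.11"]):
        print(severity, message)
```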
III. Configuring Apache to pass web requests to WebSphere Application Server
About this task
After you install Apache HTTP Server, you configure it to forward requests to the application server.
The following steps demonstrate how to configure the web server by using the WebSphere Customization Toolbox.
Procedure
- Start the WebSphere Customization Toolbox.
- In the Web Server Plug-in Configuration box, select Create.
- In the Web Server Selection window, select Apache Web Server.
- In the Web Server Architecture Selection window, select the web server architecture: 64-bit or 32-bit.
- In the Web Server Configuration File Selection dialog, select the Apache Web Server httpd.conf file and port. For example, the file location might be C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\httpd.conf.
- In the Web Server Definition Name dialog, specify a unique web server definition, such as the default webserver1.
- In the Configuration Scenario Selection window, specify the location of the application server. If your configuration scenario is local, browse to the location of the \AppServer folder. For example, a common location for the application server is C:\Program Files (x86)\IBM\WebSphere\AppServer.
- In the WebSphere Application Server Profile Selection window, select the WebSphere Application Server profile to configure with the current web server plug-in. For example, AppSrv01.
- In the Plug-in Configuration Summary dialog, review the items you chose and select Configure.
IV. Configuring SSO with Apache HTTP Server
About this task
After you configure Apache HTTP Server to forward web requests to WebSphere Application Server, you set up SSO with Apache HTTP Server.