Configuring SSO for TRIRIGA on traditional WebSphere with IHS and TDS
There are several steps for configuring single sign-on (SSO) with traditional WebSphere® Application Server, IBM® HTTP Server (IHS), and Tivoli Directory Server (TDS).
Contents
- I. Setting up IBM HTTP Server and WebSphere Application Server web server plug-in
- II. Configuring traditional WebSphere property trustedSensitiveHeaderOrigin
- III. Configuring IHS to pass web requests to WebSphere Application Server
- IV. Configuring SSO with IBM HTTP Server
- V. Configuring SSO without SSL
I. Setting up IBM HTTP Server and WebSphere Application Server web server plug-in
Two things are required to have IBM HTTP Server working with WebSphere Application Server: (1) the IBM HTTP Server itself and (2) the WebSphere Application Server web server plug-in. The WebSphere Application Server package includes the IBM HTTP Server and the web server plug-in. Or you can obtain the plug-in from the Supplements package for WebSphere Application Server on Passport Advantage. As with the WebSphere Application Server installation, you use the IBM Installation Manager to install the web server plug-in.
For details on obtaining the Supplements package from Passport Advantage, see: Part numbers of WebSphere software used by IBM TRIRIGA (http://www-01.ibm.com/support/docview.wss?uid=swg21692375).
- Install as a root user.
- IBM HTTP Server installation instructions can be found in the installation folder (readme > InstallGuide). Note: The installer requires X Window System.
- The web server plug-in installation is part of the IBM HTTP Server installation. Do not forget to install the plug-in.
- The installation path is usually: /opt/IBM/HTTPServer.
- After you finish installing IBM HTTP Server, configure the administrative server in /opt/IBM/HTTPServer/conf/admin.conf. The @…@ tokens in the template are placeholders for your port, user and group. Because the administration server is a management interface, bind it to an address that only administrators can reach, or restrict the port with firewall rules. The relevant part of the template is:

```apacheconf
# Port used to access the Administration Server
Listen @LISTENINGPORT@

# Default user and group settings for the server
User @USER@
Group @GROUPNAME@

# ServerName gives the name and port that the server uses to identify
# itself. This can often be determined automatically, but
# specifying it explicitly can prevent problems during startup.
#
# If this is not set to a valid DNS name for your host, server-generated
# redirections do not work. See also the UseCanonicalName directive.
#
# If your host does not have a registered DNS name, enter its IP
# address. You must access it by its address anyway, and this makes
# redirections work correctly.
#
ServerName hostname:@@AdminPort@@
```
- Set the IBM HTTP Server administrator password. Note: If the admin.passwd file does not exist yet, you must first run htpasswd with the -c option, which creates the file.
- Switch to the HTTPServer_installdir/bin directory on your machine.
- To set the administrator password, enter the following command based on your operating system:
- In AIX, Linux, or Solaris, enter: ./htpasswd -b ../conf/admin.passwd user password
- In Windows, enter: htpasswd -b conf\admin.passwd user password
- Note: The -b option takes the password on the command line, where it is visible in the process list and in the shell history. Omit -b to be prompted for the password instead.
- After the IBM HTTP Server installation is completed, start the web server administration server and the web server itself by using the following commands:

```shell
<ibm_HTTP_server_path>/bin/adminctl start
<ibm_HTTP_server_path>/bin/apachectl start
```
II. Configuring traditional WebSphere property trustedSensitiveHeaderOrigin
Traditional WAS 9.0.0.11 introduced a new configuration property named trustedSensitiveHeaderOrigin.
See reference: Potential WebSphere Application Server problems when deployed behind a WebSphere-aware proxy server
On traditional WebSphere, the property is configured as an HTTP channel custom property. Its default value is "none", which means that a subset of WebSphere-specific HTTP headers is not trusted from any host. These are the private $WS* headers that the web server plug-in adds to forwarded requests, such as $WSRA (the original client address) and $WSIS (whether the original connection used SSL); if they were trusted from any host, a client that bypasses the proxy and connects to WebSphere directly could forge them. The property also accepts a value of "*" (all), or a comma-separated list of IP addresses. For a secure deployment in which proxy servers are used, set trustedSensitiveHeaderOrigin to a comma-separated list of the IP addresses of the WebSphere-aware proxy servers in front of the WebSphere server. In this topology that is the address that IBM HTTP Server connects from, never a client or load-balancer address that does not itself run the plug-in.
Alternatively, to restore the original, insecure behavior, set trustedSensitiveHeaderOrigin="*", which directs the WebSphere server to trust these headers from any host or proxy. Use this value only for testing, or if the WebSphere server is isolated from external connections.
For traditional WAS, set trustedSensitiveHeaderOrigin as a custom property of the HTTP inbound channel. In the administrative console this is under Servers > Server Types > WebSphere application servers > server_name > Web Container Settings > Web container transport chains > chain_name > HTTP inbound channel > Custom properties; set it on each chain that the plug-in forwards to (by default WCInboundDefault and WCInboundDefaultSecure).
See reference: HTTP transport channel custom properties
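The same configuration can be scripted with wsadmin instead of the administrative console. The following is an added example, not code from the original page or from IBM's documentation. The cell, node and server names and the IHS address are assumptions that you must replace with your own; the script assumes that the custom property is stored as a Property child of each HTTPInboundChannel, which is what the console creates, and it applies the value to every HTTP inbound channel on the server so that no chain is left at the default.

```jython
# set_trusted_origin.py (added example, not IBM's code)
# Run from the application server profile, for example:
#   <WAS_HOME>/profiles/AppSrv01/bin/wsadmin.sh -lang jython -f set_trusted_origin.py
#
# Assumed names: replace with the values from your own cell.
CELL   = 'tririgaCell01'
NODE   = 'tririgaNode01'
SERVER = 'server1'
# Address IBM HTTP Server connects FROM. Never use a client or
# load-balancer address here, and never '*' outside an isolated test box.
IHS_IP = '10.0.0.5'
PROP   = 'trustedSensitiveHeaderOrigin'

server = AdminConfig.getid('/Cell:%s/Node:%s/Server:%s/' % (CELL, NODE, SERVER))
if not server:
    raise Exception('server %s/%s/%s not found' % (CELL, NODE, SERVER))

# Every HTTP inbound channel on the server: HTTP_2 (WCInboundDefault),
# HTTP_4 (WCInboundDefaultSecure) and the administrative chains.
for channel in AdminConfig.list('HTTPInboundChannel', server).splitlines():
    existing = None
    # Idempotent: update the property if it is already present.
    for prop in AdminConfig.list('Property', channel).splitlines():
        if AdminConfig.showAttribute(prop, 'name') == PROP:
            existing = prop
    if existing:
        AdminConfig.modify(existing, [['value', IHS_IP]])
    else:
        AdminConfig.create('Property', channel, [['name', PROP], ['value', IHS_IP]])
    print 'set %s=%s on channel %s' % (PROP, IHS_IP, AdminConfig.showAttribute(channel, 'name'))

# Persist the change; in a Network Deployment cell also synchronize the node.
AdminConfig.save()
```

The change takes effect after the application server is restarted. If IHS runs on more than one host, list every plug-in host's address in IHS_IP, separated by commas, because a request whose $WS* headers arrive from an unlisted address has those headers ignored rather than the request rejected.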
III. Configuring IHS to pass web requests to WebSphere Application Server
About this task
After you install IBM HTTP Server, you configure it to forward requests to the application server.
The following steps demonstrate how to configure the web server by using the WebSphere Customization Toolbox.
Procedure
- Start the WebSphere Customization Toolbox.
- In the Web Server Plug-in Configuration box, select Create.
- In the Web Server Selection window, select IBM HTTP Server.
- In the Web Server Configuration File Selection dialog, select the existing IBM HTTP Server httpd.conf file and port.
- Optionally, in the Setup IBM HTTP Server Administration Server dialog, configure an administrative server to administer the web server and create an administrative user ID and password.
- Optionally, set up the IBM HTTP Server Administration Server as a Windows Service.
- In the Web Server Definition Name dialog, specify a unique web server definition, such as the default webserver1.
- In the Configuration Scenario Selection dialog, specify the location of the application server. If your configuration scenario is local, browse to the location of the \AppServer folder. For example, a common location for the application server is C:\Program Files (x86)\IBM\WebSphere\AppServer.
- In the WebSphere Application Server Profile Selection dialog, select the WebSphere Application Server profile to configure with the current web server plug-in. For example, AppSrv01.
- In the Plug-in Configuration Summary dialog, review the items you chose and select Configure.
IV. Configuring SSO with IBM HTTP Server
About this task
After you configure IBM HTTP Server to forward web requests to WebSphere Application Server, you set up SSO with IBM HTTP Server.
Procedure
V. Configuring SSO without SSL
About this task
If you want to set up your SSO environment without SSL, make the changes below.