Configuring SSO for TRIRIGA on WebSphere Liberty with IIS and AD
There are several steps for configuring single sign-on (SSO) with WebSphere® Application Server Liberty, Microsoft Internet Information Services (IIS), and Microsoft Active Directory (AD).
I. Installing WebSphere Application Server web server plug-in on IIS
Install the WebSphere Application Server web server plug-ins and the WebSphere Customization Toolbox: WAS Supplements 8.5.5. The plug-ins are available in the WAS Supplements package for WebSphere Application Server on Passport Advantage. As with the WebSphere Application Server installation, you use the IBM Installation Manager to install the web server plug-ins and the WebSphere Customization Toolbox.
For details on obtaining the WAS Supplements 8.5.5 package from Passport Advantage, see: Part numbers of WebSphere software used by IBM TRIRIGA (http://www-01.ibm.com/support/docview.wss?uid=swg21692375). Download WAS Supplements 8.5.5 for your Platform. Then install the fix packs for the supplements.
For details on how to install and generate the plug-in on the IIS server, see: Adding a plug-in configuration to a web server.
II. Configuring WebSphere Liberty property trustedSensitiveHeaderOrigin
WebSphere Liberty 19.0.0.4 added a new configuration property named trustedSensitiveHeaderOrigin.
See reference: Potential WebSphere Application Server problems when deployed behind a WebSphere-aware proxy server
On WebSphere Liberty, trustedSensitiveHeaderOrigin is configured as an HttpDispatcher custom property. This property has a default value of "none", which means that a subset of WebSphere-specific HTTP headers will not be trusted from any host. The property also accepts a value of "*" (all), or a comma-separated list of IP addresses. For a secure deployment in which proxy servers are used, the trustedSensitiveHeaderOrigin property should be configured with a comma-separated list of IP addresses corresponding to those of any WebSphere-aware proxy servers in front of the WebSphere server.
Alternatively, to enable the original unsecured behavior, set trustedSensitiveHeaderOrigin="*", which will direct the WebSphere server to trust all headers sent from any host or proxy. This value must only be used for testing, or if the WebSphere server is isolated from external connections.
For WebSphere Liberty servers, add the following line to the server.xml:
<httpDispatcher trustedSensitiveHeaderOrigin="<TRUSTED_PROXY_IP_ADDRESS>"/>
Replace <TRUSTED_PROXY_IP_ADDRESS> with the IP of the web server machine where the WebSphere plug-in is installed.
See reference: HTTP Dispatcher (httpDispatcher)
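The following check is an added example, not part of the IBM documentation: it audits a server.xml for the three kinds of trustedSensitiveHeaderOrigin values described above. The sample fragments and addresses are constructed, the function names are hypothetical, and the checker assumes only what this page states about the property (default "none", "*", or a comma-separated list of IP addresses).

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed server.xml fragments for illustration (not from a real deployment).
SAMPLE_PINNED = '<server><httpDispatcher trustedSensitiveHeaderOrigin="10.0.0.5, 10.0.0.6"/></server>'
SAMPLE_WILDCARD = '<server><httpDispatcher trustedSensitiveHeaderOrigin="*"/></server>'
SAMPLE_MISSING = '<server><featureManager/></server>'
SAMPLE_BAD_ENTRY = '<server><httpDispatcher trustedSensitiveHeaderOrigin="10.0.0.5,iis01"/></server>'


def audit_trusted_origin(server_xml):
    """Return a list of (severity, message) findings for one server.xml text."""
    root = ET.fromstring(server_xml)
    values = [
        el.get("trustedSensitiveHeaderOrigin").strip()
        for el in root.iter("httpDispatcher")
        if el.get("trustedSensitiveHeaderOrigin") is not None
    ]
    if not values:
        return [("WARN", "property not set; the default 'none' trusts these headers from no host")]
    findings = []
    for value in values:
        if value == "*":
            findings.append(("FAIL", "'*' trusts sensitive headers from any host; testing or isolated servers only"))
        elif value == "none":
            findings.append(("WARN", "'none' trusts these headers from no host, including the plug-in"))
        else:
            # Treat anything else as the comma-separated address list the page describes.
            for entry in (e.strip() for e in value.split(",")):
                try:
                    ipaddress.ip_address(entry)
                    findings.append(("OK", "trusted proxy address: " + entry))
                except ValueError:
                    findings.append(("FAIL", "not a literal IP address: " + repr(entry)))
    return findings


def severities(server_xml):
    """Severity column only, convenient for gating a deployment pipeline."""
    return [sev for sev, _ in audit_trusted_origin(server_xml)]


if __name__ == "__main__":
    for name in ("SAMPLE_PINNED", "SAMPLE_WILDCARD", "SAMPLE_MISSING", "SAMPLE_BAD_ENTRY"):
        print(name, audit_trusted_origin(globals()[name]))
```

The checker reads a single file and does not follow include elements, so run it against each server.xml fragment that is part of the deployed configuration.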
III. Configuring IIS to pass web requests to WebSphere Liberty
About this task
If a web server plug-in is already installed on the web server, use the following procedure to reconfigure the web server to use it.
You can create a web server configuration beforehand by using the WebSphere Customization Toolbox. The configuration will be installed to C:\Program Files (x86)\IBM\WebSphere\Plugins\config\webserver1. When you are prompted for the web server details, point to the URL by using the remote installation.
Procedure
IV. Configuring SSO with Microsoft IIS
About this task
After configuring IIS to pass web requests to WebSphere Liberty, the next step is to set up SSO.
Procedure
V. Troubleshooting IIS and Maximum File Upload Size
About this task
If you have the MAXIMUM_UPLOAD_FILE_SIZE_MEGABYTES property set to a large value (for example, 50 MB) in the TRIRIGAWEB.properties file, but you are still running into problems with uploading large files, Microsoft IIS Web Server's default configuration needs to be changed to allow large files to be uploaded too.