Configuring single sign-on on the Jazz for Service Management server

Use these instructions to establish single sign-on support.

About this task

To configure Global Security to enable SSO, follow these steps:

Procedure

  1. Log in to Jazz® for Service Management server as an admin user.
  2. In the navigation pane, click Console Settings > WebSphere Administrative Console and click Launch WebSphere administrative console.
  3. In the WebSphere Application Server administrative console navigation pane, click Security > Global security.
  4. In the Administrative Security section, select the Enable administrative security checkbox.
  5. In the Application Security section, select the Enable application security checkbox.
  6. In the Authentication section, expand Web and SIP security and click Single sign-on (SSO).
  7. Select the Enabled option if SSO is disabled.
  8. Select Requires SSL if all requests use HTTPS. SSO is then available only over HTTPS connections and the LTPA cookie is not sent over plain HTTP.
  9. In the Domain name field, enter the fully qualified domain name (or names) within which SSO is effective.
    For example, .ibm.com

    If the domain name is not fully qualified, the Jazz for Service Management server does not set a domain value on the LtpaToken cookie, the browser returns the cookie only to the host that created it, and SSO is valid only for that server. The single sign-on feature is required for the components of Netcool Operations Insight to interact with each other. For SSO to work across the Tivoli applications, their application servers must be installed in the same domain (that is, they must share the domain name that you enter here).

  10. Set the LTPA V2 Cookie name to LtpaToken2.
  11. Optional: Select the Interoperability Mode option if you need SSO connections from WebSphere Application Server version 5.1.1 or later to interoperate with earlier versions of the application server. In this mode the server issues the legacy LtpaToken cookie in addition to LtpaToken2, so leave it cleared unless such older servers exist in your SSO domain.
  12. Select the Web inbound security attribute propagation checkbox to propagate information from the first login application server to the other application servers.
  13. Clear the Set security cookies to HTTPOnly to help prevent cross-site scripting attacks checkbox. This removes the HttpOnly attribute from the LTPA cookies, so scripts running in the page can read the session token and a cross-site scripting flaw in any application within the SSO domain exposes it. Clear the option only because this integration requires it, and compensate by selecting Requires SSL and keeping the LTPA timeout as short as the deployment tolerates.
  14. Click OK to save your changes.
  15. Stop and restart all the Jazz for Service Management server instances.

What to do next

When you start Jazz for Service Management, you must use a URL in the format protocol://host.domain:port/*. The browser returns the LTPA cookie only to hosts within the cookie's domain, so if you connect with a short host name or an IP address instead of a fully qualified domain name, Jazz for Service Management cannot use SSO between Tivoli products.
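To confirm that the server now issues the cookie that the procedure above describes, and that the URL you hand out meets the requirement of the previous paragraph, the following Python script parses a Set-Cookie header captured at login and reports deviations from the expected settings. It is an added example, not IBM's or the product's code. It assumes a single SSO domain; the host names, the domain .example.com and the port 16311 are placeholders, and the Set-Cookie samples are constructed rather than captured from a real server. Capture real headers with the browser's developer tools or with `curl -kv` against the login URL.

```python
"""Check an LTPA Set-Cookie header and a launch URL against the SSO settings
from the Jazz for Service Management procedure above (added example)."""

from ipaddress import ip_address
from urllib.parse import urlparse


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs).

    attrs maps lower-cased attribute names to their value; flags such as
    Secure and HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_fqdn(host):
    """True only for a host name with a domain suffix; bare names and IP
    addresses cannot match a Domain=.example.com cookie."""
    try:
        ip_address(host)
        return False
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(labels)


def host_in_sso_domain(host, domain):
    """Cookie domain matching as a browser applies it: a cookie scoped to
    Domain=.example.com is returned to example.com and any host below it."""
    host = host.lower().rstrip(".")
    domain = domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def check_ltpa_cookie(header, sso_domain, requires_ssl):
    """Return a list of findings for one Set-Cookie header.

    An empty list means the cookie matches the configuration from the
    procedure (LtpaToken2, scoped to sso_domain, Secure when Requires SSL
    is set). The absence of HttpOnly is reported because step 13 deliberately
    removes it and operators should know the exposure that follows.
    """
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if name != "LtpaToken2":
        findings.append(f"unexpected cookie name {name!r}; expected LtpaToken2")
    if not value:
        findings.append("empty token value")
    domain = attrs.get("domain", "")
    if not domain:
        findings.append("no Domain attribute: SSO works only on the issuing host")
    elif domain.lstrip(".").lower() != sso_domain.lstrip(".").lower():
        findings.append(f"Domain is {domain!r}, expected {sso_domain!r}")
    if requires_ssl and "secure" not in attrs:
        findings.append("Requires SSL set but Secure flag missing: cookie may travel over HTTP")
    if "httponly" not in attrs:
        findings.append("HttpOnly absent: page scripts can read the token, so any XSS in the SSO domain leaks the session")
    return findings


def check_launch_url(url):
    """True when the URL names the server by a fully qualified domain name,
    which the 'What to do next' section requires for cross-product SSO."""
    return is_fqdn(urlparse(url).hostname or "")


# Constructed samples (not captured from a real server): the cookie as the
# procedure above produces it, and one from a server whose Domain name field
# was left empty.
SAMPLE_OK = "LtpaToken2=AbCdEf0123456789; Path=/; Domain=.example.com; Secure"
SAMPLE_NO_DOMAIN = "LtpaToken2=AbCdEf0123456789; Path=/; HttpOnly"

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_NO_DOMAIN):
        print(sample)
        for finding in check_ltpa_cookie(sample, ".example.com", True):
            print("  -", finding)
    # Port 16311 is a placeholder; substitute the console port of your server.
    for url in ("https://jazzsm.example.com:16311/ibm/console", "https://jazzsm:16311/ibm/console"):
        print(url, "-> FQDN" if check_launch_url(url) else "-> not fully qualified, SSO will not carry over")
```

Run it once after step 15 with the header your server actually returns; the only finding for a correctly configured server should be the missing HttpOnly attribute from step 13.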

The configured single sign-on uses SSO tokens that are set in HTTP cookies to carry authenticated sessions. By default, these cookies expire after 120 minutes. To change this value, follow these steps:
  1. In the WebSphere Application Server administrative console navigation pane, click Security > Global security.
  2. In the Authentication section, click LTPA.
  3. Set the LTPA timeout to the required number of minutes.

    This value must be greater than the Cache timeout.

When the credentials expire at the end of this period, users might have to authenticate again; a shorter timeout limits how long a stolen token remains usable.