View the steps to create a single-sign on (SSO) domain
between WebSphere® Portal and the
remote search service. Set up remote search service by using EJB,
since SOAP support for remote search services was deprecated with WebSphere Portal version 8.0.
Procedure
- Export the LTPA keys from the WebSphere Portal server by completing
the following steps.
Cluster note: In a clustered environment, complete these steps on the
Deployment Manager.
- Open the WebSphere Integrated Solutions Console.
- Select .
- Enter a password for the key.
- In the field for the fully qualified key name, enter a key file name and click
Export keys. The keys are written to the file profile_root/Key File Name, where profile_root is
either the Deployment Manager profile or the WebSphere Portal
profile. The file holds the shared LTPA secret protected only by the password you entered, so copy it over an authenticated channel and delete it from both servers after the import.
- Import the key file to the remote search server. If your
environment contains extra application servers, complete the following
steps on all other servers that you want to be a part of this SSO
domain:
- Copy the key file that you exported in step 1 from the WebSphere Portal server to the remote
search server.
- Log in to the WebSphere Integrated Solutions Console.
- Select .
- In the field for the fully qualified key name, enter
the directory and key file name that you specified in step 2a and
click Import keys. The keys are propagated
to all servers of the SSO domain.
- Restart all WebSphere Application
Server profiles on this
server.
- Ensure that automatic LTPA key generation is disabled on
all servers of the SSO domain by completing the following steps:
- Log in to the WebSphere Integrated Solutions Console.
- Select . In the Authentication mechanisms and expiration pane, click LTPA.
- Within Key generation, select Key set groups
- Click NodeLTPAKeySetGroup.
Cluster note: In a clustered environment,
click CellLTPAKeySetGroup.
- In the Key generation pane, disable
the Automatically generate keys check box.
- Click OK.
- Click Save to save your changes
to the master configuration.
- Log out of the WebSphere Integrated Solutions Console.
- Verify that the system clocks of the WebSphere Portal server or servers and the remote search service server are within 5 minutes of each
other.
Note: If the clocks are not in sync, the signer import in the next step fails, and LTPA tokens issued
by one server can be rejected by the other as expired.
- Add the signer certificate of the remote search service
server to the portal server by completing the following steps:
- Access the WebSphere Integrated Solutions Console of the portal server.
Cluster note: In a clustered environment, complete these steps on the
Deployment Manager.
- Click .
Cluster note: In a clustered environment, the path is .
- Enter the remote search service server host, its SSL port, and an alias.
- Click Retrieve Signer Information. The console fetches the certificate from the remote host over the network; before you accept it, compare the displayed fingerprint with the fingerprint of the remote search service server's certificate obtained directly on that server.
- Click OK.
- Add the signer certificate of the portal server to the remote search service server by
completing the following steps:
- Access the WebSphere Integrated Solutions Console of the remote search service
server.
- Click .
- Enter the portal server host, its SSL port, and an alias.
- Click Retrieve Signer Information and, as before, verify the displayed fingerprint against the portal server's certificate before you accept it.
- Click OK.
- In the portal server enable CSIv2 identity assertion. To complete this step, proceed as
follows:
Cluster note: In a clustered environment, complete these steps on the
Deployment Manager WebSphere Integrated Solutions Console.
- Enable CSIv2 Identity Assertion on the outbound connection:
- Access the WebSphere Integrated Solutions Console of the portal server.
- Go to .
- Check Use identity assertion.
- When you are done, restart the portal server.
- Enable CSIv2 Identity Assertion on the inbound connection:
- Access the WebSphere Integrated Solutions Console of the remote server.
- Go to .
- Check Use identity assertion.
- Under Trusted identities, enter the identity of the portal server. An asterisk (*) is also accepted, but it trusts every authenticated server identity to assert any user; use it only in test environments, because any server that can authenticate to the remote search server could then impersonate portal users.
- When you are done, restart the remote server.
For more detailed information, refer to the WebSphere Application
Server
information center.
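The procedure above can be scripted with wsadmin, which makes the setup repeatable and easier to review than console clicks. The following Jython script is an added example, not IBM's or the product's own code. It runs the portal-side steps (export LTPA keys, disable key rotation, trust the search server's signer, enable outbound identity assertion) or the search-side steps (import the keys, disable key rotation, trust the portal signer, enable inbound identity assertion restricted to the portal identity), depending on the role argument. All host names, ports, paths, aliases, the export password and the expected fingerprints are placeholders to replace; `retrieveSignerInfoFromPort`, `modifyKeySetGroup` and the `configureCSIInbound`/`configureCSIOutbound` option names are the WebSphere Application Server 7/8 wsadmin commands as I recall them, so check them against your version's command reference before running.

```jython
# sso_remote_search.py  (added example; not IBM's code)
# Run with:  wsadmin.sh -lang jython -user wasadmin -password ... -f sso_remote_search.py <role>
#   <role> = portal   on the portal server (Deployment Manager in a cluster)
#   <role> = search   on the remote search server
# wsadmin ships an old Jython (2.1 on WAS 7/8), so no newer syntax is used.
# Assumption: AdminTask option names as documented for WAS 7/8; verify for your version.
import sys

# ---- site-specific values (hypothetical, change them) ------------------------
KEY_FILE      = 'file:/tmp/portal-ltpa.key'   # exported on portal, copied to search
KEY_PASSWORD  = 'replace-with-a-strong-export-password'
CLUSTERED     = 0                              # 1 = Deployment Manager / cell scope
PORTAL_HOST, PORTAL_SSL_PORT = 'portal.example.com', 9443
SEARCH_HOST, SEARCH_SSL_PORT = 'search.example.com', 9443
PORTAL_SERVER_IDENTITY = 'portal.example.com'  # identity the search server will trust
# Fingerprints copied out of band from each server's own keystore, so a signer
# is never trusted only because it arrived over the network.
EXPECTED_FINGERPRINT = {
    'portal': 'AA:BB:CC:...',   # fingerprint of the portal server's signer
    'search': 'DD:EE:FF:...',   # fingerprint of the search server's signer
}

if CLUSTERED:
    TRUST_STORE, KEY_SET_GROUP = 'CellDefaultTrustStore', 'CellLTPAKeySetGroup'
else:
    TRUST_STORE, KEY_SET_GROUP = 'NodeDefaultTrustStore', 'NodeLTPAKeySetGroup'

def disable_ltpa_key_rotation():
    # Automatic key generation must be off on every member of the SSO domain,
    # otherwise one server rotates its keys and the shared secret silently diverges.
    AdminTask.modifyKeySetGroup('[-name %s -autoGenerate false]' % KEY_SET_GROUP)

def trust_peer_signer(peer, host, port, alias):
    # Look at the signer first, compare it with the out-of-band fingerprint,
    # and only then add it to the trust store (what "Retrieve Signer Information" does).
    info = AdminTask.retrieveSignerInfoFromPort('[-host %s -port %d]' % (host, port))
    print info
    if info.find(EXPECTED_FINGERPRINT[peer]) < 0:      # Jython 2.1: no substring 'in'
        raise Exception('fingerprint mismatch for %s:%d, signer not added' % (host, port))
    AdminTask.retrieveSignerFromPort('[-keyStoreName %s -host %s -port %d -certificateAlias %s]'
                                     % (TRUST_STORE, host, port, alias))

# wsadmin passes the arguments after the script name in sys.argv
role = len(sys.argv) and sys.argv[0] or 'portal'

if role == 'portal':
    # The key file is protected only by KEY_PASSWORD: move it over an
    # authenticated channel and delete it on both sides afterwards.
    AdminTask.exportLTPAKeys('[-ltpaKeyFile %s -password %s]' % (KEY_FILE, KEY_PASSWORD))
    disable_ltpa_key_rotation()
    trust_peer_signer('search', SEARCH_HOST, SEARCH_SSL_PORT, 'remotesearch_signer')
    # Assert the caller's identity on outbound CSIv2 calls to the search EJB.
    AdminTask.configureCSIOutbound('[-enableIdentityAssertion true]')
elif role == 'search':
    AdminTask.importLTPAKeys('[-ltpaKeyFile %s -password %s]' % (KEY_FILE, KEY_PASSWORD))
    disable_ltpa_key_rotation()
    trust_peer_signer('portal', PORTAL_HOST, PORTAL_SSL_PORT, 'portal_signer')
    # Accept asserted identities only from the portal server identity,
    # not from '*', which would trust any authenticated server.
    AdminTask.configureCSIInbound('[-enableIdentityAssertion true -trustedIdentities %s]'
                                  % PORTAL_SERVER_IDENTITY)
else:
    raise Exception('role must be portal or search')

AdminConfig.save()
if CLUSTERED:
    AdminNodeManagement.syncActiveNodes()   # push the saved configuration to the nodes
print 'done; restart the server(s) for the LTPA and CSIv2 changes to take effect'
```

Run the script with role `portal` first, copy the key file to the search server, then run it there with role `search`; the clock check from the procedure is still a manual prerequisite, and both servers must be restarted afterwards, exactly as in the console steps.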
What to do next
For more details about exporting the LTPA token, refer
to the WebSphere Application
Server information
center by going to. You can also locate this topic
by opening the search feature of the WebSphere Application
Server information
center and searching for ltpa key export.
If you work with EJB on a secure
server, you must set the search user ID. For details about how to
do this step, refer to Setting the search user ID.