After the user IDs available for single sign-on (SSO) have been established in the LDAP user registry, enable SSO by completing the tasks in this topic.
| Step | Task | Where to find information |
|---|---|---|
| 1 | Configure the portal server to use an LDAP user registry and specify the realm name and domain used for single sign-on. To configure the portal server to use LDAP, you can use the following options: You use either IBM Manage Tivoli Enterprise Monitoring Services or the itmcmd command to enable LDAP user validation for the portal server. You can also use these utilities to configure the LDAP connection parameters unless: Note: You can also export the portal server's LTPA key, or import the LTPA key from another application, at the same time as you configure LDAP user authentication, or you can perform these steps after you have verified that the portal server's LDAP authentication is working. | See Prerequisites for configuring LDAP authentication on the portal server. Then, use the instructions in one of the following topics to enable LDAP user validation on the portal server: Then, follow the instructions in Using the TEPS/e administration console if you specified an LDAP server type of Other when enabling LDAP user validation for the portal server. Usage notes: If you are using Microsoft Active Directory, see LDAP user authentication using Microsoft Active Directory for planning and configuration information specific to this type of LDAP server. If you are using Tivoli Directory Server, see Understanding single sign-on between IBM Tivoli Monitoring and Tivoli Integrated Portal using Tivoli Directory Server in the IBM Tivoli Monitoring Wiki. These instructions explain how to map entries configured in Tivoli Directory Server to the information configured using the TEPS/e administration console. Ignore the steps provided for Tivoli Integrated Portal. |
| 2 | Configure the other participating SSO applications to use the same LDAP user registry, realm, and Internet or intranet domain name as the portal server, and enable SSO. Also, verify that the date, time, and time zone on the portal server computer and on the computers of the participating SSO applications are correctly set relative to Coordinated Universal Time (UTC). | If you are using single sign-on with Dashboard Application Services Hub, see the "Configuring Jazz™ for Service Management for a central user registry" and "Configuring SSO on the application server" topics in the Jazz for Service Management Configuration Guide on the Jazz for Service Management Information Center. For other applications, refer to their product documentation to determine how to configure them to use the LDAP user registry, how to enable SSO, and how to specify the same realm name and domain name as the portal server. |
| 3 | Map Tivoli Enterprise Portal user IDs to LDAP distinguished names. | Mapping Tivoli Enterprise Portal user IDs to LDAP distinguished names |
| 4 | Reconfigure the Tivoli Enterprise Portal browser client for SSO if it will be launched by another application on the same computer as the portal server. | Reconfiguring the browser client for SSO |
| 5 | Verify that your Tivoli Enterprise Portal users can launch the portal client and log in successfully. Note: Portal client users must specify the value of their relative distinguished name when they log in. For example, if their relative distinguished name is cn=John Doe, they must specify John Doe when prompted for their credentials. | If the Tivoli Enterprise Portal users cannot log in to the Tivoli Enterprise Portal, review the TEPS/e log for diagnostic information. This is the SystemOut.log located on the computer where the portal server is installed, at install_dir\CNPSJ\profiles\ITMProfile\logs or install_dir/Platform/iw/profiles/ITMProfile/log. If you encounter authentication errors and cannot resolve them, you can disable LDAP authentication by following the steps in Disabling LDAP authentication on the portal server. |
| 6 | Configure TLS/SSL between the portal server and the LDAP server if you want to secure this communication. | Configuring TLS/SSL communication between the portal server and the LDAP server |
| 7 | Verify that your Tivoli Enterprise Portal users can still log in. | N/A |
| 8 | You must ensure that the following applications are using the same LTPA key as the portal server: | If you decide that the portal server will be the source of the LTPA key, export its LTPA key using the export instructions in Importing and exporting LTPA keys. If you are using IBM Dashboard Application Services Hub for monitoring dashboards and it will be the source of the LTPA key, see "Exporting LTPA keys" in the Jazz for Service Management Configuration Guide on the Jazz for Service Management Information Center. Otherwise, refer to the documentation of the application whose LTPA key will be exported to determine how to perform the export operation. |
| 9 | The administrators of the other participating SSO applications must import the LTPA key that was exported in the previous step. They need the key file and the password that was used to encrypt the key. | To import an LTPA key into the portal server, see the import instructions in Importing and exporting LTPA keys. To import an LTPA key into IBM Dashboard Application Services Hub, see "Importing LTPA keys" in the Jazz for Service Management Configuration Guide on the Jazz for Service Management Information Center. See the documentation for the other participating SSO applications for instructions on importing the LTPA key. |
| 10 | Verify that single sign-on is working between the portal server and each participating SSO application by performing the following tasks that apply to your SSO environment: Note: When accessing the web interface of an application that supports SSO, enter the fully qualified host name when specifying the URL of the application. The application servers participating in SSO check the LTPA tokens to verify that the request is coming from a server in the same Internet or intranet domain. | N/A |
| 11 | Create Tivoli Enterprise Portal user IDs when new users are added in the LDAP user registry. | Managing new LDAP users |
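As an added example (not part of the IBM documentation), a small Python helper for two checks in the table: deriving the value a user must type at the portal login prompt from their LDAP distinguished name (step 5), and confirming that an application URL uses a fully qualified host inside the configured SSO domain before you test single sign-on (step 10 note). The domain `.example.com` and the URLs in the tests are constructed values.

```python
from urllib.parse import urlsplit

HEX = "0123456789abcdefABCDEF"


def login_value_from_dn(dn: str) -> str:
    """Return the value of the leftmost RDN of an LDAP distinguished name.

    This is what a portal user types at the login prompt (step 5):
    'cn=John Doe,ou=users,dc=example,dc=com' -> 'John Doe'.
    RFC 4514 escapes are decoded ('cn=Doe\\, Jane' -> 'Doe, Jane',
    '\\2C' -> ','); for a multi-valued RDN (cn=a+sn=b) the first value wins.
    """
    eq = dn.find("=")
    if eq < 0:
        raise ValueError(f"not a DN: {dn!r}")
    i, n, raw = eq + 1, len(dn), bytearray()
    while i < n and dn[i] == " ":          # skip spaces after '='
        i += 1
    while i < n:
        c = dn[i]
        if c == "\\":                       # backslash escape
            if i + 2 < n and dn[i + 1] in HEX and dn[i + 2] in HEX:
                raw.append(int(dn[i + 1:i + 3], 16))   # \XX hex-encoded byte
                i += 3
            elif i + 1 < n:
                raw += dn[i + 1].encode("utf-8")      # \, \+ \\ and similar
                i += 2
            else:
                raise ValueError("trailing backslash in DN")
        elif c in ",+":                     # end of this RDN or RDN value
            break
        else:
            raw += c.encode("utf-8")
            i += 1
    return raw.decode("utf-8")


def check_sso_url(url: str, sso_domain: str) -> tuple[bool, str]:
    """Check the URL a user will open against the SSO domain (step 10 note).

    Participating servers verify that the request comes from the same
    Internet or intranet domain, so a short host name or a host outside
    the configured domain produces a fresh login prompt instead of SSO.
    """
    host = (urlsplit(url).hostname or "").lower()
    dom = sso_domain.lower().lstrip(".")
    if "." not in host:
        return False, f"'{host}' is not a fully qualified host name"
    if host != dom and not host.endswith("." + dom):
        return False, f"'{host}' is outside the SSO domain .{dom}"
    return True, "ok"
```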