The single sign-on (SSO) feature lets users launch out of the Tivoli® Enterprise
Portal to other Tivoli Web-based or Web-enabled applications, or launch into the
Tivoli Enterprise Portal from those applications, without having to re-enter
their user IDs and passwords.

Single sign-on is also required if you are using monitoring dashboard
applications such as IBM® Infrastructure Management Dashboards for Servers,
IBM Infrastructure Management Dashboards for VMware, IBM Infrastructure
Management Capacity Planner for VMware, IBM Infrastructure Management Capacity
Planner for PowerVM® or custom dashboards with Dashboard Application Services
Hub and you want to assign different permissions to your dashboard users or
launch from the monitoring dashboards to the Tivoli Enterprise Portal client.

For SSO to be enabled for these scenarios, authentication must be configured
through the Tivoli Enterprise Portal Server and the LDAP registry defined to the
portal server must be a central registry shared by all participating Tivoli
applications. All the participating applications must be configured for SSO and
must belong to the same internet or intranet domain and realm.

If you are using the Performance Monitoring service provider, it uses the
Security Services component of Jazz™ for Service Management to support single
sign-on. When the Performance Monitoring service provider receives an HTTP GET
request from an OSLC client, it forwards the LTPA token to Security Services to
authenticate the request. If the request does not contain an LTPA token or
Security Services indicates that the token is not valid or has expired, the
Performance Monitoring service provider returns an HTTP 401 status code to
indicate that the request could not be authenticated. To enable single sign-on
support for the Performance Monitoring service provider, perform the following
steps:
- Install Security Services on the same application server as the Registry
  Services component of Jazz for Service Management.
- Enable WebSphere® Global Security in the application server for Registry
  Services and Security Services, configure the application server to use a
  central LDAP registry, and enable single sign-on. For more information, see
  "Configuring Jazz for Service Management for a central user registry" and
  "Configuring Jazz for Service Management for SSO" in the Jazz for Service
  Management Information Center.
- Configure the application servers for OSLC client applications to use the
  same LDAP registry and enable LTPA-based single sign-on with Security
  Services. The applications must also be configured to use the same LTPA key.
- Configure the Performance Monitoring service provider to use Security
  Services by setting the Tivoli Enterprise Monitoring Automation Server
  KAS_SECURITY_SERVICES_ENABLED environment variable to Yes, and then restart
  the automation server.
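
A pre-flight check of the shared prerequisites named above (same domain, realm, LDAP registry and LTPA key across all participating applications), as an added example that is not IBM's code. The inventory fields, host names, realm name and key fingerprints are constructed assumptions; collect the real values from each server's own configuration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    name: str         # label for the participating application
    host: str         # fully qualified host name of its server
    realm: str        # realm configured for the application
    ldap_url: str     # LDAP registry it authenticates against
    ltpa_key_id: str  # fingerprint of the LTPA key it imported (assumed field)

# Settings that must be identical everywhere, with how each is normalized.
SHARED = {
    "realm": ("realm", str.strip),
    "ldap_url": ("LDAP registry", lambda v: v.strip().lower().rstrip("/")),
    "ltpa_key_id": ("LTPA key", lambda v: v.strip().lower()),
}

def check_sso(apps, sso_domain):
    """Return findings; an empty list means the shared prerequisites hold."""
    findings = []
    suffix = "." + sso_domain.strip(".").lower()
    for app in apps:
        if not app.host.lower().rstrip(".").endswith(suffix):
            findings.append(f"{app.name}: host {app.host} is outside {suffix}")
    for field, (label, norm) in SHARED.items():
        seen = {}  # normalized value -> applications that use it
        for app in apps:
            seen.setdefault(norm(getattr(app, field)), []).append(app.name)
        if len(seen) > 1:
            detail = "; ".join(f"{v} on {', '.join(n)}" for v, n in sorted(seen.items()))
            findings.append(f"{label} differs: {detail}")
    return findings

# Constructed inventory: names, hosts and fingerprints are placeholders.
GOOD = [
    App("portal server", "teps.mon.example.com", "itmRealm", "ldap://ldap.example.com:389", "AB12"),
    App("dashboard hub", "dash.mon.example.com", "itmRealm", "LDAP://ldap.example.com:389/", "ab12"),
]
BAD = GOOD + [
    App("oslc client", "oslc.lab.example.net", "itmRealm", "ldap://ldap.example.com:389", "cd34"),
]

if __name__ == "__main__":
    for line in check_sso(BAD, "example.com") or ["all shared prerequisites match"]:
        print(line)
```

A server that fails any of these checks presents an LTPA token that the other participants cannot validate, which at the Performance Monitoring service provider surfaces as the HTTP 401 response described above.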

For instructions on using SSO, see the "Enabling user authentication" chapter
in the IBM Tivoli Monitoring Administrator's Guide.