ShowTable of Contents
Important: Synchronize the time on each instance of WebSphere Application Server for which you plan to set up SSO. LTPA tokens use timestamps from the server to timeout. SSO failures can occur because the time difference between servers is greater than the timeout value of the LTPA tokens.
Enabling single sign-on
Enable single sign-on (SSO) on all the instances of WebSphere Application Server for which you plan to establish SSO.
To enable SSO on WebSphere Application Server, do the following:
1. Log in to the WebSphere Application Server administration console.
2. Navigate to
Security >
Global Security.
3. In the
Authentication cache settings section, expand
Web and SIP security then select
Single sign-on (SSO).
4. In the
General Properties section, specify the following configuration values for single sign-on:
Enabled
Selected by default.
Requires SSL
Specify the domain name that you are using for the servers; for example,
my.companyname.com.
Interoperability Mode
Select this field if not selected by default.
Web inbound security attribute propagation
Selected by default.
5. Click
OK and save to the master configuration.
Repeat the preceding steps for the other instances of WebSphere Application Server for which you plan to establish SSO.
Exporting the LTPA key
Export a Lightweight Third Party Authentication (LTPA) key from WebSphere Application Server to import into other instances of WebSphere Application Server. You only need to export the LTPA key from one server.
Before you begin:
i. Enable SSO on WebSphere Application Server.
To export the single sign-on key, do the following:
1. Log in to the WebSphere Application Server administration console.
2. Navigate to
Security >
Global security >
Authentication >
LTPA.
3. In the
Cross-cell single sign-on section, specify a password for the LTPA key.
4. Enter the LTPA key name and directory to which you want to export the key in the
Fully qualified key file name field. For example, on Windows, enter
C:\my_key_name on Linux, enter
/opt/my_key_name.
5. Click
Export keys.
6. Click
OK and save to the master configuration.
7. Navigate to the directory where you exported the LTPA key.
8. Copy the LTPA key to the file system where you plan to import it.
Importing the LTPA key
Import the LTPA key into WebSphere Application Server. You can import the same LTPA key into multiple servers.
Before you begin:
i. Export the LTPA key.
ii. Copy the LTPA key from the file system where you exported it to the file system where you plan to import it.
To import the LTPA key, do the following:
1. Log in to the WebSphere Application Server administration console.
2. Navigate to
Security >
Global security >
Authentication >
LTPA.
3. In the
Cross-cell single sign-on section, specify the password for the LTPA key.
4. Enter the directory on your file system where you copied the LTPA key in the
Fully qualified key file name field.
5. Click
Import keys.
6. Click
OK and save to the master configuration.
7. Restart both the server you exported the LTPA key from and the server into which you imported the LTPA key. Restart the servers only after you have imported the LTPA key into all the servers for which you plan to establish SSO.
Repeat the steps in this task for all servers for which you plan to set up SSO, then restart all servers.
Verifying single sign-on
You have successfully established SSO between multiple instances of WebSphere Application Server when you can log in to one administration console then access the other administration consoles without having to log in again.
To verify SSO, do the following:
1. Log in to the WebSphere Application Server administration console where you exported the LTPA key.
2. In your browser's address bar, enter the URL for the WebSphere Application Server administration console where you imported the LTPA key.
If the WebSphere Application Server administration console opens without requiring you to log in, you have successfully set up SSO.