This article describes the process of configuring single sign-on (SSO) between IBM® WebSphere® Portal and IBM WebSphere Process Server. It also includes some extra security measures, like Identity Assertion between both servers, and compatibility features like Interoperability Mode, which supports backward compatibility between different WebSphere Application Server versions.
Overview
Configuring WebSphere Process Server
Configuring WebSphere Portal Server
Verifying SSO is configured correctly
Resources
About the author
Configuring WebSphere Process Server
1. Log into the Admin Console of Process Server. Select Security > Secure administration, applications, and infrastructure. In the Authentication section, expand Web security and select single sign on (SSO), as shown in figure 1.
Figure 1. Authentication section

2. Under General Properties, ensure that the Enabled, Interoperability Mode, and Web inbound security attribute propagation checkboxes are selected (see figure 2).
Figure 2. General Properties

a) In the Domain name field enter the domain names that are allowed access to the SSO configuration. The domain names must be separated by the | character, for example, .mul.ie.ibm.com.|ibm.com.
b) Click OK and save directly to the master configuration.
3. Back in the Authentication section, expand RMI/IIOP security, and select CSIv2 inbound authentication:
a) In the General Properties section (see figure 3), set both “Basic authentication” and “Client certificate authentication” to Supported.
b) Make sure the Identity assertion checkbox is selected.
c) In the Trusted identities field, enter the fully qualified admin user name of the WebSphere Application Server on which Portal server is installed.
d) The Stateful sessions and Security attribute propagation checkboxes should also be selected.
Figure 3. RMI/IIOP security General Properties

4. In the Authentication section, expand RMI/IIOP security, and select CSIv2 outbound authentication:
a) Set Basic authentication to Supported.
b) Select the Identity assertion checkbox, and enter the fully qualified admin user name of Process Server as an alternative trusted identity.
c) Be sure “Stateful sessions” is selected.
d) Custom outbound mapping does not have to be selected.
e) Security attribute propagation should be selected.
f) In the trusted target realms, enter the domains that you want to be trusted by the server, separated by the | character, for example, .mul.ie.ibm.com|ibm.com
5. Select Authentication mechanisms and expiration, and in the Key generation section select Key set groups > NodeLTPAKeySetGroup > General Properties:
a) Under Key generation, uncheck the Automatically generate keys checkbox.
b) Select OK, and then save to master configuration.
6. Select Authentication mechanisms and expiration from the main security page:
a) Under Cross cell and single sign-on, enter a password, confirm it, and enter the absolute path to a file in which to store the LTPA keys, for example, C:\keyfile.
b) Click Export Keys to export to the specified file and save the changes.
7. Restart the Process Server to update to the new security configuration.
Configuring WebSphere Portal Server
1. Log into the Admin Console of Portal Server. Select Security > Secure administration, applications, and infrastructure.
2. In the Authentication section, expand Web security and select single sign on (SSO), as shown in figure 4.
Figure 4. Authentication section

3. In the General Properties section, ensure that the Enabled, Interoperability Mode, and Web inbound security attribute propagation checkboxes are selected (see figure 5).
Figure 5. General Properties

a) In the Domain name field, enter the domain names that are allowed access to the SSO configuration. The domain names must be separated by the | character, for example, .mul.ie.ibm.com.|ibm.com
b) Select OK, and save to the master configuration.
4. In the Authentication section, expand RMI/IIOP security, and select CSIv2 inbound authentication:
a) Set both “Basic authentication” and “Client certificate authentication” to Supported (see figure 6).
b) Ensure the Identity assertion checkbox is selected.
c) In the Trusted identities field, enter the fully qualified admin user name of the WebSphere Application Server on which Portal server is installed.
d) Ensure that the Security attribute propagation and Stateful sessions checkboxes are also selected.
Figure 6. General Properties

5. In the Authentication section, expand RMI/IIOP security, and select CSIv2 outbound authentication:
a) Basic authentication should be set to Supported.
b) The Identity assertion checkbox should be selected, and the fully qualified admin user name of Process Server should be entered as an alternative trusted identity.
c) Stateful sessions should be selected.
d) Custom outbound mapping does not have to be selected.
e) Security attribute propagation should be selected.
f) In the trusted target realms, enter the domains that you want to be trusted by the server, separated by the | character, for example, .mul.ie.ibm.com|ibm.com
6. Select Authentication mechanisms and expiration, and in the Key generation section, select Key set groups > NodeLTPAKeySetGroup > General Properties:
a) Under Key generation, uncheck the Automatically generate keys checkbox (see figure 7).
Figure 7. Key generation section

b) Click OK, and save to master configuration.
7. Select Authentication mechanisms and expiration from the main security page:
a) Under Cross cell and single sign-on, enter the same password used in Step 6(a) of the Configuring WebSphere Process Server section, confirm it, and then enter the absolute path to the file containing the LTPA keys exported from the Process Server in Step 6(a) of that same section.
b) Click Import keys to import the LTPA keys from the Process Server.
c) Select OK, and save directly to master configuration.
8. Restart the Portal Server for the changes to take effect. After the restart, SSO should be configured between the Portal and Process servers.
Verifying SSO is configured correctly
Follow these steps to verify that SSO is working:
1. Open the Admin console of both Portal and Process Server in the same browser in separate tabs and log into both. Do not use the localhost address in the URL to connect to either server: the LTPA cookie is scoped to the domain names entered in the Domain name field, and the browser will not present it for localhost, so SSO cannot work through that address.
2. Log out of Process Server, go to the Portal Admin console, and select any menu link. The Portal Server should redirect to the Portal log-in page after you select any link because the Portal Server session was closed when you logged out of the Process Server.
3. If Portal Server does not log out after a link is selected, then SSO has not been configured properly, and you should review the steps outlined above to verify that the servers are configured properly.
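The checks below are an added example, not part of the original article: they parse the |-separated Domain name field from the SSO steps, decide whether a given host name would receive the LTPA cookie (which is why localhost fails in the verification step), and inspect a login response's Set-Cookie headers for the LtpaToken2 cookie and, when Interoperability Mode is on, the older LtpaToken cookie. The sample headers and token values are constructed placeholders.

```python
from http.cookies import SimpleCookie, Morsel
from typing import Dict, List


def parse_sso_domains(field: str) -> List[str]:
    """Split the console's '|'-separated Domain name field into normalised
    cookie domains (lower case, leading dot, stray trailing dot removed)."""
    domains = []
    for raw in field.split("|"):
        d = raw.strip().lower().rstrip(".")
        if d:
            domains.append(d if d.startswith(".") else "." + d)
    return domains


def host_in_sso_domain(host: str, domains: List[str]) -> bool:
    """Would a browser send an LTPA cookie scoped to one of `domains` to `host`?
    'localhost' and other undotted names never match a dotted cookie domain."""
    h = host.lower().rstrip(".")
    if "." not in h:
        return False
    return any(h == d.lstrip(".") or h.endswith(d) for d in domains)


def check_ltpa_cookies(set_cookie_headers: List[str], interoperability_mode: bool,
                       domains: List[str]) -> List[str]:
    """Inspect the Set-Cookie headers of a login response and return a list of
    problems; an empty list means the LTPA cookies match this SSO configuration."""
    found: Dict[str, Morsel] = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        found.update(jar)
    # LtpaToken2 is the current token; Interoperability Mode additionally issues
    # the older LtpaToken so older WebSphere versions in the SSO domain accept it.
    expected = ["LtpaToken2"] + (["LtpaToken"] if interoperability_mode else [])
    problems = []
    for name in expected:
        morsel = found.get(name)
        if morsel is None:
            problems.append(f"missing {name} cookie")
            continue
        dom = morsel["domain"].lower().rstrip(".")
        if not dom:
            problems.append(f"{name} cookie has no Domain attribute")
        elif ("." + dom.lstrip(".")) not in domains:
            problems.append(f"{name} cookie domain {dom!r} is not in the SSO domain list")
    return problems


# Constructed sample headers (placeholder token values, not real LTPA tokens).
SAMPLE_HEADERS = [
    "LtpaToken2=AAECAzQ1Njc4OQ==; Path=/; Domain=.mul.ie.ibm.com; HttpOnly",
    "LtpaToken=AAECAzEyMzQ1Ng==; Path=/; Domain=.mul.ie.ibm.com",
]
```

Run `check_ltpa_cookies` against the headers captured from a real Portal or Process Server login (a browser's developer tools will show them) to confirm the cookie domain matches what you entered in Step 2(a)/3(a).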
Resources
WebSphere Portal Server Information Center:
http://publib.boulder.ibm.com/infocenter/wpdoc/v6r1m0/index.jsp
WebSphere Application Server Information Center:
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp
WebSphere Process Server Information Center:
http://publib.boulder.ibm.com/infocenter/dmndhelp/v6r1mx/topic/com.ibm.websphere.wps.610.doc/welcome_wps.html
developerWorks white paper, “Configuring single sign-on (SSO) between IBM WebSphere Portal and IBM Lotus Domino”:
http://www.ibm.com/developerworks/lotus/documentation/domino/d-ls-sso-portal-domino2/
About the author
David Rockett joined IBM as a graduate developer in 2006 and has worked on the Lotus Workforce Management project, from versions 1.x up to the current version 6.1.