Scope: This document describes how to configure Single Sign-on (SSO) between WebSphere Application Server (6.x) and Tivoli Access Manager e-Business (6.0) using LTPA (Lightweight Third Party Authentication) tokens. It takes a practical approach with detailed configuration steps; I will update it with any special instructions for other versions.
Product and Versions:
* WebSphere Application Server(6.x)
* Tivoli Access Manager e-Business (6.0)
* AIX Platform.
Acronyms:
* WAS - WebSphere Application Server.
* TAMeb - Tivoli Access Manager e-Business.
* LDAP - Lightweight Directory Access Protocol.
Assumptions:
* TAMeb is installed and configured.
* TAMeb WebSeal is configured and running on AIX.
* WAS installed and configured on AIX.
* Security on WAS is enabled and uses the TAMeb LDAP as the user registry (see the earlier post on enabling WAS security with TAMeb LDAP).
Step 1: Export the LTPA key from WAS Admin Console.
a) Log in to the WAS Admin Console -> click Security -> click Authentication mechanisms and expiration.
Note: The screenshot below shows that both "Administrative security" and "Application security" are enabled.

b) Enter the LTPA password in the "Password" field -> re-enter it in the "Confirm password" field -> enter the fully qualified key file name (in our example "example.com.ltpa.key") -> click the "Export keys" button.

Note: The password and the fully qualified key file name can be anything you choose ('somepassword' in our example). WebSEAL needs this password to decrypt the key file when LTPA is enabled on the junction (the -Z option in Step 3). When only a file name is given, the exported key is written to the Deployment Manager profile root.
EX: /opt/WebSphere/AppServer/profiles/Dmgr01/example.com.ltpa.key
Treat this file like a private key: anyone who holds it together with its password can mint LTPA tokens that WAS will accept for any user in the registry. Keep it readable only by its owner, and remove or lock down the copy left in the profile directory once it has been transferred.

Step 2: Copy the LTPA key file from the WAS server to the TAMeb WebSEAL server over a secure channel (scp/sftp, not ftp), and make it readable only by the user that the WebSEAL process runs as (mode 600).
ex: /app/pdweb/ltpa/example.com.ltpa.key
Step 3: Create or modify the TAMeb virtual host junction to enable LTPA authentication.
a) Connect to TAMeb Policy server.
$ pdadmin -a sec_master
Enter Password:
pdadmin sec_master>
b) Create a virtual host junction
server task [WebSEAL_Name] virtualhost create -t ssl -h [ServerName-IP] -p [PORT] -v [DomainName] -A -F [path_to_ltpa_key_file] -Z [password] -c iv-user [virtual_Host_Junction_Name]
Where: -t ssl is the junction type to the back end; -h and -p are the back-end host and port; -v is the virtual host name WebSEAL matches against the request's Host header; -A enables LTPA, so WebSEAL sets an LtpaToken cookie on requests it forwards; -F and -Z are the key file copied in Step 2 and the password it was exported with; -c iv-user makes WebSEAL insert the authenticated user name in an iv-user HTTP header; the last argument is the junction label.
Ex:
server task Webseal-Example virtualhost create -t ssl -h example-ihs-server.com -p 443 -v example.com -A -F /app/pdweb/ltpa/example.com.ltpa.key -Z somepassword -c iv-user example.com
Use the command below if you want to modify an existing virtual host junction; notice the -f switch, which forces the create to replace the existing junction of the same label instead of failing.
server task Webseal-Example virtualhost create -t ssl -h example-ihs-server.com -p 443 -v example.com -A -F /app/pdweb/ltpa/example.com.ltpa.key -Z somepassword -c iv-user -f example.com
Step 4: Exit pdadmin and test by accessing the application through the TAMeb WebSEAL URL.
After the WebSEAL login, WAS authenticates the user from the LtpaToken cookie that WebSEAL sets (the user must exist in the shared LDAP registry), and the WAS application also receives the TAMeb user name in the iv-user header. Only trust iv-user on requests that arrived through the junction: a client that can reach the back-end server directly can set that header itself, so the back end should accept connections only from WebSEAL.
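The commissioning steps above (Steps 2 to 4 on the WebSEAL host) collected into one script, as an added example that is not part of the original post. It checks that the copied file really is a WAS LTPA export and is owner-readable only, then feeds the junction commands to pdadmin on stdin so that the -Z password does not land in shell history. The WebSEAL name, junction label, back-end host and key path are the post's own values; the environment variables LTPA_PASS and PD_PASS, the "apply" argument, the sample export with placeholder values, and the use of pdadmin's -p option with commands on stdin are assumptions of this script.

```shell
#!/bin/sh
# Added example: preflight and commissioning of the LTPA virtual host junction.
# Not code from the original post. Assumed: LTPA_PASS (LTPA export password),
# PD_PASS (sec_master password), the "apply" argument, and pdadmin reading
# commands from stdin with the password given via -p.

LTPA_KEY=${LTPA_KEY:-/app/pdweb/ltpa/example.com.ltpa.key}
WEBSEAL=${WEBSEAL:-Webseal-Example}
VHOST_LABEL=${VHOST_LABEL:-example.com}
BACKEND=${BACKEND:-example-ihs-server.com}

# ltpa_key_preflight FILE
# Returns 0 when FILE looks like a WAS LTPA key export and no group/other
# permission bits are set; otherwise prints the reason and returns 1.
ltpa_key_preflight() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    # WAS writes a Java properties file; the 3DES key inside is encrypted with
    # the export password, which is why WebSEAL needs -Z to use it.
    for key in com.ibm.websphere.ltpa.3DESKey \
               com.ibm.websphere.ltpa.PrivateKey \
               com.ibm.websphere.ltpa.PublicKey \
               com.ibm.websphere.ltpa.Realm; do
        grep -q "^$key=" "$f" || { echo "not an LTPA export: $key missing"; return 1; }
    done
    # Whoever can read this file (and knows the password) can forge tokens
    # that WAS accepts, so only the owner may read it. ls/cut is used because
    # AIX has no GNU stat; columns 5-10 are the group and other bits.
    mode=$(ls -l "$f" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "permissions too open: $(ls -l "$f" | cut -c1-10)"; return 1; }
    return 0
}

# write_sample_export FILE
# Writes a constructed stand-in for a WAS export (placeholder values, not a
# real key) with mode 600, so the preflight can be exercised offline.
write_sample_export() {
    ( umask 077; cat > "$1" <<'EOF'
#IBM WebSphere Application Server key file
com.ibm.websphere.ltpa.version=1.0
com.ibm.websphere.ltpa.3DESKey=PLACEHOLDER_ENCRYPTED_3DES_KEY
com.ibm.websphere.ltpa.PrivateKey=PLACEHOLDER_PRIVATE_KEY
com.ibm.websphere.ltpa.PublicKey=PLACEHOLDER_PUBLIC_KEY
com.ibm.websphere.ltpa.Realm=ldap.example.com\:389
EOF
    )
}

# junction_cmds
# Prints the pdadmin commands: (re)create the LTPA-enabled virtual host
# junction (-f replaces an existing junction with the same label) and then
# show it so the result can be reviewed. LTPA_PASS is the export password.
junction_cmds() {
    cat <<EOF
server task $WEBSEAL virtualhost create -t ssl -h $BACKEND -p 443 -v $VHOST_LABEL -A -F $LTPA_KEY -Z $LTPA_PASS -c iv-user -f $VHOST_LABEL
server task $WEBSEAL virtualhost show $VHOST_LABEL
EOF
}

# Only talk to pdadmin when run as "script.sh apply" on the WebSEAL host; the
# functions above can be sourced and exercised without pdadmin installed.
if [ "${1:-}" = "apply" ]; then
    : "${LTPA_PASS:?set LTPA_PASS to the LTPA export password}"
    : "${PD_PASS:?set PD_PASS to the sec_master password}"
    ltpa_key_preflight "$LTPA_KEY" || exit 1
    # Commands go over a pipe, so the -Z password is never typed at a shell
    # prompt or written to a file on disk.
    junction_cmds | pdadmin -a sec_master -p "$PD_PASS"
fi
```

Run it as `LTPA_PASS=somepassword PD_PASS=... sh ltpa_junction.sh apply` as the WebSEAL administrator; the show output should list the junction with LTPA enabled and the iv-user header identity before you test the URL in a browser.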