Lightweight Third Party Authentication (LTPA) is an
IBM WebSphere Application Server
security protocol that enables a secure single signon (SSO) environment among
WebSphere Application Servers.
Set up single
sign-on (SSO) between two or more instances of WebSphere Application Server
so users can authenticate to all applications running on WebSphere Application
Server with a single log in. SSO on WebSphere Application Server is established
through Lightweight Third Party Authentication (LTPA) keys. You export the LTPA
key from one instance of WebSphere Application Server then import that key into
a different instance of WebSphere Application Server to establish SSO.
You must configure each of the administrative domains to use the same DNS domain, the same user registry (LDAP or a custom registry), and a common set of LTPA keys.
Configuring single sign-on (SSO) on WebSphere Application Server
1 Enabling single sign-on
2 Exporting the LTPA key
3 Importing the LTPA key
4 Verifying single sign-on
Important: Synchronize the time on each instance of
WebSphere Application Server for which you plan to set up SSO. LTPA tokens use
timestamps from the server to timeout. SSO failures can occur because the time
difference between servers is greater than the timeout value of the LTPA
tokens.
Enabling single sign-on
Enable single sign-on (SSO) on all the instances of
WebSphere Application Server for which you plan to establish SSO.
To enable SSO on WebSphere Application Server, do
the following:
1. Log in to the WebSphere Application Server
administration console.
2. Navigate to Security
> Global Security.
3. In the Authentication cache settings section,
expand Web and SIP security then
select Single sign-on (SSO).
4. In the General Properties section, specify the
following configuration values for single sign-on:
- Enabled: Selected by default.
- Requires SSL: Select this option if you want to require SSL for SSO; otherwise leave it as it is.
- Domain Name: Specify the domain name that you are using for the servers, or leave it blank.
- Interoperability Mode: Select this option if it is not already selected.
- Web inbound security attribute propagation: Selected by default.
5. Click OK and
save to the master configuration.
Repeat the preceding steps for the other instances
of WebSphere Application Server for which you plan to establish SSO.
Exporting the LTPA key
Export a Lightweight Third Party Authentication
(LTPA) key from WebSphere Application Server to import into other instances of
WebSphere Application Server. You only need to export the LTPA key from one
server.
Before you begin: Enable SSO on WebSphere Application Server.
To export the single sign-on key, do the following:
1. Log in to the WebSphere Application Server
administration console.
2. Navigate to Security
> Global security > Authentication > LTPA.
3. In the Cross-cell single sign-on section, specify a password for the LTPA key.
4. Enter the LTPA key name and directory to which
you want to export the key in the Fully qualified key
file name field. For example, on Linux, enter /u03/local/opt/was/was70/profiles/my_key_name.
5. Click Export keys.
6. Click OK and save to the master configuration.
7. Navigate to the directory where you exported the
LTPA key.
8. Copy the LTPA key to the file system where you
plan to import it.
Importing the LTPA key
Import the LTPA key into WebSphere Application
Server. You can import the same LTPA key into multiple servers.
Before you begin:
- Export the LTPA key.
- Copy the LTPA key from the file system where you exported it to the file system where you plan to import it.
1. Log in to the WebSphere Application Server
administration console.
2. Navigate to Security
> Global security > Authentication > LTPA.
3. In the Cross-cell single sign-on section,
specify the password for the LTPA key.
4. Enter the directory on your file system where
you copied the LTPA key in the Fully qualified key file name field.
5. Click Import keys.
6. Click OK and save to the master configuration.
7. Restart both the server you exported the LTPA
key from and the server into which you imported the LTPA key. Restart the
servers only after you have imported the LTPA key into all the servers for
which you plan to establish SSO.
Repeat the steps in this task for all servers for
which you plan to set up SSO, then restart all servers.
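The export and import steps above, as an added wsadmin Jython script that is not part of the original post: it relies on the AdminTask commands exportLTPAKeys and importLTPAKeys, and the file path and key password shown in the usage comment are placeholders you replace.

```jython
# Added example (not from the original post): the "Exporting the LTPA key" and
# "Importing the LTPA key" console steps as a wsadmin Jython script.
# Run from <profile>/bin on the exporting server first, then on each importing server:
#   wsadmin.sh -lang jython -f ltpa_keys.py export file:/tmp/ltpa.key "<key password>"
#   wsadmin.sh -lang jython -f ltpa_keys.py import file:/tmp/ltpa.key "<key password>"
# Assumptions: the path and password are placeholders; the key file is given as a
# file: URL; AdminTask and AdminConfig are the objects wsadmin provides.
import sys

def export_ltpa_keys(key_file_url, password):
    # Same as Security > Global security > Authentication > LTPA >
    # Cross-cell single sign-on > Export keys. The password protects the
    # exported file; the same password is required again at import time.
    AdminTask.exportLTPAKeys('[-ltpaKeyFile %s -password "%s"]' % (key_file_url, password))
    AdminConfig.save()
    print 'Exported LTPA keys to %s (protect this file, remove it after import)' % key_file_url

def import_ltpa_keys(key_file_url, password):
    # Same as ... > Cross-cell single sign-on > Import keys. Copy the exported
    # file to this server's file system before running this.
    AdminTask.importLTPAKeys('[-ltpaKeyFile %s -password "%s"]' % (key_file_url, password))
    AdminConfig.save()
    print 'Imported LTPA keys from %s; restart the servers once every server has imported them' % key_file_url

# wsadmin puts only the script arguments in sys.argv (no script name entry).
if len(sys.argv) != 3:
    print 'usage: wsadmin -lang jython -f ltpa_keys.py export|import <file:URL> <password>'
    sys.exit(1)
action, key_file_url, password = sys.argv
if action == 'export':
    export_ltpa_keys(key_file_url, password)
elif action == 'import':
    import_ltpa_keys(key_file_url, password)
else:
    print 'unknown action: %s' % action
    sys.exit(1)
```

In a Network Deployment cell, synchronize the nodes after the import before restarting, as the console steps above require.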
Verifying single sign-on
You have successfully established SSO between
multiple instances of WebSphere Application Server when you can log in to one
administration console then access the other administration consoles without
having to log in again.
To verify SSO, do the following:
1. Log in to the WebSphere Application Server
administration console where you exported the LTPA key.
2. In your browser's address bar, enter the URL for
the WebSphere Application Server administration console where you imported the
LTPA key.
If the WebSphere Application Server administration
console opens without requiring you to log in, you have successfully set up
SSO.
LTPA timeout value for forwarded credentials between servers
This value refers to how long the server
credentials from another server are valid before they expire. The default value
is 120 minutes. The value in the LTPA timeout value for forwarded credentials
between servers field must be greater than the value in the Cache timeout field
on the Authentication cache settings panel.
Admin Console > Security > Global Security > Authentication > LTPA