IBM Support

Configuring single sign-on with WebSphere Portal in Sametime

Technote (FAQ)


Question

What are the steps required to configure SSO with WebSphere Portal in Sametime?

Answer

Configuring single sign-on with WebSphere Portal and Sametime
If you will use IBM Sametime with IBM WebSphere Portal, you can enable single sign-on by importing the WebSphere Portal LTPA token into the IBM Domino server used by Sametime, and then configuring WebSphere-based servers from both deployments to use the same realm.

Procedure

1. Retrieve the realm name used in WebSphere Portal.
a. Log into the WebSphere Application Server's Integrated Solutions Console as the WebSphere administrator.
b. In the navigator, click Security > Global Security.
c. Under "User account repository" click the Configure button.

d. Write down the name shown in the Realm name field; you will need the name in step 4 of this task.
e. Click Cancel to ensure you do not make any accidental changes.

2. Export the LTPA used by WebSphere Portal.
a. On the WebSphere Application Server, start the administrative console and log in.
b. Select Security > Global security.
c. Under Authentication, click Authentication mechanisms > LTPA.
d. Under Additional properties (on the right), click Single signon (SSO).
e. Make sure Web inbound security attribute propagation is deselected. If you must make a change to it, click Apply.
f. Click the LTPA link to return to the Configuration tab.
g. Type a password in the Password field and enter a name, path and file name in the Key File Name field.
Tip: Make a note of the password; you will need it during your next SSO task when you import the LTPA key into the Domino server.
h. Click the Export Keys button.
i. If you made changes, click Save to apply the changes to the master configuration, then Save again on the next screen.
j. Log out from the administrative console.
k. Copy the key file that was created during the export process to a location that is accessible to the Domino server.

3. Import the LTPA token into Domino on every Sametime Community Server.
a. Open the names.nsf file on the Domino server for the Sametime Community Server.
b. Click Configuration > Web > Web Configurations view.
c. Open the Web SSO Configuration for LtpaToken document.
d. Click Edit SSO Configuration.
e. Click Keys > Import WebSphere LTPA keys.
f. Type in the exact file location of the key file you created when you exported the LTPA token from WebSphere Portal in step 2.
g. Enter the password you created when you exported the LTPA token from WebSphere Portal in step 2.
h. Click OK.

The message "Successfully imported WebSphere LTPA keys" appears after the key has been imported.

Important: MAKE SURE THE REALM NAME MATCHES HERE. Remember that if it is a Portal realm, it is often displayed as ldaphost:389, which means it needs to be modified to ldaphost/:389 in the UI before saving.

Repeat this step on all deployment manager(s).

4. Configure all WebSphere-based Sametime servers to use the same LTPA realm as WebSphere Portal.
a. Log into the WebSphere Application Server's Integrated Solutions Console as the WebSphere administrator.
b. In the navigator, click Security > Global Security.
c. Under "User account repository" click the Configure button.

d. In the Realm name field, delete the existing name and type the realm name used in WebSphere Portal, making sure to match it exactly (including spelling and capitalization).
e. Click OK.
f. Save the change to the master configuration by clicking the Save link in the "Messages" box at the top of the page.
Tip: Repeat on each deployment manager if you have multiple CELLs.

5. Important: After you change the realm definition, you must re-map the wsadmin account to the required security/admin roles.
a. In the "Users and Groups" section, select "Admin User roles" and then select the admin user(s) and reassign all roles to them.
b. Then save to the master configuration and restart the deployment manager.

6. Manually synchronize the nodes:
a. Go to each node and shut down the nodeagent and all application servers.
b. Open a command prompt and navigate to:
 websphere/appserver/profiles/<profilename>/bin
c. Run the following command:
 syncNode.(bat/sh) dmgrHostname.company.com 8703
where 8703 is the SOAP port for the deployment manager.
d. Restart the nodeagents and servers.
e. Monitor the startServer and SystemOut logs for any errors related to security; such errors may indicate that the new realm information is not entirely in sync, in which case you may need to repeat this step. (If you ensure that everything is shut down except the dmgr, do all the work on the dmgr, and manually sync the nodes before starting them, you stand the greatest chance of quick success.)

Repeat this step for every Sametime CELL deployment.
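The following script is an added example that is not part of the IBM technote; it wraps step 6 for one Linux/AIX node and adds the log check from step 6e. PROFILE_BIN, DMGR_HOST, DMGR_SOAP_PORT and SERVERS are assumed placeholder values for your own node profile, deployment manager and application servers.

```shell
#!/bin/sh
# Added example (not from the IBM technote). Assumed placeholders: the node
# profile's bin directory, the dmgr host and SOAP port (8703 as in step 6c),
# and the application servers on this node. All commands are the standard
# WebSphere profile scripts (stopServer/stopNode/syncNode/startNode/startServer).
PROFILE_BIN="${PROFILE_BIN:-/opt/IBM/WebSphere/AppServer/profiles/STNode1/bin}"
DMGR_HOST="${DMGR_HOST:-dmgrHostname.company.com}"
DMGR_SOAP_PORT="${DMGR_SOAP_PORT:-8703}"
SERVERS="${SERVERS:-STProxyServer}"

# Step 6a: stop every application server on the node, then the nodeagent.
stop_node() {
  for s in $SERVERS; do "$PROFILE_BIN/stopServer.sh" "$s"; done
  "$PROFILE_BIN/stopNode.sh"
}

# Step 6c: pull the updated realm/security configuration from the dmgr.
sync_node() {
  "$PROFILE_BIN/syncNode.sh" "$DMGR_HOST" "$DMGR_SOAP_PORT"
}

# Step 6d: start the nodeagent and then the application servers again.
start_node() {
  "$PROFILE_BIN/startNode.sh"
  for s in $SERVERS; do "$PROFILE_BIN/startServer.sh" "$s"; done
}

# Step 6e: count security-related error lines in a SystemOut.log.
# WebSphere security messages carry the SECJ prefix; a trailing E marks an
# error (for example SECJ0369E), while I/W lines are informational/warnings.
count_security_errors() {
  grep -c 'SECJ[0-9]*E' "$1" || true
}

# Only touch a live node when invoked with "run"; otherwise the functions can
# be sourced and tested without side effects.
if [ "${1:-}" = "run" ]; then
  stop_node && sync_node && start_node
  n=$(count_security_errors "$PROFILE_BIN/../logs/nodeagent/SystemOut.log")
  echo "security errors after sync: $n (non-zero: realm not in sync, repeat step 6)"
fi
```

A non-zero count after the restart is the signal from step 6e that the realm definition has not propagated and the sync should be repeated.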

Document information

More support for: Lotus End of Support Products
IBM Sametime

Software version: 8.5, 8.5.1, 8.5.1.1, 8.5.2

Operating system(s): AIX, Linux, Windows

Software edition: Standard

Reference #: 1575383

Modified date: 22 August 2017