IBM Operations Analytics - Log Analysis, Version 1.3.2

Configuring single sign-on (SSO) with the Tivoli Integrated Portal

You can configure SSO authentication between the Tivoli® Integrated Portal and IBM® Operations Analytics - Log Analysis.

Before you begin

  • The Tivoli Integrated Portal server and the IBM Operations Analytics - Log Analysis server must use the same LDAP server for authentication.
  • The Tivoli Integrated Portal server must use a Lightweight Directory Access Protocol (LDAP) server for authentication.
  • You must configure SSO for the Tivoli Integrated Portal. To configure SSO:
    1. Log in to the Tivoli Integrated Portal server.
    2. In the Security area, click Global security.
    3. In the Authentication area, click Single-sign on (SSO).
    4. Ensure that the Enabled check box is selected.
    5. The domain value that you must have to complete step 4 of the procedure is displayed in the Domain name field. If this field is blank, enter the domain name and click Apply.

Procedure

  1. To export the Lightweight Third-Party Authentication (LTPA) keys file from the Tivoli Integrated Portal, complete the following steps:
    1. Log on to the Tivoli Integrated Portal as an administrator.
    2. In the Security area, click Global security.
    3. In the Authentication area, click LTPA.
    4. In the Cross-cell single sign on area, enter a password for the keys file in the Password field. Confirm the password.
    5. Create a blank plain text file to use as the keys file. Note the directory that you store the file in.
    6. In the Fully qualified key file name field, enter the location of the keys file that you created in the previous step. The value must point to the properties file that contains the keys that you want to export. For example, for a Windows operating system, enter C:\keys.properties. For a Unix-based operating system, enter <tip_home_dir>/profiles/TIPProfile.
    7. Click Export keys.
  2. Add the Tivoli Integrated Portal LDAP realm to the IBM Operations Analytics - Log Analysis LDAP configuration. Ensure that the LDAP realm that is specified here is the same as the one used by Tivoli Integrated Portal. To specify the realm, edit the ldap_realm_property property in the ldapRegistryHelper.properties file:
    ldap_realm_property=<LdapRegistryRealm>
    where <LdapRegistryRealm> is the realm that is used by the Tivoli Integrated Portal. To find this value:
    1. Log on to the Tivoli Integrated Portal.
    2. In the Security area, click Global security.
    3. In the User account repository area, click Configure.
    4. The LDAP realm value is displayed in the Realm name field. You specify this same value in the ldapRegistryHelper.properties file.
  3. To add the updated realm to the LDAP configuration for IBM Operations Analytics - Log Analysis and to enable LDAP authentication, run the ldapRegistryHelper.sh script. For more information, see ldapRegistryHelper.sh command.
  4. Configure LTPA on the Liberty Profile for the WebSphere® Application Server:
    1. Copy the LTPA keys file that you exported from the Tivoli Integrated Portal server in step 1 to the <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity/resources/security directory on the IBM Operations Analytics - Log Analysis server. The folder contains a default keys file. Do not change this file. Use a different name for your own key file.
    2. Go to the <HOME>/IBM/LogAnalysis/wlp/usr/servers/Unity directory.
    3. To add the SSO tag to the IBM Operations Analytics - Log Analysis server, add the following line to the server.xml file before the final server tag:
      <webAppSecurity ssoDomainNames="<SSO_domain>" />
      where <SSO_domain> is the SSO domain, for example example.com. This value must match the SSO domain that is used by the Tivoli Integrated Portal server. Specify the same value as the one that is entered in the Domain name field on the Tivoli Integrated Portal UI.
    4. To add the LTPA tag to the IBM Operations Analytics - Log Analysis server, add the following line to the server.xml file before the final server tag:
      <ltpa keysFileName="${server.output.dir}/resources/security/<ltpa_key_file>" 
      keysPassword="<keysPassword>" expiration="120" />
      where:
      • <ltpa_key_file> is the LTPA key file, for example example_ltpa.keys.
      • <keysPassword> is the LTPA password that you entered in step 1 when you created the LTPA key file on the Tivoli Integrated Portal server.

      (Optional) You can use the unity_securityUtility command that is in the <HOME>/IBM/LogAnalysis/wlp/bin/ directory to generate an encrypted password. After you generate the encrypted password, enter it as the value for the keysPassword parameter.

  5. Restart the IBM Operations Analytics - Log Analysis server and verify that the SSO connection between the two servers is working.

Results

To verify that the SSO connection is correctly set up, log in to the Tivoli Integrated Portal server. Open a new tab page in the browser and log in to IBM Operations Analytics - Log Analysis. If you are not prompted for the user name and password, the SSO connection is set up correctly. If you are prompted for the login details, the SSO connection is not configured correctly.
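If you are still prompted for login details, the usual cause is a value that does not match between the two servers: the SSO domain, the LDAP realm, or the LTPA key file and its password. The following Python check is an added example, not IBM code. The server.xml and properties text are constructed samples, and the default keys file name ltpa.keys and the {xor}/{aes} encoded-value prefixes are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs; every value here is a placeholder.
SERVER_XML = """<server>
  <webAppSecurity ssoDomainNames="example.com" />
  <ltpa keysFileName="${server.output.dir}/resources/security/example_ltpa.keys"
        keysPassword="Passw0rd" expiration="120" />
</server>"""
LDAP_PROPS = "# constructed sample\nldap_realm_property=TIPRealm\n"

DEFAULT_KEYS = "ltpa.keys"             # assumption: name of the default keys file
ENCODED_PREFIXES = ("{xor}", "{aes}")  # assumption: prefixes of encoded values


def read_props(text):
    """Parse key=value lines, skipping blanks and # comments."""
    pairs = (line.split("=", 1) for line in text.splitlines()
             if "=" in line and not line.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}


def check_sso(server_xml, ldap_props, tip_domain, tip_realm):
    """Return a list of findings; an empty list means the settings line up."""
    findings = []
    root = ET.fromstring(server_xml)
    sso = root.find("webAppSecurity")
    raw = sso.get("ssoDomainNames", "") if sso is not None else ""
    # Liberty accepts a |-separated list of SSO domains.
    domains = [d.strip().lower() for d in raw.split("|") if d.strip()]
    if tip_domain.lower() not in domains:
        findings.append(f"ssoDomainNames {raw!r} does not include {tip_domain!r}")
    ltpa = root.find("ltpa")
    if ltpa is None:
        findings.append("no <ltpa> element in server.xml")
    else:
        keys_file = ltpa.get("keysFileName", "").rsplit("/", 1)[-1]
        if keys_file in ("", DEFAULT_KEYS):
            findings.append("keysFileName is missing or is the default keys file")
        if not ltpa.get("keysPassword", "").startswith(ENCODED_PREFIXES):
            findings.append("keysPassword is stored in clear text")
    realm = read_props(ldap_props).get("ldap_realm_property", "")
    if realm != tip_realm:
        findings.append(f"ldap_realm_property {realm!r} != TIP realm {tip_realm!r}")
    return findings


if __name__ == "__main__":
    for finding in check_sso(SERVER_XML, LDAP_PROPS, "example.com", "TIPRealm"):
        print("FINDING:", finding)
```

Pass the domain and realm exactly as they are displayed in the Tivoli Integrated Portal Domain name and Realm name fields.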


