Setting up single sign-on with LTPA between two servers

You can set up a single sign-on environment between two computers that run IBM® WebSphere® Application Server. Then, users can log on to an application on WebSphere Application Server on one computer and access an application on WebSphere Application Server on a second computer without logging on to the second computer.

Before you begin

Procedure

  1. On the first computer, log on to the WebSphere administrative console by entering this URL in a web browser: http://fully_qualified_host_name:port_number/ibm/console
  2. Enable single sign-on and add the domain name:
    1. Select Security > Secure Administration, applications and infrastructure > Web Security-Single Sign-on (SSO).
    2. Make sure that the Enabled, Interoperability Mode, and Web inbound security attribute propagation check boxes are selected.
    3. Enter a domain name.
    4. Click Apply.
  3. Change the web authentication setting for unsecure pages to receive authentication data:
    1. Select Security > Secure Administration, applications and infrastructure > Web Security > General settings.
    2. Select the Use available authentication data when an unprotected URI is accessed check box.
    3. Click Apply.
  4. Enable single sign-on by having both WebSphere Application Server servers exchange their Lightweight Third Party Authentication (LTPA) keys:
    1. Select Security > Secure Administration, applications and infrastructure > Authentication Mechanisms and expiration > Cross-cell single sign-on.
    2. Enter your password and the name of the file to export the keys, and then click Export keys.
  5. Import the keys to the second computer:
    1. Copy the key file to the second computer.
    2. On the second computer, log on to the WebSphere administrative console.
    3. Select Security > Secure Administration, applications and infrastructure > Authentication Mechanisms and expiration > Cross-cell single sign-on.
    4. Use the password that you entered on the first computer, and enter the name of the file that you copied to the second computer. Click Import keys.
    5. Save the configuration.
  6. On the second computer, repeat steps 1 - 5 to change the single sign-on and web security preferences, export the keys from the second computer, and import the keys to the first computer.
  7. Save the configuration on both servers and restart them.
  8. On the first computer, enter this URL in a web browser: http://computer1.example.com:9080/ram
    Important: Do not use localhost, a short host name, or the IP address in place of the host name. Single sign-on requires that the browser pass LTPA cookies to WebSphere Application Server, and these cookies contain the fully qualified host name.
  9. Log on to Rational Asset Manager web client.
  10. In the same browser session, enter the URL to the web client on the second computer: http://computer2.example.com:9080/ram
  11. If single sign-on is configured correctly, you do not need to log on to the second computer. Instead, the user name is displayed on the home page.
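The console clicks in steps 2, 4 and 5 can also be scripted with wsadmin. The following Jython script is an added example and is not part of the Rational Asset Manager documentation or of WebSphere itself; it assumes that the AdminTask commands configureSingleSignon, exportLTPAKeys and importLTPAKeys exist with the parameters shown (confirm with AdminTask.help('exportLTPAKeys') and so on for your WebSphere version), and KEY_FILE, SSO_DOMAIN and KEY_PASSWORD are placeholders to replace. Step 3 (the unprotected-URI setting) is still done in the console.

```jython
# Added example (not from the product documentation): scripts steps 2, 4 and 5
# of the procedure on one cell.  Run it on each computer with
#   wsadmin -lang jython -f ltpa_sso.py
# Assumptions: the three AdminTask commands below exist with these parameter
# names in your WebSphere version (check AdminTask.help('<command>')); the
# constants are placeholders.

ACTION = 'export'                 # 'export' on the sending computer, 'import' on the receiving one
SSO_DOMAIN = 'example.com'        # placeholder: the domain entered in step 2c
KEY_FILE = 'file:/tmp/ltpa.key'   # placeholder: use a protected location
KEY_PASSWORD = 'replace-me'       # placeholder: must be the same on both computers (step 5d)

def configure_sso(domain):
    # Step 2: enable single sign-on, interoperability mode and web inbound
    # attribute propagation, and set the SSO domain name
    AdminTask.configureSingleSignon(
        '[-enable true -domainName %s -interoperable true -attributePropagation true]' % domain)

def export_keys(path, password):
    # Step 4: write this cell's LTPA keys, encrypted with the password, to the key file
    AdminTask.exportLTPAKeys('[-ltpaKeyFile %s -password %s]' % (path, password))

def import_keys(path, password):
    # Step 5: load the other cell's keys so that both cells sign and verify
    # LTPA tokens with the same key material
    AdminTask.importLTPAKeys('[-ltpaKeyFile %s -password %s]' % (path, password))

configure_sso(SSO_DOMAIN)
if ACTION == 'export':
    export_keys(KEY_FILE, KEY_PASSWORD)
else:
    import_keys(KEY_FILE, KEY_PASSWORD)

# Step 5e and step 7: persist the configuration; restart the server afterwards
AdminConfig.save()
```

Treat the exported key file as a credential: whoever holds it can mint LTPA tokens that both cells accept, so copy it between the computers over a protected channel, restrict its file permissions, and delete it after the import on each side. Keep the password out of version control and run the script with ACTION set to 'import' on the second computer with the copied file, then repeat in the other direction as step 6 describes.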

Adding IP addresses to host files

If the two computers have dynamic IP addresses, you might need to add entries to the hosts file of each computer. Whenever the IP address of either computer changes, you must update both hosts files and restart the servers.

  1. On the first computer, open C:\WINDOWS\system32\drivers\etc\hosts.
  2. On a new line, enter the IP address of the first computer, such as:
    127.0.0.1 computer1.example.com
  3. On a new line, enter the IP address of the second computer, such as:
    IP address of second computer computer2.example.com
  4. Save the file.
  5. On the second computer, open C:\WINDOWS\system32\drivers\etc\hosts.
  6. On a new line, enter this text:
    127.0.0.1 computer2.example.com
  7. On another new line, enter this text:
    IP address of first computer computer1.example.com
  8. Save the file.
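The following Python script is an added example, not part of the Rational Asset Manager documentation, that checks the prerequisites for the single sign-on test in steps 8 to 11 and for the hosts file entries above: both web client URLs use fully qualified host names (the Important note), those names appear in the hosts file, and the LTPA cookie returned after logon carries the SSO domain from step 2, so the browser will present it to the second computer. The hosts file text and the Set-Cookie headers are constructed samples; LtpaToken2 and LtpaToken are the cookie names WebSphere uses for LTPA tokens.

```python
"""Pre-flight checks for LTPA single sign-on between two computers.
Added example (not from the product documentation). The sample hosts text
and Set-Cookie headers are constructed; the URLs and domain are the ones
used in the procedure above."""
import ipaddress
from urllib.parse import urlsplit

LTPA_COOKIE_NAMES = ("LtpaToken2", "LtpaToken")
SSO_DOMAIN = "example.com"                      # the domain entered in step 2
URL1 = "http://computer1.example.com:9080/ram"  # step 8
URL2 = "http://computer2.example.com:9080/ram"  # step 10

# Constructed sample of the hosts file on computer 1 (section above).
SAMPLE_HOSTS = """# hosts file, computer 1
127.0.0.1    localhost
127.0.0.1    computer1.example.com
192.0.2.20   computer2.example.com   # placeholder address of computer 2
"""

# Constructed sample of the Set-Cookie headers returned after logon (step 9).
SAMPLE_SET_COOKIE = [
    "JSESSIONID=0000Ab12Cd34:-1; Path=/; HttpOnly",
    "LtpaToken2=AbCdEf0123456789+/abc=; Path=/; Domain=.example.com; HttpOnly",
]


def host_is_fully_qualified(url):
    """True only for a dotted host name: localhost, a short name and an IP
    address all break SSO because the cookie domain will not match them."""
    host = (urlsplit(url).hostname or "").lower()
    if host == "localhost":
        return False
    try:
        ipaddress.ip_address(host)
        return False  # an IP address, not a host name
    except ValueError:
        return "." in host


def hosts_entries(text):
    """Map every host name in hosts-file text to its address; comments and
    blank lines are ignored."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            mapping[name.lower()] = fields[0]
    return mapping


def ltpa_cookie(set_cookie_headers):
    """Return (name, attributes) of the first LTPA cookie, or (None, {})."""
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].partition("=")[0].strip()
        if name in LTPA_COOKIE_NAMES:
            attrs = {}
            for attr in parts[1:]:
                key, _, value = attr.partition("=")
                attrs[key.strip().lower()] = value.strip()
            return name, attrs
    return None, {}


def run_checks(url1, url2, hosts_text, set_cookie_headers, sso_domain):
    """Return a list of problems; an empty list means the setup looks right."""
    problems = []
    domain = sso_domain.lstrip(".").lower()
    entries = hosts_entries(hosts_text)
    for url in (url1, url2):
        host = (urlsplit(url).hostname or "").lower()
        if not host_is_fully_qualified(url):
            problems.append("%s: use the fully qualified host name, not localhost, "
                            "a short name or an IP address" % url)
            continue
        if host not in entries:
            problems.append("%s: %s is not in the hosts file" % (url, host))
        if not host.endswith("." + domain):
            problems.append("%s: %s is outside the SSO domain %s, so the browser "
                            "will not send the LTPA cookie" % (url, host, domain))
    name, attrs = ltpa_cookie(set_cookie_headers)
    if name is None:
        problems.append("no LTPA cookie (%s) in the logon response" % "/".join(LTPA_COOKIE_NAMES))
    else:
        cookie_domain = attrs.get("domain", "").lstrip(".").lower()
        if cookie_domain != domain:
            problems.append("%s cookie Domain is %r, expected %s" % (name, cookie_domain, domain))
    return problems


if __name__ == "__main__":
    findings = run_checks(URL1, URL2, SAMPLE_HOSTS, SAMPLE_SET_COOKIE, SSO_DOMAIN)
    for line in findings or ["single sign-on prerequisites look correct"]:
        print(line)
```

To use it against a real setup, paste the Set-Cookie headers from the logon response (from the browser's developer tools) into SAMPLE_SET_COOKIE and read the hosts file from disk; an empty result means the URLs, hosts entries and cookie domain are consistent, and each reported problem names the step to revisit.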
