Configure IBM® Connections
portlets to use single sign-on with SPNEGO.
About this task
Single sign-on (SSO) enables users to log in to an IBM Connections application and
switch to other applications within the product without having to
authenticate again.
There are several ways to configure
SSO. This procedure describes an approach that uses the Kerberos authentication
protocol, negotiated between the browser and the server through SPNEGO. With Kerberos,
the user's web browser and the server prove their identities to each other with tickets
issued by the Active Directory domain controller, so the user's password is never sent
to IBM Connections. After users sign in to their Active Directory Windows client
systems, they are signed in to IBM Connections automatically.
Configuring IBM Connections and WebSphere® Portal to share a single Deployment manager
saves administration time by combining the administration tasks for
the two applications. Establishing a single sign-on environment benefits
users by making the transition between the two applications seamless.
Procedure
Follow these steps to configure single sign-on.
- Before you federate Portal as a managed node of the IBM Connections Deployment manager,
make sure that the realm name of the Connections Deployment manager matches the realm
name of Portal. If you must change the realm names so that they match, follow the steps
in Changing the realm name.
- Perform the following steps to collect files from the primary
node and copy them to the Deployment manager:
- From the <wp_profile_root>/ConfigEngine directory
of the primary node, run this task:
ConfigEngine.bat collect-files-for-dmgr -DWasPassword=password
This creates a compressed file that contains all the files that must be copied
to the Deployment manager. The compressed file, named filesForDmgr.zip, is placed
in the <wp_profile_root>/filesForDmgr directory.
- Stop the Deployment manager.
- Expand each of the files in the filesForDmgr.zip file
into the proper location on the Deployment manager based on the directory
names within the compressed file. The directory names in the compressed
file are based on the typical default directory names. The directory AppServer/profiles/Dmgr01 is
used to identify the Deployment manager profile root, and the AppServer directory
is used to identify the Deployment manager installation root directory.
If the Deployment manager was installed into the default directory
(AppServer) and the profile was created in the
default directory (AppServer/profiles/Dmgr01),
then the compressed file can be expanded directly into the directory
above the AppServer directory; for example /IBM/WebSphere.
- Start the Deployment manager.
- To augment a Deployment manager profile, run the following
command from the <AppServer_root>/bin directory:
manageprofiles.bat -augment -templatePath c:/IBM/WebSphere/AppServer/profileTemplates/management.portal.augment -profileName Dmgr01
- Restart the Deployment manager.
- Add the same Portal administration group as an administrators
group on the IBM Connections
Deployment manager.
- Run the following command from the <wp_profile_root>/bin directory
to federate the primary node:
addNode.bat dmgr_hostname dmgr_port -includeapps -includebuses -username was_admin_user -password was_admin_password
For example:
addNode.bat DMhost.cn.ibm.com 8879 -includeapps -includebuses -username adminuser -password adminpwd
- On the Portal server, run syncNode.bat and
then restart the Deployment manager and all node agents.
- To configure the IBM HTTP
Server with Single Sign-On, delete and re-add the webserver on the WebSphere Application Server
Integrated Solutions Console in order to re-map all applications including
Portal, and import the Portal certificate into IBM HTTP Server.
- Configure the same SPNEGO single sign-on for Portal
and Connections:
- Create a service account for the Portal host server in Active Directory (AD).
- Create the keytab file for the Portal server on AD:
ktpass -out path_to_keytab -princ SPN -mapuser account_name -mapOp set -pass account_password
Where:
- path_to_keytab is the file path where you want
to store the generated keytab file.
- SPN is the Kerberos service principal name, in the form HTTP/host_fqdn@REALM.
The realm part is case-sensitive and must be spelled exactly as in the krb5.conf
file that you create later (uppercase for an Active Directory realm).
- account_name is the service account name.
- account_password is the password that is associated
with the service account.
For example:
ktpass -princ HTTP/portal.cn.ibm.com@CN.IBM.COM -out c:\portal.keytab -mapuser portaluser -mapOp set -pass Passw0rd
- Merge the Portal keytab into the existing merged Connections
keytab by running the ktab command from the WebSphere Java bin directory
with the following switch:
ktab -m source_keytab_name destination_keytab_name
Where:
- source_keytab_name is the name of the keytab
file on the source system.
- destination_keytab_name is the name of the
keytab file on the destination system.
For example:
c:\IBM\WebSphere\AppServer\java\jre\bin>ktab.exe -m y:\SPNEGO\portal.keytab y:\SPNEGO\merged.keytab
The merged keytab contains the long-term keys of both service accounts. Restrict its
file permissions to the account that runs WebSphere and delete copies of the individual
keytabs that are no longer needed. You can list the principals in the merged file with
ktab -l -k y:\SPNEGO\merged.keytab.
- Re-create the krb5.conf file so that it references
the new merged keytab file:
$AdminTask createKrbConfigFile
{
-krbPath appserver\java\jre\lib\security\krb5.conf
-realm REALM
-kdcHost kdc_hostname
-dns dns_hostname
-keytabPath path_to_keytab
}
For example:
wsadmin.bat -user adminuser -password adminpwd
$AdminTask createKrbConfigFile {-krbPath y:\SPNEGO\krb5.conf -realm CN.IBM.COM -kdcHost AD.cn.ibm.com -dns cn.ibm.com -keytabPath y:\SPNEGO\merged.keytab}
The -realm value must match the realm in the keytab principals exactly. If you omit
-user and -password, wsadmin prompts for the credentials instead of leaving the
password in the command history.
- Enable SPNEGO single sign-on by configuring Kerberos
in the WebSphere Application
Server Integrated Solutions Console, following the steps in the Enabling
single sign-on for the Windows desktop topic.
- Synchronize the node and restart the Deployment manager
node. If you cannot manage the Portal node on the WebSphere Application Server Integrated
Solutions Console, manually synchronize the node and restart the Deployment manager
node.
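Before the merged keytab is referenced from krb5.conf and deployed, it is worth checking that it actually holds a key for both service principals, that every entry's realm is spelled exactly as the -realm value, and that no legacy enctype slipped in. The following Python script is an added example, not part of the IBM documentation and not ktab's own code: it writes and reads the MIT keytab format that ktpass and ktab produce, merges two keytabs in the manner of ktab -m (skipping entries that are already present is this example's choice, not a documented ktab rule), and validates the result. The host names, realm, kvno values and key bytes are constructed sample values.

```python
"""Build, merge and validate MIT-format keytab files (added example, not IBM code)."""
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"          # keytab file format version 2, big-endian fields
NT_PRINCIPAL = 1                    # name type ktpass assigns to service principals
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18  # RFC 3962 enctype number
ETYPE_RC4_HMAC = 23                 # legacy enctype; flagged as weak below


@dataclass(frozen=True)
class KeytabEntry:
    principal: str    # e.g. "HTTP/portal.cn.ibm.com"
    realm: str        # e.g. "CN.IBM.COM" (case-sensitive)
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0


def _counted(b: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit length prefix followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def write_keytab(entries) -> bytes:
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        comps = e.principal.split("/")
        body = struct.pack(">H", len(comps)) + _counted(e.realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", NT_PRINCIPAL, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)            # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body   # signed entry-length prefix
    return bytes(out)


def parse_keytab(data: bytes):
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative length marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c)
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:            # prefer the 32-bit kvno when present and non-zero
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps), realm, kvno, etype, key, ts))
    return entries


def merge_keytabs(dest: bytes, source: bytes) -> bytes:
    """Append source entries to dest, like 'ktab -m source dest'; duplicates are skipped."""
    merged = parse_keytab(dest)
    seen = {(e.principal, e.realm, e.kvno, e.enctype) for e in merged}
    for e in parse_keytab(source):
        ident = (e.principal, e.realm, e.kvno, e.enctype)
        if ident not in seen:
            merged.append(e)
            seen.add(ident)
    return write_keytab(merged)


def validate_keytab(entries, realm: str, required_spns):
    """Return a list of problems; an empty list means the keytab looks deployable."""
    problems = []
    present = {e.principal for e in entries}
    problems += [f"missing key for {spn}" for spn in required_spns if spn not in present]
    for e in entries:
        if e.realm != realm:          # realm names are case-sensitive
            problems.append(f"{e.principal}: realm {e.realm!r} does not match {realm!r}")
        if e.enctype == ETYPE_RC4_HMAC:
            problems.append(f"{e.principal}@{e.realm}: weak RC4-HMAC key")
    return problems


# Constructed sample keytabs standing in for connections.keytab and portal.keytab.
REALM = "CN.IBM.COM"
SPNS = ["HTTP/connections.cn.ibm.com", "HTTP/portal.cn.ibm.com"]
CONNECTIONS_KEYTAB = write_keytab(
    [KeytabEntry(SPNS[0], REALM, 2, ETYPE_AES256_CTS_HMAC_SHA1_96, b"\x11" * 32)])
PORTAL_KEYTAB = write_keytab(
    [KeytabEntry(SPNS[1], REALM, 3, ETYPE_AES256_CTS_HMAC_SHA1_96, b"\x22" * 32)])
# What a lower-case realm in the ktpass -princ argument produces:
BAD_PORTAL_KEYTAB = write_keytab(
    [KeytabEntry(SPNS[1], "cn.ibm.com", 3, ETYPE_RC4_HMAC, b"\x33" * 16)])

if __name__ == "__main__":
    merged = parse_keytab(merge_keytabs(CONNECTIONS_KEYTAB, PORTAL_KEYTAB))
    for e in merged:
        print(f"{e.principal}@{e.realm} kvno={e.kvno} etype={e.enctype}")
    print(validate_keytab(merged, REALM, SPNS) or "merged keytab OK")
    print(validate_keytab(parse_keytab(BAD_PORTAL_KEYTAB), REALM, SPNS))
```

To check a real merged.keytab, read the file bytes, pass them to parse_keytab and call validate_keytab with the -realm value you intend to give createKrbConfigFile and the list of HTTP/ SPNs you expect; any realm mismatch reported here would otherwise surface only as a failed SPNEGO negotiation at login time.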