Deploying Apache Tomcat or WebSphere Application Server by using single sign-on authentication

Learn how to deploy applications to use single sign-on (SSO) on Apache Tomcat and IBM® WebSphere® Application Server.
Note: If Jazz Security Architecture SSO authentication is enabled, this content does not apply.

Deploying SSO on Tomcat

Apache Tomcat supports SSO only among the web applications that are deployed on a single server (more precisely, on a single Tomcat virtual host, because the SingleSignOn valve is configured per <Host>). If you are using WebSphere Application Server, you can use SSO across multiple servers.
Note: By default, single sign-on is enabled on Apache Tomcat servers. To disable single sign-on, comment out the <Valve className="org.apache.catalina.authenticator.SingleSignOn" /> line inside the <Host> element in the InstallDir/server/tomcat/conf/server.xml file.

Deploying SSO on WebSphere Application Server

For a better user experience, set up SSO on WebSphere Application Server. With SSO, users authenticate once and the resulting LTPA token is accepted by all Rational solution for Collaborative Lifecycle Management (CLM) applications that are installed on different servers within the same DNS domain. By default, WebSphere Application Server uses SSO when all applications are on a single server. If you are installing the Jazz Team Server or the applications on separate servers, follow this procedure:

  1. Make sure that each instance of WebSphere Application Server is using the same user registry (ideally LDAP). The user registry settings must be identical on all servers, because every server must be able to resolve the user identity that is carried in an LTPA token issued by any other server.
  2. From the WebSphere Application Server Integrated Solutions Console, complete these steps.
    1. Open the Global Security section from the Security menu in the left sidebar.
    2. In the Authentication section, expand Web and SIP Security.
    3. Click Single sign-on.
    4. Enter the domain name. This name is the domain that contains the participating servers. All the servers must be on the same domain. (For example, the domain name for the following four servers, system1.sample.domain, system2.sample.domain, system3.sample.domain, and system4.sample.domain is sample.domain.)
    5. Select Requires SSL. With this option, the LTPA cookie is set with the Secure attribute and is only exchanged over HTTPS, so it cannot be captured from a plain HTTP request.
    6. Click OK; then, click Save.
  3. For the WebSphere Application Server on the Jazz Team Server, on the Global Security page, click LTPA.
    1. Create a password and confirm it. This password protects the exported key file; you need it again when you import the keys on the other servers.
    2. Enter a name for the LTPA keys.
    3. Click Export Keys to export the keys to the file system.
    4. Click OK; then, click Save.
  4. Move these keys to the other servers that use SSO.
    1. Find the exported key file from this server in the /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/ directory (the exact path depends on your installation root and profile name).
    2. Copy the key file to each of the other servers that you require in the SSO group. The file must be placed in the equivalent directory on each of the other servers. The file contains the keys that sign and encrypt every LTPA token in the domain, so transfer it over an authenticated channel (for example, scp) and restrict its file permissions to the WebSphere user.
  5. Set up each of the other servers to use SSO by completing the same steps, except that you must import the keys from the file that you copied in the previous step instead of exporting the keys.
    Note: To import the keys, enter the key file name in the Fully qualified key file name field, enter the password that was used when the file was exported, and click Import.
  6. Restart each WebSphere Application Server after you make all of the changes.
  7. To verify that the changes are correct, go to one of the servers by using its fully qualified host name, and authenticate. Then go to the second server, again by its fully qualified host name, to see whether you are authenticated automatically without a login prompt.
    Note: Do not use localhost, a short host name, or the IP address in place of the fully qualified host name. Single sign-on works because the browser sends the LTPA cookie back only to servers whose host name falls within the SSO domain that you configured (sample.domain in the example above). A request to localhost, a short name, or an IP address does not match that cookie domain, so the browser does not send the cookie and you are prompted to log in again.
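The following script is an added example, not part of the IBM documentation or of the CLM product, that performs the check in step 7 from the command line instead of a browser. The first function inspects a Set-Cookie header offline and confirms the three properties the procedure above depends on: the cookie is LtpaToken2, it is scoped to the SSO domain entered in step 2, and it carries the Secure flag that Requires SSL adds. The second function logs in to the first server with curl, validates the cookie it receives, and replays only that cookie jar against a protected URL on the second server. The form-login path /jts/j_security_check with the j_username and j_password fields, the /ccm/ context root, port 9443 and the sample.domain host names are assumptions used for illustration.

```sh
#!/bin/sh
# Added example (not from the IBM page or the CLM product): verifies WebSphere SSO
# between two servers with curl. Assumptions: CLM form login at /jts/j_security_check
# with j_username/j_password, hosts under sample.domain, and a server certificate
# that the local curl already trusts (no -k; an untrusted certificate is a finding).
set -eu
set -f   # cookie values are opaque strings; never let the shell glob them

# check_ltpa_cookie "<Set-Cookie header line>" "<sso domain>"
# Exit status 0 only if the line sets LtpaToken2, scoped to the SSO domain, with Secure.
check_ltpa_cookie() {
    line=${1#Set-Cookie:}
    line=${line#set-cookie:}            # curl prints lowercase header names for HTTP/2
    want_domain=$2
    name_ok=0; domain_ok=0; secure_ok=0
    old_ifs=$IFS
    IFS=';'
    for part in $line; do
        part=${part# }                  # drop the single space after each ';'
        case "$part" in
            LtpaToken2=*) name_ok=1 ;;
            [Dd]omain=*)
                d=${part#*=}
                d=${d#.}                # Domain=.sample.domain and Domain=sample.domain are equivalent
                if [ "$d" = "$want_domain" ]; then domain_ok=1; fi ;;
            [Ss]ecure) secure_ok=1 ;;
        esac
    done
    IFS=$old_ifs
    rc=0
    [ "$name_ok" -eq 1 ]   || { echo "no LtpaToken2 cookie in header" >&2; rc=1; }
    [ "$domain_ok" -eq 1 ] || { echo "cookie is not scoped to $want_domain" >&2; rc=1; }
    [ "$secure_ok" -eq 1 ] || { echo "cookie lacks the Secure flag (Requires SSL not set?)" >&2; rc=1; }
    return $rc
}

# sso_roundtrip LOGIN_URL PROTECTED_URL USER PASSWORD SSO_DOMAIN
# Authenticates once on server 1, validates the cookie it sets, then requests a
# protected page on server 2 using nothing but that cookie jar.
sso_roundtrip() {
    login_url=$1; second_url=$2; user=$3; pass=$4; domain=$5
    jar=$(mktemp); hdrs=$(mktemp)
    trap 'rm -f "$jar" "$hdrs"' EXIT

    # Sanity check of the test itself: if the second URL is served anonymously,
    # a later HTTP 200 would prove nothing about SSO.
    anon=$(curl -sS -o /dev/null -w '%{http_code}' "$second_url")
    [ "$anon" != "200" ] || { echo "$second_url is reachable without login; pick a protected URL" >&2; return 1; }

    # Form login; j_security_check answers with a redirect and the LTPA cookie in the headers.
    curl -sS -o /dev/null -D "$hdrs" -c "$jar" \
        --data-urlencode "j_username=$user" --data-urlencode "j_password=$pass" "$login_url"
    cookie_line=$(grep -i '^set-cookie:.*LtpaToken2=' "$hdrs" | head -n 1 || true)
    [ -n "$cookie_line" ] || { echo "first server set no LtpaToken2 cookie (login failed?)" >&2; return 1; }
    check_ltpa_cookie "$cookie_line" "$domain"

    # Replay the jar against server 2. 200 means its LTPA keys accepted the token;
    # a redirect to the login form or a 401 means the key import or domain is wrong.
    status=$(curl -sS -o /dev/null -b "$jar" -w '%{http_code}' "$second_url")
    if [ "$status" = "200" ]; then
        echo "SSO OK: $second_url served with the token from $login_url"
    else
        echo "SSO FAILED: $second_url answered HTTP $status" >&2
        return 1
    fi
}

# The live check runs only when the caller supplies the URLs, for example:
#   SSO_LOGIN_URL=https://system1.sample.domain:9443/jts/j_security_check \
#   SSO_SECOND_URL=https://system2.sample.domain:9443/ccm/ \
#   SSO_USER=jazz_admin SSO_PASS='...' SSO_DOMAIN=sample.domain sh sso_check.sh
if [ -n "${SSO_LOGIN_URL:-}" ]; then
    sso_roundtrip "$SSO_LOGIN_URL" "${SSO_SECOND_URL:?}" "${SSO_USER:?}" "${SSO_PASS:?}" "${SSO_DOMAIN:?}"
fi
```

Run it with the two fully qualified host names, never with localhost, a short name or an IP address: the browser behaviour the note describes applies to curl's cookie jar in the same way, because the jar honours the Domain attribute that WebSphere writes from the SSO domain setting. If the cookie check reports a missing Secure flag, revisit Requires SSL in step 2; if the second server answers with a redirect, the most common causes are a mismatched LTPA key import, a different user registry, or a host name outside the configured domain.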
