Implementing Single Sign-On (SSO) for APM UI

Contents
1. Introduction
2. Overview of SSO with LTPA
3. Installing and configuring TDS
   3.1. Installing TDS 6.3
   3.2. Changing the administrator password (Optional)
   3.3. Adding the TDS server
   3.4. Managing TDS services
   3.5. Creating an LDAP user for SSO
4. Configuring Tivoli Enterprise Portal Server
   4.1. Enabling TEPS/e administrative console
   4.2. Configuring a federated repository and enabling SSO
   4.3. Exporting LTPA keys
   4.4. Adding the LDAP user to Tivoli Enterprise Portal Server
5. Configuring TIP for SSO
   5.1. Configuring a federated repository and enabling SSO
   5.2. Importing keys
6. Conclusion
7. Reference
1. Introduction

The IBM SmartCloud Application Performance Management User Interface (APM UI) is an application deployed on IBM Tivoli Integrated Portal (TIP). It provides customizable dashboards for SmartCloud Application Performance Management, IBM Tivoli Monitoring, and IBM Tivoli Composite Application Manager products. Users generally need to drill down from APM UI to the Tivoli Enterprise Portal Server (portal server) for the detailed monitoring information used in analysis and diagnosis. Without single sign-on, a user who opens the Tivoli Enterprise Portal from APM UI must enter the user name and password a second time, which is inconvenient.

To resolve this, you can configure single sign-on (SSO) between APM UI and the portal server, which are both built on embedded WebSphere Application Server (ewas) instances. All the ewas instances must point to the same central user registry, such as an LDAP server. With SSO enabled, TIP users authenticate only once to access the applications on both TIP and the portal server, even though they run on different ewas servers.

This article describes the procedure for configuring SSO between TIP and the portal server by using Lightweight Third-Party Authentication (LTPA). The described environment has the following products installed:

- IBM Tivoli Integrated Portal Version 2.2.0.7
- IBM Tivoli Monitoring Version 6.2.3 Fix Pack 1
- IBM Tivoli Directory Server Version 6.3
2. Overview of SSO with LTPA

SSO between ewas servers is supported only when LTPA is used as the authentication mechanism. When SSO is enabled, a cookie that contains the LTPA token is created and inserted into the HTTP response. When the user then accesses another web resource (in this article, a portlet) in any other ewas server process within the same DNS domain, the browser sends the cookie with the request; the receiving server extracts the LTPA token from the cookie and validates it. If the request crosses cells of embedded WebSphere Application Servers, the cells must share both the LTPA keys and the user registry for SSO to work. The realm names on each system in the SSO domain are case sensitive and must match exactly.

LTPA is an implementation of SSO authentication technology used by IBM WebSphere Application Server and WebSphere Application Server Express. When a user successfully logs in to an application server that is configured for LTPA, a session cookie containing the LTPA token is written to the browser. When the user subsequently accesses another server with the same SSO configuration, the user is authenticated automatically and is not prompted for a user name and password.

LTPA provides the following capabilities:

- Forwardable credentials and single sign-on.
- Cryptographic keys to encrypt, digitally sign, and securely transmit authentication-related data between servers. The same key is used to decrypt the data after it is received.

The LTPA single sign-on configuration items are:

Realm Name: Alias for the user registry that is used.
Federated Repository: LDAP or custom user repository.
SSO Domain Name: The domain or site value for the LTPA cookie. All cookies have a restriction that the value must contain at least two dots. For example, a value of .ibm.com allows the cookie to pass between servers whose URL contains .ibm.com, such as machinea.tivlab.austin.ibm.com and machineb.raleigh.rtp.ibm.com.
LTPA Key: The LTPA key that is exported from one server in the SSO configuration and imported into all the other servers participating in SSO.

Tivoli Directory Server (TDS) is one type of LDAP server. In this article, TDS 6.3 is used. Other LDAP servers can also be used, and this article can serve as a reference for their configuration. The following sections describe how to set up TDS 6.3 as the LDAP server.
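The cross-cell constraints listed above (an exactly matching realm name, an SSO domain with at least two dots, and a cookie domain that actually covers both server hosts) can be checked before either console is touched. The following Python script is an added example written for this article; it is not code from the article or from any IBM product. The EwasCell structure, the function names, and the sample host names and realm value are assumptions of the example.

```python
"""Pre-flight checks for LTPA single sign-on between two ewas cells.

Added example, not part of the original article or of any IBM product.
It encodes the constraints the article states for SSO across cells: the
realm name is case sensitive and must match exactly, the SSO domain name
must contain at least two dots, and the LTPA cookie only reaches hosts
whose name falls under that domain. The host names and realm values in
the sample at the bottom are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class EwasCell:
    name: str        # label used in findings, for example "TEPS" or "TIP"
    hostname: str    # fully qualified host name users type into the browser
    realm: str       # realm name under Security -> Global security
    sso_domain: str  # "Domain name" field under Single sign-on (SSO)


def domain_has_two_dots(domain: str) -> bool:
    """The SSO domain value must contain at least two dots (e.g. .ibm.com)."""
    return domain.count(".") >= 2


def host_in_cookie_domain(hostname: str, domain: str) -> bool:
    """Cookie domain matching as browsers apply it: the host must equal the
    domain or end with it at a label boundary, so 'tip01.cn.ibm.com' matches
    'cn.ibm.com' but 'tip01.xcn.ibm.com' does not."""
    host = hostname.lower().rstrip(".")
    dom = domain.lower().strip(".")
    return host == dom or host.endswith("." + dom)


def check_sso_pair(a: EwasCell, b: EwasCell) -> List[str]:
    """Return the list of findings for a pair of cells; empty means OK."""
    findings = []
    # Exact, case-sensitive comparison on purpose: 'Realm' != 'realm'.
    if a.realm != b.realm:
        findings.append(
            f"realm mismatch: {a.name}={a.realm!r}, {b.name}={b.realm!r}")
    if a.sso_domain != b.sso_domain:
        findings.append(
            f"SSO domain mismatch: {a.name}={a.sso_domain!r}, "
            f"{b.name}={b.sso_domain!r}")
    for cell in (a, b):
        if not domain_has_two_dots(cell.sso_domain):
            findings.append(
                f"{cell.name}: SSO domain {cell.sso_domain!r} needs two dots")
        # The cookie issued by either cell must be sent to both hosts,
        # otherwise the second server never sees the LTPA token.
        for target in (a, b):
            if not host_in_cookie_domain(target.hostname, cell.sso_domain):
                findings.append(
                    f"cookie from {cell.name} (domain {cell.sso_domain!r}) "
                    f"will not be sent to {target.name} host {target.hostname}")
    return findings


if __name__ == "__main__":
    # Constructed sample: both cells under cn.ibm.com, as in the article.
    teps = EwasCell("TEPS", "teps01.cn.ibm.com",
                    "defaultWIMFileBasedRealm", "cn.ibm.com")
    tip = EwasCell("TIP", "tip01.cn.ibm.com",
                   "defaultWIMFileBasedRealm", "cn.ibm.com")
    for line in check_sso_pair(teps, tip) or ["SSO preconditions satisfied"]:
        print(line)
```

Run it with the values you intend to type into the two consoles; a host name in a different subdomain, or a realm that differs only in case, is reported before the user ends up at a second login prompt.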
3. Installing and configuring TDS

The following LDAP settings are used in the example in this article:

LDAP Host name: MyLDAPSrv.cn.ibm.com
LDAP Port: 389
LDAP Type: IBM Tivoli Directory Server
LDAP Bind ID: cn=root
LDAP Bind Password: password

3.1. Installing TDS 6.3

To install TDS 6.3, complete the following steps:
1. Log on to the system as an administrator.
2. Start the installation program by double-clicking the installation file (tdsv6.3\tds\install_tds.exe).
3. Select the language that you want to use during the installation and click OK.
4. On the Welcome window, click Next.
5. Accept the software license agreement to proceed and click Next.
6. Any supported versions of previously installed components and their corresponding version levels are displayed. Click Next.
7. Specify the installation directory or accept the default (C:\Program Files\IBM\LDAP\V6.3), and click Next.
8. Select Typical and click Next.
9. If a supported version of DB2 is not installed, DB2 is installed. A window is displayed for specifying a user ID and password for the DB2 system ID.
10. A window summarizing the components to be installed and configured is displayed. To start the installation, click Install.
11. Create the default directory server instance, which is named dsrdbm01. A window is displayed requesting passwords and an encryption seed. Specify the passwords and the encryption seed. You will need this password to log on to the TEPS/e administrative console later, in Section 4.
12. When the installation is complete, the default directory server instance has been created. Click Finish.

The TDS server instance named dsrdbm01 is now installed.
3.2. Changing the administrator password (Optional)

To change the administrator password, complete the following steps:
1. Launch the Web Administration Tool. On a Windows system, the application is started automatically after installation; you can also start it from the Start menu or open it at the following address: http://localhost:12100/idswebapp/
2. Log in as the console administrator (superadmin).
3. In the navigator tree, click Change console administrator password.
4. Provide the required confidential information and click OK.

3.3. Adding the TDS server

To add the TDS server, complete the following steps:
1. Launch the Web Administration Tool.
2. In the navigation area, expand the Console administration item.
3. Click Manage console servers. A table listing the server host names and port numbers is displayed.
4. Click Add.
5. Specify the server name, host name, and the port number of the server to be added.
6. Select the Admin daemon supported check box to enable the administration port control.
7. Specify the port numbers or accept the defaults.
8. Click OK to apply the changes.

3.4. Managing TDS services

To manage the TDS services, complete the following steps:
1. Launch the Instance Administration Tool.
2. Make sure that the directory server instance is stopped.
3. Select the server instance and click Manage.
4. From the task list on the left, click Manage suffixes.
5. In the Manage suffixes window, type the suffix that you want to add in the Suffix DN field (dc=ibm,dc=com), click Add, and then click OK.
6. Open the TDS web configuration tool. Go to the following address and provide the required authentication information: http://localhost:12100/idswebapp/idsjsp/login.jsp
7. Click Directory Management -> Add an entry.
8. Select domain from the Structural object classes list, and click Next.
9. For Auxiliary object classes, use the default setting, and click Next.
10. Specify the relative distinguished name and the required attributes as follows, and click Next.
   Relative DN: dc=ibm,dc=com
   Parent DN: leave blank
   dc: ibm
11. Keep the optional attributes at their defaults, and click Finish.
A confirmation that the entry was added successfully is displayed.

3.5. Creating an LDAP user for SSO

To create the group and the user that will be used for SSO, complete the following steps:
1. Launch the TDS Web configuration tool.
2. Click Directory management -> Manage entries, and add a new entry.
3. Select groupofnames from the Structural object classes list.
4. For Auxiliary object classes, use the default setting, and click Next.
5. Specify the required attributes as follows and click Next. Here user_name is the user ID that will be used for SSO.
   Relative DN: cn=users
   Parent DN: dc=ibm,dc=com
   cn: users
   member: uid=user_name,cn=users,dc=ibm,dc=com
6. Keep the default settings for the optional attributes, and click Finish.
7. In the Manage entries area, select the dc=ibm,dc=com entry that you added, and click Expand.
8. Select the cn=users entry, and click Add to add a new entry.
9. Select inetorgperson from the Structural object classes list and click Next.
10. For Auxiliary object classes, use the default setting, and click Next.
11. Specify the required attributes as follows and click Next.
   Relative DN: uid=user_name
   cn: user_name
   sn: user_name
12. For the optional attributes, set uid to user_name and set the user password that will be used for SSO. You need to remember this password; the users do not need to know it. Click Finish.
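The entries created by hand in sections 3.4 and 3.5 can also be expressed as LDIF, which makes them reviewable and lets you check that the member DN typed into the cn=users group really matches the user entry created afterwards. The following Python script is an added example written for this article, not code from the article or from Tivoli Directory Server; the suffix, object classes and attribute names follow the article, while the minimal LDIF reader, the dangling-member check and the sample user ID and password are assumptions of the example.

```python
"""Builds the LDAP entries from sections 3.4 and 3.5 as LDIF and checks that
every member of the cn=users group points at a user entry that exists.

Added example, not part of the original article or of Tivoli Directory
Server. The suffix, object classes and attribute names mirror the article;
the minimal LDIF reader, the dangling-member check and the sample user IDs
and password are constructed for illustration. A member DN that matches no
user entry is a typical reason an SSO user never resolves.
"""
from typing import Dict, Iterable, List

SUFFIX = "dc=ibm,dc=com"
GROUP_RDN = "cn=users"


def user_dn(uid: str) -> str:
    """The article places user entries under the cn=users group entry."""
    return f"uid={uid},{GROUP_RDN},{SUFFIX}"


def domain_entry() -> str:
    # Section 3.4: suffix entry of structural class 'domain'.
    return "\n".join([f"dn: {SUFFIX}", "objectClass: top",
                      "objectClass: domain", "dc: ibm"])


def group_entry(member_dns: Iterable[str]) -> str:
    # Section 3.5, steps 3-6: groupOfNames requires at least one member.
    lines = [f"dn: {GROUP_RDN},{SUFFIX}", "objectClass: top",
             "objectClass: groupOfNames", "cn: users"]
    lines += [f"member: {dn}" for dn in member_dns]
    return "\n".join(lines)


def user_entry(uid: str, password: str) -> str:
    # Section 3.5, steps 9-12: inetOrgPerson with uid, cn, sn and password.
    return "\n".join([f"dn: {user_dn(uid)}", "objectClass: top",
                      "objectClass: person",
                      "objectClass: organizationalPerson",
                      "objectClass: inetOrgPerson", f"uid: {uid}",
                      f"cn: {uid}", f"sn: {uid}", f"userPassword: {password}"])


def build_ldif(users: Dict[str, str], extra_members: Iterable[str] = ()) -> str:
    """users maps uid -> password; extra_members lets you reproduce a
    hand-typed member DN that does not correspond to any user."""
    members = [user_dn(u) for u in users] + list(extra_members)
    parts = [domain_entry(), group_entry(members)]
    parts += [user_entry(u, p) for u, p in users.items()]
    return "\n\n".join(parts) + "\n"


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, one
    'attribute: value' per line (no base64 or continuation lines)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn: str) -> str:
    """Compare DNs case-insensitively and ignoring spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dangling_members(ldif_text: str) -> List[str]:
    """Return every groupOfNames member DN with no matching entry DN."""
    entries = parse_ldif(ldif_text)
    known = {normalize_dn(e["dn"][0]) for e in entries if "dn" in e}
    missing = []
    for e in entries:
        if "groupOfNames" in e.get("objectClass", []):
            for member in e.get("member", []):
                if normalize_dn(member) not in known:
                    missing.append(member)
    return missing


if __name__ == "__main__":
    # Constructed sample: one SSO user plus a mistyped member DN.
    ldif = build_ldif({"user_name": "CONSTRUCTED-PASSWORD"},
                      extra_members=["uid=user_rname,cn=users,dc=ibm,dc=com"])
    print(ldif)
    print("dangling members:", dangling_members(ldif))
```

The generated LDIF can be loaded with the directory server's own LDIF import instead of the web tool; running dangling_members over it first catches the case where the group was saved with a member DN that no inetOrgPerson entry ever matches.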
4. Configuring Tivoli Enterprise Portal Server

To enable SSO, you need to configure the ewas embedded in the portal server. After that, add the SSO user with Tivoli Enterprise Portal user administration.

4.1. Enabling TEPS/e administrative console

To configure ewas, you must access the Tivoli Enterprise Portal Server extension server (TEPS/e) administrative console. It is disabled by default. To enable the administrative console, perform the following procedure:
1. Start the Manage Tivoli Enterprise Monitoring Services utility by running the ./itmcmd manage command from the IBM Tivoli Monitoring installation directory.
2. If the portal server is not started, start it.
3. Right-click Tivoli Enterprise Portal Server and click TEPS/e Administration -> Enable TEPS/e Administration.
4. If this is the first time that you enable the TEPS/e console, right-click Tivoli Enterprise Portal Server and click TEPS/e Administration -> Update TEPS Extension Password.
4.2. Configuring a federated repository and enabling SSO

1. Go to http://<TEPS hostname or IP>:15205/ibm/console and log on to the TEPS/e administrative console as wasadmin. The password is the one you specified in Section 3.1, Installing TDS 6.3.
2. In the navigation tree, click Security -> Global security.
3. From the Available realm definitions list, select Federated repositories, and click Set as current to make federated repositories the current realm definition.
4. Click Configure.
5. Click Add Base entry to Realm.
6. Click Add Repository.
7. Complete the following properties:
   Repository identifier: SSOLDAP
   Directory type: the version of IBM Tivoli Directory Server that you are using (IBM Tivoli Directory Server in this example)
   Primary host name: the host name of the IBM Tivoli Directory Server
   Bind distinguished name: the administrator DN that you specified when you configured the LDAP server (see the LDAP settings in Section 3)
   Bind password: the password for the administrator DN
8. Click Apply and, when prompted, click Save.
9. Complete the general properties.
10. Click Apply and, when prompted, click Save.
11. Return to the Global security page. In the Authentication area, expand Web security and click Single sign-on (SSO).
12. Make sure that the Enabled check box is selected. Enter cn.ibm.com in the Domain name field.
13. Click Apply and, when prompted, click Save.
14. Restart the Tivoli Enterprise Portal Server.

4.3. Exporting LTPA keys

To support SSO in ewas across multiple WebSphere Application Server domains or cells, you must share the LTPA keys and the password that protects them among the domains. The key file is exported from the portal server ewas with the administrative console so that it can be imported into the other cells. To export the LTPA keys from the portal server ewas, perform the following procedure:
1. Log on to the TEPS/e administrative console as wasadmin.
2. In the navigation tree, click Security -> Global security.
3. In the Authentication area, select LTPA.
4. In the Cross-cell single sign-on section, provide a password and the path to the key file, and then click Export Keys. The password is used to encrypt the exported LTPA keys. Remember it; you need it again when the keys are imported into TIP.
4.4. Adding the LDAP user to Tivoli Enterprise Portal Server

1. Log on to Tivoli Enterprise Portal and click Edit -> Administer Users.
2. Click Create New User.
3. In the Create New User window, provide the user information and click OK. To search for a user, enter a keyword in the Distinguished Name field and click Find.
5. Configuring TIP for SSO

5.1. Configuring a federated repository and enabling SSO

This procedure is the same as in Section 4.2, except that here you use the WebSphere administrative console instead of the TEPS/e administrative console. To launch the WebSphere administrative console and complete the configuration, follow these steps:
1. Go to http://<TIP hostname or IP>:16310/ibm/console and log on to the TIP console as tipadmin.
2. In the navigation tree, expand Settings and click WebSphere Administrative Console.
3. Click Launch WebSphere administrative console.
4. In the WebSphere administrative console, repeat steps 2 to 10 of Section 4.2 exactly as you did in the TEPS/e administrative console.
5. Restart the TIP server.
5.2. Importing keys

After you export the LTPA keys from one cell, you must import them into the other cell. To import the keys, you must know the password for the exported key file, because it protects access to the LTPA keys. Verify that the key file was exported from one of the cells before you continue.

Note: Before you import the LTPA keys, restart the TIP servers to make sure that all configuration changes have taken effect.

To import the LTPA keys into the TIP ewas, perform the following procedure:
1. Go to http://<TIP hostname or IP>:16310/ibm/console and log on to the TIP console as tipadmin.
2. Launch the WebSphere administrative console: expand Settings in the navigation tree, click WebSphere Administrative Console, and then click Launch WebSphere administrative console.
3. In the navigation tree, click Security -> Global security.
4. In the Authentication area, select LTPA.
5. Copy the key file from the portal server to a local temporary path.
6. In the Cross-cell single sign-on section, provide the password and the path to the copied key file, and then click Import Keys.

6. Conclusion

After completing the procedures in Sections 3 to 5, restart both ewas servers. You can test the SSO feature by logging on to TIP with a user account that was created in the LDAP directory and registered in both the portal server and TIP. If the SSO configuration is correct, you are not prompted for the user name and password when you access the portal server from APM UI.

7. Reference

Tivoli Directory Server Information Center: http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.ibmds.doc/install.htm
IBM Tivoli Monitoring 6.2.3 FP1 Information Center: http://pic.dhe.ibm.com/infocenter/tivihelp/v15r1/index.jsp?topic=%2Fcom.ibm.itm.doc_6.2.3fp1%2Fwelcome.htm
IBM Tivoli Monitoring LDAP SSO: http://pic.dhe.ibm.com/infocenter/tivihelp/v30r1/index.jsp?topic=%2Fcom.ibm.itm.doc_6.2.2fp2%2Fitm_install08.htm
Tivoli Integrated Portal SSO: http://publib.boulder.ibm.com/infocenter/tivihelp/v24r1/index.jsp?topic=%2Fcom.ibm.itcamfad.doc_7101%2FMS_install_guide%2FConfiguringLDAPUsingIBMTivoliDirectoryServer.html
TBSM SSO configuration: http://www.ibm.com/developerworks/wikis/download/attachments/143984644/quick+configuration+guide+for+sso.pdf?version=3