ibm.com/redbooks Redpaper

Enabling WebSphere Application Server with Single Sign-on

Ursula Althoff, Gary Lakner

Configure EIM. Create a SSO enabled Application Server. Prepare and deploy applications.
Enabling WebSphere Application Server with Single Sign-on
October 2007
International Technical Support Organization
REDP-4192-00
© Copyright International Business Machines Corporation 2007. All rights reserved.
Note to U.S. Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

First Edition (October 2007)

This edition applies to Version 5, Release 3, Modification 0 of i5/OS and WebSphere Application Server Version 6.0.

Note: Before using this information and the product it supports, read the information in "Notices" on page vii.
Contents

Notices  vii
Trademarks  viii
Preface  ix
The team that wrote this Redpaper  ix
Become a published author  x
Comments welcome  xi

Chapter 1. Introduction  1
1.1 SSO with password elimination  5
1.2 Lightweight Directory Access Protocol  6
1.3 Enterprise Identity Mapping  7
1.4 LTPA mechanism  8
1.5 Identity tokens  9
1.6 Identity Token Resource Adapter  13
1.7 Issues to consider  17
1.7.1 Key timeouts  17
1.7.2 Toolbox connection  18
1.8 Enabling SSO benefits  19
1.9 Introduction of EIM components  19
1.9.1 EIM domain controller  19
1.9.2 EIM domain  21
1.10 Planning work sheets  24

Chapter 2. Enterprise Identity Mapping Configuration  29
2.1 Use the EIM Configuration wizard  31
2.2 Post configuration tasks  43

Chapter 3. Configuring LDAP  45
3.1 Directory Server Web Administration tool  47
3.2 Create the directory database  51
3.3 Templates and realms  53
3.3.1 Create a user template  53
3.3.2 Create a realm  57
3.3.3 Access control lists  58
3.4 Publish SDD date to the directory database  60
3.4.1 Setting up SDD publishing  63
3.5 Create a user for the WebSphere Administrator  65
3.6 Test the directory database  68
3.6.1 Optionally test the connection to the EIM Domain Controller  70

Chapter 4. EIM definitions for SSO with WebSphere  71
4.1 Create an EIM registry definition for WebSphere  72
4.2 Create an EIM identifier  74
4.3 Create associations  75
4.4 Test EIM mappings  80

Chapter 5. Create a new WebSphere Application Server profile provided for SSO  83
5.1 Create a new WebSphere Application Server  84
5.2 Components needed for SSO  95
5.2.1 Start the WebSphere administrator console  95
5.2.2 J2C Authentication Data Entries  97
5.2.3 Identity Token Resource Adapter  98
5.2.4 Connection factories  102
5.2.5 Reinstall resource adapter  108
5.2.6 Trace capabilities of the Identity Token Connection Factory  114

Chapter 6. Enabling your WebSphere Application Server to use single sign-on  117
6.1 Defining the LDAP settings for your WebSphere Application Server  118
6.2 Define the LTPA properties  124
6.2.1 LTPA keys  126
6.2.2 Exporting LTPA keys  128
6.2.3 Importing LTPA keys  129
6.3 Enable Global Security for your WebSphere Application Server  130
6.4 Configure a shared library for the jt400.jar file  133
6.4.1 Create an application class loader  135
6.4.2 Configuring an additional connection factory  138

Chapter 7.