IBM Tivoli Composite Application Manager for Application Diagnostics, Version 7.1.0.1

Configure Tivoli Enterprise Portal Server for single sign on


Overview

To enable single sign-on, configure the embedded WebSphere Application Server (eWAS) of the Tivoli Enterprise Portal Server (TEPS). Then, using Tivoli Enterprise Portal user administration, add every user who needs single sign-on access.


Enable TEPS/e administrative console

To configure eWAS, you need to access the Tivoli Enterprise Portal Server extension server (TEPS/e) administrative console. It is disabled by default.

To enable the administrative console...

  1. If TEPS is not started, start it.

  2. Start the Manage Tivoli Monitoring Services utility.

  3. Highlight the Tivoli Enterprise Portal Server and select...

      Actions | Advanced | TEPS/e Administration | Enable TEPS/e Administration

  4. If this is the first time you are enabling the TEPS/e console, set the administrative password. Highlight the Tivoli Enterprise Portal Server and select...

      Actions | Advanced | TEPS/e Administration | TEPS/e Administration Password

To access the TEPS/e administrative console, from a browser...

Log on with the wasadmin user ID and the administrative password that you set in step 4.


Configure a Federated Repository and enable single sign-on

WAS version 6.1 and subsequent versions provide the option of a federated user repository. With this feature, entries from multiple individual user repositories are mapped into a single virtual repository. The federated repository consists of a single named realm, which is a set of independent user repositories. Each repository may be an entire external repository or, in the case of LDAP, a subtree within that repository. The root of each individual repository is mapped to a base entry within the federated repository, which is a starting point within the hierarchical namespace of the virtual realm.

To enable single sign on, configure a federated repository, then enable single sign on in the application server. Perform the following procedure:

  1. Log on to the TEPS/e administrative console.

  2. In the navigation tree, select Security > Secure administration, applications, and infrastructure.

  3. On the page that is displayed, select Federated repositories in Available realm definitions, click Set as current to make sure Federated repositories is the Current realm definition, then click Configure.

  4. For the new federated repository, set Realm name to ITMVESSORealm and Primary administrative user name to wsadmin.

  5. Under Related items, select Manage repositories.

  6. Click Add. The page displays the properties for the WAS-to-LDAP connection. Set the following properties:

    • Set Repository identifier to VELDAP.

    • Set Bind distinguished name and Bind password to the values you set for Administrator DN and password when you configured the LDAP server. These credentials are stored in the WAS configuration, so where your directory allows it, a dedicated bind account with read-only access to the user subtree is preferable to the directory administrator account.

    • Set Directory type to the version of IBM Tivoli Directory Server that you are using.

    • Set Primary host name to the name of the IBM Tivoli Directory Server host.

  7. Click OK to accept the settings.

  8. Return to the Secure administration, applications, and infrastructure page and select Configure to configure the federated repositories.

  9. Under Related items, click Manage repositories.

  10. If you are using existing LDAP users, rather than LDAP users added specifically for single sign-on (see Configure LDAP using IBM Tivoli Directory Server), perform the following steps:

    1. Click Add to specify the configured repository.

    2. Under Additional properties, click LDAP entity types.

    3. View the entity types that are supported by the member repositories, or select an entity type to view or change its configuration properties.

    4. Supply the object classes that are mapped to this entity type in the Object classes field. LDAP entries that contain one or more of the object classes belong to this entity type.

    5. Supply the search bases that are used to search this entity type. The search bases specified must be subtrees of the base entry in the repository. For example, you can specify the following search bases, where o=ibm,c=us is the base entry in the repository:

        o=ibm,c=us or cn=users,o=ibm,c=us or ou=austin,o=ibm,c=us

      In this example, you cannot specify the following search bases, because they are not subtrees of o=ibm,c=us:

      • c=us
      • o=ibm,c=uk

      Delimit multiple search bases with a semicolon (;). For example:

        ou=austin,o=ibm,c=us;ou=raleigh,o=ibm,c=us

    6. Supply the LDAP search filter used to search this entity type. For example, use...

        (objectclass=ePerson)

      ...to search for users or...

        (|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames))

      ...to search for groups in an external LDAP repository. If a search filter is not specified, the object classes and the relative distinguished name (RDN) properties are used to generate the search filter. Make sure the object class of the existing LDAP users matches the LDAP search filter; users that do not match the filter are not found in the realm and cannot log on.

    7. Click OK to accept the settings.

  11. Select Add Base entry to Realm, and attach the LDAP repository you just configured:

    • For Repository, select VELDAP.

    • For Distinguished name of a base entry that uniquely identifies this set of entries in the realm, use a unique identifier, for example...

        o=VELDAP

    • For Distinguished name of a base entry in this repository, use dc=ibm,dc=com, as the SSO LDAP entries are located under this node.

      If you are using an existing LDAP configuration, use the applicable distinguished name.

  12. Click OK to accept the settings.

  13. Restart the Tivoli Enterprise Portal Server.

  14. Enable the TEPS/e administrative console again, as described in Enable TEPS/e administrative console (the restart disables it).

  15. Log on to the TEPS/e administrative console and select...

      Security > Secure administration, applications, and infrastructure | Web security | single sign-on (SSO) | Enabled
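The search-base and search-filter rules in step 10 are easy to get wrong in the console, and a mistake only surfaces later as users who cannot log on. The following script is an added example (not IBM code) that checks the values offline before you type them in: it parses the semicolon-delimited Search bases field, confirms RDN by RDN that each base lies under the repository's base entry (a plain string suffix test would wrongly accept xo=ibm,c=us under o=ibm,c=us), derives a filter from the Object classes field and checks that a hand-written filter has balanced parentheses. The DN examples are constructed from the text above; the derived-filter shape is an assumption about how eWAS generates a filter from object classes, not documented behaviour.

```python
"""Offline sanity checks for the LDAP entity-type settings of a WAS federated
repository (step 10 above). Added example, not IBM code; the derived-filter
shape in default_search_filter is an assumption, not documented behaviour."""
from typing import List


def split_dn(dn: str) -> List[str]:
    """Split a DN into normalized RDNs, honoring backslash-escaped commas.
    'OU=Austin, o=ibm,c=us' -> ['ou=austin', 'o=ibm', 'c=us']"""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape + escaped char together
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    out = []
    for rdn in rdns:
        rdn = rdn.strip()
        if not rdn or "=" not in rdn:
            raise ValueError(f"malformed RDN in {dn!r}: {rdn!r}")
        attr, _, val = rdn.partition("=")
        out.append(f"{attr.strip().lower()}={val.strip().lower()}")
    return out


def is_within_base_entry(search_base: str, base_entry: str) -> bool:
    """True if search_base equals or lies under base_entry, compared RDN by RDN
    from the root, so 'c=us', 'o=ibm,c=uk' and 'xo=ibm,c=us' are all rejected
    for base entry 'o=ibm,c=us'."""
    sb, be = split_dn(search_base), split_dn(base_entry)
    return len(sb) >= len(be) and sb[len(sb) - len(be):] == be


def parse_search_bases(field: str, base_entry: str) -> List[str]:
    """Parse the semicolon-delimited Search bases field and reject any entry
    that is not a subtree of the repository's base entry."""
    bases = [b.strip() for b in field.split(";") if b.strip()]
    bad = [b for b in bases if not is_within_base_entry(b, base_entry)]
    if bad:
        raise ValueError(f"not under base entry {base_entry!r}: {bad}")
    return bases


def default_search_filter(object_classes: List[str]) -> str:
    """Filter derived from the Object classes field when the LDAP search filter
    is left empty (assumed shape): one class -> (objectclass=X),
    several -> (|(objectclass=X)(objectclass=Y))."""
    if not object_classes:
        raise ValueError("at least one object class is required")
    terms = [f"(objectclass={oc})" for oc in object_classes]
    return terms[0] if len(terms) == 1 else "(|" + "".join(terms) + ")"


def check_filter_balanced(ldap_filter: str) -> bool:
    """Catch an unbalanced hand-written filter such as
    '(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)' (missing ')')."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    base = "o=ibm,c=us"  # base entry used in the example in step 10 (constructed)
    print(parse_search_bases("ou=austin,o=ibm,c=us;ou=raleigh,o=ibm,c=us", base))
    for dn in ("cn=users,o=ibm,c=us", "c=us", "o=ibm,c=uk", "xo=ibm,c=us"):
        print(f"{dn:25} under {base}: {is_within_base_entry(dn, base)}")
    print(default_search_filter(["groupOfNames", "groupOfUniqueNames"]))
    print(check_filter_balanced("(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)"))
```

Run it with the base entry you intend to enter in step 11 and the search bases and filter you intend to enter in step 10; a ValueError from parse_search_bases or a False from check_filter_balanced means the console would accept a value that silently excludes users from the realm.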


Add the LDAP user to Tivoli Enterprise Portal user accounts

To add the LDAP user to Tivoli Enterprise Portal user accounts, use Tivoli Enterprise Portal user administration.

In the TEP main menu, select Administer Users.

To create a new user profile from defaults...

To create a new user profile as a copy of an existing one...

In the Modify User window, enter the username for the new user in the User ID field. In the Distinguished Name field, enter the following string:

This string registers the LDAP user with TEP. If you are using an existing LDAP configuration, use the applicable distinguished name.

For more information on managing users in the Tivoli Enterprise Portal, see the online help available in the Portal.


Parent topic:

Set up single sign on into Visualization Engine for Tivoli Enterprise Portal users
