2.8.1 Security considerations
If your application requires security between the Web modules and EJB modules, configure security to work correctly between the cells by doing the following:

1. Review the time, date, and time zone on all machines in both cells. The machines in the primary and backup cells need to be within five minutes of each other.

2. Configure a user registry with an LDAP server, OS security, or a custom user registry.

3. On the primary cell, go to Security | Global security. Under Authentication, select Authentication mechanisms | LTPA. Enter an LTPA password on the LTPA authentication page. Remember this password; it is needed later on the backup cluster. Click Apply, then save your changes.

4. Still on the LTPA authentication page, enter a path and file name in the Key file name field and click Export Keys. This exports the LTPA authentication keys; later, they are imported into the backup cell.

   Key file name: WebSphereKeys/primarycell.keys

   Transfer the LTPA key file to the backup cluster's Deployment Manager machine.

5. Back in the Administrative Console, still on the LTPA authentication page, under Additional Properties, select Single signon (SSO). Enter an appropriate Domain name that includes both cells.

   Domain name: ibmredbook.com

6. Configure any additional necessary security items.

7. On the Global security page, enable global security, then save and synchronize the changes. Make sure that all Node Agents are up and running when enabling global security.

8. Restart the primary cell.

9. On the backup cell, configure the same user registry as on the primary cell.

10. In the Administrative Console, go to Security | Global security. Under Authentication, select Authentication mechanisms | LTPA. In the Password and Confirm password fields, enter the password from the primary cell. Click Apply and save your changes.

11. Enter the path and file name of the exported LTPA key file from the primary cell into the Key file name field. Click Import Keys.

    If the password is incorrect, you see an error message in the WAS console. Correct the password, click Apply, and then repeat this step.

12. On the same panel, under Additional Properties, select Single signon (SSO). Enter an appropriate Domain name that includes both cells. It should be the same as on the primary cell.

    Domain name: ibmredbook.com

13. Configure any additional necessary security items.

14. On the Global security page, enable global security, then save and synchronize your changes.

15. Restart the backup cell.

Security tokens should now flow between the primary and backup cells.
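As a check after the final restart, this added Python script (not from the Redbook) compares the key file exported from the primary cell with one exported the same way from the backup cell, so a failed import or a stale key set shows up as a field mismatch rather than as unexplained token failures later. It assumes the exported file is a Java properties file using the com.ibm.websphere.ltpa.* entry names listed in SHARED_FIELDS; the sample file contents are constructed.

```python
"""Compare LTPA key files exported from two WebSphere cells.

Added example, not from the Redbook. Assumes the exported key file is a
Java .properties file carrying the com.ibm.websphere.ltpa.* entries in
SHARED_FIELDS; the sample contents below are constructed, not real keys.
"""

# Fields that must be identical in both cells for LTPA tokens to validate.
SHARED_FIELDS = (
    "com.ibm.websphere.ltpa.version",
    "com.ibm.websphere.ltpa.Realm",
    "com.ibm.websphere.ltpa.3DESKey",
    "com.ibm.websphere.ltpa.PrivateKey",
    "com.ibm.websphere.ltpa.PublicKey",
)

def parse_key_file(text):
    """Parse key=value lines of an exported LTPA key file; skip comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def compare_cells(primary_text, backup_text):
    """Return the shared fields that differ or are missing on either side.
    CreationHost and CreationDate legitimately differ and are not compared."""
    primary = parse_key_file(primary_text)
    backup = parse_key_file(backup_text)
    return [f for f in SHARED_FIELDS if primary.get(f) != backup.get(f)]

# Constructed sample exports (key material is placeholder text).
PRIMARY = """\
#IBM WebSphere Application Server key file
com.ibm.websphere.CreationDate=Mon Jan 07 10:00:00 GMT 2008
com.ibm.websphere.CreationHost=primary-dmgr
com.ibm.websphere.ltpa.version=1.0
com.ibm.websphere.ltpa.Realm=ldap.ibmredbook.com:389
com.ibm.websphere.ltpa.3DESKey=AAAA3des==
com.ibm.websphere.ltpa.PrivateKey=AAAApriv==
com.ibm.websphere.ltpa.PublicKey=AAAApub==
"""
BACKUP_OK = PRIMARY.replace("primary-dmgr", "backup-dmgr")
BACKUP_STALE = BACKUP_OK.replace("AAAA3des==", "BBBB3des==")  # import failed

if __name__ == "__main__":
    print("ok:", compare_cells(PRIMARY, BACKUP_OK), "stale:", compare_cells(PRIMARY, BACKUP_STALE))
```

An empty list means the backup cell holds the same key set and realm as the primary; any field listed points at the step that must be repeated.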