Configure WebSEAL for use with WAS
Use this topic to set the SSO password in WebSEAL for single sign-on to WebSphere Application Server.
A junction must be created between WebSEAL and WAS. This junction carries the iv-credentials (for TAI++) or iv-user (for TAI) and the HTTP basic authentication headers with the request. WebSEAL can be configured to pass the end user identity in other ways, but the iv-credentials header is the only one supported by TAI++ and the iv-user header is the only one supported by TAI.
Communications over the junction should use SSL for increased security. Setting up SSL across this junction requires that you configure the HTTP Server used by WAS, and WAS itself, to accept inbound SSL traffic and route it correctly to WAS. This activity requires importing the necessary signing certificates into the WebSEAL certificate keystore, and possibly also the HTTP Server certificate keystore.
Create the junction between WebSEAL and WAS using the -c iv_creds option for TAI++ and -c iv_user for TAI. Enter either of the following commands as one line using the variables that are appropriate for the environment:
TAI++
server task webseald-server create -t ssl -b supply -c iv_creds -h host_name -p websphere_app_port_number junction_name
TAI
server task webseald-server create -t ssl -b supply -c iv_user -h host_name -p websphere_app_port_number junction_name
Notes:
- If warning messages are displayed about the incorrect setup of certificates and key databases, delete the junction, correct problems with the key databases, and recreate the junction.
- The junction can be created as -t tcp or -t ssl, depending on your requirements.
For single sign-on (SSO) to WAS, the SSO password must be set in WebSEAL. To set the password, complete the following steps:
- Edit the WebSEAL configuration file webseal_install_directory/etc/webseald-default.conf and set the following parameter:
  basicauth-dummy-passwd=webseal_userid_passwd
  where webseal_userid_passwd is the SSO password for the trusted user account set in Create a trusted user account in Tivoli Access Manager.
- Restart WebSEAL.
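The following check is an added example, not part of the IBM documentation: it audits a junction create command and the contents of webseald-default.conf against the settings this topic requires. The function names and the sample host, port and junction name are assumptions made for illustration.

```python
import shlex

# Header each interceptor accepts, as stated in this topic.
REQUIRED_HEADER = {"TAI++": "iv_creds", "TAI": "iv_user"}

def audit_junction(cmd, interceptor):
    """Return findings for a 'server task ... create' line; empty list means OK."""
    args = shlex.split(cmd)
    args = args[args.index("create") + 1:]
    opts, i = {}, 0
    while i < len(args) - 1:              # the last token is the junction name
        if args[i].startswith("-"):
            opts[args[i]] = args[i + 1]
            i += 2
        else:
            i += 1
    findings = []
    want = REQUIRED_HEADER[interceptor]
    if want not in opts.get("-c", "").split(","):
        findings.append(f"-c must pass {want} for {interceptor}")
    if opts.get("-b") != "supply":
        findings.append("-b supply is not set")
    if opts.get("-t") == "tcp":
        findings.append("-t tcp: identity header and SSO password cross the junction unencrypted")
    return findings

def audit_conf(text):
    """Return findings for the contents of webseald-default.conf."""
    values = []
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        if sep and key.strip() == "basicauth-dummy-passwd":
            values.append(val.strip())
    if not values:
        return ["basicauth-dummy-passwd is not set"]
    # Empty, or the placeholder from this topic left in place.
    if values[-1] in ("", "webseal_userid_passwd"):
        return ["basicauth-dummy-passwd is empty or still a placeholder"]
    return []

if __name__ == "__main__":
    # Constructed sample input: host, port and junction name are made up.
    cmd = ("server task webseald-server create -t tcp -b supply -c iv_user "
           "-h was.example.com -p 9080 /was")
    print(audit_junction(cmd, "TAI++"))
    print(audit_conf("[junction]\nbasicauth-dummy-passwd = webseal_userid_passwd\n"))
```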
For more details and options about how to configure junctions between WebSEAL and WAS, including other options for specifying the WebSEAL server identity, refer to the Tivoli Access Manager WebSEAL Administration Guide as well as to the documentation for the HTTP Server you are using with your WAS. Tivoli Access Manager documentation is available at http://publib.boulder.ibm.com/tividd/td/tdprodlist.html.