
Configure single sign-on for portlets with SiteMinder and SPNEGO

Configure IBM Connections portlets to use single sign-on with Computer Associates' SiteMinder and SPNEGO.

  1. Enable SiteMinder and SPNEGO for Connections, following the steps in Enable single-sign on for SiteMinder with SPNEGO.

  2. Enable and configure single sign-on for HTTP requests using SPNEGO, following the steps in Enable and configure single sign-on for HTTP requests using SPNEGO.

  3. Configure SiteMinder following the steps in the article Configure eTrust SiteMinder.

  4. Merge all the keytab files to make the dmgr aware of the SPNs for each node. This step is done on the Portal server only.

    The following example demonstrates the procedure for merging keytab files.

    Assuming that you already created the following keytab files:

    • krb5.keytab on the dmgr

    • krb5NodeA.keytab on Node A

    • krb5NodeB.keytab on Node B

    Run the ktab command with the following switch:

    -m source_keytab_name destination_keytab_name

    where source_keytab_name is the name of the keytab file on the source system, and destination_keytab_name is the name of the keytab file on the destination system.

    Step 1: merge the keytab file on Node A into the keytab file on the Deployment manager:

    # ./ktab -m /etc/krb5NodeA.keytab /etc/krb5.keytab
    Merging keytab files:   source=krb5NodeA.keytab   destination=krb5.keytab
    Done! 

    Step 2: merge the keytab file on Node B into the keytab file on the dmgr:

    # ./ktab -m /etc/krb5NodeB.keytab /etc/krb5.keytab
    Merging keytab files:   source=krb5NodeB.keytab   destination=krb5.keytab
    Done! 

    For an example of how to manage Kerberos keys, see the article Use the ktab command to manage the Kerberos keytab file.

  5. Enable SPNEGO trust association interceptor (TAI) for the Portal server.

    1. Log on to the WebSphere WAS console.

    2. Click Security > Global security.

    3. Click Trust association under Web and SIP security.

    4. Ensure the Enable trust association check box is checked and then click Interceptors.

    5. Click New and then type com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl in the Interceptor class name text field.

    6. Click OK and then click the Save link to save changes to the master configuration.

  6. Configure the Virtual Member Manager (VMM), following the steps in the topic Configuring the Connections repository for VMM. If you have not already done so, follow the instructions in Configuring portlets to use common directory services to copy sonata.services.xml to <wp_root>\config\cells\<cell name>\

  7. After SiteMinder and SPNEGO are enabled for Portal, ensure that the computer can ping the LDAP and IIS servers in the SPNEGO domain. For example, ping ldap.spnego.com and iisserver.spnego.com to confirm connectivity.
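
To confirm the merge in step 4, the dmgr keytab can be checked for the SPN of every node before SPNEGO is tested end to end. The following is an added example, not part of the original documentation; it assumes the keytab uses the standard version 0x0502 on-disk layout, and the host names, realm and all-zero keys are constructed sample data.

```python
import struct

def read_counted(buf, pos):  # uint16 length-prefixed string -> (text, next position)
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def keytab_principals(data):
    """Return the set of (principal, kvno) pairs in a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, pos = set(), 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted entry (hole)
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = read_counted(data, pos + 2)
        parts = []
        for _ in range(ncomp):
            part, p = read_counted(data, p)
            parts.append(part)
        p += 8                        # skip name type and timestamp
        kvno = data[p]                # 8-bit key version number
        _etype, klen = struct.unpack_from(">HH", data, p + 1)
        p += 5 + klen                 # skip kvno byte, key type, key length, key bytes
        if end - p >= 4:              # optional 32-bit kvno, used when non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        found.add(("/".join(parts) + "@" + realm, kvno))
        pos = end
    return found

def missing_spns(data, expected):  # expected SPNs that have no entry in the keytab
    return sorted(set(expected) - {name for name, _ in keytab_principals(data)})

def sample_entry(spn, realm, kvno, key=b"\x00" * 16):  # constructed entry, dummy key
    s = lambda t: struct.pack(">H", len(t)) + t.encode()
    parts = spn.split("/")
    body = (struct.pack(">H", len(parts)) + s(realm) + b"".join(map(s, parts))
            + struct.pack(">IIBHH", 1, 0, kvno, 17, len(key)) + key)
    return struct.pack(">i", len(body)) + body

# Constructed sample: a merged keytab that is still missing Node B's SPN.
REALM = "EXAMPLE.COM"
MERGED = (b"\x05\x02" + sample_entry("HTTP/dmgr.example.com", REALM, 3)
          + sample_entry("HTTP/nodea.example.com", REALM, 2))
EXPECTED = [f"HTTP/{h}.example.com@{REALM}" for h in ("dmgr", "nodea", "nodeb")]
print("missing:", missing_spns(MERGED, EXPECTED))
```

Against a real file, pass the bytes of the merged keytab (for example /etc/krb5.keytab from step 4) as `data`; the returned kvno values also show whether stale key versions were carried over by the merge.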

