Configure WebSphere Application Server V6.0 for OS/400 with Single sign-on
This example is for users that are not familiar with the Web serving environment. It describes all the steps necessary to get iSeries™ Access for Web running in a WebSphere® Application Server V6.0 for OS/400® environment with single sign-on (SSO) enabled. It also describes how to verify that the setup is working.
When the configuration is completed, iSeries Access for Web uses the authenticated WebSphere user identity to access i5/OS® resources. iSeries Access for Web does not perform additional prompting for an i5/OS user profile and password in this environment.
This environment requires WebSphere global security to be enabled. When enabled, users must provide WebSphere credentials when accessing secured WebSphere resources. Configuration options enable iSeries Access for Web to be deployed as a secured WebSphere application. WebSphere credentials are required when accessing iSeries Access for Web functions in this environment. In turn, iSeries Access for Web uses Enterprise Identity Mapping (EIM) to map the authenticated WebSphere user to an i5/OS user profile.
The mapped i5/OS user profile is used to authorize the user to i5/OS resources using standard i5/OS object level security.
Configuring your Web serving environment consists of these steps:
- Start the IBM Web Administration for iSeries interface.
- Start a 5250 session to the system.
- Sign on with a user profile that has at least these special authorities: *ALLOBJ, *IOSYSCFG, *JOBCTL, and *SECADM.
- Run the following command to start the web administration interface job: STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
- Minimize the 5250 session.
- Create an HTTP web server and a WebSphere Application Server V6.0 for OS/400 Web application server:
- Open a browser to: http://<system_name>:2001
- Log in with a user profile that has at least these special authorities: *ALLOBJ, *IOSYSCFG, *JOBCTL, and *SECADM.
- Select IBM Web Administration for iSeries.
- Select the Setup tabbed page.
- Under Common Tasks and Wizards, select Create Application Server.
- The Create Application Server page opens. Select Next.
- Select WebSphere Application Server V6.0 for OS/400 then select Next.
- The Specify Application Server Name page opens. For Application server name, specify iwa60sso. This will be the name of the WebSphere Express Web application server. Select Next.
- The Select HTTP Server Type page opens. Select Create a new HTTP server (powered by Apache) then select Next.
- The Create a new HTTP server (powered by Apache) page opens.
- For HTTP server name, enter IWA60SSO.
- For Port, specify 4044.
Select Next.
- The Specify Internal Ports Used by the Application Server page opens. For First port in range, change the default value to 41044. Select Next.
- The Select Business and Sample Applications page opens. Select Next until the Summary page opens.
- The Configure Identity Token SSO for Web to i5/OS Access page opens. Select the Configure Identity Tokens option, then specify these values:
- For LDAP server host name, specify the fully qualified host name of the LDAP server hosting the EIM domain created during EIM setup. For example, MYISERIES.MYCOMPANY.COM
- For LDAP Port, specify the port number of the LDAP server hosting the EIM domain created during EIM setup. For example, 389.
- For LDAP administrator DN, specify the distinguished name of the LDAP administrator. For example, cn=administrator.
- For LDAP administrator password, specify the password of the LDAP administrator. For example, myadminpwd.
Select Next.
- The Configure Identity Token EIM Domain Information page opens. Specify this information:
- For EIM Domain Name, select the name of the EIM domain created during EIM setup. For example, EimDomain.
- For Source Registry Name, select the name of the EIM source registry created during EIM setup. For example, WebSphereUserRegistry.
Select Next.
- The Summary page opens. Select Finish.
- The Web page is re-displayed with the Manage > Application Servers tabbed page active. Under Instance/Server, iwa60sso/iwa60sso – WAS, V6.0 is listed with a status of Creating. From this Web page, you can manage the WebSphere application server. Use the refresh icon next to the Creating status to refresh the page, if the page does not periodically refresh.
- When the status is updated to Stopped, select the green icon next to Stopped to start the WebSphere application server. The status will be updated to Starting. Use the refresh icon next to the Starting status to refresh the page if the page does not periodically refresh. iSeries Access for Web requires that the WebSphere application server is running before it can be configured. Wait for the status to be updated to Running before moving to the next step.
- Minimize the browser window.
- Configure iSeries Access for Web.
- Restore the 5250 session window.
- To see the WebSphere application server running, run the command: WRKACTJOB SBS(QWAS6)
- Verify that IWA60SSO is listed as a job running under the QWAS6 subsystem. iSeries Access for Web requires that the WebSphere application server is running before it can be configured.
- Verify the Web application server is ready:
- Enter option #5 on your IWA60SSO job.
- Enter option #10 to display the job log.
- Press F10 to display detailed messages.
- Verify the message Websphere application server iwa60sso ready is listed. This message indicates that the application server is fully started and is ready for Web serving.
- Press F3 until you return to a command line.
- iSeries Access for Web provides commands to configure the product. Two different commands are provided, a CL command and a QShell script command. Both commands provide and perform the same function. Use whichever version you prefer.
- To use the CL command, follow these steps:
- Configure iSeries Access for Web for your Web application server by using the following command:
QIWA2/CFGACCWEB2 APPSVRTYPE(*WAS60) WASPRF(iwa60sso)
APPSVR(iwa60sso) AUTHTYPE(*APPSVR) AUTHMETHOD(*FORM)
WASUSRID(myadminid) WASPWD(myadminpwd)
These are the parameters used:
- APPSVRTYPE
- Tells the command which Web application server to configure.
- WASPRF
- Tells the command which profile of the Web application server to configure.
In previous releases of WebSphere, the WASINST parameter was used. In WebSphere Application Server V6.0 for OS/400, profiles have replaced instances.
- APPSVR
- Tells the command the name of the Web application server within the profile to configure.
- AUTHTYPE
- Tells the command which authentication type to use. *APPSVR indicates the Web application server should authenticate the user using the WebSphere active user registry.
- AUTHMETHOD
- Tells the command which authentication method to use. *FORM indicates the Web application server should authenticate using form-based HTTP authentication.
- WASUSRID
- Tells the command which WebSphere administrative user ID to use when accessing this Web application server. Replace the example value with an administrator user ID defined in the WebSphere active user registry.
- WASPWD
- Tells the command which WebSphere administrative password to use when accessing this Web application server. Replace the example value with the password for the administrative user ID provided with the WASUSRID parameter.
Refer to the online help for the command for additional options and information.
- Several messages similar to these will be displayed:
- Configuring iSeries Access for Web.
- Preparing to perform the configuration changes.
- Calling WebSphere to perform the configuration changes.
- iSeries Access for Web command has completed.
- The WebSphere instance application server must be stopped and then started to enable the configuration changes.
- Press F3 or Enter when the command completes to exit the display session.
- To use the QShell script command, follow these steps:
- Start the QShell environment using the following command: QSH
- Make the iSeries Access for Web directory the current directory. Run this command:
cd /QIBM/ProdData/Access/Web2/install
- Configure iSeries Access for Web for the Web application server previously created:
cfgaccweb2 -appsvrtype *WAS60 -wasprf iwa60sso -appsvr iwa60sso
-authtype *APPSVR -authmethod *FORM
-wasusrid myadminid -waspwd myadminpwd
These are the parameters used:
- -appsvrtype
- Tells the command which Web application server to configure.
- -wasprf
- Tells the command which profile of the Web application server to configure.
In previous releases of WebSphere, the -wasinst parameter was used. In WebSphere Application Server V6.0 for OS/400, profiles have replaced instances.
- -appsvr
- Tells the command the name of the Web application server within the profile to configure.
- -authtype
- Tells the command which authentication type to use. *APPSVR indicates the Web application server should authenticate the user using the WebSphere active user registry.
- -authmethod
- Tells the command which authentication method to use. *FORM indicates the Web application server should authenticate using form-based HTTP authentication.
- -wasusrid
- Tells the command which WebSphere administrative user ID to use when accessing this Web application server. Replace the example value with an administrator user ID defined in the WebSphere active user registry.
- -waspwd
- Tells the command which WebSphere administrative password to use when accessing this Web application server. Replace the example value with the password for the administrative user ID provided with the -wasusrid parameter.
For help on this command and the parameters, specify the -? parameter. Refer to the online help for the command for additional options and information.
- Several messages similar to these will be displayed:
- Configuring iSeries Access for Web.
- Preparing to perform the configuration changes.
- Calling WebSphere to perform the configuration changes.
- iSeries Access for Web command has completed.
- The WebSphere instance application server must be stopped and then started to enable the configuration changes.
- Press F3 when the command completes to exit the QShell session.
- If the command fails or indicates an error, refer to the log files:
- /QIBM/UserData/Access/Web2/logs/cmds.log
High level, cause and recovery information; translated.
- /QIBM/UserData/Access/Web2/logs/cmdstrace.log
Detailed command flow for IBM Software Service; English only.
- After successfully configuring iSeries Access for Web, the WebSphere application server must be restarted to load the changes to its configuration. This will be done later.
- Sign off the 5250 session window and close the window.
- Start the Web environment.
- Return to the browser window that is open to the IBM Web Administration for iSeries server management page.
- The Manage > Application Servers tabbed page should be active. Under Instance/Server is listed iwa60sso/iwa60sso – WAS, V6 with a status of Running. Stop and restart the WebSphere application server:
- Select the red icon next to the Running status to stop the WebSphere server. Select the refresh icon next to the Stopping status to refresh the page if the page does not periodically refresh.
- When the status is updated to Stopped, select the green icon next to Stopped to start the WebSphere application server.
- The status will be updated to Starting. Select the refresh icon next to the Starting status to refresh the page if it does not periodically refresh. Wait for the status to be updated to Running before moving to the next step. iSeries Access for Web will load and start as the WebSphere application server starts.
- Select the HTTP Servers tabbed page.
- Under Server, select IWA60SSO - Apache.
The current status of this Apache HTTP server should be Stopped. Select the green icon next to the status to start the HTTP server. The status is updated to Running.
- Close the browser window.
- Use a browser to access iSeries Access for Web.
- Open a browser to either of the following addresses to access iSeries Access for Web:
http://<system_name>:4044/webaccess/iWAHome
http://<system_name>:4044/webaccess/iWAMain
- Log in using an i5/OS user ID and password. The initial load of iSeries Access for Web might take a few seconds. WebSphere Application Server is loading Java™ classes for the first time. Subsequent loads of iSeries Access for Web will be faster.
- The iSeries Access for Web Home or Main page displays.
- Close the browser window.
By following the preceding steps, you completed these tasks:
- Configured an EIM environment to enable mapping of WebSphere user identities to i5/OS user profiles.
- Created a WebSphere Web application server named iwa60sso.
- Created an HTTP server named IWA60SSO.
- Enabled global security for WebSphere web application server iwa60sso.
- Configured iSeries Access for Web for the WebSphere application server.
- Stopped and restarted the WebSphere application server and HTTP web server. iSeries Access for Web started when the WebSphere application server started.
- Verified that iSeries Access for Web can be accessed from a Web browser.
In this example, only the CFGACCWEB2 command is used to configure iSeries Access for Web.
For more information about using all the iSeries Access for Web CL commands, use the CL command finder.
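A check that the deployment is actually secured with form-based login, as an added example that is not part of the original IBM procedure: it classifies the saved response to an unauthenticated request for the iWAHome address. It assumes the login page posts to j_security_check, the form-login action defined by the Java servlet specification; the function names and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Classify a saved response from an unauthenticated request such as
#   curl -s -i -L http://<system_name>:4044/webaccess/iWAHome > resp.txt
# Prints one of: form-login | basic-auth | unprotected | error
classify_response() {
    # With -L, curl -i prints every hop; the last status line is the final one.
    status=$(tr -d '\r' < "$1" |
        sed -n 's/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p' | tail -n 1)
    if grep -qi 'j_security_check' "$1"; then
        echo form-login    # servlet-spec form login action is present
    elif [ "$status" = 401 ] && grep -qi '^WWW-Authenticate:' "$1"; then
        echo basic-auth    # secured, but not with AUTHMETHOD(*FORM)
    elif [ "$status" = 200 ]; then
        echo unprotected   # content served without any login challenge
    else
        echo error         # 404/500/empty: application not started or not deployed
    fi
}

# Write constructed sample responses (not captured from a real system) into DIR.
# The /webaccess/login path in the redirect is a made-up placeholder.
make_samples() {
    dir=$1
    printf 'HTTP/1.1 302 Found\r\nLocation: /webaccess/login\r\n\r\nHTTP/1.1 200 OK\r\n\r\n<form method="post" action="j_security_check">\n' > "$dir/form.txt"
    printf 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="x"\r\n\r\n' > "$dir/basic.txt"
    printf 'HTTP/1.1 200 OK\r\n\r\n<html><title>Home</title></html>\n' > "$dir/open.txt"
    printf 'HTTP/1.1 404 Not Found\r\n\r\n' > "$dir/missing.txt"
}

# Usage as a script: sh check_login.sh resp.txt
if [ -n "${1:-}" ]; then
    classify_response "$1"
fi
```

A result of unprotected means iSeries Access for Web is being served without WebSphere authentication, so the CFGACCWEB2 authentication settings and global security should be rechecked before the server is exposed to users.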