Feature Pack 6 or later

Enabling single sign-on between WebSphere Commerce and IBM Web Content Manager

When you integrate WebSphere Commerce with IBM Web Content Manager, enable single sign-on (SSO) authentication between the two applications. With SSO, a user authenticates once to WebSphere Commerce, and that authentication is reused for the rest of the session to access IBM Web Content Manager without a separate logon. The SSO is provided by IBM Lightweight Third-Party Authentication (LTPA).

Before you begin

  • Open the WebSphere Commerce configuration file. Ensure that the MigrateUsersFromWCSdb flag within this file is set to ON.
  • Synchronize the system clocks of all the systems that are included in the single sign-on configuration. An LTPA token carries an expiration time, so a receiving server whose clock is skewed can reject a token that is still valid on the server that issued it.

About this task

Single sign-on ensures that the authentication of a WebSphere Commerce user is mapped to the authentication of the same user in IBM Web Content Manager. This mapping is handled by LTPA. When a user authenticates, LTPA generates a token that asserts that user's authenticated identity. WebSphere Application Server passes this LTPA token between the applications (as a cookie in the user's browser) so that the single sign-on session is handled automatically; an application that shares the LTPA keys can validate the token without ever seeing the user's password. When the user logs off Management Center, the token is removed.

Procedure

  1. On your WebSphere Commerce server, enable single sign-on with the WebSphere Commerce Integration Wizard.
    1. Ensure that the WebSphere Application Server is started.
    2. Open the WebSphere Commerce Integration Wizard.
      • Solaris, Linux, AIX: WC_installdir/bin/WCIntegrationWizard.sh
      • Windows: WC_installdir\bin\WCIntegrationWizard.bat
    3. Verify the prerequisites. Click Next.
    4. Select your WebSphere Commerce instance name. Enter and confirm your database password. Click Next.
    5. Select Single Sign On as the integration task. Click Next.
    6. Enter the information specific to your single sign-on configuration.
      • Enter the single sign-on domain name.
      • Select the check box for the option Configure JAAS Login Module. When you select this option, WebSphere Commerce is configured to create the LTPA token that is shared between applications through the WebSphere Application Server.
      For more information about the available fields in this configuration, see the descriptions in the following file:

      WC_installdir/components/sso/properties/ltpa.properties

    7. Click Next and verify the summarized information.
    8. Click Next > Finish to complete the WebSphere Commerce Integration Wizard.
    9. Verify that the configuration is complete. Open the following file, where time is the timestamp of the enablement run:
      • WC_installdir/instances/instance_name/logs/enablesso_time.log
      Search the log file for the string Feature 'ldap','sso' enablement completed sucessfully.
  2. Generate and export the key file for WebSphere Commerce.
    1. Log on as one of the following users:
      • Solaris, Linux, AIX: the non-root user.
      • Windows: a user with administrative authority.
    2. Ensure that the WebSphere Application Server is started.
    3. Open the WebSphere Integrated Solutions Console.
    4. Expand the Security node. Click Global Security.
    5. In the Authentication section, ensure that the radio button for LTPA is selected. Click LTPA.
    6. In the Cross-cell single sign-on section, enter and confirm a password. This password protects the key file that you are exporting; you must enter the same password when you import the file on the IBM Web Content Manager server.
    7. Enter the Fully qualified key file name: the directory location and file name for the key file that must be imported to the IBM Web Content Manager server. Click Export.
    8. Click Apply > Save directly to the master configuration.
    9. Go to the directory that you specified for the key file and verify that the key is generated.
    10. Copy this exported key file from the WebSphere Commerce file system to the file system for the IBM Web Content Manager server. The file contains the LTPA key material that both cells will trust, so transfer it over a protected channel (for example, scp) and delete the copies after the import is complete.
  3. On your IBM Web Content Manager server, import the WebSphere Commerce key file.
    1. Log on as one of the following users:
      • Solaris, Linux, AIX: the root user.
      • Windows: a user with administrative authority.
    2. Ensure that the WebSphere Application Server is started.
    3. Open the WebSphere Application Server administrative console.
    4. Expand the Security node. Click Global Security.
    5. In the Authentication section, expand Web and SIP security. Click Single sign-on (SSO).
    6. Enter the Domain name that contains the set of hosts to which the single sign-on applies. It must include both the WebSphere Commerce and the IBM Web Content Manager host names, because the LTPA token is carried in a cookie scoped to this domain; typically it is the same domain name that you entered in the WebSphere Commerce Integration Wizard.
    7. Click Apply > Save directly to the master configuration.
    8. In the Authentication section, ensure that the radio button for LTPA is selected. Click LTPA.
    9. In the Cross-cell single sign-on section, enter and verify the password that you used when you exported the key file from WebSphere Commerce.
    10. Enter the Fully qualified key file name for the key file that you copied from the WebSphere Commerce file system. Click Import keys.
    11. Click Apply > Save directly to the master configuration.
  4. Optional: Generate and export the key file for IBM Web Content Manager. Steps 4 and 5 exchange the keys in the opposite direction; the goal is that both cells end up with one shared set of LTPA keys, and it does not matter which cell they originate from. If you completed steps 2 and 3 (exported the WebSphere Commerce key file and imported it into IBM Web Content Manager), skip this step.
    1. In the WebSphere Application Server administrative console, expand the Security node. Click Global Security.
    2. In the Authentication section, click LTPA.
    3. In the Cross-cell single sign-on section, enter and verify the password for the LTPA token that you are exporting.
    4. Enter the Fully qualified key file name for the key file that you are exporting to WebSphere Commerce. Click Export.
    5. Click Apply > Save directly to the master configuration.
    6. Go to the directory that you specified for the key file and verify that the key is generated.
    7. Copy this exported key file from the IBM Web Content Manager file system to the file system for the WebSphere Commerce server, over a protected channel, and delete the copies after the import is complete.
  5. Optional: On your WebSphere Commerce server, import the IBM Web Content Manager key file. If you imported the WebSphere Commerce key file into IBM Web Content Manager in step 3, skip this step.
    1. In the WebSphere Application Server administrative console, expand the Security node. Click Global Security.
    2. In the Authentication section, click LTPA.
    3. In the Cross-cell single sign-on section, enter and verify the password for the LTPA token that you are importing.
    4. Enter the Fully qualified key file name for the key file that you copied from the IBM Web Content Manager file system. Click Import keys.
    5. Click Apply > Save directly to the master configuration.
  6. Restart the servers for WebSphere Commerce and IBM Web Content Manager.
  7. Enable single sign-on for Management Center.
    1. Go to the following directory:
      • Solaris, Linux, AIX: WC_profiledir/LOBTools/WebContent/WEB-INF
      • Windows: WC_profiledir\LOBTools\WebContent\WEB-INF
    2. Open the struts-extension.xml file for editing.
    3. If the single sign-on actions for Management Center are commented out, uncomment them. The three actions are:
      • ResolveIdentity - this action resolves the identity of a user from an existing LTPA token by using the authenticateLTPA service.
        <!-- Resolve the user identity from an LTPA token presented by the browser -->
        <action path="/ResolveIdentity" parameter="Person"
          type="com.ibm.commerce.foundation.client.lobtools.actions.AuthenticationClientLibraryAction"
          className="com.ibm.commerce.foundation.client.facade.bod.servlet.struts.BusinessObjectDocumentActionMapping">
          <set-property property="contextParameters" value="channelId" />
          <set-property property="clientLibrary" value="com.ibm.commerce.member.facade.client.MemberFacadeClient" />
          <set-property property="clientLibraryMethod" value="authenticateLTPA" />
          <forward name="success" path="/jsp/commerce/shell/restricted/ResolveIdentitySuccess.jsp" />
          <forward name="failed" path="/jsp/commerce/shell/restricted/ResolveIdentityFailed.jsp" />
        </action>

      • Logon - this action generates an LTPA token when a user logs on to Management Center with a password. If this action is not present in the struts-extension.xml file, add it.
        <!-- Password logon; generateLTPAToken="true" issues the LTPA token on success -->
        <action path="/Logon" parameter="Person"
          type="com.ibm.commerce.foundation.client.lobtools.actions.AuthenticationClientLibraryAction"
          className="com.ibm.commerce.foundation.client.lobtools.actions.AuthenticationActionMapping">
          <set-property property="contextParameters" value="channelId" />
          <set-property property="clientLibrary" value="com.ibm.commerce.member.facade.client.MemberFacadeClient" />
          <set-property property="clientLibraryMethod" value="authenticatePassword" />
          <set-property property="aliasParameters" value="password:logonPassword" />
          <set-property property="generateLTPAToken" value="true" />
          <forward name="success" path="/jsp/commerce/shell/restricted/AuthenticationSuccess.jsp" />
          <forward name="failed" path="/jsp/commerce/shell/restricted/AuthenticationFailed.jsp" />
        </action>

      • Logout - this action removes the generated LTPA token when a user logs out of Management Center. If this action is not present in the struts-extension.xml file, add it.
        <!-- Logout; removeLTPAToken="true" clears the LTPA token with the session -->
        <action path="/Logout" parameter="Person"
          type="com.ibm.commerce.foundation.client.lobtools.actions.AuthenticationClientLibraryAction"
          className="com.ibm.commerce.foundation.client.lobtools.actions.AuthenticationActionMapping">
          <set-property property="clientLibrary" value="com.ibm.commerce.member.facade.client.MemberFacadeClient" />
          <set-property property="clientLibraryMethod" value="logout" />
          <set-property property="removeLTPAToken" value="true" />
          <forward name="success" path="/jsp/commerce/foundation/restricted/Values.jsp" />
          <forward name="failed" path="/jsp/commerce/shell/restricted/AuthenticationFailed.jsp" />
        </action>

    4. Save your changes and close the file.
  8. Restart the WebSphere Commerce server.
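The struts-extension.xml edit in step 7 fails silently when it is wrong: an action that is still inside an XML comment, or a /Logon action without generateLTPAToken="true", means the Logon action does not issue the LTPA token that the rest of the integration depends on. The following script is an added example, not part of the IBM procedure, that audits the three actions in a struts-extension.xml file and distinguishes "missing" from "present but commented out" from "present with the wrong set-property values". The action paths and property names are those listed in step 7; the sample documents, and the helper that builds them, are constructed for this example.

```python
"""Audit the Management Center single sign-on actions in struts-extension.xml.

Added example, not from the IBM page. It checks the three <action> entries the
procedure describes (/ResolveIdentity, /Logon, /Logout). The sample documents
below are constructed; a real file is read with open(path).read().
"""
import re
import xml.etree.ElementTree as ET

# Each SSO action and the <set-property> values it must carry (from step 7).
EXPECTED = {
    "/ResolveIdentity": {"clientLibraryMethod": "authenticateLTPA"},
    "/Logon": {"clientLibraryMethod": "authenticatePassword",
               "generateLTPAToken": "true"},
    "/Logout": {"clientLibraryMethod": "logout",
                "removeLTPAToken": "true"},
}

_COMMENT = re.compile(r"<!--(.*?)-->", re.S)
_ACTION_PATH = re.compile(r'<action\b[^>]*\bpath="([^"]+)"')


def audit_struts_sso(xml_text):
    """Return {action path: status}; status is 'ok', 'missing',
    'commented-out', or 'misconfigured: <property>[,<property>]'."""
    # ElementTree discards comments, so an action that exists only inside
    # <!-- --> is simply absent from the parsed tree.
    root = ET.fromstring(xml_text)
    live = {}
    for action in root.iter("action"):
        live[action.get("path")] = {
            sp.get("property"): sp.get("value")
            for sp in action.findall("set-property")
        }
    # Scan the comment bodies separately to tell "commented out" from "missing".
    commented = set()
    for body in _COMMENT.findall(xml_text):
        commented.update(_ACTION_PATH.findall(body))

    status = {}
    for path, required in EXPECTED.items():
        if path not in live:
            status[path] = "commented-out" if path in commented else "missing"
            continue
        wrong = [name for name, value in required.items()
                 if live[path].get(name) != value]
        status[path] = "ok" if not wrong else "misconfigured: " + ",".join(wrong)
    return status


# Class names as they appear in the actions listed in step 7.
BOD_MAPPING = ("com.ibm.commerce.foundation.client.facade.bod.servlet.struts."
               "BusinessObjectDocumentActionMapping")
AUTH_MAPPING = "com.ibm.commerce.foundation.client.lobtools.actions.AuthenticationActionMapping"


def _action(path, method, flag="", cls=AUTH_MAPPING):
    """Constructed <action> element in the shape the procedure uses."""
    return (
        f'<action path="{path}" parameter="Person"\n'
        '  type="com.ibm.commerce.foundation.client.lobtools.actions.AuthenticationClientLibraryAction"\n'
        f'  className="{cls}">\n'
        '  <set-property property="clientLibrary" value="com.ibm.commerce.member.facade.client.MemberFacadeClient" />\n'
        f'  <set-property property="clientLibraryMethod" value="{method}" />\n'
        f'{flag}'
        '  <forward name="success" path="/jsp/commerce/shell/restricted/AuthenticationSuccess.jsp" />\n'
        '  <forward name="failed" path="/jsp/commerce/shell/restricted/AuthenticationFailed.jsp" />\n'
        '</action>\n'
    )


def _struts_config(*actions):
    """Constructed Struts 1 configuration wrapper around the given actions."""
    return ("<struts-config>\n<action-mappings>\n" + "".join(actions)
            + "</action-mappings>\n</struts-config>\n")


# Constructed sample 1: ResolveIdentity commented out, Logon without the
# generateLTPAToken flag, Logout absent entirely.
SAMPLE_BROKEN = _struts_config(
    "<!--\n" + _action("/ResolveIdentity", "authenticateLTPA", cls=BOD_MAPPING) + "-->\n",
    _action("/Logon", "authenticatePassword"),
)
# Constructed sample 2: all three actions present and flagged as in step 7.
SAMPLE_FIXED = _struts_config(
    _action("/ResolveIdentity", "authenticateLTPA", cls=BOD_MAPPING),
    _action("/Logon", "authenticatePassword",
            '  <set-property property="generateLTPAToken" value="true" />\n'),
    _action("/Logout", "logout",
            '  <set-property property="removeLTPAToken" value="true" />\n'),
)

if __name__ == "__main__":
    for name, doc in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(name, audit_struts_sso(doc))
```

Run it against the real file with audit_struts_sso(open("struts-extension.xml").read()) before restarting the server; anything other than "ok" for all three paths means step 7 is not finished.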

Results

The single sign-on authentication is complete for your integration between Management Center and IBM Web Content Manager. A user who logs on to Management Center can now access IBM Web Content Manager in the same session without logging on again.
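After the key exchange (steps 2 and 3, or 4 and 5) and the restart, the practical way to confirm that the two cells really share LTPA keys is to export the keys again from the IBM Web Content Manager cell with the same password and compare that file with the WebSphere Commerce export. The two other things that break LTPA single sign-on between cells are a realm name that differs and an SSO domain that does not cover both hosts. The following Python script is an added example, not part of the IBM procedure, that performs those checks offline. It relies on the property names that WebSphere Application Server writes into an exported LTPA key file; the sample files, host names and domain are constructed for the example.

```python
"""Post-configuration check for LTPA single sign-on between two WebSphere cells.

Added example, not part of the IBM procedure. Assumes the LTPA keys were
exported from the WebSphere Commerce cell, imported into the IBM Web Content
Manager cell, and then exported again from WCM with the same password. The
sample files below are constructed with dummy key material.
"""
import base64
import binascii

# Key material both cells must share. 3DESKey and PrivateKey are stored
# encrypted under a key derived from the export password, so they compare
# equal only when both files were exported with the same password.
KEY_FIELDS = (
    "com.ibm.websphere.ltpa.3DESKey",
    "com.ibm.websphere.ltpa.PrivateKey",
    "com.ibm.websphere.ltpa.PublicKey",
)
# The realm name is embedded in every LTPA token; a cell rejects a token
# from a realm that is neither its own nor a configured trusted realm.
REALM_FIELD = "com.ibm.websphere.ltpa.Realm"


def parse_properties(text):
    """Parse the Java .properties subset WebSphere emits: key=value lines,
    '#' comment lines, and backslash-escaped ':' and '=' inside values."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().replace("\\:", ":").replace("\\=", "=")
    return props


def compare_ltpa_exports(wc_text, wcm_text):
    """Return a list of findings; empty means both cells share keys and realm."""
    wc, wcm = parse_properties(wc_text), parse_properties(wcm_text)
    findings = []
    for field in KEY_FIELDS + (REALM_FIELD,):
        if field not in wc or field not in wcm:
            findings.append("missing field: " + field)
        elif wc[field] != wcm[field]:
            findings.append("mismatch: " + field)
    # A truncated or line-wrapped copy is a common transfer error: every key
    # field must still be well-formed base64.
    for props in (wc, wcm):
        for field in KEY_FIELDS:
            try:
                base64.b64decode(props.get(field, ""), validate=True)
            except binascii.Error:
                findings.append("corrupt base64 in " + field)
    return findings


def host_in_sso_domain(host, sso_domain):
    """True if a cookie set with Domain=sso_domain is sent by the browser to
    host: the host must equal the domain or be a subdomain of it. A leading
    dot on the domain is accepted and ignored, as browsers do."""
    host = host.lower().rstrip(".")
    domain = sso_domain.lower().strip(".")
    if not domain:
        return False  # no domain: host-only cookie, never shared across hosts
    return host == domain or host.endswith("." + domain)


def check_sso_pair(wc_export, wcm_export, wc_host, wcm_host, sso_domain):
    """Key comparison plus the cookie-domain check for both hosts."""
    findings = compare_ltpa_exports(wc_export, wcm_export)
    for host in (wc_host, wcm_host):
        if not host_in_sso_domain(host, sso_domain):
            findings.append(f"{host} is outside SSO domain {sso_domain}; "
                            "the LTPA cookie will not reach it")
    return findings


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def sample_export(host, secret, realm="defaultWIMFileBasedRealm"):
    """Constructed export file in the layout WebSphere writes; the key values
    are dummies derived from secret, not real or encrypted key material."""
    return (
        "#IBM WebSphere Application Server key file\n"
        "#Tue Jan 01 12:00:00 UTC 2013\n"
        "com.ibm.websphere.CreationDate=Tue Jan 01 12\\:00\\:00 UTC 2013\n"
        "com.ibm.websphere.ltpa.version=1.0\n"
        f"com.ibm.websphere.ltpa.3DESKey={_b64(b'3des:' + secret)}\n"
        f"com.ibm.websphere.CreationHost={host}\n"
        f"com.ibm.websphere.ltpa.PrivateKey={_b64(b'priv:' + secret)}\n"
        f"com.ibm.websphere.ltpa.PublicKey={_b64(b'pub:' + secret)}\n"
        f"com.ibm.websphere.ltpa.Realm={realm}\n"
    )


# Constructed samples: the WC export; a WCM export taken after importing the WC
# keys (same material, different creation host); a WCM export taken before the
# import (WCM's own keys), which must be reported as a mismatch.
WC_EXPORT = sample_export("commerce.example.com", b"shared-secret-A")
WCM_AFTER_IMPORT = sample_export("wcm.example.com", b"shared-secret-A")
WCM_BEFORE_IMPORT = sample_export("wcm.example.com", b"wcm-own-secret-B")

if __name__ == "__main__":
    for label, wcm in (("after import", WCM_AFTER_IMPORT),
                       ("before import", WCM_BEFORE_IMPORT)):
        result = check_sso_pair(WC_EXPORT, wcm, "commerce.example.com",
                                "wcm.example.com", ".example.com")
        print(label + ":", result or "OK, cells share LTPA keys and realm")
```

Against real files, pass open(path).read() of each export to check_sso_pair together with the two host names and the domain entered in step 3. Treat the exported files as secrets: anyone who holds a key file and its password can mint LTPA tokens that both cells accept, so delete the exports once the comparison is done.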