Configuring single sign-on with WebSphere Portal

If you will use IBM® Sametime® with IBM WebSphere® Portal, you can enable single sign-on by importing the LTPA keys used by WebSphere Portal into the IBM Domino® server used by Sametime, and then configuring the WebSphere-based servers in both deployments to use the same realm. Both parts are required: the shared LTPA keys let each server validate the LtpaToken cookies the others issue, and a token whose realm name does not match the receiving server's realm is rejected even when its signature is valid.

About this task

For more information on integrating Sametime with WebSphere Portal, see the Sametime 9.0.1 Integration Guide in the Sametime wiki.

Procedure

  1. Retrieve the realm name used in WebSphere Portal:
    1. On the server hosting WebSphere Portal, log into the Integrated Solutions Console as the WebSphere administrator.
    2. In the navigator, click Security > Global Security.
    3. In the "User account repository" section, select the federated repository and then click the Configure button.
    4. Write down the name shown in the Realm name field; you will need the name in step 4 of this task.
    5. Click Cancel to ensure you do not make any accidental changes.
    6. Leave the Integrated Solutions Console open for the next step.
  2. Export the LTPA used by WebSphere Portal:
    1. In the Integrated Solutions Console navigator, click Security > Global Security.
    2. In the "Authentication" section, click Authentication mechanisms > LTPA.
    3. In the "Additional properties" section, click Single signon (SSO).
    4. Make sure Web inbound security attribute propagation is not selected (if you must make a change to it now, click Apply to save it).
    5. Click the LTPA link to return to the Configuration page.
    6. Type a password in the Password field and note it down for use in step 3. This password protects the key material in the exported file, so choose a strong one and share it only with the Domino administrator who performs the import.
    7. Type a name, path, and file name in the Key File Name field.
    8. Click the Export Keys button.
    9. If you changed any settings (for example, in substep 2e), save the changes to the master configuration by clicking the Save link in the "Messages" box at the beginning of the page.
    10. Log out of the Integrated Solutions Console.
    11. Copy the exported file to a place that is accessible by the Domino servers hosting the Sametime Community Servers. The file holds the keys that sign every LTPA token in the single sign-on domain, so transfer it over a protected channel, restrict read access to the administrator performing the import, and delete all copies after the import succeeds.
  3. Import the LTPA token into Domino on every Sametime Community Server:
    1. On the Sametime Community Server, open the Domino server's names.nsf file.
    2. Click Configuration > Web > Web Configurations.
    3. Open the Web SSO Configuration for LtpaToken document.
    4. Click Edit SSO Configuration.
    5. Click Keys > Import WebSphere LTPA keys.
    6. Type the exact path and file name of the key file you exported from WebSphere Portal in step 2.
    7. Type the password you created with the key file when you exported it from WebSphere Portal in step 2.
    8. Click OK to import the LTPA token from the key file into Domino.

      The message Successfully imported WebSphere LTPA keys appears after the key has been imported.

    9. Important: Make sure the realm name matches the realm used by WebSphere Portal exactly, including capitalization.

      A Portal realm is often displayed as a value such as ldaphost:389. In Domino the colon must be escaped with a backslash, so enter it as ldaphost\:389 before saving the SSO configuration.

    10. Click Save to update the SSO configuration for this Domino server.
    11. Repeat this process on every Sametime Community Server.
  4. Configure all WebSphere-based Sametime servers to use the same LTPA realm as WebSphere Portal.
    1. On the Sametime server cell's (or cluster's) deployment manager, log into the WebSphere Application Server's Integrated Solutions Console as the WebSphere administrator.

      In Sametime, the System Console typically serves as the deployment manager for cells and clusters.

    2. In the navigator, click Security > Global Security.
    3. In the "User account repository" section, select the federated repository and then click the Configure button.
    4. In the Realm name field, delete the existing name and type the realm name used in WebSphere Portal, making sure to match it exactly (including spelling and capitalization).

      This is the realm name that you wrote down in step 1.

    5. Click OK.
    6. Save the changes to the master configuration by clicking the Save link in the "Messages" box at the beginning of the page.
    7. In the navigator, click Users and Groups > Administrative user roles.
    8. Select all administrators (click the check box that precedes each user name), and reassign all roles to those users.
      Important: After you change the realm definition, you must map the wsadmin account to the required security and administrative roles for use within the new realm.
    9. Save the changes to the master configuration by clicking the Save link in the "Messages" box at the beginning of the page.
    10. Restart the deployment manager.
    11. If you deployed multiple cells or clusters, repeat this process on every deployment manager.

      For example, you must update the deployment manager associated with each type of Sametime server, whether it is deployed as a single-server cell or as a cluster.

  5. After all of the Sametime cells and clusters have been updated to use the WebSphere Portal realm, manually synchronize the nodes within each cell or cluster:
    1. On a node, stop the node agent and all application servers.
    2. Open a command prompt and navigate to the following directory: websphere/appserver/profiles/Profile_Name/bin.
    3. Run the following command:

      IBM AIX®, Linux™

      syncNode.sh dMgr_Host_Name.company.com SOAP_port

      Microsoft™ Windows™

      syncNode.bat dMgr_Host_Name.company.com SOAP_port
      where:
      • dMgr_Host_Name.company.com is the fully qualified host name of the cell or cluster's deployment manager.
      • SOAP_port is the deployment manager's SOAP port; typically 8703.
    4. Restart the node agent and application servers.
    5. Repeat for every node within the current cell or cluster; then proceed to the next cell or cluster and repeat the manual synchronization process.
  6. Monitor the startServer.log and SystemOut.log files of each cell or cluster for any errors related to security. Such errors may indicate that the new realm information is not entirely in sync, in which case you may need to repeat the synchronization process in step 5.
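The realm comparison in steps 1, 3 and 4 is easy to get wrong by hand (a single capitalization difference or a missing backslash is enough to make every token fail). The following script, an added example that is not part of the IBM documentation or of any IBM product, reads the realm out of an exported LTPA key file, produces the Domino-escaped form, checks every Sametime cell's realm against it, and refuses to proceed if the key file is readable by other users. The property names follow the key=value format WebSphere writes when exporting LTPA keys; the file contents, host names and cell names below are constructed placeholders, and the key material is not a real key.

```python
"""Pre-import checks for a WebSphere LTPA key export (added example)."""
import os
import stat

# Constructed sample of an exported LTPA key file. Java property files
# escape ':' and '=' inside values with a backslash, which is why the
# realm appears as ldaphost.example.com\:389 here. Key values are fake.
SAMPLE_LTPA_KEYFILE = """\
#IBM WebSphere Application Server key file
#Mon Jan 01 12:00:00 EST 2018
com.ibm.websphere.CreationDate=Mon Jan 01 12\\:00\\:00 EST 2018
com.ibm.websphere.ltpa.version=1.0
com.ibm.websphere.ltpa.3DESKey=PLACEHOLDER_ENCRYPTED_3DES_KEY\\=
com.ibm.websphere.CreationHost=portal.example.com
com.ibm.websphere.ltpa.PrivateKey=PLACEHOLDER_ENCRYPTED_PRIVATE_KEY\\=
com.ibm.websphere.ltpa.Realm=ldaphost.example.com\\:389
com.ibm.websphere.ltpa.PublicKey=PLACEHOLDER_PUBLIC_KEY\\=
"""

# Properties that must never be echoed into a log or a ticket.
SECRET_KEYS = {"com.ibm.websphere.ltpa.3DESKey", "com.ibm.websphere.ltpa.PrivateKey"}


def _unescape(value):
    """Undo Java-properties backslash escaping (\\:, \\=, \\\\, \\t, \\n)."""
    out, i = [], 0
    specials = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append(specials.get(nxt, nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        # The key ends at the first unescaped '=' or ':'.
        for i, ch in enumerate(line):
            if ch in "=:" and (i == 0 or line[i - 1] != "\\"):
                props[line[:i].strip()] = _unescape(line[i + 1:].strip())
                break
    return props


def ltpa_realm(keyfile_text):
    """Return the plaintext realm recorded in the exported key file."""
    props = parse_properties(keyfile_text)
    try:
        return props["com.ibm.websphere.ltpa.Realm"]
    except KeyError:
        raise ValueError("no com.ibm.websphere.ltpa.Realm in key file")


def domino_realm(realm):
    """Escape ':' with a backslash as the Domino Web SSO document requires."""
    return realm.replace(":", "\\:")


def check_realms(portal_realm, cell_realms):
    """Return the cells whose realm differs from Portal's, byte for byte.

    The comparison is deliberately case-sensitive: WebSphere treats
    'LDAPHOST:389' and 'ldaphost:389' as different realms.
    """
    return sorted(cell for cell, realm in cell_realms.items() if realm != portal_realm)


def keyfile_is_private(mode):
    """True if the POSIX mode grants no group/other permissions at all."""
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def check_keyfile_permissions(path):
    """Refuse to continue if the key export is readable by other users (POSIX)."""
    return keyfile_is_private(os.stat(path).st_mode)


def redacted_summary(keyfile_text):
    """Non-secret fields only, safe to paste into a change record."""
    props = parse_properties(keyfile_text)
    return {k: v for k, v in props.items() if k not in SECRET_KEYS}


if __name__ == "__main__":
    realm = ltpa_realm(SAMPLE_LTPA_KEYFILE)
    print("Portal realm:", realm)
    print("Enter in Domino as:", domino_realm(realm))
    # Constructed cell names and realms; STProxyCell differs only in case.
    cells = {"STCommunityCell": "ldaphost.example.com:389",
             "STProxyCell": "LDAPHOST.example.com:389"}
    print("Cells to fix:", check_realms(realm, cells))
    print("Summary:", redacted_summary(SAMPLE_LTPA_KEYFILE))
```

Run it against the real export (read the file into ltpa_realm and check_keyfile_permissions) before step 3, and against the realm names you read from each System Console before step 4; any cell it lists will reject Portal's tokens until its realm is corrected.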