Preparing servers running on WebSphere Application Server for single sign-on

Prepare for single sign-on (SSO) by exporting an LTPA key from a server running on IBM® WebSphere® Application Server. This step configures the WebSphere LTPA settings and exports the LTPA keys for use by the IBM Sametime® Community Server. If you have multiple cells in your environment, perform this step once and standardize all of the deployments on that one set of LTPA keys.

Before you begin

Servers using SSO must use the same LDAP directory that the Sametime Community Server uses, because the LTPA token carries the user's identity and every participating server must resolve that identity in the same directory.

All servers participating in single sign-on must be in the same DNS domain, which is the domain you configure as the SSO domain name. For example, servers named servername.renovations.com and meetings.renovations.com share the domain renovations.com; the browser sends the LTPA cookie only to hosts in that domain.

About this task

The Sametime Community Server installation creates a Domino® SSO key. You must replace the Domino SSO key with a WebSphere LTPA key so that the Sametime Community Server running on Domino and the other servers running on WebSphere Application Server share an identical key for token generation and validation. If Sametime servers running on WebSphere Application Server are managed by different Sametime System Consoles, export the LTPA key from one of the servers (the Media Manager SIP Proxy/Registrar, Meeting Server, or Advanced Server) and use that single key set everywhere.
Note: Do not click Generate keys. If you do, you must synchronize the nodes, log out, restart, and log in again before you export, or you risk exporting the old key set. If you generate keys at a later time, you must repeat these steps and export and import the new key set to update every Sametime server.

Procedure

  1. Log in to the WebSphere Integrated Solutions Console on the server hosting the Sametime System Console.
  2. Click Security > Global security > Web and SIP security > Single sign-on (SSO).
  3. Make sure that the Domain name matches the Sametime Server domain.
  4. In the LTPA V2 cookie name field, specify LtpaToken2.
    Note: The cookie name is case-sensitive; a mismatch means the servers silently ignore each other's tokens.
  5. Click OK.
  6. Save the change to the master configuration by clicking the Save link in the Messages box at the top of the page.
  7. Click Security > Global Security.
  8. In the Authentication section, click LTPA.
  9. (Optional) In the LTPA timeout section, set the timeout to a value larger than the default to minimize the chance that an LTPA token expires during an active meeting. A value that covers somewhat more than a typical work day, such as 600 minutes, is recommended; it prevents users from being re-prompted when a meeting runs longer than the timeout. Bear in mind that a longer timeout also extends how long a captured or leaked token stays valid, so do not raise it beyond what your meetings require.
    Note: The value you set in step 9 must be the same value you use in the Sametime Community Server configuration. If you have a multiple-cell environment, use the same value in all cells.
  10. In the "Cross-cell single sign-on" section, enter a password, confirm the password, and specify a file name to store the key. Click Export keys.
    Make a note of the location of the file created. You need to know its location when you import the file to the Sametime Community Server. The exported file is protected only by this password, and whoever holds the keys inside it can mint LTPA tokens that every server trusting them will accept: choose a strong password, restrict the file's permissions to the administrator performing the import, move it over a secure channel, and delete the copies once the import is complete.
  11. Click OK.
  12. Save the change to the master configuration by clicking the Save link in the Messages box at the top of the page.
  13. Navigate to the directory where you exported the LTPA key.
  14. Copy the LTPA key to a location where you can access the file from the Sametime Community Server.
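The same configuration can be applied without the console, which is useful when several cells must be standardized on one key set. The script below is an added example, not IBM's code or part of the Sametime product: a wsadmin Jython script that performs steps 2 through 12 (SSO domain, LTPA timeout, key export, save). It assumes the stock WebSphere AdminTask commands configureSingleSignon, setLTPATimeout and exportLTPAKeys, the AdminConfig.save() call, and that exportLTPAKeys accepts the file path in the "file:/..." form used in IBM's command reference; the domain name, file path, timeout and the LTPA_EXPORT_PASSWORD environment variable are placeholders you replace with your own. It leaves the LTPA V2 cookie name at its console value. Like the note above says, it never calls generateLTPAKeys: it exports the key set already active in the cell.

```python
# Added example, not IBM's code. Run inside wsadmin (Jython) on the server that
# hosts the Sametime System Console:
#   LTPA_EXPORT_PASSWORD='...' wsadmin.sh -lang jython -f export_ltpa.py
# AdminTask / AdminConfig exist only inside wsadmin; outside it the functions
# below can be exercised with RecordingAdmin as a dry run.
# Written for the Jython 2.1 bundled with wsadmin (no True/False, no f-strings).
import os


def validate(domain_name, timeout_minutes, key_file, password):
    """Reject inputs that would silently produce a non-working SSO setup."""
    if not domain_name or domain_name.find('://') != -1 or domain_name.find(' ') != -1:
        raise ValueError('domain_name must be a bare DNS domain such as renovations.com')
    if domain_name.find('.') == -1:
        raise ValueError('domain_name must be the shared domain, not a single host label')
    if type(timeout_minutes) != type(0) or timeout_minutes <= 0:
        raise ValueError('timeout_minutes must be a positive integer (minutes)')
    if not key_file.startswith('file:'):
        raise ValueError('key_file must be a file: URL, e.g. file:/tmp/ltpa.key')
    # AdminTask splits the parameter string on spaces; an unquoted password
    # containing a space would be truncated and the export would fail later.
    if not password or password.find(' ') != -1:
        raise ValueError('password must be non-empty and contain no spaces')


def build_commands(domain_name, timeout_minutes, key_file, password):
    """Ordered (AdminTask command, parameter string) pairs mirroring steps 2-10.

    Note the absence of generateLTPAKeys: the active key set is exported as-is.
    """
    validate(domain_name, timeout_minutes, key_file, password)
    return [
        # Steps 2-5: enable SSO for the shared domain (assumed command name).
        ('configureSingleSignon', '[-enable true -domainName %s]' % domain_name),
        # Step 9: LTPA token lifetime in minutes (assumed command name).
        ('setLTPATimeout', '[-timeout %d]' % timeout_minutes),
        # Step 10: export the active keys, encrypted with the password.
        ('exportLTPAKeys', '[-ltpaKeyFile %s -password %s]' % (key_file, password)),
    ]


def run(admin_task, admin_config, domain_name, timeout_minutes, key_file, password):
    """Execute the commands through the wsadmin objects, then save (steps 6 and 12).

    Returns the names of the operations performed, in order, so a caller can
    confirm that save() happened after the export.
    """
    executed = []
    for name, params in build_commands(domain_name, timeout_minutes, key_file, password):
        getattr(admin_task, name)(params)
        executed.append(name)
    admin_config.save()
    executed.append('save')
    return executed


class RecordingAdmin:
    """Stand-in for AdminTask / AdminConfig that records calls instead of making them."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        # Default arguments bind name/calls without relying on nested scopes,
        # which Jython 2.1 does not enable by default.
        def record(params='[]', name=name, calls=self.calls):
            calls.append((name, params))
        return record


try:
    _task, _config = AdminTask, AdminConfig   # defined only inside wsadmin
except NameError:
    _task = _config = None

if _task is not None:
    # Keep the export password out of the script and the process argument list.
    _password = os.environ.get('LTPA_EXPORT_PASSWORD')
    if not _password:
        raise SystemExit('set LTPA_EXPORT_PASSWORD rather than embedding the password')
    # Placeholders: use your SSO domain, the timeout you also configure on the
    # Community Server, and a path readable only by the exporting administrator.
    print(run(_task, _config, 'renovations.com', 600,
              'file:/tmp/sametime-ltpa.key', _password))
```

After the run, the file named in key_file is what step 14 copies to the Sametime Community Server. Because the parameter string is assembled from plain values, review the generated strings with build_commands() before pointing the script at a production cell; validate() catches the common mistakes (a host name instead of a domain, a timeout of zero, a password that AdminTask would split) but cannot check that the timeout matches what you configure on the Community Server side.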