
How to setup LTPA SSO with Liberty Profile for CLM


1 vote



2 answers

Is this valid for Federated User Registry configuration?


0 votes



To set up SSO for CLM using LTPA with Liberty profile, the following conditions need to be satisfied:

1) All servers need to share the same user directory.
If you are using the Liberty basic user registry, the users should be propagated to each of the servers once you register them with JTS and finish the setup. If the users are not propagated, you can copy the basicUserRegistry.xml (<install directory>\server\liberty\servers\clm\conf) to the target server.
If you are using LDAP, then you need to make sure all servers have the same LDAP configurations. (<install directory>\server\liberty\servers\clm\conf\ldapUserRegistry.xml and <install directory>\server\liberty\servers\clm\conf\application.xml)

2) All servers need to share the same ltpa.key file.
By default there is an ltpa.key generated on each of the servers. You can take the JTS server's ltpa.key to replace the keys on the other servers. The key is located in the following folder:
<install directory>\server\liberty\servers\clm\resources\security\ltpa.keys
If not specified in the Liberty server.xml, Liberty will look for the default file path and name (the path and name above) and use the default password. If you have generated your own LTPA key and password, you can follow the instruction below to specify it in the server.xml (needs to be applied on all Liberty servers that you want to set up SSO for).

Here is some additional information regarding generating new LTPA keys in WAS liberty:

3) All servers need to share the same domain and cookie name.
In the <install directory>\server\liberty\servers\clm\server.xml, the ssoDomainNames and ssoCookieName need to be consistent across all of the Liberty servers. While the ssoCookieName is not required (default value is ltpaToken2), if you run into any issues it may help to specify the cookie name to ensure they are all the same.
Example: <webAppSecurity ssoCookieName="myCookieName" ssoDomainNames="domain.com"/>
For more information see the following documentation.

NOTE: For applications such as RS and DCC where they delegate the authentication to the JTS server, the above still needs to be configured. Otherwise the SSO will not work properly for those applications if they are on different servers.

4 votes
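The LTPA key and cookie/domain conditions from the answer above can be checked mechanically before troubleshooting a failed SSO. This is an added example, not part of the original post or of IBM's tooling; it assumes each server's `clm` directory is readable at a local path, and the function names and sample data are constructed for illustration.

```python
import hashlib
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

DEFAULT_COOKIE = "ltpaToken2"                     # default named in the answer
KEYS_REL = Path("resources/security/ltpa.keys")   # default location from the answer

def sso_fingerprint(server_dir):
    """SSO settings of one server (server.xml only; <include> files are not followed)."""
    root = ET.parse(Path(server_dir) / "server.xml").getroot()
    elem = next(root.iter("webAppSecurity"), None)
    attrs = elem.attrib if elem is not None else {}
    keys = Path(server_dir) / KEYS_REL
    # Compare a digest so the key material itself never has to be displayed or logged.
    digest = hashlib.sha256(keys.read_bytes()).hexdigest() if keys.is_file() else None
    return {
        "ssoCookieName": attrs.get("ssoCookieName", DEFAULT_COOKIE),
        "ssoDomainNames": attrs.get("ssoDomainNames", "").strip().lower(),
        "ltpa_keys_sha256": digest,
    }

def compare_servers(server_dirs):
    """Return {setting: {server: value}} for each setting that is not identical."""
    prints = {str(d): sso_fingerprint(d) for d in server_dirs}
    mismatches = {}
    for setting in ("ssoCookieName", "ssoDomainNames", "ltpa_keys_sha256"):
        values = {name: fp[setting] for name, fp in prints.items()}
        if len(set(values.values())) > 1 or None in values.values():
            mismatches[setting] = values
    return mismatches

def build_sample(base, name, security_xml, key_bytes):
    """Write a constructed server directory (sample data, not real CLM config)."""
    server = Path(base) / name
    (server / KEYS_REL.parent).mkdir(parents=True)
    (server / "server.xml").write_text(f"<server>{security_xml}</server>")
    (server / KEYS_REL).write_bytes(key_bytes)
    return server

def demo():
    with tempfile.TemporaryDirectory() as base:
        jts = build_sample(base, "jts", '<webAppSecurity ssoDomainNames="domain.com"/>', b"constructed-key-A")
        ccm = build_sample(base, "ccm", '<webAppSecurity ssoCookieName="myCookieName" '
                           'ssoDomainNames="domain.com"/>', b"constructed-key-B")
        return compare_servers([jts, ccm])

if __name__ == "__main__":
    print(demo())
```

In the constructed sample the two servers agree on the domain but differ on the cookie name (one relies on the default) and on the key file, so both are reported.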


Question asked: Jul 11 '16, 5:30 p.m.

Question was seen: 7,681 times

Last updated: Jan 17 '22, 2:38 a.m.
