Jazz Community Forum

SSO with WAS Liberty for CLM Not Working

 Hi - I am trying to configure multiple WAS liberty profiles to use SSO with ltpa keys.  Here is my environment - CLM version = 6.0.6.1, IHS = 8.5, LDAP = Apache DS 2.0.  Note:  Everything related to LDAP works prior to enabling SSO.  


SSO is being enabled based on the following directions: https://jazz.net/wiki/bin/view/Deployment/ConfigureSSOforLibertyProfile

Based on our understanding, the only files needed to be changed in support of going to SSO are the ltpa.keys file and the server.xml file.  Here are copies of both:

#lpta.keys Tue Jan 14 13:09:41 EST 2020
com.ibm.websphere.CreationDate=Tue Jan 14 13\:09\:41 EST 2020
com.ibm.websphere.ltpa.version=1.0
com.ibm.websphere.ltpa.3DESKey=8Y3E9gRwxSEZPQsqoCax64rMiIZ3FFwK3/cGjIn+mR4\=
com.ibm.websphere.CreationHost=localhost
com.ibm.websphere.ltpa.PrivateKey=/IAAt3KmlUF6xvpRBCrBqwF5taLi7h1JIqmWb5UzESUvPPQ3CbwmJDoA9GC07TZzsya9qbbTY/3If5gFyeO9cvtUdRoInOXL1IWytYuTuXzWptRArb0Fif5BzKR/JO3nzjUuVAlTG86v0A8I+io+OS1iVcGpdL1IRnrLXbIYs+/+DsPyQOOofRwT8OuO8bisVeC98sdRAFpxBkWZHMjWm+5xRP5sWsXn+EMUgYQlecdB4V7tRdUNFI7dbxXWHZRKBgbquenHMg18nTixloqY6561O0yButNMPxqV2NIkcge6Z6smSoQgqODP4cWsMDWGK7526T0gzW4TSGrGDTJZXQNsfeDjBMuUXVoU8DL4xts\=
com.ibm.websphere.ltpa.Realm=dsserver.domain.com:10389
com.ibm.websphere.ltpa.PublicKey=ALlOotBUOPN/N14vTE8+7aAaSJV7cIQLvPnApKiS+0cvv41R7l3vSGExcvAgoikso/vcnqjJSdmB3xLxbV5lMovTXnW0bj54Kn2PmZNoeBG+HY1zvQHeXiZPKTaWBl0sNKLxbeeR0UAvfJb/jFvc0AOy0xxJujWfRD4MqCSVGr2zAQAB

<server description="CLM server">
    <!--
        Licensed Materials - Property of IBM
        (c) Copyright IBM Corporation 2015, 2017. All Rights Reserved.

        Note to U.S. Government Users Restricted Rights:
        Use, duplication or disclosure restricted by GSA ADP Schedule
        Contract with IBM Corp.
     -->

    <!-- Enable features -->
    <featureManager>
        <feature>monitor-1.0</feature>
        <feature>jsp-2.2</feature>
        <feature>servlet-3.0</feature>
        <feature>ssl-1.0</feature>
        <feature>appSecurity-2.0</feature>
        <feature>adminCenter-1.0</feature>
    </featureManager>
    <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="SSL" enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"/>
    <keyStore id="defaultKeyStore" location="ibm-team-ssl.keystore" type="JCEKS" password="{xor}Nj0ycis6PjI="/>

    <httpEndpoint id="defaultHttpEndpoint"
                  host=""
                  httpPort="9080"
                  httpsPort="9443" />

    <httpSession invalidateOnUnauthorizedSessionRequestException="true" cookieSecure="true"/>

    <!-- <include location="conf/basicUserRegistry.xml"/> -->
    <include location="conf/ldapUserRegistry.xml"/>

    <include location="conf/application.xml"/>

    <webAppSecurity ssoRequiresSSL="true"/>
    <webAppSecurity singleSignonEnabled="true"/>
    <webAppSecurity ssoDomainNames="domain.com" />
    <ltpa keysFileName="resources/security/ltpa.keys" keysPassword="WebAS" expiration="120"/>

    <!-- The deferServletLoad attribute value can be changed to "false" to force all applications
         to load on startup, instead of when they are first accessed -->
    <webContainer deferServletLoad="false"/>

    <executor coreThreads="100"/>

    <!-- Edit the following, after setting up the user registry,
         to define the user(s) and/or group(s) that can perform Liberty server administration
         (e.g. access the Admin Center) -->
    <administrator-role>
        <user>ADMIN</user>
        <group>JazzAdmins</group>
    </administrator-role>

    <remoteFileAccess>
        <writeDir>${server.config.dir}</writeDir>
    </remoteFileAccess>

    <!-- do not allow dropped-in applications, and reduce frequency of config file change polling -->
    <applicationMonitor dropinsEnabled="false" pollingRate="10s" updateTrigger="mbean"/>
    <config onError="WARN" monitorInterval="1s" updateTrigger="polled"/>

    <!--  suppress messages about references to missing third party jars that are not used -->
    <logging hideMessage="SRVE9967W"/>
</server>

Any help is greatly appreciated.

Thank you.

0 votes



One answer

Did you ever solve this?

I notice you are using ssoDomainNames="domain.com" in your server.xml file. I would recommend leaving that out and putting in ssoUseDomainFromURL="true".


After multiple days spent fiddling, I discovered that Traditional WebSphere is case-insensitive for the SSO Domain name property. But Liberty appears to be case sensitive (in my case, all lower case). 

If you are like me and have some Traditional WAS servers in the mix, then you must change the SSO Domain in the TWAS admin console to be all lower case, and then you can use ssoUseDomainFromURL="true" for all of the Liberty servers.

0 votes
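The two things this thread turns on are that every Liberty profile must share the same ltpa.keys material, and that the SSO cookie domain in server.xml must match the request host exactly (the answer above reports Liberty treating ssoDomainNames case-sensitively, unlike traditional WAS). The script below is an added example, written for this page and not code from the thread, from IBM, or from any Jazz tooling. It parses ltpa.keys files in Java-properties form and server.xml files, merges repeated <webAppSecurity> elements the way Liberty merges singleton configuration elements (later attributes win), and reports the conditions the question and the answer describe. The property names and attribute names are the ones visible in the posted files; the key values, hostnames and profile names are constructed placeholders, and the "domains are compared case-sensitively" rule is taken from the answer rather than from IBM documentation.

```python
"""Consistency checks for LTPA SSO across several Liberty profiles.

Added example for this thread. The ltpa.keys property names and the
<webAppSecurity>/<ltpa> attributes are those shown in the posted files;
all key material, hosts and profile names below are constructed.
"""
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Properties that must be identical on every profile for a token minted by
# one server to be accepted by another.
KEY_PROPS = (
    "com.ibm.websphere.ltpa.3DESKey",
    "com.ibm.websphere.ltpa.PrivateKey",
    "com.ibm.websphere.ltpa.PublicKey",
    "com.ibm.websphere.ltpa.Realm",
)


def parse_ltpa_keys(text):
    """Parse a Java-properties style ltpa.keys file into a dict.

    Only the escapes that occur in these files ('\\:' and '\\=') are undone."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().replace("\\:", ":").replace("\\=", "=")
    return props


def ltpa_fingerprint(props):
    """SHA-256 over the key properties so profiles can be compared without
    ever printing the secret values themselves."""
    h = hashlib.sha256()
    for name in KEY_PROPS:
        h.update(f"{name}={props.get(name, '')}\n".encode())
    return h.hexdigest()


def merged_web_app_security(server_xml):
    """Liberty merges repeated singleton elements such as <webAppSecurity>;
    reproduce that by folding all of their attributes into one dict."""
    merged = {}
    for el in ET.fromstring(server_xml).iter("webAppSecurity"):
        merged.update(el.attrib)
    return merged


def check_sso(server_xml, public_url):
    """Return a list of findings for one profile's SSO settings."""
    findings = []
    was = merged_web_app_security(server_xml)
    host = (urlsplit(public_url).hostname or "").lower()
    if was.get("ssoRequiresSSL", "false").lower() != "true":
        findings.append("ssoRequiresSSL is not true: the LTPA cookie may be sent over plain HTTP")
    # ssoDomainNames is a '|'-separated list in Liberty.
    domains = [d.strip() for d in was.get("ssoDomainNames", "").split("|") if d.strip()]
    for d in domains:
        if d != d.lower():
            # Per the answer in this thread: Liberty compares the domain case-sensitively.
            findings.append(f"ssoDomainNames entry {d!r} is not lower case")
        if not host.endswith(d.lower()):
            findings.append(f"ssoDomainNames entry {d!r} does not match request host {host!r}")
    if not domains and was.get("ssoUseDomainFromURL", "false").lower() != "true":
        findings.append("no ssoDomainNames and ssoUseDomainFromURL is not true: cookie is host-scoped only")
    return findings


def compare_profiles(profiles):
    """profiles: {name: (ltpa_keys_text, server_xml_text, public_url)}.
    Returns {name: [findings]} including a cross-profile key-material check."""
    fingerprints = {n: ltpa_fingerprint(parse_ltpa_keys(k)) for n, (k, _, _) in profiles.items()}
    keys_differ = len(set(fingerprints.values())) > 1
    report = {}
    for name, (_, xml, url) in profiles.items():
        report[name] = check_sso(xml, url)
        if keys_differ:
            report[name].append("ltpa.keys differs from the other profiles: tokens will not validate across servers")
    return report


# ---- constructed sample inputs (placeholder keys, not real material) ----
KEYS_A = """#ltpa.keys (constructed sample)
com.ibm.websphere.CreationDate=Tue Jan 14 13\\:09\\:41 EST 2020
com.ibm.websphere.ltpa.version=1.0
com.ibm.websphere.ltpa.3DESKey=PLACEHOLDER3DESKEY\\=
com.ibm.websphere.CreationHost=localhost
com.ibm.websphere.ltpa.PrivateKey=PLACEHOLDERPRIVATEKEY\\=
com.ibm.websphere.ltpa.Realm=ldap.example.com:10389
com.ibm.websphere.ltpa.PublicKey=PLACEHOLDERPUBLICKEY
"""
KEYS_B = KEYS_A.replace("PLACEHOLDER3DESKEY", "STALE3DESKEY")  # not copied from the first profile

# Three separate <webAppSecurity> elements, as in the posted server.xml, with a mixed-case domain.
SERVER_XML_CCM = """<server description="ccm (constructed)">
    <webAppSecurity ssoRequiresSSL="true"/>
    <webAppSecurity singleSignonEnabled="true"/>
    <webAppSecurity ssoDomainNames="Example.com"/>
    <ltpa keysFileName="resources/security/ltpa.keys" expiration="120"/>
</server>"""
# The shape the answer recommends: domain taken from the request URL.
SERVER_XML_JTS = """<server description="jts (constructed)">
    <webAppSecurity ssoRequiresSSL="true" singleSignonEnabled="true" ssoUseDomainFromURL="true"/>
    <ltpa keysFileName="resources/security/ltpa.keys" expiration="120"/>
</server>"""

SAMPLE_PROFILES = {
    "jts": (KEYS_A, SERVER_XML_JTS, "https://jts.example.com:9443/jts"),
    "ccm": (KEYS_B, SERVER_XML_CCM, "https://ccm.example.com:9443/ccm"),
}

if __name__ == "__main__":
    for name, findings in compare_profiles(SAMPLE_PROFILES).items():
        print(name, findings or "OK")
```

Run against real profiles by reading each server's ltpa.keys and server.xml into the tuple; the fingerprint lets you confirm the keys were copied identically without pasting private key material into a ticket, which is also why the sample above uses placeholders rather than the values posted in the question.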

Question asked: Jan 14 '20, 3:50 p.m.
Last updated: Jun 16 '21, 5:53 p.m.