Single Signon across multiple sub-domains in Tomcat
The CLM documentation clearly states that single sign-on across multiple servers is not supported in Tomcat:
http://pic.dhe.ibm.com/infocenter/clmhelp/v4r0/topic/com.ibm.jazz.install.doc/topics/t_deploy_single_sign-on.html?resultof=%22%73%69%6e%67%6c%65%22%20%22%73%69%6e%67%6c%22%20%22%73%69%67%6e%22%20

However, for those who have a common domain/sub-domains, I got it working. I have only tested this on a single server -- would this configuration work on multiple servers?

Edit your Tomcat server.xml. On the line that states:

<Valve className="org.apache.catalina.authenticator.SingleSignOn" />

Modify it to add a cookieDomain parameter. The JTS must be on a higher common domain than the rest of the applications. If your subdomains are:

JTS = jazz.example.com
RTC = rtc.jazz.example.com
RQM = rqm.jazz.example.com
RRC = rrc.jazz.example.com

Then your line should look like the following:

<Valve className="org.apache.catalina.authenticator.SingleSignOn" cookieDomain="jazz.example.com" />

You would need to register the applications using these domains in jts/setup. For more information on SingleSignOn in Tomcat, see: http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Single_Sign_On_Valve
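As an added check (not code from the post, from Jazz, or from Tomcat), the script below shows what the cookieDomain setting actually does to the SSO cookie: it parses a constructed Set-Cookie header of the kind the SingleSignOn valve emits and applies RFC 6265 domain matching to the hosts listed above, so you can see which hosts will receive the JSESSIONIDSSO cookie before you touch server.xml. The host names, the cookie value and the extra inventory entries are assumptions. Two things it makes visible: any host under the cookie domain receives the cookie, Jazz application or not, so the domain should be no wider than the applications need; and a match only means the browser presents the cookie, not that the receiving Tomcat recognises it, since each Tomcat's valve keeps its own SSO cache, which is the limitation one of the answers below describes.

```python
"""Check how a Tomcat SingleSignOn cookieDomain scopes the JSESSIONIDSSO cookie.

Added example, not from the forum post or from Tomcat. It parses a Set-Cookie
header as the SingleSignOn valve would send it and applies RFC 6265 domain
matching to each application host, so you can see which hosts will receive
the SSO cookie before you change server.xml.
"""
import ipaddress
from http.cookies import SimpleCookie

# Deployment from the post: JTS on the common parent domain, apps below it.
APP_HOSTS = {
    "JTS": "jazz.example.com",
    "RTC": "rtc.jazz.example.com",
    "RQM": "rqm.jazz.example.com",
    "RRC": "rrc.jazz.example.com",
}

# Constructed header: JSESSIONIDSSO is the cookie name Tomcat's SingleSignOn
# valve uses; the value is invented and Domain reflects cookieDomain.
SSO_SET_COOKIE = (
    "JSESSIONIDSSO=0123456789ABCDEF0123456789ABCDEF; "
    "Domain=jazz.example.com; Path=/; HttpOnly"
)


def parse_sso_cookie(set_cookie_header):
    """Return (domain, path) of the JSESSIONIDSSO cookie, or raise ValueError."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar.get("JSESSIONIDSSO")
    if morsel is None:
        raise ValueError("no JSESSIONIDSSO cookie in header")
    # Browsers ignore a leading dot and compare domains case-insensitively.
    domain = morsel["domain"].lower().lstrip(".")
    return domain, morsel["path"] or "/"


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match: the host equals the cookie domain
    or is a subdomain of it, and is not an IP literal."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".")
    if not cookie_domain:
        return False
    if host == cookie_domain:
        return True
    return host.endswith("." + cookie_domain) and not _is_ip(host)


def check_sso_scope(set_cookie_header, app_hosts):
    """Map each app name to whether the browser will send the SSO cookie to it."""
    domain, _path = parse_sso_cookie(set_cookie_header)
    return {app: domain_matches(host, domain) for app, host in app_hosts.items()}


def hosts_receiving_cookie(set_cookie_header, inventory):
    """Every host in an inventory (Jazz app or not) that receives the SSO cookie.
    Anything listed here that is not a Jazz application also sees the session
    cookie, so keep cookieDomain as narrow as the applications allow."""
    domain, _path = parse_sso_cookie(set_cookie_header)
    return sorted(h for h in inventory if domain_matches(h, domain))


if __name__ == "__main__":
    print(check_sso_scope(SSO_SET_COOKIE, APP_HOSTS))
    # Constructed inventory with a non-Jazz host under the same parent domain.
    inventory = list(APP_HOSTS.values()) + ["wiki.jazz.example.com", "www.example.com"]
    print(hosts_receiving_cookie(SSO_SET_COOKIE, inventory))
```

Run it against the real Set-Cookie header you capture from the JTS login response (e.g. from your browser's developer tools) in place of the constructed one; a host that shows False here will never get the SSO cookie, and a non-Jazz host that shows up in the inventory result is receiving a session cookie it has no business seeing.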
4 answers
Hey Ben, I don't think it will work. The Tomcat single sign on solution is very simple, it just uses cookies to establish a session which is then recognized across all the web apps on a single virtual host. As far as I know, there's no mechanism in Tomcat to make this work across hosts, which would require some sort of shared keys or session synchronization. The simplest true SSO solution I know of is WebSphere's LTPA.
Thanks, Scott
Scott, it can work, but you have to put the JTS on a domain higher than everything else in order to make it work. I'll edit my instructions above. I'm pretty sure it would work in a multiple server configuration, so long as the servers are all in the same domain.
LTPA is clearly a better method, though...
If you want to see a working example, send me an email and I'll show you. I found out JTS had to be on a higher common domain by chance... but it works very well.
Hello Benjamin,
I tried your solution in an environment with multiple servers (one per application). In front of these servers we have an Apache reverse proxy that redirects all our requests. This means that we access the Jazz applications through these URLs: http://name.domain.com/jts or http://name.domain.com/ccm or http://name.domain.com/jazz, or ..... I added this line in each server.xml:

<Valve className="org.apache.catalina.authenticator.SingleSignOn" cookieDomain="name.domain.com" />

But it doesn't seem to work. Have you had any experience with your proposal since this post? Thanks for your help.