Tip: Single Sign-on using WebSphere Application Server

Last Updated: February 8, 2010
Author: Jason Wagner


This article explains how to set up Single sign-on using WebSphere Application Server. This allows users to share authentication tokens across multiple Jazz-based products installed on different servers within the same domain.

More Information

Prerequisite: This article assumes that you have two or more Jazz-based products installed, each on a separate instance of WebSphere Application Server.

  1. First, make sure each instance of WAS is using the same user registry (ideally LDAP). The user registry settings should be identical on all servers.
  2. From the WAS Integration Solutions Console:
    • Open the Global Security section from the Security menu in the left sidebar.
    • In the Authentication section, select the LTPA option.
    • Expand ‘Web and SIP Security’ and click on Single sign-on (SSO).
      [Screenshot: Single sign-on section]
      – Enter the domain name. This is the domain containing the participating servers (e.g. raleigh.ibm.com or yourcompany.org).
      – Check “Requires SSL”.
      – Click OK then Save.
      [Screenshot: Single sign-on settings]
    • On the Global Security page, click on LTPA.
      [Screenshot: LTPA section]
      – Create a password and confirm it.
      – Enter a name for the LTPA keys.
      – Click Export Keys to export them to the filesystem.
      – Click OK then Save.
      [Screenshot: Export LTPA keys]
  3. Next, move these keys over to the other server(s) participating in Single sign-on.
    • Find the exported keys (from the above server) in: /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/.
    • Upload the key file to each of the other servers you want in the SSO group. The file needs to be placed in the same directory as above on each of the other servers.
  4. Next, set up each of the other servers to use SSO, completing the same steps as above, except IMPORT the keys from the file above instead of exporting them.
    [Screenshot: Import LTPA keys]
  5. Restart each WebSphere Application Server after making all of the changes.
  6. To verify that the changes were successful, navigate to one of the servers (using the fully qualified host name) and authenticate. Now, try going to the second server and you should be authenticated automatically without a login prompt.
Note: Using localhost, a short host name, or the IP address in place of the host name is not recommended. Single sign-on requires that the browser pass LTPA cookies to the WebSphere Application Server, and these cookies contain the fully qualified host name.
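A small check for step 6 and the note above, added here as an example and not part of the original article: it parses the Set-Cookie headers returned by the first server after login and confirms that the LTPA cookie is scoped to the SSO domain entered in step 2 and carries the Secure flag expected when "Requires SSL" is checked, and it shows why localhost, a short host name or an IP address will not receive the cookie. The cookie name LtpaToken2 (LtpaToken for the older format) is the name WebSphere uses for the token; the domain example.org, the host names and the cookie values are constructed samples.

```python
"""Verify that the LTPA cookie issued after login matches the WebSphere SSO settings.

Added example, not code from the original article. Assumes the LTPA cookie is
named LtpaToken2 (or LtpaToken for the older token format). All header values
and host names used in the usage section are constructed samples.
"""
import ipaddress
from http.cookies import SimpleCookie

# Cookie names WebSphere uses for the LTPA token (assumption: v2 first, v1 fallback).
LTPA_COOKIE_NAMES = ("LtpaToken2", "LtpaToken")


def host_in_sso_domain(host: str, sso_domain: str) -> bool:
    """Return True if the host name typed into the browser lies inside the SSO domain.

    A domain-scoped cookie is only sent back to hosts under that domain, so
    localhost, a short host name or a raw IP address never qualify.
    """
    host = host.lower().rstrip(".")
    domain = sso_domain.lower().lstrip(".")
    try:
        ipaddress.ip_address(host)
        return False  # raw IP address: the browser will not attach the domain cookie
    except ValueError:
        pass
    return host == domain or host.endswith("." + domain)


def check_ltpa_cookie(set_cookie_headers, sso_domain: str, requires_ssl: bool = True):
    """Parse Set-Cookie header values and return a list of findings (empty list = OK)."""
    findings = []
    jar = SimpleCookie()
    for header in set_cookie_headers:
        jar.load(header)  # one Set-Cookie header value per call

    ltpa = next((jar[name] for name in LTPA_COOKIE_NAMES if name in jar), None)
    if ltpa is None:
        return ["no LTPA cookie issued; check that LTPA is selected and SSO is enabled"]

    # Step 2 sets the SSO domain; the cookie's Domain attribute must match it.
    cookie_domain = ltpa["domain"].lower().lstrip(".")
    if cookie_domain != sso_domain.lower().lstrip("."):
        findings.append(
            f"cookie Domain {ltpa['domain']!r} does not match SSO domain {sso_domain!r}"
        )
    # "Requires SSL" means the token should only ever travel over HTTPS.
    if requires_ssl and not ltpa["secure"]:
        findings.append("cookie lacks the Secure flag although 'Requires SSL' is set")
    # Keeping the token out of reach of page scripts limits what a script injection can steal.
    if not ltpa["httponly"]:
        findings.append("cookie lacks the HttpOnly flag")
    return findings


if __name__ == "__main__":
    # Constructed sample of the headers a first server might return after login.
    sample_headers = [
        "LtpaToken2=AAECAwQFBgcICQ==; Domain=.example.org; Path=/; Secure; HttpOnly",
        "JSESSIONID=0000abcdef; Path=/",
    ]
    for finding in check_ltpa_cookie(sample_headers, "example.org") or ["LTPA cookie OK"]:
        print(finding)
    for host in ("ccm.example.org", "localhost", "ccm", "192.0.2.10"):
        print(host, "->", "in SSO domain" if host_in_sso_domain(host, "example.org") else "outside SSO domain")
```

To use it against a real deployment, log in to the first server over HTTPS using its fully qualified host name, copy the Set-Cookie header values from the response, and pass them to check_ltpa_cookie together with the domain entered in step 2. A mismatched Domain or a missing Secure flag explains most cases where the second server still prompts for a login.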
