Sunday 27 July 2014

SSO

Enabling single sign-on (SSO) across the instances of WebSphere Application Server that you plan to link requires two steps to make SSO work:

                a) Enable SSO and export the LTPA keys (on one server).
                b) Enable SSO and import the LTPA keys (on every other server).

     To enable SSO on WebSphere Application Server:
    • Log in to the WebSphere Application Server Administration Console.
    • Navigate to Security > Global security.
    • Expand Web and SIP security.
    • Click Single sign-on (SSO).
    • Under General Properties, specify the following configuration parameters for single sign-on:
      • Enabled: selected by default (if it is not, enable it).
      • Requires SSL: specifies that single sign-on (SSO) is enabled only when requests are made over HTTPS (Secure Sockets Layer, SSL) connections.
      • Interoperability Mode: select this field if it is not selected by default.
      • Web inbound security attribute propagation: selected by default.
    • Click OK and save the changes to the master configuration.
    • Repeat the same steps on each other instance of WebSphere Application Server for which you plan to establish SSO.
Exporting LTPA Keys:

Export the LTPA key from one WebSphere Application Server instance so that it can be imported into the other instances. The LTPA key only needs to be exported from one server.

      To export the LTPA keys:
    • Log in to the WebSphere Application Server Administration Console.
    • Navigate to Security > Global security and click LTPA.
    • In the Cross-cell single sign-on section, specify a password for the LTPA key.
    • In the Fully qualified key file name field, enter the directory and file name to which you want to export the key. For example, on Unix: /opt/IBM/WebSphere/Keys/Cell01_LTPA_Key_Name.
    • Click Export keys.
    • Click OK and save the changes to the master configuration.
    • Navigate to the directory where you exported the LTPA key.
    • Copy the LTPA key to the file system of the server where you plan to import it.
Importing LTPA Keys:

Import the LTPA key into the other WebSphere Application Server instances. The same LTPA key can be imported into multiple servers. Before importing, you must have:
    • Enabled SSO.
    • Exported the LTPA key.
    • Copied the LTPA key from the file system where you exported it to the file system where you plan to import it.
To import the LTPA keys:
    • Log in to the WebSphere Application Server Administration Console.
    • Navigate to Security > Global security and click LTPA.
    • In the Cross-cell single sign-on section, specify the password that was used when the LTPA key was exported.
    • In the Fully qualified key file name field, enter the path on the file system to which you copied the LTPA key.
    • Click Import keys.
    • Click OK and save the changes to the master configuration.
    • Restart both the server from which you exported the LTPA key and the server into which you imported it. Restart the servers only after the LTPA keys have been imported into all the servers for which you plan to establish SSO.
Repeat the import steps on every server that needs SSO, and then restart all the servers.
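The console steps above can be scripted with wsadmin, which is useful when more than a handful of servers have to be linked. The script below is an added example and is not from the original post. It assumes the AdminTask commands configureSingleSignon, exportLTPAKeys and importLTPAKeys and their parameter names as documented for WebSphere 7 and 8 (confirm them with AdminTask.help('exportLTPAKeys') on your version), and that wsadmin places the script's own arguments in sys.argv starting at index 0. The key file path is the one from the post; the password is a placeholder.

```jython
# sso_ltpa.py: run once in "export" mode against the first server, then in
# "import" mode against every other server, then restart all of them.
#   wsadmin.sh -lang jython -f sso_ltpa.py export
#   wsadmin.sh -lang jython -f sso_ltpa.py import
# Assumption: AdminTask/AdminConfig are the globals wsadmin injects; command and
# parameter names as documented for WebSphere 7/8.

import sys

# Path from the post; the import side needs the same path after the file has
# been copied over. CHANGE_ME is a placeholder; the password must match on
# export and import.
KEY_FILE = 'file:/opt/IBM/WebSphere/Keys/Cell01_LTPA_Key_Name'
KEY_PASSWORD = 'CHANGE_ME'

def enable_sso():
    # Security > Global security > Web and SIP security > Single sign-on (SSO):
    # Enabled, Requires SSL, Interoperability mode and Web inbound security
    # attribute propagation all on, matching the console settings in the post.
    AdminTask.configureSingleSignon(
        '[-enable true -requiresSSL true -interoperable true -attributePropagation true]')
    AdminConfig.save()

def export_ltpa_keys():
    # Security > Global security > LTPA > Cross-cell single sign-on > Export keys
    AdminTask.exportLTPAKeys('[-ltpaKeyFile %s -password %s]' % (KEY_FILE, KEY_PASSWORD))
    AdminConfig.save()

def import_ltpa_keys():
    # Same panel, Import keys; the file must already be on this server's file system.
    AdminTask.importLTPAKeys('[-ltpaKeyFile %s -password %s]' % (KEY_FILE, KEY_PASSWORD))
    AdminConfig.save()

def run(mode):
    enable_sso()
    if mode == 'export':
        export_ltpa_keys()
        print 'LTPA keys exported to', KEY_FILE
    elif mode == 'import':
        import_ltpa_keys()
        print 'LTPA keys imported from', KEY_FILE
    else:
        raise ValueError('mode must be "export" or "import", got %r' % mode)
    # No restart here on purpose: the post says to restart every server only
    # after the keys have been imported into all of them.

if len(sys.argv) < 1:
    raise SystemExit('usage: wsadmin.sh -lang jython -f sso_ltpa.py export|import')
run(sys.argv[0])
```

Run the export mode against the deployment manager or server that owns the key, copy the exported file to each remaining server, run the import mode there with the same password, and only then restart the whole set.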

Verification: To verify that the changes were successful, navigate to one of the servers (using its fully qualified host name) and authenticate. Then go to the second server; you should be authenticated automatically without a login prompt.

Note: Using localhost, a short host name, or the IP address in place of the host name is not recommended. Single sign-on requires that the browser pass LTPA cookies to the WebSphere Application Server, and these cookies contain the fully qualified host name.
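The same verification can be done without a browser, which also makes it repeatable after every restart. The script below is an added example, not part of the original post, written in Python 2 / Jython syntax so it runs under the Jython that ships with WebSphere. It assumes that the protected URL on each server accepts HTTP basic authentication (a form login would need a POST instead), that the SSO cookie is named LtpaToken2 or LtpaToken, and that both URLs use fully qualified host names as the note above requires; the function and variable names are the example's own.

```jython
import base64, cookielib, urllib2

class NoRedirect(urllib2.HTTPRedirectHandler):
    # Returning None makes urllib2 raise HTTPError on a 3xx instead of following
    # it, so a redirect to a login page is reported rather than silently followed.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def host_of(url):
    return url.split('//', 1)[1].split('/', 1)[0].split(':', 1)[0]

def is_fqdn(host):
    # Per the note above: localhost, short names and IP addresses will not carry
    # the LTPA cookie, because the cookie domain is the fully qualified name.
    if host == 'localhost' or host.replace('.', '').isdigit():
        return False
    return '.' in host

def verify_sso(server_a_url, server_b_url, user, password):
    """Return (ok, message). ok is true only if a login on server A lets the
    same cookie jar reach server B's protected URL with no credentials at all."""
    for url in (server_a_url, server_b_url):
        if not is_fqdn(host_of(url)):
            return False, 'use a fully qualified host name, not %s' % host_of(url)
    jar = cookielib.CookieJar()
    opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(jar), NoRedirect())

    # Step 1: authenticate on server A (assumption: basic auth is accepted).
    req = urllib2.Request(server_a_url)
    req.add_header('Authorization', 'Basic ' + base64.b64encode('%s:%s' % (user, password)))
    try:
        opener.open(req).read()
    except urllib2.HTTPError as e:
        return False, 'login on server A failed with HTTP %d' % e.code

    tokens = [c for c in jar if c.name in ('LtpaToken', 'LtpaToken2')]
    if not tokens:
        return False, 'server A issued no LTPA cookie; is SSO enabled there?'
    for c in tokens:
        # With Requires SSL on, the cookie must never be exposed over plain HTTP.
        if server_a_url.startswith('https://') and not c.secure:
            return False, 'LTPA cookie lacks the Secure flag; check Requires SSL'

    # Step 2: request server B with only the cookie jar, no Authorization header.
    try:
        resp = opener.open(urllib2.Request(server_b_url))
    except urllib2.HTTPError as e:
        if 300 <= e.code < 400:
            return False, 'server B redirected to %s: LTPA token not accepted' % e.headers.get('Location')
        return False, 'server B answered HTTP %d instead of serving the page' % e.code
    return resp.getcode() == 200, 'server B served the page using only the LTPA cookie'

if __name__ == '__main__':
    import sys
    if len(sys.argv) != 5:
        raise SystemExit('usage: verify_sso.py https://a.example.com/app https://b.example.com/app user password')
    ok, msg = verify_sso(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])
    print msg
    sys.exit(0 if ok else 1)
```

A redirect or 401 from server B with a valid cookie from server A almost always means the LTPA keys differ (the import was skipped or the servers were not restarted) or that the two hosts do not share a cookie domain, so the browser, like this cookie jar, never sends the token to the second server.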
