If you will use IBM® Sametime® with IBM WebSphere® Portal, you can enable single sign-on by importing the WebSphere Portal LTPA token into the IBM Domino® server used by Sametime, and then configuring the WebSphere-based servers from both deployments to use the same realm.
About this task
For more information on integrating Sametime with WebSphere Portal, see the Sametime 9.0.1 Integration Guide in the Sametime wiki.
Procedure
1. Retrieve the realm name used in WebSphere Portal:
   - On the server hosting WebSphere Portal, log into the Integrated Solutions Console as the WebSphere administrator.
   - In the navigator, click .
   - In the "User account repository" section, select the federated repository and then click the Configure button.
   - Write down the name shown in the Realm name field; you will need it in step 4 of this task.
   - Click Cancel to ensure you do not make any accidental changes.
   - Leave the Integrated Solutions Console open for the next step.
2. Export the LTPA keys used by WebSphere Portal:
   - In the Integrated Solutions Console navigator, click .
   - In the "Authentication" section, click .
   - In the "Additional properties" section, click Single signon (SSO).
   - Make sure Web inbound security attribute propagation is not selected (if you must change it now, click Apply to save the change).
   - Click the LTPA link to return to the Configuration page.
   - Type a password in the Password field and note it down for use in step 3.
   - Type a name, path, and file name in the Key File Name field.
   - Click the Export Keys button.
   - If you changed any settings (for example, in substep 2e), save the changes to the master configuration by clicking the Save link in the "Messages" box at the beginning of the page.
   - Log out of the Integrated Solutions Console.
   - Copy the exported file to a location that is accessible to the Domino servers hosting the Sametime Community Servers.
3. Import the LTPA token into Domino on every Sametime Community Server:
   - On the Sametime Community Server, open the Domino server's names.nsf file.
   - Click .
   - Open the Web SSO Configuration for LtpaToken document.
   - Click Edit SSO Configuration.
   - Click .
   - Type the exact path and file name of the key file you exported from WebSphere Portal in step 2.
   - Type the password you created with the key file when you exported it from WebSphere Portal in step 2.
   - Click OK to import the LTPA token from the key file into Domino. The message "Successfully imported WebSphere LTPA keys" appears after the key has been imported.
   - Important: Make sure the realm name matches the realm used by WebSphere Portal. A Portal realm is often displayed as ldaphost:389, which must be changed to ldaphost/:389 in Domino before you save the SSO configuration.
   - Click Save to update the SSO configuration for this Domino server.
   - Repeat this process on every Sametime Community Server.
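Before the key file exported in step 2 is imported on each Community Server in step 3, it is worth confirming that the file arrived intact and that its realm entry is the one you wrote down in step 1. The following check is an added example, not part of the IBM procedure; it assumes the standard layout of an exported WebSphere LTPA key file (Java-properties entries such as com.ibm.websphere.ltpa.Realm and com.ibm.websphere.ltpa.3DESKey) and the Domino realm escaping described in step 3. The key blobs stay encrypted under the export password and are never decoded.

```python
import re
# Properties every exported WebSphere LTPA key file carries (assumption: the standard
# export layout; key blobs stay encrypted under the export password, never decoded here).
REQUIRED_KEYS = (
    "com.ibm.websphere.ltpa.Realm",
    "com.ibm.websphere.ltpa.3DESKey",
    "com.ibm.websphere.ltpa.PrivateKey",
    "com.ibm.websphere.ltpa.PublicKey",
)

def parse_ltpa_keyfile(text):
    """Parse the Java-properties export into a dict, undoing '\\:' and '\\=' escapes."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = re.sub(r"\\(.)", r"\1", value.strip())
    return props

def domino_realm(portal_realm):
    """Portal displays 'ldaphost:389'; Domino wants the colon written as '/:' (step 3)."""
    return portal_realm.replace(":", "/:")

def check_keyfile(text, expected_realm):
    """Return a list of problems; an empty list means the file is ready to import."""
    props = parse_ltpa_keyfile(text)
    problems = [f"missing {k}" for k in REQUIRED_KEYS if not props.get(k)]
    realm = props.get("com.ibm.websphere.ltpa.Realm", "")
    if realm != expected_realm:
        problems.append(f"realm {realm!r} does not match Portal realm {expected_realm!r}")
    # Encrypted blobs are base64; anything else means a truncated or hand-edited file.
    for k in REQUIRED_KEYS[1:]:
        v = props.get(k, "")
        if v and not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", v):
            problems.append(f"{k} is not base64")
    return problems

# Constructed sample export: the layout is real, the blobs are placeholders.
SAMPLE = r"""#IBM WebSphere Application Server key file
com.ibm.websphere.CreationDate=Mon Mar 02 10\:00\:00 EST 2015
com.ibm.websphere.ltpa.3DESKey=UExBQ0VIT0xERVJfM0RFU19LRVk\=
com.ibm.websphere.ltpa.PrivateKey=UExBQ0VIT0xERVJfUFJJVkFURV9LRVk\=
com.ibm.websphere.ltpa.PublicKey=UExBQ0VIT0xERVJfUFVCTElDX0tFWQ\=\=
com.ibm.websphere.ltpa.Realm=ldaphost\:389
"""
```

Run check_keyfile(open(path).read(), realm_from_step_1) on the copied file; an empty list means the realm and key entries are present, and domino_realm() gives the spelling to enter in the Domino SSO document.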
4. Configure all WebSphere-based Sametime servers to use the same LTPA realm as WebSphere Portal:
   - On the Sametime cell's (or cluster's) deployment manager, log into the WebSphere Application Server Integrated Solutions Console as the WebSphere administrator. In Sametime, the System Console typically serves as the deployment manager for cells and clusters.
   - In the navigator, click .
   - In the "User account repository" section, select the federated repository and then click the Configure button.
   - In the Realm name field, delete the existing name and type the realm name used in WebSphere Portal, matching it exactly (including spelling and capitalization). This is the realm name that you wrote down in step 1.
   - Click OK.
   - Save the changes to the master configuration by clicking the Save link in the "Messages" box at the beginning of the page.
   - In the navigator, click .
   - Select all administrators (click the check box that precedes each user name) and reassign all roles to those users. Important: After you change the realm definition, you must map the wsadmin account to the required security and administrative roles for use within the new realm.
   - Save the changes to the master configuration by clicking the Save link in the "Messages" box at the beginning of the page.
   - Restart the deployment manager.
   - If you deployed multiple cells or clusters, repeat this process on every deployment manager. For example, you must update the deployment manager associated with each type of Sametime server, whether it is deployed as a single-server cell or as a cluster.
5. After all of the Sametime cells and clusters have been updated to use the WebSphere Portal realm, manually synchronize the nodes within each cell or cluster:
   - On a node, stop the node agent and all application servers.
   - Open a command prompt and navigate to the following directory: websphere/appserver/profiles/Profile_Name/bin.
   - Run the following command:
     - IBM AIX®, Linux™: syncNode.sh dMgr_Host_Name.company.com SOAP_port
     - Microsoft™ Windows™: syncNode.bat dMgr_Host_Name.company.com SOAP_port
     where:
     - dMgr_Host_Name.company.com is the fully qualified host name of the cell or cluster's deployment manager.
     - SOAP_port is the deployment manager's SOAP port; typically 8703.
   - Restart the node agent and application servers.
   - Repeat for every node within the current cell or cluster; then proceed to the next cell or cluster and repeat the manual synchronization process.
6. Monitor each cell or cluster's startServer.log and SystemOut.log for any errors related to security; such errors may indicate that the new realm information is not entirely in sync, in which case you may need to repeat the synchronization process in step 5.
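Step 6 leaves the log review to the administrator. The following script is an added example, not part of the IBM documentation, of triaging a SystemOut.log after the realm change: it assumes the standard WebSphere basic log line format (bracketed timestamp, thread id, component, one-letter severity, message) and uses constructed sample lines whose message IDs are illustrative rather than quoted from a real server.

```python
import re

# One SystemOut.log entry: [timestamp] threadId component severity  message
# (assumption: the standard WebSphere basic log format; stack-trace continuation
# lines do not match and are skipped).
LOG_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<thread>[0-9a-f]{8})\s+(?P<component>\S+)\s+"
    r"(?P<sev>[AIWEOR])\s+(?P<msg>.*)$"
)
# Text that marks an entry as security-related for this task: SECJ is the
# WebSphere security message prefix; LTPA and realm cover the SSO change itself.
SECURITY_HINTS = ("SECJ", "LTPA", "realm", "Realm")

def parse_line(line):
    """Return the fields of one log entry, or None for lines that are not entries."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None

def security_errors(lines):
    """Return (timestamp, severity, message) for W/E entries that mention security."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["sev"] not in ("W", "E"):
            continue
        if any(h in rec["msg"] for h in SECURITY_HINTS):
            hits.append((rec["ts"], rec["sev"], rec["msg"]))
    return hits

def needs_resync(lines):
    """True when the log shows security errors, i.e. step 5 should be repeated."""
    return len(security_errors(lines)) > 0

# Constructed sample entries (illustrative IDs and text, not a captured log).
SAMPLE_LOG = [
    "[3/2/15 10:05:01:120 EST] 00000001 WsServerImpl  A   WSVR0001I: Server server1 open for e-business",
    "[3/2/15 10:05:02:003 EST] 0000001a LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. The exception is ...",
    "\tat com.ibm.ws.security.ltpa.LTPAServerObject.validateToken(LTPAServerObject.java:1)",
    "[3/2/15 10:05:03:410 EST] 0000001a LTPAServerObj W   SECJ0371W: Validation of the LTPA token failed: realm does not match",
    "[3/2/15 10:05:04:000 EST] 00000022 ServletWrappe E   SRVE0068E: An exception was thrown by one of the service methods of the servlet [HelloServlet].",
]
```

Run security_errors() over the log lines of each cell or cluster; the unrelated servlet error and the stack-trace line are ignored, so only the entries that point at the realm change remain.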