Beruflich Dokumente
Kultur Dokumente
A Secure Portal
Extended With Single
gle
Sign-On
WebSphere Portal V5 and Tivoli Access
Manager V4.1 integration
Step-by-step guide
Michele Galic
ibm.com/redbooks Redpaper
International Technical Support Organization
February 2004
Note: Before using this information and the product it supports, read the information in “Notices” on page v.
This edition applies to WebSphere Portal Version 5 and Tivoli Access Manager Version 4.1.
Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .v
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
The team that wrote this Redpaper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Become a published author . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Comments welcome. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Chapter 1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1 Single sign-on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 Credential vault . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2.1 Credential vault organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
IBM Redbooks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Online resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
How to get IBM Redbooks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Help from IBM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult
your local IBM representative for information on the products and services currently available in your area.
Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product, program, or service that does
not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to
evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The
furnishing of this document does not give you any license to these patents. You can send license inquiries, in
writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive Armonk, NY 10504-1785 U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where such provisions
are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of
express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made
to the information herein; these changes will be incorporated in new editions of the publication. IBM may make
improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time
without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any
manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the
materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without
incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products and cannot confirm the
accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the
capabilities of non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate them
as completely as possible, the examples include the names of individuals, companies, brands, and products.
All of these names are fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrates programming
techniques on various operating platforms. You may copy, modify, and distribute these sample programs in
any form without payment to IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating platform for which the sample
programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore,
cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and
distribute these sample programs in any form without payment to IBM for the purposes of developing, using,
marketing, or distributing application programs conforming to IBM's application programming interfaces.
Intel, Intel Inside (logos), MMX, and Pentium are trademarks of Intel Corporation in the United States, other
countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the
United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun
Microsystems, Inc. in the United States, other countries, or both.
Other company, product, and service names may be trademarks or service marks of others.
Many portals are required to access external applications that need some form of user
authentication. In most cases, the user credentials required by these applications will differ
from those used by WebSphere® Portal. It is possible for the portlet to prompt the user for
this credential information and then present it to the external application. However, such an
approach is seldom implemented due to the unsatisfactory user experience. Therefore, a
single sign-on (SSO) is required to provide seamless access to the different applications in a
Portal solution.
Implementing a secure Portal using an external security manager is part of solving this
problem. This provides a centralized access management system. It is also a basis for
creating an SSO domain for multiple applications that can share common user credentials.
However, back-end applications can still exist outside of this domain because of a need for
specific custom user IDs and passwords. For these, we can use credential mapping to map
the common credential to the back-end one. This is implemented as Credential Service in
WebSphere Portal.
Alison Halliday is an IT Architect from IBM Global Services, Sweden. She primarily works in
the application architecture, design, and development of e-business and enterprise Java™
solutions. Alison has seven years of experience in the industry and holds a MSc (Computer
Science) from Queen's University, Belfast, Northern Ireland. Her areas of expertise include
the WebSphere family of products, J2EE, and Java.
Maria Munaro is an IT Specialist with IBM Venezuela. She joined Lotus® four years ago as a
Senior Consultant for the Consulting Division in Venezuela. Currently Maria works as a
WebSphere Technical Specialist in the Software Group. She is both an IBM MQSeries®
Certified Specialist and a Lotus Domino® CLP. Before joining Lotus, Maria worked for two
years for a Lotus Business Partner based in Argentina. Her most recent projects have been
with MQSeries and WebSphere Portal Server.
Sailaja Parepalli is a Software Consultant at Miraclesoftware systems, Inc., MI. She has 6
years of experience in software analysis, design, and development. Her software industry
experience includes Business Analysis and Object Modeling using UML and Application,
Web, and Portal development using Java/J2EE and WebSphere family of products. You can
reach her at sparepalli@miraclesoft.com.
David Yang is a staff software engineer in the Solution Test team of the WebSphere Platform
System House organization located in Research Triangle Park, North Carolina. He has
worked with IBM in a variety of development and test roles and has areas of expertise in
Java, Linux, WebSphere, security, and TCP/IP.
Helen Rehn
IBM US
Tinny Ng
IBM Toronto
Margaret Ticknor
International Technical Support Organization, Raleigh Center
Your efforts will help increase product acceptance and client satisfaction. As a bonus, you'll
develop a network of contacts in IBM development labs and increase your productivity and
marketability.
Find out more about the residency program, browse the residency index, and apply online at:
http://ibm.com/redbooks/residencies.html
Comments welcome
Your comments are important to us!
We want our papers to be as helpful as possible. Send us your comments about this
Redpaper or other Redbooks™ in one of the following ways:
Use the online Contact us review redbook form found at:
http://ibm.com/redbooks
Send your comments in an Internet note to:
mailto://redbooks@us.ibm.com
Mail your comments to:
IBM Corporation, International Technical Support Organization
Dept. HZ8 Building 662
P.O. Box 12195
Research Triangle Park, NC 27709-2195
Preface ix
x Secure Portal with Single Sign-On
1
Chapter 1. Introduction
Web technology use has expanded for the delivery of information and services, both inside
and outside a company’s network. Unfortunately most Web applications and packages
provide a plethora of security standards and implementations. Many companies are now
looking for a consolidated authentication and authorization approach to better manage this
distribution of business services. Implementing a secure Portal using an external security
manager is part of solving this problem. This provides a centralized access management
system. It is also a basis for creating a singe sign-on (SSO) domain for multiple applications
that can share common user credentials. However, back-end applications can still exist
outside of this domain because of a need for specific custom user IDs and passwords. For
these, we can use credential mapping to map the common credential to the back-end one.
This is implemented as Credential Service in WebSphere Portal.
This chapter introduces the topic of SSO in broad terms and the credential services structure
as implemented in WebSphere Portal. This publication is build on and extends the redbook A
Secure Portal Using WebSphere Portal V5 and Tivoli Access Manager V4.1, SG24-6077. The
ideas presented there will help you to understand the concepts covered in this IBM Redpaper.
Many portals are required to access external applications that need some form of user
authentication. In most cases, the user credentials required by these applications will differ
from those used by WebSphere Portal. Although it is possible for the portlet to prompt the
user for this credential information and then present it to the external application, such an
approach is seldom implemented due to the unsatisfactory user experience. Therefore, a
Portal solution requires an SSO to provide seamless access to different applications.
The redbook Access Integration Pattern Using IBM WebSphere Portal Server, SG24-6267-00
describes two SSO application patterns.
Web Single Sign-On pattern: This pattern provides seamless access to multiple Web
applications located in the same security domain. This is the typical SSO scenario where
a company wants a common authentication mechanism for a number of applications. User
credential tokens that can be validated by the other applications within the SSO domain
can be generated either by (1) the applications themselves or (2) by using an
authentication proxy. This establishes a trust between the applications. For example
WebSphere Application Server and Domino can generate and validate LTPA (Lightweight
Third Party Authentication) tokens, forming an SSO domain together. The pattern is
depicted in Figure 1-2 on page 3.
synchronous synchronous
Client Single Sign-On Application1
Tier Tier
Application2
Extended Single Sign-On pattern: This pattern provides SSO to back-end applications
that are outside the security domain. It may not be possible for the applications in an SSO
domain to share the same user credentials as in the Web SSO application pattern. For
example, there may only be a system user ID available for an internal back-end
application. To solve this issue, WebSphere Portal provides a credential vault service
where these back-end credentials can be stored in a credential vault and retrieved by
portlets to access the back-end application. This is described in more detail in the next
section. Note that Extended SSO also is often called Double-realm SSO in other
publications. This pattern is shown in Figure 1-3 on page 3.
Chapter 2 will show the available Runtime patterns for SSO application patterns.
Vault Implementations
Vault Service WebSphere Portal Vault
Slot Ua
Slot Ub
Slot Uc
Administrator-managed
Segment (A1)
Slot A1a
Slot A1b
Slot A1c
Chapter 1. Introduction 3
Vault segment
A vault is broken down into vault segments. These can be user- or administrator-managed.
However, portlets can create slots in user-managed segments only. Creating slots in
administrator-managed segments is limited to the administrator. Credential creation and
retrieval can be carried out in both by portlets. Vault segments map on to specific vault
implementations through vault adapters. A vault adapter is a plug-in used to provide the
credential vault service access to a certain credential repository.
Vault slot
A vault segment is partitioned further into vault slots. The slot is the actual location for the
user credential. For non-shared slots, are specific to both the back-end application and the
user. Shared slots are specific only to the back-end application.
The credential vault provided by the WebSphere Portal distinguishes between four different
types of vault slots:
A system slot stores system credentials where the actual secret is shared among all users
and portlets. In this case, a group of portlets shares the same password.
A shared slot stores user credentials that are shared among the user’s portlets.
A portlet private slot stores user credentials that are not shared among portlets.
An administrative slot allows each user to store a secret for an administrator-defined
resource.
Credential objects
Credentials are returned in WebSphere Portal in the form of credential objects. These can be
passive or active. Passive credential objects are containers for the credential’s secret that
can then be retrieved by the portlet to authenticate with back-end. Active credential objects
hide the credential's secret from the portlet in such a way that there is no way of extracting it
out of the credential. In return, active credential objects offer business methods that take care
of all the authentication. A common passive object type returns username and password
credentials. An example of active authentication is Http Basic Authentication. Please see
3.3.3, “Types of credential objects” on page 27 for more information.
1.3 Summary
Single sign-on has two principle application patterns, Web SSO and Extended SSO. In this
publication, we will explain how to implement an Extended SSO application using credential
vaults. Credential vaults are repositories for user credentials to be used for external systems
outside the Web SSO realm. Credential vaults are organized into segments and slots.
The requirements are addressed from both the functional and non-functional business
perspective. Some simple use cases are outlined below in order to depict the core
functionalities of the SSO solution.
The solution design, subsystems, and operational view are then presented. These are
followed by sample portlets and sample back-end applications.
Using SSO, a user can authenticate once when logging into the front-end system
(WebSphere Portal). Then, the user’s identity is passed on to back-end or external
applications without requiring additional identity verification from the user. The SSO approach
focuses on security integration between the products.
This solution is an add-on to A Secure Portal Using WebSphere Portal V5 and Tivoli Access
Manager V4.1, SG24-6077. Please refer to Chapter 2, Requirements and design, in this
redbook for information about authentication and authorization mechanisms.
We discuss the functional and non-functional business requirements for the SSO solution in
the following sections. Together, these provide the baseline for the design of the system.
Note: For additional information about SSO, refer to the WebSphere Portal InfoCenter
using the following URL:
http://publib.boulder.ibm.com/pvc/wp/500/ent/en/InfoCenter/index.html
A use case is initiated by a user/actor with a particular goal in mind; it completes successfully
when that goal is satisfied. It describes the sequence of interactions between actors and the
system necessary to deliver the service that satisfies the goal. Actors are parties outside the
system that interact with the system.
Tip: Although the discussion of UML and use case modeling is out of the scope of this
document, the following URL provides more information about UML and use cases if you
want to explore further:
http://www.rational.com/uml/index.jsp
The sections below present the graphical and textual representations of the identified use
cases for the SSO solution.
UC-ADM-01:Create/Manage
Vault Segment
UC-ADM-02-a:Create/
<<include>> Modify User Credentials
Site
UC-ADM-02:Create/Manage
Administrator Vault Slot
A primary actor is one having a goal requiring the assistance of the system. A secondary
actor is one from which the system needs assistance.
Primary actor(s)
Secondary actor(s)
Table 2-3 UC-01: Access the external system (back end) through portal (front end)
Use case ID and name UC01: Access the external system (back end)
through portal (front end)
Alternatives
Note: The use case detail above also includes the details of use cases UC01-a and
UC01-b. The implementation of the business use cases summarized above is covered in
“Sample applications” on page 59.
Main scenario The system prompts for the vault segment name
and other related information.
The actor inputs the necessary data.
The system creates the new vault segment using
the credential vault service.
The system acknowledges that the new vault
segment has been created.
The use case ends successfully.
Alternatives
Main scenario The system prompts for the vault slot name and
other details, user credential information.
The actor inputs the necessary data to create a
vault slot and user credentials.
The system creates the new vault slot and
associated user credentials using the credential
vault service.
The system acknowledges the new vault slot has
been created.
The use case ends successfully.
Alternatives
In the use case details provided above, the main scenarios talk only about the creation part of
credential vault segment, slot, and user credentials.
This level of detail is provided because the management of the vault segment only allows a
user to delete the segment. If you want to modify an existing segment name or other
information, just delete the segment and create another with the necessary data.
Similarly, managing a vault slot involves the deletion of a vault segment or modification of the
user credentials.
Note: Refer to “Implementing the runtime environment” on page 29 for the implementation
of the administration use cases above.
We can categorize and discuss the non-functional requirements for an SSO solution into
Scalability requirements
Security requirements
Performance requirements
Scalability requirements
Scalability is the degree to which something can be modified to increase its existing
capacities.
The SSO solution is an extension to the secure portal to provide centralized security when
the users are allowed to have access to multiple systems using different sets of user
credentials.
Collaborative features like Lotus Instant Messaging (Sametime®) chat can also take
advantage of SSO.
Other examples of common client security requirements address the physical infrastructure of
the system, such as protecting the internal IP addresses and site structure, providing denial
of service defense, and providing intrusion detection.
Performance requirements
The system performance level depends on the response times and availability of the external
systems.
Additional non-functional requirements that can be captured include usability, reliability, and
portability requirements.
Both of these sample applications follow the Extended SSO Application pattern. Their
Runtime pattern uses the credential mapping approach. This consists of mapping the Web
user identity to another user ID to access the back-end system. In our samples, we use
system credentials stored in the vault to access protected business applications. The
authorization to access the back-end is actually implemented in the front-end. In other words,
if the user has the authorization to access the portlet, then it follows that he or she has
authorization to access the business application.
Https request Authentication Mutual SSL Web Server Mutual Application Server Application Server
Browser Authentication Proxy SSL Credential
WAS Trust Trust
Session Plug-in Association Mapping Association
Portal Portal
Interceptor Interceptor
Server Server
LDAP
over LDAP over SSL
SSL
Directory User
Server Registry
LDAP
over User
SSL Repository
Policy/
Authorization Policy
Server Store
Key
JAAS API
Subsystem Read/Write
Datastore Vault Adapter
Component Credential
Vault
Tier
Synchronous
Connection
Key concepts
The key concepts to the functional view include the following:
Authentication proxy: Manages the authentication process
Directory server: Provides access to the user registry and user repository
Policy/authorization server: Maintains the policy store and manages the authorization
process
Portal Server: The Portal Server where the SSO credential mapping application operates
Customer
Security
Administrator
We show three locations: the Internet, an external network, and the intranet. The Internet and
the external network are as described in the A Secure Portal Using WebSphere Portal V5 and
Tivoli Access Manager V4.1, SG24-6077 solution with no firewall protection. But we have
chosen to place our back-end node in the intranet protected by a firewall. We assume that it is
part of an already existing company infrastructure. As such, the implementation of the firewall
is out of scope for this publication. The system comprises of the following three physical
nodes:
Security node: Responsible for security services such as authentication, access
management, and directory services
Application node: Responsible for providing application services such as the portal
application
Business node: Responsible for the delivery of a company’s business services that must
be accessed via the Web or even internally through other clients. Business data will be
held here. Therefore, this node requires strong security.
The security and application nodes are the same nodes that are covered in A Secure Portal
Using WebSphere Portal V5 and Tivoli Access Manager V4.1, SG24-6077. Please note that
the security and application nodes could also be behind the firewall, assuming that the
firewall is configured correctly.
Component model
The component model describes the IT system from the software viewpoint. It details the
components in terms of their responsibilities, interfaces, and relationships. It also documents
how they collaborate together to fulfill the required functionality. A component is an
independent part of the overall system. It can be large or small, such as a number of classes,
a program, or a software product. The model can be either at a specification (technology- and
product-agnostic) level or a physical (technical) level. In this chapter, we have chosen to
document the specification level.
<<component>>
Security S ervices
<<component >>
Credential Vault Services
<<component>> <<component>>
Dialog Portal Server
<<component>>
Portlet credential applications
Component descriptions
The following components are included:
Dialog: Responsible for controlling the HTTP requests and responses into and out of the
system. It uses the security services component to authenticate the requests. This
component will be implemented using WebSeal.
Security services: Responsible for security management and authentication and
authorization services. This is implemented using TAM.
Portal Server: Responsible for portal services and implemented by WebSphere Portal
Server
Credential vault services: Responsible for managing and storing the credential secrets.
It offers several interfaces to these values. In our sample, we are interested in the
HttpBasicAuthCredential active credential objects and the UserPasswordPassive
credential objects.
Portlet credential application: Represents the portlet credential applications that the
portal offers to the client. In our case, these are the basic authentication and the Web
service authentication portlet application.
callPortlet
check authorization
callCredentialPortlet
getCredentials
getCredentials
callBusiness Service
response
Walkthrough
1. The user requests the credential mapping portlet.
2. The Dialog component receives the request and checks for authentication in combination
with the security services.
3. Once authentication is established, the request is forwarded to the Portal Server.
4. The Portal Server then checks for user authorization on the requested portlet through the
security services component.
5. Once authorized, the portlet then retrieves the credential secrets from the credential vault
services via the Portlet Credential Manager.
6. The external back-end business service is then called using the retrieved credential
secrets.
7. The response is transferred back to portlet, which creates the page fragment to be
displayed.
8. The Portal Server then aggregates the page fragments together to return to the user.
The sequence diagram in Figure 2-6 shows the method calls and interactions that take place
when the portlet is displayed on a page.
: : : : : :
: System BasicAuthPortlet BasicAuthPortletSecretManager CredentialVaultService HttpBasicAuthCredential BasicAuthPort letViewBean BasicAuthPortletView.jsp
doView()
basicAuthConnection()
getCredential()
getAuthenticatedConnection()
setUrlres p(String)
service()
The sequence diagram in Figure 2-7 on page 17 shows the method calls and interactions that
take place when the invoke action is called for this portlet.
getUserId( )
getPassword( )
setUsername(String)
setPassword(String)
service() setUsername()
setPassword()
getStockData()
IBM WebSphere Portal V5, A Guide for Portlet Application Development, SG24-6076
Segment type
Segments can be either administrator- or user-managed. The main technical difference is that
users can create vault slots only in user-managed segments. Only administrators are allowed
to create in administrator-managed segments. Users can set and retrieve credentials in both
types.
Slot type
There are 4 different type of slots: private, user, system, and administrative. See section
“Vault slot” on page 4 for full details. For user-managed credentials, it makes sense to choose
private or user slots. An example of a private slot is a POP3 mail account portlet. In this
scenario, the portlet is unlikely to be used by all users. Therefore, an edit screen can be
created for the each user to define his or her slot and credentials. There also is no need to
share this information between other portlets.
A shared slot example would be if you wanted to allow a user access to various server
applications through a portal: for example, an expenses and time reporting application that
normally runs from a LAN workstation. The user’s LAN ID and password are then stored in
the credential vault and shared between the different portlets. This gives the user access to
his or her desktop applications remotely through a Web interface.
The administrator-created slot types are system and administrative. Only these slots can be
viewed through the WPS admin, and only system credentials can be edited. An example of
system slot usage is, for example, a legacy application that is protected by a single system
ID. This ID can be stored and then shared among the users who wish to access that
resource. It provides seamless SSO accessibility while keeping the system ID secret.
The last example is the administrative slot. This should be used for administrator-defined
resources such as a company’s e-mail system. Since it is assumed that all users will use this
portlet, the slot can be created by the administrator beforehand. The portlet is then written to
allow the users to manage their credentials in that slot.
An example of Webseal and Siteminder usage would be an extranet portal application that
needs to access an existing internal application protected by Webseal or Siteminder.
However, it is probably more common for a company to try to integrate all its applications into
one security management system.
More information about credential vault applications can be found in the redbook IBM
WebSphere Portal V5, A Guide for Portlet Application Development, SG24-6076 and the
following URLs.
The SSO performed in the Web tier is appropriate for environments with no back-end
systems or where access to back-end systems does not need to be executed under the Web
user’s identity.
The key consideration in establishing a Web SSO solution is the diversity of the e-business
environment. There are two key types of environments to consider: a homogeneous
application server environment or a heterogeneous environment (multiple vendors/versions
of application servers).
Web SSO
Web SSSO provides seamless access to multiple Web applications located in the same
security domain. Web SSO runtime patterns include a homogeneous application server and
heterogeneous application servers. The Homogeneous Application Server pattern is where a
single Web tier is used for SSO and all applications are implemented on the same application
server. The Heterogeneous Application Servers pattern uses an authentication proxy to
control SSO access to multiple application servers of various types.
The Application pattern for these Runtime patterns is discussed in “Single sign-on” on
page 2.
Application
Server
Application
Browser
Server
Pros:
Simple, effective security model for applications built within the same application server
environment.
Cons:
Does not support applications outside the application server domain.
Application
Server
Authentication
Browser Application
Proxy
Server
Pros:
Provides a unified, secure authentication model.
Supports multiple vendors/platforms.
Cons:
Will require modification and migration to include existing applications.
Can be difficult to model the separation or aggregation of authorization data across many
applications.
Requires that applications support an externally-managed security proxy.
There are two major approaches to implementing the Extended Single Sign-On Application
pattern discussed in “Single sign-on” on page 2. These approaches are:
Credential Propagation pattern
Directory &
Security Server
Application
Server
Application
Browser Application Server
Server
Cons:
Introduces complexities related to credential management
Introduces requirements for additional error handling and transaction support at each
application node
Directory &
Security Server
Application
Server
Authentication Application
Browser Application
Proxy Server
Server
Cons:
All applications have to support the chosen security proxy and may require complex
modification and migration.
Design considerations
There are some characteristics of the applications that will affect the solution of choice:
Does the application let the application server do the authorization? If not, a proxy solution
may be required.
When incorporating an existing application with its own security model into a larger
security domain, deactivate the application's security mechanism, if possible, and defer
authentication and authorization to the larger secure domain.
If the application requires a form-based login, there may be no solution short of modifying
the application or providing custom code to wrap the application and simulate the posting
of the application's login form.
For further information about the Access Integration patterns please refer to A Portal
Composite Pattern Using WebSphere Portal V5, SG24-6087 and Access Integration Pattern
Using WebSphere Portal Server, SG24-6267.
In the following sections, we review approaches to achieving an SSO. If you decide to use the
portal credential vault, you also have some technology choices. These also are reviewed.
Finally, we implement the portal credential vault in this chapter.
If the back-end application is outside of the portal’s security realm, portlets must be able to
store and retrieve user credentials for the back-end application they need to access.
For accessing applications outside the portal’s security realm, the Portal Server provides a
credential vault service that portlets can use to store user ID and password (or other
credential) information.
LTPA Authentication
WebSphere Application Server can provide single sign-on between itself and certain Web
application servers by sharing Lightweight Third Party Authentication (LTPA) tokens. LTPA
tokens contain user data, expiration time, and a digital signature that is signed with a private
key of the authenticating user. They are stored as encrypted cookies. The key for decrypting
the cookie is normally generated by WebSphere Application Server and shared with any
back-end application servers.
Normally, a shared LTPA token will be used to provide single sign-on between WebSphere
Portal and a back-end Lotus Domino Application Server. It is also possible to use LTPA to
provide single sign-on between WebSphere Portal and other WebSphere Application Servers
(that do not fall within the same WebSphere security realm as the application server used by
WebSphere Portal).
It is important to note that IBM has developed the LTPA mechanism. While they have
published the specification, it is generally only supported by IBM products. The wider
computer security community has largely adopted Kerberos technology to provide the same
functionality. The pros and cons of the LTPA approach and implementation are not discussed
here.
Therefore, those back-end systems should still be able to use their own authentication and
authorization mechanisms. To allow for this and still obtain single sign-on, the portlet must
present appropriate credentials to the back-end system. This, in turn, means that the portlet
requires some method to store and retrieve credentials. The portlet can store credentials as
user-specific portlet data. Of course, the credentials can even be hard-coded into the portlet,
but this approach is not desirable from an architectural and security standpoint.
3.4 Summary
This chapter presents the various SSO solution alternatives. Then, it continues with a
discussion of the technical options available for the WebSphere Portal credential vault
service.
Note: Please refer to chapter 4 of the above redbook for the base runtime environment
implementation.
Hardware:
IBM Netfinity 5100
PIII 933MHz
1152MB RAM
18GB HDD
Software stack:
Windows 2K + SP3
IBM HTTP Server V1.3.26
WebSphere Application Server
Enterprise Edition V5.0
WebSphere Portal Server V5.0.1
Customer
For the WebSphere Application server hardware requirements, installation, and configuration
information about the back-end machine (named as Business Node in the diagram above),
refer to “Installing a WebSphere Application Server” on page 31.
To simplify the installation, install WebSphere Application Server without the HTTP server.
For the Enterprise Edition, select custom install and decline everything except the javadoc.
The sample application doesn’t require any special Enterprise features.
For installation documentation, please refer the WebSphere Application Server installation
guide. The WebSphere library can be found at:
http://www-306.ibm.com/software/webservers/appserv/infocenter.html
Creating users
1. Click Start -> Settings -> Control Panel -> Administrative Tools -> Computer
Management -> Local Users and Groups -> Users to display the screen in Figure 4-2
on page 32.
You can use the restoreconfig command to return to the original settings. See the WebSphere
Info Center for more details.
1. Assuming that WebSphere server1 is started, open a browser and access WebSphere’s
admin console at http://<hostname>:9090/admin where hostname is the host name of the
business node. Log in once you access the administrative console.
2. Click Security -> User Registries -> Local OS and enter the username and password
used when installing WebSphere and click OK. This is normally Administrator. In the
example below use wsuser.
3. Go to Security -> Global Security and check the Enabled checkbox to enable the global
security. By default, this step enables the Enforce J2EE security. We do not need it, so
uncheck it again. The other settings should be left as defaulted, using the local OS and
SWAM. Then, click OK. The screen in Figure 4-6 on page 35 is displayed.
4. You should see the following notification of changes to be made to the master
configuration at the top of your WebSphere window. Click Save to display the screen in
Figure 4-7.
6. For global security to take effect, you need to stop and start server1 either by using the
standard WebSphere commands or by going through the services panel.
Note: With global security enabled, the server username and password will be required
after the first time you stop and start the server or when you access the administrative
console.
The following describes the deployment procedure for both of the EAR files. You need to
perform these procedures twice, one for each EAR file. This process consists of a number of
screens that should retain the default settings (except on the first screen).
14.Step5 - Summary screen: You should see a summary of the EAR installation. If
successful, then click Save to Master Configuration.
15.Save to master configuration screen: This lists the changes to be made to the master
configuration. Click Save to Master Configuration. On the next screen, click “Save:”
Now repeat this process for any other EAR files that you have.
You then should be able to see the two new enterprise applications by clicking on
Applications -> Enterprise Applications. Select the checkboxes and click Start.
3. If the username and password are correct, the response in Figure 4-12 should be seen
from the SimpleServlet.
4. To test that security is really working, try closing the browser and doing the same
procedure with an erroneous username and password. You should be allowed three tries.
Then, a blank screen should be shown.
where hostname is the host name of the business node. A screen similar to Figure 4-13 on
page 40 should be shown.
5. Click the getStockData() link. Then, enter the wsauthuser username and password
created earlier.
6. Click Invoke and the result should appear as above.
7. Try using a non-existent username and password to check that security is working. You
should see an exception message in the result frame.
Note: For more information about the pdurl and where the PDPerm.properties reside,
please review the section “Configure Tivoli Access Manager Java Runtime Environment” in
Chapter 4 of A Secure Portal Using WebSphere Portal V5 and Tivoli Access Manager
V4.1, SG24-6077.
where <host_name> is the fully-qualified name of the machine where you have installed
webSEAL. For example, the URL should be similar to
https://m23caatk.itso.ral.ibm.com/portal/wps/myportal
Click Yes to continue. You will be prompted for the user ID and password in the next screen.
Enter the portal admin user ID and password. For example, we use wpsadmin as the user ID
and sah309r as the password in SSO. Then, click OK.
The portal's welcome page appears on the screen upon successful authentication, as shown
in Figure 4-15 on page 43.
Important: At the time of this writing of this Redpaper, we had the following limitation. If
you have Mutually Authenticated SSL, you must turn off mutual SSL, deploy your portlets,
and then turn mutual SSL back on in order to deploy portlets using the Install Portlets
portlet. For more information refer to Chapter 5, “Modifying WebSphere Web Container to
use Mutually Authenticated SSL” in A Secure Portal Using WebSphere Portal V5 and Tivoli
Access Manager V4.1, SG24-6077.
Browse to the location where you have placed the sample war files, itsoSSOPortal.war and
itsowsPortal.war. We can use these files to demonstrate the usage of active and passive
credentials. See Figure 4-17.
The portlet name that is going to be installed will be displayed on the screen, as shown in
Figure 4-18.
Click Install. The screen in Figure 4-19 on page 46 appears to confirm that the portlet has
been installed.
Install the other portlet (the passive credentials sample) by following the steps above and
selecting the itsowsPortal.war file. After installing these two portlets successfully, navigate to
Administration-> Portlets-> Manage Applications on the portal screen.
Check for the war files in the webmodules list by scrolling down through the existing war files.
The war files discussed above (itsoSSOPortal.war, itsowsPortal.war) should appear in the list
in alphabetical order. You also can find the concrete portlet names deployed through the
above war files in the list box titled Portlets of the Administration->Portlets->Manage
Applications screen, as shown in Figure 4-20 on page 47.
Note: You must start a pdadmin console and log in to issue the command.
Click the Add a vault segment option to create a new vault segment, as shown in
Figure 4-22 on page 49.
Select either the default credential vault (named Default) or the TAM vault (named am) from
the drop-down list. Enter the vault segment name (for example, ITSOsegment) and other
needed details and click OK. A message saying “the vault segment was created successful”
is displayed on top of the screen, as shown in Figure 4-23 on page 50.
You can also delete the created vault segment by clicking Manage vault segments and by
navigating to Administration->Access->Credential Vault.
click Add a vault slot to create a new vault slot, as shown in Figure 4-24 on page 51.
Enter the following data in the displayed fields for the vault slot creation.
Name: Type basicauthslot.
Vault resource associated with vault slot: Select New and enter basicauthportlet (the
portlet instance name).
Vault segment: Enter the segment name that you have created in the previous steps (for
example, ITSOsegment).
Vault slot is shared: Check this box and enter the shared user credentials (for example,
userid:basicuser and password:basicuser; this is the password you created in “Creating
users” on page 31). Also, enter a description of the slot.
The screen should appear as shown in the Figure 4-25 on page 52 after you enter all of the
necessary details.
Click OK. A message saying “the vault slot was created successfully” will be displayed on top
of the screen.
You also can delete the vault slot created or modify the user credentials by selecting the
Manage system vault slots option of Administration->Access->Credential Vault.
Expand the Advanced options option in the next screen. You will be presented with
Figure 4-27 on page 54.
Enter the page title (for example, ITSO_SSO Samples) and other page properties.
Then, select the page layout and set the other properties. (For instance, select single row and
single column page. Then, set the mark up as HTML and leave the other options as they are.)
Click OK. The page Figure 4-28 on page 55 appears on the screen.
click Add portlets. Select the portlets that you want to appear on the screen (such as ITSO
Basic Auth Portlet and ITSO Ws Auth Portlet) by browsing through the available portlets
in the next screen, as shown in Figure 4-29 on page 56.
Click Done.
The portlets will appear on the screen in the order you have added them, as shown in the
Figure 4-31 on page 58.
Note: Refer to Chapter 5, “Sample applications” on page 59 for the portlet execution
details.
4.5 Summary
This chapter contains the implementation guide for the SSO credential mapping sample
applications. It builds on the solution created for A Secure Portal using WebSphere Portal V5
and Tivoli Access Manager V4.1, SG24-6077. First, the environment is introduced, followed
by the installation process for the back-end applications. After that, the creation of the TAM
credential vault is presented. Finally, the sample portlets are installed and deployed.
These portlets are a practical implementation of the programming for credential mapping
outlined in UC-01 in “Use cases list” on page 7.
The portlet then calls the SimpleServlet using the stored credentials.The result should appear
as in Figure 5-1. The settings show the portlet configuration parameters, slotname, and URL.
It also displays the SimpleServlet response that is returned. You can check that this response
is correct by directly calling the URL shown for your back-end application. Note that the
credential’s username and password are not shown because the portlet does not have
access to them using the active credential object method. Therefore, this method is
considered quite secure.
2. The next step is to call the basic authentication portlet. This is described in 5.2, “Running
the basic authentication portlet” on page 60.
3. Figure 5-3 on page 62 shows the exception that is caught when the portlet tries to call
SimpleServlet with the incorrect credentials.
4. The portlet collects the username and password from the slotname defined in the portlet
configuration. Using them, the portlet then calls the StockData Web service located at the
hostname specified in the portlet configuration. The result should appear as in Figure 5-5.
The settings show the portlet configuration parameters, slotname, and hostname. The slot
username and password also are displayed, showing that the portlet has access to those
values. The return data from the StockData Web service is shown just below. Use the
instructions in “StockData Web service sample” on page 39 to call the webservice directly
to check that the return data is correct.
5.4 Summary
The credential mapping sample applications are shown in operation step-by-step. Scenarios
where the user credentials are incorrect are also explained.
WebSphere Studio
The following WebSphere Studio products are supported:
WebSphere Studio Application Developer V5.0.1
WebSphere Studio Application Developer V5.0.1 Integration Edition V5.0.1
WebSphere Studio Site Developer V5.0.1
WebSphere Studio Enterprise Developer V5.0.1
Portal Toolkit
Portal Toolkit V5.0 allows you to set up a portlet development environment by plugging in to
WebSphere Studio. Portal Toolkit provides:
Portlet projects, in which you can create basic portlets based on the PortletAdapter class
WebSphere Portal configuration, with which you can publish your portlet application on
your local WebSphere Portal or on remote WebSphere Portal. Your portlet will appear on
the debug page of your WebSphere Portal.
Portlet application examples for enterprise applications
Local debug
During the installation of Portal Toolkit, the Portal Server is installed to the WebSphere Test
Environment of WebSphere Studio. After installation, you need to create a server with an
environment type of WebSphere Portal Test Environment. Authentication is not provided in
this configuration.
The full portlet development environment with all prerequisite software on a single machine
requires the following:
Important: For local debugging, the following updates must be installed into the
WebSphere Application Server V5 runtime environment:
Attention: WebSphere Studio Site Developer must be installed from the CD. The
installation fails if attempted from a network drive.
Installation steps
We can now perform the following steps to install/update the required software for test
environment:
1. Install WebSphere Studio Site Developer 5.0
2. Install the 5.0.1 PTF (update) for WebSphere Studio Site Developer
3. Update the WebSphere Application Server v5.0 runtime environment with the following:
a. Fixpack1 for WebSphere Application Server
b. Interim fixes for WebSphere Application Server
The WebSphere Studio Installation Launcher starts automatically, as shown in Figure A-1 on
page 69.
Place the mouse pointer over the rectangles in front of the titles to get a brief description of
each of the items listed on the window.
Clicking on a rectangle opens the appropriate HTML document or starts the installation
process of the software.
To start installing WebSphere Studio Site Developer V5.0, click Install IBM WebSphere
Studio Site Developer. This step will displays the installation wizard, as shown in Figure A-2
on page 70.
Click Next to continue. Accept the license agreement shown in Figure A-3.
Choose a different folder to install the software or click Next to continue installation in the
default folder.
The screen in Figure A-5 presents you with a list of available program features.
Make sure that the WebSphere Application Server 5.0 runtime environment is already
selected and click Next. The installation continues in the screen shown in Figure A-6 on
page 72.
You will be prompted for the Disc-2 in the middle of the installation process: Insert the CD
WebSphere Studio Site Developer for Windows V5.0 (Disc-2) into the CD-ROM Drive and
click OK to continue the installation process. The results display in Figure A-8 on page 73.
When installation is complete, launch the WebSphere Studio Site Developer from the Start
Menu and verify that the installation was successful, as shown in Figure A-9 on page 74.
Note: The WebSphere Application Server used for the test environment is installed into the
\runtimes subdirectory of WebSphere Studio.
Note: There are known issues that may result in problems during or after applying the PTF.
To ensure proper installation:
Follow the instructions below carefully.
If you have disabled any plug-ins either through the update manager or by modifying
plugin.xml files, re-enable them prior to installation.
1. Log on to your system with a user ID that has write access to the install location (This is
typically an ID with administrator authority on Windows and root authority on Linux).
2. Insert the CD labelled WebSphere Studio Site Developer PTFs into the CD Drive and
copy the contents of /wssdptf to a temporary directory on to your hard drive (for example,
C:/wssd501_update).
3. Start WebSphere Studio Site Developer 5.0.
5. Details about this update are shown in the Preview view. For more information about what
is included in the update, click the More Info link. Click Update to begin the installation.
6. An install wizard is displayed, as depicted in Figure A-11.
Attention: Do not modify the selections. Changing the default choices may result in errors.
11.The final screen of the Install Wizard displays the Install Location, as shown in Figure A-13
on page 77.
Attention: Errors may occur if you change the default Install Location.
13.If you are warned that you are about to install an unsigned feature, click Install to
continue. This warning will not cause problems during installation.
14.When the installation is complete, you will be asked to restart the product. Click No
because you must now install the second part of the PTF.
15.Return to the Install/Update perspective. Navigate the My Computer section in the Feature
Updates view and select WebSphere Studio Site Developer Product (Windows/Linux), as
shown in Figure A-14.
19.To verify that the installation was successful, switch to the Install/Update Perspective
(select Help → Software Updates → Update Manager). Verify that the two features are
at version 5.0.1 (from the Install Configuration view), as shown in Figure A-16.
Tip: The following PTFs are available for other WebSphere Studio products:
IBM WebSphere Studio Application Developer 5.0.1 PTF
http://www3.software.ibm.com/ibmdl/pub/software/websphere/studiotools/html/501/wsad/i
nstall.html
IBM WebSphere Studio Application Developer Integration Edition PTF 001 -
General Fixes
http://www3.software.ibm.com/ibmdl/pub/software/websphere/studiotools/html/501/wsadie
/instructions/install.htm
IBM WebSphere Studio Enterprise Developer v5.0.1 Fix Pack
http://www-1.ibm.com/support/docview.wss?uid=swg24004902
The installation starts immediately and goes on for quite a while, as shown in Figure A-18.
When complete, install messages are written to the log files in the \runtimes\base_v5
\properties\version\log directory where WebSphere Studio is installed.
Run interim fixes for WebSphere Application Server
a. Insert the CD labelled WebSphere Application Server 5.0 fix pack 1 and eFixes.
e. Run updateWizard.bat from the same command prompt, as shown in Figure A-20 on
page 81.
Figure A-21 WAS Interim fixes Product Info and Installation Directory selection
Enter the directory where you copied the WebSphere Application Server interim fixes (for
example, C:\WASFixes) into the File directory field. Click Next.
Select the following interim fixes on the screen that is displayed:
– PQ73644.jar
– PQ76567.jar
– WAS_Dynacache_05-08-2003_5.0.1_cumulative_fix.jar
– WAS_CM_08_12_2003_5.0.1_cumulative_fix.jar
Click Next to display screen in Figure A-23 on page 83, which displays the list of selected
fixes.
Portal Toolkit
If you have a version of Portal Toolkit prior to V5.0, you should remove it before installing
Portal Toolkit V5.0. Also, make sure WebSphere Studio is installed but not running before
installing Portal Toolkit.
Note: For the local debug configuration, you will also need to have the CD labelled Portal
Server available.
Click Next on the welcome panel to display the screen in Figure A-26 on page 85.
Read and accept the license agreement. Then, click Next to display the screen in
Figure A-27.
Make sure that the folder displayed is the installation folder of WebSphere Studio and click
Next to display the screen in Figure A-28 on page 86.
Note: If you plan to debug only with the remote server, you do not have to install
WebSphere Portal for Test Environment.
Select WebSphere Portal V5.0 for Test Environment and click Next to continue to the
screen displayed in Figure A-29 on page 87.
Note: We use only WebSphere Portal V5.0 for Test Environment to implement the secure
portal.
Click Next to continue. You will be prompted to enter the CD WebSphere Portal V5.0 for Test
Environment, as shown in Figure A-30.
Insert the CD of WebSphere Portal V5.0 into the CD drive and Click Next. The installation
starts, as shown in Figure A-31 on page 88.
Click Finish.
When the update is complete, you are prompted to restart WebSphere Studio. You only need
to restart the WebSphere Studio, not the machine. You are ready to start work in the portlet
development environment after you restart WebSphere Studio.
2. Export the enterprise application into an EAR file by selecting the File->Export->EAR file
menu path in WebSphere Studio.
3. These WAR and EAR files are now ready to be deployed on the Portal Server and on the
back-end WebSphere Application server, respectively.
Note: Refer to Chapter 4, “Implementing the runtime environment” on page 29 of SSO for
information about deploying portlets on Portal Server and for deploying the back-end
application on WAS server.
Select the Additional materials link and open the directory that corresponds with the
Redpaper form number, REDP3743
The publications listed in this section are considered particularly suitable for a more detailed
discussion of the topics covered in this Redpaper.
IBM Redbooks
For information about ordering these publications, see “How to get IBM Redbooks” on
page 96. Note that some of the documents referenced here may be available in softcopy only.
A Secure Portal Using WebSphere Portal V5 and Tivoli Access Manager V4.1,
SG24-6077
Access Integration Pattern Using IBM WebSphere Portal Server, SG24-6267
Web Services Wizardry with WebSphere Studio Application Developer, SG24-6292
WebSphere Version 5.1 Application Developer 5.1.1 Web Services Handbook,
SG24-6891
IBM Websphere Portal V5, A Guide for Portlet Application Development, SG24-6076
Portal Application Design and Development Guidelines, REDP-3829
A Portal Composite Pattern Using WebSphere Portal V5, SG24-6087
IBM WebSphere V5.0 Security, SG24-6573
Online resources
These Web sites and URLs are also relevant as further information sources:
WebSphere Portal InfoCenter
http://publib.boulder.ibm.com/pvc/wp/500/ent/en/InfoCenter/index.html
Rational website
http://www.rational.com/uml/index.jsp
Portlet Coding Guidelines
http://www7b.software.ibm.com/wsdd/zones/portal/portlet/portletcodingguidelines.html
Understanding the Portlet Component Model
http://www7b.boulder.ibm.com/wsdd/library/techarticles/0309_fischer/fischer.html
InfoCenter link (choose left-hand frame option Information Development
http://pvcid.raleigh.ibm.com/
Using Active Credentials Objects to Connect to Secured Web Applications
http://www7b.software.ibm.com/wsdd/library/techarticles/0307_konduru/konduru.html
Using Credential Vault to Provide Single Sign-on for Portlets
http://www7b.software.ibm.com/wsdd/library/techarticles/0211_konduru/konduru.html
WebSphere Application Server installation guide
http://www-306.ibm.com/software/webservers/appserv/infocenter.html
WebSphere Application Server InfoCenter
A D
deployment 90
access control 11
design 5, 17, 24
access management 11
development environment 66, 89
active credential object 4, 17–18, 28, 60
dialog component 14
actors 6
different vendor application servers 20
administrative slot 4, 18
Domino 2
application design 14, 19
double-realm single sign on 2
application node 13
Application pattern 19
application server 13 E
authenticate 2, 6 enterprise archive packaged files (EAR) 36
authentication 26, 60 existing application 24
authentication credential 26 Extended Single Sign-On Application pattern 12
authentication proxy 12, 19–20 Extended Single Sign-On pattern 2, 21
authorization 6, 11–12, 24 Extended Single Sign-On Runtime patterns 21
authorization/access control mechanisms 11 external applications 2
external security manager 26
extranet portal application 19
B
back-end applications 2, 4–5, 21, 23, 26–27, 31, 60
back-end business applications 30 F
back-end credentials 2 firewall 13
back-end systems 19 form-based login 24
business applications 12–13 framework 6
business node 13, 33 functional requirements 5–6
functional view diagram 12
C
Central Authorization Service pattern 21, 23 G
centralized security 10–11 global security 36
component interaction diagram 15 Global Services method 15
component model 14
component relationship diagram 14
components 14 H
creating a vault segment 48 heterogeneous application servers 20
Credential homogeneous application server 19
mapping 22 HTTP server 31
transformation 22 HttpBasicAuthCredential active credential object 11, 60
credential mapping 22, 58
credential object types 18
credential objects 4
I
infrastructure 31
credential propagation 21
Credential Propagation pattern 21
credential repository 4 J
credential retrieval model 15 Java servlet architecture 17
credential secrets 27
credential transformation 21–22
credential vault 3–4, 13, 18, 27, 47 K
credential vault implementation 27 Kerberos technology 26
credential vault organization 3, 27
credential vault portletservice 27 L
credential vault portletservices 18 Lightweight Third Party Authentication (LTPA) 2, 26
credential vault service 2, 14 Lotus Domino Application Server 26
credentials 2–3, 18, 27 Lotus Instant Messaging (Sametime) 10
custom repository 3, 27 LTPA authentication 26
R
repository 27 V
requirements 5, 27 vault adapter 4, 13, 27, 40
requirements analysis 6 vault resource 51
role-based authorization 23 vault segment 4, 10, 47
runtime architecture 29 vault slot 4, 10, 18, 47
Runtime patterns 3, 12, 19
W
S Web applications 17, 19
scalability requirements 10 Web service 62
seamless access 2, 19 Web single sign-on 2, 19
secondary actor 7 Web Single Sign-On Application pattern 2
secret 19 Web Single Sign-On Runtime patterns 19
secure portal 10, 12 Web tier 19
security 6, 27, 31 Web user 12
security domain 19, 24, 26 Webseal 19
security management system 19 WebSeal token 26
security model 24 WebSphere Application Server 2, 26, 30
security node 13 WebSphere global security 31
security realm 26 WebSphere Portal 2–4, 25–27, 67
security requirements 11 WebSphere Portal architecture 17
security server 20 WebSphere Portal credential services 25
security service 23 WebSphere security 13, 33
security services component 14 WebSphere Studio 66
segment type 18 WebSphere Studio Site Developer 68
sequence diagram 16 WebSphere Test Environment 66
WebSphere Portal V5 Many portals are required to access external applications that
need some form of user authentication. In most cases, the user
INTERNATIONAL
and Tivoli Access
credentials required by these applications will differ from those TECHNICAL
Manager V4.1
used by WebSphere Portal. While it is possible for the portlet to SUPPORT
integration
Design guidelines and prompt the user for this credential information and then present ORGANIZATION
technology options it to the external application, such an approach is seldom
implemented due to the unsatisfactory user experience.
Step-by-step guide
Therefore, a single sign-on (SSO) is required to provide seamless
access to the different applications in a portal solution.
BUILDING TECHNICAL
INFORMATION BASED ON
Implementing a secure portal using an external security
PRACTICAL EXPERIENCE
manager is part of solving this problem. This provides a
centralized access management system. It is also a basis for IBM Redbooks are developed
creating an SSO domain for multiple applications that can share by the IBM International
common user credentials. However, back-end applications can Technical Support
still exist outside of this domain because of a need for specific Organization. Experts from
custom user IDs and passwords. For these, we can use IBM, Customers and Partners
from around the world create
credential mapping to map the common credential to the timely technical information
back-end one. This is implemented as Credential Service in based on realistic scenarios.
WebSphere Portal. Specific recommendations
are provided to help you
This publication is intended to help IT architects, IT specialists, implement IT solutions more
security architects, and security administrators with effectively in your
understanding and implementing a secure portal with SSO. This environment.
publication is built on and extends A Secure Portal Using
WebSphere Portal V5 and Tivoli Access Manager V4.1,
SG24-6077.
For more information:
ibm.com/redbooks