Configure Single Sign-on Authentication for IBM InfoSphere WebSphere

December 23, 2015

This post explains how to implement single sign-on in IBM InfoSphere DataStage 11.5.

Environment

  • AIX 7.1
  • Active Directory Schema version 47 (Windows Server 2008 R2).
  • IBM WebSphere Application Server Network Deployment v8.5
  • IBM InfoSphere DataStage v11.5
  • The installation root directory is /IBM

Prerequisites

  1. The Active Directory account for the AIX server has been created.
  2. The keytab file has been generated from the Active Directory.
  3. The keytab file has been transferred to the AIX machine.
  4. Kerberos client has been installed on the AIX machine.

Overview of Steps

  1. Create the Kerberos Configuration File for WebSphere Application Server
  2. Configure WebSphere Application Server to Use SPNEGO

Configure WebSphere Application Server to Use SPNEGO

  1. Log into WebSphere Application Server Integrated Solutions Console as administrator (wasadmin).
  2. In the left pane, select Security > Global Security.
  3. In the User account repository section in the central pane, select Standalone LDAP registry from the “Available realm definitions” scrolling list and click on the Configure button.
  4. In the General Properties section in the central pane, in the Primary administrative user name text field, enter the AD user id that will be the primary administrator of WebSphere.
  5. In LDAP server > Type of LDAP Server, select Microsoft Active Directory.
  6. Provide the AD DC host name and port number.
  7. Provide the AD Base distinguished name (DN) (example: DC=myDomain,DC=myCompany,DC=com).
  8. Provide the AD Bind distinguished name (DN) (example: CN=myUser,OU=MyOU,DC=myDomain,DC=myCompany,DC=com).
  9. Provide the Bind password.
  10. Test the connection. If the connection was successful, continue to the next step; otherwise, carefully review the data provided in the previous steps.
  11. Click on the button OK.
  12. Verify that Standalone LDAP registry is selected in Global Security > User account repository > Available realm definitions, click on the button Set as current and click on the button Apply.
  13. Click on the link Save on the message section.

    It is also necessary to configure the Federated repository.

  14. In the User account repository section in the central pane, select Federated repositories from the “Available realm definitions” scrolling list and click on the Configure button.

  15. Provide the Realm name (example: DC=myDomain,DC=myCompany,DC=com).
  16. Provide the Primary administrative user name (same as in step 4).
  17. Click on the button Add repositories (LDAP, custom, etc) in the Repositories in the realm section.
  18. Click New Repository and select LDAP repository.
  19. In the LDAP server –> Directory type select Microsoft Windows Active Directory.
  20. Provide the AD DC host name and port number.
  21. On the Security section, provide the AD Bind distinguished name (DN) (example: CN=myUser,OU=MyOU,DC=myDomain,DC=myCompany,DC=com).
  22. Provide the Bind password.
  23. Click on the button Apply.
  24. Click on the link Save on the message section.
  25. Provide the AD Unique distinguished name of the base (or parent) entry in federated repositories (example: DC=myDomain,DC=myCompany,DC=com).
  26. On the Global security > Federated repositories > Repository reference, click on the button Apply.
  27. Click on the link Save on the message section.
  28. Click on the button OK.
  29. On the Federated repositories, provide the AD Primary administrative user name.
  30. Click on the button Apply.
  31. Click on the link Save on the message section.
  32. Click on the button OK.
  33. Click on the link Save on the message section.

    It is also necessary to configure the Kerberos configuration authentication.

  34. Click on the Global security > Authentication > Kerberos configuration link.

  35. Click on the SPNEGO web authentication link.
  36. Select Enable SPNEGO.
  37. Select Allow fall back to application authentication mechanism.
  38. Enter the full path of the Kerberos configuration file (example: /etc/kbr5/krb5.conf).
  39. Enter the full path of the Kerberos keytab file (example: /datastage/Kerberos/ohdwetlmsdev03.keytab).
  40. Click on SPNEGO Filters > New to add a new filter.
  41. Provide the AD DC Host name.
  42. Provide the Kerberos realm name (example: DC=myDomain,DC=myCompany,DC=com).
  43. Click on the button Apply.
  44. Click on the link Save on the message section.
  45. Enter the full path of the Kerberos configuration file (example: /etc/kbr5/krb5.conf).
  46. On Global security > Kerberos, click the button Cancel.
  47. Log off from WebSphere Application Server Integrated Solutions Console.
  48. Restart the WebSphere server.

After restarting, you should be able to log on to WebSphere with the AD administrative account.
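
A pre-flight check for the two files entered in steps 38 and 39, as an added example that is not part of the original post: it confirms that the Kerberos configuration file names a default realm with a matching [realms] stanza, and that the keytab (which holds the service account's long-term keys) is not accessible to group or other users. The function names are hypothetical, and the realm MYDOMAIN.EXAMPLE, the host dc1.mydomain.example and the demo file names are constructed placeholders.

```shell
#!/bin/sh
# Added example: pre-flight check for the files named in steps 38 and 39.

# Succeed only if the keytab is a regular file with no group/other access
# (it holds the service account's long-term Kerberos keys).
keytab_private() {
    [ -f "$1" ] || return 2
    [ "$(ls -Lld "$1" | cut -c5-10)" = "------" ]
}

# Print the default_realm value from the [libdefaults] section.
default_realm() {
    awk '/^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s); next }
         s == "libdefaults" && /^[ \t]*default_realm[ \t]*=/ {
             sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit }' "$1"
}

# Succeed if the [realms] section has a stanza keyed by realm $2.
realm_defined() {
    awk -v r="$2" '
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s); next }
        s == "realms" { n = index($0, "="); k = substr($0, 1, n - 1)
                        gsub(/[ \t]/, "", k); if (n && k == r) found = 1 }
        END { exit !found }' "$1"
}

# preflight KRB5_CONF KEYTAB: report problems, return non-zero if any.
preflight() {
    rc=0
    realm=$(default_realm "$1" 2>/dev/null) || realm=""
    if [ -z "$realm" ]; then
        echo "FAIL: no default_realm in [libdefaults] of $1"; rc=1
    elif ! realm_defined "$1" "$realm"; then
        echo "FAIL: [realms] has no stanza for $realm"; rc=1
    fi
    keytab_private "$2" || { echo "FAIL: $2 missing or readable by group/other"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK: realm $realm defined, keytab private"
    return "$rc"
}

# Constructed sample input (placeholder realm and host, empty stand-in keytab).
demo=$(mktemp -d)
printf '%s\n' '[libdefaults]' '    default_realm = MYDOMAIN.EXAMPLE' \
    '[realms]' '    MYDOMAIN.EXAMPLE = {' '        kdc = dc1.mydomain.example:88' \
    '    }' > "$demo/krb5.conf"
: > "$demo/demo.keytab"
chmod 644 "$demo/demo.keytab"; preflight "$demo/krb5.conf" "$demo/demo.keytab" || true
chmod 600 "$demo/demo.keytab"; preflight "$demo/krb5.conf" "$demo/demo.keytab" || true
```

On the server, call `preflight` with the same two paths you type into the SPNEGO web authentication page, running as the account that owns the WebSphere process.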
