A note up front: it has been a very, very long time since I updated this blog; laziness truly has no limits. Since I have been extremely idle lately, I am posting the notes from when I helped a friend test single sign-on between WebSEAL and TIP (eWAS). I really am bored~~~~~~

The TIP used in this post is the Netcool/OMNIbus Web GUI TIP. The same procedure should also work for the TSM admin center, and apparently for WebSphere Portal as well~~~~ For ITM TEPS it apparently only works from version 6.2.3 onward~~~ Writing is such a chore~ah~~ah~~~

WebSEAL TIP SSO

Create the AppAccount group in TAM:

# add_groups.ldif: two container entries, one LDIF record per entry, separated by a blank line.
# The cn value of each entry must match its RDN (the original had "cn: group" for cn=groups).
dn: cn=groups,o=tivoli
cn: groups
objectclass: top
objectclass: container

dn: cn=AppAccount,cn=groups,o=tivoli
cn: AppAccount
objectclass: top
objectclass: container

[root@rhel5 ldif]# idsldapadd -D cn=root -w 111111 -p 389 -i add_groups.ldif
Operation 0 adding new entry cn=groups,o=tivoli
Operation 1 adding new entry cn=AppAccount,cn=groups,o=tivoli

Configure TIP against LDAP

Log in to TIP and start the WAS administrative console

Configure WAS security

Add a managed repository (the LDAP repository)

Configure the LDAP connection information

Add the configured LDAP repository to the WAS security realm

Add the DN of the group created above

Restart TIP WAS and add a test user

pdadmin sec_master> user create ssotest "uid=ssotest,cn=AppAccount,cn=groups,o=tivoli" "ssotest" "ssotest" 111111
pdadmin sec_master> user modify "ssotest" account-valid yes
pdadmin sec_master>
pdadmin sec_master> user show ssotest
Login ID: ssotest
LDAP DN: uid=ssotest,cn=AppAccount,cn=groups,o=tivoli
LDAP CN: ssotest
LDAP SN: ssotest
Description:
Is SecUser: Yes
Is GSO user: No
Account valid: Yes
Password valid: Yes

Confirm that TIP WAS authenticates against LDAP successfully, assign a role to the test user, and test logging in as that user

Export the TIP WAS LTPA key

Confirm that the LTPA key was exported successfully

Configure mutual SSL

Import the TIP WAS SSL certificate into WebSEAL

The default password (for the WAS key store) is WebAS

Import the WebSEAL certificate into TIP WAS

The default password (for the WebSEAL pdsrv key database) is pdsrv

Restart WebSEAL and TIP WAS

Create the junction (-A/-F/-Z enable LTPA SSO with the exported key, -c all passes the iv-* identity headers, -f forces creation of /tip):

pdadmin sec_master> server task default-webseald-rhel5 create -t ssl -h 10.1.1.134 -p 16311 -A -F /opt/pdweb/certs/TIP_WAS_LTPA.key -Z 111111 -j -c all -f /tip
Created junction at /tip

Test the SSO login

Create an ACL to protect TIP WAS (any-other and unauthenticated get only T, so they can traverse to the console path but not read it, which makes WebSEAL prompt for authentication):

acl create tip_acl
acl modify tip_acl set user sec_master TcmdbsvaBRl
acl modify tip_acl set user ssotest Trx
acl modify tip_acl set any-other T
acl modify tip_acl set unauthenticated T
acl attach /WebSEAL/rhel5-default/tip/ibm/console tip_acl

pdadmin sec_master> acl show tip_acl
ACL Name: tip_acl
Description:
Entries:
User sec_master TcmdbsvaBRl
User ssotest Trx
Any-other T
Unauthenticated T

Configure single sign-off for WebSEAL and TIP

The path may differ between versions; search the TIP directory for customizationproperties to find the file's location:

C:\IBM\Tivoli\tipv2\profiles\TIPProfile\config\cells\TIPCell\applications\isc.ear\deployments\isc\isclite.war\WEB-INF

Restart TIP

In testing this did not really work, haha~~~~