WebSeal TIP SSO

First of all: it has been a long, long time since I last updated this blog; laziness really knows no bounds. Since I happen to be very, very idle at the moment, I'm writing up how I set up single sign-on between WebSEAL and TIP (eWAS) while helping a friend test it a while back. I'm so bored~~~~~~

The TIP used in this post is the Netcool/OMNIbus Web GUI TIP; the TSM admin center works the same way, and apparently WebSphere Portal does too~~~~ For ITM, apparently only TEPS 6.2.3 and later can do this~~~ I really can't be bothered to write more~


Create the AppAccount container in the TAM LDAP directory (an LDAP container that will hold the SSO users, not a TAM group):

dn: cn=groups,o=tivoli
cn: groups
objectclass: top
objectclass: container

dn: cn=AppAccount,cn=groups,o=tivoli
cn: AppAccount
objectclass: top
objectclass: container

The cn value has to match the RDN in the dn (the original listing had cn: group under cn=groups). Load the file with the TDS client; -w on the command line exposes the directory password to anyone who can list processes, so prefer -w ? to be prompted for it:

[root@rhel5 ldif]# idsldapadd -D cn=root -w 111111 -p 389 -i add_groups.ldif

Operation 0 adding new entry cn=groups,o=tivoli

Operation 1 adding new entry cn=AppAccount,cn=groups,o=tivoli

Point TIP at the LDAP directory

Log in to TIP and launch the WAS administrative console.

Configure WAS security.

Add a managed repository under Federated repositories.

Configure the LDAP connection details (host, port, bind DN and bind password of the TAM directory server).

Add the configured LDAP repository to the WAS security realm.

Add the DN of the container just created, cn=AppAccount,cn=groups,o=tivoli, as the repository base entry.

Restart TIP's WAS and add a test user with pdadmin:

pdadmin sec_master> user create ssotest "uid=ssotest,cn=AppAccount,cn=groups,o=tivoli" "ssotest" "ssotest" 111111

pdadmin sec_master> user modify "ssotest" account-valid yes

pdadmin sec_master>

pdadmin sec_master> user show ssotest

Login ID: ssotest

LDAP DN: uid=ssotest,cn=AppAccount,cn=groups,o=tivoli

LDAP CN: ssotest

LDAP SN: ssotest

Description:

Is SecUser: Yes

Is GSO user: No

Account valid: Yes

Password valid: Yes

Confirm that TIP's WAS now authenticates against LDAP, assign a role to the test user in TIP, and test logging in as that user (directly against TIP, before WebSEAL is involved).

Export the TIP WAS LTPA key

Export the LTPA keys from the WAS console. The key file is protected with a password you choose; the WebSEAL junction will need the same password.

Confirm the LTPA key was exported successfully.
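As an added example (not from the original post, which does these steps by clicking through the console), the same repository configuration and LTPA export as a wsadmin Jython script. The LDAP host, repository id, realm name, key file path, `-ldapServerType IDS` and the passwords are assumed values for this lab. Under wsadmin the AdminTask and AdminConfig objects come from the runtime; anywhere else the script switches to a dry run that only records the calls it would make, so the plan can be reviewed or tested without a cell.

```python
"""Federate the TAM LDAP suffix into TIP's embedded WAS and export its LTPA key.

Run inside wsadmin:   wsadmin.sh -lang jython -f tip_ldap_ltpa.py
Outside wsadmin the AdminTask/AdminConfig objects do not exist, so the script
falls back to a dry run that only records the calls it would have made.
Kept valid for the old Jython in eWAS (no print function, no True/False).
"""
import sys

# --- assumed lab values (not from the original post) -----------------------
LDAP_HOST  = "10.1.1.135"                        # assumed TDS host
LDAP_PORT  = 389
BIND_DN    = "cn=root"
BIND_PW    = "111111"
BASE_ENTRY = "cn=AppAccount,cn=groups,o=tivoli"  # container created via LDIF
REPO_ID    = "TAMLDAP"                           # assumed repository id
REALM      = "defaultWIMFileBasedRealm"          # default federated-repository realm
LTPA_FILE  = "/tmp/TIP_WAS_LTPA.key"             # copied to WebSEAL, used with -F
LTPA_PW    = "111111"                            # must equal -Z on the junction

_LOG = []   # dry-run record: (method, argument string), in call order


class _Call:
    """One callable stand-in for a wsadmin method (dry-run mode only)."""
    def __init__(self, method):
        self.method = method

    def __call__(self, *args):
        _LOG.append((self.method, args and args[0] or ""))
        return ""


class _Recorder:
    """Stands in for AdminTask/AdminConfig when not running under wsadmin."""
    def __init__(self, name):
        self.name = name

    def __getattr__(self, method):
        return _Call(self.name + "." + method)


try:
    AdminTask, AdminConfig      # injected by wsadmin
    DRY_RUN = 0
except NameError:
    AdminTask, AdminConfig = _Recorder("AdminTask"), _Recorder("AdminConfig")
    DRY_RUN = 1


def configure_ldap_repository():
    """Federated repositories by API: register the TDS server, make the
    AppAccount container its base entry and add that entry to the realm."""
    AdminTask.createIdMgrLDAPRepository(
        "[-id %s -ldapServerType IDS]" % REPO_ID)
    AdminTask.addIdMgrLDAPServer(
        "[-id %s -host %s -port %d -bindDN %s -bindPassword %s]"
        % (REPO_ID, LDAP_HOST, LDAP_PORT, BIND_DN, BIND_PW))
    AdminTask.addIdMgrRepositoryBaseEntry(
        "[-id %s -name %s]" % (REPO_ID, BASE_ENTRY))
    AdminTask.addIdMgrRealmBaseEntry(
        "[-name %s -baseEntry %s]" % (REALM, BASE_ENTRY))
    AdminConfig.save()          # TIP's WAS must be restarted afterwards


def export_ltpa_keys():
    """Export the cell's LTPA keys, password-protected with LTPA_PW.
    Whoever holds this file plus the password can mint tokens TIP accepts,
    so move it to WebSEAL over a trusted channel and delete the copy here."""
    AdminTask.exportLTPAKeys(
        "[-ltpaKeyFile file:%s -password %s]" % (LTPA_FILE, LTPA_PW))


def recorded_calls():
    """(method, argument string) pairs captured in dry-run mode; [] under wsadmin."""
    if not DRY_RUN:
        return []
    return list(_LOG)


def run():
    configure_ldap_repository()
    export_ltpa_keys()
    return recorded_calls()


if __name__ == "__main__" or __name__ == "main":   # wsadmin reports "main"
    for method, arg in run():
        sys.stdout.write("%s(%s)\n" % (method, arg))
```

Run it once outside wsadmin to read the exact AdminTask calls it will issue, then for real with wsadmin.sh; the junction command later in this post must use the same password as LTPA_PW and the same base entry as the pdadmin user DNs, or TIP will reject the token's user.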

Configure SSL trust between WebSEAL and TIP

Import the TIP WAS SSL certificate into WebSEAL

Extract the signer certificate from the TIP WAS key store (the default password of the WAS key store is WebAS) and add it to WebSEAL's pdsrv.kdb key database, so that the SSL junction can validate the certificate TIP presents on port 16311.

Import the WebSEAL certificate into TIP WAS

Extract the WebSEAL certificate from pdsrv.kdb (its default password is pdsrv) and add it as a signer to the TIP WAS trust store. Change both default key-database passwords on a real deployment.

Restart WebSEAL and TIP WAS.

Create the junction

pdadmin sec_master> server task default-webseald-rhel5 create -t ssl -h 10.1.1.134 -p 16311 -A -F /opt/pdweb/certs/TIP_WAS_LTPA.key -Z 111111 -j -c all -f /tip

Created junction at /tip

Here -t ssl creates an SSL junction to TIP on 10.1.1.134:16311 (WebSEAL's key database must trust the TIP certificate imported above); -A enables LTPA single sign-on, -F points at the LTPA key file exported from TIP and copied to WebSEAL, and -Z is the password the key was exported with; -j turns on junction cookies, -c all adds the iv-user, iv-groups and iv-creds headers to requests forwarded to TIP, and -f overwrites an existing junction at /tip. WebSEAL writes the TAM user name (here ssotest) into the LtpaToken cookie, so TIP can only map it to a user if its federated repository resolves that name under the same base entry, cn=AppAccount,cn=groups,o=tivoli. Anyone holding the key file together with the -Z password can mint tokens that TIP will accept, so keep its file permissions tight and do not leave spare copies around.

Test the SSO login

Browse to /tip/ibm/console through WebSEAL, log in at the WebSEAL form as ssotest, and confirm that the TIP console opens without a second login prompt.

Create an ACL to protect TIP WAS. Giving any-other and unauthenticated only T means anonymous users are sent to the WebSEAL login form, and after login only ssotest (and sec_master) can read the console; every other TAM user is refused. Only the /ibm/console subtree gets this ACL; the rest of the /tip junction keeps the ACL inherited from the object space root, so check with object show and acl find that nothing else under /tip needs protecting.

acl create tip_acl

acl modify tip_acl set user sec_master TcmdbsvaBRl

acl modify tip_acl set user ssotest Trx

acl modify tip_acl set any-other T

acl modify tip_acl set unauthenticated T

acl attach /WebSEAL/rhel5-default/tip/ibm/console tip_acl


pdadmin sec_master> acl show tip_acl

ACL Name: tip_acl

Description:

Entries:

User sec_master TcmdbsvaBRl

User ssotest Trx

Any-other T

Unauthenticated T

Configure single sign-off for WebSEAL and TIP

The path may differ between versions; search the TIP directory for customizationproperties to locate the file:

C:\IBM\Tivoli\tipv2\profiles\TIPProfile\config\cells\TIPCell\applications\isc.ear\deployments\isc\isclite.war\WEB-INF

Edit the logout settings in that file, then restart TIP.

In my testing this didn't really work~~~~
