One of the components of Tivoli Access Manager is its reverse proxy security server called WebSEAL. WebSEAL can front-end any Web application server or Web server in an enterprise e-business infrastructure. When WebSphere Application Server and WebSphere Portal are implemented behind WebSEAL, it is usually necessary to provide an SSO experience for the end user. In order to achieve SSO, the WebSphere Application Server needs to be configured to "trust" the WebSEAL server, so that if WebSEAL has already authenticated a user, Application Server will not challenge the user again. The flow is as follows:
1. User requests a resource protected by WebSEAL. User is challenged by WebSEAL for credentials, and the user supplies them.
2. WebSEAL authenticates the user by communicating with its user registry. It also determines whether the user is authorized to open the requested URL. Upon successful authentication of the end user, WebSEAL creates the LTPA token cookie.
3. The request is passed to the IBM HTTP Server using the junction that is configured for it. The junction from WebSEAL to IBM HTTP Server is configured to pass the iv-user, iv-groups information, and the LTPA Token that was created in Step 2, in the HTTP header.
4. The request is forwarded to the appropriate WebSphere Application Server or clone, as determined by the Application Server plug-in.
5. In WebSphere Application Server, the TAI is not enabled and Application Server receives the LTPA token in the header. Application Server only creates the session cookie for this user and assumes that the user has already been authenticated. WebSphere Portal searches LDAP for the group information, gets the resource mapping from the database, and then displays the portal page.
Logging in to the portal through WebSEAL sometimes gives the error below, even after the correct user ID and password have been provided.
This means that the LTPA token configured for WebSphere Portal on WebSEAL has expired.
Let's see how to export the keys from Portal and import them into WebSEAL.
Step 1: Log in to the Portal console using wpadmin.
Click Security > Secure administration, applications and infrastructure, and then click Authentication Mechanism and Expiration.
In the Cross-cell single sign-on section, type a password and an absolute path for the key file.
Click Export keys. The key file is generated.
Once the keys are generated, they need to be updated on WebSEAL.
Copy the key file to your local machine; it will be imported into the WebSEAL servers later.
Log in to TAM.
Go to Junctions and open /wps61dev (the junction that has the problem; in this case it is the dev portal).
The following needs to be updated:
1. Update the key file with the new file that was exported.
Copy the key file to the path /opt/pdweb/jct_keys.
2. Update the password. Repeat these steps on the other WebSEAL server as well.
Click Apply on the junction, then try to log in to the portal again; it should now succeed.
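As an added check (example code written for this page, not IBM's code or the original author's), the script below parses the exported LTPA key file and compares it with the copy on the WebSEAL junction, so a stale key file on the junction can be confirmed before the replacement and the match verified afterwards. The property names are the ones the WebSphere export writes; every value is a constructed placeholder, and the file paths are left to the caller.

```python
import base64
import re

# Fields of a WebSphere LTPA key export that the copy on the WebSEAL junction must
# match, or Portal rejects the tokens WebSEAL mints (values below are constructed).
LTPA_FIELDS = ("com.ibm.websphere.ltpa.3DESKey", "com.ibm.websphere.ltpa.PrivateKey",
               "com.ibm.websphere.ltpa.PublicKey", "com.ibm.websphere.ltpa.Realm")

def parse_ltpa_keyfile(text):
    """Parse the Java-properties style export, undoing the backslash
    escapes (\\: and \\=) that WebSphere writes into values."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")   # the first '=' is the separator
        props[key.strip()] = re.sub(r"\\(.)", r"\1", value.strip())
    return props

def check_3des_blob(props):
    """3DESKey is the password-encrypted shared secret: valid base64, whole 8-byte blocks."""
    try:
        raw = base64.b64decode(props["com.ibm.websphere.ltpa.3DESKey"], validate=True)
    except (KeyError, ValueError):
        return False
    return len(raw) > 0 and len(raw) % 8 == 0

def compare_keyfiles(portal, webseal):
    """Per field: 'ok', 'mismatch' or 'missing' between the export and the junction copy."""
    report = {}
    for field in LTPA_FIELDS:
        if field not in portal or field not in webseal:
            report[field] = "missing"
        else:
            report[field] = "ok" if portal[field] == webseal[field] else "mismatch"
    return report

def _b64prop(raw):
    return base64.b64encode(raw).decode().replace("=", r"\=")  # escape as the export does

PORTAL_EXPORT = f"""# constructed sample: fresh export from the Portal console
com.ibm.websphere.CreationDate=Mon Jan 01 12\\:00\\:00 GMT 2024
com.ibm.websphere.ltpa.Realm=defaultWIMFileBasedRealm
com.ibm.websphere.ltpa.3DESKey={_b64prop(b'A' * 32)}
com.ibm.websphere.ltpa.PrivateKey={_b64prop(b'private-key-placeholder')}
com.ibm.websphere.ltpa.PublicKey={_b64prop(b'public-key-placeholder')}
"""
# Stale copy still sitting on the junction: same realm, old shared secret.
WEBSEAL_COPY = PORTAL_EXPORT.replace(_b64prop(b"A" * 32), _b64prop(b"B" * 32))
```

Run it against the real files by reading the export and the junction copy from /opt/pdweb/jct_keys into the two parse calls; a "mismatch" on the 3DESKey confirms the junction is still using the old keys.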