Troubleshooting Your SSO Configuration

     

If you do have a problem with SSO between Domino and WebSphere, check the following:

  • Ensure that the Web SSO Configuration document in the Domino Directory has been replicated to all servers participating in the SSO relationship. You should also do this if you have modified this document.

  • Ensure that you are using the same LDAP directory for both Domino and WebSphere and that the directory is accessible from all servers in your SSO domain. The LDAP utility ldapsearch provided by Domino comes in handy here.

  • Ensure that fully qualified host addresses are used in URLs when accessing the protected resources from a browser. The LTPA cookies are only generated for requests that specify a fully qualified host address.

  • Ensure that the LDAP Realm Name specified in the Domino Web SSO Configuration document matches the hostname and port specified for the LDAP user registry in WAS.

  • Ensure that the user registry (LDAP directory) contents contain the attributes that will satisfy the search filters used for authentication.

  • Ensure that the access control information associated with the protected resources is specified correctly. For example, distinguished names in Domino database ACLs should be specified as "cn=SomeName/ou=Dept/o=MyOrg", with "/" separators and not commas.

  • Ensure that the time zones are specified correctly for the servers participating in SSO.

  • Re-import the LTPA keys to Domino on any change to the WAS security configuration. (The LTPA keys may be regenerated by WAS on a configuration change.)

  • Restart the Domino server after any change to the Web SSO Configuration document.
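
Several of the checks above (fully qualified hosts in URLs, the realm name matching the WAS LDAP registry, "/" separators in ACL names) can be scripted as a pre-flight test. The following Python sketch is an added example, not code from the book or from IBM; the configuration dictionary, its key names and all sample values are constructed, and treating "fully qualified" as "ends with the site's SSO DNS domain" is an assumption.

```python
from urllib.parse import urlsplit

def check_url_host(url, sso_dns_domain):
    """Return a problem string, or None if the URL host is fully qualified."""
    host = (urlsplit(url).hostname or "").lower()
    if "." not in host:
        return f"{url}: short host name '{host}' is not fully qualified"
    # Assumption: every SSO participant lives under one DNS domain.
    if not host.endswith("." + sso_dns_domain.lower().lstrip(".")):
        return f"{url}: host '{host}' is outside the SSO domain '{sso_dns_domain}'"
    return None

def check_realm(domino_realm, was_ldap_host, was_ldap_port):
    """The Domino LDAP realm must equal the WAS registry's host:port."""
    expected = f"{was_ldap_host}:{was_ldap_port}"
    if domino_realm.strip() != expected:
        return f"LDAP realm '{domino_realm}' does not match WAS registry '{expected}'"
    return None

def check_acl_name(name):
    """Domino ACL names use '/' between components, not LDAP-style commas."""
    if "=" in name and "," in name:
        fixed = "/".join(part.strip() for part in name.split(","))
        return f"ACL entry '{name}' uses commas; expected '{fixed}'"
    return None

def preflight(cfg):
    """Run all checks and return the list of problems found."""
    problems = [check_url_host(u, cfg["sso_dns_domain"]) for u in cfg["urls"]]
    problems.append(check_realm(cfg["domino_ldap_realm"],
                                cfg["was_ldap_host"], cfg["was_ldap_port"]))
    problems += [check_acl_name(n) for n in cfg["acl_names"]]
    return [p for p in problems if p]

# Constructed sample configuration (hypothetical hosts and names).
SAMPLE = {
    "sso_dns_domain": "example.com",
    "urls": ["http://domino1.example.com/mail.nsf", "http://domino1/mail.nsf"],
    "domino_ldap_realm": "ldap.example.com",   # port missing on purpose
    "was_ldap_host": "ldap.example.com",
    "was_ldap_port": 389,
    "acl_names": ["cn=SomeName/ou=Dept/o=MyOrg", "cn=SomeName,ou=Dept,o=MyOrg"],
}

if __name__ == "__main__":
    for problem in preflight(SAMPLE):
        print("FAIL:", problem)
```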

The following trace logs are useful for determining problems with an SSO configuration:

  • The WAS SystemOut.log and SystemErr.log files under $WASROOT/logs/servern.

  • A trace log file generated by enabling the following WAS traces: SASRas=all=enabled:com.ibm.ws.security.*=all=enabled. This trace is useful in determining problems with security constraint specifications.

  • The HTTP WAS plug-in log file (specified in the plug-in XML configuration file).

  • The Domino Web Server Log (if Domino HTTP server is being used).

  • The HTTP server log file (if another HTTP server is being used).

  • A trace log for the LDAP directory server.

Supported Configurations: Domino and WebSphere

At the time of the writing of this book, the most recent version of Domino generally available was R6.5. The first version for which SSO can be enabled was R5.0.5. On the WebSphere side, things are slightly more complicated. The first version of WebSphere Application Server (Advanced Edition) for which SSO can be enabled is version 3.5, with PTF (fixpack) number 1, sometimes expressed as version 3.5.1. The versions of WAS and Domino described in this chapter are WAS 5.0.1 and Domino 6.02 CF2.



IBM WebSphere and Lotus Implementing Collaborative Solutions
ISBN: 0131443305
Year: 2003
Pages: 169
