Configure PassPort SSO

The arrows represent the direction of the connection initialization. In SSO mode, the user reaches the component () server through the SSO Agent, which acts as a proxy: the user's browser talks to the SSO Agent, and the SSO Agent opens the connection to the component.

For SSO usage, you must set the following parameters in the component screen () of Administration:

  • CAS SSO – Unchecked
  • SSO Port – Optional. Set this only when SSO URL is not set. Use the SSO port of the Apache Tomcat installed with AIS Tools. On first use of the product, the SSO URL is computed from the value of SSO Port.
  • SSO URL – The URL the SSO Agent uses to connect to the component (). It must use the same port as the SSO port of the Apache Tomcat installed with AIS Tools. When WebSphere or another Apache Tomcat installation is used, that server must be configured to require a client certificate on the connector serving this URL, so that only the SSO Agent (which authenticates with its client certificate) can open connections to it.

Change certificates used for SSO

The SSL connection from the UI users is provided by the SSO Agent. To change the server certificate of SSO Agent, refer to the “SSO certificates” section of the PassPort Administrator Guide.

The connection between SSO Agent and is mutually authenticated SSL. SSO Agent connects to the application server that hosts and uses a client certificate to authenticate itself to the server.

To change the server certificate of the application server that hosts :

  • If the application server is the Apache Tomcat installed with AIS Tools, edit <AIS Tools installation>/apache-tomcat/conf/server.xml and update the following attributes of the Connector element whose port attribute equals the SSO port set during installation:
    • keystoreFile – The location of the keystore file that contains the server certificate. Use a location outside the installation tree; otherwise a service pack or patch might overwrite the keystore.
    • keystorePass – The password that protects the keystore file.
    • keyAlias (optional) – Required if the keystore contains more than one server certificate, to select the proper one.
    • keystoreType (optional) – Required if the keystore is not in JKS format; for example, use pkcs12 if the file is in PKCS12 format (.p12 file). The Tomcat attribute name is keystoreType, not keyType.
    • keyPass (optional) – Required if the private key in the keystore is protected with a password different from keystorePass.
  • Make the certificate trusted by the SSO Agent – Import the CA that signed the server certificate into <PassPort installation>/sso/webapps/ROOT/truststore.jks. Also remove the PassPort CA entry if no other product that uses this SSO Agent still relies on the default certificates; as long as it stays in the truststore, any server certificate issued by the default CA is accepted for this connection. For more information, refer to "SSO certificates" in the PassPort Administrator Guide.

To change the SSO Agent client certificate:

  • Change the client certificate. Refer to "SSO certificates" in the PassPort Administrator Guide.
  • Make this certificate trusted by the application server:
    • Create a truststore that contains the CA that signed the client certificate of SSO Agent:
    • keytool -importcert -trustcacerts -file <fileContainingCA> -keystore <truststoreFile.jks> -alias <nameOfCA>
    • If the application server is Apache Tomcat:
      • Edit the server.xml file. If Tomcat was installed with AIS Tools, the file is located at <AIS Tools installation>/apache-tomcat/conf/
      • Update the following attributes in the appropriate Connector element. If Tomcat was installed with AIS Tools it is the element that has the same value for the attribute port as the SSO port set during installation:
        • truststoreFile – Use the path of the truststore file created before
        • truststorePass – Use the password that was typed during the creation of the truststore
    • If the application server is WebSphere, configure the created truststore as the trust store of the SSL Configuration used for the SSO connection (the SSL Keystore object that the SSL Configuration references as its trust store).
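The two Tomcat procedures above (changing the server certificate, and trusting the SSO Agent client certificate) both end in the same Connector element, and a mistake there is silent until the SSO Agent fails to connect or, worse, connects without being authenticated. The following check is an added example, not part of this page or of the Axway product: it parses server.xml, finds the Connector on the SSO port and reports settings that leave the SSO connection weaker than the text requires. clientAuth is Tomcat's Connector attribute for demanding a client certificate ("true" rejects clients without one, "want" only asks). The sample server.xml documents, the SSO port 6443, the keystore paths and the passwords in them are constructed for this example.

```python
"""Audit the Tomcat Connector that serves the PassPort SSO port.

Added example, not Axway code. Finds the Connector whose port equals the
SSO port and checks the attributes the page tells you to edit
(keystoreFile, keystorePass, keystoreType, keyPass, truststoreFile,
truststorePass) plus clientAuth. All samples below are constructed.
"""
import xml.etree.ElementTree as ET

SSO_PORT = 6443  # assumed SSO port chosen during the AIS Tools installation

# Constructed sample: SSO connector still at installation-style defaults.
DEFAULT_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="6443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="conf/sso.jks" keystorePass="changeit"
               truststoreFile="conf/truststore.jks" truststorePass="changeit"
               clientAuth="want"/>
  </Service>
</Server>
"""

# Constructed sample after the procedure: keystore moved out of the
# installation tree, PKCS12 type declared, client certificate required.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="6443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="/etc/pki/passport/tomcat-sso.p12"
               keystoreType="pkcs12" keystorePass="Kx7#pUq2mR9v"
               keyAlias="tomcat-sso"
               truststoreFile="/etc/pki/passport/sso-agent-ca.jks"
               truststorePass="Tr4!nWz8bL3e"
               clientAuth="true"/>
  </Service>
</Server>
"""

# Keystores shipped inside the installation get overwritten by patches; these
# names are assumptions standing in for the real installation defaults.
DEFAULT_KEYSTORE_PATHS = {"conf/sso.jks", "conf/keystore.jks"}
WEAK_PASSWORDS = {"changeit", "password", "secret"}


def find_sso_connector(server_xml, sso_port):
    """Return the attribute dict of the Connector on sso_port, or None."""
    root = ET.fromstring(server_xml)
    for connector in root.iter("Connector"):
        if connector.get("port") == str(sso_port):
            return dict(connector.attrib)
    return None


def audit_connector(attrs):
    """Return a list of findings; an empty list means the connector passes."""
    findings = []
    if attrs.get("SSLEnabled", "false").lower() != "true":
        findings.append("SSLEnabled is not true: the SSO port is plain HTTP")
    # "want" only asks for a certificate; "true" rejects clients that do not
    # present one, which is what a mutually authenticated SSO link needs.
    if attrs.get("clientAuth", "false").lower() != "true":
        findings.append('clientAuth must be "true" so clients without a certificate are rejected')
    for key in ("keystoreFile", "keystorePass", "truststoreFile", "truststorePass"):
        if not attrs.get(key):
            findings.append(f"{key} is missing")
    keystore = attrs.get("keystoreFile", "")
    if keystore in DEFAULT_KEYSTORE_PATHS:
        findings.append("keystoreFile still points at a default keystore that a patch may overwrite")
    if keystore.lower().endswith((".p12", ".pfx")) and attrs.get("keystoreType", "JKS").lower() != "pkcs12":
        findings.append('keystoreFile is PKCS12 but keystoreType is not "pkcs12"')
    for key in ("keystorePass", "truststorePass", "keyPass"):
        if attrs.get(key, "") in WEAK_PASSWORDS:
            findings.append(f"{key} is a well-known default password")
    return findings


def audit_server_xml(server_xml, sso_port=SSO_PORT):
    """Locate the SSO connector and audit it; missing connector is a finding."""
    attrs = find_sso_connector(server_xml, sso_port)
    if attrs is None:
        return [f"no Connector listens on the SSO port {sso_port}"]
    return audit_connector(attrs)


if __name__ == "__main__":
    for name, xml in (("default", DEFAULT_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        findings = audit_server_xml(xml)
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it against a real server.xml by replacing the constructed strings with the file contents and SSO_PORT with the port chosen at installation; the default sample yields four findings (clientAuth, default keystore path, two default passwords) and the hardened one none.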

Configure CAS SSO (new SSO)

The arrows represent the direction of the connection initialization. With CAS SSO, the user opens the SSO landing page served by the SSO Agent, and when the user chooses a product the browser is redirected to that product's URL. The user then accesses the product directly, but through an embedded SSO filter that manages the user's session. The SSO filter communicates with the SSO Agent to keep track of user sessions.

For CAS SSO usage, you must use Administration to set the following parameters for :

  • CAS SSO – Checked
  • SSO Port – Optional. Set this only when SSO URL is not set. Use the value used as HTTPS port of the Apache Tomcat installed with AIS Tools. On the first usage of the product, the SSO URL will be computed based on the value of SSO Port.
  • SSO URL – The URL the SSO Agent uses to redirect to the component (). Usually, this should have the same value as Component URL. This must be the URL where the user’s browser can access the product.

For CAS SSO usage, you must use Administration to set the following parameters for the PASSPORT section in the default or designer application screen:

  • SSO Server host – The hostname of the PassPort SSO Agent. When PassPort is installed with the option Host SSO Agent in PassPort Server, this is the same as Server host.
  • SSO Secured port – The port of the PassPort SSO Agent.
  • SSO Client Authentication port – The SSO client authentication port of the PassPort SSO Agent.

Change certificates used for CAS SSO

To change the server certificate of the SSO Agent:

  • Refer to "SSO certificates" in the PassPort Administrator Guide for how to change the server certificate of SSO Agent
  • In the file < installation>/war/WEB-INF/truststore.jks, add the CA that signed the SSO Agent server certificate, and remove the PassPort CA:
  • keytool -importcert -trustcacerts -file <fileContainingCA> -keystore truststore.jks -alias <nameOfCA>
  • keytool -delete -alias passportca -keystore truststore.jks
  • The default password of this truststore is axway*. Because that default is publicly documented, consider changing it with keytool -storepasswd -keystore truststore.jks.

Change the client certificate of the SSO Filter

To change the client certificate of the SSO Filter:

  • Create a new keystore containing the client certificate.
  • Copy this keystore to < installation>/war/WEB-INF/. Use a keystore file name different from the default one (ssofilter.jks), because a service pack or patch might overwrite the default file.
  • Edit < installation>/war/WEB-INF/ssofilter.properties and update the following properties:
    • keyStore – with the path of the newly created keystore, relative to < installation>/war
    • keyStorePawd – with the password of the newly created keystore
    • privateKeyEntry – with the alias of the private key entry in the newly created keystore
    • privateKeyPwd – with the password that protects the private key inside the keystore
    • certificateEntry – with the alias of the client certificate in the newly created keystore
Note   The client certificate of SSO Filter must be signed by the same CA that signed the SSO Agent client certificate.
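The ssofilter.properties edits above are easy to get subtly wrong: a property left out, a keyStore that still names the patch-overwritable ssofilter.jks, or a path that is not relative to < installation>/war. The following script is an added example, not part of this page or of the Axway product: it reads a Java .properties file (key=value or key: value, # and ! comments, backslash continuation lines) and reports those mistakes. Property names are taken from the page as written, including keyStorePawd; the two sample files, their passwords and the /opt/passport installation path are constructed for this example.

```python
"""Check the SSO Filter client-certificate properties.

Added example, not Axway code. Parses ssofilter.properties and flags a
missing property, the default ssofilter.jks keystore, and a keyStore path
that is not relative to <installation>/war. All samples are constructed.
"""
import posixpath

# Property names exactly as the page lists them.
REQUIRED = ("keyStore", "keyStorePawd", "privateKeyEntry",
            "privateKeyPwd", "certificateEntry")
DEFAULT_KEYSTORE = "ssofilter.jks"
WAR_DIR = "/opt/passport/war"  # assumed <installation>/war

# Constructed sample in the shape of the shipped file (placeholder password).
DEFAULT_PROPERTIES = """# SSO Filter client certificate
keyStore=WEB-INF/ssofilter.jks
keyStorePawd=changeit
privateKeyEntry=ssofilter
privateKeyPwd=changeit
certificateEntry=ssofilter
"""

# Constructed sample after the procedure: new keystore under WEB-INF with a
# non-default name; also exercises ':' separators and a continuation line.
CUSTOM_PROPERTIES = """! client certificate issued by the SSO CA, 2025 rollover
keyStore = WEB-INF/ssofilter-2025.p12
keyStorePawd: Vq8#mLp2Zr4t
privateKeyEntry=sso-filter-\\
    client
privateKeyPwd=Vq8#mLp2Zr4t
certificateEntry=sso-filter-client
"""


def parse_properties(text):
    """Minimal Java .properties reader (no \\uXXXX or escaped separators)."""
    props = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] in "#!":
            continue
        # A trailing backslash joins the next line, leading whitespace dropped.
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        # Key ends at the first '=' or ':'; otherwise at the first whitespace.
        seps = [line.index(c) for c in "=:" if c in line]
        if seps:
            cut = min(seps)
            key, value = line[:cut], line[cut + 1:]
        else:
            parts = line.split(None, 1)
            key, value = parts[0], parts[1] if len(parts) > 1 else ""
        props[key.strip()] = value.strip()
    return props


def resolve_keystore(props, war_dir=WAR_DIR):
    """Absolute keystore path; the page defines keyStore relative to <installation>/war."""
    return posixpath.normpath(posixpath.join(war_dir, props.get("keyStore", "")))


def audit_ssofilter(props):
    """Return a list of findings; an empty list means the file passes."""
    findings = []
    for key in REQUIRED:
        if not props.get(key):
            findings.append(f"{key} is missing or empty")
    keystore = props.get("keyStore", "")
    if keystore:
        if posixpath.basename(keystore) == DEFAULT_KEYSTORE:
            findings.append("keyStore is the default ssofilter.jks, which a service pack or patch may overwrite")
        if posixpath.isabs(keystore) or keystore.startswith(".."):
            findings.append("keyStore must be a path relative to <installation>/war")
    return findings


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_PROPERTIES), ("custom", CUSTOM_PROPERTIES)):
        props = parse_properties(text)
        print(f"{name}: keystore resolves to {resolve_keystore(props)}")
        for finding in audit_ssofilter(props):
            print("  -", finding)
```

The script does not open the keystore itself; it only validates what the properties file says. Whether the certificate inside is signed by the same CA as the SSO Agent client certificate (the Note above) still has to be confirmed with keytool -list -v on both keystores.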
