Using OpenID Connect in IBM InfoSphere Information Server 11.7.1.1 Service Pack 2 (or later) installations

How To

Summary

In InfoSphere Information Server 11.7.1.1 Service Pack 2, support for OpenID Connect is added to a limited set of Information Server web applications.
After the Service Pack is installed, OpenID Connect must be installed and configured. OpenID Connect is supported only in WebSphere Application Server Network Deployment installations.

Objective

Set up and use OpenID Connect in the Information Server web applications that support it.

Environment

Information Server 11.7.1.1 with Service Pack 2, and OpenID Connect.

Steps

1) Install OpenID Connect

  1. Get the latest OpenID Connect fix pack from the technote.
  2. In Configuring an OpenID Connect Relying Party, see step 12 for instructions on installing the OpenID Connect application.

2) Configure OpenID Connect provider’s client

  In Troubleshoot: OpenID Connect, WebSphere traditional, follow the steps in the section:

  How can I set up my Google™ API Console project so that I can use the Google OP with the WebSphere OIDC TAI?

3) Configure OpenID Connect in WebSphere administration console

Open the WebSphere administration console.

3.1) Set TAI Custom properties

  1. Click Security > Global security > Web and SIP security > Trust association.
  2. Click Interceptors.
  3. Click New to add an interceptor.
  4. Enter the interceptor class name: com.ibm.ws.security.oidc.client.RelyingParty.
  5. Add custom properties for your environment. The following custom properties are required; see OpenID Connect Relying Party custom properties for details of each property:

    provider_1.identifier: The value of this property can be any string. For example, if it is specified as "rp", append the same string to the end of the redirect URL in the OpenID Connect provider's client configuration, that is, https://<IS_HOST>:<port>/oidcclient/rp

    provider_1.discoveryEndpointUrl: This value can be obtained from the OpenID Connect provider's client configuration. By default, it is https://accounts.google.com/.well-known/openid-configuration

    provider_1.clientId: This value can be obtained from the OpenID Connect provider's client configuration.

    provider_1.clientSecret: This value can be obtained from the OpenID Connect provider's client configuration.

    provider_1.filter: This value is fixed. All Information Server web applications that support OpenID Connect are listed here, that is, Launchpad, Operations Console, IMAM, and IA:
        request-url^=oidcclient|snoop|/ibm/iis/launchpad/index.jsp|/ibm/iis/ds/console/login.jsp|/ibm/iis/imam/console/loginForm.jsp|/ibm/iis/dq/da/login.jsp

    provider_1.useRealm: Specify ASBRealm as the value. This realm uses the Information Server internal user repository stored in the XMETA database.
  6. Click Apply and save this configuration.
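The provider_1.filter value above decides which requests the relying-party TAI intercepts. The following Python helper is an added example (not IBM code) that evaluates that filter against sample request URLs so an administrator can confirm, before restarting WebSphere, which Information Server URLs will be sent to the OpenID Connect provider. It assumes WebSphere's `^=` filter operator means "the request URL contains one of the listed values"; the sample URLs and host name are constructed.

```python
import re
from urllib.parse import urlsplit

# Filter value copied verbatim from the technote's provider_1.filter property.
PROVIDER_1_FILTER = (
    "request-url^=oidcclient|snoop|/ibm/iis/launchpad/index.jsp"
    "|/ibm/iis/ds/console/login.jsp|/ibm/iis/imam/console/loginForm.jsp"
    "|/ibm/iis/dq/da/login.jsp"
)


def parse_filter(expr):
    """Split a 'request-url^=a|b|c' condition into its alternatives.

    Assumption: '^=' is WebSphere's "contains one of" TAI filter operator,
    so the interceptor fires when the request URL contains any alternative.
    Only the request-url key used by this technote is handled here.
    """
    match = re.fullmatch(r"(\S+?)\^=(.*)", expr.strip())
    if not match:
        raise ValueError("expected a single 'key^=value|value' condition")
    key, values = match.groups()
    if key != "request-url":
        raise ValueError(f"unsupported filter key: {key}")
    return [v for v in values.split("|") if v]


def is_intercepted(url, expr=PROVIDER_1_FILTER):
    """Return True if the OIDC TAI would intercept a request for this URL.

    The match is a plain substring test on the URL path (assumption: the
    filter is compared against the request URL, not the query string).
    """
    path = urlsplit(url).path
    return any(alternative in path for alternative in parse_filter(expr))


def classify(urls, expr=PROVIDER_1_FILTER):
    """Map each sample URL to whether the OIDC TAI intercepts it."""
    return {u: is_intercepted(u, expr) for u in urls}


if __name__ == "__main__":
    # Constructed sample requests against a services tier host.
    base = "https://is.example.com:9443"
    for url, hit in classify([
        base + "/ibm/iis/launchpad/index.jsp",
        base + "/ibm/iis/ds/console/login.jsp",
        base + "/oidcclient/rp",
        base + "/ibm/iis/console",   # Administration console: own login page
    ]).items():
        print(f"{'OIDC' if hit else 'local'}  {url}")
```

A URL that maps to `local` keeps its application's own login page, which matches the behaviour described in step 6 for applications other than the four listed.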

3.2) Set Custom properties

  1. Depending on your WebSphere installation, click:

     For a clustered installation:
         Security > Security domains > IBM_Information_Server_sd > Custom properties

     For a stand-alone installation:
         Security > Global security > Custom properties

  2. Set the property com.ibm.websphere.security.continueAfterTAIError to false.
  3. Click Apply and save this configuration.

3.3) Import the OpenID Connect provider's SSL signer certificate to the WebSphere Application Server's truststore

  1. Expand Security and click SSL certificate and key management.
     Under Configuration settings, click Manage endpoint security configurations.
  2. Select the appropriate outbound configuration to get to the cell management scope.
  3. Under Related Items, click Key stores and certificates, and then, depending on your WebSphere installation:
         Clustered: click the CellDefaultTrustStore keystore
         Stand-alone: click the NodeDefaultTrustStore keystore
  4. Under Additional Properties, click Signer certificates and Retrieve From Port.
  5. Provide values for the following as indicated:
         Host - OpenID Connect provider's host name
         Port - OpenID Connect provider's port
         Alias - oidc_cert
  6. Click Retrieve Signer Information.
  7. Verify that the certificate information is for a certificate that you can trust.
  8. Click Apply and Save.

4) Configure OpenID Connect in Information Server

Log in to your services tier machine and run the following commands to set the OpenID Connect related properties:
    a. <IS_HOME>/ASBServer/bin/iisAdmin.sh -set -key com.ibm.iis.isf.security.OpenId -value true
    b. <IS_HOME>/ASBServer/bin/iisAdmin.sh -set -key com.ibm.iis.isf.security.AllowedRefererDomainNames -value <hostDomain>
       where <hostDomain> is the OpenID Connect provider's host domain name, for example google.com.

5) Restart WebSphere

Restart WebSphere for all of the above changes to take effect.

6) Information Server applications supported with OpenID Connect

  1. The following applications are directly supported and intercepted by using the corresponding URLs:
     1. IIS launchpad - https://<Services tier host>:<port>/ibm/iis/launchpad/index.jsp
     2. Operations console - https://<Services tier host>:<port>/ibm/iis/ds/console
     3. Information Analyzer - https://<Services tier host>:<port>/ibm/iis/dq/da
     4. IMAM - https://<Services tier host>:<port>/ibm/iis/imam/console

  2. For all other applications available in the Information Server launchpad, the flow is as follows:
     a. Open the launchpad:
        https://<Services tier host>:<port>/ibm/iis/launchpad/index.jsp
     b. The request is intercepted; provide the OpenID credentials.
        If OpenID authentication was already completed elsewhere, this step is skipped.
     c. If the credentials are valid, the request is redirected to the launchpad.
     d. In the launchpad, click any application to go to the login page of that application for second factor authentication.

     For example:
     a. Open the launchpad.
     b. Provide the OpenID credentials.
     c. In the launchpad, open an application. For the Administration console, the login page is displayed for second factor authentication.

Document Location

Worldwide

Document Information

Modified date:
07 July 2021

UID

ibm16466263