I want to make Portofino a partnerapp for josso, and i did the steps described here: http://www.manydesigns.com/documentation/tutorials/integration-with-josso.html,
but I don't know how to connect josso with portofino because they use different servers.
JOSSO has two parts: gateway and agent.
Gateway can be installed anywhere (and should be configured with a specific datastore), but agent should be installed on all servers that consume JOSSO authentication. JOSSO agent installs its hooks on web servers to control access.
So, you should install JOSSO agent on the web server instance that portofino runs on.
Related
I'm trying to host web pages using Win Server 2016. Currently, I have Jira and my personal web (IIS) servers. Using AWS, I currently have "myec2.com:port1" and "myec2.com/port2" running fine. And I'm planning to buy a domain "myname.com" to be connected to "myec2.long.name.com"
What I hope to do is "myname.com/jira" and "myname.com/mypage" or "jira.myname.com" and "mypage.myname.com" can redirect to Jira server and the IIS server. Is there a way I can achieve this goal?
Thanks in advance.
If you buy a domain like myname.com you will be able to configure any number of sub-domains such as jira.myname.com or mypage.myname.com as you like.
Usually what you would do is point those sub-domains to your server's IP then handle requests to those domains by setting up a web server (like apache or nginx) and configuring a virtual host (apache) or a server block (nginx) for each one of those sub-domains.
We have a simple system with a REST service (WebAPI) that will be hosted on one machine (hosted on IIS on a custom port, port numer 3031) and with a website hosted on another machine that will be talking to the service.
We want both to use SSL, so as I understand we will need to purchase two separate SSL certificates for the production deployment on the Internet.
Does that sound right?
If so, then I don't know how do I request and purchase a certificate for the WebAPI REST service... The service will be hosted on a custom port 3031, should I purchase a normal certificate for the domain name of the machine where the service will be hosted? And then should I basically install the certificate on the IIS on that machine (like it's described here: https://learn.microsoft.com/en-us/aspnet/web-api/overview/security/working-with-ssl-in-web-api).
How will I be able to perform a verification of the domain for the purchased certificate if I'm going to use the certificate for a REST service on a custom port? (not for a regular website).
Apologies for my ignorance, I have searched the forum to find an answer to my issue, but I didn't find one, maybe it's because my very limited knowledge about certificates and security.
I used OWSM policy Oracle/wss_http_token_service_policy on the rest based proxy service, it is working fine (authenticating with basic.credentilas) in my local machine weblogic server but not supporting in the dev/test server, so what extra setting is required here? or do we need to use any other policy, I want to use just the basic authentication configured in my realms. Could you please advise.
While running two app servers (which has mobilefirst servers hosted 7.1 version) from ibm http server, only one server runs successfully on keeping only one of the Route attribute active in the plugin-cfg.xml of the http server. In the server which is not running, the following error is seen in the messages.log.
CWWKS4001E: The security token cannot be validated. This can be for the following reasons
1. The security token was generated on another server using different keys.
2. The token configuration or the security keys of the token service which created the token has been changed.
3. The token service which created the token is no longer available.
Kindly guide in resolving the error above.
Thanks.
Sounds like your two servers have not exchanged/shared LTPA keys and IHS and the WAS Plugin are a red herring.
http://www.ibm.com/support/knowledgecenter/SSAW57_liberty/com.ibm.websphere.wlp.nd.doc/ae/twlp_sec_ltpa.html
http://www.ibm.com/support/knowledgecenter/SSAW57_liberty/com.ibm.websphere.wlp.nd.doc/ae/twlp_sec_sso.html
Note: For SSO to work across Liberty servers, full profile servers, or both, set the following resources:
The servers must use the same LTPA keys and share the same user registry.
Sounds like communication issue between two servers. Are the inbound ports opened on another server to communicate with HTTP server? if they are opened use telnet and test whether both servers (HTTP and app server) are communicating with each other.
On HTTP Server, open command prompt and enter below command.
telnet <app server ip> <app server port>
If this is not successful then you need to open ports on app server.
Our IT staff refuses to install the SiteMinder agent on our application's IIS 6.0 web server, citing security concerns as it is a third-party software, as well as the possibility of high resource utilization impacting application performance.
They suggest that we set up an independent, segregated web server containing only a bare-bones IIS, the SiteMinder Agent, and a "shim" to authenticate login attempts.
This shim would be a single ASPX page marked to be protected by the agent. It would use the SiteMinder agent to authenticate the user ID, look up the user ID in the application's database, and return the user ID and password to the user's browser. A JavaScript function would then POST the user ID and password to the application's existing login page as if they typed it in themselves.
Are their concerns warranted? Why or why not?
Have you ever heard of anyone implementing a similar architecture?
Is their proposed solution good, bad, or ugly?
It does not look like it would work, because the agent manages not only the initial login, but subsequent calls to the application, i.e. authenticated session. The agent examines the cookie, validates it, etc. Your scenario does not describe how that would happen.
In our environment, all internet traffic goes through an Apache reverse proxy before hitting IIS. IIS is behind firewall. The Apache reverse proxy has the SM agent all it does is redirect the traffic to IIS. I suppose it would be feasible to do a similar setup with IIS acting as a reverse proxy.
BTW, tell your IT guy that his proposed shoestring and bubblegum login solution is a much bigger security concern than installing SiteMinder on IIS.
The apache reverse proxy solution will definitely work, but with SiteMinder r12.51, Secure Proxy Server is included, which is basically SiteMinder's version of a reverse proxy (plus a lot more).
SPS will let you configure a single server as a "gateway" for all of your applications that can't or won't install a SiteMinder agent. The web agent is embedded in SPS and a proprietary Java app does the heavy lifting. SPS also has a GUI which follows the look and feel of the r12 WAMUI, which makes configuring it very simple.
Secure Proxy Server also has a Federation Gateway feature, so you don't need to install the web agent option pack if you are doing SAML Federation. All of your fcc pages can also be served by the SPS, so you can reduce the number of webservers needed to support your SSO environment.