Administer > System security > FIPS mode > Configuring LW-SSO in FIPS mode > Configure LW-SSO in the Mobility Client for FIPS mode

Configure LW-SSO in the Mobility Client for FIPS mode

If Lightweight Single Sign-On (LW-SSO) is enabled on both the Service Manager (SM) server and the Mobility Client, Service Manager authentication will be bypassed if you have logged into another web application that also has LW-SSO enabled. The detailed bypass criteria includes both the protected domain/IP/DNS name and the initial LW-SSO string.

Prerequisites

Before you proceed, make sure of the following:

As an example, the following procedure assumes that you are deploying the Mobility Client on Tomcat.

To enable LW-SSO on the Mobility Client for FIPS mode, follow these steps:

  1. Extract the webapp-9.xx.xxxx.war file in an archive management program to the <Tomcat>/webapps directory.
  2. Open the security.xml file located in the <Tomcat>/webapps/<Mobility>/WEB-INF/spring directory in a text editor.
  3. Update the security.xml file.
    1. Locate the following scripts:

      <!-- <security:custom-filter ref="preAuthenticationFilter" after="SECURITY_CONTEXT_FILTER"/>
              <security:custom-filter ref="lwSsoFilter" before="BASIC_AUTH_FILTER"/>
              <security:custom-filter ref="springSecurity2lwssoIntegrationFilter" position="LAST"/> -->
      
    2. Uncomment the second and third lines to enable LW-SSO, as shown in the following:

      <!-- <security:custom-filter ref="preAuthenticationFilter" after="SECURITY_CONTEXT_FILTER"/> -->
              <security:custom-filter ref="lwSsoFilter" before="BASIC_AUTH_FILTER"/>
              <security:custom-filter ref="springSecurity2lwssoIntegrationFilter" position="LAST"/> 
    3. Save the file.
  4. Open the lwssofmconf.xml file located in the <Tomcat>/webapps/<Mobility>/WEB-INF/classes directory in a text editor.
  5. Update the lwssofmconf.xml file.
    1. Change the enableLWSSOFramework parameter to true (default: false).

      <enableLWSSO enableLWSSOFramework="true" enableCookieCreation="true" cookieCreationType="LWSSO" enableSAML2Support="false"/>
    2. Locate the following section.

      <lwssoValidation>
                  <domain>example.com</domain>
                  <crypto cipherType="symmetricBlockCipher"
                    engineName="AES" paddingModeName="CBC" keySize="256"
                    encodingMode="Base64Url"
                    initString="This is a shared secret passphrase"/>
                  <!-- When Service Manager is running in FIPS mode, the crypto configuration above needs to be replaced with the configuration below. The initString value must be 32 characters long and contain no spaces.  -->
                  <!--
                  <crypto cryptoSource="jce" cipherType="symmetricBlockCipher"
                    engineName="AES" paddingModeName="CBC" keySize="256"
                    pbeDigestAlgorithm="SHA1" encodingMode="Base64Url"
                    jcePbeAlgorithmName="AES" jcePbeMacAlgorithmName="AES"
                    macType="hmac"
                    macAlgorithmName="SHA1" directKeyEncoded="true" directKeyEncoding="Base64Url"
                    algorithmPaddingName="PKCS5Padding"
                    pbeCount="20" macKeySize="256" macPbeCount="20"
                    initString="rqa9mkdmfkvdvienfj4usldo9205mvid">
                  </crypto>
                  --> 
      </lwssoValidation>
    3. Update this section by doing the following:

      • Comment out the ordinary crypoto configuration part.
      • Uncomment the FIPS mode crypto configuration part.
      • Configure the domain of the host.
      • Update the default initString value to your own value, if needed.

        Caution The initString value is shared among all parties that participate in LW-SSO. In FIPs mode, this value must be 32 characters long and contain no spaces; otherwise LW-SSO will not work in FIPS mode.

      The following is an example:

      <lwssoValidation>
          <domain>myhostdomain.com</domain>
           <!--
                 <crypto cipherType="symmetricBlockCipher"
                    engineName="AES" paddingModeName="CBC" keySize="256"
                    encodingMode="Base64Url"
                    initString="This is a shared secret passphrase"/>
            -->
            <!-- When Service Manager is running in FIPS mode, the crypto configuration above needs to be replaced with the configuration below.
            The initString value must be 32 characters long and contain no spaces. --> 
        
                  <crypto cryptoSource="jce" cipherType="symmetricBlockCipher"
                    engineName="AES" paddingModeName="CBC" keySize="256"
                    pbeDigestAlgorithm="SHA1" encodingMode="Base64Url"
                    jcePbeAlgorithmName="AES" jcePbeMacAlgorithmName="AES"
                    macType="hmac"
                    macAlgorithmName="SHA1" directKeyEncoded="true" directKeyEncoding="Base64Url"
                    algorithmPaddingName="PKCS5Padding"
                    pbeCount="20" macKeySize="256" macPbeCount="20"
                    initString="1qaz2wsxfkvdvienfj4usldo9205mvid">
                  </crypto>
      </lwssoValidation>

      Note Here, myhostdomain.com refers to the domain of the Mobility Client host. Beginning from the <creation> section to the end of the lwssofmconf.xml file, the variables are subject to change according to your actual deployment.

    4. Save the file.
  6. Restart the Mobility Client's web application server (in this example, Tomcat).
  7. Make sure the SM Server is started.
  8. Make sure the Web Tier's web application server is started.
  9. Launch the Mobility Client URL in a browser.

    The URL resembles the following: http://myMobilityHostFQDN:9080/Mobility/std/

  10. Log in to the Mobility Client and verify that LW-SSO from the Mobility Client to the Web Tier works correctly.