Implementing SSO in an Unwired Server Cluster

Place required files in the appropriate primary Unwired Server subdirectory so they are distributed to all Unwired Servers within the cluster during cluster synchronization.

Any change to a named security configuration affects the whole cluster and triggers a cluster synchronization, which automatically zips the files in the primary Unwired Server's CSI subdirectory and distributes them to the other servers in the cluster. Copy all certificate files and other security-related files to the CSI subdirectory so that they are included in that distribution.

SSO2 tokens are cached in the Unwired Server consolidated database (CDB). Because all nodes of the cluster share the primary server's CDB, the token cache is accessible from every node in the cluster.

The provider configuration, including the server certificate file name and location, must be identical on all cluster nodes. The same applies to the cryptographic DLLs and certificate files used for X.509 SSO.

  1. On the primary server in the cluster, put any SAP certificate files or truststores into the <UnwiredPlatform_InstallDir>\Servers\UnwiredServer\Repository\CSI\conf directory.

    In the configuration, specify the full path of the file using a system property rather than an absolute path, so that the file can still be resolved on servers whose installation directory differs from the primary server's. For example:

    ${djc.home}/Repository/CSI/conf/SNCTEST.pse
    
    For the X.509 CertificateAuthenticationLoginModule, if ValidateCertificatePath is set to true (the default), the CA certificate (or one of its parent certificates) must be installed in the trust store on each server.
    Note: Unwired Server truststore and keystore files:
    • <UnwiredPlatform_InstallDir>\Servers\UnwiredServer\Repository\Security\truststore.jks – the Unwired Server trust store, which contains CA (or parent) certificates. Unwired Server trusts every CA or parent certificate in truststore.jks.
    • <UnwiredPlatform_InstallDir>\Servers\UnwiredServer\Repository\Security\keystore.jks – contains client certificates only.

    The CertificateAuthenticationLoginModule also has Trusted Certificate Store and Store Password properties, which you can set if you do not want the module to use the default Unwired Server trust store. In that case you must first:

    1. Use keytool to put the CA certificate into a new keystore.
    2. Put the keystore into the Repository\CSI\conf subdirectory.
    3. Include the path in the Trusted Certificate Store property.
  2. From Sybase Control Center, add the login module.
  3. Restart all Unwired Servers within the cluster.
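The following PowerShell script walks through the three sub-steps above on the primary server (create a dedicated trust store with keytool, stage it in Repository\CSI\conf so cluster synchronization distributes it, and derive the Trusted Certificate Store property value from ${djc.home}). It is an added example, not a script from the Sybase Unwired Platform documentation. The installation directory, the CA certificate file name, the trust store name, the keytool alias and the assumption that a JRE's keytool is on PATH are all hypothetical; it also adds a check that the imported file really is a CA certificate, which the page implies but does not script.

```powershell
# Added example, not part of the Sybase Unwired Platform documentation.
# Builds a dedicated trust store for CertificateAuthenticationLoginModule on the
# primary Unwired Server and stages it in CSI\conf for cluster synchronization.
# Hypothetical values: install dir, CA certificate path, store name, alias.

$InstallDir = 'C:\Sybase\UnwiredPlatform'      # <UnwiredPlatform_InstallDir>, assumed
$CsiConf    = Join-Path $InstallDir 'Servers\UnwiredServer\Repository\CSI\conf'
$CaCertFile = 'C:\temp\corp-issuing-ca.cer'    # issuing CA (or a parent), assumed
$StoreName  = 'x509-trust.jks'                 # new trust store file name, assumed
$Alias      = 'corp-issuing-ca'                # keytool alias, assumed
$KeyTool    = 'keytool'                        # assumes a JRE bin directory is on PATH

# Read the store password once; it is passed to keytool on the command line.
$StorePass = Read-Host 'Trust store password'

# With ValidateCertificatePath=true the trust store must hold the CA or one of
# its parents, not the end-entity certificate. Refuse anything without
# BasicConstraints cA=TRUE before importing it.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertFile
$bc = $ca.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "$CaCertFile is not a CA certificate (BasicConstraints cA is not TRUE)"
}

# 1. Use keytool to put the CA certificate into a NEW keystore. keytool creates
#    the file on the first -importcert; -noprompt skips the interactive
#    "Trust this certificate?" question because the cA check above already ran.
$NewStore = Join-Path $env:TEMP $StoreName
if (Test-Path $NewStore) { Remove-Item $NewStore }
& $KeyTool -importcert -noprompt -file $CaCertFile -alias $Alias `
    -keystore $NewStore -storetype JKS -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "keytool -importcert failed with exit code $LASTEXITCODE" }

# Confirm the entry was stored as a trusted certificate entry, not a key entry.
$listing = & $KeyTool -list -v -keystore $NewStore -storepass $StorePass
if (-not ($listing -match 'trustedCertEntry')) {
    throw 'CA certificate was not stored as a trustedCertEntry'
}
$listing | Select-String 'Alias name|Owner:|Issuer:|Valid from' | ForEach-Object { $_.Line }

# 2. Put the keystore into Repository\CSI\conf on the primary server. The next
#    change to the security configuration triggers cluster synchronization,
#    which zips this directory and distributes it to the other nodes.
if (-not (Test-Path $CsiConf)) { throw "CSI conf directory not found: $CsiConf" }
Copy-Item $NewStore (Join-Path $CsiConf $StoreName) -Force
Remove-Item $NewStore

# 3. Value for the Trusted Certificate Store property. Use the ${djc.home}
#    system property, not an absolute path, so that nodes whose installation
#    directory differs from the primary server's still resolve the file.
$TrustedStoreProperty = '${djc.home}/Repository/CSI/conf/' + $StoreName
Write-Host "Trusted Certificate Store : $TrustedStoreProperty"
Write-Host 'Store Password            : the password entered above'
Write-Host 'Next: add the login module in Sybase Control Center, then restart every Unwired Server in the cluster.'
```

The script stops before touching Sybase Control Center on purpose: the property values it prints are what you enter there, and only after that change (and the restart of all nodes) does the staged trust store take effect cluster-wide.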