Xin BJ Xu, IBM Software Group, WPLC, Beijing, China
Xiao Feng Yu, IBM Software Group, WPLC, Staff Software Engineer, Shanghai, China
Patrick Curtin, IBM Software Group, WPLC, Test Infrastructure Engineer, Dublin, Ireland
October 2008
(formerly Netegrity) SiteMinder 6.0 with IBM Lotus Connections 2.0 to provide your users with the security of a single sign-on environment.
Contents
1 Introduction
2 Create Configuration objects on SiteMinder Policy Server
2.1 Create objects for WebAgent
2.1.1 Create the Web Agent objects
2.1.2 Create an Agent Conf Object
2.1.3 Create a Host Conf Object
2.2 Create Objects for SiteMinder ASA
2.2.1 Create SiteMinder ASA objects
2.2.2 Create an Agent Conf Object
2.2.3 Create a Host Conf Object
2.3 Create a User Directory
2.4 Create an Authentication Scheme
3 Configure the Domains
3.1 Define a Domain for the WebAgent
3.2 Define a Domain for the ASA
3.3 Define the Realm Definitions for both Domains
3.3 Define Rules for the Realms
3.4 Create a Policy for the Domain
4 Install and configure SiteMinder WebAgent
4.1 Install the SiteMinder WebAgent
4.2 Configure the SiteMinder WebAgent
Add SiteMinder cookie setting
4.2.2 Configuring SiteMinder logout
4.2.3 Create rewrite rules to map Blogs URLs
5 Install and configure SiteMinder ASA
5.1 Install SiteMinder ASA
5.2 Configure the ASA for WebSphere Application Server
6 Update AJAX proxy configurations
7 Enable SiteMinder for Lotus Connections
8 Troubleshooting
9 Conclusion
10 Resources
11 About the authors
1 Introduction
IBM Lotus Connections is social software for business that empowers you to be more innovative and helps you execute more quickly by using dynamic networks of coworkers, partners, and customers. Computer Associates (formerly Netegrity) SiteMinder is a Web access control product providing Web single sign-on (SSO), centralized policy management for authentication, authorization, and auditing, and user entitlement. This white paper describes how to integrate SiteMinder 6.0 (hereafter called SiteMinder) with Lotus Connections 2.0 to provide your users with the security of an SSO environment.

Figure 1 shows a sample Lotus Connections 2.0 cluster deployment environment, in which lccn60-1 is the IBM WebSphere Application Server Network Deployment Manager (DM), SM is SiteMinder, and lccn61-1 and lccn60-2 are the two nodes. For the IBM HTTP Server (IHS), assume it is also installed on lccn60-1.

Figure 1. Cluster environment topology
Here the SiteMinder Web Agent is hosted on the IHS, lccn60-1, and the SiteMinder Application Server Agent (ASA) is hosted on all three Application servers: lccn60-1, lccn60-2, and lccn61-1.
Note that lccn60-1 is used as the example for SiteMinder ASA configuration throughout this paper. To configure SiteMinder to work with your Lotus Connections 2.0 environment, we must first create Configuration objects on the SiteMinder Policy Server and then, for the Lotus Connections environment, we will:
1. Configure the Domains and Realms on the SiteMinder Policy Server.
2. Install and configure the SiteMinder WebAgent.
3. Install and configure the ASA.
4. Update common Ajax proxy configuration files.
5. Enable the SiteMinder WebAgent and ASA.
The specific configuration we are using is:
- SiteMinder Policy Server v6.0 SP5
- SiteMinder ASA 6.0 Agent for WebSphere Application Server with CR0006 Hotfix
- SiteMinder WebAgent v6qmr5-cr011
NOTE: Be sure you are using SiteMinder ASA 6.0 with all the latest updates applied to all SiteMinder components.
2. Fill in the *Name and Description fields with lccn60-1WA and Lotus Connections 2.0, respectively, ensuring the *Name field contains a unique value not used previously for an existing agent on the server.
3. Click OK to save and close.
3. Enter a unique name, for example, lccn60-1WA_conf, for the object in the *Name field.
4. Then, in the Configuration Values section, set the following parameters to the values below or to the appropriate value for your server by clicking each parameter and clicking the Edit button:
   - DefaultAgentName: Name given to the agent created in the step above
   - AllowLocalConfig: Set to Yes
   - CssChecking: Set to No
   - BadUrlChars: remove // and /, %00-%1f, %7f-%ff, and %25 from the default list of Bad Url Characters
   All other parameters can be left as default.
5. Click OK to save and close.
Conf Object on the Policy Server and modify the duplicate as appropriate. Then, to create a Host Conf object for your HTTP Server, follow these steps:
1. Click the icon under System Configuration on the System tab of the left-hand pane of the console.
2. Right-click the existing Host Conf object in the Host Conf Object List in the right-hand pane of the console and select Duplicate Configuration Object. The dialog box in figure 4 displays.
Figure 4. Host Config Object Properties dialog
3. Enter a unique name and description (optional).
4. Edit the Parameter Value #Policy Server, removing the # sign from the front of the parameter name and entering the IP Address of your Policy server in the appropriate place in the value field.
2. Fill in the *Name and Description fields with lccn60-1ASA and Lotus Connections 2.0, respectively, as shown in the figure, ensuring the *Name field contains a unique value not used previously for an existing agent on the server.
3. Click OK to save and close.
3. Enter a unique name for the object, for example, lccn60-1ASA_conf, in the *Name field.
4. Then, in the Configuration Values section, set the following parameters to the values below, or to the appropriate value for your server, by clicking each parameter and clicking the Edit button:
   a. DefaultAgentName: Name given to the agent created in the step above
3. Enter a unique name, for example, Host_lccn60-1ASA, and description (optional) in the respective fields.
2. Enter a unique name and description (optional) in the *Name and Description fields.
3. Set the *Namespace field to LDAP, and enter the fully qualified host name of your LDAP server in the *Servername field.
4. Fill in the LDAP Search and LDAP User DN Lookup fields as appropriate for your LDAP users.
5. Click OK to save and close.
NOTE: Depending on your particular LDAP server configuration, you may also need to add Required Credentials on the Credentials and Connection tab in order for the Policy Server to be able to bind with your LDAP server. Also, if you want to use mail as a login attribute, you can modify the LDAP User DN Lookup parameters.
tab of the left-hand pane of the console and select Create Authentication Scheme. The dialog box in figure 9 displays.
2. Enter a unique name, for example, lccn60-1_Scheme, and description (optional) in the fields provided.
3. Select HTML Form Template from the Authentication Scheme Type drop-down box.
4. Enter the Fully Qualified Domain Name of your Web Server in the Web Server Name field.
5. Click OK to save and close.
2. Enter a unique name (for example, lccn60-1WA_Domain) and description (optional) in the fields provided (see figure 11).
3. From the drop-down list at the bottom of the dialog, select the User Directory that you will use in this Domain, and click the Add button to add it to the User Directories tab.
2. Enter a unique name (for example, AtomBlogs) and description (optional) for the Realm.
3. On the Resource tab, in the Agent field, enter the name of the agent that you created in Section 2.1 (here it is lccn60-1wa), or select it from the Lookup listing.
4. Define the Resource Filter as /blogs/atom.
5. Set the Default Resource Protection option to Protected.
6. Leave all other fields on the Resource, Session, and Advanced tabs as default.
7. The only Realm that needs an extra change is the Realm whose Protected Resource is /. For this Realm, set the Authentication Scheme to the HTML Forms scheme you created earlier.
The realms in tables 1 and 2 must be defined for your Lotus Connections environment:
Note that these resources are set as Unprotected due to the nature of the notification code, the Waltz-Profiles Integration (WPI) / Waltz-Communities Integration (WCI) URLs, and the API Service Descriptions URLs. To define Realm Definitions for the ASA Domain:
1. Right-click the domain you created for the ASA and select Create Realm; a dialog similar to that in figure 13 appears.
2. Enter a unique name and description (optional) for the Realm.
3. In the Agent field on the Resource tab, enter the name of the agent that you created for the WebAgent in this environment (here it is lccn60-1asa), or select it from the Lookup listing.
4. Define the Resource Filter as /siteminderassertion.
5. Set the Default Resource Protection option to Protected or Unprotected.
6. Leave all other fields on the Resource, Session, and Advanced tabs as default.
Rule 1
*Name: GetPost Rule
Realm: (Whatever realm you are working with)
Resource: *
Action: Web Agent actions -> Get,Post,Put,Delete
When this Rule fires: Allow Access
Enable or Disable this Rule: Enabled
Figure 14. Example Rule 1

Rule 2
*Name: OnAuthAccept Rule
Realm: (Whatever realm you are working with)
Resource: *
Action: Authentication events -> OnAuthAccept
When this Rule fires: Allow Access
Enable or Disable this Rule: Enabled
2. Enter a unique name for the object in the *Name field.
3. Click the Add/Remove button and, from the dialog that follows, add the Users/Groups/Organizations that will be allowed access to your Lotus Connections environment. In figure 16 above, the entire Organization has been added, so all users under this Organization in the LDAP will be allowed access.
4. Select the Rules tab (see figure 17).
5. Click the Add/Remove Rules button to get the window shown in figure 18, and add the rules you created above.
6. Click OK to save the Policy.
Figure 18. Available Rules window
5. Review the Install information.
6. Install the WebAgent and restart the system to complete the installation.
7. After restart, choose Programs > SiteMinder > Web Agent Configuration Wizard to launch the Host Registration panel.
8. Choose Yes to continue the Host Registration.
9. Fill in the Admin User Name, Admin Password, and confirm Admin Password fields (see figure 20).
Figure 20. Admin Registration screen
10. In the Trusted Host Name and Configuration Object screen (see figure 21), enter the name in the Trusted Host Name field (here we use lccn60-1WA) that will be registered on the SiteMinder Policy Server during the setup procedure.
Figure 21. Trusted Host Name and Configuration Object screen
11. In the Host Configuration Object field, enter the name (here it is Host_lccn60-1WA) created on the SiteMinder Policy Server. Click Next.
12. On the next screen, enter the SiteMinder Policy Server IP address in the IP Address field, click the Add button, and click Next (see figure 22).
Figure 22. Policy Server IP Address screen
13. Select the Web server(s) you wish to configure as Web Agents (see figure 23).
Figure 23. Select Web Servers screen
14. On the Agent Configuration Object screen (see figure 24), enter the Agent Configuration Object that was created on the Policy Server (here it is lccn60-1WA_conf).
Figure 24. Agent Configuration Object screen
15. Choose your SSL Authentication method and click Next.
16. Choose No, I don't want to configure Self Registration and click Next.
17. Review the Web Server Configuration Summary, click Install to continue, and then click Done to finish the installation.
CookieDomain=".cn.ibm.com"
3. Set RequireCookies="NO". If you are using on ramps, for instance, Hanover, Office plugin, or Portlet, you must set the RequireCookies setting to NO, so that the SiteMinder Web Agent doesn't expect the SMCHALLENGE cookie for basic authentication.
sent to <your_logout_url> after logging out of Lotus Connections. This URL could be your corporate home page or the Lotus Connections login page. Note that you must add these rules to both the HTTP and HTTPS entries. For instance, if Activities is chosen to serve logout and your corporate home page is http://www.acme.com, the rewrite rule will look like the following:

RewriteEngine On
RewriteCond %{REQUEST_URI} /(.*)/ibm_security_logout(.*)
RewriteCond %{QUERY_STRING} !=logoutExitPage=http://www.acme.com
RewriteRule /(.*)/ibm_security_logout(.*) /activities/service/html/ibm_security_logout?logoutExitPage=http://www.acme.com [noescape,L,R]

This means that all logout requests from Lotus Connections features are served by the Activities feature, and users are all logged out via a unified logoutExitPage as specified in the RewriteRule.

NOTE: Multiple LogOffUri is not officially supported in SiteMinder, though it proved to work during our tests. We DO NOT recommend using multiple LogOffUri in SiteMinder configurations, but if you choose to do so, simply set the following settings in your LocalConfig.conf file:

LogOffUri="/activities/service/html/ibm_security_logout"
LogOffUri="/blogs/ibm_security_logout"
LogOffUri="/communities/communities/ibm_security_logout"
LogOffUri="/dogear/ibm_security_logout"
LogOffUri="/profiles/ibm_security_logout"
LogOffUri="/homepage/web/ibm_security_logout"
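The LocalConfig.conf settings that sections 4.2.1 and 4.2.2 touch (CookieDomain, RequireCookies, and one or more LogOffUri values) are easy to get subtly wrong, and a repeated LogOffUri key is exactly the kind of thing a casual read of the file misses. The following audit script is an added example, not code from the paper or from SiteMinder: it parses the key="value" layout the paper quotes, keeps every value of a repeated key, and reports the three conditions the paper calls out. The sample file is constructed from the paper's values, and the assumption that RequireCookies defaults to YES when absent is mine.

```python
"""Audit the Web Agent LocalConfig.conf settings that sections 4.2.1 and
4.2.2 touch. Example code, not from the paper; the sample file below is
constructed from the values the paper quotes."""
import re
from collections import defaultdict

# Constructed LocalConfig.conf excerpt in the key="value" style the paper shows.
SAMPLE_LOCALCONFIG = '''
# Web Agent overrides for the Lotus Connections 2.0 front end
CookieDomain=".cn.ibm.com"
RequireCookies="NO"
LogOffUri="/activities/service/html/ibm_security_logout"
LogOffUri="/blogs/ibm_security_logout"
LogOffUri="/communities/communities/ibm_security_logout"
'''

_SETTING = re.compile(r'^([A-Za-z0-9_]+)\s*=\s*"?(.*?)"?$')


def parse_localconfig(text):
    """Return {name: [values]}; a repeated name (LogOffUri) keeps every value."""
    settings = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _SETTING.match(line)
        if m:
            settings[m.group(1)].append(m.group(2))
    return dict(settings)


def audit_localconfig(text):
    """Report the conditions the paper calls out for this deployment."""
    s = parse_localconfig(text)
    findings = []
    domain = s.get('CookieDomain', [''])[0]
    if not domain.startswith('.'):
        findings.append('CookieDomain should start with a dot so SMSESSION is '
                        'sent to every Connections host in the domain')
    # Assumed default: RequireCookies behaves as YES when the key is absent.
    if s.get('RequireCookies', ['YES'])[0].upper() != 'NO':
        findings.append('RequireCookies is not NO: the Web Agent will expect '
                        'the SMCHALLENGE cookie that basic-auth on-ramp clients do not send')
    logoff = s.get('LogOffUri', [])
    if not logoff:
        findings.append('no LogOffUri: the Web Agent will not clear SMSESSION '
                        'when users log out of Connections')
    elif len(logoff) > 1:
        findings.append(f'{len(logoff)} LogOffUri values: multiple LogOffUri is not '
                        'officially supported, prefer one rewritten logout URL')
    return {'settings': s, 'findings': findings}


if __name__ == '__main__':
    report = audit_localconfig(SAMPLE_LOCALCONFIG)
    for name, values in report['settings'].items():
        print(f'{name}: {values}')
    for finding in report['findings']:
        print('FINDING:', finding)
```

Run it against the real LocalConfig.conf on the IHS host after the Web Agent has been configured; the only finding the constructed sample produces is the multiple-LogOffUri warning, which is the trade-off the paper's note describes.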
RewriteRule ^/blogs/(.*)/feed/entries/atom(.*) /blogs/roller-ui/rendering/feed/$1/entries/atom/ [R,L]
RewriteRule ^/blogs/(.*)/feed/comments/atom(.*) /blogs/roller-ui/rendering/feed/$1/comments/atom/ [R,L]
RewriteRule ^/blogs/(.*)/feed/tags/atom(.*) /blogs/roller-ui/rendering/feed/$1/tags/atom/ [R,L]
RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)

NOTE: Be sure to enable the URL rewrite rules for both HTTP and HTTPS.
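Both rule sets above, the logout redirect in section 4.2.2 and the Blogs feed mapping in section 4.2.3, are external redirects ([R]) whose target can itself match the rule pattern again, so each depends on a guard RewriteCond to stop the loop: the logout set compares QUERY_STRING lexically against the target logoutExitPage (the "!=" test), and the Blogs set excludes paths already under /blogs/roller-ui/rendering/. The emulator below is an added example, not the paper's code and not Apache; it models only the mod_rewrite features these directives use (RewriteCond with regex, negated regex and "!=" tests, RewriteRule with $N backreferences and the L flag) and runs the paper's own directives against sample requests offline. One assumption: the Blogs RewriteCond, which the extract shows once after the three rules, is placed in front of each rule here, since a RewriteCond only applies to the RewriteRule that follows it.

```python
"""Emulate the mod_rewrite subset used by the paper's logout and Blogs rules.
Example code, not from the paper and not Apache; it runs offline."""
import re

CORPORATE_HOME = 'http://www.acme.com'   # the paper's sample logoutExitPage

# Section 4.2.2: route every feature's logout through Activities.
LOGOUT_RULES = [
    ('cond', 'REQUEST_URI', r'/(.*)/ibm_security_logout(.*)'),
    ('cond', 'QUERY_STRING', '!=logoutExitPage=' + CORPORATE_HOME),
    ('rule', r'/(.*)/ibm_security_logout(.*)',
     '/activities/service/html/ibm_security_logout?logoutExitPage=' + CORPORATE_HOME,
     ['noescape', 'L', 'R']),
]

# Section 4.2.3: map Blogs feed URLs onto the roller-ui rendering paths.
# Assumption: the guard RewriteCond precedes each rule (it is shown once in the paper).
_NOT_ALREADY_RENDERED = ('cond', 'REQUEST_URI', r'!^/blogs/roller-ui/rendering/(.*)')
BLOGS_RULES = []
for _kind in ('entries', 'comments', 'tags'):
    BLOGS_RULES.append(_NOT_ALREADY_RENDERED)
    BLOGS_RULES.append(('rule', rf'^/blogs/(.*)/feed/{_kind}/atom(.*)',
                        f'/blogs/roller-ui/rendering/feed/$1/{_kind}/atom/', ['R', 'L']))


def _cond_ok(value, test):
    """Evaluate one RewriteCond test string against a variable value."""
    if test.startswith('!='):             # lexical "not equal"
        return value != test[2:]
    if test.startswith('='):              # lexical "equal"
        return value == test[1:]
    if test.startswith('!'):              # negated regex
        return re.search(test[1:], value) is None
    return re.search(test, value) is not None


def _expand(target, groups):
    """Replace $1..$9 in the substitution with the rule's captured groups."""
    def pick(m):
        n = int(m.group(1))
        return groups[n - 1] if 1 <= n <= len(groups) else ''
    return re.sub(r'\$(\d)', pick, target)


def apply_rewrites(directives, path, query=''):
    """Return the substitution of the first rule that fires with the L flag,
    or None when no rule applies to the request."""
    env = {'REQUEST_URI': path, 'QUERY_STRING': query}
    pending = []                          # RewriteConds waiting for their rule
    for d in directives:
        if d[0] == 'cond':
            pending.append(d)
            continue
        _, pattern, target, flags = d
        conds, pending = pending, []      # conds apply only to the next rule
        if not all(_cond_ok(env[var], test) for _, var, test in conds):
            continue
        m = re.search(pattern, path)
        if m is None:
            continue
        result = _expand(target, m.groups())
        if 'L' in flags:
            return result
        path = result                     # without L, later rules see the new path
    return None


if __name__ == '__main__':
    first = apply_rewrites(LOGOUT_RULES, '/blogs/ibm_security_logout')
    print('logout from Blogs ->', first)
    # The redirected request carries the target logoutExitPage, so the "!="
    # condition fails and the request is not redirected a second time.
    p, q = first.split('?', 1)
    print('second pass ->', apply_rewrites(LOGOUT_RULES, p, q))
    print('entries feed ->', apply_rewrites(BLOGS_RULES, '/blogs/myblog/feed/entries/atom'))
    print('already rendered ->',
          apply_rewrites(BLOGS_RULES, '/blogs/roller-ui/rendering/feed/myblog/entries/atom/'))
```

Dropping either guard condition and rerunning the second pass shows the loop the guards prevent; this is also a cheap way to test a new rule before it goes into both the HTTP and HTTPS virtual hosts.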
6. In the next screen (see figure 26), enter the name of the Agent configuration object (this is created on the Policy Server).
7. Restart the system to complete the installation.
Figure 26. Agent Configuration screen
3. Edit the file in the working directory to add the SMSESSIONID as described above and then check in the file, using the following command:
LCConfigService.checkInProxyConfig("<working-directory>", "<cell-name>")
You can find the proxy configuration file for each feature in table 4.
Table 4. Proxy configuration file location for each Connections feature
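The edit in step 3 has to be made in the proxy configuration of every feature whose widgets load feeds through the AjaxProxy, and it must not be applied twice to the same policy. The script below is an added example, not the paper's code and not part of Lotus Connections: it adds the SiteMinder session cookie to the forwarded-cookie list of each proxy policy and is safe to rerun. The XML layout and the namespace URI are assumptions modelled on the proxy-config.tpl structure (a proxy:policy element holding a proxy:cookies list of proxy:cookie names); the sample document is constructed here, and the cookie name used is SMSESSION, the name the troubleshooting section uses.

```python
"""Add the SiteMinder session cookie to every policy in a Connections AjaxProxy
configuration so the proxy forwards it with feed requests.
Example code, not from the paper or the product; the XML layout and namespace
are assumptions and the sample document is constructed."""
import xml.etree.ElementTree as ET

PROXY_NS = 'http://www.ibm.com/xmlns/prod/sn/proxy-config'   # assumed namespace
ET.register_namespace('proxy', PROXY_NS)


def _q(tag):
    """Qualified tag name in the proxy namespace."""
    return '{%s}%s' % (PROXY_NS, tag)


# Constructed sample: one policy that already forwards the WebSphere LTPA cookies.
SAMPLE_PROXY_CONFIG = '''<proxy:proxy-rules xmlns:proxy="%s">
  <proxy:policy url="*" acf="none">
    <proxy:actions>
      <proxy:method>GET</proxy:method>
    </proxy:actions>
    <proxy:cookies>
      <proxy:cookie>LtpaToken</proxy:cookie>
      <proxy:cookie>LtpaToken2</proxy:cookie>
    </proxy:cookies>
  </proxy:policy>
</proxy:proxy-rules>
''' % PROXY_NS


def cookie_names(xml_text):
    """Return the sorted set of cookie names the proxy is allowed to forward."""
    root = ET.fromstring(xml_text)
    return sorted({c.text.strip() for c in root.iter(_q('cookie')) if c.text})


def add_cookie(xml_text, name='SMSESSION'):
    """Add <proxy:cookie>name</proxy:cookie> to each policy that lacks it.
    Returns (updated_xml, number_of_policies_changed); idempotent on rerun."""
    root = ET.fromstring(xml_text)
    changed = 0
    for policy in root.iter(_q('policy')):
        cookies = policy.find(_q('cookies'))
        if cookies is None:                     # policy forwarded no cookies yet
            cookies = ET.SubElement(policy, _q('cookies'))
        present = {c.text.strip() for c in cookies.findall(_q('cookie')) if c.text}
        if name not in present:
            ET.SubElement(cookies, _q('cookie')).text = name
            changed += 1
    return ET.tostring(root, encoding='unicode'), changed


if __name__ == '__main__':
    updated, n = add_cookie(SAMPLE_PROXY_CONFIG)
    print(n, 'policy(ies) updated; cookies now forwarded:', cookie_names(updated))
    print(updated)
```

Keep the forwarded-cookie list as short as the widgets need: every name in it is a credential the AjaxProxy will replay to the target URL of the matching policy, so a policy whose url attribute is broader than the Connections hosts should not carry the session cookie at all.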
8 Troubleshooting
Let's now identify some common issues and how to address them.
Issue: A Lotus Connections feature fails to load feed data from other features.
In Connections features, there are widgets that load feed data from other features, and the AjaxProxy is used to proxy the feed load request to avoid cross-site scripting issues.
Solution: To work with the SiteMinder environment, the AjaxProxy must be configured to pass along the SiteMinder security token SMSESSION. Thus, correct the AjaxProxy configuration for the problematic feature, as described in Section 6 above.
Issue: The Navigation Bar fails to show the logged-in user's name and instead displays the Logout link when viewed with Microsoft Internet Explorer.
The Blogs and Dogear Connections features may exhibit this behavior if there are too many cookies or if the overall cookie size exceeds 4,096 bytes. This can be exacerbated by the presence of the SMSESSION cookie and the WebSphere LTPA cookies. More details on this IE limitation may be found here: http://support.microsoft.com/kb/306070.
Solution: Reduce the number of cookies in use. One possible approach is to ensure WebSphere is not configured for backward compatibility for LTPA (remove the use of LtpaToken and only use LtpaToken2). For further details, refer to the IBM WebSphere Application Server information center.
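Whether a deployment is near the Internet Explorer cookie budget is easy to measure before users report the symptom above. The script below is an added example, not the paper's code: it builds the Cookie request header a browser would send to one Connections host, compares it against the 4,096-byte total the paper cites and the per-domain cookie count limit of 20 from the referenced KB article, names the largest cookies, and models the paper's fix by removing the legacy LtpaToken. The cookie values and sizes are constructed, not measured from a real SMSESSION or LTPA token.

```python
"""Check whether the cookies a browser sends to a Connections host fit the
Internet Explorer per-domain budget the paper mentions. Example code, not from
the paper; the cookie values below are constructed, not measured."""

IE_MAX_COOKIE_BYTES = 4096   # total cookie size cited in the paper
IE_MAX_COOKIES = 20          # per-domain cookie count limit from KB 306070

# Constructed sample of what a browser sends to one host behind SiteMinder.
SAMPLE_COOKIES = {
    'SMSESSION': 'S' * 1900,     # SiteMinder session token (constructed size)
    'LtpaToken': 'L' * 1100,     # legacy LTPA v1 token (backward compatibility)
    'LtpaToken2': 'M' * 1100,    # LTPA v2 token
    'JSESSIONID': '0000abc',     # WebSphere servlet session
}


def cookie_header_bytes(cookies):
    """Size of the Cookie request header the browser would build."""
    return len('; '.join(f'{k}={v}' for k, v in cookies.items()).encode('ascii'))


def check_cookie_budget(cookies, max_bytes=IE_MAX_COOKIE_BYTES, max_count=IE_MAX_COOKIES):
    """Return the count, header size, any limit breaches and the largest cookies."""
    size = cookie_header_bytes(cookies)
    problems = []
    if len(cookies) > max_count:
        problems.append(f'{len(cookies)} cookies exceeds the limit of {max_count}')
    if size > max_bytes:
        problems.append(f'{size} bytes of cookies exceeds the limit of {max_bytes}')
    largest = sorted(cookies, key=lambda k: len(cookies[k]), reverse=True)
    return {'count': len(cookies), 'bytes': size, 'over_budget': bool(problems),
            'problems': problems, 'largest': largest[:3]}


def drop_legacy_ltpa(cookies):
    """Model the paper's fix: with LTPA backward compatibility off, WebSphere
    issues only LtpaToken2 and the LtpaToken cookie disappears."""
    return {k: v for k, v in cookies.items() if k != 'LtpaToken'}


if __name__ == '__main__':
    before = check_cookie_budget(SAMPLE_COOKIES)
    after = check_cookie_budget(drop_legacy_ltpa(SAMPLE_COOKIES))
    print('before:', before['bytes'], 'bytes', before['problems'], 'largest:', before['largest'])
    print('after: ', after['bytes'], 'bytes', after['problems'])
```

To run this against a real deployment, replace SAMPLE_COOKIES with the name/value pairs from the browser's cookie store for the Connections host; the header size, not the number of cookies, is usually what the SMSESSION plus LTPA combination pushes over the limit.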
Issue: There is no Delete Action available when a user creates the Rules in SiteMinder.
Solution: The SiteMinder WebAgent has only the Get, Post, and Put Actions available by default. To add the Delete Action, follow these steps:
1. Log in to the SiteMinder Administration Console.
2. Click the View menu and select the Agent Types menu option.
3. Select the Agent Types option that is now available in the Systems pane.
4. Double-click the Web Agent in the Agent Type list.
5. In the Agent Type Properties dialog box that appears, click the Create button.
6. Type Delete in the New Agent Action dialog, and click OK.
7. Click OK again; the new Action will be saved and available now in the Rules dialog.
9 Conclusion
This paper has provided detailed instructions on how to integrate Netegrity SiteMinder 6.0 with Lotus Connections, focusing on the special configurations for different components of Lotus Connections on both the Policy Server side and Agent side.
10 Resources
Lotus Connections developerWorks product page
Lotus Connections documentation page
CA SiteMinder Web Access Manager
WebSphere Application Server information center
Trademarks
Domino, IBM, Lotus, and WebSphere are trademarks or registered trademarks of IBM Corporation in the United States, other countries, or both. Windows and Windows 2000 are registered trademarks of Microsoft Corporation in the United States, other countries, or both. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Other company, product, and service names may be trademarks or service marks of others.