Integrating CA (formerly Netegrity) SiteMinder 6.0 with IBM® Lotus® Connections 2.0
Xin BJ Xu
IBM Software Group, WPLC
Beijing, China
Xiao Feng Yu
IBM Software Group, WPLC
Staff Software Engineer
Shanghai, China
Patrick Curtin
IBM Software Group
WPLC Test Infrastructure Engineer
Dublin, Ireland
October 2008
© Copyright International Business Machines Corporation 2008. All rights reserved
Abstract: This white paper provides step-by-step instructions on how to integrate CA
(formerly Netegrity) SiteMinder 6.0 with IBM® Lotus® Connections 2.0 to provide
your users with the security of a single sign-on environment.
Contents
1 Introduction
2 Create Configuration objects on SiteMinder Policy Server
2.1 Create objects for WebAgent
2.1.1 Create the Web Agent objects
2.1.2 Create an Agent Conf Object
2.1.3 Create a Host Conf Object
2.2 Create Objects for SiteMinder ASA
2.2.1 Create SiteMinder ASA objects
2.2.2 Create an Agent Conf Object
2.2.3 Create a Host Conf Object
2.3 Create a User Directory
2.4 Create an Authentication Scheme
3 Configure the Domains
3.1 Define a Domain for the WebAgent
3.2 Define a Domain for the ASA
3.3 Define the Realm Definitions for both Domains
3.3 Define Rules for the Realms
3.4 Create a Policy for the Domain
4 Install and configure SiteMinder WebAgent
4.1 Install the SiteMinder WebAgent
4.2 Configure the SiteMinder WebAgent
4.2.1 Add SiteMinder cookie setting
4.2.2 Configuring SiteMinder logout
4.2.3 Create rewrite rules to map Blogs URLs
5 Install and configure SiteMinder ASA
5.1 Install SiteMinder ASA
5.2 Configure the ASA for WebSphere Application Server
6 Update AJAX proxy configurations
7 Enable SiteMinder for Lotus Connections
8 Troubleshooting
9 Conclusion
10 Resources
11 About the authors
1 Introduction
IBM Lotus Connections is social software for business that empowers you to be more
innovative and helps you execute more quickly by using dynamic networks of coworkers,
partners, and customers. Computer Associates (formerly Netegrity) SiteMinder is a Web
access control product providing Web single sign-on (SSO), centralized policy management
for authentication, authorization, and auditing and user entitlement. This white paper describes
how to integrate SiteMinder 6.0 (hereafter called “SiteMinder”) with Lotus Connections 2.0 to
provide your users with the security of an SSO environment.
Figure 1 shows a sample Lotus Connections 2.0 cluster deployment environment, in which
lccn60-1 is the IBM WebSphere® Application Server Network Deployment Manager (DM), SM
is SiteMinder, and lccn61-1 and lccn60-2 are the two nodes. For the IBM HTTP Server (IHS),
assume it is also installed on lccn60-1.
Figure 1. Cluster environment topology
Here the SiteMinder Web Agent is hosted on the IHS, lccn60-1, and the SiteMinder Application
Server Agent (ASA) is hosted on all three Application servers: lccn60-1, lccn60-2, and
lccn61-1.
Note that lccn60-1 is used as the example for SiteMinder ASA configuration throughout this
paper.
To configure SiteMinder to work with your Lotus Connections 2.0 environment, we must first
create Configuration objects on the SiteMinder Policy Server and then, for the Lotus
Connections environment, we will:
1. Configure the Domains and Realms on the SiteMinder Policy Server.
2. Install and configure the SiteMinder WebAgent.
3. Install and configure the ASA.
4. Update common Ajax proxy configuration files.
5. Enable the SiteMinder WebAgent and ASA.
The specific configuration we are using is:
• SiteMinder Policy Server v6.0 SP5
• SiteMinder ASA 6.0 Agent for WebSphere Application Server with CR0006 Hotfix
• SiteMinder WebAgent v6qmr5-cr011
NOTE: Be sure you are using SiteMinder ASA 6.0 with all the latest updates applied to all
SiteMinder components.
2 Create Configuration objects on SiteMinder Policy Server
You need to create and configure many Policy Server objects when working with the
SiteMinder Policy Server. Some objects represent connections to existing network entries, and
the others represent groupings of resources and policies that determine entitlements to those
resources.
2.1 Create objects for WebAgent
2.1.1 Create the Web Agent objects
1. To create an Agent, right-click the Agents icon under System Configuration on the
System tab of the left-hand pane of the console. Select “Create Agent”; the dialog box in
figure 2 displays.
Figure 2. SiteMinder Agent Properties dialog
2. Fill in the *Name and Description fields with “lccn60-1WA” and “Lotus Connections 2.0”,
respectively, ensuring the *Name field contains a unique value not used previously for an
existing agent on the server.
3. Click OK to save and close.
2.1.2 Create an Agent Conf Object
The IBM HTTP Server is Apache based. For Apache-based products it is recommended that you
create a duplicate of the existing ApacheDefaultSettings Agent Conf Object on the Policy
Server and modify the duplicate as appropriate. To do this, follow these steps:
1. To create an Agent Conf object for your HTTP Server, click the Agent Conf Objects icon
under System Configuration on the System tab of the left-hand pane of the console.
2. Right-click the “ApacheDefaultSettings” Agent Conf object in the Agent Conf Object List in
the right-hand pane of the console and select Duplicate Configuration Object. The dialog
box in figure 3 displays.
Figure 3. Agent Configuration Object Properties dialog
3. Enter a unique name, for example, lccn60-1WA_conf, for the object in the *Name field.
4. Then, in the Configuration Values section, set the following parameters to the values
below or to the appropriate value for your server by clicking each parameter and clicking
the Edit button:
• DefaultAgentName: Name given to the agent created in the step above
• AllowLocalConfig: Set to Yes
• CssChecking: Set to No
• BadUrlChars: remove // and /, %00-%1f, %7f-%ff, and %25 from the default list of
Bad Url Characters
All other parameters can be left as default.
5. Click OK to save and close.
2.1.3 Create a Host Conf Object
First, it is recommended that you create a duplicate of the existing DefaultHostSettings Host
Conf Object on the Policy Server and modify the duplicate as appropriate. Then, to create a
Host Conf object for your HTTP Server, follow these steps:
1. Click the Host Conf Objects icon under System Configuration on the System tab of the
left-hand pane of the console.
2. Right-click the existing Host Conf object in the Host Conf Object List in the right-hand pane
of the console and select Duplicate Configuration Object. The dialog box in figure 4
displays.
Figure 4. Host Config Object Properties dialog
3. Enter a unique name and description (optional).
4. Edit the Parameter Value #Policy Server, removing the “#” sign from the front of the
parameter name and entering the IP Address of your Policy server in the appropriate place
in the value field.
5. Click OK to save and close.
2.2 Create Objects for SiteMinder ASA
2.2.1 Create SiteMinder ASA objects
1. To create an Agent, right-click the Agents icon under System Configuration on the
System tab of the left-hand pane of the console. Select Create Agent; the dialog box in
figure 5 displays.
Figure 5. Agent Properties dialog
2. Fill in the *Name and Description fields with “lccn60-1ASA” and “Lotus Connections 2.0,”
respectively, as shown in the figure, ensuring the *Name field contains a unique value not
used previously for an existing agent on the server.
3. Click OK to save and close.
2.2.2 Create an Agent Conf Object
To create an Agent Conf object for your Application Server:
1. Click the Agent Conf Objects icon under System Configuration on the System tab of
the left-hand pane of the console.
2. Right-click the IISDefaultSettings Conf object in the Agent Conf Object List in the
right-hand pane of the console. Select “Duplicate Configuration Object”; the dialog box in
figure 6 displays.
Figure 6. Agent Configuration Object Properties dialog
3. Enter a unique name for the object, for example, lccn60-1ASA_conf, in the *Name field.
4. Then, in the Configuration Values section, set the following parameters to the values
below, or to the appropriate value for your server, by clicking each parameter and clicking
the Edit button:
a. DefaultAgentName: Name given to the agent created in the step above
b. AssertionAuthResource: Set to /siteminderassertion
c. AssertbyUserID: Set to true
5. Click OK to save and close.
2.2.3 Create a Host Conf Object
To create a Host Conf object for your Application Server:
1. Click the Host Conf Objects icon under System Configuration on the System tab of the
left-hand pane of the console.
2. Right-click the existing Host Conf object in the Host Conf Object List in the right-hand pane
of the console, select Duplicate Configuration Object, and you see the dialog box in figure
7.
Figure 7. Host Configuration Object Properties dialog
3. Enter a unique name, for example, Host_lccn60-1ASA, and description (optional) in the
respective fields.
4. Click OK to save and close.
2.3 Create a User Directory
SiteMinder authenticates users against an LDAP directory or a database.
Configuring access to an LDAP User Directory on the Policy Server is required so that the
policy you set up for your Lotus Connections Server can access and use the appropriate LDAP
server to authenticate your Lotus Connections users.
NOTE: The Lotus Connections server must be configured to use the same LDAP
repository (or at least an LDAP repository that contains the same user information) as the
LDAP repository accessed by the SiteMinder Policy Server.
To create a User Directory, follow these steps:
1. Right-click the User Directories icon under System Configuration on the System tab of
the left-hand pane of the console and select Create User Directory. The dialog box in
figure 8 displays.
Figure 8. User Directory Properties dialog
2. Enter a unique name and description (optional) in the *Name and Description fields.
3. Set the *Namespace field to LDAP, and enter the fully qualified host name of your LDAP
server in the *Servername field.
4. Fill in the LDAP Search and LDAP User DN Lookup fields as appropriate for your LDAP
users.
5. Click OK to save and close.
NOTE: Depending on your particular LDAP server configuration, you may also need to
add in Required Credentials on the Credentials and Connection tab in order for the Policy
Server to be able to bind with your LDAP server.
Also, if you want to use “mail” as a login attribute, you can modify the “LDAP User DN
Lookup” parameters.
2.4 Create an Authentication Scheme
To create an Authentication Scheme:
1. Right-click the Authentication Schemes icon under System Configuration on the System
tab of the left-hand pane of the console and select Create Authentication Scheme. The
dialog box in figure 9 displays.
Figure 9. Authentication Scheme Properties dialog
2. Enter a unique name, for example, lccn60-1_Scheme, and description (optional) in the
fields provided.
3. Select “HTML Form Template” from the Authentication Scheme Type drop-down box.
4. Enter the Fully Qualified Domain Name of your Web Server in the Web Server Name field.
5. Click OK to save and close.
3 Configure the Domains
A policy domain is a logical grouping of resources associated with one or more user directories.
Policy domains contain realms, rules, responses, and policies. The resources in a policy
domain can be grouped in one or more realms, where a realm is a set of resources with a
common security requirement. Access to resources is controlled by rules, which are
associated with the realm that contains the resource.
3.1 Define a Domain for the WebAgent
1. On the SiteMinder Policy Server, select Create Domain (see figure 10).
Figure 10. Create Domain
2. Enter a unique name (for example, lccn60-1WA_Domain) and description (optional) in the
fields provided (see figure 11).
3. From the drop-down list at the bottom of the dialog, select the User Directory that you will
use in this Domain, and click the Add button to add it to the User Directories tab.
Figure 11. Domain Properties dialog
3.2 Define a Domain for the ASA
On the SiteMinder Policy Server, select Create Domain and enter a unique name (for example,
lccn60-1ASA_Domain) and description (optional) in the fields provided.
Note that you don’t need to select a User Directory for this domain.
3.3 Define the Realm Definitions for both Domains
To define Realm Definitions for the WebAgent Domain:
1. Right-click the domain you created for the WebAgent and select Create Realm. Figure 12
shows an example of a realm defined for the resource “/blogs/atom”.
Figure 12. Realm Properties dialog
2. Enter a unique name (for example, AtomBlogs) and description (optional) for the Realm.
3. On the Resource tab, in the Agent field, enter the name of the agent that you created in
Section 2.1 (here it’s lccn60-1wa), or select it from the Lookup listing.
4. Define the Resource Filter as “/blogs/atom”.
5. Set the Default Resource Protection option to “Protected”.
6. Leave all other fields on the Resource, Session, and Advanced tabs as default.
7. The only Realm that has an extra change is the Realm that has the Protected Resource “/”.
For this Realm, set the Authentication Scheme to the HTML Forms scheme you created
earlier.
The realms in tables 1 and 2 must be defined for your Lotus Connections environment:
Table 1. Realms with Protected setting
Table 2. Realms with Unprotected setting
Note that these resources are set as Unprotected due to the nature of the notification code,
the Waltz-Profiles Integration (WPI) / Waltz-Communities Integration (WCI) URLs, and the API
Service Description URLs.
To define Realm Definitions for the ASA Domain:
1. Right-click the domain you created for the ASA and select Create Realm; a dialog similar
to that in figure 13 appears.
Figure 13. Realm Properties dialog
2. Enter a unique name and description (optional) for the Realm.
3. In the Agent field on the Resource tab, enter the name of the agent that you created for the
ASA in Section 2.2 (here it’s lccn60-1asa), or select it from the Lookup listing.
4. Define the Resource Filter as “/siteminderassertion”.
5. Set the Default Resource Protection option to Protected or Unprotected.
6. Leave all other fields on the Resource, Session, and Advanced tabs as default.
3.3 Define Rules for the Realms
Now you must define the rules in table 3 for the Protected Realm created for the WebAgent.
To do this, right-click each protected Realm that was created above and select "Create Rule
under Realm".
Table 3. Rule definitions
Rule 1 (see figure 14)
  *Name: GetPost Rule
  Realm: (whatever realm you are working with)
  Resource: *
  Action: Web Agent actions -> Get,Post,Put,Delete
  When this Rule fires: Allow Access
  Enable or Disable this Rule: Enabled
Rule 2 (see figure 15)
  *Name: OnAuthAccept Rule
  Realm: (whatever realm you are working with)
  Resource: *
  Action: Authentication events -> OnAuthAccept
  When this Rule fires: Allow Access
  Enable or Disable this Rule: Enabled
Figure 14. Example Rule 1
Figure 15. Example Rule 2
Note that no rules are required for the ASA's Realm.
3.4 Create a Policy for the Domain
Now define a Policy to control the domain (Policy for Web Agent, for example):
1. Right-click Policies, under the domain that was created above, and select "Create Policy";
you should see the dialog box shown in figure 16.
Figure 16. Policy Properties dialog
2. Enter a unique name for the object in the *Name field.
3. Click the Add/Remove button and, from the dialog that follows, add the
Users/Groups/Organizations that will be allowed access to your Lotus Connections
environment. In figure 16 above, the entire Organization has been added so all users
under this Organization in the LDAP will be allowed access.
4. Select the Rules tab (see figure 17).
Figure 17. Rules tab
5. Click the Add/Remove Rules button, to get the window shown in figure 18, and add the
rules you created above.
6. Click OK to save the Policy.
Figure 18. Available Rules window
4 Install and configure SiteMinder WebAgent
SiteMinder Web Agent is installed on the Lotus Connections HTTP server. It controls access to
Web content and delivers a user's security context, managed by eTrust SiteMinder, directly to
any Web application being accessed by the user. For Web servers, the Web agent integrates
through each Web server’s extension API, intercepts all requests for resources (URLs), and
determines whether each resource is protected by eTrust SiteMinder.
NOTE: These instructions are based on SiteMinder WebAgent v6qmr5-cr011. For other
versions, refer to the SiteMinder Web Agent’s documentation.
4.1 Install the SiteMinder WebAgent
To install the WebAgent:
1. Launch the Installation panel and accept the License Agreements.
2. Read the Important Information and click Next.
3. Choose the Install Directory.
4. In the Choose Shortcut Folder screen, you can keep the default setting of “SiteMinder”
(see figure 19).
Figure 19. Choose Shortcut Folder screen
5. Review the Install information.
6. Install the WebAgent and restart the system to complete the installation.
7. After restart, choose “Programs > SiteMinder > Web Agent Configuration Wizard” to
launch the Host Registration panel.
8. Choose “Yes” to continue the Host Registration.
9. Fill in the Admin User Name, Admin Password, and confirm Admin Password fields (see
figure 20).
Figure 20. Admin Registration screen
10. In the Trusted Host Name and Configuration Object screen (see figure 21) enter the name
in the Trusted Host Name field (here we use lccn60-1WA) that will be registered on the
SiteMinder Policy Server during the setup procedure.
Figure 21. Trusted Host Name and Configuration Object screen
11. In the Host Configuration Object field, enter the name (here it’s Host_lccn60-1WA) created
on the SiteMinder Policy Server. Click Next.
12. On the next screen, enter the SiteMinder Policy Server IP address in the IP Address field,
click the Add button, and click Next (see figure 22).
Figure 22. Policy Server IP Address screen
13. Select the Web server(s) you wish to configure as Web Agents (see figure 23).
Figure 23. Select Web Servers screen
14. On the Agent Configuration Object screen (see figure 24), enter the Agent Configuration
Object that was created on the Policy Server (here it’s lccn60-1WA_conf).
Figure 24. Agent Configuration Object screen
15. Choose your SSL Authentication method and click Next.
16. Choose “No, I don’t want to configure Self Registration” and click Next.
17. Review the Web Server Configuration Summary, click Install to continue, and then click
Done to finish the installation.
4.2 Configure the SiteMinder WebAgent
There are two methods to configure the SiteMinder Web Agent: central agent configuration
and local agent configuration. If you are using central agent configuration, configure the
settings on the Policy Server; otherwise, the settings can be configured via the
LocalConfig.conf file, which resides in the <IHS_INSTALL_LOC>/conf folder.
4.2.1 Add SiteMinder cookie setting
1. To do this, set the proper CookieDomain value according to your environment:
# CookieDomain specifies the domain the SMSESSION cookie belongs to
CookieDomain="your-domain"
2. Ensure that the CookieDomain value conforms to RFC2109: the host name minus the domain
may not contain any dots. For example, assuming the server host name is saturn.cn.ibm.com,
the proper domain name should be .cn.ibm.com:
CookieDomain=".cn.ibm.com"
3. Set RequireCookies="NO". If you are using on ramps, for instance, Hanover, Office
plugin, or Portlet, you must set the RequireCookies setting to NO, so that SiteMinder Web
Agent doesn’t expect the SMCHALLENGE cookie for basic authentication.
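The following Python helper is an added example, not part of the white paper or of SiteMinder: it derives a CookieDomain from an IHS host name and checks a candidate value against the RFC 2109 rule quoted above (host minus domain contains no dots, and the domain itself has an embedded dot), so a mis-scoped SMSESSION cookie can be caught before the Web Agent is enabled. The host name saturn.cn.ibm.com is the paper's own example.

```python
# Added example (not from the white paper): derive and validate the SiteMinder
# CookieDomain for the SMSESSION cookie using the RFC 2109 rule the paper cites.


def cookie_domain_for(host: str) -> str:
    """Return the narrowest RFC 2109-valid CookieDomain for a host name.

    Strips exactly one leading label, so saturn.cn.ibm.com -> .cn.ibm.com.
    Raises ValueError when the host has too few labels to yield a domain
    with an embedded dot (RFC 2109 rejects ".com"-style domains).
    """
    labels = host.strip().lower().rstrip(".").split(".")
    if len(labels) < 3:
        raise ValueError(f"{host!r} is too short to derive a CookieDomain")
    return "." + ".".join(labels[1:])


def validate_cookie_domain(host: str, domain: str) -> bool:
    """Check a CookieDomain value against the host that sets SMSESSION.

    Rules applied:
      - the domain starts with a dot and has at least one embedded dot
        (".com" would scope the cookie to a whole top-level domain);
      - the host ends with the domain (otherwise the browser never returns
        the cookie to this server);
      - the host minus the domain contains no dots (the RFC 2109 rule the
        paper cites, so .ibm.com is too broad for saturn.cn.ibm.com).
    """
    host = host.strip().lower().rstrip(".")
    domain = domain.strip().lower()
    if not domain.startswith(".") or "." not in domain[1:]:
        return False
    if not host.endswith(domain):
        return False
    prefix = host[: -len(domain)]
    return prefix != "" and "." not in prefix


if __name__ == "__main__":
    host = "saturn.cn.ibm.com"  # the paper's example host
    derived = cookie_domain_for(host)
    print(f'CookieDomain="{derived}"')
    for candidate in (derived, ".ibm.com", ".com"):
        print(candidate, "ok" if validate_cookie_domain(host, candidate) else "REJECT")
```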
4.2.2 Configuring SiteMinder logout
Use these steps to configure the SiteMinder logout:
1. Set LogOffUri to enable SiteMinder logoff. When the Web Agent performs a full logoff, it
removes the session cookie from a user’s browser. The session cookie is also removed
from the local cookie domain and cookie provider domain, which you specify for SSO
environments. After clearing the cookies, the Web agent calls the Policy Server and
instructs it to remove any session information. At this point, the user is completely logged
off.
You can use any Lotus Connection feature to serve logout. For example, if Activities is
used to serve logout, you must set the LogOffUri settings to Activities logout URI
LogOffUri="/activities/service/html/ibm_security_logout".
Here is the full list of logout URI for all Lotus Connections features:
# LogOffUri="/activities/service/html/ibm_security_logout"
# LogOffUri="/blogs/ibm_security_logout"
# LogOffUri="/communities/communities/ibm_security_logout"
# LogOffUri="/dogear/ibm_security_logout"
# LogOffUri="/profiles/ibm_security_logout"
# LogOffUri="/homepage/web/ibm_security_logout"
2. Redirect logout request to SiteMinder LogOffUri. Since only one feature is chosen to
serve logout, if a user logs out in another feature, the HTTP server needs to redirect the
logout request to SiteMinder LogOffUri, to complete the full logout.
To do this, you must enable URL rewrite rules. The rewrite rules can be configured in the
IBM HTTP server configurations file named “httpd.conf” that resides in the
<IHS_INSTALL_LOC>/conf folder.
RewriteEngine On
RewriteCond %{REQUEST_URI} /(.*)/ibm_security_logout(.*)
RewriteCond %{QUERY_STRING} !=logoutExitPage=<your_logout_url>
RewriteRule /(.*)/ibm_security_logout(.*) <LogOffUri>?logoutExitPage=<your_logout_url> [noescape,L,R]
where <LogOffUri> is the URL that you selected in step 1. The client's browser will be
sent to <your_logout_url> after logging out of Lotus Connections. This URL could be your
corporate home page or the Lotus Connections login page.
Note that you must add these rules to both the HTTP and HTTPS entries.
For instance, if Activities is chosen to serve logout and your corporate home page is
http://www.acme.com, the rewrite rule will look like the following:
RewriteEngine On
RewriteCond %{REQUEST_URI} /(.*)/ibm_security_logout(.*)
RewriteCond %{QUERY_STRING} !=logoutExitPage=http://www.acme.com
RewriteRule /(.*)/ibm_security_logout(.*) /activities/service/html/ibm_security_logout?logoutExitPage=http://www.acme.com [noescape,L,R]
This means that all logout requests from Lotus Connections features are served by the
Activities feature, and users are all logged out via a unified logoutExitPage as specified in
RewriteRule.
NOTE: Multiple LogOffUri is not officially supported in SiteMinder, though it proves to work
during our tests. We DO NOT recommend using multiple LogOffUri in SiteMinder
configurations, but if you choose to do so, simply set the following settings in your
LocalConfig.conf file:
LogOffUri="/activities/service/html/ibm_security_logout"
LogOffUri="/blogs/ibm_security_logout"
LogOffUri="/communities/communities/ibm_security_logout"
LogOffUri="/dogear/ibm_security_logout"
LogOffUri="/profiles/ibm_security_logout"
LogOffUri="/homepage/web/ibm_security_logout"
4.2.3 Create rewrite rules to map Blogs URLs
In Lotus Connections, there are a couple of feeds in Blogs that cause SiteMinder issues,
namely, the following:
/blogs/(.*)/feed/entries/atom
/blogs/(.*)/feed/comments/atom
/blogs/(.*)/feed/tags/atom
/blogs/(.*)/api
where the (.*) is replaced by the user’s login name because SiteMinder cannot handle
wildcards. To protect these URLs correctly, the following URL rewrite rules must be enabled in
the IBM HTTP Server configurations file httpd.conf that resides in the
<IHS_INSTALL_LOC>/conf folder. With the URL rewrite rules, the correct authentication is
applied:
RewriteRule ^/blogs/(.*)/feed/entries/atom(.*) /blogs/roller-ui/rendering/feed/$1/entries/atom/ [R,L]
RewriteRule ^/blogs/(.*)/feed/comments/atom(.*) /blogs/roller-ui/rendering/feed/$1/comments/atom/ [R,L]
RewriteRule ^/blogs/(.*)/feed/tags/atom(.*) /blogs/roller-ui/rendering/feed/$1/tags/atom/ [R,L]
RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
NOTE: Be sure to enable the URL rewrite rules for both HTTP and HTTPS.
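The following Python script is an added example, not part of the white paper or of IBM HTTP Server: it simulates the logout rewrite rules of Section 4.2.2 and the Blogs feed rewrite rules of Section 4.2.3 so the redirect targets can be checked before the rules go into httpd.conf. It uses the paper's Activities LogOffUri and http://www.acme.com exit page; the user name jdoe is a constructed sample.

```python
# Added example (not from the white paper): simulate the httpd.conf rewrite
# rules from sections 4.2.2 and 4.2.3 on sample request URIs.
import re
from typing import Optional

# Values from the paper's Activities example (section 4.2.2).
LOGOFF_URI = "/activities/service/html/ibm_security_logout"
EXIT_URL = "http://www.acme.com"

# mod_rewrite patterns are regex searches, so an unanchored pattern matches
# anywhere in the URI, exactly as re.search does below.
LOGOUT_PATTERN = re.compile(r"/(.*)/ibm_security_logout(.*)")

# Section 4.2.3: map per-user Blogs feed URLs to the roller-ui rendering URLs
# ($1 in RewriteRule corresponds to \1 in Python's replacement string).
BLOG_FEED_RULES = [
    (re.compile(r"^/blogs/(.*)/feed/entries/atom(.*)"),
     r"/blogs/roller-ui/rendering/feed/\1/entries/atom/"),
    (re.compile(r"^/blogs/(.*)/feed/comments/atom(.*)"),
     r"/blogs/roller-ui/rendering/feed/\1/comments/atom/"),
    (re.compile(r"^/blogs/(.*)/feed/tags/atom(.*)"),
     r"/blogs/roller-ui/rendering/feed/\1/tags/atom/"),
]


def rewrite_logout(request_uri: str, query_string: str = "") -> Optional[str]:
    """Return the redirect target for a feature logout request, or None.

    Mirrors:
      RewriteCond %{REQUEST_URI} /(.*)/ibm_security_logout(.*)
      RewriteCond %{QUERY_STRING} !=logoutExitPage=<EXIT_URL>
      RewriteRule /(.*)/ibm_security_logout(.*) <LOGOFF_URI>?logoutExitPage=<EXIT_URL> [noescape,L,R]
    The LogOffUri itself matches the first condition, so the second
    condition is what stops the browser from being redirected in a loop
    once the request already carries logoutExitPage.
    """
    if not LOGOUT_PATTERN.search(request_uri):
        return None
    if query_string == f"logoutExitPage={EXIT_URL}":
        return None
    return f"{LOGOFF_URI}?logoutExitPage={EXIT_URL}"


def rewrite_blog_feed(request_uri: str) -> Optional[str]:
    """Return the roller-ui rendering URL for a per-user Blogs feed, or None.

    Only the first matching rule fires ([L] flag); already-rewritten
    roller-ui URLs match none of the patterns, so there is no loop.
    """
    for pattern, replacement in BLOG_FEED_RULES:
        if pattern.match(request_uri):
            return pattern.sub(replacement, request_uri, count=1)
    return None


if __name__ == "__main__":
    # Constructed sample requests; jdoe is a made-up login name.
    for uri, qs in [("/blogs/ibm_security_logout", ""),
                    (LOGOFF_URI, f"logoutExitPage={EXIT_URL}"),
                    ("/blogs/home", "")]:
        print(f"{uri}?{qs} -> {rewrite_logout(uri, qs)}")
    for uri in ["/blogs/jdoe/feed/entries/atom",
                "/blogs/jdoe/feed/tags/atom",
                "/blogs/roller-ui/rendering/feed/jdoe/entries/atom/"]:
        print(f"{uri} -> {rewrite_blog_feed(uri)}")
```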
5 Install and configure SiteMinder ASA
SiteMinder ASA is installed on WebSphere Application Server to secure more fine-grained
objects such as servlets, JavaServer Pages (JSPs), or Enterprise Java™ Bean (EJB)
components, which could comprise a full-fledged distributed application.
Note that this paper is based on SiteMinder ASA 6.0 Agent for WebSphere Application Server
with CR0006 Hotfix. For other versions, please refer to the SiteMinder Web Agent’s
documentation.
5.1 Install SiteMinder ASA
NOTE: In a clustered environment, the SiteMinder ASA should be installed on each WebSphere
Application Server node. Also, before the installation, ensure the correct JCE policy files are
copied to the WebSphere Application Server because the Agent must use Java Unlimited
Cryptography, or else Host Registration will fail. Now, follow these steps:
1. Launch the installation wizard and accept the License Agreement.
2. Choose the Install location. If Install Directory does not exist, click “Yes, Continue” to
create a new one.
3. Choose the folder in which WebSphere Application Server 6.0 (or other version) is
installed.
4. Click Install, and choose “Yes, create trusted host” to create trusted host.
5. Enter the Host Registration information (see figure 25):
Policy Server IP Address: The IP Address of your SiteMinder Policy Server.
SM Admin Username: Can be obtained from the Administrator of your SiteMinder Policy
Server.
SM Admin Password: Can be obtained from the Administrator of your SiteMinder Policy
Server.
Host Name: The name of the Host you want to register.
Host Config Object: Created on the Policy Server.
Figure 25. Host Registration screen
6. In the next screen (see figure 26), enter the name for the Agent configuration object name
(this is created on the Policy Server).
7. Restart the system to complete the installation.
Figure 26. Agent Configuration screen
5.2 Configure the ASA for WebSphere Application Server
1. Copy the smagent.properties file from the ASA installation \conf folder over to the
WebSphere Application Server profile properties folder, for example,
c:\program files\IBM\websphere\appserver\appsvr01\properties.
2. Ensure that your system PATH includes the ASA's bin directory (typically
c:\smwasasa\bin).
3. Start the WebSphere Administration Console, if not already running, and do the following:
a. Select Security > Secure administration, applications, and infrastructure.
b. Expand Web Security and click Trust Association.
c. Put a check next to Enable Trust Association and click Apply.
d. Click Interceptors and delete those you don’t require.
e. On the Interceptors page, click New.
f. Enter the following SiteMinder ASA class name next to Interceptor Classname and
click Apply:
com.netegrity.siteminder.websphere.auth.SmTrustAssociationInterceptor
g. Save the changes to the master configuration by clicking Save on the next two
screens.
h. Log out of the Administration Console.
6 Update AJAX proxy configurations
To support access to the SiteMinder protected URL through the Ajax proxy, the proxy must be
configured to pass along the SiteMinder authentication token. The following declaration should
be added to pass SMSESSION cookie:
<proxy:cookies>
<proxy:cookie>JSESSIONID</proxy:cookie>
<proxy:cookie>SMSESSION</proxy:cookie>
</proxy:cookies>
1. To make this change to the proxy configuration file (proxy-config.xml; see table 4 below to
determine whether a feature uses this file), open a command window and start the
wsadmin command line tool.
2. Then use the following commands to access the Connections configuration and check out
the proxy configuration file:
execfile("connectionsConfig.py")
LCConfigService.checkOutProxyConfig("<working-directory>", "<cell-name>")
where <working-directory> is a temporary directory of your choice and <cell-name> is the
name of the cell where the Connections feature using the global proxy file is located.
3. Edit the file in the working directory to add the SMSESSION cookie as described above and
then check in the file, using the following command:
LCConfigService.checkInProxyConfig("<working-directory>", "<cell-name>")
You can find the proxy configuration file for each feature in table 4.
Table 4. Proxy configuration file location for each Connections feature
7 Enable SiteMinder for Lotus Connections
Finally, after all the configurations are set properly, you are ready to enable SiteMinder for
your Lotus Connections environment. To do this, follow these steps:
1. In the Local WebAgent Configuration file (WebAgent.conf) of the SiteMinder WebAgent
that has been configured with your HTTP server, set the EnableWebAgent parameter to
"YES".
2. In the Local WebAgent Configuration file (called ASAAgent-Assertion.conf and typically
located in c:\smwasasa\conf) of the SiteMinder ASA that has been configured with your
server, set the EnableWebAgent parameter to "YES".
3. Restart all HTTP servers and WebSphere Application Server.
8 Troubleshooting
Let’s now identify some common issues and how to address them.
Issue: Web Agent registration fails on Microsoft® Windows® 2000.
Solution: This is an operating-system-specific case. On Microsoft Windows 2000, add the
following value to the Registry so that the SiteMinder Web Agent can read the HTTP server's
installPath and complete its registration (see figure 27):
Name: installPath (1)
Type: REG_SZ
Data: equal to the Data of variable "installPath"
Figure 27. Registry Editor
Issue: SiteMinder login pages show up in email notifications.
Lotus Connections retrieves email notification templates via HTTP from the deployed servers,
so the notification template URLs must be set as Unprotected in the SiteMinder configuration.
The notification templates contain no sensitive data, so leaving them unprotected exposes nothing.
Solution: Check the URLs listed in Section 3.3 and make sure they are configured as
Unprotected.
Issue: User cannot log in when WPI or WCI is enabled.
When WPI or WCI is enabled, Lotus Connections uses WPI/WCI to get user or group
information. However, WPI/WCI works independently of the J2EE Web container and is not able
to pass along SiteMinder security tokens, so the URLs serving WPI/WCI need to be set as
Unprotected in the SiteMinder configuration. This does not leave them open: Lotus Connections
rejects direct access to these two URLs unless a Lightweight Third-Party Authentication (LTPA)
token is provided.
Solution: Check the URLs /profiles/dsx for WPI and /communities/dsx for WCI and ensure they
are configured as Unprotected.
Issue: Microsoft Office plug-in doesn’t work with SiteMinder environment.
When the SiteMinder RequireCookies configuration parameter is set to YES, the SiteMinder
agent expects to see the SMCHALLENGE cookie when doing basic authentication. The Office
plug-in is not able to accept that cookie, which the SiteMinder agent returns along with an
HTTP 401 response, so the plug-in never gets past the challenge.
Solution: For the Office plug-in to work with SiteMinder, make sure the RequireCookies
parameter is set to “NO”.
Issue: A Lotus Connections feature fails to load feed data from other features.
In Connections features, there are widgets that load feed data from other features, and the
AjaxProxy is used to proxy the feed-load request so that the browser's same-origin policy does
not block the cross-site request.
Solution: To work with the SiteMinder environment, the AjaxProxy must be configured to pass
along SiteMinder security token SMSESSION. Thus, correct the AjaxProxy configuration for
the problematic feature, as described in Section 6 above.
Issue: Blogs page footer is replaced by SiteMinder login page.
Blogs includes the page footer via HTTP from the deployed server, and the backend has no
knowledge of the SiteMinder security token, so the footer URL must be configured as
Unprotected. This issue is expected to be fixed in a subsequent release.
Solution: Check the SiteMinder configuration and set /blogs/nav/footer.html as Unprotected.
Issue: The Navigation Bar fails to show the logged-in user’s name and instead
displays the Logout link when viewed with Microsoft Internet Explorer.
The Blogs and Dogear Connections features may exhibit this behavior if there are “too many”
cookies or if the overall cookie size exceeds 4,096 bytes. This can be exacerbated by the
presence of the SMSESSION cookie and the WebSphere LTPA cookies. More details on this
IE limitation may be found here: http://support.microsoft.com/kb/306070.
Solution: Reduce the number of cookies in use. One possible approach is to ensure
WebSphere is not configured for backward compatibility for LTPA (remove the use of
LtpaToken and only use LtpaToken2). For further details, refer to the IBM WebSphere
Application Server information center.
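The advice to reduce the number of cookies is easier to act on if you can measure what the browser is actually sending. The following Python script is an added example (not from the paper or the product): it parses a Cookie request header, sums the bytes against the 4,096-byte figure cited above, lists the largest cookies, and shows how much the header shrinks when the legacy LtpaToken is dropped in favour of LtpaToken2 alone. The sample header is constructed, with padded values standing in for real SMSESSION and LTPA tokens; the per-domain cookie-count limit of 20 is the figure commonly quoted for Internet Explorer of that era and is an assumption here.

```python
"""Measure a Cookie request header against the Internet Explorer limits
discussed above.  Example code, not part of the paper or the product."""

IE_MAX_COOKIE_BYTES = 4096  # overall cookie size figure cited on the page
IE_MAX_COOKIES = 20         # per-domain count limit, assumed for IE of the time

# Constructed header: SMSESSION plus both LTPA cookies, as seen when WebSphere
# runs with LTPA backward compatibility on.  Values are padding, not real tokens.
SAMPLE_COOKIE_HEADER = (
    "JSESSIONID=0000" + "a" * 40 + "; "
    "SMSESSION=" + "b" * 2000 + "; "
    "LtpaToken=" + "c" * 1200 + "; "
    "LtpaToken2=" + "d" * 1300
)


def parse_cookie_header(header):
    """Split a Cookie header into (name, value) pairs, ignoring empty segments."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value))
    return pairs


def cookie_budget(header, limit_bytes=IE_MAX_COOKIE_BYTES, limit_count=IE_MAX_COOKIES):
    """Size each cookie as sent on the wire and flag the header if it breaks a limit."""
    pairs = parse_cookie_header(header)
    sizes = {name: len(name) + 1 + len(value) for name, value in pairs}  # name=value
    total = sum(sizes.values()) + 2 * max(len(pairs) - 1, 0)             # "; " separators
    return {
        "count": len(pairs),
        "total_bytes": total,
        "over_limit": total > limit_bytes or len(pairs) > limit_count,
        "largest": sorted(sizes, key=sizes.get, reverse=True)[:3],
        "sizes": sizes,
    }


def without_legacy_ltpa(header):
    """The header as it would look with LTPA backward compatibility off (no LtpaToken)."""
    kept = [(n, v) for n, v in parse_cookie_header(header) if n != "LtpaToken"]
    return "; ".join(n + "=" + v for n, v in kept)


if __name__ == "__main__":
    before = cookie_budget(SAMPLE_COOKIE_HEADER)
    after = cookie_budget(without_legacy_ltpa(SAMPLE_COOKIE_HEADER))
    print("with LtpaToken:", before["total_bytes"], "bytes, over limit:", before["over_limit"])
    print("largest cookies:", before["largest"])
    print("LtpaToken2 only:", after["total_bytes"], "bytes, over limit:", after["over_limit"])
```

Paste the Cookie header captured from the browser (an HTTP trace or the developer tools of the time) in place of the constructed sample; the "largest" list tells you which cookie to attack first, and in the sample the SMSESSION cookie alone is about half the budget, which is why the LTPA pair tips it over.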
Issue: There is no Delete Action available when a user creates the Rules in
SiteMinder.
Solution: The SiteMinder WebAgent has only the Get, Post, and Put Actions available by
default. To add the Delete Action, follow these steps:
1. Log in to the SiteMinder Administration Console.
2. Click the View menu and select the Agent Types menu option.
3. Select the Agent Types option that is now available in the Systems pane.
4. Double-click the Web Agent in the Agent Type list.
5. In the Agent Type Properties dialog box that appears, click the Create button.
6. Type Delete in the New Agent Action dialog, and click OK.
7. Click OK again; the new Action will be saved and available now in the Rules dialog.
9 Conclusion
This paper has provided detailed instructions on how to integrate Netegrity SiteMinder 6.0 with
Lotus Connections, focusing on the special configurations for different components of Lotus
Connections on both the Policy Server side and Agent side.
10 Resources
• Lotus Connections developerWorks product page
• Lotus Connections documentation page
• CA SiteMinder Web Access Manager
• WebSphere Application Server information center
11 About the authors
Xin BJ Xu is a Software Engineer from the Lotus Connections System Verification Test (SVT)
team at IBM China Software Development Lab in Beijing. You can reach him at
[email protected].
Xiao Feng Yu is a Staff Software Engineer with rich Web solutions experience, working at the
IBM China Software Development Lab in Shanghai. You can reach him at
[email protected].
Patrick Curtin, an expert in the SiteMinder area, is a WPLC Test Infrastructure Engineer from
IBM Software Group in Dublin, Ireland. You can reach him at [email protected].
Trademarks
• Domino, IBM, Lotus, and WebSphere are trademarks or registered trademarks of IBM
Corporation in the United States, other countries, or both.
• Windows and Windows 2000 are registered trademarks of Microsoft Corporation in the
United States, other countries, or both.
• Java and all Java-based trademarks and logos are trademarks or registered trademarks of
Sun Microsystems, Inc. in the United States, other countries, or both.
• Other company, product, and service names may be trademarks or service marks of
others.