Integrating CA (formerly Netegrity) SiteMinder 6.0 with IBM® Lotus® Connections 2.0
Xin BJ Xu, IBM Software Group, WPLC, Beijing, China
Xiao Feng Yu, IBM Software Group, WPLC, Staff Software Engineer, Shanghai, China
Patrick Curtin, IBM Software Group, WPLC, Test Infrastructure Engineer, Dublin, Ireland
October 2008

© Copyright International Business Machines Corporation 2008. All rights reserved.

Abstract: This white paper provides step-by-step instructions on how to integrate CA (formerly Netegrity) SiteMinder 6.0 with IBM® Lotus® Connections 2.0 to provide your users with the security of a single sign-on environment.

Contents
1 Introduction
2 Create Configuration objects on SiteMinder Policy Server
  2.1 Create objects for WebAgent
    2.1.1 Create the Web Agent objects
    2.1.2 Create an Agent Conf Object
    2.1.3 Create a Host Conf Object
  2.2 Create Objects for SiteMinder ASA
    2.2.1 Create SiteMinder ASA objects
    2.2.2 Create an Agent Conf Object
    2.2.3 Create a Host Conf Object
  2.3 Create a User Directory
  2.4 Create an Authentication Scheme
3 Configure the Domains
  3.1 Define a Domain for the WebAgent
  3.2 Define a Domain for the ASA
  3.3 Define the Realm Definitions for both Domains
  3.3 Define Rules for the Realms
  3.4 Create a Policy for the Domain
4 Install and configure SiteMinder WebAgent
  4.1 Install the SiteMinder WebAgent
  4.2 Configure the SiteMinder WebAgent
    4.2.1 Add SiteMinder cookie setting
    4.2.2 Configuring SiteMinder logout
    4.2.3 Create rewrite rules to map Blogs URLs
5 Install and configure SiteMinder ASA
  5.1 Install SiteMinder ASA
  5.2 Configure the ASA for WebSphere Application Server
6 Update AJAX proxy configurations
7 Enable SiteMinder for Lotus Connections
8 Troubleshooting
9 Conclusion
10 Resources
11 About the authors

1 Introduction

IBM Lotus Connections is social software for business that empowers you to be more innovative and helps you execute more quickly by using dynamic networks of coworkers, partners, and customers. Computer Associates (formerly Netegrity) SiteMinder is a Web access control product providing Web single sign-on (SSO), centralized policy management for authentication, authorization, and auditing, and user entitlement.

This white paper describes how to integrate SiteMinder 6.0 (hereafter called “SiteMinder”) with Lotus Connections 2.0 to provide your users with the security of an SSO environment.

Figure 1 shows a sample Lotus Connections 2.0 cluster deployment environment, in which lccn60-1 is the IBM WebSphere® Application Server Network Deployment Manager (DM), SM is SiteMinder, and lccn61-1 and lccn60-2 are the two nodes. For the IBM HTTP Server (IHS), assume it is also installed on lccn60-1.

Figure 1. Cluster environment topology

Here the SiteMinder Web Agent is hosted on the IHS, lccn60-1, and the SiteMinder Application Server Agent (ASA) is hosted on all three Application servers: lccn60-1, lccn60-2, and lccn61-1.
Note that lccn60-1 is used as the example for SiteMinder ASA configuration throughout this paper.

To configure SiteMinder to work with your Lotus Connections 2.0 environment, we must first create Configuration objects on the SiteMinder Policy Server and then, for the Lotus Connections environment, we will:
1. Configure the Domains and Realms on the SiteMinder Policy Server.
2. Install and configure the SiteMinder WebAgent.
3. Install and configure the ASA.
4. Update common Ajax proxy configuration files.
5. Enable the SiteMinder WebAgent and ASA.

The specific configuration we are using is:
• SiteMinder Policy Server v6.0 SP5
• SiteMinder ASA 6.0 Agent for WebSphere Application Server with CR0006 Hotfix
• SiteMinder WebAgent v6qmr5-cr011

NOTE: Be sure you are using SiteMinder ASA 6.0 with all the latest updates applied to all SiteMinder components.

2 Create Configuration objects on SiteMinder Policy Server

You need to create and configure many Policy Server objects when working with the SiteMinder Policy Server. Some objects represent connections to existing network entities, and the others represent groupings of resources and policies that determine entitlements to those resources.

2.1 Create objects for WebAgent

2.1.1 Create the Web Agent objects
1. To create an Agent, right-click the icon under System Configuration on the System tab of the left-hand pane of the console. Select “Create Agent”; the dialog box in figure 2 displays.

Figure 2. SiteMinder Agent Properties dialog

2. Fill in the *Name and Description fields with “lccn60-1WA” and “Lotus Connections 2.0”, respectively, ensuring the *Name field contains a unique value not used previously for an existing agent on the server.
3. Click OK to save and close.

2.1.2 Create an Agent Conf Object

The IBM HTTP Server is Apache based, and for Apache-based products it is recommended that you create a duplicate of the existing ApacheDefaultSettings Agent Conf Object on the Policy Server and modify the duplicate as appropriate.
To do this, follow these steps:
1. To create an Agent Conf object for your HTTP Server, click the icon under System Configuration on the System tab of the left-hand pane of the console.
2. Right-click the “ApacheDefaultSettings” Agent Conf object in the Agent Conf Object List in the right-hand pane of the console and select Duplicate Configuration Object. The dialog box in figure 3 displays.

Figure 3. Agent Configuration Object Properties dialog

3. Enter a unique name, for example, lccn60-1WA_conf, for the object in the *Name field.
4. Then, in the Configuration Values section, set the following parameters to the values below, or to the appropriate value for your server, by clicking each parameter and clicking the Edit button:
   • DefaultAgentName: the name given to the agent created in the step above
   • AllowLocalConfig: Set to Yes
   • CssChecking: Set to No
   • BadUrlChars: remove // and /, %00-%1f, %7f-%ff, and %25 from the default list of Bad URL Characters
   All other parameters can be left as default. Note that CssChecking and BadUrlChars are the Web Agent’s own URL-filtering controls, so relaxing them as above means the agent no longer rejects requests containing those characters; that checking is then left to the application.
5. Click OK to save and close.

2.1.3 Create a Host Conf Object

First, it is recommended that you create a duplicate of the existing DefaultHostSettings Host Conf Object on the Policy Server and modify the duplicate as appropriate. Then, to create a Host Conf object for your HTTP Server, follow these steps:
1. Click the icon under System Configuration on the System tab of the left-hand pane of the console.
2. Right-click the existing Host Conf object in the Host Conf Object List in the right-hand pane of the console and select Duplicate Configuration Object. The dialog box in figure 4 displays.

Figure 4. Host Config Object Properties dialog

3. Enter a unique name and description (optional).
4. Edit the Parameter Value #Policy Server, removing the “#” sign from the front of the parameter name and entering the IP address of your Policy Server in the appropriate place in the value field.
5. Click OK to save and close.
2.2 Create Objects for SiteMinder ASA

2.2.1 Create SiteMinder ASA objects
1. To create an Agent, right-click the icon under System Configuration on the System tab of the left-hand pane of the console. Select Create Agent; the dialog box in figure 5 displays.

Figure 5. Agent Properties dialog

2. Fill in the *Name and Description fields with “lccn60-1ASA” and “Lotus Connections 2.0,” respectively, as shown in the figure, ensuring the *Name field contains a unique value not used previously for an existing agent on the server.
3. Click OK to save and close.

2.2.2 Create an Agent Conf Object

To create an Agent Conf object for your Application Server:
1. Click the icon under System Configuration on the System tab of the left-hand pane of the console.
2. Right-click the IISDefaultSettings Conf object in the Agent Conf Object List in the right-hand pane of the console. Select “Duplicate Configuration Object”; the dialog box in figure 6 displays.

Figure 6. Agent Configuration Object Properties dialog

3. Enter a unique name for the object, for example, lccn60-1ASA_conf, in the *Name field.
4. Then, in the Configuration Values section, set the following parameters to the values below, or to the appropriate value for your server, by clicking each parameter and clicking the Edit button:
   a. DefaultAgentName: the name given to the agent created in the step above
   b. AssertionAuthResource: Set to /siteminderassertion
   c. AssertbyUserID: Set to true
5. Click OK to save and close.

2.2.3 Create a Host Conf Object

To create a Host Conf object for your HTTP Server:
1. Click the icon under System Configuration on the System tab of the left-hand pane of the console.
2. Right-click the existing Host Conf object in the Host Conf Object List in the right-hand pane of the console and select Duplicate Configuration Object; the dialog box in figure 7 displays.

Figure 7. Host Configuration Object Properties dialog

3. Enter a unique name, for example, Host_lccn60-1ASA, and description (optional) in the respective fields.
4. Click OK to save and close.

2.3 Create a User Directory

SiteMinder uses an LDAP directory or a database to authenticate users who access its configurations. Configuring access to an LDAP User Directory on the Policy Server is required so that the policy you set up for your Lotus Connections server can access and use the appropriate LDAP server to authenticate your Lotus Connections users.

NOTE: The Lotus Connections server must be configured to use the same LDAP repository (or at least an LDAP repository that contains the same user information) as the LDAP repository accessed by the SiteMinder Policy Server.

To create a User Directory, follow these steps:
1. Right-click the icon under System Configuration on the System tab of the left-hand pane of the console and select Create User Directory. The dialog box in figure 8 displays.

Figure 8. User Directory Properties dialog

2. Enter a unique name and description (optional) in the *Name and Description fields.
3. Set the *Namespace field to LDAP, and enter the fully qualified host name of your LDAP server in the *Servername field.
4. Fill in the LDAP Search and LDAP User DN Lookup fields as appropriate for your LDAP users.
5. Click OK to save and close.

NOTE: Depending on your particular LDAP server configuration, you may also need to add Required Credentials on the Credentials and Connection tab in order for the Policy Server to be able to bind to your LDAP server. Also, if you want to use “mail” as a login attribute, you can modify the “LDAP User DN Lookup” parameters.

2.4 Create an Authentication Scheme

To create an Authentication Scheme:
1. Right-click the icon under System Configuration on the System tab of the left-hand pane of the console and select Create Authentication Scheme. The dialog box in figure 9 displays.

Figure 9. Authentication Scheme Properties dialog

2. Enter a unique name, for example, lccn60-1_Scheme, and description (optional) in the fields provided.
3. Select “HTML Form Template” from the Authentication Scheme Type drop-down box.
4. Enter the Fully Qualified Domain Name of your Web server in the Web Server Name field.
5. Click OK to save and close.

3 Configure the Domains

A policy domain is a logical grouping of resources associated with one or more user directories. Policy domains contain realms, rules, responses, and policies. The resources in a policy domain can be grouped in one or more realms, where a realm is a set of resources with a common security requirement. Access to resources is controlled by rules, which are associated with the realm that contains the resource.

3.1 Define a Domain for the WebAgent
1. On the SiteMinder Policy Server, select Create Domain (see figure 10).

Figure 10. Create Domain

2. Enter a unique name (for example, lccn60-1WA_Domain) and description (optional) in the fields provided (see figure 11).
3. From the drop-down list at the bottom of the dialog, select the User Directory that you will use in this Domain, and click the Add button to add it to the User Directories tab.

Figure 11. Domain Properties dialog

3.2 Define a Domain for the ASA

On the SiteMinder Policy Server, select Create Domain and enter a unique name (for example, lccn60-1ASA_Domain) and description (optional) in the fields provided. Note that you don’t need to select a User Directory for this domain.

3.3 Define the Realm Definitions for both Domains

To define Realm Definitions for the WebAgent Domain:
1. Right-click the domain you created for the WebAgent and select Create Realm. Figure 12 shows an example of a realm defined for the resource “/blogs/atom”.

Figure 12. Realm Properties dialog

2. Enter a unique name (for example, AtomBlogs) and description (optional) for the Realm.
3. On the Resource tab, in the Agent field, enter the name of the agent that you created in Section 2.1 (here it’s lccn60-1wa), or select it from the Lookup listing.
4. Define the Resource Filter as “/blogs/atom”.
5. Set the Default Resource Protection option to “Protected”.
6. Leave all other fields on the Resource, Session, and Advanced tabs as default.
7. The only Realm that needs an extra change is the Realm that has the Protected Resource “/”. For this Realm, set the Authentication Scheme to the HTML Forms scheme you created earlier.

The realms in tables 1 and 2 must be defined for your Lotus Connections environment:

Table 1. Realms with Protected setting

Table 2. Realms with Unprotected setting

Note that these resources are set as Unprotected due to the nature of the notification code, the Waltz-Profiles Integration (WPI) / Waltz-Communities Integration (WCI) URLs, and the API Service Descriptions URLs.

To define Realm Definitions for the ASA Domain:
1. Right-click the domain you created for the ASA and select Create Realm; a dialog similar to that in figure 13 appears.

Figure 13. Realm Properties dialog

2. Enter a unique name and description (optional) for the Realm.
3. In the Agent field on the Resource tab, enter the name of the agent that you created for the ASA in Section 2.2 (here it’s lccn60-1asa), or select it from the Lookup listing.
4. Define the Resource Filter as “/siteminderassertion”.
5. Set the Default Resource Protection option to Protected or Unprotected.
6. Leave all other fields on the Resource, Session, and Advanced tabs as default.

3.3 Define Rules for the Realms

Now you must define the rules in table 3 for each Protected Realm created for the WebAgent. To do this, right-click each protected Realm that was created above and select "Create Rule under Realm".

Table 3. Rule definitions

Rule 1 (see figure 14)
   *Name: GetPost Rule
   Realm: (whatever realm you are working with)
   Resource: *
   Action: Web Agent actions -> Get,Post,Put,Delete
   When this Rule fires: Allow Access
   Enable or Disable this Rule: Enabled

Rule 2 (see figure 15)
   *Name: OnAuthAccept Rule
   Realm: (whatever realm you are working with)
   Resource: *
   Action: Authentication events -> OnAuthAccept
   When this Rule fires: Allow Access
   Enable or Disable this Rule: Enabled

Figure 14. Example Rule 1

Figure 15. Example Rule 2

Note that no rules are required for the ASA's Realm.

3.4 Create a Policy for the Domain

Now define a Policy to control the domain (the Policy for the Web Agent, for example):
1. Right-click Policies, under the domain that was created above, and select "Create Policy"; you should see the dialog box shown in figure 16.

Figure 16. Policy Properties dialog

2. Enter a unique name for the object in the *Name field.
3. Click the Add/Remove button and, from the dialog that follows, add the Users/Groups/Organizations that will be allowed access to your Lotus Connections environment. In figure 16 above, the entire Organization has been added, so all users under this Organization in the LDAP will be allowed access.
4. Select the Rules tab (see figure 17).

Figure 17. Rules tab

5. Click the Add/Remove Rules button to get the window shown in figure 18, and add the rules you created above.
6. Click OK to save the Policy.

Figure 18. Available Rules window

4 Install and configure SiteMinder WebAgent

The SiteMinder Web Agent is installed on the Lotus Connections HTTP server. It controls access to Web content and delivers a user's security context, managed by eTrust SiteMinder, directly to any Web application being accessed by the user. For Web servers, the Web Agent integrates through each Web server’s extension API, intercepts all requests for resources (URLs), and determines whether each resource is protected by eTrust SiteMinder.
NOTE: These instructions are based on SiteMinder WebAgent v6qmr5-cr011. For other versions, refer to the SiteMinder Web Agent’s documentation.

4.1 Install the SiteMinder WebAgent

To install the WebAgent:
1. Launch the Installation panel and accept the License Agreements.
2. Read the Important Information and click Next.
3. Choose the Install Directory.
4. In the Choose Shortcut Folder screen, you can keep the default setting of “SiteMinder” (see figure 19).

Figure 19. Choose Shortcut Folder screen

5. Review the Install information.
6. Install the WebAgent and restart the system to complete the installation.
7. After restart, choose “Programs > SiteMinder > Web Agent Configuration Wizard” to launch the Host Registration panel.
8. Choose “Yes” to continue the Host Registration.
9. Fill in the Admin User Name, Admin Password, and Confirm Admin Password fields (see figure 20).

Figure 20. Admin Registration screen

10. In the Trusted Host Name and Configuration Object screen (see figure 21), enter the name in the Trusted Host Name field (here we use lccn60-1WA) that will be registered on the SiteMinder Policy Server during the setup procedure.

Figure 21. Trusted Host Name and Configuration Object screen

11. In the Host Configuration Object field, enter the name (here it’s Host_lccn60-1WA) created on the SiteMinder Policy Server. Click Next.
12. On the next screen, enter the SiteMinder Policy Server IP address in the IP Address field, click the Add button, and click Next (see figure 22).

Figure 22. Policy Server IP Address screen

13. Select the Web server(s) you wish to configure as Web Agents (see figure 23).

Figure 23. Select Web Servers screen

14. On the Agent Configuration Object screen (see figure 24), enter the Agent Configuration Object that was created on the Policy Server (here it’s lccn60-1WA_conf).

Figure 24. Agent Configuration Object screen

15. Choose your SSL Authentication method and click Next.
16. Choose “No, I don’t want to configure Self Registration” and click Next.
17. Review the Web Server Configuration Summary, click Install to continue, and then click Done to finish the installation.

4.2 Configure the SiteMinder WebAgent

There are two methods to configure the SiteMinder Web Agent: central agent configuration and local agent configuration. If you are using central agent configuration, configure the settings on the Policy Server; otherwise, the settings can be configured via the LocalConfig.conf file, which resides in the <IHS_INSTALL_LOC>/conf folder.

4.2.1 Add SiteMinder cookie setting
1. Set the proper CookieDomain value according to your environment:

    # CookieDomain specifies the domain the SMSESSION cookie belongs to
    CookieDomain="your-domain"

2. Ensure that the CookieDomain value conforms to RFC 2109: the host name minus the domain may not contain any dots. For example, assuming the server host name is saturn.cn.ibm.com, the proper domain name should be .cn.ibm.com:

    CookieDomain=".cn.ibm.com"

3. Set RequireCookies="NO". If you are using on-ramps, for instance, Hanover, the Office plug-in, or a Portlet, you must set RequireCookies to NO so that the SiteMinder Web Agent doesn’t expect the SMCHALLENGE cookie for basic authentication.

4.2.2 Configuring SiteMinder logout

Use these steps to configure the SiteMinder logout:
1. Set LogOffUri to enable SiteMinder logoff. When the Web Agent performs a full logoff, it removes the session cookie from a user’s browser. The session cookie is also removed from the local cookie domain and cookie provider domain, which you specify for SSO environments. After clearing the cookies, the Web Agent calls the Policy Server and instructs it to remove any session information. At this point, the user is completely logged off. You can use any Lotus Connections feature to serve logout.
For example, if Activities is used to serve logout, you must set LogOffUri to the Activities logout URI:

    LogOffUri="/activities/service/html/ibm_security_logout"

Here is the full list of logout URIs for all Lotus Connections features:

    # LogOffUri="/activities/service/html/ibm_security_logout"
    # LogOffUri="/blogs/ibm_security_logout"
    # LogOffUri="/communities/communities/ibm_security_logout"
    # LogOffUri="/dogear/ibm_security_logout"
    # LogOffUri="/profiles/ibm_security_logout"
    # LogOffUri="/homepage/web/ibm_security_logout"

2. Redirect logout requests to the SiteMinder LogOffUri. Since only one feature is chosen to serve logout, if a user logs out in another feature, the HTTP server needs to redirect the logout request to the SiteMinder LogOffUri to complete the full logout. To do this, you must enable URL rewrite rules. The rewrite rules can be configured in the IBM HTTP Server configuration file named “httpd.conf” that resides in the <IHS_INSTALL_LOC>/conf folder:

    RewriteEngine On
    RewriteCond %{REQUEST_URI} /(.*)/ibm_security_logout(.*)
    RewriteCond %{QUERY_STRING} !=logoutExitPage=<your_logout_url>
    RewriteRule /(.*)/ibm_security_logout(.*) <LogOffUri>?logoutExitPage=<your_logout_url> [noescape,L,R]

where <LogOffUri> is the URL that you selected in step 1. The client's browser will be sent to <your_logout_url> after logging out of Lotus Connections. This URL could be your corporate home page or the Lotus Connections login page. Note that you must add these rules to both the HTTP and HTTPS entries.
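As an added check (not part of the white paper), the following Python parses a LocalConfig.conf fragment and verifies the three settings from Section 4.2: the CookieDomain rule of 4.2.1 step 2, RequireCookies="NO" from 4.2.1 step 3, and a single LogOffUri from 4.2.2 step 1. The configuration text is constructed; saturn.cn.ibm.com is the paper's own example host name.

```python
"""Check the LocalConfig.conf settings Section 4.2 asks for (CookieDomain,
RequireCookies, LogOffUri) before enabling the Web Agent. Added example, not
part of the white paper; the configuration fragments below are constructed."""
import re

# Logout URIs of the Lotus Connections 2.0 features, as listed in Section 4.2.2.
KNOWN_LOGOFF_URIS = {
    "/activities/service/html/ibm_security_logout",
    "/blogs/ibm_security_logout",
    "/communities/communities/ibm_security_logout",
    "/dogear/ibm_security_logout",
    "/profiles/ibm_security_logout",
    "/homepage/web/ibm_security_logout",
}

# Constructed fragments: one that follows Section 4.2 and one that does not.
GOOD_CONF = """
# CookieDomain specifies the domain the SMSESSION cookie belongs to
CookieDomain=".cn.ibm.com"
RequireCookies="NO"
LogOffUri="/activities/service/html/ibm_security_logout"
# LogOffUri="/blogs/ibm_security_logout"
"""

BAD_CONF = """
CookieDomain="cn.ibm.com"
RequireCookies="YES"
LogOffUri="/activities/service/html/ibm_security_logout"
LogOffUri="/blogs/ibm_security_logout"
"""


def parse_local_config(text):
    """Return {name: [values]} for Name="value" lines; '#' lines are comments.
    Values are kept as a list because a name may repeat (several LogOffUri lines)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^(\w+)\s*=\s*"?([^"]*)"?\s*$', line)
        if m:
            settings.setdefault(m.group(1), []).append(m.group(2))
    return settings


def expected_cookie_domain(server_fqdn):
    """Derive CookieDomain the way Section 4.2.1 step 2 does: drop the first label
    of the server host name and keep a leading dot (saturn.cn.ibm.com -> .cn.ibm.com)."""
    labels = server_fqdn.lower().strip(".").split(".")
    if len(labels) < 3:
        raise ValueError("need at least three labels to form a domain with an embedded dot")
    return "." + ".".join(labels[1:])


def check_local_config(text, server_fqdn):
    """Return a list of problems; an empty list means the settings match Section 4.2."""
    settings = parse_local_config(text)
    problems = []

    domains = settings.get("CookieDomain", [])
    if not domains:
        problems.append("CookieDomain is not set")
    else:
        domain = domains[-1].lower()
        host = server_fqdn.lower()
        if not domain.startswith("."):
            problems.append("CookieDomain %r must start with a dot" % domain)
        elif not host.endswith(domain):
            problems.append("CookieDomain %r is not a suffix of %s" % (domain, host))
        elif "." in host[: -len(domain)]:
            # RFC 2109 rule quoted in step 2: host minus domain may not contain dots
            problems.append("host minus CookieDomain still contains a dot: %r" % host[: -len(domain)])

    if [v.upper() for v in settings.get("RequireCookies", [])] != ["NO"]:
        problems.append('RequireCookies must be "NO" (step 3)')

    uris = settings.get("LogOffUri", [])
    if len(uris) != 1:
        problems.append("exactly one LogOffUri expected, found %d" % len(uris))
    for uri in uris:
        if uri not in KNOWN_LOGOFF_URIS:
            problems.append("LogOffUri %r is not a Lotus Connections logout URI" % uri)
    return problems


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_local_config(conf, "saturn.cn.ibm.com") or "OK")
```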
For instance, if Activities is chosen to serve logout and your corporate home page is http://www.acme.com, the rewrite rules will look like the following:

    RewriteEngine On
    RewriteCond %{REQUEST_URI} /(.*)/ibm_security_logout(.*)
    RewriteCond %{QUERY_STRING} !=logoutExitPage=http://www.acme.com
    RewriteRule /(.*)/ibm_security_logout(.*) /activities/service/html/ibm_security_logout?logoutExitPage=http://www.acme.com [noescape,L,R]

This means that all logout requests from Lotus Connections features are served by the Activities feature, and all users are logged out via the unified logoutExitPage specified in the RewriteRule.

NOTE: Multiple LogOffUri values are not officially supported in SiteMinder, though this proved to work during our tests. We DO NOT recommend using multiple LogOffUri values in SiteMinder configurations, but if you choose to do so, simply set the following in your LocalConfig.conf file:

    LogOffUri="/activities/service/html/ibm_security_logout"
    LogOffUri="/blogs/ibm_security_logout"
    LogOffUri="/communities/communities/ibm_security_logout"
    LogOffUri="/dogear/ibm_security_logout"
    LogOffUri="/profiles/ibm_security_logout"
    LogOffUri="/homepage/web/ibm_security_logout"

4.2.3 Create rewrite rules to map Blogs URLs

In Lotus Connections, there are a couple of feeds in Blogs that cause SiteMinder issues, namely the following:

    /blogs/(.*)/feed/entries/atom
    /blogs/(.*)/feed/comments/atom
    /blogs/(.*)/feed/tags/atom
    /blogs/(.*)/api

where the (.*) is replaced by the user’s login name; SiteMinder cannot handle wildcards in these resource filters. To protect these URLs correctly, the following URL rewrite rules must be enabled in the IBM HTTP Server configuration file httpd.conf that resides in the <IHS_INSTALL_LOC>/conf folder.
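As an added example (not from the white paper), the following Python dry-runs the logout redirect rules of Section 4.2.2 and the Blogs feed-mapping rules of Section 4.2.3 against sample request URLs, so you can see which requests are redirected and where before touching httpd.conf. It assumes Activities serves logout, http://www.acme.com as the exit page, and the constructed host lccn60-1.cn.ibm.com; the small evaluator is a teaching aid, not mod_rewrite.

```python
"""Dry-run the httpd.conf rewrite rules from Sections 4.2.2 (logout redirect) and
4.2.3 (Blogs feed mapping). Added example, not part of the white paper. The
evaluator models only what those rules use: PCRE patterns, $1 back-references,
'!=' literal and '!' negated RewriteCond tests, and the L flag. Host names and
request paths below are constructed."""
import re
from urllib.parse import urlsplit

LOGOFF_URI = "/activities/service/html/ibm_security_logout"  # feature chosen to serve logout
LOGOUT_EXIT = "http://www.acme.com"                          # <your_logout_url>

# Each rule: (conditions, pattern, substitution, flags). A condition is
# (test_string, cond_pattern); '!=' compares literally, '!' negates a regex.
LOGOUT_RULES = [
    (
        [("%{REQUEST_URI}", r"/(.*)/ibm_security_logout(.*)"),
         ("%{QUERY_STRING}", "!=logoutExitPage=" + LOGOUT_EXIT)],
        r"/(.*)/ibm_security_logout(.*)",
        LOGOFF_URI + "?logoutExitPage=" + LOGOUT_EXIT,
        "noescape,L,R",
    ),
]

# Section 4.2.3: map per-user feed URLs onto the fixed roller-ui paths.
BLOGS_RULES = [
    ([], r"^/blogs/(.*)/feed/entries/atom(.*)",
     "/blogs/roller-ui/rendering/feed/$1/entries/atom/", "R,L"),
    ([], r"^/blogs/(.*)/feed/comments/atom(.*)",
     "/blogs/roller-ui/rendering/feed/$1/comments/atom/", "R,L"),
    ([], r"^/blogs/(.*)/feed/tags/atom(.*)",
     "/blogs/roller-ui/rendering/feed/$1/tags/atom/", "R,L"),
]


def _condition_holds(value, cond_pattern):
    """RewriteCond semantics for the three forms used in the rules above."""
    if cond_pattern.startswith("!="):
        return value != cond_pattern[2:]
    if cond_pattern.startswith("!"):
        return re.search(cond_pattern[1:], value) is None
    return re.search(cond_pattern, value) is not None


def rewrite(url, rules):
    """Return the redirect target the rules produce for url, or None if no rule fires."""
    parts = urlsplit(url)
    variables = {"%{REQUEST_URI}": parts.path, "%{QUERY_STRING}": parts.query}
    for conditions, pattern, substitution, flags in rules:
        if not all(_condition_holds(variables[v], p) for v, p in conditions):
            continue
        match = re.search(pattern, parts.path)
        if match is None:
            continue
        target = re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))), substitution)
        # mod_rewrite keeps the original query string unless the substitution has its own
        if parts.query and "?" not in target:
            target += "?" + parts.query
        if "L" in flags.split(","):
            return target
    return None


if __name__ == "__main__":
    host = "http://lccn60-1.cn.ibm.com"
    # A Blogs logout is redirected to the Activities LogOffUri with the exit page appended.
    print(rewrite(host + "/blogs/ibm_security_logout", LOGOUT_RULES))
    # The redirected request itself is left alone: the second RewriteCond prevents a loop.
    print(rewrite(host + LOGOFF_URI + "?logoutExitPage=" + LOGOUT_EXIT, LOGOUT_RULES))
    # A per-user feed URL is mapped onto the fixed roller-ui path SiteMinder can protect.
    print(rewrite(host + "/blogs/jdoe/feed/entries/atom?lang=en", BLOGS_RULES))
```

A RewriteCond applies only to the RewriteRule that directly follows it, which is why the evaluator pairs each rule with the conditions listed before it; the second condition on the logout rule is what stops the redirected LogOffUri request from being rewritten again.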
With the URL rewrite rules in place, the correct authentication is applied:

    RewriteRule ^/blogs/(.*)/feed/entries/atom(.*) /blogs/roller-ui/rendering/feed/$1/entries/atom/ [R,L]
    RewriteRule ^/blogs/(.*)/feed/comments/atom(.*) /blogs/roller-ui/rendering/feed/$1/comments/atom/ [R,L]
    RewriteRule ^/blogs/(.*)/feed/tags/atom(.*) /blogs/roller-ui/rendering/feed/$1/tags/atom/ [R,L]
    RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)

NOTE: Be sure to enable the URL rewrite rules for both HTTP and HTTPS.

5 Install and configure SiteMinder ASA

SiteMinder ASA is installed on WebSphere Application Server to secure more fine-grained objects such as servlets, JavaServer Pages (JSPs), or Enterprise Java™ Bean (EJB) components, which could comprise a full-fledged distributed application.

Note that this paper is based on SiteMinder ASA 6.0 Agent for WebSphere Application Server with CR0006 Hotfix. For other versions, please refer to the SiteMinder Web Agent’s documentation.

5.1 Install SiteMinder ASA

NOTE: In a clustered environment, the SiteMinder ASA should be installed on each WebSphere Application Server. Also, before the installation, ensure the correct JCE policy files are copied to the WebSphere Application Server, because the Agent must use Java Unlimited Cryptography, or else Host Registration will fail.

Now, follow these steps:
1. Launch the installation wizard and accept the License Agreement.
2. Choose the Install location. If the Install Directory does not exist, click “Yes, Continue” to create a new one.
3. Choose the folder in which WebSphere Application Server 6.0 (or other version) is installed.
4. Click Install, and choose “Yes, create trusted host” to create the trusted host.
5. Enter the Host Registration information (see figure 25):
   Policy Server IP Address: The IP address of your SiteMinder Policy Server.
   SM Admin Username: Can be obtained from the administrator of your SiteMinder Policy Server.
   SM Admin Password: Can be obtained from the administrator of your SiteMinder Policy Server.
   Host Name: The name of the Host you want to register.
   Host Config Object: Created on the Policy Server.

Figure 25. Host Registration screen

6. In the next screen (see figure 26), enter the name of the Agent configuration object (this is created on the Policy Server).
7. Restart the system to complete the installation.

Figure 26. Agent Configuration screen

5.2 Configure the ASA for WebSphere Application Server
1. Copy the smagent.properties file from the ASA installation \conf folder over to the WebSphere Application Server profile properties folder, for example, c:\program files\IBM\websphere\appserver\appsvr01\properties.
2. Ensure that your system PATH includes a path to the ASA's bin directory (typically c:\smwasasa\bin).
3. Start the WebSphere Administration Console, if not already running, and do the following:
   a. Select Security > Secure administration, applications, and infrastructure.
   b. Expand Web Security and click Trust Association.
   c. Put a check next to Enable Trust Association and click Apply.
   d. Click Interceptors and delete those you don’t require.
   e. On the Interceptors page, click New.
   f. Enter the following SiteMinder ASA class name next to Interceptor Classname and click Apply:
      com.netegrity.siteminder.websphere.auth.SmTrustAssociationInterceptor
   g. Save the changes to the master configuration by clicking Save on the next two screens.
   h. Log out of the Administration Console.

6 Update AJAX proxy configurations

To support access to SiteMinder-protected URLs through the Ajax proxy, the proxy must be configured to pass along the SiteMinder authentication token. The following declaration should be added to pass the SMSESSION cookie:

    <proxy:cookies>
      <proxy:cookie>JSESSIONID</proxy:cookie>
      <proxy:cookie>SMSESSION</proxy:cookie>
    </proxy:cookies>

1. To make this change to the proxy configuration file (proxy-config.xml; see table 4 below to determine whether a feature uses this file), open a command window and start the wsadmin command line tool.
2. Then use the following commands to access the Connections configuration and check out the proxy configuration file:

    execfile("connectionsConfig.py")
    LCConfigService.checkOutProxyConfig("<working-directory>", "<cell-name>")

   where <working-directory> is a temporary directory of your choice and <cell-name> is the name of the cell where the Connections feature using the global proxy file is located.
3. Edit the file in the working directory to add the SMSESSION cookie as described above and then check in the file, using the following command:

    LCConfigService.checkInProxyConfig("<working-directory>", "<cell-name>")

You can find the proxy configuration file for each feature in table 4.

Table 4. Proxy configuration file location for each Connections feature

7 Enable SiteMinder for Lotus Connections

Finally, after all the configurations are set properly, you are ready to enable SiteMinder for your Lotus Connections environment. To do this, follow these steps:
1. In the Local WebAgent Configuration file (WebAgent.conf) of the SiteMinder WebAgent that has been configured with your HTTP server, set the EnableWebAgent parameter to "YES".
2. In the Local WebAgent Configuration file (called ASAAgent-Assertion.conf and typically located in c:\smwasasa\conf) of the SiteMinder ASA that has been configured with your server, set the EnableWebAgent parameter to "YES".
3. Restart all HTTP servers and WebSphere Application Server.

8 Troubleshooting

Let’s now identify some common issues and how to address them.

Issue: Web Agent registration fails on Microsoft® Windows® 2000.
Solution: This is an operating-system special case.
For Microsoft Windows 2000, edit the Registry as follows so that the SiteMinder Web Agent can read the HTTP Server's installPath and finish its registration (see figure 27):
Name: installPath (1)
Type: REG_SZ
Data: equal to the Data of the variable "installPath"

Figure 27. Registry Editor

Issue: SiteMinder login pages show up in email notifications.
Lotus Connections retrieves email notification templates via HTTP from the deployed servers, so the notification template URLs should be set as Unprotected in the SiteMinder configuration. The notification templates don't contain any sensitive data.
Solution: Check the URLs listed in Section 3.3 and make sure they are configured as Unprotected.

Issue: User cannot log in when WPI or WCI is enabled.
When WPI or WCI is enabled, Lotus Connections uses WPI/WCI to get user or group information. However, WPI/WCI itself works independently of the J2EE Web container and is not able to pass along SiteMinder security tokens. Therefore the URLs that serve WPI/WCI need to be set as Unprotected in the SiteMinder configuration. In Lotus Connections, direct access to these two URLs is rejected if no Lightweight Third-Party Authentication (LTPA) token is provided.
Solution: Check the URL /profiles/dsx for WPI and /communities/dsx for WCI and ensure they are configured as Unprotected.

Issue: Microsoft Office plug-in doesn't work in the SiteMinder environment.
When the SiteMinder RequireCookies configuration parameter is set to YES, the SiteMinder agent expects to see the SMCHALLENGE cookie when doing basic authentication. But the Office plug-in is not able to accept that cookie, which the SiteMinder agent returns along with an HTTP 401 response.
Solution: For the Office plug-in to work with SiteMinder, make sure the RequireCookies parameter is set to "NO".

Issue: A Lotus Connections feature fails to load feed data from other features.
In Connections features, there are widgets that load feed data from other features, and the AjaxProxy is used to proxy the feed-load request to avoid cross-site scripting issues.
Solution: To work in the SiteMinder environment, the AjaxProxy must be configured to pass along the SiteMinder security token SMSESSION. Correct the AjaxProxy configuration for the problematic feature, as described in Section 6 above.

Issue: Blogs page footer is replaced by the SiteMinder login page.
Blogs includes the page footer via HTTP from the deployed server, and the backend has no knowledge of the SiteMinder security token, so the footer URL must be configured as Unprotected. This issue is expected to be fixed in a subsequent release.
Solution: Check the SiteMinder configuration and set /blogs/nav/footer.html as Unprotected.

Issue: The Navigation Bar fails to show the logged-in user's name and instead displays the Logout link when viewed with Microsoft Internet Explorer.
The Blogs and Dogear Connections features may exhibit this behavior if there are "too many" cookies or if the overall cookie size exceeds 4,096 bytes. This can be exacerbated by the presence of the SMSESSION cookie and the WebSphere LTPA cookies. More details on this IE limitation may be found here: http://support.microsoft.com/kb/306070.
Solution: Reduce the number of cookies in use. One possible approach is to ensure WebSphere is not configured for backward compatibility for LTPA (remove the use of LtpaToken and use only LtpaToken2). For further details, refer to the IBM WebSphere Application Server information center.

Issue: There is no Delete Action available when a user creates Rules in SiteMinder.
Solution: The SiteMinder WebAgent has only the Get, Post, and Put Actions available by default. To add the Delete Action, follow these steps:
1. Log in to the SiteMinder Administration Console.
2. Click the View menu and select the Agent Types menu option.
3.
Select the Agent Types option that is now available in the Systems pane.
4. Double-click the Web Agent in the Agent Type list.
5. In the Agent Type Properties dialog box that appears, click the Create button.
6. Type Delete in the New Agent Action dialog, and click OK.
7. Click OK again; the new Action is saved and is now available in the Rules dialog.

9 Conclusion

This paper has provided detailed instructions on how to integrate Netegrity SiteMinder 6.0 with Lotus Connections, focusing on the special configurations for the different components of Lotus Connections on both the Policy Server side and the Agent side.

10 Resources

• Lotus Connections developerWorks product page
• Lotus Connections documentation page
• CA SiteMinder Web Access Manager
• WebSphere Application Server information center

11 About the authors

Xin BJ Xu is a Software Engineer on the Lotus Connections System Verification Test (SVT) team at the IBM China Software Development Lab in Beijing. You can reach him at [email protected].

Xiao Feng Yu is a Staff Software Engineer with rich Web solutions experience, working at the IBM China Software Development Lab in Shanghai. You can reach him at [email protected].

Patrick Curtin, an expert in the SiteMinder area, is a WPLC Test Infrastructure Engineer with IBM Software Group in Dublin, Ireland. You can reach him at [email protected].

Trademarks

• Domino, IBM, Lotus, and WebSphere are trademarks or registered trademarks of IBM Corporation in the United States, other countries, or both.
• Windows and Windows 2000 are registered trademarks of Microsoft Corporation in the United States, other countries, or both.
• Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
• Other company, product, and service names may be trademarks or service marks of others.
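The proxy-config.xml edit in Section 6 (adding SMSESSION under proxy:cookies) is easy to miss for one policy entry when the checked-out file contains several, and the feed-loading issue in Section 8 is the symptom. The following Python script is an added example, not code from this paper or from IBM: it parses a checked-out proxy-config.xml, reports every proxy:policy entry that does not forward both JSESSIONID and SMSESSION, and adds the missing entries before the file is checked back in. The namespace URI, the proxy:policy element with its url attribute, and the sample file are assumptions constructed for this example; only the proxy:cookies and proxy:cookie elements come from the paper.

```python
"""Check that every <proxy:policy> in a Lotus Connections proxy-config.xml
forwards the SMSESSION cookie, and add the entry where it is missing.

Added example; the namespace URI, the proxy:policy/url structure and the
sample document below are assumptions, not taken from the paper."""
import xml.etree.ElementTree as ET

# Assumed namespace for the Connections proxy configuration (assumption).
PROXY_NS = "http://www.ibm.com/xmlns/prod/sn/proxy-config"
# Cookies the Ajax proxy must forward so SiteMinder-protected feeds load.
REQUIRED_COOKIES = ("JSESSIONID", "SMSESSION")

# Constructed sample: the first policy already forwards SMSESSION,
# the second one does not and would break feed loading behind SiteMinder.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<proxy:proxy-rules xmlns:proxy="http://www.ibm.com/xmlns/prod/sn/proxy-config">
  <proxy:mapping contextpath="/proxy" url="*"/>
  <proxy:policy url="http://lc.example.com/*" acf="none" basic-auth-support="true">
    <proxy:actions>
      <proxy:method>GET</proxy:method>
    </proxy:actions>
    <proxy:cookies>
      <proxy:cookie>JSESSIONID</proxy:cookie>
      <proxy:cookie>SMSESSION</proxy:cookie>
    </proxy:cookies>
  </proxy:policy>
  <proxy:policy url="http://feeds.example.com/*" acf="none" basic-auth-support="true">
    <proxy:actions>
      <proxy:method>GET</proxy:method>
    </proxy:actions>
    <proxy:cookies>
      <proxy:cookie>JSESSIONID</proxy:cookie>
    </proxy:cookies>
  </proxy:policy>
</proxy:proxy-rules>
"""


def _tag(local):
    """Fully qualified ElementTree tag for an element in the proxy namespace."""
    return "{%s}%s" % (PROXY_NS, local)


def missing_cookies(root):
    """Return {policy url: [required cookies absent from its <proxy:cookies>]}
    for every policy that lacks at least one required cookie."""
    report = {}
    for policy in root.iter(_tag("policy")):
        present = {c.text.strip() for c in policy.iter(_tag("cookie")) if c.text}
        missing = [name for name in REQUIRED_COOKIES if name not in present]
        if missing:
            report[policy.get("url")] = missing
    return report


def add_missing_cookies(root):
    """Insert the missing <proxy:cookie> entries in place; return how many were added."""
    added = 0
    for policy in root.iter(_tag("policy")):
        cookies = policy.find(_tag("cookies"))
        if cookies is None:
            cookies = ET.SubElement(policy, _tag("cookies"))
        present = {c.text.strip() for c in cookies.iter(_tag("cookie")) if c.text}
        for name in REQUIRED_COOKIES:
            if name not in present:
                ET.SubElement(cookies, _tag("cookie")).text = name
                added += 1
    return added


def check_and_fix(xml_text):
    """Parse the configuration, report policies missing required cookies,
    fix them, and return (report_before_fix, serialized_fixed_xml)."""
    ET.register_namespace("proxy", PROXY_NS)  # keep the proxy: prefix on output
    root = ET.fromstring(xml_text)
    before = missing_cookies(root)
    add_missing_cookies(root)
    assert not missing_cookies(root)  # every policy now forwards both cookies
    return before, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    report, fixed = check_and_fix(SAMPLE_XML)
    for url, missing in report.items():
        print("policy %s lacks: %s" % (url, ", ".join(missing)))
    print(fixed)
```

Run it against the file checked out with LCConfigService.checkOutProxyConfig, review the printed report, write the returned XML back over the working copy, and then check the file in with LCConfigService.checkInProxyConfig as in Section 6. Treating JSESSIONID and SMSESSION as a required pair mirrors the declaration the paper shows, so the check fails loudly on a policy that forwards neither rather than silently leaving the feed request unauthenticated.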