Enable single sign-on for SiteMinder with SPNEGO 




Configure IBM® Connections to use single sign-on with Computer Associates' SiteMinder and SPNEGO.

Before you begin


Before you can enable SSO, first install IBM Connections and ensure that you can access the installed applications from a web browser. You must also have completed the TAI/ASA installation and configuration instructions that are included with SiteMinder, including registering the TAI/ASA with WebSphere® Application Server.


About this task


This task describes how to create SiteMinder Agent and Domain objects with realms, rules, and a policy that is related to IBM HTTP Server, Microsoft™ Internet Information Services (IIS), and WAS.

When a user requests a page that is protected by SiteMinder, the Web Agent on the HTTP server intercepts the request and prompts the user for authentication. The user is redirected to a Microsoft IIS server which is configured for SPNEGO authentication. If the user provides valid credentials, the user is authenticated by SPNEGO and a SiteMinder agent on the IIS server generates an SMSESSION cookie. This cookie is added to the request which is passed on to WAS. The SiteMinder Trust Association Interceptor (TAI) on the application server verifies the information in the cookie and sets the User Principal that IBM Connections requires to identify the user.

This task refers to a configuration that uses SiteMinder Policy Server 6.0 SP5, SiteMinder ASA 6.0 Agent for WAS (with CR00010 hotfix), and SiteMinder Web Agent v6qmr5-cr035.

To set up SSO using SiteMinder with SPNEGO...

Procedure

  1. Download and apply the Unrestricted JCE policy files:

    1. Go to the J2SE 5 SDK Security information web page.

    2. Authenticate with your universal IBM user ID and password.

    3. Download the Unrestricted JCE Policy files for SDK for all newer versions package.

    4. Extract the files from the downloaded package.

    5. Back up your existing copies (if any) of the US_export_policy.jar and local_policy.jar files, located in the app_server_root/java/jre/lib/security directory.

    6. Copy the new jar files from the extracted package to the same directory, overwriting any existing files.

    7. Restart all IBM Connections servers, node agents, and deployment managers.

  2. Create agents on the SiteMinder Policy Server, including Web Agents for IBM HTTP Server and Microsoft IIS, and an Application Server Agent for WAS.

    1. Open the SiteMinder Administration console.

    2. Right-click Agents and select Create Agent.

    3. Enter details of the Name and Description of the Web Agent for IBM HTTP Server.

    4. Repeat these steps for the Web Agent for IIS.

    5. Repeat these steps for the Application Server Agent.

  3. Create Agent Configuration Objects on the SiteMinder Policy Server. In the SiteMinder Administration Console, open the Agent Conf Objects pane and complete the following steps:

    1. Configure the Web Agent for IBM HTTP Server:

      1. Right-click Apache Default Settings Agent and select Duplicate Configuration Object.

      2. Enter the Name and description of the Agent Configuration Object.

      3. Update the following parameters to match your environment:

          DefaultAgentName

          • <Name of the Apache Agent created above>

          CookieDomain

          • <your_domain>
            where <your_domain> is your IBM Connections domain. If, for example, the URL is http://activities.example.com/activities, your host name is activities.example.com and your domain is example.com. In this example, you would set CookieDomain=.example.com. The leading period is required.

          RequireCookies

          • NO
            This parameter configures the Web Agent to support basic authentication but without requiring all API client programs to support cookies.

          BadCSSChars

          • <,>
            This parameter enables the Invite colleagues functionality in Profiles.

          LogOffUri

          • <URI>

            Configure SiteMinder to recognize only one web address as the logout web address. Uncomment one of the following URIs by removing the number sign (#) character:

            #LogOffUri="/activities/service/html/ibm_security_logout"

            #LogOffUri="/blogs/ibm_security_logout"

            #LogOffUri="/communities/communities/ibm_security_logout"

            #LogOffUri="/dogear/ibm_security_logout"

            #LogOffUri="/files/ibm_security_logout"

            #LogOffUri="/forums/ibm_security_logout"

            #LogOffUri="/homepage/web/ibm_security_logout"

            #LogOffUri="/moderation/ibm_security_logout"

            #LogOffUri="/news/ibm_security_logout"

            #LogOffUri="/profiles/ibm_security_logout"

            #LogOffUri="/search/ibm_security_logout"

            #LogOffUri="/wikis/ibm_security_logout"

    2. Under the System tab, update the Agent Configuration Object with the following value: FCCCompatMode - NO

    3. Configure the Web Agent for IIS:

      1. Right-click IIS Default Settings Agent and select Duplicate Configuration Object.

      2. Enter the Name and description of the Agent Configuration Object.

      3. Update the following parameters to match your environment:

          DefaultAgentName

          • <Name of the Apache Agent created above>

          CookieDomain

          • <your_domain>
            where <your_domain> is your IBM Connections domain. If, for example, the URL is http://activities.example.com/activities, your host name is activities.example.com and your domain is example.com. In this example, you would set CookieDomain=.example.com. The leading period is required.

          RequireCookies

          • NO
            This parameter configures the Web Agent to support basic authentication but without requiring all API client programs to support cookies.

          BadCSSChars

          • <,>

            This parameter enables the Invite colleagues functionality in Profiles.

    4. Configure the Application Server Agent:

      1. Right-click Apache Default Settings Agent and select Duplicate Configuration Object.

      2. Enter the Name and description of the Agent Configuration Object.

      3. Update the following parameters to match your environment:

          DefaultAgentName

          • <Name of the Apache Agent created above>

          CookieDomain

          • <your_domain>
            where <your_domain> is your IBM Connections domain. If, for example, the URL is http://activities.example.com/activities, your host name is activities.example.com and your domain is example.com. In this example, you would set CookieDomain=.example.com. The leading period is required.

          AssertionAuthResource

          • /siteminderassertion

          AssertbyUserID

          • True

      Notes:

      • When activated, the LogOffUri parameter clears the SMSESSION cookie and ensures that the user is logged out of all IBM Connections browser sessions.

      • To add parameters, edit the Agent Configuration Object on the SiteMinder Policy Server. Alternatively, you can edit the LocalConfig.conf file on the HTTP server if the Web Agent is configured to use it.

      • If you are editing the SiteMinder configuration file directly, surround the values of SiteMinder configuration parameters with quotation marks ("); for example: BadCSSChars="<,>". If you are changing these parameters within the SiteMinder Policy Server, do not use quotation marks.

  4. Specify your SiteMinder Authentication Scheme configuration:

    1. Open the SiteMinder Administration Console and navigate to the Authentication Scheme Properties dialog box.

    2. From the Authentication Scheme type list, select Windows Authentication template.

    3. Clear the Use Relative Target check box.

    4. Enter the URL of your IIS server in the web Server Name field.

    5. Complete the User DN Lookup field with the appropriate information for your domain. For example, (sAMAccountName=%{UID}).

  5. On the SiteMinder Policy Server, create a domain for the IBM HTTP Server web agent.

  6. Create protected realms under the IBM HTTP Server Web Agent domain:

    1. Using the IBM HTTP Server Agent Object and Windows Authentication Scheme that you created earlier, create SiteMinder realms that are protected by Windows authentication.
      Table 1 lists the URLs that are protected by Windows authentication.

      Application              Protected URL resource
      ConnectionsDefaultRealm  /
      Activities               /activities/follow/atomfba
                               /activities/service/atom2/forms
                               /activities/service/atom2/communityEvent
                               /activities/service/download/forms
                               /activities/service/getnonce/forms
      Blogs                    /blogs/api_form
                               /blogs/atom_form
                               /blogs/follow/atomfba
                               /blogs/roller-ui/feed_form
                               /blogs/roller-ui/rendering/api_form
                               /blogs/roller-ui/rendering/feed_form
                               /blogs/services/atom_form
      Bookmarks                /dogear/atom_fba
      Communities              /communities/follow/atomfba
                               /communities/forum/service/atom/forms
                               /communities/service/atom/forms
      Files                    /files/follow/atomfba
                               /files/form/cmis/repository
      Forums                   /forums/atom/forms
                               /forums/follow/atomfba
      Profiles                 /profiles/atom/forms
                               /profiles/atom2/forms
                               /profiles/follow/atomfba
      Wikis                    /wikis/follow/atomfba

        Table 1. Realms that require Windows authentication

    2. Using the IBM HTTP Server Agent Object that you created earlier, create SiteMinder realms that are protected by basic authentication.
      Application   Protected URL resource
      Activities    /activities/follow/atom
                    /activities/service/download
                    /activities/service/html/autocompleteactivityname
                    /activities/service/html/autocompleteentryname
                    /activities/service/html/autocompletemembers
                    /activities/service/atom
                    /activities/service/getnonce
      Blogs         /blogs/api
                    /blogs/atom
                    /blogs/follow/atom
                    /blogs/issuecategories
                    /blogs/roller-ui/blog
                    /blogs/roller-ui/BlogsWidgetEventHandler.do
                    /blogs/roller-ui/feed
                    /blogs/roller-ui/rendering/api
                    /blogs/roller-ui/rendering/feed
                    /blogs/services/atom
      Bookmarks     /dogear/api/app
                    /dogear/api/deleted
                    /dogear/api/notify
                    /dogear/atom
      Communities   /communities/follow/atom
                    /communities/forum/service/atom
                    /communities/service/atom
                    /communities/service/json
      Files         /files/basic/api
                    /files/basic/cmis
                    /files/basic/opensocial
                    /files/follow/atom
      Forums        /forums/atom
                    /forums/follow/atom
      Home page     /homepage/atom/search
                    /homepage/atom/mysearch
      News          /news/atom/service
                    /news/atom/stories/newsfeed
                    /news/atom/stories/saved
                    /news/atom/stories/statusupdates
                    /news/atom/stories/top
                    /news/atom/watchlist
      Profiles      /profiles/atom
                    /profiles/audio.do
                    /profiles/follow/atom
                    /profiles/json
                    /profiles/photo.do
                    /profiles/vcard
      Wikis         /wikis/basic/api
                    /wikis/follow/atom

        Table 2. Realms that require basic authentication

    3. Optional: Protect login credentials with encryption: Using the Basic over SSL Template scheme, create a SiteMinder Authentication Scheme and apply the new Authentication Scheme to all the SiteMinder realms that require basic authentication.

  7. Create Delete and Head actions for the Web Agent. By default, the Web Agent has only the Get, Post, and Put actions available. To add the Delete and Head actions...

    1. In the SiteMinder Administration Console, click View and select Agent Types.

    2. Select Agent Types in the Systems pane.

    3. Double-click Web Agent in the Agent Type list.

    4. In the Agent Type Properties dialog box, click Create.

    5. Enter Delete in the New Agent Action dialog box and click OK.

    6. Enter Head in the New Agent Action dialog box and click OK.

    7. Click OK again to save the new action.

  8. Create the following rules for each realm:
    GetPostPutDelHead rule
      Realm: CurrentRealm
      Resource: * (not /*)
      Action: Web Agent actions -> Get,Post,Put,Delete,Head
      When this Rule fires: Allow Access
      Enable or Disable this Rule: Enabled

    OnAuthAccept rule
      Realm: CurrentRealm
      Resource: * (not /*)
      Action: Authentication events -> OnAuthAccept
      When this Rule fires: Allow Access
      Enable or Disable this Rule: Enabled

      Table 3. Rules for the IBM HTTP Server realms

  9. Create a policy and add the users who will be able to access the server to the policy. You can allow all users in the LDAP directory or a subset of users; for example: an LDAP branch, individual users, or groups of users.

  10. Add the new rules to the new policy.

  11. Specify realms that are not protected by SiteMinder.
    Table 4 lists the URLs that do not require authentication.

    Application   Unprotected URL resource
    Activities    /activities/auth
                  /activities/bookmarklet/tools/blet.js
                  /activities/email/addMemberMail.jsp
                  /activities/email/autoCompleteActivityMail.jsp
                  /activities/email/createMail.jsp
                  /activities/email/errorMail.jsp
                  /activities/email/notifyMail.jsp
                  /activities/images
                  /activities/service/html/images
                  /activities/service/html/mainpage
                  /activities/service/html/styles
                  /activities/service/html/themes
                  /activities/service/html/servermetrics
                  /activities/service/html/serverstats
                  /activities/serviceconfigs
                  /activities/static/
    Blogs         /blogs/bookmarklet/tools/blet.js
                  /blogs/notifications
                  /blogs/serviceconfigs
                  /blogs/static/
    Bookmarks     /dogear/bookmarklet/tools/blet.js
                  /dogear/peoplelike
                  /dogear/serviceconfigs
                  /dogear/static/
                  /dogear/templates
    Communities   /communities/bookmarklet/tools/blet.js
                  /communities/comm.widget
                  /communities/images
                  /communities/mail/broadcast
                  /communities/mail/invitedToJoin
                  /communities/mail/memberAdded
                  /communities/mail/memberRemoved
                  /communities/mail/requestToJoin
                  /communities/nav
                  /communities/resourceStrings.do
                  /communities/serviceconfigs
                  /communities/service/html/community/autoCompleteMembers.do
                  /communities/service/html/communityview
                  /communities/widgets
                  /communities/static/
    Files         /files/basic/anonymous/api
                  /files/app
                  /files/basic/anonymous/cmis
                  /files/basic/anonymous/opensocial
                  /files/form/anonymous/api
                  /files/form/anonymous/cmis
                  /files/form/anonymous/opensocial
                  /files/static/
    Forums        /forums/bookmarklet/tools/blet.js
                  /forums/serviceconfigs
                  /forums/static/
                  /forums/templates/mail
    Home page     /homepage/bookmarklet/tools/blet.js
                  /homepage/search
                  /homepage/serviceconfigs
                  /homepage/static/
    Moderation    /moderation/app
                  /moderation/static
    News          /help
                  /news/atom/stories/public
                  /news/atomfba/stories/public
                  /news/bookmarklet/tools/blet.js
                  /news/serviceconfigs
                  /news/static/
    Profiles      /profiles/bookmarklet/tools/blet.js
                  /profiles/atom/forms/connections.do
                  /profiles/images
                  /profiles/mail
                  /profiles/serviceconfigs
                  /profiles/static/
    Search        /search/atom/search
                  /search/bookmarklet/tools/blet.js
                  /search/static/
    Wikis         /wikis/basic/anonymous/api
                  /wikis/form/anonymous/api
                  /wikis/home
                  /wikis/js
                  /wikis/static/

      Note: You must configure notification templates and some Atom feeds as unprotected URLs. The Blogs footer page must also be unprotected because Blogs uses the Velocity template to extract footer pages.

      Table 4. Realms that do not require authentication
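      Because the Windows-authentication realms of step 6, the basic-authentication realms and the unprotected realms above all sit beneath the ConnectionsDefaultRealm resource "/", it helps to see which realm actually governs a given request. The following Python model is an added example, not part of this IBM documentation and not SiteMinder code: it resolves a request path against a constructed subset of Tables 1, 2 and 4 on the assumption that the most specific matching resource filter (the longest path prefix) decides the realm and therefore the authentication scheme. That resolution rule, the subset of realms and the sample paths are assumptions of the example.

```python
# Added model of realm resolution for the realms listed on this page.
# The realm paths are a constructed subset of Tables 1, 2 and 4; the rule
# "longest matching path prefix wins" is an assumption used to reason about
# the policy, not a description of the SiteMinder policy engine itself.
WINDOWS_AUTH = {
    "/": "ConnectionsDefaultRealm",
    "/activities/follow/atomfba": "Activities",
    "/activities/service/atom2/forms": "Activities",
    "/files/form/cmis/repository": "Files",
    "/profiles/atom/forms": "Profiles",
}
BASIC_AUTH = {
    "/activities/follow/atom": "Activities",
    "/activities/service/atom": "Activities",
    "/files/basic/api": "Files",
    "/news/atom/stories/top": "News",
    "/profiles/atom": "Profiles",
}
UNPROTECTED = {
    "/activities/static/": "Activities",
    "/files/basic/anonymous/api": "Files",
    "/news/atom/stories/public": "News",
    "/profiles/atom/forms/connections.do": "Profiles",
}

REALM_SETS = (
    ("windows", WINDOWS_AUTH),
    ("basic", BASIC_AUTH),
    ("unprotected", UNPROTECTED),
)


def candidates(path):
    """All realms whose resource filter is a string prefix of `path`, most specific first."""
    found = [
        (len(realm), scheme, realm)
        for scheme, realms in REALM_SETS
        for realm in realms
        if path.startswith(realm)
    ]
    return sorted(found, reverse=True)


def resolve(path):
    """Return (scheme, realm_filter) that would govern a request for `path`.

    Raises when nothing covers the path (the "/" default realm is missing)
    or when two filters of equal length compete, which the tables on this
    page never do but a hand-edited policy might.
    """
    found = candidates(path)
    if not found:
        raise ValueError("no realm covers %s; check the '/' default realm" % path)
    if len(found) > 1 and found[0][0] == found[1][0]:
        raise ValueError("ambiguous realms for %s: %r" % (path, found[:2]))
    _, scheme, realm = found[0]
    return scheme, realm


def audit(paths):
    """Map each sample request path to the scheme that would challenge it."""
    return {p: resolve(p)[0] for p in paths}


if __name__ == "__main__":
    for sample in (
        "/activities/service/atom2/forms/x",   # Windows realm outranks the shorter basic one
        "/activities/service/atom/activities", # plain basic realm
        "/files/basic/anonymous/api/x",        # unprotected realm nested under "/"
        "/profiles/atom/forms/connections.do", # unprotected entry beneath a Windows realm
        "/homepage/web",                       # falls through to ConnectionsDefaultRealm
    ):
        print(sample, "->", resolve(sample))
```

      The first sample is the case worth checking in a real policy: "/activities/service/atom" (basic authentication) is a string prefix of "/activities/service/atom2/forms", so the Windows-authentication realm only wins because it is the more specific filter. Running `candidates()` on a path shows every realm in contention and makes such overlaps visible before the policy goes live.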

  12. On the SiteMinder Policy Server, create a domain for the Application Server Agent.

  13. Add the following realm to the new WAS domain:
    Realm name         Protected resource
    SM TAI Validation  /siteminderassertion

      Table 5. SiteMinder realms for WAS

      Note: You must configure the Protected Resource of this realm to match the AssertionAuthResource parameter that you configured earlier for the Application Server Agent.

  14. On the SiteMinder Policy Server, create a domain for the IIS Server Agent.

  15. Using the IIS Agent Object and Windows Authentication Scheme that you created earlier, create a SiteMinder realm that is protected by Windows authentication.
    Realm name  Protected resource
    IIS_Realm   /

      Table 6. SiteMinder realms that require Windows authentication

  16. Create the following rules for this realm:
    GetPostPutDelHead rule
      Realm: CurrentRealm
      Resource: * (not /*)
      Action: Web Agent actions -> Get,Post,Put,Delete,Head
      When this Rule fires: Allow Access
      Enable or Disable this Rule: Enabled

    OnAuthAccept rule
      Realm: CurrentRealm
      Resource: * (not /*)
      Action: Authentication events -> OnAuthAccept
      When this Rule fires: Allow Access
      Enable or Disable this Rule: Enabled

      Table 7. Rules for the IIS realm

  17. Set the timeout value of the session for each realm.

    1. In the SiteMinder Policy Server, open the Realm Dialog and click Session.

    2. In the Session Timeouts Group Box, enter timeouts for each realm. Enter the following values, if they are not already present:

        Maximum Timeout Enabled

        • 2 Hours 0 Minutes

        Idle Timeout Enabled

        • 1 Hours 0 Minutes

      Note: The maximum timeout and the idle timeout must be longer than the LTPA token timeout, which is defined in WAS. The LTPA token timeout is set to 120 minutes by default.

  18. Install the Web Agent on IBM HTTP Server:

    1. Download the latest version of the Web Agent from the CA website.

    2. Install the Web Agent. For instructions, go to the SiteMinder BookShelf.

    3. When you are prompted for the Agent Configuration details, specify the Agent Configuration Object that you created earlier.

  19. Install the Web Agent on IIS:

    1. Download the latest version of the Web Agent from the CA website.

    2. Install the Web Agent. For instructions, go to the SiteMinder BookShelf.

    3. When you are prompted for the Agent Configuration details, specify the Agent Configuration Object that you created earlier.

  20. Install the Application Server Agent on your WebSphere nodes:

    1. Download the latest version of the Application Server Agent from the CA website.

    2. Install the Application Server Agent on each node in your IBM Connections deployment. For instructions, see the SiteMinder Agent for WebSphere Agent Guide.

    3. When you are prompted for the Agent Configuration details, specify the Agent Configuration Object that you created earlier.

  21. Copy the smagent.properties file from the ASA installation conf folder to the WAS profile properties folder; for example: C:\program files\IBM\websphere\appserver\appsvr01\properties.

  22. Configure Trust Association Interceptor on WAS.

    1. From the administrative console for WAS, click Security -> Global security.

    2. Under Web and SIP security, click Trust association.

    3. Click Enable Trust Association and then click Save.

    4. Click Interceptors.

    5. Delete any unused interceptors.

    6. Click New and enter the following name for the new interceptor:

        com.netegrity.siteminder.websphere.auth.SmTrustAssociationInterceptor

    7. Click OK and then click Save.

    8. Restart WAS.

  23. Create rewrite rules to remap Atom API requests. Open the IBM HTTP Server httpd.conf configuration file. The file is stored in the ibm_http_server_root/conf directory. Add the following rules to the file:

      Note: You must add these rules to both the HTTP and HTTPS sections of the file.

      RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
      RewriteRule ^/blogs/(.*)/api/(.*) /blogs/roller-ui/rendering/api/$1/api/$2 [R,L]
      RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
      RewriteRule ^/blogs/(.*)/feed/tags/atom(.*) /blogs/roller-ui/rendering/feed/$1/tags/atom/ [R,L]
      RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
      RewriteRule ^/blogs/(.*)/feed/entries/atom(.*) /blogs/roller-ui/rendering/feed/$1/entries/atom/ [R,L]
      RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
      RewriteRule ^/blogs/(.*)/feed/comments/atom(.*) /blogs/roller-ui/rendering/feed/$1/comments/atom/ [R,L]
      RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
      RewriteRule ^/blogs/(.*)/feed/blogs/atom(.*) /blogs/roller-ui/rendering/feed/$1/blogs/atom/ [R,L]

      Do not close the httpd.conf file until after the next step.

  24. Create rewrite rules that redirect URLs when users log out of IBM Connections. Add the following rules to the httpd.conf file:

      RewriteEngine On
      RewriteCond %{REQUEST_URI} /(.*)/ibm_security_logout(.*)
      RewriteCond %{QUERY_STRING} !=logoutExitPage=<your_logout_url>
      RewriteRule /(.*)/ibm_security_logout(.*) <LogOffUri>?logoutExitPage=<your_logout_url> [noescape,L,R]

      where <LogOffUri> is the URL that you uncommented earlier. After logging out of IBM Connections, the user's browser is directed to <your_logout_url>. This URL could be your corporate home page or the SiteMinder login page.

      Note: You must add these rules to both the HTTP and HTTPS entries.

      The following example illustrates a typical portion of the httpd.conf file after you have implemented this step:

      RewriteEngine on
      RewriteCond %{REQUEST_URI} /(.*)/ibm_security_logout(.*)
      RewriteCond %{QUERY_STRING} !=logoutExitPage=http://corphome.example.com
      RewriteRule /(.*)/ibm_security_logout(.*) /homepage/web/ibm_security_logout?logoutExitPage=http://corphome.example.com [noescape,L,R]
      RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
      RewriteRule ^/blogs/(.*)/api/(.*) /blogs/roller-ui/rendering/api/$1/api/$2 [R,L]
      RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
      RewriteRule ^/blogs/(.*)/feed/tags/atom(.*) /blogs/roller-ui/rendering/feed/$1/tags/atom/ [R,L]
      RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
      RewriteRule ^/blogs/(.*)/feed/entries/atom(.*) /blogs/roller-ui/rendering/feed/$1/entries/atom/ [R,L]
      RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
      RewriteRule ^/blogs/(.*)/feed/comments/atom(.*) /blogs/roller-ui/rendering/feed/$1/comments/atom/ [R,L]
      RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
      RewriteRule ^/blogs/(.*)/feed/blogs/atom(.*) /blogs/roller-ui/rendering/feed/$1/blogs/atom/ [R,L]

      #Connections Config for SSL
      LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
      <IfModule mod_ibm_ssl.c>
      Listen 0.0.0.0:443
      <VirtualHost *:443>
      ServerName connections.example.com
      SSLEnable
      RewriteEngine on
      RewriteCond %{REQUEST_URI} /(.*)/ibm_security_logout(.*)
      RewriteCond %{QUERY_STRING} !=logoutExitPage=http://corphome.example.com
      RewriteRule /(.*)/ibm_security_logout(.*) /homepage/web/ibm_security_logout?logoutExitPage=http://corphome.example.com [noescape,L,R]
      RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
      RewriteRule ^/blogs/(.*)/api/(.*) /blogs/roller-ui/rendering/api/$1/api/$2 [R,L]
      RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
      RewriteRule ^/blogs/(.*)/feed/tags/atom(.*) /blogs/roller-ui/rendering/feed/$1/tags/atom/ [R,L]
      RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
      RewriteRule ^/blogs/(.*)/feed/entries/atom(.*) /blogs/roller-ui/rendering/feed/$1/entries/atom/ [R,L]
      RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
      RewriteRule ^/blogs/(.*)/feed/comments/atom(.*) /blogs/roller-ui/rendering/feed/$1/comments/atom/ [R,L]
      RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
      RewriteRule ^/blogs/(.*)/feed/blogs/atom(.*) /blogs/roller-ui/rendering/feed/$1/blogs/atom/ [R,L]
      </VirtualHost>
      </IfModule>
      SSLDisable

      Note: Uncomment the LoadModule rewrite_module modules/mod_rewrite.so line in the httpd.conf file. This line is commented out by default. When the line is commented out, the web server will not start.
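      The RewriteCond lines in steps 23 and 24 are what keep these redirects from chasing their own tails, and that is easiest to see by replaying the rules. The following Python script is an added example, not part of this IBM documentation and not Apache code: it models the rule set over a few constructed request URLs, using the constructed values http://corphome.example.com for <your_logout_url> and /homepage/web/ibm_security_logout for <LogOffUri>. It shows the Blogs API redirect, the logout redirect and, with the `!^/blogs/roller-ui/rendering/` guard switched off, the redirect loop that the guard prevents. Python's regular-expression semantics match Apache's for these particular patterns; that equivalence and the sample URLs are assumptions of the example.

```python
import re
from urllib.parse import urlsplit

# Constructed values standing in for the placeholders on this page.
LOGOUT_EXIT = "http://corphome.example.com"        # <your_logout_url>
LOGOFF_URI = "/homepage/web/ibm_security_logout"   # the LogOffUri left uncommented

# The Blogs remapping rules of step 23, transcribed from httpd.conf.
# Apache's $1/$2 back-references become Python's \1/\2.
BLOG_RULES = [
    (r"^/blogs/(.*)/api/(.*)",               r"/blogs/roller-ui/rendering/api/\1/api/\2"),
    (r"^/blogs/(.*)/feed/tags/atom(.*)",     r"/blogs/roller-ui/rendering/feed/\1/tags/atom/"),
    (r"^/blogs/(.*)/feed/entries/atom(.*)",  r"/blogs/roller-ui/rendering/feed/\1/entries/atom/"),
    (r"^/blogs/(.*)/feed/comments/atom(.*)", r"/blogs/roller-ui/rendering/feed/\1/comments/atom/"),
    (r"^/blogs/(.*)/feed/blogs/atom(.*)",    r"/blogs/roller-ui/rendering/feed/\1/blogs/atom/"),
]
# The RewriteCond that precedes every Blogs rule:
#   RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
ALREADY_RENDERED = re.compile(r"^/blogs/roller-ui/rendering/(.*)")
# The unanchored pattern shared by the logout RewriteCond and RewriteRule of step 24.
LOGOUT_PATTERN = re.compile(r"/(.*)/ibm_security_logout(.*)")


def rewrite(url, guard=True):
    """Model one pass of mod_rewrite over a request URL.

    Returns the redirect target (the rules carry the R flag) or None when no
    rule fires.  As in Apache, a matching rule replaces the whole URL-path,
    and the original query string is carried over unless the substitution
    supplies its own.  guard=False drops the Blogs RewriteCond lines so the
    loop they prevent becomes visible.
    """
    parts = urlsplit(url)
    path, query = parts.path, parts.query

    # Logout rule: fires unless the query string already names the exit page
    # (RewriteCond %{QUERY_STRING} !=logoutExitPage=<your_logout_url>).
    if LOGOUT_PATTERN.search(path) and query != "logoutExitPage=" + LOGOUT_EXIT:
        return LOGOFF_URI + "?logoutExitPage=" + LOGOUT_EXIT

    # Blogs rules: skipped entirely for URLs that are already rendering URLs.
    if guard and ALREADY_RENDERED.match(path):
        return None
    for pattern, substitution in BLOG_RULES:
        m = re.match(pattern, path)
        if m:
            target = m.expand(substitution)
            return target + "?" + query if query else target
    return None


def follow(url, guard=True, max_hops=5):
    """Replay the browser's redirect chain; returns every URL visited in order."""
    hops = [url]
    while len(hops) <= max_hops:
        nxt = rewrite(hops[-1], guard)
        if nxt is None:
            return hops
        hops.append(nxt)
    raise RuntimeError("redirect loop after %d hops, last target %s" % (max_hops, hops[-1]))


if __name__ == "__main__":
    print(follow("/blogs/myblog/api/entries"))
    print(follow("/activities/service/html/ibm_security_logout"))
    print(rewrite("/blogs/myblog/feed/entries/atom?lang=en"))
    try:
        follow("/blogs/myblog/api/entries", guard=False)
    except RuntimeError as err:
        print("without the RewriteCond guard:", err)
```

      Without the guard, the redirected URL /blogs/roller-ui/rendering/api/myblog/api/entries still matches ^/blogs/(.*)/api/(.*) (the greedy first group swallows "roller-ui/rendering/api/myblog"), so the browser is sent to an ever-longer URL until it gives up. The logout rule has the same shape: its pattern also matches the LogOffUri path itself, so the %{QUERY_STRING} condition is the only thing that stops the second request from being redirected again, which is why the exit page in the condition must be spelled exactly as it appears in the RewriteRule.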

  25. Save and close the httpd.conf file.

  26. Add the Kerberos authenticator property to the IBM Connections configuration by editing LotusConnections-config.xml.

    1. Check out the configuration file:

        execfile("<app_server_root>/profiles/<DMGR>/bin/connectionsConfig.py")

        Note: If you are prompted to specify which server to connect to, enter 1.

        LCConfigService.checkOutConfig("<working_directory>","<cell_name>")

        where:

        • <app_server_root> is the WAS installation directory

        • <DMGR> is the name of the dmgr profile. For example: Dmgr01

        • <working_directory> is the temporary working directory to which the configuration XML and XSD files are copied and are stored while you edit them. Use forward slashes to separate directories in the file path, even if you are using the Microsoft Windows operating system.

        • <cell_name> is the name of the WAS cell hosting the IBM Connections application. This argument is case sensitive. If you do not know the cell name, execute the following command in the wsadmin client to determine it:

            print AdminControl.getCell()

        For example:

        LCConfigService.checkOutConfig("c:/temp","foo01Cell01")

    2. Update the custom authenticator values by running the following commands:

      1. Configure the custom authenticator to support server-to-server authentication for SPNEGO:

          LCConfigService.updateConfig("customAuthenticator.name", "KerberosAuthenticator")

          LCConfigService.updateConfig("IISKerberosSPN", "HTTP/<IIS_host>@<SPNEGO_domain>")

          LCConfigService.updateConfig("WebKerberosSPN.name", "HTTP/<IHS_host>@<SPNEGO_domain>")

          LCConfigService.updateConfig("WASKerberosSPN.name", "HTTP/<WAS_Node1_host>@<SPNEGO_domain>")

          LCConfigService.updateConfig("WASKerberosSPN.name", "HTTP/<WAS_Node2_host>@<SPNEGO_domain>")

          where

          • <IIS_host> is the host name of the IIS server.

          • <SPNEGO_domain> is the domain that you specified when you configured SPNEGO.

          • <IHS_host> is the host name of the IBM HTTP Server in your IBM Connections 3.0.1 deployment.

          • <WAS_Node1_host> specifies the first node in the cluster.

          • <WAS_Node2_host> specifies the second node in the cluster.

          Set the value of the custom.authenticator.cookieTimeout parameter to be equal to or less than the maximum timeout and idle timeout values that you configured earlier.

          Note: If the parameter does not already exist in LotusConnections-config.xml, create it. Open the file in a text editor and add the parameter to the customAuthenticator element.

          Specify the timeout value in minutes.

          LCConfigService.updateConfig("customAuthenticator.CookieTimeout", "<timeout>")

          where <timeout> is a value in minutes that is less than or equal to the SiteMinder timeout values.

        Note: When your production environment is ready, set the AllowSelfSignedCerts parameter to false.

        Note: If the parameter does not already exist in LotusConnections-config.xml, create it. Open the file in a text editor and add the parameter to the customAuthenticator element.

    3. Check LotusConnections-config.xml back in...

        LCConfigService.checkInConfig()

  27. Configure the client browser for SPNEGO:

    1. Log in with an administrator account to the Local Computer domain.

    2. Set the address of the Domain Controller IP to the same address as the DNS server.

    3. Open the User Accounts control panel and create a user account for the Local Computer domain.

    4. Specify Remote Desktop Users access for the new user account.

      The user can log in to the system through Remote Desktop by specifying the SPNEGO1 domain.

  28. Verify that the configuration is working correctly:

    1. Log in to your Windows client system.

    2. Open Firefox or Internet Explorer and navigate to https://<IHS_host>/homepage. If you can log in automatically, without entering your credentials, then you have successfully configured single sign-on for SiteMinder with SPNEGO.


What to do next


Advise your users to close all browser windows when they log out of Activities. This precaution avoids potential security problems that could arise because the SiteMinder session cookie in a browser window might still be updating while a user is logging out from a different browser window.


Parent topic

Configure single sign-on  
Related tasks
Create a service principal name and keytab file
Configure Kerberos and SPNEGO
Configure the backend authenticator
Configure SPNEGO on IBM HTTP Server
Configure web browsers to support Kerberos  

February 7, 2012 12:18:05 PM
   

 
