Plan for collaborative servers and portlets

 


Overview

Setting up a site with Domino Integration requires decisions about...

  • user directories
  • security
  • authentication
  • performance

...for the suite of Domino and Extended Products servers and software.

What directory do you want to use for the user directory for WebSphere Portal?

  • 1A: an LDAP directory other than IBM Lotus Domino
  • 1B: the Lotus Domino LDAP directory

What directory do you want to use for the user directories for IBM Lotus Sametime and IBM Lotus QuickPlace?

  • 2A: an LDAP directory other than Lotus Domino
  • 2B: the Lotus Domino LDAP directory
  • 2C: the native (non-LDAP) Lotus Domino directory

The use cases that follow are identified by the combination of answers to these two questions (for example, 1A+2A).

 

Use Case: Single directory (LDAP other than Lotus Domino) site (1A+2A)

  1. WebSphere Portal is installed and in active use.
  2. WebSphere Portal is configured with an LDAP directory other than Lotus Domino.
  3. You intend to integrate collaborative portlets.
  4. You want the Lotus Domino portlets to have online awareness features.
  5. You want single sign-on for all portlets.
  6. Domino and Extended Products are not installed.

 

Domino integration suggestions

Install and set up a Lotus Sametime server to support awareness, as well as a Lotus QuickPlace server for team collaboration. Configure them to authenticate against the LDAP directory already configured with the portal site.

To enable single sign-on, configure it as a last task after installing and configuring new servers for Domino and Extended Products, to include all the new servers.

Install and configure a separate Lotus Domino LDAP server, not as the portal user directory, but as support for key features in the collaborative portlets such as auto-detection of users' mail files. You can also use the portal's non-Lotus Domino LDAP directory for auto-detection, but this approach requires additional configuration.

If you have an existing Lotus Domino server you intend to integrate, verify the release is supported before attempting to use it with the portal.

Follow normal Domino integration and messaging instructions.

 

Use Case: Single directory (Lotus Domino LDAP) site (1B+2B)

  • WebSphere Portal is installed.

  • No LDAP user directory has been configured.

  • You intend to integrate collaborative portlets.

  • You want the portlets to have online awareness features, and you want users to be able to work in portlets without authentication other than logging into the portal (that is, you need the single sign-on feature).

 

Lotus Domino integration suggestions

Use Lotus Domino LDAP as the single directory for the Portal.

 

Use Case: Dual directory-type site (LDAP other than Lotus Domino for the portal, with Lotus Domino LDAP for the Lotus Sametime and Lotus QuickPlace user directories) (1A+2B)

  • You already have a mature installation of Lotus Domino servers including any of the following products:

    • Lotus QuickPlace
    • Lotus Sametime
    • Domino Web Access (iNotes)
    • Domino Document Manager

    Your Lotus Domino servers are upgraded to a release supported by WebSphere Portal.

  • You have newly installed WebSphere Portal or have the intention to deploy it. You may even have a mature portal site, but have not yet attempted to integrate it with the Lotus Domino installations.

  • You intend to integrate collaborative portlets, especially messaging portlets to support the existing Lotus Domino mail and calendar users.

  • You want the portlets to have online awareness features (your Lotus Domino users are accustomed to Lotus Sametime instant messaging), and you want users to be able to work in portlets without authentication other than logging into the portal (that is, you need the single sign-on feature).

 

Lotus Domino integration suggestions

Follow the instructions for Domino Integration and Messaging.

See the following topics for tasks specific to reconciling directories:

 

Use Case: Multiple directory-type site (LDAP other than Lotus Domino for the portal, with a combination of other directories for Lotus Sametime and Lotus Domino LDAP for Lotus QuickPlace) (1A+2B+2C)

  • You already have a mature installation of Lotus Domino servers including any of the following products:

    • Lotus QuickPlace
    • Lotus Sametime
    • Domino Web Access (iNotes)
    • Domino Document Manager

    Your Lotus Domino servers are upgraded to a release supported by WebSphere Portal.

  • You have newly installed WebSphere Portal or have the intention to deploy it. You may even have a mature portal site, but have not yet attempted to integrate it with the Lotus Domino installations.

  • You have a native Lotus Domino Directory (non-LDAP) in active use. One or more of the following products uses a native Lotus Domino Directory:

  • You intend to integrate collaborative portlets, especially messaging portlets, to support the existing Lotus Domino mail and calendar users.

  • You want the portlets to have online awareness features for Lotus Sametime instant messaging, and you want users to be able to work in portlets without authentication other than logging into the portal (single sign-on).

 

Lotus Domino integration suggestions

Follow the instructions for Domino Integration and Messaging.

To support SSO, reconcile authentication between user identifications in the native Lotus Domino directory and the portal LDAP directory.

See the following topics for tasks specific to reconciling directories:

 

Platform considerations

For i5/OS, IBM recommends that you use the IBM Web Administration for iSeries Create WebSphere Portal wizard when configuring WebSphere Portal installations. The wizard...

  • Creates servers (HTTP and WebSphere Application Server)
  • Configures servers for Portal
  • Configures the database for Portal
  • Configures security (LDAP) for Portal
  • Deploys the portlets bundled with the WebSphere Portal product

You can edit the Portal installation configuration manually after you have used the WebSphere Portal wizard.

Depending upon platform, Lotus Domino servers in the environment may have slightly different task and/or registry requirements:

  • All platforms:

    Lotus Domino IIOP is used to pre-populate drop-down lists shown when users personalize the collaborative portlets.

  • Windows and UNIX:

    Any data source servers must have the following enabled...

    • HTTP
    • LDAP
    • Lotus Domino IIOP

  • i5/OS:

    Any Lotus Domino data source servers must have HTTP and Lotus Domino IIOP enabled, and must use an LDAP user registry.

 

User directory considerations

From the portal perspective, there are two types of Lotus Domino servers:

You can use a Lotus Domino server with LDAP enabled both as the user repository for the portal and for auto-detection of users' mail files, unless the portal user repository is so large that you want to use separate machines for performance reasons.

 

User Directory considerations for Sametime and QuickPlace

If you will be using portlets for only...

  • Lotus Domino
  • Lotus Sametime

...the Lotus Sametime user directory can be any supported LDAP directory, although IBM recommends that Lotus Sametime use the same directory as the one configured for the portal, to avoid complexity.

If you will be using portlets for...

  • Lotus Domino
  • Lotus Sametime
  • Lotus QuickPlace

...then Lotus Sametime and Lotus QuickPlace must share the same LDAP directory to enable...

For an LDAP other than Lotus Domino, such as Tivoli Directory Server, to work properly with Lotus QuickPlace, modify qpconfig.xml on the Lotus QuickPlace server.

 

About security through SSL and other features

Whether the site includes single, dual, or multiple types of user directories, SSL is recommended, and you enable it the same way.

If you will use Lotus Sametime and Lotus QuickPlace together, and you enable SSL on one of the servers, also enable it on the other server.

If the site will use IBM Tivoli Access Manager for e-business or Computer Associates eTrust SiteMinder for additional security, set up such protection on servers in the following order:

  1. WebSphere Portal
  2. Lotus Sametime
  3. Lotus QuickPlace
  4. Lotus Domino servers

If the site will use Tivoli Access Manager or another reverse proxy, or a load balancer, when installing Lotus Sametime, select the option...

"Allow HTTP Tunneling on a Lotus Sametime server with a single IP address."

With this option selected, all Lotus Sametime client data, except A/V data, is tunneled to the Lotus Sametime server via HTTP on port 80. You also may need to enable this option if Lotus Sametime clients must connect to the server through a network that blocks TCP communications on ports 8081 and 1533.

 

About user authentication through Single Sign-On (SSO)

Single sign-on between the Lotus Domino environment and the portal environment allows users to log in to the portal, and then work in any of the collaborative portlets without having to authenticate a second time. My Lotus QuickPlaces, Lotus Notes View, and Domino Web Access require single sign-on support. SSO is also required if you use a mix of Lotus Sametime and Lotus QuickPlace portlets with both servers.

To support single sign-on, a Web SSO configuration document must exist for each Lotus Domino domain that includes Lotus Domino servers. The Web SSO configuration document is a domain-wide configuration document stored in the Lotus Domino Directory. This document, which you can replicate to all servers participating in the single sign-on domain, is encrypted for participating servers and administrators, and contains a shared secret key used by servers for authenticating user credentials.

In addition to the Web SSO configuration document for Lotus Domino servers, create, save, and export an LTPA key from WebSphere Application Server, and then import that WebSphere LTPA key into the Lotus Domino domain or domains. For each Lotus Domino domain that is set up for use with the portal, the same WebSphere LTPA key must be imported to support single sign-on. For complete instructions, see Configuring single sign-on between WebSphere Portal and Lotus Domino.

A best practice is to install and configure all servers prior to enabling single sign-on. For example, install and configure Lotus QuickPlace and Lotus Sametime before you enable single sign-on.

If you complete the required single sign-on configuration between the Lotus Domino environment and portal environment, there is no procedure to disallow automatic login for a specific user. For example, if user A logs in to the portal, user A will always be logged in to the Lotus Domino environment.
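The following is an added illustration, not code from the original topic or from IBM: a simplified model of the shared-key SSO described above. It uses an HMAC-signed token (constructed here; not the real LTPA token format) to show why every Lotus Domino domain must import the same WebSphere LTPA key, that a valid token is accepted for any user with no per-user opt-out, and that an expired token is rejected. Key values and the user DN are constructed sample data.

```python
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed sample keys. In a real site the key is the LTPA key exported from
# WebSphere Application Server and imported into each Domino Web SSO document.
PORTAL_LTPA_KEY = b"constructed-ltpa-key-exported-from-websphere"
DOMINO_DOMAIN_KEYS: Dict[str, bytes] = {
    "DominoDomainA": PORTAL_LTPA_KEY,           # imported the WebSphere key
    "DominoDomainB": PORTAL_LTPA_KEY,           # imported the WebSphere key
    "DominoDomainC": b"constructed-stale-key",  # never imported it
}


def issue_token(user_dn: str, key: bytes, expires_at: int) -> str:
    """Model of the portal minting an SSO cookie at login: body plus HMAC."""
    body = f"u:{user_dn}|exp:{expires_at}".encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return base64.b64encode(body + b"." + mac.encode()).decode()


def validate_token(token: str, key: bytes, now: Optional[int] = None) -> Optional[str]:
    """Model of a Domino server checking the cookie with its shared key.

    Returns the user DN when the MAC matches and the token is unexpired,
    otherwise None. There is no per-user allow/deny step, which mirrors the
    documented behaviour that SSO cannot be disabled for an individual user.
    """
    try:
        raw = base64.b64decode(token, validate=True)
        body, mac = raw.rsplit(b".", 1)           # hex MAC never contains "."
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(mac, expected):   # different or missing key
        return None
    fields = dict(part.split(":", 1) for part in body.decode().split("|"))
    current = now if now is not None else int(time.time())
    if int(fields["exp"]) <= current:
        return None
    return fields["u"]


def sso_reach(token: str, now: Optional[int] = None) -> Dict[str, bool]:
    """Which Domino domains would accept the portal's token without re-login."""
    return {d: validate_token(token, k, now) is not None
            for d, k in DOMINO_DOMAIN_KEYS.items()}
```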

 

Manage Single Sign-On and awareness when there are multiple types of directories.

If there is an LDAP directory server other than Lotus Domino in place, for example Tivoli Directory Server, you could employ several strategies to integrate it with a native Lotus Domino Directory and therefore achieve single sign-on and awareness across any collaborative portlets the organization uses. The Lotus Domino Directory Assistance functionality may provide a solution for name mapping across LDAP directories. Even when the organization, as a matter of policy, manages modifications primarily through an existing non-Lotus Domino LDAP directory, the schema in the non-Lotus Domino directory can be customized to work in concert with Directory Assistance, which can manage the name mapping for collaborative applications.

For a number of creative multi-directory solutions, including information on supporting single sign-on for awareness through the Lotus Sametime and Lotus QuickPlace servers if the organization uses them, see the IBM developerWorks article Single Sign-on in a Multi-Directory World.

 

Performance considerations

When integrating Lotus Domino into the portal environment, consider performance when deciding how many servers you need and which ones.

For example, to use a Lotus Domino LDAP server as the user directory (repository) for the portal, install portal on a separate machine from the Lotus Domino LDAP server configured to support collaborative features in the portlets. The Lotus Domino LDAP server for the portal user directory should reside on a machine that is dedicated to serving the portal environment and all its users.

For i5/OS, IBM recommends that a specific Lotus Domino server be created to run the collaborative components, and that it reside on the same i5/OS server as WebSphere Portal.

 

Performance of Lotus Sametime and Lotus QuickPlace

If you will use Lotus Sametime and Lotus QuickPlace together, install these servers on separate machines, and configure both servers to use the same LDAP directory.

 

People Finder considerations

Configuration of Member Manager in the portal is a prerequisite for the People Finder portlet, so that the portlet can access the organization directory. See the topic Member Manager and People Finder.

 

Parent Topic

Planning a portal with Domino Integration

 

Related concepts


Single sign-on
Overview of cooperative portlets

 

Related reference


Member Manager and People Finder
Troubleshooting Domino and Extended Products Portlets