
Enable single sign-on for Tivoli Access Manager


Overview

Single sign-on (SSO) enables users to log in to one application of Connections, and switch to other applications, in other cells, without having to re-authenticate.

This procedure describes one approach that uses an LTPA key with WebSEAL Transparent Junctions.

Connections supports the use of SSL Transparent Path junctions with Tivoli Access Manager. IBM Connections does not support TCP type junctions or TAM Standard junctions.

Connections supports LTPA as an SSO solution for TAM. IBM Connections does not support...


Set up SSO using TAM

  1. Verify that the connectionsAdmin J2C alias specified during installation corresponds to a valid TAM account.

    Map it to a back-end TAM administrative user account. This account must be capable of authenticating for single sign-on against TAM. If we update the user ID or credentials for this alias, see Change references to database administrative credentials.

  2. Install IBM TAM for e-business, version 6.1.1.

  3. Verify access to installed Connections applications from a web browser.

  4. Set the IBM WAS single sign-on domain to the same value as that of the TAM server.

  5. For SSO between IBM Connections deployed with a stand-alone LDAP on WAS, or if the product is using Lotus Domino, see Enable single sign-on for standalone LDAP.

  6. To support SSO with the LTPA key, TAM and WAS must share the same keys and passwords.

    Export the keys from WAS:

    1. From the WAS console as an administrator, go to...

        Security| Global security | Authentication mechanisms and expiration | LTPA | Cross-cell single sign-on section

      ...and set...

      Password            Enter a secure password and then confirm the password. Provide this password later.
      /path/to/key_file   Specify a valid path and a file name for the file that will hold the exported keys.

      For example:

        p*ssw*rd
        /path/to/WAS_ltpa.keys

    2. Click Export keys.

    If we have modified the federated repository properties, such as the realm name of the federated repository, re-export your LTPA keys and copy them to the TAM server, to the same location used to create the TAM junctions.

    If recreating the LTPA token introduces errors, clear all scheduled tasks.

  7. Use available authentication data when an unprotected URI is accessed: On the Global security page, expand...

    ...and select...

    • Authenticate only when the URI is protected
    • Use available authentication data when an unprotected URI is accessed

    Apply and then click OK.

  8. Import the IHS certificate into the TAM keystore.

    1. Determine the location of the WebSEAL certificate key file.

      Edit...

        TIVOLI_ROOT/PDWeb/etc/webseald-default.conf

      ...and search for keyword:

        webseal-cert-keyfile

    2. Copy the WebSEAL certificate key file to the IHS host.

      For example, from TAM host:

    3. On the system where IHS is installed, start the IBM Key Management utility:

    4. Open the IHS key file:

        Key Database File | Open

      ...using the following values...

      Key database type CMS
      File Name plugin-key.kdb
      File Location IHS_ROOT/Plugins/config/webserver_name/

      For example: /IBM/HTTPServer/Plugins/config/webserver1/

      Click OK and enter the password for the IHS key file. The default password is WebAS.

    5. Under Key database content, select Personal Certificates.

    6. Click...

        Extract Certificate

      ...and specify a file name and location for storing the certificate. Leave the Data type field unchanged.

      For example:

      • Certificate file name: cert.arm
      • /path/to

    7. Using ikeyman, open the WebSEAL certificate key file.

      When we are prompted for the password, enter the password of the WebSEAL key file. The default password is pdsrv.

    8. Under Key database content, select...

        Signer Certificates | Add

      ...and then locate the extracted IHS certificate file.

      Enter a label for this certificate; for example:

        C5_IHS_certificate

      If we have already imported other IHS certificates into the WebSEAL certificate file, delete them before adding the new certificate.

    9. Save the changes to pdsrv.kdb and close the file.

        Key Database File | Close

    10. Copy the WebSEAL certificate file, pdsrv.kdb, to the same location on the WebSEAL server.

        /path/to/Tivoli/PDWeb/www-default/certs/pdsrv.kdb

  9. Use the exported LTPA key to configure the transparent path junctions in TAM.

    1. Copy the LTPA keys that you exported in Step 6 to the TAM server.

      For example:

        /path/to/WAS7_ltpa.keys

    2. Open the pdadmin command line utility, which is installed as part of the TAM runtime package.

    3. Configure a transparent path junction for each installed application.

      Do not include the carriage returns in the command. They are added here for display purposes.

      server task WebSEAL-instance-name create \
             -t ssl   \
             -h backend-server-name \
             -x \
             -p backend-server-port \
             -i \
             -b ignore \
             -f \
             -A \
             -2   \
             -F ltpa-token \
             -Z ltpa-password \
             -k transparent-path-jct
      

      where:

      • WebSEAL-instance-name is the name of the WebSEAL server. Use the following syntax:

        WebSEAL_instance-webseald-tam_server

        For example: default-webseald-server.name.myco.com

      • backend-server-name is the domain name of the Connections server for which TAM is managing authentication; for example, the IHS server configured for Connections.

      • backend-server-port is the port used by the backend server.

      • ltpa-token is the name of the file that you created to store the keys that you exported from WAS.

      • ltpa-password is the password defined to encrypt the key file.

      • transparent-path-jct is the transparent path junction for the application. This value must match the URL pattern and must be created once for each URL pattern:

        • /activities
        • /blogs
        • /cognos
        • /communities
        • /connections
        • /dm
        • /dogear
        • /files
        • /forums
        • /help
        • /homepage
        • /metrics
        • /mobile
        • /mobileAdmin
        • /moderation
        • /news
        • /oauth2
        • /profiles
        • /search
        • /wikis

      For example:

      server task default-webseald-server.name.myco.com create \
             -t ssl \
             -h another.server.name.myco.com \
             -x \
             -p 443 \
             -i \
             -b ignore \
             -f \
             -A \
             -2 \
             -F /path/to/WAS7_ltpa.keys \
             -Z password \
             -k /profiles
      

      • The -2 parameter is needed only if we are using LTPA type 2. WAS allows both LTPA 1 and LTPA 2.

      • If an invalid certificate error occurs, import your backend-server-name certificate into the WebSEAL certificate store before you create the junctions.

      • The transparent path junctions include /help even though it is not an independent Connections application. It is an integral part of the News application but must be configured as a separate junction.

    For more information about using the pdadmin command line utility, go to the Use pdadmin to create junctions web page in the TAM information center.

  10. Create a default IBM Connections ACL to override the default WebSEAL ACL by running the following pdadmin commands:

      acl create lc3-default-acl
      acl modify lc3-default-acl set user sec_master TcmdbsvaBRlrx
      acl modify lc3-default-acl set any-other Tmdrx
      acl modify lc3-default-acl set unauthenticated T
      acl modify lc3-default-acl set group iv-admin TcmdbsvaBRrxl
      acl modify lc3-default-acl set group webseal-servers Tgmdbsrxl

  11. Attach default ACLs to resources that are protected by form-authentication.

    1. Attach the default ACL to application root URLs:

        acl attach /WebSEAL/tam_server-WebSEAL_instance/app_root lc3-default-acl

      where:

      • tam_server is the host name of the TAM server

      • WebSEAL_instance is the name of the instance of the WebSEAL server configured to manage IBM Connections; for example: default

      • app_root is the root path to the Connections applications, including the following:

        • /activities
        • /blogs
        • /cognos
        • /communities
        • /dogear
        • /files
        • /forums
        • /homepage
        • /news
        • /metrics
        • /mobile
        • /moderation
        • /profiles
        • /search
        • /wikis

      • lc3-default-acl is the access control list (ACL) defined in Step 10

      For example:

        acl attach /WebSEAL/tam.myco.com-default/activities example-default-acl

    2. Attach the default ACL to other resources that are protected by form-authentication. Run:

        acl attach /WebSEAL/tam_server-WebSEAL_instance/object-path lc3-default-acl

      where:

      • tam_server is the host name of the TAM server

      • WebSEAL_instance is the name of the instance of the WebSEAL server configured to manage IBM Connections; for example: default

      • object-path is the path to the resource on that domain

      • lc3-default-acl is the access control list defined in Step 10. Replace this variable with the name of the default ACL.

      For example:

        acl attach /WebSEAL/tam.myco.com-default/activities/service/getnonce/forms example-default-acl

      See the Resources that require form-authentication table for a list of URLs that are protected by form-authentication.

      Application         Protected URL
      Activities          /activities/seedlist/myserver
                          /activities/service/atom2/communityEvent
                          /activities/service/atom2/forms
                          /activities/service/download/forms
                          /activities/service/getnonce/forms
      Blogs               /blogs/seedlist/myserver
      Bookmarks           /dogear/seedlist/myserver
      Common resources    /connections/opensocial/rest
      Communities         /communities/calendar/seedlist/myserver
                          /communities/forum/service/atom/forms
                          /communities/recomm/ajax
                          /communities/recomm/atom_form
                          /communities/service/atom/forms
      Forums              /forums/atom/forms
                          /forums/seedlist/myserver
      Metrics             /metrics
                          /cognos
      Profiles            /profiles/atom/forms
                          /profiles/atom2/forms
      URL Preview         /connections/opengraph/form/api/oembed
                          /connections/thumbnail/form/api/imageProxy

  12. Define the unprotected access control list and then attach unprotected resources and resources that require basic-authentication to it using the pdadmin command line utility, so that TAM passes HTTP requests for these resources through to WAS for authentication.

    1. To define the unprotected access control list:

        acl create ic-bypass-acl
        acl modify ic-bypass-acl set user sec_master TcmdbsvaBRlrx
        acl modify ic-bypass-acl set any-other Tmdrx
        acl modify ic-bypass-acl set unauthenticated Tmdrx
        acl modify ic-bypass-acl set group iv-admin TcmdbsvaBRrxl
        acl modify ic-bypass-acl set group webseal-servers Tgmdbsrxl

      where ic-bypass-acl is the name of the unprotected access control list; for example, connections-acl-bypass.

      The any-other parameter refers to authenticated users who are not defined by other parameters such as sec_master or iv-admin.

    2. To attach the access control list to resources that do not require authentication, run the following command:

      acl attach /WebSEAL/tam_server-WebSEAL_instance/object-path ic-bypass-acl

      where:

      • tam_server is the host name of the TAM server
      • WebSEAL_instance is the name of the instance of the WebSEAL server configured to manage IBM Connections; for example: default
      • object-path is the path to the resource on that domain
      • ic-bypass-acl is the access control list defined in Step 12

      See the Resources that do not require authentication table for a list of unprotected URLs.

      Application         Unprotected URL
      Activities          /activities/auth
                          /activities/authverify
                          /activities/images
                          /activities/service/html/mainpage
                          /activities/oauth
                          /activities/service/html/images
                          /activities/service/html/servermetrics
                          /activities/service/html/serverstats
                          /activities/static
                          /activities/service/html/styles
                          /activities/service/html/themes
                          /activities/serviceconfigs
      Blogs               /blogs/static
                          /blogs/oauth
                          /blogs/serviceconfigs
      Bookmarks           /dogear/bookmarklet/tagslike/proxy
                          /dogear/oauth
                          /dogear/peoplelike
                          /dogear/serviceconfigs
                          /dogear/static
                          /dogear/tagslike
                          /dogear/tagrecs
      Common resources    /connections/bookmarklet/tools/blet.js
                          /connections/bookmarklet/tools/discussThis.js
                          /connections/bookmarklet/tools/rlet.js
                          /connections/core/oauth
                          /connections/oauth
                          /connections/opensocial/oauth
                          /connections/resources/socmail-client
                          /connections/resources/ic
                          /connections/resources/web
                          /connections/resources/socpim
                          /connections/serviceconfigs
                          /nav/common
      Content Manager     /wsi
                          /acce
                          /dm
      Communities         /communities/calendar/calendar.xml
                          /communities/calendar/oauth
                          /communities/images
                          /communities/recomm/oauth
                          /communities/recomm/recomm.xml
                          /communities/service/atom/oauth
                          /communities/service/html/communityview
                          /communities/service/opensocial/oauth
                          /communities/serviceconfigs
                          /communities/service/html/community/autoCompleteMembers.do
                          /communities/service/html/singleas
                          /communities/static
                          /communities/stylesheet
                          /communities/tools/embedAS.html
      Files               /files/app
                          /files/basic/anonymous/api
                          /files/basic/anonymous/cmis
                          /files/basic/anonymous/opensocial
                          /files/form/anonymous/api
                          /files/form/anonymous/cmis
                          /files/form/anonymous/opensocial
                          /files/oauth
                          /files/static
                          /files/serviceconfigs
      Forums              /forums/oauth
                          /forums/serviceconfigs
                          /forums/static
      Home page           /homepage/oauth
                          /homepage/search
                          /homepage/serviceconfigs
                          /homepage/static
      Metrics             /metrics/service/eventTracker
                          /metrics/service/oauth
                          /metrics/serviceconfigs
                          /cognos/servlet
      Moderation          /moderation/oauth
      News                /help
                          /news/common/sand/static/
                          /news/follow/oauth
                          /news/microblogging/isPermitted.action
                          /news/oauth
                          /news/serviceconfigs
                          /news/sharebox/config.action
                          /news/static
      OAuth Provider      /oauth2
      Profiles            /profiles/images
                          /profiles/oauth
                          /profiles/serviceconfigs
                          /profiles/static
                          /profiles/widget-catalog
      Search              /search/atom/search/*
                          /search/oauth
                          /search/static
                          /search/serviceconfigs
      URL Preview         /connections/opengraph/form/anonymous/api/oembed
                          /connections/opengraph/basic/anonymous/api/oembed
                          /connections/opengraph/oauth/anonymous/api/oembed
                          /connections/thumbnail/api/imageProxy
      Widget container    /connections/opensocial/anonymous/rest
                          /connections/opensocial/common
                          /connections/opensocial/gadgets
                          /connections/opensocial/ic
                          /connections/opensocial/rpc
                          /connections/opensocial/social
                          /connections/opensocial/xrds
                          /connections/opensocial/xpc
      Wikis               /wikis/basic/anonymous/api
                          /wikis/form/anonymous/api
                          /wikis/oauth
                          /wikis/serviceconfigs
                          /wikis/static

    3. The Atom feeds on IBM Connections servers use basic authentication because most feed readers are unable to authenticate with form-authentication. WAS and Connections applications authenticate these Atom HTTP requests through basic authentication as required.

      To attach the unprotected ACL to resources that IBM Connections protects with basic authentication, run the following command:

        acl attach /WebSEAL/tam_server-WebSEAL_instance/object-path ic-bypass-acl

      where:

      • tam_server is the host name of the TAM server
      • WebSEAL_instance is the name of the instance of the WebSEAL server configured to manage IBM Connections; for example: default
      • object-path is the path to the resource on that domain
      • ic-bypass-acl is the access control list defined in Step 12

      For example:

        acl attach /WebSEAL/myco.com-default/activities/service/atom example-bypass-acl

      Application         Protected URL (basic authentication)
      Activities          /activities/follow/atom
                          /activities/service/atom
                          /activities/service/atom2
                          /activities/service/download
                          /activities/service/getnonce
                          /activities/service/html/autocompleteactivityname
                          /activities/service/html/autocompleteentryname
                          /activities/service/html/autocompletemembers
      Blogs               /blogs/api
                          /blogs/atom
                          /blogs/follow/atom
                          /blogs/issuecategories
                          /blogs/roller-ui/blog
                          /blogs/roller-ui/feed
                          /blogs/roller-ui/BlogsWidgetEventHandler.do
                          /blogs/roller-ui/rendering/api
                          /blogs/roller-ui/rendering/feed
                          /blogs/services/atom
      Bookmarks           /dogear/api/app
                          /dogear/api/deleted
                          /dogear/api/notify
                          /dogear/atom
                          /dogear/people.do
      Common resources    /connections/opensocial/basic/rest
      Communities         /communities/calendar/atom
                          /communities/calendar/handleevent
                          /communities/calendar/ical
                          /communities/follow/atom
                          /communities/forum/service/atom
                          /communities/recomm/atom
                          /communities/recomm/handleevent
                          /communities/service/atom
                          /communities/service/atom/communities/my
                          /communities/service/json
                          /communities/service/opensocial
      Files               /files/basic/api
                          /files/basic/api/myuserlibrary/feed
                          /files/basic/cmis
                          /files/basic/opensocial
                          /files/follow/atom
      Forums              /forums/atom
                          /forums/follow/atom
      Home page           /homepage/atom/mysearch
                          /homepage/atom/search
                          /homepage/web/updates/
      Metrics             /cognos/servlet/ping (required for Connections 4.5, CR3 only)
      News                /news/atom/service
                          /news/atom/stories/community
                          /news/atom/stories/newsfeed
                          /news/atom/stories/public
                          /news/atom/stories/save
                          /news/atom/stories/saved
                          /news/atom/stories/statusupdates
                          /news/atom/stories/top
                          /news/atom/watchlist
                          /news/atomfba/stories/public
      Profiles            /profiles/atom
                          /profiles/atom2
                          /profiles/atom/forms/tagCloud.do
                          /profiles/follow/atom
                          /profiles/json
                          /profiles/vcard
                          /profiles/photo.do
                          /profiles/audio.do
      URL Preview         /connections/opengraph/basic/api/oembed
                          /connections/thumbnail/basic/api/imageProxy
      Wikis               /wikis/basic/api
                          /wikis/follow/atom

      If we use case-insensitive junctions in the TAM configuration, specify /profiles/atom/forms/tagcloud.do instead of /profiles/atom/forms/tagCloud.do.
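The junction and ACL steps above amount to a table of object paths and the ACL attached to each, and WebSEAL resolves a request by inheriting the ACL on the nearest ancestor in the object space. The following script is an added example, not IBM's code: it renders the pdadmin `server task ... create` and `acl attach` commands for the junction points and ACL names given on this page, flags attachments whose first segment is not a junction point (a typo would attach the ACL to a node no request reaches), and models which ACL governs a given URL and whether an unauthenticated request is passed through or challenged. The WebSEAL instance name, host names, key file path, the subset of attachments and the request URLs are constructed for the example.

```python
"""Render the pdadmin commands from the Connections/TAM steps and model which
ACL WebSEAL applies to a request (added example, not IBM's code)."""

WEBSEAL_INSTANCE = "default-webseald-tam.myco.com"   # constructed instance name
WEBSEAL_ROOT = "/WebSEAL/tam.myco.com-default"       # /WebSEAL/tam_server-WebSEAL_instance

# Transparent path junctions listed on the page (one per URL pattern).
JUNCTIONS = ["/activities", "/blogs", "/cognos", "/communities", "/connections",
             "/dm", "/dogear", "/files", "/forums", "/help", "/homepage", "/metrics",
             "/mobile", "/mobileAdmin", "/moderation", "/news", "/oauth2",
             "/profiles", "/search", "/wikis"]

# Permission strings from the two ACL definitions on the page.
ACLS = {
    "lc3-default-acl": {"unauthenticated": "T",     "any-other": "Tmdrx"},
    "ic-bypass-acl":   {"unauthenticated": "Tmdrx", "any-other": "Tmdrx"},
}

# A constructed, representative subset of the attachments made in the ACL steps.
ATTACHMENTS = {
    "/activities":                       "lc3-default-acl",  # application root
    "/activities/service/atom":          "ic-bypass-acl",    # basic-auth feed
    "/activities/service/atom/forms":    "lc3-default-acl",  # form-auth below it
    "/activities/service/html/mainpage": "ic-bypass-acl",    # unprotected
    "/activities/static":                "ic-bypass-acl",
    "/profiles":                         "lc3-default-acl",
    "/profiles/atom":                    "ic-bypass-acl",
    "/profiles/atom/forms":              "lc3-default-acl",
    "/profiles/atom/forms/tagCloud.do":  "ic-bypass-acl",
}


def junction_create_commands(backend_host, backend_port, key_file, key_password,
                             instance=WEBSEAL_INSTANCE, junctions=JUNCTIONS, ltpa2=True):
    """One 'server task ... create' command per junction, in the page's option order."""
    flags = "-t ssl -h %s -x -p %d -i -b ignore -f -A" % (backend_host, backend_port)
    if ltpa2:
        flags += " -2"  # only needed for LTPA version 2 tokens
    return ["server task %s create %s -F %s -Z %s -k %s"
            % (instance, flags, key_file, key_password, jct) for jct in junctions]


def acl_attach_commands(attachments=ATTACHMENTS, root=WEBSEAL_ROOT):
    """The 'acl attach' commands for a set of object-path -> ACL mappings."""
    return ["acl attach %s%s %s" % (root, path, acl)
            for path, acl in sorted(attachments.items())]


def paths_outside_junctions(attachments=ATTACHMENTS, junctions=JUNCTIONS):
    """Object paths whose first segment is not a configured junction point."""
    return sorted(p for p in attachments if "/" + p.split("/")[1] not in junctions)


def effective_acl(url_path, attachments=ATTACHMENTS):
    """(object_path, acl_name) of the nearest ancestor with an ACL, or None."""
    segments = url_path.rstrip("/").split("/")
    for i in range(len(segments), 0, -1):  # longest prefix first
        candidate = "/".join(segments[:i])
        if candidate in attachments:
            return candidate, attachments[candidate]
    return None


def anonymous_can_read(url_path, attachments=ATTACHMENTS, acls=ACLS):
    """True if the governing ACL grants 'r' (read) to unauthenticated users, so
    WebSEAL passes the request through without a login challenge.  lc3-default-acl
    gives unauthenticated only 'T' (traverse), so those resources prompt for login.
    Returns None when no Connections ACL governs the path."""
    hit = effective_acl(url_path, attachments)
    if hit is None:
        return None
    return "r" in acls[hit[1]]["unauthenticated"]


if __name__ == "__main__":
    for cmd in junction_create_commands("ihs.myco.com", 443, "/path/to/WAS7_ltpa.keys", "ltpa-pw"):
        print(cmd)
    for cmd in acl_attach_commands():
        print(cmd)
    print("outside junctions:", paths_outside_junctions())
    for url in ("/activities/service/atom/activities/my", "/activities/service/atom/forms",
                "/profiles/atom/forms/tagCloud.do"):
        print(url, "->", effective_acl(url), "anonymous read:", anonymous_can_read(url))
```

The inheritance model is why the order of attachments in the steps matters less than their nesting: `/activities/service/atom` (basic authentication, bypass) sits under `/activities` (form-authentication), and `/activities/service/atom/forms` is re-attached to the default ACL so that the form-authenticated path below the feed root is challenged again.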

  13. Specify a dynamic URL pattern to support the Blogs application, and mail notification:

    1. Create a dynurl configuration file named dynurl.conf. The dynurl.conf file is a plain text file containing mappings from objects to patterns. Using a text editor, add the following content to the file:

      /blogs/blogsfeed /blogs/*/feed/*

      /blogs/blogsapi /blogs/*/api/*

      Save the file in the webseal-instance-docroot/lib directory. For example:

        /opt/Tivoli/PDweb/www-default/lib

    2. To attach the bypass ACL defined in Step 12 to the dynurl objects, open the pdadmin command line utility and enter the following commands:

      acl attach /WebSEAL/tam_server-WebSEAL_instance/blogs/blogsfeed ic-bypass-acl

      acl attach /WebSEAL/tam_server-WebSEAL_instance/blogs/blogsapi ic-bypass-acl

      where:

      • tam_server is the host name of the TAM server.

      • WebSEAL_instance is the name of the instance of the WebSEAL server configured to manage IBM Connections; for example: default.

      • ic-bypass-acl is the name of the access control list defined earlier.

      For example:

      acl attach /WebSEAL/server.name.myco.com-default/blogs/blogsfeed open

    3. To allow large Blogs posts, open the webseald.conf file and add the following parameter:

      dynurl-allow-large-posts = yes

    4. To enable the uploading of PDF files, add the following parameter to the webseald.conf file:

      suppress-dynurl-parsing-of-posts = yes

  14. To get the activity stream on the Homepage to display, import an SSL certificate from the TAM server to the nodes.

    1. Navigate to SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates and import the certificate.

    2. Restart the Homepage application.

    To get the ECM events to appear, the TAM certificates must be imported into the NodeDefaultTrustStore. If the TAM server and the WebSEAL server are different hosts, import the certificate from the WebSEAL server.

  15. For Connections Content Manager, complete the following additional steps for FileNet Collaboration Services (FNCS):

    1. To add properties, the administrator needs to edit the <FNCS_HOME>\configmanager\profiles\fncs-sitePrefs.properties file, where FNCS_HOME is the FNCS install directory, before running the configuration wizard.

    2. Add the following properties to the end of the fncs-sitePrefs.properties file, after the comments, and save it:

        urlBaseService <your http url for the TAM and WebSEAL proxy>
        fncsServerURL <your http url for the TAM and WebSEAL proxy>
        fncsServerURLSecure <your https url for the TAM and WebSEAL proxy>

    3. After setting the properties, complete the steps in Configure FileNet Collaboration Services for the Connections Content Manager.

  16. Configure TAM to use form-authentication over HTTPS by updating the webseald-server-name.conf file. Add the following line to the [forms] stanza:

    forms-auth = https

    We cannot specify HTTP-only authentication. To specify both HTTP and HTTPS, add the following line: forms-auth = both.

  17. (Do not complete this step for TAM with SPNEGO) Allow access to the Embedded Experience gadget by adding the following line to the [ba] stanza in the webseald-server-name.conf file:

    ba-auth = none

  18. Configure content filtering by adding the following lines to the webseald-server-name.conf file:

    [filter-content-types]
    type = text/xml
    type = application/atom+xml

    [script-filtering]
    script-filter = yes
    rewrite-absolute-with-absolute = yes

  19. Configure TAM as the reverse proxy for Connections.

    Update the webseald-server-name.conf file and add the following line to the [server] stanza:

      web-host-name = fully-qualified-host-name

    Add the following line to the [session] stanza:

      use-same-session = yes

    Stop and restart the WebSEAL instance.

  20. Update the values for the dynamicHosts and interService URL attributes in LotusConnections-config.xml:

    1. Check out LotusConnections-config.xml:

        execfile("app_server_root/profiles/DMGR/bin/connectionsConfig.py")
        LCConfigService.checkOutConfig("/tmp","cell_name")

      If we are prompted to specify which server to connect to, type 1.

      where:

      • /tmp is the temporary working directory to which configuration files are stored while you edit them. Use forward slashes to separate directories, even with Windows.

      • cell_name is the name of the WAS cell hosting the Connections application. This argument is case sensitive. If we do not know the cell name, run the following command in the wsadmin client to determine it:

        print AdminControl.getCell()

      For example: LCConfigService.checkOutConfig("c:/temp","foo01Cell01")

    2. Update the dynamicHosts values by running the following commands:

      1. Enable dynamicHosts:

        LCConfigService.updateConfig("dynamicHosts.enabled","true")

      2. Enter the WebSEAL host name in the values for the dynamicHosts.href and dynamicHosts.ssl_href attributes:

        LCConfigService.updateConfig("dynamicHosts.href","http://WebSEAL_host")

        LCConfigService.updateConfig("dynamicHosts.ssl_href","https://WebSEAL_host")

        where WebSEAL_host is the fully qualified host name of the WebSEAL server.

      • Each href attribute in LotusConnections-config.xml is case-sensitive and must specify a fully-qualified domain name.

      • The fully-qualified host name for the WebSEAL server and the dynamicHosts configuration must be identical.

    3. (Do not complete this step for TAM with SPNEGO) Update the interService URL values:

      LCConfigService.updateConfig("application_interService_key","https://WebSEAL_host")

      where:

      • WebSEAL_host is the fully qualified host name of the WebSEAL server

      • application_interService_key is the href attribute for the application, and includes the following applications:

        • activities.interService.href
        • blogs.interService.href
        • communities.interService.href
        • dogear.interService.href
        • files.interService.href
        • forums.interService.href

        • help.interService.href
        • homepage.interService.href
        • mobile.interService.href
        • moderation.interService.href
        • news.interService.href

        • personTag.interService.href
        • profiles.interService.href

        • quickr.interService.href

        • sametimeLinks.interService.href

        • sametimeProxy.interService.href
        • search.interService.href
        • wikis.interService.href

    4. Check LotusConnections-config.xml back in:

      LCConfigService.checkInConfig()

    We can also complete this step by running the connectionsConfig.py script in the wsadmin client.

  21. Determine how you want the system to behave when users log out of Connections. By default, when users click Log out in the SSO environment, they are not fully logged out of Connections. Edit the IHS httpd.conf configuration file to implement the post-log out behavior. By default, the file is located in:

      /opt/IBM/HTTPServer/conf

    To capture requests to /ibm_security_logout and redirect them to /pkmslogout, add the following rewrite rules to httpd.conf:

      RewriteEngine On
      RewriteCond %{REQUEST_URI} /(.*)/ibm_security_logout(.*)
      RewriteRule ^/(.*) /pkmslogout [noescape,L,R]

    You must add these rules to both the HTTP and HTTPS entries.

    Ensure that the line that loads mod_rewrite is not commented out; if it is, remove the preceding # symbol. For example:

    LoadModule rewrite_module modules/mod_rewrite.so

    The following example illustrates a typical portion of httpd.conf after you have implemented the steps described in this step:

    RewriteEngine On
    RewriteCond %{REQUEST_URI} /(.*)/ibm_security_logout(.*)
    RewriteRule ^/(.*) /pkmslogout [noescape,L,R]
    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    <IfModule mod_ibm_ssl.c>
        Listen 0.0.0.0:443
        <VirtualHost *:443>
            ServerName connections.myco.com
            SSLEnable
            RewriteEngine On
            RewriteCond %{REQUEST_URI} /(.*)/ibm_security_logout(.*)
            RewriteRule ^/(.*) /pkmslogout [noescape,L,R]
        </VirtualHost>
    </IfModule>
    SSLDisable

  22. Add an ErrorDocument 500 statement to httpd.conf.

    This statement appears in the user's browser if a Connections application becomes unavailable.

  23. Save and close httpd.conf.

  24. Restart IHS.

  25. (Do not complete this step for TAM with SPNEGO) Add a TAM authenticator property by editing LotusConnections-config.xml.

    1. Check out the configuration file:

        execfile("app_server_root/profiles/DMGR/bin/connectionsConfig.py")

      If we are prompted to specify which server to connect to, enter 1.

        LCConfigService.checkOutConfig("/tmp","cell_name")

      where:

      • app_server_root is the WAS install directory

      • DMGR is the name of the dmgr profile. For example: Dmgr01

      • /tmp is the temporary working directory to which configuration XML and XSD files are copied while you edit them. Use forward slashes to separate directories, even with Windows.

      • cell_name is the name of the WAS cell hosting the Connections application. This argument is case sensitive. If we do not know the cell name, execute the following command in the wsadmin client to determine it:

        print AdminControl.getCell()

      For example:

        LCConfigService.checkOutConfig("c:/temp","foo01Cell01")

    2. Configure the custom authenticator to support server-to-server authentication for TAM:

      LCConfigService.updateConfig("customAuthenticator.name","TAMAuthenticator")

    3. Keep the file open until you have completed the next step.

  26. (Do not complete this step for TAM with SPNEGO) Configure the cookie timeout value for Connections:

    1. Locate the CookieTimeout attribute in LotusConnections-config.xml.

      If the attribute is not present, add it to the <customAuthenticator name="TAMAuthenticator"> element.

    2. Set the value, in minutes, of the CookieTimeout attribute to be equal to or less than the maximum timeout and idle timeout values that you configured in TAM.

      When the production environment is ready, set the AllowSelfSignedCerts parameter to false.

      If the parameter does not already exist in LotusConnections-config.xml, create it. Open the file in a text editor and add the parameter to the customAuthenticator element.

    3. Save the changes.

    4. Check LotusConnections-config.xml back in:

      LCConfigService.checkInConfig()

  27. The value of the cookie timeout attribute in LotusConnections-config.xml must be smaller than the values of the timeout and inactive-timeout attributes in the webseald-server-name.conf file.

    Check these values in the [session] stanza of the webseald-server-name.conf file and edit them if necessary.

    The values of the timeout parameters in the TAM configuration file are given in seconds but the CookieTimeout value in LotusConnections-config.xml is given in minutes.

    Use the following example as a guide:

      # Maximum lifetime (in seconds) for an entry in the credential cache
      # Set to zero to allow entries in the cache to fill without expiry until the
      # cache contains the number of entries specified by max-entries. After that
      # point, entries are expired according to a least recently used algorithm.
      timeout = 3600
      # Lifetime (in seconds) of inactive entries in the credential cache.
      # To disable, set to 0.
      inactive-timeout = 600
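Steps 16 through 19 and 27 set values in two different files that have to agree with each other, and the units differ (seconds in webseald-server-name.conf, minutes for CookieTimeout). The script below is an added example, not IBM's code: it parses the stanzas of a webseald.conf excerpt and the TAMAuthenticator element of a LotusConnections-config.xml fragment and reports the inconsistencies this page warns about: CookieTimeout not smaller than the [session] timeout and inactive-timeout, forms-auth set to plain http, use-same-session not enabled, a web-host-name that is not fully qualified, and AllowSelfSignedCerts still true when checking a production deployment. Both inputs are constructed from the values on this page; the layout of the customAuthenticator element as `<attribute key="..." value="..."/>` children is an assumption, as is the host name.

```python
"""Cross-check WebSEAL session/auth settings against the Connections
TAMAuthenticator settings (added example, not IBM's code)."""
import re
import xml.etree.ElementTree as ET

# Constructed webseald-server-name.conf excerpt using the values from the steps above.
WEBSEALD_CONF = """\
[server]
web-host-name = webseal.myco.com

[session]
use-same-session = yes
# Maximum lifetime (in seconds) for an entry in the credential cache
timeout = 3600
# Lifetime (in seconds) of inactive entries in the credential cache.
inactive-timeout = 600

[forms]
forms-auth = https

[ba]
ba-auth = none
"""

# Constructed LotusConnections-config.xml fragment; the attribute layout is assumed.
LC_CONFIG_XML = """\
<config>
  <customAuthenticator name="TAMAuthenticator">
    <attribute key="CookieTimeout" value="5"/>
    <attribute key="AllowSelfSignedCerts" value="true"/>
  </customAuthenticator>
</config>
"""


def parse_stanzas(text):
    """Return {stanza: {key: value}} for an ini-style webseald.conf."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if current is not None and sep:
            current[key.strip()] = value.strip()
    return stanzas


def authenticator_attributes(xml_text):
    """{key: value} of the TAMAuthenticator element, or None if it is absent."""
    root = ET.fromstring(xml_text)
    auth = root.find("customAuthenticator[@name='TAMAuthenticator']")
    if auth is None:
        return None
    return {a.get("key"): a.get("value") for a in auth.findall("attribute")}


def check_sso_settings(conf_text=WEBSEALD_CONF, xml_text=LC_CONFIG_XML, production=False):
    """Return a list of findings; an empty list means the settings agree."""
    findings = []
    st = parse_stanzas(conf_text)
    attrs = authenticator_attributes(xml_text)
    if attrs is None:
        return ["customAuthenticator TAMAuthenticator not found in LotusConnections-config.xml"]

    session = st.get("session", {})
    limits = [int(session.get(k, "0")) for k in ("timeout", "inactive-timeout")]
    limits = [v for v in limits if v > 0]  # 0 disables that limit in WebSEAL
    cookie = attrs.get("CookieTimeout")
    if cookie is None:
        findings.append("CookieTimeout attribute missing from TAMAuthenticator")
    elif limits and int(cookie) * 60 >= min(limits):  # minutes versus seconds
        findings.append("CookieTimeout %s min (%d s) is not smaller than the WebSEAL "
                        "session limit of %d s" % (cookie, int(cookie) * 60, min(limits)))
    if session.get("use-same-session") != "yes":
        findings.append("[session] use-same-session is not yes")

    forms_auth = st.get("forms", {}).get("forms-auth")
    if forms_auth not in ("https", "both"):
        findings.append("[forms] forms-auth must be https or both, found %r" % forms_auth)

    host = st.get("server", {}).get("web-host-name", "")
    if "." not in host:
        findings.append("[server] web-host-name %r is not fully qualified" % host)

    if production and attrs.get("AllowSelfSignedCerts", "").lower() != "false":
        findings.append("AllowSelfSignedCerts must be false in production")
    return findings


if __name__ == "__main__":
    for finding in check_sso_settings(production=True) or ["settings are consistent"]:
        print(finding)
```

Run it against the real files before restarting the cluster in Step 29; a CookieTimeout that outlives the WebSEAL session is the mismatch most likely to show up only later, as users whose WebSEAL credential has expired still carrying a Connections cookie that the application considers valid.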

  28. Import the TAM certificate into the WAS trust store. See Add certificates to the WebSphere trust store.

  29. Restart the cluster: Stop all application servers and all nodes, and then restart the deployment manager, all the nodes, and all the application servers.

