
Define trusted and nontrusted Web sites for the Home page

The Ajax proxy configuration for all the IBM Lotus Connections features is defined in the proxy-config.tpl template file. When you want to specify different Ajax proxy settings for a specific feature only, you do so by creating a new, feature-specific version of the template file.

To edit proxy configuration properties for the Home page, use wsadmin. See Start the wsadmin client for information about how to start the wsadmin command-line tool.


Lotus Connections uses a single proxy configuration file for all features by default. This file is initially deployed as a template file, proxy-config.tpl, which contains the URLs for each Lotus Connections feature specified as variables. On startup, the variables in the template file are replaced with the URLs for each feature that are found in the LotusConnections-config.xml file.

When Lotus Connections 2.5 is installed, the default policy in the proxy-config.tpl file looks as follows:

This policy specifies that non-Lotus Connections feeds and widgets can only exchange GET methods with Lotus Connections servers. The empty <proxy:cookies/> and <proxy:headers/> elements mean that cookies and headers are not allowed. When you want to allow a host to exchange cookies or headers, or to perform PUT, POST, or DELETE methods, you need to add a new policy that supports this.

For secure deployments, modify the proxy configuration to lock down the target URLs that Home page widgets can communicate with. A proxy policy that applies to the Home page only limits the external sites, and therefore the external connections, that those widgets can reach.

When you want to set a specific policy for Home page only and you want the other Lotus Connections features to use the default settings, you can override the default settings for Home page by creating a proxy-homepage-config.tpl file that contains the customization that you want. At startup, Lotus Connections looks for customized template files and, on finding proxy-homepage-config.tpl, uses this to configure the proxy for the Home page.

To specify a proxy policy for the Home page only...

  1. Navigate to the location on the Lotus Connections server where the configuration XML and TPL files are stored.

    For example:

    C:\IBM\WebSphere\AppServer\profiles\AppSrv01\config\cells\cell_name\LotusConnections-config

  2. Copy the existing proxy-config.tpl file to proxy-homepage-config.tpl.

  3. Use wsadmin to access the Lotus Connections configuration files:

  4. Check out the proxy configuration file...

    HomepageCellConfig.checkOutProxyConfig("<working-directory>", "<cell-name>")

    where:

    • <working-directory> is the temporary working directory to which the configuration TPL and XSD files are copied. The files are kept in this working directory while you make changes to them.

    • <cell-name> is the name of the WebSphere Application Server cell hosting the Lotus Connections feature. This argument is required even in stand-alone deployments. The argument is also case-sensitive, so type it with care. If you do not know the cell name, do one of the following to determine it:

      • Stand-alone deployment: Look at the name after the following in the file system:

        WAS_HOME\profiles\profile_name\config\cells\

      • Network deployment: From wsadmin...

        print AdminControl.getCell()

    For example:

      HomepageCellConfig.checkOutProxyConfig("d:\home_temp", "HomepageServerNode01Cell")
      

  5. Go to your temporary working directory and open the proxy-homepage-config.tpl file in a text editor.

  6. Edit the file to specify that specific feed sources are trusted or untrusted for Home page, making sure to insert the custom policy earlier in the code than the default policy. For example, you can do the following:

    • To explicitly refuse all traffic from a specific site, add a policy like this:

        <proxy:policy url="malicious.site.com" acf="none">
            <proxy:actions/>
            <proxy:headers/>
            <proxy:cookies/>
        </proxy:policy>
        

  7. To allow a particular service in your network to display a custom widget, you can add the following policy entry to the file.

      <proxy:policy url="http://my.network.com/widget/*" acf="none">
          <proxy:actions>
              <proxy:method>GET</proxy:method>
          </proxy:actions>
          <proxy:headers>
              <proxy:header>User-Agent</proxy:header>
              <proxy:header>Accept*</proxy:header>
              <proxy:header>Content*</proxy:header>
              <proxy:header>Authorization*</proxy:header>
          </proxy:headers>
          <proxy:cookies>
              <proxy:cookie>JSESSIONID</proxy:cookie>
          </proxy:cookies>
      </proxy:policy>
      

    This policy allows the HTTP GET method and passes the JSESSIONID cookie and the named headers, but it does not allow anything else.

  8. To add the two LTPA cookies to the policy, add the following to the <proxy:cookies> section:

      <proxy:cookie>LtpaToken</proxy:cookie>
      <proxy:cookie>LtpaToken2</proxy:cookie>
      

    For example, the following policy allows a particular service to run on your network and pass cookies for LTPA tokens to the features:

      <proxy:policy url="http://my.network.com/service/*" acf="none">
          <proxy:actions>
              <proxy:method>GET</proxy:method>
          </proxy:actions>
          <proxy:headers>
              <proxy:header>User-Agent</proxy:header>
              <proxy:header>Accept*</proxy:header>
              <proxy:header>Content*</proxy:header>
              <proxy:header>Authorization*</proxy:header>
          </proxy:headers>
          <proxy:cookies>
              <proxy:cookie>JSESSIONID</proxy:cookie>
              <proxy:cookie>LtpaToken</proxy:cookie>
              <proxy:cookie>LtpaToken2</proxy:cookie>
          </proxy:cookies>
      </proxy:policy>
      

    Depending on your configuration, the <proxy:policy> section might require more or less detail. The following table lists some common cookies and headers that might be required under different configurations.


    Common cookies or headers

    Cookie/Header      Description
    SMSESSION          SiteMinder session cookie that passes SiteMinder credentials to Lotus Quickr™.
    PD-H-SESSION-ID    Non-secure Tivoli Access Manager session cookie that passes Tivoli Access Manager credentials to Lotus Quickr.
    PD-S-SESSION-ID    Secure Tivoli Access Manager session cookie that passes the secure version of the Tivoli Access Manager cookie to Lotus Quickr.
    WWW-AUTHENTICATE   SSL header that passes SSL authentication when connecting to a secure Lotus Quickr deployment.

  9. Save and close the proxy-homepage-config.tpl file.

  10. To check in the proxy-homepage-config.tpl file...

    HomepageCellConfig.checkInProxyConfig("<working-directory>", "<cell-name>")

  11. To exit wsadmin, type

    exit

    at the prompt.

  12. Stop and restart the Home page server.
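
Added example (not part of the IBM documentation): a Python check to run over the edited proxy-homepage-config.tpl before check-in. It flags a policy placed after a broader one, and any policy that forwards the session cookies or Authorization headers named on this page to a target that is not https://. Assumptions: the first matching policy wins (which the ordering instruction in step 6 implies), url patterns are `*` globs, and the namespace URI, root element name and catch-all policy in the sample are constructed placeholders.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample; the namespace URI and root element name are placeholders.
SAMPLE_TPL = """<proxy:rules xmlns:proxy="urn:example:placeholder">
  <proxy:policy url="http://my.network.com/service/*" acf="none">
    <proxy:actions><proxy:method>GET</proxy:method></proxy:actions>
    <proxy:headers><proxy:header>Authorization*</proxy:header></proxy:headers>
    <proxy:cookies><proxy:cookie>LtpaToken2</proxy:cookie></proxy:cookies>
  </proxy:policy>
  <proxy:policy url="*" acf="none">
    <proxy:actions><proxy:method>GET</proxy:method></proxy:actions>
  </proxy:policy>
  <proxy:policy url="malicious.site.com" acf="none"><proxy:actions/></proxy:policy>
</proxy:rules>"""

# Credential-bearing names taken from the cookies and headers named on this page.
CREDENTIALS = {"jsessionid", "ltpatoken", "ltpatoken2", "smsession",
               "pd-h-session-id", "pd-s-session-id", "authorization*"}

def local(tag):  # strip the '{namespace}' prefix ElementTree adds to tag names
    return tag.rsplit("}", 1)[-1]

def load_policies(xml_text):
    """Return the policies in document order with their allowed items."""
    policies = []
    for el in (e for e in ET.fromstring(xml_text).iter() if local(e.tag) == "policy"):
        items = {"method": [], "header": [], "cookie": []}
        for child in el.iter():
            if local(child.tag) in items and child.text:
                items[local(child.tag)].append(child.text.strip())
        policies.append({"url": el.get("url", ""), **items})
    return policies

def audit(policies):
    """Flag shadowed policies and credentials forwarded to non-HTTPS targets."""
    findings = []
    for i, p in enumerate(policies):
        cover = next((e["url"] for e in policies[:i]
                      if fnmatch.fnmatchcase(p["url"], e["url"])), None)
        if cover:  # assumes the first matching policy wins
            findings.append(("shadowed", p["url"], cover))
        secrets = sorted(n for n in p["cookie"] + p["header"] if n.lower() in CREDENTIALS)
        if secrets and not p["url"].lower().startswith("https://"):
            findings.append(("credentials-not-https", p["url"], ",".join(secrets)))
    return findings

if __name__ == "__main__":
    print(*audit(load_policies(SAMPLE_TPL)), sep="\n")
```

On the constructed sample this reports the LTPA cookie and Authorization header going to an http:// target, and the deny policy for malicious.site.com sitting after the catch-all, where it would never be reached.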


Administer the Home page using wsadmin

 

Related tasks

Configure the AJAX proxy

