Enable single sign-on for SiteMinder

 


Configure IBM Lotus Connections to use Computer Associates' SiteMinder to implement user authentication and single sign-on (SSO).


Before you can enable SSO, first install Lotus Connections features and ensure that you can access the installed features from a Web browser. You must also have completed the TAI/ASA installation and configuration instructions that are included with SiteMinder, including registering the TAI/ASA with WebSphere Application Server.

Notes

You need to create a new domain with realms, rules, and a policy that is related to IBM HTTP Server and WebSphere Application Server.

When a user logs in, the Web agent creates an SMSESSION cookie with the user's authentication details and sends it to the WebSphere Application Server agent. This agent then checks the login credentials in the cookie against the LDAP directory. The Lotus Connections features can share the authentication details and thus enable single sign-on: the user can browse all the features without needing to log in again.

This task describes a configuration that uses SiteMinder Policy Server 6.0 SP5, SiteMinder ASA 6.0 Agent for WebSphere Application Server (with CR0006 hotfix), and SiteMinder Web Agent v6qmr5-cr011.

To set up SSO using SiteMinder...

  1. Download and apply the Unrestricted JCE policy files:

    1. Go to the J2SE 5 SDK Security information Web page.

    2. Authenticate with your universal IBM user ID and password.

    3. Download the Unrestricted JCE Policy files for SDK for all newer versions package.

    4. Extract the files from the downloaded package.

    5. Back up your existing copies (if any) of the US_export_policy.jar and local_policy.jar files, located in the app_server_root/java/jre/lib/security directory.

    6. Copy the new jar files from the extracted package to the same directory, overwriting any existing files.

    7. Restart all Lotus Connections servers, node agents, and deployment managers.

  2. Configure SiteMinder to recognize only one Web address as the logout Web address. Add the following Agent Configuration Object parameters to the SiteMinder configuration and then uncomment one of them by removing the number sign (#) character:

    #LogOffUri="/activities/service/html/ibm_security_logout"

    #LogOffUri="/blogs/ibm_security_logout"

    #LogOffUri="/communities/communities/ibm_security_logout"

    #LogOffUri="/dogear/ibm_security_logout"

    #LogOffUri="/files/ibm_security_logout"

    #LogOffUri="/homepage/web/ibm_security_logout"

    #LogOffUri="/profiles/ibm_security_logout"

    #LogOffUri="/search/ibm_security_logout"

    #LogOffUri="/wikis/ibm_security_logout"

    Notes

    • When activated, the LogOffUri parameter clears the SMSESSION cookie and ensures that the user is logged out of all Lotus Connections browser sessions.

    • If you are using forms authentication, create an FCC file on the form authentication server.

    • To add parameters, edit the Agent Configuration Object on the SiteMinder Policy Server. Alternatively, you can edit the LocalConfig.conf file on the HTTP server if the web agent is configured to use it. You must surround the values of SiteMinder configuration parameters with quotation marks (") if you are editing the SiteMinder configuration file directly. For example:

      BadCSSChars="<,>"

      If you are changing these parameters from the SiteMinder Policy Server, do not use quotation marks.

  3. Enable Home page widgets by adding the following Agent Configuration Object parameter:

    CookieDomain=<your_domain>

    where <your_domain> is your Lotus Connections domain. If, for example, the URL is http://activities.example.com/activities, your host name is activities.example.com and your domain is example.com. In this example, you would set CookieDomain=.example.com. The leading period is required.

  4. To enable the Invite colleagues functionality in Profiles, modify the BadCSSChars parameter as follows:

    BadCSSChars=<,>

  5. To support preemptive basic authentication, add the following Agent Configuration Object parameter to the SiteMinder configuration:

    RequireCookies=NO
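The parameters in steps 2 to 5 are easy to get wrong in a hand-edited LocalConfig.conf: two LogOffUri lines left active, a CookieDomain without the leading period, or an unquoted value. The Python check below is an added example, not IBM's or CA's code: it parses a constructed conf fragment in the key="value" form shown in the notes above and reports those mistakes. The sample values and the function names are assumptions.

```python
import re

# Constructed LocalConfig.conf fragment (sample data, not from a real deployment).
# Exactly one LogOffUri is left uncommented, as step 2 requires.
SAMPLE_CONF = """\
# Lotus Connections logout address: leave exactly one LogOffUri active
#LogOffUri="/activities/service/html/ibm_security_logout"
#LogOffUri="/blogs/ibm_security_logout"
LogOffUri="/homepage/web/ibm_security_logout"
#LogOffUri="/profiles/ibm_security_logout"
CookieDomain=".example.com"
BadCSSChars="<,>"
RequireCookies="NO"
"""

# Same fragment with the mistakes the checker is meant to catch (constructed).
BROKEN_CONF = """\
LogOffUri="/blogs/ibm_security_logout"
LogOffUri="/homepage/web/ibm_security_logout"
CookieDomain=example.com
BadCSSChars="<,>"
RequireCookies="NO"
"""

# name=value, optionally commented out with a leading number sign
LINE_RE = re.compile(r'^\s*(#?)\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$')


def parse_agent_conf(text):
    """Return (active, name, raw_value) tuples; commented entries are kept with active=False."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            commented, name, raw = m.groups()
            entries.append((commented == "", name, raw))
    return entries


def check_agent_conf(text):
    """Return a list of findings; an empty list means the fragment passes every check."""
    findings = []
    active = {}
    for is_active, name, raw in parse_agent_conf(text):
        if not is_active:
            continue
        # Values edited directly in the conf file must be quoted (see the notes to step 2)
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = raw[1:-1]
        else:
            findings.append(f"{name}: value {raw!r} must be quoted in the conf file")
            value = raw
        active.setdefault(name, []).append(value)

    logoff = active.get("LogOffUri", [])
    if len(logoff) != 1:
        findings.append(f"LogOffUri: exactly one active entry expected, found {len(logoff)}")
    elif not logoff[0].endswith("/ibm_security_logout"):
        findings.append(f"LogOffUri: {logoff[0]!r} is not a Lotus Connections logout address")

    domain = active.get("CookieDomain", [])
    if not domain:
        findings.append("CookieDomain: missing; Home page widgets need it (step 3)")
    elif not domain[0].startswith("."):
        findings.append(f"CookieDomain: {domain[0]!r} must start with a period")

    if active.get("BadCSSChars", [None])[0] != "<,>":
        findings.append("BadCSSChars: must be <,> for Profiles Invite colleagues (step 4)")
    if active.get("RequireCookies", [""])[0].upper() != "NO":
        findings.append("RequireCookies: must be NO for preemptive basic authentication (step 5)")
    return findings


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("broken", BROKEN_CONF)):
        print(label, check_agent_conf(conf) or "OK")
```

The quoting check applies only to the file form; values entered through the Policy Server interface carry no quotation marks, so run the check against LocalConfig.conf, not against a dump of the Agent Configuration Object.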

  6. On the SiteMinder Policy Server, create a domain for the IBM HTTP Server Web agent.

  7. Create protected realms under the IBM HTTP Server Web agent domain:

    1. Create SiteMinder realms that are protected by forms authentication:


      Realms that require forms authentication

      Feature                  Protected URL resource
      ConnectionsDefaultRealm  /
      Activities               /activities/service/atom2/forms
                               /activities/service/getnonce/forms
      Blogs                    /blogs/api_form
                               /blogs/atom_form
                               /blogs/roller-ui/feed_form
                               /blogs/roller-ui/rendering/api_form
                               /blogs/roller-ui/rendering/feed_form
                               /blogs/services/atom_form
                               /blogs/roller-ui/BlogsWidgetEventHandler.do
      Communities              /communities/forum/service/atom/forms
                               /communities/service/atom/forms
      Dogear                   /dogear/api_fba
                               /dogear/atom_fba
      Home page                /homepage/atomfba/mysearch
      News                     /news/atomfba/stories/container
                               /news/atomfba/stories/saved
                               /news/atomfba/stories/top
                               /news/atomfba/service
      Profiles                 /profiles/atom/forms
                               /profiles/atom2/forms
      Search                   /search/atom/mysearch

    2. Create SiteMinder realms that are protected by basic authentication:


      Realms that require basic authentication

      Feature       Protected URL resource
      Activities    /activities/service/html/autocompleteactivityname
                    /activities/service/html/autocompleteentryname
                    /activities/service/html/autocompletemembers
                    /activities/service/atom
                    /activities/service/atom2
                    /activities/service/getnonce
      Blogs         /blogs/api
                    /blogs/atom
                    /blogs/services/atom
                    /blogs/roller-ui/blog
                    /blogs/roller-ui/feed
                    /blogs/roller-ui/rendering/api
                    /blogs/roller-ui/rendering/feed
                    /blogs/services/xmlrpc
      Communities   /communities/service/atom
                    /communities/service/json
                    /communities/forum/service/atom
      Dogear        /dogear/api
                    /dogear/atom
                    /dogear/json
                    /dogear/snippet
                    /dogear/count
                    /dogear/lisnippet
                    /dogear/tagsets
                    /dogear/tagslike
                    /dogear/people
                    /dogear/peoplelike
                    /dogear/tags
                    /dogear/xbel
      Files         /files/basic/api
      Home page     /homepage/atom/mysearch
      News          /news/atom/stories/container
                    /news/atom/stories/saved
                    /news/atom/stories/top
                    /news/atom/service
      Profiles      /profiles/atom
                    /profiles/atom2
                    /profiles/audio.do
                    /profiles/photo.do (if you are using the Lotus Connections plug-in for SharePoint, move this URL resource to the list of unprotected realms; see step 11)
                    /profiles/json
                    /profiles/vcard
      Wikis         /wikis/basic/api

  8. Create the following rules for each realm:


    Rules for the IBM HTTP Server realms

    GetPostPutDel rule
      Realm: CurrentRealm
      Resource: * (not /*)
      Action: Web Agent actions -> Get,Post,Put,Delete
      When this Rule fires: Allow Access
      Enable or Disable this Rule: Enabled

    OnAuthAccept rule
      Realm: CurrentRealm
      Resource: * (not /*)
      Action: Authentication events -> OnAuthAccept
      When this Rule fires: Allow Access
      Enable or Disable this Rule: Enabled

  9. Create a policy and add the new rules to the new policy.

  10. Specify realms that are not protected by SiteMinder.

    Configure notification templates and some Atom feeds as unprotected URLs. The Blogs footer page also needs to be unprotected because Blogs uses the Velocity template to extract footer pages.


    Realms that do not require authentication

    Feature       Unprotected URL resource
    Activities    /activities/email
                  /activities/images
                  /activities/serviceconfigs
    Blogs         /blogs/msg.jsp
                  /blogs/approvedmsg.jsp
                  /blogs/confirmflagged.jsp
                  /blogs/notify.jsp
                  /blogs/notifyedit.jsp
                  /blogs/notifyflagged.jsp
                  /blogs/notifyquarantined.jsp
                  /blogs/ownermsg.jsp
                  /blogs/nav/footer.html
                  /blogs/serviceconfigs
                  /blogs/roller-ui/images
    Communities   /communities/mail
                  /communities/images
                  /communities/serviceconfigs
    Dogear        /dogear/templates
                  /dogear/serviceconfigs
    Files         /files/basic/anonymous/atom
                  /files/form/anonymous/atom
    Home page     /homepage/search
                  /homepage/serviceconfigs
    News          /news/atom/stories/public
                  /news/serviceconfigs
    Profiles      /profiles/mail
                  /profiles/images
                  /profiles/serviceconfigs
    Search        /search/atom/search
    Wikis         /wikis/basic/anonymous/atom
                  /wikis/form/anonymous/atom
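Steps 7 and 10 together decide which authentication scheme each URL prefix receives, and several basic-authentication filters are prefixes of forms-authentication ones (for example /activities/service/atom2 and /activities/service/atom2/forms), so the outcome for a given request depends on realm precedence. The Python script below is an added example, not IBM's or CA's tooling: it loads a subset of the filters from the three tables, resolves a request path to its realm on the assumption that SiteMinder treats a realm's resource filter as a string prefix of the request URI and lets the most specific match win, and lists the filter pairs whose effect depends on that precedence. The request paths in the usage are constructed.

```python
# Resource filters taken from the realm tables above (a subset); "/" is
# ConnectionsDefaultRealm. The key is the authentication scheme the page assigns.
REALMS = {
    "forms": ["/", "/activities/service/atom2/forms", "/activities/service/getnonce/forms",
              "/profiles/atom/forms", "/profiles/atom2/forms", "/blogs/api_form"],
    "basic": ["/activities/service/atom2", "/activities/service/getnonce",
              "/profiles/atom", "/profiles/atom2", "/profiles/vcard", "/blogs/api"],
    "unprotected": ["/activities/email", "/profiles/mail", "/profiles/serviceconfigs",
                    "/blogs/nav/footer.html", "/news/atom/stories/public"],
}


def resolve_realm(path):
    """Return (scheme, filter) for the realm that governs `path`.
    Assumption: a realm's resource filter is matched as a string prefix of the request
    URI and the longest matching filter wins."""
    best_scheme, best_filter = None, ""
    for scheme, filters in REALMS.items():
        for f in filters:
            if path.startswith(f) and len(f) > len(best_filter):
                best_scheme, best_filter = scheme, f
    return best_scheme, best_filter


def audit(paths):
    """Map each request path to the scheme it would get; useful as a regression check
    after the realm lists are edited (for example when moving /profiles/photo.do in step 11)."""
    return {p: resolve_realm(p)[0] for p in paths}


def shadowed_filters():
    """List (shorter, longer) pairs of filters from different schemes where the longer one
    takes effect only because it is more specific; re-check these whenever a realm changes."""
    pairs = []
    for s1, fs1 in REALMS.items():
        for s2, fs2 in REALMS.items():
            if s1 == s2:
                continue
            for short in fs1:
                for long in fs2:
                    if short != "/" and long != short and long.startswith(short):
                        pairs.append((short, long))
    return sorted(pairs)


if __name__ == "__main__":
    # Constructed request paths: a forms feed, a basic feed, a mail template, a UI page.
    for path, scheme in audit(["/activities/service/atom2/forms/activities",
                               "/activities/service/atom2/activities",
                               "/profiles/mail/notify",
                               "/profiles/html/myProfile.do"]).items():
        print(f"{scheme:12s} {path}")
    for short, long in shadowed_filters():
        print(f"{long} is only reached because it is longer than {short}")
```

An unprotected resource that sits under a protected prefix (every /serviceconfigs entry, for instance) is safe only while its own, longer filter exists; deleting that realm silently puts the path back under the shorter protected one, which the audit makes visible.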

  11. If you are using the Lotus Connections plug-in for SharePoint, set the following unprotected URLs:


    Realms for the SharePoint plug-in

    Feature       Unprotected URL resource
    Profiles      /profiles/photo.do (remove this URL resource from the list of realms that require basic authentication)
                  /profiles/ibm_semantictagservlet/css/semantictagstyles.css
                  /profiles/nav/common/styles/base/standalonevcard.css
                  /profiles/resources/js-resources.js
                  /profiles/resources/js-attr-resources.js
                  /profiles/javascript/persontag.js
                  /profiles/javascript/persontagui.js
                  /profiles/ibm_semantictagservlet/rest/unsecure
                  /profiles/ibm_semantictagservlet/javascript/semantictagservice.js
                  /profiles/css/sametime/main.css
                  /profiles/nav/common/styles/images

  12. On the SiteMinder Policy Server, create a domain for the WebSphere Application Server agent.

  13. Add the following realm to the new WebSphere Application Server domain:


    SiteMinder realms for WebSphere Application Server

    Realm name          Protected resource
    SM TAI Validation   /siteminderassertion

  14. Set the timeout value of the session by clicking the Session tab on the SiteMinder Policy Server. The maximum timeout and the idle timeout must both be longer than the LTPA token timeout, which is defined in WebSphere Application Server and is set to 120 minutes by default.

  15. Create rewrite rules in the configuration file for the IBM HTTP Server to remap Atom API requests that are required by the Blogs portlets and by the Blogs feature of the Lotus Connections plug-in for Microsoft Office. Open the httpd.conf file which is stored in the ibm_http_server_root/conf directory, and then add the following rules to the file:

    RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
    RewriteRule ^/blogs/(.*)/api/(.*) /blogs/roller-ui/rendering/api/$1/api/$2 [R,L]
    RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
    RewriteRule ^/blogs/(.*)/feed/tags/atom(.*) /blogs/roller-ui/rendering/feed/$1/tags/atom/ [R,L]
    RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
    RewriteRule ^/blogs/(.*)/feed/entries/atom(.*) /blogs/roller-ui/rendering/feed/$1/entries/atom/ [R,L]
    RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
    RewriteRule ^/blogs/(.*)/feed/comments/atom(.*) /blogs/roller-ui/rendering/feed/$1/comments/atom/ [R,L]

    Each substitution path must be written without spaces; a rule such as RewriteRule ... /blogs/roller-ui/rendering/ feed/$1/... is parsed as a third argument and does not redirect correctly.

    Do not close the httpd.conf file until after the next step.

  16. Create rewrite rules that will redirect URLs when users log out of the product. Add the following rules to the httpd.conf file:

    RewriteEngine On
    RewriteCond %{REQUEST_URI} /(.*)/ibm_security_logout(.*)
    RewriteCond %{QUERY_STRING} !=logoutExitPage=<your_logout_url>
    RewriteRule /(.*)/ibm_security_logout(.*) <LogOffUri>?logoutExitPage=<your_logout_url> [noescape,L,R]

    where <LogOffUri> is the URL that you uncommented in step 2. The client's browser is sent to <your_logout_url> after logging out of Lotus Connections. This URL could be your corporate home page or the Lotus Connections login page.

    You must add these rules to both the HTTP and HTTPS entries.

    The following example illustrates a typical rewrite rule:

      RewriteEngine On
      RewriteCond %{REQUEST_URI} /(.*)/ibm_security_logout(.*)
      RewriteCond %{QUERY_STRING} !=logoutExitPage=http://w3.ibm.com
      RewriteRule /(.*)/ibm_security_logout(.*) /homepage/web/ibm_security_logout?logoutExitPage=http://w3.ibm.com [noescape,L,R]
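The two sets of rewrite rules in steps 15 and 16 each depend on a RewriteCond guard: without the %{REQUEST_URI} condition the Blogs redirect target would match ^/blogs/(.*)/api/(.*) again, and without the %{QUERY_STRING} condition the logout rule would redirect to the URL it has just produced. The Python script below is an added example, not IBM's configuration or Apache code: it emulates the four Blogs rules and the logout rule with Python regular expressions and replays a browser following the [R] redirects, so the guards can be checked before the rules go into httpd.conf. The LogOffUri and logout exit URL values are constructed stand-ins for the placeholders.

```python
import re

# Constructed values standing in for the placeholders in steps 15 and 16 (assumptions).
LOGOFF_URI = "/homepage/web/ibm_security_logout"   # the one LogOffUri left uncommented
LOGOUT_EXIT = "http://www.example.com"              # <your_logout_url>

# Step 15 rules: (RewriteRule pattern, substitution) with $1/$2 written as Python backreferences.
BLOGS_RULES = [
    (r"^/blogs/(.*)/api/(.*)",               r"/blogs/roller-ui/rendering/api/\1/api/\2"),
    (r"^/blogs/(.*)/feed/tags/atom(.*)",     r"/blogs/roller-ui/rendering/feed/\1/tags/atom/"),
    (r"^/blogs/(.*)/feed/entries/atom(.*)",  r"/blogs/roller-ui/rendering/feed/\1/entries/atom/"),
    (r"^/blogs/(.*)/feed/comments/atom(.*)", r"/blogs/roller-ui/rendering/feed/\1/comments/atom/"),
]


def rewrite_blogs(path):
    """Step 15. Every rule is guarded by
    RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
    so a request that already targets the rendering servlet is left alone."""
    if re.match(r"^/blogs/roller-ui/rendering/", path):
        return None
    for pattern, repl in BLOGS_RULES:
        m = re.match(pattern, path)
        if m:
            return m.expand(repl)   # [L]: the first matching rule wins
    return None


def rewrite_logout(path, query, guard=True):
    """Step 16. Redirect any /<feature>/ibm_security_logout to the single LogOffUri.
    The RewriteCond on %{QUERY_STRING} (`guard`) keeps the rule from firing on the URL
    it just produced; that condition is what prevents a redirect loop."""
    if not re.search(r"/(.*)/ibm_security_logout(.*)", path):
        return None
    if guard and query == f"logoutExitPage={LOGOUT_EXIT}":
        return None
    return f"{LOGOFF_URI}?logoutExitPage={LOGOUT_EXIT}"


def follow(path, query="", guard=True, max_hops=5):
    """Replay a browser following the [R] redirects; returns every URL visited.
    Raises RuntimeError if the rules never settle, which is the loop a missing guard causes."""
    hops = [path + (f"?{query}" if query else "")]
    for _ in range(max_hops):
        target = rewrite_blogs(path) or rewrite_logout(path, query, guard)
        if target is None:
            return hops
        hops.append(target)
        path, _, query = target.partition("?")
    raise RuntimeError("redirect loop: " + " -> ".join(hops))


if __name__ == "__main__":
    print(follow("/blogs/ibm_security_logout"))
    print(follow("/blogs/myblog/api/entries"))
    print(rewrite_blogs("/blogs/myblog/feed/entries/atom"))
```

Python's greedy (.*) behaves like PCRE's here, so the group captures match what Apache would produce; the emulation is only as good as the rules it encodes, so re-run it whenever the httpd.conf rules are edited.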
      

  17. Save and close the httpd.conf file.

  18. Update the Lotus Connections AJAX proxy configuration file:

    1. Open a command-line window to start wsadmin, and use the following commands to check out the proxy configuration file:

      execfile("connectionsConfig.py")

      LCConfigService.checkOutProxyConfig("<working_directory>", "cell_name")

      where <working_directory> is a temporary directory of your choice. Use forward slashes to separate directories in the file path, even if you are using the Microsoft Windows operating system. cell_name is the name of the cell where the Lotus Connections feature that uses the global proxy file is located. This argument is required even in stand-alone deployments and is case-sensitive, so type it with care.

    2. To support access to SiteMinder-protected URLs through the AJAX proxy, add the following declaration to the proxy configuration file after each occurrence of JSESSIONID:

      <proxy:cookies>

      <proxy:cookie>JSESSIONID</proxy:cookie>

      <proxy:cookie>SMSESSION</proxy:cookie>

      </proxy:cookies>

    3. Use the following commands to check in the proxy configuration file:

      LCConfigService.checkInProxyConfig("<working_directory>", "cell_name")
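Step 2 above is a find-and-edit task on an XML file, and the security-relevant detail is that SMSESSION should be forwarded only by the proxy policies that already forward JSESSIONID, that is, to the Lotus Connections features themselves, not to every host the AJAX proxy may reach. The Python script below is an added example, not IBM's tooling: it parses a constructed proxy configuration whose element names (proxy:proxy-rules, proxy:policy with a url attribute) and namespace URI are assumptions, adds SMSESSION once after each JSESSIONID cookie declaration, leaves the other policies untouched, and is idempotent so it can be re-run after a check-out.

```python
import xml.etree.ElementTree as ET

# Placeholder namespace URI: an assumption standing in for the real proxy-config namespace.
PROXY_NS = "urn:example:proxy-config-placeholder"
ET.register_namespace("proxy", PROXY_NS)
COOKIES = f"{{{PROXY_NS}}}cookies"
COOKIE = f"{{{PROXY_NS}}}cookie"
POLICY = f"{{{PROXY_NS}}}policy"

# Constructed sample: one policy still missing SMSESSION, one already done, one that
# forwards no session cookie at all (an external feed host) and must stay that way.
SAMPLE_PROXY_CONFIG = f"""<?xml version="1.0"?>
<proxy:proxy-rules xmlns:proxy="{PROXY_NS}">
  <proxy:policy url="http://activities.example.com/*">
    <proxy:cookies>
      <proxy:cookie>JSESSIONID</proxy:cookie>
    </proxy:cookies>
  </proxy:policy>
  <proxy:policy url="http://profiles.example.com/*">
    <proxy:cookies>
      <proxy:cookie>JSESSIONID</proxy:cookie>
      <proxy:cookie>SMSESSION</proxy:cookie>
    </proxy:cookies>
  </proxy:policy>
  <proxy:policy url="http://feeds.partner.example.org/*">
    <proxy:cookies/>
  </proxy:policy>
</proxy:proxy-rules>
"""


def add_sso_cookie(xml_text, sso_cookie="SMSESSION", anchor="JSESSIONID"):
    """Return (new_xml, count). Every <proxy:cookies> block that forwards `anchor` gets
    `sso_cookie` appended once; blocks without the anchor are left alone so the SiteMinder
    session cookie is never handed to a policy that did not forward the app session."""
    root = ET.fromstring(xml_text)
    added = 0
    for cookies in root.iter(COOKIES):
        names = [(c.text or "").strip() for c in cookies.findall(COOKIE)]
        if anchor in names and sso_cookie not in names:
            new = ET.SubElement(cookies, COOKIE)
            new.text = sso_cookie
            added += 1
    return ET.tostring(root, encoding="unicode"), added


def forwarded_cookies(xml_text):
    """Map each policy URL to the cookie names it forwards, for checking the result."""
    root = ET.fromstring(xml_text)
    return {p.get("url"): [(c.text or "").strip() for c in p.iter(COOKIE)]
            for p in root.iter(POLICY)}


if __name__ == "__main__":
    new_xml, added = add_sso_cookie(SAMPLE_PROXY_CONFIG)
    print(f"added SMSESSION to {added} policy block(s)")
    for url, names in forwarded_cookies(new_xml).items():
        print(f"{url}: {names}")
```

Write the returned text back to the checked-out file in <working_directory> before running checkInProxyConfig; on Python 3.9 or later, ET.indent(root) before serialising keeps the file readable for the next person who diffs it.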

  19. Add a SiteMinder authenticator property to the Lotus Connections configuration by editing the LotusConnections-config.xml file.

    1. Use the following command to check out the configuration file:

      • Stand-alone deployment:

        execfile("connectionsConfig.py")

        LCConfigService.checkOutConfig("<working_directory>","cell_name")

      • Network deployment:

        execfile("WAS_HOME/profiles/Dmgr01/config/bin_lc_admin/connectionsConfig.py")

        If you are prompted to specify which server to connect to, type 1.

        LCConfigService.checkOutConfig("<working_directory>","cell_name")

      where:

      • <working_directory> is the temporary working directory to which the configuration XML and XSD files are copied and are stored while you make changes to them. Use forward slashes to separate directories in the file path, even if you are using the Microsoft Windows operating system.

      • cell_name is the name of the WebSphere Application Server cell hosting the Lotus Connections feature. This argument is required even in stand-alone deployments and is case-sensitive. If you do not know the cell name, run one of the following commands to determine it:

      For example:

      LCConfigService.checkOutConfig("/temp","foo01Cell01")

      or

      LCConfigService.checkOutConfig("c:/temp","foo01Cell01")

    2. Update the custom authenticator values by running the following commands:

      1. Configure the custom authenticator to support server-to-server authentication for SiteMinder:

        LCConfigService.updateConfig("customAuthenticator.name", "SiteMinderAuthenticator")

      2. Set the value of the customAuthenticator.CookieTimeout parameter to be equal to or less than the maximum timeout and idle timeout values that you configured in a previous step. Specify the timeout value in minutes.

        LCConfigService.updateConfig("customAuthenticator.CookieTimeout","<timeout>")

        where <timeout> is a value in minutes that is less than or equal to the SiteMinder timeout values.

    3. If you are using the Profiles database as the user directory, complete the steps in the Enabling Lotus Connections service extensions topic.

    4. Check the LotusConnections-config.xml file back in by running the following command:

      LCConfigService.checkInConfig()

  20. Optional: (Only required if you have installed the Communities or Profiles feature.) Configure the Lotus Connections service extensions to point to your webserver. You must have enabled the SiteMinder Web agent on the webserver. Open the configuration file that is appropriate to your deployment and run the command to change the webserver, using the following example as a guide:

    <sloc:serviceReference
        communities_directory_service_extension_auth="DSX-Admin"
        communities_directory_service_extension_auth_alias="connectionsAdmin"
        communities_directory_service_extension_enabled="true"
        communities_directory_service_extension_href="http://<your-webserver>/communities/dsx/"
        profiles_directory_service_extension_auth="DSX-Admin"
        profiles_directory_service_extension_auth_alias="connectionsAdmin"
        profiles_directory_service_extension_enabled="true"
        profiles_directory_service_extension_href="http://<your-webserver>/profiles/dsx/"
        serviceName="directory"/>

    For more information about editing configuration settings, see the Enabling Lotus Connections service extensions topic.


Advise your users to close all browser windows when they log out of Activities. This precaution avoids potential security problems that could arise because the SiteMinder session cookie in a browser window might still be updating while a user is logging out from a different browser window.

