Security and user authentication considerations

Correctly securing the collaborative servers involves two tasks: setting up SSL for the connections between the portal, Lotus Sametime, and Lotus Domino servers, and configuring single sign-on (SSO) so that users authenticate once.


About security through SSL and other features

Whether your site includes a single type of user directory, two types, or several, SSL is recommended, and you enable it in the same way regardless of the directory configuration.

If your site will use IBM Tivoli Access Manager or Computer Associates eTrust SiteMinder for additional security, set up that protection on the servers in the following order: WebSphere Portal first, then Lotus Sametime, and then the Lotus Domino servers. In addition, if you use eTrust SiteMinder, portlets such as Lotus Notes View are unable to take advantage of features that depend on DIIOP. For information on those features, see the Lotus Notes View topic.

If your site will use Tivoli Access Manager or another reverse proxy, or a load balancer, select the option "Allow HTTP Tunneling on a Lotus Sametime server with a single IP address" when you install Lotus Sametime. With this option selected, all Lotus Sametime client data except audio/video data is tunneled to the Lotus Sametime server over HTTP on port 80. You may also need to enable this option if Lotus Sametime clients must reach the server through a network that blocks TCP connections on ports 8081 and 1533.


About user authentication through Single Sign-On (SSO)

Single sign-on between the Lotus Domino environment and the portal environment allows users to log in to the portal once and then work in any of the collaborative portlets without authenticating a second time. Not every collaborative portlet requires single sign-on, but enabling it is strongly recommended because it improves the user experience. Lotus Notes View and iNotes do require single sign-on.

To support single sign-on, a Web SSO configuration document must exist for each Lotus Domino domain that includes Lotus Domino servers. The Web SSO configuration document is a domain-wide configuration document stored in the Lotus Domino Directory. This document, which you can replicate to all servers participating in the single sign-on domain, is encrypted for participating servers and administrators, and contains a shared secret key used by servers for authenticating user credentials.

In addition to creating the Web SSO configuration document for the Lotus Domino servers, create, save, and export an LTPA key from WebSphere Application Server (WAS), and then import that WebSphere LTPA key into each Lotus Domino domain. Every Lotus Domino domain that is set up for use with the portal must import the same WebSphere LTPA key; a token issued by one server can be verified by another only when both hold the same key. Verify that automatic LTPA key generation is disabled on each node of the single sign-on domain, because a regenerated key on one node silently breaks verification of tokens issued elsewhere.
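The following Python model is an added example, not IBM code and not part of the original page. It shows concretely why the same key must be imported everywhere and why automatic key regeneration must be disabled: a token minted with the portal's shared secret verifies only against that same secret, and verification also fails once the token expires or any field is altered. The field layout follows the commonly documented Domino LtpaToken version 1 format (4-byte version header, 8 hex characters of creation time, 8 hex characters of expiry time, the user name, and a 20-byte SHA-1 digest over those fields plus the shared secret, all base64-encoded); that layout, the key material, and the user names are assumptions made for illustration, so check the code against tokens from your own servers before relying on it.

```python
"""Model of the shared-secret check behind LTPA-based SSO.

Added example, not IBM code. Field layout follows the commonly documented
Domino LtpaToken version 1 format; it is an assumption for illustration.
Keys and user names below are constructed, not taken from any real system.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

VERSION = bytes.fromhex("00010203")  # LtpaToken v1 header (assumed layout)
DIGEST_LEN = 20                      # SHA-1 output length
HEADER_LEN = 4 + 8 + 8               # version + creation hex + expiry hex


def mint_token(user: str, secret: bytes, now: int, lifetime_s: int = 1800) -> str:
    """Issue a token for `user`, bound to `secret` and valid for `lifetime_s`."""
    created = f"{now:08x}".encode("ascii")
    expires = f"{now + lifetime_s:08x}".encode("ascii")
    body = VERSION + created + expires + user.encode("utf-8")
    digest = hashlib.sha1(body + secret).digest()
    return base64.b64encode(body + digest).decode("ascii")


def validate_token(token: str, secret: bytes, now: int) -> Optional[str]:
    """Return the user name if the token verifies under `secret` and is unexpired.

    Returns None for malformed, tampered, foreign-key, or expired tokens.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < HEADER_LEN + DIGEST_LEN + 1 or raw[:4] != VERSION:
        return None
    body, digest = raw[:-DIGEST_LEN], raw[-DIGEST_LEN:]
    expected = hashlib.sha1(body + secret).digest()
    # Constant-time comparison so a wrong digest leaks nothing via timing.
    if not hmac.compare_digest(digest, expected):
        return None
    expires = int(body[12:20].decode("ascii"), 16)
    if now >= expires:
        return None
    return body[HEADER_LEN:].decode("utf-8")


def tamper_user(token: str) -> str:
    """Flip one bit in the user-name field; the digest no longer matches."""
    raw = bytearray(base64.b64decode(token))
    raw[HEADER_LEN] ^= 0x01
    return base64.b64encode(bytes(raw)).decode("ascii")


def demo() -> Dict[str, Optional[str]]:
    """Mint one token with the portal key and check it in four situations."""
    portal_key = secrets.token_bytes(20)   # constructed: key exported from WAS
    rotated_key = secrets.token_bytes(20)  # constructed: a node that regenerated its key
    now = int(time.time())
    token = mint_token("CN=Jane Doe/O=Acme", portal_key, now)
    return {
        # Domino domain that imported the same WebSphere LTPA key: accepted.
        "same_key": validate_token(token, portal_key, now + 60),
        # Node where automatic key generation produced a different key: rejected.
        "other_key": validate_token(token, rotated_key, now + 60),
        # Same key, but checked after the token's lifetime: rejected.
        "expired": validate_token(token, portal_key, now + 3600),
        # Same key, user name modified in transit: digest mismatch, rejected.
        "tampered": validate_token(tamper_user(token), portal_key, now + 60),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} -> {result!r}")
```

The "other_key" case is exactly what happens when one node regenerates its LTPA key: the portal's tokens are still well formed, but that node can no longer verify them, and users are prompted to log in again on that server only.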

A best practice is to install and configure all servers prior to enabling single sign-on. For example, install and configure Lotus Sametime before you enable single sign-on.

Once the required single sign-on configuration between the Lotus Domino environment and the portal environment is complete, there is no way to exclude a specific user from automatic login. For example, when user A logs in to the portal, user A is always logged in to the Lotus Domino environment as well.

Plan how to manage single sign-on and awareness when there are multiple types of directories. If an LDAP directory server other than Lotus Domino is in place, for example Tivoli Directory Server, you can use several strategies to integrate it with a native Lotus Domino Directory and so achieve single sign-on and awareness across all the collaborative portlets your organization uses. Lotus Domino Directory Assistance can provide name mapping across LDAP directories. Even when your organization, as a matter of policy, manages directory changes primarily through an existing non-Domino LDAP directory, the schema of that directory can be customized to work in concert with Directory Assistance, which then handles the name mapping for the collaborative applications. For a number of multi-directory solutions, including information on supporting single sign-on for awareness through Lotus Sametime servers if your organization uses them, see the IBM developerWorks article Single Sign-on in a Multi-Directory World.

