Enabling secure, remote access to IBM Lotus iNotes using IBM Lotus Mobile Connect
Editor's note: Know a lot about this topic? Want to share your expertise? Participate in the IBM Lotus software wiki program today.
This article is intended for IBM Lotus iNotes customers who want secure, remote access to enterprise Lotus iNotes servers from devices such as personal digital assistants (PDAs), laptops, or workstations that require access outside the bounds of their corporate intranet. You can accomplish this in two ways with Lotus Mobile Connect.
Lotus Mobile Connect provides a full client/server-based virtual private network (VPN) solution, for which the Lotus Mobile Connect client is installed on various supported user platforms. For HTTP-based applications (for example, Lotus iNotes), Lotus Mobile Connect also provides a clientless option that does not require that any additional software is installed on the user's device; instead, it provides secure authentication through a browser-based logon (see figure 1).
This article explains how the Lotus Mobile Connect clientless option is used in conjunction with Lotus iNotes.
Figure 1. Lotus Mobile Connect clientless option with Lotus iNotes
Why Lotus Mobile Connect?
Lotus Mobile Connect provides a Federal Information Processing Standards (FIPS) 140-2 certified platform containing the latest secure sockets layer (SSL) / transport-level security (TLS) ciphers and industry-standard authentication mechanisms. The Lotus Mobile Connect clientless option, that is, Lotus Mobile Connect HTTP access services, uses the same strong authentication and encryption algorithms as the full VPN client. HTTP access services can be configured to run simultaneously with full VPN sessions, providing a multifunction remote-access solution with a small footprint, allowing IT administrators to control the breadth of access per user.
The Lotus Mobile Connect management console, Gatekeeper, provides access to all configuration options and full control over ciphers, authentication methods, security restrictions, and enterprise destinations.
How does it work?
Lotus Mobile Connect HTTP access services secure communications by forcing remote HTTP-based applications to connect using industry-standard SSL/TLS technology. SSL/TLS ciphers are configurable and can be restricted to FIPS 140-2 certified algorithms. Two-way certificate validation is also available, to add an additional layer of trust to the session.
After secure communications have been established, the Connection Manager sends a form-based challenge to the remote application prompting for user credentials. Credential information is x-www-url-encoded and sent over the secure connection using an HTTP POST operation. The HTTP access services decode the information and validate it using a configurable authentication method.
Upon successful validation, the HTTP access service builds a token and sends it to the remote application using the HTTP Set-Cookie operational model. The cookie contains a Lotus Mobile Connect-specific encrypted token and has the secure and session bits turned on. The remote client is then expected to include the cookie containing the token in all future connect requests.
Now that the token is present in the HTTP flows, the HTTP access service opens a connection to an enterprise host and relays traffic back and forth, similar to an SSL/TLS gateway.
What it's not
Lotus Mobile Connect Connection Manager's clientless support is not an HTTP proxy. It does not cache any content nor store any other information contained in the body of the HTTP data flow. It is not an optimizer, compressor, or token reducer, and it is not able to flush a browser's cache. Because a secure session cookie is used, users must be sure to exit the browser session when they are finished with an application session.
Why Lotus iNotes?
Lotus iNotes is a Web-based application that provides access to Lotus Notes mail and personal information management (PIM) information from a standard Web browser. Because browsers use HTTP as the primary transport, this application can leverage Lotus Mobile Connect's clientless option to gain access to the mail databases located within the corporate intranet from a supported browser with Internet access.
Lotus iNotes, previously known as IBM Lotus Domino® Web Access, supports three different usage modes. Full mode offers the richest feature set and is intended to be used when bandwidth is not a concern. It is the preferred mode to use from dedicated workstations with a high-speed network connection to the mail server. In Lotus Domino releases earlier than version 8.0.1, full mode was the only mode. It includes the following major functional areas:
- Welcome page (a customizable home page)
Lotus iNotes also supports both Lotus Notes-style and S/MIME encryption and a cache-scrubbing capability for certain browsers. In conjunction with a Lotus Sametime® server, it offers integrated instant messaging and presence awareness. Lotus iNotes also offers a near-full-featured offline capability and local archiving using Domino Off-Line Services (DOLS). When deployed with the Lotus Domino Unified Communications offering, it also provides various unified communications features.
Ultralite mode was introduced in Lotus Domino 8.0.2 and is designed for browsers on the latest narrow-width mobile devices. The initial release supports the Apple iPhone and iPod Touch devices. The UI fully abides by Apple's recommended guidelines for iPhone applications. Ultralite mode leverages the least amount of script and is designed to function from script-disabled browsers.
Let's examine the architecture of the two product components involved here, Lotus Mobile Connect and Lotus iNotes.
Lotus Mobile Connect HTTP access services
The Connection Manager HTTP access services provide an SSL/TLS gateway function for HTTP communications from any HTTP version 1.1 client data stream, such as a Web browser. The connection provides access to Web-based services and content in the enterprise without requiring the presence of a VPN client. The session is secured by use of SSL/TLS and can be restricted to permit connections only from specified hosts or address ranges.
The HTTP access services is a subsystem within Lotus Mobile Connect that is responsible for applying set configuration options to all connection requests and data traffic. This subsystem is responsible for enforcing security, validating access, generating audit information, and relaying traffic to the intended enterprise-located servers.
Connection Manager's HTTP access services use SSL or TLS when communicating with the browser or client application. Both version 2 and version 3 of the SSL protocol are supported, and the following algorithms are supported:
- Public key algorithms
- RSA (1024-, 768-, or 512-bit keys)
- Symmetric key algorithms
- DES (56-bit key)
- Triple DES (168-bit key)
- RC4 (40-, 56-, or 128-bit keys)
- Message authentication codes
X.509 certificates can provide authentication for the SSL/TLS communications. These certificates, along with root certificates to validate the other party's certificate, are stored in a key database that is installed with Connection Manager. The Connection Manager administrator can configure the source of this database, using the Gatekeeper administration console. The administrator can also configure the desired root certificates and client-side certificates, using the administration interface of the SSL toolkit, IBM Key Management.
Lotus Mobile Connect supports restricting the SSL/TLS ciphers to those that are FIPS 140-2 approved and supports denying connection requests that support only SSL/TLS version 2 ciphers.
The HTTP access services authenticate each secure HTTP connection, checking the data stream for valid user credentials. If none exists, a configurable form-based challenge is issued to prompt for a valid user ID and password. This function uses authentication methods and algorithms available to all components of Lotus Mobile Connect.
Authentication methods are resource containers defining how Lotus Mobile Connect challenges for and validates remote user credentials. Lotus Mobile Connect supports methods for validating credentials with the following:
- LDAP V3-compliant directory servers
- RADIUS protocol servers
- RSA Secure ID including next-token support
- X.509 certificate exchange
- Lotus Mobile Connect system user accounts
For more information on authentication methods, refer to the Administrator's guide in the Lotus Mobile Connect Information Center.
Single Sign-On (SSO)
HTTP access services can enable SSO through Lightweight Third Party Authentication (LTPA). LTPA provides a mechanism for storing user authentication information in a token that is generated when users are successfully authenticated with Connection Manager. The token is encrypted and signed by use of a password and a public/private key pair, stored in an HTTP cookie, and included in all requests for the configured SSO domain.
The LTPA keys are shared with other LTPA-enabled servers within the same domain, so the servers can validate the token and authenticate user requests instead of challenging the user. LTPA tokens include a configurable expiration timestamp; after the token expires, a new authentication challenge is issued.
The LTPA token is used in place of the Lotus Mobile Connect-specific token and is sent to the HTTP client application in the form of an HTTP cookie, using the Set-Cookie directive. HTTP clients include this token in all future HTTP requests.
HTTP access services resource
The HTTP access services resource contains information telling Lotus Mobile Connect how to authenticate users and where to relay traffic to the back-end server. Each HTTP access services resource can send traffic to a single application server or proxy. There are three options for configuring access to multiple backend application servers:
- Lotus iNotes Redirector. Lotus Mobile Connect is tightly integrated with Lotus iNotes Redirector, allowing a single HTTP access services definition to function with multiple back-end Lotus iNotes mail servers.
- Use a transcoding reverse proxy. This option allows a reverse proxy to route traffic to the appropriate destination, based on information contained in the target URL.
- Assign different listen ports to each HTTP access services resource definition. Since each HTTP access services resource can be configured to send traffic to a different back-end server or proxy, configure each service to listen on a different port. Users need to know this port and to add it to the URL request, for example, https://inotes.xyz.com:12345.
- Use multiple Internet protocol addresses. The HTTP access services configuration includes the ability to bind the service to a specific IP address. This way, there can be multiple HTTP access services resources listening on the same set of ports. This option is necessary for applications that expect to use standard HTTP ports 80 and 443. The URL to the user simply looks like different host names, for example, https://inotes1.example.com, https://inotes2.example.com.
Configurable form-based challenge
Lotus Mobile Connect generates the challenge form after analyzing tokens in the HTTP header, to determine browser type and preferred locale (see figure 2). The template files used for this form are installed with the product in locale-specific subdirectories. These templates are designed to be customizable, provided that the basic attribute structure and function are not altered.
Figure 2. Form-based challenge screen
Administrators are free to change backgrounds, images, text, and more The resource files are located off the installation path in locale-specific subdirectories, as follows:
- AIX: /opt/IBM/ConnectionManager/http/msg/<locale>/
- Linux / Solaris: /opt/ibm/ConnectionManager/http/msg/<locale>/
- Windows Server: C:\Program Files\IBM\Connection Manager\http\msg\<locale>Resource files delivered to browsers have a standard_ prefix, while resource file intended for mobile devices have a mobile_ prefix. These files are loaded on demand, and any changes display upon next access without the need to restart the server. The mobile version of the challenge form is designed for iPhone/iPod displays (see figure 3).
Figure 3. Mobile version of challenge screen
When you enter a user ID and password and click the Login button, the browser generates a URL-encoded POST operation containing the entered fields along with hidden fields containing information about the session.
It's possible for HTTP-based applications to answer the challenge without the need to display the page to the user. You can uniquely identify the Lotus Mobile Connect challenge by querying the Server token in the HTTP header.
Lotus iNotes is installed as part of a Lotus Domino server installation, as long as the option Lotus iNotes is not deselected when you do a custom installation. For more details about installing and configuring Lotus iNotes, consult the Lotus Domino Administrator Help.
Enabling access to Lotus iNotes using HTTP access services requires architecture decisions and configuration steps for both components. This section describes options and requirements for each of the components.
For each of the Lotus iNotes servers accessed by Lotus Mobile Connect, the internal network address or host name and TCP port are required to properly configure the Lotus Mobile Connect HTTP access service. If you want an encrypted pipe between the Lotus iNotes and Lotus Mobile Connect servers, you need to import a certificate in PKCS12 format for each of the Lotus iNotes servers into the key database for Lotus Mobile Connect.
Lotus Mobile Connect
Configuring Lotus Mobile Connect involves setting up authentication methods and defining one or more instances of the HTTP access service resource. This section includes screen captures taken from the Lotus Mobile Connect management console Gatekeeper.
Let’s consider a sample architecture that includes a single HTTP access service configured to authenticate users against a Lotus Domino LDAP directory server and then relay authenticated traffic to a Lotus iNotes Redirector node.
The steps assume that the Lotus Mobile Connect Gatekeeper management interface is being used.
Directory server resource
First, we create a Directory server resource, using these steps:
- Right-click a top-level folder, or create a new folder to contain configuration information, and select Add resource - Directory server.
- In the Add a Directory Server window (see figure 4), enter a Common name (free-form text describing the resource).
- Enter the Hostname or IP address of the directory server.
- Enter the Base distinguished name, the most specific suffix common to all users. This is the starting point in the directory tree for resolving user accounts. Click Next.
Figure 4. Add a Directory Server window
- On the next screen (see figure 5) enter the Port number of service.
- If anonymous searches are not allowed, enter an Administrator's distinguished name and password.
- If the directory server requires a secure connection, enable the Use secure connection option and enter a Key database and stash file. If the directory server is using a self-signed certificate, you need to import that certificate to the key database.
- Click Next. select a Primary OU, and click Finish.
Figure 5. Second Add a Directory Server window
Authentication profile resource
The next step is to define an authentication profile that uses the directory server resource from the previous step. An authentication profile is a container defining how the HTTP access service challenges for and validates user credentials.
Lotus Mobile Connect supports LDAP, RADIUS/RSA Secure ID, two-way certificate validation, and system-specific authentication methods. This example uses LDAP authentication against the Lotus Domino directory server:
- Right-click the System container again, this time selecting Add Resource - Authentication Profile - LDAP-bind Authentication.
- In the Add a New Authentication Profile window (see figure 6), enter a Common name and optional Description (free-form text describing the profile).
- Select a Password policy. The policy is used to determine the number of failed log-in attempts before the account is locked. To View/Edit a password policy, see the Default Resources - Wireless Password Policy container.
- Optionally, select a Backup authentication profile to be used if this profile fails to connect to external servers. Click Next.
Figure 6. Add a New Authentication Profile window
- In In the next window (see figure 7) that displays, select the Directory Server defined earlier.
- The User key field is the attribute that Lotus Mobile Connect uses to search the directory server for the userid provided by the credential challenge. It defaults to mail and can be set to any attribute that is part of the user record in LDAP.
Figure 7. Second Add a New Authentication Profile window
- Optionally enter Additional search criteria, such as group information or employee type, if you want to restrict access to certain groups or types of employees. This field requires X.500 notation, for example, (&(employeeType=active)(group=remoteAccess)).
- Set the Maximum number of processing threads. Each active session is assigned to a thread for processing. The thread is responsible for all data exchange between client browser and back-end application server. It takes a bit of trial and error to get the optimal number of threads, but a good rule of thumb is 1 thread for every 100 concurrent sessions. Click Next.
- In the next window (see figure 8), if single sign-on (SSO) is desired, select the Enable LTPA option. The steps necessary to complete the configuration for SSO are detailed later in this article. This setting can be left unchecked for now. Click Next.
Figure 8. Third Add a New Authentication Profile window
- In the next window, select the Primary OU and click Finish.
Additional configuration options can be found on the Properties panel after the resource is created. More information on these options can be found in the System's administrator guide and by viewing the properties panel and selecting "Tip on a specific option."
HTTP access service resources
Now we must create an HTTP access service resource. HTTP access services are designed to relay authenticated traffic to a single backend application server or proxy. Multiple backend application servers require multiple HTTP access service definitions.
In the case of Lotus iNotes, Lotus Mobile Connect contains integration code to work with the iNotes Redirector function, allowing a single HTTP access service to relay traffic to multiple Lotus iNotes mail servers.
HTTP access services require public certificates to secure communications. Lotus Mobile Connect provides a utility for working with a key database, generating a Certificate Request Message (CRM) that is used in requesting a certificate for a given machine name, and generating self-signed certificates. This utility, wg_keyman, is located in the bin sub-directory under the install directory.
Follow these steps to add an HTTP access service request:
- To add an HTTP access service resource, right-click the Connection Manager resource, and select Add - HTTP Access Service. The window shown in figure 9 displays.
Figure 9. Adding an HTTP access service
- In the Service URL field, enter the text string matching the URL contained in the certificate used to secure connections.
- In the TCP Port to listen on field, enter the TCP port that the service is listening on for access requests. The default is the SSL default of 443.
- In the Description field, enter the free-form text description of the service.
- In the Current state field, select the state of the service. Active state means the Connection Manager activates the service; defined is equivalent to down, in which case the Connection Manager does not start the service, making it unreachable.
- Click Next; the window shown in figure 10 displays.
Figure 10. Specifying operational mode of the HTTP access service
- In the HTTP Proxy address field, enter the host name or IP address of a reverse proxy or application server to forward authenticated traffic.
- In the HTTP Proxy port field, enter the TCP port proxy or application server to forward authenticated traffic.
- Select the Require SSL to proxy option to require SSL/TLS between the Lotus Mobile Connect server and proxy or application server.
- In the Authentication Profile field, enter the authentication method to use to validate remote user credentials.
- If the SSO Domain option is set, this value overrides what is set in the authentication method. If it is not set, the authentication method properties are used.
- Click Next; the window shown in figure 11 displays.
Figure 11. Specifying the maximum number of threads and idle time
- In the Maximum number of processing threads field, enter the number of simultaneous processing threads. The number of simultaneous sessions and number of processors are considerations for setting this value. The recommended value for a two-processor system with 1000 simultaneous sessions is 5.
- In the Maximum idle time field, enter the maximum time that a session can be idle before the Connection Manager clears the session's authentication token, forcing the client to re-authorize.
- Select the Bind port to a specific address option to configure the service to be bound to a specific Internet address. By doing this binding, multiple HTTP access services resources can be configured to listen on the same ports, thus allowing for different back-end servers to be used based on the Internet address of the initial request. Multiple addresses can be assigned to a single network interface using IP aliasing.
- In the Address to bind to field, enter the Internet address or host name to bind the service to.
Secure the HTTP access service with a certificate
Secure Sockets Layer (SSL) / Transport Layer Security (TLS) is used to secure communications over HTTP access services. This requires that a certificate for the externally visible hostname be stored in a Cryptographic Message Syntax (CMS) key database file.
Lotus Mobile Connect ships with a utility, wg_ikeyman, for managing key database files. The utility generates self-signed certificates and CRMs to obtain a public certificate from a certificate authority.
Self-signed certificates can work but require the user to accept and import the certificate when first connecting to the HTTP access service. For this reason, valid public certificates are recommended. To generate and use a self-signed certificate, follow these steps:
- From the command line, enter wg_ikeyman.
- Either work with a new key database file or use one of the key database files installed by Lotus Mobile Connect:
- To use an existing file, select Key Database File > Open. Set the Key database type to CMS, use the Browse button to browse to the Lotus Mobile Connect install directory, and then select the http.trusted.kdb file.
- If creating a new key database file, be sure to select the "Stash the password to a file" option.
- Enter the password; the default is "trusted."
- To create a self-signed certificate, select Create - New Self-Signed Certificate. At a minimum, enter a key label and a common name. The common name should match the fully qualified external hostname of the Lotus Mobile Connect server.
- Click OK, and exit the IBM Key Management application.
- Using Gatekeeper, bring up the HTTP access service properties panel, select the SSL tab, and verify that the File name of key database and File name of stash password fields are set correctly. Use the full path if possible.
- Optionally, select the SSL Ciphers tab and select the appropriate ciphers. The default settings are to allow all V2 and V3 ciphers. Click OK.
Single Sign-On (SSO)
Enabling SSO for Lotus Mobile Connect and Lotus iNotes requires that a common key file be generated by Lotus Mobile Connect and imported by the Lotus iNotes redirector and mail server nodes.
Configure/Enable SSO on Lotus Mobile Connect
You can enable SSO for Lotus Mobile Connect by using the Gatekeeper, navigating to the authentication method used by the HTTP access service and modifying the LTPA/SSO tab on the Properties panel (see figure 12), as follows:
- Select the Enable LTPA check box.
- Enter the LTPA token realm/domain. This value is typically set to the fully qualified hostname of the LDAP or RADIUS server used for authentication.
- Select the LTPA token user identification field. Use the distinguished name if authenticating against LDAP, and the uid for RADIUS or Secure ID.
- Select the Enable SSO checkbox and set an SSO Domain. The SSO domain is used to inform browsers when to include the LTPA token as a cookie in the HTTP header flows.
For HTTP access services, this value should be set to the fully qualified external hostname used to access the HTTP access service from a browser. If more than one hostname is used, it can be set to the external domain. This value can also be set in the HTTP access service definition, in which case it will override the setting in the authentication profile.
- Select Enable SSO over SSL connections only. The LTPA token is sensitive information and should be included by the browser only when communicating with Lotus Mobile Connect over a secure connection.
Figure 12. LTPA/SSO tab
- In the LTPA key action section, select the Generate new keys radio button and enter a 6-32 character password. Remember this password; it is required to import the key file on the iNotes servers.
- Click the Apply button to generate cryptographic keys that are used to generate LTPA tokens. These keys are stored internally by Lotus Mobile Connect and must now be exported.
Export LTPA keys to a file
The previous step generates cryptographic keys and a password used in LTPA token generation. For SSO to work properly, this data must be exported in a format acceptable to other application servers that grant access based on this token. To have Lotus Mobile Connect export the keys and configuration data, follow these steps:
- In the LTPA key action section of LTPA/SSO tab (see figure 12), select the Export to keyfile radio button and enter a file name. Include the full path to the file.
- Click Apply, to export the file. The key file is a user-readable ASCII file that can be transferred to the iNotes application servers.
Import LTPA key file on Lotus iNotes servers
For SSO to function properly, all servers must agree on cryptographic keys, user information, and miscellaneous other configuration data. Lotus Mobile Connect has generated the key file; now it must be imported by all participating iNotes servers. Follow these steps:
- Start the Lotus Domino Administration client and select File - Open Server.
- Enter the name of the server on which to work, and on the Configuration tab, expand Server and select All Server Documents from the left navigation pane.
- In the Server document, select Create - Web SSO Configuration from the menu.
- In the Web SSO Configuration window (see figure 13), enter a unique Configuration Name, for example, LtpaTokenLOTUSMOBILECONNECT, and enter the DNS Domain that houses the application servers, for example, .xyz.com. Then in the Participating Servers section, add the names of the Lotus Domino servers participating in the SSO configuration.
Figure 13. Web SSO Configuration window
- Click Keys (on the top menu bar of the Web SSS Configuration window) and select Import WebSphere LTPA Keys.
- In the Enter Import File Name prompt (see figure 14), enter the location of the key file obtained from the Lotus Mobile Connect Export Key file step and click OK.
Figure 14. Enter Import File Name prompt
- Enter the key file password, and click OK.
- A window showing the LTPA token configuration information displays. Click Save & Close.
- Return to the Configuration tab in the Server document, select All Server Documents, and select the server into which you want to import the key file again.
- In the Server document, select the Internet Protocols tab, and then select the Domino Web Engine tab (see figure 15).
- Set the Session authentication field to Multiple Servers (SSO), and set the Web SSO Configuration field to the Configuration Name set in step 4 above.
- Save and close the document, and restart the servers.
Figure 15. Domino Server document
Today's work force is becoming increasingly mobile. Enterprises need to extend the reach of email and PIM applications to users with browser access through both enterprise-provided and publically available mobile devices, laptops, and workstations. The combination of Lotus iNotes as a Web-based application and Lotus Mobile Connect for secure remote access provides Lotus Notes customers with a feature- and security-rich solution for meeting this critical business need.
- Refer to the Lotus Domino eMail on your Apple iPhone Web page.
- Refer to the IBM Lotus Mobile Connect Web page.
- Refer to the IBM Lotus Mobile Connect documentation.
- Read the developerWorks® WebSphere article, "Securing wireless communications with the WebSphere Everyplace Connection Manager."
- Refer to the IBM Lotus Domino and IBM Lotus Domino Administrator Help.
- Refer to the IBM Redbooks® publication, "iNotes Web Access: Deployment and Administration."
- Refer to the IBM Redbooks publication, "Domino Web Access 6.5 on Linux."
- Refer to the IBM Support Techdoc, "Key Content Resources for Lotus Mobile Connect."