Integrating Netegrity SiteMinder 5.5 with IBM Sametime 6.5x

This article explains how you can integrate Netegrity SiteMinder with IBM Lotus Sametime to implement a single sign-on (SSO) environment.


Martin McDonnell, Technical Specialist, IBM

Martin McDonnell is a Technical Specialist in the LET Common Services Team in IBM and is the primary contact within the team for Netegrity SiteMinder. He is responsible for providing Netegrity SiteMinder integration solutions to world-wide Test, Development, and Support teams within IBM.



02 August 2005

Customers are increasingly demanding that IBM software be configurable to work seamlessly with other third-party software in their existing IT and security infrastructures. One such piece of third-party software that customers often deploy is Netegrity SiteMinder. SiteMinder is a security software solution that securely manages identities across an organization, controlling access to enterprise information assets. SiteMinder provides single sign-on (SSO) functionality across single and multiple domains, simplifying the use of applications across various Web and application servers and across multiple operating systems. It also provides policy-based centralized control of user authentication and access management. (For more on using SiteMinder with IBM/Lotus products, see the developerWorks: Lotus article, "Netegrity SiteMinder authentication with Domino Document Manager 7.")

This article outlines one way to successfully integrate a Sametime 6.5x server with SiteMinder 5.5, using a basic authentication scheme configured on the SiteMinder Policy Server, to provide SSO to the components of the Sametime server. Bear in mind that there are other ways to successfully integrate SiteMinder with Sametime. In this article, however, we deal with only one such configuration. Our configuration information is based on successful integration configurations that we have set up both internally within IBM and externally at customer sites. We assume that you have a working knowledge of Domino, Sametime and LDAP configuration and administration.

If you are interested in IBM security management solutions, similar to Netegrity SiteMinder, check out the developerWorks Tivoli Security Products page.

The integration process

In this article, we focus on the following integration scenario: how to integrate SiteMinder with a Sametime 6.5x server that has been configured to use its native Domino Directory. The following steps outline one way to successfully configure Netegrity SiteMinder with Sametime given this scenario.

LDAP account configuration

Netegrity SiteMinder authenticates only against LDAP accounts (not Domino Directory accounts). For the configuration outlined in this article, you will need a field on each LDAP user account that will access your Sametime/SiteMinder configuration, and you add the Notes distinguished name of the corresponding Domino user to that field.

For example, let's say that you have the following five LDAP accounts that will be used in this configuration. On the Domino server, you must have five equivalent Domino accounts. For the configuration discussed in this article to work, you will need to add an extra value to each of these LDAP accounts that will hold the Notes distinguished name of the corresponding Person document in the Domino Directory. In the following five examples, a field called notesdn has been added to each LDAP account to hold this value:

| uid | givenName | sn | cn | userPassword | notesdn |
|---|---|---|---|---|---|
| s65xadmin | ST65x | Administrator | Administrator, ST65x | <must be set the same as the Domino account password/Internet password> | CN=Sametime Admin/O=ST65x |
| testuser1 | Test | User1 | User1, Test | <must be set the same as the Domino account password/Internet password> | CN=Test User1/O=ST651 |
| testuser2 | Test | User2 | User2, Test | <must be set the same as the Domino account password/Internet password> | CN=Test User2/O=ST651 |
| testuser3 | Test | User3 | User3, Test | <must be set the same as the Domino account password/Internet password> | CN=Test User3/O=ST651 |
| testuser4 | Test | User4 | User4, Test | <must be set the same as the Domino account password/Internet password> | CN=Test User4/O=ST651 |

If a new field cannot be added to the LDAP accounts, you can use an existing blank field in the LDAP accounts to hold this information (for example, the description or comments field).

Note that with this particular configuration you need a process that keeps the Domino Directory and the LDAP directory synchronized, because in a typical environment the directories change continuously (users are added and removed, and so on).
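One way to run that synchronization check, as an added example that is not part of the original article: a Python script that compares the LDAP accounts with the Domino Person documents, emits LDIF for every entry whose notesdn value is missing or stale, and reports accounts that exist on only one side. The directory data, the LDAP base DN and the assumption that the LDAP uid equals the Domino ShortName are all constructed for this example.

```python
"""Plan the notesdn synchronisation between LDAP accounts and Domino Person documents."""
from dataclasses import dataclass, field

# Constructed sample data (not exported from a real directory). The LDAP side
# mirrors the accounts in the article; "notesdn" is the attribute chosen to hold
# the Notes distinguished name. Matching LDAP uid to Domino ShortName is an
# assumption of this example, not something the article prescribes.
LDAP_BASE = "ou=people,dc=example,dc=com"

LDAP_ENTRIES = [
    {"uid": "s65xadmin", "cn": "Administrator, ST65x", "notesdn": "CN=Sametime Admin/O=ST65x"},
    {"uid": "testuser1", "cn": "User1, Test"},                                   # never set
    {"uid": "testuser2", "cn": "User2, Test", "notesdn": "CN=Old Name/O=ST651"},  # stale value
    {"uid": "testuser3", "cn": "User3, Test"},
    {"uid": "testuser5", "cn": "User5, Test"},                                   # no Domino user
]

DOMINO_PEOPLE = [
    {"ShortName": "s65xadmin", "FullName": "CN=Sametime Admin/O=ST65x"},
    {"ShortName": "testuser1", "FullName": "CN=Test User1/O=ST651"},
    {"ShortName": "testuser2", "FullName": "CN=Test User2/O=ST651"},
    {"ShortName": "testuser3", "FullName": "CN=Test User3/O=ST651"},
    {"ShortName": "testuser4", "FullName": "CN=Test User4/O=ST651"},  # no LDAP account
]


@dataclass
class SyncPlan:
    set_values: list = field(default_factory=list)         # (ldap dn, notesdn to write)
    unchanged: list = field(default_factory=list)          # uids already correct
    stale: list = field(default_factory=list)              # (uid, current, expected)
    missing_in_domino: list = field(default_factory=list)  # uids with no Person document
    missing_in_ldap: list = field(default_factory=list)    # ShortNames with no LDAP account


def ldap_dn(uid):
    return f"uid={uid},{LDAP_BASE}"


def plan_sync(ldap_entries, domino_people, attr="notesdn"):
    """Decide which LDAP entries need their Notes DN attribute written or corrected."""
    by_short = {p["ShortName"].lower(): p["FullName"] for p in domino_people}
    plan = SyncPlan()
    seen = set()
    for entry in ldap_entries:
        uid = entry["uid"].lower()
        seen.add(uid)
        expected = by_short.get(uid)
        if expected is None:
            plan.missing_in_domino.append(entry["uid"])
            continue
        current = entry.get(attr)
        if current == expected:
            plan.unchanged.append(entry["uid"])
            continue
        if current is not None:
            plan.stale.append((entry["uid"], current, expected))
        plan.set_values.append((ldap_dn(entry["uid"]), expected))
    plan.missing_in_ldap = [p["ShortName"] for p in domino_people
                            if p["ShortName"].lower() not in seen]
    return plan


def to_ldif(plan, attr="notesdn"):
    """Render the planned changes as LDIF 'changetype: modify' records, one per entry."""
    records = [f"dn: {dn}\nchangetype: modify\nreplace: {attr}\n{attr}: {value}\n-\n"
               for dn, value in plan.set_values]
    return "\n".join(records)


if __name__ == "__main__":
    plan = plan_sync(LDAP_ENTRIES, DOMINO_PEOPLE)
    print(to_ldif(plan))
    print("already correct:", plan.unchanged)
    print("stale values corrected:", plan.stale)
    print("LDAP accounts without a Person document:", plan.missing_in_domino)
    print("Person documents without an LDAP account:", plan.missing_in_ldap)
```

Passwords are deliberately outside the script's scope: the article requires userPassword to equal the Domino Internet password, and that has to be handled by whatever process owns password changes.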

Installing and configuring your Domino and Sametime 6.5x servers

Note: These steps describe a basic Domino server installation that can support Sametime. If you need more detailed information about Domino server installations and Domino environments, see the Lotus Domino documentation.

Your Domino server installation should be configured as follows:

  • Do not select Partitioned Server Installation.
  • When prompted for Type of Setup, select Domino Application Server.

After installation is complete, configure your Domino server appropriately. When basic Domino server configuration has been completed, customize your Server document as follows:

Basics tab
  • Ensure a fully qualified Internet host name has been set to servername.domain.com.
  • Set "Is this a Sametime Server" to Yes.
Ports\Notes Network Ports tab
  • Ensure the TCPIP Port is enabled and the fully qualified Internet host name (servername.domain.com) is set in the Net Address field.
Security tab
  • Run unrestricted LotusScript/Java agents: the signature that is used to sign the Sametime agents must be allowed to run unrestricted IBM LotusScript and Java agents on the Sametime server. To ensure that the Sametime agent signer can run unrestricted LotusScript and Java agents on the Sametime server, open the Server document for the Sametime server. Select the Security tab, and enter the Sametime agent signer (for example, Sametime). Enter Development/Lotus Notes Companion Products in the "Run unrestricted LotusScript/Java agents" field. Then save the changes to the Server document. Alternatively, you can sign all databases with an ID with rights to run agents in your environment.
Internet Protocols\HTTP tab
  • Ensure the host name has been set to servername.domain.com.
  • Set "Allow HTTP clients to browse databases" to Yes.
  • Set Home URL to /stcenter.nsf.
Internet Protocols\Domino Web Engine tab
  • Set Session Authentication to Disabled.
  • Set Java servlet support to Domino Servlet Manager.

Your Sametime overlay installation should be configured as follows:

  • When prompted, select "Set up on a Domino Server" and browse and navigate to the Domino server.id file.
  • When prompted "What type of Directory do you want to use?" select Domino.
  • Allow HTTP Tunneling can be set as required.
  • As a best practice, it is also recommended that the server's fully qualified hostname and Sametime alias name (if hostname and server name are not the same) are entered in DNS.
  • Launch Domino/Sametime Services by starting the Lotus Domino Service and verify that all services are functioning correctly with no errors. Test all functionality on the Sametime server to ensure it is working normally.

You then need to configure a user account that Sametime can use to access the meeting service. For example, you can create a specific Person document (for instance, SametimeServletAccess) with a password (such as ssaccess). This user is then added to the ACL of Stconfig.nsf with all roles, and the username and password are added to the meeting services document in Stconfig.nsf as follows:

Remote Service Access

Meeting Management Username: SametimeServletAccess
Meeting Management Password: ssaccess

Recorded Meeting Management Username: SametimeServletAccess
Recorded Meeting Management Password: ssaccess

Materials Refresh Username: SametimeServletAccess
Materials Refresh Password: ssaccess

Materials Control Username: SametimeServletAccess
Materials Control Password: ssaccess

You also need to add the SametimeAdminUsername=SametimeServletAccess and SametimeAdminPassword=ssaccess parameters into the [Config] section of the Sametime.ini and restart the Sametime server. When Sametime restarts, it should replace these two lines and make a single encrypted line similar to the following:

SametimeAdminAuthorization=U2FtZXRpbWVTZXJ2bGV0QWNjZXNzOnBhc3N3b3Jk,
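To see what that single line holds, here is an added Python example (not from the article or from Sametime itself) that emulates the rewrite of the [Config] section and decodes the value shown above; the Sametime.ini fragment it works on is constructed. The value printed in the article decodes to SametimeServletAccess:password, that is, it is Base64 of username:password rather than an encryption of it.

```python
"""Emulate the Sametime.ini [Config] rewrite and decode the combined line."""
import base64
import re

# Constructed Sametime.ini fragment (not taken from a real server). The two
# plaintext keys are the ones the article says to add before the restart; the
# [Debug] section only exists to show that other sections are left alone.
SAMETIME_INI_BEFORE = """[Config]
SametimeAdminUsername=SametimeServletAccess
SametimeAdminPassword=ssaccess
OtherSetting=1

[Debug]
SametimeAdminUsername=ignored
"""

# The combined line exactly as the article shows it (including the trailing comma).
ARTICLE_LINE = "SametimeAdminAuthorization=U2FtZXRpbWVTZXJ2bGV0QWNjZXNzOnBhc3N3b3Jk,"

_SECTION = re.compile(r"^\s*\[(.+?)\]\s*$")


def encode_authorization(username, password):
    """Base64 of "username:password": the value that appears after the restart."""
    return base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def decode_authorization(line):
    """Recover (username, password) from a SametimeAdminAuthorization= line."""
    value = line.partition("=")[2].strip().rstrip(",")
    user, _, password = base64.b64decode(value).decode("utf-8").partition(":")
    return user, password


def combine_config_section(ini_text):
    """Replace the Username/Password pair in [Config] with one Authorization line.

    If either key is absent from [Config] the text is returned unchanged.
    """
    lines = ini_text.splitlines()
    found = {}  # lowercased key -> (line index, value)
    section = None
    for i, line in enumerate(lines):
        m = _SECTION.match(line)
        if m:
            section = m.group(1).lower()
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if section == "config" and sep and key in ("sametimeadminusername", "sametimeadminpassword"):
            found[key] = (i, value.strip())
    if len(found) < 2:
        return ini_text
    user_idx, user = found["sametimeadminusername"]
    pw_idx, password = found["sametimeadminpassword"]
    combined = "SametimeAdminAuthorization=" + encode_authorization(user, password)
    out = []
    for i, line in enumerate(lines):
        if i == min(user_idx, pw_idx):
            out.append(combined)  # the combined line takes the place of the first key
        elif i in (user_idx, pw_idx):
            continue              # the second plaintext key is dropped
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(combine_config_section(SAMETIME_INI_BEFORE))
    print("article value decodes to:", decode_authorization(ARTICLE_LINE))
```

Because the value is reversible, Sametime.ini should be protected with the same file permissions you would give the plaintext credentials it replaced.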


Setting up Policy documents and objects for your Sametime environment on the SiteMinder 5.5 Policy server

When you successfully log in to the Netegrity SiteMinder 5.5 Policy Server, an administration console similar to figure 1 appears:

Figure 1. SiteMinder Administration console

On the Netegrity SiteMinder Policy server, you will need to create the following objects in order to configure SiteMinder to protect your Sametime 6.5.x server:

  • Agent
  • Agent configuration object
  • Host configuration object
  • User directory
  • Domain
  • Realm for the domain
  • A number of sub-realms under the main realm
  • Rule(s) for the realm and sub-realms
  • Responses for the rules
  • A policy for the domain

Creating an agent

To create an agent, right-click the Agents icon under System Configuration on the System tab of the left-hand pane of the console, and select Create Agent. A dialog similar to figure 2 appears:

Figure 2. SiteMinder Agent dialog

In the *Name field, enter a unique value not used previously for an existing agent on the server. For Agent Type, select the SiteMinder radio button and choose Web Agent from the drop-down list. Click OK to save and close.

Creating an agent configuration object

For Domino-based products, we recommend that you create a duplicate of the existing DefaultDominoSettings agent configuration object on the Policy Server and modify the duplicate as appropriate. To create an agent configuration object for your Sametime server, click the Agent Conf Objects icon under System Configuration on the System tab of the left-hand pane of the console. Then right-click the DefaultDominoSettings agent configuration object in the agent configuration object list in the right-hand pane of the console, and select Duplicate Configuration Object.

Enter a unique name for the object in the *Name field. Then in the parameter list, set the following parameters to the values indicated (or to the appropriate value for your server) by clicking on each parameter and selecting the Edit button:

  • DefaultAgentName: the name given to the agent.
  • BadUrlChars: remove // and %00-%1f,%7f-%ff,%25 from the default list of bad URL characters.

In the configuration outlined in this article, we also set AllowLocalConfig to Yes. (When it is set to No, all Web agent configuration parameters are defined on the Policy Server and none are read from the local WebAgent.conf file on the Sametime server.)

All other parameters can be left as their defaults. When complete, click OK to save and close the agent configuration object.

Creating a host configuration object

As with the agent configuration object, we suggest that you create a duplicate of the existing DefaultHostSettings host configuration object on the Policy Server and modify the duplicate as appropriate. To create a host configuration object for your Sametime 6.5.1 server, click the Host Conf Objects icon under System Configuration on the System tab of the left-hand pane of the console. Then right-click an existing host configuration object in the host configuration object list in the right-hand pane of the console, and select Duplicate Configuration Object. A dialog similar to figure 3 appears:

Figure 3. SiteMinder Host Configuration Object dialog

Enter a unique name for the host configuration object in the *Name field, and optionally a description. Next, edit the parameter value #Policy Server by removing the # from the front of the parameter name, and enter the IP address of your Policy Server in the Value column. Then click OK to save and close the host configuration object.

Creating a user directory

SiteMinder uses LDAP to authenticate users accessing its configurations. Creating a user directory on the Policy Server is required so that the policy that you set up for your Sametime 6.5x server can access and use the appropriate LDAP server to authenticate your Sametime users.

To create a user directory, right-click the User Directories icon under System Configuration on the System tab of the left-hand pane of the console, and select Create User Directory. A dialog similar to figure 4 is displayed:

Figure 4. SiteMinder User Directory dialog

Enter a unique name and an optional description. Next, set *NameSpace to LDAP and enter the fully qualified host name of your LDAP server in the *Server field. Then fill in the LDAP Search and LDAP User DN Lookup sections as appropriate for your LDAP users. (Depending on your particular LDAP server configuration, you may also need to add the required credentials on the Credentials and Connection tab so the Policy Server can bind to your LDAP server; refer to the Netegrity documentation for details.) When you have completed these fields, click OK to save and close the user directory.

Creating a domain

To create a domain, right-click the Domains icon under System Configuration on the System tab of the left-hand pane of the console, and select Create Domain. A dialog similar to figure 5 is displayed:

Figure 5. SiteMinder Domain dialog

Enter a unique name and optional description. From the drop-down list at the bottom of the dialog, select the user directory that you will use in this domain (created in the previous section) and click the "<< Add" button to add it to the User Directories tab. Click OK to save and close the Domain.

Creating a realm for the domain

To create a realm for this domain, click the Domains tab in the left-hand pane of the administration console. Right-click the domain you created in the previous section and select Create Realm from the menu. A dialog similar to figure 6 is displayed:

Figure 6. SiteMinder Realm dialog

Enter a unique name and optional description for the realm. On the Resource tab, in the Agent field, enter the name of the agent that you created earlier in this article (or select it from the Lookup listing). Then enter a forward slash (/) in the Resource Filter field. Next, set Authentication Scheme to Basic and Default Resource Protection to Protected. Leave all other fields on the Resource, Session and Advanced tabs as default. Then click OK to save and close the realm.

Creating sub-realms under the main Sametime realm

Please note that the sub-realm definitions below are just one of a number of recommended Sametime implementations that can be defined on the SiteMinder Policy Server.

To create a sub-realm, click the Domains tab. Right-click the realm you created in the previous section and select "Create Realm under Realm" from the menu. Create the following sub-realms for your configuration, with the values indicated:

| Name | Resource Filter | Authentication Scheme | Default Resource Protection |
|---|---|---|---|
| ST Test | stlinks | Basic | Unprotected |
| ST AdminConfig | servlet/auth/scs | Basic | Unprotected |
| ST AdminPage | servlet/auth/admin | Basic | Protected |
| ST Src | stsrc.nsf/join | Basic | Protected |
| ST Domino | STDomino.nsf | Basic | Unprotected |
| ST Applets | sametime/applets | Basic | Unprotected |
| ST Applet | Sametime/Applet | Basic | Unprotected |
| IMI Sametime | sametime/hostAddress.xml | Basic | Unprotected |
| ST MMAPI | servlet/auth/mmapi | Basic | Unprotected |
| ST Admin CGI | cgi-bin/StAdminAct.exe | Basic | Unprotected |

Creating rules for the realm and sub-realms

On the Domains tab, expand the domain you created. Right-click the realm for which you want to create a rule, and select "Create Rule under Realm" from the menu. Then create the following rules for the realms and sub-realms indicated:

For Realm: Sametime, create the following two rules with the values indicated (see figure 7):

Rule 1
  *Name: GetPost Rule
  Realm: Sametime
  Resource: *
  Action: Web Agent actions -> Get,Post
  When this Rule fires: Allow Access
  Enable or Disable this Rule: Enabled

Rule 2
  *Name: OnAuthAccept Rule
  Realm: Sametime
  Resource: *
  Action: Authentication events -> OnAuthAccept
  When this Rule fires: Allow Access
  Enable or Disable this Rule: Enabled

Figure 7. SiteMinder Rule dialog

For Sub-Realm: ST AdminPage, create one rule with the values indicated:

Rule 1
  *Name: GetPost Rule
  Realm: Sametime.ST AdminPage
  Resource: *
  Action: Web Agent actions -> Get,Post
  When this Rule fires: Allow Access
  Enable or Disable this Rule: Enabled

For Sub-Realm: ST Src, create the following two rules with the values indicated:

Rule 1
  *Name: GetPost Rule
  Realm: Sametime.ST Src
  Resource: *
  Action: Web Agent actions -> Get,Post
  When this Rule fires: Allow Access
  Enable or Disable this Rule: Enabled

Rule 2
  *Name: OnAuthAccept Rule
  Realm: Sametime.ST Src
  Resource: *
  Action: Authentication events -> OnAuthAccept
  When this Rule fires: Allow Access
  Enable or Disable this Rule: Enabled

Creating responses for the domain

On the Domains tab, expand the domain you created. Right-click the Responses icon in the sub-tree and select Create Response. This displays the SiteMinder Response dialog (see figure 8):

Figure 8. SiteMinder Response dialog

Create the following two responses (see figure 9):

Response 1: *Name: DefaultTimeOut. Add the following two attributes by clicking the Create button in the Response dialog:

| Attribute Name | Attribute Kind | *Variable Value | Attribute Caching |
|---|---|---|---|
| WebAgent-OnAuthAccept-Session-Idle-Timeout | Static | 28800 | Cache value |
| WebAgent-OnAuthAccept-Session-Max-Timeout | Static | 50400 | Cache value |

Figure 9. Response Attribute editor

Response 2: *Name: IMA Token Response. Create the following attribute. (This example assumes that NOTESDN is the name of the LDAP user account entry that contains the user's Domino distinguished name, as outlined in the LDAP configuration section earlier in this article. If you have used a different entry in the user account to store this value, replace the Variable Name in the following table accordingly.)

| Attribute Name | Attribute Kind | *Variable Name | *Attribute Caching |
|---|---|---|---|
| WebAgent-HTTP-Header-Variable | User Attribute | NOTESDN | Cache value |

Creating and configuring a policy for the domain

On the Domains tab, expand the domain you created. Right-click the Policies icon in the sub-tree and select Create Policy. Figure 10 appears.

Figure 10. Policy dialog

Enter a unique name and (optional) description for the policy. The Users tab should contain a tab listing the user directory that you defined previously. Click the Add/Remove button on the Users tab and add the LDAP branch that SiteMinder will use to authenticate users to the current members list. Then click OK to save and close.

Next, open the Rules tab, and click the Add/Remove Rules button. Add all the rules you created previously for the realms and sub-realms to the current members list. Click OK to close this dialog. Finally, add the response indicated in the following table for each rule by selecting the rule on the tab and clicking the Set Response button:

| Rule | Realm | Response |
|---|---|---|
| GetPost Rule | Sametime | IMA Token Response |
| OnAuthAccept Rule | Sametime | DefaultTimeOut |
| GetPost Rule | Sametime.ST AdminPage | IMA Token Response |
| GetPost Rule | Sametime.ST Src | IMA Token Response |
| OnAuthAccept Rule | Sametime.ST Src | DefaultTimeOut |

All values on the IP Addresses, Time, and Advanced tabs of the Policy dialog should be left as default. Then click OK on the Policy dialog to save and close.


Installing and configuring the SiteMinder Web agent on the Sametime server

We recommend that you install the latest available version of the V5 Netegrity SiteMinder Web agent and the latest available hotfix that is certified by Netegrity to work with the version of Domino that you are using. Please refer to the Netegrity SiteMinder 5.5 Platform Support Matrix for further details - this can be obtained from the Netegrity Support Site.

After the Web agent and hotfix have been installed, launch the Web Agent Configuration Wizard from the Start menu by selecting Programs - SiteMinder. On each of the dialogs that appear, complete the appropriate fields with the following information:

  1. Make sure Enable PKCS11 is unchecked.
  2. Complete the following fields to identify an administrator with the rights to register a trusted host, then click Next: Administrator, Password, Confirm password.
  3. In the Trusted Host Name field, enter the name of the system that you wish to register as a trusted host (typically the physical server name, for instance servername). This will create a trusted host entry on the Policy Server. There cannot be duplicate trusted host entries, so if you have already registered this server, you will need to delete the existing trusted host entry on the Policy Server or register it under a new name.
  4. In the Policy Server IP Address field, enter the IP address of the Policy Server.
  5. In the Host Configuration Object field, enter the name of the host configuration object that you created on the Policy Server.
  6. Accept the default location of the host configuration file.
  7. Select the appropriate Web server. In this case, it will be Lotus Domino 6.0.
  8. In the "Web Agent Configuration for Lotus Domino 6.0" dialog, review the displayed information. If you see the message "The Agent configuration Object has not been configured," click the Configure button.
  9. In the Agent Configuration Object field, enter the name of the agent configuration object that you created on the Policy Server.
  10. Select No advance authentication. Then click Next. This will return you to the "Web Agent Configuration for Lotus Domino 6.0" dialog.
  11. Review the details displayed in relation to the location of the host configuration file and the name of the agent configuration object to ensure they are now correct. Then click Finish.

Configuring the Domino/Sametime Server for the Web agent and DSAPI filter settings

To add the correct DSAPI filter file name to the Sametime server configuration, do the following:

  1. Open Names.nsf on your Domino server.
  2. Open the server document for your Domino/Sametime server.
  3. Select the Internet Protocols -> HTTP tab, and in the DSAPI filter file names field, enter the name and full path of the SiteMinder Web agent:
    <Netegrity installation path>\dominowebagent.dll (typically c:\Program Files\Netegrity\Siteminder Web Agent\bin\DOMINOWebAgent.dll)
  4. Save and close.
  5. You should also check that the installation/configuration process has successfully created a line in the Notes.ini similar to the following:
    WebAgentConfLocation=<Netegrity installation path>\bin\Lotus Domino 6\WebAgent.conf

Enabling the SiteMinder Web agent on the Sametime server and performing basic integration verification testing

To finish configuring the SiteMinder Web agent and then enable it, perform the following steps:

  1. Edit the WebAgent.conf file in the following directory on your server:
    <Netegrity installation path>\Bin\Lotus Domino 6 (typically c:\Program Files\Netegrity\SiteMinder Web Agent\Bin\Lotus Domino 6)
  2. Change the value of the EnableWebAgent attribute to EnableWebAgent="YES".
  3. We set AllowLocalConfig=YES in the Agent Configuration Object defined on the Policy Server, so we also add in the following entries in the WebAgent.conf file:
    CookieDomain=<set to the domain that your Sametime 6.5x server resides in, for example ".domain.com">
    RequireCookies="YES"
    PersistentCookie="NO"
    SkipDominoAuth="NO"
    DominoLookupHeaderForLogin="YES"
    DominoUseHeaderForLogin="HTTP_NOTESDN"
    LogFile="YES"
    LogFileName="C:\stsiteminder.log" # or to another filename/directory of your choice
    LogAppend="YES"
    LogLevel="2"
    LogConsole="YES" # this will log Netegrity messages to the Domino console
  4. Save and close.
  5. Restart the Domino/Sametime server for the changes to take effect.
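As an added check (example code, not part of the article or of the SiteMinder agent), the following Python script parses a WebAgent.conf in the key="value" form shown in step 3 and reports any of those settings that are missing or wrong. The configuration text is a constructed sample containing two deliberate errors, and the expected values are the ones listed in step 3 above.

```python
"""Check a Domino WebAgent.conf for the settings this integration depends on."""
import re

# Constructed WebAgent.conf fragment (not copied from a server). Values follow the
# key="value" form used in the article; '#' starts a comment. Two settings are
# deliberately wrong so the checker has something to report.
WEBAGENT_CONF = """# SiteMinder Web Agent configuration (constructed sample)
HostConfigFile="C:\\Program Files\\Netegrity\\SiteMinder Web Agent\\config\\SmHost.conf"
AgentConfigObject="ST65x_AgentConf"
EnableWebAgent="NO"
CookieDomain=".domain.com"
RequireCookies="YES"
PersistentCookie="YES"
SkipDominoAuth="NO"
DominoLookupHeaderForLogin="YES"
DominoUseHeaderForLogin="HTTP_NOTESDN"
LogFile="YES"
LogFileName="C:\\stsiteminder.log" # or another filename/directory of your choice
LogAppend="YES"
LogLevel="2"
LogConsole="YES" # this will log Netegrity messages to the Domino console
"""

# Values the article sets in step 3. CookieDomain and LogFileName are site-specific,
# so they are checked for shape rather than for an exact value.
EXPECTED = {
    "EnableWebAgent": "YES",
    "RequireCookies": "YES",
    "PersistentCookie": "NO",
    "SkipDominoAuth": "NO",
    "DominoLookupHeaderForLogin": "YES",
    "DominoUseHeaderForLogin": "HTTP_NOTESDN",
    "LogFile": "YES",
    "LogAppend": "YES",
}

# key=value where the value is either "quoted" or a bare token up to whitespace or '#'
_LINE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*("([^"]*)"|[^#\s]*)')


def parse_webagent_conf(text):
    """Return {key: value} with quotes and trailing '# ...' comments removed."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        settings[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return settings


def check_webagent_conf(text, expected=EXPECTED):
    """List the problems that would stop SSO from working as the article describes."""
    lower = {k.lower(): v for k, v in parse_webagent_conf(text).items()}
    problems = []
    for key, want in expected.items():
        got = lower.get(key.lower())
        if got is None:
            problems.append(f"{key} is missing (expected {want})")
        elif got.upper() != want.upper():
            problems.append(f"{key} is {got!r}, expected {want!r}")
    if not lower.get("cookiedomain", "").startswith("."):
        problems.append("CookieDomain should name the server's domain, for example '.domain.com'")
    if not lower.get("logfilename"):
        problems.append("LogFileName is not set, so the WebAgent log cannot be reviewed")
    return problems


if __name__ == "__main__":
    for problem in check_webagent_conf(WEBAGENT_CONF):
        print("problem:", problem)
```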

When the Domino/Sametime server restarts, you should see messages similar to those shown in figure 11 on your Domino server console. These messages indicate that the SiteMinder Web agent has been installed and configured correctly on your server and that the SiteMinder DSAPI filter is loading successfully. You can also verify that the WebAgent has started successfully by checking the Event Viewer Application logs and also by viewing the WebAgent Log File.

Figure 11. Domino server console messages

Testing the integration

After you have verified that your configuration has been set up and enabled correctly, you can perform the following basic test to verify that SiteMinder is now providing single sign-on and authentication for your Sametime server:

  1. Using a browser, attempt to log in to the Meeting Center on your Sametime server: http://<fully qualified servername>/stcenter.nsf. You should then be presented with a basic authentication dialog by SiteMinder asking you to authenticate against the realm that you created on the SiteMinder Policy Server (for example, Sametime).
  2. After you provide a valid username/password from the LDAP server, you should be authenticated by the SiteMinder Policy Server and be able to gain access to the Sametime Meeting Center home page. You should be identified on the Sametime server by your Domino username and you should then be able to access all functionality on the server without having to re-provide credentials. If so, SiteMinder is providing single sign-on to the Sametime server.
  3. Reference the WebAgent Log File and verify that the NotesDN value from the LDAP server user account is being successfully passed by SiteMinder to Domino for login purposes.

Summary

The configuration steps described in this article will provide full SSO integration between Netegrity SiteMinder and your Sametime server. These same steps can also be used to configure your Sametime server in a multi-server environment protected by Netegrity SiteMinder. The SiteMinder Policy Server configuration and Domino/Sametime setups would be identical. Only the Web agent configuration parameter settings may require change, depending on how your Sametime server is configured in the multi-server environment.
