
Integration of IBM Lotus Connection 1.0.1 with IBM Tivoli Access Manager V6.0

Tivoli Access Manager for e-business, Tivoli Access Manager WebSEAL and IBM Lotus Connections integration

Neelam Solenki (nsolenki@in.ibm.com), Software Engineer, IBM India Pvt. Ltd.

Neelam Solenki is a Software Engineer, currently working with the Tivoli® Security Team at IBM® India Software Labs as a Software Specialist. She holds a Bachelor of Engineering degree in Computer Science and is IBM Tivoli Access Manager for e-business V6.0 Implementation certified. She has worked on Tivoli Access Manager, Tivoli Directory Server, Tivoli Enterprise Single Sign-On and various other products of the Tivoli Security suite.

Summary:  This article describes the step-by-step procedure for integrating IBM® Lotus® Connections with IBM® Tivoli® Access Manager V6.0. It is intended to help administrators protect the features of IBM Lotus Connections behind WebSEAL, the Tivoli reverse proxy, and to give users single sign-on through the LTPA cookie mechanism.

Date:  06 Oct 2008
Level:  Intermediate

Introduction

IBM Lotus Connections, the industry's first integrated social software for business, helps you build communities, share expertise and tasks, and exchange ideas simply and effectively. A Lotus Connections application deployed on IBM WebSphere® Application Server can integrate with an external security manager such as IBM Tivoli Access Manager for e-business.

One of the components of Tivoli Access Manager is its reverse proxy security server, WebSEAL. WebSEAL can front-end any Web application server or Web server in an enterprise e-business infrastructure. When WebSphere Application Server and Lotus Connections are deployed behind WebSEAL, it is usually necessary to give the end user a single sign-on (SSO) experience. To achieve SSO, WebSphere Application Server exports its LTPA keys, which are copied to the WebSEAL server and supplied when the junction is created; once WebSEAL has authenticated a user it issues an LTPA cookie that WebSphere accepts, so Lotus Connections does not challenge the user again.

This article focuses on integrating WebSEAL with Lotus® Connections for authentication, so as to provide SSO to Lotus Connections. This information is for Application Server administrators and others who need to provide SSO for their WebSphere-based and Domino®-based applications. To make the best use of this article, you should be familiar with WebSphere Application Server, Lotus Connections, and Tivoli Access Manager administration tasks. You should also be familiar with configuring an LDAP directory server, such as IBM Tivoli Directory Server, which is used in the scenario described in this article.


Terminology

The five Web-based components of Lotus Connections (Activities, Blogs, Communities, Dogear and Profiles) help you identify people within your enterprise who have specific knowledge on a topic, access qualified resources, and create blogs, all within a business setting.

IBM Lotus Connections is social networking software that consists of five features:

• Activities – Collaboration tool for collecting, organizing, sharing, and reusing work that is related to a project goal.

• Blogs – Online journals that you can use to deliver timely information with a personal touch.

• Communities – A Web site that you create so that people who share a common interest can interact with one another and share resources.

• Dogear – Social bookmarking tool that you can use to save, organize, and share Internet and intranet bookmarks.

• Profiles – Directory of the people in your organization that includes the information you need to form and encourage effective networks.

IBM Tivoli Access Manager for e-business is an authentication and authorization solution for corporate Web, client/server, and existing applications. This product allows customers to control user access to protected information and resources by providing a centralized, flexible, and scalable access control solution. It is a robust and secure centralized policy management solution for e-business and distributed applications.

IBM Tivoli Access Manager WebSEAL is a secure reverse Web proxy server that provides authentication, single sign-on (SSO), and authorization services for your Web application environment. In a typical deployment, WebSEAL is deployed in front of the applications server layer in a customer's environment.



Customer requirement and deployment description

In this example, the customer has a highly available, clustered TAM setup and needs a social networking tool that lets them build communities, share expertise and tasks, and exchange ideas simply and effectively, using features such as Blogs for sharing ideas. IBM Lotus Connections, the industry's first integrated social software for business, fits these requirements. The challenge is how users reach Lotus Connections through TAM. We first tried the HTTP header solution and, since Lotus Connections is deployed on WebSphere, the TAI++ (Trust Association Interceptor) approach; single sign-on was finally achieved with the LTPA cookie method. TAM therefore gives users a single sign-on experience and also restricts particular users to limited access rights through Access Control Lists (ACLs).

The following describes the steps followed to have TAM 6.0 protect a Lotus Connections 1.0.1 environment.


Figure 1. Component level interaction diagram

The diagram shows the scenario at the customer's site: four clustered WebSEALs, with the TAM Policy Server and Authorization Server in high-availability mode. Portal-based and J2EE™-based applications are protected through Tivoli Access Manager alongside the Lotus Connections application, each using a different single sign-on method.

All these components are deployed on AIX® 5.3 (latest maintenance level) on machines with 2 CPUs and 4 GB of memory.


Prerequisite component installation for the Lotus Connections integration

NOTE: The deployment instructions below were used to put Lotus Connections 1.0.1 behind TAM; this combination is not officially supported for that release. Lotus Connections 2.0 supports TAM, and its configuration instructions can be found in the Lotus Connections 2.0 information center ("Infocenter Link").

You can follow the instructions given in the link below for installation of WebSphere Application Server 6.1.

"IBM WebSphere Application Server 6.1 Installation Guide"

• Install the fix packs listed in "Table 1", in the order given there, using the Update Installer for WebSphere Application Server, and follow the instructions in the link below for installing WebSphere Application Server maintenance packages.

"IBM WebSphere Application Server Maintenance Packages Installation Guide"

You can follow the instructions given in the link below for TAM-WebSEAL 6.0 installation and configuration.

"IBM Tivoli Access Manager 6.0 Installation Guide"



Configuring WebSphere Application Server with Tivoli Directory Server v6.0 (Federated Repositories) for generating the LTPA keys

This section describes how to configure the realm name and add a base entry for Tivoli Directory Server. It also explains how to configure federated repositories by specifying the distinguished name (DN), and how to enable administrative and application security in the WebSphere Application Server console.

Note: Make sure the realm has been created in LDAP and that the user entries carry the "firstname" and "mail" attributes; the mail attribute must be populated with the user's uid or e-mail ID. Open the WAS admin console to start the configuration.

1.) Start WebSphere Application Server.

2.) Click Security → Secure Administration, applications and infrastructure.

3.) Clear the Enable administrative security check box. Click Apply and then Save.

4.) Restart WebSphere Application Server.

5.) Click Security → Secure Administration, applications and infrastructure.

Select Federated Repositories from the Available realm definitions field, and then click “Set as current”. Click Apply and then Click the Save option.

6.) Go Back to Security → Secure Administration, applications and infrastructure, with Federated repositories as available realm definition, click Configure.

7.) On the Federated repositories page, set the realm name to the fully qualified host name of the LDAP server followed by its port, in the form host:port (for example tdsmachine.ibm.com:389 if the directory listens on the default LDAP port).


Figure 2. Configuring Realm Name

8.) Click Apply, and then click Save to save settings. Click Save again to confirm the change.

9.) Back to Federated Repository page, click Add Base entry to Realm, and then click Add Repository from the Repository reference page.

10.) On the New page, provide values for the required fields.

• Repository identifier – any identifier that uniquely identifies the repository

• Directory type – IBM Tivoli Directory Server Version 6.0

• Primary host name – DNS name of your directory server, such as tdsmachine.ibm.com

• Login properties – the LDAP property used for authentication; make sure to specify a property that has a unique value per user


Figure 3. Specifying LDAP Server and Security Details

11.) On the Repository reference page, type the distinguished name values in the Distinguished Name (DN) of a base entry that uniquely identifies set of entries in the realm and DN of a base entry in this repository fields, for instance:

cn=tamusers,ou=tam,ou=applications,o=ibm,c=us


Figure 4. Specifying Distinguished Name

12.) Click Apply, and then click Save to save settings. Click Save again to confirm the change.

13.) On the Federated repositories page, click Apply, and then click Save to save this setting. You will need to click Save again to confirm the change.

14.) Enable administrative security and application security. If you want to restrict the application's access to local resources, also select the Java 2 security check box; this matters especially for the Lotus Connections Communities installation.

15.) Click Apply, and then click Save to save settings. Click Save again to confirm the change and restart WebSphere Application Server.

16.) Log in to the WAS Administrative Console with the administrative user name and password.

You have successfully configured WebSphere Application Server with Federated Repositories.



Installing and configuring Lotus Connections Blogs

This section shows the installation of the Lotus Connections features, including all the required configuration steps. You can install and configure an individual feature of Lotus Connections, or all five features, according to your own business requirements.

In this article we select the "BLOGS" feature as the service to install.

Note: Stop WebSphere Application Server if it is already running, and make sure that the database machine is reachable from the Lotus Connections machine before proceeding with the installation.

  1. Launch the installer (install.bat on Windows, or the equivalent install script on AIX or Linux) in the Lotus Connections product install directory and click Next.
  2. Review and accept the Lotus Connections license agreement.
  3. Select Save the settings in a response file if you want the installer to store the values you type into the fields during the installation.
  4. Select "BLOGS" as the service to install from the options shown in "Fig 5".

Figure 5. Selecting features of Lotus Connections

5. Select the location of the existing instance of WebSphere Application Server.


Figure 6. Specifying WebSphere Application Server location

6. When asked for the WAS instance, select server1; this server will host Blogs. Click Next.

Note: Specify a different server instance if you want to install the Blogs application on a different profile.


Figure 7. Specifying WebSphere Application Server instance

7. Type the WebSphere Application Server administrative user ID and password (in this example the user ID is wasadmin and the password is the placeholder "password", as shown in "Fig 8"; use your own administrative credentials) and click Next.


Figure 8. Specifying WebSphere Application Server AdminId and Password

Figure 9. Verifying HostName

8. Select the database type, DB2® Universal Database™, as in "Fig 10".


Figure 10. Selecting the DB2 Database

9. Provide the JDBC™ connector information for the database, as shown in "Fig 11".


Figure 11. Provide JDBC connector information for the database

10. Click Next.

11. You should see a window for successful completion.



Single Sign-On concepts and configuration

This section describes some WebSEAL features and Lightweight Third Party Authentication (LTPA) concepts, including the configuration steps and how to export the LTPA keys from the WebSphere Application Server console.

IBM Tivoli Access Manager WebSEAL is a high-performance, multi-threaded reverse proxy server that applies fine-grained security policy to the Tivoli Access Manager protected Web object space. WebSEAL can provide single sign-on solutions and incorporate back-end Web application server resources into its security policy.

WebSEAL acts as a reverse Web proxy: it receives HTTP/HTTPS requests from a Web browser and delivers content from its own Web server or from junctioned back-end Web application servers. Requests passing through WebSEAL are evaluated by the Tivoli Access Manager authorization service to determine whether the user is authorized to access the requested resource.

LTPA is primarily a single sign-on (SSO) technique from Tivoli Access Manager for e-business to applications deployed on WebSphere Application Server (such as IBM Lotus Connections and Portal-based applications) and to Domino-based applications such as IBM Lotus QuickPlace®. WebSEAL encrypts the authenticated user's distinguished name (DN) from the configured registry, together with an expiry time, into an LTPA token and passes it to the back-end server as a cookie. The receiving server decrypts and validates the token with the shared LTPA keys and looks the DN up in its own configured user registry. For this to work, Tivoli Access Manager and the back-end applications must use the same user registry (the same directory and DN structure), and the LTPA keys must be shared between them.


Figure 12. Lightweight third party authentication Flow

For creating and exporting LTPA key required for Single Sign-On, open Websphere console and login.


Figure 13. WebSphere Application Server 6.1 console

In the left menu, open

Security->Secure administration, applications, and infrastructure as shown in "Fig 14"


Figure 14. Security Stanza

Click “Authentication mechanisms and expiration” in “Authentication” section as shown in "Fig 15"


Figure 15. Authentication mechanisms

In "Cross-cell single sign-on", specify a password and the fully qualified key file name, then click "Export keys" as shown in "Fig 16". Copy the exported LTPA key file from the Lotus Connections WebSphere Application Server to the Tivoli Access Manager WebSEAL server; it is required, together with the password you specified, when the junction is created. The file contains the keys with which LTPA cookies are signed and encrypted, so transfer it over a secure channel and restrict its permissions on the WebSEAL host.


Figure 16. Exporting LTPA key from WebSphere Application Server


Tivoli Access Manager WebSEAL configuration for Lotus Connections

This section shows the configuration needed for WebSEAL: junction configuration, importing users from LDAP, and the other required settings in the WebSEAL configuration file.

A junction allows WebSEAL to provide protective services on behalf of the back-end server. WebSEAL performs authentication and authorization checks on all requests for resources before passing those requests across a junction to the back-end server. Junctions also allow a variety of Single Sign-On solutions to the junctioned back-end applications.

You can create an LTPA-based junction from either the pdadmin command line or Web Portal Manager, using the command shown in "Fig 17".

Log in to the Tivoli Access Manager administrative command-line tool, pdadmin, as shown in "Fig 17".


Figure 17. WebSEAL junction with back-end Lotus Connections server

Junction details

WebSEAL server (webseald-server): default-webseald-abc.ibm.com

-A: enable LTPA cookies on the junction (required together with -F and -Z)

-F key_file: fully qualified LTPA key file name; -Z key_password: password for the LTPA key file

-h: fully qualified host name of the Lotus Connections server; -p: HTTP port of the Lotus Connections server
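As an added example, not code from the article or from IBM, the following POSIX shell script performs the junction creation above with pdadmin after checking the LTPA key file copied from WebSphere. The WebSEAL instance name and the -A/-F/-Z/-h/-p options are the ones listed above; the Lotus Connections host name and port, the key file path, the junction point "/" (so that the Connections context roots such as /blogs sit directly under it) and the two environment variable names are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): create the LTPA junction with pdadmin
# after checking the LTPA key file copied from WebSphere.  The host names, key
# file path, junction point "/" and the two environment variables are assumed;
# the WebSEAL instance name and the -A/-F/-Z/-h/-p options come from the article.
set -u

WEBSEALD="default-webseald-abc.ibm.com"   # WebSEAL instance named in the article
LC_HOST="lc.ibm.com"                       # assumed Lotus Connections host
LC_PORT="9080"                             # assumed WebSphere HTTP port
KEYFILE="/opt/pdweb/etc/ltpa.keys"         # assumed location of the exported keys
JUNCTION="/"                               # assumed: /blogs, /activities, ... sit under it

# Anyone who can read the key file can mint LTPA cookies for any WebSphere user,
# so refuse to use it unless it is a WebSphere export readable only by its owner.
check_keyfile() {
    f="$1"
    [ -r "$f" ] || { echo "key file $f not readable" >&2; return 1; }
    grep -q '^com.ibm.websphere.ltpa.3DESKey=' "$f" \
        || { echo "$f does not look like an exported WebSphere LTPA key file" >&2; return 1; }
    perms=$(ls -ld "$f" | cut -c1-10)      # works on AIX and Linux alike
    case "$perms" in
        -rw-------|-r--------) return 0 ;;
        *) echo "$f has permissions $perms; run: chmod 600 $f" >&2; return 1 ;;
    esac
}

# The pdadmin line: -A turns on LTPA cookies for the junction; -F and -Z name the
# key file and its export password; -h and -p point at the Connections server.
junction_command() {
    printf 'server task %s create -t tcp -h %s -p %s -A -F %s -Z %s %s\n' \
        "$WEBSEALD" "$LC_HOST" "$LC_PORT" "$KEYFILE" "$1" "$JUNCTION"
}

# Feed the command to pdadmin on stdin so the key password never appears in the
# process list (pdadmin's own -p password still does; run this on an admin host).
main() {
    : "${LTPA_KEY_PASSWORD:?password used when exporting the LTPA keys}"
    : "${SEC_MASTER_PW:?sec_master password}"
    check_keyfile "$KEYFILE" || exit 1
    junction_command "$LTPA_KEY_PASSWORD" | pdadmin -a sec_master -p "$SEC_MASTER_PW"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as sh lc-junction.sh --run with LTPA_KEY_PASSWORD and SEC_MASTER_PW set. The -t tcp junction matches the HTTP junction used in the article, but it means the LTPA cookie travels in clear between WebSEAL and WebSphere; on any network you do not fully control, use -t ssl with the WebSphere HTTPS port instead.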


The WebSEAL configuration for the Lotus Connections integration is summarized in the configuration options shown in "Fig 18". Complete details for setting these parameters in the WebSEAL configuration file can be found in the WebSEAL Administration Guide:

"IBM Tivoli Access Manager WebSEAL Adminstration Guide"

In the WebSEAL configuration file /opt/pdweb/etc/webseald-default.conf, modify the parameters described below for the Lotus Connections integration with WebSEAL.

Script filtering lets WebSEAL filter absolute URLs embedded in scripts such as JavaScript: WebSEAL rewrites absolute URLs that point at the back-end server into absolute URLs carrying the WebSEAL host, protocol and junction information. WebSEAL can create either TCP or SSL junctions, so make sure the junction time-outs configured for TCP and SSL junctions are large enough that long-running Lotus Connections requests never reach them. WebSEAL supports several authentication mechanisms, such as Basic Authentication, forms authentication and client certificate authentication.

The [filter-content-types] stanza lists the MIME types that WebSEAL filters in responses from junctioned servers. Administrators can add MIME types for documents that contain HTML or HTML-like content, so that responses of those content types from the Lotus Connections applications are filtered as well.


Figure 18. WebSEAL integration steps

Restart the WebSEAL server for the changes to take effect, using the command pdweb restart.

To test single sign-on between Lotus Connections and Tivoli Access Manager WebSEAL, import test users from LDAP (the user registry) into Tivoli Access Manager. Start pdadmin, log in with the command below, and then run the user import command shown in "Fig 19"; afterwards, confirm with user show that the imported account is valid, because an imported user who cannot log in to WebSEAL will not get an LTPA cookie:
login -a sec_master -p password


Figure 19. Importing user from LDAP using pdadmin command


Configure TAM ACLs for Lotus Connections

This section shows how to configure the Access Control Lists (ACLs) required to reach the Lotus Connections applications: creating the ACLs and attaching them to the relevant parts of the WebSEAL object space under "/WebSEAL/abc.ibm.com-default".

ACLs contain entries that control who can access which resources and perform which actions. An ACL entry defines a user or group and which actions each can perform against a protected object. A domain administrator can manage these ACL entries before or after the ACL policy is attached to domain resources. Any change to the ACL entry affects only the access that these users and groups have against a specific domain resource to which the ACL policy is attached.

The Atom feeds served by the Connections features must be protected with Basic Authentication, because most feed readers cannot complete forms-based authentication. In this step we instruct Tivoli Access Manager, through ACLs, to treat the Atom feed URLs as unprotected resources and pass those requests through to WebSphere Application Server, where the Lotus Connections features authenticate them as needed. Two things to check before relying on this: the junction must pass the client's Authorization header through to WebSphere (the default junction option, -b filter, removes it), and the unauthenticated ACL entries should be scoped as narrowly as possible to the feed URLs, because everything they cover is reachable without WebSEAL authentication.

To do so, you must define the Access Control List (ACL) and then attach these ACLs to the objectspaces or request patterns using the pdadmin command line utility.

Log in to the TAM command prompt using: pdadmin -a sec_master -p password


Figure 20. Creation of Access Control Lists

To attach the ACLs to the request patterns, enter the commands shown in "Fig 21". These ACL entries cover all the features of Lotus Connections (Blogs, Dogear, Profiles and Communities); add only the entries your own deployment requires.


Figure 21. Attaching Access Control Lists

Specify a dynamic URL pattern for the Blogs feeds by creating the dynurl configuration file, dynurl.conf. It is a plain-text file that maps protected object names to URL patterns. The file does not exist by default; when it is present at WebSEAL startup, it enables WebSEAL's dynamic URL capability. Create "dynurl.conf" in "/opt/pdweb/www-default/lib" (the location named by dynurl-map in the [system-environment] stanza of the WebSEAL configuration file).

Add the URL pattern for Blogs to the dynurl.conf file:

/blogs/blogsfeed /blogs/*/feed/*

The first column is the object name under the WebSEAL object space (here /WebSEAL/abc.ibm.com-default/blogs/blogsfeed) to which the feed ACL is attached; the second is the wildcard pattern matched against the request URI. Patterns are tried in file order and the first match wins, so list the most specific patterns first and keep them tight: any request that matches inherits the unauthenticated access granted to the feed object. After editing the file, restart WebSEAL or run pdadmin's server task ... dynurl update command to load it.
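As an added example, not code from the article or from IBM, the following Python models the WebSEAL authorization decision for the feed pass-through described in the two passages above: a request URI is mapped to a protected object (the first matching dynurl pattern, or the literal path), the governing ACL is found by walking up the object space, and the entry that applies to the request is evaluated; it also emits the pdadmin commands that create and attach the new ACL. The object-space root and the dynurl entry are the article's; the ACL names, the contents of the root ACL, a junction at "/" and the sample URLs are assumptions. It goes beyond the single Blogs line by showing ACL inheritance and the rule that unauthenticated requests get the intersection of the unauthenticated and any-other entries.

```python
"""Model of the WebSEAL authorization decision for the Lotus Connections feed
pass-through.  Added example, not IBM or WebSEAL code.  The object-space root
and the dynurl line come from the article; ACL names, the root ACL's contents,
the junction at "/" and the sample URIs are assumptions."""
import fnmatch

WEBSEAL_ROOT = "/WebSEAL/abc.ibm.com-default"   # object-space root named in the article

# dynurl.conf: "object url-pattern" per line; WebSEAL uses the first pattern that
# matches the request URI (query string included).  Constructed from the article's entry.
DYNURL = [
    ("/blogs/blogsfeed", "/blogs/*/feed/*"),
]

# ACL entries: name -> {entry: permission letters}.  Constructed; names assumed.
# "root-acl" stands in for whatever is attached at the object-space root
# (authenticated users may read, unauthenticated users may only traverse).
# "lc-feeds" lets unauthenticated requests through so WebSphere can issue its
# own Basic Authentication challenge to the feed reader.
ACLS = {
    "root-acl": {"unauthenticated": "T", "any-other": "Tr"},
    "lc-feeds": {"unauthenticated": "Tr", "any-other": "Tr"},
}
ATTACHMENTS = {
    WEBSEAL_ROOT: "root-acl",                        # assumed to exist already
    WEBSEAL_ROOT + "/blogs/blogsfeed": "lc-feeds",   # created by this integration
}
NEW_ACLS = ["lc-feeds"]


def to_object(request_uri):
    """Protected object for a request URI: first matching dynurl object, else the literal path."""
    for obj, pattern in DYNURL:
        if fnmatch.fnmatchcase(request_uri, pattern):
            return WEBSEAL_ROOT + obj
    return WEBSEAL_ROOT + request_uri.split("?", 1)[0]


def governing_acl(obj):
    """Nearest object at or above obj with an attached ACL; ACLs are inherited downwards."""
    node = obj
    while node not in ATTACHMENTS:
        if node == WEBSEAL_ROOT:
            raise LookupError("no ACL attached at the object-space root")
        node = node.rsplit("/", 1)[0]
    return ATTACHMENTS[node]


def effective_perms(acl_name, authenticated):
    """Permissions the ACL grants this request: an authenticated user without a
    user/group entry of its own gets any-other; an unauthenticated request gets
    the intersection of the unauthenticated and any-other entries."""
    acl = ACLS[acl_name]
    any_other = set(acl.get("any-other", ""))
    if authenticated:
        return any_other
    return set(acl.get("unauthenticated", "")) & any_other


def authorize(request_uri, authenticated):
    """Return (governing ACL name, allowed) for a GET: every ancestor object must
    grant traverse (T) and the target object itself must grant read (r)."""
    obj = to_object(request_uri)
    node = WEBSEAL_ROOT
    ancestors = [node]
    for part in obj[len(WEBSEAL_ROOT) + 1:].split("/")[:-1]:
        node = node + "/" + part
        ancestors.append(node)
    for anc in ancestors:
        if "T" not in effective_perms(governing_acl(anc), authenticated):
            return governing_acl(anc), False
    acl = governing_acl(obj)
    return acl, "r" in effective_perms(acl, authenticated)


def pdadmin_commands():
    """pdadmin lines that create and attach the new ACL (TAM 6.0 'acl' command syntax)."""
    lines = []
    for name in NEW_ACLS:
        lines.append(f"acl create {name}")
        for entry, perms in ACLS[name].items():
            lines.append(f"acl modify {name} set {entry} {perms}")
    for obj, name in ATTACHMENTS.items():
        if name in NEW_ACLS:
            lines.append(f"acl attach {obj} {name}")
    return lines


if __name__ == "__main__":
    for uri, authed in [("/blogs/acme/feed/entries/atom", False),
                        ("/blogs/home", False), ("/blogs/home", True)]:
        print(uri, "authenticated" if authed else "unauthenticated", authorize(uri, authed))
    print("\n".join(pdadmin_commands()))
```

The model makes the scoping point concrete: an unauthenticated GET of /blogs/acme/feed/entries/atom is resolved through dynurl to the feed object and allowed, while /blogs/home falls back to the literal path, inherits the root ACL, and is refused (WebSEAL would challenge the user). Because unauthenticated access is the intersection of the unauthenticated and any-other entries, both must carry r on the feed ACL for the pass-through to work.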



Accessing Lotus Connections through TAM via Single Sign-On

The figure below shows what happens when you first access the WebSEAL server: the browser displays a certificate warning, because this test environment uses WebSEAL's self-signed certificate. Accept the certificate to proceed (in Internet Explorer, click the second link, "Continue to this website (not recommended)"). In production, install a certificate issued by a CA your users' browsers trust, so that users are not trained to click through this warning.


Figure 22. Tivoli WebSEAL Certificate page

After accepting the WebSEAL self-signed certificate, enter your user credentials (user name and password) on the Tivoli Access Manager WebSEAL login page, as in "Fig 23", and click "Login".


Figure 23. Tivoli Access Manager for e-business Login page

After you enter the credentials on the WebSEAL login page shown in "Fig 23", you land on the Lotus Connections Communities page without a second login prompt: WebSEAL has issued the LTPA cookie, and WebSphere accepts it.


Figure 24. Lotus Connections Application page


Additional Information

Table 1. Software requirements for the integration

Supported operating system (server-side):
  Red Hat Enterprise Linux® ES release 4 (Nahant Update 4)
  Microsoft® Windows® 2003 Server, Standard Edition
  Microsoft Windows 2003 Server, Enterprise Edition
Supported operating system (client-side):
  Microsoft Windows XP Pro SP2
  SUSE Linux Enterprise Desktop
Supported Web browsers:
  1.) Microsoft Internet Explorer® 6.0 and later
  2.) Mozilla Firefox 2.0 (Windows and Linux)
Lightweight Directory Access Protocol (LDAP) server: IBM Tivoli Directory Server 6.0.0.3
Lotus Connections: IBM Lotus Connections 1.0.1
Database software:
  1.) IBM DB2 9.1 (requires the DB2 Daylight Saving Time fix pack)
  2.) Oracle Database 10g 10.2 (requires the 2007 Daylight Saving Time patch)
WebSphere Application Server V6.1 fix packs, which must be installed in the following order:
  * 6.1.0-WS-WAS-WinX32-FP0000003.pak
  * 6.1.0.3-WS-WAS-IFPK33090.pak
  * 6.1.0.3-WS-WAS-IFPK34390.pak
  * 6.1.0.3-WS-WAS-IFPK37124.pak
  * PK38815.pak
  * PK41516.pak

Conclusion

This article provides the steps for setting up single sign-on between Tivoli Access Manager for e-business V6.0 and IBM Lotus Connections 1.0.1 (a combination that is officially unsupported for this release). Lotus Connections 2.0 is available, and the same integration is possible and supported there, for managing the components of Lotus Connections effectively: helping you identify people within your enterprise who have specific knowledge on a topic, access qualified resources, and create blogs, all within a business setting. The article presented the key customer requirements and explained how and why we configured the integration this way.







Zone: Tivoli, Lotus
ArticleID: 339415