Topic
5 replies Latest Post - ‏2014-09-23T18:30:07Z by asadkamal
Ankush Jain
Ankush Jain
7 Posts
ACCEPTED ANSWER

Pinned topic ICA POP-UP while loging into ICN

‏2013-04-25T07:03:18Z |

Greetings,

We have configured ICA 3.0.1 Plugin in ICN 2.0.1 for Enterprise Search.

After configuring ICA plugin in ICN,  we are getting the attached popup viz. "Authentication Required" of ICA every time we logs into ICN. As shown in the attached screenshot. We  then again inputs the credentials in the pop up and after that ICA works fine until next browser/login session when this pop up appears again.

The ICA 3.0.1 was installed using embedded Web Application Server i.e. "Jetty" by us as a single server installation.The Product number of  IBM Content Analytics with Enterprise Search v3.0 Windows Multilingual which we have use to deploy on our servers is "CI73MML" . We think that we have deployed bundled  version of ICA with ICN and followed all the instruction as listed in IBM Info center.

Also the "Fix pack 001" of ICA was installed on top of it at the time of installation.

We have deployed following components of FileNet on the same server where ICA and ICN deployed.
                                                                      
IBM WebSphere Application Server 7.0.0.23                              
FileNet Content manager 5.1 ----- WAS Profile 1                        
FileNet Navigator 2.0.1-------------- WAS Profile 1                    
FileNet WorkplaceXT 1.1.5.1------- WAS Profile 2                       
IBM Content Analytics 3.0.1--------- Jetty                                              
Database-------------------------------- DB2 9.7.5        
                                                      
Also, we will be using existing Microsoft AD. 

Can you please suggest the resolution for not getting the Pop-up?

Thanks & Regards,

Ankush Jain

Attachments

  • djc664
    djc664
    20 Posts
    ACCEPTED ANSWER

    Re: ICA POP-UP while loging into ICN

    ‏2013-04-25T15:47:21Z  in response to Ankush Jain

    Couple of qualifying questions:

    Are you using SSO within ICN?

    Does you have collection that has security enabled from SSO?

    IF SO - did you enable SSO between the collector agent for ICA 3.0.1 and FCM 5.1?

    • Ankush Jain
      Ankush Jain
      7 Posts
      ACCEPTED ANSWER

      Re: ICA POP-UP while loging into ICN

      ‏2013-04-26T07:12:19Z  in response to djc664

      Hello Dominic,

      Thanks for the prompt reply.

      The answer of your question are as under:

      Are you using SSO within ICN?

      No, we are not using any SSO within ICN.

      Does you have collection that has security enabled from SSO?

      No collection is created that has security enabled from SSO.

      But we had a collection that has security enabled "not from SSO". Now we have deleted that Collection from ICA 3.0.1 and we are still getting that POP-UP in ICN.

      Please guide us to do the right configuration.

      Thanks & Regards

      Ankush Jain

  • djc664
    djc664
    20 Posts
    ACCEPTED ANSWER

    Re: ICA POP-UP while loging into ICN

    ‏2013-04-26T13:39:54Z  in response to Ankush Jain

    General Notes:

    • From my experience, this connection with the ICA Add-on in ICN is brand new to the ICA team, and as such this is a bit of uncharted territory on all sides.
    • If you are configured to use more than one directory target for authentication, you cannot use Jetty to do this - you would have to deploy ICA via Websphere's HTTP add-on.

    The prompt you're getting would allow you to provide specific credentials for the collections related to the plug-in. However, I am assuming you want the AD credentials you are using for ICN to be used to log into ICA, and provide you whatever access to collections that credential grants you.

    Full instructions are here. Read through this just to make sure you're not missing something. http://www-01.ibm.com/support/docview.wss?uid=swg27023986

    Here's an overview of the steps involved:

    You want to use the cookie that ICN makes to "pass" through ICA. To do that, you need to make sure that the LTPA key made from the profile CE is deployed in is imported into the Jetty server.

    You will also need to ensure that the cookie is using the FQDN for the address (i.e. cetest.DOMAIN.COM) so that the cookie will be able to pass "DOMAIN.COM". When you go to http://cetest.DOMAIN.COM:9080/navigator) it will set the cookie for DOMAIN.COM using the LTPA key. That then gets picked up by ICA and is authorized by the LTPA key you imported.

    I recommend using the /snoop page to test if the cookie is being set correctly. Also, take it one step at a time. Don't try to configure all parts and only test the same page you screenshot - follow the instructions in the link to test each piece. It can get really complicated over nothing if you don't break it down from the start.

    A point of concern, though - I don't see the Quick Search field on the top banner of ICN for the desktop shown, which should have shown up when you enabled the add-on in your desktop. You may want to make sure to test this on the defaults-only desktop in ICN first as well.

    • Ankush Jain
      Ankush Jain
      7 Posts
      ACCEPTED ANSWER

      Re: ICA POP-UP while loging into ICN

      ‏2013-05-01T05:58:38Z  in response to djc664

      Hi Dominic,
      thanks, that was the solution.

      The LTPA connection has worked for me. Now it works fine: Jetty with SSO with an LTPA-Token from a WAS.

      The link that you shared with us missing a step i.e. I have to Generate the key in ICA then have to import WAS key in it.

      The Following steps that has to taken care of:

      - Generate LTPA key store: Go to Security > Configure Security Application Settings:
      - Check "Use LTPA tokens for application single sign-on"
      - Fill in "Cookie Domain name" info (Make sure you put a period in front ex: cetest.example.com)
      - Make sure "LTPA interoperability mode" is checked
      - Click on "Generate Key" button to create LTPA store. You will be prompt to enter password. Enter password. Make sure that esltpa.jceks is created under <es_NodeRoot>/master_config.

      - Import the LTPA key(generated from WAS earlier): Go to security > Configure Security Application Settings:
      - Make sure the Cookie Domain name is filled in (ex: cetest.example.com)
      - Make sure "LTPA interoperability mode" is checked
      - Fill in "Additional Domain Name" info. That should be the realm name in my WebSphere server setting(My scenario) (ex: CETEST:389)
      - Type in the path of the key (ex: c:\ltpa.key) and password when prompt.
      - You should see "The specified LTPA token was successfully imported" check.
             Now it's clear

      Best Regards

      Ankush Jain

      Attachments

    • asadkamal
      asadkamal
      1 Post
      ACCEPTED ANSWER

      Re: ICA POP-UP while loging into ICN

      ‏2014-09-23T18:30:07Z  in response to djc664

      Hi there folks, Im running in to the same issue the only difference being that I do have SSO on ICN. I have a few questions regarding he cookie domain setting. By default in WAS that field is empty, do I have to populate it with cehostname.domain.com ?

       

      Regards

      Asad