Configuring SSO between Connections Docs, File Viewer and WebSEAL

After you configure SSO between IBM Connections and WebSEAL, you must then configure Connections Docs, IBM® File Viewer and WebSEAL.

About this task

The following steps assume that Connections Docs and IBM Connections are in the same cell.

Procedure

  1. Ensure that the WebSEAL, IBM HTTP Server, IBM Connections, Connections Docs, and Document Format Conversion servers can ping each other.
  2. Optional: Import Active Directory users to Tivoli® Access Manager.
    Note: If you already imported the users to Tivoli when you configured IBM Connections, you do not need to repeat it.

    Launch pdadmin and log in:

    1. Import the user:

      user import -gsouser user-id user-full-dn

      For example: user import -gsouser test2 "cn=test2,ou=org1,dc=cn,dc=ibm,dc=com"

    2. Validate the user:

      user modify user-id account-valid yes

      For example: user modify test2 account-valid yes

  3. Create transparent path junctions for the /docs, /docs/rtc, and /viewer URLs:
    1. Launch pdadmin, log in to the WebSEAL server, and run the following commands:

      server task WebSEAL-instance-name create -t ssl -h backend-server-name -x -p backend-server-port -i -b ignore -f -A -2 -F ltpa-token -Z ltpa-password -k /docs

      server task WebSEAL-instance-name create -t ssl -h backend-server-name -x -p backend-server-port -i -b ignore -f -A -2 -F ltpa-token -Z ltpa-password -k -l soft-worker-limit -L hard-worker-limit /docs/rtc

      server task WebSEAL-instance-name create -t ssl -h backend-server-name -x -p backend-server-port -i -b ignore -f -A -2 -F ltpa-token -Z ltpa-password -k /viewer

      Where:

      • WebSEAL-instance-name is the name of the WebSEAL server.

      • backend-server-name is the domain name of the IBM Connections server for which Tivoli Access Manager is managing authentication, for example, IBM HTTP Server configured for IBM Connections.
      • backend-server-port is the port that is used by the backend server.
      • ltpa-token is the name of the file that you created to store the keys that you exported from WebSphere® Application Server.
      • ltpa-password is the password that you defined to encrypt the key file.
      • soft-worker-limit is the value (percent) on the junction that defines the soft limit for consumption of worker threads.
      • hard-worker-limit is the value (percent) on the junction that defines the hard limit for consumption of worker threads. As in the global hard limit setting, this option causes warning messages to be issued when the junction tries to consume more worker threads than allowed by the setting. In addition, the user is sent a 503 "Service Unavailable" message.
      For example:

      server task default-webseald-server.name.example.com create -t ssl -h another.server.name.example.com -x -p 443 -i -b ignore -f -A -2 -F C:\WAS7_ltpa.keys -Z password /docs

      server task default-webseald-server.name.example.com create -t ssl -h another.server.name.example.com -x -p 443 -i -b ignore -f -A -2 -F C:\WAS7_ltpa.keys -Z password -l 40 -L 80 /docs/rtc

      server task default-webseald-server.name.example.com create -t ssl -h another.server.name.example.com -x -p 443 -i -b ignore -f -A -2 -F C:\WAS7_ltpa.keys -Z password /viewer

      The /docs/rtc junction is used for long polling during co-editing. Each Rational Team Concert request holds a connection (a worker thread) open in WebSEAL, so a separate junction with its own worker limits is needed to keep those requests from exhausting the threads that serve the other junctions.

  4. Attach the default ACL for the created transparent path junction.

    acl attach /WebSEAL/tam_server-WebSEAL_instance/docs lc3-default-acl

    acl attach /WebSEAL/tam_server-WebSEAL_instance/viewer lc3-default-acl

    Where:
    • tam_server is the host name of the Tivoli Access Manager server
    • WebSEAL_instance is the name of the instance of the WebSEAL server that is configured to manage IBM Connections, for example, default
    • lc3-default-acl is the access control list (ACL) that you defined in step 6 of Enabling single sign-on for Tivoli Access Manager when you configured IBM Connections, for example, acl attach /WebSEAL/tam.example.com-default/docs example-default-acl.
  5. Attach the by-pass ACL for the created transparent path junction:

    acl attach /WebSEAL/tam_server-WebSEAL_instance/docs/version.txt ic-bypass-acl

    acl attach /WebSEAL/tam_server-WebSEAL_instance/viewer/version.txt ic-bypass-acl

    Where:
    • tam_server is the host name of the Tivoli Access Manager server
    • WebSEAL_instance is the name of the instance of the WebSEAL server that is configured to manage IBM Connections, for example, default
    • object-path is the path to the resource on that domain; here it is /docs/version.txt and /viewer/version.txt
    • ic-bypass-acl is the access control list that you defined in step 7 of Enabling single sign-on for Tivoli Access Manager when you configured IBM Connections, for example, acl attach /WebSEAL/example.com-default/docs/version.txt example-bypass-acl and acl attach /WebSEAL/example.com-default/viewer/version.txt example-bypass-acl.
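The three junction commands and the four ACL attachments in steps 3 to 5 share every parameter except the path, so they are easy to mistype when assembled by hand. The following script is an added example, not part of the IBM documentation or of pdadmin: it only builds the command text from one set of settings, checks the few constraints the flags imply (absolute junction paths, a valid port, soft and hard worker limits given as a percentage pair with soft <= hard), and redacts the LTPA passphrase when the commands are printed for review. All host names, the key-file path, the passphrase and the ACL names in the sample are constructed placeholders.

```python
"""Generate the pdadmin command lines for the Connections Docs / File Viewer
junctions and ACL attachments. Added example; it does not invoke pdadmin,
it produces text to review and then paste into a pdadmin session."""
from dataclasses import dataclass


@dataclass(frozen=True)
class JunctionSettings:
    webseal_instance: str   # WebSEAL-instance-name, e.g. default-webseald-<host>
    backend_host: str       # backend-server-name (IBM HTTP Server for Connections)
    backend_port: int       # backend-server-port
    ltpa_keyfile: str       # ltpa-token: the exported WebSphere LTPA key file
    ltpa_password: str      # ltpa-password: passphrase that encrypts that file
    tam_server: str         # tam_server: Tivoli Access Manager host name
    instance_name: str      # WebSEAL_instance, e.g. "default"


def junction_command(s, path, soft_limit=None, hard_limit=None):
    """Return one 'server task ... create' line. Worker limits are optional
    and only valid as a pair of percentages with soft <= hard."""
    if not path.startswith("/"):
        raise ValueError("junction path must be absolute: " + path)
    if not 0 < s.backend_port < 65536:
        raise ValueError("backend port out of range")
    if (soft_limit is None) != (hard_limit is None):
        raise ValueError("soft and hard worker limits must be given together")
    args = ["server", "task", s.webseal_instance, "create", "-t", "ssl",
            "-h", s.backend_host, "-x", "-p", str(s.backend_port),
            "-i", "-b", "ignore", "-f", "-A", "-2",
            "-F", s.ltpa_keyfile, "-Z", s.ltpa_password, "-k"]
    if soft_limit is not None:
        if not 0 <= soft_limit <= hard_limit <= 100:
            raise ValueError("worker limits must be percentages with soft <= hard")
        args += ["-l", str(soft_limit), "-L", str(hard_limit)]
    args.append(path)
    return " ".join(args)


def junction_plan(s, rtc_soft=40, rtc_hard=80):
    """The three junctions of step 3; only /docs/rtc carries worker limits."""
    return [junction_command(s, "/docs"),
            junction_command(s, "/docs/rtc", rtc_soft, rtc_hard),
            junction_command(s, "/viewer")]


def acl_commands(s, default_acl, bypass_acl):
    """Steps 4 and 5: default ACL on /docs and /viewer, bypass ACL on the
    version.txt object of each junction."""
    base = f"/WebSEAL/{s.tam_server}-{s.instance_name}"
    cmds = [f"acl attach {base}/{obj} {default_acl}" for obj in ("docs", "viewer")]
    cmds += [f"acl attach {base}/{obj}/version.txt {bypass_acl}" for obj in ("docs", "viewer")]
    return cmds


def redacted(cmd, s):
    """The -Z argument is the key-file passphrase; never log it verbatim."""
    return cmd.replace(s.ltpa_password, "********")


# Constructed sample settings (placeholders, not a real deployment).
SAMPLE = JunctionSettings(
    webseal_instance="default-webseald-webseal.example.com",
    backend_host="ihs.example.com",
    backend_port=443,
    ltpa_keyfile="C:\\WAS7_ltpa.keys",
    ltpa_password="placeholder-passphrase",
    tam_server="tam.example.com",
    instance_name="default",
)

if __name__ == "__main__":
    for cmd in junction_plan(SAMPLE) + acl_commands(SAMPLE, "example-default-acl", "example-bypass-acl"):
        print(redacted(cmd, SAMPLE))
```

Run it once, compare the redacted output against the commands in step 3, and only then paste the unredacted lines into pdadmin; keeping the passphrase out of the review copy means it does not end up in tickets or shell history.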
  6. Revise the webseald.conf file to allow large POST requests and special characters:

    Open the webseald.conf file and add the following parameters:

    dynurl-allow-large-posts = yes

    suppress-dynurl-parsing-of-posts = yes

  7. Change server_url in concord-config.json for the Connections Docs nodes:
    1. Find the configuration file concord-config.json on the Connections Docs node.
    2. Find the following section:
      {
        "id" : "lcfiles",
        "class" : "com.ibm.concord.lc3.repository.LCFilesCMISRepository",
        "config" :
        {
          "server_url" : "https://renovations.ibm.com/files",
          "j2c_alias" : "connectionsAdmin"
        }
      },

      Change the host name in server_url to the WebSEAL host name. The host name must match the interService URL values in the LotusConnections-config.xml file.

    3. Find the following section:
      {
        "id":"com.ibm.concord.platform.auth",
        "class":"com.ibm.concord.platform.auth.AuthenticationComponentImpl",
        "config":
        {
          "adapter":
          {
            "class":"com.ibm.concord.lc3.auth.LotusConnectionsAuth",
            "config" : {
              "auth_type": "TAM",
              "auth_host": "https://renovations.com"
            }
          }
        }
      },

      Revise or add the variables. The value of auth_type is "TAM", and the value of auth_host is the WebSEAL host name.

    4. Restart the Connections Docs server or cluster.
  8. Change server_url in viewer-config.json for the File Viewer nodes:
    1. Find the configuration file viewer-config.json on the File Viewer node.
    2. Find the following section:
      {
        "id":"com.ibm.concord.viewer.platform.auth",
        "class":"com.ibm.concord.viewer.platform.auth.AuthenticationComponentImpl",
        "config":
        {
          "adapter":
          {
            "class":"com.ibm.concord.viewer.lc3.auth.LotusConnectionsAuth",
            "config" :
            {
              "auth_type": "FORM",
              "auth_host": "https://renovations.com"
            }
          }
        }
      },

      Revise or add the variables. The value of auth_type is "TAM", and the value of auth_host is the WebSEAL host name.

    3. Restart the File Viewer server or cluster.
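Steps 7 and 8 edit the same three fields in two JSON files and, for concord-config.json, require the new server_url host to agree with the interService URLs in LotusConnections-config.xml. The script below is an added example, not IBM's tooling: it locates each component by searching the parsed JSON for an object with the matching "id" (so the top-level layout of the file does not matter), swaps only the host of server_url, sets auth_type to "TAM" and auth_host to the WebSEAL origin, and refuses to proceed when the WebSEAL host is not among the interService hosts. The sample configs, the trimmed LotusConnections-config.xml fragment (assumed to carry each interService URL in an href attribute) and the host webseal.example.com are constructed placeholders.

```python
"""Rewrite concord-config.json and viewer-config.json for WebSEAL SSO.
Added example; component names come from the documentation, the sample
data and the WebSEAL host name are constructed placeholders."""
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit


def find_component(node, component_id):
    """Depth-first search for the dict whose "id" equals component_id."""
    if isinstance(node, dict):
        if node.get("id") == component_id:
            return node
        children = node.values()
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        found = find_component(child, component_id)
        if found is not None:
            return found
    return None


def replace_host(url, new_host):
    """Swap only the host; scheme and path (for example /files) are kept."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, new_host, p.path, p.query, p.fragment))


def interservice_hosts(lcc_xml):
    """Hosts of every interService href in LotusConnections-config.xml,
    matched on the local tag name so the namespace prefix is irrelevant."""
    hosts = set()
    for elem in ET.fromstring(lcc_xml).iter():
        if elem.tag.rsplit("}", 1)[-1] == "interService" and elem.get("href"):
            hosts.add(urlsplit(elem.get("href")).hostname)
    return hosts


def set_tam_auth(config, component_id, webseal_host):
    """Point the adapter of the given auth component at WebSEAL."""
    comp = find_component(config, component_id)
    if comp is None:
        raise KeyError("component not found: " + component_id)
    adapter_cfg = comp.setdefault("config", {}).setdefault("adapter", {}).setdefault("config", {})
    adapter_cfg["auth_type"] = "TAM"
    adapter_cfg["auth_host"] = "https://" + webseal_host
    return adapter_cfg


def rewrite_docs_config(config, webseal_host, lcc_xml):
    """Step 7: validate against LotusConnections-config.xml first, then edit."""
    if webseal_host not in interservice_hosts(lcc_xml):
        raise ValueError(webseal_host + " is not an interService host in LotusConnections-config.xml")
    files = find_component(config, "lcfiles")
    if files is None:
        raise KeyError("component not found: lcfiles")
    files["config"]["server_url"] = replace_host(files["config"]["server_url"], webseal_host)
    set_tam_auth(config, "com.ibm.concord.platform.auth", webseal_host)
    return config


def rewrite_viewer_config(config, webseal_host):
    """Step 8: the viewer file only needs the auth adapter changed."""
    set_tam_auth(config, "com.ibm.concord.viewer.platform.auth", webseal_host)
    return config


# Constructed samples mirroring the sections quoted in steps 7 and 8.
DOCS_CONFIG_JSON = """[
  {"id": "lcfiles", "class": "com.ibm.concord.lc3.repository.LCFilesCMISRepository",
   "config": {"server_url": "https://renovations.ibm.com/files", "j2c_alias": "connectionsAdmin"}},
  {"id": "com.ibm.concord.platform.auth",
   "class": "com.ibm.concord.platform.auth.AuthenticationComponentImpl",
   "config": {"adapter": {"class": "com.ibm.concord.lc3.auth.LotusConnectionsAuth",
                          "config": {"auth_type": "FORM", "auth_host": "https://renovations.com"}}}}
]"""
VIEWER_CONFIG_JSON = """[
  {"id": "com.ibm.concord.viewer.platform.auth",
   "class": "com.ibm.concord.viewer.platform.auth.AuthenticationComponentImpl",
   "config": {"adapter": {"class": "com.ibm.concord.viewer.lc3.auth.LotusConnectionsAuth",
                          "config": {"auth_type": "FORM", "auth_host": "https://renovations.com"}}}}
]"""
# Constructed, trimmed LotusConnections-config.xml fragment (placeholder host).
LCC_XML = """<tns:config xmlns:tns="http://www.ibm.com/xmlns/prod/sn"
  xmlns:sloc="http://www.ibm.com/xmlns/prod/sn/serviceReference">
  <sloc:serviceReference serviceName="files">
    <sloc:href><sloc:interService href="https://webseal.example.com"/></sloc:href>
  </sloc:serviceReference>
</tns:config>"""


def sample_docs_config():
    return json.loads(DOCS_CONFIG_JSON)


def sample_viewer_config():
    return json.loads(VIEWER_CONFIG_JSON)


if __name__ == "__main__":
    print(json.dumps(rewrite_docs_config(sample_docs_config(), "webseal.example.com", LCC_XML), indent=2))
    print(json.dumps(rewrite_viewer_config(sample_viewer_config(), "webseal.example.com"), indent=2))
```

Because the check against the interService hosts runs before any field is touched, a mismatched host leaves both files unchanged; that is the failure mode to catch here, since a server_url that disagrees with LotusConnections-config.xml sends Docs to a host that WebSEAL is not fronting.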