IBM Support

Configuring single sign-on for IBM Content Navigator by using IBM Security Access Manager for Web on WebSphere Application Server (FileNet P8)

Product Documentation


Abstract

This document contains the step-by-step instructions for configuring single sign-on (SSO) for IBM Content Navigator with a FileNet P8 repository by using IBM Security Access Manager for Web on WebSphere Application Server.

Content

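To configure single sign-on integration between IBM Security Access Manager for Web and IBM Content Navigator, you must complete the pre-deployment tasks, configure and deploy IBM Content Navigator with Security Access Manager for Web, and then verify the deployment, as described in the steps that follow.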

Before you begin
Ensure that you have the appropriate prerequisite software installed and configured in your environment.

If you plan to use IBM Security Access Manager for Web for SSO, you must be aware of the following restriction:
  • You can use IBM Content Navigator to connect only to IBM FileNet P8 repositories. If you configure the IBM Content Navigator web application to connect to IBM Content Manager or IBM Content Manager OnDemand repositories, you cannot use single sign-on.

Important: The following applications and components that might be part of your environment are not supported by IBM Security Access Manager for Web SSO:
  • IBM Content Navigator Sync client and sync services
  • IBM Content Navigator for Microsoft Office

If you are planning to use these components in your environment, you must configure and deploy IBM Content Navigator as a non-SSO application or deploy IBM Content Navigator in an SSO environment that supports these features, such as Kerberos/SPNEGO SSO.
For the latest support information, see the Hardware and software requirements for IBM Content Navigator for your installed version of IBM Content Navigator.

Step 1 - Complete the pre-deployment tasks

    1. Install and configure IBM Security Access Manager for Web by using the IBM Security Access Manager for Web V7.0 Installation Guide. For more information, see IBM Security Access Manager for Web Version 7.0 Knowledge Center.
      • You must install the following Access Manager for Web components:
        • Base system components
        • WebSEAL
    2. Install and configure the Security Access Manager Runtime for Java component on the application server where you plan to install and deploy Content Navigator. For installation instructions for the Security Access Manager Runtime for Java component, see the Security Access Manager Knowledge Center.
      • HA systems: Install the Security Access Manager Runtime for Java component on the Network Deployment Manager server and on each node in the cluster if they reside on separate servers.
        • After you install Access Manager Runtime for Java, you must configure it for use within the current Java Runtime Environment (JRE). To do so, run the pdjrtecfg command on each application server in the cluster.
        • Refer to Security Access Manager Utilities in the IBM Security Access Manager Knowledge Center and to the WebSphere Application Server Knowledge Center for further details and the exact options applicable to your environment.
        • For the Java application server to communicate with the Policy Server, and for the Trust Association Interceptor (TAI) to establish trust for a request, the SvrSslCfg utility must be run on each application server in the cluster with the config action and the cfg_action create option. This creates the PDPerm.properties file on each application server.
        • For more information and details on how to run the SvrSslCfg utility, see the WebSphere Application Server Knowledge Center.
    3. Install and configure IBM FileNet P8 Content Engine. See Product Documentation for FileNet P8 for more information.
    4. Install IBM Content Navigator. See Planning, Installing, and Configuring IBM Content Navigator for installation instructions. Do not deploy IBM Content Navigator.

Step 2 - Configure and deploy IBM Content Navigator with Security Access Manager for Web

  • Complete the following tasks:
    1. Create two junctions, one for IBM Content Navigator and one for the integrated help system using the server task pdadmin command on the Tivoli Access Manager WebSEAL server. For more information about the syntax and the options that you use to create a junction, see the server task create entry in the WebSEAL Administration in Security Access Manager Knowledge Center.

      Important: When you create the junctions, keep the following information in mind:
      • IBM Content Navigator and the integrated help system support only transparent junctions.
      • HA systems: When you specify the IBM Content Navigator host name, specify the HTTP Server name. When you specify the port number, specify port 80.
        1. To create the IBM Content Navigator junction, run the following command:
           pdadmin> server task default-webseald-ISAM_Server create -t tcp -h IBM_Content_Navigator_host_name -p port_number -c iv_creds,iv_user,iv_user_l -b supply -x /navigator
          • High Availability systems:
            pdadmin> server task default-webseald-ISAM_Server create -t tcp -h HTTP_host_name -p port_number -c iv_creds,iv_user,iv_user_l -b supply -x /navigator

           For example:
           pdadmin> server task default-webseald-abc.net.com create -t tcp -h xyz.net.com -p 9080 -c iv_creds,iv_user,iv_user_l -b supply -x /navigator
          • High Availability systems:
            pdadmin> server task default-webseald-abc.net.com create -t tcp -h xyz.net.com -p 80 -c iv_creds,iv_user,iv_user_l -b supply -x /navigator
        2. To create the integrated help system junction, run the following command:
           pdadmin> server task default-webseald-ISAM_Server create -t tcp -h IBM_Content_Navigator_host_name -p port_number -x /wcdocs

           For example:
           pdadmin> server task default-webseald-abc.net.com create -t tcp -h xyz.net.com -p 9080 -x /wcdocs
    2. Run the IBM Content Navigator Configuration and Deployment Tool and create a new deployment profile for WebSphere Application Server.

      Run all of the configuration and deployment tasks that apply to your system. For more information, see Configuring and deploying IBM Content Navigator (http://www.ibm.com/support/knowledgecenter/SSEUEX_2.0.3/com.ibm.installingeuc.doc/eucde000.htm).
      • When you run the Configure the IBM Content Navigator Web Application task, ensure that you select Application server authentication for the IBM Content Navigator authentication option.
    3. Optional: WebSEAL has an option that helps protect against cross-site scripting, which is a common security problem for web servers, by marking cookies HTTPOnly so that client-side scripts cannot read them. To enable this option, add the HTTPOnly attribute to the Failover Set-Cookie headers and change the value of use-http-only-cookies in the server stanza of the WebSEAL configuration file to yes. The WebSEAL default value is use-http-only-cookies=no.
    4. Restart the application server where IBM Content Navigator is deployed. Restart the WebSEAL server instance.
    • Note: IBM Content Navigator configured with Security Access Manager and WebSEAL SSO now supports ISAM form-based authentication. You can now log in to the Navigator desktop by using the ISAM login form.
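
A way to check the optional HTTPOnly setting from step 3 after the restart, as an added example that is not IBM code. It assumes the server stanza is written as [server] in the configuration file and that response headers from a request through the junction have been saved to a file; the file names, the [other] stanza, placeholder-key, and the cookie names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not IBM code: audit the HTTPOnly cookie setting from step 3.

# Print the value of use-http-only-cookies in the [server] stanza of a
# WebSEAL configuration file, or "no" (the default) when it is not set there.
# Assumption: if the key is repeated, the last entry is the one reported.
http_only_setting() {
    awk '
        /^[ \t]*#/  { next }                                  # comment line
        /^[ \t]*\[/ { in_server = ($0 ~ /^[ \t]*\[server\]/); next }
        in_server && /^[ \t]*use-http-only-cookies[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, "")
            value = tolower($0)
        }
        END { print (value == "" ? "no" : value) }
    ' "$1"
}

# Print the name of every cookie in a saved set of response headers whose
# Set-Cookie line lacks the HttpOnly attribute.
cookies_missing_http_only() {
    awk '
        tolower($0) ~ /^set-cookie:/ && tolower($0) !~ /;[ \t]*httponly/ {
            sub(/^[^:]*:[ \t]*/, ""); sub(/=.*/, ""); print
        }
    ' "$1"
}

# Constructed sample inputs: the [other] stanza, placeholder-key, and the
# cookie names are placeholders, not values from a real WebSEAL instance.
sample_dir=$(mktemp -d)
printf '%s\n' '[other]' 'use-http-only-cookies = yes' '[server]' \
    '# use-http-only-cookies = yes' 'placeholder-key = 1' \
    > "$sample_dir/default.conf"
printf '%s\n' '[server]' 'placeholder-key = 1' \
    '  use-http-only-cookies =  Yes  ' > "$sample_dir/hardened.conf"
printf '%s\r\n' 'HTTP/1.1 200 OK' \
    'Set-Cookie: SESSION_PLACEHOLDER=abc; Path=/; Secure; HttpOnly' \
    'Set-Cookie: FAILOVER_PLACEHOLDER=def; Path=/' > "$sample_dir/headers.txt"

echo "default.conf:  $(http_only_setting "$sample_dir/default.conf")"
echo "hardened.conf: $(http_only_setting "$sample_dir/hardened.conf")"
echo "cookies without HttpOnly: $(cookies_missing_http_only "$sample_dir/headers.txt")"
```

A commented-out entry or an entry under a different stanza leaves the default in effect, which is why the first sample reports no.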

Step 3 - Verify your deployment of IBM Content Navigator with Security Access Manager

  • To verify the deployment:

    Important: You must provide the Security Access Manager credentials to access the navigator desktop.

    Note: Logging in to IBM Content Navigator repositories from the admin desktop is manual; repositories are not logged in to automatically as part of SSO.

    In a web browser, enter a URL with the following format: http://ISAM_Server/context_root
    The default context root is navigator. For example, http://ISAM_Server_name/navigator


Document Information

Modified date: 28 January 2020

UID: swg27042202