Config SSO IBM WebSphere Portal and Domino


8/10/2019 Config SSO IBM WebSphere Portal and Domino

Configuring single sign-on (SSO) between IBM WebSphere Portal and IBM Lotus Domino

Charles Price
IBM Software Group, Advisory Software Engineer, Domino Portal Integration
Atlanta, GA USA

June 2009

Copyright International Business Machines Corporation 2009. All rights reserved.

Editor's Note: This white paper is the second in a three-part series on SSO to be published over the next month or so. See the previous paper, "Understanding single sign-on (SSO) between IBM® WebSphere® Portal and IBM Lotus® Domino®."

Abstract: This paper is designed to help administrators who have a good grasp of how SSO works and want an in-depth explanation of what steps are necessary to configure SSO between IBM® WebSphere® Portal and IBM Lotus® Domino®. It also explains how to verify that SSO is working correctly.

Table of Contents

1 Introduction ........................................................................ 2
2 Configure SSO between WebSphere Portal and Lotus Domino .................................. 2
2.1 Export the LTPA key file from WebSphere Portal ........................................ 2
2.2 Import the LTPA key file into Lotus Domino ............................................ 5
2.3 Configure the Domino server to support multi-server SSO .............................. 10
2.4 Disable token regeneration (version 6.1.x) .......................................... 12
2.5 Synchronize the directories ......................................................... 13
3 Testing SSO between WebSphere Portal and Lotus Domino ................................. 21
4 Conclusion .......................................................................... 24
5 Resources ........................................................................... 24
6 About the author ..................................................................... 24


1 Introduction

If you have read the developerWorks white paper, Understanding single sign-on (SSO) between IBM® WebSphere® Portal and IBM Lotus® Domino®, you should have a good understanding of how SSO works between WebSphere Portal and Lotus Domino. Now you are ready to configure SSO in your environment. This paper walks you through the steps to do that and how to test that SSO is working correctly.

2 Configure SSO between WebSphere Portal and Lotus Domino

Configuring SSO between WebSphere Portal and Lotus Domino is a four-step process, but before you can begin, security must be enabled on WebSphere Portal. (If it has not been enabled, do that before continuing here.)

The basic steps are as follows:

1. Export the Lightweight Third-party Authentication (LTPA) key file from WebSphere Portal.
2. Import the LTPA key file into Lotus Domino.
3. Configure the Domino server to support multi-server SSO.
4. (For version 6.1 only) Disable WebSphere Portal from regenerating the key files every 90 days.

In the following sections we go into more detail on exactly what happens during these steps.

2.1 Export the LTPA key file from WebSphere Portal

A common question we get here is, Why do I need to export the key file from WebSphere Portal? If I already have a number of Domino servers with SSO configured between them, can't I just use that key file and import it into WebSphere Portal?

The answer is no: there is no way to export an LTPA key file from the Domino server; you can only import it. So for SSO to work with any WebSphere Application Server-based product, you must export the key file from WebSphere Portal and import it into Lotus Domino.

To do this, follow these steps:

For WebSphere Portal 6.1.x

1. Open a browser to the WebSphere Application Server Admin console (for example, https://dpi-dev.atlanta.ibm.com:10001/ibm/console in our environment), and select Security > Secure administration, applications, and infrastructure.

2.


Figure 1. Security Configuration page showing Export keys (for 6.1)

3. Enter a password and file path on the Portal server where the key file will be saved, and then click the Export keys button.

NOTE: DO NOT click the Generate keys button near the top of the page. This changes the current keys used by WebSphere Portal and will cause problems when trying to get SSO to work.

If you clicked Generate keys, restart WebSphere Portal and server1, then come back to this page and export the key file to ensure the key file you are exporting is the same one WebSphere Portal will be using going forward.

4. You should see a message such as "The keys were successfully exported to the file …", followed by the path you entered.

5. Click OK and click the Save link (see figure 2).

Figure 2. Save changes

At this point you are ready to import the key file into Lotus Domino; skip to the next section for those details.

For WebSphere Portal 6.0.x

1. Open a browser to the WebSphere Application Server Admin console (for example, https://dpi-portal-1.atlanta.ibm.com:10039/ibm/console in our environment), and select Security > Global Security.

2.


Figure 3. Security Configuration page showing password, Export keys (for 6.0)

6. You should see a message that the keys were exported successfully; click the Save link to save this to the master configuration (see figure 4).

Figure 4. Save to master configuration

7. Click Save one more time to confirm the changes.

8. Log out of the Administration console.

At this point you are ready to import the key file into Lotus Domino.

2.2 Import the LTPA key file into Lotus Domino

In this step we take the key file we just exported from WebSphere Portal and import it into the Domino server, as follows:


1. Copy the LTPA key file from the Portal server to the Lotus Notes® Administration client machine.

NOTE: If you're moving the file from a


5. Click Web > Create Web SSO Configuration (see figure 7).

Figure 7. Create Web SSO Configuration

6. Fill in the fields in the Web SSO document for your environment (see figure 8):

Configuration Name: The name you want to call the document (LtpaToken is the default).

Organization: This should always be left blank.

DNS Domain: The domain used to access WebSphere Portal and Lotus Quickr™. For more information refer to Section 2.2 in Understanding single sign-on (SSO) between IBM® WebSphere® Portal and IBM Lotus® Domino®.

Expiration (minutes): We recommend setting this to the same value as WebSphere Portal. (Refer to section 3.3.2 in Understanding single sign-on (SSO) between IBM® WebSphere® Portal and IBM Lotus® Domino®.)

Map names in LTPA tokens: Set this to Enabled if WebSphere Portal authenticates with a non-Domino LDAP directory, such as IBM Directory Server, Microsoft Active Directory, or Novell eDirectory.

(This is Disabled by default; it is used only for dual directories. For more information, refer to Section 3.5 in Understanding single sign-on (SSO) between IBM® WebSphere® Portal and IBM Lotus® Domino®.)

Domino Server Names: Set this to the server you want SSO to work with WebSphere Portal (MAIL/IBM in our example).


Figure 8. Web SSO Configuration document

Now that you have filled out the SSO Configuration doc, you must import the LTPA key file, as follows:

1. Select Keys > Import WebSphere LTPA Keys from the menu (see figure 9).

Figure 9. Import WebSphere LTPA Keys

2. Enter the location to which you copied the LTPA key file.

Figure 10. Enter Import File Name dialog


4. Click the Save and Close button at the top of the screen to save the document.

5. Now, go to the Web > Web Configurations view of the Domino directory; you should see the Web SSO document you just created (see figure 12).

Figure 12. Newly created Web SSO doc

Once you save and close the document, you are ready to enable multi-server Single Sign-on on the Domino server.

2.3 Configure the Domino server to support multi-server SSO

Now that the Web SSO document has been created, you need to tell the Domino server to use this document. To do this, follow these steps:

1. Open Domino Administrator and select File > Lotus Notes Application > Open.

2. In the Look in field, choose the primary Domino server; in the File name field, enter names.nsf and click Open (recall figure 5).

3.


4. Double-click the server with which you want SSO to work (MAIL/IBM in our example).

5. In the Server document, select the Internet Protocols tab and then the Domino Web Engine tab (see figure 13).

Figure 13. Domino Web Engine tab

6. Click the Edit Server button at the top of the page.

7. In the HTTP Sessions section (see figure 14), for the Session authentication field, choose Multiple Servers (SSO); for Web SSO Configuration, choose LtpaToken. (Note that this should be the name of the Web SSO document you created above.)

Figure 14. HTTP Sessions


8. Click the Save & Close button to save the document.

9. Restart the Domino server for the new settings to take effect.

SSO should now work between WebSphere Portal and Lotus Domino. If you are using Portal version 6.1.x or later, it's strongly recommended you complete the next section. If not, skip to Section 3 to test SSO in the environment.

2.4 Disable token regeneration (version 6.1.x)

By default, LTPA keys are regenerated on a schedule every 90 days, configurable to the day of the week. When this key is regenerated, SSO from WebSphere Portal to the Domino servers breaks, and the Admin must repeat the three steps above to fix the issue. To avoid this, we recommend you disable the regeneration of the key files:

1. Open a browser to the WebSphere Application Server Admin console (for example, https://dpi-dev.atlanta.ibm.com:10001/ibm/console in our environment) and select Security > Secure administration, applications, and infrastructure.

2.


4.
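As a check against the failure mode this section and the Generate keys note in Section 2.1 describe, the following added example (not from the white paper) fingerprints the token-relevant properties of a WebSphere LTPA export so a fresh export can be compared with the one that was imported into Domino. The property names are those of the export file format; the key values and hostnames are constructed placeholders.

```python
"""Detect LTPA key drift: does Portal still use the keys Domino imported?
Added example, not from the white paper. Property names are those of a
WebSphere LTPA key export (Java .properties); values are constructed."""
import hashlib

# Constructed sample: the export that was imported into the Web SSO document.
IMPORTED_EXPORT = """\
com.ibm.websphere.CreationDate=Mon Jun 01 10:00:00 EDT 2009
com.ibm.websphere.ltpa.version=1.0
com.ibm.websphere.ltpa.3DESKey=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo\\=
com.ibm.websphere.CreationHost=dpi-dev.example.invalid
com.ibm.websphere.ltpa.PrivateKey=cHJpdmF0ZS1rZXktcGxhY2Vob2xkZXI\\=
com.ibm.websphere.ltpa.Realm=ldap.example.invalid:389
com.ibm.websphere.ltpa.PublicKey=cHVibGljLWtleS1wbGFjZWhvbGRlcg\\=\\=
"""
# Constructed sample: a later export, after "Generate keys" or the 90-day schedule ran.
REGENERATED_EXPORT = IMPORTED_EXPORT.replace(
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo", "WkxNTk9QUVJTVFVWV1hZWjAxMjM0NTY3ODk")

# Properties that decide whether a token minted by Portal validates on Domino.
KEY_PROPERTIES = ("com.ibm.websphere.ltpa.3DESKey",
                  "com.ibm.websphere.ltpa.PublicKey",
                  "com.ibm.websphere.ltpa.Realm")


def parse_ltpa_export(text):
    """Parse the .properties export into a dict, skipping blanks and '#' comments.
    Values stay verbatim (including the '\\=' escaping of base64 padding)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def key_fingerprint(text):
    """SHA-256 over the token-relevant properties only; CreationDate is excluded so
    a re-export of unchanged keys does not raise a false alarm."""
    props = parse_ltpa_export(text)
    missing = [k for k in KEY_PROPERTIES if k not in props]
    if missing:
        raise ValueError("export lacks required properties: " + ", ".join(missing))
    material = "\n".join(k + "=" + props[k] for k in KEY_PROPERTIES)
    return hashlib.sha256(material.encode()).hexdigest()


def keys_still_match(imported_export, current_export):
    """True when Portal still signs tokens with the keys Domino imported."""
    return key_fingerprint(imported_export) == key_fingerprint(current_export)
```

Record the fingerprint of the file at the moment you import it into the Web SSO document; a later export whose fingerprint differs means every Domino server has to be re-imported before SSO works again.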


Table 1. User attributes

WebSphere Portal LDAP directory user    | Domino Directory
DN: uid=duser1,cn=users,dc=ibm,dc=com   | cn: Domino


Figure 17. LDAP DN in User name field

6. Now click the Administration tab.

7.



Figure 19. New Application dialog box

3. Click OK. The new database opens, and the information to connect to the corporate LDAP directory is created.

4. In the Directory Assistance database, click the Add Directory Assistance button (see figure 20).

Figure 20. Add Directory Assistance button


5. On the Basics tab (see figure 21), set fields as follows:

Domain type: LDAP

Domain name: This must be a unique name; the Domain name for our Domino directory is IBM, so we cannot use IBM here.

Company Name: This need not be unique, so let's use IBM.

Search order: The position in the search order at which you want this Directory Assistance document searched.

Group Authorization: Can be set to either Yes or No for SSO.

Enabled: Yes

Attribute to be used as name in an SSO token (map to Notes LTPA_UsrNm): $DN

Figure 21. Basics tab

6. On the Naming Contexts (Rules) tab (see figure 22), set the fields as follows:

All OrgUnits: *
Enabled: Yes
Trusted for Credentials: Yes **This is the only one you need to change**


Figure 22. Naming Context (Rules) tab

7. On the LDAP tab (see figure 23), set fields as follows:

Hostname: Hostname of the corporate LDAP directory

Optional Authentication Credential:

Username: The user that binds to the directory; it must be able to query and retrieve the attribute populated with the Domino DN.

Password: The password of the bind user

Attribute to be used as Notes Distinguished Name: This is where you tell the Domino directory where to find the Domino DN in the corporate LDAP (notesdn in our example).

Type of search filter to use: Click the down arrow and choose your corporate LDAP directory.

Figure 23. LDAP tab


Figure 24. Server doc showing Directory Assistance database name field

Save and close the Server document.

3 Testing SSO between WebSphere Portal and Lotus Domino

Now that SSO has been configured, we must verify that it's working. The following steps are the best way to test SSO:

NOTE: In the testing and screenshots below, the fully qualified hostname of the servers is always used in the browser. If the server name (mail, instead of mail.atlanta.ibm.com) were used, SSO would never work. For more information on why that is, refer to Sections 2.1, 2.2, and 3.2 of Understanding single sign-on (SSO) between IBM WebSphere Portal and IBM Lotus Domino.

1. Open the browser to the Portal server and sign in as your test user (duser1 in our example; see figure 25).


Figure 25. Portal 6.1 Welcome screen

2. Change the


Figure 26. Sign-in screen

In addition to testing SSO by signing into WebSphere Portal first, you should also test the reverse:

1. Open a browser to your mail file and sign in (do user1; recall figure 26).

2. Change the
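The NOTE above on fully qualified hostnames, as an added example that is not part of the white paper: the functions below apply the browser's cookie domain-match rule to the Portal URL, the Domino URL and the DNS Domain of the Web SSO document, and report why a short server name can never receive the LtpaToken cookie. The hostnames under .example.invalid are constructed stand-ins for mail.atlanta.ibm.com.

```python
"""Why a short hostname defeats SSO: the LtpaToken cookie is scoped to the DNS
Domain of the Web SSO document, and the browser only returns it to hosts that
domain-match. Added example, not from the white paper; the .example.invalid
hostnames are constructed stand-ins for the paper's mail.atlanta.ibm.com."""
from urllib.parse import urlsplit


def cookie_domain_matches(request_host, cookie_domain):
    """Browser domain-match rule (RFC 6265, 5.1.3): the host must equal the cookie
    domain or end with '.' + domain. A bare name like 'mail' can never match."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def check_sso_reachability(portal_url, domino_url, sso_dns_domain):
    """Return (ok, reason) for one Portal -> Domino SSO attempt.

    The cookie is set by the Portal host on sso_dns_domain and must be sent by
    the browser to the Domino host, so both hosts have to sit inside it."""
    portal_host = urlsplit(portal_url).hostname or ""
    domino_host = urlsplit(domino_url).hostname or ""
    for name, host in (("Portal", portal_host), ("Domino", domino_host)):
        if "." not in host:
            return False, "%s URL uses short hostname %r; use the fully qualified name" % (name, host)
        if not cookie_domain_matches(host, sso_dns_domain):
            return False, "%s host %s is outside DNS Domain %s" % (name, host, sso_dns_domain)
    return True, "LtpaToken set by %s will be presented to %s" % (portal_host, domino_host)


# Constructed cases mirroring the NOTE: FQDN works, a short name never does,
# and a Domino host outside the DNS Domain never sees the cookie either.
CASES = [
    ("https://portal.example.invalid/wps/myportal",
     "http://mail.example.invalid/mail/duser1.nsf", ".example.invalid"),
    ("https://portal.example.invalid/wps/myportal",
     "http://mail/mail/duser1.nsf", ".example.invalid"),
    ("https://portal.example.invalid/wps/myportal",
     "http://mail.other.invalid/mail/duser1.nsf", ".example.invalid"),
]

if __name__ == "__main__":
    for portal, domino, domain in CASES:
        print(check_sso_reachability(portal, domino, domain))
```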


4 Conclusion

After having read the first paper in this series, you gained a good understanding of how SSO works between WebSphere Portal and Lotus Domino. Now, you also know all the detailed steps to get SSO working between the two, summed up as follows:

1. Export the key file from WebSphere.
2. Import the key file into the Web SSO document in Domino.
3. Configure the Domino server for Multi-server SSO.
4. Synchronize the directories for non-Domino LDAP customers.

You should have little trouble setting up SSO between your two environments. If, however, there is still an issue, the next paper in this series will walk you through everything you need to do to troubleshoot, isolate, and resolve the problem.

5 Resources

developerWorks white paper,


He is an IBM Certified Associate System Administrator - Lotus Collaborative Solutions (administering QuickPlace®), a Principal Certified Lotus Professional for Domino system administration, and an IBM Certified System Administrator for WebSphere Portal. He holds a degree in Mathematics Education from Georgia and taught high school mathematics for three years before joining IBM. You can reach him at charlesprice@us.ibm.com.

Trademarks: developerWorks, Domino, IBM, Lotus, Notes, QuickPlace, Quickr, and WebSphere are trademarks or registered trademarks of IBM Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States, other countries, or both.

Other company, product, and service names may be trademarks or service marks of others.
