Enabling Secure, Remote Access to IBM Lotus iNotes Using IBM Lotus Mobile Connect

Level: Intermediate
John Kari ([email protected]), Senior Software Engineer, IBM
14 Oct 2008

Learn how the IBM® Lotus® Mobile Connect clientless option can be used in conjunction with IBM Lotus iNotes™ to gain secure, remote access to enterprise iNotes servers from devices (handhelds, laptops, workstations) requiring access outside the bounds of their corporate intranet.

This article is intended for IBM Lotus iNotes customers who want secure, remote access to enterprise Lotus iNotes servers from devices such as personal digital assistants (PDAs), laptops, or workstations that require access outside the bounds of their corporate intranet. You can accomplish this in two ways with Lotus Mobile Connect. Lotus Mobile Connect provides a full client/server-based virtual private network (VPN) solution, for which the Lotus Mobile Connect client is installed on various supported user platforms. For HTTP-based applications (for example, Lotus iNotes), Lotus Mobile Connect also provides a clientless option that does not require that any additional software is installed on the user's device; instead, it provides secure authentication through a browser-based logon (see figure 1). This article explains how the Lotus Mobile Connect clientless option is used in conjunction with Lotus iNotes.

Figure 1. Lotus Mobile Connect clientless option with Lotus iNotes

Why Lotus Mobile Connect?

Lotus Mobile Connect provides a Federal Information Processing Standards (FIPS) 140-2 certified platform containing the latest secure sockets layer (SSL) / transport layer security (TLS) ciphers and industry-standard authentication mechanisms. The Lotus Mobile Connect clientless option, that is, Lotus Mobile Connect HTTP access services, uses the same strong authentication and encryption algorithms as the full VPN client. HTTP access services can be configured to run simultaneously with full VPN sessions, providing a multifunction remote-access solution with a small footprint, allowing IT administrators to control the breadth of access per user. The Lotus Mobile Connect management console, Gatekeeper, provides access to all configuration options and full control over ciphers, authentication methods, security restrictions, and enterprise destinations.

How does it work?

Lotus Mobile Connect HTTP access services secure communications by forcing remote HTTP-based applications to connect using industry-standard SSL/TLS technology. SSL/TLS ciphers are configurable and can be restricted to FIPS 140-2 certified algorithms. Two-way certificate validation is also available, to add an additional layer of trust to the session.

After secure communications have been established, the Connection Manager sends a form-based challenge to the remote application prompting for user credentials. Credential information is x-www-form-urlencoded and sent over the secure connection using an HTTP POST operation. The HTTP access services decode the information and validate it using a configurable authentication method.

Upon successful validation, the HTTP access service builds a token and sends it to the remote application using the HTTP Set-Cookie operational model. The cookie contains a Lotus Mobile Connect-specific encrypted token and has the secure and session bits turned on. The remote client is then expected to include the cookie containing the token in all future connect requests.

Now that the token is present in the HTTP flows, the HTTP access service opens a connection to an enterprise host and relays traffic back and forth, similar to an SSL/TLS gateway.

What it's not

Lotus Mobile Connect Connection Manager's clientless support is not an HTTP proxy. It does not cache any content nor store any other information contained in the body of the HTTP data flow. It is not an optimizer, compressor, or token reducer, and it is not able to flush a browser's cache. Because a secure session cookie is used, users must be sure to exit the browser session when they are finished with an application session.


Why Lotus iNotes?

Lotus iNotes is a Web-based application that provides access to Lotus Notes mail and personal information management (PIM) information from a standard Web browser. Because browsers use HTTP as the primary transport, this application can leverage Lotus Mobile Connect's clientless option to gain access to the mail databases located within the corporate intranet from a supported browser with Internet access.

Lotus iNotes, previously known as IBM Lotus Domino® Web Access, supports three different usage modes. Full mode offers the richest feature set and is intended to be used when bandwidth is not a concern. It is the preferred mode to use from dedicated workstations with a high-speed network connection to the mail server. In Lotus Domino releases earlier than version 8.0.1, full mode was the only mode. It includes the following major functional areas:

o Welcome page (a customizable home page)
o Mail
o Calendar
o Contacts
o To-do
o Notebook

Lotus iNotes also supports both Lotus Notes-style and S/MIME encryption and a cache-scrubbing capability for certain browsers. In conjunction with a Lotus Sametime® server, it offers integrated instant messaging and presence awareness. Lotus iNotes also offers a near-full-featured offline capability and local archiving using Domino Off-Line Services (DOLS). When deployed with the Lotus Domino Unified Communications offering, it also provides various unified communications features.

Lite mode, which premiered with Lotus Domino 8.0.1, is a feature-reduced version that's been optimized for bandwidth-constrained environments. Its initial release supports only the Mail function and some limited access to Calendar data using a sidebar. Like full mode, it provides a rich user experience that leverages the latest Asynchronous JavaScript™ and XML (AJAX) techniques. The user interface (UI) is even more consistent with the Lotus Notes rich client offering.

Ultralite mode was introduced in Lotus Domino 8.0.2 and is designed for browsers on the latest narrow-width mobile devices. The initial release supports the Apple iPhone and iPod Touch devices. The UI fully abides by Apple's recommended guidelines for iPhone applications. Ultralite mode leverages the least amount of script and is designed to function from script-disabled browsers.


Architecture

Let's examine the architecture of the two product components involved here, Lotus Mobile Connect and Lotus iNotes.

Lotus Mobile Connect HTTP access services

Connection Manager's HTTP access services provide an SSL/TLS gateway function for HTTP communications from any HTTP version 1.1 client data stream, such as a Web browser. The connection provides access to Web-based services and content in the enterprise without requiring the presence of a VPN client. The session is secured by use of SSL/TLS and can be restricted to permit connections only from specified hosts or address ranges.

The HTTP access services subsystem within Lotus Mobile Connect is responsible for applying the configured options to all connection requests and data traffic: enforcing security, validating access, generating audit information, and relaying traffic to the intended enterprise-located servers.

SSL/TLS

Connection Manager's HTTP access services use SSL or TLS when communicating with the browser or client application. Both version 2 and version 3 of the SSL protocol are supported, and the following algorithms are supported:

Public key algorithms
  o RSA (1024-, 768-, or 512-bit keys)

Symmetric key algorithms
  o DES (56-bit key)
  o Triple DES (168-bit key)
  o RC4 (40-, 56-, or 128-bit keys)

Message authentication codes
  o SHA-1
  o MD5

X.509 certificates can provide authentication for the SSL/TLS communications. These certificates, along with root certificates to validate the other party's certificate, are stored in a key database that is installed with Connection Manager. The Connection Manager administrator can configure the source of this database, using the Gatekeeper administration console. The administrator can also configure the desired root certificates and client-side certificates, using the administration interface of the SSL toolkit, IBM Key Management. Lotus Mobile Connect supports restricting the SSL/TLS ciphers to those that are FIPS 140-2 approved and supports denying connection requests that support only SSL/TLS version 2 ciphers.

Authentication

The HTTP access services authenticate each secure HTTP connection, checking the data stream for valid user credentials. If none are present, a configurable form-based challenge is issued to prompt for a valid user ID and password. This function uses authentication methods and algorithms available to all components of Lotus Mobile Connect.

Authentication methods are resource containers defining how Lotus Mobile Connect challenges for and validates remote user credentials. Lotus Mobile Connect supports methods for validating credentials with the following:

o LDAP V3-compliant directory servers
o RADIUS protocol servers
o RSA SecurID, including next-token support
o X.509 certificate exchange
o Lotus Mobile Connect system user accounts

For more information on authentication methods, refer to the Administrator's guide in the Lotus Mobile Connect Information Center.

Single Sign-On (SSO)

HTTP access services can enable SSO through Lightweight Third Party Authentication (LTPA). LTPA provides a mechanism for storing user authentication information in a token that is generated when users are successfully authenticated with Connection Manager. The token is encrypted and signed by use of a password and a public/private key pair, stored in an HTTP cookie, and included in all requests for the configured SSO domain. The LTPA keys are shared with other LTPA-enabled servers within the same domain, so the servers can validate the token and authenticate user requests instead of challenging the user. LTPA tokens include a configurable expiration timestamp; after the token expires, a new authentication challenge is issued. The LTPA token is used in place of the Lotus Mobile Connect-specific token and is sent to the HTTP client application in the form of an HTTP cookie, using the Set-Cookie directive. HTTP clients include this token in all future HTTP requests.
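The challenge, credential POST, Set-Cookie and token-check sequence from the "How does it work?" section, together with the expiring SSO token described just above, as an added example that is not IBM's code: a small Python model of the HTTP access service's request handling. The token is an HMAC-signed stand-in carrying a user and expiry (the real Lotus Mobile Connect and LTPA token formats are not reproduced), and the cookie name, Server header value, SSO domain, token lifetime and user store are all assumed.

```python
import base64
import hashlib
import hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

TOKEN_COOKIE = "LtpaToken"                # assumed cookie name
SSO_DOMAIN = "example.com"                # assumed "SSO Domain" setting
LIFETIME_MIN = 120                        # assumed "LTPA Token Lifetime" in minutes
SHARED_KEY = b"constructed-shared-key"    # shared with the domain's other LTPA-enabled servers
SERVER_TOKEN = "LotusMobileConnect-demo"  # assumed Server header value
USERS = {"alice@example.com": "correct horse battery staple"}  # constructed stand-in directory


def mint_token(user, now):
    """Sign 'user|expiry' with the shared key so peer servers can check it without a callback."""
    payload = f"{user}|{int(now) + LIFETIME_MIN * 60}".encode()
    sig = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + sig).decode().rstrip("=")


def validate_token(token, now):
    """Return the user named in the token, or None if it is forged, damaged or expired."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        payload, sig = raw[:-32], raw[-32:]
        expected = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        user, expires = payload.decode().rsplit("|", 1)
        return user if now < int(expires) else None
    except ValueError:  # bad base64, bad UTF-8 or a non-numeric expiry
        return None


def challenge(reason):
    """Form-based challenge; the Server header lets an application recognise it."""
    return {"action": "challenge", "reason": reason, "headers": {"Server": SERVER_TOKEN},
            "body": '<form method="POST"><input name="userid"><input name="password"></form>'}


def handle_request(method, headers, body, now):
    """One request at the HTTP access service; TLS is assumed to be established already."""
    jar = SimpleCookie(headers.get("Cookie", ""))
    if TOKEN_COOKIE in jar:
        user = validate_token(jar[TOKEN_COOKIE].value, now)
        if user:
            return {"action": "relay", "user": user}  # open the enterprise host, relay traffic
        return challenge("token invalid or expired")  # an expired token triggers a new challenge
    if method == "POST":
        form = parse_qs(body)  # credentials arrive application/x-www-form-urlencoded
        user = form.get("userid", [""])[0]
        password = form.get("password", [""])[0]
        if user in USERS and hmac.compare_digest(USERS[user].encode(), password.encode()):
            jar = SimpleCookie()
            jar[TOKEN_COOKIE] = mint_token(user, now)
            jar[TOKEN_COOKIE]["secure"] = True  # the "secure bit": sent only over TLS
            jar[TOKEN_COOKIE]["domain"] = SSO_DOMAIN
            jar[TOKEN_COOKIE]["path"] = "/"
            # No Expires or Max-Age: a session cookie, discarded when the browser exits.
            return {"action": "set-cookie",
                    "headers": {"Set-Cookie": jar.output(header="").strip()}}
        return challenge("bad credentials")
    return challenge("no token")


def run_exchange(now=1_700_000_000):
    """Walk the flow end to end and return what the gateway did at each step."""
    bad = "userid=alice%40example.com&password=wrong"
    good = "userid=alice%40example.com&password=correct+horse+battery+staple"
    steps = [("first visit", handle_request("GET", {}, "", now)["action"]),
             ("wrong password", handle_request("POST", {}, bad, now)["action"])]
    reply = handle_request("POST", {}, good, now)
    steps.append(("good credentials", reply["action"]))
    token = SimpleCookie(reply["headers"]["Set-Cookie"])[TOKEN_COOKIE].value  # as a browser would
    with_token = {"Cookie": f"{TOKEN_COOKIE}={token}"}
    forged = {"Cookie": f"{TOKEN_COOKIE}={token[:-4]}XXXX"}
    steps.append(("with token", handle_request("GET", with_token, "", now + 60)["action"]))
    steps.append(("tampered token", handle_request("GET", forged, "", now + 60)["action"]))
    late = now + LIFETIME_MIN * 60 + 1
    steps.append(("expired token", handle_request("GET", with_token, "", late)["action"]))
    return steps
```

Calling run_exchange() shows the gateway challenging on the first visit and on a bad password, issuing the Secure session cookie on success, relaying while the token is intact, and challenging again once the token is tampered with or past its lifetime.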

HTTP access services resource

The HTTP access services resource contains information telling Lotus Mobile Connect how to authenticate users and where to relay traffic to the back-end server. Each HTTP access services resource can send traffic to a single application server or proxy. There are three options for configuring access to multiple back-end application servers:

o Use a transcoding reverse proxy. This option allows a reverse proxy to route traffic to the appropriate destination, based on information contained in the target URL.

o Assign different listen ports to each HTTP access services resource definition. Since each HTTP access services resource can be configured to send traffic to a different back-end server or proxy, configure each service to listen on a different port. Users need to know this port and to add it to the URL request, for example, https://inotes.xyz.com:12345.

o Use multiple Internet protocol addresses. The HTTP access services configuration includes the ability to bind the service to a specific IP address. This way, there can be multiple HTTP access services resources listening on the same set of ports. This option is necessary for applications that expect to use standard HTTP ports 80 and 443. The URL to the user simply looks like different host names, for example, https://inotes1.example.com, https://inotes2.example.com.

Configurable form-based challenge

The challenge page has three configurable sections: a title bar, Message of the Day, and a Copyright section (see figure 2). These sections are configured by use of the HTML files loaded by the Connection Manager and are stored in the appropriate locale-related subdirectories.

Figure 2. Challenge page

When you enter a user ID and password and click the Login button, the browser generates a URL-encoded POST operation containing the entered fields along with hidden fields containing information about the session. It's possible for HTTP-based applications to answer the challenge without the need to display the page to the user. You can uniquely identify the Lotus Mobile Connect challenge by querying the Server token in the HTTP header.

Lotus iNotes

Lotus iNotes is installed as part of a Lotus Domino server installation, as long as the Lotus iNotes option is not deselected when you do a custom installation. For more details about installing and configuring Lotus iNotes, consult the Lotus Domino Administrator Help.


Configuration

Enabling access to Lotus iNotes using HTTP access services requires architecture decisions and configuration steps for both components. This section describes options and requirements for each of the components.

Lotus iNotes

For each of the Lotus iNotes servers accessed by Lotus Mobile Connect, the internal network address or host name and TCP port are required to properly configure the Lotus Mobile Connect HTTP access service. If you want an encrypted pipe between the Lotus iNotes and Lotus Mobile Connect servers, you need to import a certificate in PKCS12 format for each of the Lotus iNotes servers into the key database for Lotus Mobile Connect.

Lotus Mobile Connect

Configuring Lotus Mobile Connect involves setting up authentication methods and defining one or more instances of the HTTP access service resource. This section includes screen captures taken from the Lotus Mobile Connect management console Gatekeeper.

Authentication methods

For the purposes of this example, only the LDAP-bind method is profiled. For additional information on this and other supported methods, see the Lotus Mobile Connect Version 6.1.2 Administrator's Guide in the Lotus Mobile Connect documentation (see Resources). For LDAP-bind methods, the first step is to define a resource containing information on how to access an LDAP V3-compliant directory service:

1. Using Gatekeeper, right-click a top-level folder such as System or Default Resources, and select Add resource - Directory server. The window in figure 3 displays.

Figure 3. Specifying a directory server

o In the Common name field, enter the free-form name of the resource.

o In the Host name or IP address field, enter the host name or IP address of the directory server.

o In the Base distinguished name field, enter the base search suffix for finding user accounts.

2. Click Next; the window in figure 4 displays.

Figure 4. Second screen for adding a directory server


o In the Port number of service field, enter the port number that the directory service is listening on.

o The Administrator's distinguished name (DN) field is optional unless the directory service does not allow anonymous bind and lookup operations, in which case it is required.

o You must enter your password in the Enter the password field if the administrator DN is set.

o The Use secure connection section requires the use of SSL/TLS when connecting to the directory server for lookup and authentication functions. (NOTE: when this option is not enabled, user credentials can be sent in clear text between the Lotus Mobile Connect Connection Manager and the directory services server.)

  o In the File name of key database field, enter the PKCS12 kdb file used to validate certificate authorities. (NOTE: When the directory server is using a self-signed certificate, the certificate needs to be exported in PKCS12 format and imported into the kdb file to pass verification checks.)

  o In the File name of stash password field, enter the PKCS12 kdb stash file that contains the password for accessing the kdb file.

  o In the Secure port field, enter the port number that the directory service is listening on for secure connections. The default port number for LDAP is 636.

3. Define an LDAP-bind authentication method that uses the directory services resource defined in the previous step. To do this, right-click the same top-level container as you did in the previous step, and select Add Resource - Authentication Profile - LDAP-bind authentication. The window shown in figure 5 opens.

Figure 5. Defining the LDAP-bind authentication method


o Do not select the Request Windows credentials field; it applies only to Mobility Client sessions.

o In the Common name field, enter the free-form text string that represents the resource.

o In the Description field, enter the free-form text string that describes the method.

o In the Backup authentication profile field, select the backup authentication method to try if this method reports external server connectivity issues.

o The Password Policy, Challenge string, Include realm, and Default realm fields are not applicable.

4. Click Next; the window shown in figure 6 displays.

Figure 6. Specifying the directory server from which to authenticate clients

o In the Directory Server field, select the directory server defined in the previous step.

o In the User key field, enter the attribute used in the attribute=value search string, where the value is substituted with the User ID from the credential challenge presented to the remote user. The default value is mail.

o The LDAP attribute used for lock status field is optional. This value is the attribute name that the Connection Manager uses to query the directory server after a login fails, to determine whether the user account is locked. If the Connection Manager determines that the account has been locked, a specific error message is sent to the remote user indicating the condition.

o The Additional search criteria field specifies a text string to use in LDAP search filters as defined in RFC 2254. This field is used in conjunction with the User key field. For example, when the value of the User key field is mail, and the value of this field is (employeeStatus=active), the search string becomes a logical AND of the user's email address and the employee status, for example, (&([email protected])(employeeStatus=active)).

o The Maximum number of processing threads field shows the number of threads used to perform LDAP searches and bind operations. This value depends on your particular user model. Because LDAP lookups can take 300 to 1000 ms, it is generally a good idea to enable multiple threads to allow simultaneous lookups to occur.

o The Restricted session filters field is not applicable.

5. Click Next; the window shown in figure 7 displays.

Figure 7. Specifying whether Connection Manager uses LTPA and SSO

o Select the Enable LTPA option to enable LTPA token generation for use in SSO.

o In the LTPA Token Lifetime field, enter the length of time in minutes that the token is valid.

o Select the Enable SSO option.

o In the SSO Domain field, enter the DNS domain within which the SSO is applied.

o Select the Enable SSO over SSL connections only option to apply SSO only to connections using the SSL/TLS transport.

o In the Service port to include in LTPA token field, specify the port number to use in the LTPA token if IPSec is used to secure communications between Lotus Mobile Connect and the enterprise application server.
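The User key plus Additional search criteria composition from step 4, as an added example that is not IBM's code: a Python function that builds the (&(mail=...)(employeeStatus=active)) filter and escapes the user-supplied ID per RFC 4515 (the successor to RFC 2254), so that filter metacharacters typed into the User ID field stay literal rather than altering the search. The attribute names and sample values are constructed.

```python
# Added example, not IBM's code: composes the LDAP search filter the way the
# User key and Additional search criteria settings describe, escaping the
# user-supplied ID so it can only ever match literally.


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515, section 3).

    Reserved characters and any non-ASCII byte become a backslash followed
    by two hex digits, so '*', '(' and ')' typed by a user cannot change the
    filter's structure.
    """
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"\\*()\x00" or byte > 0x7F:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def build_search_filter(user_key: str, user_id: str, additional: str = "") -> str:
    """Return '(user_key=user_id)' ANDed with the optional additional criteria.

    'additional' is the administrator-entered filter fragment (for example
    '(employeeStatus=active)') and is trusted as written; only user_id, which
    comes from the credential challenge, is escaped.
    """
    if not user_key.replace("-", "").replace(".", "").isalnum():
        raise ValueError(f"invalid attribute name: {user_key!r}")
    base = f"({user_key}={escape_filter_value(user_id)})"
    if not additional:
        return base
    if not (additional.startswith("(") and additional.endswith(")")):
        raise ValueError("Additional search criteria must be a parenthesised filter")
    return f"(&{base}{additional})"


def run_examples() -> dict:
    """Constructed inputs: a normal login, no extra criteria, and a wildcard in the ID."""
    return {
        "normal": build_search_filter("mail", "user@example.com", "(employeeStatus=active)"),
        "no extra": build_search_filter("mail", "user@example.com"),
        "wildcard": build_search_filter("mail", "*@example.com", "(employeeStatus=active)"),
    }
```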

Also, note that the following attributes are available through the Properties panels after resource creation:

o Automatically create accounts for new users. The Lotus Mobile Connect Connection Manager requires pseudo-records for user accounts to store certain Lotus Mobile Connect-only attributes. This attribute determines whether these pseudo-records must already exist for a user to log in or whether Lotus Mobile Connect creates the pseudo-record on first login. Requiring pseudo-records is an additional security measure.

o Perform additional DN validation. This feature, which requires LDAP group membership, allows Lotus Mobile Connect to verify a user's membership in a specific group before allowing access.

o Directory server. This setting validates group membership against a different directory server definition.

o Search attribute. This attribute is paired with the user's DN when performing the group validation.

o Syntax / filter. This setting defines the search filter for group validation. It must be in LDAP X.500 notation. See the Gatekeeper tip help for more information.

o Maximum idle time. The time that authentication waits for a response before timing out and trying a backup method.

o Timeout for authentication. This value specifies the time to wait for authentication challenge responses before invalidating the session.

HTTP access service resources

Follow these steps to add an HTTP access service resource:

1. To add an HTTP access service resource, right-click the Connection Manager resource, and select Add - HTTP Access Service. The window shown in figure 8 displays.

Figure 8. Adding an HTTP access service

o In the Service URL field, enter the text string matching the URL contained in the certificate used to secure connections.

o In the TCP Port to listen on field, enter the TCP port that the service is listening on for access requests. The default is the SSL default of 443.

o In the Description field, enter the free-form text description of the service.

o In the Current state field, select the state of the service. Active state means the Connection Manager activates the service; defined is equivalent to down, in which case the Connection Manager does not start the service, making it unreachable.

2. Click Next; the window shown in figure 9 displays.

Figure 9. Specifying operational mode of the HTTP access service

o In the HTTP Proxy address field, enter the host name or IP address of a reverse proxy or application server to forward authenticated traffic.

o In the HTTP Proxy port field, enter the TCP port of the proxy or application server to which authenticated traffic is forwarded.

o Select the Require SSL to proxy option to require SSL/TLS between the Lotus Mobile Connect server and proxy or application server.


o In the Authentication Profile field, enter the authentication method to use to validate remote user credentials.

o If the SSO Domain option is set, this value overrides what is set in the authentication method. If it is not set, the authentication method properties are used.

3. Click Next; the window shown in figure 10 displays.

Figure 10. Specifying the maximum number of threads and idle time

o In the Maximum number of processing threads field, enter the number of simultaneous processing threads. The number of simultaneous sessions and number of processors are considerations for setting this value. The recommended value for a two-processor system with 1000 simultaneous sessions is 5.

o In the Maximum idle time field, enter the maximum time that a session can be idle before the Connection Manager clears the session's authentication token, forcing the client to re-authorize.

o Select the Bind port to a specific address option to configure the service to be bound to a specific Internet address. By doing this binding, multiple HTTP access services resources can be configured to listen on the same ports, thus allowing for different back-end servers to be used based on the Internet address of the initial request. Multiple addresses can be assigned to a single network interface using IP aliasing.

o In the Address to bind to field, enter the Internet address or host name to bind the service to.


Conclusion

Today's work force is becoming increasingly mobile. Enterprises need to extend the reach of email and PIM applications to users with browser access through both enterprise-provided and publicly available mobile devices, laptops, and workstations. The combination of Lotus iNotes as a Web-based application and Lotus Mobile Connect for secure remote access provides Lotus Notes customers with a feature- and security-rich solution for meeting this critical business need.