Background

IBM® Connections is social software for business that lets you access everyone in your professional network, including your colleagues, customers, and partners. It contains several useful applications for collaboration such as Profiles, Communities, Activities, Files, Forums, and Blogs.

IBM Lotus® Quickr® is team collaboration software that helps you access and interact with the people, information, and project materials that you need to get your work done. Lotus Quickr for Domino® (hereafter called Quickr Domino) Team Places, Content Libraries, Team Forums, Wikis, and connectors make it easy to share documents and information among a team.

The following three IBM Connections applications can be integrated with Quickr Domino:

• Profiles. The configuration is easy; just change qpconfig.xml.
• Activities. The configuration is a bit more complex in that you first must enable SSO, then change the configuration file of Activities, and then add Quickr server to the IBM WebSphere® Application Server (WAS) resources.
• Communities. The configuration is complex; you must first enable SSO, then install connector for Quickr, and then configure Connections to support Quickr authenticated feeds.

IBM Connections and Lotus Quickr are both collaboration domain software, each of them has advantages, if we can integrate them together, they may become more powerful. Although they have such ability to do that, it’s difficult for us to find a comprehensive guidance, the information is separated in product documentation. What’s more, during the setup progress we met some difficulties; the experience we summarized in this article can help you to avoid detours. This solution (see figure 1) can guide you step by step in integrating IBM Connections with Quickr Domino.

Figure 1. Solution diagram

Environment information

In this exercise our environment was composed of the following:

• WebSphere Application Server, version 7.0.0.11
• Connections server, version 3.0.1
• DB2® server, version 9.5.0
• Quickr Domino server: Domino version 8.5.1 FP5 + Quickr version 8.5.1
• Lightweight Directory Access Protocol (LDAP): Domino LDAP version 8.5.1

Integrating Profiles with Quickr Domino

Configure the Profiles server in qpconfig.xml on the Quickr server

1. Open the qpconfig.xml file, which is under the Domino data directory; if it does not exist, create one based on qpconfig_sample.xml.

2. Add the following settings to qpconfig.xml:

where “server_name” is the name of the Connections server with the port number, and “semantic_tag_service_location” is the location of the semantic tag service JavaScript^TM file.

3. Restart the Domino server.

Enabling single sign-on (SSO) for Lotus Quickr Domino

3.1 Change the "Realm Name" of the WAS server (Optional)

This is an optional step; by default the realm name is "defaultWIMFileBasedRealm", it's not necessary to change it.

1. Log in to the WAS Integrated Solutions Console, for example, http://hostname:9060/ibm/console.
2. Select Security --- Global security (see figure 2).
3. Select Federated repositories from the Current realm definitions field, and then click the Configure button.

Figure 2. Global security window



4. On the Federated repositories page, add the LDAP server to the Realm name field, for example, ldapserver.cn.ibm.com:389 (see figure 3). Apply and save this setting.

Figure 3. Federated repositories window



5. From the Integrated Solutions Console, select System administration – Nodes (see figure 4). Select the name of the node that you have updated, and then click Full Resynchronize.

Figure 4. Nodes window



6. After changing the realm name of WAS, you must clear all Connections schedulers, which are Connections scheduled tasks saved in a database. Otherwise, the WAS server will not start successfully, displaying the error message, "The realms do not match".

To clear all Connections schedulers, follow these steps:

1. Figure 5. Run "db2 -v -td"@" -f clearScheduler.sql"
2. 


3. NOTE:

clearScheduler.sql resides in the folder of each component of the LCWizard installation package; for example, for the Wiki component, it looks like c:\LCWizard\Wizards\connections.sql\wikis\db2\clearScheduler.sql)

For the Homepage component, you can run the command, "db2 -v -tf clearScheduler.sql", because there is no @ in the sql and it's different from others.

For the Profiles component, you can add "CONNECT TO PEOPLEDB;" to the beginning of clearScheduler.sql, and run the command, "db2 -v -tf clearScheduler.sql".

8. Restart the WAS server.

Check "Distinguished name of base entry" of the Federated Repository

http://hostname:9060/ibm/console.
2. Select Security --- Global security.
3. Select "Federated repositories" from the Available realm definitions drop-down list; click Configure (see figure 6). Figure 6. Available realm definitions list



4. In the Federated repositories window, click the Base Entry you have created for the LDAP repository (see figure 7).

Figure 7. Federated repositories window



5. In the O=ibm Base Entry configuration window, make sure the "Distinguished name of a base entry in this repository" is NOT empty; the value should be same as the "Distinguished name of a base entry that....." setting (see figure 8).

If this setting is left empty, the SSO configuration with other servers may fail for authentication reasons. Since the base entry is appended to the distinguished name (dn) of the LDAP user redundantly, for example, one user's dn is "cn=mike chen,o=ibm", if you don't set this field, when this user visits other servers with SSO enabled (such as the Quickr server), the dn may become "cn=mike chen,o=ibm,o=ibm".

Figure 8. Base Entry Configuration window

Export the LTPA token from the WAS server

Log in to the WAS Integrated Solutions Console, for example, http://hostname:9060/ibm/console.
Click Security --- Global security. Under Authentication, expand “Web and SIP security”, and then select “single sign-on (SSO)” as shown in figure 9.

1. Figure 9. Select SSO
2. 


3. 3. In the next window (see figure 10), enter your domain name in the Domain name field, ensuring that there is a dot (.) before the domain name, for example, .cn.ibm.com. (You will need to enter this domain name again when configuring the Domino server.)


4. Figure 10. Enter Domain name
5. 



6. 4. In the same window, enable the "Interoperability Mode" and "Web inbound security attribute propagation" options.
7. 5. Restart all your installed features and confirm that you can switch between them without needing to authenticate more than once.
8. 6. Now log in to the WAS Console, and select Security --- Global security.
9. 7. In the Authentication section, under "Authentication mechanisms and expiration", click the LTPA radio button (see figure 11).


10. Figure 11. Enable LTPA
11. 



12. 8. In the LTPA window enter the password used to protect the exported key in the Password and Confirm password fields (see figure 12).
13. 9. Finally, enter the full file name (such as "c:\ltpakey.file") of the key file to be generated in the "Fully qualified key file name" field. Click the Export keys button.


14. Figure 12. LTPA window
15. 

16. Import LTPA token and set up SSO on the Domino server

17. 1. Copy the LTPA key file from the WAS server to the Quickr server.
18. 2. Open the Server document via the Domino Administrator, and create an SSO Configuration document (see figure 13).


19. Figure 13. Create SSO Configuration doc
20. 



21. 3. In the SSO configuration document, select Keys --- Import WebSphere LTPA Keys (see figure 14).


22. Figure 14. SSO Configuration doc
23. 



24. 4. Input the path of the LTPA key file, and input the password of this key file.
25. 5. In the Basics tab of the Web SSO Configuration document (see figure 15), make sure the following three settings are correct:

DNS Domain: .cn.ibm.com (It should be the same as Step 2.4 above; note the dot before the domain name.)
Domino Server Names: Quickr Server Name
LDAP Realm: ldapserver\:389 [It should be the same as Step 1.4 above, note the slash (\) before the colon (:)]

1. Figure 15. Basics tab of Web SSO Configuration doc
2. 



3. 6. Save and close the document.
4. 7. Open the Server document via the Domino Administrator, and select the Internet Protocols" --- Domino Web Engine tabs (see figure 16).
5. 8. Select Multiple Servers (SSO) in the Session authentication field, and select the LTPA token document you just created in the Web SSO Configuration field.


6. Figure 16. Server document
7. 


8. 9. Save the document, and restart the Domino server.
9. 10. Create domcfg.nsf based on domcfg5.ntf, and create the mapping file for the Quickr log-in page.

10. Integrate Activities to work with Quickr Domino

11. Enable users to publish file attachments to Quickr Domino

Use the wsadmin client to check out the Activities configuration files. Navigate to the "C:\IBM\WebSphere\AppServer\profiles\Dmgr01\bin" directory in a command line, and input the command, wsadmin -lang jython -user wasadmin -password passw0rd
Use this command to access the Activities configuration file: execfile("activitiesAdmin.py")
Run the command, print AdminControl.getCell(), to get the cell name, and make a note of it.
Check out the Activities configuration files, using the following command:

1. 5. Navigate to the directory where you specified to keep the Activities configuration file (e.g., c:\temp), and then open the oa-config.xml file via a text editor.


2. 6. Set the enabled attribute of the element to “true”, and create one element for each Quickr server that you want to support. In the server element, specify the fully qualified domain name of the Quickr server to which you want to allow your users to publish files and include the port number:

 <PublishFile enabled="true" allowCustomServers="false" requireSSO="true">

 <server>http://tam.cn.ibm.com</server>

 <server>http://QuickrServer.cn.ibm.com:8080</server>

 </PublishFile>