ShowTable of Contents
Introduction
You must have IBM® Tivoli® Access Manager (TAM) for e-business, version 6.1.1, installed before you can perform this procedure. Also, ensure that you can access the installed IBM Sametime applications from a Web browser.
This setup requires the installation of Tivoli Access Manager, Base, Runtime, and Web Security applications, where:
- TAM WebSEAL is a reverse proxy server.
- TAM and IBM Sametime® should be configured to use the same LDAP server.
- Previously, WebSEAL for Sametime was configured using Standard WebSEAL Junctions.
Setting up Single Sign-on
Single sign-on (SSO) enables users to log in to one application of IBM Sametime and switch to other applications and resources without having to authenticate again. There are several different ways to configure SSO. This procedure describes one approach, in which we use an IBM WebSphere® Application Server Lightweight Third-party Authentication (LTPA) key and WebSEAL transparent junctions.
Before you begin
Prepare for SSO by determining which WebSphere Deployment Manager will provide the LTPA key(s) and export them for use on the Sametime components. This step applies to all Sametime components, and the LTPA key must be imported on all Deployment Managers and Community Servers.
For the purposes of this document, all servers using SSO must use the same LDAP directory that the Sametime Community Server uses. Although other configurations are possible, they are outside the scope of this article.
About this task
The Sametime Community Server installation creates an IBM Lotus® Domino® SSO key. You must replace the Domino SSO key with a WebSphere LTPA key to allow the Sametime Community server running on Domino and the other servers running on WebSphere Application Server to have an identical key for token validation and generation.
If Sametime servers running on WebSphere Application Server are managed by a different Sametime System Console, you must export the LTPA key from one of them and import it into the others.
1. In a browser, launch the Sametime System Console.
2. Log in to the Integrated Solutions Console for the Sametime server (Console Server).
3. Select Security --- Global Security --- WEB and SIP Security --- Single Sign-on (SSO), as shown in figure 1.
Figure 1. Global Security window
4. Make sure that the Domain name matches the Sametime Server domain and verify that Interoperability Mode is selected (see figure 2).
Figure 2. Single sign-on (SSO) window
5. Click OK and save the master configuration.
6. Then select Security --- Global Security; under Authentication, click LTPA. In the LTPA timeout section, set the timeout value to a value larger than the default, to minimize the potential for an LTPA token to expire during an active meeting.
A value that covers a period somewhat longer than a typical work day, such as 600 minutes, is recommended (see figure 3).
Figure 3. LTPA window
7. Under the Cross-cell single sign-on (see figure 4) section, enter a Password, confirm the password, and specify a file name to store the key. Make a note of the location of the file created, to use when you import the file to the Sametime Community Server.
For example, we can save the key name as “LTPAkey” by typing “c:\LTPAkey” drive (for Microsoft® Windows® servers). Then click Export keys.
Figure 4. Cross-cell single sign-on section
8. Navigate to the directory where you exported the LTPA key and copy it to a location where you can access the file from the Sametime Community Server.
9. After creating LTPA keys for Sametime servers, configure the Sametime Community Server for SSO:
a) Make sure all servers use the same LDAP directory.
b) By default the Sametime installation creates a Domino SSO key. This key should be replaced with the WebSphere LTPA key you exported above.
10. (Optional) If you have multiple CELLs in your deployment, use the “Import keys” (recall figure 4 above) option to import the LTPA keys you just exported. This also holds true if you need to import keys into your single CELL deployment from an existing WebSphere/WebSEAL configuration.
NOTE: If you import keys, it is critical to remember to synchronize the nodes and restart the deployment manager and all nodes/application servers for the change to take effect.
Importing LTPA keys to the Sametime Community Server
In this section we explain how to import the LTPA key from WebSphere to Domino. Before we start, however, ensure you have Domino Notes Administrator installed and configured on the Sametime Server machine.
NOTE: IBM Sametime 8.5 requires Lotus Domino version 8.0 or later; if you are maintaining an older Sametime server, it may be running a version of Lotus Domino prior to v8.
First, import the LTPA keys used by Sametime servers in the same DNS domain:
1. Open the Domino administrator console on the Domino server for the Sametime Community Server.
2. Select Configuration ---Web --- Web Configurations view (see figure 5). You may need to scroll down to see Web SSO configuration.
Figure 5. Web SSO Configurations view
3. Double-click “Web SSO Configuration for LtpaToken” to open the document, and click Keys --- Import WebSphere LTPA keys (figure 6).
Figure 6. Web SSO Configuration for LtpaToken document
.
4. Type in the exact file location of the key file you created on the Sametime SIP Proxy and Registrar server.
5. Enter the password you created on the server when you enabled SSO; click OK. The message "Successfully imported WebSphere LTPA keys" displays after the key has been imported.
6. In the Token Format field of the WebSphere Information section, select the LTPA token formats to be supported by Domino:
- LtpaToken - LTPAv1 only
- LtpaToken2 - LTPAv2 only
- LtpaToken and LtpaToken2 - both LTPAv1 and LTPAv2 formats are supported.
-
-
-
-
-
-
-
- With this last option selected, both tokens are created, but the token returned to the client is determined by the TOKEN_TYPE_TO_RETURN flag under the AuthToken section of the Sametime.ini file. The default value is LTPA, which returns the LTPAv1 token. Changing the value to LTPA2 results in the LTPAv2 token being returned instead.
7. Click Save and Close.
Now Configure the Sametime Community Server so that LtpaToken gets set by the Sametime Proxy Web client instead of the Sametime token:
1. Log in to the Sametime System Console as the Sametime administrator.
2. Click Sametime Servers --- Sametime Community Servers.
3. In the list of Community Servers, click the name of a Sametime Community Server, to open its Configuration page.
4. Click the Community Services tab (see figure 7).
Figure 7. Community Servers tab
5. At the bottom of the "General" section, for the “Select the authentication type that users can use while logging into the community server” option, select the LTPA only radio button.
6. Restart the Domino server to put your changes into effect.
Making a junction from TAM to the Sametime server
1. First, make sure your Tivoli Access Manager packages are configured properly, as shown in figure 8.
Figure 8. Access Manager Configuration window
2. Go to your TAM server and log in to the PDADMIN command line utility by opening a command prompt window and typing “pdadmin” (see figure 9).
Figure 9. Command prompt window
3. Log in as Policy Server admin (see figure 10):
- Type “login” and then press Enter.
- Type “Sec_master” and then press Enter.
- Key in the sec_master password and then press Enter
Figure 10. Log in as Policy Server admin
Creating junctions for Sametime servers
For the Sametime Meeting and Sametime Proxy Servers, create the following transparent path junctions:
Junctions for Sametime Proxy Server:
/stwebclient
/stwebapi
/stwebav
/stbaseapi
Junctions for Sametime Meetings Server:
/stmeetings
/rtc
/userinfo
/DocumentShare
/AppShare
/admin
/summary
/rtcauth
Junctions for Sametime Community Server:
/CommunityCBR
/sametime
/stconf.nsf
/STsrc.nsf
/stcenter.nsf
/icons
Syntax:
server task <WEBSEAL-INSTANCE-NAME> create -t <CONNECTION-PROTOCOL> -h <SAMETIME-SERVER-NAME> -p <SAMETIME-SERVER-PORT> -i -x -f -A -F <LTPA-TOKEN-NAME> -Z <LTPA-TOKEN-PASSWORD> /<JUNCTION-NAME>
where:
- WEBSEAL-INSTANCE-NAME is the instance name of your policy server. You can find it by using pdadmin command “server list”
- CONNECTION-PROTOCOL is TCP or SSL
- SAMETIME-SERVER-NAME is sametime server full DNS name
- SAMETIME-SERVER-PORTis the port sametime server use
- LTPA-TOKEN-NAME is the path of your LTPA key location. for example, C:\
- LTPA-TOKEN-PASSWORD is the LTPA Password you created in Sametime Console Server
- JUNCTION-NAME is the Web address path
Example for Sametime Proxy Server junction:
server task default-webseald--server create -t tcp -h stproxy.ibm.com -p 9080 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /stwebclient
server task default-webseald--server create -t tcp -h stproxy.ibm.com -p 9080 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /stwebapi
server task default-webseald--server create -t tcp -h stproxy.ibm.com -p 9080 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /stwebav
server task default-webseald--server create -t tcp -h stproxy.ibm.com -p 9080 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /stbaseapi
Example for Sametime Meeting Server:
server task default-webseald--server create -t tcp -h stmeetings.ibm.com -p 9080 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /stmeetings
server task default-webseald--server create -t tcp -h stmeetings.ibm.com -p 9080 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /rtc
server task default-webseald--server create -t tcp -h stmeetings.ibm.com -p 9080 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /userinfo
server task default-webseald--server create -t tcp -h stmeetings.ibm.com -p 9080 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /DocumentShare
server task default-webseald--server create -t tcp -h stmeetings.ibm.com -p 9080 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /AppShare
server task default-webseald--server create -t tcp -h stmeetings.ibm.com -p 9080 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /admin
server task default-webseald--server create -t tcp -h stmeetings.ibm.com -p 9080 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /summary
server task default-webseald--server create -t tcp -h stmeetings.ibm.com -p 9080 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /rtcauth
WebSeal configuration for password protected Meeting Rooms:
When entering a Meeting room that is password protected under normal conditions the user should receive an authentication challenge for a meeting room password prior to entering the room. When accessing Meetings through a TAM WebSeal however this authentication challenge may not be presented to the client (webclient or mobile client) with the existing WebSeal configuration. After the client request goes through the WebSeal to the junction server (Meetings), the junction server responds but WebSeal may not handle the response for the authentication challenge for the Meeting room, and may throw an error such as HTTP 500, or internal server error.
To resolve:
Modify the /rtc junction for Meetings. Change the /rtc junction to forward original client BA header information ("-b ignore" switch when creating the junction)
Basic authentication mode should be changed from 'filter' to 'ignore'
e.g.
Junction point: /rtc
Type: SSL
Junction hard limit: 0 - using global value
Junction soft limit: 0 - using global value
Active worker threads: 2
Basic authentication mode: ignore
Forms based SSO: disabled
TFIM junction SSO: no
Authentication HTTP header: do not insert
:
With this configuration change the user should receive an authentication challenge for the room password to enter the Meeting room successfully.
Sametime Community Server (STILL STANDARD JUNCTIONS):
server task <default-webseald--server> create -t tcp -h <CommunityServer> -p 80 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /CommunityCBR
server task <default-webseald--server> create -t tcp -h <CommunityServer> -p 80 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /sametime
server task <default-webseald--server> create -t tcp -h <CommunityServer> -p 80 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /stconf.nsf
server task <default-webseald--server> create -t tcp -h <CommunityServer> -p 80 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /Stsrc.nsf
server task <default-webseald--server> create -t tcp -h <CommunityServer> -p 80 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /stcenter.nsf
server task <default-webseald--server> create -t tcp -h <CommunityServer> -p 80 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /icons
Creating an ACL
After creating the junctions, keep the PDadmin utility open. We need to create an Access Control List (ACL) to override the WebSeal default in ACL for certain URIs
Here are the steps to create a Sametime default ACL:
1. Create an ACL called st-default-acl:
acl create <st-default-acl>
2. Then change the attributes for different user groups:
acl modify <st-default-acl> set user sec_master TcmdbsvaBRlrx
acl modify <st-default-acl> set any-other Tmdrx
acl modify <st-default-acl> set unauthenticated T
acl modify <st-default-acl> set group iv-admin TcmdbsvaBRrxl
acl modify <st-default-acl> set group webseal-servers Tgmdbsrxl
Attaching the new Access Control List to the junctions
Now we can attach the newly created ACL to the following objects on the WebSEAL Server, using this syntax:
acl attach /WEBSEAL/<WEBSEAL-INSTANCE>/<OBJECT> <st-default-acl>
For Sametime Proxy Server ACL:
/stbaseapi
/stwebclient
/stwebav
/stwebapi
For Sametime Meeting Server ACL:
/stmeetings
/rtc
Example:
acl attach /WebSEAL/server-default/stbaseapi st-default-acl
acl attach /WebSEAL/server-default/stwebclient st-default-acl
acl attach /WebSEAL/server-default/stwebav st-default-acl
acl attach /WebSEAL/server-default/stwebapi st-default-acl
acl attach /WebSEAL/server-default/stmeetings st-default-acl
acl attach /WebSEAL/server-default/rtc st-default-acl
Conclusion
You should now have a good idea of how to configure IBM TAM for Sametime Community Server, Meeting Server, Proxy Server, Media Manager, Advanced Server, and the Connect client, using TAM with the Sametime System Console as the authentication server.
Tell us what you think
Please visit this link to take a one-question survey about this article: http://www.surveymonkey.com/s/9Q6ZKGN
Resources
developerWorks® Sametime product page:
http://www.ibm.com/developerworks/lotus/products/instantmessaging/
Sametime Forum:
http://www-10.lotus.com/ldd/stforum.nsf?OpenDatabase
Sametime product documentation:
http://www-10.lotus.com/ldd/stwiki.nsf/xpViewCategories.xsp?lookupName=Product%20Documentation
About the authors
Naveed Yousuf is a Software Engineer working on various teams at IBM's Dublin Software Lab since 1999. He has worked with the Sametime Systems Verification Test (SVT) team for the past four years, focusing on integration and interoperability across Sametime products. You can reach him at
naveed_yousuf@ie.ibm.com.
Pat Curtin is a Software Engineer working on various teams at IBM's Dublin Software Lab since 1999. He works with the Lotus SVT team, focusing on integration and interoperability across Lotus products. You can reach him at
PCURTIN@ie.ibm.com.
Tony Payne has worked as an IBM Sametime Software Engineer for 12 years, with a focus / special attention on cross-product interoperability and security architecture, and working on Level 3 Customer Support for the past two years. You can reach him at
tony_payne@us.ibm.com.