ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What you NEED to know!

ID304 Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What you NEED to know! Jay Boyd | Lotus Connections Team Lead | IBM Luis Benitez | Social Software Product Manager | IBM

Who we are

Tweet Away

Agenda
Options for Securing Lotus Connections
SSO
New User Life Cycle Options in 3.0
Q&A

Not ideal security... Photo credit: http://www.flickr.com/photos/fboyd/2494909325/

Securing Lotus Connections
Lotus Connections has tons of security options
Virus Scanning
SSL (even forced!)
Forced Authentication
Filtering active content
MIME control
and...
Photo credit: http://www.flickr.com/photos/juanpol/2704542/

Agenda
SSO
Q&A

Single Sign On
My favorite
Improves usability
Great for adoption
Photo credit: http://commons.wikimedia.org/wiki/File:Single_sign_on_aproaches.png

What's supported
SSO
… with Domino apps (of course!)
… with WebSphere apps (any doubt?)
… with Quickr J/D (go go Gadget docs)
… with Sametime (duh!)
… via Tivoli Access Manager 6.1.1
… via CA's Siteminder 6.0
… via SPNEGO
Portlets are an exception :(

Single Sign On: Connections 3.0 Options
SSO allows a user to authenticate once and then use other systems that are within the same authentication configuration without providing userid/password authentication subsequent times.
LTPA (WebSphere default)
SPNEGO
TAM (Form Based Auth, Transparent Junctions, LTPA)
SiteMinder (FBA, ASA/WebAgent)
TAM/SPNEGO
Except with LTPA, authentication is forced, there is no anonymous access

Cookies are key with most SSO options (these are not your mother's Cookies)
Cookies
Textual information consisting of Name/Value pairs
Usually used to provide State in an otherwise Stateless protocol (HTTP)
Domain and Path determine when Cookies are included with an HTTP Request
SPNEGO uses Security tokens in the HTTP Header with every request

Single Sign On: LTPA
Lightweight Third-Party Authentication
IBM proprietary, supported by IBM products such as WebSphere and Domino
Represented as Cookies called LtpaToken (older format, not on by default in WAS7, Domino requires version1) or LtpaToken2, value is encrypted
UserID
Authentication Realm
Authentication Expiration Time
Important to use both of these if integrating with Domino and Portal

Single Sign On: Keys to successful LTPA Configuration
All participating Servers:
Same Authentication Realm (correlates to Cookie domain)
Synchronized system time
Identical LDAP configuration (WAS Federated Repository)
Share the same LTPA keys
Servers should use FQDN
“ipconfig/all” or “hostname” / “domainname” commands should show FQDN

Single Sign On: Troubleshooting LTPA
Verify SSO Domain name
Verify Servers are within the same domain (or a subdomain)
Verify Servers imported the same LTPA Key

Single Sign On: Troubleshooting LTPA
Ensure authentication expiration is consistent
Ensure auto generation is off

Simple Connections Deployment

Connections Enterprise Deployment

Single Sign On: TAM

Single Sign On: TAM
TAM 6.1.1
TAM Form Based Auth, Transparent Junctions, LTPA
Yes, the configuration is complex and there are a ton of security realms
Yes, the Delete Action must be configured
TAM acts as a Reverse Proxy; don't forget to enable dynamicHosts in LotusConnections-config.xml
Cookies: PD-H-SESSION-ID & PD-S-SESSION-ID

Single Sign On: TAM
TAM acts as a reverse proxy, only forwarding a request for protected URLs once the user is Authenticated.
Very specific configuration:
Form Based Authentication
Transparent Junction
LTPA authentication
“ Anonymous Access” ACL’s pass through for all ATOM url patterns
Test with a browser - - feeds that require authentication should prompt for Basic Auth, never TAM Form Authentication
** double check your configuration settings with the Connections 3 Documentation **

Single Sign On: SiteMinder

Single Sign On: SiteMinder
SiteMinder Policy Server 6.0 SP5, SiteMinder ASA 6.0 Agent for WebSphere Application Server (with CR00010 hotfix), and SiteMinder Web Agent v6qmr5-cr035
Yes, the configuration is complex and there are a lot of security realms
Protect Web Applications with FBA
Protect ATOM feeds with BA
Yes, the Delete Action must be configured
Cookies: SMSESSION
Watch for PERL script to be posted that creates realms

Configuration is hard, we feel your pain :(
Single Sign On configuration is hard
Scripts are needed to automate Configuration
Perl
Detailed examples help (Prescriptive Deployment scenarios)
http://www-10.lotus.com/ldd/lcwiki.nsf/xpViewCategories.xsp?lookupName=Deployments
TAM and SiteMinder SSO Validation Wizard is available!

Single Sign On: SPNEGO

Simple and Protected GSSAPI Negotiation Mechanism
Generic Security Services Application Program Interface
Most notable implementations are Kerberos based
Used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports.
Most wide use is Microsoft's Integrated Windows Authentication
Kerberos
NTLM

Client & Server perform negotiation, determining the preferred algorithm to use
On 1 st request browser gets back a 401, Headers indicate “Authorization: Negotiate”
If capable, Client & Server agree on protocol and on every subsequent request the client infrastructure generates a new security token that is included in the header

Single Sign On: Troubleshooting SPNEGO
Configuring SPNEGO can be difficult
Install Connections First, verify, then configure SPNEGO
Follow base WebSphere documentation and use standard SNOOP application to verify your configuration.
http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/rsec_SPNEGO_troubles.html

Connections Server to Server Communication & SSO
Server to Server Communication
Obtaining User information from Profiles (WPI)
Obtaining Membership information from Communities (WCI)
Community Life Cycle
Search Indexing
All communication is authenticated and uses HTTP
Interservice URL vs Service URL
LotusConnections-config.xml: customAuth element specifies authentication type

Connections Server to Server Communication & SSO

Connections Server to Server Communication & SSO – Alternative Inter Service Configuration

SSO: LotusConnections-config.xml

Agenda
SSO
Q&A

Why we need this
Listened to many customers
Heard of situations where
Maternity / Paternity Leave
Leave of Absence (Education, Military, etc)
Left the company
Etc

Why we need this (cont'd)
In 2.5, we had profile types
Required manual work via TDI
No need to re-invent the wheel!
Wanted to simplify this process for everyone
Photo credit: http://www.dehats.com/drupal/?q=node/69

Tivoli Directory Integrator: Keeping Profiles in Sync
TDI assembly line: connectors, flow controls, loops, branches
Supports two-way synchronization on LDAP attributes
Hooks enable scripting and customization
Use it for
Initial population
Frequent updates
3.0 Introduces Inactive Users!!!

Data Integrity – don't delete old data
If you delete a user, you lose authorship information and data consistency
Don't delete the data, let your TDI assembly line inactivate the user

Profiles Platform Commands
Drive administrative events from a single application
Provides a framework for future unified commands
User Life Cycle should be preceded by name synchronization in each Application
Each application maintains its own user mapping table in the application database and it needs to be synchronized with LDAP, inactivating users not found in LDAP
Inactivating clears the user's login ids & email.
Frequent periodic TDI Sync can be created to automatically mark users inactive
Profiles propagates the command to inactivate a user across all components
Administrator can re-activate users

Initial Synchronization
wsadmin command session
[root@tapstage bin]# ./wsadmin.sh -lang jython wsadmin> execfile("activitiesAdmin.py") Connecting to WebSphere:name=ActivitiesAdminService,type=LotusConnections, cell=tapstageCell01 ,
Synchronize users
Wsadmin> ActivitiesMemberService.syncAllMembersByExtId(...) syncAllMembersByExtId request processed wsadmin>

Check the logs....
Locate the log file on the node specified when you started the WSADMIN command
/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/clusterA_server1/ActivitiesUlcSyncCmd.log
Typical log messages about users that are not found and are Inactivated
[2010-12-21 07:34:32] CLFWY0261I: The synchronize command inactivated member Betsy Craig [current external id: b5bd83c0-8f09-1028-910f-db07163b51b2, application id 001G091E0E4B47BEF6967B3131AD59003CD0]

Resolving user mismatches
Mismatch Needs investigation
[2010-12-21 07:34:31] CLFWY0242W: The synchronize command found that active member Benjamin Button [current external id: LDAP_ID , application id LC_ID ] could not be matched via external id, but could be matched via login or email to external id NEW_LDAP_ID . The member was not updated since this action was disabled by the command.
Review the information from HR systems about the user identified by external id NEW_LDAP_ID and determine if this entry matches Benjamin Button or if the person has left the company.

Resolving user mismatches (continued)
If the User has left, inactivate:
ActivitiesMemberService.inactivateMemberByExtId(" LDAP_ID ”)
If Old and New ids reflect the same person, synchronize the user accounts
ActivitiesMemberService.syncMemberByExtId(" OLD_LDAP_ID ”, {" newExtId ": " NEW_LDAP_ID "})
Good details here:
http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Synchronizing_user_data_using_administrative_commands_lc3

Agenda
SSO
Q&A

Related Sessions
JMP205 IBM Lotus Connections 3.0 Administration Overview Sunday, 1:30pm
SHOW202 Enterprise 2.0 Hero: A Beginner’s Guide to Installing IBM Lotus Connections 3.0 Monday, 4:30pm
SHOW203 Lotus Connections 3.0 – Enterprise Integration for Administrators Sunday, 4:00pm
BP105 Twelve MORE Things Your Mother Never Told You About Deploying IBM Lotus Connections 3.0 Thursday, 10am
BP114 IBM Lotus Connections Administration: From the Command Line to a Graphical UI Tuesday, 4:45pm
BP303 Social Comes to You: How to Bring IBM Lotus Connections to Your Application in Context! Wednesday, 11:15am
INV111 Making Decisions Collaboratively with Cognos Business Intelligence and IBM Lotus Connections Tuesday, 10am
AD303 Connecting Developers and Community with Rational Jazz and Lotus Connections Tuesday, 1:30pm
AD304 Customizing Lotus Connections 3.0 Tuesday 10am
ID301 What's New in IBM Lotus Connections 3.0 Monday, repeats on Tuesday, 11am
ID302 Best Practices for a Happy and Healthy IBM Lotus Connections Deployment! Tuesday, 1:30
ID303 Exceptional Work Experience - Integrating and Extending Lotus Connections, WebSphere Portal, Lotus Quickr, Lotus Notes, Lotus Sametime and ECM Monday, 11am
ID305 Build Large-scale Performing Enterprise Solutions for IBM Lotus Connections Tuesday, 4:45
ID306 Compliance and Moderation with Lotus Connections 3.0 Wednesday, 4:15

References
V3 System Requirements: http://www-01.ibm.com/support/docview.wss?uid=swg27019882
V3 Single Sign On: http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Configuring_single_signon_lc3
All about security in v3: http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Security_lc3
Configuring Siteminder with Lotus Connections 3.0: http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Scenario_3_Setting_up_SiteMinder_Single_Sign-On_(SSO)_with_Lotus_Connections_3.0
Use caution with the version 2.5 guides – concepts remain the same, but details may have changed in some cases:
Lotus Connections 2.5 and Kerberos/SPNEGO: http://www.ibm.com/developerworks/lotus/library/connections-kerberos/index.html
Configuring IBM TAM with Lotus Connections 2.5: http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Configuring_IBM_Tivoli_Access_Manager_SSO_for_IBM_Lotus_Connections_2.5
Lotus Connections 2.5 Security Guidelines: http://www-10.lotus.com/ldd/lcwiki.nsf/dx/IBM_Lotus_Connections_2.5_secure_configuration_guidelines

Legal Disclaimer © IBM Corporation 2011. All Rights Reserved. The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. IBM, the IBM logo, Lotus, Lotus Connections, Lotus Notes, Notes, Domino, Quickr, Sametime, WebSphere, UC2, PartnerWorld and Lotusphere are trademarks of International Business Machines Corporation in the United States, other countries, or both. Unyte is a trademark of WebDialogs, Inc., in the United States, other countries, or both. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others. All references to Renovations refer to a fictitious company and are used for illustration purposes only.

http://www.lbenitez.com	96
http://3eblogg.wordpress.com	28
http://www.genusllc.com	17
http://static.slidesharecdn.com	7
http://www.slideshare.net	2
http://planetlotus.org	1
http://twitter.com	1
https://3eblogg.wordpress.com	1
url_unknown	1
http://translate.googleusercontent.com	1
http://paper.li	1

ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What you NEED to know!

by Luis Benitez

Accessibility

Categories

Upload Details

Usage Rights

11 Embeds 156

Statistics