You can use SPNEGO to create a secure environment between Connections and your Microsoft™ Exchange or HCL Domino® mail servers. For Domino® servers, it is better to use LTPA.
Procedure

- Complete the following task: Mapping an Active Directory account to administrative roles.
- Complete the following task: Creating a service principal name and keytab file.
- Set up service delegation:
  - In the Active Directory Users and Computers settings, locate the user account for the HCL Connections server that you created in step 4-8 of the previous procedure, Creating a service principal name and keytab file.
  - Double-click the user account to open the Properties window.
  - On the Delegation tab, select Trust this user for delegation to any service (Kerberos only) or Trust this user for delegation to specified services only, and select either option under that.
    Tip: The more secure option is Trust this user for delegation to specified services only.
  - If you choose Trust this user for delegation to specified services only, click the Add button for the Services to which this account can present delegated credentials field, and add the information for Exchange Web Services.
- Complete the following task: Configuring SPNEGO on WebSphere® Application Server.
  Important: In step 11, instead of selecting LTPA, select Kerberos and LTPA authentication.
- Complete the following steps:
  - In the WAS-root/AppServer/profiles/Dmgr01/config/cells/cell-name/LotusConnections-config directory, open the LotusConnections-config.xml file.
  - After the versionStamp element, add the following code:

    <properties>
      <genericProperty name="shindig.properties.override.cre.makeRequest.passCookies">true</genericProperty>
      <genericProperty name="shindig.config.container.overrides">
      {
        "gadgets.sso" : {
          "spnegoDomain" : "exchange1.example.com,exchange2.example.com",
          "cookieDomain" : "domino.example.com",
          "cookieNames" : "LtpaToken,LtpaToken2,iwaSSL,iwaSSL2,Shimmer,ShimmerS"
        }
      }
      </genericProperty>
    </properties>

  - For the spnegoDomain property, enter all domains of mail servers that are secured with SPNEGO. Separate multiple domains with commas (,) and no spaces.
  - Do one of the following:
    - If your environment includes Domino mail servers, for the cookieDomain property, enter all domains for Domino mail servers. Separate multiple domains with commas (,) and no spaces.
    - If your environment does not include Domino mail servers, remove the cookieDomain and cookieNames properties and their values.
  - Save and close the LotusConnections-config.xml file.
- If you are using Domino® servers, complete the following steps:
  - Open the Domino® administrator console.
  - Open the server document for the servers, and click Edit Server.
  - In the Timeouts section, click Internet Protocols - HTTP.
  - Clear the HTTP persistent connection field.
  - Save and close the document.
- Restart your Connections servers.
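As an added example, not HCL's code, the following Python script applies the rules above: it builds the gadgets.sso override (comma-separated domains with no spaces, cookie settings only when Domino servers are present) and inserts the properties element directly after versionStamp. The XML it parses is a constructed minimal stand-in, not the real LotusConnections-config.xml schema.

```python
import json
import xml.etree.ElementTree as ET

# Constructed, minimal stand-in for LotusConnections-config.xml (assumed layout, not the real schema).
SAMPLE_CONFIG = """<config>
  <versionStamp value="20240101"/>
  <sloc:serviceReference xmlns:sloc="urn:example" serviceName="mail"/>
</config>"""

# Cookie names from the page's sample override.
COOKIE_NAMES = "LtpaToken,LtpaToken2,iwaSSL,iwaSSL2,Shimmer,ShimmerS"


def join_domains(domains):
    """Return domains comma-separated with no spaces, as the override requires."""
    cleaned = [d.strip() for d in domains if d.strip()]
    if not cleaned:
        raise ValueError("at least one domain is required")
    if any(" " in d for d in cleaned):
        raise ValueError("domain names must not contain spaces")
    return ",".join(cleaned)


def build_sso_override(spnego_domains, domino_domains=None):
    """Build the shindig.config.container.overrides JSON value.

    cookieDomain and cookieNames are emitted only when Domino mail servers exist,
    matching the instruction to remove them otherwise.
    """
    sso = {"spnegoDomain": join_domains(spnego_domains)}
    if domino_domains:
        sso["cookieDomain"] = join_domains(domino_domains)
        sso["cookieNames"] = COOKIE_NAMES
    return json.dumps({"gadgets.sso": sso})


def add_sso_properties(xml_text, spnego_domains, domino_domains=None):
    """Insert the <properties> element right after versionStamp and return the new XML."""
    root = ET.fromstring(xml_text)
    # Match on the local name so a namespaced versionStamp is also found.
    idx = next(i for i, c in enumerate(root) if c.tag.rsplit("}", 1)[-1] == "versionStamp")
    props = ET.Element("properties")
    pass_cookies = ET.SubElement(props, "genericProperty",
                                 name="shindig.properties.override.cre.makeRequest.passCookies")
    pass_cookies.text = "true"
    overrides = ET.SubElement(props, "genericProperty", name="shindig.config.container.overrides")
    overrides.text = build_sso_override(spnego_domains, domino_domains)
    root.insert(idx + 1, props)
    return ET.tostring(root, encoding="unicode")
```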