Configuring the IBM® Content Manager server for SSO

Configure the IBM® Content Manager Enterprise Edition server for single sign-on.

Before you begin

These steps assume you have installed HCL Connections, IBM® Content Manager Enterprise Edition, IBM® FileNet® Collaboration Services, and a Lightweight Directory Access Protocol (LDAP) server. They also assume the LDAP server is shared by IBM® Content Manager, IBM® FileNet® Collaboration Services, and HCL Connections.

Procedure

  1. Disable the required password setting:
    1. Start the IBM® Content Manager system administration client.
    2. Click Tools > Manage Database Connection ID > Change Database Shared Connection ID from the menu.
    3. Clear the Password is required for all users logging on to CM check box.
    4. Click OK.
  2. Allow trusted log ons:
    1. In the navigation pane, click Library server parameters > Configurations.
    2. Right-click Library Server Configuration and select Properties.
    3. Set Max user action to Allow logon without warning and select the Allow trusted logon check box.
    4. Click OK.
  3. Set up LDAP user import information:
    1. Log in to the IBM® Content Manager system administration client.
    2. Click Tools > LDAP Configuration from the menu.
    3. Go to the LDAP tab and select the Enable LDAP User import and authentication check box.
    4. To configure the LDAP properties, click the Server panel and enter your LDAP server information.
      Tip: In the WebSphere Administrative Console, the LDAP user registry settings must be configured correctly so that the existing LDAP users are matched by the user filter and can log in to IBM® FileNet® Collaboration Services.

      For example, under Secure administration, applications, and infrastructure > Standalone LDAP registry > Advanced Lightweight Directory Access Protocol (LDAP) user registry settings, if your organization uses sAMAccountName as the User ID value, set User filter to (&(sAMAccountName=%v)(objectcategory=user)) and set User ID map to user:sAMAccountName.

  4. Create privilege set for SSO users:
    1. Log in to the IBM® Content Manager system administration client.
    2. Expand Authorization and click Privilege Sets.
    3. Select AllPrivs privilege set. This privilege set is used as an example. Modify the privilege set information as required.
      Important: Do not clear the SystemSuperDomainAdmin check box.
    4. Right-click and select Copy > Advanced. Enter a name for this privilege set, for example SSOPriv.
    5. In the new privilege set, select AllowTrustedLogon and clear the SystemSuperDomainAdmin check box. This privilege is not required.
    6. Click OK.
  5. Add LDAP users:
    1. Log in to the IBM® Content Manager system administration client.
    2. Expand Authentication.
    3. Right-click and select Users > New.
    4. Set Password expiration to Never expires.
    5. Click LDAP and provide the user name you want to import.
    6. After the names are returned, highlight the name and click OK.
    7. Set Maximum privilege set to SSOPriv, the privilege set that you created in Step 4.
    8. In the Set Default panel, enter the Default item access control list and click OK to create the new SSO user.
    9. Restart the IBM® Content Manager server.
  6. Install the LDAP client to enable LDAP users to log in:
    Note: If the LDAP server is an IBM® Tivoli® Directory Server (ITDS), install the ITDS client on the same machine as IBM® Content Manager.
    1. During the LDAP client installation, select the Java client and C client only.
    2. Add the following paths to the PATH environment variable: C:\IBM\LDAP\V6.1\bin;C:\IBM\LDAP\V6.1\lib;
    3. Copy the DLL file from the C:\Program Files\IBM\db2cmv8\ldap directory to the C:\Program Files\IBM\db2cmv8\cmgmt\ls\icmnlsdb directory.
    4. Restart the LDAP server.
  7. Verify the LDAP setup:
    1. Install the IBM® Content Manager Enterprise Edition Client for Windows®.
    2. Verify that the LDAP user can log in to the IBM® Content Manager server using the client.
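The User filter and User ID map from the tip in Step 3 decide which directory entries are accepted as SSO users. The following added example (not part of this page or of any IBM or HCL product code) fills `%v` with a login name the way a registry would, evaluates the resulting RFC 4515 filter against constructed sample entries, and shows that the `objectcategory=user` clause excludes non-user objects and that escaping `%v` keeps a login name such as `*` from being treated as a wildcard. The entry attribute names and values are assumptions for the demonstration.

```python
import re

# Constructed sample directory entries (attribute names lower-cased); not real data.
SAMPLE_ENTRIES = [
    {"samaccountname": "jdoe", "objectcategory": "user"},
    {"samaccountname": "svc-backup", "objectcategory": "user"},
    {"samaccountname": "WKS01$", "objectcategory": "computer"},
]

def build_user_filter(template, user_id):
    """Substitute the login name for %v, escaping RFC 4515 special characters first."""
    for ch, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29")):
        user_id = user_id.replace(ch, esc)
    return template.replace("%v", user_id)

def _parse(s, i=0):
    """Minimal RFC 4515 parser for &, | and equality items; returns (node, next index)."""
    op = s[i + 1]
    if op in "&|":
        children, i = [], i + 2
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        return (op, children), i + 1
    j = s.index(")", i)
    attr, value = s[i + 1:j].split("=", 1)
    return ("=", attr.lower(), value), j + 1

def _match(node, entry):
    """Evaluate a parsed filter against one entry; attribute values compare case-insensitively."""
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(_match(c, entry) for c in node[1])
    _, attr, value = node
    actual = entry.get(attr)
    if actual is None:
        return False
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return value == "*" or actual.lower() == wanted.lower()

def matching_users(template, user_id, entries=SAMPLE_ENTRIES):
    """sAMAccountName of every entry the filled-in user filter selects for one login name."""
    node, _ = _parse(build_user_filter(template, user_id))
    return [e["samaccountname"] for e in entries if _match(node, e)]

def resolve_user_id(id_map, entry):
    """A 'objectclass:attribute' User ID map names the attribute reported as the user ID."""
    return entry[id_map.split(":", 1)[1].lower()]
```

Run `matching_users` with the page's filter and the login names `jdoe`, `WKS01$` and `*` to see that only the real user entry is returned.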