Enabling single sign-on for Security Access Manager
Configure HCL Connections™ to use single sign-on with Secure Access Manager (formerly Tivoli® Access Manager).
Before you begin
Install the supported version of Security Access Manager (ISAM).
Ensure that you can access the installed Connections applications from a web browser.
Set the IBM® WebSphere® Application Server single sign-on domain to the same value as that of the Secure Access Manager server.
- Connections supports the WebSphere® cookie-based lightweight third-party authentication (LTPA) mechanism as an SSO solution for ISAM. Connections does not support other SSO solutions that WebSEAL supports such as WebSphere® Trust Association Interceptor (TAI), Forms SSO, Cross-domain SSO, or E-community SSO.
- For more information, refer to Security Access Manager knowledge center.
About this task
Single sign-on (SSO) enables users to log in to one application of Connections and switch to other applications and resources without having to authenticate again.
Connections supports the use of encrypted connections Transparent Path junctions with ISAM. Connections does not support TCP type junctions or Standard junctions. This procedure uses a WebSphere® Application Server LTPA key and WebSEAL Transparent Junctions.
To set up SSO using Security Access Manager, complete the following steps:
Procedure
- Use available authentication data when an unprotected URI is accessed: On the Global security page, expand Web and SIP security, and then click General settings. Click Authenticate only when the URI is protected and select Use available authentication data when an unprotected URI is accessed, if it is not already selected. Click Apply and then click OK.
-
Import your HTTP Server certificate into the Security Access Manager keystore. To import the
certificate, complete the following steps:
-
To support SSO with the Lightweight Third-Party Authentication (LTPA) key, the same keys and
passwords must be shared by Security Access Manager and WebSphere® Application Server. To export the keys from WebSphere® Application Server, complete the following steps:
Note: If you have modified your federated repository properties, such as the realm name of the federated repository, re-export your LTPA keys and copy them to the Security Access Manager server, to the same location that you used to create the Security Access Manager junctions. See Step 5 for more details.
-
If you're using Cognos, you must disable the MBean to enable the metrics. In the WebSphere® Application Server Integrated Solutions Console,
click . Then click New to add the following custom property.
com.ibm.websphere.security.disableGetTokenFromMBean=false
-
Use the exported LTPA key to configure the transparent path junctions in Security Access
Manager.
For more information about using the pdadmin command line utility, refer to Server task commands for junctions in the Security Access Manager knowledge center.
-
Create a default Connections ACL to override the default WebSEAL ACL by running the following
commands:
acl create lc3-default-acl
acl modify lc3-default-acl set user sec_master TcmdbsvaBRlrx
acl modify lc3-default-acl set any-other Tmdrx
acl modify lc3-default-acl set unauthenticated T
acl modify lc3-default-acl set group iv-admin TcmdbsvaBRrxl
acl modify lc3-default-acl set group webseal-servers Tgmdbsrxl
- Attach default ACLs to resources that are protected by
form-authentication.
-
Define the unprotected access control list and then attach unprotected resources and resources
that require basic-authentication to it using the pdadmin command line utility, so that Security
Access Manager passes HTTP requests for these resources through to WebSphere® Application Server for authentication.
-
To get the activity stream on the Homepage to display, you must import an encrypted connection
(SSL) certificate from the ISAM server to the nodes.
- Navigate to .
- Restart the Homepage application.
Note: To get the ECM events to appear, the ISAM certs must be imported to the NodeDefaultTrustStore.If the ISAM server and the WebSEAL server are different, you need to import the cert from the WebSEAL server. -
For Connections Content Manager configure an extra set of steps for the FileNet Collaboration
Services:
- To add properties, the administrator needs to edit the
fncs-sitePrefs.properties file, which is located in the FNCS installation
directory, before running the configuration
wizard.Note: For FNCS 2.0.3, the fncs-sitePrefs.properties file is located in <FNCS_HOME>/configure/explodedformat/fncs/WEB-INF/classes/. <FNCS_HOME> is the FNCS installation directory.
- Add the following properties to the fncs-sitePrefs.properties file at the
end of the file after the comments and save it:
fncsServerURL=http://your http url for the TAM and WebSeal proxy fncsServerURLSecure=https://your https url for the TAM and WebSeal proxy icUrl=https://your https url for the TAM and WebSeal proxy
For example:
fncsServerURL=http://webseald.your_domain.com fncsServerURLSecure=https://webseald.your_domain.com icUrl=https://webseald.your_domain.com
- After setting the properties, you must complete the steps in Configuring FileNet Collaboration Services for the Connections Content Manager.
- To add properties, the administrator needs to edit the
fncs-sitePrefs.properties file, which is located in the FNCS installation
directory, before running the configuration
wizard.
-
Specify a dynamic URL pattern to support the Blogs application and mail notification:
-
Configure Security Access Manager to use form-authentication over HTTPS by updating the
webseald-server-name.conf file. Add the following line to
the [forms] stanza:
forms-auth = https
Note: You cannot specify HTTP-only authentication. To specify both HTTP and HTTPS, add the following line: forms-auth = both. -
(Do not complete this step for Security Access Manager with SPNEGO) Add HCL Allow access to the
Embedded Experience gadget by adding the following line to the [ba] stanza in the
webseald-server-name.conf file:
ba-auth = none
- Configure content filtering by adding the following lines
to the webseald-server-name.conf file:
[filter-content-types]
type = text/xml
type = application/atom+xml
[script-filtering]
script-filter = yes
rewrite-absolute-with-absolute = yes
- Configure recognition of double-byte character sets. Update
the webseald-server-name.conf file:
Add the following lines:
decode-query = yes
utf8-qstring-support-enabled = yes
-
Configure Security Access Manager as the reverse proxy for Connections. Update the
webseald-server-name.conf file:
Add the following line to the [server] stanza:
web-host-name = fully-qualified-host-name
Add the following line to the [session] stanza:
use-same-session = yes
-
Configure Security Access Manager to include host information in the HTTP header. Update the
webseald-server-name.conf file:
In the
[header-names]
stanza, add the following line:httphdr{host} = X-Forwarded-Host
Stop and restart your WebSEAL instance.
-
Determine how you want the system to behave when users log out of Connections. By default, when
users click Log out in the SSO environment, they are not fully logged out of
Connections. Edit the HTTP Server httpd.conf configuration file to implement
the post-log out behavior. By default, the file is located in the following directory:
- AIX®: /usr/IBM/HTTPServer/conf
- Linux™: /opt/IBM/HTTPServer/conf
- Windows™: C:\IBM\HTTPServer\conf
To capture requests to /ibm_security_logout and redirect them to /pkmslogout, add the following rewrite rules to the httpd.conf file:
RewriteEngine On
RewriteCond %{REQUEST_URI} /(.*)/ibm_security_logout(.*)
RewriteRule ^/(.*) /pkmslogout [noescape,L,R]
Note: You must add these rules to both the HTTP and HTTPS entries.Ensure that the line that enables mod_rewrite is not commented out by removing the preceding # symbol. For example:
LoadModule rewrite_module modules/mod_rewrite.so
The following example illustrates a typical portion of the httpd.conf file after you have implemented the steps that are described in this step:
RewriteEngine On
RewriteCond %{REQUEST_URI} /(.*)/ibm_security_logout(.*)
RewriteRule ^/(.*) /pkmslogout [noescape,L,R]
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
<IfModule mod_ibm_ssl.c>
Listen 0.0.0.0:443
<VirtualHost *:443>
ServerName connections.example.com
SSLEnable
RewriteEngine On
RewriteCond %{REQUEST_URI} /(.*)/ibm_security_logout(.*)
RewriteRule ^/(.*) /pkmslogout [noescape,L,R]
</VirtualHost>
</IfModule>
SSLDisable
- Add an ErrorDocument 500 statement to the httpd.conf file. This statement appears in the user's browser if a Connections application becomes unavailable.
- Save and close the httpd.conf file.
- Restart HTTP Server.
- The value of the
cookie timeout attribute in the LotusConnections-config.xml file
must be smaller than the values of the timeout and inactive-timeout
attributes in the webseald-server-name.conf file.
Check these values in the [session] stanza of the webseald-server-name.conf file
and edit them if necessary.Note: The values of the timeout parameters in the Security Access Manager configuration file are given in seconds but the CookieTimeout value in the LotusConnections-config.xml file is given in minutes.
Use the following example as a guide:
# Maximum lifetime (in seconds) for an entry in the credential cache
# Setting this to zero allows entries in the cache to fill without expiry until the
# cache contains the number of entries specified by max-entries. After that
# point, entries are expired according to a least recently used algorithm.
timeout = 3600
# Lifetime (in seconds) of inactive entries in the credential cache.
# To disable, set to 0.
inactive-timeout = 600
- Restart your cluster: Stop all application servers and all nodes, and then restart the deployment manager, all the nodes, and all the application servers.