Quickr Domino – Master Class


IBM® Lotus® Domino™ Quickr™
Planning Optimal Deployments (SiteMinder integration)
Quickr Domino – Master Class
Abdelghafour Saidi, Quickr Domino EMEA SEAL

Legal Disclaimer © 2009 IBM Corporation. All Rights Reserved. The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Quickr, Sametime, and Lotusphere are trademarks of International Business Machines Corporation in the United States, other countries, or both. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both. 
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others. All references to Renovations refer to a fictitious company and are used for illustration purposes only.

Agenda
- Quick overview of SiteMinder and integration with Domino
- Deployment topology for the exercise
- SiteMinder policy server configuration
  - Overview of the configuration, including the rules required for proper Quickr access
- Webagent (lab exercise)
  - Webagent install and configuration
- Domino and Quickr configuration for SiteMinder integration (lab exercise)
  - notes.ini settings
  - webagent.conf settings
  - qpconfig.xml settings
  - Enabling Directory assistance
  - names.nsf settings
- Other integration scenarios
  - Using Domino for user lookup
- Troubleshooting
- Questions & Wrap-up

Quick overview of SiteMinder
SiteMinder is a directory-enabled, standards-based system that can help you work with heterogeneous Web and application servers, operating systems, and application development platforms. SiteMinder includes two key components in its infrastructure for implementing SSO:
- The Policy Server. Rules and other related information about directory, users, and resources are stored here.
- The webagent. This is the software installed on the Web server or application server that implements SSO.

SiteMinder integration with Domino
Domino provides authentication for HTTP-based access via the C API and DSAPI (Domino Server API). The following diagram illustrates the use of DSAPI to support custom authentication.
DSAPI is implemented as a shared library (a DLL file on Windows 2000/NT or a shared object on UNIX/Linux) that is registered and invoked by the Domino HTTP process. There are key events associated with the HTTP task, and these events are overridden by the custom code in the DSAPI. Because DSAPI is in effect replacing the Domino authentication model
There are three key components to SiteMinder in the Domino world:
- SiteMinder Policy Server
- LDAP Directory
- WebAgent DSAPI Plugin

SiteMinder and integration with Domino
The Netegrity SiteMinder webagent for Domino is implemented as a DSAPI filter. SiteMinder implements SSO by issuing an SMSession cookie for the user session. Any other Web or application server configured to work within the SiteMinder environment can validate the credentials within the cookie and authenticate the associated user. The cookie is encrypted using secret keys.

Lab Exercise Deployment Topology

Lab Exercise ...

SiteMinder policy server configuration (Demo on the policy server)
The Policy Server provides options to determine how the installed webagent should behave. Every webagent should have the following defined on the Policy Server:
- Agent Configuration object: contains information about the IP address or host name of the agent.
- Host Configuration object: contains information about the Policy hosts and Policy Server-related settings.
- Policy Domain: a grouping of related realms, rules, responses, and policies (see the following bullets).
- Realm: defines the resource to protect/unprotect with a definition of the authentication scheme.
- Rule: defines specific Web actions for the protected/unprotected resources. It also allows or denies access.
- Response: an optional feature that defines HTTP headers sent to target Web servers. These can be static or custom built per request.
- User directory: defines a repository of users (predominantly LDAP-based).
- Policy: defines the combination of rule, realm, user directories, and responses.

SiteMinder policy server: creating realms and rules for proper Quickr access
The following realms have to be created:
- Realm1, protecting the “/” resource filter and using the HTML form authentication scheme
- Realm2, protecting the “/dm” resource filter and using the basic authentication scheme
- Realm3, protecting the “/LotusQuickr/lotusquickr/Main.nsf/dm/” resource filter and using the basic authentication scheme
Realm2 and Realm3 are only needed if Realm1 is using HTML forms authentication and connectors are used.
Associate the realms with rules for the actions get, head, post and put.
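The realm layout above can be checked mechanically before the lab. The following is an added example, not part of the presentation; it assumes the realm with the longest matching resource filter decides the authentication scheme, and the request paths and scheme labels are constructed samples.

```python
# Added example (not from the presentation). Models the three realms on the
# slide. Assumption: the realm with the longest matching resource filter
# decides the authentication scheme for a request.
REQUIRED_ACTIONS = {"GET", "HEAD", "POST", "PUT"}  # rule actions named on the slide

REALMS = [
    {"name": "Realm1", "filter": "/", "scheme": "html-form",
     "actions": {"GET", "HEAD", "POST", "PUT"}},
    {"name": "Realm2", "filter": "/dm", "scheme": "basic",
     "actions": {"GET", "HEAD", "POST", "PUT"}},
    {"name": "Realm3", "filter": "/LotusQuickr/lotusquickr/Main.nsf/dm/",
     "scheme": "basic", "actions": {"GET", "HEAD", "POST", "PUT"}},
]

# Constructed sample paths: one browser request and two connector requests.
BROWSER_PATH = "/LotusQuickr/sampleplace/Main.nsf"
CONNECTOR_PATHS = ["/dm/sample", "/LotusQuickr/lotusquickr/Main.nsf/dm/sample"]


def resolve_realm(path, realms):
    """Return the realm whose resource filter is the longest prefix of path."""
    matches = [r for r in realms if path.startswith(r["filter"])]
    return max(matches, key=lambda r: len(r["filter"])) if matches else None


def review(realms, connector_paths=CONNECTOR_PATHS):
    """Return findings; an empty list means the layout matches the slide."""
    findings = []
    for realm in realms:
        missing = REQUIRED_ACTIONS - realm["actions"]
        if missing:
            findings.append(f"{realm['name']}: rule lacks {sorted(missing)}")
    for path in connector_paths:
        realm = resolve_realm(path, realms)
        if realm is None:
            findings.append(f"{path}: no realm matches, resource is unprotected")
        elif realm["scheme"] != "basic":
            findings.append(f"{path}: connector would get {realm['scheme']}, not basic")
    return findings


if __name__ == "__main__":
    print(resolve_realm(BROWSER_PATH, REALMS)["name"])
    print(review(REALMS))       # full layout from the slide
    print(review(REALMS[:1]))   # only Realm1 defined: connector paths get the form
```

Running it with only Realm1 defined reports both connector paths as receiving the HTML form scheme, which is the situation Realm2 and Realm3 exist to prevent.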

SiteMinder webagent install
- Install and configure the SiteMinder webagent on the Domino server.
- Make sure you use the latest version available.
- Follow the wizard (details in the hands-on exercise).

SiteMinder webagent configuration
- Now that the webagent is installed, you can configure it.
- Launch the configuration wizard and follow it (steps in the hands-on exercise).
- All the information you need to enter is specified in the hands-on exercise.

Configure the Domino server to use the DSAPI filter
- Edit the server document and specify the location of the DSAPI filter (DOMINOWebAgent.dll).
- In the notes.ini file, add the entries related to the webagent configuration file location, DSAPI filter, authentication type, and so on.
- On the server, create the directory assistance database, add the external LDAP directory to it, and make sure it's enabled in the server document.
- In the webagent.conf file, add any entries that you want to modify in the local configuration. In our case we will be updating the following configuration entries locally:
  - SkipDominoAuth
  - DominoLookupHeaderforLogin
  - DominoUseHeaderforLogin
  - DominoNormalizeUrls
- Make sure that the web agent is enabled.
- As we have enabled forms for authentication, we need to copy the content of the default forms installed by the webagent to the domino\html directory (see hands-on exercise).
- Edit the qpconfig.xml file and add/modify as defined in the hands-on exercise to allow proper third-party authentication for users with multi-character delimiters.

Using the local Domino directory for user lookup
To use the Domino directory for user lookup, we need to define the external LDAP users in the Domino directory, so any user who needs access to the Quickr resources must have a person document in the Domino directory. Edit the person document in the Domino directory and add the user's full LDAP credential.

Using the local Domino directory for user lookup
This can also be achieved by adding the LDAP user credential to the LTPA user name field under client information on the administration tab.

Troubleshooting

Cannot authenticate and all settings are correct
- Make sure you are using the proper setting for DominoUseHeaderforLookup in the policy server / webagent config file.

Group membership not working on places
Make sure of the following:
- Directory assistance is enabled on the Domino server with the proper LDAP settings.
- QuickPlaceThirdPartyDSAPIAuthentication=1 is enabled in the notes.ini file.
- If using MS AD, qpconfig.xml has the following settings:
  <group>
    <attribute_in_person_record>memberOf</attribute_in_person_record>
  </group>
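The two file-level checks from the group membership item can be scripted. This is an added example, not part of the presentation; the file contents are constructed samples, the `<sample_root>` wrapper is a placeholder rather than the real qpconfig.xml layout, and `audit` and `parse_ini` are hypothetical helper names.

```python
# Added example (not from the presentation): checks the two settings the
# troubleshooting slide names. File contents below are constructed samples.
import xml.etree.ElementTree as ET

GOOD_INI = "[Notes]\nQuickPlaceThirdPartyDSAPIAuthentication=1\n"
BAD_INI = "[Notes]\nQuickPlaceThirdPartyDSAPIAuthentication=0\n"
# <sample_root> is a placeholder wrapper, not the real qpconfig.xml layout.
GOOD_XML = ("<sample_root><group><attribute_in_person_record>memberOf"
            "</attribute_in_person_record></group></sample_root>")
BAD_XML = "<sample_root><group/></sample_root>"


def parse_ini(text):
    """Read KEY=VALUE lines; keys are lower-cased so lookups ignore case."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip():
            settings[key.strip().lower()] = value.strip()
    return settings


def audit(ini_text, qpconfig_text, uses_active_directory):
    """Return findings for the settings named on the troubleshooting slide."""
    findings = []
    if parse_ini(ini_text).get("quickplacethirdpartydsapiauthentication") != "1":
        findings.append("notes.ini: QuickPlaceThirdPartyDSAPIAuthentication=1 missing")
    if uses_active_directory:
        try:
            root = ET.fromstring(qpconfig_text)
        except ET.ParseError as exc:
            # A broken qpconfig.xml is reported instead of crashing the audit.
            findings.append(f"qpconfig.xml: not well-formed ({exc})")
            return findings
        attrs = [(g.findtext("attribute_in_person_record") or "").strip()
                 for g in root.iter("group")]
        if "memberOf" not in attrs:
            findings.append("qpconfig.xml: <group> does not use memberOf")
    return findings


if __name__ == "__main__":
    for finding in audit(BAD_INI, BAD_XML, uses_active_directory=True):
        print(finding)
```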

Getting multiple user access prompts for log on when switching between places
- Make sure QuickPlaceThirdPartyDSAPIAuthentication=1 is enabled in the notes.ini file.

Getting prompted for log on details several times when accessing image resources on the Quickr server
- Make sure that image resources are not protected on the SiteMinder server: SiteMinder agent configuration object dialogue.

Getting an error when accessing Quickr and the SiteMinder authentication form is not displaying
- Make sure that the proper forms have been copied to the web server.

When accessing the server via the Windows Explorer connector you get an error: Authorization failed for [URL]. User ID ([your user id]) or password invalid.
- In the case where "/" is protected with the HTML Form Based Authentication scheme (and not Basic Authentication), this registry key does not get written when accessing the root of the HTTP server.
- When trying to connect to the place, input http://URL/dm instead of http://URL. This results in the registry key being written, and subsequent attempts to access the root will be successful.
- Simply importing the servKey.reg file in the Connectors program directory will not work.

Questions ?