Summary of the content on page No. 1
RSA ClearTrust Ready Implementation Guide
for Portal Servers and Web-Based Applications
Last Modified March 15, 2005
1. Partner Information
Partner Name: IBM Corporation
Web Site: www.ibm.com
Product Name: IBM Lotus Team Workplace
Version & Platform: 6.5.1, Windows 2003 Enterprise
Product Description: IBM Lotus Team Workplace (QuickPlace) is a business-ready, self-service work space expressly designed for team collaboration. With Lotus Team Workplace, users can instantly create secu
Summary of the content on page No. 2
3. Solution Summary
Feature: Details
Use UserID for SSO: Yes
Use UserID for Personalization: Yes
Recognize Authentication Type: No
API-level Authorization Support (RuntimeAPI): No
User Management (AdminAPI): No
4. Integration Overview
To achieve single sign-on with Lotus Team Workplace, the RSA ClearTrust Agent for Domino is installed on the Domino server. The agent is then configured to protect all Team Workplace pages, as well as any other desired pages. The Domino server is
Summary of the content on page No. 3
5. Product Requirements
Hardware requirements
Component Name: Lotus Domino
Memory: 256Mb
Hard Drive: 1Gb (1.5Gb recommended)
Software requirements
Component Name: Lotus Domino
Operating System and Version (Patch-level):
AIX 5.1, 5.2
OS/400 VSR1, VSR2, i5OS VSR3
Windows 2000 Server, Advanced Server
Windows 2003 Server, Enterprise
Solaris 8, 9
Red Hat Enterprise Linux 2.1
Component Name: Lotus Team Workplace
Operating System and Version (Patch-level):
AIX 5.1, 5.2
OS/400 VSR1, VSR2, i5OS
Summary of the content on page No. 4
6. Product Configuration
This section provides instructions for integrating the partner's product with RSA ClearTrust. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both a working knowledge of the two products, sufficient to perform the tasks outlined in this section, and access to the documentation for both in order to install the required software components. All products/components, including the ClearTrust servers and Entitleme
Summary of the content on page No. 5
Also, be sure to select the Web Browsers (HTTP services) option, since it is not selected by default. After this configuration process ends, start your Domino server and ensure that it starts up correctly. You should also use the admin.id file created above to administer the server from a Domino Administrator.
Summary of the content on page No. 6
Installation & Configuration of the RSA ClearTrust Agent for Domino
Before beginning installation of the RSA ClearTrust Agent, stop the Domino server. Then start the agent setup program. Ensure that the agent detects the correct installation directory for Domino. Make sure that the SSL settings entered in this process match the settings in your RSA ClearTrust servers' configuration files. For more information, consult the RSA ClearTrust Agent for Domino's Installation & Configuratio
Summary of the content on page No. 7
Disable ClearTrust DSAPI Filter
Note: There is a known issue with authenticating via the QuickPlaceLoginForm while the agent is installed. While using RSA ClearTrust Agent v4.6 for Domino, authenticating a user via QuickPlaceLoginForm may cause the Domino server to exit. See Known Issues for more information.
Because of this issue, disable the RSA ClearTrust DSAPI filter for further configuration (it will be re-enabled later). To do this, start the Domino Administrator, and open up th
Summary of the content on page No. 8
Enable Domino SSO
Once the server restarts, start configuring the LTWP installation.
• Create a Web SSO Configuration document, or add the LTWP server to an existing one. When creating the SSO document, this guide used a Domino SSO Key.
• Create a mapping form to map authentication to the QuickPlaceLoginForm.
• Restart the server.
1. Use the Domino Administrator and open the hub server:
a. Select the Configuration tab.
b. In the navigation pane, choose Server.
c. Click the Web
Summary of the content on page No. 9
2. In the SSO Configuration document, make the following entries:
a. Select LtpaToken.
b. Leave the Organization field empty.
c. Select and add all of the servers from the directory to the Domino Server Names field (this uses the proper hierarchical name for each server).
d. Enter the Internet domain that all of your servers share (you should precede this name with a leading period; Domino 6 will insert it when the document is saved if you forget).
e. Select Keys from the action ba
Summary of the content on page No. 10
3. Open each Server document and make the following changes to the Internet Protocols - Domino Web Engine tab:
a. Session authentication: Multiple Servers (SSO)
b. Web SSO Configuration: LtpaToken
c. Then click Save and Close.
4. Open domcfg.nsf. If domcfg.nsf does not exist, you will need to create it. See the Domino documentation for information on how to do this.
Summary of the content on page No. 11
5. Create a mapping form to map authentication to the QuickPlaceLoginForm.
a. Applies To: All Web Sites/Entire Server
b. Target Database: QuickPlace/resources.nsf
c. Target Form: QuickPlaceLoginForm
d. Then click Save and Close.
6. Open the notes.ini file located in the Domino install directory and add the following parameter:
QuickPlaceUseDSAPIDNs=1
7. Restart both servers.
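A pre-flight check for steps 2d and 6 above, as an added example that is not part of the RSA guide: it confirms that notes.ini carries QuickPlaceUseDSAPIDNs=1 and that every server hostname falls under the SSO Internet domain, since a browser only sends the LtpaToken cookie to hosts inside that domain. The hostnames, domain and notes.ini contents are constructed sample values, and the function names are hypothetical.

```python
# Added example: sanity checks for the Domino SSO configuration steps.
# All sample data below is constructed for illustration.

SAMPLE_INI = "[Notes]\nKitType=2\nQuickPlaceUseDSAPIDNs=1\n"
SAMPLE_HOSTS = ["hub.example.com", "ltwp.example.com"]


def parse_notes_ini(text):
    """Return notes.ini settings as a dict keyed by lower-cased name."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line:          # section header or blank line
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def normalize_sso_domain(domain):
    """Lower-case the domain and add the leading period from step 2d."""
    d = domain.strip().lower().rstrip(".")
    return d if d.startswith(".") else "." + d


def hosts_outside_domain(hosts, domain):
    """List hostnames that the SSO cookie domain does not cover."""
    dom = normalize_sso_domain(domain)
    # Prefixing "." lets the bare domain match while rejecting
    # look-alikes such as evil-example.com for .example.com.
    return [h for h in hosts
            if not ("." + h.strip().lower().rstrip(".")).endswith(dom)]


def preflight(notes_ini_text, sso_domain, hosts):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    if parse_notes_ini(notes_ini_text).get("quickplaceusedsapidns") != "1":
        findings.append("notes.ini: QuickPlaceUseDSAPIDNs=1 is not set")
    dom = normalize_sso_domain(sso_domain)
    if dom.count(".") < 2:
        findings.append(f"SSO domain {dom} is a single label; browsers "
                        "reject cookies scoped that broadly")
    for host in hosts_outside_domain(hosts, sso_domain):
        findings.append(f"{host} is outside {dom}; browsers will not "
                        "send it the LtpaToken cookie")
    return findings


if __name__ == "__main__":
    for finding in preflight(SAMPLE_INI, "example.com", SAMPLE_HOSTS):
        print(finding)
```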
Summary of the content on page No. 12
Point Team Workplace at Domino User Store
Open the LTWP home page in a browser, and log in as the LTWP administrator created during installation. Under Server Settings, select User Directory, then Change Directory. Select Domino Server as the type, and point it at your Domino server. Then choose to disallow new users. Save your changes, and log out of LTWP. This is necessary so that LTWP will pick up the Domino users. By default, LTWP uses Cloudscape as its user repository. To ease the
Summary of the content on page No. 13
Cleaning Up
Now, re-insert the ClearTrust DSAPI filter in the server document. Then restart the server one last time.
Note: The RSA ClearTrust DSAPI filter should be the last filter in the list. Authentication will not behave correctly otherwise.
Testing the Setup
When Domino starts, you should be able to see startup notices for the LTWP and RSA ClearTrust DSAPI filters. Note that the LTWP message will show up as QuickPlace. Using the RSA ClearTrust Entitlements Manager, create entr
Summary of the content on page No. 14
From a new browser, browse to http://servername.domainname. You should see the Domino homepage. Then go to /homepage.nsf, which should show you the same page, after authentication via RSA ClearTrust. When you navigate from there to the QuickPlace home page (/QuickPlace), you can see that you are automatically recognized by the RSA ClearTrust agent.
Summary of the content on page No. 15
As a last check, navigate to the web administration database (/webadmin.nsf). You will notice that even though the web admin database is protected by Domino, and not by RSA ClearTrust, the Domino agent supplies the credentials to Domino's native authentication, and the user is recognized from his RSA ClearTrust SSO cookie.
Summary of the content on page No. 16
7. Certification Checklist for Portal Servers and Web-Based Apps
Date Tested: February 7, 2005
Product Tested: Version
RSA ClearTrust: 5.5.2, 5.5.3
Team Workplace: 6.5.1
Domino: 6.5.1IF1, 6.5.2, 6.5.3
ClearTrust Agent for Domino: 4.6
Test Case: Result
Product Characteristics for SSO Support
Application/Portal is web-based, and supports access by a standard HTTP-based browser: P
Application/Portal runs on Web Server Platform supported by RSA ClearTrust: P
Application/Portal l
Summary of the content on page No. 17
8. Known Issues
Authentication Via QuickPlaceLoginForm May Cause Domino Server Exit
While using RSA ClearTrust Agent v4.6 for Domino, authenticating a user via QuickPlaceLoginForm when the ClearTrust DSAPI filter is in place may cause the Domino server to exit. There is a fix available for this behavior from RSA technical support. To obtain it, ask for RSA ClearTrust Agent Hotfix 4.6.0.17. This issue can also be worked around by deleting the login mapping created in the Web Configu