In the simple configuration, IBM Mobile Connect can fill the role of either a reverse proxy or a VPN server. In this section, we walk through the installation and configuration procedures that are documented in the official IBM Mobile Connect product Information Center to install IBM Mobile Connect 6.1.5 on a Windows server in our lab. You can find the official IBM Mobile Connect product Information Center at:
IBM Mobile Connect documentation
Installing IBM Mobile Connect
Use these steps to install IBM Mobile Connect on a Windows system:
1. Launch the installer:
Upon running ConnMgr_615_X86.exe, you see:
2. Accept the license agreement:
Accept the license agreement and click Next
3. Destination Folder:
Accept or change the destination folder where Lotus Mobile Connect will be installed.
4. Ready to Install the Program:
to begin the installation:
5. Acknowledge the virtual adapter device driver:
During the installation, you are informed that the virtual adapter device driver is going to be installed:
6. Continue (Allow the Virtual Adapter installation):
Windows then asks if you want to allow the installation of the virtual adapter. Click Continue Anyway
to complete the installation of IBM Mobile Connect and launch the First Steps screen to begin the process of configuration.
If you want to defer the configuration, you can deselect the Launch option. First Steps can be launched anytime from the Start menu.
Configuring IBM Mobile Connect
After installing IBM Mobile Connect, use the First Steps utility to configure the resources used by the server to provide clientless access to Traveler.
The First Steps panel provides links to three utilities which are used to configure IBM Mobile Connect:
- Database Configuration Wizard
- Key Management utility
These utilities can also be accessed from the Start menu. First Steps is included as a convenient guide and reminder.
When running IBM Mobile Connect on a Windows system, it is necessary to specify the storage mechanism.
1. Run First Steps, either by selecting it at the end of the installation or from the Start menu:
2. Select Database Configuration
IBM Mobile Connect requires a storage mechanism for its configuration and active session table. If desired, this can also be used for storing its accounting and billing information. The options are to use the Local File System, IBM DB2, or Microsoft SQL Server. For a production system, use either DB2 for Linux, UNIX, and Windows or Microsoft SQL Server. To simplify this lab exercise, the Local File System was selected. On Windows, this uses DB2 (a single user version of DB2), which is only available on 32-bit Windows.
Click Database Configuration Wizard
3. In this panel, select the desired storage mechanism. We select Local File System. Click Next
4. Database configuration is complete. Click Done
5. The wizard returns to the First Steps initial screen.
6. Select the Gatekeeper from the menu and click the Gatekeeper link to run the Gatekeeper:
As seen in the figure, Lotus Mobile Connect Gatekeeper comes pre-configured with a profile and administrator, which can be used to perform the initial configuration. Because the administrator password is the same for each new installation, change the passwords.
Initial configuration of IBM Mobile Connect resources
The Gatekeeper is used to configure and administer IBM Mobile Connect. It is a stand-alone utility which can be run on a variety of operating systems (Windows, Linux, and AIX) and does not have to run on the same system as the IBM Mobile Connect server component, which is known as the Connection Manager. If you run the Gatekeeper on a different system, it requires TCP connectivity with the Connection Manager system and a new profile to identify that system.
The first time you run Gatekeeper, it detects that it is the first time and automatically walks you through your initial configuration. It does this by detecting the absence of the file wgated.conf in the Mobile Connect directory. If you ever want to run the initial configuration again, rename or delete that file.
The Gatekeeper includes an excellent set of tips. Whenever you have a question about what to input, put the focus on that field and click Tips
Follow these steps to perform the initial configuration.
1. Run the Gatekeeper to start the configuration. The Login screen opens. You can either log in or edit profile. Click Edit profile
2. Select Add Profile to add a new profile.
3. Enter the Login profile name and either a Host name or IP address, then click OK
4. Log in to the new profile.
5. For the first login, you are presented with an informational window. After reading and closing it, you must configure the Access Manager. This is a server component which acts as the go between for the Gatekeeper and the Connection Manager.
to start the configuration.
6. Take the defaults or change as desired and click Next
7. Choose All for the logging level so that you have complete setup logs. Click Next
8. Select Finish to configure the Access Manager.
9. The next prompt is to change the administrator password. It is advisable to do so.
10. After dealing with the administrator password, you are prompted to create a Connection Manager. This is the primary server component that provides communications between the user devices and Lotus Notes Traveler.
to begin to add the Connection Manager.
11. Enter the values desired and click Next
12. Configuration OUs provide a means of organizing the configuration display but do not change behavior of the system.
Most installations take the default here and click Next
13. Click Finish to complete the Connection Manager.
14. Click Yes to begin the configuration of the HTTP Access service.
15. The Service URL defines the address that a user device uses to access IBM Mobile Connect. It starts with https, which means that an SSL connection will be established. To use SSL, IBM Mobile Connect needs a security certificate. This certificate is provided by using the Key Management utility as described later.
Setting the URL for IBM Mobile Connect, which serves as a front end for Lotus Notes Traveler, has two main considerations:
- IP routing:
For IP routing, the host name in the URL provided to the user device must be resolved into an IP address that gets it to the IBM Mobile Connect system. This can be accomplished either by having the IBM Mobile Connect system own that address or by having your external firewall perform address translation. The port specified is only used once the packet is delivered to the system; therefore, there is no problem with IBM Mobile Connect using 443.
- SSL setup:
For SSL, the IBM Mobile Connect system is the endpoint of the encrypted tunnel that starts at the device. The device never talks directly to Lotus Notes Traveler because all communication flows through IBM Mobile Connect. This means that the host name in the URL used by the device must match the host name in the Service URL configured in the HTTP Access Service and relate to the security certificate on IBM Mobile Connect, as either a full match or by use of a wild card. It also means that communication between IBM Mobile Connect and Lotus Notes Traveler does not have to use SSL.
16. The Application server URL points to Lotus Notes Traveler. Note that the Authentication Profile is listed as System because that is the only one available. Click Next to proceed with the configuration.
17. Accept or change the defaults and click Finish to complete the configuration.
18. Mobile access service is not used by Apple and Android devices, so click No
19. The Connection Manager can manage its own user accounts or use an external authentication server. We chose the latter, so click No
20. Further configuration is needed, so click No
This completes the initial configuration of IBM Mobile Connect. Further configuration is required to simplify authentication.
To enable the IBM Mobile Connect Connection Manager to use the Domino credentials for user authentication, you have to create a Directory Services Server (DSS) that will access the LDAP function of Domino. The DSS is referenced by a new Authentication Profile (AP). Finally, the HTTP Access Service previously defined is modified to make use of the new AP.
1. Create a Directory Services Server:
a. In Gatekeeper on the Resource tab, right-click Mobile Connect -> Add Resource -> Directory server
b. Provide a Common name, the name or address of the server, and Base distinguished name, then click Next
c. If the Domino LDAP function is configured for anonymous bind, Administrator's credentials are not needed.
Enter the values needed and click Next
d. Accept or change the OU configuration and click Finish
2. Create an Authentication Profile.
a. In Gatekeeper on the Resource tab, right-click Mobile Connect -> Add Resource -> Authentication Profile -> LDAP-bind Authentication
b. Provide a Common name and Description, then click Next
c. Select the Directory Server and User key field, then click Next
d. Configure LTPA to enable Single Sign-On (SSO), then click Next
For a complete discussion about SSO, see SSO
e. Accept or change the organization OU and click Finish
3. Modify the HTTP Access Service to use the new Authentication Profile.
a. In Gatekeeper on the Resource tab, right-click http-service0 -> Properties
b. On the Mode tab, change Credential challenge type to HTTP 401 basic authorization challenge and change Authentication Profile to the one just created.
c. On the Lotus Mobility tab, select Enable Lotus Traveler integration and click OK
d. On the General tab, set the maximum number of processing threads.
Note: The number of simultaneous sessions and number of processors are considerations for setting this value. The recommended value for a two-processor system with 1000 simultaneous sessions is 5.
The Key Management utility is used to provide IBM Mobile Connect with a security certificate so that it can establish an SSL connection. Either a self-signed certificate or one acquired from a Certificate Authority can be used. It should be noted that Android devices are known to have problems with self-signed certificates; see Lotus Mobile Installer for Android.
You can run the Key Management utility from either the First Steps window or the Start menu.
1. Run the Key Management utility and open your key database.
The key database needs to be of type CMS. The default provided is http.trusted.kdb which is found in the Connection Manager directory.
2. When you open the key database, you are prompted for its password. The default is trusted
3. To create a self-signed certificate, go to the Personal Certificates section and click New Self-Signed
4. Enter a label and click OK to complete the process.
5. In order to get a certificate from a Certificate Authority, go to Personal Certificate Requests and click New
6. Fill in the label and click OK
7. Click OK and include the created file in the request to the Certificate Authority.
8. When the certificate is received, navigate to the Personal Certificates section and click Receive
For some certificates, you need to receive and import intermediate and signer certificates from the Certificate Authority.
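The SSL setup consideration for the Service URL requires that the host name used by the device be covered by the certificate on IBM Mobile Connect, either as a full match or through a wild card. The following Python check is an added example, not part of the IBM documentation: it compares a Service URL against the DNS names read from a certificate. The function names are hypothetical, the host names are constructed, and the certificate names are assumed to be DNS names supplied as a list.

```python
from urllib.parse import urlsplit


def name_matches(cert_name, host):
    """Match one certificate DNS name against a host name.

    A wild card is honoured only as the entire left-most label and
    stands for exactly one label, so "*.example.com" covers
    "mobile.example.com" but not "example.com" or "a.mobile.example.com".
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        # Reject over-broad names such as "*.com".
        if len(cert_labels) < 3:
            return False
        return cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def check_service_url(service_url, cert_dns_names):
    """Return a list of problems; an empty list means URL and certificate agree."""
    problems = []
    parts = urlsplit(service_url)
    if parts.scheme.lower() != "https":
        problems.append("scheme is not https")
    host = parts.hostname
    if not host:
        problems.append("no host name in URL")
        return problems
    if not any(name_matches(name, host) for name in cert_dns_names):
        problems.append(
            f"{host} not covered by certificate names {cert_dns_names}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from the lab setup.
    cases = [
        ("https://mobile.example.com", ["mobile.example.com"]),
        ("https://mobile.example.com:443", ["*.example.com"]),
        ("https://mobile.example.com", ["traveler.example.com"]),
    ]
    for url, names in cases:
        print(url, names, check_service_url(url, names) or "OK")
```

Running the same check against the host name handed to devices catches a mismatch before a device reports a certificate error.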
Ready To Run
Your Connection Manager is now ready to run. In Gatekeeper on the Resources tab, right-click the Connection Manager resource and select Startup.