SSL setup for Connections 2.5.0.2 integration with Domino Quickr 8.5

Added by IBM contributor Sonya Purcell | Edited by IBM contributor Sonya Purcell on November 22, 2010 | Version 7
Abstract
The objective of this document is to detail the experiences of the IBM System Verification Test (SVT) team when enabling SSL on a Lotus Domino Quickr 8.5 and a Lotus Connections 2.5 configuration.
Tags: 8.5, clustering, installation, Integration, Quickr_Domino_8.5, security, SSL, SSO


Prerequisites
  • SSO is working between the Quickr and Connections servers.
  • Activities, Profiles and Communities work as expected between Quickr and Connections (for example: you can publish from Activities, the person card is shown on the Quickr server, and a community with teamspaces and wikis can be created from the Connections server on Quickr).
  • The IBM HTTP Server is set up and working with Connections.

SSL enablement on Connections
To enable SSL on a Connections server so that it can talk to a Quickr server, there are a number of things to do.
SSL setup for the Connections server

SSL CONFIGURATION

Configuring the IBM HTTP server to accept inbound SSL traffic
You must first configure the IBM HTTP server to accept inbound SSL traffic. To do this, do the following:
1. Create the IBM HTTP server keys.
2. Create a self-signed digital certificate. This is for a test environment only; in production a self-signed certificate would not be used, because it forces every browser and server that connects to accept an identity nobody has verified. Use a certificate issued by a CA the clients already trust instead.
3. Configure the IBM HTTP server to use a certificate.

The following sections explain how to do these tasks.

Creating the IBM HTTP server keys

To create the IBM HTTP server keys, perform the following steps:
1. Create a folder named "keys" on the IBM HTTP server machine under the IHS root directory, for example: IHS_root\ssl\keys.
2. Launch the HTTP server Key Management Utility tool by selecting Start - Programs - IBM HTTP Server - Start Key Management Utility.
3. Select Key Database File - New, and enter the following information (see figure 1):
Key Database Type: CMS key database file
File Name: ihscert.kdb
Location: IHS_root\ssl\keys

Then click OK.

Figure 1. Creating a new key database file




4. At the password prompt (see figure 2), enter a password, and then confirm it.

Figure 2. Password Prompt dialog




5. Uncheck the Set expiration time check box; otherwise the password expires and must be changed after 60 days. That is acceptable in this test environment, but on a live production server an expiration should be set and the password rotated.
6. Select "Stash the password to a file," and click OK. This lets the HTTP server read the password and open the certificates in the key store without prompting. The stash file (.sth) is therefore equivalent to the password: restrict its file permissions so that only the account the HTTP server runs under can read it.
7. If you are creating a self-signed certificate, verify that the following files are now visible in the IHS_root\ssl\keys directory:
ihscert.kdb
ihscert.rdb
ihscert.sth
ihscert.crl

Creating a self-signed digital certificate

To create a self-signed digital certificate, do the following:
1. Launch the HTTP server's Key Management Utility.
2. In the Key database content drop-down, select Signer Certificates. A list of signer certificates appears; these represent the identities of a selection of CAs, and every signer left in this file is a CA the HTTP server will trust when it validates a peer's certificate. (You do not need a CA-signed certificate if you are creating a self-signed certificate.)
3. Optional: Select each signer certificate you do not need and click Delete, then confirm the deletion.
4. Switch to Personal Certificates and select New Self-Signed. Enter the following information, and click OK:
   Field             Value
   Key label         self-signed
   Version           X509 V3
   Key Size          1024 (the value the SVT team used; 1024-bit RSA is below current minimums, so use 2048 or larger anywhere other than a throwaway test)
   Common Name       The fully qualified host name of the IBM HTTP server, for example qdsvt06p.cn.ibm.com. Clients compare this with the host name in the URL, so it must match exactly.
   Organization      The organization name, such as Acme Corporation.
   Country           The country, such as US.
   Validity Period   365 days


A new self-signed certificate is created and added to the ihscert.kdb file. From the menu, select Key Database File - Exit.

Configuring the IBM HTTP server to use a certificate

To configure the IBM HTTP server to use a certificate, proceed as follows:
1. Navigate to IHS_root\conf, make a backup copy of the IBM HTTP server configuration file (httpd.conf), and open the original with a text editor.
2. Add the following lines to the end of httpd.conf. They load the WebSphere plug-in and the IBM SSL module, open port 443, and enable SSL only inside the port-443 virtual host (SSLDisable at global scope keeps port 80 in the clear):

LoadModule was_ap20_module "C:\IBM\HTTPServer\Plugins\bin\mod_was_ap20_http.dll"
WebSpherePluginConfig "C:\IBM\HTTPServer\Plugins\config\webserver1\plugin-cfg.xml"

LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
<IfModule mod_ibm_ssl.c>
Listen 0.0.0.0:443
<VirtualHost *:443>
ServerName qdsvt06p.cn.ibm.com
DocumentRoot "C:\IBM\HTTPServer\htdocs"
SSLEnable
</VirtualHost>
</IfModule>
SSLDisable
Keyfile "C:\IBM\HTTPServer\ssl\keys\ihscert.kdb"
SSLStashFile "C:\IBM\HTTPServer\ssl\keys\ihscert.sth"
ErrorLog "C:\IBM\HTTPServer\logs\sslerror.log"
TransferLog "C:\IBM\HTTPServer\logs\sslaccess.log"

...where the ServerName value is the fully qualified DNS name of the HTTP server (the same name you entered as the certificate's Common Name), and Keyfile and SSLStashFile point at the key database and stash file created in "Creating the IBM HTTP server keys". The listing as originally posted pointed Keyfile at the WebSphere plug-in's plugin-key.kdb under C:\IBM\IHS; that is a different key database, does not hold the self-signed certificate created above, and mixed two IHS root directories, so use the .kdb and .sth you actually created, under the one directory that is the IHS root on your machine. The <IfModule> and <VirtualHost> containers must be closed as shown or the server will not start. Note: you need to manually create the files named sslerror.log and sslaccess.log under the IHS_HOME/logs/ directory.
3. Save and close the file, and restart the HTTP server.
4. Verify that SSL is working correctly with the IBM HTTP server, by going to https://qdsvt06p.cn.ibm.com
(See attached file: httpd.conf)
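As an added example (not from the article or from IBM), here is a small Python checker for the SSL directives above. It parses the <IfModule> and <VirtualHost> containers and flags the mistakes that are easy to make when pasting this fragment: SSLEnable at global scope (which would also turn port 80 into SSL), no Listen for 443, a missing Keyfile, a Keyfile and SSLStashFile that belong to different key databases (the plugin-key.kdb versus ihscert.kdb mix-up), a virtual host without a ServerName, and SSLv2/SSLv3 left enabled. The two configurations inside it are constructed for the example; the directive names are real IHS ones, the Windows paths are the ones used above, and the checker understands only these directives, not the whole of httpd.conf.

```python
"""Lint the SSL directives added to an IBM HTTP Server httpd.conf.

Added example, not code from the original article or from IBM. It knows only
the directives the article uses; the two sample configurations are constructed.
"""
import re
from typing import List, Tuple

Directive = Tuple[str, str, List[str]]  # (innermost container, name, args)
_TOKEN = re.compile(r'"[^"]*"|\S+')      # keep quoted Windows paths together


def parse(conf: str) -> List[Directive]:
    """Flatten httpd.conf into (scope, name, args) triples.

    scope is "" at top level or the innermost open container, for example
    "VirtualHost *:443". Unbalanced containers raise ValueError, which is
    also the case IHS refuses to start on.
    """
    stack: List[str] = []
    out: List[Directive] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            name = line[2:-1].strip()
            if not stack or stack[-1].split()[0] != name:
                raise ValueError(f"unexpected </{name}>")
            stack.pop()
        elif line.startswith("<"):
            stack.append(line[1:-1].strip())
        else:
            toks = [t.strip('"') for t in _TOKEN.findall(line)]
            out.append((stack[-1] if stack else "", toks[0], toks[1:]))
    if stack:
        raise ValueError(f"unclosed <{stack[-1]}>")
    return out


def _stem(path: str) -> str:
    """'C:\\x\\ihscert.kdb' -> 'ihscert', so a .kdb and .sth can be paired."""
    return re.split(r"[\\/]", path)[-1].rsplit(".", 1)[0].lower()


def lint(conf: str) -> List[str]:
    """Return findings for the SSL setup; an empty list means all checks pass."""
    d = parse(conf)
    findings: List[str] = []

    if not any(n == "LoadModule" and a[:1] == ["ibm_ssl_module"] for _, n, a in d):
        findings.append("mod_ibm_ssl is not loaded (LoadModule ibm_ssl_module ...)")
    if not any(n == "Listen" and a and a[0].rsplit(":", 1)[-1] == "443" for _, n, a in d):
        findings.append("no Listen directive for port 443")

    ssl_scopes = [s for s, n, _ in d if n == "SSLEnable"]
    if not ssl_scopes:
        findings.append("SSLEnable never appears, so nothing is served over SSL")
    for s in ssl_scopes:
        if not s.startswith("VirtualHost"):
            findings.append("SSLEnable at global scope turns SSL on for every Listen port; "
                            "keep it inside <VirtualHost *:443>")
        elif not any(n == "ServerName" for sc, n, _ in d if sc == s):
            findings.append(f"<{s}> has no ServerName to match against the certificate CN")

    keyfiles = [a[0] for _, n, a in d if n == "Keyfile" and a]
    stashes = [a[0] for _, n, a in d if n == "SSLStashFile" and a]
    if ssl_scopes and not keyfiles:
        findings.append("Keyfile is missing; SSLEnable needs the .kdb holding the certificate")
    for kdb, sth in zip(keyfiles, stashes):
        if _stem(kdb) != _stem(sth):
            findings.append(f"Keyfile {kdb} and SSLStashFile {sth} are not the same key database")

    disabled = {p for _, n, a in d if n == "SSLProtocolDisable" for p in a}
    if ssl_scopes and not {"SSLv2", "SSLv3"} <= disabled:
        findings.append("add 'SSLProtocolDisable SSLv2 SSLv3'; both protocols are broken")
    return findings


# Constructed: the fragment with Keyfile pointing at the WebSphere plug-in key
# database while the stash file belongs to ihscert.kdb.
MIXED_UP_CONF = r"""
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
<IfModule mod_ibm_ssl.c>
Listen 0.0.0.0:443
<VirtualHost *:443>
ServerName qdsvt06p.cn.ibm.com
DocumentRoot "C:\IBM\HTTPServer\htdocs"
SSLEnable
</VirtualHost>
</IfModule>
SSLDisable
Keyfile "C:\IBM\IHS\Plugins\config\webserver1\plugin-key.kdb"
SSLStashFile "C:\IBM\HTTPServer\ssl\keys\ihscert.sth"
"""

# Constructed: the same fragment using the key database created in the
# procedure above, with SSLv2 and SSLv3 switched off.
HARDENED_CONF = r"""
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
<IfModule mod_ibm_ssl.c>
Listen 0.0.0.0:443
<VirtualHost *:443>
ServerName qdsvt06p.cn.ibm.com
DocumentRoot "C:\IBM\HTTPServer\htdocs"
SSLEnable
SSLProtocolDisable SSLv2 SSLv3
</VirtualHost>
</IfModule>
SSLDisable
Keyfile "C:\IBM\HTTPServer\ssl\keys\ihscert.kdb"
SSLStashFile "C:\IBM\HTTPServer\ssl\keys\ihscert.sth"
"""

if __name__ == "__main__":
    for name, conf in (("mixed-up", MIXED_UP_CONF), ("hardened", HARDENED_CONF)):
        print(name, lint(conf) or "OK")
```

Run it against your own httpd.conf by passing the file contents to lint(); an unclosed container raises rather than returning findings, because IHS would not start on it either.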

CONFIGURING HTTP SERVER WITH CONNECTIONS CERTIFICATES
Once all of these steps are complete, the HTTP Server accepts SSL connections. The next step is adding the signed certificates from Connections to the .kdb file. This is explained in the Information Center under "Configuring the IBM HTTP Server for SSL".

There are sometimes problems with that procedure, as noted in the Information Center; in any case it can be done another way:
  • Extract the personal certificate of the WebSphere Application Server node on which the Lotus Connections features are deployed.
a. Open the Integrated Solutions Console of the WebSphere Application Server and click Security > SSL certificate and key management.
b. Click Key stores and certificates, and then click NodeDefaultKeyStore.
Note: In a network deployment, click CellDefaultKeyStore.
c. Click Personal certificates, and then select the check box beside the default certificate.
d. Click Extract and then type a fully qualified name (on the WebSphere Application Server's file system) in the Certificate file name field.
e. Click OK to extract the file.
Note: If you do not specify a directory path, the certificate is stored in the WAS_HOME\profiles\profile_name\etc path of the WebSphere Application Server. Extract writes only the public certificate, not the private key (that is what Export does), so the extracted file is safe to copy between machines.

Make sure to extract these file(s) to a folder accessible to the HTTP Server's IKEYMAN utility, or else copy them to a location which is.

Open the .kdb file created earlier in the IKEYMAN utility and, under Signer Certificates, add the certificates that were extracted from the WAS console, so that the HTTP server trusts the WebSphere node's certificate when it connects to it over SSL.

Do this for all of the certificates extracted and restart the HTTP server. You will now be able to use https with Connections, which is required in order to log in to Connections.
Test this: https://qdsvt06p.cn.ibm.com/activities


LDAP SSL (from the Information Center: http://publib.boulder.ibm.com/infocenter/ltscnnct/v2r0/topic/com.ibm.connections.25.help/t_inst_federated_repositories.html)

1. Optional: If you are using SSL for LDAP, add a signer certificate to your trust store by completing the following steps:
a. From the WebSphere Application Server Integrated Solutions Console, select Security > SSL Certificate and key management > Key Stores and certificates > CellDefaultTrustStore > Signer Certificate > Retrieve from port.
b. Type the DNS name of the LDAP directory in the Host Name field.
c. Type the secure LDAP port in the Port field (typically 636).
d. Type an alias name, such as LDAPSSLCertificate, in the Alias field.
e. Click Retrieve signer information, review the certificate that is displayed (issuer, subject, fingerprint), and then click Apply.
Caveat: Retrieve from port trusts whatever certificate the remote end presents at that moment. Before you click Apply, compare the displayed fingerprint with the one the LDAP administrator gives you out of band; otherwise an attacker on the path between the two servers could get its own certificate installed as a trusted signer.

2. Optional: Verify that users in the LDAP directory have been successfully added to the repository:
a. From the WebSphere Application Server Integrated Solutions Console, select Users and Groups > Manage Users.
b. In the Search for field, enter a user name that you know to be in the LDAP directory and click Search. If the search succeeds, you have partial verification that the repository is configured correctly. However, this check does not confirm the groups a user belongs to.
SSL setup for the Quickr Servers
Using a Notes client, open the certsrv.nsf application on the Quickr node 1 server and select the third option, Install Trusted Root Certificate into Key Ring:
  1. Fill in the key file details for the Quickr node 1 SSL key ring, in this instance AIX5SSL.kyr.
  2. Fill in the Certificate Label, qrdsvt05.cn.ibm.com, and select Certificate Source: Clipboard.
  3. Right-click the proxy server's self-signed certificate created in the section above (ProxyCert) and open it with WordPad. This must be the public certificate file, never the private key.
  4. Select all and paste it into the Certificate from Clipboard section below.
  5. Click Merge Trusted Root Certificate into Key Ring.
  6. When asked for the password of the key ring file, type the password.

Merging a certificate as a trusted root means this Domino server will accept any certificate signed by that key, so merge only the certificate of the server you intend to trust, and check that what you paste is exactly one certificate.

Repeat these steps for the second Quickr node in the Quickr cluster: open certsrv.nsf on the Quickr node 2 server and merge the same certificate into its key ring, in this instance AIX6SSL.kyr.
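The clipboard step above is where a certificate that has been through WordPad and the clipboard most often goes wrong: CRLF line ends and trailing blanks, a missing END line, two certificates copied together, or the private key file opened by mistake. As an added example (not from the article or from IBM), here is a Python normaliser that accepts a clipboard buffer, returns the single certificate in canonical PEM form together with the SHA-256 fingerprint of its DER encoding, and refuses anything else; the fingerprint is also what you would compare against the value shown by the issuing side, or by the WAS console in the Retrieve from port step. The sample input is constructed: the base64 payload is a DER SEQUENCE header over filler bytes standing in for a real certificate, so only the framing and decoding logic is exercised.

```python
"""Check what is about to be pasted into Domino's "Certificate from Clipboard".

Added example, not from the original article. FAKE_DER is constructed filler,
not a real certificate; it only has to look like a DER SEQUENCE.
"""
import base64
import binascii
import hashlib
import re
from typing import Tuple

_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END ([A-Z ]+)-----", re.S)


def fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 of the DER bytes, as key tools show it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def normalise_clipboard(text: str) -> Tuple[str, str]:
    """Return (canonical PEM, fingerprint) for exactly one CERTIFICATE block.

    Raises ValueError for a truncated paste, more than one block, a block that
    is not a certificate (for example a private key), or a body that does not
    decode to DER.
    """
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    blocks = _BLOCK.findall(text)
    if "-----BEGIN" in text and not blocks:
        raise ValueError("BEGIN line without matching END line: the paste is truncated")
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one PEM block, found {len(blocks)}")
    begin, body, end = blocks[0]
    if begin != end:
        raise ValueError(f"BEGIN {begin} does not match END {end}")
    if begin != "CERTIFICATE":
        raise ValueError(f"refusing to merge a {begin} block as a trusted root")
    b64 = "".join(body.split())  # drop CRLF, tabs and trailing blanks
    if not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", b64):
        raise ValueError("non-base64 characters in body (smart quotes or a Word paste?)")
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"base64 does not decode: {exc}") from None
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE, so it is not a certificate")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    pem = "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"
    return pem, fingerprint(der)


def describe(text: str) -> str:
    """One-line verdict for a clipboard buffer: the fingerprint, or why it was refused."""
    try:
        _, fp = normalise_clipboard(text)
        return "OK " + fp
    except ValueError as exc:
        return "REJECTED: " + str(exc)


# Constructed stand-in for a certificate: SEQUENCE header (length 0x0104 = 260)
# followed by 260 filler bytes.
FAKE_DER = b"\x30\x82\x01\x04" + bytes(range(256)) + b"\x00\x00\x00\x00"
_B64 = base64.b64encode(FAKE_DER).decode()
# What a WordPad copy typically looks like: CRLF, trailing blanks, odd wrapping.
WORDPAD_PASTE = ("-----BEGIN CERTIFICATE-----\r\n"
                 + "\r\n".join(_B64[i:i + 60] + "  " for i in range(0, len(_B64), 60))
                 + "\r\n-----END CERTIFICATE-----\r\n")

if __name__ == "__main__":
    print(describe(WORDPAD_PASTE))
    print(describe(WORDPAD_PASTE + WORDPAD_PASTE))
    print(describe(WORDPAD_PASTE.replace("CERTIFICATE", "RSA PRIVATE KEY")))
```

Write the returned PEM to a file and paste that rather than the WordPad buffer; the fingerprint printed is the value to record for the change ticket and to compare with what the proxy's key database shows for ProxyCert.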


Exporting the LTPA keys from Connections and importing them into the Quickr Web SSO configuration

Connections Server
Export the LTPA keys from the Connections server once SSL has been set up, from the WebSphere administrative console:
  • Log into the WebSphere Application Server Integrated Solutions Console as an administrator, expand Security, and then click Secure administration, applications, and infrastructure.
  • Click Authentication mechanisms and expiration, and then in the Cross-cell single sign-on section, provide values for the following fields:
Password: type a secure password that you will remember. You will need to provide this password later, when you import the keys into the Domino Web SSO configuration.
Confirm the password.
Fully qualified key file name: specify a valid path and a file name for the file that will hold the exported keys. This file is encrypted using the password specified above.
  • Click Export keys.
Locate the key file at the path specified above and copy it to the Quickr server. The file holds the LTPA signing and encryption keys for the whole SSO domain, protected only by the export password: anyone who obtains both can mint a valid LtpaToken for any user on every participating server. Copy it over a secure channel and delete the working copies once the import is done.

Quickr Server
The LTPA key file is now on the Quickr server and must be imported into the Web SSO configuration of Quickr, so that Connections and Quickr share SSO.
Open the Domino Administrator client on the Quickr server and select the Configuration tab.
Expand the Web twistie and open Web Server Configurations. The Domino servers are listed; to see the Web SSO configuration, scroll to the top with the right-hand scroll bar.
Open the Web SSO Configuration and select the Web SSO Configuration for LtpaToken.
Click Edit the SSO Configuration, select Keys from the top menu and click Import WebSphere LTPA Keys.
Enter the path to the LTPA key file.
Type the LTPA password when prompted.

Click Save and Close.
Once the WebSphere LTPA keys are imported into the Web SSO configuration on Domino, the WebSphere Information section of the document is populated.



Reference information: configure SSO between Quickr Domino (QD) and Lotus Connections (LC) for Profile integration

Step 1. Export the SSO (LTPA) keys from your Connections server

Get the LTPA keys from your Connections server; you must use the same LTPA keys on the Quickr server.
Steps for getting the LTPA keys from a WAS server:
  1. Access the administrative console by typing http://localhost:9090/admin in a Web browser.
  2. Click Security > Authentication mechanisms > LTPA in the navigation panel on the left.
  3. In the Key File Name field, enter the full path of a file for key storage. This file needs write permissions.
  4. Click Export Keys. A file is created with the LTPA keys.
Note: Exporting keys fails if a new set of keys is generated or imported and not saved prior to exporting. To avoid failure, make sure that you save the new set of keys (if any) prior to exporting them.
Step 2. Copy this SSO key file and import it into the Domino Quickr server

1. Start the Lotus Domino Administrator client.
2. Point the Admin client at the qdsvtAIX5/ibm server.
3. Log in as the Notes administrator (in the SVT environment: Administrator/notes, password passw0rd).
4. In the client click File > Database > New.
5. Under the section "Specify New Database Name and Location", in the Server field choose qdsvtAIX5/ibm.
6. Under the section "Specify Template for New Database", in the Server field choose qdsvtAIX5/ibm. Check "Show Advanced Templates" and choose the template "Domino Web Server Configuration (R6)" (you will see the file name domcfg5.ntf).
7. Go to the File name line under "Specify New Database Name and Location" and enter domcfg.nsf. For the title enter: R8 Dom config.
8. Click OK to save the database to server qdsvtAIX5/ibm.
9. Now set up this domcfg.nsf, which opens in your view:
Click the Add Mapping icon at the top of the view to create a document.
Under the section Form Mapping, in the field Target Database enter: LotusQuickr/resources.nsf
In the field Target Form enter: QuickPlaceLoginForm
Save the document and close the database.
10. Select the Configuration > Server > All Server Documents view.
Create a Web SSO document under the Web > Web Configurations view:
Click Web > Create SSO Configuration.
In the field Domino Server Names, add the Domino name of each server that will share the LTPA token. Be sure to add all the Quickr servers to this field.
In the Token Domain field, enter the Internet domain suffix used by the servers, for example: cn.ibm.com. The browser will send the LtpaToken cookie to every host under this domain, so keep it as narrow as the participating servers allow.
Import the WebSphere LTPA SSO keys from the Keys drop-down menu.
11. In the Admin client, on the Files tab, open names.nsf on qdsvtAIX5/ibm.
Click the Configuration twistie, then the Servers twistie, then All Server Documents.
With qdsvtAIX5/ibm selected, click Edit Server.
In the server document click the Internet Protocols tab, then the Domino Web Engine tab.
In the HTTP Sessions section, in the Session authentication field, select Multiple Servers (SSO).
Under the Memory Caches section, change the Cached user expiration interval to 10 seconds (default is 120 seconds). NOTE: this is for automation to work correctly.
12. Restart the server.
Do these steps on both Quickr Domino nodes in the cluster, so repeat steps 1-12 for qdsvtAIX6/ibm.
Step 3. Update the profile_server stanza in qpconfig.xml, then restart the server.

Enable Activities to be published to the Quickr server: follow the Connections wiki link
http://www-10.lotus.com/ldd/lcwiki.nsf/dx/S1_Enabling_the_Activities_publish_feature
and allow-list the servers Connections can publish to.

Integrate Connections with Quickr via the ND server, which in this case is the load balancer. The SVT hosts:
  • Quickr nodes: qdsvtaix5.cn.ibm.com, qdsvtaix6.cn.ibm.com
  • ND (load balancer): clusternd3.cn.ibm.com
  • Proxy Server: qrdsvt05.cn.ibm.com
  • Connections: qdsvt06p.cn.ibm.com

Log into the Connections administrative console and add the Quickr nodes, the load balancer/ND server and the proxy server name to the white list:
https://qdsvt06p.cn.ibm.com:9043/ibm/console/logon.jsp

This Information Center topic describes adding Quickr server names to the QuickrWhitelistProvider:
http://publib.boulder.ibm.com/infocenter/ltscnnct/v2r0/index.jsp?topic=/com.ibm.connections.25.help/t_admin_act_define_quickr_servers.html
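The white list above is an allow list of servers that Connections may publish Activities content to, and the value of such a list depends entirely on how a candidate target is matched against it. As an added example (not the QuickrWhitelistProvider code, which the article only links to), the Python below shows the rule that makes the list hold: parse the URL, require https, and compare the host name exactly, so that a host like qdsvtaix5.cn.ibm.com.attacker.example, a URL with the trusted name in the userinfo part, or the name appearing only in the query string is refused. The naive "contains" check is kept beside it only to show what it accepts. The allowed host names are the SVT ones listed above; the attacker hosts are constructed.

```python
"""Host allow-list matching for the servers Connections may publish to.

Added example; not the QuickrWhitelistProvider implementation. Allowed hosts
are the SVT servers named in the article; the hostile URLs are constructed.
"""
from typing import Iterable, Tuple
from urllib.parse import urlsplit

# Servers Connections is allowed to publish Activities content to.
PUBLISH_TARGETS = frozenset({
    "qdsvtaix5.cn.ibm.com", "qdsvtaix6.cn.ibm.com",  # Quickr cluster nodes
    "clusternd3.cn.ibm.com",                          # ND / load balancer
    "qrdsvt05.cn.ibm.com",                            # proxy server
})


def check_target(url: str, allowed: Iterable[str] = PUBLISH_TARGETS) -> Tuple[bool, str]:
    """Return (allowed, reason).

    Only the scheme and the exact host are considered: the path and query
    say nothing about which server the request will actually reach.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, f"scheme '{parts.scheme}' is not https"
    # urlsplit discards userinfo and port, so "https://good.host@evil.host/"
    # yields hostname evil.host, which is the host a client would contact.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "URL has no host"
    if host in {h.lower().rstrip(".") for h in allowed}:
        return True, f"{host} is on the allow list"
    return False, f"{host} is not on the allow list"


def substring_check(url: str, allowed: Iterable[str] = PUBLISH_TARGETS) -> bool:
    """The pitfall: a 'contains' test on the raw URL. Shown only to make the
    bypasses visible; do not use it."""
    return any(h in url.lower() for h in allowed)


if __name__ == "__main__":
    # Constructed candidates: one legitimate target and three hostile lookalikes.
    for candidate in (
        "https://qdsvtaix5.cn.ibm.com/LotusQuickr/teamspace/main.nsf",
        "http://qdsvtaix5.cn.ibm.com/LotusQuickr/teamspace/main.nsf",
        "https://qdsvtaix5.cn.ibm.com.attacker.example/",
        "https://qdsvtaix5.cn.ibm.com@attacker.example/",
        "https://attacker.example/?next=qdsvtaix5.cn.ibm.com",
    ):
        ok, why = check_target(candidate)
        print(f"{'ALLOW' if ok else 'DENY ':5} {why:45} substring_check={substring_check(candidate)}")
```

The same exact-host rule applies to any later entries (a second proxy, a new cluster node): add the host name, not a pattern, and keep http out of the list even for test environments, since the publish request carries the LTPA cookie.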


Communities Integration with Quickr
http://publib.boulder.ibm.com/infocenter/ltscnnct/v2r0/index.jsp?topic=/com.ibm.connections.25.help/c_admin_communities_quickr_integration.html


Versions (7)
  • Version 7 (this version): Nov 22, 2010 7:18:45 AM, Sonya Purcell (IBM contributor)
  • Version 5: Nov 22, 2010 7:08:53 AM, Sonya Purcell (IBM contributor)
  • Version 4: Nov 19, 2010 10:07:14 AM, Sonya Purcell (IBM contributor)
  • Version 3: Nov 19, 2010 9:08:18 AM, Sonya Purcell (IBM contributor)
  • Version 2: Nov 19, 2010 6:48:52 AM, Niall Ward (IBM contributor)
  • Version 1: Nov 18, 2010 11:39:59 AM, Sonya Purcell (IBM contributor)
  • Version 0: Nov 18, 2010 11:48:55 AM, Sonya Purcell (IBM contributor)