Configuring eTrust SiteMinder to perform authorization for Lotus Quickr
Added by IBM | Edited by Charlie Price on February 21, 2011 | Version 2
You can configure Computer Associates eTrust SiteMinder to perform authorization independently from configuring it to perform authentication. However, if you use eTrust SiteMinder to perform authorization for Lotus® Quickr™, you should also use it to perform authentication for Lotus Quickr. Using eTrust SiteMinder to perform only authorization is not supported at this time.
Complete the following steps to configure eTrust SiteMinder to perform authorization for IBM® Lotus Quickr for WebSphere Portal:
- Install and configure Lotus Quickr, the database software, and the LDAP directory.
- Install eTrust SiteMinder's Policy Server feature.
- You must install the eTrust SiteMinder Software Development Kit on the same machine as Lotus Quickr. Refer to the eTrust SiteMinder documentation for more information.
- Install the eTrust SiteMinder Trust Association Interceptor (TAI), following the instructions in the eTrust SiteMinder documentation.
- Ensure that the eTrust SiteMinder Software Development Kit file smjavasdk2.jar is in the eTrust SiteMinder lib directory. If the jar file is missing, the SDK will not install and the configuration task will not complete; in that case, copy smjavasdk2.jar into the directory. The default eTrust SiteMinder library directory is C:\WebSphere\AppServer\lib.
- Create and specify the following eTrust SiteMinder Domain objects. Refer to the eTrust SiteMinder Policy Design documentation for information about how to create these objects.
  - User Directory: the LDAP server and suffix
  - Authentication Scheme: to associate with the eTrust SiteMinder realms that eTrust SiteMinder creates
  Note: An eTrust SiteMinder realm is different from an LDAP realm or a basic authentication realm. Within the eTrust SiteMinder administration console, a realm is an administrative object representing a protected URL root, for example lotus/myquickr. eTrust SiteMinder realms, in combination with eTrust SiteMinder policies, determine which users and groups are allowed to navigate to the protected URL root and its child URLs.
  - Agent: an eTrust SiteMinder WebAgent that is configured to support 4.x agents, or a custom eTrust SiteMinder agent. The agent must have a static shared secret to allow communication with the eTrust SiteMinder Policy Server. See the next step for instructions on creating a custom eTrust SiteMinder agent. NOTE: When setting up the WebAgent, follow the configuration documented in the following technote: http://www-01.ibm.com/support/docview.wss?uid=swg21305703
- Optional: In eTrust SiteMinder version 5.5 and higher, the configuration for eTrust SiteMinder Web Agents, including shared secrets, is centrally administered and can be dynamic. You may create a new custom agent to ensure a static shared secret. Follow these steps to create a custom agent in eTrust SiteMinder:
  - Open the eTrust SiteMinder Administration console.
  - Select Agent Types from the View -> Agent Types menu.
  - Right-click Agent Types, and select Create Agent Type from the pop-up menu.
  - Enter a Name and an Action for the new agent type. Other fields are optional.
  - Click OK.
  - Select Agents from the View -> Agents menu.
  - Right-click Agent, and select Create Agent to create an agent object of the new agent type.
  - Note the name, action, and shared secret for this agent. You will use these values in a later step.
- Optional: Ensure that users are no longer created through Lotus Quickr. If you use eTrust SiteMinder, you probably have a user provisioning process for creating and updating users and groups and administering group membership. You will probably want to continue using that user provisioning process instead of managing your directory through Lotus Quickr. Lotus Quickr creates entries in the directory in two ways:
  - Administrators can create entries with the Manage Users and Groups portlet
  - Users can create entries with the self-registration screen
  In Lotus Quickr, the ability to create new users through the Manage Users and Groups portlet is governed by Lotus Quickr access control.
- Locate the wp_profile_root/ConfigEngine/properties/wkplc.properties file on the Lotus Quickr machine and create a backup copy before changing any values.
- Use a text editor to open the wp_profile_root/ConfigEngine/properties/wkplc.properties file and enter the values appropriate for your environment.
- Edit the following values in the Advanced Security Configuration section of the wkplc.properties file:
  Password considerations: For security reasons, you should not store passwords in the wkplc.properties file. It is recommended that you edit wkplc.properties immediately before running a configuration task, inserting only the passwords needed for that task, and delete all passwords from the file after the task has run. For more information, see Deleting passwords.
  - Do not change any settings other than those specified in these steps. For instructions on working with these files, see Configuration properties reference for a complete properties reference, including default values.
  - Use / instead of \ for all platforms.
  - Some values might need to be modified to your specific environment.
  Alternatively, you can specify the password on the command line using the following syntax, where profile_root is the name of the WebSphere® Application Server profile where Lotus Quickr is installed; for example, wp_profile:
  - UNIX®: ./ConfigEngine.sh task_name -Dpassword_property_key=password_value
  - Windows®: ConfigEngine.bat task_name -Dpassword_property_key=password_value
  As with other properties, each password property must have the -D prefix and be set equal to (=) a value. If you have multiple properties in a single command, use a space character between each -Dproperty=value setting.
  Table 1. wkplc.properties file
  | Property | Description |
  |---|---|
  | EACserverName | (Optional) Namespace context information to further distinguish externalized role names from other role names in the IBM Tivoli® Access Manager for e-business namespace. Note: If set, EACcellName and EACappName must also be set. |
  | reorderRoles | Controls whether externalized role names are displayed with the resource type first or the role type first. |
  | EACcellName | (Optional) Namespace context information to further distinguish externalized role names from other role names in the Tivoli Access Manager namespace. Note: If set, EACserverName and EACappName must also be set. |
  | EACappName | (Optional) Namespace context information to further distinguish externalized role names from other role names in the Tivoli Access Manager namespace. Note: If set, EACcellName and EACserverName must also be set. |
  | SMDomain | eTrust SiteMinder Domain containing all externalized resources. |
  | SMScheme | eTrust SiteMinder Authentication Scheme object name to use when creating realms. |
  | SMAgent | The agent name that is created on eTrust SiteMinder for a specific external security manager instance. This agent must support eTrust SiteMinder custom or 4.x Web agents. |
  | SMAgentPw | Password for the eTrust SiteMinder custom or 4.x Web agent (SMAgent). |
  | SMAdminId | The administrative user ID used to access the eTrust SiteMinder policy server. |
  | SMAdminPw | Password for the eTrust SiteMinder administrative user (SMAdminId). |
  | SMUserDir | eTrust SiteMinder User Directory object referencing the LDAP server used for users and groups. |
  | SMFailover | Failover mode of the eTrust SiteMinder Policy Server. Note: Must be set to true if more than one policy server is listed in the SMServers property. |
  | SMServers | Comma-delimited list of policy servers for the eTrust SiteMinder agent. Note: If multiple servers are specified in the SMServers value, the SMFailover value must be set to true; in WP External Access Control Service, you can specify the following values for each server as described in Setting configuration properties. |
- Save the wkplc.properties file.
- Open a command prompt and change to the /bin directory in the path for your operating system, as detailed in this file.
- Enter the commands to first start the WebSphere Application Server server and then stop the Lotus Quickr server. Refer to this file for the details.
- Change to the wp_profile_root/ConfigEngine directory.
- Enter the following command to run the configuration task for your operating system, where profile_root is the name of the WebSphere Application Server profile where Lotus Quickr is installed; for example, wp_profile:
  - UNIX: ./ConfigEngine.sh enable-sm-authorization -DSmAgentPw=password -DSmAdminPw=password
  - Windows: ConfigEngine.bat enable-sm-authorization -DSmAgentPw=password -DSmAdminPw=password
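The following script is an added example and is not part of the IBM documentation or of the Lotus Quickr or eTrust SiteMinder products. It shows the checks a practitioner would run around the enable-sm-authorization task: that smjavasdk2.jar is present in the library directory (the earlier install step), that the SM* properties from Table 1 are consistent (in particular that SMFailover is true whenever SMServers lists more than one policy server), and that the SMAgentPw and SMAdminPw values are empty again after the task has run, as the password considerations above require. The directory paths, the sample properties file and the function names (prop_get, check_sdk_jar, check_sm_properties, check_no_stored_passwords, scrub_passwords) are assumptions constructed for the example; property keys are spelled as in Table 1.

```shell
#!/bin/sh
# Added example (not IBM's or CA's code). All paths, values and function
# names are constructed placeholders; point them at a real profile and
# WebSphere lib directory before use.

# Read one key from a Java-style properties file (first match wins, empty if absent).
prop_get() {
    # $1 = properties file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Install-step check: smjavasdk2.jar must be in the library directory, otherwise
# the SDK does not install and the configuration task does not complete.
check_sdk_jar() {
    # $1 = library directory (the text's Windows default is C:/WebSphere/AppServer/lib)
    if [ -f "$1/smjavasdk2.jar" ]; then
        echo "ok: smjavasdk2.jar found in $1"
        return 0
    fi
    echo "FAIL: smjavasdk2.jar missing from $1 (copy it from the eTrust SiteMinder SDK)"
    return 1
}

# Table 1 consistency: the required SM* keys must be set, and SMFailover must be
# true when SMServers names more than one policy server.
check_sm_properties() {
    # $1 = wkplc.properties
    rc=0
    for key in SMDomain SMScheme SMAgent SMAdminId SMUserDir SMServers; do
        if [ -z "$(prop_get "$1" "$key")" ]; then
            echo "FAIL: $key is not set"
            rc=1
        fi
    done
    servers=$(prop_get "$1" SMServers)
    # number of comma-delimited entries = number of commas + 1
    nservers=$(( $(printf '%s' "$servers" | tr -cd ',' | wc -c) + 1 ))
    failover=$(prop_get "$1" SMFailover)
    if [ "$nservers" -gt 1 ] && [ "$failover" != "true" ]; then
        echo "FAIL: SMServers lists $nservers servers but SMFailover is '$failover' (must be true)"
        rc=1
    fi
    return $rc
}

# Password hygiene: after the task has run, no password may remain in the file.
check_no_stored_passwords() {
    # $1 = wkplc.properties
    rc=0
    for key in SMAgentPw SMAdminPw; do
        if [ -n "$(prop_get "$1" "$key")" ]; then
            echo "FAIL: $key still has a value in $1"
            rc=1
        fi
    done
    return $rc
}

# Blank the password values in place; the keys stay so the file still parses.
scrub_passwords() {
    # $1 = wkplc.properties (a .bak copy is kept beside it)
    sed -i.bak -e 's/^\([[:space:]]*SMAgentPw[[:space:]]*=\).*/\1/' \
               -e 's/^\([[:space:]]*SMAdminPw[[:space:]]*=\).*/\1/' "$1"
}

# Demonstration on a constructed properties file (not a real installation).
demo_dir=$(mktemp -d)
cat > "$demo_dir/wkplc.properties" <<'EOF'
# constructed sample: Advanced Security Configuration section only
SMDomain=QuickrDomain
SMScheme=QuickrScheme
SMAgent=quickr-agent
SMAgentPw=agent-secret-placeholder
SMAdminId=siteminder
SMAdminPw=admin-secret-placeholder
SMUserDir=QuickrLDAP
SMFailover=false
SMServers=policy1.example.com,policy2.example.com
EOF
# Two servers with SMFailover=false: the check reports the mismatch before the task runs.
check_sm_properties "$demo_dir/wkplc.properties" || echo "fix SMFailover before running enable-sm-authorization"
# After the task: remove the passwords and confirm none are left behind.
scrub_passwords "$demo_dir/wkplc.properties"
check_no_stored_passwords "$demo_dir/wkplc.properties" && echo "ok: no passwords left in file"
rm -rf "$demo_dir"
```

Run the property check before invoking ConfigEngine, and the password check afterwards; if you pass the passwords on the command line with -DSmAgentPw and -DSmAdminPw instead of editing the file, the scrub step is unnecessary and the password check simply confirms the file was never populated.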
  Note: If the configuration task fails, validate the values in the wkplc.properties file.
- Optional: Use the WebSphere Application Server encoding mechanism to mask the passwords in WP External Access Control Service. Refer to the detailed instructions in Password masking in External Security Manager property files for masking passwords, changing masked passwords, or running commands with explicit password properties.
- Restart Lotus Quickr to verify that the setup steps completed so far are working correctly. The restart populates the external security manager with the necessary topology items, including a representation of the Administrator@VIRTUAL/EXTERNAL ACCESS CONTROL/1 role. The eTrust SiteMinder namespace will contain several subrealms in addition to the Lotus Quickr recognized role name.
- If users other than wpsadmin are allowed to externalize resources, add those users to the realm representing the Administrator of EXTERNAL_ACCESS_CONTROL.
- Proceed to the Resource Permissions portlet on the Lotus Quickr machine.
  - Select a resource type.
  - Click the Assign Access icon for the specific resource.
  - Click the Edit Role icon for a role that you want to externalize.
  - Click Add to explicitly assign at least one user or group to your chosen role for the resource.
  - Select the specific users or user groups by clicking Search for Users or User Groups, or by using the pull-down for the Search by option, whose default is All available. Click OK.
  - An informational message box should display the message that members were successfully added to the role.
  - Optional: Explicitly assign additional roles. If you do not assign at least one user or group to each role type for the resource, you must use the external security manager interface to create that role type later. For example, if you do not assign any users or groups to the Editor role type for the resource, you must use the external security manager interface to create the Editor role type later.
  - Click the Externalize icon for the resource. These steps move every role that is defined for each resource you assigned to the eTrust SiteMinder Policy Domain. One policy is defined for each externalized role.
- Add users and groups to the eTrust SiteMinder policies corresponding to the appropriate roles.
- After configuring eTrust SiteMinder for external authorization in Lotus Quickr, any XML Configuration Interface (xmlaccess) execution may be affected. If you wish to run xmlaccess, set the isPassive custom property to true on the SiteMinderLoginModule in the WebSphere Application Server administration console: select, in order, Security -> JAAS Configuration -> Application Logins -> Portal_Login -> JAAS Login Modules -> com.ibm.wps.sso.SiteMinderLoginModule -> Custom properties, then add isPassive with the value true. This property allows requests that do not contain the eTrust SiteMinder authentication headers to log in, but without an eTrust SiteMinder credential available to Lotus Quickr, so any resources controlled by eTrust SiteMinder will not be available to those requests. Normal requests through a valid eTrust SiteMinder WebAgent will still contain the necessary credentials. If this property is not set, the SiteMinderLoginModule fails in the absence of the eTrust SiteMinder authentication headers.
Parent topic: Using eTrust SiteMinder with Lotus Quickr