This section provides links to explanations of how to use external security managers such as IBM® Tivoli® Access Manager for e-business to perform authentication and authorization for IBM Lotus® Quickr™ for WebSphere Portal. You can use an external security manager for authentication only or for both authentication and authorization. Using an external security manager to perform only authorization is not supported at this time.
External authentication
By default, Lotus Quickr relies on WebSphere® Application Server for authentication. You can also configure a third-party authentication proxy server, such as IBM Tivoli Access Manager for e-business WebSEAL, to perform authentication for Lotus Quickr. WebSphere Application Server typically uses a Trust Association Interceptor (TAI) to trust the external authentication proxy.
External authorization
When resources are created, their access control is administered internally by Lotus Quickr. Alternatively, you can configure an external security manager to control access to resources. Currently, Lotus Quickr supports IBM Tivoli Access Manager for e-business and Computer Associates eTrust SiteMinder as external security managers.
Password masking in External Security Manager property files
WebSphere Application Server has an encoding mechanism to mask the passwords and remove all comments from the production versions of properties files.
Using Tivoli Access Manager with Lotus Quickr
IBM Lotus Quickr for WebSphere Portal supports the use of IBM Tivoli Access Manager for e-business. Existing Tivoli Access Manager users can leverage the commonly used Tivoli Access Manager services to assist them in their deployment.
Using eTrust SiteMinder with Lotus Quickr
This section provides information for configuring Computer Associates eTrust SiteMinder for use with IBM Lotus Quickr for WebSphere Portal. You can use eTrust SiteMinder to perform authentication or to perform both authentication and authorization for Lotus Quickr. Using eTrust SiteMinder to perform only authorization is not supported at this time.
Using SPNEGO
Use the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) and the Kerberos authentication protocol to enable IBM Lotus Quickr and client Web browsers to prove their identities to one another in a secure manner. This configuration enables users to sign on to the Windows® desktop and then be automatically signed in to Lotus Quickr features without having to authenticate.
Changing the login and logout pages
By default, when unauthenticated users attempt to access the myquickr page, they get redirected to the login screen to provide a user name and password. When using a WebSEAL or Computer Associates eTrust SiteMinder TAI for authentication, you no longer need to use the Lotus Quickr login screen. Instead, the login icon should point to the myquickr
Managing access control with external security managers
Previous versions of Lotus Quickr worked with external security managers by externalizing resources and using ACLs to control permissions. Because Lotus Quickr Version 6.0 uses role-based access control, the externalization process has changed.
Using external security managers in a cluster
If you are configuring security for IBM Lotus Quickr for WebSphere Portal with an external security manager, review the additional considerations described in this section, depending on the external security manager that you are using. Perform any configuration for an external security manager after you have completed all other setup, including ensuring that the Lotus Quickr cluster is functional.