This section provides information for configuring Computer Associates eTrust SiteMinder for use with IBM® Lotus® Quickr™ for WebSphere Portal. You can use eTrust SiteMinder to perform authentication or to perform both authentication and authorization for Lotus Quickr. Using eTrust SiteMinder to perform only authorization is not supported at this time.
When you are setting up security to use an external security manager in a Lotus Quickr cluster environment and across mixed nodes, there are additional considerations. For instance, it is recommended that you perform any configuration for an external security manager after you have completed all other setup tasks, including ensuring that the Lotus Quickr cluster is functional.
You can configure eTrust SiteMinder to perform authentication and authorization for Lotus Quickr in either of two ways:
- Configure both authorization and authentication together with one streamlined enable-sm-all configuration task.
- Configure authentication and authorization manually, step by step. See Related information below.
Complete the following steps to run the streamlined enable-sm-all
- Install and configure Lotus Quickr, the database software, and the LDAP directory.
- Install the Computer Associates Policy Server.
- Install the eTrust SiteMinder Software Development Kit on the same machine as Lotus Quickr. Refer to the eTrust SiteMinder documentation for more information.
- Install the eTrust SiteMinder Trust Association Interceptor (TAI), following the instructions in the eTrust SiteMinder documentation.
- Ensure that the eTrust SiteMinder Software Development Kit jar file smjavasdk2.jar is in the WebSphere® Application Server lib directory. If the jar file is not in that directory, the SDK is not correctly installed and the configuration task will not complete; copy smjavasdk2.jar into the directory. The default WebSphere Application Server library directory is the lib directory under the path where WebSphere Application Server is installed.
- Create and specify the following eTrust SiteMinder Domain objects. Refer to the eTrust SiteMinder Policy Design documentation for information about how to create these objects:
  - User Directory: the LDAP server and suffix
  - Authentication Scheme: to associate with the eTrust SiteMinder realms that Lotus Quickr creates
    Note: An eTrust SiteMinder realm is different from an LDAP realm or a basic authentication realm. Within the eTrust SiteMinder administrative console, a realm is an administrative object representing a protected URL root. An example is lotus/myquickr. eTrust SiteMinder realms in combination with eTrust SiteMinder policies determine which users and groups are allowed to navigate to the protected URL root and its child URLs.
  - Agent: an eTrust SiteMinder WebAgent that is configured to support 4.x agents, or a custom eTrust SiteMinder agent. The agent must have a static shared secret to allow communication with the eTrust SiteMinder Policy Server. See the next step for more information about creating a custom eTrust SiteMinder agent.
Now that the eTrust SiteMinder components are ready, continue preparing Lotus Quickr. Locate the wp_profile_root/ConfigEngine/properties/wkplc.properties file on the Lotus Quickr machine and create a backup copy before changing any values.
Use a text editor to open the wp_profile_root/ConfigEngine/properties/wkplc.properties file. Read the note and then follow the instructions for entering the values appropriate for your environment.
Note: In the following steps the use of eTrust SiteMinder does not apply to a z/OS® environment.
- Do not change any settings other than those specified in these steps. For instructions on working with these files, see Configuration properties reference, which contains a complete list of properties and their default values.
- Use / instead of \ for all platforms.
- Some values, shown in italics in the steps below, might need to be modified for your specific environment.
- The Namespace management parameters cover both eTrust SiteMinder and Tivoli® Access Manager.
Edit the following values in the Advanced Security Configuration section of the wkplc.properties file:
Table 1. wkplc.properties file
| Property | Description |
| --- | --- |
| EACserverName | (Optional) Namespace context information to further distinguish externalized role names from other role names in the namespace. Note: If set, EACcellName and EACappName must also be set. |
| reorderRoles | Controls whether externalized role names are displayed with the resource type first or with the role type first. |
| EACcellName | (Optional) Namespace context information to further distinguish externalized role names from other role names in the namespace. Note: If set, EACserverName and EACappName must also be set. |
| EACappName | (Optional) Namespace context information to further distinguish externalized role names from other role names in the namespace. Note: If set, EACcellName and EACserverName must also be set. |
| SMConfigFile | Location of the eTrust SiteMinder TAI WebAgent.conf file. |
| SMDomain | eTrust SiteMinder Domain containing all externalized resources. |
| SMScheme | eTrust SiteMinder Authentication Scheme object name to use when creating realms. |
| SMAgent | The agent name that is created on eTrust SiteMinder for a specific external security manager instance. This agent must support eTrust SiteMinder custom or 4.x agents. |
| SMAgentPw | Password for the eTrust SiteMinder custom or 4.x Web agent (SMAgent). |
| SMAdminId | The administrative user ID that eTrust SiteMinder will use to access the eTrust SiteMinder policy server. |
| SMAdminPw | Password for the eTrust SiteMinder administrative user (SMAdminId). |
| SMUserDir | eTrust SiteMinder User Directory object referencing the LDAP server used for users and groups. |
| SMFailover | Failover mode of the eTrust SiteMinder Policy Server. Note: Must be set to true if more than one policy server is listed in the SMServers property. |
| SMServers | Comma-delimited list of policy servers for the eTrust SiteMinder agent. |
Save the wp_profile_root/ConfigEngine/properties/wkplc.properties file.
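A pre-flight check of the wkplc.properties values described above, added here as an example and not IBM or Computer Associates code. It assumes the properties file path and the WebSphere Application Server installation root are passed as arguments, and it applies the constraints stated in the table and the notes: the SDK jar in lib, forward slashes in paths, the all-or-nothing EAC* names, and SMFailover=true when SMServers lists several policy servers.

```shell
#!/bin/sh
# Pre-flight check of the wkplc.properties values that enable-sm-all depends on.
# Added example, not IBM or CA code; the property names are those from Table 1.
# Usage: check_wkplc /path/to/wkplc.properties /path/to/WebSphere/AppServer
prop() {  # prop FILE KEY -> value of KEY (empty if unset)
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}
check_wkplc() {
  f=$1; was_root=$2; rc=0
  # The SDK jar must sit in the WAS lib directory or the task will not complete.
  [ -f "$was_root/lib/smjavasdk2.jar" ] || { echo "missing $was_root/lib/smjavasdk2.jar"; rc=1; }
  # Every SM* value the task reads must be set (passwords may be passed with -D instead).
  for k in SMConfigFile SMDomain SMScheme SMAgent SMAdminId SMUserDir SMFailover SMServers; do
    [ -n "$(prop "$f" "$k")" ] || { echo "$k is not set"; rc=1; }
  done
  # Paths must use / rather than \ on all platforms.
  case $(prop "$f" SMConfigFile) in *\\*) echo "SMConfigFile uses backslashes"; rc=1;; esac
  # EACserverName, EACcellName and EACappName are all-or-nothing.
  n=0
  for k in EACserverName EACcellName EACappName; do
    [ -z "$(prop "$f" "$k")" ] || n=$((n + 1))
  done
  [ "$n" -eq 0 ] || [ "$n" -eq 3 ] || { echo "EAC* names must all be set or all be empty"; rc=1; }
  # SMFailover must be true when SMServers lists more than one policy server.
  case $(prop "$f" SMServers) in *,*)
    [ "$(prop "$f" SMFailover)" = "true" ] || { echo "SMFailover must be true with several SMServers"; rc=1; } ;;
  esac
  return $rc
}
# Constructed sample (not from a real installation): two of the checks above fail on it.
tmp=$(mktemp -d); mkdir -p "$tmp/was/lib"; : > "$tmp/was/lib/smjavasdk2.jar"
cat > "$tmp/wkplc.properties" <<'EOF'
SMConfigFile=/opt/smtai/WebAgent.conf
SMDomain=QuickrDomain
SMScheme=QuickrScheme
SMAgent=quickr-agent
SMAdminId=siteminder
SMUserDir=QuickrLDAP
SMFailover=false
SMServers=policy1.example.com,policy2.example.com
EACserverName=WebSphere_Portal
EOF
if check_wkplc "$tmp/wkplc.properties" "$tmp/was"; then
  echo "wkplc.properties is consistent; run ConfigEngine enable-sm-all"
else
  echo "fix the reported values before running enable-sm-all"
fi
```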
Open a command prompt and change to the following directory:
Enter the following commands, noting that the z/OS commands do not apply when using eTrust SiteMinder:
- UNIX: ./stopServer.sh WebSphere_Portal -user admin_userid -password admin_password
- AIX: ./stopServer.sh WebSphere_Portal -user admin_userid -password admin_password
- Windows: stopServer.bat WebSphere_Portal -user admin_userid -password admin_password
Change directory to the wp_profile_root/ConfigEngine/properties directory.
If you have stored your passwords in the wkplc.properties file, enter the following command to run the configuration task for your operating system. If you choose not to store your passwords in the wkplc.properties file, enter instead the command with passwords shown in the first note below. Running this configuration task automatically updates the WebSphere Application Server and Lotus Quickr configurations with the property values you supplied, enabling eTrust SiteMinder ESM integration:
- UNIX: ./ConfigEngine.sh enable-sm-all
- Windows: ConfigEngine.bat enable-sm-all
After eTrust SiteMinder is configured for external authorization and authentication in Lotus Quickr, you may wish to use the XML Configuration Interface (xmlaccess). By default, the XML configuration interface cannot access Lotus Quickr through eTrust SiteMinder. To allow the XML configuration interface to access Lotus Quickr through eTrust SiteMinder, use eTrust SiteMinder to define the configuration URL (/wps/config) as unprotected. Refer to the eTrust SiteMinder documentation for specific instructions. After the configuration URL is defined as unprotected, only Lotus Quickr enforces access control to this URL. Other resources, such as the lotus/myquickr URL, are still protected by eTrust SiteMinder.
If you do not wish to store your passwords in the wkplc.properties file, you may supply any password property on the command line. For example:
- UNIX: ./ConfigEngine.sh enable-sm-all -DSMAgentPW=password -DSMAdminPW=password
- Windows: ConfigEngine.bat enable-sm-all -DSMAgentPW=password -DSMAdminPW=password
If the configuration task fails, validate the values in the wkplc.properties