You must have IBM® Tivoli® Access Manager (TAM) for e-business, version 6.1.1, installed before you can perform this procedure. Also, ensure that you can access the installed IBM Sametime applications from a Web browser.
This setup requires the installation of Tivoli Access Manager, Base, Runtime, and Web Security applications, where:
- TAM WebSEAL is a reverse proxy server.
- TAM and IBM Sametime® should be configured to use the same LDAP server.
- Previously, WebSEAL for Sametime was configured using Standard WebSEAL Junctions.
==Setting up Single Sign-on==
Single sign-on (SSO) enables users to log in to one application of IBM Sametime and switch to other applications and resources without having to authenticate again. There are several different ways to configure SSO. This procedure describes one approach, in which we use an IBM WebSphere® Application Server Lightweight Third-party Authentication (LTPA) key and WebSEAL transparent junctions.
Before you begin
Prepare for SSO by determining which WebSphere Deployment Manager will provide the LTPA key(s) and export them for use on the Sametime components. This step applies to all Sametime components, and the LTPA key must be imported on all Deployment Managers and Community Servers.
For the purposes of this document, all servers using SSO must use the same LDAP directory that the Sametime Community Server uses. Although other configurations are possible, they are outside the scope of this article.
About this task
The Sametime Community Server installation creates an IBM Lotus® Domino® SSO key. You must replace the Domino SSO key with a WebSphere LTPA key to allow the Sametime Community server running on Domino and the other servers running on WebSphere Application Server to have an identical key for token validation and generation.
If Sametime servers running on WebSphere Application Server are managed by a different Sametime System Console, you must export the LTPA key from one of them and import it into the others.
1. In a browser, launch the Sametime System Console.
2. Log in to the Integrated Solutions Console for the Sametime server (Console Server).
3. Select Security --- Global Security --- WEB and SIP Security --- Single Sign-on (SSO), as shown in figure 1.
Figure 1. Global Security window
4. Make sure that the Domain name matches the Sametime Server domain and verify that Interoperability Mode is selected (see figure 2).
Figure 2. Single sign-on (SSO) window
5. Click OK and save the master configuration.
6. Then select Security --- Global Security; under Authentication, click LTPA. In the LTPA timeout section, set the timeout value to a value larger than the default, to minimize the potential for an LTPA token to expire during an active meeting.
A value that covers a period somewhat longer than a typical work day, such as 600 minutes, is recommended (see figure 3).
Figure 3. LTPA window
7. Under the Cross-cell single sign-on (see figure 4) section, enter a Password, confirm the password, and specify a file name to store the key. Make a note of the location of the file created, to use when you import the file to the Sametime Community Server.
For example, to save the key under the name “LTPAkey”, type “c:\LTPAkey” as the file name (on Microsoft® Windows® servers). Then click Export keys.
Figure 4. Cross-cell single sign-on section
8. Navigate to the directory where you exported the LTPA key and copy it to a location where you can access the file from the Sametime Community Server.
9. After creating LTPA keys for Sametime servers, configure the Sametime Community Server for SSO:
a) Make sure all servers use the same LDAP directory.
b) By default the Sametime installation creates a Domino SSO key. This key should be replaced with the WebSphere LTPA key you exported above.
10. (Optional) If you have multiple CELLs in your deployment, use the “Import keys” (recall figure 4 above) option to import the LTPA keys you just exported. This also holds true if you need to import keys into your single CELL deployment from an existing WebSphere/WebSEAL configuration.
NOTE: If you import keys, it is critical to remember to synchronize the nodes and restart the deployment manager and all nodes/application servers for the change to take effect.
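Steps 7 through 10 leave one exported LTPA key file per cell, and the whole procedure depends on every server holding identical key material and the same realm. The script below is an added example (not IBM's or the article's own code) that parses the properties-style file WebSphere writes on "Export keys" and reports any shared field that differs between the copies, so a stale key on one cell is caught before anyone tries to log in. The property names are those found in an exported ltpa.keys file; every value, host name and file name below is a constructed placeholder, and only a short hash of each value is printed so key material never lands in a log.

```python
"""Compare exported WebSphere LTPA key files across cells (added example)."""
import hashlib
import re
from typing import Dict, List

# Fields that must be identical on every server taking part in SSO.
# Property names as written by WebSphere's "Export keys"; values are constructed.
SHARED_FIELDS = (
    "com.ibm.websphere.ltpa.3DESKey",
    "com.ibm.websphere.ltpa.PublicKey",
    "com.ibm.websphere.ltpa.PrivateKey",
    "com.ibm.websphere.ltpa.Realm",   # realm must match: all servers use one LDAP
)

# Constructed sample: the key file exported from the Sametime System Console cell.
SAMPLE_CONSOLE = """#Mon Jan 01 00:00:00 GMT 2010
com.ibm.websphere.CreationDate=Mon Jan 01 00\\:00\\:00 GMT 2010
com.ibm.websphere.ltpa.version=1.0
com.ibm.websphere.ltpa.3DESKey=CONSTRUCTED3DESKEYPLACEHOLDER==
com.ibm.websphere.CreationHost=ssc.example.com
com.ibm.websphere.ltpa.PrivateKey=CONSTRUCTEDPRIVATEKEYPLACEHOLDER==
com.ibm.websphere.ltpa.Realm=ldap.example.com\\:389
com.ibm.websphere.ltpa.PublicKey=CONSTRUCTEDPUBLICKEYPLACEHOLDER==
"""

# Constructed sample: a second cell whose key was never replaced by the import.
SAMPLE_STALE_CELL = SAMPLE_CONSOLE.replace(
    "CONSTRUCTED3DESKEYPLACEHOLDER==", "DIFFERENTKEYSTILLONTHISCELL=="
).replace("ssc.example.com", "meetings.example.com")


def _unescape(value: str) -> str:
    """Undo Java properties escaping (\\: \\= \\\\) in a value."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_ltpa_keys(text: str) -> Dict[str, str]:
    """Parse a Java properties-style LTPA export into a dict of key -> value."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):   # date header and comments
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        props[key.strip()] = _unescape(value.strip())
    return props


def _fingerprint(value: str) -> str:
    """Short hash so mismatch reports never reveal key material."""
    return hashlib.sha256(value.encode()).hexdigest()[:8]


def compare_key_files(files: Dict[str, str]) -> List[str]:
    """Return a list of problems across the named key files; [] means they agree."""
    parsed = {name: parse_ltpa_keys(text) for name, text in files.items()}
    problems: List[str] = []
    for field in SHARED_FIELDS:
        seen: Dict[str, List[str]] = {}
        for name, props in parsed.items():
            if field not in props:
                problems.append(f"{name}: missing {field}")
                continue
            seen.setdefault(props[field], []).append(name)
        if len(seen) > 1:
            groups = "; ".join(
                f"{_fingerprint(v)} on {', '.join(names)}" for v, names in seen.items()
            )
            problems.append(f"{field} differs: {groups}")
    return problems


if __name__ == "__main__":
    # In practice read the exported files from disk; here the samples are inline.
    for problem in compare_key_files({"console": SAMPLE_CONSOLE,
                                      "meeting-cell": SAMPLE_STALE_CELL}):
        print(problem)
```

Run it against the key files copied from each Deployment Manager after step 10; an empty report means the cells will validate each other's tokens, while a "differs" line names the cell whose import (or node synchronization and restart) is still outstanding.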
Importing LTPA keys to the Sametime Community Server
In this section we explain how to import the LTPA key from WebSphere to Domino. Before we start, however, ensure you have Domino Notes Administrator installed and configured on the Sametime Server machine.
IBM Sametime 8.5 requires Lotus Domino version 8.0 or later; if you are maintaining an older Sametime server, it may be running a version of Lotus Domino prior to v8.
First, import the LTPA keys used by Sametime servers in the same DNS domain:
1. Open the Domino administrator console on the Domino server for the Sametime Community Server.
2. Select Configuration --- Web --- Web Configurations view (see figure 5). You may need to scroll down to see Web SSO configuration.
Figure 5. Web SSO Configurations view
3. Double-click “Web SSO Configuration for LtpaToken” to open the document, and click Keys --- Import WebSphere LTPA keys (figure 6).
Figure 6. Web SSO Configuration for LtpaToken document
4. Type in the exact file location of the key file you created on the Sametime SIP Proxy and Registrar server.
5. Enter the password you created on the server when you enabled SSO; click OK. The message "Successfully imported WebSphere LTPA keys" displays after the key has been imported.
6. In the Token Format field of the WebSphere Information section, select the LTPA token formats to be supported by Domino:
- LtpaToken - LTPAv1 only
- LtpaToken2 - LTPAv2 only
- LtpaToken and LtpaToken2 - both LTPAv1 and LTPAv2 formats are supported.
With this last option selected, both tokens are created, but the token returned to the client is determined by the TOKEN_TYPE_TO_RETURN flag under the AuthToken section of the Sametime.ini file. The default value is LTPA, which returns the LTPAv1 token. Changing the value to LTPA2 results in the LTPAv2 token being returned instead.
7. Click Save and Close.
Now configure the Sametime Community Server so that LtpaToken is set by the Sametime Proxy Web client instead of the Sametime token:
1. Log in to the Sametime System Console as the Sametime administrator.
2. Click Sametime Servers --- Sametime Community Servers.
3. In the list of Community Servers, click the name of a Sametime Community Server, to open its Configuration page.
4. Click the Community Services tab (see figure 7).
Figure 7. Community Servers tab
5. At the bottom of the "General" section, for the “Select the authentication type that users can use while logging into the community server” option, select the LTPA only radio button.
6. Restart the Domino server to put your changes into effect.
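Once the Domino server is back up, the quickest confirmation that the hand-off works is to inspect the Set-Cookie header returned on login: the cookie must be LtpaToken or LtpaToken2 (matching the Token Format chosen in the Web SSO Configuration document), and its Domain attribute must be the SSO domain verified in step 4 of the first procedure, or the browser will never present the token to the other servers. The checker below is an added example, not code from the article or from IBM; the headers it inspects are constructed samples, and the domain and token values are placeholders. It also flags a missing Secure or HttpOnly attribute, a caveat beyond what the article states but one worth checking on any SSO cookie.

```python
"""Check the LTPA cookie a Sametime front end returns on login (added example)."""
from typing import Dict, List, Optional

# Constructed sample headers; real captures come from the browser's network tools.
GOOD_HEADER = "LtpaToken=CONSTRUCTEDTOKENVALUE; Domain=.example.com; Path=/; Secure; HttpOnly"
BAD_HEADER = "LtpaToken=CONSTRUCTEDTOKENVALUE; Domain=.st.example.com; Path=/"

# Token Format choices from the Domino Web SSO Configuration document.
ALLOWED_NAMES = {
    "LtpaToken": {"LtpaToken"},                 # LTPAv1 only
    "LtpaToken2": {"LtpaToken2"},               # LTPAv2 only
    "both": {"LtpaToken", "LtpaToken2"},        # either may be returned
}


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Split one Set-Cookie header into name, value and lower-cased attributes.

    Flag attributes such as Secure map to an empty string so presence can be tested.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, Optional[str]] = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() if sep else ""
    return cookie


def check_sso_cookie(header: str, sso_domain: str, token_format: str) -> List[str]:
    """Return findings for one login Set-Cookie header; an empty list means OK."""
    allowed = ALLOWED_NAMES[token_format]
    cookie = parse_set_cookie(header)
    findings: List[str] = []
    if cookie["name"] not in allowed:
        findings.append(f"cookie {cookie['name']} is not one of {sorted(allowed)}")
    domain = cookie.get("domain")
    if domain is None:
        findings.append("no Domain attribute: cookie is host-only, other servers will not receive it")
    elif domain.lstrip(".").lower() != sso_domain.lstrip(".").lower():
        findings.append(f"Domain {domain} does not match SSO domain {sso_domain}")
    if "secure" not in cookie:
        findings.append("Secure attribute missing: token could be sent over plain HTTP")
    if "httponly" not in cookie:
        findings.append("HttpOnly attribute missing: token readable by page scripts")
    return findings


if __name__ == "__main__":
    for label, header in (("good", GOOD_HEADER), ("bad", BAD_HEADER)):
        print(label, check_sso_cookie(header, ".example.com", "LtpaToken") or "OK")
```

Feed it the Set-Cookie header from a login to the Community Server and one from a WebSphere-hosted Sametime server with the same sso_domain; both should come back clean, and a Domain mismatch between the two points straight at the Domain name setting in the Single sign-on (SSO) window or the Domino Web SSO Configuration document.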