
Configuring IBM Tivoli Access Manager / WebSEAL transparent junctions to work with an IBM Sametime environment

Added by IBM contributor Naveed Yousuf | Edited by Martin J Mc Cann on January 12, 2015 | Version 12

Abstract

This article explains the steps to configure IBM Tivoli Access Manager (TAM) for IBM Sametime Community Server, Meeting Server, Proxy Server, and the Connect client, using TAM with the Sametime System Console as the authentication server.

Table of Contents
  • 1 Introduction
  • 2 Setting up Single Sign-on
    • 2.1 Before you begin
    • 2.2 About this task
  • 3 Importing LTPA keys to the Sametime Community Server
  • 4 Making a junction from TAM to the Sametime server
  • 5 Creating junctions for Sametime servers
  • 6 Conclusion
  • 7 Tell us what you think
  • 8 Resources
  • 9 About the authors

Introduction


You must have IBM® Tivoli® Access Manager (TAM) for e-business, version 6.1.1, installed before you can perform this procedure. Also, ensure that you can access the installed IBM Sametime applications from a Web browser.

This setup requires the installation of Tivoli Access Manager, Base, Runtime, and Web Security applications, where:
  • TAM WebSEAL is a reverse proxy server.
  • TAM and IBM Sametime® should be configured to use the same LDAP server.
  • Previously, WebSEAL for Sametime was configured using Standard WebSEAL Junctions.


Setting up Single Sign-on


Single sign-on (SSO) enables users to log in to one application of IBM Sametime and switch to other applications and resources without having to authenticate again. There are several different ways to configure SSO. This procedure describes one approach, in which we use an IBM WebSphere® Application Server Lightweight Third-party Authentication (LTPA) key and WebSEAL transparent junctions.

Before you begin


Prepare for SSO by determining which WebSphere Deployment Manager will provide the LTPA key(s) and export them for use on the Sametime components. This step applies to all Sametime components, and the LTPA key must be imported on all Deployment Managers and Community Servers.

For the purposes of this document, all servers using SSO must use the same LDAP directory that the Sametime Community Server uses. Although other configurations are possible, they are outside the scope of this article.

About this task


The Sametime Community Server installation creates an IBM Lotus® Domino® SSO key. You must replace the Domino SSO key with a WebSphere LTPA key to allow the Sametime Community server running on Domino and the other servers running on WebSphere Application Server to have an identical key for token validation and generation.

If Sametime servers running on WebSphere Application Server are managed by a different Sametime System Console, you must export the LTPA key from one of them and import it into the others.

1. In a browser, launch the Sametime System Console.
2. Log in to the Integrated Solutions Console for the Sametime server (Console Server).
3. Select Security --- Global Security --- Web and SIP security --- Single sign-on (SSO), as shown in figure 1.

Figure 1. Global Security window



4. Make sure that the Domain name matches the Sametime Server domain and verify that Interoperability Mode is selected (see figure 2).

Figure 2. Single sign-on (SSO) window


5. Click OK and save the master configuration.
6. Then select Security --- Global Security; under Authentication, click LTPA. In the LTPA timeout section, set the timeout value to a value larger than the default, to minimize the potential for an LTPA token to expire during an active meeting.


A value that covers a period somewhat longer than a typical work day, such as 600 minutes, is recommended (see figure 3).


Figure 3. LTPA window



7. Under the Cross-cell single sign-on (see figure 4) section, enter a Password, confirm the password, and specify a file name to store the key. Make a note of the location of the file created, to use when you import the file to the Sametime Community Server.

For example, on Microsoft® Windows® servers, typing “c:\LTPAkey” saves the key as a file named “LTPAkey” on the C: drive. Then click Export keys.

Figure 4. Cross-cell single sign-on section



8. Navigate to the directory where you exported the LTPA key and copy it to a location where you can access the file from the Sametime Community Server.

9. After creating LTPA keys for Sametime servers, configure the Sametime Community Server for SSO:


a) Make sure all servers use the same LDAP directory.
b) By default the Sametime installation creates a Domino SSO key. This key should be replaced with the WebSphere LTPA key you exported above.


10. (Optional) If you have multiple cells in your deployment, use the “Import keys” option (recall figure 4 above) to import the LTPA keys you just exported. The same applies if you need to import keys into a single-cell deployment from an existing WebSphere/WebSEAL configuration.


NOTE: If you import keys, it is critical to remember to synchronize the nodes and restart the deployment manager and all nodes/application servers for the change to take effect.


Importing LTPA keys to the Sametime Community Server


In this section we explain how to import the LTPA key from WebSphere to Domino. Before you start, ensure that the Domino Administrator client is installed and configured on the Sametime Community Server machine.

NOTE: IBM Sametime 8.5 requires Lotus Domino version 8.0 or later; if you are maintaining an older Sametime server, it may be running a version of Lotus Domino prior to v8.

First, import the LTPA keys used by Sametime servers in the same DNS domain:

1. Open the Domino administrator console on the Domino server for the Sametime Community Server.
2. Select Configuration --- Web --- Web Configurations view (see figure 5). You may need to scroll down to see the Web SSO Configurations.

Figure 5. Web SSO Configurations view



3. Double-click “Web SSO Configuration for LtpaToken” to open the document, and click Keys --- Import WebSphere LTPA keys (figure 6).

Figure 6. Web SSO Configuration for LtpaToken document


4. Type in the exact file location of the key file you created on the Sametime SIP Proxy and Registrar server.
5. Enter the password you created on the server when you enabled SSO; click OK. The message "Successfully imported WebSphere LTPA keys" displays after the key has been imported.
6. In the Token Format field of the WebSphere Information section, select the LTPA token formats to be supported by Domino:

  • LtpaToken - LTPAv1 only
  • LtpaToken2 - LTPAv2 only
  • LtpaToken and LtpaToken2 - both LTPAv1 and LTPAv2 formats are supported.

With this last option selected, both tokens are created, but the token returned to the client is determined by the TOKEN_TYPE_TO_RETURN flag under the AuthToken section of the Sametime.ini file. The default value is LTPA, which returns the LTPAv1 token. Changing the value to LTPA2 results in the LTPAv2 token being returned instead.


7. Click Save and Close.

Now configure the Sametime Community Server so that LtpaToken is set by the Sametime Proxy web client instead of the Sametime token:

1. Log in to the Sametime System Console as the Sametime administrator.
2. Click Sametime Servers --- Sametime Community Servers.
3. In the list of Community Servers, click the name of a Sametime Community Server, to open its Configuration page.
4. Click the Community Services tab (see figure 7).

Figure 7. Community Servers tab



5. At the bottom of the "General" section, for the “Select the authentication type that users can use while logging into the community server” option, select the LTPA only radio button.
6. Restart the Domino server to put your changes into effect.

Making a junction from TAM to the Sametime server


1. First, make sure your Tivoli Access Manager packages are configured properly, as shown in figure 8.

Figure 8. Access Manager Configuration window



2. Go to your TAM server and log in to the PDADMIN command line utility by opening a command prompt window and typing “pdadmin” (see figure 9).

Figure 9. Command prompt window



3. Log in as Policy Server admin (see figure 10):

  • Type “login” and then press Enter.
  • Type “sec_master” and then press Enter.
  • Type the sec_master password and then press Enter.


Figure 10. Log in as Policy Server admin

Creating junctions for Sametime servers


For the Sametime Meeting and Sametime Proxy Servers, create the following transparent path junctions:

Junctions for Sametime Proxy Server:
/stwebclient
/stwebapi
/stwebav
/stbaseapi

Junctions for Sametime Meetings Server:
/stmeetings
/rtc
/userinfo
/DocumentShare
/AppShare
/admin
/summary
/rtcauth

Junctions for Sametime Community Server:


/CommunityCBR
/sametime
/stconf.nsf
/STsrc.nsf
/stcenter.nsf
/icons


Syntax:
server task <WEBSEAL-INSTANCE-NAME> create -t <CONNECTION-PROTOCOL> -h <SAMETIME-SERVER-NAME> -p <SAMETIME-SERVER-PORT> -i -x -f -A -F <LTPA-TOKEN-NAME> -Z <LTPA-TOKEN-PASSWORD> /<JUNCTION-NAME>

where:

  • WEBSEAL-INSTANCE-NAME is the instance name of your WebSEAL server. You can find it with the pdadmin command “server list”.
  • CONNECTION-PROTOCOL is TCP or SSL.
  • SAMETIME-SERVER-NAME is the full DNS name of the Sametime server.
  • SAMETIME-SERVER-PORT is the port the Sametime server uses.
  • LTPA-TOKEN-NAME is the path of your LTPA key file, for example, C:\
  • LTPA-TOKEN-PASSWORD is the LTPA password you created in the Sametime System Console.
  • JUNCTION-NAME is the web address path.

Example for Sametime Proxy Server junction:
server task default-webseald--server create -t tcp -h stproxy.ibm.com -p 9080 -i -x -f -A -F "C:\PDHome\ltpa.key" -Z password /stwebclient
server task default-webseald--server create -t tcp -h stproxy.ibm.com -p 9080 -i -x -f -A -F "C:\PDHome\ltpa.key" -Z password /stwebapi
server task default-webseald--server create -t tcp -h stproxy.ibm.com -p 9080 -i -x -f -A -F "C:\PDHome\ltpa.key" -Z password /stwebav
server task default-webseald--server create -t tcp -h stproxy.ibm.com -p 9080 -i -x -f -A -F "C:\PDHome\ltpa.key" -Z password /stbaseapi

Example for Sametime Meeting Server:
server task default-webseald--server create -t tcp -h stmeetings.ibm.com -p 9080 -i -x -f -A -F "C:\PDHome\ltpa.key" -Z password /stmeetings
server task default-webseald--server create -t tcp -h stmeetings.ibm.com -p 9080 -i -x -f -A -F "C:\PDHome\ltpa.key" -Z password /rtc
server task default-webseald--server create -t tcp -h stmeetings.ibm.com -p 9080 -i -x -f -A -F "C:\PDHome\ltpa.key" -Z password /userinfo
server task default-webseald--server create -t tcp -h stmeetings.ibm.com -p 9080 -i -x -f -A -F "C:\PDHome\ltpa.key" -Z password /DocumentShare
server task default-webseald--server create -t tcp -h stmeetings.ibm.com -p 9080 -i -x -f -A -F "C:\PDHome\ltpa.key" -Z password /AppShare
server task default-webseald--server create -t tcp -h stmeetings.ibm.com -p 9080 -i -x -f -A -F "C:\PDHome\ltpa.key" -Z password /admin
server task default-webseald--server create -t tcp -h stmeetings.ibm.com -p 9080 -i -x -f -A -F "C:\PDHome\ltpa.key" -Z password /summary
server task default-webseald--server create -t tcp -h stmeetings.ibm.com -p 9080 -i -x -f -A -F "C:\PDHome\ltpa.key" -Z password /rtcauth


Note:

If this functionality is used when entering meeting rooms that are password protected, the user may not receive an authentication challenge for the room password.

If this is the case, the /rtc junction definition above may need to be modified.

Change the /rtc junction to forward the original client BA header information (the "-b ignore" switch when creating the junction).

'Basic authentication mode' should be changed from 'filter' to 'ignore' within the junction definition.


Sametime Community Server (STILL STANDARD JUNCTIONS):
server task <default-webseald--server> create -t tcp -h <CommunityServer> -p 80 -i -x -f -A -F "C:\PDHome\ltpa.key" -Z password /CommunityCBR
server task <default-webseald--server> create -t tcp -h <CommunityServer> -p 80 -i -x -f -A -F "C:\PDHome\ltpa.key" -Z password /sametime
server task <default-webseald--server> create -t tcp -h <CommunityServer> -p 80 -i -x -f -A -F "C:\PDHome\ltpa.key" -Z password /stconf.nsf
server task <default-webseald--server> create -t tcp -h <CommunityServer> -p 80 -i -x -f -A -F "C:\PDHome\ltpa.key" -Z password /STsrc.nsf
server task <default-webseald--server> create -t tcp -h <CommunityServer> -p 80 -i -x -f -A -F "C:\PDHome\ltpa.key" -Z password /stcenter.nsf
server task <default-webseald--server> create -t tcp -h <CommunityServer> -p 80 -i -x -f -A -F "C:\PDHome\ltpa.key" -Z password /icons

Creating an ACL
After creating the junctions, keep the pdadmin utility open. Next, create an Access Control List (ACL) to override the WebSEAL default ACL for certain URIs.

Here are the steps to create a Sametime default ACL:

1. Create an ACL called st-default-acl:


acl create <st-default-acl>


2. Then change the attributes for different user groups:


acl modify <st-default-acl> set user sec_master TcmdbsvaBRlrx
acl modify <st-default-acl> set any-other Tmdrx
acl modify <st-default-acl> set unauthenticated T
acl modify <st-default-acl> set group iv-admin TcmdbsvaBRrxl
acl modify <st-default-acl> set group webseal-servers Tgmdbsrxl


Attaching the new Access Control List to the junctions
Now attach the newly created ACL to the following objects on the WebSEAL server, using this syntax:


acl attach /WEBSEAL/<WEBSEAL-INSTANCE>/<OBJECT> <st-default-acl>


For Sametime Proxy Server ACL:
/stbaseapi
/stwebclient
/stwebav
/stwebapi

For Sametime Meeting Server ACL:
/stmeetings
/rtc

Example:
acl attach /WebSEAL/server-default/stbaseapi st-default-acl
acl attach /WebSEAL/server-default/stwebclient st-default-acl
acl attach /WebSEAL/server-default/stwebav st-default-acl
acl attach /WebSEAL/server-default/stwebapi st-default-acl
acl attach /WebSEAL/server-default/stmeetings st-default-acl
acl attach /WebSEAL/server-default/rtc st-default-acl
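Added example, not part of the original article: a POSIX shell script that emits the pdadmin commands for all the junctions and the st-default-acl described above from one set of variables, so the same key file, password and instance name are used everywhere and the "-b ignore" variant of /rtc from the note is a switch rather than a hand edit. The WebSEAL host, Sametime host names and key path are placeholder assumptions; the naming pattern (server task name default-webseald-<host>, object path /WebSEAL/<host>-default) follows the examples above.

```shell
#!/bin/sh
# Added example (not from the article): emit the pdadmin commands that create
# the Sametime junctions and the st-default-acl, from one set of variables.
# Host names, instance name and key path below are placeholder assumptions.
WEBSEAL_HOST="webseal.example.com"          # WebSEAL machine (assumed)
WEBSEAL_INSTANCE="default"                  # instance name; check with "server list"
PROXY_HOST="stproxy.example.com"            # Sametime Proxy Server (assumed)
MEETING_HOST="stmeetings.example.com"       # Sametime Meeting Server (assumed)
COMMUNITY_HOST="stcommunity.example.com"    # Sametime Community Server (assumed)
LTPA_KEY='C:\PDHome\ltpa.key'               # exported LTPA key file on the WebSEAL host
LTPA_PASSWORD="${LTPA_PASSWORD:-password}"  # take the real one from the environment
RTC_BA_IGNORE="${RTC_BA_IGNORE:-0}"         # 1 = add "-b ignore" to /rtc (see the note above)
# The article's naming pattern: server task name and object-space path
SERVER_TASK="${WEBSEAL_INSTANCE}-webseald-${WEBSEAL_HOST}"
OBJ_ROOT="/WebSEAL/${WEBSEAL_HOST}-${WEBSEAL_INSTANCE}"

# One "server task ... create" line.  $1=host $2=port $3=junction $4=extra flags
# -t tcp back-end protocol; -i case-insensitive URLs; -x transparent path junction;
# -f replace an existing junction; -A/-F/-Z enable LTPA cookies with key file and password
junction_cmd() {
    printf 'server task %s create -t tcp -h %s -p %s -i -x -f -A -F "%s" -Z "%s"%s %s\n' \
        "$SERVER_TASK" "$1" "$2" "$LTPA_KEY" "$LTPA_PASSWORD" "$4" "$3"
}

gen_junctions() {
    for j in /stwebclient /stwebapi /stwebav /stbaseapi; do
        junction_cmd "$PROXY_HOST" 9080 "$j" ""
    done
    for j in /stmeetings /rtc /userinfo /DocumentShare /AppShare /admin /summary /rtcauth; do
        extra=""
        # Only /rtc may need the client's BA header passed through, and only if
        # password-protected rooms stop prompting (the article's note)
        if [ "$j" = /rtc ] && [ "$RTC_BA_IGNORE" = 1 ]; then extra=" -b ignore"; fi
        junction_cmd "$MEETING_HOST" 9080 "$j" "$extra"
    done
    for j in /CommunityCBR /sametime /stconf.nsf /STsrc.nsf /stcenter.nsf /icons; do
        junction_cmd "$COMMUNITY_HOST" 80 "$j" ""
    done
}

gen_acl() {
    echo "acl create st-default-acl"
    echo "acl modify st-default-acl set user sec_master TcmdbsvaBRlrx"
    echo "acl modify st-default-acl set any-other Tmdrx"
    echo "acl modify st-default-acl set unauthenticated T"   # traverse only: no anonymous reads
    echo "acl modify st-default-acl set group iv-admin TcmdbsvaBRrxl"
    echo "acl modify st-default-acl set group webseal-servers Tgmdbsrxl"
    for obj in stbaseapi stwebclient stwebav stwebapi stmeetings rtc; do
        echo "acl attach ${OBJ_ROOT}/${obj} st-default-acl"
    done
}

# Sanity check before loading: the unauthenticated entry must keep exactly "T"
acl_unauth_is_traverse_only() {
    gen_acl | grep -q '^acl modify st-default-acl set unauthenticated T$'
}

gen_pdadmin_file() { gen_junctions; gen_acl; }   # redirect to a file, or paste into pdadmin
```

Run `acl_unauth_is_traverse_only` before loading the output, and review the generated lines in a diff against the running configuration rather than trusting the generator blindly.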

Conclusion


You should now have a good idea of how to configure IBM TAM for Sametime Community Server, Meeting Server, Proxy Server, Media Manager, Advanced Server, and the Connect client, using TAM with the Sametime System Console as the authentication server.

Tell us what you think


Please visit this link to take a one-question survey about this article: http://www.surveymonkey.com/s/9Q6ZKGN

Resources


developerWorks® Sametime product page:
http://www.ibm.com/developerworks/lotus/products/instantmessaging/

Sametime Forum:
http://www-10.lotus.com/ldd/stforum.nsf?OpenDatabase

Sametime product documentation:
http://www-10.lotus.com/ldd/stwiki.nsf/xpViewCategories.xsp?lookupName=Product%20Documentation

About the authors


Naveed Yousuf is a Software Engineer working on various teams at IBM's Dublin Software Lab since 1999. He has worked with the Sametime Systems Verification Test (SVT) team for the past four years, focusing on integration and interoperability across Sametime products. You can reach him at naveed_yousuf@ie.ibm.com.

Pat Curtin is a Software Engineer working on various teams at IBM's Dublin Software Lab since 1999. He works with the Lotus SVT team, focusing on integration and interoperability across Lotus products. You can reach him at PCURTIN@ie.ibm.com.

Tony Payne has worked as an IBM Sametime Software Engineer for 12 years, with a focus / special attention on cross-product interoperability and security architecture, and working on Level 3 Customer Support for the past two years. You can reach him at tony_payne@us.ibm.com.