Introduction

You must have IBM® Tivoli® Access Manager (TAM) for e-business, version 6.1.1, installed before you can perform this procedure. Also, ensure that you can access the installed IBM Sametime applications from a Web browser.

This setup requires the installation of Tivoli Access Manager, Base, Runtime, and Web Security applications, where:

• TAM WebSEAL is a reverse proxy server.
• TAM and IBM Sametime® should be configured to use the same LDAP server.
• Previously, WebSEAL for Sametime was configured using Standard WebSEAL Junctions.

Setting up Single Sign-on

Single sign-on (SSO) enables users to log in to one application of IBM Sametime and switch to other applications and resources without having to authenticate again. There are several different ways to configure SSO. This procedure describes one approach, in which we use an IBM WebSphere® Application Server Lightweight Third-party Authentication (LTPA) key and WebSEAL transparent junctions.

Before you begin

Prepare for SSO by determining which WebSphere Deployment Manager will provide the LTPA key(s) and export them for use on the Sametime components. This step applies to all Sametime components, and the LTPA key must be imported on all Deployment Managers and Community Servers.

For the purposes of this document, all servers using SSO must use the same LDAP directory that the Sametime Community Server uses. Although other configurations are possible, they are outside the scope of this article.

About this task

The Sametime Community Server installation creates an IBM Lotus® Domino® SSO key. You must replace the Domino SSO key with a WebSphere LTPA key to allow the Sametime Community server running on Domino and the other servers running on WebSphere Application Server to have an identical key for token validation and generation.

If Sametime servers running on WebSphere Application Server are managed by a different Sametime System Console, you must export the LTPA key from one of them and import it into the others.

1. In a browser, launch the Sametime System Console.
2. Log in to the Integrated Solutions Console for the Sametime server (Console Server).
3. Select Security --- Global Security --- WEB and SIP Security --- Single Sign-on (SSO), as shown in figure 1.

Figure 1. Global Security window



4. Make sure that the Domain name matches the Sametime Server domain and verify that Interoperability Mode is selected (see figure 2).

Figure 2. Single sign-on (SSO) window


5. Click OK and save the master configuration.
6. Then select Security --- Global Security; under Authentication, click LTPA. In the LTPA timeout section, set the timeout value to a value larger than the default, to minimize the potential for an LTPA token to expire during an active meeting.

Figure 3. LTPA window



7. Under the Cross-cell single sign-on (see figure 4) section, enter a Password, confirm the password, and specify a file name to store the key. Make a note of the location of the file created, to use when you import the file to the Sametime Community Server.

For example, we can save the key name as “LTPAkey” by typing “c:\LTPAkey” drive (for Microsoft® Windows® servers). Then click Export keys.

Figure 4. Cross-cell single sign-on section



8. Navigate to the directory where you exported the LTPA key and copy it to a location where you can access the file from the Sametime Community Server.

9. After creating LTPA keys for Sametime servers, configure the Sametime Community Server for SSO:

10. (Optional) If you have multiple CELLs in your deployment, use the “Import keys” (recall figure 4 above) option to import the LTPA keys you just exported. This also holds true if you need to import keys into your single CELL deployment from an existing WebSphere/WebSEAL configuration.

Importing LTPA keys to the Sametime Community Server

In this section we explain how to import the LTPA key from WebSphere to Domino. Before we start, however, ensure you have Domino Notes Administrator installed and configured on the Sametime Server machine.

NOTE: IBM Sametime 8.5 requires Lotus Domino version 8.0 or later; if you are maintaining an older Sametime server, it may be running a version of Lotus Domino prior to v8.

First, import the LTPA keys used by Sametime servers in the same DNS domain:

1. Open the Domino administrator console on the Domino server for the Sametime Community Server.
2. Select Configuration ---Web --- Web Configurations view (see figure 5). You may need to scroll down to see Web SSO configuration.

Figure 5. Web SSO Configurations view



3. Double-click “Web SSO Configuration for LtpaToken” to open the document, and click Keys --- Import WebSphere LTPA keys (figure 6).

Figure 6. Web SSO Configuration for LtpaToken document
.


4. Type in the exact file location of the key file you created on the Sametime SIP Proxy and Registrar server.
5. Enter the password you created on the server when you enabled SSO; click OK. The message "Successfully imported WebSphere LTPA keys" displays after the key has been imported.
6. In the Token Format field of the WebSphere Information section, select the LTPA token formats to be supported by Domino:

• LtpaToken - LTPAv1 only
• LtpaToken2 - LTPAv2 only
• LtpaToken and LtpaToken2 - both LTPAv1 and LTPAv2 formats are supported.








 
•  
•  
•  
•  
•  
• With this last option selected, both tokens are created, but the token returned to the client is determined by the TOKEN_TYPE_TO_RETURN flag under the AuthToken section of the Sametime.ini file. The default value is LTPA, which returns the LTPAv1 token. Changing the value to LTPA2 results in the LTPAv2 token being returned instead.

7. Click Save and Close.

Now Configure the Sametime Community Server so that LtpaToken gets set by the Sametime Proxy Web client instead of the Sametime token:

1. Log in to the Sametime System Console as the Sametime administrator.
2. Click Sametime Servers --- Sametime Community Servers.
3. In the list of Community Servers, click the name of a Sametime Community Server, to open its Configuration page.
4. Click the Community Services tab (see figure 7).

Figure 7. Community Servers tab



5. At the bottom of the "General" section, for the “Select the authentication type that users can use while logging into the community server” option, select the LTPA only radio button.
6. Restart the Domino server to put your changes into effect.

Making a junction from TAM to the Sametime server

1. First, make sure your Tivoli Access Manager packages are configured properly, as shown in figure 8.

Figure 8. Access Manager Configuration window



2. Go to your TAM server and log in to the PDADMIN command line utility by opening a command prompt window and typing “pdadmin” (see figure 9).

Figure 9. Command prompt window



3. Log in as Policy Server admin (see figure 10):

• Type “login” and then press Enter.
• Type “Sec_master” and then press Enter.
• Key in the sec_master password and then press Enter

Figure 10. Log in as Policy Server admin

Creating junctions for Sametime servers

For the Sametime Meeting and Sametime Proxy Servers, create the following transparent path junctions:

Junctions for Sametime Proxy Server:
/stwebclient
/stwebapi
/stwebav
/stbaseapi

Junctions for Sametime Meetings Server:
/stmeetings
/rtc
/userinfo
/DocumentShare
/AppShare
/admin
/summary
/rtcauth

Junctions for Sametime Community Server:

Syntax:
server task <WEBSEAL-INSTANCE-NAME> create -t <CONNECTION-PROTOCOL> -h <SAMETIME-SERVER-NAME> -p <SAMETIME-SERVER-PORT> -i -x -f -A -F <LTPA-TOKEN-NAME> -Z <LTPA-TOKEN-PASSWORD> /<JUNCTION-NAME>

where:

• WEBSEAL-INSTANCE-NAME is the instance name of your policy server. You can find it by using pdadmin command “server list”
• CONNECTION-PROTOCOL is TCP or SSL
• SAMETIME-SERVER-NAME is sametime server full DNS name
• SAMETIME-SERVER-PORTis the port sametime server use
• LTPA-TOKEN-NAME is the path of your LTPA key location. for example, C:\
• LTPA-TOKEN-PASSWORD is the LTPA Password you created in Sametime Console Server
• JUNCTION-NAME is the Web address path

Example for Sametime Proxy Server junction:
server task default-webseald--server create -t tcp -h stproxy.ibm.com -p 9080 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /stwebclient
server task default-webseald--server create -t tcp -h stproxy.ibm.com -p 9080 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /stwebapi
server task default-webseald--server create -t tcp -h stproxy.ibm.com -p 9080 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /stwebav
server task default-webseald--server create -t tcp -h stproxy.ibm.com -p 9080 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /stbaseapi

Example for Sametime Meeting Server:
server task default-webseald--server create -t tcp -h stmeetings.ibm.com -p 9080 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /stmeetings
server task default-webseald--server create -t tcp -h stmeetings.ibm.com -p 9080 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /rtc
server task default-webseald--server create -t tcp -h stmeetings.ibm.com -p 9080 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /userinfo
server task default-webseald--server create -t tcp -h stmeetings.ibm.com -p 9080 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /DocumentShare
server task default-webseald--server create -t tcp -h stmeetings.ibm.com -p 9080 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /AppShare
server task default-webseald--server create -t tcp -h stmeetings.ibm.com -p 9080 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /admin
server task default-webseald--server create -t tcp -h stmeetings.ibm.com -p 9080 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /summary
server task default-webseald--server create -t tcp -h stmeetings.ibm.com -p 9080 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /rtcauth

 

Note:

If this functionality is used for the case when entering Meeting Rooms that are password protected, the user may not receive an authentication challenge for the room password.

If this is the case then modification to the /rtc junction definition above may be required.                                                                                                                                                                                                                      

Change the /rtc junction to forward original client BA header information ("-b ignore" switch when creating the junction).                                                                                                                                                                     

'Basic authentication mode' should be changed from 'filter' to 'ignore'  within the junction definition.

 

Sametime Community Server (STILL STANDARD JUNCTIONS):
server task <default-webseald--server> create -t tcp -h <CommunityServer> -p 80 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /CommunityCBR
server task <default-webseald--server> create -t tcp -h <CommunityServer> -p 80 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /sametime
server task <default-webseald--server> create -t tcp -h <CommunityServer> -p 80 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /stconf.nsf
server task <default-webseald--server> create -t tcp -h <CommunityServer> -p 80 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /Stsrc.nsf
server task <default-webseald--server> create -t tcp -h <CommunityServer> -p 80 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /stcenter.nsf
server task <default-webseald--server> create -t tcp -h <CommunityServer> -p 80 -i -x -f -A -F “C:\PDHome\ltpa.key” -Z password /icons

Creating an ACL
After creating the junctions, keep the PDadmin utility open. We need to create an Access Control List (ACL) to override the WebSeal default in ACL for certain URIs

Here are the steps to create a Sametime default ACL:

1. Create an ACL called st-default-acl:

2. Then change the attributes for different user groups:

Attaching the new Access Control List to the junctions
Now we can attach the newly created ACL to the following objects on the WebSEAL Server, using this syntax:

For Sametime Proxy Server ACL:
/stbaseapi
/stwebclient
/stwebav
/stwebapi

For Sametime Meeting Server ACL:
/stmeetings
/rtc

Example:
acl attach /WebSEAL/server-default/stbaseapi st-default-acl
acl attach /WebSEAL/server-default/stwebclient st-default-acl
acl attach /WebSEAL/server-default/stwebav st-default-acl
acl attach /WebSEAL/server-default/stwebapi st-default-acl
acl attach /WebSEAL/server-default/stmeetings st-default-acl
acl attach /WebSEAL/server-default/rtc st-default-acl

Conclusion

You should now have a good idea of how to configure IBM TAM for Sametime Community Server, Meeting Server, Proxy Server, Media Manager, Advanced Server, and the Connect client, using TAM with the Sametime System Console as the authentication server.

Tell us what you think

Please visit this link to take a one-question survey about this article: http://www.surveymonkey.com/s/9Q6ZKGN

Resources

developerWorks® Sametime product page:
http://www.ibm.com/developerworks/lotus/products/instantmessaging/

Sametime Forum:
http://www-10.lotus.com/ldd/stforum.nsf?OpenDatabase

Sametime product documentation:
http://www-10.lotus.com/ldd/stwiki.nsf/xpViewCategories.xsp?lookupName=Product%20Documentation

About the authors

Naveed Yousuf is a Software Engineer working on various teams at IBM's Dublin Software Lab since 1999. He has worked with the Sametime Systems Verification Test (SVT) team for the past four years, focusing on integration and interoperability across Sametime products. You can reach him at naveed_yousuf@ie.ibm.com.

Pat Curtin is a Software Engineer working on various teams at IBM's Dublin Software Lab since 1999. He works with the Lotus SVT team, focusing on integration and interoperability across Lotus products. You can reach him at PCURTIN@ie.ibm.com.

Tony Payne has worked as an IBM Sametime Software Engineer for 12 years, with a focus / special attention on cross-product interoperability and security architecture, and working on Level 3 Customer Support for the past two years. You can reach him at tony_payne@us.ibm.com.