This document describes the necessary steps to configure single sign-on (SSO) between IBM Content Manager Services for Lotus Quickr and Lotus Quickr 8.5 for WebSphere Portal by using LDAP.
To configure single sign-on:
- Enable single sign-on in Content Manager EE library server.
- Configure single sign-on for IBM Content Manager Services for Lotus Quickr.
- Configure Lotus Quickr 8.5 for WebSphere Portal for SSO by using LDAP.
Enabling single sign-on (SSO) in the Content Manager EE library server
Before proceeding with this step, you must install Content Manager EE, LDAP, and IBM Content Manager Services for Lotus Quickr. The following procedure assumes a common LDAP directory that is shared by all components in the stack: Content Manager EE, IBM Content Manager Services for Lotus Quickr, and Lotus Quickr 8.5 for WebSphere Portal.
Important: LDAP support requires Content Manager EE Version 18.104.22.168 or later.
To enable single sign-on in the Content Manager EE library server:
1. Clear the "Password is required for all users" setting and enable AllowTrustedLogon.
   a. Start the Content Manager EE system administration client.
   b. Select Tools > Manage Database Connection ID > Change Database Shared Connection ID from the Administration Client menu.
   c. Clear the Password is required for all users logging on to CM check box. Click OK to save the change.
   d. In the navigation pane, click Library server parameters > Configurations.
   e. Right-click Library Server Configuration in the right pane and select Properties.
   f. Set Max user action to Allow logon without warning and select the Allow trusted logon check box.
   g. Click OK to save the changes.
2. Set up the LDAP user import information.
   a. Log in to the Content Manager EE system administration client.
   b. Click Tools > LDAP Configuration.
   c. On the LDAP tab, select the Enable LDAP User import and authentication check box.
   d. To configure the LDAP properties, click the Server panel and enter your LDAP server information.
   Tip: In the WebSphere administration console, the LDAP user registry settings must be configured so that the user filter selects the LDAP users who are allowed to log in to IBM Content Manager Services for Lotus Quickr.
   Example: In the WebSphere administration console, under Secure administration, applications, and infrastructure > Standalone LDAP registry > Advanced Lightweight Directory Access Protocol (LDAP) user registry settings, if your organization uses sAMAccountName as the user ID, set User filter to (&(sAMAccountName=%v)(objectcategory=user)) and set User ID map to user:sAMAccountName.
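To see what the user filter from the Example above actually selects before pointing WebSphere at a live directory, here is an added example (not part of the original document, not IBM code): it substitutes the login name for %v with RFC 4515 escaping and evaluates the filter against a few constructed entries. The directory entries and names are made up.

```python
"""Expand and evaluate a WebSphere-style LDAP user filter offline.

Added example, not from the original document. It takes the filter template
(&(sAMAccountName=%v)(objectcategory=user)), substitutes the login name for
%v with RFC 4515 escaping, and evaluates the result against constructed
entries so the effect of each clause can be checked without an LDAP server.
"""
import re
from typing import Dict, List

USER_FILTER = "(&(sAMAccountName=%v)(objectcategory=user))"

# Constructed entries: a person, a service account with a similar name, and a
# group that happens to carry the same sAMAccountName as the person.
DIRECTORY: List[Dict[str, str]] = [
    {"dn": "CN=J Doe,OU=Staff,DC=example,DC=com", "sAMAccountName": "jdoe", "objectcategory": "user"},
    {"dn": "CN=jdoe-svc,OU=Service,DC=example,DC=com", "sAMAccountName": "jdoe-svc", "objectcategory": "user"},
    {"dn": "CN=jdoe,OU=Groups,DC=example,DC=com", "sAMAccountName": "jdoe", "objectcategory": "group"},
]

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: characters that would change the filter structure or
    act as wildcards become \\XX hex escapes."""
    return "".join(f"\\{ord(c):02x}" if c in '*()\\\x00' else c for c in value)

def expand_user_filter(login: str, template: str = USER_FILTER) -> str:
    """Substitute the (escaped) login name for %v in the filter template."""
    return template.replace("%v", escape_filter_value(login))

def _value_matches(pattern: str, actual: str) -> bool:
    """Equality-clause semantics: an unescaped '*' is a wildcard, \\XX is a
    literal byte, and comparison is case-insensitive like these attributes."""
    literal = [re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), p)
               for p in pattern.split("*")]
    return re.fullmatch(".*".join(re.escape(p) for p in literal), actual, re.IGNORECASE) is not None

def find_users(ldap_filter: str, entries=DIRECTORY) -> List[str]:
    """Evaluate an AND of equality clauses and return the DNs that match."""
    clauses = re.findall(r"\(([^=()]+)=([^()]*)\)", ldap_filter)
    return [e["dn"] for e in entries
            if all(_value_matches(v, e.get(a, "")) for a, v in clauses)]
```

Dropping the (objectcategory=user) clause makes the group entry match the same login, and an unescaped wildcard in the login matches more than one account, which is why both the filter shape and the escaping matter.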
3. Create a privilege set for SSO users.
   a. Log in to the Content Manager EE system administration client.
   b. Expand Authorization.
   c. Click Privilege Sets.
   d. Select the AllPrivs privilege set. This privilege set is used as an example; modify the privilege set information as required.
   e. Right-click and select Copy > Advanced.
   f. Enter a name for the new privilege set. Example: SSOPriv.
   g. In the privilege set that you created in Step f, select AllowTrustedLogon and clear the SystemSuperDomainAdmin check box. This privilege is not required.
   h. Click OK.
   Important: Do not clear the SystemSuperDomainAdmin check box from the AllPrivs privilege set that you selected in Step d.
4. Add LDAP users in Content Manager EE.
   a. Log in to the Content Manager EE system administration client.
   b. Expand Authentication.
   c. Right-click and select Users > New.
   d. Set Password expiration to Never expires.
   e. Click the LDAP button and enter the user name that you want to import.
   f. After the names are returned, highlight the name and click OK.
   g. Set Maximum privilege set to SSOPriv, the privilege set that you created in Step 3.
   h. In the Set Default panel, enter the Default item access control list and click OK to create the new SSO user.
   i. Restart the Content Manager EE server.
   Note: If the LDAP server is an IBM Tivoli Directory Server (ITDS), install the ITDS client on the same machine as Content Manager EE:
   - During the LDAP client installation, select the Java client and C client only.
   - Add C:\IBM\LDAP\V6.1\bin;C:\IBM\LDAP\V6.1\lib; to the PATH environment variable.
   - Copy the DLL file from C:\Program Files\IBM\db2cmv8\ldap to C:\Program Files\IBM\db2cmv8\cmgmt\ls\icmnlsdb.
   - Restart your server.
5. Install the Content Manager EE Client for Windows.
6. Verify that the LDAP user can log in to Content Manager EE by using the client.
Configuring SSO for IBM Content Manager Services for Lotus Quickr
To configure SSO for IBM Content Manager Services for Lotus Quickr:
1. Set up LDAP for IBM Content Manager Services for Lotus Quickr.
   a. Log on to the WebSphere administration console of the server on which you deployed IBM Content Manager Services for Lotus Quickr.
   b. Click Application > Enterprise Applications > clb.cm.websvc > Security role to user/group mapping.
   c. Ensure that the Everyone check box is cleared. Select the All authenticated check box and click OK.
   d. Click Security > Secure administration, applications, and infrastructure.
   e. Select Enable administrative security.
   f. Select Enable application security.
   g. Clear the Java 2 security check box.
   h. Set Available realm definitions to Standalone LDAP registry.
   i. Click Configure and enter the LDAP information. Make sure that you enter the same information that you entered when you set up the LDAP user import in the Content Manager EE system administration client (see Set up the LDAP user import information).
   j. Select the Reuse connection check box.
   k. Select the Ignore case for authorization check box.
   l. Clear the SSL enabled check box.
   m. Click Test connection and make sure that you can connect to the LDAP server.
   n. Click Apply and save the changes to the master configuration.
   o. Restart the WebSphere Application Server for the changes to take effect.
To configure Lotus Quickr 8.5 for WebSphere Portal for SSO, see Lotus Quickr 8.5 for WebSphere Portal product documentation.
To complete the SSO configuration between Lotus Quickr 8.5 for WebSphere Portal and IBM Content Manager Services for Lotus Quickr, you must synchronize the LTPA keys between the two servers, so that a token issued by one server is accepted by the other.
To synchronize the LTPA keys:
   a. On the Lotus Quickr 8.5 for WebSphere Portal server, open the WebSphere administration console.
   b. Expand Security > Secure administration, applications, and infrastructure.
   c. Click Authentication mechanisms and expiration.
   d. In the Single sign-on section, create a password and write it down.
   e. Type the full path to a file on the application server where you want to store the keys, such as /home/wasadmin/ltpa.keys.
   f. Click Export keys. WebSphere exports the LTPA keys to the location that you specified.
   g. Click Apply and save the changes.
   h. Copy the LTPA key file that you just generated to the IBM Content Manager Services for Lotus Quickr server and note its location.
   i. Open the WebSphere administration console on the IBM Content Manager Services for Lotus Quickr server and repeat Steps b and c.
   j. Go to the Single sign-on section and enter the password that you created in Step d.
   k. Type the full path to the LTPA key file from Step h on the IBM Content Manager Services for Lotus Quickr server.
   l. Click OK and Save.
   m. Restart the Lotus Quickr 8.5 for WebSphere Portal server and the IBM Content Manager Services for Lotus Quickr WebSphere Application Server for the changes to take effect.
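As an added check that the export and import above really left both servers with the same key material (example code, not part of the original document or of WebSphere): the script below parses two exported LTPA key files and reports the properties that differ. The property names are the ones found in files written by Export keys and are an assumption for your release; the key values in the samples are constructed placeholders.

```python
"""Compare two exported WebSphere LTPA key files before trusting SSO between them.
Added example, not from the original document. Property names are those found in
files written by 'Export keys' (an assumption for your release); key values are
constructed placeholders."""
import re
from typing import Dict, List

# Both servers must agree on these: the 3DES key and key pair let one server
# verify a token minted by the other, and the realm is part of the token's identity.
SHARED_PROPERTIES = (
    "com.ibm.websphere.ltpa.version", "com.ibm.websphere.ltpa.Realm",
    "com.ibm.websphere.ltpa.3DESKey", "com.ibm.websphere.ltpa.PrivateKey",
    "com.ibm.websphere.ltpa.PublicKey",
)

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: skip '#'/'!' comments, split on the first
    '=', and drop the backslash Java writes before ':' in values."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = re.sub(r"\\(.)", r"\1", value.strip())
    return props

def ltpa_mismatches(exported_keys: str, imported_keys: str) -> List[str]:
    """Return the shared properties that are missing or differ between the files."""
    a, b = parse_properties(exported_keys), parse_properties(imported_keys)
    return [p for p in SHARED_PROPERTIES if a.get(p) is None or a.get(p) != b.get(p)]

# Constructed sample of the file written by 'Export keys' on the Quickr server.
QUICKR_KEYS = """\
#IBM WebSphere Application Server key file
com.ibm.websphere.CreationDate=Mon Jan 01 12\\:00\\:00 GMT 2024
com.ibm.websphere.ltpa.version=1.0
com.ibm.websphere.ltpa.3DESKey=PLACEHOLDER-3DES-KEY-FROM-QUICKR
com.ibm.websphere.CreationHost=quickr.example.com
com.ibm.websphere.ltpa.PrivateKey=PLACEHOLDER-PRIVATE-KEY-FROM-QUICKR
com.ibm.websphere.ltpa.Realm=ldap.example.com\\:389
com.ibm.websphere.ltpa.PublicKey=PLACEHOLDER-PUBLIC-KEY-FROM-QUICKR
"""

# The Services server's own keys before the import: same realm, but independently
# generated key material, so a token from Quickr could not be verified there.
SERVICES_KEYS_BEFORE_IMPORT = QUICKR_KEYS.replace("FROM-QUICKR", "FROM-SERVICES")
```

An empty list from ltpa_mismatches means the two files agree on every shared property; a list naming only the Realm is the classic case of matching keys but differently configured registries.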