IBM Support

Configuring single sign-on for IBM Content Navigator by using Tivoli Access Manager for e-business on WebSphere Application Server (FileNet P8)

Product Documentation


Abstract

This document contains the step-by-step instructions for configuring single sign-on (SSO) for IBM Content Navigator with a FileNet P8 repository by using Tivoli Access Manager for e-business Sign-On and WebSEAL on WebSphere Application Server.

Content

To configure single sign-on integration between IBM Access Manager for e-business and IBM Content Navigator, you must:

  1. Complete the pre-deployment tasks
  2. Configure and deploy IBM Content Navigator with IBM Tivoli Access Manager
  3. Verify your deployment of IBM Content Navigator with IBM Tivoli Access Manager

Additional resources
Troubleshooting your deployment


Before you begin
Ensure that you have the appropriate prerequisite software installed and configured in your environment.

If you plan to use Tivoli Access Manager for e-business for SSO, you must be aware of the following restrictions:
  • You use IBM Content Navigator to connect to only IBM FileNet P8 repositories. If you configure the IBM Content Navigator web application to connect to IBM Content Manager or IBM Content Manager OnDemand repositories, you cannot use single sign-on.
  • IBM Content Navigator for Microsoft Office is not supported if you deploy IBM Content Navigator with Tivoli Access Manager for e-business for SSO. If you use IBM Content Navigator for Microsoft Office, you must deploy IBM Content Navigator in a non-SSO environment or in an SSO environment that supports IBM Content Navigator for Microsoft Office.

    For more information, see the Hardware and software requirements for IBM Content Navigator. Select the version of IBM Content Navigator that you are running in your environment from the Hardware and software requirements for IBM Content Navigator web page.

Step 1 - Complete the pre-deployment tasks


  1. Install and configure Tivoli Access Manager for e-business by using the IBM Tivoli Access Manager for e-business V6.1.1 Installation Guide. See IBM Tivoli Access Manager for e-business 6.1.1 Knowledge Center for more information.

    You must install the following Tivoli Access Manager components:
    • Policy Server
    • WebSEAL
    • Authorization Server
  2. Configure your IBM Content Navigator server with Tivoli Access Manager for e-business by following the steps provided for Application Engine in chapter 4, "Single sign-on using Tivoli Access Manager for e-business" of the Single Sign-On Solutions for IBM FileNet P8 (PDF) IBM Redbooks publication.

    Important: When you refer to the Application Engine documentation:
    • Replace all references to Application Engine with IBM Content Navigator.
    • Skip the step to create the junction in section 4.2.2.
    • Complete all of the steps up to section 4.2.6. Do not deploy IBM Content Navigator before you complete the remaining tasks.
    HA systems: For the Trust Association Interceptor (TAI) to establish trust for a request, SvrSslCfg must be run for the Java Virtual Machine on each application server. Running it creates the PDPerm.properties file on that application server.


    Run the pdjrtecfg script and then run the svrsslcfg script on each application server. For more information, see Product Documentation for WebSphere Network Deployment.


  3. Install and configure IBM FileNet P8 Content Engine. See Product Documentation for FileNet P8 (http://www.ibm.com/support/docview.wss?uid=swg27021508) for more information.

  4. Install IBM Content Navigator. See Planning, Installing, and Configuring IBM Content Navigator (http://www.ibm.com/support/knowledgecenter/SSEUEX_2.0.3/com.ibm.installingeuc.doc/eucao000.htm) for installation instructions. Do not deploy IBM Content Navigator.


Step 2 - Configure and deploy IBM Content Navigator with Tivoli Access Manager



Complete the following tasks:
  1. Create two junctions, one for IBM Content Navigator and one for the integrated help system using the server task pdadmin command on the Tivoli Access Manager WebSEAL server. Follow the steps in section 4.2.2 "Create the junction" in the Single Sign-On Solutions for IBM FileNet P8 (PDF) IBM Redbooks publication. For more information about the syntax and the options that you use to create a junction, see the server task create entry in the WebSEAL command line reference.

    Important: When you create the junctions, keep the following information in mind:
    • IBM Content Navigator and the integrated help system support only transparent junctions.
    • HA systems: When you specify the IBM Content Navigator host name, specify the IBM HTTP Server name. When you specify the port number, specify port 80.


      a. To create the IBM Content Navigator junction, run the following command:


      pdadmin>server task default-webseald-TAM_Server create -t tcp -h IBM_Content_Navigator_host_name -p port_number -c iv_creds,iv_user,iv_user_l -b supply -x /navigator


      For example:
      pdadmin>server task default-webseald-abc.net.com create -t tcp -h xyz.net.com -p 9080 -c iv_creds,iv_user,iv_user_l -b supply -x /navigator


      b. To create the integrated help system junction, run the following command:


      pdadmin>server task default-webseald-TAM_Server create -t tcp -h IBM_Content_Navigator_host_name -p port_number -x /wcdocs


      For example:
      pdadmin>server task default-webseald-abc.net.com create -t tcp -h xyz.net.com -p 9080 -x /wcdocs


  2. Run the IBM Content Navigator Configuration and Deployment Tool and create a new deployment profile for WebSphere Application Server.

    IBM Content Navigator, Version 2.0.0 and 2.0.1 users: When you complete the Connect to WebSphere Application Server task, ensure that you select the Configure IBM Content Navigator for SSO (P8 only) option.
  3. Run all of the configuration and deployment tasks that apply to your system. For more information, see Configuring and deploying IBM Content Navigator (http://www.ibm.com/support/knowledgecenter/SSEUEX_2.0.3/com.ibm.installingeuc.doc/eucde000.htm).

    IBM Content Navigator, Version 2.0.2 and 2.0.3 users: When you run the Configure the IBM Content Navigator Web Application task, ensure that you select Application server authentication for the IBM Content Navigator authentication option.
  4. Optional. WebSEAL has an option to help protect against cross-site scripting, which is a common security problem for web servers. To enable this option, add the HTTPOnly attribute to the Session and Failover Set-Cookie headers and change the value of use-http-only-cookies in the server stanza of the WebSEAL configuration file to yes. The WebSEAL default value is use-http-only-cookies=no.
  5. Restart the application server where IBM Content Navigator is deployed. Restart the WebSEAL server instance.
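
The check behind optional step 4, as an added example that is not part of the IBM document: it reads the effective use-http-only-cookies value from the [server] stanza of a WebSEAL configuration file and lists cookies in captured Set-Cookie headers that lack HttpOnly. The sample configuration, the placeholder cookie names, and the last-occurrence-wins handling of duplicate keys are assumptions.

```python
import re

# Constructed sample of a WebSEAL configuration file; not taken from a real server.
SAMPLE_CONF = """\
[server]
# use-http-only-cookies = yes   (commented out, so it has no effect)
https = yes
use-http-only-cookies = no

[session]
# Constructed mistake: the key below sits in the wrong stanza.
use-http-only-cookies = yes
"""

# Constructed Set-Cookie headers; the cookie names are placeholders, not WebSEAL's own.
SAMPLE_HEADERS = [
    "SESSION_COOKIE=abc123; Path=/; Secure",
    "FAILOVER_COOKIE=def456; Path=/; Secure; HttpOnly",
]

def http_only_setting(conf_text, stanza="server", key="use-http-only-cookies"):
    """Return the effective value of key in [stanza]; 'no' (the default) if absent."""
    current, value = None, "no"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
        elif current == stanza and "=" in line:
            name, _, val = line.partition("=")
            if name.strip() == key:       # exact match: a misspelled key is ignored
                value = val.strip().lower()  # assumption: last occurrence wins
    return value

def cookies_missing_httponly(set_cookie_headers):
    """Return the names of cookies whose Set-Cookie header lacks HttpOnly."""
    missing = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        if not any(p.lower() == "httponly" for p in parts[1:]):
            missing.append(parts[0].split("=", 1)[0])
    return missing

if __name__ == "__main__":
    print("use-http-only-cookies in [server]:", http_only_setting(SAMPLE_CONF))
    print("cookies without HttpOnly:", cookies_missing_httponly(SAMPLE_HEADERS))
```

Run it against the configuration file before and after the restart in step 5; a key that is misspelled or placed outside the [server] stanza reports the default value no.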

Step 3 - Verify your deployment of IBM Content Navigator with Tivoli Access Manager

To verify the deployment:


  1. In a web browser, enter a URL with the following format:

    http://TAM_Server/context_root

    The default context root is navigator. For example, http://TAM_server_name/navigator

    Important: You must provide the Tivoli Access Manager credentials to access the link.
    Note: Logging in to IBM Content Navigator repositories from the admin desktop is manual; SSO does not log you in to the repositories automatically.

Troubleshooting your deployment



You might encounter one or more problems when you try to access IBM Content Navigator in a Tivoli Access Manager SSO environment.

You cannot connect to IBM Content Navigator
If the following setting is not present, you will see the session expired dialog while working with Workplace XT workflows, and you need to sign in again.

To prevent session timeouts:
  1. In your WebSphere Application Server administrative console, select Applications > Application Types > WebSphere enterprise applications.
  2. Select the IBM Content Navigator application that you are trying to access.
  3. Under Web Module Properties, select Session management.
  4. Edit the following general properties:
    • Select Override session management.
    • Select Enable cookies.
  5. Click Enable cookies and specify a different name in the Cookie name field. For example, enter ICNJSESSIONID.
  6. Click OK and save your changes to the master configuration.
  7. Restart the web application server to apply your changes.


Document Information

Modified date: 17 June 2018

UID: swg27027367