RSA ClearTrust Ready Implementation Guide for Portal Servers and Web-Based Applications

Last Modified March 15, 2005

1. Partner Information

Partner Name: IBM Corporation
Web Site: www.ibm.com
Product Name: IBM Lotus Team Workplace
Version & Platform: 6.5.1, Windows 2003 Enterprise
Product Description: IBM Lotus Team Workplace (QuickPlace) is a business-ready, self-service work space expressly designed for team collaboration.
Product Category:
3. Solution Summary

Feature: Details
Use UserID for SSO: Yes
Use UserID for Personalization: Yes
Recognize Authentication Type: No
API-level Authorization Support (RuntimeAPI): No
User Management (AdminAPI): No

4. Integration Overview

To achieve single-sign-on with Lotus Team Workplace, the RSA ClearTrust Agent for Domino is installed on the Domino server. The agent is then configured to protect all Team Workplace pages, as well as any other desired pages.
5. Product Requirements

Hardware requirements

Component Name: Lotus Domino
Memory: 256Mb
Hard Drive: 1Gb (1.5Gb recommended)

Software requirements

Component Name: Lotus Domino
Operating System: Version (Patch-level)
AIX: 5.1, 5.2
OS/400: V5R1, V5R2, i5OS V5R3
Windows 2000: Server, Advanced Server
Windows 2003: Server, Enterprise
Solaris: 8, 9
Red Hat Enterprise Linux: 2.1

Component Name: Lotus Team Workplace
Operating System: AIX, OS/400, Windows 2000, Windows 2003, Solaris
Version (Patch-level): 5.1, 5.
6. Product Configuration

This section provides instructions for integrating the partners’ product with RSA ClearTrust. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of the two products to perform the tasks outlined in this section and access to the documentation for both in order to install the required software components.
Also, be sure to select the Web Browsers (HTTP services) option, since it is not selected by default. After this configuration process ends, start your Domino server, and ensure that it starts up correctly. You should also use the admin.id file created above to enable you to administer the server from a Domino Administrator.
Installation & Configuration of the RSA ClearTrust Agent for Domino

Prior to beginning installation of the RSA ClearTrust Agent, stop the Domino server. Then, start the agent setup program. Ensure that the agent detects the correct installation directory for Domino. Make sure that the SSL settings entered in this process match the settings in your RSA ClearTrust servers’ configuration files. For more information, consult the RSA ClearTrust Agent for Domino’s Installation & Configuration Guide.
Disable ClearTrust DSAPI Filter

Note: There is a known issue with authenticating via the QuickPlaceLoginForm while the agent is installed. While using RSA ClearTrust Agent v4.6 for Domino, authenticating a user via QuickPlaceLoginForm may cause the Domino server to exit. See Known Issues for more information.

Because of this issue, disable the RSA ClearTrust DSAPI filter for further configuration (it will be re-enabled later).
Enable Domino SSO

Once the server restarts, start configuring the LTWP installation.

• Create a Web SSO Configuration document, or add the LTWP server onto an existing one. When creating the SSO document, this guide used a Domino SSO Key.
• Create a mapping form to map authentication to the QuickPlaceLoginForm.
• Restart the server.

1. Use the Domino Administrator and open the hub server:
   a. Select the Configuration tab.
   b. In the navigation pane, choose Server.
   c.
2. In the SSO Configuration document, make the following entries:
   a. Select LtpaToken.
   b. Leave the Organization field empty.
   c. Select and add all of the servers from the directory to the Domino Server Names field (this uses the proper hierarchical name for each server).
   d. Enter the Internet domain that all of your servers share (you should precede this name with a leading period; Domino 6 will insert it when the document is saved if you forget).
   e.
3. Open each Server document and make the following changes to the Internet Protocols Domino Web Engine tab:
   a. Session authentication: Multiple Servers (SSO)
   b. Web SSO Configuration: LtpaToken
   c. Then click Save and Close.
4. Open domcfg.nsf. If domcfg.nsf does not exist, you will need to create it. See the Domino documentation for information on how to do this.
5. Create a mapping form to map authentication to the QuickPlaceLoginForm.
   a. Applies To: All Web Sites/Entire Server
   b. Target Database: QuickPlace/resources.nsf
   c. Target Form: QuickPlaceLoginForm
   d. Then click Save and Close.
6. Open the notes.ini file located in the Domino install directory and add the following parameter:
   QuickPlaceUseDSAPIDNs=1
7. Restart both servers.
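The shared Internet domain entered in step 2d and the notes.ini parameter added in step 6 can both be checked mechanically before the restart. The following Python sketch is an added example, not part of the RSA guide or of either product; the host names, the domain and the notes.ini text are constructed samples, and comparing parameter names case-insensitively is an assumption.

```python
# Added example: preflight checks for steps 2d and 6 of the procedure above.
# Host names, the SSO domain and the notes.ini text are constructed samples.

def check_sso_domain(sso_domain, hostnames):
    """Return a list of problems with the Web SSO 'Internet domain' value."""
    problems = []
    domain = sso_domain.strip().lower()
    if not domain.startswith("."):
        problems.append("domain has no leading period (Domino 6 adds it on save)")
        domain = "." + domain
    labels = [part for part in domain.split(".") if part]
    if len(labels) < 2:
        problems.append("domain %r is too broad for an SSO token" % domain)
    for host in hostnames:
        h = host.strip().lower().rstrip(".")
        # A browser only returns the LtpaToken cookie to hosts inside the domain.
        if h != domain[1:] and not h.endswith(domain):
            problems.append("host %r is outside %r" % (h, domain))
    return problems


def check_notes_ini(text, key="QuickPlaceUseDSAPIDNs", expected="1"):
    """Return a list of problems with the notes.ini parameter from step 6."""
    values = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Assumption: parameter names are compared case-insensitively.
        if name.strip().lower() == key.lower():
            values.append(value.strip())
    if not values:
        return ["%s is not set" % key]
    problems = []
    if len(values) > 1:
        problems.append("%s is set %d times" % (key, len(values)))
    if any(v != expected for v in values):
        problems.append("%s has value(s) %r, expected %r" % (key, values, expected))
    return problems


SAMPLE_INI = "[Notes]\nKitType=2\nQuickPlaceUseDSAPIDNs=1\n"  # constructed sample

if __name__ == "__main__":
    print(check_sso_domain(".example.com", ["ltwp.example.com", "mail.example.org"]))
    print(check_notes_ini(SAMPLE_INI))
```

An empty list from both functions means the values are consistent with steps 2d and 6; each string in a non-empty list names one setting to correct.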
Point Team Workplace at Domino User Store

Open the LTWP home page in a browser, and log in as the LTWP administrator created during installation. Under Server Settings, select User Directory, then Change Directory. Select Domino Server as the type, and point it at your Domino server. Then, select the option to disallow new users. Save your changes, and log out of LTWP. This is necessary so LTWP will pick up the Domino users. By default, LTWP uses Cloudscape as its user repository.
Cleaning Up

Now, re-insert the ClearTrust DSAPI filter in the server document. Then, restart the server one last time.

Note: The RSA ClearTrust DSAPI filter should be the last filter in the list. Authentication will not behave correctly otherwise.

Testing the Setup

When Domino starts, you should be able to see startup notices for LTWP and RSA ClearTrust DSAPI filters. Note that the LTWP message will show up as QuickPlace.
From a new browser, browse to http://servername.domainname. You should see the Domino homepage. Then go to /homepage.nsf, which should show you the same page, after authentication via RSA ClearTrust. When you navigate from there to the QuickPlace home page (/QuickPlace), you can see that you are automatically recognized by the RSA ClearTrust agent.
As a last check, navigate to the web administration database (/webadmin.nsf). You will notice that even though the web admin database is protected by Domino, and not by RSA ClearTrust, the Domino agent supplies the credentials to Domino’s native authentication, and the user is recognized from their RSA ClearTrust SSO cookie.
7. Certification Checklist for Portal Servers and Web-Based Apps

Date Tested: February 7, 2005

Product Tested: Version
RSA ClearTrust: 5.5.2, 5.5.3
Team Workplace: 6.5.1
Domino: 6.5.1IF1, 6.5.2, 6.5.3
ClearTrust Agent for Domino: 4.
8. Known Issues

Authentication Via QuickPlaceLoginForm May Cause Domino Server Exit

While using RSA ClearTrust Agent v4.6 for Domino, authenticating a user via QuickPlaceLoginForm when the ClearTrust DSAPI filter is in place may cause the Domino server to exit. There is a fix available for this behavior from RSA technical support. To acquire this, ask for RSA ClearTrust Agent Hotfix 4.6.0.17.