RSA ClearTrust Ready Implementation Guide for Portal Servers and
2. Contact Information
Page: 1
3. Solution Summary
4. Integration Overview
To achieve
5. Product Requirements
Hardware requirements
Software requirements
Component Name: Lotus Domino
Component Name: Lotus Team Workplace
Component Name: RSA ClearTrust Agent for Domino
6. Product Configuration
This section provides instructions for integrating the partner's product with RSA ClearTrust. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has working knowledge of both products, sufficient to perform the tasks outlined in this section, and access to the documentation for both in order to install the required software components. All products/components, including the ClearTrust servers and Entitlements Manager, must be installed and working before this integration is attempted. Perform the necessary tests to confirm this before proceeding.
In order to achieve this integration, the following steps are necessary:
• Install & Configure Domino Server
• Install & Configure RSA ClearTrust Agent for Domino
• Install & Configure Lotus Team Workplace
Installation & Configuration of the Domino Server
Using the Domino 6.5.1 installation media, start the setup program. During the setup process, customize as necessary for your requirements, but be sure to choose to install the Domain Enterprise Server.
After the installation of the base server, install Interim FixPack 1. Lotus Team Workplace (LTWP) requires Domino 6.5.1 IF1. Also, if you do not already have a Domino Administrator client installed, you should install one at this time.
Configuration
Once the basic server and IF1 are installed, start the Domino server. When you start it for the first time, you will be prompted to configure the server. Unless you have a
During the setup process, if you save an external copy of the administrator's id file, it will be easier to find from the client.
Also, be sure to select the Web Browsers (HTTP services) option, since it is not selected by default.
After this configuration process ends, start your Domino server, and ensure that it starts up correctly. You should also use the admin.id file created above to enable you to administer the server from a Domino Administrator.
Installation & Configuration of the RSA ClearTrust Agent for Domino
Prior to beginning installation of the RSA ClearTrust Agent, stop the Domino server. Then, start the agent setup program. Ensure that the agent detects the correct installation directory for Domino.
Make sure that the SSL settings entered in this process match the settings in your RSA ClearTrust servers' configuration files. For more information, consult the RSA ClearTrust Agent for Domino's Installation & Configuration Guide.
During the installation procedure you will be prompted for the address of a Dispatcher server and an Entitlements server. The Dispatcher's address is required; the Entitlements server's address is required only if the agent is not connected to a Dispatcher server.
Remember the web server name you enter during the setup, as you will need to enter the exact same name into the Entitlements manager.
Installation & Configuration of Lotus Team Workplace
To begin installation, stop the Domino server, and then run the LTWP setup program. Ensure that it detects the correct Domino installation directory. After the installation concludes, a setup program will run. During the configuration, you will be asked for credentials for an administration account.
Note: Ensure that this user name is unique among user names from any LDAP stores you will attach LTWP to. LTWP authenticates to a separate data store by default, and will not be able to distinguish between users if there is overlap.
Once LTWP is installed and configured, restart Domino, and ensure that it starts successfully. Next, Domino must be configured for
Disable ClearTrust DSAPI Filter
Note: There is a known issue with authenticating via the QuickPlaceLoginForm while the agent is installed. While using RSA ClearTrust Agent v4.6 for Domino, authenticating a user via QuickPlaceLoginForm may cause the Domino server to exit. See Known Issues for more information.
Because of this issue, disable the RSA ClearTrust DSAPI filter for further configuration (it will be re-enabled later). To do this, start the Domino Administrator, and open up the server document for the server you created for LTWP. Under Internet Protocols, on the HTTP tab, you will see the DSAPI section halfway down on the right hand side of the document. Remove the ct_domino65_agent.dll entry, but make note of it, as you will replace it later. Then restart the Domino server.
Enable Domino SSO
Once the server restarts, start configuring the LTWP installation.
• Create a Web SSO Configuration document, or add the LTWP server onto an existing one. When creating the SSO document, this guide used a Domino SSO Key.
• Create a mapping form to map authentication to the QuickPlaceLoginForm.
• Restart the server.
1. Use the Domino Administrator and open the hub server:
a. Select the Configuration tab.
b. In the navigation pane, choose Server.
c. Click the Web button, and select Create Web SSO Configuration.
Note: If you have a mixed R5/D6 environment, you will need to use the Create Web R5 (SSO configuration) button found in the action bar of Server documents. If you have a pure D6 environment, you can use the method outlined here or use Internet Site documents. For more information, see the IBM Redbook.
2. In the SSO Configuration document, make the following entries:
a. Select LtpaToken.
b. Leave the Organization field empty.
c. Select and add all of the servers from the directory to the Domino Server Names field (this uses the proper hierarchical name for each server).
d. Enter the Internet domain that all of your servers share (you should precede this name with a leading period; Domino 6 will insert it when the document is saved if you forget).
e. Select Keys from the action bar and click Create Domino SSO Key. You will receive a confirmation when it has been successfully created.
f. Save and close the Web SSO document.
Note: The Web SSO document is automatically encrypted with the ID of the user who created it. If another administrator subsequently needs to edit the document, that administrator will receive a warning about the document being encrypted and will not be able to edit it.
If this happens, delete the document and create a new one so that you can add all the servers to the document.
3. Open each Server document and make the following changes to the Internet Protocols - Domino Web Engine tab:
a. Session authentication: Multiple Servers (SSO)
b. Web SSO Configuration: LtpaToken.
c. Then click Save and Close.
4. Open domcfg.nsf. If domcfg.nsf does not exist you will need to create it. See the Domino documentation for information on how to do this.
5. Create a mapping form to map authentication to the QuickPlaceLoginForm.
a. Applies To: All Web Sites/Entire Server
b. Target Database: QuickPlace/resources.nsf
c. Target Form: QuickPlaceLoginForm
d. Then click Save and Close.
6. Open the notes.ini file located in the Domino install directory and add the following parameter: QuickPlaceUseDSAPIDNs=1
7. Restart both servers.
Point Team Workplace at Domino User Store
Open the LTWP home page in a browser, and log in as the LTWP administrator created during installation. Under Server Settings, select User Directory, then Change Directory. Select Domino Server as the type, and point it at your Domino server. Then select the option to disallow new users. Save your changes, and log out of LTWP. This is necessary so that LTWP will pick up the Domino users.
By default, LTWP uses Cloudscape as its user repository. To ease the SSO process, it should be using only Domino users. By pointing LTWP at Domino, and not allowing new user creation, the only user in Cloudscape will be the LTWP administrator created during installation. The RSA ClearTrust repository, for the purposes of this implementation guide, will be kept separate from the Domino user repository, so those two will need to be separately synchronized.
Log back into LTWP as the LTWP administrator. This time, select Security under Server Settings. In the administrator section, click Add, and add a Domino user as LTWP administrator.
Cleaning Up
Now,
Note: The RSA ClearTrust DSAPI filter should be the last filter in the list. Authentication will not behave correctly otherwise.
Testing the Setup
When Domino starts, you should be able to see startup notices for the LTWP and RSA ClearTrust DSAPI filters. Note that the LTWP message will show up as QuickPlace.
Using the RSA ClearTrust Entitlements Manager, create entries for the Domino server, and a sample Domino user. Then define resources for /homepage.nsf, and /QuickPlace on that server, and entitlements for your sample user. Remember that in Domino, you must protect the database and views separately (e.g. /abc, and /abc/*). Finally, add entitlements for the sample user for the Domino server resources.
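The database-and-views rule above, as an added example that is not part of the RSA guide: a small Python audit that models the resource entries defined in the Entitlements Manager with simplified matching semantics (an assumption; the matcher built into ClearTrust is not described on this page) and reports which request paths from a constructed sample are left unprotected when the /abc/* entries are missing.

```python
"""Added example (not from the RSA guide): audit RSA ClearTrust resource coverage
for a Domino server. Assumption: an entry "/abc" matches only that path and
"/abc/*" matches everything beneath it, as the guide's "/abc, and /abc/*" implies."""
from urllib.parse import urlsplit

# Resource entries as the guide says to define them for the Domino server.
RESOURCES = ["/homepage.nsf", "/homepage.nsf/*", "/QuickPlace", "/QuickPlace/*"]

def normalize(url):
    """Reduce a request URL to its path: drop query/fragment and a trailing '/'."""
    path = urlsplit(url).path or "/"
    return path.rstrip("/") or "/"

def covered_by(url, resources):
    """Return the resource entry protecting `url`, or None if nothing matches."""
    path = normalize(url)
    for res in resources:
        if res.endswith("/*"):
            if path.startswith(res[:-2] + "/"):  # wildcard: views, pages, sub-paths
                return res
        elif path == res:                        # exact: the database itself
            return res
    return None

def unprotected(urls, resources):
    """Distinct normalized paths, in first-seen order, that no entry covers."""
    seen, gaps = set(), []
    for url in urls:
        path = normalize(url)
        if path not in seen and covered_by(path, resources) is None:
            seen.add(path)
            gaps.append(path)
    return gaps

# Constructed sample of request paths in the shape of Domino HTTP log entries;
# not taken from a real server.
SAMPLE_REQUESTS = [
    "/homepage.nsf",
    "/homepage.nsf/ByTopic?OpenView",
    "/QuickPlace/team1/Main.nsf/h_Toc",
    "/names.nsf/People?OpenView",
    "/webadmin.nsf",
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(f"{url:40} -> {covered_by(url, RESOURCES) or 'NOT PROTECTED'}")
    # Omitting the "/*" entries leaves every view of homepage.nsf exposed.
    print("gaps without wildcards:", unprotected(SAMPLE_REQUESTS, RESOURCES[::2]))
```

Feeding it the paths from your own Domino HTTP access log instead of SAMPLE_REQUESTS gives a quick list of URLs that fall outside the resources you defined.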
From a new browser, browse to http://servername.domainname. You should see the Domino homepage. Then go to /homepage.nsf, which should show you the same page, after authentication via RSA ClearTrust.
When you navigate from there to the QuickPlace home page (/QuickPlace), you can see that you are automatically recognized by the RSA ClearTrust agent.
As a last check, navigate to the web administration database (/webadmin.nsf). You will notice that even though the web admin database is protected by Domino, and not by RSA ClearTrust, the Domino agent supplies the credentials to Domino's native authentication, and the user is recognized from his RSA ClearTrust SSO cookie.
7. Certification Checklist for Portal Servers and
Product Characteristics for SSO Support
Application/Portal is: P
Application/Portal runs on Web Server Platform supported by RSA ClearTrust: P
Application/Portal login interface can be modified or replaced: P
Application/Portal can extract user information from RSA ClearTrust session cookie: P
Application/Portal can extract user information from HTTP Headers: N/A
Application/Portal can extract authentication type from RSA ClearTrust session cookie: N/A
Application/Portal can extract authentication type from HTTP Headers: N/A
Application/Portal can perform SSO with other RSA: P
Login - General
HTTP basic authentication: P
Forms based: P
Forms based w/ URI retention: P
Login - Basic Authentication
Access Denied for unauthorized user: P
Successful login for authorized user: P
Successful recognition of identity/personalization in 3rd Party Product: P
Successful recognition of identity/personalization after SSO with other RSA ClearTrust-supported Web Server: P
Login
Access Denied for unauthorized user: N/A
Successful login for authorized user: N/A
Successful recognition of identity/personalization in 3rd Party Product: N/A
Successful recognition of identity/personalization after SSO with other RSA ClearTrust-supported Web Server: N/A
8. Known Issues
Authentication Via QuickPlaceLoginForm May Cause Domino Server Exit
While using RSA ClearTrust Agent v4.6 for Domino, authenticating a user via QuickPlaceLoginForm when the ClearTrust DSAPI filter is in place may cause the Domino server to exit. There is a fix available for this behavior from RSA technical support. To acquire this, ask for RSA ClearTrust Agent Hotfix 4.6.0.17.
This issue can also be worked around by deleting the login mapping created in the Web Configuration Database, and protecting the Team Workplace resources with ClearTrust.