ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What you NEED to know!



Jay Boyd | Lotus Connections Team Lead | IBM
Luis Benitez | Social Software Product Manager | IBM

Who we are

Tweet Away

Agenda

Options for Securing Lotus Connections

SSO

New User Life Cycle Options in 3.0

Q&A

Not ideal security...

Photo credit: http://www.flickr.com/photos/fboyd/2494909325/

Securing Lotus Connections

Lotus Connections has tons of security options:

Virus Scanning

SSL (even forced!)

Forced Authentication

Filtering active content

MIME control

and...

Photo credit: http://www.flickr.com/photos/juanpol/2704542/

Lotus Connections supports the Internet Content Adaptation Protocol (ICAP), and its applications use this protocol to hand uploaded content to virus detection products. Ensure that the virus detection product used in your enterprise supports ICAP 1.0. Lotus Connections is certified to work with Symantec AntiVirus Scan Engine 5.1 and the McAfee Web Security Appliance (3400 and 3300).

Lotus Connections provides security measures, such as an active content filter and content upload limits, that you can use to mitigate the risk of malicious attacks. Because these security measures can also limit the flexibility of the applications, you, as the system administrator, must evaluate the security of your network and determine whether or not you need to implement them.

Any software that displays user-authored content can be vulnerable to cross-site scripting (XSS) attacks. Attackers can introduce JavaScript into their content that can, among other things, steal a user's session. Session stealing in a single sign-on (SSO) environment poses particular challenges: the stolen token (the LTPA cookie) is accepted by every server in the SSO domain, so an XSS flaw in any one application can render the entire single sign-on domain vulnerable. Keep the active content filter enabled, and keep the session cookie out of script's reach (HttpOnly) wherever the application server supports it.

Agenda

Options for Securing Lotus Connections

SSO

New User Life Cycle Options in 3.0

Q&A

Single Sign On

My favorite

Improves usability

Great for adoption

Photo credit: http://commons.wikimedia.org/wiki/File:Single_sign_on_aproaches.png

What's supported

SSO with Domino apps (of course!)

with WebSphere apps (any doubt?)

with Quickr J/D (go go Gadget docs)

with Sametime (duh!)

via Tivoli Access Manager 6.1.1

via CA's Siteminder 6.0

via SPNEGO

Portlets are an exception :(

SPNEGO = Simple and Protected GSSAPI Negotiation Mechanism

Portlets don't support SSO via TAM, SiteMinder or SPNEGO; they require LTPA

Single Sign On: Connections 3.0 Options

SSO allows a user to authenticate once and then use other systems that are within the same authentication configuration without providing userid/password authentication subsequent times.

LTPA (WebSphere default)

SPNEGO

TAM (Form Based Auth, Transparent Junctions, LTPA)

SiteMinder (FBA, ASA/WebAgent)

TAM/SPNEGO

Except with LTPA, authentication is forced: there is no anonymous access

Cookies are key with most SSO options
(these are not your mother's Cookies)

Cookies: textual information consisting of Name/Value pairs

Usually used to provide State in an otherwise Stateless protocol (HTTP)

Domain and Path determine when Cookies are included with an HTTP Request

SPNEGO uses Security tokens in the HTTP Header with every request

Single Sign On: LTPA

Lightweight Third-Party Authentication

IBM proprietary; supported by IBM products such as WebSphere and Domino

Represented as cookies called LtpaToken (older format, not on by default in WAS 7; Domino requires version 1) or LtpaToken2; the value is encrypted and contains:

User ID

Authentication Realm

Authentication Expiration Time

Important to enable both token formats (WebSphere's LTPA interoperability mode) if integrating with Domino and Portal

Single Sign On: Keys to successful LTPA Configuration

All participating servers:

Same Authentication Realm (correlates to the cookie domain)

Synchronized system time (the token carries an expiration time; clock skew between servers makes valid tokens look expired)

Identical LDAP configuration (WAS Federated Repository)

Share the same LTPA keys

Servers should use FQDNs: ipconfig /all, or hostname / domainname, should show the FQDN

Single Sign On: Troubleshooting LTPA

Verify SSO Domain name

Verify Servers are within the same domain (or a subdomain)

Verify Servers imported the same LTPA Key

Single Sign On: Troubleshooting LTPA

Ensure the authentication (LTPA timeout) expiration is consistent across servers

Ensure automatic LTPA key generation is off: a server that regenerates its keys stops accepting tokens minted by the others, and vice versa
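The domain and FQDN checks above can be scripted. The following Python is an added example, not code from the slides or from IBM: it applies the browser's cookie domain-matching rule (RFC 6265) to the WebSphere SSO "Domain name" setting and a list of participating servers, flags hosts that will never receive the LtpaToken2 cookie, and audits a Set-Cookie header for scope and for the Secure/HttpOnly flags that limit token theft over plain HTTP or via XSS. The host names and the Set-Cookie value are constructed for illustration; the assumption that the SSO domain setting may list several domains separated by ';' follows WebSphere's field format.

```python
import ipaddress
import re

# Hostname shape check: at least one dot and valid labels (assumption: plain ASCII names, no IDN)
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$",
    re.IGNORECASE,
)


def is_fqdn(host):
    """True when host looks fully qualified; short names such as 'domino' (and IP literals) fail."""
    return bool(_FQDN_RE.match(host.rstrip(".")))


def domain_matches(host, cookie_domain):
    """RFC 6265 domain matching: a cookie with Domain=cookie_domain is sent to host when
    host equals it or is a subdomain of it. IP literals never match a Domain attribute,
    which is one reason LTPA SSO does not work when servers are addressed by IP."""
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().strip().lstrip(".").rstrip(".")
    if not domain:
        return False
    if host == domain:
        return True
    if not host.endswith("." + domain):
        return False
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return True


def check_ltpa_sso_domain(sso_domain_setting, server_hosts):
    """Compare the WebSphere SSO domain name setting (one domain, or several separated
    by ';') with every server that must share the LTPA cookie.
    Returns {host: [problem, ...]}; key '*' reports a deployment-wide problem."""
    domains = [d.strip() for d in sso_domain_setting.split(";") if d.strip()]
    problems = {}
    matched = set()
    for host in server_hosts:
        issues = []
        if not is_fqdn(host):
            issues.append("not an FQDN")
        else:
            hits = [d for d in domains if domain_matches(host, d)]
            if hits:
                matched.add(hits[0].lower().strip().lstrip(".").rstrip("."))
            else:
                issues.append("outside SSO domain(s): " + ", ".join(domains))
        if issues:
            problems[host] = issues
    if len(matched) > 1:
        # A token is set for exactly one domain; servers in different domains never see each other's cookie
        problems["*"] = ["servers span more than one SSO domain (%s); a token set for one is not sent to the others"
                         % ", ".join(sorted(matched))]
    return problems


def audit_set_cookie(set_cookie_value, request_host):
    """Inspect one Set-Cookie header as the browser would: the domain the cookie is scoped to,
    whether the issuing host is inside it, and whether Secure/HttpOnly are present."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    domain = attrs.get("domain") or request_host   # no Domain attribute means a host-only cookie
    return {
        "name": name,
        "domain": domain,
        "host_in_domain": domain_matches(request_host, domain),
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
    }


if __name__ == "__main__":
    # Constructed deployment: one short host name and one server in a partner's domain
    print(check_ltpa_sso_domain(".renovations.example",
                                ["connections.renovations.example", "domino", "portal.partner.example"]))
    print(audit_set_cookie("LtpaToken2=abc123; Path=/; Domain=.renovations.example; HttpOnly",
                           "connections.renovations.example"))
```

Run it against the SSO domain value from the WebSphere admin console and the host names your servers actually report; any host listed in the result will not be sent the token, whatever the LTPA keys look like.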

Simple Connections Deployment

Connections Enterprise Deployment


Single Sign On: TAM

TAM 6.1.1

TAM Form Based Auth, Transparent Junctions, LTPA

Yes, the configuration is complex and there are a ton of security realms

Yes, the Delete Action must be configured

TAM acts as a Reverse Proxy; don't forget to enable dynamicHosts in LotusConnections-config.xml

Cookies: PD-H-SESSION-ID & PD-S-SESSION-ID

Single Sign On: TAM

TAM acts as a reverse proxy, only forwarding a request for protected URLs once the user is Authenticated.

Very specific configuration:

Form Based Authentication

Transparent Junction

LTPA authentication

Anonymous-access ACLs that pass every Atom URL pattern through unauthenticated, so Connections itself challenges feed clients

Test with a browser: feeds that require authentication should prompt for Basic Auth, never for TAM form authentication

** double check your configuration settings with the Connections 3 Documentation **

Take the LTPA key and its password from TAM, import them into WebSphere, and set the SSO domain name

Do not use TAM components as a caching proxy; the configuration complexity is very high

Lotus Connections only supports the WebSEAL transparent junction configuration

Configure TAM for URL rewriting in XML and JavaScript content

TAM configuration setting 'use-same-session = yes' is required

Single Sign On: SiteMinder

Single Sign On: SiteMinder

SiteMinder Policy Server 6.0 SP5, SiteMinder ASA 6.0 Agent for WebSphere Application Server (with CR00010 hotfix), and SiteMinder Web Agent v6qmr5-cr035

Yes, the configuration is complex and there are a lot of security realms

Protect Web Applications with FBA

Protect ATOM feeds with BA

Yes, the Delete Action must be configured

Cookies: SMSESSION

Watch for a Perl script to be posted that creates the realms

** double check your configuration settings with the Connections 3 Documentation **

Configuration is hard, we feel your pain :(

Single Sign On configuration is hard

Scripts are needed to automate configuration (Perl)

Detailed examples help (Prescriptive Deployment scenarios)

http://www-10.lotus.com/ldd/lcwiki.nsf/xpViewCategories.xsp?lookupName=Deployments

TAM and SiteMinder SSO Validation Wizard is available!

Single Sign On: SPNEGO

Single Sign On: SPNEGO

Simple and Protected GSSAPI Negotiation Mechanism

Generic Security Services Application Program Interface

Most notable implementations are Kerberos based

Used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports.

Most widely used in Microsoft's Integrated Windows Authentication:

Kerberos

NTLM

Single Sign On: SPNEGO

Client & Server perform negotiation, determining the preferred algorithm to use

On the 1st request the browser gets back a 401 whose WWW-Authenticate: Negotiate header invites it to negotiate; the browser answers with Authorization: Negotiate <token>

If capable, client and server agree on a mechanism (Kerberos when the browser holds a service ticket for the server's SPN, NTLM otherwise), and on every subsequent challenged request the client infrastructure generates a new security token that is included in the Authorization header

Single Sign On: Troubleshooting SPNEGO

Configuring SPNEGO can be difficult: install Connections first, verify it, then configure SPNEGO

Follow the base WebSphere documentation and use the standard snoop servlet to verify your configuration.

http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/rsec_SPNEGO_troubles.html

** double check your configuration settings with the Connections 3 Documentation **
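When SPNEGO fails, the most useful thing to look at is the Negotiate token the browser actually sent. The Python below is an added example (not IBM code and not from the slides) that decodes the Authorization: Negotiate header and tells a Kerberos token apart from an NTLM fallback by the mechanism OIDs and the NTLMSSP signature; the sample tokens are constructed ASN.1 shells, not real tickets or NTLM messages. The practical reading: an NTLM token means the browser could not obtain a Kerberos service ticket (typically a missing or duplicate SPN, clock skew, or the site not being treated as intranet by the browser), and WebSphere's SPNEGO support handles only the Kerberos mechanism, so that request will fail no matter how the server side is configured.

```python
import base64
import binascii

# DER-encoded OBJECT IDENTIFIER TLVs as they appear inside GSS-API / SPNEGO tokens
SPNEGO_OID = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2 (SPNEGO)
KRB5_OID = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2 (Kerberos V5)
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10 (NTLMSSP)
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                       # first 8 bytes of every NTLM message


def server_offers_negotiate(response_headers):
    """True when a 401 response carries the 'WWW-Authenticate: Negotiate' challenge that
    starts the SPNEGO exchange (response_headers: list of (name, value) tuples)."""
    return any(name.lower() == "www-authenticate" and value.strip().lower().startswith("negotiate")
               for name, value in response_headers)


def classify_negotiate_header(authorization_value):
    """Classify the token in 'Authorization: Negotiate <base64>'.

    Heuristic but reliable in practice: every NTLM message starts with the literal
    'NTLMSSP\\0' signature, and a Kerberos AP-REQ never contains it."""
    scheme, _, token_b64 = authorization_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        raw = base64.b64decode(token_b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if not raw:
        return "empty"
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "raw-ntlm"                      # NTLM message sent without any GSS wrapper
    if raw[:1] != b"\x60":
        return "unknown"                       # not a GSS-API InitialContextToken
    head = raw[:16]                            # 0x60, length (1-4 bytes), then the mechanism OID
    if SPNEGO_OID in head:
        if NTLMSSP_SIGNATURE in raw:
            return "spnego-ntlm"               # NegTokenInit whose mechToken is an NTLM message
        if KRB5_OID in raw or MS_KRB5_OID in raw:
            return "spnego-kerberos"
        return "spnego-unknown-mech"
    if KRB5_OID in head or MS_KRB5_OID in head:
        return "raw-kerberos"                  # Kerberos token sent without the SPNEGO wrapper
    return "unknown"


# --- constructed sample tokens: ASN.1 shells only, not real tickets or NTLM challenges ---

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def build_spnego_init(mech_oids, mech_token):
    """NegTokenInit ::= [0] SEQUENCE { mechTypes [0] SEQUENCE OF OID, mechToken [2] OCTET STRING },
    wrapped in the GSS-API InitialContextToken (0x60, length, SPNEGO OID, ...)."""
    mech_types = _tlv(0xA0, _tlv(0x30, b"".join(mech_oids)))
    token_field = _tlv(0xA2, _tlv(0x04, mech_token))
    neg_token_init = _tlv(0xA0, _tlv(0x30, mech_types + token_field))
    return _tlv(0x60, SPNEGO_OID + neg_token_init)


def _header(raw):
    return "Negotiate " + base64.b64encode(raw).decode("ascii")


# Browser holding a service ticket: Kerberos first in mechTypes, AP-REQ shell as mechToken
KERBEROS_SAMPLE = _header(build_spnego_init(
    [MS_KRB5_OID, KRB5_OID, NTLMSSP_OID],
    _tlv(0x60, KRB5_OID + b"\x01\x00" + b"<constructed AP-REQ body>")))
# Browser that could not get a ticket: NTLM is the only mechanism offered
NTLM_SAMPLE = _header(build_spnego_init(
    [NTLMSSP_OID], NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 28))
# NTLM NEGOTIATE_MESSAGE sent bare, as a client configured for 'NTLM' rather than 'Negotiate' does
RAW_NTLM_SAMPLE = _header(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 28)

if __name__ == "__main__":
    for sample in (KERBEROS_SAMPLE, NTLM_SAMPLE, RAW_NTLM_SAMPLE):
        print(classify_negotiate_header(sample))
```

Paste the Authorization header captured from the browser (Fiddler, a proxy, or the WebSphere SPNEGO trace) into classify_negotiate_header; a real Kerberos token is usually longer than 255 bytes, which is why its base64 form famously starts with "YII" while a bare NTLM message starts with "TlRMTVNT".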

Connections Server to Server Communication & SSO

Server to Server Communication:

Obtaining user information from Profiles (WPI)

Obtaining membership information from Communities (WCI)

Community Life Cycle

Search Indexing

All communication is authenticated and uses HTTP

Interservice URL vs Service URL

LotusConnections-config.xml: customAuth element specifies authentication type

Connections Server to Server Communication & SSO: Alternative Inter Service Configuration

SSO: LotusConnections-config.xml

Agenda

Options for Securing Lotus Connections

SSO

New User Life Cycle Options in 3.0

Q&A

Why we need this

Listened to many customers

Heard of situations where:

Maternity / Paternity Leave

Leave of Absence (Education, Military, etc)

Left the company

Etc

Why we need this (cont'd)

In 2.5, we had profile types

Required manual work via TDI

No need to re-invent the wheel!

Wanted to simplify this process for everyone

Photo credit: http://www.dehats.com/drupal/?q=node/69

Tivoli Directory Integrator: Keeping Profiles in Sync

TDI assembly line: connectors, flow controls, loops, branches

Supports two-way synchronization on LDAP attributes

Hooks enable scripting and customization

Use it for:

Initial population

Frequent updates

3.0 Introduces Inactive Users!!!

A TDI assembly line is made up of components (connectors, flow controls, loops, branches) that collect data from your source repositories and reformat it into the Profiles database.

Supports two-way synchronization on LDAP attributes.

Assembly line hooks are available for scripting and customization

TDI should be used to initially populate Profiles and then frequently used to keep it in sync

Connections release 3 allows you to mark a person as inactive when they aren't found in LDAP

Data Integrity: don't delete old data

If you delete a user, you lose authorship information and data consistency

Don't delete the data, let your TDI assembly line inactivate the user

Profiles Platform Commands

Drive administrative events from a single application

Provides a framework for future unified commands

User Life Cycle should be preceded by name synchronization in each application

Each application maintains its own user mapping table in the application database, and it needs to be synchronized with LDAP, inactivating users not found in LDAP

Inactivating clears the user's login IDs and email.

A frequent, periodic TDI sync can be created to automatically mark users inactive

Profiles propagates the command to inactivate a user across all components

Administrator can re-activate users

Initial Synchronization

wsadmin command session:

[root@tapstage bin]# ./wsadmin.sh -lang jython
wsadmin> execfile("activitiesAdmin.py")
Connecting to WebSphere:name=ActivitiesAdminService,type=LotusConnections, cell=tapstageCell01,

Synchronize users:

wsadmin> ActivitiesMemberService.syncAllMembersByExtId(...)
syncAllMembersByExtId request processed
wsadmin>

syncAllMembersByExtId() takes several parameters indicating how a mismatch can be resolved (either by a matching email address, by login id, or left for later manual resolution).

Check the logs....

Locate the log file on the node specified when you started the WSADMIN command

/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/clusterA_server1/ActivitiesUlcSyncCmd.log

Typical log messages about users that are not found and are Inactivated

[2010-12-21 07:34:32] CLFWY0261I: The synchronize command inactivated member Betsy Craig [current external id: b5bd83c0-8f09-1028-910f-db07163b51b2, application id 001G091E0E4B47BEF6967B3131AD59003CD0]

Resolving user mismatches

Mismatch: needs investigation

[2010-12-21 07:34:31] CLFWY0242W: The synchronize command found that active member Benjamin Button [current external id: LDAP_ID, application id LC_ID] could not be matched via external id, but could be matched via login or email to external id NEW_LDAP_ID. The member was not updated since this action was disabled by the command.

Review the information from HR systems about the user identified by external id NEW_LDAP_ID and determine if this entry matches Benjamin Button or if the person has left the company.

Resolving user mismatches (continued)

If the user has left, inactivate:

ActivitiesMemberService.inactivateMemberByExtId("LDAP_ID")

If the old and new ids reflect the same person, synchronize the user accounts:

ActivitiesMemberService.syncMemberByExtId("OLD_LDAP_ID", {"newExtId": "NEW_LDAP_ID"})

Good details here:

http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Synchronizing_user_data_using_administrative_commands_lc3

Use batch commands; external ids are consistent across all applications.

Investigate once, create batch script to update across all apps

Returning users can be re-linked with their old data:

ProfilesService.swapUserAccessByUserId("oldUserId", "newUserId")
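Turning the "investigate once, apply everywhere" advice into a batch is straightforward to script. The Python below is an added example, not part of the slides or of IBM's tooling: it parses the CLFWY0261I and CLFWY0242W records from an ActivitiesUlcSyncCmd.log (the two messages shown above are embedded as the sample input) and, given the decision reached for each mismatch, emits the wsadmin Jython commands that apply it. Only ActivitiesMemberService is confirmed by the slides; the other names in MEMBER_SERVICES are an assumption about which Connections 3.0 applications expose the same commands, so trim that tuple to your deployment and run each application's lines in a wsadmin session that has loaded that application's admin script. External ids are validated before being quoted into the generated script so that a crafted directory value cannot alter the commands.

```python
import re

# One record per line: "[timestamp] CLFWYnnnnX: message"
_RECORD_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<code>CLFWY\d{4}[IWE]):\s+(?P<msg>.*)$")
# CLFWY0261I: "... inactivated member NAME [current external id: EXT, application id APP]"
_INACTIVATED_RE = re.compile(
    r"inactivated member (?P<name>.+?) \[current external id: (?P<ext>[^,\]]+), application id (?P<app>[^\]]+)\]")
# CLFWY0242W: "... active member NAME [current external id: EXT, application id APP] ... to external id NEW_EXT."
_MISMATCH_RE = re.compile(
    r"active member (?P<name>.+?) \[current external id: (?P<ext>[^,\]]+), application id (?P<app>[^\]]+)\]"
    r".*?to external id (?P<new_ext>[^\s.]+)\.")

# Only ActivitiesMemberService is confirmed by the slides; the rest is an ASSUMPTION about which
# Connections 3.0 applications expose the same member commands. Trim to your deployment.
MEMBER_SERVICES = (
    "ActivitiesMemberService", "BlogsMemberService", "CommunitiesMemberService",
    "DogearMemberService", "FilesMemberService", "ForumsMemberService", "WikisMemberService",
)

# The two log lines shown in the slides, used here as sample input
SAMPLE_LOG = """\
[2010-12-21 07:34:31] CLFWY0242W: The synchronize command found that active member Benjamin Button [current external id: LDAP_ID, application id LC_ID] could not be matched via external id, but could be matched via login or email to external id NEW_LDAP_ID. The member was not updated since this action was disabled by the command.
[2010-12-21 07:34:32] CLFWY0261I: The synchronize command inactivated member Betsy Craig [current external id: b5bd83c0-8f09-1028-910f-db07163b51b2, application id 001G091E0E4B47BEF6967B3131AD59003CD0]
"""


def parse_ulc_sync_log(lines):
    """Return events as dicts: kind ('inactivated' | 'mismatch'), timestamp, name, ext, app, and
    new_ext for mismatches. Lines that are not ULC sync records are skipped."""
    events = []
    for line in lines:
        rec = _RECORD_RE.match(line.strip())
        if not rec:
            continue
        code, msg = rec.group("code"), rec.group("msg")
        if code == "CLFWY0261I":
            m = _INACTIVATED_RE.search(msg)
            if m:
                events.append(dict(kind="inactivated", timestamp=rec.group("ts"), **m.groupdict()))
        elif code == "CLFWY0242W":
            m = _MISMATCH_RE.search(msg)
            if m:
                events.append(dict(kind="mismatch", timestamp=rec.group("ts"), **m.groupdict()))
    return events


def summarize(events):
    """Counts per event kind, e.g. {'mismatch': 1, 'inactivated': 1}."""
    counts = {}
    for ev in events:
        counts[ev["kind"]] = counts.get(ev["kind"], 0) + 1
    return counts


_SAFE_ID_RE = re.compile(r"^[A-Za-z0-9_.@:\-]+$")


def _jy_str(value):
    """Quote a value for the generated Jython; refuse anything that could break out of the literal."""
    if not _SAFE_ID_RE.match(value):
        raise ValueError("unexpected characters in identifier, not embedding it: %r" % (value,))
    return '"%s"' % value


def build_wsadmin_batch(events, decisions, services=MEMBER_SERVICES):
    """Emit wsadmin (Jython) lines for every mismatch.

    decisions maps the current external id to 'left' (the person has gone: inactivate)
    or 'same' (old and new ids are the same person: re-link). Mismatches without a
    decision become comments, so nothing is applied before HR has confirmed."""
    lines = []
    for ev in events:
        if ev["kind"] != "mismatch":
            continue
        decision = decisions.get(ev["ext"])
        if decision is None:
            lines.append("# UNRESOLVED: %s (%s -> %s) still needs confirmation from HR"
                         % (ev["name"], ev["ext"], ev["new_ext"]))
        elif decision == "left":
            lines.extend("%s.inactivateMemberByExtId(%s)" % (svc, _jy_str(ev["ext"])) for svc in services)
        elif decision == "same":
            lines.extend('%s.syncMemberByExtId(%s, {"newExtId": %s})'
                         % (svc, _jy_str(ev["ext"]), _jy_str(ev["new_ext"])) for svc in services)
        else:
            raise ValueError("decision must be 'left' or 'same', got %r" % (decision,))
    return lines


if __name__ == "__main__":
    found = parse_ulc_sync_log(SAMPLE_LOG.splitlines())
    print(summarize(found))
    print("\n".join(build_wsadmin_batch(found, {"LDAP_ID": "same"})))
```

Feed it the real log with `parse_ulc_sync_log(open(path))`, record the HR outcome per external id in the decisions dict, and review the generated lines before pasting them into wsadmin; the unresolved comments are the list of people still to chase.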

Agenda

Options for Securing Lotus Connections

SSO

New User Life Cycle Options in 3.0

Q&A

Related Sessions

JMP205: IBM Lotus Connections 3.0 Administration Overview (Sunday, 1:30pm)

SHOW202: Enterprise 2.0 Hero: A Beginners Guide to Installing IBM Lotus Connections 3.0 (Monday, 4:30pm)

SHOW203: Lotus Connections 3.0 Enterprise Integration for Administrators (Sunday, 4:00pm)

BP105: Twelve MORE Things Your Mother Never Told You About Deploying IBM Lotus Connections 3.0 (Thursday, 10am)

BP114: IBM Lotus Connections Administration: From the Command Line to a Graphical UI (Tuesday, 4:45pm)

BP303: Social Comes to You: How to Bring IBM Lotus Connections to Your Application in Context! (Wednesday, 11:15am)

INV111: Making Decisions Collaboratively with Cognos Business Intelligence and IBM Lotus Connections (Tuesday, 10am)

AD303: Connecting Developers and Community with Rational Jazz and Lotus Connections (Tuesday, 1:30pm)

AD304: Customizing Lotus Connections 3.0 (Tuesday, 10am)

ID301: What's New in IBM Lotus Connections 3.0 (Monday, repeats on Tuesday, 11am)

ID302: Best Practices for a Happy and Healthy IBM Lotus Connections Deployment! (Tuesday, 1:30)

ID303: Exceptional Work Experience - Integrating and Extending Lotus Connections, WebSphere Portal, Lotus Quickr, Lotus Notes, Lotus Sametime and ECM (Monday, 11am)

ID305: Build Large-scale Performing Enterprise Solutions for IBM Lotus Connections (Tuesday, 4:45)

ID306: Compliance and Moderation with Lotus Connections 3.0 (Wednesday, 4:15)

References

V3 System Requirements: http://www-01.ibm.com/support/docview.wss?uid=swg27019882

V3 Single Sign On: http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Configuring_single_signon_lc3

All about security in v3: http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Security_lc3

Configuring Siteminder with Lotus Connections 3.0: http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Scenario_3_Setting_up_SiteMinder_Single_Sign-On_(SSO)_with_Lotus_Connections_3.0

Use caution with the version 2.5 guides: the concepts remain the same, but details may have changed in some cases.

Lotus Connections 2.5 and Kerberos/SPNEGO: http://www.ibm.com/developerworks/lotus/library/connections-kerberos/index.html

Configuring IBM TAM with Lotus Connections 2.5: http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Configuring_IBM_Tivoli_Access_Manager_SSO_for_IBM_Lotus_Connections_2.5

Lotus Connections 2.5 Security Guidelines: http://www-10.lotus.com/ldd/lcwiki.nsf/dx/IBM_Lotus_Connections_2.5_secure_configuration_guidelines

Legal Disclaimer

IBM Corporation 2011. All Rights Reserved.The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBMs current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBMs sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. IBM, the IBM logo, Lotus, Lotus Connections, Lotus Notes, Notes, Domino, Quickr, Sametime, WebSphere, UC2, PartnerWorld and Lotusphere are trademarks of International Business Machines Corporation in the United States, other countries, or both. Unyte is a trademark of WebDialogs, Inc., in the United States, other countries, or both.Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. 
in the United States, other countries, or both.Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Other company, product, or service names may be trademarks or service marks of others.All references to Renovations refer to a fictitious company and are used for illustration purposes only.


2011 IBM Corporation
