Table of Contents
1 Introduction
2 Configure SSO between WebSphere Portal and Lotus Domino
2.1 Export the LTPA key file from WebSphere Portal
2.2 Import the LTPA key file into Lotus Domino
2.3 Configure the Domino server to support multi-server SSO
2.4 Disable token regeneration (version 6.1.x)
2.5 Synchronize the directories
3 Testing SSO between WebSphere Portal and Lotus Domino
4 Conclusion
5 Resources
6 About the author
1 Introduction
If you have read the developerWorks white paper, Understanding single sign-on (SSO)
between IBM WebSphere Portal and IBM Lotus Domino, you should have a
good understanding of how SSO works between WebSphere Portal and Lotus Domino.
Now you are ready to configure SSO in your environment. This paper walks you through
the steps to do that and how to test that SSO is working correctly.
2 Configure SSO between WebSphere Portal and Lotus Domino
2.1 Export the LTPA key file from WebSphere Portal
3. Enter a password and a file path on the Portal server where the key file will be saved,
and then click the Export keys button. The password encrypts the key material inside
the file, and whoever holds the keys can mint tokens that both servers accept, so choose
a strong password and delete the file from every machine once the import is done.
NOTE: DO NOT click the Generate keys button near the top of the page. Doing so replaces
the keys WebSphere Portal is currently using, so a key file exported beforehand no longer
matches the running server and SSO will fail.
If you clicked Generate keys, restart WebSphere Portal and server1, then come back
to this page and export the key file to ensure the key file you are exporting is the
At this point you are ready to import the key file into Lotus Domino; skip to the next
section for those details.
Figure 3. Security Configuration page showing password Export keys (for 6.0)
6. You should see a message that the keys were exported successfully; click the Save
link to save this to the master configuration (see figure 4).
Figure 4. Save to master configuration
2.2 Import the LTPA key file into Lotus Domino
1. Copy the LTPA key file (c:\ltpakey.file) from the Portal server to the Lotus Notes
Administration client machine.
NOTE: If you're moving the file from a UNIX to a Microsoft Windows machine
via ftp, make sure to use ASCII mode to transfer the file.
2. Open Domino Administrator and select File > Lotus Notes Application > Open.
3. In the Look in field, choose the primary Domino server; in the File name field, enter
names.nsf and click Open (see figure 5)
Figure 5. Open names.nsf
4. Under Configuration Servers, select All Server Documents (see figure 6).
Figure 6. Navigate to All Server Documents
6. Fill in the fields in the Web SSO document for your environment (see figure 8):
Configuration Name: The name you want to call the document (LtpaToken is the
default).
DNS Domain: The DNS domain shared by the WebSphere Portal and Lotus Domino host
names. The LtpaToken cookie is issued for this domain, and the browser sends it only
to hosts within it, so both servers must be in it. For more information refer to
Section 2.2 in Understanding single sign-on (SSO) between IBM WebSphere Portal and
IBM Lotus Domino.
Domino Server Names: Set this to the server you want SSO to work with
WebSphere Portal (MAIL/IBM in our example).
Now that you have filled out the SSO Configuration doc, you must import the LTPA key
file, as follows:
1. Select Keys > Import WebSphere LTPA Keys, from the menu (see figure 9).
Figure 9. Import WebSphere LTPA Keys
2. Enter the location to which you copied the LTPA key file (c:\ltpakey.file in our
environment).
Figure 10. Enter Import File Name dialog
3. Enter the password; you should see the message: Successfully imported
WebSphere LTPA keys. This imports the key file into Lotus Domino and adds the
WebSphere Information section to the Web SSO Configuration doc (see figure 11).
Figure 11. Key file imported into Lotus Domino
NOTE: The most important part for SSO here is the LDAP Realm
(ldap.atlanta.ibm.com:389, in our example). The rule of thumb is:
If the LDAP Realm field is populated with a value, it is most likely correct, and you
should leave it.
If the LDAP Realm is populated with null, then the realm is one of two values,
depending on the version of WebSphere Portal:
Version 6.0: WMMRealm
Version 6.1: defaultWIMFileBasedRealm
Refer to Section 3.3.1 in Understanding single sign-on (SSO) between IBM
WebSphere Portal and IBM Lotus Domino for more details.
4. Click the Save and Close button at the top of the screen, to save the document.
5. Now, go to the Web > Web Configurations view of the Domino directory; you should
see the Web SSO document you just created (see figure 12).
Figure 12. Newly created Web SSO doc
Once you save and close the document, you are ready to enable multi-server Single
Sign-on on the Domino server.
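Before the key file leaves the Portal server it is worth checking it programmatically, because the two things that most often go wrong here (keys regenerated between exports, and a realm that does not match what Domino ends up with) are both visible in the file itself. The following Python script is an added example, not code from this paper or from IBM. It parses the file's Java properties layout, fingerprints the key material so two exports can be compared, and derives the value the Domino Web SSO document's LDAP Realm field must hold using the rule of thumb above. The embedded sample key file is constructed: the base64 blobs are filler bytes rather than real keys, and the host name and date are made up.

```python
"""Pre-import checks on an exported WebSphere LTPA key file (added example)."""
import base64
import hashlib
import re

# Constructed sample in the layout WebSphere writes. The base64 blobs are
# filler bytes, not real key material; host name and date are made up.
_FILLER = base64.b64encode(b"\x2a" * 24).decode()
SAMPLE_KEY_FILE = f"""\
#IBM WebSphere Application Server key file
#Tue Mar 03 10:15:22 EST 2009
com.ibm.websphere.CreationDate=Tue Mar 03 10\\:15\\:22 EST 2009
com.ibm.websphere.ltpa.version=1.0
com.ibm.websphere.ltpa.3DESKey={_FILLER}
com.ibm.websphere.CreationHost=portal.atlanta.ibm.com
com.ibm.websphere.ltpa.PrivateKey={_FILLER}
com.ibm.websphere.ltpa.Realm=defaultWIMFileBasedRealm
com.ibm.websphere.ltpa.PublicKey={_FILLER}
"""

KEY_PROPS = ("com.ibm.websphere.ltpa.3DESKey",
             "com.ibm.websphere.ltpa.PrivateKey",
             "com.ibm.websphere.ltpa.PublicKey")
REALM_PROP = "com.ibm.websphere.ltpa.Realm"
# Realm Domino falls back to when the file carries none (the paper's rule of thumb)
DEFAULT_REALM = {"6.0": "WMMRealm", "6.1": "defaultWIMFileBasedRealm"}

_PROP_RE = re.compile(r"((?:\\.|[^=:\\])+?)\s*[=:]\s*(.*)$")


def parse_ltpa_key_file(text):
    """Parse the Java .properties format: '#' comments, key=value, backslash escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _PROP_RE.match(line)
        if not m:
            continue
        key = re.sub(r"\\(.)", r"\1", m.group(1)).strip()
        value = re.sub(r"\\(.)", r"\1", m.group(2))
        props[key] = value
    return props


def check_key_file(props):
    """Return a list of problems; an empty list means the file is fit to import."""
    problems = []
    for k in KEY_PROPS:
        v = props.get(k)
        if not v:
            problems.append("missing " + k)
            continue
        try:
            base64.b64decode(v, validate=True)
        except ValueError:
            problems.append(k + " is not valid base64; re-copy the file (ASCII mode over ftp)")
    return problems


def key_fingerprint(props):
    """Short digest of the password-encrypted 3DES key; changes whenever keys are regenerated."""
    raw = base64.b64decode(props[KEY_PROPS[0]])
    return hashlib.sha256(raw).hexdigest()[:16]


def same_keys(props_a, props_b):
    """True when two exports carry the same keys, i.e. Generate keys was not clicked in between."""
    return (key_fingerprint(props_a) == key_fingerprint(props_b)
            and props_a.get(KEY_PROPS[2]) == props_b.get(KEY_PROPS[2]))


def expected_domino_ldap_realm(props, portal_version):
    """Value the Domino Web SSO document's LDAP Realm field should hold after import."""
    realm = props.get(REALM_PROP, "").strip()
    return realm or DEFAULT_REALM[portal_version]


def realm_matches(props, portal_version, domino_ldap_realm):
    """Exact comparison: a different host name or a missing :389 suffix breaks SSO."""
    return domino_ldap_realm.strip() == expected_domino_ldap_realm(props, portal_version)


if __name__ == "__main__":
    import sys
    # .properties files are ISO-8859-1 by definition
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_KEY_FILE
    p = parse_ltpa_key_file(text)
    print("problems:", check_key_file(p) or "none")
    print("key fingerprint:", key_fingerprint(p))
    for ver in DEFAULT_REALM:
        print(f"LDAP Realm to expect in Domino (Portal {ver}):", expected_domino_ldap_realm(p, ver))
```

Run it once against the file exported before the Domino import and again against a fresh export if you suspect someone clicked Generate keys; `same_keys` on the two parsed files tells you whether Domino's copy is still the one Portal is using.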
2.3 Configure the Domino server to support multi-server SSO
Now that the Web SSO document has been created, you need to tell the Domino server
to use this document. To do this, follow these steps:
1. Open Domino administrator and select File > Lotus Notes Application > Open.
2. In the Look in field, choose the primary Domino server; in the File name field, enter
names.nsf and click Open (recall figure 5).
3. Under Configuration > Servers, select All Server Documents (recall figure 6).
4. Double-click the server with which you want SSO to work (MAIL/IBM in our example).
5. In the Server document, select the Internet Protocols tab and then the Domino Web
Engine tab (see figure 13).
Figure 13. Domino Web Engine tab
2.4 Disable token regeneration (version 6.1.x)
4. Under Key generation, uncheck (deselect) the Automatically generate keys option
(see figure 16).
Figure 16.
5. Click OK, click Save, and log out of the WebSphere Administration Console.
The LTPA keys will no longer be regenerated automatically every ninety days, so the copy
imported into Domino stays valid. Key rotation is now a manual task: whenever you do
generate new keys, export them again and re-import the file into the Web SSO document of
every Domino server that participates, or SSO stops working.
2.5 Synchronize the directories
In our example the user exists in the Domino Directory as Dom User1/ibm and in the
corporate LDAP directory as the following record:
DN: uid=duser1,cn=users,dc=ibm,dc=com
cn: Domino User1
uid: duser1
mail: duser1@acme.com
The way to do this is by synchronizing the two directories. There are two options. You
can either add:
1. The user's corporate LDAP DN to the Domino Person document, or
2. The user's Domino DN to an attribute in the corporate LDAP directory.
The decision as to which is the better choice comes down to which administrator you
want to be synchronizing these directories:
If it is easier for the Domino administrator to update the Person documents, go with
option 1, add the corporate DN to the Domino Person document.
If it is easier for the corporate LDAP administrator to update the person records, go
with option 2, add the Domino DN to an attribute in the corporate LDAP directory.
If you have no preference as to which directory you synchronize, note that option 2 has
one advantage: if users will at times authenticate directly with both WebSphere Portal
and Lotus Domino, option 2 lets them always use the same name and password to sign in
to both servers.
If you go with option 1, you must also ensure that the log-in attribute and password
are kept synchronized between the two directories.
With option 2 the corporate LDAP record for the user gains the Domino DN:
DN: uid=duser1,cn=users,dc=ibm,dc=com
cn: Domino User1
uid: duser1
mail: duser1@acme.com
notesdn: CN=Dom User1,O=ibm
Again, notice that the LDAP format of the name (comma separated) is used here, not the
slash-separated Notes format.
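Doing this by hand for a handful of test users is fine; for a whole directory you want the change generated, with the Notes name converted to the comma-separated form mechanically so nobody types CN=Dom User1/O=ibm into the attribute. The following Python script is an added example, not code from this paper or from IBM. It converts Domino canonical or abbreviated names to LDAP DN syntax, escaping characters that would otherwise split the DN, and emits LDIF change records for the notesdn attribute. The attribute name notesdn is the one the record above uses; the entry DNs and the second user in the sample mapping are constructed, and names carrying a country component (C=) are assumed not to occur.

```python
"""Generate LDIF that adds Domino DNs to corporate LDAP entries (option 2; added example)."""
import base64

_RDN_SPECIAL = ',+"\\<>;'


def _escape_rdn_value(value):
    """Escape an RDN value per RFC 4514 so a comma inside a Notes CN does not split the DN."""
    out = "".join("\\" + ch if ch in _RDN_SPECIAL else ch for ch in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def notes_to_ldap_dn(notes_name):
    """Turn a Domino hierarchical name into the comma-separated LDAP form used in notesdn.

    Accepts the canonical form ('CN=Dom User1/O=ibm') or the abbreviated form
    ('Dom User1/ibm'); abbreviated components are labelled CN, OU..., O.
    Assumption: names carry no country component (C=), which is not handled here.
    """
    parts = [p.strip() for p in notes_name.split("/") if p.strip()]
    if len(parts) < 2:
        raise ValueError("need at least CN and O: %r" % notes_name)
    labelled = ["=" in p for p in parts]
    if all(labelled):
        rdns = [tuple(x.strip() for x in p.split("=", 1)) for p in parts]
        rdns = [(attr.upper(), val) for attr, val in rdns]
    elif not any(labelled):
        labels = ["CN"] + ["OU"] * (len(parts) - 2) + ["O"]
        rdns = list(zip(labels, parts))
    else:
        raise ValueError("mixed canonical and abbreviated components: %r" % notes_name)
    return ",".join("%s=%s" % (attr, _escape_rdn_value(val)) for attr, val in rdns)


def _ldif_attr_line(attr, value):
    """LDIF (RFC 2849) base64-encodes values that are not SAFE-STRINGs."""
    safe = (value.isascii() and value[:1] not in (" ", ":", "<")
            and "\r" not in value and "\n" not in value)
    if safe:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode())


def notesdn_modify(entry_dn, notes_name, attr="notesdn"):
    """One LDIF change record for a user; 'replace' keeps a re-run idempotent."""
    lines = [_ldif_attr_line("dn", entry_dn),
             "changetype: modify",
             "replace: " + attr,
             _ldif_attr_line(attr, notes_to_ldap_dn(notes_name)),
             "-"]
    return "\n".join(lines) + "\n"


def build_ldif(mapping):
    """mapping: iterable of (corporate LDAP entry DN, Domino name) pairs -> LDIF text."""
    return "\n".join(notesdn_modify(dn, name) for dn, name in mapping)


# Constructed sample pairs; the first is the user from the record above.
SAMPLE_MAPPING = [
    ("uid=duser1,cn=users,dc=ibm,dc=com", "CN=Dom User1/O=ibm"),
    ("uid=jdoe,cn=users,dc=ibm,dc=com", "Jane Doe/Sales/ibm"),
]

if __name__ == "__main__":
    print(build_ldif(SAMPLE_MAPPING), end="")
```

The output is standard LDIF and can be applied with ldapmodify (for example `ldapmodify -H ldap://ldap.atlanta.ibm.com -D <admin DN> -W -f notesdn.ldif`); the corporate directory's schema must of course already allow the notesdn attribute on person entries.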
Once the LDAP directory has been updated, you now must tell Lotus Domino how to
search this directory and what attribute contains the Domino DN of the user. To do this,
create a Directory Assistance database and an LDAP document, following these steps:
1. Open Domino administrator and select File > Application > New, and fill in the fields
as follows (see figure 19):
Server: Select the server you want to enable SSO with (MAIL/IBM in our example)
Title: The title you want for the database (Directory Assistance in our example)
File name: The file name you want to use on the server (da.nsf in our example)
2. Under the Specify Template for New Application section, first enable the Show
advanced templates option at the bottom of the window, then set:
Server: Select the server you want to enable SSO with (MAIL/IBM in our example)
Template: Select Directory Assistance (8.5)
3. Click OK. The new database opens, and the information to connect to the corporate
LDAP directory is created.
4. In the Directory Assistance database, click the Add Directory Assistance button (see
figure 20).
Figure 20. Add Directory Assistance button
6. On the Naming Contexts (Rules) tab (see figure 22), set the fields as follows:
All OrgUnit fields: *
Enabled: Yes
Trusted for Credentials: Yes (this is the only field you need to change from its default)
Note that a rule of * marks every name in that directory as trusted for authentication;
if only part of the LDAP tree should be able to sign in to Domino, narrow the OrgUnit and
Organization fields of the rule accordingly.
Figure 24. Server doc showing Directory Assistance database name field
3 Testing SSO between WebSphere Portal and Lotus Domino
2. Change the URL in the browser to a database in which Default and Anonymous access are
set to No Access and the user has access (a mail file is usually one of the best
options). You should see the database as shown in figure 26.
Figure 26. dom user1 database
If instead you get a sign-in screen (see figure 27), then SSO did not work. (The
upcoming third article in this series will address how to troubleshoot and debug the
issue.)
In addition to testing SSO by signing into WebSphere Portal first, you should also test
the reverse:
1. Open a browser to your mail file and sign in (dom user1; recall figure 26).
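The browser test above is the one to run first, but a scripted version is useful once SSO is in place, both for regression checks after a key rotation and for telling a cookie-scope problem apart from a realm or directory problem. The following Python script is an added example, not code from this paper or from IBM. It checks that the LtpaToken cookie Portal issued is scoped to the Web SSO DNS Domain so the browser will actually send it to Domino, and it classifies Domino's reply to a request carrying that cookie as either SSO success or the sign-in screen (Domino's session login form posts to names.nsf?Login; with basic authentication the refusal is a 401). The host names, the DNS domain atlanta.ibm.com, the mail-file path and the Set-Cookie header used as sample input are constructed.

```python
"""Scripted SSO check: present Portal's LtpaToken cookie to Domino (added example)."""
import http.client
import ssl
import sys
from http.cookies import SimpleCookie

LTPA_COOKIES = ("LtpaToken", "LtpaToken2")

# Constructed Set-Cookie headers in the shape Portal sends; the token value is filler.
SAMPLE_SET_COOKIE = [
    "JSESSIONID=0000abc; Path=/",
    "LtpaToken=QUJDREVGR0hJSktMTU5PUA==; Path=/; Domain=.atlanta.ibm.com",
]


def ltpa_cookie_scope_ok(set_cookie_headers, sso_dns_domain, portal_host, domino_host):
    """Check that the cookie Portal issued will actually be sent to Domino.

    The browser only sends it when its Domain attribute covers both hosts, which
    is exactly what the DNS Domain field of the Web SSO document must be.
    Returns (ok, reason).
    """
    want = sso_dns_domain.lower().lstrip(".")
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if name not in LTPA_COOKIES:
                continue
            got = morsel["domain"].lower().lstrip(".")
            if got != want:
                return False, "%s has Domain=%s but the Web SSO DNS Domain is %s" % (
                    name, got or "(host only)", want)
            for host in (portal_host.lower(), domino_host.lower()):
                if host != got and not host.endswith("." + got):
                    return False, "%s is outside cookie domain %s" % (host, got)
            if morsel["path"] not in ("", "/"):
                return False, "%s has Path=%s; Domino URLs outside it never get the token" % (
                    name, morsel["path"])
            return True, "%s scoped to .%s, valid for both hosts" % (name, got)
    return False, "no LtpaToken cookie in the Portal response (did the sign-in succeed?)"


def domino_accepted_token(status, location, body):
    """Classify Domino's reply: True = SSO worked, False = challenge or sign-in screen."""
    if status == 401:                      # basic-auth challenge: token not honoured
        return False
    if 300 <= status < 400:                # redirect to names.nsf?Login is the sign-in screen
        return "login" not in (location or "").lower()
    if status == 200:                      # session auth renders the login form inline
        return "names.nsf?login" not in body.lower()
    return False


def probe_domino(host, path, cookie_header, https=True):
    """GET a restricted Domino URL with the captured cookie; returns (status, location, body)."""
    if https:
        conn = http.client.HTTPSConnection(host, context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host)
    conn.request("GET", path, headers={"Cookie": cookie_header})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    return resp.status, resp.getheader("Location"), body


if __name__ == "__main__":
    # usage: python sso_check.py mail.atlanta.ibm.com /mail/duser1.nsf 'LtpaToken=<value>'
    # (copy the LtpaToken value from the browser after signing in to Portal)
    host, path, cookie = sys.argv[1:4]
    status, location, body = probe_domino(host, path, cookie)
    if domino_accepted_token(status, location, body):
        print("SSO worked: Domino served", path, "with status", status)
    else:
        print("SSO failed: Domino asked for credentials (status %s)" % status)
```

If the cookie-scope check fails, fix the DNS Domain in the Web SSO document (or the host names) before looking anywhere else; if the cookie is fine but Domino still shows the sign-in screen, the problem is on the token side (keys, realm, or the name mapping between the directories), which the troubleshooting paper in this series covers.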
4 Conclusion
After having read the first paper in this series, you gained a good understanding of how
SSO works between WebSphere Portal and Lotus Domino. Now, you also know all the
detailed steps to get SSO working between the two, summed up as follows:
1. Export the LTPA key file from WebSphere Portal, without regenerating the keys.
2. Create a Web SSO Configuration document in the Domino Directory, import the key file
into it, and check the LDAP Realm it records.
3. Set the Domino server to multi-server SSO in its Server document (Internet Protocols >
Domino Web Engine) and, on Portal 6.1.x, turn off automatic key regeneration.
4. Synchronize the Domino and corporate LDAP directories so that each user is known to
both servers under one name.
You should have little trouble setting up SSO between your two environments. If,
however, there is still an issue, the next paper in this series will walk you through
everything you need to do to troubleshoot, isolate, and resolve the problem.
5 Resources
developerWorks white paper, Understanding single sign-on (SSO) between IBM WebSphere
Portal and IBM Lotus Domino:
http://www.ibm.com/developerworks/websphere/zones/portal/proddoc/dw-w-ssoportal-domino/index.html
developerWorks article, How to configure SSO with LTPA for IBM Lotus
Connections 2.0:
http://www.ibm.com/developerworks/lotus/library/connections-sso/
6 About the author
Charlie Price is an Advisory Software Engineer in IBM's Software Group. He has six
years of experience in technical support for IBM Lotus software, and two years in the
test organization, specializing in cross-product integration with Lotus, IBM, and other
third-party products.
Trademarks
developerWorks, Domino, IBM, Lotus, Notes, QuickPlace, Quickr, and WebSphere
are trademarks or registered trademarks of IBM Corporation in the United States, other
countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other
countries.
Other company, product, and service names may be trademarks or service marks of
others.