Friday 19 April 2013

Integrating IBM Connections 3.0.1 with IBM Websphere Portal 8.0.


Note: This document covers installing IBM Connections 3.0.1 and integrating it with WebSphere Portal 8.0, using LTPA tokens for single sign-on and the IBM Connections Portlets 3.0.1, in a standalone test / development environment.
The online IBM Connections wiki contains the detailed information, so I will only discuss the steps to follow and the important things to take note of during installation, configuration, and while implementing SSO between IC 3.0.1 and WP 8.

To check IBM Connections 3.0.1 wiki online go to:


Deployment Topology and Software Required.

VM1:               dsbox.rcds.net

Windows Server 2003 with Active Directory Configured. (32 bit).


VM2:               lcbox.rcds.net

Windows Server 2003 (32 bit), IBM WebSphere Application Server 7 with fix pack 7.0.0.19, IBM Http Server 7, Tivoli Directory Integrator 7 with fix pack 7, IBM DB2 UDB 9.7, IBM Connections 3.0.1.


VM3:               wpbox.rcds.net
Windows Server 2008 R2 Standard. (64 bit), IBM WebSphere Portal 8.0.0.0 with interim fix: 8.0.0.0-WP-IFPM64172

 



THIS DOCUMENT IS DIVIDED INTO TWO PARTS.

Part 1. Installing IBM Connections 3.0.1.

a. Pre-Installation

- Install and configure Directory Server
- Install, configure and apply fix pack on WAS 7
- Install and configure DB2 UDB
- Install and configure IBM HTTP Server 7
- Configure Federated repository
b. Installation.

- Install IBM Connections 3.0.1 
- Install, configure and apply fix pack on IBM Tivoli Directory Integrator 7
- Populate database using populationwizard.bat file.
c. Post Installation.

- Reviewing the JVM heap size
- Configuring IBM HTTP Server
- Configuring administrators for Home page and Blogs
- Configuring Blogs
- Enabling Search dictionaries
- Creating the initial Search index
- Copying Search conversion tools to local nodes
- Accessing Windows network shares
- Configuring Moderation

Part 2. Integrating IC 3.0.1 with WP8.

a. Deploying IBM Connections Portlets 3.0.1.1. 

- Configuring the resource environment provider
- Configuring the DynaCache
- Setting up an authentication alias for the portlets
- Configuring 3.0.1.1 portlets to use common directory services
- Importing a certificate to support SSL
- Configuring authentication for the portlets
- Installing the IBM Connections 3.0.1.1 Portlets for IBM WebSphere Portal
- Configuring the application-specific AJAX proxy to support authentication

-----------------------------------------------------------------------------------------------------------



Part 1.  INSTALLING IBM CONNECTIONS 3.0.1.

a. PreInstallation Tasks.

Details are at : http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Preinstallation_tasks_ic301

1.    Install Directory Server. (you can use TDS or AD or any other DS available).
2.    Install Websphere Application Server ND 7.0.
3.    Install Update Installer 7.0.0.23 for Websphere Application Server.
4.    Install WAS 7 fix pack 7.0.0.19 using Update Installer.
a.    Upgrades WAS ND 7.0.0.0 to 7.0.0.19.
5.    Install DB2 9.7.
6.    Install IBM HTTP Server 7.0
7.    Create a Windows user named LCUser with the password lcuser.
8.    Run dbwizard30.bat from LC 3.0.1 wizards directory.
    a. Verify that the activities, blogs, communities, dogear, profiles, homepage, wikis, files and forums databases are created.
    b. Check that LCUser has been granted permission via the log files.
9.    Configure Federated repository.
Note: Use the same procedure and names for WebSphere Portal 8.
    a. Log in to the Integrated Console.
    b. Go to Security and scroll down. In the available realm definitions, make sure that Federated repositories is selected, then click Configure.
    c. Scroll down and click Manage repositories under the Related Items heading.
    d. Click the Add button and select LDAP repository.
    e. Type any name in Repository identifier, e.g. RCDSRepository.
    f. Under the LDAP Server heading, select Microsoft Active Directory in the Directory type drop-down list.
    g. Type the primary hostname, e.g. myds.mydomain.com, and port 389 (the SSL port is 636).
    h. On the right-hand side, type the bind distinguished name, e.g.
    CN=bind admin,CN=Users,DC=RCDS,DC=NET
    i. Enter the password.
    j. Do not change the login properties; leave it as ( uid ).
    k. Click Apply and save the change.
    l. In Federated Repositories, scroll down and click Add base entry to realm.
    m. Select the repository you have just created.
    n. Type the distinguished name of a base entry, e.g. o=rcds
    o. In the Distinguished name of base entry in this repository text box, type DC=RCDS,DC=NET.
    p. Click Apply and then OK.
    q. Save the changes and restart all servers.
    r. Make sure the Integrated Console admin user does not also exist in your directory server repository; otherwise you need to log in with the full DN, e.g. uid=wasadmin, o=defaultWIMFileBasedRealm

b. Installation:

Details are at : http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Installing_IBM_Connections_3.0.1_ic301

1. Run LaunchPad.exe from the LC301 install files and give the details for the installation paths.
    a. Accept the EULA and specify the path to install Lotus Connections 3.0.1.
    b. Select the applications that you want to install and click Next.
    c. Enter the WAS and DB2 environment information.
    d. Disable notifications if email notifications are not required; otherwise provide the email server details to set up email notifications.
2. After installing Lotus Connections, download and install TDI 7.0.
3. Install TDI fix pack 7.
    a. Download the fix pack and place the .zip file in the tdi\v7.0 directory.
    b. Use the applyupdates.bat file from the tdi\v7.0\bin directory to apply the fix pack.
4. Copy the LC Wizards directory to the file system where TDI is installed, then right-click the directory and uncheck the read-only attribute.
5. Run the populate database wizard from the LC Wizards directory. (populationwizard.bat)
Note: Before running it, make sure that the time zone is the same and the time is synced on all machines.
    a. Click Next on the welcome screen.
    b. Select DB2 Universal Database(TM).
    c. Enter the details for the DB2 server.
    d. Use LCUser / lcuser to connect to the DB2 database in the wizard.
    e. Enter the LDAP server name and port, e.g. dsbox.rcds.net / 389.
    f. Enter the bind DN, e.g. CN=bind admin,CN=Users,DC=RCDS,DC=NET / ***********
    g. Enter the LDAP user search base and filter, e.g. DC=RCDS,DC=NET / (&(sAMAccountName=*)(objectclass=user))
    h. On the profiles database mapping page, do not change anything; select Next.
    j. On the Optional database tasks page, click No on (Run the task that marks the profiles of each Manager).
    k. Verify the summary and click Configure.
    l. You will receive a message similar to this at the end.
CLFRN0027I: After iteration, success records is 4, duplicate records 13, failure records is 4, last successful entry is CN=vmm admin,CN=Users,DC=RCDS,DC=NET.
(Note that failure records represents those that have no surname in AD).
Note: Search Filter of different Directory Servers.
    Microsoft Active Directory and Active Directory Application Mode:
    source_ldap_search_filter=(&(sAMAccountName=*)(objectclass=user))
    IBM Lotus Domino:
    source_ldap_search_filter=(&(uid=*)(objectclass=dominoPerson))
    Sun Java™ System Directory Server:
    source_ldap_search_filter=(&(uid=*)(objectclass=inetOrgPerson))
    Novell eDirectory:
    source_ldap_search_filter=(&(uid=*)(objectclass=inetOrgPerson))
    IBM Tivoli Directory Server:
    source_ldap_search_filter=(&(uid=*)(objectclass=inetOrgPerson))



c. Post-installation tasks.

Follow all the steps below. Steps 5, 6 and 7 are not required if you are building a standalone environment. Details are available online at
http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Mandatory_postinstallation_tasks_ic301

1. Reviewing the JVM heap size
    Review the size of the Java™ Virtual Machine heap and adjust it, if necessary, to avoid out-of-memory errors or to suit your hardware capabilities.

2. Configuring IBM HTTP Server
    Configure IBM® HTTP Server to manage web requests to IBM Connections.
http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Configuring_IBM_HTTP_Server_ic301

    a. Defining IBM HTTP Server
    Define IBM HTTP Server to manage web connections.
    b. Configuring IBM HTTP Server for SSL
    Configure IBM HTTP Server to use the SSL protocol.
    c. Adding certificates to the WebSphere trust store
    Import a self-signed IBM HTTP Server certificate into the default trust store of IBM WebSphere Application Server.
    d. Determining which files to compress
    If you are not compressing content with the IBM WebSphere Application Server Edge components or a similar device, consider configuring the IBM HTTP Server to compress certain types of content to improve browser performance.
    e. Updating web addresses in IBM HTTP Server
    Update the web addresses that IBM HTTP Server uses to access IBM Connections applications.
    Note: In this step you need to check out the LotusConnections-config.xml file, edit it, and check it in again.

Follow the procedure below to check out and check in the LotusConnections-config.xml file.

    a. Start the wsadmin tool and use the following command to access the LotusConnections-config.xml file:
    b. execfile("<WAS_HOME>/profiles/<DMGR>/config/bin_lc_admin/connectionsConfig.py")
    where
    <WAS_HOME> is the location of your WebSphere® Application Server Network Deployment installation.
    <DMGR> is the name of the IBM® WebSphere Application Server Deployment Manager for the cell.
    c. Check out the LotusConnections-config.xml file using the following command:
    LCConfigService.checkOutConfig("/<working_directory>", "<cell_name>")
    where
    <working_directory> is the temporary working directory to which the configuration file is copied. The file is kept in this working directory while you edit it.
    <cell_name> is the name of the IBM WebSphere Application Server cell hosting the Search feature of Lotus® Connections. This argument is case sensitive. If you do not know the cell name, type the following command in the wsadmin command processor:
    print AdminControl.getCell()
    For example: LCConfigService.checkOutConfig("/temp","east01Cell01")
    d. Open the LotusConnections-config.xml file in a text editor and edit it.
    e. Save and close the LotusConnections-config.xml file.
    f. Check in the LotusConnections-config.xml file using the following command: LCConfigService.checkInConfig()
    g. Enter the following command to deploy the changes: synchAllNodes()
    h. Stop and restart the WebSphere Application Server instance hosting Lotus Connections.

3. Configuring administrators for Home page and Blogs
    You must create administrators for Home page and Blogs before you can use those applications.

4. Configuring Blogs
    Configure the Blogs application so that you and other users can create blogs.

5. Enabling Search dictionaries
    During installation, only the English language dictionary is enabled by default. When your organization spans multiple geographies and multiple languages, you need to enable the relevant language dictionaries for your deployment to ensure that Search returns optimum results for your users.
6. Creating the initial Search index
Enable Search functionality by building the index and copying it to each node that is running the Search application.
7. Copying Search conversion tools to local nodes
Copy Search conversion tools to local nodes to enable full indexing of data.
8. Accessing Windows network shares
Configure a user account to access network shares in an IBM Connections deployment on the Microsoft® Windows® operating system.
9. Configuring Moderation
Configure moderation so that moderators can review content for blogs, forums, and community files from a central interface.

 -----------------------------------------------------------------------------------------------------------

Part 2. Integrating IC 3.0.1 with WP8.

a. Deploying IBM Connections Portlets 3.0.1.1.


http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Deploying_the_IBM_Connections_portlets_ic301
Perform all these steps on the WebSphere Portal 8 VM and check the link above for details. I have explained only the topics that require more attention.

1. Configuring the resource environment provider.
You must add IBM Connections server URLs to the WebSphere Resource Environment provider as part of the configuration.
In step 7, while configuring the resource environment provider, you do not need to define the Connections services or context roots in a standalone deployment; just define globalBaseURL, which is the IC 3.0.1 server URL, e.g. https://LCBox.rcds.net
2. Configuring the DynaCache.
Configure DynaCache to store community feeds in order to reduce server requests.
3. Setting up an authentication alias for the portlets.
Set up an authentication alias with user credentials from the common LDAP shared between IBM Connections and Portal to manage VMM services.
4. Configuring 3.0.1.1 portlets to use common directory services.
Configure the IBM Connections portlets to use the common directory services to enable directory lookup from IBM Connections in the IBM WebSphere Portal environment. This enables typeahead for finding names.
5. Importing a certificate to support SSL.
Import a certificate so that IBM Connections and WebSphere Portal can communicate over Secure Socket Layer (SSL).
6. Configuring authentication for the portlets.
Set up single sign-on integration between IBM Connections 3.0.1 and WebSphere Portal 8.
Make sure you have configured the same Federated Repository with both servers as described above in this document.

Follow these steps on both the IBM Connections 3.0.1 and WebSphere Portal 8 machines.

    1. Log in to the WebSphere Administrative Console on the IC 3.0.1 machine. (Use http://fully_qualified_host_name:port_number/ibm/console to access the console in a web browser.)
    Select Security > Global Security > Authentication > Web and SIP Security > Single Sign-on (SSO).
    The Enabled, Interoperability Mode, and Web inbound security attribute propagation boxes should all be checked.
    (If it asks for LTPA cookie names, type LtpaToken and LtpaToken2.)
    Provide a domain name, e.g. .rcds.net (the leading dot, reading left to right, marks where the domain starts).
    Click Apply.
    2. Change the Web authentication setting for unsecure pages to receive authentication data.
    - Select Security > Global Security > Authentication > Web and SIP Security > General settings.
    - Check the Use available authentication data when an unprotected URI is accessed box.
    - Click Apply.
    3. Enable single sign-on by having both WebSphere Application Server servers exchange their LTPA keys.
    - Select Security > Global Security > Authentication > LTPA.
    - In Cross Single Sign On, enter your password, confirm the password, and enter the name of the file to export the keys to, then click Export keys. e.g. c:\wpboxltpa.key
    4. Import the keys to the WebSphere Portal 8 machine.
    - Copy the key file to the WP 8 machine.
    - Log in to the WebSphere Administrative Console on the WP 8 machine.
    - Select Security > Global Security > Authentication > LTPA.
    - Use the password you entered on the IC 3.0.1 machine, enter the name of the file copied to the WP 8 machine, and click Import keys.
    - Save the configuration.
    Repeat steps 1-4 on the WP 8 machine (that is, change the single sign-on preferences and General settings, export the keys from the WP 8 machine, and import the keys on the IC 3.0.1 machine).
    5. Save the configuration on both servers and restart them.
    If single sign-on is configured correctly, you do not need to log in to the second machine's ISC (whichever it may be, IC 3.0.1 or WP 8) once you have logged in to the first machine's ISC. You see the username displayed in the upper corner of the home page.
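
A check for the domain setting in step 1, as an added example that is not part of the original post: it parses Set-Cookie header values captured from a login response and reports whether each LTPA cookie would be sent to both lcbox.rcds.net and wpbox.rcds.net. The header values are constructed samples, and the Secure / HttpOnly findings are an added hardening check, not something the steps above configure.

```python
from http.cookies import SimpleCookie

LTPA_NAMES = ("LtpaToken", "LtpaToken2")           # cookie names from step 1
SSO_HOSTS = ("lcbox.rcds.net", "wpbox.rcds.net")   # hosts from the topology

# Constructed samples: one cookie scoped to the SSO domain, one host-only.
SAMPLE_SHARED = ["LtpaToken2=constructedvalue; Path=/; Domain=.rcds.net; Secure; HttpOnly"]
SAMPLE_HOST_ONLY = ["LtpaToken2=constructedvalue; Path=/"]


def domain_matches(host, cookie_domain):
    """RFC 6265 domain match: the host equals the domain or is a subdomain of it."""
    domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def audit_set_cookie(issuing_host, header_values):
    """Return {cookie name: [findings]} for the LTPA cookies in Set-Cookie values."""
    report = {}
    for raw in header_values:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if name not in LTPA_NAMES:
                continue
            findings = []
            domain = morsel["domain"]
            for host in SSO_HOSTS:
                # Without a Domain attribute the cookie is host-only.
                if domain:
                    sent = domain_matches(host, domain)
                else:
                    sent = host == issuing_host
                if not sent:
                    findings.append("not sent to " + host)
            if not morsel["secure"]:
                findings.append("missing Secure")
            if not morsel["httponly"]:
                findings.append("missing HttpOnly")
            report[name] = findings
    return report


if __name__ == "__main__":
    print(audit_set_cookie("lcbox.rcds.net", SAMPLE_SHARED))
    print(audit_set_cookie("lcbox.rcds.net", SAMPLE_HOST_ONLY))
```

An empty findings list means the cookie reaches both machines; "not sent to wpbox.rcds.net" is what a missing or wrong SSO domain looks like from the browser side.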

7. Installing the IBM Connections 3.0.1.1 Portlets for IBM WebSphere Portal
Install the IBM Connections Portlets for IBM WebSphere Portal.
8. Configuring the application-specific AJAX proxy to support authentication
Configure the application-specific AJAX proxy to manage authentication for the IBM Connections portlets.

1. Follow the links below first.
http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Configuring_the_applicationspecific_AJAX_proxy_to_support_authentication_ic301
http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Configuring_the_Portal_AJAX_proxy_to_support_authentication_ic301

2. If your AJAX proxy doesn't work, do this.

    a. Close the AJAX proxy application from the ISC on the WP 8.0 machine.
    b. Modify the proxy-config.xml file and enter the lines below. The file is at <Portal_Root>\wp_profile\config\cells\<nodeName>\applications\AJAX Proxy Configuration.ear\deployments\AJAX Proxy Configuration\wp.proxy.config.war\WEB-INF\proxy-config.xml
<policy url="{$ibm_connections_policy}" acf="none" basic-auth-support="true">
        <actions>
            <method>GET</method>
            <method>HEAD</method>
            <method>POST</method>
            <method>PUT</method>
            <method>DELETE</method>
        </actions>
        <cookies>
            <cookie>LTPA</cookie>
            <cookie>LTPA2</cookie>
            <cookie>LtpaToken</cookie>
            <cookie>LtpaToken2</cookie>
            <cookie>JSESSIONID</cookie>
            <cookie>PD-H-SESSION-ID</cookie>
            <cookie>PD-S-SESSION-ID</cookie>
            <cookie>SMSESSION</cookie>
        </cookies>
        <headers>
            <header>User-Agent</header>
            <header>Accept-Language</header>
            <header>Authorization*</header>
            <header>Content*</header>
        </headers>
        <meta-data>
            <name>forward-credentials-from-vault</name>
            <value>true</value>
        </meta-data>
</policy>

3. Restart WP 8 Server and test via the method below.
Verify that the global proxy configurations are working in an SSO environment:
•    Open a new browser window and enter one of the following test URLs:
If you have a web server configured for Portal as well as Connections, use:
•    http://<WP_Server>/wps/proxy/https/<CONNECTIONS_SERVER_BASE_URL>/profiles/atom/profileService.do?lang=en
For example http://myportalwebserver/wps/proxy/https/myconnectionswebserver/profiles/atom/profileService.do?lang=en

If you have a web server configured for Connections but not for Portal, use:
•    http://<WP_Server:Port>/wps/proxy/https/<CONNECTIONS_SERVER_BASE_URL>/profiles/atom/profileService.do?lang=en
For example http://myportalserver:10400/wps/proxy/https/myconnectionswebserver/profiles/atom/profileService.do?lang=en

If you do not have web servers configured for either Portal or Connections, use:
•    http://<WP_Server:Port>/wps/proxy/https/<CONNECTIONS_SERVER_BASE_URL:Port>/profiles/atom/profileService.do?lang=en
For example http://myportalserver:10400/wps/proxy/https/myconnectionsserver:9444/profiles/atom/profileService.do?lang=en
•    Enter the user name and password of a Connections user.
•    If you are prompted to save or open a document, then the proxy has been properly configured.
•    If you are prompted to enter a user name and password, then the proxy has been properly configured but SSO is not enabled.
•    If you receive a 403 error in response then the proxy is not properly configured.
•    If you receive a 500 or any other response code, this means the proxy was properly configured but something else is not working.
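
A review helper for the policy entered in step 2b, as an added example that is not part of the original post or of IBM's tooling: it reads a proxy-config.xml fragment or full file and lists, per policy, what the proxy will forward to the target server. The sample is the step 2b policy shortened to a few entries, and the review points are this example's own assumptions about what is worth confirming.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the policy from step 2b with fewer cookies and headers.
SAMPLE = """<policy url="{$ibm_connections_policy}" acf="none" basic-auth-support="true">
  <actions><method>GET</method><method>POST</method><method>DELETE</method></actions>
  <cookies><cookie>LtpaToken</cookie><cookie>LtpaToken2</cookie><cookie>JSESSIONID</cookie></cookies>
  <headers><header>User-Agent</header><header>Authorization*</header></headers>
  <meta-data><name>forward-credentials-from-vault</name><value>true</value></meta-data>
</policy>"""


def _local(tag):
    """Element name without any XML namespace part."""
    return tag.rsplit("}", 1)[-1]


def _texts(policy, group, item):
    """Text of every <item> under <group>, e.g. cookies/cookie."""
    return [(el.text or "").strip()
            for grp in policy if _local(grp.tag) == group
            for el in grp if _local(el.tag) == item]


def review_policy(policy):
    """Summarise one <policy> element and list the points to confirm."""
    url = policy.get("url", "")
    methods = _texts(policy, "actions", "method")
    cookies = _texts(policy, "cookies", "cookie")
    headers = _texts(policy, "headers", "header")
    notes = []
    if url.startswith("{$"):
        notes.append("url is a variable: confirm the value it resolves to")
    elif "*" in url.split("://", 1)[-1].split("/", 1)[0]:
        notes.append("url host part contains a wildcard")
    if policy.get("acf") == "none":
        notes.append("active content filtering is off")
    writes = [m for m in methods if m in ("POST", "PUT", "DELETE")]
    if writes:
        notes.append("write methods allowed: " + ", ".join(writes))
    if cookies:
        notes.append("cookies forwarded to target: " + ", ".join(cookies))
    if any(h.lower().startswith("authorization") for h in headers):
        notes.append("Authorization header forwarded")
    return {"url": url, "methods": methods, "cookies": cookies, "notes": notes}


def review_document(xml_text):
    """Review every <policy> in a fragment or in a full proxy-config.xml."""
    root = ET.fromstring(xml_text)
    return [review_policy(el) for el in root.iter() if _local(el.tag) == "policy"]


if __name__ == "__main__":
    for result in review_document(SAMPLE):
        print(result["url"])
        for note in result["notes"]:
            print("  -", note)
```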

If you have completed all the steps above up to here, then congratulations. Your integration is done.