Enable single sign-on for SiteMinder

Enable single sign-on for SiteMinder

Configure IBM Connections to use Computer Associates' SiteMinder to implement user authentication and single sign-on (SSO).
When a user requests a page that is protected by SiteMinder, the Web Agent on the HTTP server intercepts the request and prompts the user for authentication. If the user provides valid credentials, the user is authenticated and an SMSESSION cookie is added to the request which is then passed on to the WAS. The SiteMinder Trust Association Interceptor (TAI) on the server verifies the information in the cookie and sets the User Principal that IBM Connections requires to identify the user.
This task describes a configuration that uses SiteMinder Policy Server 6.0 SP5, SiteMinder ASA 6.0 Agent for WAS (with CR00010 hotfix), and SiteMinder Web Agent v6qmr5-cr035.
Ensure that we can access Connections applications from a web browser.

Complete the installation and configuration of TAI/ASA. The instructions are included with SiteMinder.

Verify that TAI/ASA is registered with WebSphere Application Server.

Each href attribute in LotusConnections-config.xml is case-sensitive and must specify a fully-qualified domain name.

The connectionsAdmin J2C alias specified during installation must correspond to a valid account that can authenticate with SiteMinder. Map to a back-end TAM administrative user account. This account must be capable of authenticating for single sign-on against SiteMinder. If we update the user ID or credentials for this alias, see Change references to database administrative credentials.

WebSphere Application Server 7 Fix Pack 21 does not provide the key Java libraries that install and configure SiteMinder Application Server Agents (ASA) for WebSphere with WebSphere Application Server. The procedure to update the files is described in Step 1 of this task.

See CA SiteMinder BookShelf.

See CA SiteMinder Agent for WebSphere guide (PDF) and the CA eTrust SiteMinder Agent for IBM WebSphere Release Notes (PDF).

Create SiteMinder Agent and Domain objects with realms, rules, and a policy related to IHS, and WAS.

Download and apply the Unrestricted JCE policy files:

Go to the J2SE 5 SDK Security information web page.

Authenticate with the universal IBM user ID and password.

Download the Unrestricted JCE Policy files for SDK for all newer versions package.

Extract the files from the downloaded package.

Back up the existing copies (if any) of the US_export_policy.jar and local_policy.jar files, located in app_server_root/java/jre/lib/security.

Copy the new jar files from the extracted package to the same directory, overwriting any existing files.

Create agents on the SiteMinder Policy Server, including a Web Agent for IHS, and an Application Server Agent for WAS.

Open the SiteMinder Administration console.

Right-click Agents and select Create Agent.

Enter details of the Name and Description of the Web Agent for IHS.

Repeat these steps for the Application Server Agent.

Create Agent Configuration Objects on the SiteMinder Policy Server.
In the SiteMinder Administration Console, open the Agent Conf Objects pane and complete the following steps:

Configure the Web Agent for IHS:

Right-click Apache Default Settings Agent and select Duplicate Configuration Object.

Enter the Name and description of the Agent Configuration Object.

Update the following parameters to match the environment:

DefaultAgentName

Name of the Apache Agent created earlier

CookieDomain

your_domain
where your_domain is your IBM Connections domain.
If, for example, the URL is http://activities.myco.com/activities, the host name is activities.myco.com and the domain is myco.com. In this example, you would set CookieDomain=myco.com. .

RequireCookies

NO
This parameter configures the Web Agent to support basic authentication but without requiring all API client programs to support cookies.

BadCSSChars

<,>
This parameter enables the Invite colleagues functionality in Profiles.

LogOffUri

URI
Configure SiteMinder to recognize only one web address as the logout web address. Uncomment one of the following URIs by removing the number sign (#) character:
#LogOffUri="/activities/service/html/ibm_security_logout"
#LogOffUri="/blogs/ibm_security_logout"
#LogOffUri="/communities/communities/ibm_security_logout"
#LogOffUri="/dogear/ibm_security_logout"
#LogOffUri="/files/ibm_security_logout"
#LogOffUri="/forums/ibm_security_logout"
#LogOffUri="/homepage/web/ibm_security_logout"
#LogOffUri="/moderation/ibm_security_logout"
#LogOffUri="/news/ibm_security_logout"
#LogOffUri="/profiles/ibm_security_logout"
#LogOffUri="/search/ibm_security_logout"
#LogOffUri="/wikis/ibm_security_logout"

Under the System tab, update the Agent Configuration Object with the following value: FCCCompatMode - NO

Configure the Application Server Agent:

Right-click Apache Default Settings Agent and select Duplicate Configuration Object.

Enter the Name and description of the Agent Configuration Object.

Update the following parameters to match the environment:

DefaultAgentName

Name of the Apache Agent created earlier

CookieDomain

your_domain
where your_domain is your IBM Connections domain.
If, for example, the URL is http://activities.myco.com/activities, the host name is activities.myco.com and the domain is myco.com. In this example, you would set CookieDomain=myco.com.

AssertionAuthResource

/siteminderassertion

AssertbyUserID

True

Check whether the PrevalidateCookie property exists in the Configuration Values :

If PrevalidateCookie does exist, click Edit and set it to YES.

If PrevalidateCookie does not exist, click Add, add a parameter named PrevalidateCookie, and set it to YES.

Click OK and then click OK again to save the parameters.

When activated, the LogOffUri parameter clears the SMSESSION cookie and ensures the user is logged out of all Connections browser sessions.

To add parameters, edit the Agent Configuration Object on the SiteMinder Policy Server. Alternatively, we can edit the LocalConfig.conf file on the HTTP server if the Web Agent is configured to use it.

If we are editing the SiteMinder configuration file directly, we must surround the values of SiteMinder configuration parameters with quotation marks ("); for example: BadCSSChars="<,>". If we are changing these parameters within the SiteMinder Policy Server, do not use quotation marks.

Specify the SiteMinder Authentication Scheme configuration:

Open the SiteMinder Administration Console and navigate to...
Authentication Scheme Properties dialog box | Authentication Scheme type list | HTML Form template

Clear the Use Relative Target check box.

Enter the URL of the Connections HTTP server in the web Server Name field.

On the SiteMinder Policy Server, create a domain for the IHS web agent.

Create protected realms under the IHS Web Agent domain:

Use the Agent Object and Forms Authentication Scheme that you created in Step 3.a and Step 4, create SiteMinder realms that are protected by forms authentication.
See the Realms that require forms authentication table for a list of URLs that are protected by forms authentication.

Application Protected URL resource
ConnectionsDefaultRealm /
Activities /activities/follow/atomfba
/activities/service/atom2/forms
/activities/service/atom2/communityEvent
/activities/service/download/forms
/activities/service/getnonce/forms
Blogs /blogs/api_form
/blogs/atom_form
/blogs/follow/atomfba
/blogs/roller-ui/blog
/blogs/roller-ui/feed_form
/blogs/roller-ui/rendering/api_form
/blogs/roller-ui/rendering/feed_form
/blogs/services/atom_form
Bookmarks /dogear/atom_fba
Common resources /connections/opensocial/rest
Communities /communities/calendar/atom_form
/communities/follow/atomfba
/communities/forum/service/atom/forms
/communities/recomm/ajax
/communities/recomm/atom_form
/communities/service/atom/forms
Files /files/follow/atomfba
/files/form/cmis/repository
Forums /forums/atom/forms
/forums/follow/atomfba
Metrics /metrics
/cognos
Profiles /profiles/atom/forms
/profiles/atom2/forms
/profiles/follow/atomfba
URL Preview /connections/opengraph/form/api/oembed
/connections/thumbnail/form/api/imageProxy
Wikis /wikis/follow/atomfba

Use the Agent Object and Forms Authentication Scheme that you created in Step 3.a and Step 4, create SiteMinder realms that are protected by basic authentication.
See the Realms that require basic authentication table for a list of URLs that are protected by basic authentication.

Application Protected URL resource
Activities /activities/follow/atom
/activities/service/download
/activities/service/html/autocompleteactivityname
/activities/service/html/autocompleteentryname
/activities/service/html/autocompletemembers
/activities/service/atom
/activities/service/getnonce
Blogs /blogs/api
/blogs/atom
/blogs/follow/atom
/blogs/issuecategories
/blogs/roller-ui/BlogsWidgetEventHandler.do
/blogs/roller-ui/feed
/blogs/roller-ui/rendering/api
/blogs/roller-ui/rendering/feed
/blogs/services/atom
Bookmarks /dogear/api/app
/dogear/api/deleted
/dogear/api/notify
/dogear/atom
Common resources /connections/opensocial/basic/rest
Communities /communities/calendar/atom
/communities/calendar/handleEvent
/communities/calendar/ical
/communities/follow/atom
/communities/forum/service/atom
/communities/recomm/atom
/communities/recomm/handleEvent
/communities/service/atom
/communities/service/json
Files /files/basic/api
/files/basic/cmis
/files/basic/opensocial
/files/follow/atom
Forums /forums/atom
/forums/follow/atom
Home page /homepage/atom/search
/homepage/atom/mysearch
Metrics /cognos/servlet/ping
Required for Connections 4.5, CR3 only.
News /news/atom/service
/news/atom/stories/newsfeed
/news/atom/stories/public
/news/atom/stories/saved
/news/atom/stories/statusupdates
/news/atom/stories/top
/news/atom/watchlist
/news/atomfba/stories/public
Profiles /profiles/atom
/profiles/atom2
/profiles/audio.do
/profiles/follow/atom
/profiles/json
/profiles/photo.do
/profiles/vcard
URL Preview /connections/opengraph/basic/api/oembed
/connections/thumbnail/basic/api/imageProxy
Wikis /wikis/basic/api
/wikis/follow/atom

Protect login credentials with encryption: Using the Basic over SSL Template scheme, create a SiteMinder Authentication Scheme and apply the new Authentication Scheme to all the SiteMinder realms that require basic authentication.

Create Delete and Head actions for the Web Agent. By default, the Web Agent has only the Get, Post, and Put actions available. To add the Delete and Head actions:

In the SiteMinder Administration Console, click View and select Agent Types.

Select Agent Types in the Systems pane.

Double-click Web Agent in the Agent Type list.

In the Agent Type Properties dialog box, click Create.

Enter Delete in the New Agent Action dialog box and click OK.

Enter Head in the New Agent Action dialog box and click OK.

Click OK again to save the new action.

Create the following rules for each realm:

GetPostPutDelHead rule OnAuthAccept rule
Realm: CurrentRealm Realm: CurrentRealm
Resource: * (not /*) Resource: * (not /*)
Action: Web Agent actions -> Get,Post,Put,Delete,Head Action: Authentication events -> OnAuthAccept
When this Rule fires: Allow Access When this Rule fires: Allow Access
Enable or Disable this Rule: Enabled Enable or Disable this Rule: Enabled

Create a policy and add the users who will be able to access the server to the policy. We can allow all users in the LDAP directory or a subset of users; for example: an LDAP branch, individual users, or groups of users.

Add the new rules to the new policy.

Specify realms that are not protected by SiteMinder.
Configure notification templates and some Atom feeds as unprotected URLs. The Blogs footer page must also be unprotected because Blogs uses the Velocity template to extract footer pages.

Application Unprotected URL resource
Activities /activities/auth
/activities/images
/activities/oauth
/activities/service/html/images
/activities/service/html/mainpage
/activities/service/html/styles
/activities/service/html/themes
/activities/service/html/servermetrics
/activities/service/html/serverstats
/activities/serviceconfigs
/activities/static/
Blogs /blogs/oauth
/blogs/serviceconfigs
/blogs/static/
Bookmarks /dogear/oauth
/dogear/peoplelike
/dogear/serviceconfigs
/dogear/static/
Common resources /connections/bookmarklet/tools/blet.js
/connections/bookmarklet/tools/discussThis.js
/connections/bookmarklet/tools/rlet.js
/connections/core/oauth
/connections/oauth
/connections/resources/ic
/connections/resources/socmail-client
/connections/resources/socpim
/connections/resources/web
/nav/common
Communities /communities/calendar/Calendar.xml
/communities/calendar/oauth
/communities/comm.widget
/communities/images
/communities/nav
/communities/recomm/oauth
/communities/recomm/Recomm.xml
/communities/resourceStrings.do
/communities/service/atom/oauth
/communities/service/html/communityview
/communities/service/html/community/autoCompleteMembers.do
/communities/service/html/singleas
/communities/service/opensocial/oauth
/communities/serviceconfigs
/communities/static/
/communities/stylesheet
/communities/tools/embedAS.html
/communities/widgets
Content Manager /wsi
/acce
/dm
Files /files/app
/files/basic/anonymous/api
/files/basic/anonymous/cmis
/files/basic/anonymous/opensocial
/files/form/anonymous/api
/files/form/anonymous/cmis
/files/form/anonymous/opensocial
/files/oauth
/files/static/
Forums /forums/oauth
/forums/serviceconfigs
/forums/static/
Home page /homepage/oauth
/homepage/search
/homepage/serviceconfigs
/homepage/static/
/homepage/web/updates/
Metrics /metrics/service/eventTracker
/metrics/service/oauth
/cognos/servlet
Moderation /moderation/app
/moderation/oauth
/moderation/static
News /help
/news/common/sand/static/
/news/follow/oauth
/news/microblogging/isPermitted.action
/news/oauth
/news/serviceconfigs
/news/sharebox/config.action
/news/static/
OAuth Provider /oauth2
Profiles /profiles/atom/forms/connections.do
/profiles/images
/profiles/oauth
/profiles/serviceconfigs
/profiles/static/
/profiles/widget-catalog
Search /search/atom/search
/search/oauth
/search/static/
URL Preview /connections/opengraph/form/anonymous/api/oembed
/connections/opengraph/basic/anonymous/api/oembed
/connections/opengraph/oauth/anonymous/api/oembed
/connections/thumbnail/api/imageProxy
Widget container /connections/opensocial/anonymous/rest
/connections/opensocial/common
/connections/opensocial/gadgets
/connections/opensocial/ic
/connections/opensocial/oauth
/connections/opensocial/rpc
/connections/opensocial/social
/connections/opensocial/xrds
/connections/opensocial/xpc
Wikis /wikis/basic/anonymous/api
/wikis/form/anonymous/api
/wikis/home
/wikis/js
/wikis/oauth
/wikis/static/

Map the Reader role in the Activities and Wikis applications All Authenticated in Application's Realm. See Roles.

On the SiteMinder Policy Server, create a domain for the Application Server Agent.

Add the following realm to the new WebSphere Application Server domain:

Realm name Protected resource
SM TAI Validation /siteminderassertion

Configure the Protected Resource of this realm to match the AssertionAuthResource parameter that you configured earlier for the Application Server Agent.
Make sure that SM TAI honors SM session-based cookies and the triggered LTPA cookies to be generated by WAS.

Set the timeout value of the session for each realm.

In the SiteMinder Policy Server, open the Realm Dialog and click Session.

In the Session Timeouts Group Box, enter timeouts for each realm. Enter the following values, if they are not already present:

Maximum Timeout Enabled

2 Hours 0 Minutes

Idle Timeout Enabled

1 Hours 0 Minutes

The maximum timeout and the idle timeout must be longer than the LTPA token timeout, which is defined in WebSphere Application Server. The LTPA token timeout is set to 120 minutes by default.

Install the Web Agent on IBM HTTP Server:

Download the latest version of the Web Agent from the CA website.

Install the Web Agent. For instructions, go to the SiteMinder BookShelf.

When we are prompted for the Agent Configuration details, specify the Agent Configuration Object that you created earlier.

Install the Application Server Agent on the WebSphere nodes:

Download the latest version of the Application Server Agent from the CA website.

Install the Application Server Agent on each node in your IBM Connections deployment. For instructions, see the SiteMinder Agent for WebSphere Agent Guide.

When we are prompted for the Agent Configuration details, specify the Agent Configuration Object that you created earlier.

Copy the smagent.properties file from the ASA installation conf folder to the WAS profile properties folder; for example: C:\program files\IBM\websphere\appserver\appsvr01\properties.
If Cognos is enabled, also copy the smagent.properties file to the properties folder of the WAS profile that hosts Cognos.

Configure Trust Association Interceptor on WAS.

From the administrative console for WAS, click Security > Global security.

Under Web and SIP security, click Trust association.

Click Enable Trust Association and then click Save.

Click Interceptors.

Delete any unused interceptors.
Do not delete the OAuth interceptor.

Click New and enter the following name for the new interceptor:
com.netegrity.siteminder.websphere.auth.SmTrustAssociationInterceptor

Add the following custom property under Global Security > Custom properties: com.ibm.websphere.security.performTAIForUnprotectedURI=true.

Click OK and then click Save.
Connections servers should be protected by both SM TAI and OAuth TAI. This is important for supporting the EE and Activities Stream features.

Restart WebSphere Application Server.

Create rewrite rules to remap Atom API requests. Open the IHS httpd.conf configuration file. The file is stored in the IHS_ROOT/conf directory. Add the following rules to the file:
RewriteCond %{REQUEST_URI} !^/blogs/oauth/roller-ui/rendering/(.*)
RewriteRule ^/blogs/oauth/(.*)/api/(.*) /blogs/oauth/roller-ui/rendering/api/$1/api/$2 [R,L]
RewriteCond %{REQUEST_URI} !^/blogs/oauth/roller-ui/rendering/(.*)
RewriteRule ^/blogs/oauth/(.*)/feed/tags/atom(.*) /blogs/oauth/roller-ui/rendering/feed/$1/tags/atom/ [R,L]
RewriteCond %{REQUEST_URI} !^/blogs/oauth/roller-ui/rendering/(.*)
RewriteRule ^/blogs/oauth/(.*)/feed/entries/atom(.*) /blogs/oauth/roller-ui/rendering/feed/$1/entries/atom/ [R,L]
RewriteCond %{REQUEST_URI} !^/blogs/oauth/roller-ui/rendering/(.*)
RewriteRule ^/blogs/oauth/(.*)/feed/comments/atom(.*) /blogs/oauth/roller-ui/rendering/feed/$1/comments/atom/ [R,L]
RewriteCond %{REQUEST_URI} !^/blogs/oauth/roller-ui/rendering/(.*)
RewriteRule ^/blogs/oauth/(.*)/feed/blogs/atom(.*) /blogs/oauth/roller-ui/rendering/feed/$1/blogs/atom/ [R,L]
RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
RewriteCond %{REQUEST_URI} !^/blogs/oauth/roller-ui/rendering/(.*)
RewriteRule ^/blogs/(.*)/api/(.*) /blogs/roller-ui/rendering/api/$1/api/$2 [R,L]
RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
RewriteCond %{REQUEST_URI} !^/blogs/oauth/roller-ui/rendering/(.*)
RewriteRule ^/blogs/(.*)/feed/tags/atom(.*) /blogs/roller-ui/rendering/feed/$1/tags/atom/ [R,L]
RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
RewriteCond %{REQUEST_URI} !^/blogs/oauth/roller-ui/rendering/(.*)
RewriteRule ^/blogs/(.*)/feed/entries/atom(.*) /blogs/roller-ui/rendering/feed/$1/entries/atom/ [R,L]
RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
RewriteCond %{REQUEST_URI} !^/blogs/oauth/roller-ui/rendering/(.*)
RewriteRule ^/blogs/(.*)/feed/comments/atom(.*) /blogs/roller-ui/rendering/feed/$1/comments/atom/ [R,L]
RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
RewriteCond %{REQUEST_URI} !^/blogs/oauth/roller-ui/rendering/(.*)
RewriteRule ^/blogs/(.*)/feed/blogs/atom(.*) /blogs/roller-ui/rendering/feed/$1/blogs/atom/ [R,L]
Do not close httpd.conf until after the next step.
Create rewrite rules that redirect URLs when users log out of Connections. Add the following rules to httpd.conf:
RewriteEngine On
RewriteCond %{REQUEST_URI} /(.*)/ibm_security_logout(.*)
RewriteCond %{QUERY_STRING} !=logoutExitPage=your_logout_url
RewriteRule /(.*)/ibm_security_logout(.*)
LogOffUri?logoutExitPage=your_logout_url [noescape,L,R]
where LogOffUri is the URL that you uncommented earlier. After logging out of Connections, the user's browser is directed to your_logout_url. This URL could be the corporate home page or the SiteMinder login page.
You must add these rules to both the HTTP and HTTPS entries.
The following example illustrates a typical portion of httpd.conf after you have implemented this step:
RewriteEngine on RewriteCond %{REQUEST_URI} /(.*)/ibm_security_logout(.*)
RewriteCond %{QUERY_STRING} !=logoutExitPage=http://corphome.myco.com
RewriteRule /(.*)/ibm_security_logout(.*)  /homepage/web/ibm_security_logout?logoutExitPage=http://corphome.myco.com [noescape,L,R]

RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
RewriteRule ^/blogs/(.*)/api/(.*) /blogs/roller-ui/rendering/api/$1/api/$2 [R,L]
RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
RewriteRule ^/blogs/(.*)/feed/tags/atom(.*) /blogs/roller-ui/rendering/feed/$1/tags/atom/ [R,L]
RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
RewriteRule ^/blogs/(.*)/feed/entries/atom(.*) /blogs/roller-ui/rendering/feed/$1/entries/atom/ [R,L]
RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
RewriteRule ^/blogs/(.*)/feed/comments/atom(.*) /blogs/roller-ui/rendering/feed/$1/comments/atom/ [R,L]
RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
RewriteRule ^/blogs/(.*)/feed/blogs/atom(.*) /blogs/roller-ui/rendering/feed/$1/blogs/atom/ [R,L]

#Connections Config for SSL LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
<IfModule mod_ibm_ssl.c>
Listen 0.0.0.0:443
<VirtualHost *:443>
ServerName connections.myco.com
SSLEnable RewriteEngine on RewriteCond %{REQUEST_URI} /(.*)/ibm_security_logout(.*)
RewriteCond %{QUERY_STRING} !=logoutExitPage=http://corphome.myco.com
RewriteRule /(.*)/ibm_security_logout(.*) /homepage/web/ibm_security_logout?logoutExitPage=http://corphome.myco.com [noescape,L,R]

RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
RewriteRule ^/blogs/(.*)/api/(.*) /blogs/roller-ui/rendering/api/$1/api/$2 [R,L]
RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
RewriteRule ^/blogs/(.*)/feed/tags/atom(.*) /blogs/roller-ui/rendering/feed/$1/tags/atom/ [R,L]
RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
RewriteRule ^/blogs/(.*)/feed/entries/atom(.*) /blogs/roller-ui/rendering/feed/$1/entries/atom/ [R,L]
RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
RewriteRule ^/blogs/(.*)/feed/comments/atom(.*) /blogs/roller-ui/rendering/feed/$1/comments/atom/ [R,L]
RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
RewriteRule ^/blogs/(.*)/feed/blogs/atom(.*) /blogs/roller-ui/rendering/feed/$1/blogs/atom/ [R,L]

</VirtualHost>
</IfModule>
SSLDisable 
Uncomment the LoadModule rewrite_module modules/mod_rewrite.so line in httpd.conf. This line is commented out by default. When the line is commented out, the web server will not start.
For configurations with Connections 4.5 CR1 or later installed, remove the following rewrite rules:
RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
RewriteRule ^/blogs/(.*)/api/(.*) /blogs/roller-ui/rendering/api/$1/api/$2 [R,L]
RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
RewriteRule ^/blogs/(.*)/feed/tags/atom(.*) /blogs/roller-ui/rendering/feed/$1/tags/atom/ [R,L]
RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
RewriteRule ^/blogs/(.*)/feed/entries/atom(.*) /blogs/roller-ui/rendering/feed/$1/entries/atom/ [R,L]
RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
RewriteRule ^/blogs/(.*)/feed/comments/atom(.*) /blogs/roller-ui/rendering/feed/$1/comments/atom/ [R,L]
From the SSL and non-SSL sections of the http.conf file, remove the following rewrite rule::
RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*)
RewriteRule ^/blogs/(.*)/feed/blogs/atom(.*) /blogs/roller-ui/rendering/feed/$1/blogs/atom/ [R,L] 
Save and close httpd.conf, restart the http server, and then verify the SiteMinder page displays when users access the http server.

Add a SiteMinder authenticator property to the Connections configuration by editing LotusConnections-config.xml.

Check out configuration file:

execfile("app_server_root/profiles/DMGR/bin/connectionsConfig.py")
If we are prompted to specify which server to connect to, enter 1.
LCConfigService.checkOutConfig("/tmp","cell_name")

where:

app_server_root is the WAS install directory

DMGR is the name of the dmgr profile. For example: Dmgr01

/tmp is the temporary working directory to which configuration XML and XSD files are copied while you edit them. Use forward slashes to separate directories, even with Windows.

cell_name is the name of the WAS cell hosting the Connections application. This argument is case sensitive. If we do not know the cell name, execute the following command in the wsadmin client to determine it:

print AdminControl.getCell()

For example:
LCConfigService.checkOutConfig("c:/temp","foo01Cell01")

Update the custom authenticator values by ...

Configure the custom authenticator to support server-to-server authentication for SiteMinder:
LCConfigService.updateConfig("customAuthenticator.name",
"SiteMinderAuthenticator")

Set the value of the custom.authenticator.cookieTimeout parameter to be equal to or less than the maximum timeout and idle timeout values that you configured earlier.
If the parameter does not already exist in LotusConnections-config.xml, create it. Open the file in a text editor and add the parameter to the customAuthenticator element. Specify the timeout value in minutes.
LCConfigService.updateConfig("customAuthenticator.CookieTimeout","timeout"
where timeout is a value in minutes that is less than or equal to the SiteMinder timeout values.

When the production environment is ready, set the AllowSelfSignedCerts parameter to false.
If the parameter does not already exist in LotusConnections-config.xml, create it. Open the file in a text editor and add the parameter to the customAuthenticator element.

Check LotusConnections-config.xml back in ...
LCConfigService.checkInConfig()

Restart the Connections deployment.

Stop IBM Connections servers, node agents, and deployment manager.

Start the deployment manager and nodes.

Allow time for the nodes to synchronize, and for the updated LotusConnections-config.xml file to be copied to each node.

Start IBM Connections.
What to do next
Advise the users to close all browser windows when they log out of Activities. This precaution avoids potential security problems that could arise because the SiteMinder session cookie in a browser window might still be updating while a user is logging out from a different browser window.

Parent topic:
Configure single sign-on

Related:

Security

Related:

Change references to administrative credentials
Enable single sign-on for standalone LDAP
Configure the AJAX proxy
Related information:

CA SiteMinder Web Access Manager Agent for WebSphere

Application	Protected URL resource
ConnectionsDefaultRealm	/
Activities	/activities/follow/atomfba /activities/service/atom2/forms /activities/service/atom2/communityEvent /activities/service/download/forms /activities/service/getnonce/forms
Blogs	/blogs/api_form /blogs/atom_form /blogs/follow/atomfba /blogs/roller-ui/blog /blogs/roller-ui/feed_form /blogs/roller-ui/rendering/api_form /blogs/roller-ui/rendering/feed_form /blogs/services/atom_form
Bookmarks	/dogear/atom_fba
Common resources	/connections/opensocial/rest
Communities	/communities/calendar/atom_form /communities/follow/atomfba /communities/forum/service/atom/forms /communities/recomm/ajax /communities/recomm/atom_form /communities/service/atom/forms
Files	/files/follow/atomfba /files/form/cmis/repository
Forums	/forums/atom/forms /forums/follow/atomfba
Metrics	/metrics /cognos
Profiles	/profiles/atom/forms /profiles/atom2/forms /profiles/follow/atomfba
URL Preview	/connections/opengraph/form/api/oembed /connections/thumbnail/form/api/imageProxy
Wikis	/wikis/follow/atomfba

Application	Protected URL resource
Activities	/activities/follow/atom /activities/service/download /activities/service/html/autocompleteactivityname /activities/service/html/autocompleteentryname /activities/service/html/autocompletemembers /activities/service/atom /activities/service/getnonce
Blogs	/blogs/api /blogs/atom /blogs/follow/atom /blogs/issuecategories /blogs/roller-ui/BlogsWidgetEventHandler.do /blogs/roller-ui/feed /blogs/roller-ui/rendering/api /blogs/roller-ui/rendering/feed /blogs/services/atom
Bookmarks	/dogear/api/app /dogear/api/deleted /dogear/api/notify /dogear/atom
Common resources	/connections/opensocial/basic/rest
Communities	/communities/calendar/atom /communities/calendar/handleEvent /communities/calendar/ical /communities/follow/atom /communities/forum/service/atom /communities/recomm/atom /communities/recomm/handleEvent /communities/service/atom /communities/service/json
Files	/files/basic/api /files/basic/cmis /files/basic/opensocial /files/follow/atom
Forums	/forums/atom /forums/follow/atom
Home page	/homepage/atom/search /homepage/atom/mysearch
Metrics	/cognos/servlet/ping Required for Connections 4.5, CR3 only.
News	/news/atom/service /news/atom/stories/newsfeed /news/atom/stories/public /news/atom/stories/saved /news/atom/stories/statusupdates /news/atom/stories/top /news/atom/watchlist /news/atomfba/stories/public
Profiles	/profiles/atom /profiles/atom2 /profiles/audio.do /profiles/follow/atom /profiles/json /profiles/photo.do /profiles/vcard
URL Preview	/connections/opengraph/basic/api/oembed /connections/thumbnail/basic/api/imageProxy
Wikis	/wikis/basic/api /wikis/follow/atom

GetPostPutDelHead rule	OnAuthAccept rule
Realm: CurrentRealm	Realm: CurrentRealm
Resource: * (not /*)	Resource: * (not /*)
Action: Web Agent actions -> Get,Post,Put,Delete,Head	Action: Authentication events -> OnAuthAccept
When this Rule fires: Allow Access	When this Rule fires: Allow Access
Enable or Disable this Rule: Enabled	Enable or Disable this Rule: Enabled

Application	Unprotected URL resource
Activities	/activities/auth /activities/images /activities/oauth /activities/service/html/images /activities/service/html/mainpage /activities/service/html/styles /activities/service/html/themes /activities/service/html/servermetrics /activities/service/html/serverstats /activities/serviceconfigs /activities/static/
Blogs	/blogs/oauth /blogs/serviceconfigs /blogs/static/
Bookmarks	/dogear/oauth /dogear/peoplelike /dogear/serviceconfigs /dogear/static/
Common resources	/connections/bookmarklet/tools/blet.js /connections/bookmarklet/tools/discussThis.js /connections/bookmarklet/tools/rlet.js /connections/core/oauth /connections/oauth /connections/resources/ic /connections/resources/socmail-client /connections/resources/socpim /connections/resources/web /nav/common
Communities	/communities/calendar/Calendar.xml /communities/calendar/oauth /communities/comm.widget /communities/images /communities/nav /communities/recomm/oauth /communities/recomm/Recomm.xml /communities/resourceStrings.do /communities/service/atom/oauth /communities/service/html/communityview /communities/service/html/community/autoCompleteMembers.do /communities/service/html/singleas /communities/service/opensocial/oauth /communities/serviceconfigs /communities/static/ /communities/stylesheet /communities/tools/embedAS.html /communities/widgets
Content Manager	/wsi /acce /dm
Files	/files/app /files/basic/anonymous/api /files/basic/anonymous/cmis /files/basic/anonymous/opensocial /files/form/anonymous/api /files/form/anonymous/cmis /files/form/anonymous/opensocial /files/oauth /files/static/
Forums	/forums/oauth /forums/serviceconfigs /forums/static/
Home page	/homepage/oauth /homepage/search /homepage/serviceconfigs /homepage/static/ /homepage/web/updates/
Metrics	/metrics/service/eventTracker /metrics/service/oauth /cognos/servlet
Moderation	/moderation/app /moderation/oauth /moderation/static
News	/help /news/common/sand/static/ /news/follow/oauth /news/microblogging/isPermitted.action /news/oauth /news/serviceconfigs /news/sharebox/config.action /news/static/
OAuth Provider	/oauth2
Profiles	/profiles/atom/forms/connections.do /profiles/images /profiles/oauth /profiles/serviceconfigs /profiles/static/ /profiles/widget-catalog
Search	/search/atom/search /search/oauth /search/static/
URL Preview	/connections/opengraph/form/anonymous/api/oembed /connections/opengraph/basic/anonymous/api/oembed /connections/opengraph/oauth/anonymous/api/oembed /connections/thumbnail/api/imageProxy
Widget container	/connections/opensocial/anonymous/rest /connections/opensocial/common /connections/opensocial/gadgets /connections/opensocial/ic /connections/opensocial/oauth /connections/opensocial/rpc /connections/opensocial/social /connections/opensocial/xrds /connections/opensocial/xpc
Wikis	/wikis/basic/anonymous/api /wikis/form/anonymous/api /wikis/home /wikis/js /wikis/oauth /wikis/static/