IBM Support

Configuring single sign-on for IBM Content Navigator by using Layer7 SiteMinder (Formerly CA Single Sign-On) on WebSphere Application Servers

How To


Summary

This document contains the step-by-step instructions for configuring single sign-on (SSO) for IBM Content Navigator using Layer7 SiteMinder (formerly CA Single Sign-On) on IBM WebSphere Application Servers.

Steps

The steps in this document are for guidance only. The steps to successfully configure single sign-on for IBM Content Navigator using Layer7 SiteMinder might be different in your environment. Talk to your web application server administrator to determine if you need to modify the steps based on the application server and single sign-on implementation at your site.

To configure single sign-on (SSO) between SiteMinder and IBM Content Navigator on a WebSphere Application Server:

  1. Configure your SSO environment
    1. Install and configure the SiteMinder Policy Server
    2. Install and configure the SiteMinder Web Agent
    3. Install and configure the SiteMinder Application Server Agent for WebSphere
  2. Verify your SSO configuration
  3. Configure and deploy IBM Content Navigator with SiteMinder SSO

At the end of this document is a section on Troubleshooting.

Before you begin

Ensure that you have the appropriate prerequisite software installed and configured in your environment.

  • Install and configure an IBM Content Navigator repository, such as IBM P8 Content Platform Engine.
  • It is advisable to install and configure IBM Content Navigator in a non-SSO environment and verify functionality before configuring it with SiteMinder SSO.
  • Make sure the SiteMinder SSO environment is configured to use fully qualified names.

Important:

The following applications and components that might be part of your environment do not support SiteMinder single sign-on, but can work in an environment that is configured with SiteMinder single sign-on:

  • IBM Content Navigator Task Manager services
  • IBM Content Navigator Sync client and sync services
  • IBM Content Navigator for Microsoft Office (NMO)

For the latest support information, see the IBM Content Navigator Software Product Compatibility Report. Use the following web site to generate the appropriate report:

http://www.ibm.com/software/reports/compatibility/clarity/index.html

Step 1 - Configure your SSO environment

To configure the SSO environment for IBM Content Navigator, install and configure the following SiteMinder components:

  • SiteMinder Policy Server
  • SiteMinder Web Agent
  • SiteMinder Application Server Agent for WebSphere

The following sections include the high-level steps for installing and configuring the SiteMinder components.

This TechNote includes links to SiteMinder components based on Release 12.8 documentation as an example only. Refer to the Broadcom Technical Documentation for installation and configuration instructions for your version of SiteMinder:

https://techdocs.broadcom.com/us/product-content/recommended-reading/technical-document-index/ca-siteminder-informational-documentation-index.html

Step 1a - Install and configure the SiteMinder Policy Server

To install the Policy Server, refer to https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/installing/install-a-policy-server.html for instructions.

Step 1b - Install and configure the SiteMinder Web Agent

To install and configure the SiteMinder Web Agent, refer to the Web Agent Documentation on the Broadcom Technical Documentation site.

This TechNote includes links to the documentation for installing and configuring SiteMinder Web Agent for version 12.52 SP1 on Apache-based web servers:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-52-01/installing/install-agents/web-agent-for-apache.html

Important:

  • Register the web server as a trusted host before you configure the SiteMinder Web Agent.
  • When configuring the SiteMinder Web Agent on a Policy server, set the following parameters with the values shown. Other parameters can be modified per your system requirements.
    • DefaultAgentName – Type in the name of the agent created for the web server.
    • SecureApps – Edit the #SecureApps entry, delete the leading #, and set the value to No.
    • CookieDomain – Enter the network domain in which the web agent for the web server is running. Include a leading period, for example: .gcbi.com.au.
    • UseHTTPOnlyCookies – Edit the #UseHTTPOnlyCookies entry, delete the leading #, and set the value to No.
    • ProxyAgent – Set to Yes if your web server is configured as a proxy server.

The following authentication schemes are supported by IBM Content Navigator:

  • Basic
  • HTML Form template

When creating a realm for the IBM Content Navigator web server, use the following settings for the Resource:

  • Agent – Default agent name for the web server created earlier
  • Resource Filter - /navigator
  • Default Resource Protection – Protected
  • Authentication Scheme – Basic or HTML Form

When creating a Rule for the IBM Content Navigator web server, use the following settings:

  • Resource - set it to *
  • Allow Access
  • Web Agent actions: GET, POST, HEAD, PUT, DELETE

Step 1c - Install and configure the SiteMinder Application Server Agent for WebSphere

The SiteMinder Agent for IBM WebSphere resides in a WebSphere Application Server and enables you to extend the SiteMinder environment to protect WebSphere-hosted resources (specifically resources in the Web and EJB containers).

Install the SiteMinder Application Server Agent (ASA) for WebSphere on the web application server where you plan to install IBM Content Navigator.

Highly available cluster systems: If WebSphere Application Server is not installed in the same directory on the Deployment Manager and on each node in the cluster, you must create an agent configuration object for each node in the cluster. If WebSphere Application Server is installed in the same directory on each node in the cluster, you can use the same agent configuration object for all of the nodes in the cluster.

If the nodes in a horizontal cluster each reside on their own server, you must install the ASA on each node.

For more detailed instructions, refer to the CA SiteMinder for IBM WebSphere Agent Guide (R12.0 SP2).

Important:

  • Register your ASA server as a trusted host before you configure SiteMinder ASA for WebSphere.
  • When configuring ASA on a Policy server, use the following parameters on your ASA configuration object. You can modify other parameters according to your system requirements.
    • DefaultAgentName – type in the name of the agent created for the application server agent
    • ChallengeForCredentials - set to Yes
    • RequireCookies – set to Yes
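
The parameter values listed for the Web Agent in Step 1b and for the ASA above can be checked mechanically before you move on to verification. The following Python script is an added example, not IBM or Broadcom code; it assumes the agent configuration parameters have been copied into text of Name="value" lines in which a leading # marks a disabled entry, and the agent names and domain in the samples are constructed placeholders. ProxyAgent is not checked because its value depends on whether the web server acts as a proxy.

```python
import re

# Values this TechNote gives; None means "must be set, any value".
WEB_AGENT = {"DefaultAgentName": None, "SecureApps": "no",
             "CookieDomain": None, "UseHTTPOnlyCookies": "no"}
ASA = {"DefaultAgentName": None, "ChallengeForCredentials": "yes",
       "RequireCookies": "yes"}

# Assumed export format: Name="value" per line, '#' prefix = disabled entry.
LINE = re.compile(r'^\s*(#?)\s*(\w+)\s*=\s*"?([^"]*)"?\s*$')

def parse(text):
    """Split Name=Value lines into (active, commented-out) dictionaries."""
    active, commented = {}, {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            (commented if m.group(1) else active)[m.group(2)] = m.group(3).strip()
    return active, commented

def check(text, required):
    """Return a list of deviations from the values the TechNote specifies."""
    active, commented = parse(text)
    findings = []
    for name, want in required.items():
        if name not in active:
            why = "still commented out with '#'" if name in commented else "missing"
            findings.append(f"{name}: {why}")
        elif not active[name]:
            findings.append(f"{name}: empty")
        elif want and active[name].lower() != want:
            findings.append(f"{name}: is {active[name]!r}, expected {want.capitalize()!r}")
    domain = active.get("CookieDomain", "")
    if "CookieDomain" in required and domain and not domain.startswith("."):
        findings.append(f"CookieDomain: {domain!r} lacks the leading period")
    return findings

# Constructed samples; agent names and domain are placeholders.
WEB_SAMPLE = '''DefaultAgentName="icn-web-agent"
#SecureApps="Yes"
CookieDomain="example.com"
UseHTTPOnlyCookies="Yes"'''
ASA_SAMPLE = '''DefaultAgentName="icn-asa-agent"
ChallengeForCredentials="Yes"
RequireCookies="yes"'''

if __name__ == "__main__":
    for label, text, req in (("Web Agent", WEB_SAMPLE, WEB_AGENT), ("ASA", ASA_SAMPLE, ASA)):
        for finding in check(text, req) or ["matches the TechNote"]:
            print(f"{label}: {finding}")
```

The Web Agent sample is deliberately wrong in three places, so the script reports the commented-out SecureApps entry, the UseHTTPOnlyCookies value, and the CookieDomain without a leading period; the ASA sample passes.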

When creating a realm for IBM Content Navigator ASA, use the following settings for the Resource:

  • Agent – Default agent name for web server created earlier
  • Resource Filter - /navigator
  • Default Resource Protection – Protected
  • Authentication Scheme – Basic or HTML Form

When creating a Rule for the IBM Content Navigator web server, use the following settings:

  • Resource - set it to /*
  • Allow Access
  • Web Agent actions: GET, POST, HEAD, PUT, DELETE

Step 2 - Verify your SSO configuration

To verify that SiteMinder SSO is configured correctly on your system, use a snoop servlet. See Chapter 6 in the CA SiteMinder for IBM WebSphere Agent Guide for details.

Step 3 - Configure and deploy IBM Content Navigator with SiteMinder SSO

After you configure your environment for SSO, install and deploy IBM Content Navigator.

Tip: Install and configure IBM Content Navigator in a non-SSO environment first to verify functionality before configuring ICN with SiteMinder SSO.

For the exact details, refer to the IBM Content Navigator Knowledge Center.

  • Prerequisites

    Complete all the tasks in the Installing IBM Content Navigator topic in the Knowledge Center. Install the IBM Content Navigator software, but do not configure or deploy the IBM Content Navigator web application. Do not undeploy the IBM Content Navigator software if it was previously deployed in a non-SSO configuration.

  • Procedure

    To configure IBM Content Navigator for SSO using SiteMinder:

    1. Run the IBM Content Navigator Configuration and Deployment Tool. Create a new deployment on a WebSphere Application Server or modify an existing deployment.
    2. Run all the configuration and deployment tasks that apply to your system.

      Important: When you run the Configure the IBM Content Navigator Web Application task, ensure you select Application server authentication for the IBM Content Navigator authentication option. This option configures IBM Content Navigator for SiteMinder SSO.

    3. Restart the application server where IBM Content Navigator is deployed.

      Highly available cluster systems: Restart the IBM Content Navigator cluster, the web server, and the node agent for each node in the cluster.

Troubleshooting

Errors in Asynchronous Tasks

If you receive an error in relation to "connecting to the repository" and "administrator credentials" in Asynchronous Tasks when deleting teamspaces, use the instructions in the following Content Navigator knowledge center topic to resolve the issue:

https://www.ibm.com/support/knowledgecenter/en/SSEUEX_3.0.7/com.ibm.installingeuc.doc/eucin019.htm

Also make sure there is no LTPA cookie name mismatch between Task Manager and what is configured in WebSphere. If you do notice errors related to the LTPA cookie name, change the name in Global security > Single sign-on (SSO) in the WebSphere console.

Document Location

Worldwide

Document Information

Modified date:
31 January 2020

UID

ibm11171660