
Secure and seamless integration of iNotes, Sametime and Quickr

This tip will outline how to configure SSL and SSO on a Domino server so that when a user logs into their iNotes client, they're also automatically and securely logged into Sametime and Quickr. I highly recommend reviewing how to configure SSL in your Notes/Domino environment with a separate CA first, as this article will examine how to use a working SSL certificate and SSO to perform the aforementioned process.

Get SSL working first

Once you have your SSL certificate and get it merged correctly, use the following steps to configure your server to use the certificate for secure HTTP/HTTPS communication.

Note: These steps assume that this is for a single site and that you're not using Internet Site documents. It also assumes that either an unlimited subdomain was acquired for all servers or that individual SSL certificates were purchased for each server involved in this setup.

  1. Copy the KYR and STH file for the SSL certificate to the DATA directory on the server.
  2. Open the server document for the server that SSL will be enabled on and edit the document.
  3. Go to the Ports tab, then the Internet Ports sub-tab.
  4. At the top (SSL key file name) specify the full name (not full path) of the KYR file you copied to the Domino server.
  5. Specify any other SSL settings you want for this SSL configuration, then click Save & Close.

For the new SSL configuration to work, you must restart the HTTP task on your server. Once you've restarted the HTTP task, test it by connecting to a database using an HTTPS URL.

Configure SSO for this and other servers in your domain

There are three main steps to configuring SSO on a server:

  1. Configure server(s) to manage HTTP from Internet Site documents

    To configure a server to use the Internet Site documents is as easy as editing the Server Document. On the Basics tab there is a field called Load Internet configuration from Server\Internet Site documents. Set that field to Enabled.

    Note: When configuring your server, there are a few things you should be aware of. After you make this change, go to the Ports > Internet Ports tab and look at the Web sub tab: many of the settings are now hidden, because they're no longer driven off of the Server document and instead need an Internet Site document to handle them. Likewise, go to Internet Protocols > HTTP and you'll see the same thing: missing options. The Internet Protocols > Domino Web Engine tab now has hidden fields as well.

    To summarize, making this change will impact the server's HTTP configuration where the change is made. That's where the Internet Site documents come in.

  2. Establish an SSO Site Document for your Domino domain

    First you need to configure a special Internet Site document for the SSO configuration, as it will be used by each of the other Internet Site documents for SSO. In order to create this document, use the Create Web SSO Configuration action button in the Internet Sites view of your Domino Directory. There's only one page that needs to be filled out on this document for it to work.

    The following recommendations are based on the idea that you'll be using Domino as the Authentication Authority:

    | Setting | Default | Recommendation |
    |---|---|---|
    | Configuration | LtpaToken | LtpaToken |
    | Organization | Null | The Domino organization unit from your Notes names |
    | DNS Domain | Null (will change after the organization is entered) | Your proper DNS domain (company.com) |
    | Map names in LTPA tokens | Disabled | Disabled |
    | Require SSL protected communication (HTTPS) | Disabled | Enabled, provided everything is already secured with SSL |
    | Restrict use of the SSO token to HTTP/HTTPS | Disabled | Enabled, if all communications to this server that require authentication go over HTTP/HTTPS |
    | Domino server names | Null | Select every server using the SSO feature; in this example the three servers are your iNotes, Sametime and Quickr servers |
    | Windows single sign-on integration (if available) | Disabled | Disabled |
    | Expiration (minutes) | 30 | This is the total life of the token, not an inactivity timeout. Make it as long as a user is likely to work in a day (600 minutes or so), then use the next two settings to handle inactivity |
    | Idle session timeout | Unchecked | Check Enabled. If the user is inactive for the number of minutes given in the following setting, the token is ended and the user has to log in again |
    | Minimum timeout (minutes) (only shown if Idle session timeout is Enabled) | Null | Whatever idle timeout you want; a common setting seems to be 60 minutes |

  3. Create Internet Site documents for the servers and configure them to use SSO for authentication

    Thus far we've configured all the involved servers to use Internet Site documents for their configuration. We've also created our SSO configuration document for this domain, so that these servers can share log-in credentials. This final step is the most critical: we need to ensure that each of the Internet Site documents is configured for SSO.

    First, create Web Site Internet Site document(s) for the iNotes, Sametime and Quickr servers. Add them from the Web navigator/outline in the Domino Directory, then select the Internet Sites sub navigator/outline.

    Configure the following HTTP/HTTPS communications-related items with your Domino server:

    • Mapping rules
    • File system compression settings
    • Domino Web Engine settings removed from the server document
    • HTTP/HTTPS security settings that were removed from the server document

    These documents need to be created for each server involved in SSO. You may need one for the iNotes server, one for the Sametime server and one for the Quickr server.
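The Expiration setting in the Web SSO Configuration document above is the lifetime of the LtpaToken itself, and every server listed in that document trusts the token only because it shares the same secret. The following Python example, written for this tip and not part of the original article or of Domino, mints and verifies a Domino-style LTPA v1 token (4-byte header, creation and expiration times as hex text, user name, then a SHA-1 over the body plus the shared secret) so you can see what a 600-minute expiration means on the wire and why a token from a server with a different secret, or a token whose user name was altered, is rejected. The secret, the user name and the issue time are constructed for the example; a real secret lives only in the SSO document.

```python
import base64
import hashlib
import hmac

# Domino-style LTPA v1 token layout (the format IBM published for interoperability):
#   4-byte header 00 01 02 03
#   8 ASCII hex chars: creation time (seconds since the epoch)
#   8 ASCII hex chars: expiration time (seconds since the epoch)
#   user name (variable length)
#   20-byte SHA-1 of everything above followed by the shared LTPA secret
LTPA_HEADER = b"\x00\x01\x02\x03"
DIGEST_LEN = 20

# Constructed for this example only; a real secret is never embedded in code.
EXAMPLE_SECRET = b"constructed-shared-secret-not-real"


def build_ltpa_token(user: str, created: int, lifetime_minutes: int, secret: bytes) -> str:
    """Mint a token the way a server in the SSO domain would (lifetime = Expiration setting)."""
    expires = created + lifetime_minutes * 60
    body = (LTPA_HEADER
            + f"{created:08X}".encode("ascii")
            + f"{expires:08X}".encode("ascii")
            + user.encode("utf-8"))  # assumption: UTF-8 for the user name
    digest = hashlib.sha1(body + secret).digest()
    return base64.b64encode(body + digest).decode("ascii")


def parse_ltpa_token(token: str, secret: bytes) -> dict:
    """Decode a token and verify its signature; raise ValueError on any problem."""
    raw = base64.b64decode(token)
    if len(raw) < len(LTPA_HEADER) + 16 + DIGEST_LEN or raw[:4] != LTPA_HEADER:
        raise ValueError("not an LTPA v1 token")
    body, digest = raw[:-DIGEST_LEN], raw[-DIGEST_LEN:]
    expected = hashlib.sha1(body + secret).digest()
    # Constant-time comparison: a wrong secret or any tampering with the body fails here.
    if not hmac.compare_digest(digest, expected):
        raise ValueError("signature mismatch: token was altered or issued with a different secret")
    created = int(body[4:12], 16)
    expires = int(body[12:20], 16)
    return {
        "user": body[20:].decode("utf-8"),
        "created": created,
        "expires": expires,
        "lifetime_minutes": (expires - created) // 60,
    }


def token_is_valid(token: str, secret: bytes, now: int) -> bool:
    """True only if the signature checks out and 'now' lies inside the validity window."""
    try:
        fields = parse_ltpa_token(token, secret)
    except ValueError:
        return False
    return fields["created"] <= now < fields["expires"]


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed issue time
    tok = build_ltpa_token("CN=Jane Doe/O=Acme", issued, 600, EXAMPLE_SECRET)
    print(parse_ltpa_token(tok, EXAMPLE_SECRET))
    print("valid after 5 hours:", token_is_valid(tok, EXAMPLE_SECRET, issued + 5 * 3600))
    print("valid after 11 hours:", token_is_valid(tok, EXAMPLE_SECRET, issued + 11 * 3600))
```

Note that the token carries no idle-time information at all: the idle session timeout from the table is enforced server-side, which is why the tip tells you to rely on those two settings for inactivity rather than on a short Expiration value.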

Basics tab

| Setting | Default | Recommendation |
|---|---|---|
| Descriptive name for this site | Null | Whatever you want to identify it. I used IM Server, iNotes Server and Quickr Server. |
| Organization | Null | The same organization name you put in the SSO document in the previous step. |
| Use this website to handle requests | No | Leave as No unless this is the "default" Site document for your entire Domino environment. |
| Host names or addresses mapped to this site | Null | Use the FQDN and/or the IP address(es) for this server. |
| Domino servers that host this site | * | You can set a limited list of servers or leave * for all Domino servers in your domain. |

Configuration tab

Make sure the settings are appropriate for the server you're configuring the Internet Site document for. These fields are normally on the Server document, under the Internet Protocols tab, on the HTTP sub tab. Remember that the areas become hidden once you configure a server to use the Internet Site documents.

Domino Web Engine tab

The settings on this tab were originally found on the Server document under the Internet Protocols tab and the Domino Web Engine sub tab. For the sake of this discussion, only the top four fields are important. This is where we tell the server using this Internet Site document to use SSO for cross server authentication.

| Setting | Default | Recommendation |
|---|---|---|
| Session Authentication | Disabled | Multiple Servers (SSO) |
| Web SSO Configuration | Null | LtpaToken (unless you named it something else in an earlier step, in which case whatever you named the token) |
| Force Login on SSL | No | Depends on your needs. If you host Anonymous as well as Authenticated apps, it's probably best to leave this as No. If all apps are Authenticated and SSL is configured, Yes may be the better choice, as it forces all SSL communications to require a login. |
| When overriding session authentication, generate session cookie | Yes | Leave as Yes. |

Security tab

These settings were originally found on the Server document under the Ports tab, then the Internet Ports sub tab. For the sake of this discussion, the settings that matter here pertain to SSL. Make certain that the Key file name field under the SSL Options section points to the appropriate KYR file. In the SSL Authentication section just above SSL Options, also make sure that the appropriate settings for SSL authentication have been set.
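Once the Internet Site documents are in place, the quickest way to confirm the whole chain (Session Authentication set to Multiple Servers, the DNS Domain from the SSO document, and Require SSL protected communication) is to look at the Set-Cookie header the iNotes server returns after a login. The following Python example is added for this tip and is not part of the original article or of Domino: it takes a captured response (two constructed responses are embedded here with placeholder token values), pulls out the LtpaToken cookie and reports the things that break or weaken SSO: a missing cookie, a Domain attribute that does not match the SSO document's DNS domain (so Sametime and Quickr would never receive the token), a missing Secure flag when SSL is required, and a missing HttpOnly flag. The cookie name, domain and header layout are assumptions you would adjust to your own capture.

```python
from http.cookies import CookieError, SimpleCookie

# Constructed responses standing in for what a browser receives after logging in.
# Token values are placeholders, not real LtpaTokens.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Lotus-Domino\r\n"
    "Set-Cookie: LtpaToken=AAECAwPLACEHOLDER; Domain=.otherdomain.com; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Lotus-Domino\r\n"
    "Set-Cookie: LtpaToken=AAECAwPLACEHOLDER; Domain=.company.com; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
NO_COOKIE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Lotus-Domino\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def set_cookie_headers(raw_response: str) -> list:
    """Return the values of every Set-Cookie header in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the status line
    return [line.split(":", 1)[1].strip()
            for line in lines if line.lower().startswith("set-cookie:")]


def audit_ltpa_cookie(raw_response: str, dns_domain: str,
                      require_ssl: bool = True, cookie_name: str = "LtpaToken") -> list:
    """Return a list of findings; an empty list means the SSO cookie looks right."""
    morsel = None
    for header in set_cookie_headers(raw_response):
        jar = SimpleCookie()
        try:
            jar.load(header)
        except CookieError:
            continue  # unparsable header: not the cookie we are looking for
        if cookie_name in jar:
            morsel = jar[cookie_name]
    if morsel is None:
        return [f"{cookie_name} cookie not set: SSO will not carry over to the other servers"]

    findings = []
    # The browser only sends the cookie to hosts under this Domain, so it must be
    # the DNS Domain from the Web SSO Configuration document.
    got = morsel["domain"].lstrip(".").lower()
    want = dns_domain.lstrip(".").lower()
    if got != want:
        findings.append(f"Domain is '{morsel['domain'] or '(host only)'}' but the SSO "
                        f"document uses '{dns_domain}': Sametime/Quickr will not get the token")
    # With 'Require SSL protected communication' the token should never travel in clear.
    if require_ssl and not morsel["secure"]:
        findings.append("Secure flag missing: the token can be sent over plain HTTP")
    if not morsel["httponly"]:
        findings.append("HttpOnly flag missing: the token is readable by page scripts")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("good", GOOD_RESPONSE),
                        ("none", NO_COOKIE_RESPONSE)):
        print(label, audit_ltpa_cookie(resp, "company.com"))
```

To use it on your own environment, capture the login response with your browser's developer tools or a proxy you control, paste the header block in place of one of the constructed strings, and pass the DNS Domain you entered in the SSO document.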

About the author: Michael "Mike" Kinder is a senior application developer and administrator with over 15 years of experience in the Lotus Notes/Domino environment, including work with BlackBerry, Barracuda, Sametime, Quickr, and integration with other systems. He is hard at work on the e-Mail Assistant. Mike can be reached at mkinder@acadiasolutions.com.

This was first published in May 2010
