Brief introduction
Parts 5 and 6 of the Employee Workspace series describe how to create a Document Management portlet to access DB2 Content Manager. However, those two parts do not discuss authentication in detail. This article briefly discusses the authentication method implemented in the Document Management portlet and shows how to use a different authentication method to implement single sign-on.
System environment
The following products are used in this article:
Lotus Workplace for Multiplatforms Version 2.01
IBM DB2 Content Manager for Multiplatforms Version 8.2
IBM DB2 Information Integrator for Content Version 8.2
IBM WebSphere Application Server Version 5.1
IBM WebSphere Studio Application Developer Version 5.1.2
IBM Portal Toolkit Version 5.0.2
IBM DB2 Universal Database Enterprise Version 8.1
The main difference between the system environment in this article and the environment used in the Employee Workspace series is that we are using Lotus Workplace 2.01 rather than WebSphere Portal Server 5.0. Lotus Workplace Server 2.0.1 is an application server running on top of WebSphere Portal Server 5.0. It provides an integrated enterprise working environment that allows users to manage messages, send instant messages, and run portlet applications. Migrating the Document Management portlet to Lotus Workplace does not require any code modification.
All user information is stored in an LDAP user registry so that the user information in Lotus Workplace and DB2 Content Manager stays synchronized. This is required by the authentication method used in this article.
Credential Vault
The DB2 Content Manager server is integrated with the portlets as a back-end server, so when you use a portlet to access DB2 Content Manager, you must authenticate to that server. One way to authenticate is to use the DB2 Content Manager API with a username and password. When connecting to the DB2 Content Manager server, the portlet must either prompt the user for a username and password or use a username and password stored in the portlet.
The Document Management portlet stores credentials, such as user names and passwords, in the portlet's Credential Vault. Credentials are maintained by each user in the portlet and must be kept synchronized with the user registry. This hides some of the complexity of logging on to DB2 Content Manager from the user.
However, this approach has some drawbacks. First, the portlet must provide users with a user interface for maintaining their DB2 Content Manager credentials. Second, when the portlet and the DB2 Content Manager server share the same user registry server, it is inconvenient for users to manually keep the vaulted credentials synchronized with the user registry. Finally, it exposes credentials as user names and passwords, which may introduce security flaws.
To avoid these pitfalls, you can use the Lightweight Third-Party Authentication (LTPA) token method discussed below to provide a single sign-on feature.
LTPA token
You can use the LTPA token to provide single sign-on between servers. When you configure the WebSphere Application Server on which the Lotus Workplace server runs to use the LTPA token for single sign-on, the LTPA token (a cookie) contains the credentials of the authenticated user.
In addition to connecting to the DB2 Content Manager server's Java APIs with a username and password, the DB2 Information Integrator for Content Java API also provides a non-visual bean that can connect to the DB2 Content Manager server using the LTPA token as the authentication credential. With the non-visual bean, users do not have to maintain their credentials manually, and credentials are not exposed as user names and passwords. However, this requires both Lotus Workplace and DB2 Content Manager to accept the LTPA token for single sign-on.
Configure Lotus Workplace and DB2 Content Manager
Lotus Workplace 2.0.1
As mentioned above, the Lotus Workplace server runs on top of WebSphere Portal Server, which in turn runs on WebSphere Application Server. To configure single sign-on for the Lotus Workplace server, you need to enable single sign-on on the WebSphere Application Server. For detailed instructions, see the section "Configuring Lotus Workplace products for seamless authentication" in the Lotus Workplace Information Center (see Resources).
DB2 Content Manager 8.2
To integrate with Lotus Workplace using the single sign-on feature, you must use the Content Manager System Administration Client to perform the following configuration on the DB2 Content Manager server: