IBM software customers increasingly require seamless interoperability with third-party software already deployed in their IT and security infrastructure. Netegrity SiteMinder is one such third-party product that customers often deploy. SiteMinder is a security product that provides identity management across the whole organization and controls access to enterprise information assets. It provides single sign-on (SSO) within a domain and across multiple domains, simplifying access to applications spread across multiple Web and application servers and multiple operating systems. It also provides policy-based, centralized control of user authentication and access management. (For more information about using SiteMinder with IBM/Lotus products, see the developerWorks: Lotus article "Netegrity SiteMinder authentication with Domino Document Manager 7".)
This article outlines one way to integrate Sametime 6.5x servers with SiteMinder 5.5, using the Basic authentication scheme configured on the SiteMinder Policy Server to provide single sign-on for the Sametime server components. Remember that there are many other ways to integrate a Sametime 6.5x server with SiteMinder 5.5; in this article, we deal with only one of these configurations. The configuration described here is based on integrations that were carried out successfully both within IBM and at an external customer site. We assume that the reader has experience with Domino, Sametime, and LDAP configuration and administration.
If you are interested in an IBM security management solution comparable to Netegrity SiteMinder, see the developerWorks Tivoli security products page.
Integration process
In this article, we focus on the following integration scenario: integrating SiteMinder with a Sametime 6.5x server that is already configured to use its local Domino Directory. The following steps outline how to configure Netegrity SiteMinder and Sametime for this scenario.
LDAP account configuration
Netegrity SiteMinder authenticates only LDAP accounts; it does not authenticate against the Domino Directory. For the configuration outlined in this article, you need to add a field to each LDAP user account that will access the Sametime/SiteMinder configuration and store in it the Notes distinguished name of the corresponding Domino user.
For example, suppose you use the following five LDAP accounts in this configuration. On the Domino server, you must have five equivalent Domino accounts (Person documents). For the configuration discussed in this article to work, each LDAP account needs an additional attribute value holding the Notes distinguished name of the corresponding Person document in the Domino Directory. In the following five examples, each LDAP account gets a field named NotesDN to hold that value:
uid       | givenname | sn            | cn                   | userPassword                                              | NotesDN
----------|-----------|---------------|----------------------|-----------------------------------------------------------|--------------------------
S65xadmin | st65x     | Administrator | Administrator, st65x | <must match the Internet password of the Domino account>  | CN=Sametime Admin/O=st65x
TestUser1 | Test      | User1         | User1, Test          | <must match the Internet password of the Domino account>  | CN=Test User1/O=st651
TestUser2 | Test      | User2         | User2, Test          | <must match the Internet password of the Domino account>  | CN=Test User2/O=st651
TestUser3 | Test      | User3         | User3, Test          | <must match the Internet password of the Domino account>  | CN=Test User3/O=st651
TestUser4 | Test      | User4         | User4, Test          | <must match the Internet password of the Domino account>  | CN=Test User4/O=st651
If you cannot add a new attribute to the LDAP schema, you can use an existing, unused attribute of the LDAP account to hold this value (for example, the description or comments attribute).
Note that this configuration requires a process to keep the Domino Directory and the LDAP directory synchronized, because in a typical environment the directory changes constantly (users are added and removed, names change, and so on). A stale or misspelled NotesDN value means SiteMinder authenticates the user but Sametime cannot resolve the Domino identity.
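The following is an added example, not code from the original article or from IBM or Netegrity, that checks the NotesDN mapping described above and generates the LDIF needed to fix gaps. It assumes (these are assumptions, not facts from the article) that the LDAP accounts are available as an LDIF export, that the mapping attribute is named NotesDN, and that the canonical Notes names of the Domino Person documents are available as a list. The sample LDIF and the Domino name list are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample LDAP export. The attribute name NotesDN is an assumption;
# the article allows any spare attribute (for example, description) instead.
SAMPLE_LDIF = """\
dn: uid=TestUser1,ou=people,dc=example,dc=com
uid: TestUser1
givenName: Test
sn: User1
cn: Test User1
NotesDN: CN=Test User1/O=st651

dn: uid=TestUser2,ou=people,dc=example,dc=com
uid: TestUser2
givenName: Test
sn: User2
cn: Test User2
NotesDN: CN=Test User2/O=st651

dn: uid=TestUser3,ou=people,dc=example,dc=com
uid: TestUser3
givenName: Test
sn: User3
cn: Test User3

dn: uid=TestUser4,ou=people,dc=example,dc=com
uid: TestUser4
givenName: Test
sn: User4
cn: Test User4
NotesDN: CN=Test User9/O=st651
"""

# Constructed list of canonical names taken from Domino Directory Person documents.
DOMINO_PERSONS = [
    "CN=Sametime Admin/O=st65x",
    "CN=Test User1/O=st651",
    "CN=Test User2/O=st651",
    "CN=Test User3/O=st651",
    "CN=Test User4/O=st651",
]


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: entries separated by blank lines, 'attr: value' lines.
    LDAP attribute names are case-insensitive, so they are stored lower-cased."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def normalize_notes_name(name: str) -> str:
    """Notes names compare case-insensitively; strip spaces around '/' and '='."""
    parts = [p.strip() for p in name.split("/")]
    return "/".join(re.sub(r"\s*=\s*", "=", p) for p in parts).lower()


def check_mapping(entries, domino_names, attr: str = "notesdn") -> Dict[str, str]:
    """Return {uid: status}: 'ok', 'missing-notesdn', or 'no-matching-domino-person'."""
    known = {normalize_notes_name(n) for n in domino_names}
    report = {}
    for e in entries:
        uid = e["uid"][0]
        values = e.get(attr, [])
        if not values:
            report[uid] = "missing-notesdn"
        elif normalize_notes_name(values[0]) not in known:
            report[uid] = "no-matching-domino-person"
        else:
            report[uid] = "ok"
    return report


def ldif_add_notesdn(entries, fixes: Dict[str, str], attr: str = "NotesDN") -> str:
    """Emit LDIF 'changetype: modify' records that add the attribute for each uid in fixes."""
    records = []
    for e in entries:
        uid = e["uid"][0]
        if uid in fixes:
            records.append(
                f"dn: {e['dn'][0]}\nchangetype: modify\nadd: {attr}\n{attr}: {fixes[uid]}\n"
            )
    return "\n".join(records)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for uid, status in check_mapping(entries, DOMINO_PERSONS).items():
        print(f"{uid}: {status}")
    print(ldif_add_notesdn(entries, {"TestUser3": "CN=Test User3/O=st651"}))
```

Run this against a real export (ldapsearch output) and the Domino Directory's Person view as part of the synchronization process: an entry reported as missing-notesdn or no-matching-domino-person is a user who will pass SiteMinder authentication but fail to map to a Domino identity. The generated LDIF can be applied with ldapmodify once the values have been reviewed.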
Installing and configuring Domino and Sametime 6.5x servers
Note: These steps describe a basic Domino server installation that can support Sametime. For more information about Domino server installation and the Domino environment, see the Lotus Domino documentation.
For a Domino server installation, you should configure the following:
Do not select a partitioned server installation.
When prompted for the type of setup, select Domino Application Server.
After the installation is complete, configure the Domino server. After you have completed the basic configuration of your Domino server, customize the server document as follows:
Tab | Settings
Basics | Ensure that Fully qualified Internet host name is set to servername.domain.com. Set Is this a Sametime server? to Yes.
Ports\Notes Network Ports | Ensure that the TCPIP port is enabled and that the fully qualified Internet host name (servername.domain.com) is set in the Net Address field.
Security | The ID used to sign the Sametime agents must be allowed to run unrestricted LotusScript and Java agents on the Sametime server. To allow this, open the server document for the Sametime server, select the Security tab, and enter the signer of the Sametime agents (for example, Development/Lotus Notes Companion Products) in the Run unrestricted LotusScript/Java agents field. Then save the server document. Alternatively, you can sign all the Sametime databases with an ID in your environment that already has this permission.
Internet Protocols\HTTP | Set Allow HTTP clients to browse databases to Yes. Set Home URL to /stcenter.nsf.
Internet Protocols\Domino Web Engine | Set Session authentication to Disabled (this configuration relies on Basic authentication rather than Domino session cookies). Set Java servlet support to Domino Servlet Manager.