Turning the login procedure for IBM Connections on its head

In the latter part of last year I was involved in installing IBM Connections at a customer site for initially 20,000 users and then, if all went well, for the full 70,000 users. The challenges in evangelizing the solution and getting people to use it are for another blog post, but the project is interesting from other perspectives as well.

Firstly they wanted to change the layout of IBM Connections and add their own colors etc., which wasn't a biggie. Next they wanted to change certain core words within IBM Connections. In Danish the word for "Communities" is "Fællesskaber" but they wanted it to be "Grupper". Changing that throughout IBM Connections was a hassle and we have to migrate these changes by hand when we upgrade to version 3, but it was possible, which is the good story here. The last one was the biggest requirement and the requirement it took the most work to satisfy. They wanted to turn the entire login process for IBM Connections on its head.

So what do I mean by that?

By default IBM Connections expects you to import all valid users into the Profiles database up front (using TDI or a handcrafted tool) and to hook WebSphere Application Server up to an LDAP directory. The customer didn't want that, and their users actually didn't exist in an LDAP directory at all but in another (Domino based) member database.

They had a number of requirements:

  1. IBM Connections should work with their existing single-sign-on (SSO) solution, which supported a number of different login methods incl. two-factor authentication and digital certificates.
  2. Before being granted access to IBM Connections the user should accept an End User License Agreement (EULA); if the user does not accept it, access to IBM Connections should be denied.
  3. Users were not allowed to be visible in IBM Connections before opting in by accepting the EULA, i.e. they didn't want users in the Profiles database before they had accepted the EULA.
The access procedure they wanted is illustrated in the diagram below (the numbered steps 1, 2 and 3 referred to later are the login screen, the EULA system and the Populator system).

[Diagram: the access procedure, from the original post]

So what does an IBM Business Partner do? Say "Sorry, that isn't possible" and "That's really not the way IBM Connections works"? Well, of course not, because it was and is possible, since IBM Connections is built on top of WebSphere Application Server, which is an open and highly extensible platform.

The key piece of the puzzle is a piece of technology called a Trust Association Interceptor, or TAI for short. A TAI is a WebSphere extension point that runs before WebSphere's own authentication and lets your code decide who the calling user is, so it changes the way WebSphere handles authentication. It is the same mechanism WebSphere normally uses to integrate with reverse proxies such as WebSEAL, where the proxy authenticates the user and WebSphere trusts the identity the proxy asserts.

A TAI is a Java class written to an interface specified by IBM and is very easy to write. The functionality may of course be complex, but the way you integrate with WebSphere Application Server isn't. Once the TAI was written and installed into WebSphere Application Server, the customer had an access procedure like this:

  1. User tries to access IBM Connections.
  2. If the user isn't logged in using the third-party SSO solution, the user is sent to the login screen (1 in the diagram above).
  3. If the user is logged in (and the SSO tokens are still valid), a EULA check is performed to verify that the latest EULA has been agreed to.
  4. If not, the user is sent to the EULA system (2 in the diagram above) to accept the EULA, with the EULA system instructed to return the user to IBM Connections afterwards.
  5. If the user did accept the latest EULA, we check whether the user is available in IBM Connections.
  6. If the user isn't in Profiles yet, the user is sent to the Populator system (3 in the diagram above), which handles collecting user information and populating Profiles. Once completed, the user is returned to WebSphere Application Server.
  7. If the user is in Profiles already, the user is granted access to IBM Connections (bottom of the diagram).
It sounds complex, but it's done in less than 500 lines of code incl. comments and documentation. That isn't too bad, is it? What's really cool is that it allows for some very exciting ways to integrate IBM Connections into existing environments.
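The flow above, as an added example written for this edit (it is not code from the post, from the customer project or from IBM): a minimal TAI in Java against the real WebSphere SPI (`com.ibm.wsspi.security.tai.TrustAssociationInterceptor`, `TAIResult` and the `WebTrustAssociation*Exception` types). The package name, the custom property names read in `initialize`, the cookie name, the `SsoClient` and `ProfilesLookup` interfaces and the `returnTo` query parameter are all assumptions made for illustration; the post says nothing about how the customer's SSO or Populator systems are called.

```java
// Added example, not the post's own TAI. Package, property names, cookie name,
// the SsoClient/ProfilesLookup interfaces and the returnTo parameter are assumed.
package com.example.tai;

import java.io.IOException;
import java.net.URLEncoder;
import java.util.Properties;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

public class OptInTai implements TrustAssociationInterceptor {

    /** Assumed client for the third-party SSO: validates a token server-side, returns the user id or null. */
    public interface SsoClient {
        String validate(String token);
        boolean acceptedLatestEula(String userId);
    }

    /** Assumed lookup against the Connections Profiles database. */
    public interface ProfilesLookup {
        boolean exists(String userId);
    }

    private String cookieName, loginUrl, eulaUrl, populatorUrl;
    private SsoClient sso;
    private ProfilesLookup profiles;

    // Custom properties are configured on the interceptor in the WAS admin console.
    public int initialize(Properties p) throws WebTrustAssociationFailedException {
        cookieName = p.getProperty("sso.cookie", "SSOTOKEN");   // assumed names
        loginUrl = p.getProperty("sso.loginUrl");
        eulaUrl = p.getProperty("eula.url");
        populatorUrl = p.getProperty("populator.url");
        try {
            sso = (SsoClient) Class.forName(p.getProperty("sso.client")).newInstance();
            profiles = (ProfilesLookup) Class.forName(p.getProperty("profiles.lookup")).newInstance();
        } catch (Exception e) {
            throw new WebTrustAssociationFailedException(e.getMessage());
        }
        return 0;
    }

    // Claim every request; WAS only falls back to its own login when this returns false.
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        return true;
    }

    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse res)
            throws WebTrustAssociationFailedException {
        // Step 2: no valid SSO session -> login screen (1 in the diagram).
        // The cookie value is only an opaque token; the user id comes from validating it.
        String token = cookieValue(req, cookieName);
        String userId = (token == null) ? null : sso.validate(token);
        if (userId == null) return redirect(req, res, loginUrl);
        // Steps 3-4: latest EULA not accepted -> EULA system (2).
        if (!sso.acceptedLatestEula(userId)) return redirect(req, res, eulaUrl);
        // Steps 5-6: not in Profiles yet -> Populator (3).
        if (!profiles.exists(userId)) return redirect(req, res, populatorUrl);
        // Step 7: assert the identity to WAS; WAS then resolves it in its configured user registry.
        return TAIResult.create(HttpServletResponse.SC_OK, userId);
    }

    // Send the redirect ourselves and hand WAS a non-200 result so it does not
    // try to authenticate. The return target is the request's own URL, never a
    // client-supplied parameter, so the chain cannot be used as an open redirect.
    private TAIResult redirect(HttpServletRequest req, HttpServletResponse res, String target)
            throws WebTrustAssociationFailedException {
        try {
            String back = URLEncoder.encode(req.getRequestURL().toString(), "UTF-8");
            res.sendRedirect(target + (target.contains("?") ? "&" : "?") + "returnTo=" + back);
        } catch (IOException e) {
            throw new WebTrustAssociationFailedException(e.getMessage());
        }
        return TAIResult.create(HttpServletResponse.SC_FOUND);
    }

    private static String cookieValue(HttpServletRequest req, String name) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) return c.getValue();
        }
        return null;
    }

    public String getVersion() { return "1.0"; }
    public String getType() { return getClass().getName(); }
    public void cleanup() { }
}
```

The class is packaged as a jar on the server classpath and registered as a custom interceptor under Global security, Trust association, with one custom property per value read in `initialize`. Three things a practitioner should check before trusting such a TAI with the whole login: the identity must come from validating the token with the SSO system, never from reading a user name out of a cookie or header, because a TAI short-circuits WebSphere's own authentication and a TAI that trusts a client-supplied value is equivalent to no authentication at all (the same reason the network path between a WebSEAL proxy and WAS has to be trusted); the principal returned in `TAIResult` still has to resolve in whatever user registry WebSphere is configured with, which the post does not describe for this customer; and returning `true` from `isTargetInterceptor` for every request also routes API clients that would otherwise use basic authentication through the SSO redirect, so narrow it by path or header if that is not what you want.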

I'll post more about TAIs over the next few days: how you write them and more about the technical underpinnings. Stay tuned.



---------------------
http://lekkimworld.com/2011/06/07/turning_the_login_procedure_for_ibm_connections_on_its_head.html
Jun 07, 2011