Sun Java System Portal Server 7.1 Configuration Guide

Configuration Tasks for the Communication Channels

The following are the high-level tasks involved in setting up the communication channels. Not all tasks are applicable to all sites. You must determine whether your site’s business requirements make the task necessary.

If you already have Sun Java System Messaging Server and Sun Java System Calendar Server installed either on the same server or on different servers, specify the respective URL when you create a channel.

Enabling Access to Mail and Calendar Applications

Both Messaging Server and Calendar Server verify the Internet Protocol (IP) address of the host where the browser requests a login session ID. If the IP address differs from the host IP address where the session ID is issued, Messaging Server and Calendar Server reject the session with a session timeout message.

To allow users to access mail through Portal Server, you must change the value of the parameter that enables and disables the IP security check. The parameter that specifies whether to restrict session access to the login IP address is:

service.http.ipsecurity

Procedure: To Disable ipsecurity for Messaging Server

To disable ipsecurity for Messaging Server, perform the following steps in the command line on the machine running the mail server.

  1. Log in to the Messaging Server.

  2. Type the following command:

    MessagingServer-base/sbin/server5/msg-messaging-server-hostname/configutil -o service.http.ipsecurity -v no

  3. Change to root using the su command.

  4. Stop Messaging Server using this command:

    MessagingServer-base/sbin/server5/msg-messaging-server-hostname/stop-msg

  5. Start Messaging Server using this command:

    MessagingServer-base/sbin/server5/msg-messaging-server-hostname/start-msg

Procedure: To Disable ipsecurity for Calendar Server

To disable ipsecurity for Calendar Server, perform the following steps in the command line on the machine running the Calendar Server:

  1. Log in to the Calendar Server.

  2. Assuming Calendar Server is installed in /opt/SUNWics5, type the following:

    cd /opt/SUNWics5/cal/config/

  3. Edit the ics.conf file and set ipsecurity to no. For example:

    service.http.ipsecurity = "no"

  4. Assuming Calendar Server is installed in /opt/SUNWics5, restart Calendar Server by typing:

    /opt/SUNWics5/cal/sbin/stop-cal

    /opt/SUNWics5/cal/sbin/start-cal

    Refresh or re-authenticate to the Portal Desktop, and verify that the “Launch Calendar” link works.
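
To confirm which value of service.http.ipsecurity is actually in force after the edit in step 3, the following added example (not part of the original guide) reads the text of an ics.conf file and reports the effective setting together with any earlier assignments it overrides. It assumes that lines starting with ! are comments and that the last assignment of a parameter wins; the sample file content and the function names are constructed for illustration.

```python
import re

# Constructed ics.conf excerpt: a commented-out line, an earlier "yes",
# and a later override. Assumption: "!" starts a comment and the last
# occurrence of a parameter is the one Calendar Server uses.
SAMPLE_ICS_CONF = '''\
! service.http.ipsecurity = "no"
service.http.port = "80"
service.http.ipsecurity = "yes"
service.http.ipsecurity="no"
'''

# key = "value", with optional quotes and optional spaces around "=".
_LINE = re.compile(r'^\s*([A-Za-z0-9_.\-]+)\s*=\s*"?([^"]*?)"?\s*$')


def effective_settings(text):
    """Map each parameter to its (line number, value) assignments, in order."""
    settings = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank line or comment
        match = _LINE.match(line)
        if match:
            settings.setdefault(match.group(1), []).append((lineno, match.group(2)))
    return settings


def ipsecurity_state(text, key="service.http.ipsecurity"):
    """Report the assignment in force and the earlier ones it shadows.

    A value of None means the parameter is not set in the file, so the
    server's built-in default applies.
    """
    hits = effective_settings(text).get(key, [])
    if not hits:
        return {"value": None, "line": None, "shadowed": []}
    line, value = hits[-1]
    return {"value": value.lower(), "line": line, "shadowed": hits[:-1]}


if __name__ == "__main__":
    state = ipsecurity_state(SAMPLE_ICS_CONF)
    print("service.http.ipsecurity =", state["value"], "(line", state["line"], ")")
    for lineno, value in state["shadowed"]:
        print("  overridden earlier assignment on line", lineno, "=", value)
```

Running the same check across every Calendar Server host gives an inventory of where the login-IP restriction has been switched off for Portal Server access.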

Configuring the Services for the Default Organization

After the communication channels have been installed, the Instant Messaging and Address Book channels require more detailed configuration as explained subsequently. The Calendar and Mail channels have sample or default settings that can work without further configuration by an administrator.

If site-specific issues exist for any of the communication channels, including the Calendar and Mail channels, configuration by an administrator might be necessary before the channels work according to the needs of your site.

The following sections provide important information relating to the configuration of the communication channels.

End-User Configuration

Unless you configure the communication channels with proxy authentication, end users must go to each channel’s edit page by clicking the edit button in the respective communication channel to further configure the channel. For more information, see Administrator Proxy Authentication: Eliminating End-User Credential Configuration.

CAUTION—Undetected Error: Missing Launch Link

If a client port number is entered incorrectly for any of the communication channels, end users do not receive an error message. The error manifests itself by not displaying the launch link for the respective channel, a result that does not help end users to identify the root cause of the problem.

Both administrators and end users can enter an incorrect client port number, but since end users can edit only the client port number for the Calendar and Mail channels, those are the only channels where this problem can occur.

CAUTION—Undetected Error: Missing Channel

Various situations can cause end users not to see a communication channel and not to see an error message explaining the problem. The cause might be a misconfigured template or configuration name, which doesn’t allow the template or configuration to be found. A communication channel does not display when any of the following conditions is true:

HTTPS Enabled

This applies to the Mail channel only. If the Mail channel is connected to a more secure HTTPS-enabled messaging server instead of the basic HTTP-enabled messaging server, you need to make some security-related adjustments for the Mail channel to work as intended. For more information, see Configuring the Mail Provider to Work with an HTTPS Enabled Sun Java System Messaging Server.

Configuring the Instant Messaging Channel

Sun Java System Instant Messenger is installed during the installation of Sun Java System Portal Server if the Enable IM in Sun Java System Portal Server option is selected.

While the Instant Messaging Portal channel is designed to work right out of the box, other configuration might be necessary depending upon your site’s needs. Therefore, after following the steps in Instant Messaging Channel, see Additional Configuration for the Instant Messaging Channel to determine whether any of that section’s subsections apply to your installation.

The Instant Messaging channel is based on a Sun Java System Portal Server content provider called IMProvider. The IMProvider is an extension of the JSPProvider in the Portal Server. As an extension of the JSPProvider, IMProvider uses the JSP files to generate the content page and the edit page for the Instant Messaging channel. The JSP files are also used to generate the pages used to launch the Instant Messenger. The IMProvider also defines an instant messaging-specific tag library and this tag library is used by the JSP files. The JSP files and the tag library use the channel properties that are defined by the IMProvider.

For more information on Sun Java System Instant Messenger, see Instant Messaging Administrator’s Guide.

Administrators and end users can access information about Sun Java System Instant Messenger by visiting the URL used in the codebase property for the Instant Messaging Channel configuration.

Instant Messaging Channel

Procedure: To Configure the Instant Messaging Channel

  1. From an Internet browser, log into the Sun Java System Portal Server administration console at http://hostname:port/psconsole, for example http://psserver.company22.example.com:80/psconsole

  2. Click the Identity Management tab to display the View drop down list in the navigation pane (the lower left frame).

  3. Select Services in the View drop down list to display the list of configurable services.

  4. Under the Sun Java System Portal Server Configuration heading, click the arrow next to Portal Desktop to bring up the Portal Desktop page in the data pane (the lower right frame).

  5. Click the Manage Channels and Containers link.

  6. Scroll down to the Channels heading and click Edit Properties next to IMChannel to display the Instant Messenger service panel, which includes Basic Properties.

    The following is a partial list of the properties displayed in the Edit IMChannel page with example values provided for each property.

    Property            Example Value
    authMethod          idsvr
    authUsernameAttr    uid
    clientRunMode       plugin
    codebase            imapplet.example.com
    contactGroup        My Contacts
    mux                 imserver.example.com
    muxport             49909
    netletRule          IM
    password            (not applicable when idsvr is used for authMethod)
    port                49999
    server              imserver.example.com
    username            (not applicable when idsvr is used for authMethod)

  7. In the text field next to each property you want to input, enter the desired value. The following describes the properties and the type of information to enter as a value.

    Property            Value
    authMethod          Two values are possible, idsvr or ldap. The idsvr value enables Single Sign-On to work. It also removes the username and password fields from the Instant Messenger channel edit page. The value idsvr is usually preferable, to indicate that the authentication method to be used is the Sun Java System Portal Server authentication method.
    authUsernameAttr    Enter the name of the attribute to use for the user name when authenticating using the idsvr authentication method.
    clientRunMode       Enter the method for running the Instant Messaging client: plugin or jnlp (used for Java Web Start).
    codebase            Enter the URL prefix from which the Instant Messaging client is downloaded.
    contactGroup        Enter the name of the contact group that is displayed in the Instant Messaging channel.
    mux                 Enter the hostname of the Sun Java System Instant Messaging Multiplexor to be used when the channel launches the Instant Messaging client.
    muxport             Enter the port number associated with the Sun Java System Instant Messaging Multiplexor. The default port number is 49909.
    netletRule          Enter the name of the netlet rule that is used with the Instant Messaging client when using the Secure Remote Access (SRA) gateway.
    password            Enter the password to use when authenticating using the LDAP method. When stored in the display profile, this property is obfuscated using the AMPasswordUtil class.
    port                Enter the port number associated with the Sun Java System Instant Messaging Server to be used by the channel. The default port number is 49999.
    server              Enter the hostname of the Sun Java System Instant Messaging Server to be used by the channel.
    username            Enter the username to use when authenticating using the LDAP method.

  8. Scroll as needed and click Save.

Additional Configuration for the Instant Messaging Channel

The following sections provide information for additional configuration of the Instant Messaging Channel.

Allowing Multiple Organizations

When a Sun Java System Portal Server instance serves multiple organizations but uses a single server, additional steps must be taken.

Portal Server and Sun Java System Portal Server allow administrators to set up users with the same User ID (uid) across an organization. For example, an organization could have two suborganizations that each have an end user named enduser22. This creates a conflict when these two end users attempt to access their respective accounts through the channel.

To avoid this potential conflict, create one set of JSP launch pages per organization. Each set must pass in the parameter domain, set to the value of the organization’s sunPreferredDomain attribute. The default launch pages are:

/etc/opt/SUNWportal/desktop/default/IMProvider/jnlpLaunch.jsp

/etc/opt/SUNWportal/desktop/default/IMProvider/pluginLaunch.jsp

Inserting Instant Messenger Links in an Organization

By default, Instant Messenger links are added to the Application channel, which provides the links to launch various applications, in the default organization. The Instant Messenger links allow end users to launch the Instant Messenger from the Application channel. You need to add Instant Messenger links manually if:

The contents for the Instant Messenger links are in the file PortalServer-base/SUNWportal/samples/InstantMessaging/dp-IMChannel.xml. The dp-IMChannel.xml file also contains the sample IMChannel.

Edit a copy of the file dp-IMChannel.xml to add the Instant Messenger links information to the display profile for another organization and install the file using the psadmin command as follows:

Procedure: Inserting Instant Messenger Links

  1. Change to the following directory:

    PortalServer-base/SUNWportal/bin/

  2. Create a copy of the dp-IMChannel.xml file as follows:

    cp dp-IMChannel.xml newfile.xml

  3. To modify the Application channel, type the following psadmin command:


    psadmin modify -u ADMIN_DN -w PASSPHRASE -d ORG_DN -m newfile.xml

    where:

    ADMIN_DN - Replace with LDAP administrator DN. For example: psadmin

    PASSPHRASE - Replace with the administrator’s password.

    ORG_DN - Replace with the DN of the Organization where the links are to be added. For example: o=example.com, o=isp

    The URL for launching the Instant Messenger using Java Plug-in is a reference to the Instant Messaging channel with a launch argument. For example:

    /portal/dt?action=content&provider=IMChannel&launch=plugin&username=sam

    The URL for launching the Instant Messenger applet with Java Web Start is:

    /portal/imlaunch?channel=IMChannel&launch=jnlp&username=sam

Enabling Secure Mode in Sun Java System Portal Server

Netlet facilitates secure communication between the Instant Messenger and the server.


Note –

The Instant Messaging channel automatically uses the secured mode when accessed through the Secure Remote Access gateway. The Instant Messaging channel does not use the secured mode when it is not accessed through the gateway.


To enable the secure mode, you need to add the Netlet Rule.

To add the Netlet Rule:

Procedure: Adding the Netlet Rule

  1. From an Internet browser, log into the Portal Server administration console at http://hostname:port/psconsole, for example http://psserver.company22.example.com:80/psconsole

  2. Click the Identity Management tab to display the View drop down list in the navigation pane.

  3. Select Services in the View drop down list to display the list of configurable services.

  4. Scroll down to SRA Configuration and select Netlet.

  5. Click the arrow icon beside Netlet. The Netlet Rules are displayed in the right panel.

  6. Click Add under Netlet Rules.

  7. Type IM in the Rule Name field.


    Note –

    The Netlet rule name can be different. You can configure the Instant Messaging channel to use a different Netlet rule.


  8. Remove the default value in the URL field and leave the field blank.

  9. Select the Download Applet check box and enter the following string:

    $IM_DOWNLOAD_PORT:$IM_HOST:$IM_PORT

    For example:

    49916:company22.example.com:80

    where:

    IM_DOWNLOAD_PORT. The port on which Instant Messaging resources are downloaded using Netlet.

    IM_HOST. The host name of the web container serving Instant Messenger. For example: company22.example.com

    IM_PORT. The port number of the web container serving the Instant Messenger. For example, 80.

  10. Select the default value in the Port-Host-Port List and click Remove.

  11. In the Client Port field, enter the local host port on which Netlet runs. For example: 49916.

  12. Enter the Instant Messaging Multiplexor host name in the Target Host(s) field.

  13. Enter the Instant Messaging Multiplexor port in the Target Port(s) field.


    Note –

    The values for Netlet Port, Instant Messaging Host, and Instant Messaging Port should be the same as the Instant Messaging service attributes mentioned in the Instant Messenger service panel as discussed in the final steps of Instant Messaging Channel.


  14. Click Add to List.

  15. Click Save to save the Netlet Rule.

Disallowing Users from Launching Instant Messenger

You can remove the ability for users to use the Instant Messaging channel by removing the channel from the user’s display profile. For example, to remove the sample IMChannel that is automatically installed, do the following:

Procedure: Disallowing Users from Launching Instant Messenger

  1. From an Internet browser, log into the Portal Server administration console at http://hostname:port/psconsole, for example http://psserver.company22.example.com:80/psconsole

  2. Click the Identity Management tab to display the View drop down list in the navigation pane.

  3. Select Services in the View drop down list to display the list of configurable services.

  4. Click the arrow icon next to the Portal Desktop service.

  5. Click the Manage Channels and Containers link.

  6. Select the check box to the left of the IMChannel channel.

  7. Scroll as needed and click Delete to delete the channel.

Configuring the Address Book Channel

For the Address Book channel to work, you need to configure the defaults for the Address Book service. Because the AddressBookProvider is not pre-configured, channels the user creates based on the AddressBookProvider do not appear on the user’s Desktop or on the Content link unless the AddressBookProvider has been configured.


Note –

Creating channels based on the other communications channels in the pre-populated, user-defined channels set may result in the created channel displaying the message: Please specify a valid configuration. Although the other Communication Channels are defined to a sufficient extent to appear on the user’s Desktop, they require additional administrative tasks to ascertain which backend service to use.

Additionally, the communication channels require the desktop user to specify back-end credentials (such as username and password) after the administrative tasks are completed. The desktop user can specify these values in the channel by using the channel’s Edit button.



Note –

The userDefinedChannels set might need to be administered on a per-installation basis, because this set includes references to back-end services that might not apply to your particular setup. For example, all Lotus Providers in this set refer to interaction with Lotus back-end services for the communication channels. These do not apply if no one in the Portal Server user base uses Lotus backend services.


Configuring the Address Book Service Defaults

This section provides information about single sign-on (SSO) Adapter templates. These templates globally affect the display of the communication channels on users’ portal Desktops. To alter the display profile of users for the communication channels, you need to edit or create SSO Adapter templates and configurations.

Procedure: To Configure the Address Book Service Defaults

  1. From an Internet browser, log into the Portal Server administration console at http://hostname:port/psconsole, for example http://psserver.company22.example.com:80/psconsole

  2. Click the Service Configuration tab to display the list of configurable services in the navigation pane.

  3. Scroll down the navigation pane to the Single Sign-on Adapter Configuration heading and click the arrow next to the item SSO Adapter, which brings up the SSO Adapter page in the data pane.

  4. Click New under SSO Adapter Configuration to add an SSO adapter configuration.

    The New Configuration page appears.

  5. Type a configuration name and select SUN-ONE-ADDRESS-BOOK from the menu.

  6. Click Next.

    The Configuration Properties page appears.

  7. Modify the properties as needed.

  8. Scroll down the SSO Adapter page and click Save.

  9. When done, click Save.

Configuring End-User Channel Settings

Procedure: To Configure End-User Channel Settings

  1. Log into the Desktop as the new user:

    1. From an Internet browser, go to:

      http://hostname.domain:port/portal/dt, for example http://psserver.company22.example.com:80/portal/dt

    2. Enter the user ID and password.

    3. Click Login.

  2. Click the Edit button of each channel to configure the server settings.

    • To configure the Mail channel settings:

      Server Name. Enter the host name of the mail server. For example, mailserver.example.com.

      IMAP Server Port. Enter the mail server port number.

      SMTP Server Name. Enter the name of the Domain Name Server (DNS) of the outgoing mail (Simple Mail Transfer Protocol, SMTP) server.

      Client Port. Enter the port number configured for HTTP service.

      User Name. Enter the mail server user name.

      User Password. Enter the mail server user password.

      When sending a message place a copy in Sent Folder. Check this box to store copies of your outgoing messages in the Sent folder.

      Finished. Click this button to save the mail configuration.

      Cancel. Click this button to close the window without saving the configuration details.

    • To configure Address Book channel settings:

      The IMAP user ID and Password are the same as the User Name and User Password entered when configuring the mail channel settings. For details, refer to the previous bulleted item, Configuring the Address Book Service Defaults.

      User Name. Enter your User Name.

      Password. Enter your Password.

      Finished. Click this button to save the server information.

      Cancel. Click this button to close the window without saving the details.

    • To configure the Calendar channel settings:

      Server Name. Enter the calendar server host name. For example, Calserver.example.com.

      Server Port. Enter the calendar server port number.

      User Name. Enter the calendar server user name.

      User Password. Enter the calendar server user password.

      Finished. Click this button to save the calendar configuration.

      Cancel. Click this button to close the window without saving the details.

    • To configure the Instant Messaging channel settings:

      Contact List. Select the desired contact list whose contacts will be displayed in the Instant Messaging Channel.

      Launch Method. Select the desired launch method: Java Plugin or Java Web Start.

      Server. Enter the Sun Java System Instant Messaging Server name. For example: IMserver.example.com

      Server Port. Enter the Sun Java System Instant Messaging Server port number. For example: 49999

      Multiplexor. Enter the Multiplexor name, which must be the same machine as the Sun Java System Instant Messenger server. For example: IMserver.example.com

      Multiplexor Port. Enter the Multiplexor port number. For example: 49909

      User Name. (This field only appears when the authentication method is set to the Sun Java System Portal Server authentication method, idsvr) Enter the Sun Java System Instant Messenger user name.

      User Password. (This field only appears when the authentication method is set to the Sun Java System Portal Server authentication method, idsvr) Enter the Sun Java System Instant Messenger user password.

      Finished. Click this button to save the Sun Java System Instant Messaging Server configuration.

      Cancel. Click this button to close the window without saving the details.

    The Address Book, Calendar, and Mail channels each have display options that the user can set and the administrators cannot by default overwrite. After logging into the Portal Desktop, the user can change the display options for a channel by clicking the edit button in the panel for that channel. The display options are clearly marked and easily changed.

    In Address Book, a display option that users can change is the Number of Entries option; in Calendar, a display option that users can change is the Display Day View option; in Mail, a display option that users can change is the Number of Headers option.

    Changes made by users to the default communication channels display options take precedence. Any future changes made by administrators do not automatically take effect, and a new channel added by administrators is not automatically accessible by users.

Application Preference Editing: Configuring Communication Channel Edit Pages

You can configure the edit pages that end users see after they click the edit button in a communication channel’s tool bar for the Address Book, Calendar, and Mail channels. The Instant Messaging channel does not use application preference editing. For information about configuring the Instant Messaging Channel’s edit page, see Sun Java System Portal Server 7.1 Desktop Customization Guide.

For the three communication channels that allow application preference editing, you can change which options are available for end users to edit, what names and wording accompany those options, and how the options are formatted. Configuration of the communication channels edit pages can be performed in the display profile, various HTML templates, and an SSO Adapter template. You might also need to access an SSO Adapter configuration. These items together are involved in the configuration of the edit pages.

This section gives a brief explanation of application preference editing. Other chapters in this guide and the Sun Java System Portal Server 7.1 Desktop Customization Guide provide a more complete explanation of the template files and the display profile, including how they interact with each other and how you can access and edit them.

Display Profile Attributes for the Edit Pages

The communication channels have two collections in their display profile for creating the edit pages. They are ssoEditAttributes and dpEditAttributes.

You can edit these collections by accessing the Sun Java System Portal Server administration console. Either download the display profile to edit the XML code before uploading it back to the directory server, or edit specific properties in these collections using only the administration console.

The ssoEditAttributes collection controls the editing of the attributes contained by the SSO Adapter service, such as user name and user password. dpEditAttributes controls the editing for the display profile attributes, such as sort order and sort by, which are options that by default end users can edit.

Therefore, these collections list the attributes that can be edited and also contain information on the type of input and the header for the input string to use. For example:


<String name="uid" value="string|User Name:"/>
<String name="password" value="password|User Password:"/>


            

The name in the collection must match the name of the corresponding display profile SSO Adapter attribute. The value portion of the item contains two pieces of information separated by the “|” character. The first part of the value string specifies the attribute’s display type. The second part of the attribute’s value string specifies the text that is displayed next to the item.

The list below specifies how the type relates to a corresponding HTML GUI item:

For every select display type, you must have a corresponding collection that lists the value to be returned and the display value for the option. The collection name must be made up of the name value for the attribute and the text SelectOptions. For example, for the sortOrder attribute in the MailProvider, the collection name is sortOrderSelectOptions:


<Collection name="sortOrderSelectOptions" advanced="false" merge="replace" 
lock="false" propagate="true"> 
		<String name="top" value="Most recent at top"/> 
		<String name="bottom" value="Most recent at bottom"/> 
</Collection>


            

HTML Templates for the Edit Pages

Nine HTML templates are used to create edit pages for the communication channel providers. The templates are generic, to correspond to specific browser GUI types, and they primarily relate to specific HTML inputs in the edit pages.

The edit-start.template and the edit-end.template are exceptions. They contain most of the HTML that is used for page layout. HTML Templates for the Edit Pages contains a description of each template name and how it relates to the GUI types. Some of the templates are used to start, end and separate the attributes. These templates are available for each of the communication channels at:

/etc/opt/SUNWportal/desktop/default/ChannelName_Provider/html

For example, the templates for the Calendar channel edit pages can be accessed at:

/etc/opt/SUNWportal/desktop/default/CalendarProvider/html

Table 9–1 Templates for the Communication Channel Edit Pages

Template                    Description
edit-start.template         Provides the starting HTML table for the edit page.
edit-checkbox.template      Provides a generic template for checkbox items.
edit-separate.template      Separates the display profile attributes from the SSO attributes.
edit-end.template           Ends the HTML table for the edit page.
edit-password.template      Provides a generic template for password items.
edit-string.template        Provides a generic template for text items.
edit-select.template        Provides a generic template for a select item.
edit-selectoption.template  Provides a generic template for a select option. This way the option can also be generated dynamically from the display profile.
edit-link.template          Provides a template to generate the link so the user can edit their client’s display attributes.

A Display Profile Example

This example demonstrates how certain SSO Adapter attributes work together with their corresponding display profile attributes to give end users the ability to change the entries for specific features in a communication channel’s edit page, thereby changing how the communication channels are configured and displayed on their Portal Desktops.

The SSO Adapter template in A Display Profile Example is for a sample mail channel. The SSO Adapter template contains two merged attributes:

A merged attribute is an attribute that end users can specify. Administrators decide which attributes are merged so that end users can edit them.


Example 9–2 Sample SSO Adapter Template


default|imap:///&configName=MAIL-SERVER-TEMPLATE
    &encoded=password
    &default=protocol
    &default=clientProtocol
    &default=type
    &default=subType
    &default=ssoClassName
    &default=smtpServer
    &default=clientPort
    &default=host
    &default=port
    &merge=username
    &merge=userpassword
    &clientProtocol=http
    &type=MAIL-TYPE
    &subType=sun-one
    &ssoClassName=com.sun.ssoadapter.impl.JavaMailSSOAdapter
    &smtpServer=example.sun.com
    &clientPort=80
    &host=company22.example.com
    &port=143


               

A Display Profile Example contains the channel’s display profile XML fragment for the channel’s ssoEditAttributes.

After you set an attribute to merge in an SSO Adapter template, you can edit that attribute in the display profile to reconfigure how the attribute is displayed to end users in an edit page and how end users can edit it.

Administrators edit the proper display profile collection to define how end users are queried for the necessary information. In this example, administrators could replace UserName with the question, What is your user name? The use of the string attribute display type before the “|” symbol is the most likely choice. However, an administrator can change this to the password type or to another type.


Example 9–3 Sample Mail Channel Display Profile XML Fragment



<Channel name="SampleMailChannel" provider="MailProvider">
<Properties>
<Collection name="ssoEditAttributes">
    <String name="username" value="string|User Name:"/>
    <String name="userpassword" value="password|User Password:"/>
</Collection>
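
The following added example (not Sun's code) cross-checks an SSO Adapter template against a channel's edit collections using the rules stated in this section: every ssoEditAttributes name must correspond to a merge attribute, every value must have the form type|label, and every select needs a matching SelectOptions collection. The check that password attributes use the password display type, the function names, the dpEditAttributes entry and the BAD_PROFILE sample are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Example 9-2 from this page (whitespace is only line wrapping).
SSO_TEMPLATE = """default|imap:///&configName=MAIL-SERVER-TEMPLATE
    &encoded=password&default=protocol&default=clientProtocol&default=type
    &default=subType&default=ssoClassName&default=smtpServer
    &default=clientPort&default=host&default=port
    &merge=username&merge=userpassword
    &clientProtocol=http&type=MAIL-TYPE&subType=sun-one
    &ssoClassName=com.sun.ssoadapter.impl.JavaMailSSOAdapter
    &smtpServer=example.sun.com&clientPort=80
    &host=company22.example.com&port=143"""

# Example 9-3 with its tags closed so it parses. The dpEditAttributes entry
# is constructed; sortOrderSelectOptions is the collection shown on the page.
GOOD_PROFILE = """<Channel name="SampleMailChannel" provider="MailProvider">
<Properties>
<Collection name="ssoEditAttributes">
    <String name="username" value="string|User Name:"/>
    <String name="userpassword" value="password|User Password:"/>
</Collection>
<Collection name="dpEditAttributes">
    <String name="sortOrder" value="select|Sort Order:"/>
</Collection>
<Collection name="sortOrderSelectOptions">
    <String name="top" value="Most recent at top"/>
    <String name="bottom" value="Most recent at bottom"/>
</Collection>
</Properties>
</Channel>"""

# Constructed misconfiguration: a value with no "|", a password shown as
# plain text, an attribute that is not merged, a select without options.
BAD_PROFILE = """<Channel name="BadMailChannel" provider="MailProvider">
<Properties>
<Collection name="ssoEditAttributes">
    <String name="username" value="User Name:"/>
    <String name="userpassword" value="string|User Password:"/>
    <String name="host" value="string|Server:"/>
</Collection>
<Collection name="dpEditAttributes">
    <String name="sortOrder" value="select|Sort Order:"/>
</Collection>
</Properties>
</Channel>"""


def parse_sso_template(text):
    """Split a template into scope, URL, attribute lists and fixed values."""
    flat = "".join(text.split())            # drop the wrapping whitespace
    scope, _, rest = flat.partition("|")
    url, *pairs = rest.split("&")
    parsed = {"scope": scope, "url": url, "default": [], "merge": [],
              "encoded": [], "values": {}}
    for pair in pairs:
        key, _, value = pair.partition("=")
        if key in ("default", "merge", "encoded"):
            parsed[key].append(value)        # these keys repeat
        else:
            parsed["values"][key] = value
    return parsed


def edit_attributes(channel, collection):
    """Return {name: (display_type or None, label)} for one edit collection."""
    out = {}
    for item in channel.findall(f".//Collection[@name='{collection}']/String"):
        dtype, sep, label = item.get("value", "").partition("|")
        out[item.get("name")] = (dtype if sep else None, label)
    return out


def audit(template_text, profile_xml):
    """List mismatches between the template and the edit collections."""
    tpl = parse_sso_template(template_text)
    channel = ET.fromstring(profile_xml)
    collections = {c.get("name") for c in channel.iter("Collection")}
    sso = edit_attributes(channel, "ssoEditAttributes")
    dp = edit_attributes(channel, "dpEditAttributes")
    findings = []
    for name, (dtype, _) in {**sso, **dp}.items():
        if dtype is None:
            findings.append(f"{name}: value is not 'type|label'")
        elif dtype == "select" and name + "SelectOptions" not in collections:
            findings.append(f"{name}: select type without {name}SelectOptions")
        if "password" in name.lower() and dtype != "password":
            findings.append(f"{name}: secret not rendered with the password type")
    for name in sso:
        if name not in tpl["merge"]:
            findings.append(f"{name}: editable but not a merge attribute")
    for name in tpl["merge"]:
        if name not in sso:
            findings.append(f"{name}: merge attribute with no edit field")
    return findings


if __name__ == "__main__":
    for label, profile in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        print(label, audit(SSO_TEMPLATE, profile) or "no findings")
```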


               

For this example, in the Mail channel edit page, end users see text fields titled:

Enabling End Users to Set Up Multiple Instances of a Communication Channel Type

End users or administrators can create multiple types of communication channels. To create multiple types of communication channels, end users need to use the Create a new channel link found on the Content page.

Administrators can create multiple channels for an organization, role, or group. After administrators have made multiple instances of a particular component available, such as a second instance of the address book component, they can allow end users to configure a second Address Book channel on their Portal Desktops.

You can create an SSO Adapter template for each new communication channel type, or you can use one SSO Adapter template and create multiple SSO Adapter configurations for each channel. For more information, see the SSO Adapter documentation in .

Depending on the amount of configuration done by the administrator, the end users may not need to enter as many configuration settings. Administrators can configure these settings by using the application preference editing feature. See Application Preference Editing: Configuring Communication Channel Edit Pages.

To create two Address Book channels, you make each refer to a different SSO adapter template. You can then add both Address Book channels to the visible page you just came from. Likewise, you can create one SSO Adapter template and two SSO Adapter configurations (dynamic). The SSO Adapter template would define the server settings as user definable values (merge) and the SSO Adapter configuration would then specify those server settings.

ProcedureTo Configure the Address Book for Different Servers

To configure the address book for different servers where end users can configure the servers as needed:

  1. Specify the server information as user definable, merge, in the SSO Adapter template. For more information, see .

  2. In the channel’s display profile ssoEditAttributes collection, specify which attributes can be edited. For more information, see Application Preference Editing: Configuring Communication Channel Edit Pages and for specific information about the display profile, see the Sun Java System Portal Server 7.1 Desktop Customization Guide.

Administrator Proxy Authentication: Eliminating End-User Credential Configuration

You can enable administrator proxy authentication for the Address Book, Calendar, and Mail channels. If you extend support for proxy authentication between the Sun Java System Portal Server and Sun Java System Messaging Services (Sun Java System Messaging Server and Calendar Server), end users do not have to visit a channel’s edit page to enter their user name and user password credentials. An administrator’s credentials are used instead of an end user’s credentials, and they are stored in the SSO Adapter template.

Within the template, the administrator’s User ID is stored as a value for the proxyAdminUid attribute while the administrator’s password is stored as a value for the proxyAdminPassword attribute. Every time a user launches a channel, these values are used to make a connection between a channel and its respective back-end server. A naming attribute for the user is also sent to the back-end server. For more information on naming attributes for administrator proxy authentication, see the userAttribute property in Overview of How to Configure Proxy Authentication.

Proxy authentication cannot be configured for Sun Java System Instant Messaging Server, Microsoft Exchange Server, or IBM Lotus Notes server.


Note –

Enabling administrator proxy authentication disables the end-user credential configuration for the associated Address Book, Calendar, or Mail channel. A message will be displayed in the channel.


CAUTION—Potential for Multiple End Users to be Directed to One Mail Account

Portal Server and Sun Java System Portal Server allow administrators to set up users with the same User ID across an organization. For example, the organization could have two suborganizations that each have an end user named enduser22.

If administrator proxy authentication is enabled for a Sun Java System communication channel, and the end user naming attribute is set to the default, uid, both users could potentially access the same back-end user account.

Administrator proxy authentication enables administrators to change the user naming attribute in the SSO Adapter template. For example, you can change the attribute to an attribute that is unique for each employee, such as employee number, to ensure that portal end users access the correct back-end server account.

Overview of How to Configure Proxy Authentication

To enable administrator proxy authentication for the Address Book, Calendar, and Mail channels, you use the Sun Java System Portal Server administration console to access the SSO Adapter templates. Then you need to access the Sun Java System communication servers. Specifically, you need to:

ProcedureTo Edit SSO Adapter Templates For Enabling Administrator Proxy Authentication

  1. From an Internet browser, log into the Sun Java System Portal Server administration console at http://hostname:port/psconsole, for example http://psserver.company22.example.com:80/psconsole

  2. Click the Service Configuration tab to display the list of configurable services in the navigation pane.

  3. Select SSO Adapter to display the page for configuring the SSO Adapter in the data pane.

  4. Click the string for the channel that you want to enable with administrator proxy authentication.

  5. Click in the configuration description field.

  6. Delete and key in the necessary information for administrator proxy authentication:

    Overview of How to Configure Proxy Authentication describes the properties that need to be edited in the SSO Adapter Template to enable support for administrator proxy authentication.

    Property: enableProxyAuth
    Value: true | false
    Description: The value associated with this attribute is a flag to indicate if proxy authentication is enabled or not. If true, the SSO Adapter and Application Adapter perform proxy authentication. For example, &enableProxyAuth=true

    Property: proxyAdminUid
    Value: (configurable)
    Description: The value associated with this attribute is the administrator’s user name. For example, &proxyAdminUid=ServiceAdmin

    Property: proxyAdminPassword
    Value: (configurable)
    Description: The value associated with this attribute is the administrator’s user password. For example, &proxyAdminPassword=mailpwd

    Property: userAttribute
    Value: (configurable)
    Description: The value associated with this attribute is the user’s naming attribute. This value is mapped to an attribute on the user’s record (the user’s entry in the directory). A typical record has several attributes, including the User ID (uid) and employee number. By default, the naming attribute is set to uid. For example, &userAttribute=uid. By editing the SSO Adapter template, you can map the naming attribute to another attribute, such as employee number.

    The preceding four properties appear in the SSO Adapter template string again. You can set the configuration of the properties to default or merge. In the following examples, they are all set to default.

    Property              Value      Example
    enableProxyAuth       default    &default=enableProxyAuth
    proxyAdminUid         default    &default=proxyAdminUid
    proxyAdminPassword    default    &default=proxyAdminPassword
    userAttribute         default    &default=userAttribute
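
The shared User ID caution and the four proxy properties described above can be checked before a template goes live. The following Python code is an added example, not part of this guide or of Portal Server: it parses a template string, flags the uid naming attribute and any proxy property left user definable (merge), and lists directory users who would reach the same back-end account. The sample template, the directory entries, the employeeNumber attribute name, the function names and the finding labels are all assumptions constructed for illustration.

```python
from collections import defaultdict

# The four proxy-authentication properties named in this section.
PROXY_PROPS = ("enableProxyAuth", "proxyAdminUid",
               "proxyAdminPassword", "userAttribute")


def parse_sso_template(template):
    """Split an SSO Adapter string into (values, modes).

    values: property -> literal value, e.g. enableProxyAuth -> "true"
    modes:  property -> "default" or "merge" (merge = user definable)
    """
    # Properties follow the final "/?" and are separated by "&".
    query = template.rpartition("/?")[2]
    values, modes = {}, {}
    for token in query.split("&"):
        key, _, value = token.partition("=")
        key, value = key.strip(), value.strip()
        if not key:
            continue
        if key in ("default", "merge"):
            modes[value] = key          # &default=proxyAdminUid
        else:
            values[key] = value         # &proxyAdminUid=ServiceAdmin
    return values, modes


def audit_proxy_auth(template):
    """Return finding labels (hypothetical names) for a template string."""
    values, modes = parse_sso_template(template)
    if values.get("enableProxyAuth", "false").lower() != "true":
        return []                       # proxy authentication is off
    findings = []
    # uid is the default naming attribute when none is given.
    if values.get("userAttribute", "uid") == "uid":
        findings.append("UID_NAMING_ATTRIBUTE")
    # A proxy property set to merge can be overridden per user.
    for prop in PROXY_PROPS:
        if modes.get(prop) == "merge":
            findings.append("USER_DEFINABLE:" + prop)
    return findings


def backend_collisions(entries, user_attribute):
    """Map each back-end account name to the portal users that share it.

    entries: DN -> attribute dict. Only names reached by more than one
    user are returned; users lacking the attribute are skipped.
    """
    by_account = defaultdict(list)
    for dn, attrs in entries.items():
        name = attrs.get(user_attribute)
        if name is not None:
            by_account[name].append(dn)
    return {name: sorted(dns)
            for name, dns in by_account.items() if len(dns) > 1}


# Constructed sample template (not taken from a real deployment).
SAMPLE_TEMPLATE = (
    "default|undef:///?configName=SAMPLE-MAIL"
    "&default=enableProxyAuth&default=proxyAdminUid"
    "&merge=proxyAdminPassword&default=userAttribute"
    "&enableProxyAuth=true&proxyAdminUid=ServiceAdmin"
    "&proxyAdminPassword=mailpwd&userAttribute= uid"
)

# Constructed directory: two suborganizations, each with an enduser22.
SAMPLE_DIRECTORY = {
    "uid=enduser22,ou=People,o=sales,o=example.com":
        {"uid": "enduser22", "employeeNumber": "10071"},
    "uid=enduser22,ou=People,o=support,o=example.com":
        {"uid": "enduser22", "employeeNumber": "20413"},
    "uid=enduser23,ou=People,o=sales,o=example.com":
        {"uid": "enduser23", "employeeNumber": "10072"},
}

if __name__ == "__main__":
    print(audit_proxy_auth(SAMPLE_TEMPLATE))
    print(backend_collisions(SAMPLE_DIRECTORY, "uid"))
    print(backend_collisions(SAMPLE_DIRECTORY, "employeeNumber"))
```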

ProcedureTo Set Up Sun Java System Messaging Server for Administrator Proxy Authentication

  1. Log in to the Sun Java System Messaging Server software host and become super user.

  2. Type the following code:

    MessagingServer-base/msg-instance-name/configutil -o service.http.allowadminproxy -v yes

  3. Restart the Sun Java System Messaging Server.

    See the Sun Java System Messaging Server Administrator’s Guide for detailed instructions on running configutil and restarting the server.

ProcedureTo Set Up Calendar Server for Administrator Proxy Authentication

  1. Log in to the Sun Java System Calendar Server software host and become super user.

  2. Open the following file with the editor of your choice:

    CalendarServer-base/cal/bin/config/ics.conf

  3. Set the following attribute as shown:

    service.http.allowadminproxy = "yes"

  4. Restart the calendar server.

    See the Calendar Server Administrator’s Guide for detailed instructions on restarting the server.

Configuring a Read-Only Communication Channel for the Authentication-Less Portal Desktop

The authentication-less (authless anonymous) Portal Desktop supports read-only communication channels.

Read-Only Communication Channels Facts and Considerations

You can configure read-only access to Address Book, Calendar, and Mail channels for the authless anonymous Portal Desktop. End users can access the information in a read-only communication channel by simply accessing the Portal Desktop, that is, by entering the following URL in an Internet browser:

http://hostname.domain:port/portal/dt, for example http://psserver.company22.example.com:80/portal/dt

Without logging in, end users can access any read-only communication channels that administrators have configured. End users are usually prevented from editing these channels, however. For more information about the authentication-less Portal Desktop, including enabling anonymous log in, see the Sun Java System Portal Server 7.1 Desktop Customization Guide.

The calendar channel is the communications channel most commonly shared by multiple users. The following steps are for configuring a read-only calendar channel. In this example, the calendar being shared belongs to user library. The public read-only calendar is titled Library Schedule.


Note –

The following calendar set up demonstrates one possible approach. For more information about setting up users for the Sun Java System Calendar Server, see the create userid option of the csuser command in the Sun Java System Calendar Server Administrator’s Guide.


ProcedureTo Set Up a Calendar User

  1. Create a calendar user by issuing a command such as the following:

    csuser -g Library -s Admin -y libadmin -l en -m libadmin@library.com -c librarySchedule create libadmin

    Where user libadmin has a given name of Library, surname of Admin, password of libadmin, preferred language of en (English), email address of libadmin@library.com, and calendar ID of librarySchedule.

  2. Set the access permissions to world readable for:

    libadmin:librarySchedule

    You can set the access permissions using the cscal utility or the end user can do this using Calendar Express.

ProcedureTo Configure a Read-Only Communication Channel

  1. Configure the settings for the end user—which in this case is authless anonymous—and create a calendar SSO adapter configuration.

    1. From an Internet browser, log on to the Sun Java System Portal Server administration console at http://hostname:port/psconsole, for example http://psserver.company22.example.com:80/psconsole

    2. Click the Identity Management tab to display the View drop down list in the navigation pane.

    3. Click Users in the View drop down list.

    4. Scroll down as needed to the authless anonymous user and click the accompanying arrow to bring up the authlessanonymous page in the data pane.

      Now you can add the SSO Adapter service to the authless anonymous user.

    5. Click Services in the View drop down list within the authlessanonymous page to display the available services.

    6. Click Add.

    7. Click the checkbox for SSO Adapter.

    8. Click Save.

  2. Create a calendar SSO Adapter configuration for the authless anonymous user.

    1. If not already logged in, log into the Sun Java System Portal Server administration console.

    2. Click the Identity Management tab to display the View drop down list in the navigation pane.

    3. Select Services in the View drop down list to display the list of configurable services.

    4. Click the arrow next to SSO Adapter to display the SSO Adapter page in the data pane.

    5. In the blank configuration description field, type in a group-oriented SSO Adapter configuration string (with a User ID and password). A typical configuration is provided below for your reference. The attributes available in this string can vary depending upon how you configured the Sun Java System Portal Server SSO Adapter template. By default the SSO Adapter template expects the user to specify the following information:

      • host

      • port

      • client port

      • uid

      • password

      If the configuration description field is not blank when you get to it, select all the text in the field and delete it before entering a string in the following format:

      default|undef://?uid:password@host:port/?configName=configuration-name&configDesc=configuration-description

      For example:

      default|undef://?libadmin:libadmin@example.com:3080/?configName=sunOneCalendar_librarySchedule&configDesc=SUN-ONE-CALENDAR

    6. Click Add.

    7. Click Save.

  3. Create a new calendar channel for the authless anonymous user that is based on the newly created SSO Adapter configuration.

    1. Log in to the Sun Java System Portal Server administration console.

    2. Click the Identity Management tab to display the View drop down list in the navigation pane.

    3. Click Users in the View drop down list.

    4. Scroll down to the authless anonymous user, and click the accompanying arrow.

      The authlessanonymous page appears in the data pane.

    5. Click Portal Desktop in the View drop down list.

      The Edit link is displayed.

    6. Click the Edit link.

    7. Click the Channel and Container Management link.

    8. Scroll down to the Channels section and click New.

    9. Enter a name in the Channel Name field. For example:

      LibraryScheduleChannel

    10. Choose the correct provider from the provider drop down list. For this example the correct provider is Calendar Provider.

    11. Click OK, which returns you to the Channel and Container Management page.

      Now you can edit the channel properties.

    12. Scroll down to the Channels section and click Edit Properties next to your newly created channel. For example:

      LibraryScheduleChannel

    13. Edit fields as appropriate. For example:

      • title: Library Schedule

      • description: Library Schedule

      • ssoAdapter: sunOneCalendar_librarySchedule

      • loadSubscribedCalendars: false (no checkmark)

      • is editable: false (no checkmark)

    14. Scroll as needed and click Save.

  4. Add the new calendar channel to Portal Desktop of the Authless Anonymous user:

    1. Near the top of the page, click Top, which returns you to the Channel and Container Management page.

    2. Scroll down the Container Channels section and click the link for the container that you want to add the new channel to. For example, MyFrontPageTabPanelContainer. Do not click the accompanying Edit Properties link.

    3. Under the Channel Management heading, click the name of the channel you just created.

      For example, LibraryScheduleChannel, in the Ready For Use list.

    4. Add the channel to the Available to End Users on the Content Page list or to the Visible on the Portal Desktop list.

      Click the Add button above the list for which you want to add the channel.

    5. Scroll back up the page to click Save under the Channel Management heading.

    6. Restart the web container.

Configuring Microsoft Exchange Server or IBM Lotus Notes

Besides supporting Sun Java System Messaging Server and Sun Java System Calendar Server for the communication channels, Sun Java System Portal Server also supports Microsoft Exchange Server and IBM Lotus Notes server.

ProcedureTo Configure Microsoft Exchange 5.5 Server for Address Book, Calendar, and Mail

  1. Log into your Primary Domain Controller (PDC) as an administrator of the domain.

  2. Select Start, Programs, Administrative Tools, User Manager for Domains and create an account with user name MAXHost.

  3. Select Groups and add MAXHost to the groups Administrators and Domain Admins.

  4. Ensure that MAXHost can log on locally to the MAIL_HOST, Domain Controllers, and MAX_HOST.

  5. Set the password.

  6. Log in to your Exchange 5.5 (MAIL_HOST) as MAXHost.

  7. Go to Start, Programs, Microsoft Exchange, Microsoft Exchange Administrator.

  8. For each end user, set permissions to the mailbox.

  9. To enable the permissions tab, go to Tools, Options, Permissions, and enable Show Permissions Page for All Objects.

  10. Double-click on the user name.

  11. Select the permissions tab and select Add from the permissions page to add MAXHost and leave role as User.

    Repeat steps 9 through 11 for each user who accesses the communication channels.

  12. Unzip the ocxhost.zip file located in the following directory:

    PortalServer-base/SUNWportal/export.

    When unzipping the file, you see the following file format:


    Archive: ocxhost.zip
    creating: ocxhost
    creating: ocxhost/international
    inflating:ocxhost/international/ocxhostEnglishResourceDll.dll
    inflating:ocxhost/ocxhost.exe

  13. Register ocxhost as follows:

    1. Locate the ocxhost.exe.

    2. Select Start and Run.

    3. Type the following in the Run window:

      ocxhost.exe /multipleuse

  14. To set the properties of ocxhost utility:

    1. Configure the necessary DCOM settings for the ocxhost utility using the dcomcnfg utility. That is:

      1. Select Start and Run.

      2. Type dcomcnfg and select OK.

      3. In the Distributed COM Configuration Properties dialog box:

      4. Select Default Properties tab:

        • Check the Enable Distributed COM on the computer check box.

        • Set the default Authentication Level to Connect.

        • Set the default Impersonation Level to Identify.

      5. Select the Applications tab.

      6. Double-click the ocxhost utility in the Properties dialog.

        The ocxhost properties window is displayed.

      7. Check Run Application on this Computer under the Location tab.

      8. Set Use custom access permissions, Use custom launch permissions, and Use custom configuration permissions under the Security tab.

      9. Select Edit for the Access, Launch, and Configuration settings and ensure that the following users are included in the Access Control List (ACL):

        • Interactive

        • Everyone

        • System

      10. Select a User under the Identity tab in the ocxhost properties window.

      11. Select Browse and locate the MAXHost.

      12. Enter the password and confirm the password.

      13. Select OK.

        The ocxhost DCOM component is now configured and ready to communicate with the Exchange Servers.

ProcedureTo Configure Microsoft Exchange 2000 Server for Address Book, Calendar, and Mail

To set up Portal Server to access Calendar data from an Exchange Server 2000 environment in a complex Windows 2000 Domain configuration, install ocxhost.exe on a dedicated System (called MAX_HOST).

Examples of a complex Domain configuration can be:

Installing ocxhost.exe on a dedicated machine is useful for two reasons:

The following instructions assume that:

MAX_HOST is the name of the dedicated Windows 2000 System running Outlook 2000 and where ocxhost.exe is installed.

MAIL_HOST is the Exchange Server on which the mailboxes of the end users reside.

PORTAL is the Java Enterprise System Portal Server 7 2005Q3.

DOMAIN is the Windows Domain with MAX_HOST and MAIL_HOST.

When setting up the dedicated Windows 2000 System (MAX_HOST) note the following requirements and assumptions:

  1. Create a User MAXHost in the Domain.

    1. Log into your Host (MAX_HOST) as an administrator of the domain.

    2. Select Start, Programs, Administrative Tools, Active Directory Users and Computers and create a domain account with user name MAXHost.

    3. Select User->Properties->Member of and add the group Administrators (local).

    4. Ensure that MAXHost can log on locally to the MAIL_HOST and MAX_HOST.

    5. Set the password.

  2. Configure Outlook for MAXHost user.

    1. Log in to your MAX_HOST System as Domain user MAXHost.

    2. Configure the Outlook Profile for the user MAXHost by starting Outlook (refer to Microsoft Documentation if required).

    3. Close Outlook after completing the Outlook setup for MAXHost user.


      Note –

      Outlook may not run concurrently with ocxhost.exe.


  3. Configure Microsoft Exchange Server for Address Book, Calendar, and Mail.

    1. Log in to your Exchange 2000 Server (MAIL_HOST) as MAXHost.

    2. If you are using an Exchange 2000 Front-End Server, log in to your front-end Server as MAXHost.

    3. Go to Start, Programs, Microsoft Exchange, Active Directory Users and Computers.

    4. For each end user, set permissions to the mailbox.

    5. Select View->Advanced Features.

    6. Double-click on the user name.

    7. Select the Exchange Advanced tab and select Mailbox Rights.

    8. Add MAXHost and give MAXHost full access.

      Repeat the preceding mailbox rights steps for each user who accesses the communication channels.

  4. Install ocxhost.exe on the MAX_HOST.

    1. Log in to MAX_HOST as domain user MAXHost.

    2. Unzip the ocxhost.zip file located in the following directory:

      PortalServer-base/SUNWportal/export.

      When unzipping the file, you see the following file format:

      Archive: ocxhost.zip
      creating: ocxhost
      creating: ocxhost/international
      inflating:ocxhost/international/ocxhostEnglishResourceDll.dll
      inflating:ocxhost/ocxhost.exe

    3. Register ocxhost as follows:

      1. Locate the ocxhost.exe file.

      2. Select Start and Run.

      3. Type ocxhost.exe /multipleuse and select OK.


        Note –

        Perform this registration only once. Each time this command is executed the DCOM settings described in the next step are cleared and need to be reconfigured.


    4. Configure the necessary DCOM settings for the ocxhost utility using the dcomcnfg utility.

    5. Select Start and Run.

    6. Type dcomcnfg and select OK.

    7. In the Distributed COM Configuration Properties dialog box select Default Properties tab and use the following settings:

      • Check the Enable Distributed COM on the computer check box.

      • Set the default Authentication Level to Connect.

      • Set the default Impersonation Level to Identify.

    8. Select the Applications tab.

    9. Double-click the ocxhost utility in the Properties dialog.

      The ocxhost properties window is displayed.

    10. Check Run Application on this Computer under the Location tab.

    11. Set Use custom access permissions, Use custom launch permissions and Use custom configuration permissions under the Security tab.

    12. Select Edit for the Access, Launch, and Configuration settings and ensure that the following users are included in the Access Control List (ACL):

      • Interactive

      • Everyone

      • System

    13. Select a User under the Identity tab in the ocxhost properties window.

    14. Select Browse and locate the MAXHost.

    15. Enter the password and confirm the password.

    16. Select OK.

      The ocxhost DCOM component is now configured and ready to communicate with the Exchange Servers. It is launched by RPC call when the first access from the Portal Server occurs.

  5. Change MAXHost users group.

    For security reasons you may want to remove the domain user from the Administrators group:

    1. Log out and log in again as Administrator on MAX_HOST.

    2. Remove the user MAXHost from the local Administrators group (and assign it to the Domain User Group).


      Note –

      Do not use a firewall between the Portal and the MAX_HOST.

      (RPC calls using dynamic ports are used for the communication from Portal Server to ocxhost.exe.)

      Do not use a firewall between the MAX_HOST and the MAIL_HOST.


ProcedureTo Configure Microsoft Exchange 2003 Server for Address Book, Calendar, and Mail

To set up Portal Server to access Calendar data from an Exchange Server 2003 environment in a complex Windows 2000 Domain configuration, install ocxhost.exe on a dedicated System (called MAX_HOST).

Examples of a complex Domain configuration can be:

Installing ocxhost.exe on a dedicated machine is useful for two reasons:

The following instructions assume that:

MAX_HOST is the name of the dedicated Windows 2000 System running Outlook 2000 and where ocxhost.exe is installed.

MAIL_HOST is the Exchange Server on which the mailboxes of the end users reside.

PORTAL is the Java Enterprise System Portal Server 7.1.

DOMAIN is the Windows Domain with MAX_HOST and MAIL_HOST.

When setting up the dedicated Windows 2000 System (MAX_HOST) note the following requirements and assumptions:

  1. Create a User MAXHost in the Domain.

    1. Log into your Host (MAX_HOST) as an administrator of the domain.

    2. Select Start, Programs, Administrative Tools, Active Directory Users and Computers and create a domain account with user name MAXHost.

    3. Select User->Properties->Member of and add the group Administrators (local).

    4. Ensure that MAXHost can log on locally to the MAIL_HOST and MAX_HOST.

    5. Set the password.

  2. Configure Outlook for MAXHost user.

    1. Log in to your MAX_HOST System as Domain user MAXHost.

    2. Configure the Outlook Profile for the user MAXHost by starting Outlook (refer to Microsoft Documentation if required).

    3. Close Outlook after completing the Outlook setup for MAXHost user.


      Note –

      Outlook may not run concurrently with ocxhost.exe.


  3. Configure Microsoft Exchange Server for Address Book, Calendar, and Mail.

    1. Log in to your Exchange 2003 Server (MAIL_HOST) as MAXHost.

    2. If you are using an Exchange 2003 Front-End Server, log in to your front-end Server as MAXHost.

    3. Go to Start, Programs, Microsoft Exchange, Active Directory Users and Computers.

    4. For each end user, set permissions to the mailbox.

    5. Select View->Advanced Features.

    6. Double-click on the user name.

    7. Select the Exchange Advanced tab and select Mailbox Rights.

    8. Add MAXHost and give MAXHost full access.

      Repeat the preceding mailbox rights steps for each user who accesses the communication channels.

  4. Install ocxhost.exe on the MAX_HOST.

    1. Log in to MAX_HOST as domain user MAXHost.

    2. Unzip the ocxhost.zip file located in the following directory:

      PortalServer-base/SUNWportal/export.

      When unzipping the file, you see the following file format:

      Archive: ocxhost.zip
      creating: ocxhost
      creating: ocxhost/international
      inflating:ocxhost/international/ocxhostEnglishResourceDll.dll
      inflating:ocxhost/ocxhost.exe

    3. Register ocxhost as follows:

      1. Locate the ocxhost.exe file.

      2. Select Start and Run.

      3. Type ocxhost.exe /multipleuse and select OK.


        Note –

        Perform this registration only once. Each time this command is executed the DCOM settings described in the next step are cleared and need to be reconfigured.


    4. Configure the necessary DCOM settings for the ocxhost utility using the dcomcnfg utility.

    5. Select Start and Run.

    6. Type dcomcnfg and select OK.

    7. In the Distributed COM Configuration Properties dialog box select Default Properties tab and use the following settings:

      • Check the Enable Distributed COM on the computer check box.

      • Set the default Authentication Level to Connect.

      • Set the default Impersonation Level to Identify.

    8. Select the Applications tab.

    9. Double-click the ocxhost utility in the Properties dialog.

      The ocxhost properties window is displayed.

    10. Check Run Application on this Computer under the Location tab.

    11. Set Use custom access permissions, Use custom launch permissions and Use custom configuration permissions under the Security tab.

    12. Select Edit for the Access, Launch, and Configuration settings and ensure that the following users are included in the Access Control List (ACL):

      • Interactive

      • Everyone

      • System

    13. Select a User under the Identity tab in the ocxhost properties window.

    14. Select Browse and locate the MAXHost.

    15. Enter the password and confirm the password.

    16. Select OK.

      The ocxhost DCOM component is now configured and ready to communicate with the Exchange Servers. It is launched by RPC call when the first access from the Portal Server occurs.

  5. Change MAXHost users group.

    For security reasons you may want to remove the domain user from the Administrators group:

    1. Log out and log in again as Administrator on MAX_HOST.

    2. Remove the user MAXHost from the local Administrators group (and assign it to the Domain User Group).


      Note –

      Do not use a firewall between the Portal and the MAX_HOST.

      (RPC calls using dynamic ports are used for the communication from Portal Server to ocxhost.exe.)

      Do not use a firewall between the MAX_HOST and the MAIL_HOST.


ProcedureTo Set Up SSO Adapter for Calendar

Set up SSO Adapter for Calendar if you are using a dedicated Server for ocxhost.exe (MAX_HOST).

  1. Create an SSO Adapter template.

    1. Log in to the Access Manager administration console.

    2. Select the Service Configuration Tab.

    3. Select SSOAdapter.

    4. Select New.

    5. Enter a name for your new template and select the existing EXCHANGE-CALENDAR from the list.

    6. Select Next.

    7. In the line for the ocxHost, enter the DNS name or IP address of the system where ocxhost.exe resides, in this case MAX_HOST.

    8. Select Save.

  2. Create an SSO Adapter configuration for your organization.

    1. From the Identity Management tab, select your organization.

    2. Select Services from the scroll down menu.

    3. Select SSOAdapter.

    4. Under SSO Adapter Configurations, select New.

    5. Enter a name for the configuration and select the previously created Template.

    6. Select Next.

    7. Modify the properties as needed.

      You can provide a default Host name, which is your MAIL_HOST (DNS name or IP address), or you can leave it blank.

    8. Select Save and note the message Changes Saved.

ProcedureTo Uninstall ocxhost.exe

Unregister ocxhost as follows:

  1. Locate the ocxhost.exe utility.

  2. Select Start and Run.

  3. Type the following in the Run window:

    ocxhost.exe /unregserver

  4. Delete the files ocxhost.exe and ocxhostEnglishResourceDll.dll

ProcedureTo Configure Lotus Domino Server for Address Book, Calendar, and Mail

  1. Open the Lotus Administrator by selecting Start, Programs, Lotus Applications, and Lotus Administrator.

  2. Go to Administration, Configuration, Server, Current Server Documents.

  3. In the Security tab, set the following settings:

    1. Under Java/COM Restrictions, set Run restricted Java/Javascript/COM and Run unrestricted Java/Javascript/COM to *.

    2. Under Security Settings, set:

      • Compare Notes Public keys against those stored in Directory to No.

      • Allow anonymous Notes connections to No.

      • Check Passwords on Notes IDs to Disabled.

    3. Under Server Access, set Only allow server access to users listed in this Directory to No.

    4. Under Web Server Access, set Web Server Authentication to More Name Variations with lower security.

  4. In the Ports tab:

    1. Select the Notes Network Ports tab and ensure that TCPIP is ENABLED.

    2. Select Internet Ports tab and the Web tab.

      1. Ensure that TCP/IP port status is Enabled.

      2. Under Authentication options, ensure that Name and password and Anonymous are Yes.

      3. Select the Directory tab and ensure that:

        • TCP/IP port status is Enabled.

          • Authentication options items Name and Password and Anonymous are Yes.

            • SSL port status is Disabled.

      4. Select the Mail tab and ensure that:

        • TCP/IP port status is Enabled.

        • Authentication options Name and Password and Anonymous are set as follows:

                             Mail (IMAP)   Mail (POP)   Mail (SMTP Inbound)   SMTP (Outbound)
          Name and Password  Yes           Yes          No
          Anonymous          N/A           N/A          Yes

      5. Select the IIOP tab and ensure that:

        • TCP/IP port status is Enabled.

        • Authentication options items Name and Password and Anonymous are Yes.

        • TCP/IP port number is not set to 0. It should be 63148.

        • SSL port status is Disabled.

    3. Select the Internet Protocols tab and the IIOP sub-tabs. Ensure that the Number of threads is at least 10.

  5. Save and close.

  6. Restart the server by typing the following in the Domino server console:

    restart server

    Restarting the server enables the settings to take effect.

  7. Enable DIIOP server by typing the following command in the console:

    load diiop

  8. Check to see if diiop_ior.txt has been generated at location:

    C:\Lotus\Domino\Data\domino\html\diiop_ior.txt

  9. Enable HTTP service by typing the following command in the console:

    load http

    • If another service is using port 80, the HTTP service does not start. Stop the service running on port 80 and retype the following in the console: load http

      Or

    • Use the existing service. To do this, copy the diiop_ior.txt file into the root or home directory of the web server running on port 80. You can include both the HTTP service and the DIIOP service in the notes.ini file to ensure that both services start when you start the server.

ProcedureTo Configure Portal Server to Access Lotus Notes

To access a Lotus Notes system using the Sun Java System Portal Server Mail and Calendar channels, you must add another file to the Sun Java System Portal Server. This file is called NCSO.jar. It must be obtained from the Lotus Notes product CD or the IBM web site.

This file is available with the Domino Designer and Domino Server products from IBM in the domino\java subdirectory. It is also available in a Web download from the following Web site:

http://www-10.lotus.com/ldd/toolkits

  1. Go to the Lotus Domino Toolkit link and then to the Java/Corba R5.0.8 update link.


    Note –

    The download file, which performs the extraction of this file and other files, is an .exe file.


  2. Place the NCSO.jar file in the global class path of the web container (web server or application server) as described in the subsequent sections about each of the four possible web containers. For three of the four web containers, the NCSO.jar file is placed in /usr/share/lib. The following table summarizes the steps that follow.

    The table outlines the process of placing the JAR file in the global class path by indicating where the NCSO.jar file can be placed: in the System Classpath or in the Portal WAR. The table also indicates if special instructions are needed. If so, they are included later in this section.

    Web Container                        System Classpath   Portal WAR   Special Instructions
    Sun Java System Web Server           Yes                Yes          N/A
    Sun Java System Application Server   Yes                Yes          N/A
    BEA WebLogic Server                  Yes                No           How to update system classpath
    IBM WebSphere Application Server     No                 Yes          How to prune JAR file

    The following instructions are provided for each web container:


    Note –

    To complete the following steps for your web container, you must have administrative rights to it. Also you should have access to the web container documentation to obtain detailed information on various web container processes and commands.

    For more information concerning the Sun Java System web containers, see Sun Java System Application Server Administrator’s Guide or Sun Java System Web Server, Enterprise Edition Administrator’s Guide.


Sun Java System Web Server

ProcedureTo Configure Lotus Notes with the Sun Java System Web Server

  1. Place the NCSO.jar in the following Sun Java System Portal Server directory:

    /usr/share/lib

  2. Update the web container class path to include:

    /usr/share/lib/NCSO.jar

    1. Launch the Sun Java System Web Server administration console.

    2. Select the Sun Java System Web Server instance.

    3. Click Manage.

    4. Select the Java tab.

    5. Select the JVM Path Settings.

    6. Add /usr/share/lib/NCSO.jar to the classpath suffix.

    7. Select OK.

    8. Select Apply.

  3. Restart the Sun Java System Web Server. Though often not mandatory, this practice is a good one.

ProcedureOptional Placement of the NCSO.jar file

  1. Place the NCSO.jar file in the following directory:

    PortalServer-base/SUNWportal/web-src/WEB-INF/lib

  2. Redeploy the web application with the following command:

    PortalServer-base/SUNWportal/bin/deploy redeploy

  3. Restart the web container.

Sun Java System Application Server

ProcedureTo configure Lotus Notes with Sun Java System Application Server

  1. Place the NCSO.jar in the following Sun Java System Portal Server directory:

    /usr/share/lib

  2. Update the web container class path to include /usr/share/lib/NCSO.jar using the Sun Java System Application Server administration console.

    1. Launch the Sun Java System Application Server administration console.

    2. Select the domain.

    3. Select the server instance.

    4. Select the JVM Settings tab in the server instance view.

    5. Select Path Settings under the JVM Settings tab.

    6. Add /usr/share/lib/NCSO.jar in the Classpath Suffix list.

    7. Select Save.

    8. Select Apply Changes under the General tab of the instance.

    9. Select Restart.

ProcedureOptional Placement of the NCSO.jar File

  1. Place the NCSO.jar file in the following directory:

    PortalServer-base/SUNWportal/web-src/WEB-INF/lib

  2. Redeploy the web application with the following command:

    PortalServer-base/SUNWportal/bin/deploy redeploy

    Where PortalServer-base represents the directory in which the Sun Java System Portal Server was originally installed.

  3. Restart the web container.

ProcedureTo Configure Lotus Notes With BEA WebLogic Server

  1. Place the NCSO.jar in the following Sun Java System Portal Server directory:

    /usr/share/lib

  2. Update the web container class path to include /usr/share/lib/NCSO.jar using the command line.

    1. Change directories to the web container install directory:

      WebContainer-base/bea/wlserver6.1/config

      Where WebContainer-base represents the directory in which the web container was originally installed.

    2. Change directories to the directory that contains the domain instance:

      mydomain

    3. Edit the startWebLogic.sh file using the editor of your choice.

    4. Add /usr/share/lib/NCSO.jar to the end of the CLASSPATH.


      Note –

      The startWebLogic.sh file may contain multiple CLASSPATH definitions. Locate the last definition of the variable and add the following string to the very end of the CLASSPATH:

      /usr/share/lib/NCSO.jar


    5. Restart the web container.

ProcedureConfiguring Lotus Notes For IBM WebSphere

  1. Prune the classes under org/w3c/dom/ and org/xml/sax/ from the NCSO.jar file and rejar.

    The classes should include the following:

    • org/w3c/dom/Document.class

    • org/w3c/dom/Node.class

    • org/xml/sax/InputSource.class

    • org/xml/sax/SAXException.class

    You can perform this task in many ways. Two examples are provided here. Follow the method that suits you best:

      • The following method requires you to manually unjar and rejar the file:

        1. Download and place the file in the following directory:

          /tmp/ncsoprune/work

        2. Unjar the file while it is in that directory.

        3. Remove the preceding four classes.

        4. Rejar the file.

      • The following method requires you to run a script that automates the jar and unjar logic.

        1. Download and place the file in the following directory:

          /tmp/ncsoprune/work

        2. Run the following script:


          #!/bin/ksh
          JAR=/usr/j2se/bin/jar
          JAR_FILE=NCSO.jar
          RM=/usr/bin/rm
          BASE_DIR=/tmp/ncsoprune
          WORK_DIR=${BASE_DIR}/work

          # cd to directory of jar file; stop if it does not exist
          cd $WORK_DIR || exit 1

          # unjar
          $JAR xvf $JAR_FILE

          # prune classes
          $RM $WORK_DIR/org/w3c/dom/Document.class
          $RM $WORK_DIR/org/w3c/dom/Node.class
          $RM $WORK_DIR/org/xml/sax/InputSource.class
          $RM $WORK_DIR/org/xml/sax/SAXException.class

          # jar
          $JAR cvf $BASE_DIR/$JAR_FILE META-INF com lotus org

  2. Place the re-jarred NCSO.jar file in the following directory:

    PortalServer-base/SUNWportal/web-src/WEB-INF/lib

  3. Redeploy the web application with the following command:

    PortalServer-base/SUNWportal/bin/deploy redeploy

    Where PortalServer-base represents the directory in which the Sun Java System Portal Server was originally installed.

  4. Restart the web container.
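
Step 1 of the WebSphere procedure modifies a vendor JAR by hand. The following Python sketch is an added example, not part of the original guide or of any Sun or IBM tooling: it prunes every entry under org/w3c/dom/ and org/xml/sax/ in memory and then audits the result, recording SHA-256 digests of both files and confirming that nothing else was removed, added or altered. The sample JAR is constructed inline with placeholder bytes; the function names and the com/lotus, lotus/domino and org/other entry names are assumptions made for illustration.

```python
import hashlib
import io
import zipfile

# Package prefixes that step 1 of the WebSphere procedure says to prune.
PRUNE_PREFIXES = ("org/w3c/dom/", "org/xml/sax/")


def build_sample_jar():
    """Constructed stand-in for NCSO.jar: placeholder bytes, not real classes."""
    names = [
        "META-INF/MANIFEST.MF",
        "com/lotus/Placeholder.class",      # constructed name
        "lotus/domino/Placeholder.class",   # constructed name
        "org/other/Kept.class",             # constructed: org/ content that must survive
        "org/w3c/dom/Document.class",
        "org/w3c/dom/Node.class",
        "org/xml/sax/InputSource.class",
        "org/xml/sax/SAXException.class",
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name in names:
            jar.writestr(name, b"constructed " + name.encode())
    return buf.getvalue()


def prune_jar(jar_bytes, prefixes=PRUNE_PREFIXES):
    """Copy every entry except those under the given prefixes.

    Returns (pruned_jar_bytes, sorted list of removed entry names).
    """
    removed = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename.startswith(prefixes):
                if not info.is_dir():
                    removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue(), sorted(removed)


def audit_prune(original, pruned, prefixes=PRUNE_PREFIXES):
    """Summarise what changed so the modified JAR can be traced to its source."""
    with zipfile.ZipFile(io.BytesIO(original)) as a, \
            zipfile.ZipFile(io.BytesIO(pruned)) as b:
        before, after = set(a.namelist()), set(b.namelist())
        # Every surviving entry should be byte-identical to the original.
        altered = sorted(n for n in after & before if a.read(n) != b.read(n))
    return {
        "sha256_original": hashlib.sha256(original).hexdigest(),
        "sha256_pruned": hashlib.sha256(pruned).hexdigest(),
        "leftover": sorted(n for n in after if n.startswith(prefixes)),
        "unexpected_removals": sorted(
            n for n in before - after if not n.startswith(prefixes)),
        "added": sorted(after - before),
        "altered": altered,
    }


if __name__ == "__main__":
    original = build_sample_jar()
    pruned, removed = prune_jar(original)
    print("removed:", removed)
    for key, value in audit_prune(original, pruned).items():
        print(f"{key}: {value}")
```

To audit a JAR produced by the ksh script instead, read the downloaded file and the re-jarred file as bytes and pass both to audit_prune.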

ProcedureTo Create a New User Under the Default Organization

  1. From an Internet browser, log on to the Sun Java System Portal Server administration console at http://hostname:port/psconsole, for example http://psserver.company22.example.com:80/psconsole

  2. Click the Identity Management tab to display the View drop down list in the navigation pane.

  3. Select Users in the View drop down list to display the User page.

  4. Click New to display the New User page in the data pane.

  5. Select the services to be assigned to the user.

    Select at a minimum Portal Desktop and SSO Adapter.

  6. Enter the user information.

  7. Click Create.

    The new user’s name appears in the Users list in the navigation pane.

Configuring the Mail Provider to Work with an HTTPS Enabled Sun Java System Messaging Server

The Mail channel automatically supports the HTTP protocol, but not the more secure HTTPS protocol. If your Sun Java System Messaging Server is enabled for HTTPS, however, you can follow the steps in this section to configure the Mail provider to work properly with the Sun Java System Messaging Server. These steps do not apply to Microsoft Exchange Server and IBM Lotus Notes server.

Web Container Facts and Considerations

In terms of configuring the mail provider for HTTPS for Sun Java System Messaging Server, the steps regarding the web container differ depending upon which web container you are using: Sun Java System Web Server, Sun Java System Application Server, BEA WebLogic Server, or IBM WebSphere Application Server. Regardless of which web container you use, you need administrative rights to it.

You should refer to the web container documentation for information on initializing a trust database, adding certificates, and restarting the web container. For more information on these tasks and other security-related issues concerning the Sun Java System web containers, see Sun Java System Application Server Administrator’s Guide to Security or Sun Java System Web Server, Enterprise Edition Administrator’s Guide.

ProcedureTo Configure the Mail Provider to Work with an HTTPS Enabled Sun Java System Messaging Server

  1. Initialize the trust database for the web container running Sun Java System Portal Server. For more information, refer to the proper documentation as discussed in the preceding paragraph.

  2. Install the SSL certificate for the Trusted Certificate Authority (TCA) if it is not already installed.

  3. Restart the web container. Even though restarting is not mandatory, this practice is a good one.

  4. Add a new SSO Adapter template specifically for HTTPS. The name of the template used in this example is SUN-ONE-MAIL-SSL, which is descriptive since the security protocol, SSL, is included in the name.


    Note –

    You can configure an SSO Adapter template and related SSO Adapter configurations in many ways. The steps presented subsequently explain a typical configuration. They describe how to create a new template and a new configuration since this is a safer practice than simply editing existing templates and configurations.

    If you are comfortable with the editing option, then proceed in that manner. If you change the name of the SSO Adapter template and SSO Adapter configuration as part of the edits you make, you also need to change the SSO Adapter name by editing the properties of the Mail channel.

    The two items you would need to edit in the SSO Adapter template or SSO Adapter configuration are:

    • clientProtocol

    • clientPort

    In creating a new SSO Adapter template for this example, the clientProtocol attribute is set as a default attribute. Therefore, it appears in an SSO Adapter template, not in an SSO Adapter configuration. The clientProtocol attribute must be changed from http to https. The edited template fragment for this attribute appears as follows:

    clientProtocol=https

    For this example, the clientPort attribute is set as a merge attribute. Therefore, it appears in an SSO Adapter configuration (see Web Container Facts and Considerations). If the clientPort attribute were set as a default attribute, it would appear in an SSO Adapter template. The client port should be changed to a port reserved exclusively for HTTPS. Here port 443 is used since the HTTPS protocol uses this port number as the default. The edited template fragment for this attribute appears as follows:

    &clientPort=443


    1. From an Internet browser, log in to the Sun Java System Portal Server administration console at http://hostname:port/psconsole, for example http://psserver.company22.example.com:80/psconsole

    2. Click the Service Configuration tab to display the list of configurable services in the navigation pane.

    3. Click the arrow next to SSO Adapter to bring up the SSO Adapter page in the data pane.

    4. Type a template name and select an existing template from the menu.

    5. Click Next.

    6. The Template Properties page appears.

    7. Modify the properties as needed.

      The template shown after these substeps is a typical configuration that is provided for your reference. The template you enter probably has different information. For example, you probably enter a different value for the configName property type unless you want to use the name SUN-ONE-MAIL-SSL. Furthermore, the attributes you set as default and merge probably differ from this example, depending upon the needs of your site.

    8. When done, click Save.


      default|imap:///?configName=SUN-ONE-MAIL-SSL&encoded=password
      &default=protocol&default=clientProtocol&default=type&default=subType
      &default=enableProxyAuth&default=proxyAdminUid&default=proxyAdminPassword
      &default=ssoClassName&merge=host&merge=port&merge=uid&merge=password
      &merge=smtpServer&merge=clientPort&clientProtocol=https&enableProxyAuth=false
      &proxyAdminUid=[PROXY-ADMIN-UID]&proxyAdminPassword=[PROXY-ADMIN_PASSWORD]
      &type=MAIL-TYPE&subType=sun-one
      &ssoClassName=com.sun.ssoadapter.impl.JavaMailSSOAdapter
      &default=enablePerRequestConnection&enablePerRequestConnection=false

      If more than one string that begins with the IMAP protocol exists, this is acceptable.

  5. Add a new SSO Adapter configuration specifically for HTTPS.

    The name of the configuration used in this example is sunOneMailSSL, because it is similar to the name used for the respective SSO Adapter template.


    Note –

    See the Note in the preceding step.


    1. From an Internet browser, log on to the Sun Java System Portal Server administration console at http://hostname:port/psconsole, for example http://psserver.company22.example.com:80/psconsole

    2. Click the Identity Management tab to display the View drop down list in the navigation pane.

    3. Click Services in the View drop down list.

    4. Scroll down the navigation pane to the Single Sign-on Adapter configuration heading and click the arrow next to SSO Adapter to bring up the SSO Adapter page in the data pane.

    5. Click in the blank configuration description field—which is just above the Add and Remove buttons.

    6. Click New under SSO Adapter Configuration to add an SSO adapter configuration.

    7. The New Configuration page appears.

    8. Type a configuration name and select an SSO Adapter template from the menu.

    9. Click Next.

    10. The Configuration Properties page appears.

    11. Modify the properties as needed.

    12. When done, click Save.

  6. Add a new Mail channel to Portal Desktop.

    The two preceding steps explained how to create a new SSO Adapter template and SSO Adapter configuration to create a new channel. In this step you make the channel available to end users.

    Choose a descriptive name for the new channel. The example name chosen here is SunOneMailSSLChannel.

    1. From an Internet browser, log on to the Sun Java System Portal Server administration console at http://hostname:port/psconsole, for example http://psserver.company22.example.com:80/psconsole

    2. Click the Identity Management tab to display the View drop down list in the navigation pane.

    3. Select Services in the View drop down list to display the list of configurable services.

    4. Under the Sun Java System Portal Server Configuration heading, click the arrow next to Portal Desktop to bring up the Portal Desktop page in the data pane.

    5. Scroll as needed and click the Manage Channels and Containers link.

    6. Scroll down to the Channels heading and click New.

    7. In the Channel Name field, type your site’s name for the new channel. For example, SunJavaMailSSLChannel.

    8. In the Provider drop down menu, select MailProvider.

    9. Click OK, which returns you to the Channel and Container Management Web page where the channel you just created now exists.

    10. Scroll down to the Channels heading and click Edit Properties next to the name of the channel you just created, which for this example is SunOneMailSSLChannel.

    11. Scroll down to the title field, select and delete any words that currently exist, for example mail, and type a provider title. A possible name is SSL Mail Account.

    12. In the description field, select and delete any words that currently exist, for example mail, and type a provider description. The same example is used here for description as for the title in the preceding substep: SSL Mail Account.

    13. Scroll down the page; select and delete any words that currently exist in the SSO Adapter field, for example sunOneMail; and type the same SSO Adapter configuration name that you used when adding the SSO Adapter configuration, which for this example is sunOneMailSSL.

    14. Scroll down and click Save.

    15. Scroll back up the page to click the word top, which is the first item following the words Container Path.

    16. Scroll down to the Container Channels heading and click the link for the container that you want to add the new channel to. For example, MyFrontPageTabPanelContainer. Do not click the accompanying Edit Properties link.

    17. Scroll down to the Channel Management heading, scroll as needed in the Ready For Use frame, and click the name of your newly created channel to select it.

      Remember, for this example the channel name is SunOneMailSSLChannel.

    18. Add the channel to the Available to End Users on the Content Page list or to the Visible on the Portal Desktop list.

      Click the Add button above the list for which you want to add the channel.

    19. Scroll back up the page and click Save under the Channel Management heading.

      You should now be able to log in and use an HTTPS enabled messaging server.
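
Step 4 of this procedure depends on clientProtocol and clientPort resolving to HTTPS values, with default attributes taken from the SSO Adapter template and merge attributes taken from the SSO Adapter configuration. The following Python sketch is an added example, not part of the original guide or of Portal Server: it parses the SUN-ONE-MAIL-SSL template shown in step 4 and reports anything that would leave the Mail channel on HTTP. The function names are assumptions, and the configuration values are passed as a constructed dictionary because the guide does not show a full configuration string.

```python
from urllib.parse import parse_qsl, urlsplit

# The SUN-ONE-MAIL-SSL template from step 4, joined into one string. The guide
# wraps it across lines; the bracketed placeholders are the guide's own.
TEMPLATE = (
    "default|imap:///?configName=SUN-ONE-MAIL-SSL&encoded=password"
    "&default=protocol&default=clientProtocol&default=type&default=subType"
    "&default=enableProxyAuth&default=proxyAdminUid&default=proxyAdminPassword"
    "&default=ssoClassName&merge=host&merge=port&merge=uid&merge=password"
    "&merge=smtpServer&merge=clientPort&clientProtocol=https&enableProxyAuth=false"
    "&proxyAdminUid=[PROXY-ADMIN-UID]&proxyAdminPassword=[PROXY-ADMIN_PASSWORD]"
    "&type=MAIL-TYPE&subType=sun-one"
    "&ssoClassName=com.sun.ssoadapter.impl.JavaMailSSOAdapter"
    "&default=enablePerRequestConnection&enablePerRequestConnection=false"
)


def parse_template(text):
    """Split a template into its default names, merge names and fixed values."""
    text = "".join(text.split())            # drop line-wrap whitespace
    _, _, url = text.partition("|")
    parts = urlsplit(url)
    parsed = {"scheme": parts.scheme, "default": [], "merge": [], "values": {}}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key in ("default", "merge"):
            parsed[key].append(value)       # declaration: the value is an attribute name
        else:
            parsed["values"][key] = value   # fixed value carried by the template
    return parsed


def https_findings(template, config_values, https_port="443"):
    """Return a list of problems that would leave the Mail channel on HTTP."""
    t = parse_template(template)
    findings = []
    for name in sorted(set(t["default"]) & set(t["merge"])):
        findings.append(f"{name} is declared as both default and merge")
    for name in t["merge"]:
        if name in t["values"]:
            findings.append(f"{name} is a merge attribute but has a value in the template")
    # Resolve each attribute where the guide says it lives: default attributes
    # in the template, merge attributes in the SSO Adapter configuration.
    resolved = {}
    for name in ("clientProtocol", "clientPort"):
        if name in t["default"]:
            resolved[name] = t["values"].get(name)
        elif name in t["merge"]:
            resolved[name] = config_values.get(name)
        else:
            findings.append(f"{name} is not declared as default or merge")
    if "clientProtocol" in resolved and resolved["clientProtocol"] != "https":
        findings.append(f"clientProtocol resolves to {resolved['clientProtocol']!r}, not 'https'")
    if "clientPort" in resolved and resolved["clientPort"] != https_port:
        findings.append(f"clientPort resolves to {resolved['clientPort']!r}, not {https_port!r}")
    return findings


if __name__ == "__main__":
    # Constructed configuration values for the sunOneMailSSL configuration.
    print(https_findings(TEMPLATE, {"clientPort": "443"}))
    print(https_findings(TEMPLATE.replace("clientProtocol=https", "clientProtocol=http"),
                         {"clientPort": "80"}))
```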

Configuring Instant Messaging Server

After installing Instant Messaging server, you need to manually configure it for Portal Server.

ProcedureTo Configure Instant Messaging Server

  1. Install Instant Messaging Server.

  2. Run the following command to configure Instant Messaging server.

    Instant-Messaging-server-base/SUNWiim/configure

    The Instant Messaging configurator appears.

  3. Type the following values in the configurator pages:

    Components
        Select the following components: Instant Messaging Server, Instant Messenger Resources Identity Server, and Instant Messaging Service.

    Server Components, Client components
        Select these options.

    Use Access Manager for Single Sign-on, Use Access Manager for Policy
        Select these options.

    User ID, Group ID, Runtime Directory
        Type the user ID and group ID. For example, in Solaris 10, these values are root and root respectively.
        The default value of runtime directory is /var/opt/SUNWiim.

    Domain Name
        Type the domain name.

    XMPP port
        By default, it is 522.

    Multiplexed XMPP port
        By default, it is 4522.

    Disable Server
        Do not select this option.

    Ldap hostname
        It is machine-name.host-name.

    Ldap Port Number
        By default, it is 389.

    Base dn
        By default, it is dc=sun,dc=com.

    Bind dn
        By default, it is cn=Directory Manager.

    Bind Password
        Type the password.

    Enable E-mail Integration, Smtp server, Enable E-Mail Archiving
        Select this option.
        Provide the domain name.
        Select this option.

    Deploy Messenger Resources, Codebase Web Administration URL, Web Administrator User Id, Web Administrator User Password
        Provide the details.

    Deploy IM HTTP Gateway, Context Root, Web Administration URL, Web Administrator User Id, Web Administrator User Password
        Provide the details.

    Enable Calendar Agent
        Select this option if you wish to enable the calendar agent.

    Start Services After Successful Configuration, Start Services When System start
        Select these options.

  4. Click Done.

ProcedureTo Configure Instant Messaging Server in Portal Server

  1. Log in to Portal Server desktop.

  2. Click the Edit button displayed with the Instant Messaging portlet.

    The Instant Messaging portlet is displayed in the Edit mode.

  3. Provide the following details.

    Launch Method
        The launch method can be Java Plugin or Java Web Start.

    Server Hostname
        The fully qualified domain name of the machine where you installed Messaging Server.

    Server Port
        The port on which the Messaging Server is running.