Sun Java System Messaging Server 6.3 Administration Guide

6.2 Trusted Circle SSO (Legacy)

This section describes trusted circle SSO. We do not recommend using this method of SSO since all future development will be with the Access Manager. However, there is some functionality available with trusted circle SSO that is not available with Access Manager SSO at this time. This section consists of the following sections:

6.2.1 Trusted Circle SSO Overview and Definitions

Before deploying SSO it is important to understand the following terminology.

6.2.2 Trusted Circle SSO Applications

Before implementing SSO, you must first consider which applications will be in this trusted circle. The applications which can be in this trusted circle are Messenger Express, Calendar Express, and the old iPlanet Delegated Administrator for Messaging (not recommended because it only supports Sun LDAP Schema 1).

Table 6–2 shows which applications can be accessed from each other via SSO. From a user’s point of view, logging into one of the applications on the first column, SSO works if the user is able to access application across the top row without having to re-enter user id and passwords.

Table 6–2 SSO Interoperability




Calendar Express  

Messenger Express  

Delegated Administrator  

Calendar Express 




Messenger Express 




Delegated Administrator 




6.2.3 Trusted Circle SSO Limitations

6.2.4 Example Trusted Circle SSO Deployment Scenarios

The simplest SSO deployment scenario consists of only Messenger Express and Delegated Administrator. A more complicated scenario can be created by adding Calendar Express—on the same machine or a different machine—using the same SSO prefix so they are in the same trusted circle. This is shown in Figure 6–1.

Figure 6–1 Simple SSO Deployment

This graphic shows a simple SSO Deployment.

An even more complex deployment would include Webmail Servers and load balancers.

Figure 6–2 Complex SSO Deployment

This graphics represents a complex SSO deployment.

6.2.5 Setting Up Trusted Circle SSO

This section describes setting up SSO for Messenger Express, Delegated Administrator, and Calendar Manager.

ProcedureTo Set Up SSO for Messenger Express, Delegated Administrator, and Calendar Manager

  1. Configure Messenger Express for SSO.

    1. Set the appropriate SSO configutil parameters.

      To enable single sign-on for Messenger Express with Delegated Administrator, set the configuration parameters as follows (assumes your default domain is These parameters are described in Table 6–3. You must be root user. cd to instance_root

      configutil -o local.webmail.sso.enable -v 1
      configutil -o local.webmail.sso.prefix -v ssogrp1

      ssogrp1 is the default SSO Prefix used by Delegated Administrator, although you can choose a different prefix, using the default would save a little typing when configuring Delegated Administrator and Calendar Server.

      configutil -o -v ims5

      ims5 is a name you pick to identify Messenger Express (ME) to other applications.

      configutil -o local.webmail.sso.cookiedomain -v “”

      The above domain must match the domain used by the ME/browser client to connect to the servers. Thus, although the hosted domain on this server may be called, we must use a real domain in the DNS. This value must start with a period.

      configutil -o local.webmail.sso.singlesignoff -v 1
      configutil -o local.sso.ApplicationID.verifyurl -v \

      ApplicationID is a name we give to the SSO application (example: ida for Delegated Administrator, ics50 for Calendar Server). ApplicationHost:port is the host and port number of the application. You will have one of these lines for each non-Messaging Server application. Example:

      configutil -o local.sso.ida.verifyurl -v \
    2. Restart Messenger Express http server after changing the configuration.

      cd instance_root./stop-msg http
      ./start-msg http
  2. Configure Directory Server for SSO.

    1. Create a proxy user account in the directory.

      The proxy user account allows the Delegated Administrator to bind to the Directory Server for proxy authentication. Using the following LDIF code (proxy.ldif) you could create a proxy user account entry using ldapadd.

      ldapadd -h -D "cn=Directory Manager" -w password -v -f proxy.ldif

      dn: uid=proxy, ou=people,, o=isp
      objectclass: top
      objectclass: person
      objectclass: organizationalperson
      objectclass: inetorgperson
      uid: proxy
      givenname: Proxy
      sn: Auth
      cn: Proxy Auth
      userpassword: proxypassword
    2. Create the appropriate ACIs for proxy user account authentication.

      Using the ldapmodify utility, create an ACI for each of the suffixes you created at the time you installed the Delegated Administrator.

      osiroot - The suffix you entered to store the user data (the default is o=isp). osiroot is the root of the Organization Tree.

      dcroot - The suffix you entered to store the domain information. (The default is o=internet.)

      osiroot - The suffix you entered to store the configuration information, it should have been the same value you entered to store the user data.

      The following is an example of an ACI entry (aci1.ldif) for the osiroot for the proxy user created earlier:

      dn: o=isp
      changetype: modify
      add: aci
      aci: (target="ldap:///o=isp")(targetattr="*")(version 3.0; acl
      "proxy";allow (proxy) userdn="ldap:///uid=proxy, ou=people,, o=isp";)

      ldapmodify -h -D "cn=Directory Manager" -w password -v 
      -f aci1.ldif

      Create a similar ACI entry (aci2.ldif) for the dcroot:

      dn: o=internet
      changetype: modify
      add: aci
      aci: (target="ldap:///o=internet")(targetattr="*")(version 3.0; acl 
      "proxy";allow (proxy) userdn="ldap:///uid=proxy, ou=people,, o=isp";)

      ldapmodify -h -D "cn=Directory Manager" -w password -v
      -f aci2.ldif
  3. Configure the Delegated Administrator

    1. Add the proxy user credentials and cookie name for context to the Delegated Administrator file.

      Uncomment and modify the following entries in the Delegated Administrator file:


      For example:

      LDAPDatabaseInterface-ldapauthdn= uid=proxy,ou=people,,o=isp

      The file is stored in the following location:


    2. Add the participating server’s verification URL.

      To verify a single sign-on cookie it receives, Delegated Administrator must know who to contact. You must provide a verification URL for all known participating servers.

      Following the example, assume Messenger Express is installed and its application ID is msg5. Edit the Delegated Administrator file and add an entry such as:


      The file is located in the following directory:


  4. Add Delegated Administrator single sign-on cookie information and enable UTF8 Parameter Encoding.

    1. Define a context identifier for Delegated Administrator.

      Edit the file and uncomment all lines containing the text servlet.*.context=ims50. Where * is any string.

      The file is located at:


    2. Specify a cookie name for the context in the Enterprise Server configuration.

      Edit the Enterprise Server file and add the following line to the bottom of the file before the #IDACONF-Start line:


      The file is located at:


    3. Enable UTF8 parameter encoding for ims5 contexts.

      To Enable UTF8 Parameter Encoding for ims5 Contexts in the Enterprise Server configuration add the following entry to the Enterprise Server file:


  5. Restart Messenger Express.

    After you’ve made the configuration changes described in steps 1a through 2c, you must restart Messenger Express for the changes to take effect:

  6. If you are deploying Calendar in this SSO group, configure Calendar Server.

    Edit ics.conf and add the following:

    sso.appid = "ics50"
    sso.appprefix = "ssogrp1"
    sso.cookiedomain = ""
    sso.enable = "1"
    sso.singlesignoff = "true"
    sso.userdomain = ""
  7. Restart Calendar Server


  8. Restart the Messenger Express http server:

    msg-svr-base/sbin/stop-msg http
    msg-svr-base/sbin/start-msg http

6.2.6 Messenger Express Trusted SSO Configuration Parameters

You can modify the single sign-on configuration parameters for Messenger Express, shown in 6.2.6 Messenger Express Trusted SSO Configuration Parameters, by using the configutil command. For more information about configutil, see the Sun Java System Messaging Server 6.3 Administration Reference

Table 6–3 Trusted Circle Single Sign-On Parameters




Sets the verify URL values for peer SSO applications. appid is the application ID of a peer SSO application whose SSO cookies are to be honored. For example, the default appid for Delegated Administrator is nda45.Its actual value is specified by the Delegated Administrator file entry NDAAuth-applicationID.

There should be one parameter defined for each trusted peer SSO application. The standard form of the verify URL is: 


If you are using a load balancer in front of multiple Webmail Servers and Message Store servers (running Messenger Express) or Calendar front ends, be sure to assign a different appid for each physical system with the real host names in the verifyurl. This will ensure that the correct system will be used to verify the cookie


The string value of this parameter is used to set the cookie domain value of all SSO cookies set by the Messenger Express HTTP server. The default value is null. 

This domain must match the DNS domain used by the Messenger Express browser to access the server. It is not the hosted domain name. 


Enables or disables all single sign-on functionality, including accepting and verifying SSO cookies presented by the client when the login page is fetched, returning an SSO cookie to the client on successful login and responding to requests from other SSO partners to verify its own cookies. 

If set to any non-zero value, the server performs all SSO functions. 

If set to zero, the server does not perform any of these SSO functions. 

The default value is zero.

The string value of this parameter is used as the application ID value when formatting SSO cookies set by the Messenger Express HTTP server. The default value is null. 

This is an arbitrary string. Its value must match what you specify for the Delegated Administrator in its file. The corresponding entry in would be:


Where XXX is the local.webmail.sso.prefix value set above, and YYY is the value of set here.


The string value of this parameter is used as the prefix value when formatting SSO cookies set by the Messenger Express HTTP server. Only SSO cookies with this prefix will be recognized by the server; all other SSO cookies will be ignored. 

A null value for this parameter effectively disables all SSO functionality on the server. 

The default value is null. 

This string must match what is used by the Delegated Administrator in its file without the trailing -. For example, if:


Then this value should be set here to ssogrp1.


The integer value of this parameter, if set to any non-zero value, clears all SSO cookies on the client with prefix values matching the value configured in local.webmail.sso.prefix when the client logs out. 

If set to zero, Messenger Express will clear its own SSO cookie when the client logs out. 

The default value is zero.