Sun Java System Communications Express 6.3 Administration Guide

Setting up Access Manager Single sign-on

This section provides information about how to set up Communications Express and Messenger Express to communicate with each other by using Access Manager Single sign-on.

If you have chosen to adopt Sun Java System LDAP Schema, v.2 as the schema model, you need to enable Access Manager in Communications Express to use Access Manager’s Single sign-on mechanism to obtain valid user sessions.

To enable Communications Express users to use Access Manager Single sign-on to access the mail module rendered by Messenger Express, you need to modify the Messenger Express specific parameters by using the configutil tool located at msg-svr_install_root/sbin/configutil. It is important to set the Messenger Express specific parameters explicitly after installation, because the installer does not set them. For more information about how to use the configutil tool, refer to Chapter 4, Configuring General Messaging Capabilities, of the Sun Java System Messaging Server Administration Guide.

When setting up Access Manager Single Sign-on, Communications Express and Access Manager can be deployed in both SSL and non-SSL modes, in the same web container instance or in different web container instances. When Access Manager and Communications Express are deployed in different web container instances, you need to configure the Access Manager Remote SDK on the system where Communications Express is deployed. The following is the list of the different deployment scenarios for Access Manager and Communications Express deployed in different web container instances in both SSL and non-SSL modes:

Setting the Properties to Enable Single Sign-on in Communications Express With Access Manager

Open the uwc-deployed-path/WEB-INF/config/uwcauth.properties file.

Modify the following Communications Express parameters in the uwcauth.properties file to enable Access Manager Single Sign-on.

uwcauth.identity.enabled
    Specifies whether Access Manager is enabled. Initially the value is set by the configuration wizard. Set the attribute to true to enable Access Manager, or to false to disable it.

uwcauth.identity.cookiename
    Specifies the cookie name used by Access Manager. The value of uwcauth.identity.cookiename should correspond to the value specified in the Access Manager configurator. The default cookie name used by Access Manager is iPlanetDirectoryPro.

uwcauth.identity.binddn
    Specifies the complete DN of amadmin. For example:

    uid=amAdmin, ou=People, o=siroe.example.com, o=example.com

    Note: The uwcauth.identity.binddn and uwcauth.identity.bindcred values should correspond to the values entered when you installed Access Manager. For example, uwcauth.identity.binddn=uid=amAdmin, ou=People, o=siroe.example.com, o=example.com and uwcauth.identity.bindcred=password.

uwcauth.identity.bindcred
    Specifies the password of amadmin.

uwcauth.http.port
    Specifies the port number that Communications Express listens on when Communications Express is configured on a non-SSL port. The default port number is 80.

uwcauth.https.port
    Specifies the HTTPS port number that Communications Express listens on when Communications Express is configured on an SSL port. The default HTTPS port number is 443.

identitysso.singlesignoff
    Specifies the single sign-off status. If set to true, logout destroys the Access Manager session completely and all applications participating in that Access Manager session are signed out. If set to false, only the Communications Express session is destroyed and the user is taken to the URL configured in identitysso.portalurl. The default is true.

identitysso.portalurl
    Specifies the URL to which Communications Express redirects. If Access Manager is enabled and single sign-off is set to false, Communications Express redirects to the URL assigned in identitysso.portalurl. By default Communications Express redirects to http://www.sun.com.

Set the value of the parameter uwcauth.messagingsso.enable to false when you set up Communications Express for Access Manager Single sign-on.

Communications Express will now use the Access Manager’s Single sign-on mechanism for obtaining valid user sessions.

To Deploy Access Manager and Communications Express in the Same Web Container Instance

  1. Open the IS-SDK-BASEDIR/lib/AMConfig.properties file.

  2. Make sure the following property is set in the AMConfig.properties file:

    com.iplanet.am.jssproxy.trustAllServerCerts=true

  3. Restart the web container for the changes to take effect.

    Access Manager and Communications Express deployed in the same web container instance in SSL mode can now use the Access Manager Single sign-on mechanism for obtaining valid user sessions.

To Deploy Access Manager and Communications Express in Different Web Container Instances

  1. Change directory to IS-INSTALL-DIR/bin.

  2. Copy the Access Manager IS-INSTALL-DIR/bin/amsamplesilent file.

    $ cp amsamplesilent amsamplesilent.uwc

  3. Edit the copy of amsamplesilent created in the previous step.

    Set the parameters to correspond to the deployment details as discussed in the next steps.

    If you are deploying the Access Manager SDK in a web container such as Sun Java System Web Server or Sun Java System Application Server, set DEPLOY_LEVEL to 4, that is, select the option “SDK only with container config.”

  4. Set the AM_ENC_PWD to the value of the password encryption key used during the installation of Access Manager.

    The encryption key is stored in the parameter am.encryption.pwd under:

    IS-INSTALL-DIR/lib/AMConfig.properties

  5. Set the NEW_INSTANCE to true.

  6. If you are deploying Access Manager SDK in Sun Java System Web Server, set WEB_CONTAINER to WS6.

    If you are deploying Access Manager SDK in Sun Java System Application Server, set the WEB_CONTAINER to AS7 or AS8.

    For a more detailed description on the other parameters in the amsamplesilent file and to help you configure the Access Manager Remote SDK parameters refer to Chapter 1, Identity Server 2004Q2 Configuration Scripts, in the Sun Java System Identity Server Administration Guide.

  7. Configure Access Manager SDK in the web container.

    Make sure the Directory Server that Access Manager uses is running.

  8. Start the web container instance in which the Access Manager SDK is deployed.

  9. Change directory to IS-INSTALL-DIR/bin.

  10. Type the following command:

    ./amconfig -s amsamplesilent.uwc

    Restart the web container instance for the configurations to take effect.

    Access Manager and Communications Express deployed in different web container instances, in SSL or non-SSL mode, will now use the Access Manager Single sign-on mechanism for obtaining valid user sessions.

    Refer to Compressing Server Response for Communications Express for instructions on enabling or disabling Access Manager after deploying Communications Express.

Enabling Single Sign-on in Messenger Express with Access Manager

Use the configutil command provided by Messaging Server to edit the Messenger Express related parameters.

Set the following Messenger Express parameters to enable Communications Express users to access Messenger Express by using Access Manager Single Sign-on.

local.webmail.sso.amnamingurl
    Enables SSO from Access Manager. The parameter should point to the URL that Access Manager uses to run the naming service. For example:

    configutil -o local.webmail.sso.amnamingurl -v http://siroe.example.com:85/amserver/namingservice

local.webmail.sso.uwcenabled
    Enables Communications Express to access Messenger Express. To disable, set the parameter to 0.

local.webmail.sso.uwclogouturl
    Specifies the URL that Messenger Express uses to invalidate the Communications Express session. If you have configured local.webmail.sso.uwclogouturl explicitly in Messenger Express, this value is used to log out. Otherwise, Messenger Express constructs the logout URL based on the HTTP host in the request header. For example:

    http://siroe.example.com:85/base/UWCmain?op=logout

    When Communications Express is not deployed under /, for example under /uwc, the value of this parameter might be as follows:

    http://siroe.example.com:85/uwc/base/UWCmain?op=logout

local.webmail.sso.uwcport
    Specifies the Communications Express port. For example, 85.

local.webmail.sso.uwccontexturi
    Specifies the URI path in which Communications Express is deployed. Specify this parameter only when Communications Express is not deployed under /. For example, if Communications Express is deployed in /uwc, then the URI path is local.webmail.sso.uwccontexturi=uwc.

local.webmail.sso.amcookiename
    Specifies the Access Manager session cookie name. Ensure that in the uwcauth.properties file, the value of uwcauth.identity.cookiename is set to the value of local.webmail.sso.amcookiename. For example, iPlanetDirectoryPro.

local.webmail.sso.uwchome
    Specifies the URL required to access the Home link.

Once Messenger Express specific parameters are set, Communications Express users can access Messenger Express by using the Access Manager Single sign-on.
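An added consistency check, not part of the Sun guide, that applies the cross-checks this section states between the uwcauth.properties settings and the Messenger Express configutil values (matching cookie names, uwcauth.messagingsso.enable off, the logout URL agreeing with uwccontexturi and uwcport). The function names and both sample listings are constructed for the example; the configutil values are represented as key=value lines, not as real configutil output.

```python
# Added example (not from the Sun guide): cross-checks uwcauth.properties against
# the Messaging Server configutil values using the rules stated in this section.
from urllib.parse import urlparse

def parse_properties(text):
    # Java .properties style key=value lines; '#' starts a comment (samples below are constructed)
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_sso_config(uwcauth, msgcfg):
    """Return the list of mismatches; an empty list means both sides agree."""
    problems = []
    if uwcauth.get("uwcauth.identity.enabled") != "true":
        problems.append("uwcauth.identity.enabled must be true")
    if uwcauth.get("uwcauth.messagingsso.enable") != "false":
        problems.append("uwcauth.messagingsso.enable must be false")
    if uwcauth.get("uwcauth.identity.cookiename") != msgcfg.get("local.webmail.sso.amcookiename"):
        problems.append("cookie name differs between uwcauth.properties and configutil")
    if uwcauth.get("identitysso.singlesignoff") == "false" and not uwcauth.get("identitysso.portalurl"):
        problems.append("identitysso.portalurl is required when single sign-off is false")
    logout = msgcfg.get("local.webmail.sso.uwclogouturl")
    if logout:  # an explicit logout URL must reflect the context URI and the port
        url = urlparse(logout)
        ctx = msgcfg.get("local.webmail.sso.uwccontexturi", "")
        expected = ("/" + ctx if ctx else "") + "/base/UWCmain"
        if url.path != expected or url.query != "op=logout":
            problems.append("uwclogouturl path should be %s?op=logout" % expected)
        port = str(url.port or (443 if url.scheme == "https" else 80))
        if port != msgcfg.get("local.webmail.sso.uwcport"):
            problems.append("port in uwclogouturl differs from local.webmail.sso.uwcport")
    return problems

UWCAUTH_SAMPLE = """
uwcauth.identity.enabled=true
uwcauth.identity.cookiename=iPlanetDirectoryPro
uwcauth.messagingsso.enable=false
"""
CONFIGUTIL_SAMPLE = """
local.webmail.sso.uwclogouturl=http://siroe.example.com:85/uwc/base/UWCmain?op=logout
local.webmail.sso.uwcport=85
local.webmail.sso.uwccontexturi=uwc
local.webmail.sso.amcookiename=iPlanetDirectoryPro
"""
```

Calling check_sso_config(parse_properties(UWCAUTH_SAMPLE), parse_properties(CONFIGUTIL_SAMPLE)) returns an empty list for the constructed samples; a differing cookie name or a logout URL that omits the /uwc context is reported.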

If you have deployed Messenger Express as MEM, ensure that the values of the following Messaging Server parameters are the same on mshttpd, a component of Messaging Server, at the back end and on MEM at the front end:

After setting the above values, restart the Messaging Server and the Web Container for the changes to take effect.