Sun Java System Communications Express 6 2005Q4 Administration Guide

Chapter 4 Implementing Single Sign-On

Single Sign-On allows an end user to authenticate once and use multiple applications without re-authenticating. For example, you can log in to Communications Express and use the calendar and mail applications without authenticating again, provided single sign-on is enabled in the calendar and mail applications. In Communications Express you can perform the following types of Single Sign-On:

  • Access Manager Single Sign-On
  • Messaging Single Sign-On

This chapter contains the following sections:

  • Setting up Access Manager Single Sign-On
  • Setting up Messaging Single Sign-On

Setting up Access Manager Single Sign-On

This section provides information on how to set up Communications Express and Messenger Express to communicate with each other using Access Manager Single Sign-On.

If you have chosen to adopt Sun Java System LDAP Schema, v.2 as the schema model, you need to enable Access Manager in Communications Express to use Access Manager’s Single Sign-On mechanism to obtain valid user sessions.

To enable Communications Express users to access the mail module rendered by Messenger Express using Access Manager Single Sign-On, you need to modify the Messenger Express specific parameters using the configutil tool located at msg-svr_install_root/sbin/configutil. It is important to explicitly set the Messenger Express specific parameters after install, because the installer does not set these parameters. For more information on using the configutil tool, refer to Chapter 4, Configuring General Messaging Capabilities, of the Sun Java System Messaging Server Administration Guide.

When setting up Access Manager Single Sign-On, Communications Express and Access Manager can be deployed in both SSL and non-SSL modes, either in the same web container instance or in different web container instances. When Access Manager and Communications Express are deployed in different web container instances, you need to configure the Access Manager Remote SDK on the system where Communications Express is deployed. The procedures below cover the deployment scenarios for Access Manager and Communications Express in the same and in different web container instances, in both SSL and non-SSL modes.

Procedure: To Enable Single Sign-On in Communications Express With Access Manager

Steps
  1. Open the uwc-deployed-path/WEB-INF/config/uwcauth.properties file.

  2. Modify the following Communications Express parameters in the uwcauth.properties file to enable Access Manager SSO.

    Parameter: uwcauth.identity.enabled
    Purpose: Specifies whether Access Manager is enabled. Initially the value is set by the configurator. Set the attribute to true to enable Access Manager, or to false to disable it.

    Parameter: uwcauth.identity.login.url
    Purpose: Specifies the Access Manager login URL. For example, uwcauth.identity.login.url=http://siroe.example.com:85/amserver/UI/login

    Parameter: uwcauth.identity.cookiename
    Purpose: Specifies the cookie name used by Access Manager. The value of uwcauth.identity.cookiename should correspond to the value specified in the Access Manager configurator. The default cookie name used by Access Manager is iPlanetDirectoryPro.

    Parameter: uwcauth.identity.binddn
    Purpose: Specifies the complete DN of amadmin. For example, uid=amAdmin, ou=People, o=siroe.example.com, o=example.com

    Note: The uwcauth.identity.binddn and uwcauth.identity.bindcred values should correspond to the values entered when installing Access Manager. For example, uwcauth.identity.binddn=uid=amAdmin, ou=People, o=siroe.example.com, o=example.com and uwcauth.identity.bindcred=password.

    Parameter: uwcauth.identity.bindcred
    Purpose: Specifies the password of amadmin.

    Parameter: uwcauth.http.port
    Purpose: Specifies the port number that Communications Express listens on when Communications Express is configured on a non-SSL port. The default port number is 80.

    Parameter: uwcauth.https.port
    Purpose: Specifies the HTTPS port number that Communications Express listens on when Communications Express is configured on an SSL port. The default HTTPS port number is 443.

    Parameter: identitysso.singlesignoff
    Purpose: Specifies the single sign-off status. If set to true, logout destroys the Access Manager session completely and all applications participating in this Access Manager session are signed out. If set to false, only the Communications Express session is destroyed and the user is taken to the URL configured in identitysso.portalurl. The default status is true.

    Parameter: identitysso.portalurl
    Purpose: Specifies the URL to which Communications Express is redirected. If Access Manager is enabled and single sign-off is set to false, Communications Express is redirected to the URL assigned to identitysso.portalurl. By default Communications Express is redirected to http://www.sun.com

  3. Set the value of the parameter uwcauth.messagingsso.enable to false when setting up Communications Express for Access Manager Single Sign-On.

    Communications Express will now use the Access Manager’s Single Sign-On mechanism for obtaining valid user sessions.

Procedure: To Deploy Access Manager and Communications Express in the Same Web Container Instance

Steps
  1. Open the IS-SDK-BASEDIR/lib/AMConfig.properties file.

    An example of IS-SDK-BASEDIR is /opt/SUNWam/lib.

  2. Make sure the following property is set in the AMConfig.properties file:

    com.iplanet.am.jssproxy.trustAllServerCerts=true

    AMConfig.properties is present in IS-SDK-BASEDIR/lib, for example /opt/SUNWam/lib.

    With this property set, the Access Manager SDK's JSS proxy accepts any server certificate presented on the SSL connection, so that connection is no longer protected by certificate validation.

  3. Restart the web container for the changes to take effect.

    Access Manager and Communications Express deployed in the same web container instance in SSL mode can now use the Access Manager’s Single Sign-On mechanism for obtaining valid user sessions.

Procedure: To Deploy Access Manager and Communications Express in Different Web Container Instances

Steps
  1. Change to IS-INSTALL-DIR/bin.

  2. Copy the Access Manager IS-INSTALL-DIR/bin/amsamplesilent file.

    cp amsamplesilent amsamplesilent.uwc

  3. Edit the copy of amsamplesilent created in the previous step.

    Set the parameters to correspond to the deployment details.

    If you are deploying the Access Manager SDK in a web container, such as Sun Java System Web Server or Sun Java System Application Server, set DEPLOY_LEVEL to 4, that is, select the option “SDK only with container config.”

  4. Set AM_ENC_PWD to the value of the password encryption key used during the installation of Access Manager.

    The encryption key is stored in the parameter am.encryption.pwd under:

    ${IS_INSTALL_DIR}/lib/AMConfig.properties

  5. Set NEW_INSTANCE to true.

  6. If you are deploying Access Manager SDK in Sun Java System Web Server, set WEB_CONTAINER to WS6.

    If you are deploying Access Manager SDK in Sun Java System Application Server, set the WEB_CONTAINER to AS7 or AS8.

  7. For a more detailed description of the other parameters in the amsamplesilent file, and for help configuring the Access Manager Remote SDK parameters, refer to Chapter 1, Identity Server 2004Q2 Configuration Scripts, in the Sun Java System Identity Server Administration Guide.

  8. Configure Access Manager SDK in the web container.

    Make sure the directory server that is used by Access Manager is running.

  9. Start the web container instance in which the Access Manager SDK will be deployed.

  10. Change directory to IS-INSTALL-DIR/bin.

  11. Run the following command:

    ./amconfig -s amsamplesilent.uwc

  12. Restart the web container instance for configurations to take effect.

    Access Manager and Communications Express deployed in different web container instances, in SSL or non-SSL mode, will now use the Access Manager’s Single Sign-On mechanism for obtaining valid user sessions.


    Note –

    Refer to Tuning Communications Express, for instructions on enabling or disabling Access Manager after deploying Communications Express.


Procedure: To Enable Single Sign-On in Messenger Express With Access Manager

Steps
  1. Run the configutil tool.

    msg-svr_install_root/sbin/configutil

    If you have deployed Messenger Express as MEM, ensure that the values of the following Messaging Server parameters are the same on mshttpd (a component of Messaging Server) at the back end and on MEM at the front end:

    • local.webmail.sso.uwclogouturl
    • local.webmail.sso.uwchome
    • local.webmail.sso.uwcenabled
    • local.webmail.sso.uwcport
    • local.webmail.sso.singlesignoff
    • local.webmail.sso.uwccontexturi
    • local.webmail.sso.amcookiename
    • local.webmail.sso.amnamingurl

  2. Set the following Messenger Express parameters to enable Communications Express users to access Messenger Express using Access Manager Single Sign-On.

    Parameter: local.webmail.sso.amnamingurl
    Purpose: Enables SSO from Access Manager. The parameter should point to the URL at which Access Manager runs the naming service. For example:

    configutil -o local.webmail.sso.amnamingurl -v http://siroe.example.com:85/amserver/namingservice

    Parameter: local.webmail.sso.uwcenabled
    Purpose: Enables Communications Express to access Messenger Express. To disable, set the parameter to 0.

    Parameter: local.webmail.sso.uwclogouturl
    Purpose: Specifies the URL Messenger Express uses to invalidate the Communications Express session. If you have configured local.webmail.sso.uwclogouturl explicitly in Messenger Express, this value is used to log out. Otherwise, Messenger Express constructs the logout URL from the HTTP Host header of the request. For example, http://siroe.example.com:85/base/UWCmain?op=logout. When Communications Express is not deployed under /, such as under /uwc, the value of this parameter may look like http://siroe.example.com:85/uwc/base/UWCmain?op=logout

    Parameter: local.webmail.sso.uwcport
    Purpose: Specifies the Communications Express port. For example, 85.

    Parameter: local.webmail.sso.uwccontexturi
    Purpose: Specifies the URI path in which Communications Express is deployed. Specify this parameter only when Communications Express is not deployed under /. For example, if Communications Express is deployed in /uwc, local.webmail.sso.uwccontexturi=uwc

    Parameter: local.webmail.sso.amcookiename
    Purpose: Specifies the Access Manager session cookie name. Ensure that in the uwcauth.properties file the value of uwcauth.identity.cookiename is set to the value of local.webmail.sso.amcookiename. For example, iPlanetDirectoryPro

    Parameter: local.webmail.sso.uwchome
    Purpose: Specifies the URL required to access the home link.

    Once the Messenger Express specific parameters are set, Communications Express users can access Messenger Express using Access Manager Single Sign-On.

Setting up Messaging Single Sign-On

This section explains how to set up Communications Express with Messaging Single Sign-On. If you have chosen to adopt Sun Java System LDAP Schema, v.1 as the schema model, you need to enable Messaging SSO in Communications Express to use the Messaging Single Sign-On mechanism for authentication.

When configuring Communications Express, the configuration wizard does not set any of the mandatory SSO related parameters. You need to manually set the required parameters as explained below. Also, note that Messaging SSO does not support virtual domains and Messenger Express will not run in SSL mode when Messaging SSO is enabled.

If you have deployed Messenger Express as MEM, ensure that the value of the following parameters in Messaging Server are the same at the backend and frontend:

Procedure: To Enable Communications Express Using Messaging SSO

Steps
  1. Open the uwc-deployed-path/WEB-INF/config/uwcauth.properties file.

  2. Modify the following mail specific parameters in the uwcauth.properties file to enable Communications Express to access Messenger Express.

    Parameter: uwcauth.appprefix
    Purpose: Specifies the prefix used to find cookies generated by other trusted applications during single sign-on. If the deployment uses Messaging SSO, this attribute should be assigned the value of local.webmail.sso.prefix set during Messaging Server configuration. The default value is iPlanetDirectoryPro

    Parameter: uwcauth.appid
    Purpose: Specifies the application ID for Communications Express. The default value is uwc.

    Parameter: uwcauth.cookiedomain
    Purpose: Specifies the domain name saved as part of the single sign-on cookie.

    Parameter: uwcauth.messagingsso.enable
    Purpose: Enables or disables Messaging single sign-on functionality. Set this parameter to true to enable single sign-on and to false to disable it. Also make sure that uwcauth.messagingsso.enable is set to false when setting up Communications Express for Access Manager Single Sign-On. The default value is true.

    Parameter: uwcauth.messagingsso.cookiepath
    Purpose: Specifies the URI path for which the single sign-on cookie is saved. The default value is /.

    Parameter: messagingsso.xxx.url
    Purpose: Specifies the URL used to verify the SSO cookie. Replace xxx with the application ID of the server. For example, to enable SSO with a Messaging Server whose application ID is “msg60”, add the following configuration parameter:

    messagingsso.msg60.url=http://servername/VerifySSO?

    The value of xxx must be identical to the value assigned to local.webmail.sso.id in Messenger Express. The default value is http://servername/VerifySSO?

    Parameter: messagingsso.uwc.url
    Purpose: When Communications Express is not deployed under /, such as under /uwc, the value of the parameter may look like http://servername:85/uwc/VerifySSO?

    Parameter: messagingsso.appid
    Purpose: Specifies the Messaging Server application ID. The value of messagingsso.appid should be the same as the local.webmail.sso.id set during Messaging Server configuration. The default value is ims.

    Parameter: messagingsso.ipsecurity
    Purpose: Determines whether session access is restricted to the login IP address. If set to true, the server remembers which IP address the user used to log in, and then allows only that IP address to use the session cookie it issues to the user while establishing SSO with Messaging Server. If set to false, Communications Express does not perform this IP address check, so use of the session is not restricted to the login address. The default value is true.

    Once the parameters are set in the uwc-deployed-path/WEB-INF/config/uwcauth.properties file, Communications Express users will be able to access Messenger Express using the Messaging Single Sign-On mechanism for authentication.

Procedure: To Enable Messenger Express Using Messaging SSO

Steps
  1. Run the configutil tool.

    msg-svr_install_root/sbin/configutil

  2. Set the following mail specific parameters using the configutil tool.

    Parameter: local.sso.<uwc-appid>.verifyurl
    Purpose: When Communications Express is not deployed under /, such as under /uwc, the default value of the parameter may look like http://siroe.example.com:85/uwc/VerifySSO?

    Parameter: local.webmail.sso.id
    Purpose: Specifies the value that is used to identify Messenger Express to other applications.

    Parameter: local.webmail.sso.cookiedomain
    Purpose: The string value of this parameter is used by the Messenger Express HTTP server to set the cookie domain of the SSO cookie. The value must begin with a period (.), for example “.example.com” when the fully qualified hostname is siroe.example.com. Ensure that the value specified for this parameter is the same as that entered for uwcauth.cookiedomain. For example, .example.com

    Parameter: local.webmail.sso.enable
    Purpose: Enables or disables Messaging single sign-on functionality. Set the value to 0 to disable Messaging single sign-on.

    Parameter: local.webmail.sso.prefix
    Purpose: Specifies the prefix used to find cookies generated by other trusted applications for SSO. Ensure this value corresponds to the value entered for uwcauth.appprefix.

    Parameter: local.webmail.sso.singlesignoff
    Purpose: If set to 1, when the user logs out the server removes all single sign-on cookies for the user matching the value of local.webmail.sso.prefix. If set to 0, the server removes only its own single sign-on user cookie.

    Parameter: local.webmail.sso.uwcenabled
    Purpose: Enables or disables Messenger Express access from Communications Express. Set to 1 to enable, or to 0 to disable, Messenger Express access from Communications Express.

    Parameter: local.webmail.sso.uwclogouturl
    Purpose: Specifies the URL used by Messenger Express to invalidate the Communications Express session. If you have configured local.webmail.sso.uwclogouturl explicitly in Messenger Express, this value is used to log out. Otherwise, Messenger Express constructs the logout URL from the HTTP Host header of the request. For example, http://siroe.example.com:85/base/UWCMain?op=logout. When Communications Express is not deployed under /, such as under /uwc, the default value of the parameter may look like http://siroe.example.com:85/uwc/base/UWCMain?op=logout

    Parameter: local.webmail.sso.uwcport
    Purpose: Specifies the Communications Express port. For example, 85.

    Parameter: local.webmail.sso.uwccontexturi
    Purpose: Specifies the path in which Communications Express is deployed. Specify this parameter only when Communications Express is not deployed under /. For example, if Communications Express is deployed in /uwc, local.webmail.sso.uwccontexturi=uwc

    Parameter: local.webmail.sso.uwchome
    Purpose: Specifies the URL required to access the home link. For example, http://www.sun.com

    Parameter: local.webmail.sso.ims.verifyurl
    Purpose: Specifies the URL used to verify the SSO cookie. For example, http://siroe.example.com/VerifySSO? Here it is assumed that webmail is deployed on port 80.

    Communications Express users will now be able to access Messenger Express using the Messaging Single Sign-On mechanism for authentication.
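The pairs of values that the Access Manager SSO tables and the Messaging SSO tables in this chapter require to agree (cookie name, cookie domain, prefix, application ID, context path, and the messagingsso.enable setting) can be cross-checked before the web container is restarted. The script below is an added example, not code from this guide or from the product: it parses a uwcauth.properties file and the Messenger Express settings set with configutil and lists every disagreement. The file contents are constructed samples, and the "name = value" layout used for the configutil settings is an assumption.

```python
import re
# Constructed sample of uwcauth.properties, deliberately inconsistent so the checks have something to report.
UWCAUTH_PROPERTIES = """\
uwcauth.identity.enabled=true
uwcauth.identity.cookiename=iPlanetDirectoryPro
uwcauth.messagingsso.enable=true
uwcauth.appprefix=iPlanetDirectoryPro
uwcauth.cookiedomain=.example.com
messagingsso.appid=ims
messagingsso.ipsecurity=false
"""
# Constructed Messenger Express values as set with configutil -o ... -v ...; the
# "name = value" layout is assumed (configutil's own listing format may differ).
CONFIGUTIL_VALUES = """\
local.webmail.sso.amcookiename = iPlanetDirectoryPro
local.webmail.sso.uwccontexturi = uwc
local.webmail.sso.uwclogouturl = http://siroe.example.com:85/base/UWCmain?op=logout
local.webmail.sso.prefix = iPlanetDirectoryPro
local.webmail.sso.cookiedomain = example.com
local.webmail.sso.id = msg60
"""
_LINE = re.compile(r"^\s*([\w.<>-]+)\s*[=:]\s*(.*?)\s*$")
def parse_settings(text):
    """Parse name=value, name = value or name: value lines into a dict; blanks and # comments are skipped."""
    out = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and not line.lstrip().startswith("#"):
            out[m.group(1)] = m.group(2)
    return out

def check_sso_consistency(uwc, msg):
    """Return the disagreements between the two sides as strings; an empty list means they agree."""
    f = []
    am = uwc.get("uwcauth.identity.enabled", "false").lower() == "true"
    msgsso = uwc.get("uwcauth.messagingsso.enable", "true").lower() == "true"
    if am and msgsso:
        f.append("uwcauth.messagingsso.enable must be false when uwcauth.identity.enabled is true")
    if am and uwc.get("uwcauth.identity.cookiename") != msg.get("local.webmail.sso.amcookiename"):
        f.append("uwcauth.identity.cookiename differs from local.webmail.sso.amcookiename")
    ctx, logout = msg.get("local.webmail.sso.uwccontexturi"), msg.get("local.webmail.sso.uwclogouturl", "")
    if ctx and logout and "/%s/" % ctx not in logout:  # uwclogouturl must carry the uwccontexturi path
        f.append("local.webmail.sso.uwclogouturl lacks the /%s/ context path" % ctx)
    if msgsso:  # Messaging SSO (LDAP Schema v.1) cross-checks
        if uwc.get("uwcauth.appprefix") != msg.get("local.webmail.sso.prefix"):
            f.append("uwcauth.appprefix differs from local.webmail.sso.prefix")
        dom = msg.get("local.webmail.sso.cookiedomain", "")
        if not dom.startswith(".") or dom != uwc.get("uwcauth.cookiedomain"):
            f.append("local.webmail.sso.cookiedomain must begin with a period and equal uwcauth.cookiedomain")
        appid = msg.get("local.webmail.sso.id", "")
        if uwc.get("messagingsso.appid") != appid or "messagingsso.%s.url" % appid not in uwc:
            f.append("messagingsso.appid must equal local.webmail.sso.id (%s) and messagingsso.%s.url must be set" % (appid, appid))
        if uwc.get("messagingsso.ipsecurity", "true").lower() != "true":
            f.append("messagingsso.ipsecurity is false: the SSO session is not bound to the login IP address")
    return f
```

Run it against the real uwcauth.properties and the output of configutil on the Messaging Server host; an empty result means the two sides agree on every value the tables above tie together.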