Sametime Security and Authentication
Eli M. Harris
Collaboration

What We'll Cover ...
• Understanding Sametime Security Methods
• Using Domino Authentication
• Using LDAP Authentication
• Configuring Sametime Connectivity
• Authenticating Sametime with other Products
User Identification
• Anonymous access
  - Recommended for intranet access only
  - Allows anyone to access the Sametime server and databases, with or without a person document in the Sametime directory
• Authenticated access
  - User name and password are verified in a known directory before access is granted
Standard Domino Security
Don't Forget
• Database ACL rules also apply
  - Anonymous entry in the ACL
  - Default entry applies to all authenticated users not otherwise found in the ACL
  - Maximum Internet Name and Password access setting
• Server document Internet port settings
  - Name and password required: Yes/No
  - Anonymous access permitted: Yes/No
Using an LDAP Directory
• Lightweight Directory Access Protocol (LDAP) is a standard TCP/IP protocol for accessing directory services
• Examples of public LDAP servers: Bigfoot, Four11, SwitchBoard
• Sametime must be configured to operate as a client to an LDAP server
Using an LDAP Directory (continued)
Resource
• For more information on using an LDAP directory in Domino
  - Go to http://www.e-promag.com
  - Article #2724, "Using LDAP in Domino" by Chris Miller
• See also: Beyond the Basics of LDAP (Chris Miller)
Managing Multiple Authentication Sources
• Directory Assistance
  - Used to extend client authentication and name lookups to secondary Domino directories and to LDAP directories
• Extended Directory Catalog
  - Allows you to aggregate directory information from several different Domino directories
Managing Multiple Authentication Sources (continued)
• Can you see the directories cascaded in the Domino Administrator under People and Groups?
• Possible causes of failure
  - Cross certification
  - Insufficient access to the target directory ACL
• You can also set up a location using the Sametime server as the home server and attempt to address an e-mail message
Troubleshooting Authentication
• How do you troubleshoot Sametime authentication?
• Can the user log in using the Sametime Connect client?
• Can the user log in using the Sametime Meeting Room client?
• Can the user log in to another database unrelated to Sametime (such as names.nsf) via HTTP?
• These answers help isolate where the problem lies
Domino Single Sign-on
• Default authentication method for Sametime 3
• How Domino Single Sign-on works
  - Creates an LTPA token when a user is authenticated
  - This token is stored in the user's browser as a cookie
  - When the user tries to access restricted areas, the token is presented and appropriate access is granted
LTPA Tokens
Issue
• Things to know about LTPA tokens
  - Requires the user to have cookies enabled in their browser
  - Users must enter the fully qualified domain name of the Sametime server (example: Sametime.sunandson.com, not Sametime)
  - The same LTPA token can be used to authenticate when the user accesses other servers in the same DNS domain during a single browser session
Sametime Secrets and Tokens Authentication System
• Using the Secrets and Tokens authentication system
  - A way of improving security at the authentication level, as opposed to encryption or other levels
• Enhances security in the following areas
  - Sametime-enabled databases deployed on a Domino server
  - Multiple Sametime servers in a Domino domain
Sametime Secrets and Tokens Authentication System (continued)
• Required for use of third-party authentication systems that use the Domino Directory Services API (DSAPI)
  - For example, Netegrity SiteMinder
• How Secrets and Tokens work
  - Uses two databases to generate keys that allow users to move from one network to another after authenticating with a user name and password
Configuring Sametime to use LDAP
• Select the LDAP option during the installation
  - LDAP server name
  - Port number (default is 389)
• Modify the Directory Assistance document in the Directory Assistance database (DA.NSF) to specify the DN
• Configure the LDAP directory settings from the Sametime administration tool
Configuring Sametime to use LDAP (continued)
• What do you do if you didn't choose LDAP during the installation?
  - No LDAP option will be available in the Sametime administration tool
  - Must be manually configured
• Create an LDAP document in the Directory Assistance database
• Configure the LDAP server settings using a Notes client
  - Open the Sametime Configuration database (STCONFIG.NSF)
  - Choose Create > Other > LDAP Server
Using SSL to encrypt LDAP connections in Sametime
• Sametime makes 5 separate connections to the LDAP server
  - When authenticating users
  - When resolving user names during login
  - When resolving user and group names in response to 'Add a Person or Group'
  - When browsing the directory
  - When getting the content of public groups
• Must be enabled in both Sametime and DA
Using SSL to encrypt LDAP connections in Sametime (continued)
Note
• Sametime offers different options for encrypting LDAP connections
• Encrypt all data
  - The most secure: encrypts all 5 connections
• Encrypt only user passwords
  - Intermediate level of security
  - Must modify Sametime.ini as follows:
    [Directory]
    ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS=1
• Can slow server performance
Sametime Connectivity
Lesson
• Having trouble with Sametime and your firewall?
• You need to know which ports Sametime uses by default
  - Knowing these ports will also help you pass your Sametime Administration certification exam
• You also need to know where to change these port settings
• Which port settings will affect which Sametime service?
Configuring Basic Sametime Ports
• Configured in the Server document
• Internet Web Ports
  - HTTP: default 80 (default 8088 if tunneling is enabled)
  - SSL: default 443
• Internet Directory Ports
  - LDAP: default 389
Configuring Community Services Ports
• Configured in Sametime Administration
• Listening for connections from other Sametime servers: default 1516
• Listening for direct Sametime client connections: default 1533
• Listening for HTTP connections: default 8082
  - Also allows Sametime to tunnel on port 80
Configuring Meeting Services Ports
• Configured in Sametime Administration
• Listening for connections from other Sametime servers or T.120 connections: default 1503
• Listening for direct Meeting Room client connections: default 8081
• Listening for HTTP connections when direct Meeting Room connections fail: default 80 (used for HTTP tunneling)
Configuring Broadcast Services Ports
GOTCHA!
• Configured in Sametime Administration
• Listening for Real-time Streaming Protocol (RTSP) call control connections from Sametime Broadcast clients: default 554
  - Also used for connections from HTTP proxy servers
• Broadcast gateway address for control connections: uses this port for internal connections, default 8083
  - Do not change this setting unless absolutely necessary
Configuring Broadcast Services Ports (continued)
Decision Point
• Time to Live (TTL) should also be configured
  - Specifies how long the multicast traffic will propagate on the network before being discarded
  - The farther apart the servers are geographically, the longer the TTL should be
• What should the TTL be?
Configuring Audio/Video Services Ports
• Which port does Sametime use for audio/video control connections?
  - Uses the port setting for the Meeting Room client: default 8081
  - Uses this port for call control functions
• Listens for call setup connections from H.323-compliant clients: default port 1720
  - Also uses TCP ports 49152-65535 for the H.245 protocol used by H.323 clients
Configuring Audio/Video Services Ports (continued)
Warning
• Uses a dynamic UDP port range for inbound audio/video streams: default 49252-65535
• Port used to tunnel audio and video streams: default 8084
  - If UDP is unavailable, this port is used to tunnel the A/V stream using TCP instead of UDP
• Don't try to tunnel everything on port 80
HTTP Tunneling
• One of the best features of Sametime: it extends Sametime through firewalls
• The Community, Meeting, and Broadcast services use port 80 to connect to the Community Services Multiplexer (MUX)
• The Multiplexer can distinguish between different types of HTTP connection requests
• The MUX then creates intraserver connections to pass the data
HTTP Tunneling (continued)
Tradeoff
• Audio/Video and tunneling
  - The audio/video control connection requires either a direct TCP/IP connection or a connection through a SOCKS proxy
  - Default port: 8084
  - If the Meeting Services connection occurred using HTTP tunneling, audio/video is not supported!
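As an added example (not code from the deck), a small Python model of the client-side port rules on these slides: which services connect directly, which fall back to HTTP tunneling through the MUX on port 80, and when audio/video is lost. The FirewallPolicy inputs are constructed; the port numbers are the defaults quoted above.

```python
"""Added example, not from the original deck: given the TCP ports and UDP
ranges a firewall lets a Sametime client reach, work out how each client
service connects (directly, tunnelled through the MUX on port 80, or not at
all) and whether audio/video survives. Default ports are the ones the slides
list; the FirewallPolicy values passed in are constructed samples."""
from dataclasses import dataclass, field

COMMUNITY_DIRECT = 1533        # direct Sametime Connect client connections
MEETING_DIRECT = 8081          # direct Meeting Room client and A/V control
HTTP_TUNNEL = 80               # MUX accepts tunnelled community/meeting traffic
AV_TCP_FALLBACK = 8084         # A/V streams tunnelled over TCP when UDP is blocked
AV_UDP_RANGE = (49252, 65535)  # dynamic UDP range for inbound A/V streams

@dataclass
class FirewallPolicy:
    """Outbound ports a client may reach (constructed input, not a real ruleset)."""
    tcp_ports: set
    udp_ranges: list = field(default_factory=list)  # (low, high) tuples

    def tcp_open(self, port):
        return port in self.tcp_ports

    def udp_range_open(self, low, high):
        # The whole dynamic range must be reachable, not just part of it
        return any(lo <= low and high <= hi for lo, hi in self.udp_ranges)

def _path(policy, direct_port):
    """Direct if the service port is open, else fall back to the MUX on port 80."""
    if policy.tcp_open(direct_port):
        return "direct"
    return "http-tunnel" if policy.tcp_open(HTTP_TUNNEL) else "blocked"

def assess(policy):
    """Return how community, meeting and audio/video services will connect."""
    result = {"community": _path(policy, COMMUNITY_DIRECT),
              "meeting": _path(policy, MEETING_DIRECT)}
    if result["meeting"] != "direct":
        # Tradeoff from the slides: a tunnelled meeting connection means no A/V
        result["audio_video"] = "unsupported"
    elif policy.udp_range_open(*AV_UDP_RANGE):
        result["audio_video"] = "udp"
    elif policy.tcp_open(AV_TCP_FALLBACK):
        result["audio_video"] = "tcp-tunnel"
    else:
        result["audio_video"] = "blocked"
    return result
```

Running assess(FirewallPolicy({80, 443})) shows the "web only" egress case from the slides: both services tunnel and audio/video is unsupported.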
Sametime Server Services and Ports
• Sametime has lots of services!
• Each service is an executable file
• The overview feature of the Sametime Administration tool lists the appropriate exe file name
• What can you do to help troubleshoot connectivity with one of these services on your Sametime server?
Sametime Server Services and Ports (continued)
Secret
• Launching these services separately in a DOS window will give you excellent debugging information
  - Disable or stop the service in Windows Services if necessary
  - Find the appropriate exe filename
  - Launch the service separately from a command line
Quickplace with Sametime
Next Steps
• Configuring Sametime awareness with Quickplace
• Need to set up multi-server session-based authentication for the Quickplace server so it shares the authentication token with the Sametime server
1. Add these settings to the NOTES.INI file on the Quickplace server:
   NoWebFileSystemACLs=1
   h_ScopeUrlInQP=1
2. Enable session-based authentication in the Domino Directory for the Quickplace server:
   a. Edit the Server document.
   b. Click the Internet Protocols - Domino Web Engine tab.
   c. Next to Session authentication, select multi-server.
3. If there is not a Domino Web Server Configuration database on the Quickplace server, perform the following:
   a. Create a database from the Domino Web Server Configuration (5.0) template and give it the file name DOMCFG.NSF.
   b. Open the new database.
   c. Choose Create - Mapping a Login Form.
   d. In the “Target Database file name” field, enter QUICKPLACE/RESOURCES.NSF.
   e. In the “Target form name” field, enter QuickPlaceLoginForm.
   f. Save the new form.
Final steps to configure QP3 with Sametime:
   a. From Domino Designer, open the database QUICKPLACE/RESOURCES.NSF.
   b. Open the QuickPlaceLoginForm.
   c. Copy the <Computed Value> field from this form to the login form in DOMCFG.NSF.
WebSphere Portal Server with Sametime
Resource
• Integrating WebSphere Portal Server gives you the ability to add online awareness to any aspect of your portal
• Many steps are required to allow these two products to integrate properly
• Here are some of the most important ones to know
WebSphere Portal Server with Sametime (continued)
• Check the portal environment properties file on the WebSphere Portal server for the following entries
  - <WASROOT>\lib\app\config\CSEnvironment.properties
    CS_Server_Domino_Directory.enabled=true
    CS_Server_Domino_Directory_1.hostname=www.lotus.com
    CS_Server_Sametime.enabled=true
• Check these settings on the Domino Server document
  - On the Basics tab, the fully qualified host name is correct
  - On the Ports tab, the Net Address of the TCPIP port is the fully qualified host name
  - On the Internet Protocols tab, HTTP sub-tab, the Host name field contains the fully qualified host name
WebSphere Portal Server with Sametime (continued)
• Domino LDAP-specific settings for the portal
  - Users wpsadmin, wpsbind, and wpsadmins need Reader access to the Domino Directory (directly or via a group)
  - A Domino LDAP configuration document must exist and the LDAP fields list must contain MailFile, Mail Server and http_hostName as available via LDAP
• Domino Single Sign-On settings
  - Import the LTPA token from WebSphere into the Web SSO document
  - Enter the same IP domain name in the TokenDomain field that was entered in WebSphere Admin when generating the token
  - Change the LDAP Realm manually to hostname\:389
WebSphere Portal Server with Sametime (continued)
• Ensure hostAddress.xml is correct on the WebSphere server
  - Located at <WASROOT>\PortalServer\app\wps.ear\wps.war\peopleawareness\hostAddress.xml
    <?xml version="1.0" encoding="UTF-8" ?>
    <sametime>
      <hostaddress>sametime.sunandson.com</hostaddress>
      <httpPort>80</httpPort>
    </sametime>
• Sametime.ini settings on the Sametime server
  - VPS_BYPASS_TRUSTED_IPS=1
  - or VPS_TRUSTED_IPS=IPAddress,IPAddress,...
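An added example, not part of the original deck: a Python lint over the three portal integration settings listed above (hostAddress.xml, CSEnvironment.properties and the Sametime.ini trusted-IP entries). The file contents are constructed samples modelled on the fragments on these slides, and the portal server's IP address is an assumed value.

```python
"""Added example, not from the original deck: a lint pass over the WebSphere
Portal awareness settings the slides list (hostAddress.xml, CSEnvironment.properties
and the Sametime.ini trusted-IP entries). All inputs are constructed samples
modelled on the slide fragments; the portal server's IP address is assumed."""
import re
import xml.etree.ElementTree as ET

HOST_ADDRESS_XML = ('<?xml version="1.0" encoding="UTF-8" ?>'
                    "<sametime><hostaddress>sametime.sunandson.com</hostaddress>"
                    "<httpPort>80</httpPort></sametime>")
CS_ENV_PROPERTIES = """CS_Server_Domino_Directory.enabled=true
CS_Server_Domino_Directory_1.hostname=www.lotus.com
CS_Server_Sametime.enabled=true
"""
SAMETIME_INI = "VPS_TRUSTED_IPS=192.0.2.10,192.0.2.11\n"  # constructed fragment
PORTAL_IP = "192.0.2.10"  # assumed address of the WebSphere Portal server
FQDN = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)

def parse_kv(text):
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue  # skip comments and [section] headers in .properties / .ini text
        key, _, value = line.partition("=")
        out[key.strip()] = value.strip()
    return out

def lint(xml_text, props_text, ini_text, portal_ip):
    """Return a list of problems; an empty list means the three files agree."""
    problems = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    host = root.findtext("hostaddress", "")
    if not FQDN.match(host):
        problems.append(f"hostAddress.xml: '{host}' is not a fully qualified host name")
    props = parse_kv(props_text)
    for key in ("CS_Server_Domino_Directory.enabled", "CS_Server_Sametime.enabled"):
        if props.get(key) != "true":
            problems.append(f"CSEnvironment.properties: {key} must be true")
    if not FQDN.match(props.get("CS_Server_Domino_Directory_1.hostname", "")):
        problems.append("CSEnvironment.properties: directory hostname is not fully qualified")
    ini = parse_kv(ini_text)
    trusted = {ip.strip() for ip in ini.get("VPS_TRUSTED_IPS", "").split(",") if ip.strip()}
    if ini.get("VPS_BYPASS_TRUSTED_IPS") == "1":
        # The slides offer this as an alternative to listing addresses; flag it so it is a deliberate choice
        problems.append("Sametime.ini: VPS_BYPASS_TRUSTED_IPS=1 set instead of an explicit VPS_TRUSTED_IPS list")
    elif portal_ip not in trusted:
        problems.append(f"Sametime.ini: portal address {portal_ip} is not in VPS_TRUSTED_IPS")
    return problems
```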
Online Resources
• When in doubt, search it out!
• Online Help
• Lotus Developer Domain: http://www.lotus.com/ldd
  - Download Sametime documentation: Sametime Installation Guide, Sametime Administrator's Guide, Sametime Audio/Video Guide and more!
  - Search the forum
• SearchDomino.com search engine
Your Turn!
Questions? Submit your questions now by clicking on the “Ask a Question” button in the bottom left corner of your presentation screen.
Thank you! You can send additional questions to Eli Harris via editor@searchdomino.com.