Sametime Security and Authentication Eli M. Harris Collaboration

Post on 29-Dec-2015

TRANSCRIPT

Page 1: Sametime Security and Authentication Eli M. Harris Collaboration

Sametime Security and Authentication

Eli M. Harris

Collaboration

Page 2

What We'll Cover ...

- Understanding Sametime Security Methods
- Using Domino Authentication
- Using LDAP Authentication
- Configuring Sametime Connectivity
- Authenticating Sametime with other Products

Page 3

Understanding Sametime Security Methods

Page 4

User Identification

- Anonymous access
  - Recommended for intranet access only
  - Allows anyone to access the Sametime server and databases, with or without a person document in the Sametime directory
- Authenticated access
  - User name and password verified in a known directory before access is granted

Page 5

Standard Domino Security

- Database ACL rules also apply
  - Anonymous entry in the ACL
  - Default entry applies to all authenticated users if not found in the ACL
  - Maximum Internet Name and Password access setting
- Server document Internet port settings
  - Name and password required: Yes/No
  - Anonymous access permitted: Yes/No

Don't Forget

Page 6

Using an LDAP Directory

- Lightweight Directory Access Protocol (LDAP) is a defined TCP/IP protocol for accessing directory services
- Examples of public LDAP servers: Bigfoot, Four11, SwitchBoard
- Sametime must be configured to operate as a client to an LDAP server

Page 7

Using an LDAP Directory (continued)

See also: Beyond the Basics of LDAP (Chris Miller)

For more information on using an LDAP directory in Domino:
- Go to http://www.e-promag.com
- Article #2724, "Using LDAP in Domino" by Chris Miller

Resource

Page 8

Managing Multiple Authentication Sources

- Directory Assistance
  - Used to extend client authentication and name lookups to secondary Domino directories and to LDAP directories
- Extended Directory Catalog
  - Allows you to aggregate directory information from several different Domino directories

Page 9

Managing Multiple Authentication Sources (continued)

- Can you see the directories cascaded in the Domino Administrator under People and Groups?
- Possible causes of failure
  - Cross certification
  - Insufficient access to the target directory ACL
- You can also set up a location using the Sametime server as the home server and attempt to address an e-mail message

Page 10

Troubleshooting Authentication

How do you troubleshoot Sametime authentication?

- Can the user log in using the Sametime Connect client?
- Can the user log in using the Sametime Meeting Room client?
- Can the user log in to another database unrelated to Sametime (such as names.nsf) via HTTP?

These answers can help find the issue

Page 11

Using Domino Authentication

Page 12

Domino Single Sign-on

- Default authentication method for Sametime 3
- How Domino Single Sign-on works
  - Creates an LTPA token when a user is authenticated
  - This token is stored in the user's browser as a cookie
  - When the user tries to access restricted areas, the token is presented and appropriate access is granted

Page 13

LTPA Tokens

Things to know about LTPA Tokens

- Requires the user to have cookies enabled in their browser
- Users must enter a fully qualified domain name of the Sametime server
  - Example: Sametime.sunandson.com, not Sametime
- The same LTPA token can be used to authenticate when the user accesses other servers in the same DNS domain during a single browser session

Issue
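The two LTPA points above (fully qualified name required; one token reused across servers in the same DNS domain) both come down to how a browser scopes a cookie to a domain. The following is an added example, not code from the deck or from Lotus: it models the browser side with the domain-matching rule of RFC 6265 (sections 5.1.3 and 5.3). The cookie name LtpaToken, the token value and the host names are assumed sample values.

```python
"""
Added example (not from the original deck): a small model of why the LTPA
SSO cookie only follows the user to servers addressed by their fully
qualified name inside the same DNS domain. The browser-side rule is the
domain-matching rule of RFC 6265 (sections 5.1.3 and 5.3); the cookie name
LtpaToken, the token value and the host names are assumed sample values.
"""
import ipaddress
from typing import Dict, List


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: the host equals the cookie domain, or ends with
    '.' + domain (and is not an IP literal). An unqualified name such as
    'Sametime' has no dots, so it can never match 'sunandson.com'."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".")
    if host == domain:
        return True
    return host.endswith("." + domain) and not _is_ip_literal(host)


class SsoCookie:
    """What the browser keeps: name, token value and the domain the issuing
    server scoped it to (the TokenDomain of the Domino Web SSO document)."""

    def __init__(self, name: str, value: str, domain: str) -> None:
        self.name, self.value = name, value
        self.domain = domain.lstrip(".").lower()


class BrowserJar:
    """Minimal in-memory cookie jar for one browser session."""

    def __init__(self) -> None:
        self._cookies: List[SsoCookie] = []

    def accept(self, request_host: str, cookie: SsoCookie) -> bool:
        """RFC 6265 section 5.3: a cookie whose Domain attribute does not
        cover the host that set it is discarded. This is the failure mode when
        a user logs in via 'http://Sametime/' instead of the FQDN."""
        if not domain_matches(request_host, cookie.domain):
            return False
        self._cookies.append(cookie)
        return True

    def cookies_for(self, request_host: str) -> Dict[str, str]:
        """Cookies the browser would present on a request to request_host."""
        return {c.name: c.value for c in self._cookies
                if domain_matches(request_host, c.domain)}


def login(jar: BrowserJar, login_host: str, token_domain: str, token: str) -> bool:
    """Simulate the Domino SSO step: after authentication the server sets the
    LTPA token scoped to token_domain. Returns True if the browser kept it."""
    return jar.accept(login_host, SsoCookie("LtpaToken", token, token_domain))


if __name__ == "__main__":
    jar = BrowserJar()
    print("login via FQDN accepted:", login(jar, "Sametime.sunandson.com", ".sunandson.com", "tok-1"))
    print("presented to mail.sunandson.com:", jar.cookies_for("mail.sunandson.com"))
    print("presented to bare 'Sametime':", jar.cookies_for("Sametime"))
    print("login via short name accepted:", login(BrowserJar(), "Sametime", ".sunandson.com", "tok-2"))
```

Running the block shows the token set after a login via the FQDN being presented to another server in sunandson.com, while a login via the short name "Sametime" never yields a stored token at all, which is the "Issue" the slide refers to. The same rule is why the token is never sent to a host outside the domain.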

Page 14

Sametime Secrets and Tokens Authentication System

Using the Secrets and Tokens Authentication system

- Way of improving security at the authentication level, as opposed to encryption or other levels
- Enhances security in the following areas
  - Sametime enabled databases deployed on a Domino server
  - Multiple Sametime servers in a Domino domain

Page 15

Sametime Secrets and Tokens Authentication System (continued)

- Required for use of 3rd party authentication systems that use the Domino Directory Services API (DSAPI)
  - For example, Netegrity SiteMinder
- How Secrets and Tokens work
  - Uses 2 databases to generate keys that allow users to move from one network to another after authenticating with a user name and password

Page 16

Using LDAP Authentication

Page 17

Configuring Sametime to use LDAP

- Select the LDAP option during the installation
  - LDAP Server Name
  - Port Number - Default is 389
- Modify the Directory Assistance document in the Directory Assistance database (DA.NSF) to specify the DN
- Configure the LDAP directory settings from the Sametime administration tool

Page 18

Configuring Sametime to use LDAP (continued)

What do you do if you didn't choose LDAP during the installation?

- No LDAP option will be available in the Sametime administration tool
- Must be manually configured
  - Create an LDAP document in the Directory Assistance database
  - Configure the LDAP server settings using a Notes client
    - Open the Sametime Configuration database (STCONFIG.NSF)
    - Choose Create > Other > LDAP Server

Page 19

Using SSL to encrypt LDAP connections in Sametime

- Sametime makes 5 separate connections to the LDAP server
  - When authenticating users
  - When resolving user names during login
  - Resolving user and group names as a response to 'Add a Person or Group'
  - Browsing the directory
  - Getting the content of public groups
- Must enable in both Sametime and DA

Page 20

Using SSL to encrypt LDAP connections in Sametime (continued)

- Sametime offers different options for encrypting LDAP connections
  - Encrypt all data
    - The most secure - encrypts all 5 connections
  - Encrypt only user passwords
    - Intermediate level of security
    - Must modify Sametime.ini as follows:
      [Directory]
      ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS=1
- Can slow server performance

Note

Page 21

Configuring Sametime Connectivity

Page 22

Sametime Connectivity

Having trouble with Sametime and your firewall?

You need to know which ports Sametime is using as default

Knowing these ports will help you pass your Sametime Administration certification exam

You also need to know where to change these port settings

Which port settings will affect which Sametime service?

Lesson

Page 23

Configuring Basic Sametime Ports

- Configured in the Server document
- Internet Web Ports
  - HTTP - Default 80; if tunneling is enabled - Default 8088
  - SSL - Default 443
- Internet Directory Ports
  - LDAP - Default 389

Page 24

Configuring Community Services Ports

- Configured in Sametime Administration
- Listening for connections from other Sametime servers
  - Default 1516
- Listening for direct Sametime client connections
  - Default 1533
- Listening for HTTP connections
  - Default 8082
  - Also allows Sametime to tunnel on port 80

Page 25

Configuring Meeting Services Ports

- Configured in Sametime Administration
- Listening for connections from other Sametime servers or T.120 connections
  - Default 1503
- Listening for direct Meeting Room client connections
  - Default 8081
- Listening for HTTP connections when direct Meeting Room connections fail
  - Default 80 - used for HTTP tunneling

Page 26

Configuring Broadcast Services Ports

- Configured in Sametime Administration
- Listening for Real-Time Streaming Protocol (RTSP) call control connections from Sametime Broadcast clients
  - Default 554
  - Also used for connections from HTTP proxy servers
- Broadcast gateway address for control connections
  - Uses this port for internal connections - Default 8083
  - Do not change this setting unless absolutely necessary

GOTCHA!

Page 27

Configuring Broadcast Services Ports (continued)

- Time to Live (TTL) should also be configured
  - Specifies how long the multicast traffic will propagate on the network before being discarded
  - The farther apart the servers are geographically, the longer the TTL should be
- What should the TTL be?

Decision Point

Page 28

Configuring Audio/Video Services Ports

- Which port does Sametime use for Audio/Video control connections?
  - Uses the port setting for the Meeting Room client - Default 8081
  - Uses this port for call control functions
- Listens for call setup connections from H.323 compliant clients
  - Default port 1720
  - Also uses TCP ports 49152 - 65535 for the H.245 protocol used by H.323 clients

Page 29

Configuring Audio/Video Services Ports (continued)

- Uses a dynamic UDP port range for inbound Audio/Video streams
  - Default 49252 - 65535
- Port used to tunnel audio and video streams
  - If UDP is unavailable, this port is used to tunnel the A/V stream using TCP instead of UDP
  - Default 8084
- Don't try to tunnel everything on port 80

Warning

Page 30

HTTP Tunneling

One of the best features of Sametime, which extends Sametime through firewalls

The Community, Meeting, and Broadcast services use port 80 to connect to the Community Services Multiplexer (MUX)

The Multiplexer can distinguish between different types of HTTP connection requests

The MUX then creates intraserver connections to pass the data

Page 31

HTTP Tunneling (continued)

- Audio/Video and Tunneling
  - The Audio/Video control connection requires either a direct TCP/IP connection or a connection through a SOCKS proxy
  - Default port - 8084
  - If the Meeting Services connection occurred using HTTP tunneling, Audio/Video is not supported!

Tradeoff
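The port slides (pages 23 to 29) and the tunneling tradeoff above are the checklist an administrator works through when a firewall sits between clients and the server. The following is an added example, not code from the deck or from Lotus: it probes each default TCP listening port the slides give and then reads the result the way the slides do (direct, HTTP-tunneled fallback, or blocked), including the rule that Audio/Video is unsupported once Meeting Services had to fall back to HTTP tunneling. The service labels, the `assess` rules and the placeholder host name are this example's own; the connector is injectable so the logic can be exercised offline against a simulated firewall policy.

```python
"""
Added example (not from the original deck): probe the default Sametime
listening ports collected from slides 23-31 and interpret the result the
way the slides do (direct connection, HTTP tunneling fallback, or blocked).
Port numbers are the slide defaults; service labels and the assess() rules
are this example's reading of the slides.
"""
import socket
from typing import Callable, Dict, List, Tuple

# (service, TCP port) defaults as listed on the slides.
DEFAULT_TCP_PORTS: List[Tuple[str, int]] = [
    ("Domino HTTP", 80),
    ("Domino HTTP when tunneling is enabled", 8088),
    ("Domino SSL", 443),
    ("Domino LDAP", 389),
    ("Community Services: other Sametime servers", 1516),
    ("Community Services: direct Sametime Connect clients", 1533),
    ("Community Services: HTTP connections", 8082),
    ("Meeting Services: other servers / T.120", 1503),
    ("Meeting Services: direct Meeting Room clients", 8081),
    ("Broadcast Services: RTSP call control", 554),
    ("Broadcast Services: gateway internal connections", 8083),
    ("Audio/Video: H.323 call setup", 1720),
    ("Audio/Video: TCP tunnel for A/V streams", 8084),
]

# Ranges the slides mention; a single-port probe says nothing about a range,
# so these are only reported.
DYNAMIC_RANGES: Dict[str, Tuple[int, int]] = {
    "Audio/Video: H.245 (TCP)": (49152, 65535),
    "Audio/Video: inbound A/V streams (UDP)": (49252, 65535),
}

Connector = Callable[[str, int], bool]


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_ports(host: str, connect: Connector = tcp_connect) -> Dict[int, bool]:
    """Try every default port once. `connect` is injectable so the logic can
    be run offline against a simulated firewall policy (see the test)."""
    return {port: connect(host, port) for _, port in DEFAULT_TCP_PORTS}


def assess(reachable: Dict[int, bool]) -> Dict[str, str]:
    """Map raw port reachability to the connection modes the slides describe."""
    def ok(port: int) -> bool:
        return reachable.get(port, False)

    report: Dict[str, str] = {}

    if ok(1533):
        report["community"] = "direct (1533)"
    elif ok(8082) or ok(80):
        report["community"] = "HTTP tunneled via the Community Services Multiplexer"
    else:
        report["community"] = "blocked"

    if ok(8081):
        report["meeting"] = "direct Meeting Room client (8081)"
    elif ok(80):
        report["meeting"] = "HTTP tunneled on port 80"
    else:
        report["meeting"] = "blocked"

    # Slide 31: A/V control needs a direct TCP/IP (or SOCKS) path; once
    # Meeting Services fell back to HTTP tunneling, Audio/Video is unsupported.
    if not ok(8081):
        report["audio_video"] = "unsupported (Meeting Services not reachable directly)"
    elif ok(1720):
        report["audio_video"] = ("available; streams use UDP 49252-65535 inbound, "
                                 "or the TCP 8084 tunnel if UDP is blocked")
    else:
        report["audio_video"] = "control path open but H.323 call setup (1720) blocked"

    report["broadcast"] = "RTSP control (554)" if ok(554) else "blocked"
    return report


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "sametime.example.invalid"  # placeholder
    results = probe_ports(host)
    for name, port in DEFAULT_TCP_PORTS:
        print(f"{port:>5}  {'open' if results[port] else 'closed'}  {name}")
    for name, (lo, hi) in DYNAMIC_RANGES.items():
        print(f"{lo}-{hi}  (range, not probed)  {name}")
    for service, verdict in assess(results).items():
        print(f"{service}: {verdict}")
```

Run it against your own server from the client side of the firewall; a result of "HTTP tunneled" for Meeting Services is exactly the situation in which the slide says Audio/Video will not work, so the fix is a rule for port 8081, not more tunneling on port 80.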

Page 32

Sametime Server Services and ports

- Sametime has lots of services!
  - Each service is an executable file
  - The overview feature of the Sametime Administration tool lists the appropriate exe file name
- What can you do to help troubleshoot connectivity with one of these services on your Sametime server?

Page 33

Sametime Server Services and ports (continued)

- Launching these services separately in a DOS window will give you excellent debugging information
  - Disable or stop the service in Windows Services if necessary
  - Find the appropriate exe filename
  - Launch the service separately from a command line

Secret

Page 34

Authenticating Sametime with other products

Page 35

Quickplace with Sametime

Configuring Sametime awareness with Quickplace

- Need to set up multi-server session-based authentication for the Quickplace server so it shares the authentication token with the Sametime server

1. Add these settings to the NOTES.INI file on the Quickplace server:
   NoWebFileSystemACLs=1
   h_ScopeUrlInQP=1

Next Steps

Page 36

Quickplace with Sametime (continued)

2. Enable session-based authentication in the Domino Directory for the Quickplace server:
   a. Edit the Server document.
   b. Click the Internet Protocols - Domino Web Engine tab.
   c. Next to Session authentication, select multi-server.
3. If there is not a Domino Web Server Configuration database on the Quickplace server, perform the following:
   a. Create a database from the Domino Web Server Configuration (5.0) template and give it the file name DOMCFG.NSF.

Page 37

Quickplace with Sametime (continued)

   b. Open the new database.
   c. Choose Create - Mapping a Login Form.
   d. In the "Target Database file name" field, enter QUICKPLACE/RESOURCES.NSF.
   e. In the "Target form name" field, enter QuickPlaceLoginForm.
   f. Save the new form.

Final steps to configure QP3 with Sametime
   a. From Domino Designer, open the database QUICKPLACE/RESOURCES.NSF.
   b. Open the QuickPlaceLoginForm.
   c. Copy the <Computed Value> field from this form to the login form in DOMCFG.NSF.

Page 38

WebSphere Portal Server with Sametime

- Integrating WebSphere Portal Server gives you the ability to add online awareness to any aspect of your portal
- Many steps are required to allow these 2 products to integrate properly
- Here are some of the most important ones to know

Resource

Page 39

WebSphere Portal Server with Sametime (continued)

- Check the portal environment properties file on the WebSphere Portal server for the following entries
  <WASROOT>\lib\app\config\CSEnvironment.properties
  CS_Server_Domino_Directory.enabled=true
  CS_Server_Domino_Directory_1.hostname=www.lotus.com
  CS_Server_Sametime.enabled=true
- Check these settings on the Domino Server document
  - On the Basics tab, the fully qualified host name is correct
  - On the Ports tab, the Net Address of the TCPIP port is the fully qualified host name
  - On the Internet Protocols tab, HTTP sub-tab, the host name field contains the fully qualified host name

Page 40

WebSphere Portal Server with Sametime (continued)

- Domino LDAP specific settings for the portal
  - Users wpsadmin, wpsbind, and wpsadmins need Reader access to the Domino directory (or in a group)
  - A Domino LDAP configuration document must exist and the LDAP fields list must contain MailFile, Mail Server and http_hostName as available via LDAP
- Domino Single Sign On settings
  - Import the LTPA token from WebSphere into the Web SSO document
  - Enter the same IP domain name in the TokenDomain field which was entered in WebSphere Admin when generating the token
  - Change the LDAP Realm manually to hostname\:389

Page 41

WebSphere Portal Server with Sametime (continued)

- Ensure hostAddress.xml is correct on the WebSphere server
  - Located at <WASROOT>\PortalServer\app\wps.ear\wps.war\peopleawareness\hostAddress.xml
  <?xml version="1.0" encoding="UTF-8" ?>
  <sametime>
    <hostaddress>sametime.sunandson.com</hostaddress>
    <httpPort>80</httpPort>
  </sametime>
- Sametime.ini settings on the Sametime server
  VPS_BYPASS_TRUSTED_IPS=1
  or
  VPS_TRUSTED_IPS=IPAddress,IPAddress,...
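The Sametime.ini entries on this slide and the ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS switch on page 20 are plain key=value settings that are easy to get subtly wrong, and hostAddress.xml must carry the fully qualified name that the LTPA token domain covers. The following is an added example, not code from the deck or from Lotus: an offline pre-flight check that parses constructed sample copies of both files and reports findings. The [Config] section for the VPS_* keys, the severity levels and the wording of the findings are this example's assumptions; the sample values are constructed.

```python
"""
Added example (not from the original deck): an offline pre-flight check of
three integration settings the slides list: the [Directory] LDAP SSL switch
in Sametime.ini (slide 20), the VPS_BYPASS_TRUSTED_IPS / VPS_TRUSTED_IPS
choice (slide 41) and the portal's hostAddress.xml (slide 41). The sample
file contents are constructed; placing the VPS_* keys under a [Config]
section is an assumption, as are the severities and wording of the findings.
"""
import configparser
import ipaddress
import xml.etree.ElementTree as ET
from typing import List, Tuple

Finding = Tuple[str, str]  # (severity, message)

SAMPLE_SAMETIME_INI = """\
[Directory]
ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS=1

[Config]
VPS_BYPASS_TRUSTED_IPS=1
VPS_TRUSTED_IPS=10.0.0.5, 10.0.0.6
"""

SAMPLE_HOSTADDRESS_XML = (
    '<?xml version="1.0" encoding="UTF-8" ?>'
    "<sametime><hostaddress>sametime.sunandson.com</hostaddress>"
    "<httpPort>80</httpPort></sametime>"
)


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def audit_sametime_ini(text: str) -> List[Finding]:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the upper-case key names as written
    cp.read_string(text)
    findings: List[Finding] = []

    # Slide 20: '1' selects the intermediate option (passwords only).
    if cp.get("Directory", "ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS", fallback="0") == "1":
        findings.append(("info", "LDAP SSL covers only the password-carrying "
                         "connection; the remaining LDAP connections are not encrypted"))
    else:
        findings.append(("info", "no ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS override; the "
                         "LDAP encryption level is whatever the administration tool sets"))

    # Slide 41: either bypass the trusted-IP check or list the portal addresses.
    bypass = cp.get("Config", "VPS_BYPASS_TRUSTED_IPS", fallback="0") == "1"
    trusted = [ip.strip() for ip in
               cp.get("Config", "VPS_TRUSTED_IPS", fallback="").split(",") if ip.strip()]
    if bypass and trusted:
        findings.append(("warning", "both VPS_BYPASS_TRUSTED_IPS=1 and VPS_TRUSTED_IPS are "
                         "set; the slide presents them as alternatives, keep the explicit list"))
    elif bypass:
        findings.append(("warning", "VPS_BYPASS_TRUSTED_IPS=1 switches the trusted-IP check "
                         "off for every caller; an explicit VPS_TRUSTED_IPS list is tighter"))
    elif not trusted:
        findings.append(("warning", "neither VPS_BYPASS_TRUSTED_IPS nor VPS_TRUSTED_IPS is "
                         "set; slide 41 requires one of them for the portal integration"))
    for ip in trusted:
        if not _is_ip(ip):
            findings.append(("error", f"VPS_TRUSTED_IPS entry {ip!r} is not an IP address"))
    return findings


def check_hostaddress_xml(text: str, domino_http_ports=(80, 8088)) -> List[Finding]:
    """hostaddress must be the FQDN the LTPA token domain covers (slide 13);
    httpPort should be the Domino HTTP port from the Server document (slide 23)."""
    findings: List[Finding] = []
    root = ET.fromstring(text)
    if root.tag != "sametime":
        return [("error", f"root element is <{root.tag}>, expected <sametime>")]
    host = (root.findtext("hostaddress") or "").strip()
    port = (root.findtext("httpPort") or "").strip()
    if not host:
        findings.append(("error", "<hostaddress> is missing or empty"))
    elif _is_ip(host) or "." not in host:
        findings.append(("warning", f"<hostaddress> {host!r} is not a fully qualified "
                         "host name; SSO via the LTPA token needs the FQDN"))
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(("error", f"<httpPort> {port!r} is not a valid TCP port"))
    elif int(port) not in domino_http_ports:
        findings.append(("warning", f"<httpPort> {port} is not a Domino HTTP default "
                         "(80, or 8088 when tunneling is enabled); confirm the Server document"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_sametime_ini(SAMPLE_SAMETIME_INI) + check_hostaddress_xml(SAMPLE_HOSTADDRESS_XML):
        print(f"[{sev}] {msg}")
```

The sample Sametime.ini deliberately sets both VPS_ keys, so running the block produces the "both are set" warning; point the two functions at the real files (read with open()) to use it as a pre-flight check before the portal integration is tested.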

Page 42

Getting Help !

Page 43

Online Resources

When in doubt, search it out!

- Online Help
- Lotus Developer Domain
  - http://www.lotus.com/ldd
  - Download Sametime documentation
    - Sametime Installation Guide
    - Sametime Administrator's Guide
    - Sametime Audio/Video Guide and more!
  - Search the forum
- SearchDomino.com search engine

Page 44

Your Turn!

Questions? Submit your questions now by clicking on the "Ask a Question" button in the bottom left corner of your presentation screen.

Thank you!

You can send additional questions to Eli Harris via [email protected].