Configuring the WebSphere Application Server to use TAI

Configure the IBM® WebSphere® Application Server hosting an IBM Sametime® server to use Trust Association Interceptors (TAI) with SiteMinder.

About this task

This task applies to a WebSphere Application Server where one of the following Sametime servers is installed:
  • Sametime Advanced Server
  • Sametime Proxy Server
  • Sametime Meeting Server

Procedure

  1. On the computer hosting the deployment manager for the Sametime server, log in as root on Linux™, or as the Windows™ administrator.

    Typically the deployment manager is the Sametime System Console.

  2. Copy the smagent.properties file from the Application Server Agent (ASA) installation /opt/smwasasa/conf directory to the IBM WebSphere Application Server Profile properties directory.

    For example,

    Windows: c:\program files\IBM\websphere\appserver\profiles\profile1\properties

    Linux: /opt/IBM/WebSphere/AppServer/profiles/STPAppProfile/properties

  3. Copy the smagent.properties file from the ASA installation /opt/smwasasa/conf directory to the deployment manager (dmgr) profile.
  4. Ensure that your system path includes a path to the Application Server Agent's (ASA) bin directory. On Microsoft™ Windows, the bin directory is typically c:\smwasasa\bin. On Linux, set the path by entering this command at the root (#) prompt:

    # export PATH=$PATH:/opt/smwasasa/bin:/opt/smwasasa/conf

  5. From the Integrated Solutions Console on the WebSphere Administration Server, complete these steps:
    1. Click Security > Global Security > Expand Web and SIP security > Trust Association.
    2. Select Enable Trust Association and click Apply.
    3. Click Interceptors and delete those you do not require.
    4. On the Interceptors page, click New.
    5. Enter this SiteMinder ASA class name next to Interceptor Classname and click Apply:

      com.netegrity.siteminder.websphere.auth.SmTrustAssociationInterceptor

    6. Save the changes to the master configuration by clicking Save on the next two screens.
    7. Log out of the Administration Console.
  6. Restart the WebSphere Application Server.
  7. From the Integrated Solutions Console on the WebSphere Administration Server, complete these steps:
    1. Click Security > Global Security > Expand Web and SIP Security > General Settings.
    2. Select the Authenticate only when the URI is protected option, and then click OK.
    3. Click Security > Global Security > Custom Properties. Click New.
    4. Add this setting:

      Name: com.ibm.websphere.security.performTAIForUnprotectedURI

      Value: true

    5. Click Security > Global Security.
    6. Select the Enable administrative security and the Enable application security options.
    7. Click Security > Global Security > Expand Web and SIP Security > Single sign-on (SSO).
    8. Select the Enabled option.
    9. In the Domain name field, specify the domain name. Click OK.
    10. Click Security > Global Security > Available realm definitions > Federated repositories.
    11. Click Configure > Manage repositories, and then click Add.
    12. Click Security > Global Security > Available realm definitions.
    13. Select Federated repositories and click Configure.
    14. Click Add Base Entry to Realm.
    15. Specify the details for LDAP.
    16. Click Security > Global Security > Available realm definitions.
    17. Select Federated repositories and click Configure.
    18. Change the realm name to point to the LDAP server you are using.
    19. Save the changes you made.
    20. Click Security > Global Security > Available realm definitions: Federated repositories, and click Set as current.
  8. When the security configuration is enabled or modified in a Network Deployment environment, complete these steps so that all the processes in this environment have the same security run-time settings:
    1. Verify that all nodes are synchronized with these security configuration changes before stopping these processes.
    2. If any node agents are currently stopped, manually enter a syncNode command before starting that node agent.
    3. Stop all of the processes in the cell, including the deployment manager, node agents, and application servers.
    4. Restart all of the processes in the cell: restart the deployment manager and node agents first, then the application servers.
  9. Follow these instructions to set up SSO: Enabling SSO.
  10. Enable SSO for SiteMinder by completing these steps:
    1. Click Enterprise Applications > SametimeProxy > Security role to user/group mapping.
    2. Map the AllUsers role to All Authenticated in Application's Realm.
    3. Click OK.
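The following script is an added example for checking the result of steps 2 through 7 after the cell has been saved and synchronized; it is not IBM or SiteMinder code. It parses a copy of the cell's security.xml and confirms that trust association is on, that the SiteMinder interceptor class is the only interceptor left (step 5.3 deletes the others), that performTAIForUnprotectedURI is true, that administrative and application security are enabled and that SSO has a domain name. The embedded XML is a constructed sample, and its element names (trustAssociation, interceptors, singleSignon, cell-level properties) are an assumption about the usual layout of a WebSphere security.xml that you should confirm against your own cell; the smagent.properties and PATH checks assume the Linux layout shown in the procedure.

```python
"""Post-configuration check for the SiteMinder TAI setup (added example, not IBM code)."""
import os
import sys
import xml.etree.ElementTree as ET

SITEMINDER_TAI = "com.netegrity.siteminder.websphere.auth.SmTrustAssociationInterceptor"
UNPROTECTED_URI_PROP = "com.ibm.websphere.security.performTAIForUnprotectedURI"

# Constructed sample. Element names assume the usual layout of a WebSphere
# security.xml: trustAssociation/interceptors and singleSignon under
# authMechanisms, cell-level custom properties as <properties> children of the root.
SAMPLE_SECURITY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<security:Security xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    enabled="true" appEnabled="true">
  <authMechanisms xmi:id="LTPA_1" xsi:type="security:LTPA">
    <trustAssociation xmi:id="TrustAssociation_1" enabled="true">
      <interceptors xmi:id="TAInterceptor_1"
          interceptorClassName="com.netegrity.siteminder.websphere.auth.SmTrustAssociationInterceptor"/>
    </trustAssociation>
    <singleSignon xmi:id="SingleSignon_1" enabled="true" domainName="example.com"/>
  </authMechanisms>
  <properties xmi:id="Property_1"
      name="com.ibm.websphere.security.performTAIForUnprotectedURI" value="true"/>
</security:Security>
"""


def check_tai_config(xml_text):
    """Return a dict of check name -> bool for the settings made in steps 5 and 7."""
    root = ET.fromstring(xml_text)
    results = {}

    # Step 7.6: administrative and application security both enabled.
    results["admin_security_enabled"] = root.get("enabled") == "true"
    results["app_security_enabled"] = root.get("appEnabled") == "true"

    # Step 5: trust association enabled, SiteMinder interceptor present and
    # no other interceptor left behind (step 5.3 deletes the ones not required).
    tai = root.find(".//trustAssociation")
    results["tai_enabled"] = tai is not None and tai.get("enabled") == "true"
    classes = [] if tai is None else [
        i.get("interceptorClassName") for i in tai.findall("interceptors")]
    results["siteminder_interceptor_present"] = SITEMINDER_TAI in classes
    results["no_extra_interceptors"] = bool(classes) and all(c == SITEMINDER_TAI for c in classes)

    # Step 7.4: the TAI must also run for unprotected URIs.
    props = {p.get("name"): p.get("value") for p in root.findall("properties")}
    results["tai_for_unprotected_uri"] = props.get(UNPROTECTED_URI_PROP) == "true"

    # Steps 7.7 to 7.9: SSO enabled with a domain name.
    sso = root.find(".//singleSignon")
    results["sso_enabled"] = sso is not None and sso.get("enabled") == "true"
    results["sso_domain_set"] = sso is not None and bool(sso.get("domainName"))
    return results


def agent_properties_present(profile_dir):
    """Steps 2 and 3: smagent.properties must be in the profile's properties directory."""
    return os.path.isfile(os.path.join(profile_dir, "properties", "smagent.properties"))


def asa_bin_on_path(path_value, asa_bin="/opt/smwasasa/bin"):
    """Step 4 (Linux): the ASA bin directory must be one of the PATH entries."""
    return asa_bin in path_value.split(":")


def main(argv):
    # Usage: python check_tai.py [/path/to/security.xml] [profile_dir]
    xml_text = SAMPLE_SECURITY_XML
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as f:
            xml_text = f.read()
    results = check_tai_config(xml_text)
    if len(argv) > 2:
        results["smagent_properties_in_profile"] = agent_properties_present(argv[2])
    results["asa_bin_on_path"] = asa_bin_on_path(os.environ.get("PATH", ""))
    for name, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    return 0 if all(results.values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the security.xml under the deployment manager profile's config/cells/<cell> directory and against the profile directory that received smagent.properties; a FAIL on no_extra_interceptors means an interceptor other than the SiteMinder class is still registered and would be consulted for the same requests.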