
Sametime Security and Authentication




  1. Sametime Security and Authentication
  Eli M. Harris, Collaboration

  2. What We'll Cover ...
  • Understanding Sametime Security Methods
  • Using Domino Authentication
  • Using LDAP Authentication
  • Configuring Sametime Connectivity
  • Authenticating Sametime with other Products

  3. Understanding Sametime Security Methods

  4. User Identification
  • Anonymous access
    • Recommended for intranet access only
    • Allows anyone to access the Sametime server and its databases, with or without a Person document in the Sametime directory
  • Authenticated access
    • The user name and password are verified against a known directory before access is granted

  5. Standard Domino Security
  • Don't forget: database ACL rules also apply
    • The Anonymous entry in the ACL governs unauthenticated users
    • The -Default- entry applies to any authenticated user who is not listed in the ACL
    • The Maximum Internet name and password access setting caps what any HTTP user can get, whatever the ACL grants
  • Server document Internet port settings
    • Name and password required: Yes/No
    • Anonymous access permitted: Yes/No

  6. Using an LDAP Directory
  • Lightweight Directory Access Protocol (LDAP) is a standard TCP/IP protocol for accessing directory services
  • Examples of public LDAP servers: Bigfoot, Four11, SwitchBoard
  • Sametime must be configured to operate as a client of an LDAP server

  7. Using an LDAP Directory (continued)
  • Resource: for more information on using an LDAP directory in Domino, see "Using LDAP in Domino" by Chris Miller, article #2724 at http://www.e-promag.com
  • See also: "Beyond the Basics of LDAP" (Chris Miller)

  8. Managing Multiple Authentication Sources
  • Directory Assistance
    • Used to extend client authentication and name lookups to secondary Domino directories and to LDAP directories
  • Extended Directory Catalog
    • Allows you to aggregate directory information from several different Domino directories

  9. Managing Multiple Authentication Sources (continued)
  • Can you see the directories cascaded in the Domino Administrator under People and Groups?
  • Possible causes of failure
    • Missing cross-certification between the organizations
    • Insufficient access to the target directory's ACL
  • You can also set up a Location document that uses the Sametime server as the home server and try to address an e-mail message to a user in the secondary directory

  10. Troubleshooting Authentication
  • How do you troubleshoot Sametime authentication?
    • Can the user log in using the Sametime Connect client?
    • Can the user log in using the Sametime Meeting Room client?
    • Can the user log in to another database unrelated to Sametime (such as names.nsf) via HTTP?
  • The pattern of answers narrows the problem down: if the HTTP login to names.nsf also fails, the fault is in Domino authentication or the directory, not in Sametime

  11. Using Domino Authentication

  12. Domino Single Sign-on
  • Default authentication method for Sametime 3
  • How Domino single sign-on works
    • Creates an LTPA token when a user is authenticated
    • The token is stored in the user's browser as a cookie (LtpaToken)
    • When the user tries to access a restricted area, the token is presented and the appropriate access is granted without a second login

  13. LTPA Tokens
  • Issue: things to know about LTPA tokens
    • Requires the user to have cookies enabled in the browser
    • Users must address the Sametime server by its fully qualified domain name, for example Sametime.sunandson.com, not Sametime; the cookie is scoped to the DNS domain, so a bare host name never matches it
    • The same LTPA token authenticates the user to other servers in the same DNS domain during a single browser session, provided those servers share the Web SSO Configuration document and its secret
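To make the two slides above concrete, here is a small model of the LtpaToken as an added example for this transcript; it is not Lotus/IBM code. The byte layout it uses (a four-byte header, creation and expiry times as eight hex characters each, the canonical user name, then a SHA-1 over all of that plus the shared secret) is an assumption to verify against your own Domino release's documentation; the secret, user name, timestamps and cookie domain are constructed for the example. What it shows is why every server in the SSO domain needs the same secret, why expiry has to be checked after the digest, and how the cookie's Domain attribute ties back to the fully-qualified-host-name rule.

```python
"""Model of the Domino LtpaToken (version 1) that Sametime single sign-on
relies on.  Added example for this transcript, not Lotus/IBM code.

Assumed layout (an assumption to verify against your Domino release):
  base64( 0x00 0x01 0x02 0x03
          + creation time, 8 upper-case hex ASCII chars (Unix seconds)
          + expiry time, 8 upper-case hex ASCII chars
          + canonical user name, e.g. CN=Eli Harris/O=SunAndSon
          + SHA-1( everything above + shared secret ) )
The shared secret is the LTPA_DominoSecret from the Web SSO Configuration
document, which every server in the SSO domain must hold in common."""
import base64
import hashlib
import hmac
from typing import Optional

HEADER = b"\x00\x01\x02\x03"              # assumed LtpaToken v1 version marker
STAMP_LEN = 8                             # one 32-bit time as 8 hex characters
DIGEST_LEN = hashlib.sha1().digest_size   # 20 bytes

# Constructed secret for the example only; a real one comes from the SSO document.
SAMPLE_SECRET = b"constructed-example-secret-not-a-real-LTPA-key"


def _stamp(seconds: int) -> bytes:
    return f"{seconds:08X}".encode("ascii")


def issue_token(username: str, secret: bytes, now: int, lifetime: int) -> str:
    """Mint a token for `username` that is valid for `lifetime` seconds from `now`."""
    body = HEADER + _stamp(now) + _stamp(now + lifetime) + username.encode("utf-8")
    digest = hashlib.sha1(body + secret).digest()
    return base64.b64encode(body + digest).decode("ascii")


def validate_token(token: str, secret: bytes, now: int) -> Optional[str]:
    """Return the user name if the token is intact and unexpired, else None.

    Order matters: verify the digest before trusting any field, and compare it
    in constant time, since the digest is the only thing binding the token to
    the shared secret."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return None
    min_len = len(HEADER) + 2 * STAMP_LEN + DIGEST_LEN
    if len(raw) <= min_len or raw[: len(HEADER)] != HEADER:
        return None
    body, digest = raw[:-DIGEST_LEN], raw[-DIGEST_LEN:]
    if not hmac.compare_digest(hashlib.sha1(body + secret).digest(), digest):
        return None
    try:
        created = int(body[4:12], 16)
        expires = int(body[12:20], 16)
        username = body[20:].decode("utf-8")
    except ValueError:                    # bad hex, or bad UTF-8 (UnicodeDecodeError)
        return None
    if not created <= now < expires:
        return None
    return username


def set_cookie_header(token: str, dns_domain: str) -> str:
    """The Set-Cookie line as the SSO server would send it.  The Domain
    attribute is why slide 13 insists on a fully qualified host name: the
    browser only returns the cookie to hosts under `dns_domain`, so a bare
    name such as "sametime" never sees it, while every server under the
    domain does (which is exactly why they must all share one secret)."""
    return f"LtpaToken={token}; Domain={dns_domain}; Path=/"


if __name__ == "__main__":
    now = 1_000_000_000
    tok = issue_token("CN=Eli Harris/O=SunAndSon", SAMPLE_SECRET, now, lifetime=1800)
    print(set_cookie_header(tok, ".sunandson.com"))
    print("valid:", validate_token(tok, SAMPLE_SECRET, now + 60))
    print("after expiry:", validate_token(tok, SAMPLE_SECRET, now + 3600))
```

A token minted under one secret validates on any server holding that secret and on none that does not, which is the whole mechanism behind "the same LTPA token can be used on other servers in the same DNS domain". It also shows what the token does not do: nothing is encrypted, so the user name and expiry are readable by anyone who obtains the cookie, and serving it only over SSL (port 443) is the only thing keeping it off the wire in the clear.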

  14. Sametime Secrets and Tokens Authentication System
  • A way of improving security at the authentication level, as opposed to at the encryption or transport level
  • Enhances security in the following areas
    • Sametime-enabled databases deployed on a Domino server
    • Multiple Sametime servers in a Domino domain

  15. Sametime Secrets and Tokens Authentication System (continued)
  • Required for third-party authentication systems that plug into Domino through the Domino Web Server API (DSAPI), for example Netegrity SiteMinder
  • How Secrets and Tokens work
    • Uses two databases to generate keys that allow users to move from one Sametime server to another after authenticating once with a user name and password

  16. Using LDAP Authentication

  17. Configuring Sametime to use LDAP
  • Select the LDAP option during the installation
    • LDAP server name
    • Port number (default is 389)
  • Modify the Directory Assistance document in the Directory Assistance database (DA.NSF) to specify the base DN
  • Configure the LDAP directory settings from the Sametime administration tool

  18. Configuring Sametime to use LDAP (continued)
  • What do you do if you didn't choose LDAP during the installation?
    • No LDAP option will be available in the Sametime administration tool
    • It must be configured manually
      • Create an LDAP document in the Directory Assistance database
      • Configure the LDAP server settings using a Notes client: open the Sametime Configuration database (STCONFIG.NSF) and choose Create > Other > LDAP Server

  19. Using SSL to encrypt LDAP connections in Sametime
  • Sametime makes five separate connections to the LDAP server
    • Authenticating users
    • Resolving user names during login
    • Resolving user and group names in response to "Add a Person or Group"
    • Browsing the directory
    • Getting the contents of public groups
  • SSL must be enabled in both Sametime and Directory Assistance

  20. Using SSL to encrypt LDAP connections in Sametime (continued)
  • Note: Sametime offers different options for encrypting LDAP connections
    • Encrypt all data: the most secure option, encrypts all five connections; can slow server performance
    • Encrypt only user passwords: an intermediate level of security; only the authentication connection is encrypted, so names, searches and group memberships still cross the network in the clear. Set it in Sametime.ini as follows:
      [Directory]
      ST_DB_LDAP_SSL_ONLY_FOR_PASSWORDS=1

  21. Configuring Sametime Connectivity

  22. Sametime Connectivity
  • Lesson: having trouble with Sametime and your firewall?
  • You need to know which ports Sametime uses by default
    • Knowing these ports will also help you pass your Sametime Administration certification exam
  • You also need to know where to change these port settings
    • Which port setting affects which Sametime service?

  23. Configuring Basic Sametime Ports
  • Configured in the Server document
  • Internet web ports
    • HTTP: default 80; if HTTP tunneling is enabled, Domino HTTP moves to 8088 so that the Sametime multiplexer can take port 80
    • SSL: default 443
  • Internet directory ports
    • LDAP: default 389

  24. Configuring Community Services Ports
  • Configured in Sametime Administration
  • Listening for connections from other Sametime servers: default 1516
  • Listening for direct Sametime client connections: default 1533
  • Listening for HTTP connections: default 8082; also allows Sametime to tunnel on port 80

  25. Configuring Meeting Services Ports
  • Configured in Sametime Administration
  • Listening for connections from other Sametime servers or T.120 connections: default 1503
  • Listening for direct Meeting Room client connections: default 8081
  • Listening for HTTP connections when direct Meeting Room connections fail: default 80 (used for HTTP tunneling)

  26. Configuring Broadcast Services Ports
  • Gotcha! Configured in Sametime Administration
  • Listening for Real-Time Streaming Protocol (RTSP) call-control connections from Sametime Broadcast clients: default 554; also used for connections from HTTP proxy servers
  • Broadcast gateway address for control connections: uses this port for internal connections only, default 8083
    • Do not change this setting unless absolutely necessary; because it is internal, there is no reason to open it on the firewall

  27. Configuring Broadcast Services Ports (continued)
  • Decision point: Time to Live (TTL) should also be configured
  • Specifies how many router hops the multicast traffic may cross before it is discarded
  • The more routers there are between the server and its farthest clients, the larger the TTL must be; geographically distant sites usually mean more hops
  • What should the TTL be? Large enough to reach every intended client and no larger, so that broadcast traffic does not leak beyond your own network

  28. Configuring Audio/Video Services Ports
  • Which port does Sametime use for audio/video control connections?
    • Uses the port setting for the Meeting Room client: default 8081
    • Uses this port for call-control functions
  • Listens for call setup connections from H.323-compliant clients: default port 1720
  • Also uses TCP ports 49152-65535 for the H.245 protocol used by H.323 clients

  29. Configuring Audio/Video Services Ports (continued)
  • Warning: uses a dynamic UDP port range for inbound audio/video streams
    • Default 49252-65535
  • Port used to tunnel audio and video streams
    • If UDP is unavailable, this port carries the A/V stream over TCP instead of UDP
    • Default 8084
  • Don't try to tunnel everything on port 80

  30. HTTP Tunneling
  • One of the best features of Sametime: it extends Sametime through firewalls
  • The Community, Meeting, and Broadcast services use port 80 to connect to the Community Services Multiplexer (MUX)
  • The multiplexer can distinguish between the different types of HTTP connection requests
  • The MUX then creates intra-server connections to pass the data on to the right service

  31. HTTP Tunneling (continued)
  • Tradeoff: audio/video and tunneling
  • The audio/video control connection requires either a direct TCP/IP connection or a connection through a SOCKS proxy
    • Default port 8084
  • If the Meeting Services connection was made using HTTP tunneling, audio/video is not supported!
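Slides 23 to 31 are, in effect, a firewall rule set, and the mistakes they warn about (opening 8083, expecting A/V to ride the port-80 tunnel) are easy to make by hand. The script below is an added example for this transcript, not Lotus/IBM code: it turns the slide defaults into the inbound rules a given deployment needs, emits the A/V-over-tunnel warning, and diffs the rules against a constructed port-scan result. It assumes the port numbers have been left at their defaults in the Server document and the Sametime Administration tool, and that reaching one port in a dynamic range is good enough evidence that the range is open.

```python
"""Derive the inbound firewall rules a Sametime 3 server needs from the
default listeners in slides 23-31, then diff them against a port scan.
Added example for this transcript, not Lotus/IBM code.  Port numbers are
the slide defaults and are assumed unchanged in the Server document and
the Sametime Administration tool; the scan result below is constructed."""
from dataclasses import dataclass
from typing import List, Set, Tuple

Endpoint = Tuple[str, int]   # ("tcp" | "udp", port)


@dataclass(frozen=True)
class Rule:
    proto: str     # "tcp" or "udp"
    first: int     # first port of the range
    last: int      # last port of the range (== first for a single port)
    service: str   # which Sametime listener this is for

    def covers(self, proto: str, port: int) -> bool:
        return proto == self.proto and self.first <= port <= self.last


def firewall_rules(*, tunnel_http: bool, audio_video: bool,
                   broadcast: bool, server_to_server: bool) -> Tuple[List[Rule], List[str]]:
    """Return (rules, warnings).  Rules are what must be allowed inbound from
    clients; warnings flag combinations the slides say will not work."""
    rules: List[Rule] = []
    warnings: List[str] = []
    if tunnel_http:
        # Community, Meeting and Broadcast clients all arrive on port 80 and the
        # Community Services Multiplexer splits them apart; Domino HTTP moves to
        # 8088 behind the MUX (slide 23) and needs no inbound rule of its own.
        rules.append(Rule("tcp", 80, 80, "HTTP tunnel via Community Services MUX"))
    else:
        rules += [
            Rule("tcp", 80, 80, "Domino HTTP"),
            Rule("tcp", 1533, 1533, "Community Services: direct client connections"),
            Rule("tcp", 8082, 8082, "Community Services: HTTP connections"),
            Rule("tcp", 8081, 8081, "Meeting Services: Meeting Room client"),
        ]
    if server_to_server:
        rules += [
            Rule("tcp", 1516, 1516, "Community Services: other Sametime servers"),
            Rule("tcp", 1503, 1503, "Meeting Services: T.120 / other Sametime servers"),
        ]
    if broadcast:
        # 8083 (broadcast gateway control) is deliberately absent: slide 26
        # calls it an internal connection, so it never needs an inbound rule.
        rules.append(Rule("tcp", 554, 554, "Broadcast Services: RTSP call control"))
    if audio_video:
        rules += [
            Rule("tcp", 1720, 1720, "A/V: H.323 call setup"),
            Rule("tcp", 49152, 65535, "A/V: H.245 (H.323 clients)"),
            Rule("udp", 49252, 65535, "A/V: inbound audio/video streams"),
            Rule("tcp", 8084, 8084, "A/V: TCP tunnel for streams when UDP is blocked"),
        ]
        if tunnel_http:
            warnings.append("Audio/Video needs a direct TCP/IP or SOCKS connection "
                            "(slide 31); it is not carried over the HTTP tunnel on port 80.")
    return rules, warnings


def missing_rules(rules: List[Rule], observed_open: Set[Endpoint]) -> List[Rule]:
    """Rules with no observed open endpoint inside their range.  For a range,
    one reachable port is taken as evidence that the whole range is open."""
    return [r for r in rules if not any(r.covers(p, port) for p, port in observed_open)]


# Constructed scan result: what an external nmap-style probe found reachable.
SAMPLE_SCAN: Set[Endpoint] = {("tcp", 80), ("tcp", 1516), ("tcp", 1720), ("tcp", 8084),
                              ("tcp", 50000), ("udp", 50000)}

if __name__ == "__main__":
    rules, warnings = firewall_rules(tunnel_http=True, audio_video=True,
                                     broadcast=True, server_to_server=True)
    for w in warnings:
        print("WARNING:", w)
    for r in missing_rules(rules, SAMPLE_SCAN):
        print(f"blocked: {r.proto}/{r.first}-{r.last}  {r.service}")
```

Run as is, it reports that the constructed scan never reached 1503 (T.120) or 554 (RTSP), and that audio/video has been asked for on a tunnelled deployment. The deliberate omission of 8083 is the point of the "gotcha" on slide 26: a port that only ever takes internal connections should not appear in the perimeter rule set at all.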

  32. Sametime Server Services and Ports
  • Sametime has lots of services!
  • Each service is an executable file
  • The overview feature of the Sametime Administration tool lists the appropriate .exe file name
  • What can you do to help troubleshoot connectivity with one of these services on your Sametime server?

  33. Sametime Server Services and Ports (continued)
  • Secret: launching these services separately in a command window gives you excellent debugging information
    • Disable or stop the service in Windows Services if necessary
    • Find the appropriate .exe file name
    • Launch the service separately from a command line

  34. Authenticating Sametime with other products

  35. QuickPlace with Sametime
  • Next steps: configuring Sametime awareness with QuickPlace
  • You need to set up multi-server session-based authentication for the QuickPlace server so that it shares the authentication token with the Sametime server
  1. Add these settings to the NOTES.INI file on the QuickPlace server:
     NoWebFileSystemACLs=1
     h_ScopeUrlInQP=1

  36. QuickPlace with Sametime (continued)
  2. Enable session-based authentication in the Domino Directory for the QuickPlace server:
     a. Edit the Server document.
     b. Click the Internet Protocols - Domino Web Engine tab.
     c. Next to Session authentication, select Multi-server.
  3. If there is no Domino Web Server Configuration database on the QuickPlace server:
     a. Create a database from the Domino Web Server Configuration (5.0) template and give it the file name DOMCFG.NSF.

  37. QuickPlace with Sametime (continued)
     b. Open the new database.
     c. Choose Create - Mapping a Login Form.
     d. In the "Target Database file name" field, enter QUICKPLACE/RESOURCES.NSF.
     e. In the "Target form name" field, enter QuickPlaceLoginForm.
     f. Save the new form.
  4. Final steps to configure QuickPlace 3 with Sametime:
     a. From Domino Designer, open the database QUICKPLACE/RESOURCES.NSF.
     b. Open the QuickPlaceLoginForm.
     c. Copy the <Computed Value> field from this form to the login form in DOMCFG.NSF.

  38. WebSphere Portal Server with Sametime
  • Resource: integrating WebSphere Portal Server lets you add online awareness to any aspect of your portal
  • Many steps are required to make these two products integrate properly
  • Here are some of the most important ones to know

  39. WebSphere Portal Server with Sametime (continued)
  • Check the portal environment properties file on the WebSphere Portal server for the following entries
    • <WASROOT>\lib\app\config\CSEnvironment.properties
      CS_Server_Domino_Directory.enabled=true
      CS_Server_Domino_Directory_1.hostname=www.lotus.com
      CS_Server_Sametime.enabled=true
  • Check these settings in the Domino Server document
    • On the Basics tab, the fully qualified host name is correct
    • On the Ports tab, the Net Address of the TCPIP port is the fully qualified host name
    • On the Internet Protocols tab, HTTP sub-tab, the Host name field contains the fully qualified host name

  40. WebSphere Portal Server with Sametime (continued)
  • Domino LDAP-specific settings for the portal
    • The wpsadmin and wpsbind users and the wpsadmins group need Reader access to the Domino Directory (directly or through a group)
    • A Domino LDAP configuration document must exist, and its list of fields available via LDAP must include MailFile, MailServer and http_hostName
  • Domino single sign-on settings
    • Import the LTPA keys exported from WebSphere into the Web SSO Configuration document
    • Enter the same DNS domain in the Token Domain field that was entered in the WebSphere administrative console when generating the keys
    • Change the LDAP Realm manually to hostname\:389

  41. WebSphere Portal Server with Sametime (continued)
  • Ensure hostAddress.xml is correct on the WebSphere server
    • Located at <WASROOT>\PortalServer\app\wps.ear\wps.war\peopleawareness\hostAddress.xml
      <?xml version="1.0" encoding="UTF-8" ?>
      <sametime>
        <hostaddress>sametime.sunandson.com</hostaddress>
        <httpPort>80</httpPort>
      </sametime>
  • Sametime.ini settings on the Sametime server: either
      VPS_BYPASS_TRUSTED_IPS=1
    or
      VPS_TRUSTED_IPS=IPAddress,IPAddress,...
    • Prefer the second: VPS_BYPASS_TRUSTED_IPS=1 switches the trusted-IP check off for every host, whereas VPS_TRUSTED_IPS limits trusted access to the portal server's own addresses
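Slides 39 to 41 list three files on two machines that have to agree before awareness works, and one of the two sametime.ini options on slide 41 is the weak one. The script below is an added example for this transcript, not IBM code: it parses constructed copies of CSEnvironment.properties, hostAddress.xml and sametime.ini, checks the settings the slides call out, and reports VPS_BYPASS_TRUSTED_IPS=1 as a finding next to the VPS_TRUSTED_IPS form it should be replaced with. The portal address 10.0.0.5 and the [Config] section holding the VPS_* keys are assumptions (the ini lookup searches every section, so a different section name still works).

```python
"""Cross-check the three files slides 39-41 say must agree when WebSphere
Portal talks to Sametime, and flag the weak sametime.ini choice.  Added
example for this transcript, not IBM code.  All file contents here are
constructed; the portal server address 10.0.0.5 is an assumption, and the
[Config] section holding the VPS_* keys is assumed (the lookup below
searches every section, so a different section name still works)."""
import configparser
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def parse_host_address(xml_text: str) -> Dict[str, str]:
    """Pull <hostaddress> and <httpPort> out of hostAddress.xml."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return {"host": (root.findtext("hostaddress") or "").strip(),
            "port": (root.findtext("httpPort") or "").strip()}


def ini_value(ini_text: str, key: str) -> str:
    """Fetch a key from sametime.ini whichever [section] holds it."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str          # keep VPS_* keys exactly as written
    parser.read_string(ini_text)
    for section in parser.sections():
        if key in parser[section]:
            return parser[section][key].strip()
    return ""


def check_portal_integration(props_text: str, host_xml: str, ini_text: str,
                             portal_ips: Iterable[str]) -> List[str]:
    """Return a list of findings; an empty list means the three files agree
    and the trusted-IP check is still on."""
    findings: List[str] = []
    props = parse_properties(props_text)
    if props.get("CS_Server_Sametime.enabled", "").lower() != "true":
        findings.append("CSEnvironment.properties: CS_Server_Sametime.enabled must be true")
    host = parse_host_address(host_xml)
    if "." not in host["host"] or host["host"].lower() == "localhost":
        findings.append(f"hostAddress.xml: <hostaddress> '{host['host']}' is not a "
                        "fully qualified host name")
    if not host["port"].isdigit():
        findings.append(f"hostAddress.xml: <httpPort> '{host['port']}' is not a port number")
    if ini_value(ini_text, "VPS_BYPASS_TRUSTED_IPS") == "1":
        findings.append("sametime.ini: VPS_BYPASS_TRUSTED_IPS=1 turns the trusted-IP check "
                        "off for every host; list the portal addresses in VPS_TRUSTED_IPS instead")
    else:
        trusted = {ip.strip() for ip in ini_value(ini_text, "VPS_TRUSTED_IPS").split(",")
                   if ip.strip()}
        missing = sorted(set(portal_ips) - trusted)
        if missing:
            findings.append("sametime.ini: VPS_TRUSTED_IPS does not list the portal "
                            f"address(es) {', '.join(missing)}")
    return findings


# --- constructed sample files -------------------------------------------------
PROPS = """# CSEnvironment.properties (constructed)
CS_Server_Domino_Directory.enabled=true
CS_Server_Domino_Directory_1.hostname=www.lotus.com
CS_Server_Sametime.enabled=true
"""
HOST_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<sametime><hostaddress>sametime.sunandson.com</hostaddress><httpPort>80</httpPort></sametime>"""
WEAK_INI = "[Config]\nVPS_BYPASS_TRUSTED_IPS=1\n"           # check disabled for everyone
HARDENED_INI = "[Config]\nVPS_TRUSTED_IPS=10.0.0.5\n"       # only the portal server is trusted
PORTAL_IPS = ["10.0.0.5"]                                   # assumed portal server address

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, check_portal_integration(PROPS, HOST_XML, ini, PORTAL_IPS) or ["ok"])
```

The hardened form passes with no findings; the weak form is reported even though the integration would "work" with it, which is the trap: the bypass setting makes every host on the network a trusted caller of Community Services, not just the portal.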

  42. Getting Help !

  43. Online Resources
  • When in doubt, search it out!
  • Online help
  • Lotus Developer Domain: http://www.lotus.com/ldd
  • Download the Sametime documentation: Sametime Installation Guide, Sametime Administrator's Guide, Sametime Audio/Video Guide, and more
  • Search the forum
  • SearchDomino.com search engine

  44. Your Turn!
  • Questions? Submit your questions now by clicking on the "Ask a Question" button in the bottom left corner of your presentation screen.
  • Thank you! You can send additional questions to Eli Harris via editor@searchdomino.com.
