To protect Domino view (.nsf) resources with a forms authentication scheme, map the URLs before they are redirected to the forms credential collector.
Follow these steps:
Domino URLs are mapped before redirection to the FCC.
The process of URL normalization modifies URLs from a Domino representation to a URL format used by a typical web browser. The Domino Web Agent relies on the Domino web server APIs to normalize a Domino URL.
During the normalization process, the Domino Server APIs periodically return a URL with a carriage return (0x0D in hex) and/or a line feed character (0x0A in hex) added to the normalized URL. The addition of these characters appears to be related to specific Notes database (.nsf) files and access patterns within these files.
The following example shows a normalized URL with an added carriage return:
If necessary, you can ensure that URLs with Domino resource IDs are not normalized with the following parameter:
DominoNormalizeUrls
Specifies if the CA SiteMinder® Web Agent converts Domino URLs to a URL-friendly name before redirecting them to a Forms Credential Collector.
The MapUrlsForRedirect parameter must also be set to yes for the Domino URLs to be converted.
If the DominoNormalizeUrls parameter is set to no, URLs will not be normalized, even if the MapUrlsForRedirect parameter is set to yes.
Important! If you set the DominoNormalizeUrls parameter to no, you cannot protect individual documents within a Notes database; you can only protect the entire database or subdirectories of the Domino Web server.
Default: Yes
To turn off normalization and ensure that URLs are not altered, set the DominoNormalizeUrls parameter to no.
The Web Agent offers a finer level of granularity for protecting Lotus Notes documents on Domino. The following parameter controls this protection:
DominoLegacyDocumentSupport
Specifies how a Web Agent handles user requests for protected Lotus Notes documents in a Domino environment. Setting this parameter to yes grants users ReadForm permission only for the requested document.
Default: No
Use the DominoLegacyDocumentSupport parameter to configure the Web Agent to process user-requested actions when accessing Notes documents. This offers a finer granularity of protection on Domino.
Notes documents do not have names. They are saved to the database with a reference to the form used to create them. When a user requests a Notes document, the Domino Web Agent finds the form for that document by converting the request into a URL. This URL includes the original Domino action. If no form is found, then nothing is used in the URL.
For example:
"http://server.domain.com/db.nsf?OpenDocument"
To ensure that the Web Agent performs the user-requested Domino action on the document that is specified in the URL, such as ?OpenDocument or ?EditDocument, set the DominoLegacyDocumentSupport parameter to no.
For example, if the URL request is:
http://www.dominoserver.com/names.nsf/934873094893898778578439588098203985798349?EditDocument
The Domino Agent converts the preceding URL to:
http://www.dominoserver.com/names.nsf/Person?EditDocument
where Person is the name of the form used to create the document identified by the NotesID in the original URL.
To force the Domino Web Agent to revert to its pre-4.6 operation for accessing Notes documents, which means that only the action ?ReadForm is permitted, set this parameter to yes. With the legacy document support enabled, the Domino Agent would convert the URL in the previous example to:
http://www.dominoserver.com/names.nsf/Person?ReadForm
Unlike views and forms, Notes documents do not have names; they are saved to the database with a reference to the form that was used to create the document. If a user is trying to access a document and the Domino Web Agent cannot convert it to a readable name, the Agent uses the name of the form that generated the document to create a URL. This applies only to documents. If there is no original form, the Agent uses the embedded form. If neither applies, the document is protected using the Domino identifier $defaultForm.
For example, if the incoming URL is:
http://www.domino.com/names.nsf/8567489d60034we50938450098?OpenDocument
The Agent uses:
http://www.domino.com/names.nsf/Person?ReadForm
In this example, Person is the name of the document.
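The following added example (not CA's code and not part of the original documentation) models the URL conversion described above to show what DominoLegacyDocumentSupport means for policy granularity. The FORMS lookup table and the third document ID are constructed, and the model assumes that the $defaultForm fallback applies in legacy mode while non-legacy mode adds nothing to the URL when no form is found.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the Notes database: document ID -> form name.
# None marks a document with no original or embedded form (hypothetical ID).
FORMS = {
    "934873094893898778578439588098203985798349": "Person",
    "8567489d60034we50938450098": "Person",
    "00ffconstructed00": None,
}

def mapped_url(url, legacy_support, forms=FORMS):
    """Model of the resource URL the agent evaluates, as this page describes it."""
    parts = urlsplit(url)
    db_path, _, doc_id = parts.path.rpartition("/")
    if doc_id not in forms:
        return url  # not a known document ID: leave the URL as requested
    form = forms[doc_id]
    if legacy_support:
        # Legacy mode: every action collapses to ReadForm; no form -> $defaultForm
        path, action = f"{db_path}/{form or '$defaultForm'}", "ReadForm"
    else:
        # Requested action is kept; with no form, nothing is added to the URL
        path, action = (f"{db_path}/{form}" if form else db_path), parts.query
    return urlunsplit((parts.scheme, parts.netloc, path, action, ""))

def distinct_resources(urls, legacy_support):
    """Set of mapped URLs a policy can tell apart for the given requests."""
    return {mapped_url(u, legacy_support) for u in urls}

if __name__ == "__main__":
    base = "http://www.dominoserver.com/names.nsf/934873094893898778578439588098203985798349"
    reqs = [base + "?OpenDocument", base + "?EditDocument"]
    for legacy in (False, True):
        print(legacy, sorted(distinct_resources(reqs, legacy)))
```

With legacy support set to yes, the open and edit requests map to the same resource, so a rule cannot permit reading a document while denying edits to it.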
The full log-out feature uses a custom log-out page that you create with the following parameter:
LogOffUri
Enables the full log-out function by specifying the URI of a custom web page. This custom web page appears to users after they are successfully logged off. Configure this page so that it cannot be stored in a browser cache. Otherwise, a browser could possibly display a log-out page from its cache without logging the user off. If this situation happens, unauthorized users could possibly have an opportunity to assume control of a session.
Note: When the CookiePath parameter is set, the value of the LogOffUri parameter must point to the same cookie path. For example, if the value of your CookiePath parameter is set to example.com, then your LogOffUri must point to example.com/logoff.html
Default: (all agents except the CA SiteMinder Agent for SharePoint r12.0.3.0) No default
Limits: Multiple URI values permitted. Do not use a fully qualified URL. Use a relative URI.
Example: (all agents except the CA SiteMinder Agent for SharePoint r12.0.3.0) /Web pages/logoff.html
Follow these steps:
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
Important! Some web browsers do not support meta tags. Use a cache-control HTTP header instead.
The full log-out feature is configured.
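As an added example (not part of the original documentation), the following check audits a log-out page against the two requirements above: a relative LogOffUri and a response that browsers will not store. The function name, the sample headers, and the sample page body are constructed; the check treats Cache-Control: no-store as the header that prevents storage.

```python
import re
from urllib.parse import urlsplit

# Matches the META cache hints shown on this page (Pragma / Expires).
META_CACHE = re.compile(r'<meta\s+http-equiv="(pragma|expires)"', re.I)

def audit_logoff(uri, headers, body=""):
    """Return findings for a LogOffUri value and the log-out page's response."""
    findings = []
    parts = urlsplit(uri)
    if parts.scheme or parts.netloc:
        findings.append("LogOffUri is fully qualified; use a relative URI")
    h = {k.lower(): v for k, v in headers.items()}
    # Collect Cache-Control directive names, ignoring any "=value" part
    directives = {d.strip().lower().split("=")[0]
                  for d in h.get("cache-control", "").split(",") if d.strip()}
    if "no-store" not in directives:
        if META_CACHE.search(body):
            findings.append("cache control only in META tags; "
                            "send a Cache-Control header")
        else:
            findings.append("no Cache-Control: no-store; "
                            "page may be served from cache")
    return findings

# Constructed sample page body using the META tags from this page.
META_BODY = ('<META HTTP-EQUIV="Pragma" CONTENT="no-cache">\n'
             '<META HTTP-EQUIV="Expires" CONTENT="-1">')

if __name__ == "__main__":
    print(audit_logoff("/Web pages/logoff.html",
                       {"Cache-Control": "no-store, no-cache"}, META_BODY))
    print(audit_logoff("http://example.com/logoff.html", {}, META_BODY))
    print(audit_logoff("/logoff.html", {"Cache-Control": "max-age=3600"}))
```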
A Domino web server acts as the front end to a WebSphere Application Server by providing a filter plug-in that intercepts requests before forwarding them to the WebSphere server.
Suppose you have resources on your Domino server that you do not want to protect with CA SiteMinder®. You can still protect those resources with your Domino server instead. To protect these resources, set the following parameter:
Specifies if the Domino server authenticates requests with a Domino user for resources that only the Domino server (not CA SiteMinder®) protects.
If the value of this parameter is yes, the agent passes the Domino user to the Domino server. The Domino server authenticates the user. If the value of this parameter is no (or the parameter is disabled), the agent does not pass the Domino user to the Domino server. The Domino server does not authenticate the user.
Default: Disabled
Follow these steps:
Copyright © 2015 CA Technologies.
All rights reserved.