

Domino Web Agents

This section contains the following topics:

Domino Agents Overview

Configure the Domino Web Agent

Configure Domino-Specific Agent Functions

Coordinate SiteMinder and Domino Authentication

Control Access to Lotus Notes Documents

Enable a Domino Agent to Collect Credentials for Authentication

Specify User Directories for Domino

Configure Policies for Domino

Use a Domino Agent with a WebSphere Application Server

Force Domino Server to Authenticate Unprotected SiteMinder Resources

Use an Anonymous SiteMinder Authentication Scheme with Domino

Domino Agents Overview

The Domino Application Server is a messaging and Web application platform that offers secure access for Lotus Notes clients. The Domino Web Agent protects only the HTTP interface of the Domino Application Server, controlling access to HTML, JAVA, CGI, and other Web resources, such as Notes served over the web. It does not protect the Notes server.

The following illustration shows how the Domino Web Agent integrates with the Domino server.

Illustration that describes how an Agent for Domino protects resources.

Domino stores data in groups of Notes databases. Resources in a Notes database can be a variety of objects, such as documents, views, forms, and navigators. These objects can include text, video, graphics, and audio content.

Notes objects are opened using a URL. To make Notes objects available for the Web, Domino dynamically creates Web pages from the objects in the Notes database. In the case of database views, Domino also creates URL links to the documents in a view. The dynamic creation of pages from the Notes database provides users with the most current information.

Domino URL Syntax

Access to resources on a Domino server is based on the URL. Domino servers use a specific URL syntax.

Domino servers can interpret standard URLs, such as one shown in the following example:

http://www.example.com/index.html

Domino URL commands can use the following syntax:

http://host/database.nsf/Domino_object?Action_Argument

Host

Indicates the DNS entry or IP address of the server.

Database

Specifies the database file name, with the path relative to the Notes \data directory, or the database Replica ID.

Domino_object

Specifies the object in the database, for example, a view, document, form, or navigator.

Action

Identifies the operation that is performed on the Notes object. For example: ?OpenDatabase, ?OpenView, ?OpenDocument, ?OpenForm, ?ReadForm, ?EditDocument. If no action is specified in the URL, the default is used.

Default: ?Open.

Argument

Defines how the Domino server delivers an object. For example, if the action and argument are ?OpenView&Expand=5, the argument specifies the number of rows displayed in an expanded format.

The following example shows a URL to access a view in a Notes database named financials.nsf:

http://www.example.com/financials.nsf/reports?OpenView

Domino Aliases

One of the Notes database conventions is to create aliases for objects. For example, the alias might identify a resource by its Notes ID or Replica ID instead of the object name. Using aliases makes programming easier for developers because the names of the Notes resources can change without requiring code changes.

The following Domino URLs access the same resource though the resource is identified by its aliases:

Regardless of how a resource is identified, the Domino Web Agent converts all Domino naming conventions into a standard URL based on the name of the database resource. This simplifies data entry into the SiteMinder policy store.

For example, the following Domino URLs are pointing to the people view in the names.nsf database. The database and view are referred to by Replica ID and Notes ID:

The Domino Web Agent converts these URLs to a standard URL, as follows:

The following illustration shows the conversion of aliases to a named object.

This illustration shows an example of how Domino URLs are converted to standard URLs by the Agent for Domino.

Convert Notes Document Names

Unlike views and forms, Notes documents do not have names; they are saved to the database with a reference to the form that was used to create the document. If a user is trying to access a document and the Domino Web Agent cannot convert it to a readable name, the Agent uses the name of the form that generated the document to create a URL. This applies only to documents. If there is no original form, the Agent uses the embedded form. If neither applies, the document is protected using the Domino identifier $defaultForm.

For example, if the incoming URL is:

http://www.domino.com/names.nsf/8567489d60034we50938450098?OpenDocument

The Agent uses:

http://www.domino.com/names.nsf/Person?ReadForm

In this example, Person is the name of the document.
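As an added example (not part of the SiteMinder documentation or the Agent's own code), the following Python parses the Domino URL form described above and applies the alias and document-name conversion this section describes; the Replica IDs, Notes IDs, document IDs and form names in its lookup tables are constructed sample values, and dropping the argument from the normalized URL is an assumption.

```python
from urllib.parse import urlsplit

DEFAULT_ACTION = "Open"  # page: a URL with no action defaults to ?Open

# Constructed lookup tables standing in for what the Domino server knows about
# its databases. All IDs below are made-up sample values. Domino writes a
# Replica ID reference as __<ReplicaID>.nsf in the URL path.
DATABASE_ALIASES = {"__85256B3A0006A0E2.nsf": "names.nsf"}     # Replica ID -> database
OBJECT_ALIASES = {"names.nsf": {"0F0E0D0C0B0A0908": "people"}}   # Notes ID -> view/form name
# Document ID -> (form that created the document, embedded form); None where absent.
DOCUMENTS = {"names.nsf": {
    "DOC-ORIGINAL": ("Person", None),
    "DOC-EMBEDDED": (None, "Contact"),
    "DOC-NOFORM": (None, None),
}}

def parse_domino_url(url):
    """Split http://host/database.nsf/Domino_object?Action&Argument into parts.
    Returns None for a standard URL that names no .nsf database."""
    parts = urlsplit(url)
    segs = parts.path.strip("/").split("/")
    idx = next((i for i, s in enumerate(segs) if s.lower().endswith(".nsf")), None)
    if idx is None:
        return None
    action, _, argument = parts.query.partition("&")
    return {
        "host": parts.netloc,
        "database": "/".join(segs[:idx + 1]),   # may include a path under \data
        "object": "/".join(segs[idx + 1:]),
        "action": action or DEFAULT_ACTION,
        "argument": argument,
    }

def normalize_domino_url(url):
    """Rewrite Replica/Notes ID aliases to object names, as the Agent does, so a
    single policy rule matches every spelling of one resource. A document maps
    to the form that created it (?ReadForm), else the embedded form, else $defaultForm."""
    p = parse_domino_url(url)
    if p is None:
        return url                                 # standard URL, nothing to convert
    db = DATABASE_ALIASES.get(p["database"], p["database"])
    obj, action = p["object"], p["action"]
    if obj in OBJECT_ALIASES.get(db, {}):
        obj = OBJECT_ALIASES[db][obj]
    elif obj in DOCUMENTS.get(db, {}):
        original, embedded = DOCUMENTS[db][obj]
        obj = original or embedded or "$defaultForm"
        action = "ReadForm"
    # Arguments such as Expand=5 describe delivery, not the resource; dropped (assumption).
    return f"{urlsplit(url).scheme}://{p['host']}/{db}/{obj}?{action}"
```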

Configure the Domino Web Agent

The Domino Web Agent uses all the standard Web Agent settings to do the following:

You can configure these centrally at the Policy Server or locally in the Agent configuration file.

In addition to the standard functions, there are Domino-specific parameters you can set.

More Information

Configure Domino-Specific Agent Functions

Configure Domino-Specific Agent Functions

In addition to the standard Web Agent settings, there are specific Domino configuration parameters that you can set only for the Domino Web Agent. These settings determine how Domino authenticates and authorizes a user with SiteMinder. You can configure these settings centrally in the Agent Configuration Object on the Policy Server or locally in the Agent configuration file on the web server.

Note: The Domino Web Agent does not support the auditing feature used to track user activity.

Authenticate Users with the Domino Server

The Domino server must authenticate and authorize users even if SiteMinder has already gone through this process. SiteMinder works with Domino’s authentication process by providing the Domino server with a user identity that is also configured in the Domino Directory, which is the list of users and their privileges. The Domino server uses this identity to authenticate and authorize the user for access to database resources.

Note: A user name must be resolved unambiguously, or else the Domino Agent denies the authentication request. This may require some adjustments in your user directory.

The Domino Web Agent identifies the user to the Domino server as one of the following:

To determine which identity the Domino Web Agent uses when communicating with the Domino server, you configure the following parameters:

SkipDominoAuth

Determines which name to pass to the Domino server for server authentication.

DominoSuperUser

Identifies a user who has access to all resources on the Domino server.

DominoDefaultUser

Identifies a user with default access to the Notes database, which means this person has general access privileges.

Note: You can configure the DominoSuperUser and DominoDefaultUser locally, in the Agent configuration file, or centrally, in the Agent Configuration Object. In the Agent configuration file, these settings have encrypted values. In the Agent Configuration Object, you have the choice of encrypting these values or leaving them in plain text.

More Information

Force SiteMinder to Authenticate Users

Authenticate as the Domino Super User

Authenticate as the Actual User or the Default User

Force SiteMinder to Authenticate Users

To have SiteMinder (and not Domino) authenticate users, set the SkipDominoAuth parameter to yes.

With SkipDominoAuth set to yes and a Super User defined, SiteMinder first identifies and authorizes the user. The Domino Web Agent then identifies that user to the Domino Server as the Super User. As a Super User, the user has access to any resource on the Domino server, assuming the user has the appropriate ACLs.

You should also set the SkipDominoAuth parameter to yes when users are not stored in the Domino Directory, because Domino will otherwise have no identity to use for authorization privileges.

If you set SkipDominoAuth to no, Domino authenticates users on its own using the actual user name or the default user name.

The following table shows how the setting of the SkipDominoAuth parameter affects how the user is identified.

SkipDominoAuth Value | Identified to the Domino Server As | Notes
---------------------+------------------------------------+--------------------------------------------------------------
yes                  | Super User                         | Super User must be defined in the Domino Directory
no                   | Actual User                        | User must be in the Domino Directory
no                   | Default User                       | User must be in the Domino Directory
no                   | Super User                         | The requested resource is automatically authorized, meaning
                     |                                    | that no authentication challenge will be presented to the user

More Information

Authenticate as the Actual User or the Default User

Authenticate as the Domino Super User

A Domino Super User is a user who has access to all resources on the Domino server. If your Web site or portal is designed with SiteMinder in mind, you are securing resources and applications by implementing SiteMinder policies. As a result, the Domino server does not have to restrict user access based on its own security. In this case, users can be identified as the Super User for Domino’s authentication purposes.

To identify the user as the Super User, you enable the SkipDominoAuth parameter and specify a value for the DominoSuperUser parameter. This action makes sure that SiteMinder and not Domino authenticates users. The user that you specify must also be in the Domino Directory.

Authenticate as the Actual User or the Default User

If a user is defined in the Domino Directory, Domino authenticates that user with their user name. However, if the user is not in the Domino Directory, and they have been authenticated by SiteMinder against another user directory, then the Domino Web Agent identifies that user to the Domino server as the DominoDefaultUser.

The default user has default access to the Notes database, which means this person should have general access privileges such as Domino’s depositor, reader, or author level of access, configured in ACLs.

For the Domino Agent to use this value, set the SkipDominoAuth parameter to no.

There may be some Notes databases that do not require protection from SiteMinder. Resources that are not protected by SiteMinder are not authenticated as the default Domino user. Instead, the Domino server prompts users for their credentials (if anonymous access is disabled).
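The identity-selection rules from the SkipDominoAuth table and this section, written out as an added Python example that is not the Agent's own logic; the Domino Directory entries and user names are constructed, and the checks that DominoSuperUser and DominoDefaultUser themselves resolve in the directory are assumptions.

```python
# Constructed Domino Directory: SiteMinder user name -> matching directory entries.
# "bob" matches two entries, which is the ambiguous case the page says is denied.
DOMINO_DIRECTORY = {
    "alice": ["CN=Alice Adams/O=Example"],
    "bob": ["CN=Bob Brown/O=Example", "CN=Bob Brown/O=Partners"],
    "admin": ["CN=Web Admin/O=Example"],
    "webguest": ["CN=Web Guest/O=Example"],
}

def resolves_uniquely(name):
    """True when the name maps to exactly one Domino Directory entry."""
    return name is not None and len(DOMINO_DIRECTORY.get(name, [])) == 1

def domino_identity(actual_user, skip_domino_auth, domino_super_user,
                    domino_default_user, protected=True):
    """Return (identity passed to Domino, outcome) for one request.
    'protected' says whether a SiteMinder policy covers the resource."""
    if not protected:
        # Page: unprotected resources are not mapped to the Default User; Domino
        # challenges the user itself (unless anonymous access is enabled).
        return None, "domino_challenge"
    if skip_domino_auth:
        # SkipDominoAuth=yes: SiteMinder did the authentication; Domino sees the
        # Super User, who must still exist in the Domino Directory (assumption: unique).
        if not resolves_uniquely(domino_super_user):
            return None, "denied"       # misconfiguration: no usable DominoSuperUser
        return domino_super_user, "super_user"
    matches = DOMINO_DIRECTORY.get(actual_user, [])
    if len(matches) > 1:
        return None, "denied"           # page: ambiguous names are denied
    if len(matches) == 1:
        return actual_user, "actual_user"   # Domino authenticates the real user
    # Authenticated by SiteMinder against another directory: use DominoDefaultUser.
    if not resolves_uniquely(domino_default_user):
        return None, "denied"
    return domino_default_user, "default_user"
```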

Modify the Domino Default User and the Domino Super User

To modify the DominoDefaultUser and DominoSuperUser parameters, do one of the following:

Use Encryptkey to Set the Domino Default or Super User

To set or change the value of DominoSuperUser or DominoDefaultUser in the Agent configuration file

  1. Do one of the following:
  2. Run the encryptkey tool, using the following arguments:

    For example:

    encryptkey -path "c:\program files\ca\SiteMinder Web Agent\Bin\Lotus Domino5\webagent.conf" -dominoSuperUser admin

    Note: The path to the Agent configuration file must include the file name, such as webagent.conf. Also, if any part of the path contains spaces, the entire path must be surrounded by quotation marks.

    Note: The encryptkey tool is not provided as part of the SiteMinder Web Agent kit. However, the tool remains useful to Domino users, who can use it to generate encrypted DominoSuperUser settings for local configuration. You can contact Support to download a copy of this tool.