SSO FileNet Sg247675


Front cover

Single Sign-On Solutions for IBM FileNet P8
Using IBM Tivoli and WebSphere Security Technology

Business context discussion on SSO in an Enterprise Content Management solution
Overview of SSO architecture and deployment models
Complete hands-on SSO configurations for P8 V4.0

Axel Buecker, Simon Canning, Jay Devaney, Guillermo Rios, Satoshi Takahashi

ibm.com/redbooks

International Technical Support Organization

Single Sign-On Solutions for IBM FileNet P8 Using IBM Tivoli and WebSphere Security Technology

June 2009

SG24-7675-00

Note: Before using this information and the product it supports, read the information in Notices on page vii.

First Edition (June 2009)

This edition applies to Version 4.0 of IBM FileNet P8. We point out the individual versions of the different products used in the single sign-on scenarios in their respective chapters.

Copyright International Business Machines Corporation 2009. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Notices .... vii
Trademarks .... viii
Preface .... ix
  A word of caution .... ix
  The team that wrote this book .... x
  Become a published author .... xii
  Comments welcome .... xiii

Part 1. Architecture and design .... 1

Chapter 1. Business context for single sign-on in an Enterprise Content Management environment .... 3
  1.1 What single sign-on is .... 4
    1.1.1 Three classes of single sign-on .... 4
  1.2 Benefits of a single sign-on solution .... 6
  1.3 Single sign-on and Enterprise Content Management .... 7
    1.3.1 The ECM point of view .... 8
    1.3.2 P8 authentication overview .... 10
    1.3.3 P8 authorization overview .... 11
    1.3.4 SOA identity propagation overview .... 12

Chapter 2. Single sign-on architecture and component design .... 15
  2.1 IBM FileNet P8 architecture overview .... 16
    2.1.1 Architecture of an IBM FileNet P8 system .... 16
    2.1.2 Content Engine architecture .... 18
    2.1.3 Process Engine architecture .... 20
    2.1.4 Directory service integration .... 21
    2.1.5 Java based client authentication through JAAS .... 22
    2.1.6 Web service based client authentication through WS-Security .... 25
    2.1.7 Application Engine authentication .... 28
    2.1.8 Process Engine authentication .... 29
  2.2 Simple Protected GSSAPI Negotiation Mechanism architecture overview .... 35
    2.2.1 What SPNEGO is .... 35
    2.2.2 How SPNEGO works .... 38
  2.3 Tivoli Access Manager architecture overview .... 39
    2.3.1 Basic architecture of Tivoli Access Manager for e-business .... 40
    2.3.2 Providing single sign-on functionality .... 41
    2.3.3 Access Manager single sign-on flow .... 43


  2.4 Tivoli Federated Identity Manager architecture overview .... 45
    2.4.1 Trust Service .... 45
    2.4.2 Identity propagation patterns .... 49
  2.5 Conclusion .... 51

Part 2. Technical single sign-on implementations .... 53

Chapter 3. Customer overview .... 55
  3.1 Company profile .... 56
    3.1.1 Geographic distribution of GCBI .... 56
    3.1.2 GCBI marketplace position .... 58
  3.2 Current IT architecture .... 58
    3.2.1 Overview of the GCBI network .... 58
    3.2.2 Current FileNet P8 infrastructure .... 58
    3.2.3 Windows server and desktop environment .... 60
  3.3 Corporate business vision and objectives .... 60
  3.4 Business requirements .... 61
  3.5 Functional requirements .... 61
  3.6 Solution approaches .... 64
  3.7 Non-functional requirements .... 65
  3.8 Conclusion .... 66

Chapter 4. Single sign-on using Tivoli Access Manager for e-business .... 67
  4.1 Customer requirements .... 68
  4.2 Step-by-step configuration .... 68
    4.2.1 Prerequisites .... 69
    4.2.2 Tivoli Access Manager for e-business configuration .... 74
    4.2.3 Configure Access Manager Java runtime .... 79
    4.2.4 Enable the TAI++ interceptor on WebSphere Application Server .... 83
    4.2.5 Verify the TAI++ interceptor function .... 90
    4.2.6 Deploy the P8 AE application .... 96
    4.2.7 Additional configuration steps for SPNEGO authentication .... 118
  4.3 Integration test .... 126
  4.4 Conclusion .... 126

Chapter 5. Single sign-on using SPNEGO .... 127
  5.1 GCBI user experience improvement .... 128
  5.2 Step-by-step configuration .... 128
    5.2.1 Prerequisites .... 129
    5.2.2 Creating a Kerberos service principal and keytab file .... 130
    5.2.3 Creating the Kerberos configuration file .... 133
    5.2.4 Configure the SPNEGO TAI interceptor .... 136
    5.2.5 Configure SPNEGO TAI interceptor on JVM .... 141


    5.2.6 Configure the Web browsers to support SPNEGO .... 153
    5.2.7 Quick test for SPNEGO single sign-on .... 155
    5.2.8 Troubleshooting SPNEGO .... 156
    5.2.9 Deploy the FileNet P8 Application Engine .... 162
    5.2.10 Integration test for P8 AE and SPNEGO .... 178

Chapter 6. Single sign-on using Tivoli Federated Identity Manager .... 181
  6.1 Overview .... 182
    6.1.1 Partners involved .... 182
    6.1.2 Installation overview .... 183
    6.1.3 Prerequisites and assumptions .... 184
  6.2 IBM FileNet P8 and Federated Identity Manager solution .... 185
  6.3 Solution components .... 187
    6.3.1 Sample Web service client .... 187
    6.3.2 Federated Identity Manager FileNet Interceptor ...
