BP201: Creating Your Own
Connections Confection -
Getting The Flavour Right
Gabriella Davis
Technical Director - The Turtle Partnership
gabriella@turtlepartnership.com
Let’s talk about me for a minute
▪ Admin of all things and especially quite
complicated things where the fun is
– Working with security, healthchecks, single sign on,
design and deployment of Domino, ST, Connections
and things that they talk to
▪ Stubborn and relentless problem solver
▪ Lives in London about half of the time
▪ gabriella@turtlepartnership.com
▪ twitter: gabturtle
Notices and Disclaimers
Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional
technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT
SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF
OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.
Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.
Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they
may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.
References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational
purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory
requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will
ensure that the customer is in compliance with any law.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this
publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of
those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES,
EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
IBM, the IBM logo, ibm.com, BrassRing®, Connections™, Domino®, Global Business Services®, Global Technology Services®, SmartCloud®, Social Business®, Kenexa®, Notes®, PartnerWorld®, Prove It!®,
PureSystems®, Sametime®, Verse™, Watson™, WebSphere®, Worklight®, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names
might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
Connections - The Whole Picture
Designing Your User Experience
CREATING AND
SHARING CONTENT
TAGGING, LIKES &
@MENTIONS
CLIENT ACCESS:
BROWSER
DESKTOP APPLICATION
MOBILE
LEARNING ABOUT
PEOPLE, WHO THEY
ARE, WHAT THEY DO
DOCUMENT
MANAGEMENT
AUDIENCE & NETWORK
EXTERNAL USER BEHAVIOUR
Architecture Decisions
USERS VS CONCURRENT USERS
PUBLIC ACCESS AND SECURITY
FILE AND DATA
STORAGE
SEPARATING
COMPONENTS
BUILD NOW / ADD
LATER?
ALWAYS HAVE BOTH STAGING AND PRODUCTION ENVIRONMENTS
Design For Growth
Clusters can be duplicated
Not everything needs to be clustered but everything should have the potential for clustering without
needing a rebuild
Avoid backing yourself into a corner with single points of failure
Data is accessed from the database server and from a shared data location
Document Management
It’s All About Content - Companies Run On Content
Tags
Video
KPI
Processes
WEB2.0
Proposals
Projects
Photos
Video
Wikis
Places
Blogs
Tasks
✤ Companies generate and need to use
and retain a lot of data, much of it
unstructured
✤ To do this they use Enterprise Content
Management
✤ this is not the same as a Content
Management System
Sharing A Collective Memory
✤ Information needs context
✤ Why was it generated?
✤ What was it used for?
✤ Who worked on it?
✤ Is it still true?
Avoiding Reinvention
SEARCH: DOES CONTENT ALREADY EXIST?
REVIEW: IS IT WHAT YOU NEED?
RE-USE: WHY NOT JUST SHARE IT?
▪ Always most recent
▪ Always validated
▪ Always in context
Always The Right Information
▪ Approvals
▪ Reviews
▪ Auditing
▪ Compliance
Control & Confidence
Searching
Files & Folder
Metadata
Document Types
Tagging
✤ People /
Unstructured
✤ Process /
Structured
Finding Things
Working With Documents
Files Application
▪ Standard Connections application (default install)
▪ Each user has their own “Library” where they can upload and share files
▪ Each file can be shared
Sharing Files - Behaviour
Files Sync Offline
CCM / Filenet
DEP MGR
+ FILENET
FILENET
CONNECTIONS
WAS
DB STORE
It’s A Customised Connections-Specific Integrated Install
CCM Isn’t Pure Filenet
1. Websphere
Application Server
2. Deployment Manager
Server
3. Filenet Installers
1. Websphere
Application Server
2. Filenet J2EE
Applications
1. Database Server
2. FNCGD & FNOS
Databases
Connections
Data Share
(NFS)
Filenet Server
DB Server
Storage
CCM Libraries
SSO
Standalone Filenet
External Libraries
Editing Things
EditLive
Advanced
editing, table
management, inline
images
EditLive Install
▪ Custom installer downloadable from IBM
▪ Simple application install
▪ Enabled for everyone or for users by role
▪ J2EE application maps to a WebSphere
server
▪ you can use an existing server
FileViewer
Server 2
Conversion Server
Mandatory
Windows OS
IBM Connections
Server 1
File Viewer Extension Plugin
File Viewer Server
Windows or Linux
Connections Data Share
(moved to NFS share)
Viewer Data Share
IBM Docs
Server 2
Server 3
IBM Docs Server
Mandatory
Linux OS
Conversion Server
Mandatory
Windows OS
IBM Connections
Server 1
IBM Docs Extension Plug-In
File Viewer Extension Plugin
Server 4
IBM Docs Proxy
Optional
Linux OS
File Viewer Server
Windows or Linux
Connections Data Share
(moved to NFS share)
Viewer Data Share
IBM Docs Data
NFS Share
Analytics
Cognos
Cognos BI
Cognos Transformer
Cognos & Metrics DB
Cognos & Metrics J2EE Apps
Connections
Reporting
Cognos BI
Cognos Transformer
Websphere
Application Server
Metrics J2EE Application
Cognos J2EE
Application
Database Server
Cognos DB
Metrics DB
The metrics application logs to the Metrics DB.
This DB can be (and is) used by other 3rd party analytical tools
Forms Experience Builder
Forms Experience Builder
Polls & Surveys
Installs on
WebSphere Server(s)
Requires
DB2
Installs on
every server
in the chosen
cluster
Websphere Application
Server
Forms Experience Builder
FEB J2EE Application
Database
Server
FEB DB
Connections Mail
How Does Connections Mail Work?
Deployment
Manager
IBM Connections
Mail Installed
Connections
Application
Server
Connections
Application
Server
HTTP
Interface to Mail
(iNotes in the case of
Domino)
Domino
Server1
Domino
Server2
Domino
Server3
Or Exchange
Sametime Integration
Configuring Sametime With Connections
▪ Two choices
▪ Each user runs the Sametime standalone client
▪ Enable the Connections server to connect to the Sametime Proxy Server
using a web interface
▪ There are no Sametime applications installed under Connections
Online Status In Connections
Sametime Meetings In Connections
All communication is through the Sametime Proxy
Server - a web interface to Sametime Services
External Users
What Can An External Person Do?
▪ Be a full member of a Community that allows external users
▪ Share Files with others as well as Download files shared with you
▪ See Activity Streams that they are invited into
▪ Edit Their Profile
▪ View business cards of anyone who has shared content with them
What Can’t An External Person Do?
▪ See Any Public Content
▪ Create a community
▪ Follow people
▪ See or search the company directory
▪ Use type-ahead to find people
▪ See recommended content or people
▪ Access the Profiles menu
▪ Access other user profiles
▪ See @Mentions for them
Internal - Homepage
Visitor Homepage
Internal - My Profile
Visitor My Profile
Single Sign On
Negotiation
known as NTLM or Kerberos in Active Directory
GSSAPI
Mechanism
SPNEGO EXAMPLE FOR WEBSPHERE
STEPS
1. USER LOGS INTO WINDOWS
2. ACTIVE DIRECTORY GENERATES SPNEGO TOKEN
3. USER TRIES TO ACCESS CONNECTIONS
4. BROWSER SENDS SPNEGO TOKEN TO WEBSPHERE ALONG WITH USER NAME
5. WEBSPHERE CONTACTS ACTIVE DIRECTORY TO VALIDATE TOKEN AND RETRIEVE THE USER’S NAME
SETTING UP SPNEGO
Set up an SPN for the IHS and Connections application servers in Active Directory
Use a dedicated account that you use to start WebSphere as a service
Run setspn -a HTTP/<ihs hostname> <accountnamerunningwas>
If AD isn’t the LDAP being used then the LDAP entry should be updated with the AD name
e.g. for Domino update person documents with AD name appended to FullName (and optional others like krbPrincipalName and LTPA User Name)
WHY NOT SPNEGO
It requires Active Directory
It requires users to login to Active Directory
It requires Microsoft Supported browsers*
It requires a Windows client for the users*
It requires a Windows platform*
It doesn’t work at all if the user is remotely connecting and not logging into Active Directory
It has a very specific use case
* all these asterisks mean there are ways to extend to other platforms often using 3rd party addons
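When SPNEGO sign-on fails, the first thing to check is what the browser actually put in its `Authorization: Negotiate` header: a Kerberos offer, or an NTLM fallback because the user never obtained a ticket from Active Directory. The following is an added example, not part of the original slides; it decodes the header and lists the mechanisms offered. The sample tokens are constructed and all function names are illustrative.

```python
import base64

NTLM_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {
    "1.2.840.113554.1.2.2": "kerberos",
    "1.2.840.48018.1.2.2": "ms-kerberos",   # legacy Microsoft Kerberos OID
    "1.3.6.1.4.1.311.2.2.10": "ntlm",
}


def read_tlv(buf, pos, tag):
    """Check the DER tag at buf[pos]; return (start, end) of its content."""
    if pos + 1 >= len(buf) or buf[pos] != tag:
        raise ValueError("expected tag 0x%02x at offset %d" % (tag, pos))
    first, pos = buf[pos + 1], pos + 2
    if first < 0x80:                      # short form: length in one byte
        length = first
    else:                                 # long form: next N bytes hold the length
        count = first & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated token")
    return pos, pos + length


def decode_oid(body):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    if not body:
        raise ValueError("empty OID")
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:               # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def classify_negotiate(header_value):
    """Return (kind, mechanisms) for an HTTP Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return ("not-negotiate", [])
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return ("malformed", [])
    if token.startswith(NTLM_SIGNATURE):  # NTLM sent without any GSS-API wrapper
        return ("raw-ntlm", ["ntlm"])
    try:
        pos, _ = read_tlv(token, 0, 0x60)            # GSS-API InitialContextToken
        oid_start, oid_end = read_tlv(token, pos, 0x06)
        this_mech = decode_oid(token[oid_start:oid_end])
        if this_mech != SPNEGO_OID:
            return ("gssapi", [MECH_NAMES.get(this_mech, this_mech)])
        pos, _ = read_tlv(token, oid_end, 0xA0)      # NegTokenInit
        pos, _ = read_tlv(token, pos, 0x30)
        pos, _ = read_tlv(token, pos, 0xA0)          # mechTypes [0]
        pos, list_end = read_tlv(token, pos, 0x30)
        mechs = []
        while pos < list_end:
            start, pos = read_tlv(token, pos, 0x06)
            oid = decode_oid(token[start:pos])
            mechs.append(MECH_NAMES.get(oid, oid))
    except ValueError:
        return ("malformed", [])
    return ("spnego", mechs)


def offers_kerberos(mechs):
    """True when at least one offered mechanism is Kerberos."""
    return any(m in ("kerberos", "ms-kerberos") for m in mechs)


def der(tag, body):
    """Encode one DER TLV (used only to build the constructed samples)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body


def build_sample_header(mech_oids_hex):
    """Constructed SPNEGO NegTokenInit carrying only a mechTypes list."""
    mech_list = der(0x30, b"".join(der(0x06, bytes.fromhex(h)) for h in mech_oids_hex))
    neg_token_init = der(0xA0, der(0x30, der(0xA0, mech_list)))
    token = der(0x60, der(0x06, bytes.fromhex("2b0601050502")) + neg_token_init)
    return "Negotiate " + base64.b64encode(token).decode("ascii")


KRB5_HEX, MS_KRB5_HEX = "2a864886f712010202", "2a864882f712010202"
NTLM_HEX = "2b06010401823702020a"
# Constructed samples: a client logged in to AD, and two NTLM fallbacks.
SAMPLE_DOMAIN_JOINED = build_sample_header([MS_KRB5_HEX, KRB5_HEX, NTLM_HEX])
SAMPLE_NTLM_ONLY = build_sample_header([NTLM_HEX])
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(
    NTLM_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 8).decode("ascii")

if __name__ == "__main__":
    for header in (SAMPLE_DOMAIN_JOINED, SAMPLE_NTLM_ONLY, SAMPLE_RAW_NTLM):
        kind, mechs = classify_negotiate(header)
        print(kind, mechs, "kerberos offered:", offers_kerberos(mechs))
```

A header that classifies as `raw-ntlm`, or as `spnego` without a Kerberos mechanism, points at the client side (no AD logon, host not in the browser's trusted zone, or a missing SPN) rather than at the server configuration.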
What Is SAML
Security Assertion Markup Language
SAML is a protocol and process for exchanging authorisation and authentication data for a user between services and servers
IdP (Identity Provider)
SP (Service Provider)
SP (Service Provider)
SP (Service Provider)
No Passwords…
To Compromise
To Expire
Once a user has authenticated with the IdP they won’t be asked again
SAML Example
STEPS
1. USER ATTEMPTS TO LOG IN TO A WEBSITE
2. USER IS REDIRECTED TO IDENTITY PROVIDER
3. IDENTITY PROVIDER REQUESTS AUTHENTICATION OR (IF USER IS LOGGED IN) RETURNS CREDENTIALS
4. USER IS REDIRECTED BACK TO ORIGINAL SITE WITH SAML ASSERTION ATTACHED
5. ORIGINAL SITE USES ITS SAML SERVICE PROVIDER TO CONFIRM SAML ASSERTION AND GRANT ACCESS
Definitions
▪ IdP - Identity Provider (SSO)
– ADFS (Active Directory Federation Services in Windows 2008 and Windows 2012)
• SAML 2.0 only
• can be combined with SPNEGO
• Enhances Integrated Windows Authentication (IWA)
– TFIM (Tivoli Federated Identity Manager)
• SAML 1.1 and 2.0
Definitions
▪ SP - Service Provider
– IBM WebSphere
• By extension some applications installed under WebSphere
– IBM Domino (web federated login)
– IBM Notes (requires ID Vault) (notes federated login)
More Definitions
▪ IdP (Identity Providers) use HTTP or SOAP to communicate to SP (Service Providers) via
XML based assertions

▪ Assertions have three roles
– Authentication
– Authorisation
– Retrieving Attributes
An IdP can service many service providers
A SP can be connected to several IdPs
An IdP can use a variety of authentication methods including multi factor
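Step 5 of the SAML flow, where the service provider confirms the assertion, includes more than the signature: the SP also checks who issued it, who it was issued for, and whether it is still inside its validity window. The following is an added example, not part of the original slides and not WebSphere's own code; it covers those condition checks only and assumes the XML signature has already been verified by the SP's SAML library. The assertion, entity IDs and URLs are constructed.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical deployment values; real ones come from the IdP/SP metadata.
EXPECTED_IDP = "http://idp.example.com/adfs/services/trust"
SP_ENTITY_ID = "https://connections.example.com/samlsps"
ACS_URL = "https://connections.example.com/samlsps/acs"

# Constructed, unsigned sample assertion.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_example" Version="2.0" IssueInstant="2015-01-26T10:00:00Z">
  <saml:Issuer>http://idp.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData
          Recipient="https://connections.example.com/samlsps/acs"
          NotOnOrAfter="2015-01-26T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2015-01-26T10:00:00Z"
                   NotOnOrAfter="2015-01-26T11:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://connections.example.com/samlsps</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def _parse_ts(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised timestamp: %r" % value)


def check_assertion(xml_text, now, idp_entity_id=EXPECTED_IDP,
                    sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL,
                    skew=timedelta(minutes=3)):
    """Return the list of failed checks; an empty list means all passed.

    `skew` is the clock difference tolerated between IdP and SP.
    Untrusted XML should be parsed with a hardened parser in production.
    """
    problems = []
    root = ET.fromstring(xml_text)

    # 1. The assertion must come from the IdP this SP trusts.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        problems.append("issuer")

    # 2. Validity window and intended audience.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("conditions-missing")
    else:
        not_before = cond.get("NotBefore")
        not_after = cond.get("NotOnOrAfter")
        if not_before and now + skew < _parse_ts(not_before):
            problems.append("not-yet-valid")
        if not_after and now - skew >= _parse_ts(not_after):
            problems.append("expired")
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS)
                     if a.text]
        if sp_entity_id not in audiences:
            problems.append("audience")

    # 3. Bearer confirmation: delivered to this SP's endpoint, and recently.
    scd = root.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("subject-confirmation-missing")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("recipient")
        deadline = scd.get("NotOnOrAfter")
        if not deadline or now - skew >= _parse_ts(deadline):
            problems.append("bearer-window")
    return problems


if __name__ == "__main__":
    for hour, minute in ((9, 50), (10, 1), (10, 20), (12, 0)):
        when = datetime(2015, 1, 26, hour, minute, tzinfo=timezone.utc)
        print(when.isoformat(), check_assertion(SAMPLE_ASSERTION, when))
```

A `not-yet-valid` or `bearer-window` failure on an otherwise correct assertion usually means the IdP and SP clocks have drifted further apart than the allowed skew.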
Setting Up SAML
▪ Choose your IdP if you don’t already have one
– which fits best in your business
▪ Build the IdP
▪ Configure the SP
▪ Sounds easy doesn’t it?
– It’s really not easy by any means but it is worth the investment in time
SAML Support In Connections
▪ WebSphere supports SAML but that doesn’t mean all applications run under WebSphere
support it
▪ Where SAML is configured for authentication and can’t be used by an external application,
WebSphere can generate a LTPA token
▪ FileNet / CCM does not support SAML
▪ Metrics/Cognos can’t run in a SAML enabled cell and must be deployed in its own cell with
LTPA
▪ Connections Mail, Desktop and Mobile applications cannot use SAML
▪ Browser access to the rest of the Connections applications (homepage, profiles, activities,
communities etc) is supported
IBM PreApproval Process - SAML Isn’t Supported Without It
▪ SAML integration with IBM Connections is supported in specific circumstances
▪ WebSphere supports SAML but that doesn’t mean all applications that run under
WebSphere do
▪ Specific configuration instructions and fixes are only available from IBM Support once pre-
approval has been completed
▪ The pre-approval process is a questionnaire that must be completed and submitted to IBM
so support can evaluate if your environment can be supported
– IBM will also advise the best deployment for SAML to meet your needs
– There is no one size fits all solution
Configuring SAML With IBM Connections
▪ There are two methods for configuring SAML with IBM Connections
▪ For both, the IdPs (Identity Providers) tested are ADFS and TFIM
– Those are the IdPs publicly documented for WebSphere
– That’s not to say other IdPs wouldn’t be supported if accepted for pre-approval
▪ WebSphere acts as a SP (service provider) and configuration is completed in the cell
under Global Security
– This means SAML instructions are applied to all applications in the cell
▪ SAML can be deployed using WebSphere’s default authenticator or using SAML
redirection
– Using default authenticator gives more scope for external applications
– IBM will advise the best deployment based on your completed questionnaire
Where To From Here?
▪ Who are your users
▪ Where are your users
▪ What do they want to do
▪ Clouds vs On Premises
▪ Simplify Architecture But Build for Growth
▪ Have a Plan
Questions?
▪ Gab Davis - Technical Director
▪ The Turtle Partnership
▪ gabriella@turtlepartnership.com
▪ GabriellaDavis on Skype
▪ gabturtle on twitter
Engage Online
▪ SocialBiz User Group socialbizug.org
– Join the epicenter of Notes and Collaboration user groups
▪ Social Business Insights blog ibm.com/blogs/socialbusiness
– Read and engage with our bloggers
▪ Follow us on Twitter
– @IBMConnect and @IBMSocialBiz
▪ LinkedIn http://bit.ly/SBComm
– Participate in the IBM Social Business group on LinkedIn
▪ Facebook https://www.facebook.com/IBMConnected
– Like IBM Social Business on Facebook

More Related Content

PDF
IBM Connect 2016 - Logging Wars: A Cross Product Tech Clash Between Experts -...
PDF
Social Connections VIII - Innovation and Communications Drive Business Value
PPTX
What is new in IBM Connections 5.5 and IBM Docs 2.0
ODP
IBM Platform for Social Business IamLUG 2013
PDF
TI 1641 - delivering enterprise software at the speed of cloud
PDF
How IBM Enabled its Worldwide Sales Force with Mobile Technologies
ODP
Granite Lotus User Group November 2012 ICS Updates
PDF
IBM Connections 4.5 CR2 Installation - From Zero To Social Hero - 2.02 - with...
IBM Connect 2016 - Logging Wars: A Cross Product Tech Clash Between Experts -...
Social Connections VIII - Innovation and Communications Drive Business Value
What is new in IBM Connections 5.5 and IBM Docs 2.0
IBM Platform for Social Business IamLUG 2013
TI 1641 - delivering enterprise software at the speed of cloud
How IBM Enabled its Worldwide Sales Force with Mobile Technologies
Granite Lotus User Group November 2012 ICS Updates
IBM Connections 4.5 CR2 Installation - From Zero To Social Hero - 2.02 - with...

What's hot (20)

PDF
IBM Connections 4.0 Installation From Zero To Social Hero - 1.03 with AD LDAP
PDF
BP110: The Mobile Distruption - Why XPages Development is targeting Mobile First
PDF
The Power of IBM SmartCloud for Social Business and XPages App Dev
PDF
IBM Connect 2014 SHOW501 Mastering Social Development Using the IBM Collabora...
PDF
NELotus - OpenNTF.org & XPages Mobile Controls
PDF
Social Connections VI Keynote - Why IBM Connections 5.0 Matters
PDF
AD 1656 - Transforming social data into business insight
PDF
IBM Connect 2014 - AD206 - Build Apps Rapidly by Leveraging Services from IBM...
PDF
IBM Connections 4.5 Integration - From Zero To Social Hero - 2.0 - with Domin...
PDF
Business Partner Day 406 - Ignite your IBM SmartCloud for Social Business Int...
PDF
BP102 Build Your Free Admin Toolkit
PDF
Ibm notes 9 social edition (external)
PPTX
IBM Collaboration Mobile Strategy and a New Way To work
PDF
IBM Connect 2014 AD 501 - IBM Worklight for IBM Domino Developers
PDF
What’s New in IBM Connections 4.5 and IBM Connections Content Manager
ODP
MAS202 - Customizing IBM Connections
PDF
AD214 What's Next? Application Modernization Roadmap for Socializing IBM Note...
PDF
Application Development for IBM Connections with IBM Bluemix
PDF
How to extend IBM Connections Communities and Profiles
PDF
Open Mic Webcast: "Connections Next - what to expect from the next version "
IBM Connections 4.0 Installation From Zero To Social Hero - 1.03 with AD LDAP
BP110: The Mobile Distruption - Why XPages Development is targeting Mobile First
The Power of IBM SmartCloud for Social Business and XPages App Dev
IBM Connect 2014 SHOW501 Mastering Social Development Using the IBM Collabora...
NELotus - OpenNTF.org & XPages Mobile Controls
Social Connections VI Keynote - Why IBM Connections 5.0 Matters
AD 1656 - Transforming social data into business insight
IBM Connect 2014 - AD206 - Build Apps Rapidly by Leveraging Services from IBM...
IBM Connections 4.5 Integration - From Zero To Social Hero - 2.0 - with Domin...
Business Partner Day 406 - Ignite your IBM SmartCloud for Social Business Int...
BP102 Build Your Free Admin Toolkit
Ibm notes 9 social edition (external)
IBM Collaboration Mobile Strategy and a New Way To work
IBM Connect 2014 AD 501 - IBM Worklight for IBM Domino Developers
What’s New in IBM Connections 4.5 and IBM Connections Content Manager
MAS202 - Customizing IBM Connections
AD214 What's Next? Application Modernization Roadmap for Socializing IBM Note...
Application Development for IBM Connections with IBM Bluemix
How to extend IBM Connections Communities and Profiles
Open Mic Webcast: "Connections Next - what to expect from the next version "
Ad

Viewers also liked (20)

PDF
Traveler management, security and performance
PDF
Spnego configuration
PDF
IBM Traveler Management, Security and Performance
PDF
Domino in the Back, Party In The Front
PDF
Domino Adminblast
PDF
Connections Directory Integration: A Tour Through Best Practices for Directo...
PDF
External Users Accessing Connections
PDF
Benefits and Risks of a Single Identity - IBM Connect 2017
PDF
Planning & Completing An IBM Connections Upgrade
PDF
BP205: There’s an API for that! Why and how to build on the IBM Connections P...
ODP
IBM ConnectED 2015 - AD302 - Responsive Application Development for XPages
PDF
Planning and Completing an IBM Connections Upgrade
PDF
IBM ConnectED 2015 BP110: Mastering Your Logs, Everything You Should Know abo...
PDF
The future of web development write once, run everywhere with angular js an...
PDF
Changing technologies
PDF
Penumbra briefing
PDF
IBM ConnectED 2015 - BP106 From XPages Hero To OSGi Guru: Taking The Scary Ou...
PDF
1084: Planning and Completing an IBM Connections Upgrade
PDF
IBM ConnectED 2015 - MAS103 XPages Performance and Scalability
PDF
Working With Sametime For Mobile Devices
Traveler management, security and performance
Spnego configuration
IBM Traveler Management, Security and Performance
Domino in the Back, Party In The Front
Domino Adminblast
Connections Directory Integration: A Tour Through Best Practices for Directo...
External Users Accessing Connections
Benefits and Risks of a Single Identity - IBM Connect 2017
Planning & Completing An IBM Connections Upgrade
BP205: There’s an API for that! Why and how to build on the IBM Connections P...
IBM ConnectED 2015 - AD302 - Responsive Application Development for XPages
Planning and Completing an IBM Connections Upgrade
IBM ConnectED 2015 BP110: Mastering Your Logs, Everything You Should Know abo...
The future of web development write once, run everywhere with angular js an...
Changing technologies
Penumbra briefing
IBM ConnectED 2015 - BP106 From XPages Hero To OSGi Guru: Taking The Scary Ou...
1084: Planning and Completing an IBM Connections Upgrade
IBM ConnectED 2015 - MAS103 XPages Performance and Scalability
Working With Sametime For Mobile Devices
Ad

Similar to BP201 Creating Your Own Connections Confection - Getting The Flavour Right (20)

PPTX
Cognitive Connections Architectures, Use Cases and Code
PDF
BP306 - Connecting the dots between Domino, Notes 9 and Connections
PDF
Connect2013: BP306 Connecting the Dots between IBM Domino, Notes 9 and IBM Co...
PDF
What's New in IBM Connections Social Cloud - Q2 2016
PDF
Tip from ConnectED 2015: Managing your Enterprise Data in the Cloud – Securit...
PDF
Tip from ConnectED 2015: Best and Worst Practices Deploying IBM Connections
PDF
Vision 2016 fpm 1081 - getting data from sap business warehouse into your ibm...
PDF
The Power of IBM SmartCloud for Social Business and XPages App Dev
PPT
Sunny Days, (Smart)Cloud-y Users
PDF
IBM Connection Adoption
PPTX
DEV-1269: Best and Worst Practices for Deploying IBM Connections – IBM Conne...
PPTX
DEV-1223: Socialytics: Accelerating IBM Connections Adoption with Watson Anal...
PPTX
IBM Connections Adminblast - Connect17 (DEV 1268)
PPTX
Top Six reasons to choose IBM for Collaboration Solutions
PPTX
Top 6 reasons to choose IBM Connections and Verse for Collaboration Solutions
PDF
Logging Wars: A Cross-Product Tech Clash Between Experts
PPTX
MLB - Fostering a Collaborative Approach to Conduct Baseball Business
PDF
Tip from ConnectED 2015: An intro to IBM Security Directory Integrator for IB...
PPTX
Big Data With Graphs
PPTX
DEV-1268: IBM Connections Adminblast – IBM Connect 2017
Cognitive Connections Architectures, Use Cases and Code
BP306 - Connecting the dots between Domino, Notes 9 and Connections
Connect2013: BP306 Connecting the Dots between IBM Domino, Notes 9 and IBM Co...
What's New in IBM Connections Social Cloud - Q2 2016
Tip from ConnectED 2015: Managing your Enterprise Data in the Cloud – Securit...
Tip from ConnectED 2015: Best and Worst Practices Deploying IBM Connections
Vision 2016 fpm 1081 - getting data from sap business warehouse into your ibm...
The Power of IBM SmartCloud for Social Business and XPages App Dev
Sunny Days, (Smart)Cloud-y Users
IBM Connection Adoption
DEV-1269: Best and Worst Practices for Deploying IBM Connections – IBM Conne...
DEV-1223: Socialytics: Accelerating IBM Connections Adoption with Watson Anal...
IBM Connections Adminblast - Connect17 (DEV 1268)
Top Six reasons to choose IBM for Collaboration Solutions
Top 6 reasons to choose IBM Connections and Verse for Collaboration Solutions
Logging Wars: A Cross-Product Tech Clash Between Experts
MLB - Fostering a Collaborative Approach to Conduct Baseball Business
Tip from ConnectED 2015: An intro to IBM Security Directory Integrator for IB...
Big Data With Graphs
DEV-1268: IBM Connections Adminblast – IBM Connect 2017

More from Gabriella Davis (20)

PDF
A Domino Admins Adventures (Engage 2024)
PDF
Engage2022 - Domino Admin Tips
PDF
. Design Decisions: Developing for Mobile - The Template Experience Project
PDF
Domino Server Health - Monitoring and Managing
PDF
Face Off Domino vs Exchange On Premises
PDF
60 Admin Tips
PDF
Adminlicious - A Guide To TCO Features In Domino v10
PDF
An Introduction to Configuring Domino for Docker
PDF
An Introduction To The DMARC SMTP Validation Requirements
PDF
× The Road To A #Perfect10 - How To Get Ready For Domino, Sametime, VOP and T...
PDF
An introduction to configuring Domino for Docker
PDF
How To Approach GDPR Preparation & Discovery
PDF
An Introduction To The DMARC SMTP Validation Requirements
PDF
Brand Yourself
PDF
Home Working
PDF
A Guide To Single Sign-On for IBM Collaboration Solutions
PDF
The Imposter Syndrome
PDF
What's New in Notes, Sametime and Verse On-Premises
PDF
An Introduction To Docker
PDF
An Introduction To Docker
A Domino Admins Adventures (Engage 2024)
Engage2022 - Domino Admin Tips
. Design Decisions: Developing for Mobile - The Template Experience Project
Domino Server Health - Monitoring and Managing
Face Off Domino vs Exchange On Premises
60 Admin Tips
Adminlicious - A Guide To TCO Features In Domino v10
An Introduction to Configuring Domino for Docker
An Introduction To The DMARC SMTP Validation Requirements
× The Road To A #Perfect10 - How To Get Ready For Domino, Sametime, VOP and T...
An introduction to configuring Domino for Docker
How To Approach GDPR Preparation & Discovery
An Introduction To The DMARC SMTP Validation Requirements
Brand Yourself
Home Working
A Guide To Single Sign-On for IBM Collaboration Solutions
The Imposter Syndrome
What's New in Notes, Sametime and Verse On-Premises
An Introduction To Docker
An Introduction To Docker

Recently uploaded (20)

PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 41
PDF
Odoo Companies in India – Driving Business Transformation.pdf
PPTX
history of c programming in notes for students .pptx
PDF
Design an Analysis of Algorithms I-SECS-1021-03
PPT
Introduction Database Management System for Course Database
PPTX
CHAPTER 12 - CYBER SECURITY AND FUTURE SKILLS (1) (1).pptx
PDF
Upgrade and Innovation Strategies for SAP ERP Customers
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
PPTX
L1 - Introduction to python Backend.pptx
PPTX
Transform Your Business with a Software ERP System
PDF
AI in Product Development-omnex systems
PDF
How Creative Agencies Leverage Project Management Software.pdf
PDF
PTS Company Brochure 2025 (1).pdf.......
PDF
Nekopoi APK 2025 free lastest update
PDF
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
PPTX
Introduction to Artificial Intelligence
PPTX
Odoo POS Development Services by CandidRoot Solutions
PDF
Flood Susceptibility Mapping Using Image-Based 2D-CNN Deep Learnin. Overview ...
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
Internet Downloader Manager (IDM) Crack 6.42 Build 41
Odoo Companies in India – Driving Business Transformation.pdf
history of c programming in notes for students .pptx
Design an Analysis of Algorithms I-SECS-1021-03
Introduction Database Management System for Course Database
CHAPTER 12 - CYBER SECURITY AND FUTURE SKILLS (1) (1).pptx
Upgrade and Innovation Strategies for SAP ERP Customers
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
L1 - Introduction to python Backend.pptx
Transform Your Business with a Software ERP System
AI in Product Development-omnex systems
How Creative Agencies Leverage Project Management Software.pdf
PTS Company Brochure 2025 (1).pdf.......
Nekopoi APK 2025 free lastest update
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
Introduction to Artificial Intelligence
Odoo POS Development Services by CandidRoot Solutions
Flood Susceptibility Mapping Using Image-Based 2D-CNN Deep Learnin. Overview ...

BP201 Creating Your Own Connections Confection - Getting The Flavour Right

  • 1. BP201: Creating Your Own Connections Confection - Getting The Flavour Right Gabriella Davis Technical Director - The Turtle Partnership gabriella@turtlepartnership.com
  • 2. Let’s talk about me for a minute ▪ Admin of all things and especially quite complicated things where the fun is – Working with security , healthchecks, single sign on, design and deployment of Domino, ST, Connections and things that they talk to ▪ Stubborn and relentless problem solver ▪ Lives in London about half of the time ▪ gabriella@turtlepartnership.com ▪ twitter: gabturtle
  • 4. Connections - The Whole Picture
  • 5. Designing Your User Experience CREATING AND SHARING CONTENT TAGGING, LIKES & @MENTIONS CLIENT ACCESS: BROWSER DESKTOP APPLICATION MOBILE LEARNING ABOUT PEOPLE, WHO THEY ARE, WHAT THEY DO DOCUMENT MANAGEMENT AUDIENCE & NETWORK EXTERNAL USER BEHAVIOUR
  • 6. Architecture Decisions USERS VS CONCURRENT USERS PUBLIC ACCESS AND SECURITY FILE AND DATA STORAGE SEPARATING COMPONENTS BUILD NOW / ADD LATER?
  • 7. ALWAYS HAVE BOTH STAGING AND PRODUCTION ENVIRONMENTS
  • 8. Design For Growth Clusters can be duplicated Not everything needs to be clustered but everything should have the potential for clustering without needing a rebuild Avoid backing yourself into a corner with single points of failure Data is accessed from the database server and from a shared data location
  • 10. It’s All About Content - Companies Run On Content Tags Video KPI Processes WEB2.0 Proposals Projects PHOTOS Video Wikis Places Blogs Tasks ✤ Companies generate and need to use and retain a lot of data, much of it unstructured ✤ To do this they use Enterprise Content Management ✤ this is not the same as a Content Management System
  • 11. Sharing A Collective Memory ✤ Information needs context ✤ Why was it generated? ✤ What was it used for? ✤ Who worked on it? ✤ Is it still true?
  • 12. Avoiding Reinvention WHY NOT JUST SHARE IT? IS IT WHAT YOU NEED? DOES CONTENT ALREADY EXIST? RE-USE REVIEW SEARCH
  • 13. ▪ Always most recent ▪ Always validated ▪ Always in context Always The Right Information
  • 14. ▪ Approvals ▪ Reviews ▪ Auditing ▪ Compliance Control & Confidence
  • 15. Searching Files & Folder Metadata Document Types Tagging ✤ People / Unstructured ✤ Process / Structured Finding Things
  • 17. Files Application ▪ Standard Connections application (default install) ▪ Each user has their own “Library” where they can upload and share files ▪ Each file can be shared
  • 18. Sharing Files - Behaviour
  • 20. CCM / Filenet DEP MGR + FILENET FILENET CONNECTIONS WAS DB STORE
  • 21. It’s A Customised Connections-Specific Integrated Install CCM Isn’t Pure Filenet
  • 22. 1. Websphere Application Server 2. Deployment Manager Server 3. Filenet Installers 1. Websphere Application Server 2. Filenet J2EE Applications 1. Database Server 2. FNCGD & FNOS Databases Connections Data Share (NFS) Filenet Server DB Server Storage CCM Libraries SSO Standalone Filenet External Libraries
  • 25. EditLive Install ▪ Custom installer downloadable from IBM ▪ Simple application install ▪ Enabled for everyone or for users by role ▪ J2EE application maps to a WebSphere server ▪ you can use an existing server
  • 26. FileViewer Server 2 Conversion Server Mandatory Windows OS IBM Connections Server 1 File Viewer Extension Plugin File Viewer Server Windows or Linux Connections Data Share (moved to NFS share) Viewer Data Share
  • 28. Server 2 Server 3 IBM Docs Server Mandatory Linux OS Conversion Server Mandatory Windows OS IBM Connections Server 1 IBM Docs Extension Plug-In File Viewer Extension Plugin Server 4 IBM Docs Proxy Optional Linux OS File Viewer Server Windows or Linux Connections Data Share (moved to NFS share) Viewer Data Share IBM Docs Data NFS Share
  • 30. Cognos Cognos BI Cognos Transformer Cognos & Metrics DB Cognos & Metrics J2EE Apps Connections Reporting
  • 31. Cognos BI Cognos Transformer Websphere Application Server Metrics J2EE Application Cognos J2EE Application Database Server Cognos DB Metrics DB The metrics application logs to the Metrics DB. This DB can be (and is) used by other 3rd party analytical tools
  • 33. Forms Experience Builder Polls & Surveys Installs on WebSphere Server(s) Requires DB2 Installs on every server in the chosen cluster
  • 34. Websphere Application Server Forms Experience Builder FEB J2EE Application Database Server FEB DB
  • 36. How Does Connections Mail Work? Deployment Manager IBM Connections Mail Installed Connections Application Server Connections Application Server HTTP Interface to Mail (iNotes in the case of Domino) Domino Server1 Domino Server2 Domino Server3 Or Exchange
  • 38. Configuring Sametime With Connections ▪ Two choices ▪ Each user runs the Sametime standalone client ▪ Enable the Connections server to connect to the Sametime Proxy Server using a web interface ▪ There are no Sametime applications installed under Connections
  • 39. Online Status In Connections
  • 40. Sametime Meetings In Connections All communication is through the Sametime Proxy Server - a web interface to Sametime Services
  • 42. What Can An External Person Do? ▪ Be a full member of a Community that allows external users ▪ Share Files with others as well as Download files shared with you ▪ See Activity Streams that they are invited into ▪ Edit Their Profile ▪ View business cards of anyone who has shared content with them
  • 43. What Can’t An External Person Do? ▪ See Any Public Content ▪ Create a community ▪ Follow people ▪ See or search the company directory ▪ Use type-ahead to find people ▪ See recommended content or people ▪ Access the Profiles menu ▪ Access other user profiles ▪ See @Mentions for them
  • 46. Internal - My Profile
  • 49. GSSAPI Negotiation Mechanism, known as NTLM or Kerberos in Active Directory
  • 50. SPNEGO EXAMPLE FOR WEBSPHERE STEPS: 1. USER LOGS INTO WINDOWS 2. ACTIVE DIRECTORY GENERATES SPNEGO TOKEN 3. USER TRIES TO ACCESS CONNECTIONS 4. BROWSER SENDS SPNEGO TOKEN TO WEBSPHERE ALONG WITH USER NAME 5. WEBSPHERE CONTACTS ACTIVE DIRECTORY TO VALIDATE TOKEN AND RETRIEVE THE USER’S NAME
  • 51. SETTING UP SPNEGO Set up a SPN for the IHS and Connections application servers in Active Directory. Use a dedicated account that you use to start WebSphere as a service. Run setspn -a HTTP/<ihs hostname> <accountnamerunningwas>. If AD isn’t the LDAP being used then the LDAP entry should be updated with the AD name, e.g. for Domino update person documents with AD name appended to FullName (and optional others like krbPrincipalName and LTPA User Name)
  • 52. WHY NOT SPNEGO It requires Active Directory. It requires users to login to Active Directory. It requires Microsoft Supported browsers*. It requires a Windows client for the users*. It requires a Windows platform*. It doesn’t work at all if the user is remotely connecting and not logging into Active Directory. It has a very specific use case.
 
 * all these asterisks mean there are ways to extend to other platforms often using 3rd party addons
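An added example (not from the slides): when SPNEGO sign-on fails, a useful check is to decode the `Authorization: Negotiate` header the browser sent in step 4 and see whether it carries a Kerberos ticket or an NTLM fallback, which is what a client that could not obtain a ticket sends. The sample tokens are constructed and truncated, and the function and result names are this example's own.

```python
import base64

SPNEGO_OID = bytes.fromhex("06062b0601050502")      # OID 1.3.6.1.5.5.2 (SPNEGO)
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # OID 1.2.840.113554.1.2.2 (Kerberos 5)
NTLM_SIG = b"NTLMSSP\x00"                           # start of every NTLM message

# Constructed, truncated sample tokens: enough bytes to classify, not real tickets.
SAMPLE_NTLM = "Negotiate " + base64.b64encode(NTLM_SIG + b"\x01\x00\x00\x00").decode()
SAMPLE_KRB = "Negotiate " + base64.b64encode(
    b"\x60\x82\x05\x00" + SPNEGO_OID + b"\xa0\x0d\x30\x0b" + KRB5_OID).decode()

def _skip_der_length(buf, pos):
    """Return the index just past the DER length field that starts at pos."""
    first = buf[pos]
    return pos + 1 if first < 0x80 else pos + 1 + (first & 0x7F)

def classify_negotiate(header_value):
    """Classify the token in an 'Authorization' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return "malformed"
    if token.startswith(NTLM_SIG):
        return "ntlm"                       # raw NTLM: no Kerberos ticket was sent
    if len(token) < 4 or token[0] != 0x60:  # 0x60 = GSS-API initial token tag
        return "unknown"
    body = token[_skip_der_length(token, 1):]
    if body.startswith(SPNEGO_OID):
        # SPNEGO wrapper: report which mechanism is carried inside it.
        if NTLM_SIG in body:
            return "spnego-ntlm"
        return "spnego-kerberos" if KRB5_OID in body else "spnego-other"
    if body.startswith(KRB5_OID):
        return "kerberos"
    return "unknown"

if __name__ == "__main__":
    for sample in (SAMPLE_NTLM, SAMPLE_KRB, "Basic dXNlcjpwdw=="):
        print(classify_negotiate(sample))
```

An `ntlm` or `spnego-ntlm` result points at the client side (not logged into the domain, missing or duplicate SPN, site not trusted for integrated authentication) rather than at the WebSphere configuration.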
  • 54. Security Assertion Markup Language: SAML is a protocol and process for exchanging authorisation and authentication data for a user between services and servers
  • 55. IdP (Identity Provider) Sp (Service Provider) Sp (Service Provider) Sp (Service Provider)
  • 56. No Passwords…..
 To Compromise
 To Expire
 Once a user has authenticated with the IdP they won’t be asked again
  • 57. SAML Example STEPS: 1. USER ATTEMPTS TO LOG IN TO A WEBSITE 2. USER IS REDIRECTED TO IDENTITY PROVIDER 3. IDENTITY PROVIDER REQUESTS AUTHENTICATION OR (IF USER IS LOGGED IN) RETURNS CREDENTIALS 4. USER IS REDIRECTED BACK TO ORIGINAL SITE WITH SAML ASSERTION ATTACHED 5. ORIGINAL SITE USES ITS SAML SERVICE PROVIDER TO CONFIRM SAML ASSERTION AND GRANT ACCESS
  • 58. Definitions ▪ IdP - Identity Provider (SSO) – ADFS (Active Directory Federation Services in Windows 2008 and Windows 2012) • SAML 2.0 only • can be combined with SPNEGO • Enhances Integrated Windows Authentication (IWA) – TFIM (Tivoli Federated Identity Manager) • SAML 1.1 and 2.0
  • 59. definitions ▪ SP - Service Provider – IBM WebSphere • By extension some applications installed under WebSphere – IBM Domino (web federated login) – IBM Notes (requires ID Vault) (notes federated login)
  • 60. More Definitions ▪ IdP (Identity Providers) use HTTP or SOAP to communicate to SP (Service Providers) via XML based assertions
 ▪ Assertions have three roles – Authentication – Authorisation – Retrieving Attributes
  • 61. An IdP can service many service providers A SP can be connected to several IdPs An IdP can use a variety of authentication methods including multi factor
  • 62. Setting Up SAML ▪ Choose your IdP if you don’t already have one – which fits best in your business ▪ Build the IdP ▪ Configure the SP ▪ Sounds easy doesn’t it? – It’s really not easy by any means but it is worth the investment in time
  • 63. SAML Support In Connections ▪ WebSphere supports SAML but that doesn’t mean all applications run under WebSphere support it ▪ Where SAML is configured for authentication and can’t be used by an external application, WebSphere can generate a LTPA token ▪ FileNet / CCM does not support SAML ▪ Metrics/Cognos can’t run in a SAML enabled cell and must be deployed in its own cell with LTPA ▪ Connections Mail, Desktop and Mobile applications cannot use SAML ▪ Browser access to the rest of the Connections applications (homepage, profiles, activities, communities etc) is supported
  • 64. IBM PreApproval Process - SAML Isn’t Supported Without It ▪ SAML integration with IBM Connections is supported in specific circumstances ▪ WebSphere supports SAML but that doesn’t mean all applications that run under WebSphere do ▪ Specific configuration instructions and fixes are only available from IBM Support once pre-approval has been completed ▪ The pre-approval process is a questionnaire that must be completed and submitted to IBM so support can evaluate if your environment can be supported – IBM will also advise the best deployment for SAML to meet your needs – There is no one size fits all solution
  • 65. Configuring SAML With IBM Connections ▪ There are two methods for configuring SAML with IBM Connections ▪ For both, the IdPs (Identity Providers) tested are ADFS and TFIM – Those are the IdPs publicly documented for WebSphere – That’s not to say other IdPs wouldn’t be supported if accepted for pre-approval ▪ WebSphere acts as a SP (service provider) and configuration is completed in the cell under Global Security – This means SAML instructions are applied to all applications in the cell ▪ SAML can be deployed using WebSphere’s default authenticator or using SAML redirection – Using default authenticator gives more scope for external applications – IBM will advise the best deployment based on your completed questionnaire
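An added example (not from the slides and not IBM's code) of the checks behind step 5 of the SAML flow and the three assertion roles on slide 60: confirm issuer, validity window and audience, then report which roles the assertion carries. It assumes the XML signature has already been verified by a SAML library; the hosts and the sample assertion are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLES = {"AuthnStatement": "authentication", "AttributeStatement": "attributes",
         "AuthzDecisionStatement": "authorisation"}

# Constructed sample assertion (unsigned, hypothetical hosts), not from the page.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Issuer>https://idp.example.com/adfs</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2015-01-26T09:59:00Z" NotOnOrAfter="2015-01-26T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://connections.example.com/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2015-01-26T10:00:00Z"/>
  <saml:AttributeStatement><saml:Attribute Name="mail">
    <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, trusted_issuer, audience, now):
    """Return (problems, roles) for one SAML 2.0 assertion; signature NOT checked here."""
    # For untrusted input, parse with a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    problems = []
    if root.findtext("saml:Issuer", "", NS).strip() != trusted_issuer:
        problems.append("untrusted issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no conditions")
    else:
        if "NotBefore" in cond.attrib and now < _ts(cond.get("NotBefore")):
            problems.append("not yet valid")
        # A missing upper bound is treated the same as an expired assertion.
        if "NotOnOrAfter" not in cond.attrib or now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("expired")
        audiences = [a.text.strip() for a in cond.iterfind(".//saml:Audience", NS) if a.text]
        if audience not in audiences:
            problems.append("wrong audience")
    # Map each statement element to the role it plays (slide 60).
    roles = sorted({ROLES[c.tag.split("}")[-1]] for c in root
                    if c.tag.split("}")[-1] in ROLES})
    return problems, roles
```

Access is granted only when the problem list is empty; the audience check is what stops an assertion issued for one service provider being replayed at another that trusts the same IdP.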
  • 66. Where To From Here? ▪ Who are your users ▪ Where are your users ▪ What do they want to do ▪ Clouds vs On Premises ▪ Simplify Architecture But Build for Growth ▪ Have a Plan
  • 67. Questions? ▪ Gab Davis - Technical Director ▪ The Turtle Partnership ▪ gabriella@turtlepartnership.com ▪ GabriellaDavis on Skype ▪ gabturtle on twitter
  • 68. Engage Online ▪ SocialBiz User Group socialbizug.org – Join the epicenter of Notes and Collaboration user groups ▪ Social Business Insights blog ibm.com/blogs/socialbusiness – Read and engage with our bloggers ▪ Follow us on Twitter – @IBMConnect and @IBMSocialBiz ▪ LinkedIn http://bit.ly/SBComm – Participate in the IBM Social Business group on LinkedIn ▪ Facebook https://www.facebook.com/IBMConnected – Like IBM Social Business on Facebook