290 Enterprise Business Portals with IBM Tivoli Access Manager
Since there is not a comparable plug-in available for Domino as there is for
WebSphere Application Server and Access Manager, the access control
database in Domino is left in place. Access Manager handles the coarse-grained
decisions on the Is this user allowed to contact the Domino server? level.
In other respects, this solution fully utilizes the existing security architecture. No
additional components or services need to be installed.
11.5 Implementation architecture
As all employee mail is located on Domino servers, the Lotus Domino Mail
Server is the logical way to allow Web-based access to e-mail for employees.
The Access Manager base architecture, created for the WebSphere Application
Server integration, can handle the business needs and security implications of
opening Lotus Domino for Web-based access without the need for further
customization. For Lotus Domino integration, the following things need to be
򐂰 Providing single sign-on
There are two different approaches to provide a single sign-on solution, which
are discussed in 11.5.1, Global sign-on (GSO) approach on page 290, and
11.5.2, Dummy password approach on page 294. For this project, the
dummy password method was selected, due to easier maintenance and
better performance implications.
򐂰 Delegating access control
As stated in the requirements, Lotus Domino has its own access control lists
already in place and there remains the need to manage them for Notes
client-based access. Therefore, Access Manager should be configured to
only pass on requests from users allowed to access Domino, with more
fine-grained control residing on the Domino server.
11.5.1 Global sign-on (GSO) approach
This approach uses the global sign-on feature of Access Manager to allow a
mapping of user names and passwords between Access Manager WebSEAL
and back-end servers.
In this section we discuss the implications of the GSO method particular to this
scenario. To get a broader and more detailed understanding on the GSO
method, see the
Tivoli Access Manager for e-Business WebSEAL
Administration Guide Version 3.9,
GC23-4682, and Chapter 5, Authentication
and delegation with Access Manager on page 97.
Chapter 11. Web mail integration 291
Let us assume that your Access Manager user name/password combination is
pduser1/pdpass1, and your Lotus Domino Internet user name/password
combination is lnuser1/lnpass1.
Every time pduser1 requests a page from Lotus Domino, Access Manager
realizes that the Domino junction is a GSO junction, and it retrieves pduser1s
user name and password for the Domino GSO resource by consolidating its user
directory (in this case, LDAP). It sends this credential (lnuser1/lnpass1) to the
Domino server in the basic authentication header.
For a simple representation of GSOs operation, see Figure 11-1.
Figure 11-1 A simple GSO example
To implement this solution, follow these steps:
1. Configure a GSO junction and add it as a GSO resource to Access Manager.
2. Create a script that will copy the Domino user names as GSO mappings for
respective Access Manager users.
3. Find out all the Domino passwords and add them as GSO mappings to the
respective Access Manager users. Alternatively, create a script that rewrites
the password in Domino and the Access Manager GSO mapping to be the
Authenticated HTTP request
Query LDAP for
user's Notes
userID and
Returned page
Reply with
user's Notes
userID and
HTTP request with Notes userID
and password
Returned page

Get Enterprise Business Portals with IBM Tivoli Access Manager now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.