Connect 2013 show101 making ibm traveler high available_part2_extending and securing the network

© 2013 IBM Corporation
SHOW101
Making IBM Traveler High Available –
Part 2:
Extending And Securing The Network
René Winkelmeyer | midpoints GmbH
Detlev Pöttgen | midpoints GmbH

2 © 2013 IBM Corporation
About us
 René Winkelmeyer
 Senior Consultant at midpoints GmbH
IBM Advanced Business Partner from Germany
http://www.midpoints.de
 Specialized in RCP development, XPages
development and building mobile infrastructures
 IBM Design Partner for Notes/Domino Next and Mobile
 OpenNTF Contributor
─ File Navigator (http://filenavigator.openntf.org)
─ Generic NSF View Widget for IBM Connections

About us
 Detlev Pöttgen
 Co-Founder and CTO of midpoints GmbH
IBM Advanced Business Partner from Germany
http://www.midpoints.de
 Specialized in Domino & IMC Administration and
building mobile infrastructures
 IBM Design Partner for Notes/Domino Next and Mobile

How to get in touch with us?
 René
─ Mail: rene.winkelmeyer@midpoints.de / mail@winkelmeyer.com
─ Blog: http://www.midpoints.de / http://blog.winkelmeyer.com
─ Skype: muenzpraeger
─ Twitter: muenzpraeger
─ LinkedIn: http://de.linkedin.com/in/muenzpraeger
─ XING: https://www.xing.com/profile/Rene_Winkelmeyer
─ Slideshare: http://www.slideshare.net/muenzpraeger
─ G+: http://www.winkelmeyer.com/+
 Detlev
─ Mail: detlev.poettgen@midpoints.de
─ Blog: http://www.netzgoetter.de
─ Twitter: netzgoetter
─ LinkedIn: http://de.linkedin.com/in/netzgoetter
─ XING: https://www.xing.com/profile/Detlev_Poettgen

Legal first!
 This slide presentation may contain the following copyrighted, trademarked
and/or restricted terms:
─ IBM® DB2®, IBM® Domino®, IBM® Notes®, IBM® WebSphere®, Microsoft® Windows®,
Linux®

Agenda
 High Availability in the context of IBM Notes Traveler
 Using IBM WebSphere Edge Components as Load Balancer
 Using IBM Mobile Connect as Reverse Proxy
 Additional Notes
 Q & A

Agenda
 Q & A

High Availability in the context of IBM Notes Traveler

High Availability in the context of IBM Notes Traveler
 See SHOW100 for this.

Agenda
 Q & A

Agenda – Using WebSphere Edge Components
 What is WebSphere Edge Components?
 Preparing the environment – Operating System, DNS, Software
 Installation of IBM Installation Manager
 Installation of IBM WebSphere Edge Components
 Configuration of IBM WebSphere Edge Components Load Balancing
 Configuration of the backend IBM Notes Traveler servers

What is WebSphere Edge Components?
 IBM WebSphere Edge Components is a set of networking tools. The set contains
─ Network Dispatcher (aka Load Balancer), optional with Content Distribution
─ Caching Proxy
 In this session we'll use the Load Balancing component.

What is WebSphere Edge Components?

Preparing the environment – Operating System
 The demo system runs a newly fresh installed CentOS 6.3 64bit.
 The installation and administration is done in graphical mode. A console mode is
also available, but we are preferring a GUI for demoing purposes.

Preparing the environment – DNS
 The IP-based communication between all components is based on DNS
(Domain Name System).
 When talking about DNS I assume that you're running a real DNS server in your
company.
 For the demo system all used DNS names are mapped via the Linux hosts files.
─ Edge: mobile-edge.curi0.us / edge1.curi0.us / edge2.curi0.us
─ Traveler: traveler1.curi0.us / traveler2.curi0.us

Preparing the environment – DNS (locals hosts editing)
 Open your favorite shell and open the the local hosts file using a text editor like
“vi” or “vim” (depends on how hardcore you're)

Preparing the environment – DNS (locals hosts editing)
 Change the settings as needed for your environment. Use “i” as key to start
inserting text.
 Save the modifications using the key combination “ESC” and then “wq!” (== save
and close)
 Check the modifications using ping

Preparing the environment – Software
 For the installation of the IBM WebSphere Edge Components you have to
download the appropriate package from the IBM Passport Advantage website.
 The following packages/part numbers are available for the WebSphere Network
Deployment of the Edge Components Load Balancer:
─ CI3HKML (Part 1/3)
─ CI3HLML (Part 2/3)
─ CI3HMML (Part 3/3)
 Save the package to /tmp/downloads/ibm/was_edge

Preparing the environment – Software
 In addition you'll need the IBM Installation Manager (former Rational Installation
Manager) to install the WebSphere Edge Components.
 As we're installing V8.5 of the Edge Components you'll need to use the most
current IBM Installation Manager 1.6.1.
─ Download can be found here:
http://www-
947.ibm.com/support/entry/portal/Recommended_fix/Software/Rational/IBM_Installation_Manag
er

Preparing the environment –
Download of IBM Installation Manager
 Following the previous shown link you'll be directed to a list of available
download links. Click on the link for the “Installation Manager and Packaging
Utility download links”

 On the newly shown website you'll a list of available versions. Click the link for
the “Installation Manager” in the most current (in our case 1.6.1) version.

 Now select the link (FC) for your operating system.

 You'll be redirected to the Fix Central. Select the package and click “Continue” to
proceed.

 Now you can download the installation package. Save it in
/tmp/downloads/ibm/installation_manager.

Installation of IBM Installation Manager
 Login as user “root” and start the File Browser (Nautilus in our case)

 Navigate to the directory /tmp/downloads/ibm/installation_manager and start the
installation with a double click on the install executable

 Proceed with “Next”

 Accept the license terms and proceed with “Next”.

 Leave the installation directory as defined and proceed with “Next”.

 Proceed with “Install” to start the installation of the IBM Installation Manager.

 Finish the installation with “Restart Installation Manager”.

Installation of WebSphere Edge Components
 The IBM Installation Manager allows to install, update or remove IBM products.
As we're installing a new product select “Install”.

 The IBM Installation Manager can install software from varying repositories:
─ Local files
─ HTTP site
─ Passport Advantage
 As we don't want to rely on an internet connection we'll use a local file repository.
The next slides are showing how to setup a new one.

 Selecte the “Repositories” link.

 Now select “Repositories” in the left menu and then “Add Repository...” on the
right side.

 This will show an empty file dialog. Select “Browse” to open the file manager.

 Navigate to the directory /tmp/downloads/ibm/was_edge/disk1. Select the file
“diskTag.inf” and confirm the selection with “OK”.

 Confirm the selection with “OK”.

 Press “Test Connections” to verify the successful setup of the repository.

 You'll see this dialog if all repositories have been verified. Close the dialog with
“OK”.

 Close the preferences with “OK”.

 Closing the preferences will automatically launch the installation/selection dialog
for the available software.

 Proceed with “Next”.

 Accept the license terms and proceed with “Next”.

 As it's a new installation of the IBM Installation Manager some shared resources
need to be installed. Leave the directory settings as they are and proceed with
“Next”.

 If needed you can select more languages. Proceed with “Next”.

 Leave the predefined selection (no Metric Server) and proceed with “Next”.

 Start the installation with a click on “Install”.

 We want to start directly, so click on finish (that'll start the Load Balancer
Administration Console).

Configuration of WebSphere Edge Components Load Balancing
 The automatic startup lauches the Load Balancer configuration GUI.

 Select “Dispatcher” in the left menu tree.

 Make a right click on “Dispatcher” and select “Start Configuration Wizard”. That'll
start the configuration dialog.

 Check the preconditions – the setup won't work if you don't respect them.

 As we're on Linux => start the server. You won't get a direct feedback!

 Check if the local hostname is correct and proceed with a click on “Update
Configuration & Continue”.

 Add the Cluster name. It needs to be equal to the URL which the clients are
using, in our case “mobile-edge.curi0.us”. Proceed with “Update Configuration &
Continue”.

 Check if the cluster has been added successfully. Then proceed with “Next”.

 Now we need to set the port which will be used by the clients. The default is set
to “80”.

 Change the value to “443” as we'll run HTTPS. Proceed with “Update
Configuration & Continue”.

 Check if the port has been added successfully. Proceed with “Next”.

 Now we need to add the server names of the used backend servers (here: the
Traveler servers). Click on “Add a server”.

 Enter the first server name, in our case “traveler1.curi0.us”. Proceed with “Next”.

 Check if the server name has been added successfully. Click on “Add a server”
to add the second server.

 Enter the second server name, in our case “traveler2.curi0.us”. Proceed with
“Next”.

 Check if the server name has been added successfully. Click on “Update
Configuration & Continue” to proceed.

 We need to start an Advisor as we want the Traveler servers to be monitored.
Enter “HTTPS” as the Advisor name and proceed with “Update Configuration &
Continue”.

 Check if the Advisor has been started successfully. Proceed with “Next”.

 The cluster's IP address needs to be set on the backend servers. Select your
operating system (here: Linux) and click on “View Loopback Instructions” to show
the instructions.

 Excursion / Repeat – read it often:
─ To work properly the cluster's IP address needs to be added to the local loopback adapter of the
application servers.
 That means: add the Edge servers IP address to the local loopback adapter of
each Traveler server.

 Read the configuration settings (better: write them down). Click “Exit” to close the
information dialog.

 Done – the Edge server is ready. Click on “Exit” to proceed.

 Close the confirmation dialog with “Yes”.

 Right click on “Dispatcher” and select “Connect to Host...” to see the configured
Load Balancer.

 You now can see, configure and manage the Load Balancer. Done!

82 © 20 1 3 IBM Corporation

Configuration of the backend IBM Notes Traveler servers
 As previous stated you'll have to add the WebSphere Edge's cluster address to
each (repeat: each) backend server.

Agenda
 Q & A

Agenda – Using IBM Mobile Connect
 What is IBM Mobile Connect?
 Installation of DB2
 Installation of IBM Mobile Connect
 Configuration of IBM Mobile Connect Connection Profiles
 Configuring Domino LDAP and SSL
 Configuring IBM Mobile Connect SSL
 Configuring IBM Mobile Connect HTTP Access Services
 Configuring Domino-SSO via LTPA-Token
 Configuring IBM Notes Traveler

Agenda

What is IBM Mobile Connect?

 Connection Manager (server-side)
─ Software that runs on the server and controls access to enterprise resources Support for IP and
non-IP network protocols
─ Mobile Network Connections (MNC) for combinations of public/private networks
 Distributed Administration (“Gatekeeper”)
─ Java based administrator console that can run on various platforms Policy Management is an
integral part of Administration
 Mobility Client (client-side)
─ Software that runs on the mobile device and interfaces to Connection Manager Mobility Client
authenticates and establishes VPN with Connection Manager Includes toolkit for creating
network-aware applications
 HTTP Access (client-less)
─ HTTP access services provide a SSL secured tunnel for HTTP communication to any HTTP
Version 1.1 application

Agenda

Preparing the environment – Operating System, DNS, Software
 The session's demo installation of IBM DB2 and IBM Mobile Connect runs on
SUSE Linux Enterprise Server (SLES) 11.
 All components (IBM DB2®, IBM Mobile Connect®, IBM Domino®) are running
for demo purposes on the same machine – for a production environment it is
highly recommended to install the components on separate machines.
 All DNS settings are referring to the same physical IP. You should use your
companies DNS.
 The demo system doesn't use a firewall as all communication happens locally.

Preparing the environment – Operating System
 The demo system runs a newly fresh installed SUSE Linux Enterprise Server
(SLES) 11.
 The installation of DB2 requires an installed X-Windows system like KDE or
Gnome (the last one is used here).
 Furthermore you need a working Korn Shell (ksh) on the Linux system. It is
required by the IBM Mobile Connect installation.

Preparing the environment – DNS
 The IP-based communication between all components is based on DNS
(Domain Name System).
 When talking about DNS we assume that you're running a real DNS server in
your company.
 For the demo system all used DNS names are mapped to the local IP address
via the Linux hosts file.
─ DB2: db2-imc.curi0.us
─ IBM Mobile Connect: imc1.curi0.us
─ Traveler: traveler1.curi0.us / traveler2.curi0.us
─ External Single URL: mobile.curi0.us
 Never ever give the local loopback adapter (127.0.0.1) an alias! That will lead to
errors during the installation process!

Preparing the environment – DNS (local hosts editing)
 Open your favorite shell (like the Gnome Terminal).
 Open the local hosts file using a text editor like “vi”.

Preparing the environment – DNS (local hosts editing)
 Modify the name settings for the used DNS names (key “i” for inserting).
 Save the modifications using the key combination “ESC” and then “wq!” (== save
and close).
 Check the modifications using ping.
127.0.0.1 localhost
192.168.100.50 imc1.curi0.us imc1
192.168.100.50 db2-imc.curi0.us
192.168.100.51 traveler1.curi0.us
192.168.100.52 traveler2.curi0.us
192.168.100.50 mobile.curi0.us

Preparing the environment – DNS (local name resolving)
 The server needs to be able to to resolve it's simple name. If the machines name
is “imc1.curi0.us” the name “imc1” needs to be pinged.
 If that's not possible the installations of DB2 and IBM Mobile Connect won't work!

Preparing the environment – Software (DB2)
 First you need DB2 (any edition, we're using DB2 Express-C 10.1.2).
 You can download DB2 Express-C via this URL.
http://www-01.ibm.com/software/data/db2/express/download.html
 Choose the package which is appropriate for the used operating system – in our
case for Linux x86 - 64 Bit.
 Save the package to /root/install/db2

Preparing the environment – Software (IBM Mobile Connect)
 Then download the two IBM Mobile Connect installation packages from Passport
Advantage.
 The product numbers are
“CID7DML_connection_manager.tar” and
“CID79ML_Gatekeeper.tar”
 Save the package to /root/install/imc

Preparing the environment – Software (Domino & Traveler)
 Besides DB2 and IBM Mobile Connect you'll need one or two running IBM
Domino servers and two or more IBM Notes Traveler server. We're not
describing here how to setup Domino and Traveler – that was part of SHOW100.

Agenda

Installation of DB2
 Logon to the Linux system as user “root”
 Open your favorite shell (like the “Gnome Terminal”)

Installation of DB2
 Change to the directory “/root/install/db2”
 Unpack the downloaded DB2 installation package using “tar” (you may use the
additional “v” parameter for getting a verbose output of the unpacking)

Installation of DB2
 Switch to the extracted DB2 installation folder expc.
 Launch the db2setup (please remember: you need X-Window for this!)

Installation of DB2
 The startup screen (aka “DB2 Setup Launchpad”) shows up.

Installation of DB2
 Choose “Install a product” and select “Install New”.

Installation of DB2
 Click “Next” to step over to the License Agreement Dialog.

Installation of DB2
 Click “Next” to step over to the License Agreement Dialog. After you've read and
accepted it (click the radio button) click on “Next” to proceed.

Installation of DB2
 Select “Custom” as the installation type and proceed with “Next”.

Installation of DB2
 Save the installation details in a response file (good practice!) and proceed with
“Next”.

Installation of DB2
 Deselect “Getting started” from the feature list and proceed with “Next” (that will
accept the default installation location “/opt/ibm/db2/V10.1”).

Installation of DB2
 Optional: choose an additional language (we don't prefer any other language
then English, even as we're German) and proceed with “Next”.

Installation of DB2
 Leave the default value for the location of the DB2 Information center and
proceed with “Next”.

Installation of DB2
 Enter the credentials for the DB2 administrator “dasusr1” and proceed with
“Next”. This step will setup a new Linux user including home directory.

Installation of DB2
 Leave the default value to create a new DB2 instance and proceed with “Next”.

Installation of DB2
 Enter the credentials for the DB2 instance owner “db2inst1” and proceed with

Installation of DB2
 Enter the credentials for the DB2 fenced user “db2fenc1” and proceed with

Installation of DB2
 Create a TCP/IP configuration for DB2 to allow access from external hosts on
port 50001. Leave the autostart checkbox as it is and proceed with “Next”.

Installation of DB2
 Optional: Setup notifications from DB2. As we don't need it here deselect it and
proceed with “Next”.

Installation of DB2
 Check the setup instructions in the setup dialog and finish the installation with
“Finish”.

Installation of DB2
 You'll see a progress dialog during the installation process in a separate window.

Installation of DB2
 Done!

Installation of DB2
 You can validate the successful installation in various ways
─ Check the installation log located in /tmp/db2setup.log
─ Login to DB2 with the db2inst1 user
─ Run the DB2 validation tool

Agenda
 Configuring Notes Traveler

Installation of IBM Mobile Connect – Connection Manager

 Change to the directory “/root/install/imc”
 Unpack the downloaded IBM Mobile Connect installation package of the
Connection Manager using “tar”.

 Display the extracted content using “ls”. There are two files:
./linux-gw-x86_64-image.tar.gz
./linux-gw-x86-image.tar.gz
 If you are running a 64-Bit Linux, then you should extract the linux-gw-x86_64-
image using “tar”.

 Switch to the inst.images Subfolder
 First you need to setup the IBM Mobile Connect Connection Manager. For that
issue the command “./install_wg” from within the sub-directory.

 Specify if you want to start the IBM Mobile Connect Connection Manager at
system startup. This setting defaults to “yes” (it is recommended to keep this
setting).

 The IBM Mobile Connect Connection Manager is installed within
/opt/ibm/ConnectionManager.
 Important: Ensure that the service “xinetd” is running on the machine on which
the IBM Mobile Connect Connection Manager is installed.
 Done!

Installation of IBM Mobile Connect – Gatekeeper

 Change to the directory “/root/install/imc”
 Unpack the downloaded IBM Mobile Connect installation package of the
Gatekeeper using “tar”.

 Change to the directory “/root/install/imc/pkglinux”
 If IBM Java JRE 7.0.2 isn't installed you need to install it. The needed installation
file is located within the extracted pkglinux subfolder.

 Now proceed with the installation of the IBM Mobile Connect Gatekeeper.

 The IBM Mobile Connect Gatekeeper is installed within the directory
/opt/ibm/Gatekeeper.
The installation also adds symbolic links within /usr/bin for the IBM Mobile
Connect Gatekeeper binaries.
 Done!

 Yes, we're running on Linux. But you have to restart the server. ;-)

Agenda

Configuration of IBM Mobile Connect
 The whole configuration of IBM Mobile Connect is done through the IBM Mobile
Connect Gatekeeper.
 Logon as the Linux user “root”.
 Open your favorite console (i. e. the “Gnome Terminal”).

 Start the IBM Mobile Connect Gatekeeper through issuing the command “wgcfg”
from the shell. That will start the application in the X-Window system.

Configuration of IBM Mobile Connect - Login profile
 At the very first startup IBM Mobile Connect has no configuration. You'll see an
empty login screen with no selection values for the so called “Login profile”.

 The IBM Mobile Connect Gatekeeper automatically prompts a dialog for the
creation of new Login profiles. In our case we're setting up a “non-secure” Login
profile through clicking on “Add Profile...”.

 In the “Add Login Profile” dialog we have to add two values
─ The Login profile name, which is the descriptive name for this profile. For the sake of simplicity
we're using the simple host name of the IBM Mobile Connect server.
─ The host name we want to connect to.
─ The port, which defaults to 9555, could be changed if needed. For our setup we don't need that.
 Finish the dialog through clicking the “OK” button.

 You'll see now the newly added profile in the Login Profile Details list.
 Close the dialog with “OK”.

Configuration of IBM Mobile Connect - Logging in
 Now select the profile “imc1” within the Login profile dropdown dialog.
 Additionally you have to enter the administrators credentials. For that use the
default login credentials which are available after any IBM Mobile Connect
installation.
─ User: gkadmin
─ Password: gk4admin (Default)
 Confirm the selection and credentials through clicking “Log In”.

Configuration of IBM Mobile Connect - Logging in
 “Accept” the upcoming license dialog to proceed.

Configuration of IBM Mobile Connect – First Setup
 Two Dialog Boxes will be opened. Close the Gatekeeper Help Window to start
the configuration.

 As we're using DB2 as the backend for IBM Mobile Connect you have to select
“An ODBC-compliant relational database”. Proceed with “Next”.

 In the upcoming dialog you have to enter the name of the DB2 instance and the
according home folder:
─ DB2 instance name: wgdb
─ DB2 instance home folder: /home/wgdb

 Now enter the administrative settings for this new DB2 database.
─ Database name: wgdata
─ Database management ID: db2inst1 (we're using the existing standard DB2 administrator)

 We may use the local path, but to have a real world scenario we're “remotely”
connecting to the DB2 instance.

 In the upcoming dialog you have to enter a base distinguished name (X.500
format) under which the configuration data will be stored. This name is case-
sensitive!
─ Base distinguished name: o=midpoints (your organization name, we will use midpoints here)
 Additionally you have to define how the data will be stored. Use the same data
storage as it is used for the session data.

 Now you have to define if administrators should be able to remotely connect to
the IBM Mobile Connect Connection Manager. It's recommended to allow this as
it makes administrators life somewhat easier.
─ Remote administrators may login with the user “gkadmin”.
 Dependant on the internal security policies an SSL based connection to the IBM
Mobile Connect Gatekeeper could be enforced. Here it's not needed so leave the
default selection (==disabled).

 Now enable the logging of all administrative actions and proceed with “Next”.

 The last wizard screen confirms that all settings for the initial setup of this IBM
Mobile Connect Connection Manager have been setup. Proceed the setup
through clicking “Finish”.
 The IBM Mobile Connect Gatekeeper now setups the database and the initial
IBM Mobile Connect Connection Manager resources. This may take a while.

Agenda

Configuring Domino authentication
 Authentication profiles in IBM Mobile Connect could be setup to use LDAP
binding for HTTP access services and connection profiles.
 IBM Domino may serve as a Directory Service provider for LDAP so we're going
to leverage that built-in functionality.
 As mentioned in the prerequisites we're running a newly fresh installed IBM
Domino server without any special configuration. The following slides will show
the steps which are needed to setup IBM Domino as a LDAP Directory provider.

Configuring Domino authentication – LDAP setup
 At first you have to create a technical user which will be used by IBM Mobile
Connect to make authenticated LDAP lookups.
 As this technical user doesn't need to have a Notes id file it is sufficient to create
a new person document with HTTP password.

 Open the Domino Directory of the IBM Domino Server and switch to the
“Peoples” view.
 Use the action button “Add Person” to create a new person document.

 Enter a first and a last name for the user. Adding a hierarchical full name is
recommended as a good practice. And please honor the IBM Domino naming
conventions!
─ First name: &lmc
─ Last name: &ldaplookup
─ Full name: &lmc &ldaplookup/tech/midpoints

 The technical user needs a HTTP password. For that click on the “Enter
Password” button which is located on the “Basics” tab.
 In the upcoming dialog box enter the password “ld4pl00kup” and confirm with the
“OK” button.

 Check if the HTTP password has been added to the person document. The
hashed value should be visible.
 Now save the created person document with the “Save & Close” button.

 Switch to the “All Server Documents” view in the Domino Directory. Here open
the servers document.

 You need to ensure that the previously created technical user has read access to
the Domino Directory.
 For that we're changing to the “Security” tab and check the “Access server” field.
Allowing all users listed in trusted directories is sufficient.

 Now set up the LDAP configuration for this server. The needed configuration can
be found within “Ports” => “Internet Ports” => “Directory”.

 From a security point of perspective you should disallow non-SSL LDAP access
and disable anonymous LDAP access.

 Save the modified server document with the “Save & Close” button.

 Create a new Program document for making sure that the LDAP task runs at
server startup .
 Go to the “Programs” view of the Domino Directory and create a new Program
document through clicking the “Add Program” button.

 In the newly created document set the values to startup the LDAP task at server
startup
─ Program name: LDAP
─ Enabled/disabled: At server startup only
 Click “Save & Close” to save the Program document.

Configuring Domino authentication – SSL setup
 As you've setup SSL-based usage of the LDAP Directory server you now need to
create SSL KeyRings for the Domino server.
 There are two kinds of certificates which can be used for that:
─ Certificates which are signed by an official SSL Certification Authority
─ Self-signed certificates
 For the internal usage it is sufficient to use a self-signed certificate.
 The creation of such a self-signed certificate can be done by using the “Server
Certificate Admin” Database.

 Press CTRL+N in the IBM Lotus Notes client opens the “New Application” dialog.
─ Create the database locally.
─ Enter a descriptive title and file name.
─ Select a Domino server (the template isn't
available on a Notes client.
─ Select the “Show advanced templates”
checkbox.
─ Scroll down to “Server Certificate Admin”
and click “OK”.

 Close the “About this database” tab (1) and go to the Server Certificate Admins
tab (2).

 Choose the “Create Key Ring with Self-Certified Certifcate” menu entry.

 Now you need to enter some values in the upcoming form.
 At first the file name and the password. It's a good practice to use the DNS host
name as file name, because that helps to distinguish if the Domino server uses
more than one SSL configuration.

 Second you need to enter the certificate details which will be used to create the
certificates hierarchical name.
─ Important: The common name of the certificate must be equal to the DNS name of the server.
 Last but not least you have to click the button “Create Key Ring with Self-Certified
Certificate” which is located at the bottom of the form.

 The certificate creation process creates two files within the root of the Notes
clients data directory.
─ KeyRing file: selfcert-traveler1.kyr
─ Stash file: selfcert-traveler1.sth
 Copy both files from the Notes clients data directory into the data directory of the
Domino server.
 The next step will be to setup SSL on the Domino server.

 We're switching to the “All Server Documents” view in the Domino Directory.
Here we're opening the servers document.

 The configuration settings for SSL can be found within “Ports” => “Internet
Ports” .
 The “SSL key file name” must match the file name of the created keyring.

 The configuration settings for SSL can be found within “Ports” => “Internet
Ports” .
 Enable the HTTP-SSL Port – and disable the HTTP-Port!

 Now you need to start the LDAP and HTTP tasks to activate SSL for the Domino
server.
 For that use this commands via the Domino console:
─ Starting the LDAP task: load ldap
─ Starting the HTTP task: load http

Agenda

Configuring IBM Mobile Connect SSL
 The IBM Mobile Connect Connection Manager could be setup to use SSL in
various ways. For example we can use SSL for LDAP binding or for HTTP
Access Services.
 SSL configuration for IBM Mobile Connect is done by using the “IBM Key
Management” Tool which is contained in each IBM Mobile Connect installation.
The tools creates keyfiles in which the certificate public keys are stored. Those
keyfiles will be assigned to the corresponding IBM Mobile Connect Gatekeeper
resources.
 The format of the keyfiles is “Cryptographic Message Syntax” (CMS).
 For a production environment it is highly recommended to use certificates from
official Certificate Authorities. In our setup we're creating and using self-signed
certificates.

Configuration IBM Mobile Connect SSL

 Change to the directory “/opt/ibm/Gatekeeper”
 Start the “IBM Key Management” tool from the console.

 You'll see the empty screen of the IBM Key Management tool.

 Now you need to create a new key database file. For that select “Key Database
File” => “New”.

 As the format needs to be “Cryptographic Message Syntax” you have to select
“CMS” as the key database type.
 Choose a file name of your choice. It is recommended to choose an easy
recognizable file name.

 Enter the password “passw0rd” (or a password of your choice). As a stash file is
needed by IBM Mobile Connect you have to select the option “Stash the
password to a file?”. Finish the process with “OK”.

 Select “Personal Certificates” from the dropdown dialog.
 Then select “New Self-Signed...” to create a new self-signed certificate.

 Enter the values for the self-signed certificate. You need to ensure, that the
common name equals the external DNS name of the IBM Mobile Connect server.

 In the “Personal Certificates” section you'll see now the created certificate. The *
character indicates that it is a self-signed certificate.

 Select “Key Database File” from the action menu and click “Exit” to close the
“IBM Key Management” tool.

 If needed the login credentials for the super-user “gkadmin” may be changed at
this point. You don't need that for this setup, so we proceed with “No”.

 The setup process now proceeds with the setup of a new Connection Manager.
Click “Next” to start the setup.

 Entering a unique identifier for this Connection Manager configuration. Using the
full qualified hostname is a good practice at this point.
─ Connection manager identifier: imc.curi0.us

 The next screen displays the primary organizational unit. As it's a new
configuration there is (currently) nothing to do. Proceed with “Next”.

 The setup of the first Connection Manager can now be finished. Click “Finish” to
proceed. The process may take some time.

 The Connection Manager is now created. Next we get asked, if we need a HTTP
Access Service. We need this one for IBM Notes Traveler, so choose “Yes”.

 The external URL (the so called Service URL) the IMC-HTTP Service should
listen to is https://mobile.curi0.us.

 The Application server URL are the internal Traveler Server hostnames, using
this syntax:
TRAVELER https://traveler1.curi0.us,TRAVELER https://traveler2.curi0.us
 The Authentication Profile and SSO will be configured later.

 Choose “Finish” to create the HTTP Access Service.

 The setup process now asks, if we want to setup a Mobile Access Service. That's
needed if you want to use IMC as a VPN Gateway.
We only want to use the HTTP Access Service as a Secure Reverse Proxy for
connecting IBM Notes Traveler. So choose “No”.

 We are using LDAP for User authentication. So will need no further Connection
Manager Accounts. Click “No” to proceed.

 We would like to start the Connection Manager, so choose “Yes”

 The Connection Manager will start after choosing “OK”.

 We are done!
 The Connection Manager is now up and running. To see what's configured using
the Setup Wizard switch from the Gatekeeper “Tasks”-Navigator to the
“Resources”-Navigator

 The “Resources” section shows the contents of the previously setup IBM Mobile
Connect Connection Manager (Node “imc1.curi0.us”).
 At the bottom of the “Mobile Connect” tree you'll see the created “http service”.

 You start and stop the Connection using the Gatekeeper Client.
For that select the name “imc1.curi0.us”, make a right-click and choose
“Shutdown”. The shutdown needs to be confirmed.

 You'll get a confirmation dialog for the shutdown.

 To check the successful shutdown right-click on the connections name and
select “Properties”.

 The right pane shows the properties of the Connection Manager. Scroll down on
the “Gateway” tab and check the state.

 To start the connection select the name “imc1.curi0.us” with a right-click and
choose “Startup”.
 You'll get a confirmation dialog for the startup then.

 As the previously opened property dialog doesn't refresh the Connection
Manager state automatically you need to close and reopen it.
 Click on the upper right marked “x” of the property dialog to close it.

 Right-click the connections name and select “Properties”.

 Scroll down on the “Gateway” tab and check the state. It must be “running”.

Agenda

Configuring IBM Mobile Connect - HTTP Access Services
 Now you'll setup a HTTP Access Service which will be used to authenticate via
the previously configured Domino LDAP. Furthermore the service will be used to
forward the data packets to the IBM Notes Traveler server.
 Containing steps of this procedure are
─ Setup of a Directory Server Resource
─ Setup of an Authentication Profile Resource
─ Setup of a HTTP Access Service Resources
─ Securing the HTTP Access Service with a SSL certificate
─ Setup of IBM Mobile Connect Single Sign-On (SSO)
─ Creation and export of a LTPA key file
─ Import of the LTPA key file into Domino

 The whole configuration of IBM Mobile Connect is done through the IBM Mobile
Connect Gatekeeper.
 Logon as the Linux user “root”.
 Open your favorite console (i. e. the “Gnome Terminal”).

 Start the IBM Mobile Connect Gatekeeper through issuing the command “wgcfg”
from the shell. That will start the application in the X-Window system.

 Right-click on the top-level resource entry and choose “Add resource” =>
“Directory Server”.

 Enter a descriptive name as the common name for this Directory server.
 Enter the hostname for the remote directory server.

 Set the default base distinguished name which should be used for LDAP
lookups. Leave that one empty if you don't want to restrict LDAP lookups for only
special organizations. Proceed with “Next”.

 In the next wizard screen you have to enter the LDAP setting according to the
Domino LDAP setup.
 First you have to set the used port. Default is 389 (unencrypted).
As you've configured LDAP over SSL on port 636 you need to enable “Use
secure connection” and point IMC to the Key-Database, which contains the
public keys of your Root CA used for your Domino SSL Server Key.

 Furthermore you have to enter the filepath and name of the key database file
which you've created with the “IBM Key Manager” tool.
─ Key database: /opt/ibm/ConnectionManager/imc-mobile.kdb
─ Stash file: /opt/ibm/ConnectionManager/imc-mobile.sth

 Then you have to enter the username and password of the previously setup
technical user.
─ Name: cn=&lmc &ldaplookup,ou=tech,o=midpoints
─ Password: ld4pl00kup

 Select the primary organizational unit (o=midpoints) and click “Finish” to end the
setup of the Directory server.

 You'll now see a new “Directory services server definition” within the menu tree.

 If you have to change the LDAP configuration, you can double click the
“Directory services server definition” entry within the menu tree. Select your
configured LDAP Server and press “Properties”.
This is an optional information and mentioned for further re-configuration!

 Now you'll setup an Authentication Profile. This profile defines how IBM Mobile
Connect checks and validates users credentials.
 Right-click the main menu item and select “Add Resource” => “Authentication
Profile” => “LDAP-bind Authentication”.

 In the first wizard form you have to enter a common name for this profile, an
optional description and the passcode policy. Leave all other fields empty.
─ Unrestricted Policy defines that there is no limit for false entered passwords.

 Now select the Directory server which you've setup. For this installation you're
using the “uid” as key field for identifying a user.
 Leave the other fields as they are and proceed with “Next”.

 As Single-Sign-On for Domino should be used you have to enable the creation of
a LTPA token.
 Leave the other fields as they are and proceed with “Next”.

 Select the primary organizational unit (o=midpoints) and click “Finish” to end the
setup of the Authentication Profile.

 You'll now see a new “Authentication profile” within the menu tree.

 Now it's time to configure the HTTP Access Service Resource which has been
created initially.
Such a resource is responsible for forwarding inbound data traffic – after
successful authentication – to a backend system (in our case Domino/Traveler).
The new IBM Mobile Connect Version 6.1.5 is able to assign a single inbound
URL to one HTTP Access Service. The HTTP Access Service can forward the
request to multiple HTTP backend systems like Traveler, iNotes, Connections,
Sametime or a Domino based web application (i. e. XPages).
 You can setup additional HTTP Services, but then you'll need additional DNS
hostnames, SSL certificates and IP adresses.

 First we open our initially created HTTP Service Profile by double-clicking the
“http-service0” entry in the navigator.

The Service tab
 Check if the “Service URL” is configured.
This Service URL will be used on a device
to connect to Traveler.
 Enter the directory and file name of the key
database and the stash file we created earlier.
─ Key database:
/opt/ibm/ConnectionManager/imc-mobile.kdb
─ Stash file:
/opt/ibm/ConnectionManager/imc-mobile.sth

The Server tab
 The “Application server URL” defines the
backend systems to which requests are
getting forwarded.
─ The systems are separated by comma.
─ There are keywords to define the type
of the used backend system:
TRAVELER, CONNECTIONS, SAMETIME
INOTES
 For every Traveler Server in our HA Pool, we
need to add an entry:
TRAVELER https://traveler1.curi0.us,
TRAVELER https://traveler2.curi0.us

The Server tab
 The Scheduling algorithm defines how
load balancing and failover take place.
 We will setup an “Active / Passive failover”
where traveler1.curi0.us will be the defined
as the active server.

The Mode tab
 Switch to the “Mode” tab and change the
credential challenge type from
“Mobile Connect forms challenge” to
“HTTP 401 basic authorization challenge”.
 As Authentification Profile choose our
configured “Auth LDAP Traveler1” Profile.

The IBM Mobility tab
 By enabling the “IBM Notes Traveler integration”
checkbox IBM Mobile Connect knows that
requests to
/traveler or /servlet/traveler
are Traveler specific and will forward these
requests to the defined TRAVELER servers.
 Save your changes to the HTTP Service by
using the “Apply” and “OK” Button.
 You have to stop and restart the HTTP Service.

 The last setup step within IBM Mobile Connect Gatekeeper is now to create the
LTPA token for Single-Sign-On between IBM Mobile Connect and the backend
servers.
 For that you'll have to open the created Authentication Profile (double-click the
entry).

 Double-click the entry of the profile within the list in the right pane.
 Then switch to the “LTPA/SSO” tab.

 Define the settings for the LTPA/SSO connection.

 Now select the creation of new LTPA keys and enter the password
“ltp4p4ssw0rd” (the password should have 6-32 characters). This key will be
imported into Domino later on.
 Finish the creation with “Apply” (NOT “OK”).

 After the creation of the LTPA keys (you won't get a confirmation dialog) you'll
have to export them. Select “Export to keyfile” and enter the directory path
including the file name.
─ LTPA export keyfile name: /opt/ibm/ConnectionManager/ltpa.token
 Click “OK” to start the export.

Agenda

Configuring Domino-SSO via LTPA token
 Now you'll have to import the created LTPA token into the Domino Directory for
enabling Single-Sign-On between the IBM Mobile Connect Server and IBM
Domino.
 Switch to the “All Server Documents” view in the Domino Directory and click the
button “WebCreate Web SSO Configuration”.

 Now enter a name for this token configuration, your organization, the supported
DNS names and the Domino server which should use this token.

 Proceed now with importing the LTPA token. For that you have to click the button
“Keys...” and select “Import WebSphere LTPA Keys”.
 Enter the directory and file name of the LTPA token and confirm with “OK”.
 Save and close the Notes document.

 Goto “Internet Protocols...” => “Domino Web Engine”. Change the session
authentication type to “Multiple Servers (SSO)” and select the created SSO
configuration.
 Save and close the document.
 Restart the server.

Agenda

Configuring IBM Notes Traveler
 You've already completed 99% of the needed configuration.
─ Setting up HTTPS on the IBM Domino Server
─ Enabling Single-Sign-On between IBM Mobile Connect and IBM Domino
 The last step to complete this setup now is configuring IBM Notes Traveler.

 Switch to the “IBM Notes Traveler” tab.
 Enter the full qualified internet host name of the IBM Mobile Connect server +
“/traveler” as the external URL.
 Save and close the Notes document.
 Finished!

Agenda
 Q & A

Additional Notes
 We only scratched the surface of both products.
 You can built real cool environments with them
─ High Availability
─ Authentication
─ For a range of ICS products
 Just imagine...

Additional Notes

Agenda
 Q & A

Q & A
 Now and here
─ Get the mic!
 Later
─ Via any social media – see contact details at the beginning of this slide deck.
 (Updated) Slides will be on our blogs and on SlideShare.

Legal disclaimer
© IBM Corporation 2013. All Rights Reserved.
The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it
is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM
shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the
effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in
this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other
results.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others.

Connect 2013 show101 making ibm traveler high available_part2_extending and securing the network

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (11)

Similaire à Connect 2013 show101 making ibm traveler high available_part2_extending and securing the network

Similaire à Connect 2013 show101 making ibm traveler high available_part2_extending and securing the network (20)

Plus de a8us

Plus de a8us (18)

Dernier

Dernier (20)

Connect 2013 show101 making ibm traveler high available_part2_extending and securing the network