connect 2013 - making ibm traveler high available: extending and securing the network


Upload: rene-winkelmeyer

Post on 12-May-2015



TRANSCRIPT

Page 1: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network

© 2013 IBM Corporation

SHOW101 Making IBM Traveler High Available – Part 2: Extending And Securing The Network

René Winkelmeyer | midpoints GmbH

Detlev Pöttgen | midpoints GmbH

Page 2: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


About us

René Winkelmeyer

Senior Consultant at midpoints GmbH

IBM Advanced Business Partner from Germany – http://www.midpoints.de

Specialized in RCP development, XPages development and building mobile infrastructures

IBM Design Partner for Notes/Domino Next and Mobile

OpenNTF Contributor

─ File Navigator (http://filenavigator.openntf.org)

─ Generic NSF View Widget for IBM Connections

Page 3: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


About us

Detlev Pöttgen

Co-Founder and CTO of midpoints GmbH

IBM Advanced Business Partner from Germany – http://www.midpoints.de

Specialized in Domino & IMC administration and building mobile infrastructures

IBM Design Partner for Notes/Domino Next and Mobile

Page 4: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


How to get in touch with us?

René

─ Mail: [email protected] / [email protected]

─ Blog: http://www.midpoints.de / http://blog.winkelmeyer.com

─ Skype: muenzpraeger

─ Twitter: muenzpraeger

─ LinkedIn: http://de.linkedin.com/in/muenzpraeger

─ XING: https://www.xing.com/profile/Rene_Winkelmeyer

─ Slideshare: http://www.slideshare.net/muenzpraeger

─ G+: http://www.winkelmeyer.com/+

Detlev

─ Mail: [email protected]

─ Blog: http://www.netzgoetter.de

─ Twitter: netzgoetter

─ LinkedIn: http://de.linkedin.com/in/netzgoetter

─ XING: https://www.xing.com/profile/Detlev_Poettgen

Page 5: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Legal first!

This slide presentation may contain the following copyrighted, trademarked and/or restricted terms:

─ IBM® DB2®, IBM® Domino®, IBM® Notes®, IBM® WebSphere®, Microsoft® Windows®, Linux®

Page 6: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Agenda

High Availability in the context of IBM Notes Traveler

Using IBM WebSphere Edge Components as Load Balancer

Using IBM Mobile Connect as Reverse Proxy

Additional Notes

Q & A

Page 7: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Agenda

High Availability in the context of IBM Notes Traveler

Using IBM WebSphere Edge Components as Load Balancer

Using IBM Mobile Connect as Reverse Proxy

Additional Notes

Q & A

Page 8: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


High Availability in the context of IBM Notes Traveler

Page 9: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


High Availability in the context of IBM Notes Traveler

See SHOW100 for this.

Page 10: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Agenda

High Availability in the context of IBM Notes Traveler

Using IBM WebSphere Edge Components as Load Balancer

Using IBM Mobile Connect as Reverse Proxy

Additional Notes

Q & A

Page 11: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Agenda – Using WebSphere Edge Components

What is WebSphere Edge Components?

Preparing the environment – Operating System, DNS, Software

Installation of IBM Installation Manager

Installation of IBM WebSphere Edge Components

Configuration of IBM WebSphere Edge Components Load Balancing

Configuration of the backend IBM Notes Traveler servers

Page 12: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


What is WebSphere Edge Components?

IBM WebSphere Edge Components is a set of networking tools. The set contains:

─ Network Dispatcher (aka Load Balancer), optionally with Content Distribution

─ Caching Proxy

In this session we'll use the Load Balancing component.

Page 13: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


What is WebSphere Edge Components?

Page 14: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Agenda – Using WebSphere Edge Components

What is WebSphere Edge Components?

Preparing the environment – Operating System, DNS, Software

Installation of IBM Installation Manager

Installation of IBM WebSphere Edge Components

Configuration of IBM WebSphere Edge Components Load Balancing

Configuration of the backend IBM Notes Traveler servers

Page 15: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Preparing the environment – Operating System

The demo system runs a freshly installed CentOS 6.3 64-bit.

The installation and administration are done in graphical mode. A console mode is also available, but we prefer a GUI for demo purposes.

Page 16: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Preparing the environment – DNS

The IP-based communication between all components is based on DNS (Domain Name System).

When talking about DNS I assume that you're running a real DNS server in your company.

For the demo system all used DNS names are mapped via the Linux hosts file.

─ Edge: mobile-edge.curi0.us / edge1.curi0.us / edge2.curi0.us

─ Traveler: traveler1.curi0.us / traveler2.curi0.us

Page 17: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Preparing the environment – DNS (local hosts editing)

Open your favorite shell and open the local hosts file using a text editor like “vi” or “vim” (depends on how hardcore you are).

Page 18: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Preparing the environment – DNS (local hosts editing)

Change the settings as needed for your environment. Press “i” to start inserting text.

Save the modifications with “ESC” followed by “:wq!” (write and quit).

Check the modifications using ping

Page 19: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Preparing the environment – Software

For the installation of the IBM WebSphere Edge Components you have to download the appropriate package from the IBM Passport Advantage website.

The following packages/part numbers are available for the WebSphere Network Deployment of the Edge Components Load Balancer:

─ CI3HKML (Part 1/3)

─ CI3HLML (Part 2/3)

─ CI3HMML (Part 3/3)

Save the package to /tmp/downloads/ibm/was_edge

Page 20: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Preparing the environment – Software

In addition you'll need the IBM Installation Manager (formerly Rational Installation Manager) to install the WebSphere Edge Components.

As we're installing V8.5 of the Edge Components you'll need to use the most current IBM Installation Manager 1.6.1.

─ Download can be found here: http://www-947.ibm.com/support/entry/portal/Recommended_fix/Software/Rational/IBM_Installation_Manager

Page 21: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Preparing the environment – Download of IBM Installation Manager

Following the link shown above you'll be directed to a list of available download links. Click on the link for the “Installation Manager and Packaging Utility download links”.

Page 22: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Preparing the environment – Download of IBM Installation Manager

On the newly shown website you'll see a list of available versions. Click the link for the “Installation Manager” in the most current (in our case 1.6.1) version.

Page 23: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Preparing the environment – Download of IBM Installation Manager

Now select the link (FC) for your operating system.

Page 24: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Preparing the environment – Download of IBM Installation Manager

You'll be redirected to Fix Central. Select the package and click “Continue” to proceed.

Page 25: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Preparing the environment – Download of IBM Installation Manager

Now you can download the installation package. Save it in /tmp/downloads/ibm/installation_manager.

Page 26: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Agenda – Using WebSphere Edge Components

What is WebSphere Edge Components?

Preparing the environment – Operating System, DNS, Software

Installation of IBM Installation Manager

Installation of IBM WebSphere Edge Components

Configuration of IBM WebSphere Edge Components Load Balancing

Configuration of the backend IBM Notes Traveler servers

Page 27: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Installation of IBM Installation Manager

Login as user “root” and start the File Browser (Nautilus in our case)

Page 28: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Installation of IBM Installation Manager

Navigate to the directory /tmp/downloads/ibm/installation_manager and start the installation with a double click on the install executable

Page 29: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Installation of IBM Installation Manager

Proceed with “Next”

Page 30: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Installation of IBM Installation Manager

Accept the license terms and proceed with “Next”.

Page 31: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Installation of IBM Installation Manager

Leave the installation directory as defined and proceed with “Next”.

Page 32: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Installation of IBM Installation Manager

Proceed with “Install” to start the installation of the IBM Installation Manager.

Page 33: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Installation of IBM Installation Manager

Finish the installation with “Restart Installation Manager”.

Page 34: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Agenda – Using WebSphere Edge Components

What is WebSphere Edge Components?

Preparing the environment – Operating System, DNS, Software

Installation of IBM Installation Manager

Installation of IBM WebSphere Edge Components

Configuration of IBM WebSphere Edge Components Load Balancing

Page 35: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Installation of WebSphere Edge Components

The IBM Installation Manager allows you to install, update or remove IBM products. As we're installing a new product, select “Install”.

Page 36: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Installation of WebSphere Edge Components

The IBM Installation Manager can install software from various repositories:

─ Local files

─ HTTP site

─ Passport Advantage

As we don't want to rely on an internet connection we'll use a local file repository. The next slides are showing how to setup a new one.

Page 37: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Installation of WebSphere Edge Components

Select the “Repositories” link.

Page 38: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Installation of WebSphere Edge Components

Now select “Repositories” in the left menu and then “Add Repository...” on the right side.

Page 39: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Installation of WebSphere Edge Components

This will show an empty file dialog. Select “Browse” to open the file manager.

Page 40: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Installation of WebSphere Edge Components

Navigate to the directory /tmp/downloads/ibm/was_edge/disk1. Select the file “diskTag.inf” and confirm the selection with “OK”.

Page 41: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Installation of WebSphere Edge Components

Confirm the selection with “OK”.

Page 42: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Installation of WebSphere Edge Components

Press “Test Connections” to verify the successful setup of the repository.

Page 43: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Installation of WebSphere Edge Components

You'll see this dialog if all repositories have been verified. Close the dialog with “OK”.

Page 44: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Installation of WebSphere Edge Components

Close the preferences with “OK”.

Page 45: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Installation of WebSphere Edge Components

Closing the preferences will automatically launch the installation/selection dialog for the available software.

Page 46: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Installation of WebSphere Edge Components

Proceed with “Next”.

Page 47: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Installation of WebSphere Edge Components

Accept the license terms and proceed with “Next”.

Page 48: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Installation of WebSphere Edge Components

As it's a new installation of the IBM Installation Manager some shared resources need to be installed. Leave the directory settings as they are and proceed with “Next”.

Page 49: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Installation of WebSphere Edge Components

Proceed with “Next”.

Page 50: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Installation of WebSphere Edge Components

If needed you can select more languages. Proceed with “Next”.

Page 51: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Installation of WebSphere Edge Components

Leave the predefined selection (no Metric Server) and proceed with “Next”.

Page 52: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Installation of WebSphere Edge Components

Start the installation with a click on “Install”.

Page 53: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Installation of WebSphere Edge Components

We want to start directly, so click on “Finish” (that'll start the Load Balancer Administration Console).

Page 54: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Agenda – Using WebSphere Edge Components

What is WebSphere Edge Components?

Preparing the environment – Operating System, DNS, Software

Installation of IBM Installation Manager

Installation of IBM WebSphere Edge Components

Configuration of IBM WebSphere Edge Components Load Balancing

Configuration of the backend IBM Notes Traveler servers

Page 55: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Configuration of WebSphere Edge Components Load Balancing

The automatic startup launches the Load Balancer configuration GUI.

Page 56: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Configuration of WebSphere Edge Components Load Balancing

Select “Dispatcher” in the left menu tree.

Page 57: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Configuration of WebSphere Edge Components Load Balancing

Right-click on “Dispatcher” and select “Start Configuration Wizard”. That'll start the configuration dialog.

Page 58: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Configuration of WebSphere Edge Components Load Balancing

Proceed with “Next”.

Page 59: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Configuration of WebSphere Edge Components Load Balancing

Proceed with “Next”.

Page 60: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Configuration of WebSphere Edge Components Load Balancing

Check the preconditions – the setup won't work if you don't respect them.

Page 61: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Configuration of WebSphere Edge Components Load Balancing

As we're on Linux, start the server here. You won't get any direct feedback!

Page 62: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Configuration of WebSphere Edge Components Load Balancing

Check if the local hostname is correct and proceed with a click on “Update Configuration & Continue”.

Page 63: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Configuration of WebSphere Edge Components Load Balancing

Add the Cluster name. It needs to be equal to the URL which the clients are using, in our case “mobile-edge.curi0.us”. Proceed with “Update Configuration & Continue”.

Page 64: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Configuration of WebSphere Edge Components Load Balancing

Check if the cluster has been added successfully. Then proceed with “Next”.

Page 65: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Configuration of WebSphere Edge Components Load Balancing

Now we need to set the port which will be used by the clients. The default is set to “80”.

Page 66: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Configuration of WebSphere Edge Components Load Balancing

Change the value to “443” as we'll run HTTPS. Proceed with “Update Configuration & Continue”.

Page 67: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Configuration of WebSphere Edge Components Load Balancing

Check if the port has been added successfully. Proceed with “Next”.

Page 68: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Configuration of WebSphere Edge Components Load Balancing

Now we need to add the server names of the used backend servers (here: the Traveler servers). Click on “Add a server”.

Page 69: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Configuration of WebSphere Edge Components Load Balancing

Enter the first server name, in our case “traveler1.curi0.us”. Proceed with “Next”.

Page 70: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Configuration of WebSphere Edge Components Load Balancing

Check if the server name has been added successfully. Click on “Add a server” to add the second server.

Page 71: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Configuration of WebSphere Edge Components Load Balancing

Enter the second server name, in our case “traveler2.curi0.us”. Proceed with “Next”.

Page 72: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Configuration of WebSphere Edge Components Load Balancing

Check if the server name has been added successfully. Click on “Update Configuration & Continue” to proceed.

Page 73: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Configuration of WebSphere Edge Components Load Balancing

We need to start an Advisor as we want the Traveler servers to be monitored. Enter “HTTPS” as the Advisor name and proceed with “Update Configuration & Continue”.

Page 74: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Configuration of WebSphere Edge Components Load Balancing

Check if the Advisor has been started successfully. Proceed with “Next”.
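The wizard steps on slides 63 to 74 can also be driven from the Load Balancer's dscontrol command line, which makes the setup repeatable and reviewable. The script below is an added example, not part of the original deck or of IBM's documentation. It assumes that dscontrol is on the PATH of the Edge server and that the command syntax matches the 8.5 command reference (check it against your installed version, in particular the “cluster configure” step, which the wizard performs for you); the names are the deck's own (mobile-edge.curi0.us, port 443, traveler1/traveler2.curi0.us). One point to keep in mind while reading it: the Dispatcher forwards packets without terminating TLS (which is why the cluster address has to live on each backend's loopback), so the certificate that clients and the HTTPS advisor see is the one installed on each Traveler server, and it must be valid for the cluster name.

```shell
#!/bin/sh
# Added example, not from the original deck: the dscontrol equivalent of the
# Dispatcher configuration wizard (slides 63-74). Assumptions: dscontrol is on
# PATH on the Edge server and the syntax matches the 8.5 command reference;
# verify it against your installed version. DRY_RUN=1 prints instead of executes.

LB_CLUSTER=${LB_CLUSTER:-mobile-edge.curi0.us}   # must equal the name clients use
LB_PORT=${LB_PORT:-443}                           # HTTPS, as on slide 66
LB_SERVERS=${LB_SERVERS:-"traveler1.curi0.us traveler2.curi0.us"}

# run CMD...: execute CMD, or print it when DRY_RUN=1 (to review the sequence).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# edge_lb_config: one cluster, one port, N backend servers, an HTTPS advisor.
# Prints each command when DRY_RUN=1, otherwise issues it to dscontrol.
edge_lb_config() {
  run dscontrol executor start                  # the packet-forwarding engine
  run dscontrol cluster add "$LB_CLUSTER"
  run dscontrol cluster configure "$LB_CLUSTER" # alias the cluster IP on the
                                                # Dispatcher NIC (assumed to match
                                                # what the wizard does)
  run dscontrol port add "$LB_CLUSTER:$LB_PORT"
  for s in $LB_SERVERS; do
    run dscontrol server add "$LB_CLUSTER:$LB_PORT:$s"
  done
  run dscontrol manager start                   # weights servers from advisor results
  run dscontrol advisor start https "$LB_PORT"  # the health check from slide 73
}

# Stand-alone use: `DRY_RUN=1 sh edge-lb.sh run` to review, `sh edge-lb.sh run`
# to apply. Without the argument the script only defines the functions.
if [ "${1:-}" = run ]; then edge_lb_config; fi
```

Review the DRY_RUN output before applying it; every server line must name a host that already aliases the cluster address on its loopback (slides 75 to 77), otherwise the advisor will mark it down the moment the cluster starts receiving traffic.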

Page 75: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Configuration of WebSphere Edge Components Load Balancing

The cluster's IP address needs to be set on the backend servers. Select your operating system (here: Linux) and click on “View Loopback Instructions” to show the instructions.

Page 76: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Configuration of WebSphere Edge Components Load Balancing

Excursion / Repeat – read it often:

─ To work properly the cluster's IP address needs to be added to the local loopback adapter of the application servers.

─ To work properly the cluster's IP address needs to be added to the local loopback adapter of the application servers.

─ To work properly the cluster's IP address needs to be added to the local loopback adapter of the application servers.

─ To work properly the cluster's IP address needs to be added to the local loopback adapter of the application servers.

─ To work properly the cluster's IP address needs to be added to the local loopback adapter of the application servers.

That means: add the Edge servers IP address to the local loopback adapter of each Traveler server.

Page 77: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Configuration of WebSphere Edge Components Load Balancing

Read the configuration settings (better: write them down). Click “Exit” to close the information dialog.

Page 78: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Configuration of WebSphere Edge Components Load Balancing

Done – the Edge server is ready. Click on “Exit” to proceed.

Page 79: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Configuration of WebSphere Edge Components Load Balancing

Close the confirmation dialog with “Yes”.

Page 80: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Configuration of WebSphere Edge Components Load Balancing

Right-click on “Dispatcher” and select “Connect to Host...” to see the configured Load Balancer.

Page 81: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Configuration of WebSphere Edge Components Load Balancing

You now can see, configure and manage the Load Balancer. Done!

Page 82: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Agenda – Using WebSphere Edge Components

What is WebSphere Edge Components?

Preparing the environment – Operating System, DNS, Software

Installation of IBM Installation Manager

Installation of IBM WebSphere Edge Components

Configuration of IBM WebSphere Edge Components Load Balancing

Configuration of the backend IBM Notes Traveler servers

Page 83: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Configuration of the backend IBM Notes Traveler servers

As previously stated, you'll have to add the WebSphere Edge cluster address to the loopback adapter of each (repeat: each) backend server.
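The loopback alias that slides 75, 76 and 83 insist on, as an added example that is not part of the deck: a small script for each Traveler server that adds the cluster address to lo, stops the kernel from answering ARP for it, and verifies both. The reason for the ARP part is the forwarding method the wizard sets up: the Dispatcher rewrites only the destination MAC address, so the backend must own the cluster IP locally but must never announce it, or it competes with the Dispatcher for the clients' packets. The cluster address 192.168.100.60 is an assumed demo value (the deck never states the IP behind mobile-edge.curi0.us), and the sysctl values are the ones commonly used for this setup; the wizard's “View Loopback Instructions” dialog is authoritative for your version.

```shell
#!/bin/sh
# Added example, not from the original deck: alias the Edge cluster address on
# the loopback adapter of a backend Traveler server and verify the result.
# With MAC forwarding the backend must own the cluster IP on lo but must not
# answer ARP for it. CLUSTER_IP below is an assumed demo value.
CLUSTER_IP=${CLUSTER_IP:-192.168.100.60}

# cluster_alias_present IP TEXT: TEXT is the output of `ip -o -4 addr show dev lo`;
# succeed when IP/32 is configured on lo.
cluster_alias_present() {
  printf '%s\n' "$2" |
    awk -v want="$1/32" '$3 == "inet" && $4 == want { found = 1 } END { exit !found }'
}

# arp_settings_ok ARP_IGNORE ARP_ANNOUNCE: the alias is only safe when the
# kernel does not reply to ARP for addresses that are not on the receiving
# interface (arp_ignore >= 1) and never uses the alias as ARP source
# (arp_announce == 2). Assumed values; confirm against the wizard's dialog.
arp_settings_ok() {
  [ "$1" -ge 1 ] 2>/dev/null && [ "$2" -eq 2 ] 2>/dev/null
}

# apply_cluster_alias IP: add the alias and the ARP suppression. Needs root and
# is not persistent; put the equivalent into the distribution's network config.
apply_cluster_alias() {
  ip addr add "$1/32" dev lo 2>/dev/null || true   # tolerate "already exists"
  sysctl -q -w net.ipv4.conf.all.arp_ignore=1 net.ipv4.conf.all.arp_announce=2
}

# verify_cluster_alias IP: run both checks against the live system.
verify_cluster_alias() {
  addrs=$(ip -o -4 addr show dev lo)
  ign=$(sysctl -n net.ipv4.conf.all.arp_ignore)
  ann=$(sysctl -n net.ipv4.conf.all.arp_announce)
  cluster_alias_present "$1" "$addrs" && arp_settings_ok "$ign" "$ann"
}

# Stand-alone use: `sh lo-alias.sh apply` then `sh lo-alias.sh verify`.
case "${1:-}" in
  apply)  apply_cluster_alias "$CLUSTER_IP" ;;
  verify) verify_cluster_alias "$CLUSTER_IP" && echo "loopback alias and ARP settings OK" ;;
esac
```

Run the verify step on every backend after each reboot until the settings are persisted; a server that still answers ARP for the cluster address silently steals traffic from the Dispatcher, which shows up as intermittent sync failures rather than a clean outage.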

Page 84: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Agenda

High Availability in the context of IBM Notes Traveler

Using IBM WebSphere Edge Components as Load Balancer

Using IBM Mobile Connect as Reverse Proxy

Additional Notes

Q & A

Page 85: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Agenda – Using IBM Mobile Connect

What is IBM Mobile Connect?

Preparing the environment – Operating System, DNS, Software

Installation of DB2

Installation of IBM Mobile Connect

Configuration of IBM Mobile Connect Connection Profiles

Configuring Domino LDAP and SSL

Configuring IBM Mobile Connect SSL

Configuring IBM Mobile Connect HTTP Access Services

Configuring Domino-SSO via LTPA-Token

Configuring IBM Notes Traveler

Page 86: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Agenda

What is IBM Mobile Connect?

Preparing the environment – Operating System, DNS, Software

Installation of DB2

Installation of IBM Mobile Connect

Configuration of IBM Mobile Connect Connection Profiles

Configuring Domino LDAP and SSL

Configuring IBM Mobile Connect SSL

Configuring IBM Mobile Connect HTTP Access Services

Configuring Domino-SSO via LTPA-Token

Configuring IBM Notes Traveler

Page 87: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


What is IBM Mobile Connect?

Page 88: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


What is IBM Mobile Connect?

Page 89: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


What is IBM Mobile Connect?

Page 90: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


What is IBM Mobile Connect?

Connection Manager (server-side)

─ Software that runs on the server and controls access to enterprise resources

─ Support for IP and non-IP network protocols

─ Mobile Network Connections (MNC) for combinations of public/private networks

Distributed Administration (“Gatekeeper”)

─ Java based administrator console that can run on various platforms

─ Policy Management is an integral part of Administration

Mobility Client (client-side)

─ Software that runs on the mobile device and interfaces to Connection Manager

─ Mobility Client authenticates and establishes a VPN with Connection Manager

─ Includes a toolkit for creating network-aware applications

HTTP Access (client-less)

─ HTTP access services provide an SSL secured tunnel for HTTP communication to any HTTP Version 1.1 application

Page 91: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Agenda

What is IBM Mobile Connect?

Preparing the environment – Operating System, DNS, Software

Installation of DB2

Installation of IBM Mobile Connect

Configuration of IBM Mobile Connect Connection Profiles

Configuring Domino LDAP and SSL

Configuring IBM Mobile Connect SSL

Configuring IBM Mobile Connect HTTP Access Services

Configuring Domino-SSO via LTPA-Token

Configuring IBM Notes Traveler

Page 92: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Preparing the environment – Operating System, DNS, Software

The session's demo installation of IBM DB2 and IBM Mobile Connect runs on SUSE Linux Enterprise Server (SLES) 11.

All components (IBM DB2®, IBM Mobile Connect®, IBM Domino®) are running for demo purposes on the same machine – for a production environment it is highly recommended to install the components on separate machines.

All DNS settings refer to the same physical IP. You should use your company's DNS.

The demo system doesn't use a firewall as all communication happens locally.

Page 93: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Preparing the environment – Operating System

The demo system runs a freshly installed SUSE Linux Enterprise Server (SLES) 11.

The installation of DB2 requires an installed X Window System with a desktop like KDE or Gnome (the latter is used here).

Furthermore you need a working Korn Shell (ksh) on the Linux system. It is required by the IBM Mobile Connect installation.

Page 94: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Preparing the environment – DNS

The IP-based communication between all components is based on DNS (Domain Name System).

When talking about DNS we assume that you're running a real DNS server in your company.

For the demo system all used DNS names are mapped to the local IP address via the Linux hosts file.

─ DB2: db2-imc.curi0.us

─ IBM Mobile Connect: imc1.curi0.us

─ Traveler: traveler1.curi0.us / traveler2.curi0.us

─ External Single URL: mobile.curi0.us

Never ever give the local loopback adapter (127.0.0.1) an alias! That will lead to errors during the installation process!

Page 95: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Preparing the environment – DNS (local hosts editing)

Open your favorite shell (like the Gnome Terminal).

Open the local hosts file using a text editor like “vi”.

Page 96: Connect 2013 - Making IBM Traveler High Available: Extending And Securing The Network


Preparing the environment – DNS (local hosts editing)

Modify the name settings for the used DNS names (key “i” for inserting).

Save the modifications with “ESC” followed by “:wq!” (write and quit).

Check the modifications using ping.

127.0.0.1 localhost192.168.100.50 imc1.curi0.us imc1192.168.100.50 db2-imc.curi0.us 192.168.100.51 traveler1.curi0.us192.168.100.52 traveler2.curi0.us192.168.100.50 mobile.curi0.us


Preparing the environment – DNS (local name resolving)

The server must be able to resolve its own short name. If the machine's name is “imc1.curi0.us”, the name “imc1” must be pingable.

If that is not possible, the installation of DB2 and IBM Mobile Connect will fail!
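As an added example (not part of the original deck), a small POSIX shell script that checks a hosts file against the prerequisites just described: every demo name on its intended address, no alias on 127.0.0.1, and the machine's short name resolving to the same address as its FQDN. The expected name-to-address mapping and the two sample hosts files are constructed here; on the real system you would point it at /etc/hosts.

```shell
#!/bin/sh
# Added example, not part of the original deck: check a hosts file against the
# prerequisites the DNS slides state before DB2 / IBM Mobile Connect are installed.
# On the real system the file is /etc/hosts; here two constructed copies are used.

# Name -> address pairs the demo expects (constructed to match the slides).
EXPECTED_HOSTS='imc1.curi0.us 192.168.100.50
db2-imc.curi0.us 192.168.100.50
traveler1.curi0.us 192.168.100.51
traveler2.curi0.us 192.168.100.52
mobile.curi0.us 192.168.100.50'

# hosts_lookup FILE NAME: print the address FILE maps NAME to (first match), nothing if unmapped.
hosts_lookup() {
    awk -v name="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
    ' "$1"
}

# loopback_aliases FILE: print every name on a 127.0.0.1 line other than localhost.
loopback_aliases() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i != "localhost") print $i }
    ' "$1"
}

# check_hosts_file FILE FQDN: print one line per violated prerequisite.
check_hosts_file() {
    file="$1"
    fqdn="$2"
    # 1. Every demo name must map to the address the deck assigns to it.
    printf '%s\n' "$EXPECTED_HOSTS" | while read -r name ip; do
        got=$(hosts_lookup "$file" "$name")
        if [ -z "$got" ]; then
            echo "MISSING: $name has no entry"
        elif [ "$got" != "$ip" ]; then
            echo "WRONG-IP: $name maps to $got, expected $ip"
        fi
    done
    # 2. The loopback adapter must not carry an alias (it breaks the installers).
    for a in $(loopback_aliases "$file"); do
        echo "LOOPBACK-ALIAS: $a is an alias of 127.0.0.1"
    done
    # 3. The machine's short name must resolve, and to the same address as its FQDN.
    short=${fqdn%%.*}
    fqdn_ip=$(hosts_lookup "$file" "$fqdn")
    short_ip=$(hosts_lookup "$file" "$short")
    if [ -z "$short_ip" ]; then
        echo "SHORTNAME: $short does not resolve"
    elif [ "$short_ip" != "$fqdn_ip" ]; then
        echo "SHORTNAME: $short resolves to $short_ip but $fqdn to $fqdn_ip"
    fi
}

# hosts_problem_count FILE FQDN: number of problems found (0 means the file passes).
hosts_problem_count() {
    check_hosts_file "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample files: one matching the deck, one with typical mistakes.
WORKDIR=$(mktemp -d)
GOOD_HOSTS="$WORKDIR/hosts.good"
BAD_HOSTS="$WORKDIR/hosts.bad"
cat > "$GOOD_HOSTS" <<'EOF'
127.0.0.1       localhost
192.168.100.50  imc1.curi0.us imc1
192.168.100.50  db2-imc.curi0.us
192.168.100.51  traveler1.curi0.us
192.168.100.52  traveler2.curi0.us
192.168.100.50  mobile.curi0.us
EOF
cat > "$BAD_HOSTS" <<'EOF'
# loopback alias, short name on the wrong address, traveler2 missing
127.0.0.1       localhost imc1
192.168.100.50  imc1.curi0.us
192.168.100.50  db2-imc.curi0.us
192.168.100.51  traveler1.curi0.us
192.168.100.50  mobile.curi0.us
EOF

echo "good file: $(hosts_problem_count "$GOOD_HOSTS" imc1.curi0.us) problem(s)"
echo "bad file:"
check_hosts_file "$BAD_HOSTS" imc1.curi0.us
```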


Preparing the environment – Software (DB2)

First you need DB2 (any edition, we're using DB2 Express-C 10.1.2).

You can download DB2 Express-C from this URL: http://www-01.ibm.com/software/data/db2/express/download.html

Choose the package appropriate for your operating system, in our case Linux x86 64-bit.

Save the package to /root/install/db2


Preparing the environment – Software (IBM Mobile Connect)

Then download the two IBM Mobile Connect installation packages from Passport Advantage.

The product numbers are “CID7DML_connection_manager.tar” and “CID79ML_Gatekeeper.tar”.

Save the packages to /root/install/imc


Preparing the environment – Software (Domino & Traveler)

Besides DB2 and IBM Mobile Connect you'll need one or two running IBM Domino servers and two or more IBM Notes Traveler servers. We're not describing here how to set up Domino and Traveler; that was part of SHOW100.


Agenda

What is IBM Mobile Connect?

Preparing the environment – Operating System, DNS, Software

Installation of DB2

Installation of IBM Mobile Connect

Configuration of IBM Mobile Connect Connection Profiles

Configuring Domino LDAP and SSL

Configuring IBM Mobile Connect SSL

Configuring IBM Mobile Connect HTTP Access Services

Configuring Domino-SSO via LTPA-Token

Configuring IBM Notes Traveler


Installation of DB2

Log on to the Linux system as user “root”.

Open your favorite shell (like the “Gnome Terminal”).


Installation of DB2

Change to the directory “/root/install/db2”.

Unpack the downloaded DB2 installation package using “tar” (the additional “v” option gives verbose output while unpacking).


Installation of DB2

Switch to the extracted DB2 installation folder “expc”.

Launch “db2setup” (remember: this needs the X Window System!).


Installation of DB2

The startup screen (aka “DB2 Setup Launchpad”) shows up.


Installation of DB2

Choose “Install a product” and select “Install New”.


Installation of DB2

Click “Next” to step over to the License Agreement Dialog.


Installation of DB2

After you've read and accepted the License Agreement (select the radio button), click “Next” to proceed.


Installation of DB2

Select “Custom” as the installation type and proceed with “Next”.


Installation of DB2

Save the installation details in a response file (good practice!) and proceed with “Next”.


Installation of DB2

Deselect “Getting started” from the feature list and proceed with “Next” (that will accept the default installation location “/opt/ibm/db2/V10.1”).


Installation of DB2

Optional: choose an additional language (we don't prefer any language other than English, even though we're German) and proceed with “Next”.


Installation of DB2

Leave the default value for the location of the DB2 Information center and proceed with “Next”.


Installation of DB2

Enter the credentials for the DB2 administrator “dasusr1” and proceed with “Next”. This step sets up a new Linux user including a home directory.


Installation of DB2

Leave the default value to create a new DB2 instance and proceed with “Next”.


Installation of DB2

Enter the credentials for the DB2 instance owner “db2inst1” and proceed with “Next”. This step sets up a new Linux user including a home directory.


Installation of DB2

Enter the credentials for the DB2 fenced user “db2fenc1” and proceed with “Next”. This step sets up a new Linux user including a home directory.


Installation of DB2

Create a TCP/IP configuration for DB2 to allow access from external hosts on port 50001. Leave the autostart checkbox as it is and proceed with “Next”.


Installation of DB2

Optional: set up notifications from DB2. As we don't need them here, deselect the option and proceed with “Next”.


Installation of DB2

Check the setup summary shown in the dialog and complete the installation with “Finish”.


Installation of DB2

You'll see a progress dialog during the installation process in a separate window.


Installation of DB2

Done!


Installation of DB2

You can validate the successful installation in various ways:

─ Check the installation log located in /tmp/db2setup.log

─ Login to DB2 with the db2inst1 user

─ Run the DB2 validation tool


Agenda

What is IBM Mobile Connect?

Preparing the environment – Operating System, DNS, Software

Installation of DB2

Installation of IBM Mobile Connect

Configuration of IBM Mobile Connect Connection Profiles

Configuring Domino LDAP and SSL

Configuring IBM Mobile Connect SSL

Configuring IBM Mobile Connect HTTP Access Services

Configuring Domino-SSO via LTPA-Token

Configuring Notes Traveler


Installation of IBM Mobile Connect – Connection Manager

Log on to the Linux system as user “root”.

Open your favorite shell (like the “Gnome Terminal”).


Installation of IBM Mobile Connect – Connection Manager

Change to the directory “/root/install/imc”.

Unpack the downloaded IBM Mobile Connect installation package of the Connection Manager using “tar”.


Installation of IBM Mobile Connect – Connection Manager

Display the extracted content using “ls”. There are two files:

./linux-gw-x86_64-image.tar.gz

./linux-gw-x86-image.tar.gz

If you are running 64-bit Linux, extract linux-gw-x86_64-image.tar.gz using “tar”.


Installation of IBM Mobile Connect – Connection Manager

Switch to the “inst.images” subfolder.

First you need to set up the IBM Mobile Connect Connection Manager. For that, issue the command “./install_wg” from within that subfolder.


Installation of IBM Mobile Connect – Connection Manager

Specify if you want to start the IBM Mobile Connect Connection Manager at system startup. This setting defaults to “yes” (it is recommended to keep this setting).


Installation of IBM Mobile Connect – Connection Manager

The IBM Mobile Connect Connection Manager is installed within /opt/ibm/ConnectionManager.

Important: Ensure that the service “xinetd” is running on the machine on which the IBM Mobile Connect Connection Manager is installed.

Done!


Installation of IBM Mobile Connect – Gatekeeper

Log on to the Linux system as user “root”.

Open your favorite shell (like the “Gnome Terminal”).


Installation of IBM Mobile Connect – Gatekeeper

Change to the directory “/root/install/imc”.

Unpack the downloaded IBM Mobile Connect installation package of the Gatekeeper using “tar”.


Installation of IBM Mobile Connect – Gatekeeper

Change to the directory “/root/install/imc/pkglinux”.

If IBM Java JRE 7.0.2 isn't installed, you need to install it. The needed installation file is located in the extracted pkglinux subfolder.


Installation of IBM Mobile Connect – Gatekeeper

Now proceed with the installation of the IBM Mobile Connect Gatekeeper.


Installation of IBM Mobile Connect – Gatekeeper

The IBM Mobile Connect Gatekeeper is installed in the directory /opt/ibm/Gatekeeper. The installation also adds symbolic links in /usr/bin for the IBM Mobile Connect Gatekeeper binaries.

Done!


Installation of IBM Mobile Connect – Gatekeeper

Yes, we're running on Linux. But you have to restart the server. ;-)


Agenda

What is IBM Mobile Connect?

Preparing the environment – Operating System, DNS, Software

Installation of DB2

Installation of IBM Mobile Connect

Configuration of IBM Mobile Connect Connection Profiles

Configuring Domino LDAP and SSL

Configuring IBM Mobile Connect SSL

Configuring IBM Mobile Connect HTTP Access Services

Configuring Domino-SSO via LTPA-Token

Configuring IBM Notes Traveler


Configuration of IBM Mobile Connect

The whole configuration of IBM Mobile Connect is done through the IBM Mobile Connect Gatekeeper.

Log on as the Linux user “root”.

Open your favorite console (e.g. the “Gnome Terminal”).


Configuration of IBM Mobile Connect

Start the IBM Mobile Connect Gatekeeper by issuing the command “wgcfg” from the shell. The application starts in the X Window System.


Configuration of IBM Mobile Connect - Login profile

At the very first startup IBM Mobile Connect has no configuration. You'll see an empty login screen with no selection values for the so-called “Login profile”.


Configuration of IBM Mobile Connect - Login profile

The IBM Mobile Connect Gatekeeper automatically opens a dialog for creating new Login profiles. In our case we're setting up a “non-secure” Login profile by clicking “Add Profile...”.


Configuration of IBM Mobile Connect - Login profile

In the “Add Login Profile” dialog we have to add two values:

─ The Login profile name, which is the descriptive name for this profile. For the sake of simplicity we're using the simple host name of the IBM Mobile Connect server.

─ The host name we want to connect to.

─ The port, which defaults to 9555, can be changed if needed. For our setup we don't need that.

Finish the dialog by clicking the “OK” button.


Configuration of IBM Mobile Connect - Login profile

You'll now see the newly added profile in the Login Profile Details list.

Close the dialog with “OK”.


Configuration of IBM Mobile Connect - Logging in

Now select the profile “imc1” in the Login profile dropdown list.

Additionally you have to enter the administrator's credentials. For that, use the default login credentials which are available after any IBM Mobile Connect installation.

─ User: gkadmin

─ Password: gk4admin (Default)

Confirm the selection and credentials by clicking “Log In”.


Configuration of IBM Mobile Connect - Logging in

“Accept” the upcoming license dialog to proceed.


Configuration of IBM Mobile Connect – First Setup

Two dialog boxes open. Close the Gatekeeper Help window to start the configuration.


Configuration of IBM Mobile Connect – First Setup

As we're using DB2 as the backend for IBM Mobile Connect you have to select “An ODBC-compliant relational database”. Proceed with “Next”.


Configuration of IBM Mobile Connect – First Setup

In the upcoming dialog you have to enter the name of the DB2 instance and the corresponding home folder:

─ DB2 instance name: wgdb

─ DB2 instance home folder: /home/wgdb

Proceed with “Next”.


Configuration of IBM Mobile Connect – First Setup

Now enter the administrative settings for this new DB2 database.

─ Database name: wgdata

─ Database management ID: db2inst1 (we're using the existing standard DB2 administrator)


Configuration of IBM Mobile Connect – First Setup

We could use the local path, but to mirror a real-world scenario we're connecting to the DB2 instance “remotely”.

Proceed with “Next”.


Configuration of IBM Mobile Connect – First Setup

In the upcoming dialog you have to enter a base distinguished name (X.500 format) under which the configuration data will be stored. This name is case-sensitive!

─ Base distinguished name: o=midpoints (your organization name, we will use midpoints here)

Additionally you have to define how the data will be stored. Use the same data storage as is used for the session data.

Proceed with “Next”.


Configuration of IBM Mobile Connect – First Setup

Now you have to define whether administrators should be able to connect remotely to the IBM Mobile Connect Connection Manager. It's recommended to allow this as it makes administrators' lives somewhat easier.

─ Remote administrators may log in with the user “gkadmin”.

Depending on your internal security policies, an SSL-based connection to the IBM Mobile Connect Gatekeeper can be enforced. It's not needed here, so leave the default selection (disabled).


Configuration of IBM Mobile Connect – First Setup

Now enable the logging of all administrative actions and proceed with “Next”.


Configuration of IBM Mobile Connect – First Setup

The last wizard screen confirms that all settings for the initial setup of this IBM Mobile Connect Connection Manager have been made. Complete the setup by clicking “Finish”.

The IBM Mobile Connect Gatekeeper now sets up the database and the initial IBM Mobile Connect Connection Manager resources. This may take a while.


Agenda

What is IBM Mobile Connect?

Preparing the environment – Operating System, DNS, Software

Installation of DB2

Installation of IBM Mobile Connect

Configuration of IBM Mobile Connect Connection Profiles

Configuring Domino LDAP and SSL

Configuring IBM Mobile Connect SSL

Configuring IBM Mobile Connect HTTP Access Services

Configuring Domino-SSO via LTPA-Token

Configuring IBM Notes Traveler


Configuring Domino authentication

Authentication profiles in IBM Mobile Connect can be set up to use LDAP binding for HTTP access services and connection profiles.

IBM Domino can serve as a Directory Service provider for LDAP, so we're going to leverage that built-in functionality.

As mentioned in the prerequisites, we're running a freshly installed IBM Domino server without any special configuration. The following slides show the steps needed to set up IBM Domino as an LDAP Directory provider.


Configuring Domino authentication – LDAP setup

First you have to create a technical user that IBM Mobile Connect will use for authenticated LDAP lookups.

As this technical user doesn't need a Notes ID file, it is sufficient to create a new Person document with an HTTP password.


Configuring Domino authentication – LDAP setup

Open the Domino Directory of the IBM Domino server and switch to the “People” view.

Use the action button “Add Person” to create a new person document.


Configuring Domino authentication – LDAP setup

Enter a first and a last name for the user. Adding a hierarchical full name is recommended as a good practice. And please honor the IBM Domino naming conventions!

─ First name: &lmc

─ Last name: &ldaplookup

─ Full name: &lmc &ldaplookup/tech/midpoints


Configuring Domino authentication – LDAP setup

The technical user needs an HTTP password. For that, click the “Enter Password” button located on the “Basics” tab.

In the upcoming dialog box enter the password “ld4pl00kup” and confirm with the “OK” button.


Configuring Domino authentication – LDAP setup

Check if the HTTP password has been added to the person document. The hashed value should be visible.

Now save the created person document with the “Save & Close” button.


Configuring Domino authentication – LDAP setup

Switch to the “All Server Documents” view in the Domino Directory and open the server's document.


Configuring Domino authentication – LDAP setup

You need to ensure that the previously created technical user has read access to the Domino Directory.

For that, switch to the “Security” tab and check the “Access server” field. Allowing all users listed in trusted directories is sufficient.


Configuring Domino authentication – LDAP setup

Now set up the LDAP configuration for this server. The needed configuration can be found within “Ports” => “Internet Ports” => “Directory”.


Configuring Domino authentication – LDAP setup

From a security point of view you should disallow non-SSL LDAP access and disable anonymous LDAP access.


Configuring Domino authentication – LDAP setup

Save the modified server document with the “Save & Close” button.


Configuring Domino authentication – LDAP setup

Create a new Program document to make sure that the LDAP task runs at server startup.

Go to the “Programs” view of the Domino Directory and create a new Program document through clicking the “Add Program” button.


Configuring Domino authentication – LDAP setup

In the newly created document set the values to start the LDAP task at server startup:

─ Program name: LDAP

─ Enabled/disabled: At server startup only

Click “Save & Close” to save the Program document.


Configuring Domino authentication – SSL setup

As you've set up SSL-based usage of the LDAP Directory server, you now need to create SSL key rings for the Domino server.

There are two kinds of certificates which can be used for that:

─ Certificates which are signed by an official SSL Certification Authority

─ Self-signed certificates

For the internal usage it is sufficient to use a self-signed certificate.

The creation of such a self-signed certificate can be done by using the “Server Certificate Admin” Database.


Configuring Domino authentication – SSL setup

Pressing CTRL+N in the IBM Lotus Notes client opens the “New Application” dialog.

─ Create the database locally.

─ Enter a descriptive title and file name.

─ Select a Domino server (the template isn't available on a Notes client).

─ Select the “Show advanced templates” checkbox.

─ Scroll down to “Server Certificate Admin” and click “OK”.


Configuring Domino authentication – SSL setup

Close the “About this database” tab (1) and go to the Server Certificate Admins tab (2).


Configuring Domino authentication – SSL setup

Choose the “Create Key Ring with Self-Certified Certificate” menu entry.


Configuring Domino authentication – SSL setup

Now you need to enter some values in the upcoming form.

First the file name and the password. It's good practice to use the DNS host name as the file name, because that helps to tell the files apart if the Domino server uses more than one SSL configuration.


Configuring Domino authentication – SSL setup

Second, you need to enter the certificate details which will be used to create the certificate's hierarchical name.

─ Important: The common name of the certificate must be equal to the DNS name of the server.

Last but not least you have to click the button “Create Key Ring with Self-Certified Certificate” which is located at the bottom of the form.


Configuring Domino authentication – SSL setup

The certificate creation process creates two files in the root of the Notes client's data directory.

─ KeyRing file: selfcert-traveler1.kyr

─ Stash file: selfcert-traveler1.sth

Copy both files from the Notes client's data directory into the data directory of the Domino server.

The next step will be to setup SSL on the Domino server.


Configuring Domino authentication – SSL setup

We're switching to the “All Server Documents” view in the Domino Directory. Here we're opening the server's document.


Configuring Domino authentication – SSL setup

The configuration settings for SSL can be found within “Ports” => “Internet Ports”.

The “SSL key file name” must match the file name of the created keyring.


Configuring Domino authentication – SSL setup

The configuration settings for SSL can be found within “Ports” => “Internet Ports”.

Enable the HTTP-SSL Port – and disable the HTTP-Port!


Configuring Domino authentication – SSL setup

Now you need to start the LDAP and HTTP tasks to activate SSL for the Domino server.

For that, use these commands on the Domino console:

─ Starting the LDAP task: load ldap

─ Starting the HTTP task: load http


Agenda

What is IBM Mobile Connect?

Preparing the environment – Operating System, DNS, Software

Installation of DB2

Installation of IBM Mobile Connect

Configuration of IBM Mobile Connect Connection Profiles

Configuring Domino LDAP and SSL

Configuring IBM Mobile Connect SSL

Configuring IBM Mobile Connect HTTP Access Services

Configuring Domino-SSO via LTPA-Token

Configuring IBM Notes Traveler


Configuring IBM Mobile Connect SSL

The IBM Mobile Connect Connection Manager can be set up to use SSL in various ways. For example, SSL can be used for LDAP binding or for HTTP Access Services.

SSL configuration for IBM Mobile Connect is done using the “IBM Key Management” tool, which is contained in each IBM Mobile Connect installation. The tool creates key files in which the certificate public keys are stored. Those key files are then assigned to the corresponding IBM Mobile Connect Gatekeeper resources.

The format of the keyfiles is “Cryptographic Message Syntax” (CMS).

For a production environment it is highly recommended to use certificates from official Certificate Authorities. In our setup we're creating and using self-signed certificates.


Configuring IBM Mobile Connect SSL

Log on to the Linux system as user “root”.

Open your favorite shell (like the “Gnome Terminal”).


Configuring IBM Mobile Connect SSL

Change to the directory “/opt/ibm/Gatekeeper”.

Start the “IBM Key Management” tool from the console.


Configuring IBM Mobile Connect SSL

You'll see the empty screen of the IBM Key Management tool.


Configuring IBM Mobile Connect SSL

Now you need to create a new key database file. For that select “Key Database File” => “New”.


Configuring IBM Mobile Connect SSL

As the format needs to be “Cryptographic Message Syntax” you have to select “CMS” as the key database type.

Choose a file name of your choice. It is recommended to choose an easily recognizable file name.

Page 187

Configuring IBM Mobile Connect SSL

Enter the password “passw0rd” (or a password of your choice). As IBM Mobile Connect needs a stash file, you have to select the option “Stash the password to a file?”. Finish the process with “OK”.

Page 188

Configuring IBM Mobile Connect SSL

Select “Personal Certificates” from the dropdown dialog.

Then select “New Self-Signed...” to create a new self-signed certificate.

Page 189

Configuring IBM Mobile Connect SSL

Enter the values for the self-signed certificate. You need to ensure that the common name equals the external DNS name of the IBM Mobile Connect server.

Page 190

Configuring IBM Mobile Connect SSL

In the “Personal Certificates” section you'll now see the created certificate. The * character indicates that it is a self-signed certificate.

Page 191

Configuring IBM Mobile Connect SSL

Select “Key Database File” from the action menu and click “Exit” to close the “IBM Key Management” tool.

Page 192

Configuration of IBM Mobile Connect – First Setup

If needed, the login credentials for the super-user “gkadmin” can be changed at this point. You don't need that for this setup, so we proceed with “No”.

Page 193

Configuration of IBM Mobile Connect – First Setup

The setup process now proceeds with the setup of a new Connection Manager. Click “Next” to start the setup.

Page 194

Configuration of IBM Mobile Connect – First Setup

Enter a unique identifier for this Connection Manager configuration. Using the fully qualified hostname is good practice at this point.

─ Connection manager identifier: imc.curi0.us

Proceed with “Next”.

Page 195

Configuration of IBM Mobile Connect – First Setup

The next screen displays the primary organizational unit. As it's a new configuration there is (currently) nothing to do. Proceed with “Next”.

Page 196

Configuration of IBM Mobile Connect – First Setup

The setup of the first Connection Manager can now be finished. Click “Finish” to proceed. The process may take some time.

Page 197

Configuration of IBM Mobile Connect – First Setup

The Connection Manager is now created. Next we are asked whether we need an HTTP Access Service. We need one for IBM Notes Traveler, so choose “Yes”.

Page 198

Configuration of IBM Mobile Connect – First Setup

The external URL (the so-called Service URL) the IMC HTTP Service should listen on is https://mobile.curi0.us.

Proceed with “Next”.

Page 199

Configuration of IBM Mobile Connect – First Setup

The Application server URL lists the internal Traveler server hostnames, using this syntax:

TRAVELER https://traveler1.curi0.us,TRAVELER https://traveler2.curi0.us

The Authentication Profile and SSO will be configured later.

Page 200

Configuration of IBM Mobile Connect – First Setup

Choose “Finish” to create the HTTP Access Service.

Page 201

Configuration of IBM Mobile Connect – First Setup

The setup process now asks whether we want to set up a Mobile Access Service. That's needed if you want to use IMC as a VPN gateway.

We only want to use the HTTP Access Service as a secure reverse proxy for connecting to IBM Notes Traveler. So choose “No”.

Page 202

Configuration of IBM Mobile Connect – First Setup

We are using LDAP for user authentication, so we need no further Connection Manager accounts. Click “No” to proceed.

Page 203

Configuration of IBM Mobile Connect – First Setup

We would like to start the Connection Manager, so choose “Yes”.

Page 204

Configuration of IBM Mobile Connect – First Setup

The Connection Manager will start after choosing “OK”.

Page 205

Configuration of IBM Mobile Connect – First Setup

We are done!

The Connection Manager is now up and running. To see what the Setup Wizard configured, switch from the Gatekeeper “Tasks” navigator to the “Resources” navigator.

Page 206

Configuration of IBM Mobile Connect

The “Resources” section shows the contents of the previously set up IBM Mobile Connect Connection Manager (node “imc1.curi0.us”).

At the bottom of the “Mobile Connect” tree you'll see the created “http service”.

Page 207

Configuration of IBM Mobile Connect

You start and stop the Connection Manager using the Gatekeeper client. For that, select the name “imc1.curi0.us”, right-click and choose “Shutdown”. The shutdown needs to be confirmed.

Page 208

Configuration of IBM Mobile Connect

You'll get a confirmation dialog for the shutdown.

Page 209

Configuration of IBM Mobile Connect

To check the successful shutdown, right-click on the connection's name and select “Properties”.

Page 210

Configuration of IBM Mobile Connect

The right pane shows the properties of the Connection Manager. Scroll down on the “Gateway” tab and check the state.

Page 211

Configuration of IBM Mobile Connect

To start the connection, right-click the name “imc1.curi0.us” and choose “Startup”.

You'll get a confirmation dialog for the startup then.

Page 212

Configuration of IBM Mobile Connect

As the previously opened property dialog doesn't refresh the Connection Manager state automatically you need to close and reopen it.

Click on the upper right marked “x” of the property dialog to close it.

Page 213

Configuration of IBM Mobile Connect

Right-click the connection's name and select “Properties”.

Page 214

Configuration of IBM Mobile Connect

Scroll down on the “Gateway” tab and check the state. It must be “running”.

Page 215

Agenda

What is IBM Mobile Connect?

Preparing the environment – Operating System, DNS, Software

Installation of DB2

Installation of IBM Mobile Connect

Configuration of IBM Mobile Connect Connection Profiles

Configuring Domino LDAP and SSL

Configuring IBM Mobile Connect SSL

Configuring IBM Mobile Connect HTTP Access Services

Configuring Domino-SSO via LTPA-Token

Configuring IBM Notes Traveler

Page 216

Configuring IBM Mobile Connect - HTTP Access Services

Now you'll set up an HTTP Access Service which will be used to authenticate via the previously configured Domino LDAP. Furthermore, the service will be used to forward the data packets to the IBM Notes Traveler server.

The steps of this procedure are:

─ Setup of a Directory Server Resource

─ Setup of an Authentication Profile Resource

─ Setup of an HTTP Access Service Resource

─ Securing the HTTP Access Service with an SSL certificate

─ Setup of IBM Mobile Connect Single Sign-On (SSO)

─ Creation and export of an LTPA key file

─ Import of the LTPA key file into Domino

Page 217

Configuration of IBM Mobile Connect

The whole configuration of IBM Mobile Connect is done through the IBM Mobile Connect Gatekeeper.

Log on as the Linux user “root”.

Open your favorite console (e.g. the “Gnome Terminal”).

Page 218

Configuring IBM Mobile Connect - HTTP Access Services

Start the IBM Mobile Connect Gatekeeper by issuing the command “wgcfg” from the shell. That will start the application in the X Window System.

Page 219

Configuring IBM Mobile Connect - HTTP Access Services

Right-click on the top-level resource entry and choose “Add resource” => “Directory Server”.

Page 220

Configuring IBM Mobile Connect - HTTP Access Services

Enter a descriptive name as the common name for this Directory server.

Enter the hostname for the remote directory server.

Page 221

Configuring IBM Mobile Connect - HTTP Access Services

Set the default base distinguished name which should be used for LDAP lookups. Leave it empty if you don't want to restrict LDAP lookups to specific organizations. Proceed with “Next”.

Page 222

Configuring IBM Mobile Connect - HTTP Access Services

In the next wizard screen you have to enter the LDAP settings according to the Domino LDAP setup.

First you have to set the port used. The default is 389 (unencrypted). As you've configured LDAP over SSL on port 636, you need to enable “Use secure connection” and point IMC to the key database which contains the public key of the Root CA used for your Domino SSL server key.

Page 223

Configuring IBM Mobile Connect - HTTP Access Services

Furthermore you have to enter the file path and name of the key database file which you've created with the “IBM Key Management” tool.

─ Key database: /opt/ibm/ConnectionManager/imc-mobile.kdb

─ Stash file: /opt/ibm/ConnectionManager/imc-mobile.sth

Page 224

Configuring IBM Mobile Connect - HTTP Access Services

Then you have to enter the username and password of the previously set up technical user.

─ Name: cn=&lmc &ldaplookup,ou=tech,o=midpoints

─ Password: ld4pl00kup

Proceed with “Next”.

Page 225

Configuring IBM Mobile Connect - HTTP Access Services

Select the primary organizational unit (o=midpoints) and click “Finish” to end the setup of the Directory server.

Page 226

Configuring IBM Mobile Connect - HTTP Access Services

You'll now see a new “Directory services server definition” within the menu tree.

Page 227

Configuring IBM Mobile Connect - HTTP Access Services

If you have to change the LDAP configuration, you can double-click the “Directory services server definition” entry within the menu tree. Select your configured LDAP server and press “Properties”.

This information is optional and is mentioned for later reconfiguration.

Page 228

Configuring IBM Mobile Connect - HTTP Access Services

Now you'll set up an Authentication Profile. This profile defines how IBM Mobile Connect checks and validates users' credentials.

Right-click the main menu item and select “Add Resource” => “Authentication Profile” => “LDAP-bind Authentication”.

Page 229

Configuring IBM Mobile Connect - HTTP Access Services

In the first wizard form you have to enter a common name for this profile, an optional description and the passcode policy. Leave all other fields empty.

─ The “Unrestricted” policy means that there is no limit on incorrectly entered passwords.

Proceed with “Next”.

Page 230

Configuring IBM Mobile Connect - HTTP Access Services

Now select the Directory server which you've set up. For this installation you're using “uid” as the key field for identifying a user.

Leave the other fields as they are and proceed with “Next”.

Page 231

Configuring IBM Mobile Connect - HTTP Access Services

As Single Sign-On for Domino should be used, you have to enable the creation of an LTPA token.

Leave the other fields as they are and proceed with “Next”.

Page 232

Configuring IBM Mobile Connect - HTTP Access Services

Select the primary organizational unit (o=midpoints) and click “Finish” to end the setup of the Authentication Profile.

Page 233

Configuring IBM Mobile Connect - HTTP Access Services

You'll now see a new “Authentication profile” within the menu tree.

Page 234

Configuring IBM Mobile Connect - HTTP Access Services

Now it's time to configure the HTTP Access Service Resource which has been created initially.

Such a resource is responsible for forwarding inbound data traffic – after successful authentication – to a backend system (in our case Domino/Traveler).

The new IBM Mobile Connect version 6.1.5 is able to assign a single inbound URL to one HTTP Access Service. The HTTP Access Service can forward the request to multiple HTTP backend systems like Traveler, iNotes, Connections, Sametime or a Domino based web application (e.g. XPages).

You can set up additional HTTP Services, but then you'll need additional DNS hostnames, SSL certificates and IP addresses.

Page 235

Configuring IBM Mobile Connect - HTTP Access Services

First we open our initially created HTTP Service Profile by double-clicking the “http-service0” entry in the navigator.

Page 236

Configuring IBM Mobile Connect - HTTP Access Services

The Service tab

Check that the “Service URL” is configured. This Service URL will be used on a device to connect to Traveler.

Enter the directory and file name of the key database and the stash file we created earlier.

─ Key database: /opt/ibm/ConnectionManager/imc-mobile.kdb

─ Stash file: /opt/ibm/ConnectionManager/imc-mobile.sth

Page 237

Configuring IBM Mobile Connect - HTTP Access Services

The Server tab

The “Application server URL” defines the backend systems to which requests are forwarded.

─ The systems are separated by commas.

─ There are keywords to define the type of the backend system used: TRAVELER, CONNECTIONS, SAMETIME, INOTES

For every Traveler server in our HA pool, we need to add an entry:

TRAVELER https://traveler1.curi0.us,TRAVELER https://traveler2.curi0.us

Page 238

Configuring IBM Mobile Connect - HTTP Access Services

The Server tab

The scheduling algorithm defines how load balancing and failover take place.

We will set up an “Active / Passive failover” where traveler1.curi0.us is defined as the active server.
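The Server tab setting and the active/passive scheduling above, as an added Python example that is not part of the deck and not IBM Mobile Connect code: it parses the “Application server URL” string, rejects non-https backends and duplicate hosts, picks the active Traveler node from a constructed health table, and checks that the Traveler external URL (the Service URL host plus “/traveler”, as entered later in the Traveler server document) points at the proxy. The hostnames are the ones from the slides; the health states and all function names are assumptions.

```python
"""Pre-flight check for the Gatekeeper "Application server URL" setting.

Added example; not code from the slide deck or from IBM Mobile Connect.
It parses the 'KEYWORD url,KEYWORD url' string of the Server tab, rejects
backends that would not be reached over https, and models the
"Active / Passive failover" scheduling: the first listed Traveler server is
active and the next healthy one takes over. Health states are constructed.
"""
from typing import Dict, List, NamedTuple, Optional
from urllib.parse import urlsplit

# Backend type keywords listed for the Server tab of the HTTP Access Service.
BACKEND_KEYWORDS = frozenset({"TRAVELER", "CONNECTIONS", "SAMETIME", "INOTES"})

# The value used in the slides for the two-node Traveler HA pool.
APP_SERVER_URL = "TRAVELER https://traveler1.curi0.us,TRAVELER https://traveler2.curi0.us"


class Backend(NamedTuple):
    kind: str  # one of BACKEND_KEYWORDS
    url: str   # https URL of the internal backend
    host: str  # hostname taken from url, lower-cased


def parse_application_server_url(value: str) -> List[Backend]:
    """Split the comma separated list into Backend entries, in the order given.

    Order matters: for active/passive failover the first entry is the active one.
    Raises ValueError for anything the Gatekeeper would not accept, or that
    would weaken the proxy-to-backend hop (non-https URL, duplicate host).
    """
    backends: List[Backend] = []
    seen_hosts = set()
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            raise ValueError("empty entry in application server URL list")
        parts = entry.split()
        if len(parts) != 2:
            raise ValueError(f"expected '<KEYWORD> <url>', got {entry!r}")
        kind, url = parts[0].upper(), parts[1]
        if kind not in BACKEND_KEYWORDS:
            raise ValueError(f"unknown backend keyword {parts[0]!r} in {entry!r}")
        split = urlsplit(url)
        if split.scheme != "https" or not split.hostname:
            # The proxy terminates the device's TLS; keep the hop to Traveler
            # encrypted as well, as the slides do (https://traveler*).
            raise ValueError(f"backend URL must be https://<host>, got {url!r}")
        host = split.hostname.lower()
        if host in seen_hosts:
            raise ValueError(f"backend host {host!r} listed twice")
        seen_hosts.add(host)
        backends.append(Backend(kind, url, host))
    if not backends:
        raise ValueError("application server URL list is empty")
    return backends


def traveler_pool(backends: List[Backend]) -> List[Backend]:
    """Only TRAVELER entries receive /traveler and /servlet/traveler requests."""
    return [b for b in backends if b.kind == "TRAVELER"]


def choose_active(pool: List[Backend], healthy: Dict[str, bool]) -> Optional[Backend]:
    """Active/passive failover: the first listed healthy Traveler server wins.

    `healthy` maps hostname -> True/False (what a monitor would report); a host
    missing from the table counts as down. Returns None when the whole pool is
    down, so the caller can alert instead of routing blindly.
    """
    for backend in pool:
        if healthy.get(backend.host, False):
            return backend
    return None


def check_traveler_external_url(service_url: str, external_url: str) -> bool:
    """The Traveler server document's external URL must be the IMC Service URL
    host plus '/traveler'; anything else sends devices around the proxy."""
    svc, ext = urlsplit(service_url), urlsplit(external_url)
    return (ext.scheme == "https"
            and (ext.hostname or "").lower() == (svc.hostname or "").lower()
            and ext.path.rstrip("/") == "/traveler")


if __name__ == "__main__":
    pool = traveler_pool(parse_application_server_url(APP_SERVER_URL))
    print("pool:", [b.host for b in pool])
    # Constructed health states: primary down, so the passive node takes over.
    active = choose_active(pool, {"traveler1.curi0.us": False, "traveler2.curi0.us": True})
    print("active:", active.host if active else "none - alert!")
    print("external URL ok:", check_traveler_external_url(
        "https://mobile.curi0.us", "https://mobile.curi0.us/traveler"))
```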

Page 239

Configuring IBM Mobile Connect - HTTP Access Services

The Mode tab

Switch to the “Mode” tab and change the credential challenge type from “Mobile Connect forms challenge” to “HTTP 401 basic authorization challenge”.

As Authentication Profile, choose our configured “Auth LDAP Traveler1” profile.

Page 240

Configuring IBM Mobile Connect - HTTP Access Services

The IBM Mobility tab

By enabling the “IBM Notes Traveler integration” checkbox, IBM Mobile Connect knows that requests to

/traveler or /servlet/traveler

are Traveler specific and will forward these requests to the defined TRAVELER servers.

Save your changes to the HTTP Service by using the “Apply” and “OK” buttons.

You have to stop and restart the HTTP Service.

Page 241

Configuring IBM Mobile Connect - HTTP Access Services

The last setup step within the IBM Mobile Connect Gatekeeper is to create the LTPA token for Single Sign-On between IBM Mobile Connect and the backend servers.

For that you'll have to open the created Authentication Profile (double-click the entry).

Page 242

Configuring IBM Mobile Connect - HTTP Access Services

Double-click the entry of the profile within the list in the right pane.

Then switch to the “LTPA/SSO” tab.

Page 243

Configuring IBM Mobile Connect - HTTP Access Services

Define the settings for the LTPA/SSO connection.

Page 244

Configuring IBM Mobile Connect - HTTP Access Services

Now select the creation of new LTPA keys and enter the password “ltp4p4ssw0rd” (the password should have 6-32 characters). This key will be imported into Domino later on.

Finish the creation with “Apply” (NOT “OK”).

Page 245

Configuring IBM Mobile Connect - HTTP Access Services

After the creation of the LTPA keys (you won't get a confirmation dialog) you'll have to export them. Select “Export to keyfile” and enter the directory path including the file name.

─ LTPA export keyfile name: /opt/ibm/ConnectionManager/ltpa.token

Click “OK” to start the export.


Page 247

Configuring Domino-SSO via LTPA token

Now you'll have to import the created LTPA token into the Domino Directory for enabling Single-Sign-On between the IBM Mobile Connect Server and IBM Domino.

Switch to the “All Server Documents” view in the Domino Directory and click the button “Web\Create Web SSO Configuration”.

Page 248

Configuring Domino-SSO via LTPA token

Now enter a name for this token configuration, your organization, the supported DNS names and the Domino server which should use this token.

Page 249

Configuring Domino-SSO via LTPA token

Proceed now with importing the LTPA token. For that you have to click the button “Keys...” and select “Import WebSphere LTPA Keys”.

Enter the directory and file name of the LTPA token and confirm with “OK”.

Save and close the Notes document.

Page 250

Configuring Domino-SSO via LTPA token

Switch to the “All Server Documents” view in the Domino Directory and open the server's document.

Page 251

Configuring Domino-SSO via LTPA token

Go to “Internet Protocols...” => “Domino Web Engine”. Change the session authentication type to “Multiple Servers (SSO)” and select the created SSO configuration.

Save and close the document.

Restart the server.


Page 253

Configuring IBM Notes Traveler

You've already completed 99% of the needed configuration:

─ Setting up HTTPS on the IBM Domino Server

─ Enabling Single-Sign-On between IBM Mobile Connect and IBM Domino

The last step to complete this setup now is configuring IBM Notes Traveler.

Page 254

Configuring IBM Notes Traveler

Switch to the “All Server Documents” view in the Domino Directory and open the server's document.

Page 255

Configuring IBM Notes Traveler

Switch to the “IBM Notes Traveler” tab.

Enter the fully qualified internet host name of the IBM Mobile Connect server + “/traveler” as the external URL.

Save and close the Notes document.

Finished!

Page 256

Agenda

High Availability in the context of IBM Notes Traveler

Using IBM WebSphere Edge Components as Load Balancer

Using IBM Mobile Connect as Reverse Proxy

Additional Notes

Q & A

Page 257

Additional Notes

We only scratched the surface of both products.

You can build really cool environments with them:

─ High Availability

─ Authentication

─ For a range of ICS products

Just imagine...

Page 258

Additional Notes


Page 260

Q & A

Now and here

─ Get the mic!

Later

─ Via any social media – see contact details at the beginning of this slide deck.

(Updated) Slides will be on our blogs and on SlideShare.

Page 261

Legal disclaimer

© IBM Corporation 2013. All Rights Reserved.

The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others.