Issues with TAM and Connections – SOLVED

Issues with TAM and Connections

For those of you that follow me on Twitter you will all know that I have had huge issues with Connections and TAM integration.
I am pleased to report that the issue is now resolved – Instructions below:

Created the transparent junctions as per the info center
Created the ACL defs as per the info center
Created default acl – connectionsdefaultacl and attached to junctions as per the info center
Created additional acl – connectionsacl as per the info center

Resources that do not require authentication and which should have connectionsacl applied:

/activities/images – Information present in the Lotus Connections wiki but not the official IBM Infocenter documentation.
/files/basic/anonymous/atom – Information present in the Lotus Connections wiki but not the official IBM Infocenter documentation.
/files/form/anonymous/atom – Missing from ALL official IBM documentation

Resources that require basic authentication and which should have connectionsacl applied:

/blogs/blogsapi – Information present in the Lotus Connections wiki but not the official IBM Infocenter documentation.
/blogs/blogsfeed – Information present in the Lotus Connections wiki but not the official IBM Infocenter documentation.
/communities/dsx – Missing from ALL official IBM documentation
/profiles/dsx – Missing from ALL official IBM documentation

Applied the "require forms authentication" setting, which should have connectionsdefaultacl applied, as per the info center
Created the dynurl file as per the info center and applied connectionsacl to /blogs/blogsfeed and /blogs/blogsapi
Edited the WebSEAL config, adding dynurl-allow-large-posts = yes, forms-auth = https (or both), use-same-session = yes
Added the filter types as per the info center
Added the FQDN of the load-balanced TAM server virtual host: web-host-name = tam.your.domain.com
Imported the connectionsAdmin user into TAM via the Web Portal Manager or pdadmin – this step is missing from ALL official IBM documentation
Updated the LC config file:
set dynamic host enabled to "true" and the href/ssl_href to the FQDN of the load-balanced TAM server virtual host, e.g. my.city.ac.uk
Ensured that the static href, static ssl_href and interService URLs for all services point at the WebSEAL cluster, e.g. my.city.ac.uk
Set the custom authenticator to TAMAuthenticator and checked the timeout settings as per the info center
Configured the Lotus Connections directory service extensions to point to the Tivoli Access Manager server, i.e. set the extension hrefs to:
http://tam.your.domain.com/communities/dsx/ and http://tam.your.domain.com/profiles/dsx/

Lotus Connections applications will attempt to open server to server communications with other Lotus Connections applications via Tivoli Access Manager. If forms-auth has been set to https in the webseald-.conf file, then the signer certificate for WebSEAL client-side SSL communications should be added to the WebSphere trust stores – Missing from ALL official IBM documentation

Add the log out button to the HTTP server rewrite config / http config (depending on the set up)
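As an added illustration (not from the original post or from IBM's documentation), the pdadmin commands and dynurl.conf entries that realise the ACL model above: connectionsdefaultacl gives unauthenticated requests traverse only, so WebSEAL forces a forms login, while connectionsacl lets unauthenticated requests through so the anonymous and basic-auth resources reach Connections itself. WEBSEAL_INSTANCE, the LDAP DN and the iv-admin permission string are placeholders; the dynurl object names are chosen to mirror the URL paths.

```text
# --- dynurl.conf (in the WebSEAL instance directory) ---
# object-space entry      URL pattern matched against the request
/blogs/blogsfeed          /blogs/blogsfeed/*
/blogs/blogsapi           /blogs/blogsapi/*

# --- pdadmin session as sec_master ---
# Forms-login ACL: unauthenticated gets traverse (T) only, so WebSEAL
# challenges; any authenticated user gets traverse + read (Tr).
acl create connectionsdefaultacl
acl modify connectionsdefaultacl set group iv-admin TcmdbsvaBRrxl
acl modify connectionsdefaultacl set any-other Tr
acl modify connectionsdefaultacl set unauthenticated T

# Pass-through ACL: unauthenticated may read, so anonymous feeds work and
# basic-auth endpoints are challenged by Connections, not by WebSEAL.
acl create connectionsacl
acl modify connectionsacl set group iv-admin TcmdbsvaBRrxl
acl modify connectionsacl set any-other Tr
acl modify connectionsacl set unauthenticated Tr

# Default: each transparent junction root gets the forms-login ACL.
# WEBSEAL_INSTANCE stands for e.g. default-webseald-tam.your.domain.com
acl attach /WebSEAL/WEBSEAL_INSTANCE/activities  connectionsdefaultacl
acl attach /WebSEAL/WEBSEAL_INSTANCE/blogs       connectionsdefaultacl
acl attach /WebSEAL/WEBSEAL_INSTANCE/communities connectionsdefaultacl
acl attach /WebSEAL/WEBSEAL_INSTANCE/files       connectionsdefaultacl
acl attach /WebSEAL/WEBSEAL_INSTANCE/profiles    connectionsdefaultacl

# Anonymous resources the Infocenter omits
acl attach /WebSEAL/WEBSEAL_INSTANCE/activities/images          connectionsacl
acl attach /WebSEAL/WEBSEAL_INSTANCE/files/basic/anonymous/atom connectionsacl
acl attach /WebSEAL/WEBSEAL_INSTANCE/files/form/anonymous/atom  connectionsacl

# Basic-auth resources (the blogs entries exist via dynurl.conf above)
acl attach /WebSEAL/WEBSEAL_INSTANCE/blogs/blogsapi   connectionsacl
acl attach /WebSEAL/WEBSEAL_INSTANCE/blogs/blogsfeed  connectionsacl
acl attach /WebSEAL/WEBSEAL_INSTANCE/communities/dsx  connectionsacl
acl attach /WebSEAL/WEBSEAL_INSTANCE/profiles/dsx     connectionsacl

# Import the Connections admin identity (DN is a placeholder) and enable it
user import connectionsAdmin "cn=connectionsAdmin,o=example"
user modify connectionsAdmin account-valid yes

# Check where each ACL ended up before going live
acl find connectionsdefaultacl
acl find connectionsacl
```

If a feed that should be anonymous still prompts for a login, `acl find connectionsacl` is the quickest way to spot a path that inherited connectionsdefaultacl from its junction root instead.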

Big thanks to Stephen Swann for the assist (@stephenjswann) – It is now deployed live and working as expected

Quickr 8.5 Portlets for Portal 6.1.5

The new Quickr 8.5 portlets for WebSphere Portal version 6.1.5 have been released and are available via the solutions catalog on the Lotus Greenhouse.

It is very straightforward to set up: download and install the portlet and put it on a page.
Configure the Places Catalog portlet and give it your:

placeCenterServerURL – e.g. http://your server name:port
favoritesServiceURL – e.g. http://your server name:port/favourites

Edit the authentication mode to use SSO or forms:
1. Single-Sign-On, which is the recommended method. In order to use this method, Single-Sign-On must be pre-configured between the WebSphere Portal and the Lotus Quickr servers.
2. Form-based login. If Single-Sign-On is not possible, the portlet allows the end user to log in to the remote Lotus Quickr server with user name and password. These credentials are stored securely by the portlet for later use.

When using the portlet in the authenticated mode, a single post-installation step is required:

Using the Integrated Solutions Console (Websphere administrative console), find the “PA_Place_Center” enterprise application, and map the security role “All authenticated users” to all authenticated users.

Restart and away you go.

The only issue I have found with the SSO method of authentication is that, although my SSO is configured correctly between the Portal and Quickr servers and the portlet works, I see these errors in the log:

[01/07/10 08:33:17:250 BST] 00000067 LTPAServerObj E SECJ0373E: Cannot create credential for the userdue to failed validation of the LTPA token. The exception is com.ibm.ws.security.registry.UnsupportedEntryTypeException: not USER or GROUP

[01/07/10 08:33:17:281 BST] 000000a5 LTPAServerObj E SECJ0374E: The accessID in the token contains the wrong type. It should be either user or group. The exception is com.ibm.ws.security.registry.UnsupportedEntryTypeException: not USER or GROUP

A Google search finds an entry going back to WAS 6 for error SECJ0373E:

SECJ0374E: The accessID in the token contains the wrong type. It should be either user or group. The exception is {0}.
Explanation: This exception is unexpected. The cause is not immediately known.

Ahh, nice then 🙂 But it is working and is on our proof of concept / integration environment box, so we can start testing it in anger now.

Big props to Mr Dave Hay (IBM Legend) for tipping me off that it is available. I will get some screenshots up on the dilftechnical website ASAP.