Enabling secure, remote access to IBM Lotus iNotes using IBM Lotus Mobile Connect

Level: Intermediate
John Kari (jkari@us.ibm.com), Senior Software Engineer, IBM
14 Oct 2008
Learn how the IBM® Lotus® Mobile Connect clientless option can be used in conjunction with IBM Lotus
iNotes™ to gain secure, remote access to enterprise iNotes servers from devices (handhelds, laptops,
workstations) requiring access outside the bounds of their corporate intranet.

This article is intended for IBM Lotus iNotes customers who want secure, remote access to enterprise Lotus
iNotes servers from devices such as personal digital assistants (PDAs), laptops, or workstations that require
access outside the bounds of their corporate intranet. You can accomplish this in two ways with Lotus Mobile
Connect.
Lotus Mobile Connect provides a full client/server-based virtual private network (VPN) solution, for which the
Lotus Mobile Connect client is installed on various supported user platforms. For HTTP-based applications (for
example, Lotus iNotes), Lotus Mobile Connect also provides a clientless option that does not require that any
additional software is installed on the user's device; instead, it provides secure authentication through a
browser-based logon (see figure 1).
This article explains how the Lotus Mobile Connect clientless option is used in conjunction with Lotus iNotes.

Figure 1. Lotus Mobile Connect clientless option with Lotus iNotes

Why Lotus Mobile Connect?

Lotus Mobile Connect provides a Federal Information Processing Standards (FIPS) 140-2 certified platform containing
sockets layer (SSL) / transport-level security (TLS) ciphers and industry-standard authentication mechanisms. The
clientless option, that is, Lotus Mobile Connect HTTP access services, uses the same strong authentication and encry
full VPN client. HTTP access services can be configured to run simultaneously with full VPN sessions, providing a mul
access solution with a small footprint, allowing IT administrators to control the breadth of access per user.
The Lotus Mobile Connect management console, Gatekeeper, provides access to all configuration options and full con
authentication methods, security restrictions, and enterprise destinations.
How does it work?
Lotus Mobile Connect HTTP access services secure communications by forcing remote HTTP-based applications to co
standard SSL/TLS technology. SSL/TLS ciphers are configurable and can be restricted to FIPS 140-2 certified algorith
certificate validation is also available, to add an additional layer of trust to the session.
After secure communications have been established, the Connection Manager sends a form-based challenge to the r
prompting for user credentials. Credential information is form-encoded (application/x-www-form-urlencoded) and sent over the secure connection us
operation. The HTTP access services decode the information and validate it using a configurable authentication meth
Upon successful validation, the HTTP access service builds a token and sends it to the remote application using the H
operational model. The cookie contains a Lotus Mobile Connect-specific encrypted token and has the secure and sess
remote client is then expected to include the cookie containing the token in all future connect requests.
Now that the token is present in the HTTP flows, the HTTP access service opens a connection to an enterprise host a
and forth, similar to an SSL/TLS gateway.
What it's not
Lotus Mobile Connect Connection Manager's clientless support is not an HTTP proxy. It does not cache any content n
information contained in the body of the HTTP data flow. It is not an optimizer, compressor, or token reducer, and it
browser's cache. Because a secure session cookie is used, users must be sure to exit the browser session when they
application session.
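An added check, not code from the article or from Lotus Mobile Connect, that a Set-Cookie header carrying the token has the two properties the text describes: the secure attribute, and session scope (no Expires or Max-Age, so the token is discarded when the user exits the browser). The cookie name LMC_TOKEN and the sample headers are constructed placeholders, not the product's real cookie name.

```python
from http.cookies import SimpleCookie

# Constructed sample headers; LMC_TOKEN is a placeholder, not the product's real cookie name.
SAMPLE_HEADERS = {
    "as described": "LMC_TOKEN=opaque-encrypted-token; Path=/; Secure",
    "not secure": "LMC_TOKEN=opaque-encrypted-token; Path=/",
    "persistent": "LMC_TOKEN=opaque-encrypted-token; Path=/; Secure; Max-Age=86400",
}


def audit_token_cookie(set_cookie_header: str, cookie_name: str = "LMC_TOKEN") -> list[str]:
    """Return findings for the named cookie; an empty list means it matches the
    posture the article describes (secure attribute set, session scope only)."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if cookie_name not in jar:
        return [f"cookie {cookie_name!r} not present in Set-Cookie header"]
    morsel = jar[cookie_name]
    findings = []
    # 'secure' keeps the browser from ever sending the token over plain HTTP.
    if not morsel["secure"]:
        findings.append("missing secure attribute")
    # Expires or Max-Age would make the token outlive the browser session,
    # defeating the advice to exit the browser to end the application session.
    if morsel["expires"] or morsel["max-age"]:
        findings.append("persistent cookie (Expires/Max-Age set)")
    return findings


def audit_all(headers: dict[str, str]) -> dict[str, list[str]]:
    """Run the audit over a set of labelled Set-Cookie headers."""
    return {label: audit_token_cookie(h) for label, h in headers.items()}


if __name__ == "__main__":
    for label, findings in audit_all(SAMPLE_HEADERS).items():
        print(f"{label}: {findings or 'ok'}")
```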

Why Lotus iNotes?
Lotus iNotes is a Web-based application that provides access to Lotus Notes mail and personal information managem
from a standard Web browser. Because browsers use HTTP as the primary transport, this application can leverage Lo
clientless option to gain access to the mail databases located within the corporate intranet from a supported browser
Lotus iNotes, previously known as IBM Lotus Domino® Web Access, supports three different usage modes. Full mod
feature set and is intended to be used when bandwidth is not a concern. It is the preferred mode to use from dedica
high-speed network connection to the mail server. In Lotus Domino releases earlier than version 8.0.1, full mode wa
includes the following major functional areas:

• Welcome page (a customizable home page)
• Mail
• Calendar
• Contacts
• To-do
• Notebook

Lotus iNotes also supports both Lotus Notes-style and S/MIME encryption and a cache-scrubbing capability for certai
conjunction with a Lotus Sametime® server, it offers integrated instant messaging and presence awareness. Lotus iN
near-full-featured offline capability and local archiving using Domino Off-Line Services (DOLS). When deployed with
Unified Communications offering, it also provides various unified communications features.
Lite mode, which premiered with Lotus Domino 8.0.1, is a feature-reduced version that's been optimized for bandwid
environments. Its initial release supports only the Mail function and some limited access to Calendar data using a sid
provides a rich user experience that leverages the latest Asynchronous JavaScript™ and XML (AJAX) techniques. The
even more consistent with the Lotus Notes rich client offering.
Ultralite mode was introduced in Lotus Domino 8.0.2 and is designed for browsers on the latest narrow-width mobile
release supports the Apple iPhone and iPod Touch devices. The UI fully abides by Apple's recommended guidelines fo
Ultralite mode leverages the least amount of script and is designed to function from script-disabled browsers.

Architecture
Let's examine the architecture of the two product components involved here, Lotus Mobile Connect and Lotus iNotes
Lotus Mobile Connect HTTP access services
Connection Manager's HTTP access services provide an SSL/TLS gateway function for HTTP communications from an
client data stream, such as a Web browser. The connection provides access to Web-based services and content in th
requiring the presence of a VPN client. The session is secured by use of SSL/TLS and can be restricted to permit con
specified hosts or address ranges.
HTTP access services is a subsystem within Lotus Mobile Connect that is responsible for applying set configuratio
connection requests and data traffic. This subsystem is responsible for enforcing security, validating access, generati
and relaying traffic to the intended enterprise-located servers.
SSL/TLS
Connection Manager's HTTP access services use SSL or TLS when communicating with the browser or client applicati
version 3 of the SSL protocol are supported, and the following algorithms are supported:

• Public key algorithms
  o RSA (1024-, 768-, or 512-bit keys)
• Symmetric key algorithms
  o DES (56-bit key)
  o Triple DES (168-bit key)
  o RC4 (40-, 56-, or 128-bit keys)
• Message authentication codes
  o SHA-1
  o MD5

X.509 certificates can provide authentication for the SSL/TLS communications. These certificates, along with root ce
other party's certificate, are stored in a key database that is installed with Connection Manager. The Connection Man
configure the source of this database, using the Gatekeeper administration console. The administrator can also confi
certificates and client-side certificates, using the administration interface of the SSL toolkit, IBM Key Management.
Lotus Mobile Connect supports restricting the SSL/TLS ciphers to those that are FIPS 140-2 approved and supports d
requests that support only SSL/TLS version 2 ciphers.
Authentication
The HTTP access services authenticate each secure HTTP connection, checking the data stream for valid user creden
configurable form-based challenge is issued to prompt for a valid user ID and password. This function uses authentic
algorithms available to all components of Lotus Mobile Connect.
Authentication methods are resource containers defining how Lotus Mobile Connect challenges for and validates rem
Lotus Mobile Connect supports methods for validating credentials with the following:

• LDAP V3-compliant directory servers
• RADIUS protocol servers
• RSA SecurID including next-token support
• X.509 certificate exchange
• Lotus Mobile Connect system user accounts

For more information on authentication methods, refer to the Administrator's guide in the Lotus Mobile Connect Info
Single Sign-On (SSO)
HTTP access services can enable SSO through Lightweight Third Party Authentication (LTPA). LTPA provides a mecha
authentication information in a token that is generated when users are successfully authenticated with Connection M
encrypted and signed by use of a password and a public/private key pair, stored in an HTTP cookie, and included in a
configured SSO domain.
The LTPA keys are shared with other LTPA-enabled servers within the same domain, so the servers can validate the t
user requests instead of challenging the user. LTPA tokens include a configurable expiration timestamp; after the tok
authentication challenge is issued.
The LTPA token is used in place of the Lotus Mobile Connect-specific token and is sent to the HTTP client application
cookie, using the Set-Cookie directive. HTTP clients include this token in all future HTTP requests.
HTTP access services resource
The HTTP access services resource contains information telling Lotus Mobile Connect how to authenticate users and
the back-end server. Each HTTP access services resource can send traffic to a single application server or proxy. The
configuring access to multiple backend application servers:

• Use a transcoding reverse proxy. This option allows a reverse proxy to route traffic to the appropriate destin
information contained in the target URL.
• Assign different listen ports to each HTTP access services resource definition. Since each HTTP access servic
configured to send traffic to a different back-end server or proxy, configure each service to listen on a differ
know this port and to add it to the URL request, for example, https://inotes.xyz.com:12345.
• Use multiple Internet protocol addresses. The HTTP access services configuration includes the ability to bind
specific IP address. This way, there can be multiple HTTP access services resources listening on the same se
is necessary for applications that expect to use standard HTTP ports 80 and 443. The URL to the user simply
host names, for example, https://inotes1.example.com, https://inotes2.example.com.

Configurable form-based challenge

The challenge page has three configurable sections: a title bar, Message of the Day, and a Copyright section (see fig
are configured by use of the HTML files loaded by the Connection Manager and are stored in the appropriate locale-r

Figure 2. Challenge page

When you enter a user ID and password and click the Login button, the browser generates a URL-encoded POST ope
entered fields along with hidden fields containing information about the session.
It's possible for HTTP-based applications to answer the challenge without the need to display the page to the user. Y
the Lotus Mobile Connect challenge by querying the Server token in the HTTP header.
Lotus iNotes
Lotus iNotes is installed as part of a Lotus Domino server installation, as long as the option Lotus iNotes is not desel
custom installation. For more details about installing and configuring Lotus iNotes, consult the Lotus Domino Adminis

Configuration
Enabling access to Lotus iNotes using HTTP access services requires architecture decisions and configuration steps fo
This section describes options and requirements for each of the components.
Lotus iNotes
For each of the Lotus iNotes servers accessed by Lotus Mobile Connect, the internal network address or host name a
required to properly configure the Lotus Mobile Connect HTTP access service. If you want an encrypted pipe between
Lotus Mobile Connect servers, you need to import a certificate in PKCS12 format for each of the Lotus iNotes servers
for Lotus Mobile Connect.
Lotus Mobile Connect
Configuring Lotus Mobile Connect involves setting up authentication methods and defining one or more instances of
service resource. This section includes screen captures taken from the Lotus Mobile Connect management console G
Authentication methods
For the purposes of this example, only the LDAP-bind method is profiled. For additional information on this and othe
see Lotus Mobile Connect Version 6.1.2 Administrator's Guide in the Lotus Mobile Connect documentation. See Resou
For LDAP-bind methods, the first step is to define a resource containing information on how to access an LDAP V3-co
service:

1. Using Gatekeeper, right-click a top-level folder such as System or Default Resources, and select Add resourc
The window in figure 3 displays.

Figure 3. Specifying a directory server

o In the Common name field, enter the free-form name of the resource.
o In the Host name or IP address field, enter the host name or IP address of the directory server.
o In the Base distinguished name field, enter the base search suffix for finding user accounts.
2. Click Next; the window in figure 4 displays.

Figure 4. Second screen for adding a directory server

o In the Port number of service field, enter the port number that the directory service is listening on.
o The Administrator's distinguished name (DN) field is optional; it is required if the directory service
anonymous bind and lookup operations.
o You must enter your password in the Enter the password field if the administrator DN is set.
o The Use secure connection section requires the use of SSL/TLS when connecting to the directory se
authentication functions. (NOTE: when this option is not enabled, user credentials can be sent in cl
Lotus Mobile Connect Connection Manager and directory services server.)
  ▪ In the File name of key database field, enter PKCS12 kdb file to validate certificate authorit
directory server is using a self-signed certificate, the certificate needs to be exported in PKC
imported into the kdb file to pass verification checks.)
  ▪ In the File name of stash password field, enter the PKCS12 kdb stash file that contains pas
kdb file.
  ▪ In the Secure port field, enter the port number that the directory service is listening on for
The default port number for LDAP over SSL/TLS (LDAPS) is 636.
3. Define an LDAP-bind authentication method that uses the directory services resource defined in the previou
right-click the same top-level container as you did in the previous step, and select Add Resource - Authentic
bind authentication. The window shown in figure 5 opens.

Figure 5. Defining the LDAP-bind authentication method

o Do not select the Request Windows credentials field; it applies only to Mobility Client sessions.
o In the Common name field, enter the free-form text string that represents the resource.
o In the Description field, enter the free-form text string that describes the method.
o In the Backup authentication profile field, select the backup authentication method to try if this met
server connectivity issues.
o The Password Policy, Challenge string, Include realm, and Default realm fields are not applicable
4. Click Next; the window shown in figure 6 displays.

Figure 6. Specifying the directory server from which to authenticate clients

o In the Directory Server field, select the directory server defined in the previous step.
o In the User key field, enter the attribute used in the attribute=value search string, where the value
User ID from the credential challenge presented to the remote user. The default value is mail.
o The LDAP attribute used for lock status field is optional. This value is the attribute name that the Co
to query the directory server, after a log-in fails to determine if a user account is locked. If the Conn
determines that the account has been locked, a specific error message is sent to the remote user in
o The Additional search criteria field specifies a text string to use in LDAP search filters as defined in R
used in conjunction with the User key field. For example, when the value of the User key field is ma
field is (employeeStatus=active), the search string becomes a logical operation of the user's email a
employee status, for example, (&(mail=user@xyz.com)(employeeStatus=active)).
o The Maximum number of processing threads field shows the number of threads used to perform LD
operations. This value depends on your particular user model. Because LDAP lookups can take 300
generally a good idea to enable multiple threads to allow simultaneous lookups to occur.
o The Restricted session filters field is not applicable.
5. Click Next; the window shown in figure 7 displays.

Figure 7. Specifying whether Connection Manager uses LTPA and SSO

o Select the Enable LTPA option to enable LTPA token generation for use in SSO.
o In the LTPA Token Lifetime field, enter the length of time in minutes that the token is valid.
o Select the Enable SSO option.
o In the SSO Domain field, enter the DNS domain within which the SSO is applied.
o Select the Enable SSO over SSL connections only option only in connections using the SSL/TLS tran
o In the Service port to include in LTPA token field, specify the port number to use in the LTPA token i
secure communications between Lotus Mobile Connect and the enterprise application server.
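The search filter described in step 4, as an added example that is not code from the article or from Lotus Mobile Connect: it forms the attribute=value term from the User key and the User ID entered on the challenge page, ANDs it with the Additional search criteria, and escapes the user-typed value per RFC 4515 so that filter metacharacters in a login name cannot change the query's structure. The function names and the escaping step are my additions; the product's own implementation is not shown on the page.

```python
# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied assertion value so it cannot alter the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_bind_search_filter(user_key: str, user_id: str, additional_criteria: str = "") -> str:
    """Build the filter used to locate the account whose DN the LDAP bind will use.

    user_key            -- attribute named in the User key field (the article's default: mail)
    user_id             -- the User ID typed into the challenge page; treated as untrusted
    additional_criteria -- administrator-supplied fragment from the Additional search criteria
                           field, e.g. '(employeeStatus=active)'
    """
    # The attribute name comes from the administrator, but still restrict it to an
    # LDAP attribute description (letters, digits, '-', '.' and ';' for options).
    if not user_key or not all(c.isalnum() or c in "-.;" for c in user_key):
        raise ValueError(f"invalid LDAP attribute description: {user_key!r}")
    term = f"({user_key}={escape_filter_value(user_id)})"
    criteria = additional_criteria.strip()
    if not criteria:
        return term
    if not (criteria.startswith("(") and criteria.endswith(")")):
        raise ValueError("additional search criteria must be a parenthesised RFC 4515 filter")
    # Logical AND of the user term and the administrator's criteria, as the article describes.
    return f"(&{term}{criteria})"


if __name__ == "__main__":
    print(build_bind_search_filter("mail", "user@xyz.com", "(employeeStatus=active)"))
    # A wildcard typed as the User ID stays a literal character rather than matching every entry.
    print(build_bind_search_filter("mail", "*", "(employeeStatus=active)"))
```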

Also, note that the following attributes are available through the Properties panels after resource creation:

• Automatically create accounts for new users. The Lotus Mobile Connect Connection Manager requires pseud
accounts to store certain Lotus Mobile Connect-only attributes. This attribute determines if these pseudo-rec
a user to log in or if Lotus Mobile Connect creates the pseudo-record on first login. Requiring pseudo-record
security measure.
• Perform additional DN validation. This feature, which requires LDAP group membership, allows Lotus Mobile
user's membership in a specific group before allowing access.
• Directory server. This feature validates group membership against a different directory server definition.
• Search attribute. This attribute is used to pair with the user's DN when performing the group validation.
• Syntax / filter. This feature is the definition of the search filter for group validation. This setting must be in L
See Gatekeeper tip help for more information.
• Maximum idle time. Idle time authentication waits for a response before timing out and trying a backup met
• Timeout for authentication. This value specifies the time to wait for authentication challenge responses befo
session.
HTTP access service resources
Follow these steps to add an HTTP access service resource:

1. To add an HTTP access service resource, right-click the Connection Manager resource, and select Add - HTTP
window shown in figure 8 displays.

Figure 8. Adding an HTTP access service

o In the Service URL field, enter the text string matching the URL contained in the certificate used to
o In the TCP Port to listen on field, enter the TCP port that the service is listening on for access reque
SSL default of 443.
o In the Description field, enter the free-form text description of the service.
o In the Current state field, select the state of the service. Active state means the Connection Manage
service; defined is equivalent to down, in which case the Connection Manager does not start the ser
unreachable.
2. Click Next; the window shown in figure 9 displays.

Figure 9. Specifying operational mode of the HTTP access service

o In the HTTP Proxy address field, enter the host name or IP address of a reverse proxy or application
authenticated traffic.
o In the HTTP Proxy port field, enter the TCP port on the proxy or application server to forward authenticated
o Select the Require SSL to proxy option to require SSL/TLS between the Lotus Mobile Connect serve
application server.
o In the Authentication Profile field, enter the authentication method to use to validate remote user c
o If the SSO Domain option is set, this value overrides what is set in the authentication method. If it
authentication method properties are used.
3. Click Next; the window shown in figure 10 displays.

Figure 10. Specifying the maximum number of threads and idle time

o In the Maximum number of processing threads field, enter the number of simultaneous processing t
simultaneous sessions and number of processors are considerations for setting this value. The recom
two-processor system with 1000 simultaneous sessions is 5.
o In the Maximum idle time field, enter the maximum time that a session can be idle before the Conn
the session's authentication token, forcing the client to re-authorize.
o Select the Bind port to a specific address option to configure the service to be bound to a specific In
doing this binding, multiple HTTP access services resources can be configured to listen on the same
for different back-end servers to be used based on the Internet address of the initial request. Multip
assigned to a single network interface using IP aliasing.
o In the Address to bind to field, enter the Internet address or host name to bind the service to.

Conclusion
Today's work force is becoming increasingly mobile. Enterprises need to extend the reach of email and PIM applicatio
browser access through both enterprise-provided and publicly available mobile devices, laptops, and workstations.
Lotus iNotes as a Web-based application and Lotus Mobile Connect for secure remote access provides Lotus Notes cu
feature- and security-rich solution for meeting this critical business need.