04/28/2016 Why am I keeping this ?This is obsolete like hell
04/17/2013 APPU—–NOTE THIS IS OUTDATED INFORMATION BUT SETUP WISE IT WILL HELP.
IF YOU ARE ON A UPDATE LEVEL 9 AND UP YOUR EXPERIENCES WILL GREATLY BE IMPRESSED
IF YOU ARE A NOVICE TO INTEGRATED WINDOWS AUTHENTICATION (IF YOU RUN LIVELINK IN WINDOWS IIS AND USE AD FOR THAT)LEARN THAT FROM THE WEB AND UNDERSTAND THAT LIVELINK USES THAT UNDER THE COVERS(OSCRIPT CODE IN DIRECTORY SERVICES MODULE) TO GRANT YOU SINGLE SIGN ON.I AM YET TO TRY MY HANDS ON JAVA BASED OTDS(RCS) BASED DIRECTORY SERVICES
Many users who know me from my contributions ask me to write code that helps with their livelink problems.In many cases it is very new programmers who get assigned to write these.They expect almost without success to find snippets of livelink webservice code thru google etc.I have not frankly understood programmer hurry like this but when you program it does not hurt to put a rational outline on what you are trying to do.In any case OT official dom is very notorious for non hand holding.In fact when I first started writing Dr Lapi I seriously doubt if there was a working sample of lapi code you could find in the web.Now that they have started to tell people not to use LAPI they need to put a lot of working examples as a livelink implementation can become very complicated over years of use and maturity.Also customization can alter ways of its working.
SSO or single sign on is not impersonation in livelink.If you have a ID in livelink with System Admin privileges it is very easy to gain access to livelink and do things as another user.While that sounds very insecure the actions are all audited.It is available in Unix,MS and many other applications hence impersonation is nothing to be considered as lowly.However I take exception when you advertise impersonation as SSO.
SSO is mostly applied to a company Intranet.When people and computers need to be managed they would employ a directory server which usually understands the LDAP protocol.In MS centred organization you would hear as Active Directory,in novell it is NDS,in IBM it may be a Domino or is it Tivoli? server,in SUN /ORACLE places it could be their ldap server.When you sign into a domain held computer unbeknownst to you you have established a trust between your device and the company network.So any other application need to trust you for what you are.that is proper SSO.In web application when you hit a IWA enabled website your browser exchanges a 401 challenge which when successful will populate certain environment variables the famous one REMOTE_USER.In a proper livelink SSO exchange we take that env variable and sign you in.In the livelink database such a user would be called a ‘Externally Authenticated’ user.
Well here’s how I got my CS10 Update 6 VM working with SSO code.I write a long word document detailing my challenges but this is the best short way I can give to the community.My research material is uploaded in the communities web site.In retrospect OT is expecting you to use the OTDS java web server maybe to get applications to integrate.That is when you hear terms such as RCS etc.
- I configured otdsintegration to use webserver authentication.Meaning otdsintegration oscript module allows you a radio button to do web server authentication.I did not configure OTDS(RCS) as I do not have a domain and AD in my VM.
- I made the IIS VD for livelink IWA
- I checked whether I could login as my domain user in my case my user called ‘Administrator’ I verified what admin.testargs passed in to me
- I downloaded old directory services code and installed it luckily there was aversion for CS10.I had to because the otdsintegration module gets you web authentication but not web services authentication.
- I put my computer on IPv4 to first test it
- I made these changes to my opentext.ini
- #REM when you install directory services module you can get this ospace
#REM when IPV6 is installed the crazy looking things is a oscript bug and its defeat by me found thru builder
CGIHosts=::ffff:127.0.0.1,fe80::2d54:a6cb:b5d2:b145%11 I think the code is looking for socket.pPeeraddress
- which is the address of the client in fact they should not do that but in IPv4 it is all OK
#REM127.0.0.1 is added by livelink code but the computers IPv4 address
- the Web.Config changed for NTLM for the livelink webservices application
CLIENT CODE C# SETUP
- App.Config reflected to the same NTLM auth as in Web.Config
- Added System.IO
- That is about it.
Client stack traces are almost impossible to understand unless you understood livelink code.Since I understood it and was able to understand what they were doing I am providing this.Your setup could vary I have no clue.
Link 1-Interested programmers could see my setup for CS10U6 here—
Link2-The C# solution containing a basic piece of code Kyle Swidrowich Created which I repurposed 🙂
Link3-Livelink Web.Config tthat you have to do for webservices
Link4-My experience when Livelink was 9.7.1wanted to write SSO code
2 thoughts on “Single Sign On and Content Web Services for a livelink server”
Great stuff, thanks for sharing as always, Appu. admin.testargs is a hidden gem of a RH, I found it via one of your KC discussions and found it to be immensely useful for troubleshooting.
Thanks whenever I embark on a livelink SSO thing I use a simple asp or aspx file that I find on the web to spit out environment variables.Many people forget after all the web server is responsible for some of the things that are being talked here.With the OTDS in place IMHO what OT is doing is to provide to the customer a one stop solution which can be configured albeit by a livelink admin/installer who if they can understand what is being said will work out of the box.I don’t think the Directory Servics oscript module will continue especially now since you don’t need that module to do web server authentication at least for bowsr based users.