IBM Software Group
IBM FileNet P8
Configuring Tivoli Access Manager (TAM), SiteMinder, and Kerberos Single Sign-On (SSO) for Business Process Framework (BPF) 4.1
Technical Notice
Version 1.2
March 2011
© 2009 IBM Corporation
Revision Log
| Version | Date | History |
| 1.0 | 2/23/2009 | This is the original version of the document. |
| 1.1 | 5/5/2009 | Updated to include procedures for SiteMinder with WebSphere, TAM with WebLogic, and Kerberos with WebLogic. |
| 1.2 | 3/24/2011 | Procedural corrections: added a step to create a folder called containerSecured; modified the filter and security constraint definitions. |
Contents
Introduction
   Abstract
   Audience
   Typographical Conventions
Section 1: Configure Tivoli Access Manager (TAM) SSO
   Introduction
   Prerequisites
   Overview of the Configuration Process
   Procedure
      Update the BPF web.xml File
      (WebLogic Only) Update the BPF weblogic.xml File
      Modify the Bp8ExtTasks.xml File
      Redeploy the BPF Web Application
      (WAS Only) Configure the WAS Security Mappings
      Modify the Workplace Configuration Files
      (WAS Only) Update the Security Constraints in the Workplace web.xml File
      (WAS Only) Redeploy the Workplace Application
      Restart the Workplace Application
      Restart the BPF Web Application
Section 2: Configure SiteMinder SSO
   Introduction
   Prerequisites
   Overview of the Configuration Process
   Procedure
      Update the BPF web.xml File
      (WebLogic Only) Update the BPF weblogic.xml File
      Modify the Bp8ExtTasks.xml File
      Redeploy the BPF Web Application
      (WAS Only) Configure the WAS Security Mappings
      Modify the Workplace Configuration Files
      (WAS Only) Update the Security Constraints in the Workplace web.xml File
      (WAS Only) Redeploy the Workplace Application
      Restart the Workplace Application
      Restart the BPF Web Application
Section 3: Configure Kerberos SSO
   Introduction
   Prerequisites
   Overview of the Configuration Process
   Procedure
      Update the BPF web.xml File
      (WebLogic Only) Update the BPF weblogic.xml File
      Modify the Bp8ExtTasks.xml File
      Redeploy the BPF Web Application
      (WAS Only) Configure the WAS Security Mappings
      Modify the Workplace Configuration Files
      (WAS Only) Update the Security Constraints in the Workplace web.xml File
      (WAS Only) Redeploy the Workplace Application
      Restart the Workplace Application
      Restart the BPF Web Application
Introduction
Abstract
This Technical Notice provides procedural information on how to configure BPF 4.1 with three
single sign-on (SSO) technologies: Tivoli® Access Manager (TAM), Kerberos, and SiteMinder.
Each type of SSO configuration is described in a separate section.
Audience
This Technical Notice is intended for support personnel who install and configure BPF
environments.
Typographical conventions
This Technical Notice uses the following typographical conventions.
| Convention | Usage | Example |
| | Text to be inserted by the user. | Add <url-pattern>/Bp8ViewActions.jsp</url-pattern> to the <security-constraint> section of the Workplace web.xml file |
| | Interface controls | Ensure that the All Authenticated? check box is selected. |
| | Folder names that can vary based on installation | Store this copy outside the Workplace Installed folder folder. |
| | File names and paths | Update the BPF web.xml file |
| Monospace | Code and XML samples | <parameter NAME='ut'> ... </parameter> |
| <> (Angle brackets) | XML tags | Copy the following <filter> elements into the file. |
| Bold | | |
| Italic | | |
Section 1: Configure Tivoli Access Manager (TAM) SSO
Introduction
This section describes how to configure BPF 4.1 for use in an SSO environment with Tivoli Access
Manager (TAM) and either WebSphere® Application Server (WAS) or WebLogic Application
Server.
For clarity, the examples in this section assume that the environment being configured has two
servers that are configured as follows.
SSO Server: vmad.msad.ibm.com
| Component | Type and Minimum Software Levels |
| Operating System | Windows 2003 SP2 |
| LDAP Server | Windows Active Directory |
| Application Server | WebSphere 6.1 or WebLogic 8.1 |
| FileNet P8 Components | Content Engine 4.0.1-006; Process Engine 4.0.3-000.004; Application Engine 4.0.1-005; BPF 4.1-002; eForms 4.0.1-005 (optional) |
| Workplace URL | http://tamvm.msad.ibm.com/filenet/Workplace |
| BPF URL | http://tamvm.msad.ibm.com/filenet/bpf |

SSO-TAM Server: tamvm.msad.ibm.com
| Component | Type and Minimum Software Levels |
| Operating System | Windows 2003 SP2 |
| TAM Version | 6.1 |
| TAM Components | TAM Policy Server; TAM Policy Proxy Server; TAM Authorization Server; TAM WebSEAL; TAM Web Portal Manager |
Prerequisites
Before you begin configuring BPF 4.1, ensure that the following preparatory tasks have been
completed:
1. BPF 4.1.0-002 is installed and functioning correctly with WebSphere 6.1 or WebLogic 8.1.
   For information on installing BPF 4.1, refer to the BPF 4.1 Installation Guide.
2. TAM 6.1 is installed and functioning correctly.
   On the TAM server, make sure the following services are started:
   o Access Manager Authorization Server
   o Access Manager Auto-Start Service
   o Access Manager Policy Proxy Server
   o Access Manager Policy Server
   o Access Manager WebSEAL-default
3. Workplace is configured for use with TAM SSO.
   To validate that Workplace is configured correctly, ensure
   o You are not prompted to log in when accessing Workplace.
   o You can access the appropriate pages and documents.
   For information on installing Workplace for use with SSO, refer to the FileNet P8 Platform
   Installation and Upgrade Guide.
Overview of the Configuration Process
To configure BPF for use with TAM SSO, perform the following tasks. For detailed instructions
for performing these tasks, see Procedure.
1. Update the BPF web.xml file to
   o Add filters.
   o Configure security constraints.
2. (WebLogic only) Update the BPF weblogic.xml file.
3. Modify the BPF Bp8ExtTasks.xml file to comment out the user token parameter.
4. Redeploy the BPF Web application.
5. (WAS only) Configure the WebSphere security mappings.
6. Update the BPF URL in the following Workplace configuration files:
   o Actions.xml
   o Infopages.xml
7. (WAS only) Update the security constraints section of the Workplace web.xml file.
8. (WAS only) Redeploy the Workplace application.
9. Restart the Workplace application.
10. Restart the BPF Web application.
After the configuration steps are complete, verify that the SSO configuration is working correctly
by initiating the BPF Web application and ensuring that
   o You are not prompted to log in when accessing the application.
   o You can access the inbaskets.
Procedure
Update the BPF web.xml File
The BPF web.xml file is in the folder
BPF Installed folder\WEB-INF
Note: If BPF is installed as an EAR file or a WAR file, unbundle the EAR or WAR file, modify
the web.xml file, and then rebundle the EAR or WAR file.
To update the BPF web.xml file, complete the following steps:
1. Make a backup copy of the web.xml file and store this copy outside the BPF Installed
folder folder.
2. Create a folder named BPF Installed folder\containerSecured.
3. Copy the Return.jsp file from Workplace Installed
folder\containerSecured to BPF Installed folder\containerSecured.
4. Modify the BPF web.xml file to define the filters and the security constraints as follows:
a. Copy the following <filter> elements into the file. Place the <filter> elements after the
<context-param> element and before the <listener> and <servlet> elements.
<filter>
  <filter-name>ContainerBasedFilter</filter-name>
  <filter-class>
    com.filenet.ae.toolkit.server.servlet.filter.ContainerBasedFilter
  </filter-class>
  <!-- Set the challengeProxyEnabled parameter to false if
       deployment is on WebSphere -->
  <!-- Set the challengeProxyEnabled parameter to true if deployment
       is on WebLogic -->
  <init-param>
    <param-name>challengeProxyEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>challengeProxyURI</param-name>
    <param-value>containerSecured/Return.jsp</param-value>
  </init-param>
  <init-param>
    <param-name>perimeterChallengeMode</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>ssoProxyContextPath</param-name>
    <param-value>/filenet/bpf</param-value>
  </init-param>
  <init-param>
    <param-name>ssoProxyHost</param-name>
    <param-value>tamvm.msad.ibm.com</param-value>
  </init-param>
  <init-param>
    <param-name>ssoProxyPort</param-name>
    <param-value>80</param-value>
  </init-param>
  <init-param>
    <param-name>ssoProxySSLPort</param-name>
    <param-value>443</param-value>
  </init-param>
</filter>
<filter>
  <filter-name>AE PreprocessorFilter</filter-name>
  <filter-class>
    com.filenet.ae.toolkit.server.servlet.filter.PreprocessorFilter
  </filter-class>
  <init-param>
    <param-name>challenge</param-name>
    <param-value>false</param-value>
  </init-param>
  <init-param>
    <param-name>exclude</param-name>
    <param-value>
      /css/*,
      /img/*,
      /js/*,
      /UI-INF/*,
      /Bp8Error.jsp
    </param-value>
  </init-param>
</filter>
<filter>
  <filter-name>AE PostprocessorFilter</filter-name>
  <filter-class>
    com.filenet.ae.toolkit.server.servlet.filter.PostprocessorFilter
  </filter-class>
</filter>
<filter-mapping>
  <filter-name>AE PreprocessorFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>ContainerBasedFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>AE PostprocessorFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
b. In the <filter> element ContainerBasedFilter, modify the values of the following
parameters so that BPF will generate URLs that refer to the TAM server instead of to the
server on which BPF is located:
   o ssoProxyContextPath
   o ssoProxyHost
   o ssoProxyPort
   o ssoProxySSLPort
Set the parameter values according to the environment settings as follows:
   o Set the ssoProxyHost, ssoProxyPort, and ssoProxySSLPort
     parameters to the values used for these parameters in the Workplace web.xml file
     for the <filter> element ContainerBasedFilter. The Workplace web.xml
     file is located in the Workplace Deployed folder\WEB-INF folder.
   o The ssoProxyContextPath parameter consists of two parts: the junction
     name and the deployed application name. For example, if the junction name is
     filenet and the deployed application name is BPF, the value for the
     ssoProxyContextPath parameter is
        /filenet/BPF
     Set the ssoProxyContextPath parameter to use the same junction name as
     Workplace followed by the name of the deployed BPF web application.
     Refer to the ssoProxyContextPath parameter setting in the Workplace
     Deployed folder\WEB-INF\web.xml file to determine the correct
     junction name.
After you configure BPF with TAM SSO, the BPF URL should be
   http://ssoProxyHost/ssoProxyContextPath
c. Copy the following <security-constraint>, <login-config>, and <security-role> elements
after the <welcome-file-list> element.
WAS Example
<security-constraint>
  <web-resource-collection>
    <web-resource-name>action</web-resource-name>
    <description>
      Define the container secured resource
    </description>
    <url-pattern>/containerSecured/*</url-pattern>
    <url-pattern>/</url-pattern>
    <url-pattern>/Bp8Admin.jsp</url-pattern>
    <url-pattern>/Bp8AttachIFrameEntry.jsp</url-pattern>
    <url-pattern>/Bp8Bootstrap.jsp</url-pattern>
    <url-pattern>/Bp8BulkIFrameEntry.jsp</url-pattern>
    <url-pattern>/Bp8Calendar.jsp</url-pattern>
    <url-pattern>/Bp8CloseWindow.jsp</url-pattern>
    <url-pattern>/Bp8Default.jsp</url-pattern>
    <url-pattern>/Bp8Dialog.jsp</url-pattern>
    <url-pattern>/Bp8Editor.jsp</url-pattern>
    <url-pattern>/Bp8Error.jsp</url-pattern>
    <url-pattern>/Bp8ExecuteOperation.jsp</url-pattern>
    <url-pattern>/Bp8InitialError.jsp</url-pattern>
    <url-pattern>/Bp8Main.jsp</url-pattern>
    <url-pattern>/Bp8ModeWindow.jsp</url-pattern>
    <url-pattern>/Bp8PrintPreview.jsp</url-pattern>
    <url-pattern>/Bp8RemoteCallSingIn.jsp</url-pattern>
    <url-pattern>/Bp8SampleHelp.jsp</url-pattern>
    <url-pattern>/Bp8SignIn.jsp</url-pattern>
    <url-pattern>/Bp8SignOut.jsp</url-pattern>
    <url-pattern>/Bp8Start.jsp</url-pattern>
    <url-pattern>/Bp8ViewerDocs.jsp</url-pattern>
    <url-pattern>/Bp8ViewerFrameset.jsp</url-pattern>
    <url-pattern>/Bp8ViewerModule.jsp</url-pattern>
    <url-pattern>/Bp8WPDefaultAnswer.jsp</url-pattern>
    <url-pattern>/Confirmation.jsp</url-pattern>
    <url-pattern>/ExtCommand.jsp</url-pattern>
    <url-pattern>/IntegrationWebBasedHelp.jsp</url-pattern>
    <url-pattern>/Lookup.jsp</url-pattern>
    <url-pattern>/OpenLayoutPopUp.jsp</url-pattern>
    <url-pattern>/RegisterModulePopUp.jsp</url-pattern>
    <url-pattern>/RegisterZoneStylePopUp.jsp</url-pattern>
    <url-pattern>/responseResult.jsp</url-pattern>
    <url-pattern>/SaveLayoutPopUp.jsp</url-pattern>
    <url-pattern>/ToolRedirect.jsp</url-pattern>
    <url-pattern>/UserPreferences.jsp</url-pattern>
    <url-pattern>/UserPrefs.jsp</url-pattern>
    <url-pattern>/ViewAssignedRolesPopUp.jsp</url-pattern>
    <url-pattern>/WcmCloseWindow.jsp</url-pattern>
    <url-pattern>/inc/Bp8Header.jsp</url-pattern>
    <url-pattern>/inc/Bp8InitHead.jsp</url-pattern>
    <url-pattern>
      /plugins/tabs/attachment/Bp8AttachmentsTab.jsp
    </url-pattern>
    <url-pattern>
      /plugins/tabs/attachment/ui/Bp8AttachmentsTab.jsp
    </url-pattern>
    <url-pattern>
      /plugins/tabs/eForms/Bp8DocumentForm.jsp
    </url-pattern>
    <url-pattern>
      /plugins/tabs/eForms/NoCaseAttached.jsp
    </url-pattern>
    <url-pattern>
      /plugins/tabs/eForms/ui/Bp8DocumentForm.jsp
    </url-pattern>
    <url-pattern>
      /plugins/tabs/table/TableTab.jsp
    </url-pattern>
    <url-pattern>
      /plugins/tabs/table/ui/TableTab.jsp
    </url-pattern>
    <url-pattern>/plugins/tools/*</url-pattern>
    <url-pattern>/UI-INF/*</url-pattern>
    <url-pattern>/addDocument/*</url-pattern>
    <url-pattern>/picklistLookup/*</url-pattern>
    <url-pattern>/upload/*</url-pattern>
    <url-pattern>/downloadProxy</url-pattern>
    <url-pattern>/uploadProxy</url-pattern>
    <url-pattern>/setBp8Credentials/*</url-pattern>
    <url-pattern>/dispatchAction/*</url-pattern>
    <url-pattern>/createCase/*</url-pattern>
    <url-pattern>/saveTableTab</url-pattern>
    <url-pattern>/wpcommandquery/*</url-pattern>
    <url-pattern>/reactivateCase/*</url-pattern>
    <url-pattern>/Bp8IntegrationServlet</url-pattern>
    <url-pattern>/BpfFormServlet</url-pattern>
    <url-pattern>/getFormTemplate/*</url-pattern>
    <url-pattern>/formCallback/*</url-pattern>
    <url-pattern>/setCredentials</url-pattern>
    <url-pattern>/Bp8DesignerServlet</url-pattern>
    <url-pattern>/Bp8CaseOperation</url-pattern>
  </web-resource-collection>
  <auth-constraint id="AuthConstraint_1">
    <description>All Authenticated users</description>
    <role-name>All Authenticated</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>User data constraints</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role id="SecurityRole_1">
  <description>All Authenticated Users Role.</description>
  <role-name>All Authenticated</role-name>
</security-role>
WebLogic Example
<security-constraint>
  <web-resource-collection>
    <web-resource-name>action</web-resource-name>
    <description>
      Define the container secured resource
    </description>
    <url-pattern>/containerSecured/*</url-pattern>
  </web-resource-collection>
  <auth-constraint id="AuthConstraint_1">
    <description>All Authenticated users</description>
    <role-name>smgroup</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>User data constraints</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role id="SecurityRole_1">
  <description>All Authenticated Users Role.</description>
  <role-name>smgroup</role-name>
</security-role>
Note: The security-role role name in the BPF web.xml must be the same as the one in the
Workplace web.xml.
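The following consistency check is an added example; it is not part of the original Technical Notice or of any FileNet tooling. It compares the ContainerBasedFilter parameters, the /containerSecured/* constraint, and the security-role names of a BPF web.xml against the Workplace web.xml, as steps 4b and 4c and the Note above require. The function names and the two minimal descriptors are constructed for illustration; the host names are the ones used in this section.

```python
import xml.etree.ElementTree as ET

PROXY_PARAMS = ("ssoProxyHost", "ssoProxyPort", "ssoProxySSLPort")
# Value that the comments in the sample <filter> element give for each application server.
CHALLENGE_PROXY = {"websphere": "false", "weblogic": "true"}


def _name(elem):
    """Tag name without a namespace, in case the descriptor declares one."""
    return elem.tag.rsplit("}", 1)[-1]


def _find_all(root, name):
    return [e for e in root.iter() if _name(e) == name]


def _child_text(elem, name):
    for child in elem:
        if _name(child) == name:
            return (child.text or "").strip()
    return None


def sso_params(root):
    """init-param name/value pairs of the ContainerBasedFilter <filter> element."""
    for flt in _find_all(root, "filter"):
        if _child_text(flt, "filter-name") == "ContainerBasedFilter":
            return {_child_text(p, "param-name"): _child_text(p, "param-value")
                    for p in flt if _name(p) == "init-param"}
    return {}


def declared_roles(root):
    names = (_child_text(r, "role-name") for r in _find_all(root, "security-role"))
    return {n for n in names if n}


def secured_patterns(root):
    """url-pattern values of every <security-constraint> that has an <auth-constraint>."""
    patterns = set()
    for constraint in _find_all(root, "security-constraint"):
        if any(_name(c) == "auth-constraint" for c in constraint):
            patterns |= {(u.text or "").strip() for u in _find_all(constraint, "url-pattern")}
    return patterns


def junction(context_path):
    """Junction part of ssoProxyContextPath, for example filenet in /filenet/bpf."""
    parts = [p for p in (context_path or "").split("/") if p]
    return parts[0] if len(parts) > 1 else None


def check(bpf_xml, workplace_xml, app_server):
    """Return a list of findings; an empty list means the two files agree."""
    bpf, workplace = ET.fromstring(bpf_xml), ET.fromstring(workplace_xml)
    b, w = sso_params(bpf), sso_params(workplace)
    findings = []
    for param in PROXY_PARAMS:                      # step 4b: same proxy as Workplace
        if b.get(param) != w.get(param):
            findings.append(f"{param}: BPF={b.get(param)!r} Workplace={w.get(param)!r}")
    if junction(b.get("ssoProxyContextPath")) != junction(w.get("ssoProxyContextPath")):
        findings.append("ssoProxyContextPath: junction name differs from Workplace")
    if b.get("challengeProxyEnabled") != CHALLENGE_PROXY[app_server]:
        findings.append(f"challengeProxyEnabled: expected {CHALLENGE_PROXY[app_server]} on {app_server}")
    if "/containerSecured/*" not in secured_patterns(bpf):   # step 4c
        findings.append("/containerSecured/* has no security-constraint with an auth-constraint")
    if declared_roles(bpf) != declared_roles(workplace):     # Note after step 4c
        findings.append(f"security-role: BPF={sorted(declared_roles(bpf))} "
                        f"Workplace={sorted(declared_roles(workplace))}")
    return findings


def sample_web_xml(ctx, host, challenge, role, pattern="/containerSecured/*"):
    """Constructed minimal descriptor holding only the elements the checks read."""
    params = {"challengeProxyEnabled": challenge, "ssoProxyContextPath": ctx,
              "ssoProxyHost": host, "ssoProxyPort": "80", "ssoProxySSLPort": "443"}
    init = "".join(f"<init-param><param-name>{k}</param-name>"
                   f"<param-value>{v}</param-value></init-param>" for k, v in params.items())
    return (f"<web-app><filter><filter-name>ContainerBasedFilter</filter-name>{init}</filter>"
            "<security-constraint><web-resource-collection>"
            f"<url-pattern>{pattern}</url-pattern></web-resource-collection>"
            f"<auth-constraint><role-name>{role}</role-name></auth-constraint></security-constraint>"
            f"<security-role><role-name>{role}</role-name></security-role></web-app>")


# Constructed inputs: a Workplace descriptor and a BPF descriptor that agrees with it.
WORKPLACE = sample_web_xml("/filenet/Workplace", "tamvm.msad.ibm.com", "true", "smgroup")
BPF_GOOD = sample_web_xml("/filenet/bpf", "tamvm.msad.ibm.com", "true", "smgroup")
# Constructed misconfiguration: application-server host, no junction, wrong role and pattern.
BPF_BAD = sample_web_xml("/bpf", "vmad.msad.ibm.com", "false", "All Authenticated",
                         pattern="/Bp8Main.jsp")

if __name__ == "__main__":
    for finding in check(BPF_BAD, WORKPLACE, "weblogic"):
        print("FINDING:", finding)
```

Run it against the real files by passing their contents to check() before the BPF Web application is redeployed.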
(WebLogic Only) Update the BPF weblogic.xml file
The BPF weblogic.xml file is in the folder
BPF Installed folder\WEB-INF
Note: If BPF is installed as an EAR file or a WAR file, unbundle the EAR or WAR file, modify
the weblogic.xml file, and then rebundle the EAR or WAR file.
Update the weblogic.xml file to define the role name as shown in the following example:
<security-role-assignment>
  <role-name>role name</role-name>
  <externally-defined/>
</security-role-assignment>
The same role name should be used in the following files:
   o BPF weblogic.xml
   o BPF web.xml
   o Workplace weblogic.xml
   o Workplace web.xml
Note: In the sample BPF web.xml file provided in the “Update the BPF web.xml File” section, the
role name has the value smgroup.
Modify the Bp8ExtTasks.xml File
The BPF Bp8ExtTasks.xml file is located in the folder
BPF Installed folder\WEB-INF
Note: If BPF is installed as an EAR file or a WAR file, unbundle the EAR or WAR file, modify
the Bp8ExtTasks.xml file, and then rebundle the EAR or WAR file.
To update the BPF Bp8ExtTasks.xml file, complete the following steps:
1. Make a backup copy of the Bp8ExtTasks.xml file and store this copy outside the BPF
Installed folder folder.
2. Comment out the following section in each of the <TASK NAME=…> category entries. By
default, there are 12 of these entries.
<parameter NAME='ut'>
  <VALUE>(%USERTOKENS%)</VALUE>
</parameter>
Redeploy the BPF Web Application
After you modify the web.xml and Bp8ExtTasks.xml files, redeploy the BPF Web
application.
(WAS Only) Configure the WAS Security Mappings
To configure the Security role to user/group mapping, perform the following steps:
1. Log in to the WebSphere Administrator Console.
2. Select Applications > Enterprise Applications > name of deployed BPF application.
3. Click Security role to user/group mapping.
4. Ensure the All Authenticated? check box is selected.
5. Click OK and save the changes.
Modify the Workplace Configuration Files
Modify the following Workplace configuration files:
   o Actions.xml
   o Infopages.xml
The default location for these files is
   Windows: Program Files\FileNet\Config\AE
   Unix: /opt/FileNet/Config/AE
Update the Actions.xml File
In the Actions.xml file, change the BPF URL identified in the <setting key> tag to the URL
that refers to the TAM server.
Example
Assume that the BPF application was initially deployed on a server called vmad and that the URL
for this server appears in the Actions.xml file as follows:
<setting key="url">
http://vmad:9080/bpf/Bp8IntegrationServlet?_commandId=9000&objectStoreName={OBJECT_STORE_NAME}&id={OBJECT_ID}&objectType={OBJECT_TYPE}&timeZone={TIME_ZONE}
</setting>
If the TAM server is tamvm.msad.ibm.com and, after you configure BPF with TAM SSO, the
BPF URL is http://tamvm.msad.ibm.com/filenet/bpf, you would change the setting key tag in the
Actions.xml file as follows:
<setting key="url">
http://tamvm.msad.ibm.com/filenet/bpf/Bp8IntegrationServlet?_commandId=9000&objectStoreName={OBJECT_STORE_NAME}&id={OBJECT_ID}&objectType={OBJECT_TYPE}&timeZone={TIME_ZONE}
</setting>
Update the Infopages.xml File
In the Infopages.xml file, change the BPF URL in the <setting key> tag to the URL that refers
to the TAM server.
Example
Assume that the BPF application was initially deployed on a server called vmad and that the URL
for this server appears in the Infopages.xml as follows:
<setting key="url">
http://vmad:9080/bpf/Bp8IntegrationServlet?_commandId=9000
</setting>
If the TAM server is tamvm.msad.ibm.com and, after you configure BPF with TAM SSO, the
BPF URL is http://tamvm.msad.ibm.com/filenet/bpf, you would change the setting key tag in the
Infopages.xml file as follows:
<setting key="url">
http://tamvm.msad.ibm.com/filenet/bpf/Bp8IntegrationServlet?_commandId=9000
</setting>
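The URL change described for Actions.xml and Infopages.xml can be scripted as follows. This is an added example, not part of the original Technical Notice: it finds every <setting key="url"> value that still names the application server, so that the browser would be sent directly to it instead of through the TAM server, and rewrites it to the SSO base URL while keeping the query string. The function name and the sample fragment, including its <action> wrapper and the second URL, are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

SERVLET = "/Bp8IntegrationServlet"
# <setting key="url"> ... </setting>; the value may be wrapped over several lines.
SETTING_URL = re.compile(r'(<setting\s+key=["\']url["\']\s*>)(.*?)(</setting>)', re.S)


def rewrite_bpf_urls(config_text, sso_base):
    """Return (new_text, changes); changes lists (old_url, new_url) pairs.

    sso_base is http://ssoProxyHost/ssoProxyContextPath without a trailing slash.
    """
    changes = []

    def fix(match):
        url = "".join(match.group(2).split())   # undo line wraps inside the value
        parts = urlsplit(url)
        at = parts.path.rfind(SERVLET)
        if at < 0 or url.startswith(sso_base + "/"):
            return match.group(0)                # not a BPF URL, or already updated
        new_url = sso_base + parts.path[at:]
        if parts.query:
            new_url += "?" + parts.query         # keep _commandId and the {PLACEHOLDERS}
        changes.append((url, new_url))
        return match.group(1) + "\n" + new_url + "\n" + match.group(3)

    return SETTING_URL.sub(fix, config_text), changes


# Constructed fragment: one BPF entry using the URL from the example above and
# one non-BPF entry that must be left untouched.
SAMPLE_ACTIONS = """<action id="constructedExample">
<setting key="url">
http://vmad:9080/bpf/Bp8IntegrationServlet?_commandId=9000&objectStoreName={OBJECT_STORE_NAME}&id={OBJECT_ID}&objectType={OBJECT_TYPE}&timeZone={TIME_ZONE}
</setting>
<setting key="url">http://vmad:9080/Workplace/Browse.jsp</setting>
</action>"""

SSO_BASE = "http://tamvm.msad.ibm.com/filenet/bpf"

if __name__ == "__main__":
    text, changed = rewrite_bpf_urls(SAMPLE_ACTIONS, SSO_BASE)
    for old, new in changed:
        print(old, "->", new)
```

Running the function a second time on its own output reports no changes, so it can also serve as a check after a manual edit.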
(WAS Only) Update the Security Constraints in the Workplace web.xml File
The Workplace web.xml file is located in the following folder:
Workplace Installed folder\WEB-INF
Note: If BPF is installed as an EAR file or a WAR file, unbundle the EAR or WAR file, modify
the web.xml file, and then rebundle the EAR or WAR file.
To update the Workplace web.xml file, complete the following steps:
1. Make a backup copy of the Workplace web.xml file and store this copy outside the
Workplace Installed folder folder.
2. Add <url-pattern>/Bp8ViewActions.jsp</url-pattern> to the <security-constraint> section
of the Workplace web.xml file as follows:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>action</web-resource-name>
    <description>
      Define the container secured resource
    </description>
    <url-pattern>
      /containerSecured/*
    </url-pattern>
    <!-- Uncomment this section if all resources that require credentials
         must be secured in order to obtain a secured Thread. If using
         WebSphere, this section must be uncommented. -->
    <url-pattern>/</url-pattern>
    <url-pattern>/Bp8ViewActions.jsp</url-pattern>
    <url-pattern>/author/*</url-pattern>
    <url-pattern>/Browse.jsp</url-pattern>
    <url-pattern>/eprocess/*</url-pattern>
    <url-pattern>/Favorites.jsp</url-pattern>
    <url-pattern>/GetPortalSitePreferences.jsp</url-pattern>
    <url-pattern>/GetUserInformation.jsp</url-pattern>
    ...
(WAS Only) Redeploy the Workplace Application
After you modify the Actions.xml, Infopages.xml, and Workplace web.xml files, you need to
redeploy the Workplace application.
Restart the Workplace Application
Restart the Workplace application and verify you can log in to Workplace.
Restart the BPF Web Application
Stop and restart the BPF application, and then verify that you can
   o Access the BPF Web application without being prompted to log in.
   o Access all the appropriate inbaskets.
From the same client that is configured to access the Workplace web application, use the new TAM
server URL to access the application; for example
   http://tamvm.msad.ibm.com/filenet/bpf
Section 2: Configure SiteMinder SSO
Introduction
This section describes how to configure BPF 4.1 for use in an SSO environment with SiteMinder
and either WebSphere Application Server (WAS) or WebLogic Application Server.
For clarity, the examples in this section assume that the environment being configured has servers
configured as follows.
Domain Server and Proxy Web Server: dc7.netegrity.vafn.com
| Component | Type and Minimum Software Levels |
| Operating System | Windows 2003 SP2 |
| LDAP Server | Windows Active Directory |

SiteMinder Policy Server: plserver.netegrity.vafn.com
| Component | Type and Minimum Software Levels |
| Operating System | Windows 2003 SP2 |
| SiteMinder | Netegrity Policy Server |

CE and PE Server: cepe7wl.netegrity.vafn.com
| Component | Type and Minimum Software Levels |
| Operating System | Windows 2003 SP2 |
| Application Server | WAS 6.1 or WebLogic 8.1 |
| FileNet P8 Components | Content Engine 4.0.1-006; Process Engine 4.0.3-000.004 |

AE and BPF Server: ae7wl.netegrity.vafn.com
| Component | Type and Minimum Software Levels |
| Operating System | Windows 2003 SP2 |
| Application Server | WAS 6.1 or WebLogic 8.1 |
| FileNet P8 Components | Application Engine 4.0.1-005; BPF 4.1-002; eForms 4.0.1-005 (optional) |
| Workplace URL | http://dc7.netegrity.vafn.com/fn/Workplace |
| BPF URL | http://dc7.netegrity.vafn.com/fn/bpf |
Prerequisites
Before you begin configuring BPF 4.1, ensure that the following prerequisite tasks have been
completed:
1. BPF 4.1.0-002 is installed and functioning correctly with either WAS 6.1 or WebLogic 8.1.
   For information on installing BPF 4.1, refer to the BPF 4.1 Installation Guide.
2. Workplace has been configured for use with SiteMinder SSO.
   To validate Workplace has been configured correctly, ensure
   o You are directed to the CA page to log in when accessing Workplace.
   o You can access the appropriate pages and documents.
   For information on installing Workplace for use with SSO, refer to the FileNet P8 Platform
   Installation and Upgrade Guide.
Overview of the Configuration Process
To configure BPF for use with SiteMinder SSO, perform the following tasks. For detailed
instructions, see Procedure.
1. Update the BPF web.xml file to
   o Add filters.
   o Configure security constraints.
2. (WebLogic only) Update the BPF weblogic.xml file.
3. Modify the BPF Bp8ExtTasks.xml file to comment out the user token parameter.
4. Redeploy the BPF Web application.
5. (WAS only) Configure the WebSphere security mappings.
6. Update the BPF URL in the following Workplace configuration files:
   o Actions.xml
   o Infopages.xml
7. (WAS only) Update the security constraints section of the Workplace web.xml file.
8. (WAS only) Redeploy the Workplace application.
9. Restart the Workplace application.
10. Restart the BPF Web application.
After the configuration steps are complete, verify that the SSO configuration is working correctly
by initiating the BPF Web application and ensuring that
   o You are directed to the CA page to log in when accessing the application.
   o You can access the inbaskets.
   o You can view a case attachment without being prompted to log in to Workplace.
Procedure
Update the BPF web.xml File
The BPF web.xml file is in the folder
BPF Installed folder\WEB-INF
Note: If BPF is installed as an EAR file or a WAR file, unbundle the EAR file or WAR file,
modify the web.xml, then rebundle the EAR file or WAR file.
To update the BPF web.xml file, complete the following steps:
1. Make a backup copy of the web.xml file and store this copy outside the BPF Installed
folder folder.
2. Create a folder named BPF Installed folder\containerSecured.
3. Copy the Return.jsp file from Workplace Installed
folder\containerSecured to BPF Installed folder\containerSecured.
4. Modify the BPF web.xml file to define the filters and the security constraints as follows:
a. Copy the following <filter> elements into the file. Place the <filter> elements after the
<context-param> element and before the <listener> and <servlet> elements.
<filter>
<filter-name>ContainerBasedFilter</filter-name>
<filter-class>
com.filenet.ae.toolkit.server.servlet.filter.ContainerBasedFilter
</filter-class>
<!-- Set the challengeProxyEnabled parameter to false if
deployment is on Websphere -->
<!-- Set the challengeProxyEnabled parameter to true if deployment
is on WebLogic -->
<init-param>
<param-name>challengeProxyEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>challengeProxyURI</param-name>
<param-value>containerSecured/Return.jsp</param-value>
</init-param>
<init-param>
<param-name>perimeterChallengeMode</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>ssoProxyContextPath</param-name>
<param-value>/fn/bpf</param-value>
</init-param>
<init-param>
<param-name>ssoProxyHost</param-name>
<param-value>dc7.netegrity.vafn.com</param-value>
</init-param>
<init-param>
<param-name>ssoProxyPort</param-name>
<param-value>80</param-value>
</init-param>
<init-param>
<param-name>ssoProxySSLPort</param-name>
<param-value>443</param-value>
</init-param>
</filter>
<filter>
<filter-name>AE PreprocessorFilter</filter-name>
<filter-class>
com.filenet.ae.toolkit.server.servlet.filter.PreprocessorFilter
</filter-class>
<init-param>
<param-name>challenge</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>exclude</param-name>
<param-value>
/css/*,
/img/*,
/js/*,
/UI-INF/*,
/Bp8Error.jsp
</param-value>
</init-param>
</filter>
<filter>
<filter-name>AE PostprocessorFilter</filter-name>
<filter-class>
com.filenet.ae.toolkit.server.servlet.filter.PostprocessorFilter
</filter-class>
</filter>
<filter-mapping>
<filter-name>AE PreprocessorFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>ContainerBasedFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>AE PostprocessorFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
b. In the <filter> element ContainerBasedFilter, modify the values of the following
parameters so that BPF will generate URLs that refer to the SiteMinder server instead of to
the server on which BPF is located:
ssoProxyContextPath
ssoProxyHost
ssoProxyPort
ssoProxySSLPort
Set the parameter values according to the environment settings as follows:
Set the ssoProxyHost, ssoProxyPort, and ssoProxySSLPort parameters to
the values used for these parameters in the Workplace web.xml file for the <filter>
element ContainerBasedFilter. The Workplace web.xml file is located in the
Workplace Deployed folder\WEB-INF folder.
If the ssoProxyContextPath parameter in the Workplace Deployed
folder\WEB-INF\web.xml file is set to /filenet/Workplace, set the value for this
parameter as follows in the BPF web.xml file:
/filenet/name of deployed BPF application
By default, the name of the deployed BPF application is bpf.
After you configure BPF with SiteMinder SSO, the BPF URL should be
http://ssoProxyHost/ssoProxyContextPath
c. Copy the following <security-constraint>, <login-config>, and <security-role> elements
after the <welcome-file-list> element.
WAS Example
<security-constraint>
<web-resource-collection>
<web-resource-name>action</web-resource-name>
<description>
Define the container secured resource
</description>
<url-pattern>/containerSecured/*</url-pattern>
<url-pattern>/</url-pattern>
<url-pattern>/Bp8Admin.jsp</url-pattern>
<url-pattern>/Bp8AttachIFrameEntry.jsp</url-pattern>
<url-pattern>/Bp8Bootstrap.jsp</url-pattern>
<url-pattern>/Bp8BulkIFrameEntry.jsp</url-pattern>
<url-pattern>/Bp8Calendar.jsp</url-pattern>
<url-pattern>/Bp8CloseWindow.jsp</url-pattern>
<url-pattern>/Bp8Default.jsp</url-pattern>
<url-pattern>/Bp8Dialog.jsp</url-pattern>
<url-pattern>/Bp8Editor.jsp</url-pattern>
<url-pattern>/Bp8Error.jsp</url-pattern>
<url-pattern>/Bp8ExecuteOperation.jsp</url-pattern>
<url-pattern>/Bp8InitialError.jsp</url-pattern>
<url-pattern>/Bp8Main.jsp</url-pattern>
<url-pattern>/Bp8ModeWindow.jsp</url-pattern>
<url-pattern>/Bp8PrintPreview.jsp</url-pattern>
<url-pattern>/Bp8RemoteCallSingIn.jsp</url-pattern>
<url-pattern>/Bp8SampleHelp.jsp</url-pattern>
<url-pattern>/Bp8SignIn.jsp</url-pattern>
<url-pattern>/Bp8SignOut.jsp</url-pattern>
<url-pattern>/Bp8Start.jsp</url-pattern>
<url-pattern>/Bp8ViewerDocs.jsp</url-pattern>
<url-pattern>/Bp8ViewerFrameset.jsp</url-pattern>
<url-pattern>/Bp8ViewerModule.jsp</url-pattern>
<url-pattern>/Bp8WPDefaultAnswer.jsp</url-pattern>
<url-pattern>/Confirmation.jsp</url-pattern>
<url-pattern>/ExtCommand.jsp</url-pattern>
<url-pattern>/IntegrationWebBasedHelp.jsp</url-pattern>
<url-pattern>/Lookup.jsp</url-pattern>
<url-pattern>/OpenLayoutPopUp.jsp</url-pattern>
<url-pattern>/RegisterModulePopUp.jsp</url-pattern>
<url-pattern>/RegisterZoneStylePopUp.jsp</url-pattern>
<url-pattern>/responseResult.jsp</url-pattern>
<url-pattern>/SaveLayoutPopUp.jsp</url-pattern>
<url-pattern>/ToolRedirect.jsp</url-pattern>
<url-pattern>/UserPreferences.jsp</url-pattern>
<url-pattern>/UserPrefs.jsp</url-pattern>
<url-pattern>/ViewAssignedRolesPopUp.jsp</url-pattern>
<url-pattern>/WcmCloseWindow.jsp</url-pattern>
<url-pattern>/inc/Bp8Header.jsp</url-pattern>
<url-pattern>/inc/Bp8InitHead.jsp</url-pattern>
<url-pattern>
/plugins/tabs/attachment/Bp8AttachmentsTab.jsp
</url-pattern>
<url-pattern>
/plugins/tabs/attachment/ui/Bp8AttachmentsTab.jsp
</url-pattern>
<url-pattern>
/plugins/tabs/eForms/Bp8DocumentForm.jsp
</url-pattern>
<url-pattern>
/plugins/tabs/eForms/NoCaseAttached.jsp
</url-pattern>
<url-pattern>
/plugins/tabs/eForms/ui/Bp8DocumentForm.jsp
</url-pattern>
<url-pattern>
/plugins/tabs/table/TableTab.jsp
</url-pattern>
<url-pattern>
/plugins/tabs/table/ui/TableTab.jsp
</url-pattern>
<url-pattern>/plugins/tools/*</url-pattern>
<url-pattern>/UI-INF/*</url-pattern>
<url-pattern>/addDocument/*</url-pattern>
<url-pattern>/picklistLookup/*</url-pattern>
<url-pattern>/upload/*</url-pattern>
<url-pattern>/downloadProxy</url-pattern>
<url-pattern>/uploadProxy</url-pattern>
<url-pattern>/setBp8Credentials/*</url-pattern>
<url-pattern>/dispatchAction/*</url-pattern>
<url-pattern>/createCase/*</url-pattern>
<url-pattern>/saveTableTab</url-pattern>
<url-pattern>/wpcommandquery/*</url-pattern>
<url-pattern>/reactivateCase/*</url-pattern>
<url-pattern>/Bp8IntegrationServlet</url-pattern>
<url-pattern>/BpfFormServlet</url-pattern>
<url-pattern>/getFormTemplate/*</url-pattern>
<url-pattern>/formCallback/*</url-pattern>
<url-pattern>/setCredentials</url-pattern>
<url-pattern>/Bp8DesignerServlet</url-pattern>
<url-pattern>/Bp8CaseOperation</url-pattern>
</web-resource-collection>
<auth-constraint id="AuthConstraint_1">
<description>All Authenticated users</description>
<role-name>All Authenticated</role-name>
</auth-constraint>
<user-data-constraint>
<description>User data constraints</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role id="SecurityRole_1">
<description>All Authenticated Users Role.</description>
<role-name>All Authenticated</role-name>
</security-role>
WebLogic Example
<security-constraint>
<web-resource-collection>
<web-resource-name>action</web-resource-name>
<description>
Define the container secured resource
</description>
<url-pattern>/containerSecured/*</url-pattern>
</web-resource-collection>
<auth-constraint id="AuthConstraint_1">
<description>All Authenticated users</description>
<role-name>smgroup</role-name>
</auth-constraint>
<user-data-constraint>
<description>User data constraints</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role id="SecurityRole_1">
<description>All Authenticated Users Role.</description>
<role-name>smgroup</role-name>
</security-role>
Note: The security-role role name in the BPF web.xml must be the same as the one in the
Workplace web.xml.
(WebLogic Only) Update the BPF weblogic.xml file
The BPF weblogic.xml file is in the folder
BPF Installed folder\WEB-INF
Note: If BPF is installed as an EAR file or a WAR file, unbundle the EAR file or WAR file,
modify the weblogic.xml file, then rebundle the EAR file or WAR file.
Update the weblogic.xml file to define the role name as shown in the following example:
<security-role-assignment>
<role-name>role name</role-name>
<externally-defined/>
</security-role-assignment>
The same role name should be used in the following files:
BPF weblogic.xml
BPF web.xml
Workplace weblogic.xml
Workplace web.xml
Note: In the sample BPF web.xml file provided in the “Update the BPF web.xml File” section, the
role name has the value smgroup.
Modify the Bp8ExtTasks.xml File
The BPF Bp8ExtTasks.xml file is located in
BPF Installed folder\WEB-INF
Note: If BPF is installed as an EAR file or a WAR file, unbundle the EAR file or WAR file,
modify the Bp8ExtTasks.xml file, then rebundle the EAR file or WAR file.
To update the BPF Bp8ExtTasks.xml file, complete the following steps:
1. Make a backup copy of the Bp8ExtTasks.xml file and store this copy outside the BPF
Installed folder folder.
2. Comment out the following section in each of the <TASK NAME=…> category entries. By
default, there are 12 of these entries.
<parameter NAME='ut'>
<VALUE>(%USERTOKENS%)</VALUE>
</parameter>
Redeploy the BPF Web Application
After you modify the web.xml and Bp8ExtTasks.xml files, redeploy the BPF Web
application.
(WAS Only) Configure the WAS Security Mappings
To configure the Security role to user/group mapping, perform the following steps:
1. Log in to the WebSphere Administrator Console.
2. Select Applications > Enterprise Applications > name of deployed BPF application.
3. Click Security role to user/group mapping.
4. Ensure the All Authenticated? check box is selected.
5. Click OK and save the changes.
Modify the Workplace Configuration Files
Modify the following Workplace configuration files:
Actions.xml
Infopages.xml
The default location for these files is
Windows:
Program Files\FileNet\Config\AE
Unix:
/opt/FileNet/Config/AE
Update the Actions.xml File
In the Actions.xml file, change the BPF URL identified in the setting key tag to the URL that
refers to the SiteMinder Proxy server.
Example
Assume that the BPF application was initially deployed on a server called
ae7wl.netegrity.vafn.com and that the URL for this server appears in the Actions.xml file as
follows:
<setting key="url">
http://ae7wl.netegrity.vafn.com:7001/bpf/Bp8IntegrationServlet?_commandId=9000&amp;objectStoreName={OBJECT_STORE_NAME}&amp;id={OBJECT_ID}&amp;objectType={OBJECT_TYPE}&amp;timeZone={TIME_ZONE}
</setting>
If the SiteMinder server is dc7.netegrity.vafn.com and, after you configure BPF with SiteMinder
SSO, the BPF URL is http://dc7.netegrity.vafn.com/fn/bpf, you would change the setting key tag in
the Actions.xml file as follows:
<setting key="url">
http://dc7.netegrity.vafn.com/fn/bpf/Bp8IntegrationServlet?_commandId=9000&amp;objectStoreName={OBJECT_STORE_NAME}&amp;id={OBJECT_ID}&amp;objectType={OBJECT_TYPE}&amp;timeZone={TIME_ZONE}
</setting>
Update the Infopages.xml File
In the Infopages.xml file, change the BPF URL identified in the setting key tag to the URL
that refers to the SiteMinder Proxy server.
Example
Assume that the BPF application was initially deployed on a server called
ae7wl.netegrity.vafn.com and that the URL for this server appears in the Infopages.xml file
as follows:
<setting key="url">
http://ae7wl.netegrity.vafn.com:7001/bpf/Bp8IntegrationServlet?_commandId=9000
</setting>
If the SiteMinder server is dc7.netegrity.vafn.com and, after you configure BPF with SiteMinder
SSO, the BPF URL is http://dc7.netegrity.vafn.com/fn/bpf, you would change the setting key tag in
the Infopages.xml file as follows:
<setting key="url">
http://dc7.netegrity.vafn.com/fn/bpf/Bp8IntegrationServlet?_commandId=9000
</setting>
(WAS Only) Update the Security Constraints in the Workplace web.xml File
The Workplace web.xml file is located in the following folder:
Workplace Installed folder\WEB-INF
Note: If BPF is installed as an EAR file or a WAR file, unbundle the EAR or WAR file, modify
the web.xml file, and then rebundle the EAR or WAR file.
To update the Workplace web.xml file, complete the following steps:
1. Make a backup copy of the Workplace web.xml file and store this copy outside the
Workplace Installed folder folder.
2. Add <url-pattern>/Bp8ViewActions.jsp</url-pattern> to the <security-constraint> section
of the Workplace web.xml file as follows:
<security-constraint>
<web-resource-collection>
<web-resource-name>action</web-resource-name>
<description>
Define the container secured resource
</description>
<url-pattern>
/containerSecured/*
</url-pattern>
<!-- Uncomment this section if all resources that require credentials
must be secured in order to obtain a secured Thread. If using
WebSphere, this section must be uncommented. -->
<url-pattern>/</url-pattern>
<url-pattern>/Bp8ViewActions.jsp</url-pattern>
<url-pattern>/author/*</url-pattern>
<url-pattern>/Browse.jsp</url-pattern>
<url-pattern>/eprocess/*</url-pattern>
<url-pattern>/Favorites.jsp</url-pattern>
<url-pattern>/GetPortalSitePreferences.jsp</url-pattern>
<url-pattern>/GetUserInformation.jsp</url-pattern>
(WAS Only) Redeploy the Workplace Application
After you modify the Actions.xml, Infopages.xml, and Workplace web.xml files, you need to
redeploy the Workplace application.
Restart the Workplace Application
Restart the Workplace application and verify you can log in to Workplace.
Restart the BPF Web Application
Stop and restart the BPF application, and then verify that you
Are directed to the CA page to log in when accessing the application
Can access all the appropriate inbaskets
Can view a case attachment without being prompted to log in to Workplace
From the same client that is configured to access the Workplace web application, use the new
SiteMinder server URL to access the application; for example
http://dc7.netegrity.vafn.com/fn/bpf
Section 3: Configure Kerberos SSO
Introduction
This section describes how to configure BPF 4.1 for use in an SSO environment with Kerberos and
either WebSphere Application Server (WAS) or WebLogic Application Server.
For clarity, the examples in this section assume that the environment being configured has two
servers configured as follows.
SSO Server: vmad.msad.ibm.com
Component | Type and Minimum Software Level
Operating System | Windows 2003 SP2
LDAP Server | Windows Active Directory
Application Server | WebSphere 6.1 or WebLogic 8.1
FileNet P8 Components | Content Engine 4.0.1-006; Process Engine 4.0.3-000.004; Application Engine 4.0.1-005; BPF 4.1-002; eForms 4.0.1-005 (optional)
SSO Client: krbvm.msad.ibm.com
Component | Type and Minimum Software Level
Operating System | Windows 2003 SP2
Workplace URL | http://vmad.msad.ibm.com:9080/Workplace
BPF URL | http://vmad.msad.ibm.com:9080/bpf
Prerequisites
Before you begin configuring BPF 4.1, ensure that the following prerequisite tasks have been
completed:
1. BPF 4.1.0-002 is installed and functioning correctly with WebSphere 6.1 or WebLogic 8.1.
For information on installing BPF 4.1, refer to the BPF 4.1 Installation Guide.
2. Workplace has been configured for use with Kerberos SSO.
To validate Workplace has been configured correctly, ensure
You are not prompted to log in when accessing Workplace.
You can access the appropriate pages and documents.
For information on installing Workplace for use with SSO, refer to the FileNet P8 Platform
Installation and Upgrade Guide.
Overview of the Configuration Process
To configure BPF for use with Kerberos SSO, perform the following tasks. For detailed
instructions, see Procedure.
1. Update the BPF web.xml file to
Add filters.
Configure security constraints.
2. (WebLogic only) Update the BPF weblogic.xml file.
3. Modify the BPF Bp8ExtTasks.xml file to comment out the user token parameter.
4. Redeploy the BPF Web application.
5. (WAS only) Configure the WebSphere security mappings.
6. Update the BPF URL in the following Workplace configuration files:
Actions.xml
Infopages.xml
7. (WAS only) Update the security constraints section of the Workplace web.xml file.
8. (WAS only) Redeploy the Workplace application.
9. Restart the Workplace application.
10. Restart the BPF Web application.
After the configuration steps are complete, verify that the SSO configuration is working correctly
by initiating the BPF Web application and ensuring that
You are not prompted to log in when accessing the application.
You can access the inbaskets.
Procedure
Update the BPF web.xml file
The BPF web.xml file is in the folder
BPF Installed folder\WEB-INF
Note: If BPF is installed as an EAR file or a WAR file, unbundle the EAR or WAR file, modify
the web.xml file, and then rebundle the EAR or WAR file.
To update the BPF web.xml file, complete the following steps:
1. Make a backup copy of the web.xml file and store this copy outside the BPF Installed
folder folder.
2. Create a folder named BPF Installed folder\containerSecured.
3. Copy the Return.jsp file from Workplace Installed
folder\containerSecured to BPF Installed folder\containerSecured.
4. Modify the BPF web.xml file to define the filters and the security constraints as follows:
a. Copy the following <filter> elements into the file. Place the <filter> elements after the
<context-param> element and before the <listener> and <servlet> elements.
<filter>
<filter-name>ContainerBasedFilter</filter-name>
<filter-class>
com.filenet.ae.toolkit.server.servlet.filter.ContainerBasedFilter
</filter-class>
<!-- Set the challengeProxyEnabled parameter to false if
deployment is on Websphere -->
<!-- Set the challengeProxyEnabled parameter to true if deployment
is on WebLogic -->
<init-param>
<param-name>challengeProxyEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>challengeProxyURI</param-name>
<param-value>containerSecured/Return.jsp</param-value>
</init-param>
<init-param>
<param-name>perimeterChallengeMode</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>ssoProxyContextPath</param-name>
<param-value></param-value>
</init-param>
<init-param>
<param-name>ssoProxyHost</param-name>
<param-value></param-value>
</init-param>
<init-param>
<param-name>ssoProxyPort</param-name>
<param-value></param-value>
</init-param>
<init-param>
<param-name>ssoProxySSLPort</param-name>
<param-value></param-value>
</init-param>
</filter>
<filter>
<filter-name>AE PreprocessorFilter</filter-name>
<filter-class>
com.filenet.ae.toolkit.server.servlet.filter.PreprocessorFilter
</filter-class>
<init-param>
<param-name>challenge</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>exclude</param-name>
<param-value>
/css/*,
/img/*,
/js/*,
/UI-INF/*,
/Bp8Error.jsp
</param-value>
</init-param>
</filter>
<filter>
<filter-name>AE PostprocessorFilter</filter-name>
<filter-class>
com.filenet.ae.toolkit.server.servlet.filter.PostprocessorFilter
</filter-class>
</filter>
<filter-mapping>
<filter-name>AE PreprocessorFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>ContainerBasedFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>AE PostprocessorFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Note: In the <filter> element ContainerBasedFilter, leave the values for the
following parameters blank to ensure that the BPF URL is used rather than the URL for the
Proxy server.
ssoProxyContextPath
ssoProxyHost
ssoProxyPort
ssoProxySSLPort
b. Copy the following <security-constraint>, <login-config>, and <security-role> elements
after the <welcome-file-list> element.
WAS Example
<security-constraint>
<web-resource-collection>
<web-resource-name>action</web-resource-name>
<description>
Define the container secured resource
</description>
<url-pattern>/containerSecured/*</url-pattern>
<url-pattern>/</url-pattern>
<url-pattern>/Bp8Admin.jsp</url-pattern>
<url-pattern>/Bp8AttachIFrameEntry.jsp</url-pattern>
<url-pattern>/Bp8Bootstrap.jsp</url-pattern>
<url-pattern>/Bp8BulkIFrameEntry.jsp</url-pattern>
<url-pattern>/Bp8Calendar.jsp</url-pattern>
<url-pattern>/Bp8CloseWindow.jsp</url-pattern>
<url-pattern>/Bp8Default.jsp</url-pattern>
<url-pattern>/Bp8Dialog.jsp</url-pattern>
<url-pattern>/Bp8Editor.jsp</url-pattern>
<url-pattern>/Bp8Error.jsp</url-pattern>
<url-pattern>/Bp8ExecuteOperation.jsp</url-pattern>
<url-pattern>/Bp8InitialError.jsp</url-pattern>
<url-pattern>/Bp8Main.jsp</url-pattern>
<url-pattern>/Bp8ModeWindow.jsp</url-pattern>
<url-pattern>/Bp8PrintPreview.jsp</url-pattern>
<url-pattern>/Bp8RemoteCallSingIn.jsp</url-pattern>
<url-pattern>/Bp8SampleHelp.jsp</url-pattern>
<url-pattern>/Bp8SignIn.jsp</url-pattern>
<url-pattern>/Bp8SignOut.jsp</url-pattern>
<url-pattern>/Bp8Start.jsp</url-pattern>
<url-pattern>/Bp8ViewerDocs.jsp</url-pattern>
<url-pattern>/Bp8ViewerFrameset.jsp</url-pattern>
<url-pattern>/Bp8ViewerModule.jsp</url-pattern>
<url-pattern>/Bp8WPDefaultAnswer.jsp</url-pattern>
<url-pattern>/Confirmation.jsp</url-pattern>
<url-pattern>/ExtCommand.jsp</url-pattern>
<url-pattern>/IntegrationWebBasedHelp.jsp</url-pattern>
<url-pattern>/Lookup.jsp</url-pattern>
<url-pattern>/OpenLayoutPopUp.jsp</url-pattern>
<url-pattern>/RegisterModulePopUp.jsp</url-pattern>
<url-pattern>/RegisterZoneStylePopUp.jsp</url-pattern>
<url-pattern>/responseResult.jsp</url-pattern>
<url-pattern>/SaveLayoutPopUp.jsp</url-pattern>
<url-pattern>/ToolRedirect.jsp</url-pattern>
<url-pattern>/UserPreferences.jsp</url-pattern>
<url-pattern>/UserPrefs.jsp</url-pattern>
<url-pattern>/ViewAssignedRolesPopUp.jsp</url-pattern>
<url-pattern>/WcmCloseWindow.jsp</url-pattern>
<url-pattern>/inc/Bp8Header.jsp</url-pattern>
<url-pattern>/inc/Bp8InitHead.jsp</url-pattern>
<url-pattern>
/plugins/tabs/attachment/Bp8AttachmentsTab.jsp
</url-pattern>
<url-pattern>
/plugins/tabs/attachment/ui/Bp8AttachmentsTab.jsp
</url-pattern>
<url-pattern>
/plugins/tabs/eForms/Bp8DocumentForm.jsp
</url-pattern>
<url-pattern>
/plugins/tabs/eForms/NoCaseAttached.jsp
</url-pattern>
<url-pattern>
/plugins/tabs/eForms/ui/Bp8DocumentForm.jsp
</url-pattern>
<url-pattern>
/plugins/tabs/table/TableTab.jsp
</url-pattern>
<url-pattern>
/plugins/tabs/table/ui/TableTab.jsp
</url-pattern>
<url-pattern>/plugins/tools/*</url-pattern>
<url-pattern>/UI-INF/*</url-pattern>
<url-pattern>/addDocument/*</url-pattern>
<url-pattern>/picklistLookup/*</url-pattern>
<url-pattern>/upload/*</url-pattern>
<url-pattern>/downloadProxy</url-pattern>
<url-pattern>/uploadProxy</url-pattern>
<url-pattern>/setBp8Credentials/*</url-pattern>
<url-pattern>/dispatchAction/*</url-pattern>
<url-pattern>/createCase/*</url-pattern>
<url-pattern>/saveTableTab</url-pattern>
<url-pattern>/wpcommandquery/*</url-pattern>
<url-pattern>/reactivateCase/*</url-pattern>
<url-pattern>/Bp8IntegrationServlet</url-pattern>
<url-pattern>/BpfFormServlet</url-pattern>
<url-pattern>/getFormTemplate/*</url-pattern>
<url-pattern>/formCallback/*</url-pattern>
<url-pattern>/setCredentials</url-pattern>
<url-pattern>/Bp8DesignerServlet</url-pattern>
<url-pattern>/Bp8CaseOperation</url-pattern>
</web-resource-collection>
<auth-constraint id="AuthConstraint_1">
<description>All Authenticated users</description>
<role-name>All Authenticated</role-name>
</auth-constraint>
<user-data-constraint>
<description>User data constraints</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role id="SecurityRole_1">
<description>All Authenticated Users Role.</description>
<role-name>All Authenticated</role-name>
</security-role>
WebLogic Example
<security-constraint>
<web-resource-collection>
<web-resource-name>action</web-resource-name>
<description>
Define the container secured resource
</description>
<url-pattern>/containerSecured/*</url-pattern>
</web-resource-collection>
<auth-constraint id="AuthConstraint_1">
<description>All Authenticated users</description>
<role-name>smgroup</role-name>
</auth-constraint>
<user-data-constraint>
<description>User data constraints</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role id="SecurityRole_1">
<description>All Authenticated Users Role.</description>
<role-name>smgroup</role-name>
</security-role>
Note: The security-role role name in the BPF web.xml should be the same as the one in the
Workplace web.xml.
(WebLogic Only) Update the BPF weblogic.xml file
The BPF weblogic.xml file is in the folder
BPF Installed folder\WEB-INF
Note: If BPF is installed as an EAR file or a WAR file, unbundle the EAR file or WAR file,
modify the weblogic.xml file, then rebundle the EAR file or WAR file.
Update the weblogic.xml file to define the role name as shown in the following example:
<security-role-assignment>
<role-name>role name</role-name>
<externally-defined/>
</security-role-assignment>
The same role name should be used in the following files:
BPF weblogic.xml
BPF web.xml
Workplace weblogic.xml
Workplace web.xml
Note that in the sample BPF web.xml file provided in the “Update the BPF web.xml File” section,
the role name has the value smgroup.
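The consistency rules from the SiteMinder and Kerberos web.xml procedures (proxy values copied from the Workplace web.xml or left blank, and one role name across all descriptors) can be checked before redeploying. The Python code below is an added example, not part of the IBM notice; its function names, the constructed sample documents and the /fn/Workplace context path are assumptions, and applying the context-path rule to prefixes other than /filenet generalizes the one case the notice states.

```python
import xml.etree.ElementTree as ET
from posixpath import dirname

PROXY_KEYS = ("ssoProxyContextPath", "ssoProxyHost", "ssoProxyPort", "ssoProxySSLPort")


def _kids(elem, name):
    # Compare local names only, so namespaced (schema-based) descriptors also match.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]


def _text(elem, name):
    found = _kids(elem, name)
    return (found[0].text or "").strip() if found else ""


def filter_params(xml_text, filter_name="ContainerBasedFilter"):
    """Map init-param names to values for one <filter>; None if it is absent."""
    for flt in _kids(ET.fromstring(xml_text), "filter"):
        if _text(flt, "filter-name") == filter_name:
            return {_text(p, "param-name"): _text(p, "param-value")
                    for p in _kids(flt, "init-param")}
    return None


def declared_roles(xml_text):
    """Role names under <security-role> (web.xml) or
    <security-role-assignment> (weblogic.xml)."""
    root = ET.fromstring(xml_text)
    return {_text(e, "role-name")
            for parent in ("security-role", "security-role-assignment")
            for e in _kids(root, parent)}


def check_bpf_sso(bpf_web, wp_web, mode, bpf_app="bpf", extra=None):
    """Return findings (empty list = consistent). mode: "siteminder" or "kerberos".
    extra maps a label to the text of a weblogic.xml to include in the role check."""
    bpf, wp = filter_params(bpf_web), filter_params(wp_web)
    if bpf is None:
        return ["BPF web.xml: ContainerBasedFilter is not defined"]
    findings = []
    if mode == "kerberos":
        # Kerberos: the four values stay blank so the BPF URL itself is used.
        findings += ["%s must be blank for Kerberos, found %r" % (k, bpf[k])
                     for k in PROXY_KEYS if bpf.get(k)]
    elif wp is None:
        return ["Workplace web.xml: ContainerBasedFilter is not defined"]
    else:
        # SiteMinder step 4b: host and both ports are copied from Workplace.
        for k in PROXY_KEYS[1:]:
            if bpf.get(k, "") != wp.get(k, ""):
                findings.append("%s: BPF %r, Workplace %r"
                                % (k, bpf.get(k, ""), wp.get(k, "")))
        # Context path: Workplace's parent path plus the deployed BPF application name.
        wp_ctx = wp.get("ssoProxyContextPath", "").rstrip("/")
        if wp_ctx:
            want = dirname(wp_ctx).rstrip("/") + "/" + bpf_app
            if bpf.get("ssoProxyContextPath", "") != want:
                findings.append("ssoProxyContextPath: BPF %r, expected %r"
                                % (bpf.get("ssoProxyContextPath", ""), want))
    # Both sections: the same role name in every descriptor.
    roles = {"BPF web.xml": declared_roles(bpf_web)}
    for label, text in (extra or {}).items():
        roles[label] = declared_roles(text)
    reference = declared_roles(wp_web)
    for label, found in roles.items():
        if found != reference:
            findings.append("%s declares %s, Workplace web.xml declares %s"
                            % (label, sorted(found), sorted(reference)))
    return findings


def sample_web_xml(ctx, host, port, ssl_port, role):
    """Constructed, minimal web.xml holding only the elements checked above."""
    params = "".join(
        "<init-param><param-name>%s</param-name><param-value>%s</param-value></init-param>" % kv
        for kv in zip(PROXY_KEYS, (ctx, host, port, ssl_port)))
    return ("<web-app><filter><filter-name>ContainerBasedFilter</filter-name>%s</filter>"
            "<security-role><role-name>%s</role-name></security-role></web-app>"
            % (params, role))


# Constructed samples: host, ports and /fn/bpf are the notice's values; /fn/Workplace is assumed.
WORKPLACE = sample_web_xml("/fn/Workplace", "dc7.netegrity.vafn.com", "80", "443", "smgroup")
BPF_OK = sample_web_xml("/fn/bpf", "dc7.netegrity.vafn.com", "80", "443", "smgroup")
BPF_STALE = sample_web_xml("/bpf", "ae7wl.netegrity.vafn.com", "80", "443", "All Authenticated")
BPF_KERBEROS = sample_web_xml("", "", "", "", "smgroup")
WEBLOGIC = ("<weblogic-web-app><security-role-assignment><role-name>smgroup</role-name>"
            "<externally-defined/></security-role-assignment></weblogic-web-app>")

if __name__ == "__main__":
    for name, text, mode in (("ok", BPF_OK, "siteminder"), ("stale", BPF_STALE, "siteminder"),
                             ("kerberos", BPF_KERBEROS, "kerberos")):
        print(name, check_bpf_sso(text, WORKPLACE, mode, extra={"BPF weblogic.xml": WEBLOGIC}))
```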
Modify the Bp8ExtTasks.xml File
The BPF Bp8ExtTasks.xml file is located in the folder
BPF Installed folder\WEB-INF
Note: If BPF is installed as an EAR file or a WAR file, unbundle the EAR or WAR file, modify
the Bp8ExtTasks.xml file, and then rebundle the EAR or WAR file.
To update the BPF Bp8ExtTasks.xml file, complete the following steps:
1. Make a backup copy of the Bp8ExtTasks.xml file and store this copy outside the BPF
Installed folder folder.
2. Comment out the following section in each of the <TASK NAME=…> category entries. By
default, there are 12 of these entries.
<parameter NAME='ut'>
<VALUE>(%USERTOKENS%)</VALUE>
</parameter>
Redeploy the BPF Web Application
After you modify the web.xml and Bp8ExtTasks.xml files, redeploy the BPF Web
application.
(WAS Only) Configure the WAS Security Mappings
To configure the Security role to user/group mapping, perform the following steps:
1. Log in to the WebSphere Administrator Console.
2. Select Applications > Enterprise Applications > name of deployed BPF application.
3. Click Security role to user/group mapping.
4. Ensure the All Authenticated? check box is selected.
5. Click OK and save the changes.
Modify the Workplace Configuration Files
Modify the following Workplace configuration files:
Actions.xml
Infopages.xml
The default location for these files is
Windows:
Program Files\FileNet\Config\AE
Unix:
/opt/FileNet/Config/AE
Update the Actions.xml File
In the Actions.xml file, change the BPF URL identified in the setting key tag to the URL that
refers to the Kerberos server.
Example
Assume that the BPF application was initially deployed on a server called vmad and that the URL
for this server appears in the Actions.xml file as follows:
<setting key="url">
http://vmad:9080/bpf/Bp8IntegrationServlet?_commandId=9000&amp;objectStoreName={OBJECT_STORE_NAME}&amp;id={OBJECT_ID}&amp;objectType={OBJECT_TYPE}&amp;timeZone={TIME_ZONE}
</setting>
If the SSO server is vmad.msad.ibm.com and, after you configure BPF with Kerberos SSO, the
BPF URL is http://vmad.msad.ibm.com/filenet/bpf, change the setting key tag in the
Actions.xml file as follows:
<setting key="url">
http://vmad.msad.ibm.com:9080/bpf/Bp8IntegrationServlet?_commandId=9000&amp;objectStoreName={OBJECT_STORE_NAME}&amp;id={OBJECT_ID}&amp;objectType={OBJECT_TYPE}&amp;timeZone={TIME_ZONE}
</setting>
Update the Infopages.xml File
In the Infopages.xml file, change the BPF URL in the setting key tag to the URL that refers to
the TAM server.
Example
Assume that the BPF application was initially deployed on a server called vmad and that the URL
for this server appears in the Infopages.xml as follows:
<setting key="url">
http://vmad:9080/bpf/Bp8IntegrationServlet?_commandId=9000
</setting>
If the SSO server is vmad.msad.ibm.com and, after you configure BPF with SSO, the BPF URL is
http://vmad.msad.ibm.com/filenet/bpf, change the setting key tag in the Infopages.xml file as
follows:
<setting key="url">
http://vmad.msad.ibm.com:9080/bpf/Bp8IntegrationServlet?_commandId=9000
</setting>
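The Actions.xml and Infopages.xml updates in the SiteMinder and Kerberos sections both come down to finding every BPF URL that still bypasses the SSO address and rewriting only its scheme, host, port and context path. The Python code below is an added example, not part of the IBM notice; the function names and the sample document (root element and extra settings) are assumptions, and only the setting key="url" element and the URLs are taken from the notice.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit
from xml.sax.saxutils import escape

SERVLET = "/Bp8IntegrationServlet"


def _origin(parts):
    """(scheme, host, port), with the scheme's default port filled in."""
    default = {"http": 80, "https": 443}.get(parts.scheme)
    return parts.scheme, (parts.hostname or "").lower(), parts.port or default


def rebase_bpf_url(url, sso_base):
    """Replace scheme, host, port and context path with those of sso_base,
    keeping the servlet name and the query string (placeholders included)."""
    old, base = urlsplit(url.strip()), urlsplit(sso_base)
    cut = old.path.rfind(SERVLET)
    if cut < 0:
        raise ValueError("not a BPF integration URL: %r" % url)
    path = base.path.rstrip("/") + old.path[cut:]
    return urlunsplit((base.scheme, base.netloc, path, old.query, old.fragment))


def stale_bpf_urls(config_xml, sso_base):
    """(current, corrected) for each <setting key="url"> that targets the BPF
    servlet without going through sso_base."""
    base = urlsplit(sso_base)
    stale = []
    for setting in ET.fromstring(config_xml).iter("setting"):
        url = (setting.text or "").strip()
        if setting.get("key") != "url" or SERVLET not in url:
            continue
        parts = urlsplit(url)
        if (_origin(parts) != _origin(base)
                or parts.path != base.path.rstrip("/") + SERVLET):
            stale.append((url, rebase_bpf_url(url, sso_base)))
    return stale


def as_element_text(url):
    """Form to paste between the <setting> tags: '&' is written as '&amp;'."""
    return escape(url)


# Constructed sample: only <setting key="url"> and the URLs follow the notice;
# the root element and the third setting are placeholders.
SAMPLE = """<config>
  <setting key="url">
    http://ae7wl.netegrity.vafn.com:7001/bpf/Bp8IntegrationServlet?_commandId=9000&amp;objectStoreName={OBJECT_STORE_NAME}&amp;id={OBJECT_ID}
  </setting>
  <setting key="url">http://dc7.netegrity.vafn.com:80/fn/bpf/Bp8IntegrationServlet?_commandId=9000</setting>
  <setting key="label">Open in BPF</setting>
</config>"""

if __name__ == "__main__":
    for current, fixed in stale_bpf_urls(SAMPLE, "http://dc7.netegrity.vafn.com/fn/bpf"):
        print("stale:  ", current)
        print("replace:", as_element_text(fixed))
```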
(WAS Only) Update the Security Constraints in the Workplace web.xml File
The Workplace web.xml file is located in the following folder:
Workplace Installed folder\WEB-INF
Note: If BPF is installed as an EAR file or a WAR file, unbundle the EAR or WAR file, modify
the web.xml file, and then rebundle the EAR or WAR file.
To update the Workplace web.xml file, complete the following steps:
1. Make a backup copy of the Workplace web.xml file and store this copy outside the
Workplace Installed folder folder.
2. Add <url-pattern>/Bp8ViewActions.jsp</url-pattern> to the <security-constraint> section
of the Workplace web.xml file as follows:
<security-constraint>
<web-resource-collection>
<web-resource-name>action</web-resource-name>
<description>
Define the container secured resource
</description>
<url-pattern>
/containerSecured/*
</url-pattern>
<!-- Uncomment this section if all resources that require credentials
must be secured in order to obtain a secured Thread. If using
WebSphere, this section must be uncommented. -->
<url-pattern>/</url-pattern>
<url-pattern>/Bp8ViewActions.jsp</url-pattern>
<url-pattern>/author/*</url-pattern>
<url-pattern>/Browse.jsp</url-pattern>
<url-pattern>/eprocess/*</url-pattern>
<url-pattern>/Favorites.jsp</url-pattern>
<url-pattern>/GetPortalSitePreferences.jsp</url-pattern>
<url-pattern>/GetUserInformation.jsp</url-pattern>
(WAS Only) Redeploy the Workplace Application
After you modify the Actions.xml, Infopages.xml, and Workplace web.xml files, you need to
redeploy the Workplace application.
Restart the Workplace Application
Restart the Workplace application and verify you can log in to Workplace.
Restart the BPF Web Application
Stop and restart the BPF application, and then verify that you can
Access the BPF Web application without being prompted to log in.
Access all the appropriate inbaskets.
From the same client that is configured to access the Workplace web application, use the new
Kerberos server URL to access the application; for example:
http://vmad.msad.ibm.com:9080/bpf