Saturday, January 20, 2007

Success with SSO between WebSEAL and Lotus Domino

IBM has a pretty good document on setting this up. You will need an IBM user ID to access it; it is on the TAM support web site at http://www-306.ibm.com/software/sysmgmt/products/support/IBMTivoliAccessManagerfore-business.html. Just search for "domino integration" to find it. There are two available. For some reason IBM refers to them as adapters, which I think is misleading, because when I hear "adapter" I think of ITIM adapters. In this case the two items are just PDFs with instructions on how to put Domino behind WebSEAL doing SSO with LTPA. But hey, whatever. The documentation is pretty good. If you follow these instructions it will work.

There is one key item the document does not mention:

When you create the junction you need to use pdadmin, and you must be on the WebSEAL server to do it. Yes, you can run pdadmin from the Policy Server or even the authorization server, but if you need to create a junction using LTPA then you must be on the WebSEAL server for it to work. Otherwise you'll just end up with an error:

DPWWM1318E Cannot create junction
DPWWA1998W Unable to open the LTPA key file for reading
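A small preflight script for the same step, as an added example that is not from the post or from IBM's documentation: run on the WebSEAL host, it confirms the LTPA key file can actually be opened for reading (the condition DPWWA1998W complains about) and is not readable by group or others, then hands the junction command to pdadmin. The instance name, Domino host, key file path and junction name are placeholder assumptions; -A, -F and -Z are WebSEAL's standard LTPA junction options.

```shell
#!/bin/sh
# Added example, not from the blog or from IBM: preflight check for an LTPA
# junction, meant to run on the WebSEAL host itself before calling pdadmin.
# Instance name, Domino host, key file path and junction name are placeholders.
WEBSEAL_INSTANCE="${WEBSEAL_INSTANCE:-default-webseald-webseal1}"    # placeholder
DOMINO_HOST="${DOMINO_HOST:-domino.example.com}"                     # placeholder
LTPA_KEYFILE="${LTPA_KEYFILE:-/var/pdweb/keytab-default/ltpa.keys}"  # placeholder
JUNCTION="${JUNCTION:-/domino}"                                      # placeholder

# Return 0 if the key file can be opened for reading by the account running
# this script. DPWWA1998W is WebSEAL reporting that this check failed on its side.
check_ltpa_keyfile() {
    f="$1"
    [ -f "$f" ] || { echo "no such key file: $f" >&2; return 1; }
    [ -r "$f" ] || { echo "key file not readable: $f" >&2; return 1; }
    return 0
}

# Return 0 if group and others have no access to the key file. The LTPA key is
# the shared secret with Domino: anyone who can read it can forge LTPA tokens.
keyfile_is_private() {
    mode=$(ls -l "$1" | cut -c5-10)   # group+other permission bits from ls -l
    [ "$mode" = "------" ]
}

# Build the pdadmin junction command: -A turns on LTPA cookies for the
# junction, -F names the key file WebSEAL will read, -Z gives its password.
# The password comes from LTPA_KEYFILE_PW so it stays out of the shell history.
build_junction_cmd() {
    printf 'server task %s create -t tcp -h %s -p 80 -A -F %s -Z %s %s\n' \
        "$WEBSEAL_INSTANCE" "$DOMINO_HOST" "$LTPA_KEYFILE" \
        "${LTPA_KEYFILE_PW:?set LTPA_KEYFILE_PW}" "$JUNCTION"
}

main() {
    check_ltpa_keyfile "$LTPA_KEYFILE" || exit 1
    keyfile_is_private "$LTPA_KEYFILE" ||
        echo "warning: $LTPA_KEYFILE is readable by group or others" >&2
    # Feed the command to pdadmin non-interactively, on the WebSEAL server.
    build_junction_cmd | pdadmin -a sec_master -p "${PDADMIN_PW:?set PDADMIN_PW}"
}

# Only act when explicitly asked, so the functions can be sourced and checked.
if [ "${RUN_JUNCTION:-0}" = 1 ]; then main; fi
```

Set RUN_JUNCTION=1, LTPA_KEYFILE_PW and PDADMIN_PW in the environment to actually create the junction; without them the script only defines the checks.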

This stumped me for a handful of hours and even IBM Tech Support never mentioned this little tidbit. My friend Ram from the Tivoli Software group said he usually creates junctions from the WebSEAL server anyhow. I guess maybe I just need to pick the right habits to learn.

2 comments:

Anonymous said...

Hey Charles, You've got a nice li'l blog going here. Stumbled on it in my investigations with this problem I am facing at a client end. I've configured SSO between TAM and Domino a few times and it works like a piece of cake, but this client doesn't want to modify the User Name in the Lotus person document :( Is there a way to use some attribute other than the User Name to map the TAM DN? Would really appreciate any pointers you would have. Thought about using TAI, but apparently Domino does not support it. Do update the comments section when you get a chance. Thanks!

Anonymous said...

I was having this exact problem trying to integrate Lotus Connections with WebSEAL - running the junction commands from each WebSEAL server did the trick. Thanks!