Collaboration For Business Console 9.8 - User Management Configuration

As an Administrator, you can configure system properties, export or import user management settings, and configure an LDAP server for Collaboration.

Prerequisite

  • The User management configuration functional privilege is assigned to you.
  • You have allowed pop-ups for the pages of Administration.

Customizing System Configuration

You can customize your system configuration to meet your requirements at runtime without having to restart the system.

To customize system configuration

  1. Log in to Collaboration Cloud Controller as Administrator.
  2. Select Administration.
  3. Select User management settings or Document storage.
  4. Select the relevant entry that is not locked and click Edit.
  5. Make the changes in the Edit dialog. If you want to load a specific file in the configuration, you can upload the file in the Upload configuration file dialog.

Deleting System Property

You can delete the value of an individual property of your system configuration.

To delete a system property

  1. Log in to Collaboration Cloud Controller as Administrator.
  2. Select Administration.
  3. Select User management settings or Document storage.
  4. Select the relevant entry that is not locked and click Delete.

Exporting and Importing User Management Settings

Exporting User Management Settings

You can export user management settings in order to import and use these settings in other tenants or installations.

To export user management settings

  1. Log in to Collaboration Cloud Controller as Administrator.
  2. Select Administration.
  3. Click Configuration.
  4. Click User management settings.
  5. Click Export. You can save the configuration file at the relevant location for further use.

Importing User Management Settings

You can import and use the user management settings in other tenants or installations.

To import the user management settings

  1. Log in to Collaboration Cloud Controller as Administrator.
  2. Select Administration.
  3. Click Configuration.
  4. Click User management settings.
  5. Click Import.
  6. In the Import configuration file dialog, navigate to the location where you want to save the configuration file, and save it. The new configuration is active immediately and no system restart is required.

Configuring Collaboration for LDAP Server Operations

To configure Collaboration for LDAP server operations

  1. Log in to Collaboration Cloud Controller as Administrator.
  2. Select Administration.
  3. Click Configuration.
  4. Click User management settings.
  5. Select an LDAP connection from the list.
  6. Double-click and select the property you want to edit.
  7. Edit the property.
  8. After you complete all the required property settings, set the value of the com.aris.umc.ldap.active property to true.
  9. If you want to upload a configuration, ensure that you have not enabled any pop-up blockers in the browser, and upload a file.
  10. Configure the URL of the LDAP system in the com.aris.umc.ldap.url property. For example, set it to ldap:hqgc.mycompany.com:3168.
  11. If required, configure the URL of the automatic backup system, if such a backup system is used for your LDAP system and automatically takes over the function of the original system. Set this property:
      com.aris.umc.ldap.backup.url=<//Backup system URL//>
  12. If you saved users or user groups in subdirectories, configure the following:
      com.aris.umc.ldap.user.searchpath=<//Path to users//>
      com.aris.umc.ldap.group.searchpath=<//Path to user groups//>
  13. If you want to enable following referrals of users to other directories, configure the following:
      com.aris.umc.ldap.referral=follow
  14. If you want to avoid the above behavior, configure as follows:
      com.aris.umc.ldap.referral=ignore
      If you leave this entry blank, referrals are not followed.
  15. If you want to ensure that the import of LDAP users is carried out despite any errors that might occur (such as duplicate names), define the following:
      com.aris.umc.ldap.sync.skipOnFault=true
      Note: The system performance is significantly affected if you enable this option.

Configuring Secure Communication between Collaboration and LDAP Server

If you want to encrypt the communication between Collaboration and the LDAP server, enable one of these options:

  • STARTTLS

This upgrades a connection that starts out unencrypted into an encrypted connection without using a separate port.

  • SSL

The connection between Collaboration and the LDAP server is established using a dedicated port.

Prerequisite

  • The LDAP server has a valid SSL certificate and LDAP is activated.
  • Administration trusts the LDAP server (the SSL certificate of the LDAP server or of the certification authority is stored in the JRE database of trustworthy certificates).

To use STARTTLS to configure an encrypted communication between Collaboration and the LDAP server

  1. Log in to Collaboration Cloud Controller as Administrator.
  2. Select Administration.
  3. Click Configuration.
  4. Click User management settings.
  5. Locate the following strings and configure:
     com.aris.umc.ldap.url=ldaps://<//myldapserver//>:<//myport//>//
     com.aris.umc.ldap.ssl=true
     com.aris.umc.ldap.ssl.mode=starttls

  6. Collaboration must trust the LDAP server used. Therefore, we recommend that you use an LDAP server with a certificate signed by a public certification authority. If your certificate is signed by a public certification authority and stored in the list of trustworthy certificates of your JRE, you do not need to configure anything else.
  7. Self-signed certificates must be manually imported into the list of trustworthy certificates of your JRE. Import a self-signed certificate into your ARIS Design Server JRE (for example, …server/jre):
     keytool.exe -importcert -file <//mycertificate//> -keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit

To use SSL to connect Collaboration and the LDAP server

  1. Log in to Collaboration Cloud Controller as Administrator.
  2. Select Administration.
  3. Click Configuration.
  4. Click User management settings.
  5. Select an LDAP connection from the list.
  6. Locate the following strings and configure:
     com.aris.umc.ldap.url=ldap://<//myldapserver//>:<//myport//>//
     com.aris.umc.ldap.ssl=true
     com.aris.umc.ldap.ssl.mode=ssl

  7. Collaboration must trust the LDAP server used. Therefore, we recommend that you use an LDAP server with a certificate signed by a public certification authority. If your certificate is signed by a public certification authority and stored in the list of trustworthy certificates of your JRE, you do not need to configure anything else.
  8. Self-signed certificates must be manually imported into the list of trustworthy certificates of your JRE. Import a self-signed certificate into your ARIS Design Server JRE (for example, …server/jre):
     keytool.exe -importcert -file <//mycertificate//> -keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit
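Before uploading an edited settings file, it helps to check the com.aris.umc.ldap.* values from the LDAP and secure-communication procedures above for the mistakes that silently leave directory traffic unencrypted or import errors hidden. The checker below is an added example, not part of the ARIS documentation or product; the property names are the ones this page documents, the sample values are constructed, and the parser assumes plain key=value lines as in a Java properties file.

```python
from urllib.parse import urlsplit

SAMPLE_PROPERTIES = """  # constructed sample, not a real installation
com.aris.umc.ldap.active=true
com.aris.umc.ldap.url=ldaps://myldapserver:636
com.aris.umc.ldap.ssl=true
com.aris.umc.ldap.ssl.mode=ssl
com.aris.umc.ldap.referral=ignore
com.aris.umc.ldap.sync.skipOnFault=true
com.aris.umc.ldap.auth.only=true
"""

def parse_properties(text):
    """Parse key=value lines into a dict; blank lines and # comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def check_ldap_settings(props):
    """Return a list of findings for the com.aris.umc.ldap.* settings (empty = nothing to fix)."""
    p = "com.aris.umc.ldap."
    findings = []
    url = props.get(p + "url", "")
    if props.get(p + "active") == "true" and not url:
        findings.append("ldap.active is true but ldap.url is empty")
    if url:
        parts = urlsplit(url)
        if parts.scheme not in ("ldap", "ldaps"):
            findings.append(f"ldap.url has unexpected scheme '{parts.scheme}'")
        elif parts.port is None:
            findings.append("ldap.url has no explicit port")
    if props.get(p + "ssl") != "true":
        findings.append("ldap.ssl is not true: directory traffic is unencrypted")
    elif props.get(p + "ssl.mode") not in ("starttls", "ssl"):
        findings.append("ldap.ssl.mode must be 'starttls' or 'ssl'")
    if props.get(p + "referral", "") not in ("", "follow", "ignore"):
        findings.append("ldap.referral must be 'follow', 'ignore' or empty")
    if props.get(p + "sync.skipOnFault") == "true":
        findings.append("sync.skipOnFault=true hides import errors and slows synchronization")
    return findings

if __name__ == "__main__":
    for finding in check_ldap_settings(parse_properties(SAMPLE_PROPERTIES)):
        print("WARN:", finding)
```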

Authorizing Login Only for LDAP Users

To enable only LDAP users to log in to Collaboration

  1. Log in to Collaboration Cloud Controller as Administrator.
  2. Select Administration.
  3. Click Configuration.
  4. Click User management settings.
  5. Select an LDAP connection from the list.
  6. Locate and configure com.aris.umc.ldap.auth.only to true.

Only the following users will be allowed to log in to Collaboration:

  • LDAP users
  • System
  • Superuser
  • Arisservice
  • Guest

Configuring Single Sign-On

If you are using MS Active Directory Domain Services, you can configure SSO (single sign-on). SSO enables users to work with all Collaboration components as soon as they are logged in to the domain. Separate login to Collaboration components is not required.

Single sign-on in Collaboration is based on Kerberos. Kerberos is a network authentication protocol that enables nodes communicating over a non-secure network to prove their identity to each other securely. Kerberos is the recommended method for user authentication in MS Windows networks. In addition, it is widely used in UNIX operating systems and is designed for use on all major platforms.

Please contact your LDAP administrator for configuring Kerberos.

Prerequisites for Server

  • Users have a valid login for Microsoft Active Directory Domain Services.
  • Administration authentication is performed through LDAP.
  • Microsoft Active Directory Domain Services supports Kerberos-based authentication (default) and the Service Principal Name of the Collaboration server has the following format:
HTTP/<//host name//>

For example,

HTTP/mypc01.my.domain.com

Prerequisites for Client

  • Client and server computers are connected with the same MS Active Directory Domain Services.
  • The browser used is configured to support Kerberos-based authentication.

Configuring Single Sign-On on Server

To configure single sign-on on server

  1. Log in to Collaboration Cloud Controller as Administrator.
  2. Select Administration.
  3. Click Configuration.
  4. Click User management settings.
  5. Select Kerberos from the list.
  6. To activate SSO, locate and configure com.aris.umc.kerberos.active as true.
  7. Locate com.aris.umc.kerberos.config and upload the Kerberos configuration file.

If you do not have a Kerberos configuration file, create one, name it (for example, krb5.conf), add the following lines, adjust the configuration to meet your requirements, and upload the file.

[libdefaults]
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac arcfour-hmac arcfour-hmac-md5
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac arcfour-hmac arcfour-hmac-md5
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac arcfour-hmac arcfour-hmac-md5

  8. Locate the com.aris.umc.kerberos.servicePrincipalName property and configure it to the user name of the technical user in use, as provided by the administrator.

For example, if the Service Principal Name in the keytab is mypc01@MY.DOMAIN.COM, the value of the com.aris.umc.kerberos.servicePrincipalName property must contain the Service Principal Name exactly as specified in the keytab file.

  9. Locate the com.aris.umc.kerberos.realm property and configure the realm for the Kerberos service. Enter the fully qualified domain name in uppercase letters. For example, MYDOMAIN.COM.
  10. Locate the com.aris.umc.kerberos.kdc property and configure the fully qualified name of the KDC to be used.
  11. (Optional) Locate and configure the debug mode for the Kerberos operations:
      com.aris.umc.kerberos.debug=true
      The debug output of the program is saved in the system.out file of the respective program. The system.out file is located in the <Collaboration installation directory>/work_umcadmin_m/base/logs directory.
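The krb5.conf fragment in step 7 lists every encryption type the KDC might offer, including single DES and RC4 (arcfour), which have been deprecated for Kerberos by RFC 6649 and RFC 8429. The script below is an added example, not part of the ARIS documentation or product: it parses the [libdefaults] section of a krb5.conf in the form shown above and reports which enctype settings still list those weak types, so they can be removed before the file is uploaded. The sample file is constructed.

```python
import re

# Constructed sample in the shape of the step 7 fragment; only the first
# setting still carries the weak DES and RC4 names.
SAMPLE_KRB5_CONF = """
[libdefaults]
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac arcfour-hmac arcfour-hmac-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
# Name prefixes of single-DES and RC4 enctypes; "des3-" does not match "des-".
WEAK_PREFIXES = ("des-", "rc4-", "arcfour-")

def parse_libdefaults(text):
    """Return {key: value} for the [libdefaults] section of a krb5.conf."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values

def weak_enctypes(libdefaults):
    """Map each enctype setting to the weak names it lists; clean settings are omitted."""
    result = {}
    for key in ENCTYPE_KEYS:
        names = libdefaults.get(key, "").split()
        weak = [n for n in names if n.lower().startswith(WEAK_PREFIXES)]
        if weak:
            result[key] = weak
    return result

if __name__ == "__main__":
    for key, names in weak_enctypes(parse_libdefaults(SAMPLE_KRB5_CONF)).items():
        print(f"{key}: remove {' '.join(names)}")
```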

Kerberos Configuration Example

com.aris.umc.kerberos.active=true
com.aris.umc.kerberos.servicePrincipalName=mypc01
com.aris.umc.kerberos.realm=MY.DOMAIN.COM
com.aris.umc.kerberos.kdc=mykdc01.my.domain.com
com.aris.umc.kerberos.debug=false

Configuring Single Sign-On on Client

Configure the browser settings to allow SSO. SSO has been tested with the following browsers:

  • Microsoft Internet Explorer (version 6 or higher)
  • Firefox

You must first empty the Kerberos ticket cache of each client to avoid obsolete tickets if Microsoft Active Directory Domain Services was changed. Delete the Kerberos ticket cache by executing the command klist.exe purge. If the purge program is not available on the client computer, you can instead log the client computer off from the domain and log it back in.

Microsoft Internet Explorer

To configure Kerberos in Internet Explorer

  1. Start Microsoft Internet Explorer.
  2. Click Tools > Internet Options.
  3. Activate the Security tab and click Local Intranet.
  4. Click Sites, and select Advanced.
  5. Add the URL of the Collaboration server that was configured for SSO. Add the DNS host name and the IP address of the Collaboration server.
  6. Disable the Require server verification (https:) for all sites in this zone check box.
  7. Click Close.
  8. Select OK.
  9. Click Custom level and make sure that no user-defined settings affect your new settings.
  10. Locate the User Authentication section. Verify whether the Automatic logon only in Intranet zone option is enabled.
  11. Click OK.
  12. Close and restart Microsoft Internet Explorer.

Mozilla Firefox

In Mozilla Firefox, you can define trustworthy sites via the computer name, IP address, or a combination of both. You can use wildcards.

To configure Kerberos in Mozilla Firefox

  1. Start Mozilla Firefox.
  2. Type about:config in the address box and press Enter. Confirm a message, if required.
  3. Type network.negotiate in the Search box and press Enter.
  4. Double-click network.negotiate-auth.trusted-uris.
  5. Type the computer name or the IP address of the Collaboration server that you configured for SSO, and click OK.
  6. Close and restart Mozilla Firefox.

If you prefer to use encryption stronger than AES 128-bit and this encryption is allowed in your country, replace the JCE policy file of the JDK of your Collaboration server with the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6 (http://www.oracle.com/technetwork/java/javase/downloads/index.html). This allows unlimited key lengths.

If you cannot replace the policy files but still want to use SSO, you must use an encryption type that the JDK allows for encrypting Kerberos tickets (such as AES 128-bit).

Google Chrome

Your administrator can activate Kerberos by configuring a comma-separated list of allowed server URLs in the browser's authentication server whitelist policy.

Apple Safari (for Mac OS X)

Apple Safari supports Kerberos and does not require any additional configuration. Mac OS X supports the Kerberos standard developed by the Massachusetts Institute of Technology (MIT). For single sign-on, Apple Macintosh computers must be connected to the same MS Active Directory that the Collaboration server is connected to.
