IBM Connections and SPNEGO - AES256 and logout button
I’m currently working on an IBM Connections migration project for a large Swiss customer, where I had to enable SPNEGO SSO with strong AES256 encryption.
First I tried the standard way (described here in the Connections Knowledge Center and even better here by Dave Hay) and of course SSO failed 😉
After debugging I found out that it fails because the standard Java JCE policy files do not support strong encryption.
So whenever you want SPNEGO with strong encryption, go to this site, download the unrestricted SDK JCE policy files for Java 6 and copy them to all your WAS servers.
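The following check, added here as an example and not part of the original post, verifies on a WAS server that the unrestricted policy files are actually in effect: with the restricted files, Cipher.getMaxAllowedKeyLength("AES") returns 128 and initialising an AES-256 cipher fails with "Illegal key size". The JDK path in the comment is an assumption for a default Linux install.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;

// Compile and run with the JDK that WebSphere really uses, e.g. (assumed default path):
//   /opt/IBM/WebSphere/AppServer/java/bin/javac JcePolicyCheck.java
//   /opt/IBM/WebSphere/AppServer/java/bin/java JcePolicyCheck
public class JcePolicyCheck {

    // Returns true when this JDK permits AES-256, i.e. the unrestricted policy files are installed.
    static boolean unrestrictedAesAvailable() throws GeneralSecurityException {
        int maxBits = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max AES key length: "
                + (maxBits == Integer.MAX_VALUE ? "unlimited" : maxBits + " bits"));
        if (maxBits < 256) {
            return false;
        }
        // Constructed 32-byte all-zero key, only used to initialise the cipher for this check.
        byte[] key = new byte[32];
        Cipher aes = Cipher.getInstance("AES/ECB/NoPadding");
        try {
            aes.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
        } catch (InvalidKeyException e) {
            // This is the "Illegal key size" error you get with the restricted policy files.
            System.out.println("AES-256 init failed: " + e.getMessage());
            return false;
        }
        return true;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        boolean ok = unrestrictedAesAvailable();
        System.out.println(ok
                ? "Unrestricted JCE policy in effect, SPNEGO with AES256 can work"
                : "Restricted JCE policy: install the unrestricted policy files in jre/lib/security");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it once per WAS server after copying the policy files; a non-zero exit code means the SPNEGO token decryption will still fail on that node.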
This customer had the requirement that a user logout should still work with SPNEGO SSO enabled. This can be done with some URL rewriting on the HTTP server, as described by my good friend Sjaak in the Connections forum.
In this special case I had to change the rewriting of the logout button to point to the application login pages, because restricted access to IBM Connections was enabled. Just use the following rules to enable the logout button for SPNEGO SSO:
# Logout Button for SPNEGO
RewriteRule ^/activities/ibm_security_logout$ /activities/auth/login.jsp [noescape,R,L,NC]
RewriteRule ^/blogs/ibm_security_logout$ /blogs/login [noescape,R,L,NC]
RewriteRule ^/communities/ibm_security_logout$ /communities/login [noescape,R,L,NC]
RewriteRule ^/dogear/ibm_security_logout$ /dogear/login [noescape,R,L,NC]
RewriteRule ^/files/ibm_security_logout$ /files/login [noescape,R,L,NC]
RewriteRule ^/forums/ibm_security_logout$ /forums/auth/login [noescape,R,L,NC]
RewriteRule ^/homepage/ibm_security_logout$ /homepage/login [noescape,R,L,NC]
RewriteRule ^/metrics/ibm_security_logout$ /metrics/login [noescape,R,L,NC]
RewriteRule ^/moderation/ibm_security_logout$ /moderation/login [noescape,R,L,NC]
RewriteRule ^/news/ibm_security_logout$ /news/login [noescape,R,L,NC]
RewriteRule ^/profiles/ibm_security_logout$ /profiles/login [noescape,R,L,NC]
RewriteRule ^/search/ibm_security_logout$ /search/login [noescape,R,L,NC]
RewriteRule ^/wikis/ibm_security_logout$ /wikis/login [noescape,R,L,NC]
PS: Or use this shorter version (kindly provided by Christoph Stoettner), which sends all logouts to the homepage login page:
# Logout redirect for SPNEGO; replace connections-fqdn with the host name of your Connections server.
# The RewriteCond on the query string is the loop guard: it skips the rule once logoutExitPage has
# been appended, so it must use the same host name as the RewriteRule below.
RewriteCond %{REQUEST_URI} /(.*)/ibm_security_logout(.*)
RewriteCond %{QUERY_STRING} !logoutExitPage=http://connections-fqdn
RewriteRule /(.*)/ibm_security_logout(.*) /$1/ibm_security_logout?logoutExitPage=http://connections-fqdn/homepage/login/ [noescape,L,R]