SSO via Content Navigator

[jeffs42885]

Greetings all,

Just wondering if anyone has used Security User exits in regards to getting SSO running for CMOD using Content Navigator. This is a new requirement for our latest project. I am not familiar with ODWEK  /  ICN programming and I am wondering if anyone has tips or even sample code.

[Justin Derrick]

Just bumping this thread as I too have a need for ICN with SSO & CMOD.

-JD.

[Alessandro Perucchi]

Hello,

I've done it, and you need the following skills:

- C programming (because you need to write the security user exit)
- ICN / WAS / CMOD Knowledge

If you want I can send you the documentation I've made.
This is without any warranty that it will work. I've done it in Linux and it was working for my small proof of concept.
I cannot give any support, except best effort.

If that's good enough for you, then I'll send them to you via PM.

Yours sincerely,
Alessandro

[amit.agnihotri]

Hi Alessandro,

I am trying to use security user exit program to customize login.
As per the IBM guide, I compiled the vanilla code and copied it to /usr/lpp/ars/bin/exits directory.
And updated ars.ini, then restarted the server.

But I was not able to start the server. The log gives error:
CMODD,07/02/15 01:19:44,0,ARSSOCKD,,2,160,Unable to load module >/usr/lpp/ars/bin/exits/arsusec<. The return code is 8  Srvr->

Can you please help with it.
Also can you please share the documentation, it will help a lot in setting up the process.

[Justin Derrick]

One problem I've had in the past is that CMOD requires code to be compiled as a 64-bit binary/library.  Check to ensure that your compiler options are correct to produce 64-bit output.

Good luck!

-JD.

[Alessandro Perucchi]

Hi Amit,

I will not share this documentation ever again.

It was shared once without my will, and now, apparently there is some pressure from a customer to IBM to do some correction on my code, which was given without any support at all and without garantee...
I don't want that something like that happens again, and I am quite pissed.

What I can tell you is that what is written in the IBM website is not much, but enough to do it.
Even if I am working at IBM, I have NO access to internal information concerning CMOD. It means I needed to found out with the exact same documentation that you have as a customer how to do it.
It took me 4-5 days in order to have a first working prototype.
You need to know C, and how to decrypt LTPA token in order to check if the LTPA token is still valid or not.
Concerning LTPA token decryption, I had at that time absolutely no idea how to do it, so most of the 4-5 days was searching for documentation and trying to make it work....

More than that I will not say anymore, you can say thank you to the customer who did that, and the person who gave that documentation to them.
I only see that sometimes something done with pure intention can backfire... and I was burned.

[Justin Derrick]

And just to back up Alessandro -- IBM Lab Services does this sort of work, and has pre-existing code that is officially supported.

When I couldn't make proper use of Alessandro's code (different platform), and the customer didn't have an internal resource to do the work, we (successfully) pushed the customer to engage  IBM Lab Services to implement, customize, and support their User Security Exit.

It's not fair to demand support and education and customizations for a quick hack that was distributed as sample code.

-JD.