Preparing Your Enterprise for IBM SmartCloud for Social Business

Martin Hill, Sujay D Kumar, Pallavi Singh, Maurice Teeuwe

Note: This PDF document is the original text from Preparing Your Enterprise for IBM SmartCloud for Social Business hosted in the online wiki site. Always refer to the online version for the latest updates.

Contents

Preface ... v
Meet the authors ... v
Acknowledgements ... vi
Become an author ... vii
Comments welcome ... viii
Stay connected to IBM Redbooks ... viii

Chapter 1. Introduction to IBM SmartCloud for Social Business ... 1
1.1 Objective of this IBM Redbooks guide ... 1
1.2 Why should you move to a cloud environment? ... 1
1.3 What is a social business? ... 3
1.3.1 IBM SmartCloud for Social Business ... 4
1.4 IBM SmartCloud for Social Business Portfolio ... 5
1.4.1 Technologies available ... 5
1.4.2 Package and bundles ... 6
1.4.3 Onboarding services ... 7
1.4.4 IBM Social Business Toolkit ... 7

Chapter 2. IBM SmartCloud for Social Business architecture ... 9
2.1 Network Accelerator Technology for IBM SmartCloud for Social Business ... 11
2.1.1 Network Accelerator Technology for IBM SmartCloud for Social Business ... 11
2.2 Client access methods for IBM SmartCloud for Social Business ... 12
2.2.1 Client access methods ... 12

Chapter 3. Deployment options ... 15
3.1 Cloud deployment options ... 15
3.1.1 The public cloud deployment model ... 15
3.1.2 The private (dedicated) cloud deployment model ... 16
3.1.3 The hybrid cloud deployment model ... 17
3.2 IBM SmartCloud for Social Business deployment models ... 17
3.2.1 IBM SmartCloud for Social Business Service Only ... 17
3.2.2 IBM SmartCloud for Social Business Hybrid ... 18

Chapter 4. Privacy, security, and governance ... 23
4.1 People and identity ... 25
4.1.1 Data ... 30
4.1.2 IBM SmartCloud Collaboration for Government ... 34
4.2 Applications ... 34

© Copyright IBM Corp. 2014. All rights reserved.

Chapter 5. Networks and firewall ... 37

Chapter 6. Synchronizing directories ... 41
6.1 SmartCloud Notes deployment options ... 42
6.1.1 Setting up the SmartCloud Notes Hybrid configuration ... 43
6.1.2 Next Steps ... 55
6.2 IBM SmartCloud iNotes directory synchronization ... 55
6.2.1 IBM SmartCloud Integration and Migration site ... 57
6.2.2 Automating LDIF file transfer ... 57

Chapter 7. User Provisioning, Journaling, and mail data migrations ... 61
7.1 Customizing your environment to integrate with the cloud ... 62
7.1.1 Integration site options ... 62
7.1.2 Enabling your enterprise integration server ... 63
7.1.3 Bulk User Provisioning ... 65
7.1.4 Integration site throttling ... 70
7.2 Journaling ... 71
7.2.1 Journaling file name and output ... 71
7.2.2 Enabling the SmartCloud Notes journaling service ... 73
7.3 Mail data migration ... 74
7.3.1 Migration options ... 75
7.3.2 The user experience ... 76

Chapter 8. Application integration ... 77
8.1 Developing and integrating existing applications into the IBM SmartCloud environment ... 78
8.1.1 Integration steps ... 78
8.1.2 IBM SmartCloud for Social Business integration capabilities ... 78
8.1.3 Extension framework and User Interface (UI) extensions ... 80
8.1.4 Action link extensions ... 80
8.1.5 Supported extension points ... 81
8.1.6 Steps to Setting extensions manually ... 82
8.1.7 Steps to set Extension definitions and import them using JavaScript Object Notation (JSON) ... 83
8.1.8 OAuth for API access ... 85
8.2 Social Business Development Toolkit and SDK ... 88
8.2.1 How to obtain the Social Business Toolkit SDK ... 89
8.2.2 Social Business Toolkit SDK installation and configuration ... 90
8.2.3 Tools to aid development ... 90
8.2.4 Social Business Toolkit API Explorer ... 90
8.2.5 API reference ... 92
8.3 IBM SmartCloud for Social Business APIs ... 92
8.3.1 Categories of APIs ... 92
8.3.2 API standards supported ... 92
8.3.3 Examples of various APIs by category ... 93
8.3.4 Java script API services ... 93
8.3.5 Key concepts of Java API ... 94

Chapter 9. Federated identity management integration ... 97
9.1 What is a federated identity? ... 98
9.1.1 Who initiates the process? ... 99
9.2 What is SAML? ... 101
9.2.1 Why SAML? ... 101
9.2.2 Identity federation types ... 102
9.2.3 User types ... 103
9.3 What you should be aware of ... 103
9.4 Preparing for federated identity management ... 104
9.5 Enabling federated identity management ... 104
9.6 Project steps and readiness checklist ... 105

Chapter 10. Scenarios ... 107
10.1 Implementing a new IBM stand alone (Service Only) SmartCloud for Social Business Trial environment ... 108
10.1.1 Scenario overview ... 108
10.1.2 Implementation ... 110
10.2 Implementing an IBM SmartCloud Notes environment with an existing IT Infrastructure ... 132
10.2.1 Scenario overview ... 133
10.2.2 Setting up the SmartCloud Notes Hybrid configuration ... 135
10.2.3 SmartCloud Notes Hybrid setup ... 136
10.2.4 Mail Managed Replica ... 151
10.2.5 Manual transition of on-premises IBM Domino user account(s) into SmartCloud Notes without data transfer ... 151
10.2.6 Batch transition of multiple user accounts from on-premises IBM Domino user accounts into SmartCloud Notes without data transfer ... 158
10.3 Implementing a user management solution using Active Directory with an IBM SmartCloud for Social Business environment within an existing IT Infrastructure ... 160
10.3.1 Extending user identity management from AD to the IBM SmartCloud for Social Business ... 160
10.3.2 The scenario ... 166

Appendix A. Installing the Social Business Toolkit SDK development environment ... 173
A.1 Installing the Social Business Toolkit SDK ... 174
A.2 Register OAuth applications ... 174
A.3 Configuring the Social Business Toolkit ... 176
A.4 Configuring the TrustedExternalApplication role for the WidgetContainer ... 177
A.5 Preparing Tomcat ... 179
A.6 Importing the SBT SDK projects into the Eclipse IDE ... 180
A.7 Configuring Tomcat in the Eclipse IDE ... 181
A.8 Verifying the Social Business Toolkit development environment installation ... 184

Appendix B. Example SmartCloud Notes Integration options ... 191
B.1 SmartCloud Notes integration ... 191
B.2 Example SmartCloud Notes Integration option - Crossware Mail Signatures ... 192
Crossware Mail Signature ... 192
B.3 Example SmartCloud Notes Integration option - OnTime Group Calendar ... 195
OnTime® Group Calendar for IBM SmartCloud Notes ... 195
B.4 Example SmartCloud Notes Integration option - Riva / Salesforce CRM ... 198
Riva CRM Integration for IBM SmartCloud Notes ... 198
Did you know? ... 198
Business value ... 198
What Riva syncs ... 200
Solution architecture ... 200

Appendix C. Example SmartCloud - Websphere Portal integration ... 203
Introduction ... 203
Example ... 203

Preface

Meet the authors

This book is produced by a team of specialists from around the world.

Martin Hill is an IBM accredited Senior IT specialist working in the IBM UK Mobile Enterprise Services (MES) team. He joined IBM in 1994 and spent over 12 years working with Lotus Notes/Domino and associated products as an Email Messaging and Collaboration specialist, before moving into his current MES role.
He now works with IBM's clients, helping them to implement a wide range of enterprise mobility related products and services as part of IBM's MobileFirst offering.

Sujay D Kumar is an IBM Expert Level Certified IT Specialist and has over 17 years of experience implementing ECM and BPM solutions for many customers. He has worked at IBM for 8 years. His areas of expertise include Business Process Manager, Case Management, IBM Connections, FileNet Content Manager, solution architecture, and solution design. Sujay has a Bachelor's and a Master's degree in Mechanical Engineering.

Pallavi Singh is a Senior Accredited IT Specialist. She works on the IBM Notes client, helping various customers deploy it and solve issues both on premises and in the cloud. Prior to this assignment she worked on other Lotus products such as Lotus Workplace, WebSphere Portal, and Lotus Quickr, and for a year on IBM Optim Performance Manager. Pallavi has accumulated 13 years of experience, the last eleven of them with the IBM India Software Labs. She holds a Master's degree in Computer Applications. In her spare time, Pallavi is involved in community service. She is an alumna of the prestigious IBM Corporate Service Corps program.

Maurice Teeuwe is the European Technical Sales leader for the IBM Connections Suite on Cloud. He is an IBM Certified IT Specialist and has worked on deploying the IBM Collaboration Cloud offerings at customers since day one. He started working at IBM in 1999 and spent over seven years working with Lotus Notes/Domino and associated products as an Email Messaging and Collaboration specialist inside a global organization of about 120,000 users. In 2005 Maurice started to work for IBM Software Group Services, providing services for Lotus in many areas (one of which was customer mail data to cloud migration and transition projects in the Benelux).

Whei-Jen Chen is a Project Leader at the International Technical Support Organization, San Jose Center. She has extensive experience in application development, database design and modeling, and DB2® system administration. Whei-Jen is an IBM Certified Solutions Expert in Data Management and an IBM Certified IT Specialist.

Acknowledgements

The authors express their deep gratitude for the help they received from Marshall Lamb, Chief Architect of the IBM SmartCloud for Social Business Platform. Marshall provided the team with content direction and technical consultation throughout the development of this book.

We wish to acknowledge a special thank you to the following sponsors and key stakeholders from the IBM Collaboration Solution Development, Product Management, and IBM Collaboration Solution IDC teams:

Amanda Bauman: Everyone Writes and IDC Wikis Program Manager
Marshall Lamb: STSM, Chief Architect, SmartCloud for Social Business Platform
Rebecca Buisan: Director of Product Management and Marketing, IBM Social Business Cloud
Karin Cross-Smith: Offering Manager, IBM Collaboration Solutions
Dave Durazzano: Program Director, IBM Social Business Cloud

Additionally, we wish to thank the following members for their technical help and contributions to this IBM Redbooks guide:

Bryan Osenbach: Senior Software Engineer, IBM SmartCloud for Social Business
Michel FA Wigbers: TDI Specialist, IBM Connections
Niklas Heidloff: Application Development Community Advocate, IBM Collaboration Solutions
Daniel Charles: Product Manager, IBM SmartCloud for Social Business
Peter Janzen: Senior Product Manager, Notes/Domino Application Development
David Bell: Senior Solution Architect - IBM SmartCloud for Social Business Architecture & Strategy
Dave Kern: STSM, and Global ICS Security Architect
Nikolay Vlasov: IT Specialist - Social and Collaboration Solutions Architect
Enio Rubens Basso: IT Specialist, IBM Collaboration Solutions
Per Andersen: Managing Director, Crossware Company
Mikkel Flindt Heisterberg: Chief Technology Officer, IntraVision
Trevor Poapst: VP Marketing and Sales, Riva CRM Integration
Stefan Schmitt: Architect/Development Lead Smarter Workforce Template, IBM

Become an author

Join us for a two- to six-week residency program! Share your knowledge with peers in the industry and learn from others. Help create content about specific products or solutions, while getting hands-on experience with leading-edge technologies. You will have the opportunity to team with IBM technical professionals, Business Partners, and Clients.

Your efforts will help increase product acceptance and customer satisfaction. As a bonus, you will develop a network of contacts in IBM development labs, and increase your productivity and marketability.

Find out more about the residency program, browse the residency index, and apply online at: http://www.ibm.com/redbooks/residencies.html

Comments welcome

Your comments are important to us! We want the content in this wiki and all our wikis to be as helpful as possible. Provide us your comments in one of the following ways:

Use the commenting feature within the wiki. Log in and add comments, located at the bottom of each page.
Provide feedback in the Web form located at: http://www-12.lotus.com/ldd/doc/cct/nextgen.nsf/feedback?OpenForm

Stay connected to IBM Redbooks

Find us on Facebook: http://www.facebook.com/IBMRedbooks
Follow us on Twitter: http://twitter.com/ibmredbooks
Look for us on LinkedIn: http://www.linkedin.com/groups?home=&gid=2130806
Explore new Redbooks publications, residencies, and workshops with the IBM Redbooks weekly newsletter: https://www.redbooks.ibm.com/Redbooks.nsf/subscribe?OpenForm
Stay current on recent Redbooks publications with RSS Feeds: http://www.redbooks.ibm.com/rss.html

Chapter 1. Introduction to IBM SmartCloud for Social Business

1.1 Objective of this IBM Redbooks guide

The objective of this guide is to introduce IBM SmartCloud for Social Business, describe the benefits that adopting it can bring, and explain how to implement it in your own environment. Also included in this guide is a worked scenario that details the journey an example client takes in moving from a traditional, fully on-premise IT infrastructure to adopting a SmartCloud for Social Business implementation. This scenario helps illustrate the steps involved, the different implementation options available, and the capabilities of the different components that are included in the SmartCloud for Social Business portfolio.

You can use this guide as a reference for learning more about the IBM SmartCloud for Social Business offering, and as a guide on how to migrate your own IT environment and services to IBM SmartCloud.

1.2 Why should you move to a cloud environment?

Cloud can broadly be defined as IT services delivered through the internet, typically encompassing both infrastructure and software. There are three different models of cloud computing:

Infrastructure as a Service (IaaS): In this model, the cloud provides just the computing infrastructure, such as the servers, storage, and networks. It does not include any operating systems or applications, so you have to install and manage these yourself, along with any applications or services that you want to run on the cloud provided infrastructure.

Platform as a Service (PaaS): In this model, the cloud provides the computing infrastructure plus the operating system and any associated middleware required to run and manage that infrastructure. This means that everything is provided by the cloud apart from the applications that you want to use.

Software as a Service (SaaS): In this model, the infrastructure, platform, and application software are all provided by the cloud. This means that the entire computing "stack" is provided and managed for you, and all you have to do is use the applications included with the cloud service you chose.

All three of these cloud computing models have now matured to a point where they can be considered mainstream technology.

The first step of the IBM SmartCloud for Social Business journey is to understand and appreciate the benefits of moving some or all of your IT services to the cloud. Although the exact benefits of doing so will vary for each implementation, depending on which cloud based services are used and how they are integrated into the wider IT strategy, some of the key benefits are as follows:

Flexibility: Cloud services can easily and quickly be scaled both up and down to meet changing business requirements. This means you can have exactly the hardware capacity and software capability you need, when you need it, without long lead times.

Cost Efficient: As you can scale the hardware and software up and down to meet your requirements, you only have to pay for exactly what you need. Per user, per month payment plans (also known as pay as you go) provide predictable expenses and negate the need for significant upfront investment in infrastructure, software, and additional IT support staff and skills.

Hardware and Software Currency: As both the hardware and software in a cloud environment are provided as a managed service, they are both kept up to date on your behalf by the cloud provider. This means you no longer need to implement complex and costly upgrade projects to ensure the currency of your IT services.

Accessibility & Mobility: As cloud based services are accessed over a (secure) internet connection, they are inherently mobile, and users can potentially access their IT services from wherever they have an internet connection. This enables you to easily mobilize more of your IT services and business functions.

Availability & Disaster Recovery: Cloud hosting infrastructures are designed to be inherently highly available and often include multiple sites with automatic failover and data synchronization. Moving your IT services into the cloud means you can take advantage of these functions without the need to implement them yourself.

1.3 What is a social business?

Social business is a people-centric approach to business. It involves connecting networks of customers, partners, and employees, and removing the traditional boundaries between them to enable better collaboration. Key to this is the use of social networking technology, applied securely in the enterprise space, to communicate with people both inside and outside the company. Business analytics tools can then derive insights from these connections and use those insights to improve business functions.

A social business is more than just a set of tools, though. It is also a new strategic approach to shaping business culture, executive leadership, and corporate strategy that changes the way an organization works together.
Becoming a social business can help an organization benefit from deeper customer relationships, generate new ideas faster, improve expertise identification and enable a more connected, effective, and mobile workforce. Chapter 1. Introduction to IBM SmartCloud for Social Business 3 The following figure illustrates a social business using social collaboration tools and techniques to remove traditional barriers and help people work together more effectively. Further information on what it means to be a social business, the benefits of becoming one, real world examples, and access to demos can be found on the IBM Social Business web site here. This solution briefing document also describes what it means to become a social business in more detail. There is also an IBM social business YouTube channel available here that contains a range of video content on the subject of social business. 1.3.1 IBM SmartCloud for Social Business IBM SmartCloud for Social Business uses a Software as a Service (SaaS) cloud computing model to provide a portfolio of online services that easily enable the adoption social business practices. By leveraging cloud computing, the associated costs and complexity of transforming to a social business are significantly reduced. Cloud is a cost efficient IT delivery model that is perfect for Social Business tools as it easily allows an enterprise to extend beyond the firewall and enable employees to collaborate with each other, customers and suppliers. The following figure shows how IBM SmartCloud for Social Business combines the benefits of both social business and cloud delivered services. 4 Preparing Your Enterprise for IBM SmartCloud for Social Business IBM is a recognized leader in social collaboration technology for the enterprise and has an award winning track record for delivering security rich services in the cloud, making SmartCloud for social business the perfect combination. 
It enables businesses to take advantage of a cloud platform with flexible delivery models to reduce costs and implementation times. More details about how to transform your business with cloud based social technologies are available in this solution briefing document. 1.4 IBM SmartCloud for Social Business Portfolio IBM SmartCloud for Social Business combines a range of web conferencing, collaboration and messaging tools into a single integrated cloud based service. Being cloud based means it is flexible, allowing you chose exactly which components you want to use, and extensible so that you can add additional components as and when you need them. 1.4.1 Technologies available IBM SmartCloud for Social Business comprises following technologies and capabilities: IBM SmartCloud Engage provides collaboration tools including a personal dashboard, file sharing, communities, activities, blogs, wikis, forums, and instant messaging. More details on SmartCloud Engage can be found in this datasheet. Online meetings, including audio conferencing, with desktop and application sharing, chat, and polling. Enterprise class email and calendar with options for web based access (through IBM SmartCloud iNotes), desktop based access (through IBM SmartCloud Notes), and mobile based access (through IBM Notes Traveler) – all with spam and anti-virus protection. More details can be found in this datasheet on IBM SmartCloud iNotes and this datasheet on IBM SmartCloud Notes. IBM SmartCloud Docs office suite provides document editors for collaboratively authoring word processor, spreadsheet, and presentation documents. More details about IBM SmartCloud Docs can be found in this datasheet. Mobile apps for accessing files, participating in online meetings, chatting with contacts, and synching email and calendar whilst on the move. Supported on BlackBerry, iOS, and Android devices. 
More details on the benefits of business mobility and how it is achieved with IBM SmartCloud for Social Business can be found in this solution briefing document. IBM SmartCloud Archive Essentials provides an integrated email archiving and retention service. More details about Archive Essentials can be found in this solution briefing document. A range of deployments options from 100% cloud based to hybrid configurations that support integration between existing on premise deployments and selected services in the cloud. Enterprise class security, compliant with SAS 70 Type II, SSAE 16, ISO 27001, and Safe Harbor standards. More details about how IBM delivers cloud security can be found in this whitepaper. Optional support for BlackBerry mobile device synchronization. 25 GB of email storage and 5 GB of document storage as standard, with the option to increase document storage further in 1 GB increments. 99%+ Service Levels. Chapter 1. Introduction to IBM SmartCloud for Social Business 5 Three levels of technical support available. More details of the different levels of support are available on the IBM SmartCloud for Social Business website here. Supported in twenty two different languages. 1.4.2 Package and bundles IBM SmartCloud for Social Business is available in three different packages, each comprised of a different bundle of tools: Engage Advanced provides the full suite of tools required to become a social business along with cloud based email and consists of: – The IBM SmartCloud Engage collaboration suite. – Web Meetings with integrated application sharing and instant messaging. – Email and Calendar, including IBM Notes Traveler for mobile access. – IBM SmartCloud Docs office productivity application suite. – Mobile Application support for accessing web meetings and the Engage collaboration suite. Engage Standard provides a reduced suite of tools focused on collaboration and meetings and consists of: – The IBM SmartCloud Engage collaboration suite. 
– Web Meetings with integrated application sharing and instant messaging. – IBM SmartCloud Docs office productivity application suite. – Mobile Application support for accessing web meetings and the Engage collaboration suite. Connections provides just the basic tools for enabling social business and consists of: – The IBM SmartCloud Engage collaboration suite. – Mobile Application support for accessing web meetings and the Engage collaboration suite. The above packages can also be supplemented with the following optional add-ons to enable them to be tailored to meet specific requirements: IBM SmartCloud Docs office productivity application suite. Web Meeting Audio Conferencing via Voice Over IP (VOIP). IBM Notes Traveler for mobile access to IBM Notes email and calendar. Archive Essentials, to provide a comprehensive email archiving solution for IBM Notes. BlackBerry support, to enable synchronization with BlackBerry mobile devices. Storage Upgrade, available in 1GB increments for document and file storage. The following table summarizes which add-ons are included with or available for which package: 6 Preparing Your Enterprise for IBM SmartCloud for Social Business Alternatively, it is also possible to subscribe to the following IBM SmartCloud for Social Business services on a stand alone basis rather than through any of the packages. The stand-alone services can still be combined with the above optional add-ons for further customization: Web Meetings with integrated application sharing and instant messaging. IBM SmartCloud Notes for email, calendar, and instant messaging with support for access by a full, feature rich, IBM Notes Client and web based emails access as well. IBM SmartCloud Notes also supports integration with an existing on premise IBM Notes environment via a hybrid configuration. IBM iNotes web based email and calendar service. 
More details of the different packages, add-ons and stand-alone services are available on the IBM SmartCloud for Social Business website here.

1.4.3 Onboarding services

IBM also offers the following range of additional services to help manage the transition and migration to the cloud:

– Fresh Start provides self-serve tooling for customers who want to migrate their own data.
– Jump Start provides guided migration and training for customers who would like help planning and configuring their cloud environment.
– Weekend Jam provides a fast track migration option for customers who want to move quickly.
– White Glove provides comprehensive migration planning, setup, and execution.

More details of the Onboarding services are available on the IBM SmartCloud for Social Business website here.

1.4.4 IBM Social Business Toolkit

IBM also provides a free toolkit that enables you to develop your own applications and business processes that integrate with IBM SmartCloud for Social Business and leverage the functionality it provides. It includes its own Application Programming Interface (API) with a supporting API Explorer tool, detailed documentation and sample applications.

The following figure shows how the IBM SmartCloud for Social Business Toolkit can be used to integrate different applications, services and business processes together.

More details about the Toolkit are available on the IBM SmartCloud for Social Business website here.

Chapter 2. IBM SmartCloud for Social Business architecture

It is important to understand the various touch points of IBM SmartCloud for Social Business in the system architecture. The following figure outlines the various architectural components.

SmartCloud for Social Business is provided using the Software-as-a-Service (SaaS) model, which saves the enterprise the expense of added hardware and software on premises.
For clarification, the SaaS model delivers business applications and services together with the underpinnings necessary to run those applications and services. The figure above shows that various teams and individuals within the enterprise and business, including customers and partners, can work together and share information using SmartCloud for Social Business services. It also shows that the various business applications can interact with SmartCloud for Social Business to share data and business rules.

IBM's SmartCloud architecture provides a secure way to work beyond the enterprise firewall. SmartCloud for Social Business prefers that corporate firewalls be configured using host names, not IP addresses.

SmartCloud for Social Business provides robust security features, drawing on IBM’s portfolio of security-rich, business-ready services, together with comprehensive policies on privacy and client data protection. The pillars of the SmartCloud for Social Business security features are:

– Security-rich infrastructure: security is built into the base, ensuring a secure environment from the hardware up through the middleware and into the applications.
– Policy enforcement points provide application security. The ability to customize the user security policy allows the enterprise to apply its own security standards to the environment, which gives it better control of corporate security options.
– Information protection through governance, tools, technology, and personnel is vital to creating a secure environment in SmartCloud for Social Business.

Synchronizing directories is essential so that SaaS providers can be provisioned with enterprise users. SmartCloud for Social Business facilitates essential user lifecycle management by providing for:

– On/off boarding of users.
– Bulk user provisioning and updates.
Users can be provisioned either through the Admin UI within SmartCloud for Social Business, or in bulk using an SFTP transfer and a CSV file.

The SmartCloud for Social Business services support the following key areas:

– Collaboration
  – SmartCloud Engage is a web collaboration and business networking suite of services including online meeting services, file store and share capabilities, instant messaging, and other services.
  – SmartCloud Connections is a collaboration environment that includes services such as profiles, activities, files, and instant messaging.
– Email
  – SmartCloud Notes is a full-featured, security-rich email service designed for business and delivered by IBM. Users can access the service directly over the internet by way of the Notes client, the SmartCloud Notes web browser client, or both.
  – SmartCloud iNotes is an online webmail service featuring the essential email, calendaring, and contact capabilities.
– Web conferencing
  – SmartCloud Meetings is a full-featured online meeting service that has integrated web, voice, and video conferencing features.
  – SmartCloud Events provides an online event management service including registration, promotion, post-event follow-up tools, and more.

This chapter discusses the following topics:

– Overview of the IBM SmartCloud for Social Business architecture
– Network accelerator technology for IBM SmartCloud for Social Business
– Client access methods for IBM SmartCloud for Social Business

2.1 Network Accelerator Technology for IBM SmartCloud for Social Business

2.1.1 Network Accelerator Technology for IBM SmartCloud for Social Business

This section provides an overview of the IBM SmartCloud for Social Business architecture with emphasis on the Akamai Web Accelerator Technology and its approach to enabling businesses and end users to gain a superior software as a service (SaaS) experience.
IBM SmartCloud for Social Business leverages the Akamai acceleration network technology as part of its improved SaaS and web user experience. Acceleration networks achieve this by optimizing the route between the user's workstation and the service.

Network accelerator architecture

The current implementation of the acceleration network technology takes advantage of an acceleration network with more than 75,000 edge servers. The key benefits include more consistent and reliable application performance and routing. The numerous edge servers offer access points closer to the various locations from which users access the services, meaning that they will have a consistent user experience from almost any location. Additionally, this highly available network infrastructure protects systems from single server/service failure while providing a more reliable performance experience.

The following figure shows the Network Accelerator architecture.

The key advantages of using this technology for SmartCloud for Social Business are:

– Overall improvement of the end-user experience
– Fast route determination and caching to speed network data transfer
– Network entry points (points of presence) typically worldwide

Some of the important characteristics which can be gauged from the architecture are:

– Avoiding internet traffic congestion: The direct route between the origin server and the Akamai edge servers might be congested because of internet traffic. By using SureRoute for Performance, this problem can be overcome by identifying alternate routes that are more optimal.
– Optimizing TCP configuration: Akamai is able to optimize TCP connection windows, tune TCP time-outs, and maximize the use of persistent connections to maximize the throughput between the Akamai edge servers and the origin server.
– Caching content: Most static content, such as images, videos, and zip files, can be cached.
By caching these objects on the edge server closer to the end users, Akamai can reduce the number of round trips to retrieve static content from the origin server.
– Pre-fetching content: Akamai provides intelligent pre-fetching so that it can deliver all embedded content in an HTML page to the end user with the fastest response time possible. When the end user's browser requests the embedded content, it is already waiting for the user, in memory, at the nearby edge server, because Akamai has requested the content slightly in advance of the actual browser request.
– Accelerating time to transmit content: Akamai can compress the content on the edge servers using gzip before sending it to the client. This decreases the time it takes to transmit the content. Objects larger than 10 KB can benefit from Last Mile Acceleration.

The following figure illustrates the Point of Presence (PoP). The network entry point is determined at the time of DNS name resolution.

2.2 Client access methods for IBM SmartCloud for Social Business

2.2.1 Client access methods

As the needs of social business and information access expand explosively, access to information and portability are increasingly required. Today, more and more devices are connecting to the network.

The following is a list of client access methods which are able to tap into the full gamut of social business features offered by IBM SmartCloud for Social Business:

– All popular desktop browsers are supported
  – Microsoft Internet Explorer
  – Mozilla Firefox
  – Apple Safari
– Mobile devices and applications
  – Meetings:
    – Apple iPhone and iPad
    – Google Android
    – BlackBerry
  – iNotes: any IMAP capable mobile email application
  – Notes:
    – Apple iPhone and iPad
    – Google Android
    – BlackBerry
    – Windows Mobile
    – Nokia Symbian
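Before moving on to deployment options, the edge-server behaviour that section 2.1.1 describes (caching static objects close to the user, pre-fetching the content an HTML page embeds, gzip compression on the edge, and the 10 KB threshold for Last Mile Acceleration) is modelled below as an added Python example. It is not IBM or Akamai code: the origin paths, content types and object sizes are constructed for the example, and the decision to gate compression on the original object crossing the 10 KB threshold is this example's reading of the text, not a documented Akamai rule.

```python
import gzip
import re

# Constructed origin content: path -> (content type, body). Sizes are chosen so
# that one text object is above the 10 KB threshold and one is below it.
PAGE_HTML = (b"<html><head><script src='/app/main.js'></script>"
             b"<link href='/app/small.css'></head>"
             b"<body><img src='/app/logo.png'></body></html>")
ORIGIN = {
    "/app/page.html": ("text/html", PAGE_HTML),                              # dynamic
    "/app/logo.png": ("image/png", b"\x89PNG" + bytes(range(256)) * 60),     # ~15 KB
    "/app/main.js": ("application/javascript", b"function f(){return 1;}\n" * 600),  # ~14 KB
    "/app/small.css": ("text/css", b"body{margin:0}\n" * 20),               # 300 B
}
CACHEABLE_TYPES = {"image/png", "video/mp4", "application/zip",
                   "application/javascript", "text/css"}
COMPRESSIBLE_TYPES = {"application/javascript", "text/css", "text/html"}
LAST_MILE_THRESHOLD = 10 * 1024   # "objects larger than 10KB" in the text above
EMBED_RE = re.compile(rb"(?:src|href)='([^']+)'")


class EdgeServer:
    """One edge node: keeps static objects in memory, pre-fetches what an HTML
    page embeds, and gzips large text objects on their way to the client."""

    def __init__(self):
        self.cache = {}                # path -> (content type, body)
        self.origin_round_trips = 0    # the cost that caching is meant to cut

    def _from_origin(self, path):
        self.origin_round_trips += 1
        return ORIGIN[path]

    def _lookup(self, path):
        if path in self.cache:
            return self.cache[path]
        ctype, body = self._from_origin(path)
        if ctype in CACHEABLE_TYPES:   # HTML is treated as dynamic and never stored
            self.cache[path] = (ctype, body)
        return ctype, body

    def prefetch(self, html):
        """Fetch every embedded object slightly ahead of the browser's requests."""
        for ref in EMBED_RE.findall(html):
            self._lookup(ref.decode())

    def serve(self, path, accept_gzip=True):
        """Return (content type, body, content encoding, last_mile_accelerated)."""
        ctype, body = self._lookup(path)
        if ctype == "text/html":
            self.prefetch(body)
        # Assumption for this example: only compressible objects above the 10 KB
        # threshold are gzipped on the edge; the rest travel unchanged.
        accelerated = (accept_gzip and ctype in COMPRESSIBLE_TYPES
                       and len(body) > LAST_MILE_THRESHOLD)
        if accelerated:
            return ctype, gzip.compress(body), "gzip", True
        return ctype, body, "identity", False


if __name__ == "__main__":
    edge = EdgeServer()
    edge.serve("/app/page.html")          # one origin trip for the page, three prefetches
    edge.serve("/app/main.js")            # already in edge memory
    print("origin round trips:", edge.origin_round_trips)
```

Serving the HTML page costs four origin round trips (the page itself plus the three objects the edge pre-fetched); every later request for the static objects is answered from edge memory, while the HTML, being dynamic, goes back to the origin each time. The 14 KB script is gzipped because it is compressible text above the threshold; the 300 B stylesheet and the PNG are not.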
Chapter 3. Deployment options

3.1 Cloud deployment options

As well as the different cloud computing models (IaaS, PaaS and SaaS, as described in section 1.0), there are also three different cloud deployment options to consider:

– A public cloud deployment model.
– A private cloud deployment model.
– A hybrid cloud deployment model.

All of the different cloud computing models (IaaS, PaaS and SaaS) are available in all three of these deployment models. For example, it is possible to have an IaaS public cloud, an IaaS private cloud, a PaaS private cloud, and so on. The following sections describe each of the cloud deployment options in more detail and how IBM SmartCloud for Social Business relates to them.

3.1.1 The public cloud deployment model

The public cloud model is the one most commonly associated with “cloud computing” and is based on the premise of the entire computing infrastructure being provided by the cloud over the public internet. In this model, the underlying cloud infrastructure is shared by the cloud vendor between multiple clients, using a multi-tenanted approach.

It is important to note that the data hosted in a public cloud is not publicly accessible, as access to the data is controlled through user authentication. Nor can users of one company hosted in the public cloud view any information about users of another company within that public cloud. The public part of the name refers to the location of the cloud infrastructure itself, which is accessed through the public internet rather than being hosted behind an organization’s firewalls on a private network.
Advantages of the public cloud deployment model

Some of the main advantages of using a public cloud deployment model are as follows:

– Cost effective: The use of shared infrastructure enables the cloud vendor to achieve greater economies of scale, which should translate to cheaper prices.
– Scalability: As they are hosted on shared infrastructure, it is quick and easy to both increase and decrease the amount of resources you are using, to fit changing requirements.
– No up-front costs: As the entire IT infrastructure is provided by the cloud vendor, you do not need to make any up-front capital investment in hardware or software.
– Flexible charging: Most public cloud vendors allow utility style charging that enables you to pay for just the services you are using, often on hourly, daily, weekly or monthly charging intervals. This is often referred to as “pay as you go”.

Use cases of the public cloud deployment model

The characteristics of the public cloud deployment model make it a good fit for the following types of use cases:

– Computing at the best possible price point: If price is the single most important factor, then a public cloud is always going to be cheaper than the alternatives. So if you want to do cloud on a budget, go with a public cloud.
– Variable workloads: Due to the ease with which the environment can be scaled up and down, public clouds are ideal for environments with frequently changing capacity requirements.
– Test and development: The low cost and speed of deployment make public cloud ideal for hosting test and development infrastructures.

3.1.2 The private (dedicated) cloud deployment model

The private cloud deployment model uses many of the principles of the public cloud, but the cloud hosting infrastructure is owned and managed by the organization rather than the cloud vendor.
This enables much greater control of the cloud infrastructure, including network access, which is behind the organization’s network firewalls. This means the environment is no longer accessed over public networks or exposed externally, and the physical location of the hosting infrastructure is within a data center owned by the organization. This enables improved security, retained data ownership and control over physical data placement, all of which can be important for highly sensitive data and regulatory compliance.

Advantages of the private cloud deployment model

The main advantages of using a private cloud deployment model are as follows:

– It is cloud computing, but with greater control and security. It delivers many of the benefits of a public cloud, but without the associated security and data ownership concerns. These benefits can still include cost because, although a private cloud is normally more expensive than a public cloud, it should still be cheaper than using a traditional IT deployment model.
– Less public network dependency. As the private cloud infrastructure is located on the internal network, the majority of the access to it will be via the internal network as well. This can have network latency and resilience advantages.

Use cases of the private cloud deployment model

The characteristics of the private cloud deployment model make it a good fit for the following types of use cases:

– Environments that have strict security, data privacy or compliance requirements, especially those with specific government or regulatory needs.
– Whenever ownership or placement of data is a concern. In a private cloud model, the data remains inside the organization.
– Specific high availability (HA) and disaster recovery (DR) requirements.
As in a private cloud model you are responsible for designing and building the underlying hosting infrastructure, you can do so in a way that meets any specific HA / DR requirements you have that are not available from a public cloud vendor.

3.1.3 The hybrid cloud deployment model

The hybrid cloud deployment model uses a combination of both public and private clouds to construct a blended cloud infrastructure that realizes the benefits of both. This means that the organization has some of its IT infrastructure in house (on a private cloud) and some of it externally (on a public cloud). To be a fully hybrid cloud, there also needs to be some kind of connection or data flow between the private and public elements of it. Otherwise it is actually just two discrete cloud infrastructures, one private and the other public. A true hybrid cloud therefore combines the public and private components together in a holistic way. Typically, though, the difference between the public and private parts of the cloud is transparent to the end users.

Advantages of the hybrid cloud deployment model

The advantage of using a hybrid cloud deployment model is that it combines all of the benefits of both the public and private cloud deployment models. It therefore enables an organization to leverage the best of what both can offer.

Use cases of the hybrid cloud deployment model

The characteristics of the hybrid cloud deployment model make it a good fit for the following types of use cases:

– Any organization that has a mix of business critical and sensitive data (which can be hosted using a private cloud) and non-business-critical, non-sensitive data (which can be hosted using a public cloud).
– Any organization that has a requirement for on-site IT infrastructure (that is, a private cloud) but can also utilize remotely hosted IT infrastructure (that is, a public cloud).
3.2 IBM SmartCloud for Social Business deployment models

IBM SmartCloud for Social Business can be implemented in a public cloud deployment model, referred to as Service Only, or in a hybrid deployment model. Both are described in more detail in the following sections.

3.2.1 IBM SmartCloud for Social Business Service Only

In an IBM SmartCloud Service Only deployment, the entire infrastructure is hosted in the SmartCloud environment, which means there is no integration with any infrastructure on an organization’s internal (private) network. This makes it very quick and easy to deploy, and is ideal for organizations that do not have any existing “on premises” infrastructure that they need to integrate with.

IBM SmartCloud Notes Service Only deployment

When IBM SmartCloud Notes is deployed in a Service Only configuration, a brand new email environment is created. This means that users will receive a new email account and associated ID, and there is no migration of data from any legacy email infrastructure. They do, however, retain their existing internet email address, so that they can continue to receive email to their new SmartCloud Notes based account using the same internet email address as they previously had.

A Service Only deployment of IBM SmartCloud Notes still allows for full “rich client” connectivity from the organization’s private network, such as an IBM Notes client running on an end user’s workstation. Alternatively, lightweight access is also available through web browsers, located either internally or externally to the organization’s private network, or through a mobile device using IBM Notes Traveler.
The following figure shows a typical IBM SmartCloud Notes Service Only deployment:

Some of the advantages of the Service Only deployment model for IBM SmartCloud Notes include:

– Very short deployment times; it is possible to have a brand new IBM SmartCloud Notes environment created and available for use in a matter of minutes.
– Little or no IBM Notes and Domino administration skills are required, as the SmartCloud Notes infrastructure is largely administered on your behalf.
– No on-premises server infrastructure is required.

3.2.2 IBM SmartCloud for Social Business Hybrid

In an IBM SmartCloud Hybrid deployment, the public cloud hosted services are configured to connect to services hosted in an organization’s internal (private) network. These internally hosted services could be hosted on a private cloud, or on a traditional on-premises hosting infrastructure located on an organization’s internal (private) network. The key point is that in a hybrid configuration, IBM SmartCloud for Social Business can integrate and communicate directly with services hosted anywhere ‘on premises’ in an organization’s private network zone.

Examples of how a Hybrid deployment of SmartCloud for Social Business can be used include:

– Integrating existing on-premises IBM Notes and Domino applications with IBM SmartCloud Notes email.
– Using an on-premises POP3 or IMAP email client to access IBM SmartCloud based email.
– Using an IBM Sametime rich client on an on-premises desktop with the IBM SmartCloud Sametime service.
– Integrating other on-premises enterprise applications with IBM SmartCloud services using the IBM SmartCloud for Social Business toolkit.
– Corporate directory and single sign-on synchronization with the IBM SmartCloud, to enable users to utilize their existing corporate login credentials to access SmartCloud based services.
IBM SmartCloud Notes Hybrid deployment

When IBM SmartCloud Notes is deployed in a hybrid configuration, it is configured to integrate with an organization’s existing (on-premises) IBM Notes and Domino environment. The IBM SmartCloud and on-premises components are configured as one seamless IBM Notes and Domino environment, including full IBM Domino Directory synchronization. This deployment model is ideal for organizations that already have a mature IBM Notes and Domino environment, as it enables certain components of it to be migrated to the IBM SmartCloud while retaining any critical or difficult to migrate components on premises.

The following figure shows a basic IBM SmartCloud Notes hybrid deployment:

One of the main advantages of a hybrid deployment is that it allows an organization to realize the benefits of an IBM Notes and Domino cloud based service without having to migrate their entire IBM Notes and Domino environment to do so. So, for example, the email component could be moved to the cloud, but the application component (which is typically harder to migrate) could be retained, or migrated at a later date.

A hybrid deployment of IBM SmartCloud Notes also has additional advantages over the Service Only deployment model for organizations that have an existing IBM Notes and Domino infrastructure:

– IBM SmartCloud Notes (in a hybrid configuration) can be a cheaper and easier solution for either expanding the capacity of the existing IBM Notes and Domino environment or for server consolidation.
– Data can be migrated from the existing on-premises components to the new IBM SmartCloud components.
– The IBM Notes and Domino Certifier and cross certificate configuration is retained.
– Users retain their existing IBM Notes IDs and identities.
– Existing IBM Notes and Domino applications can be retained on premises and integrated with IBM SmartCloud Notes.
– More advanced administration, configuration and customization of the IBM Notes and Domino service is supported.

The hybrid deployment model for IBM SmartCloud Notes also supports high availability configurations for Lotus Notes and Domino environments that require it. However, it should be noted that the IBM SmartCloud Notes hosted components are already highly available at the hosting layer, due to the underlying infrastructure of the IBM SmartCloud. The high availability configuration of the hybrid deployment model relates to eliminating single points of failure in the on-premises components that provide integration with the IBM SmartCloud Notes service.

The following figure shows a high availability hybrid deployment of IBM SmartCloud Notes:

More information about IBM SmartCloud Notes can be found on the IBM SmartCloud for Social Business website and in this whitepaper.

Chapter 4. Privacy, security, and governance

Cloud technology increases its status as a critical and essential commodity year after year. Consumers and enterprises around the globe are adopting the cloud to beat competitors by providing a highly scalable, dynamic, easy to manage, and yet secure infrastructure. The adoption of cloud can only increase manifold when understanding of, and trust in, the cloud expand.

After moving to the cloud, organizations have no direct control over their assets in the cloud; the data and operations are handed over to the cloud provider. Hence, organizations want to understand how their data is stored and protected, how it will be shielded from security threats, and how security is implemented and managed. With this understanding, organizations can establish a better trust relationship with the cloud service provider.
The security of the IBM cloud solution is based on the IBM security framework. IBM takes a holistic view of security and provides a risk-based approach to security for all its offerings.

In this chapter, we describe how IBM, based on the IBM security framework, addresses security for its cloud offering, IBM SmartCloud for Social Business.

Security governance, risk and compliance

Governance, risk, and compliance are among the major concerns cited by organizations when it comes to security in the cloud. Because the control lies with the provider, the governance for security lies with the provider as well. Organizations are concerned about how the compliance requirements are met and how the risks are managed. IBM SmartCloud® for Social Business addresses all these concerns in all its offerings.

IBM, as a provider, understands the needs of the organization. IBM Online Collaboration Services has a dedicated security organization, which understands and evaluates the organization’s requirements and designs the security architecture and compliance management technologies. To assist transparency, IBM aligns its approach to recognized industry standards such as FISMA, FIPS, and so on. IBM regularly submits its policies, standards, and processes to both internal audits and external certifications. IBM also has a comprehensive Service Organization Controls (SOC) reporting program.

IBM SmartCloud® for Social Business offerings are covered by numerous security assurance activities throughout the entire lifecycle. IBM performs quarterly security reviews of all the systems and infrastructure. Rational AppScan testing checks for common web exposures such as cross-site scripting, cross-site request forgery, and SQL injection. Manual ethical hacking supplements the expertise in the AppScan tool set and targets the unique application and infrastructure configuration.
IBM compliance programs mandate periodic self-assessments and production scanning and reporting of compliance posture. Privacy reviews help to ensure customer data protection. IBM’s comprehensive policies on privacy and client data protection can be found at: http://www.ibm.com/privacy/us/en/.

4.1 People and identity

Organizations must make sure that authorized users in their enterprise and supply chain have access to the data, tools, and applications that they need, whenever they need them. At the same time, they must ensure that unauthorized access is blocked. This can be achieved by adopting a least privilege model and strong federated identity management.

IBM SmartCloud® for Social Business ensures that users’ access privileges are appropriate and that secure access mechanisms are in place by following the user governance model. Users can be added only by an administrator. When creating a user, a role is specified which controls what the user needs to know and access. Passwords also follow basic guidelines regarding length, characters, and so on, and a requirement to change the password at first login can be specified. Users can click Forgot password? to have their password reset. This link resets the organization password, but does not necessarily reset the mail password.

Existing users can be managed regularly by the administrator through the user interface (UI), as shown in the figure below. The administrator can resend invitations, reset passwords, delete users, and so on. Administrators and Administrator assistants can reset passwords by clicking the arrow next to a user listed in User Accounts and selecting Reset Password. Administrator assistants can reset the login password for a user but cannot reset IBM® Lotus Notes® passwords. Administrators can reset both the login passwords and the IBM Notes passwords.
The following figure shows the UI window for managing existing users.

Administrators can enable security settings to enforce password expiration through System Settings → Security. When a user logs in with an expired password, they are prompted to reset that password. The following figure shows the security settings for passwords window.

Federated identity management

Federated identity management is an important aspect of cloud security. It should be deployed to securely exchange identity information when bridging cloud environments. It ensures that a system of identity confidence is implemented to prevent identity spoofing.

Federated identity management is handled by a single sign-on (SSO) service that is available for all cloud-based services in IBM SmartCloud for Social Business. If you enable federated identity management, users who are logged on to your system can use the cloud-based services without having to log on again. The IBM SmartCloud for Social Business products rely on SAML to provide the SSO services. In this implementation, your organization is the identity provider, and IBM SmartCloud® for Social Business is the service provider. You can use either SAML 1.1 or SAML 2.0.

Before your organization decides to implement a federated identity management system, you need to understand the various flow models that exist and the different types of federated identity management.

Models of federated identity management

Two flow models exist in federated identity management:

– Identity provider initiated model (IdP-initiated)
– Service provider initiated model (SP-initiated)

Normally, the SP-initiated flow model is not available in SAML 1.1 because SAML 1.1 does not support the Identity Provider Discovery Profile. However, IBM SmartCloud for Social Business uses a hybrid version of the SP-initiated flow that allows both SAML 1.1 and SAML 2.0.
As a result, the Identity Provider Discovery Profile is not required by IBM SmartCloud for Social Business, and is not implemented.

IBM SmartCloud® for Social Business implements the Browser/POST profile that is used in SAML 1.1 and is compatible with the Web Browser SSO profile in SAML 2.0. Other profiles are not supported at this time. The following outlines describe these two flows:

IdP-initiated

1. The user gains access to your intranet through your organization's authentication mechanism.
2. The user navigates to a web page on your intranet that contains a link to an IBM SmartCloud for Social Business product such as Engage or IBM Connections.
3. The user clicks the link.
4. The SSO process is initiated. A SAML assertion is sent to the IBM SmartCloud for Social Business endpoint through HTTP POST. If the user has a valid account, access is granted.
5. The user interacts with IBM SmartCloud for Social Business.

SP-initiated hybrid

1. The user navigates to the IBM SmartCloud for Social Business login page.
2. The user clicks Use My Organization’s Login.
3. The user enters the email address that is associated with the user’s account.
4. IBM SmartCloud for Social Business looks up the email address and then redirects the user to your organization’s authentication mechanism.
5. The flow continues from Step 4 of the IdP-initiated model.

Types of federated identity management

In IBM SmartCloud for Social Business, four types of federated identity management are available:

– Non-federated
– Federated
– Modified
– Partial

By default, all users in your organization are assigned the Non-federated type unless you enable one of the other types.

Non-federated

The login for SmartCloud for Social Business is independent of, and separate from, your organization’s login procedure. Users must log on to IBM SmartCloud for Social Business to use the cloud-based services.
The Non-federated type is the default type, and is the simplest and easiest type to set up because it requires no action on your part.

Federated

Users must authenticate with your organization before they can access the cloud-based services. Users do not have a user name or password on IBM SmartCloud for Social Business. If they go to the IBM SmartCloud for Social Business login page, they must click Use My Organization's Login. The Federated type applies to all users in your organization.

The Federated type is convenient for users who normally work from the office. They can log on to your system and use IBM SmartCloud for Social Business without needing a separate user name and password combination. However, if any of your users work from home or work while traveling, your directory servers must be accessible from the Internet. Also, because your users do not have a separate login for IBM SmartCloud for Social Business, services such as chat and POP/IMAP are not available. If you choose the Federated type, you must implement the SP-initiated flow model.

Modified

Users have the option of authenticating with your organization before accessing the cloud-based services, or of using their SmartCloud for Social Business user name and password to log on to SmartCloud for Social Business. The Modified type applies to all users in your organization.

The Modified type allows your users to access IBM SmartCloud for Social Business from the Internet, but you do not need to make your directory servers accessible from the Internet. Your users can use the single sign-on services when they are in the office, and the IBM SmartCloud for Social Business login when they are outside the office.

Partial

Each user in your organization is assigned one of the previously listed types: Non-federated, Federated, or Modified. If you do not specify a type for a particular user, the user is assigned the Non-federated type.
Use the Partial type if you have one group of users who normally work in the office and another group of users who normally work from home or who travel frequently. For example, the office workers can be assigned the Federated type, and the traveling sales team can be assigned the Modified type.

You can also use the Partial type to group users by the services that are available to them. Users with the Federated type do not have access to chat or POP/IMAP, but users with the Modified type do have access to chat and POP/IMAP. If you choose the Partial type, you must implement the SP-initiated flow model to support users with the Federated type.

After one of the federation types is implemented, you can change to one of the other types by contacting your customer services representative. The customer services representative will advise you on the process. If you are using the Partial type, you can change individual users from one type to another without the need to contact your customer services representative.

Having understood the flows and the various types of federated identity management, assess your organization's needs and contact an IBM services representative to help you prepare for and enable a federated identity management system.

4.1.1 Data

Most organizations cite data as the most important security concern when it comes to cloud. The concerns revolve around data storage, access control, compliance and audit requirements, the business issues around data theft, notification requirements, and the damage to brand value. IBM SmartCloud® for Social Business helps deal with all these concerns. There are several data centers across the globe, and their number is expanding year after year. With security a top priority for most organizations today, IBM designed the IBM SmartCloud® for Social Business offerings for enterprise-grade operations.
IBM SmartCloud® for Social Business does not mine your content and data or leverage your user interface to deliver online advertisements. You can download or remove content, data, and files from the service. As our customer, you should be comfortable knowing where your data is stored. Our service does not fragment customer data across locations, and we tell you in which of our data centers your content is stored. The data can be stored in any of the data centers, based on the organization's proximity to the data center. Data storage for each offering on IBM SmartCloud® for Social Business is defined at the subscription level. See the figure below.

Multitenancy refers to a software architecture where a single instance of the software runs on a server, serving multiple client organizations (tenants). Multitenancy contrasts with multi-instance architectures, where separate software instances (or hardware systems) operate on behalf of different client organizations. With a multitenant architecture, a software application is designed to virtually partition its data and configuration, and each client organization works with a customized virtual application. The multi-tenant architecture can be achieved with SmartCloud for Social Business through policies.

By default, members of your organization are not listed in the Organization Directory. This means that those users are not visible to members of other organizations. Administrators can have all users publicly listed in the directory, have only specific users listed publicly, or allow each user to decide whether they want to be publicly listed. If you are not visible in the directory, then you are not listed when users outside your organization search for you. If you are listed in the directory, then users external to your organization can find you and add you to their network.
There are three privacy settings:
- User Choice: Allows your users to decide whether they are listed in the directory. Listing them makes them searchable by users outside of your organization.
- All Private: Selected by default. All Private prevents your users from being found by users external to your organization.
- All Private with Exceptions: Control which users are listed in the directory. Only those users you list in Exceptions are visible to users external to your organization. Any user not listed in Exceptions is considered a private user and will not be visible in the directory.

When you select the All Private with Exceptions option, a list of exceptions is created. This list contains the names of the users you select to make public when you add their names in Exceptions. This field does not represent the current list of exceptions; it represents only the users you are adding to the already existing list of exceptions. To see the list of users who are already exceptions, click View all exceptions.

To overwrite the users who are already listed as exceptions, select Only allow the users currently listed in Exceptions to be displayed in the directory. Any users previously selected as exceptions are removed from the directory. Then add any user you intend to be a public user in Exceptions. This list replaces any current list of exceptions.

Data encryption and the management of the encryption keys are of vital importance, irrespective of whether the data is at rest or in transit. IBM SmartCloud for Social Business provides encryption capabilities for each of the offerings. For instance, SmartCloud Notes supports both Notes and S/MIME signatures. SmartCloud Notes can be accessed through various clients: desktop, web browser, and mobile devices. The email is encrypted irrespective of which Notes client is being used. All SMTP and NRPC email is scanned for viruses and spam.
Additionally, the Notes client has a strong built-in mechanism known as the Execution Control List (ECL), which controls active content in email. If mail is accessed through the web browser, cache control policies ensure that no email information is left behind in the browser cache.

Data retention is also a critical aspect when it comes to cloud. IBM SmartCloud Archive Essentials is a cloud-based solution for archiving, compliance, and e-discovery that is integrated with IBM SmartCloud Notes services. It provides a security-rich environment where the data can be stored and accessed for quick and easy insight, and all access is recorded and accessible through detailed audit reports.

Data auditing is an essential requirement in the cloud. SmartCloud for Social Business provides a mechanism to share files outside of your organization. It also allows you to invite guests to view and download your files, attend meetings, and so on. It is therefore important to monitor user activity, both within the organization and outside the organization.

The administrator can monitor user activity in the organization by using the Journaling feature. The journal is a record of the user activity on your company account. It includes date, time, and user information about events such as logon attempts, password changes, and start times of online meetings. Approximately every 24 hours, the journal service produces several journal files, one for each component of IBM SmartCloud for Social Business. Each file is compressed using gzip and then made available through FTPS on the IBM SmartCloud® for Social Business integration and migration site. After seven days on the site, the files are removed. Each compressed file contains a plain text file that is in a highly readable format. The format is consistent and regular so that the text files can be programmatically parsed.
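Because the journal files are gzip-compressed plain text meant to be parsed programmatically, and because they are removed from the site after seven days, a practitioner will want a small parser and a couple of detections to run on each day's download. The following added example is not IBM's code and does not use the real journal layout: the line format "<date> <time> <user> <event> [detail]" and the sample lines are constructed for illustration. It decompresses a journal, parses it into records, and flags two patterns the journal's own event types make visible: bursts of failed logons and a password change shortly after failed logons.

```python
import gzip
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed journal content. The line layout ("<date> <time> <user> <event> [detail]") is an
# assumption for this example; the real journal format is described in IBM's documentation.
SAMPLE_JOURNAL = """\
2014-03-10 08:01:12 alice@example.invalid LOGIN_FAILED ip=203.0.113.7
2014-03-10 08:01:40 alice@example.invalid LOGIN_FAILED ip=203.0.113.7
2014-03-10 08:02:05 alice@example.invalid LOGIN_FAILED ip=203.0.113.7
2014-03-10 08:02:30 alice@example.invalid LOGIN_OK ip=203.0.113.7
2014-03-10 08:03:00 alice@example.invalid PASSWORD_CHANGED
2014-03-10 09:15:00 bob@example.invalid LOGIN_OK ip=198.51.100.4
2014-03-10 09:20:00 bob@example.invalid MEETING_STARTED id=m42
"""


def gzip_text(text):
    """Compress text the way the service publishes journal files (gzip)."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        gz.write(text.encode("utf-8"))
    return buf.getvalue()


def parse_journal(gz_bytes):
    """Return a list of (timestamp, user, event, detail) tuples from one gzip journal file."""
    records = []
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes), mode="rb") as gz:
        for raw in gz:
            line = raw.decode("utf-8").strip()
            parts = line.split(" ", 3)
            if len(parts) < 3:
                continue  # blank or malformed line; skip rather than abort the whole file
            date, time_, user = parts[:3]
            rest = parts[3] if len(parts) > 3 else ""
            event, _, detail = rest.partition(" ")
            ts = datetime.strptime(date + " " + time_, "%Y-%m-%d %H:%M:%S")
            records.append((ts, user, event, detail))
    return records


def find_failed_logon_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` LOGIN_FAILED events inside any `window`.
    Returns {user: largest count seen in one window}."""
    failures = defaultdict(list)
    for ts, user, event, _ in records:
        if event == "LOGIN_FAILED":
            failures[user].append(ts)
    flagged = {}
    for user, times in failures.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):           # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def find_password_changes_after_failures(records, window=timedelta(minutes=10)):
    """PASSWORD_CHANGED events that follow a LOGIN_FAILED for the same user within `window`,
    a sequence worth a second look when reviewing the journal."""
    last_failure, hits = {}, []
    for ts, user, event, _ in records:
        if event == "LOGIN_FAILED":
            last_failure[user] = ts
        elif event == "PASSWORD_CHANGED" and user in last_failure \
                and ts - last_failure[user] <= window:
            hits.append((user, ts))
    return hits


if __name__ == "__main__":
    recs = parse_journal(gzip_text(SAMPLE_JOURNAL))
    print(find_failed_logon_bursts(recs))
    print(find_password_changes_after_failures(recs))
```

In practice the download from the integration and migration site would replace the constructed bytes, and the two detections would run over every component's file, since a logon burst against the mail component and a password change in the administration component only line up when the files are read together.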
Apart from the detailed journal files for each component of IBM SmartCloud for Social Business, the administrator can generate and view reports of the files that have been downloaded by users outside the organization within a specific period of time by using the File Download History option. The user and the administrator can also generate reports for meetings.

4.1.2 IBM SmartCloud Collaboration for Government

Like other organizations, government agencies are under constant pressure to improve the delivery of their services and simultaneously drive down costs. Additionally, a government agency has to meet government-grade security and regulatory compliance requirements. IBM provides a dedicated cloud for government agencies that is best suited to their collaboration and security needs. It is based on the subscription model, thus allowing instant scalability at any point in time. IBM SmartCloud Social Collaboration for Government is compliant with Federal Information Security Management Act (FISMA) guidelines, is hosted in the IBM Federal Data Center, and is available to all United States government entities at the federal level.

4.2 Applications

Application development in the cloud is similar to its on-premise counterpart. However, design aspects, especially the security methodology, must be taken care of when it comes to cloud. The cloud service is accessible through APIs. These APIs must be secured by adopting OAuth, the open standard for authorization. As soon as the user accesses the application, the user is redirected to the login page. The user must enter the user name and password. Upon successful login, the user is provided with a token. The token is then used to call the API. The token has a validity period; hence, access is valid until the token expires.
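The login-then-token sequence just described, as an added illustration that is not the IBM SmartCloud API and not the project's code: a hypothetical TokenService hands out an opaque bearer token after a successful login, an API gate checks the Authorization header on every call, and access stops when the validity period ends or the token is revoked. The clock is injectable only so that expiry can be exercised deterministically.

```python
import hashlib
import secrets
import time


class TokenService:
    """Hypothetical illustration of the flow in section 4.2: a login that hands out a bearer
    token with a validity period, and an API gate that checks it. Not the IBM SmartCloud API."""

    def __init__(self, lifetime_seconds=3600, clock=time.time):
        self.lifetime = lifetime_seconds
        self.clock = clock  # injectable so expiry can be tested deterministically
        self._sessions = {}  # sha256(token) -> (user, expires_at); raw tokens are never stored

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def login(self, user, password, verify_password):
        """Return a fresh token on successful login, otherwise None."""
        if not verify_password(user, password):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of randomness; not guessable or sequential
        self._sessions[self._key(token)] = (user, self.clock() + self.lifetime)
        return token

    def authorize(self, authorization_header):
        """Check an 'Authorization: Bearer <token>' header on an API call.
        Returns the user, or None when the token is missing, unknown or expired."""
        if not authorization_header or not authorization_header.startswith("Bearer "):
            return None
        key = self._key(authorization_header[len("Bearer "):].strip())
        session = self._sessions.get(key)
        if session is None:
            return None
        user, expires_at = session
        if self.clock() >= expires_at:
            self._sessions.pop(key, None)  # expired tokens are dropped, never silently renewed
            return None
        return user

    def revoke(self, token):
        """Logout: the token stops working before its validity period ends."""
        self._sessions.pop(self._key(token), None)


if __name__ == "__main__":
    svc = TokenService(lifetime_seconds=60)
    tok = svc.login("alice", "pw", lambda u, p: p == "pw")  # constructed credential check
    print(svc.authorize("Bearer " + tok))
```

Storing only a hash of each token means a leaked session table does not hand out usable bearer tokens, and the lookup by hash keeps validation constant-cost without comparing secrets character by character.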
The administrator has controlled access to enable third-party application access for users.

Additionally, IBM leverages Rational AppScan to perform testing checks for common web exposures such as cross-site scripting, cross-site request forgery, and SQL injection. Manual ethical hacking supplements the expertise in the AppScan tool set and targets the unique application and infrastructure configuration. The system development lifecycle includes code reviews, code control, and accountability. Processes are in place that ensure application and infrastructure reviews at the corporate level.

All the components of IBM SmartCloud® for Social Business have application-level access. Safe defaults within each component ensure user security awareness without intrusiveness. For example, the Upload Files window has access disabled by default in the "Share with" field. See the figure below.

Chapter 5. Networks and firewall

IBM SmartCloud for Social Business has a highly secure infrastructure in place to provide cloud resiliency and data security. It gives customers confidence that information, whether active or in a dormant state, is adequately protected.

In an IBM SmartCloud for Social Business environment, network security is provided by high-performance, state-of-the-art firewalls. The firewalls are designed in a multi-level topology to provide enhanced network protection. Authentication is done at the yellow zone layer. When authentication completes successfully at the yellow zone layer, access is allowed to enter the Green Zone. The following figure shows the secure architecture implemented at each layer:
The firewall restricts access between systems that have a direct external connection and those that contain confidential data or configuration data. The firewall applies specific restrictions to traffic between specified filter ports and addresses. The firewall does not allow direct access from external interfaces into the restricted network zones. All inbound and outbound traffic is allowed only through specified ports and services. For details, refer to Cheat Sheet for Firewall settings.

As an IBM SmartCloud for Social Business administrator, you provide user security by having user credentials and federated identity. However, it is possible that user credentials might be stolen or phished. To address this concern, as an administrator, you can provide an additional layer of access security by restricting IP addresses. In this case, an attacker would need to authenticate to IBM SmartCloud for Social Business from within your network, even with stolen user credentials.

To specify an IP address or a range of IP addresses, as an administrator user, perform the following steps:
1. Click Admin → Manage Organization.
2. Go to System Settings → Security.
3. Specify the IP address ranges in the section highlighted in the following figure.

This mechanism protects your organization against others stealing user credentials. However, this method has some restrictions:
- Users access IBM SmartCloud for Social Business from a mobile device: For example, BlackBerry users must authenticate through a BlackBerry Enterprise Server (BES), which authenticates both the mobile device and the user. Because the IP address for the authenticated user is that of the BES server, IP address restrictions can block IBM SmartCloud for Social Business access, depending on the range specified. You can, however, use VPN tools on the mobile device to route traffic through the company network, in which case IP address restrictions remain valid.
- SMTP, POP, and IMAP protocols are not supported for IP address restrictions: If your company uses these protocols when accessing IBM SmartCloud for Social Business, IP address restrictions will not be applied.
- IBM SmartCloud for Social Business provides a multi-tenant service: Most of the services use the network accelerator technology to cater to the needs of thousands of users distributed all over the world. The network accelerator relies on dynamic IPs, in which case applying IP address restrictions is not recommended. Hence, if network accelerator technology is used, IBM SmartCloud for Social Business recommends that the corporate firewalls use DNS names.

Apart from providing a multi-layer defense approach, IBM also provides real-time antivirus support and on-demand scanning capabilities for the SmartCloud for Social Business environment. IBM uses a robust commercial antivirus product that is deployed not only on the system servers but also within the application to provide immediate real-time scanning of file storage and sharing.

Vulnerability scanning is performed on the network and servers, and there are regular independent application and infrastructure reviews. IBM performs regular testing checks using IBM Rational AppScan for common web exposures such as cross-site scripting (XSS), cross-site request forgery (CSRF), and SQL injection.

IBM also has a dedicated security organization working across all the IBM SmartCloud for Social Business services that provides security management activities surrounding the network, infrastructure, applications, and supporting services. It also has responsibilities within the system development lifecycle, which include application and service product security requirements development, code security, security feature development, and security testing activities.
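The IP address restriction described earlier in this chapter is a policy an administrator should be able to reason about before switching it on: which ranges are allowed, which protocols it does not cover, and which of the organization's egress points (office NAT, VPN pool, a BES server that presents its own address for every mobile user) would fall outside the ranges. The following added example models that evaluation; it is not IBM's implementation, and the ranges, protocol names and egress points are constructed. The allowlist parser accepts CIDR prefixes, single addresses and "first-last" ranges, which goes beyond the single format the settings page shows.

```python
import ipaddress

# Protocols the chapter lists as not subject to IP address restrictions.
EXEMPT_PROTOCOLS = {"smtp", "pop", "imap"}


def parse_allowlist(entries):
    """Turn administrator-entered ranges into ip_network objects.
    Accepts CIDR ('198.51.100.0/24'), a single address, or a 'first-last' range."""
    networks = []
    for entry in entries:
        entry = entry.strip()
        if "-" in entry:
            first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            networks.extend(ipaddress.summarize_address_range(first, last))
        else:
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def access_allowed(client_ip, protocol, allowlist):
    """Decide a login attempt from client_ip over protocol. Returns (allowed, reason).
    Mirrors the documented behaviour: SMTP/POP/IMAP bypass the restriction entirely."""
    if protocol.lower() in EXEMPT_PROTOCOLS:
        return True, "protocol not covered by IP restrictions; only credential controls apply"
    if not allowlist:
        return True, "no IP restrictions configured"
    address = ipaddress.ip_address(client_ip)
    for network in allowlist:
        if address in network:
            return True, "source in allowed range %s" % network
    return False, "source %s outside allowed ranges" % address


def uncovered_sources(allowlist, named_sources):
    """Pre-deployment check: which known egress points would be locked out.
    named_sources maps a label (office NAT, VPN pool, BES server) to the address the
    service would actually see for users behind it."""
    return [name for name, ip in named_sources.items()
            if not any(ipaddress.ip_address(ip) in network for network in allowlist)]


if __name__ == "__main__":
    # Constructed configuration and egress points (documentation-reserved address blocks).
    allow = parse_allowlist(["198.51.100.0/24", "203.0.113.10-203.0.113.20"])
    egress = {"office NAT": "198.51.100.1", "VPN pool": "203.0.113.12", "BES server": "192.0.2.5"}
    print(access_allowed("198.51.100.77", "https", allow))
    print(access_allowed("203.0.113.21", "IMAP", allow))
    print(uncovered_sources(allow, egress))
```

Running the coverage check before enabling the setting turns the BES caveat from a surprise outage into a known item: either the BES server's address goes into the allowlist or the mobile traffic is routed through the corporate VPN, as the chapter suggests.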
Specific security design reviews are conducted by the cross-IBM SmartCloud for Social Business security organization. All code updates undergo a strict lifecycle from the design to the deployment phase. All code is subjected to extensive peer review and is approved by a development architect before being merged into the code base. Each update is associated with an escalated problem report or an approved work item. All code updates are tested and verified.

Code updates are rolled up into a full system build in preparation for deployment. After internal system verification testing, the development team stages the build for handoff to operations staff on a designated server. Operations staff do not have access to source code, but they do have the ability to deploy the system to staging and testing for another round of system verification testing. The system update is deployed to production only after those tests are successful.

Chapter 6. Synchronizing directories

IBM SmartCloud for Social Business offers many ways to integrate with your enterprise. Although synchronizing directories is not a requirement for a cloud-only (known as "Service Only") offering, synchronizing directories can be of great value to extend the on-premise enterprise environment into IBM SmartCloud for Social Business. Extending your environment into a cloud solution is also known as a hybrid configuration.

More and more companies are opting for hybrid environments, where some of their users and services are deployed into the IBM SmartCloud for Social Business public cloud and some remain on-premise, or where some work is performed in the cloud (for example, mail) and some is performed in the on-premise environment (for example, applications). These hybrid deployments, whether an interim stage or the end goal, are defined based on the projected cost savings and the business needs of the users.
Identity management forms the basis for maintaining these user populations and provisioning them for the various services they are entitled to. Separately managing on-premise and IBM SmartCloud for Social Business users in a hybrid environment can be costly, but many enterprises choose it because they have business requirements to maintain a portion of their business on-premise. They then require the ability to integrate an existing or evolving on-premise identity management system with the provisioning of IBM SmartCloud for Social Business users to preserve cost savings.

IBM SmartCloud for Social Business supports two ways of directory synchronization (integration):
- 6.1, "SmartCloud Notes deployment options" on page 42
- 6.2, "IBM SmartCloud iNotes directory synchronization" on page 55

IBM SmartCloud iNotes is a stand-alone, lightweight webmail (POP3 and IMAP) offering, which is different from the on-premises webmail version of IBM Domino (Web Access). IBM SmartCloud Notes offers a rich webmail experience through the web browser or the IBM Notes client.

6.1 SmartCloud Notes deployment options

SmartCloud Notes is available in two flavors:
- SmartCloud Notes Service Only
- SmartCloud Notes Hybrid

SmartCloud Notes Service Only is intended for cloud usage only and does not support directory synchronization with your infrastructure. SmartCloud Notes Hybrid supports directory synchronization with your infrastructure by setting up the hybrid configuration. The SmartCloud Notes Hybrid configuration integrates at the IBM Domino level with your organization. The benefits of using this solution include:
- You have directory synchronization.
- The hybrid solution extends your existing IBM Domino Domains into a cloud solution. This ensures that you stay in control of your current security model in your IBM Domino environment. All certificates and ID files stay the way they are today.
- The hybrid configuration makes sure that you can provision users in the cloud or on premises without losing any functionality. The hybrid setup provides a seamless integration solution regardless of where your users are registered.
- You will be able to use Free and Busy time lookups in all directions for both calendaring and resource reservations.
- The hybrid solution provides you with the initial step to migrate email data into the IBM SmartCloud Notes environment.

The following diagram shows a simplified layout of the SmartCloud Notes Hybrid architecture:

An informative reference document is the Transitioning to IBM SmartCloud Notes whitepaper. This document details configuration, deployment approach, and hybrid environments for existing and new IBM Domino customers.

6.1.1 Setting up the SmartCloud Notes Hybrid configuration

Network connectivity and preparation

To successfully use directory synchronization, you must set up the SmartCloud Notes Hybrid configuration. To make the setup a success, you must prepare your network and open specific ports on your firewalls. The following table shows what is necessary for a SmartCloud Notes Hybrid deployment:

Port: 1352 outgoing
Source: Notes Clients
Target: notes.ce.collabserv.com or notes.jp.collabserv.com or notes.na.collabserv.com
Description: Mail file access for replication, sending and receiving of email.

Port: 1352 outgoing
Source: All Domino Servers
Target: notes.ce.collabserv.com or notes.jp.collabserv.com or notes.na.collabserv.com
Description: Free and Busy time lookups for cloud-based users and NRPC mail routing from on-premises users.

Port: 1352 incoming
Source: Domino Pass-thru Servers (DMZ)
Target: All Domino Servers
Description: NRPC mail routing from cloud-based users, directory synchronization from SCN directory sync servers to on-premises directory sync servers, and Free & Busy time lookups from cloud-based users to on-premises.

Port: 1352 outgoing
Source: Domino Pass-thru Servers (DMZ)
Target: notes.ce.collabserv.com or notes.jp.collabserv.com or notes.na.collabserv.com
Description: NRPC mail routing and directory synchronization to SCN servers and to cloud-based users.

Port: 1352 incoming
Source: Domino Pass-thru Servers (DMZ)
Target: notes.ce.collabserv.com or notes.jp.collabserv.com or notes.na.collabserv.com
Description: NRPC mail routing from cloud-based users, directory synchronization from SCN directory sync servers to on-premises directory sync servers, and Free & Busy time lookups from cloud-based users to on-premises.

To benefit from the SmartCloud accelerated network, use DNS names. An IP address range may be used; however, the range will be large and is subject to change. Contact support if an IP range must be used in a situation where your firewalls are not able to support DNS names. For a more complete table, check Cheat Sheet: Firewall Settings for IBM SmartCloud Engage Advanced.

In the following sections, we walk you through the steps to establish directory synchronization and set up a SmartCloud Notes Hybrid environment.

SmartCloud Notes Hybrid setup

To set up a SmartCloud Notes Hybrid environment, first log in to IBM SmartCloud for Social Business and complete the following:
1. At the top right, click Admin → Manage Organization. Administrative privileges are required.
2. Click IBM SmartCloud Notes on the left-hand menu. Then click Account Settings.

Selecting Hybrid

You are now asked to select or deselect the option to set up your account in the hybrid configuration. This is a critical step in the setup process. If you select to set up a hybrid environment and want to use a Service Only configuration later on, you need IBM support staff to clean up your cloud environment. This can take several working days, and all information will be lost.
To take advantage of a hybrid environment and directory synchronization, select (tick) the Hybrid Environment option, click Set Up My Account, and click Continue to progress to the hybrid configuration steps.

Pre-configuration test tool

To help those who will use an existing Lotus Domino environment, IBM SmartCloud for Social Business offers a Pre-configuration test tool to help you verify that all prerequisites are met, such as server software versions, configuration items, and tasks that are running on servers. To run the Pre-configuration test tool, make sure that you have started a supported version of the IBM Notes Administrator Client and have administrative access to both your corporate Domino Domain and your Pass Thru Domino Domain. Check for supported IBM Notes Client versions here.

Use these steps to install and start the Pre-configuration Test tool:
1. Download the Pre-configuration Test Tool from the menu on the left-hand side to verify your environment.
2. Run the tool from your download location and have it opened in IBM Notes.

The following figure shows the first window of the Notes Hybrid Pre-configuration test tool.

In the Test Options section, you see the option to skip the group scan. If you have a large number of groups in your Domino Directory, the group scan might take a considerable amount of time before the test completes. The group scan checks for duplicated groups among all directories and checks for specific SmartCloud Notes group names that cannot be used. For example, these names are reserved for the service and cannot be used as group names:
- LLNServers
- LLNMailHubs
- Names that begin with "Certifiers_" or "SAAS"

In this window, you can change anything and try out the configuration you want to evaluate. Adding or removing directories and adding or removing servers are options for testing or evaluation.
The tool provides you with a summary report of issues found that must be resolved before you can use the hybrid configuration.

Note: Resolve all issues that are highlighted in the report.

Directory Sync Servers

Configure the directory sync server from the menu:
1. Go to Admin → Manage Organization → IBM SmartCloud Notes → Directory Sync Server, and click Add Domino Directory.
2. The most important step for the directory synchronization setup is the Directory Sync Server Configuration page. You must provide a minimum of one directory server name with one Address Book (Domino Directory database file name and path). This is the directory from which you can provision users. If you want to use an additional (secondary, for high availability or disaster recovery) IBM Domino server, you must specify it in the "Optional: Secondary directory server name" field.
3. Click Save to save the configuration changes.
4. You must rerun the SmartCloud Notes Domain Configuration Tool to activate these settings inside the on-premises configuration.

You can add multiple directories by clicking Add Domino Directory. With this option, you can also add directories from which you do not want to provision users, for example, directories for mail addressing (Directory Assistance) purposes. Make sure that you always select the Do not use this Domino Directory for user provisioning option when adding Extended Directory Catalogs to the configuration.

For more details about exactly what information is synchronized and in what direction (or the actual directory requirements), see Administering SmartCloud Notes: Hybrid Environment.

Mail Routing hosts

In this step, you define your mail routing host. This system should be an IBM Domino server that can route email within your domain or to any connecting domains (because your architecture can consist of multiple Domino domains).
At least one server is required. For high availability and disaster recovery scenarios, set up two systems. You can use existing ones. More than two servers are not possible. Using different Domino Domains for mail routing is an option.

Mail Server Base Name naming

In this step, you choose a base name for the servers that IBM will set up for you in the SmartCloud Notes environment. A good naming convention is to use the purpose of the server in its name. Some examples are: Mail, System, CloudServer (or CS), MailServer, CloudMailServer, or just "Server". Avoid using location names or service names as the server base name. Avoid using numbers, because IBM will append numbers to the base name when provisioning your virtual servers. Depending on the number of users that you are provisioning and IBM's administration of the environment, your organization will see several virtual servers created for you.

You will see a short indication that your account is being enabled. At this time, the service attempts to run the initial directory synchronization and receive the address books that you specified in the Directory Sync Server setup step. Depending on the size of the address books and your network connection, this task usually takes between 1 and 48 hours.

Note that you will see many red labels when you click the Run Tests button in the Configuration Test area. That is not a problem to worry about at this stage: most of the checks can only be completed once the service has a copy of the address books and the information for these tests is available from those address books.

Domain Configuration tool

Before the initial Directory Sync task can complete, you must configure the on-premises Domino Directories and servers by using the Domain Configuration tool. You can download this tool from the IBM SmartCloud Notes service.
Similar to the Pre-configuration Test tool, once downloaded, the Domain Configuration tool is opened in the Lotus Domino Administration client. The difference is that you cannot "try out" servers or directories as you can with the Pre-configuration Test tool; the settings are now fixed. You do have the "Skip group scan" option.

To download the tool, click Domain Configuration Tool on the left-hand menu, accept the terms, click Continue, and open the downloaded file. Click Begin pre-configuration test.

If all is correct, the tool shows informational messages such as "No problems found". Notifications such as "-systemname- must be at least version" are only applicable if you have not upgraded your systems to the required SmartCloud Notes supported versions. To check the supported versions, see Version requirements for on-premises Domino servers in the product documentation.

To get an overview of the required changes in your local address book, click Begin configuration report. This action does not make any changes yet, but shows you what changes will need to be made (by the tool itself in the next step). To make the required changes to server, location, connection, and group documents, click Configure servers. When all the changes have been performed, you will receive a "Configuration is complete" notification.

From this point forward, SmartCloud Notes systems should be able to start reading your Domino Directory, and you could see Domino connections coming in from the newly created servers. Go to the Domino live console (for your on-premises pass-thru or directory synchronization server) to see it in action.

Internet Domain verification

After the initial directory synchronization has completed, you will see that you can now start verifying (at least one) Internet Domain. Environments with multiple domains do not need all of them verified.
You should only verify the domains that users are assigned within their person document (are used for mail routing). If you have domains solely for web hosting services without mail routing for users, you will not need to verify those domains. In addition, if you have the following domains: magiccloud.com, orlando.magiccloud.com, and amsterdam.magiccloud.com, you would only need to validate the top level domain magiccloud.com. The subdomains will be validated automatically once the top level domain has been verified. The IBM SmartCloud Notes service determines the SMTP Internet domains from the global SMTP domain documents in the directory. As in the service only configuration, it is essential to prove to the IBM SmartCloud Notes service that you are indeed the rightful owner of the domain you entered. A unique key is generated for each domain that is used to populate a CNAME record in the DNS zone for the domain. After the CNAME record is entered, the IBM SmartCloud Notes service queries the public DNS service for existence of this CNAME record, which can only be entered by the owner or registrar managing the DNS zone. Note Chapter 6. Synchronizing directories 51 the this process might take a couple of hours as global DNS replication must take place before the service can notice your addition of the CNAME record in the DNS zone. See this example for a non verified domain and an in progress domain: You will see the CNAME record that must be created after you clicked Verify Ownership. For more information please visit the Verifying Internet domains page on the wiki. Click Verify Ownership to start validating your domain. Domain verification can take up to 48 hours, although usually it takes much less time. If after 48 hours domain verification has not completed, click Restart Verification. Restarting verification generates a new unique key and you must then replace the old key with the new key in the CNAME record. 
Only restart verification if 48 hours have passed since you clicked Begin Verification. After a domain is verified, you can remove the CNAME record you created.

Issuing the vault trust certificate

To have all user IDs harvested into the SmartCloud ID Vault, you must set up the ID Vault Trust before using SmartCloud Notes. The steps are:

1. From the Configuration tab in the Notes Administration Client, go to (left-hand side) Security → ID Vaults and highlight the existing ID Vault document.
2. Click Manage… followed by the Next button.
3. Select the Add or remove organizations that trust the vault task and click Next.
4. Click the Add or Remove button. This opens the Trusted Vault Organizations dialog.
5. From the list of Available organizations, select the organizations or organizational units to which the SmartCloud Notes users belong and click Add.
6. Click OK and Next.
7. Verify the actions to be performed and click Configure.
8. Click Browse to select the organizational certifier, and then click OK.
9. Enter the certifier password, and click OK.
10. In the “You have successfully completed the management of the Notes ID vault” window, click Done.
11. To verify that the Vault Trust Certificate was issued, locate it on the Configuration tab by expanding Security → Certificates → Certificates, and then expanding Vault Trust Certificates.

For more details about these steps, see Exercise 1.14: Issuing vault trust certificate.

Validating the setup

When this configuration is complete, the IBM SmartCloud Notes service can initiate a series of tests that validate the configuration and synchronization of directory content. To start the configuration test, click Run Tests under the Configuration Test menu item.

The following figure shows test 1 of 6:

The following figure shows test 2 of 6:

The following figure shows test 3 of 6:

This error message is not a concern, because this is an initial deployment phase of the hybrid configuration, in which no ID file could have been uploaded to the environment yet.

The following figure shows test 4 of 6:

The following figure shows test 5 of 6:

The following figure shows test 6 of 6:

At this step the hybrid configuration is successful and your directory integration with SmartCloud Notes is complete.

When test 5 or 6 does not show green tick marks, verify that your systems are up and running and reachable from the Internet as defined in the network firewall table. If you are certain that everything is running correctly, contact SmartCloud support.

6.1.2 Next Steps

Know how to administrate

Make sure you are aware of the content of the Administering SmartCloud Notes: Hybrid Environment documentation. In addition, IBM suggests that you go through the Hybrid IBM SmartCloud Notes course.

Mail Managed Replica

Before you start to provision users to the SmartCloud Notes service, make sure you have the Mail Managed Replica feature enabled for every user who will start using SmartCloud Notes with a Notes client. As a best practice, make sure it is also enabled for webmail-only users, because they might use a Notes client at a later stage. More information about the Mail Managed Replica (MMR) feature can be found here: Managed Replicas Explained.

At a minimum, make sure you have set the following parameters in the notes.ini of the IBM Notes clients:

CacheMail=3
(Create the managed replica if a local replica does not already exist.)

OutgoingMailSendThreshold=1
(Set the mail threshold to 1. This means that every time a new message is deposited in the local mailbox it is immediately sent to the server.)

ReplicateOnNewMail=1
(Replicate new mail from the server every time we detect that new mail has been delivered. This is crucial in keeping the cache “up to date”.)

User Management

Make sure you are familiar with the procedure for Provisioning users in SmartCloud Notes Hybrid and with these other common tasks:

– Resetting web login passwords
– Resetting passwords for Notes IDs
– Changing a Notes user name

6.2 IBM SmartCloud iNotes directory synchronization

Directory synchronization for SmartCloud iNotes is achieved by setting up an on-premises integration client and uploading an LDAP Data Interchange Format (LDIF) file to the SmartCloud Enterprise Integration Site, as shown in the figure below. The components marked with blue lines are key components of this integration solution.

The integration client is a computer system (it can be a virtual machine) that connects to your IBM Domino Directory, Microsoft Active Directory, Tivoli Directory Server, or any other LDAP source. The integration client can be an administrative workstation that just creates the LDIF file, or it can be a full-function server that hosts IBM Security Directory Integrator to read changes from the corporate directory automatically. The IBM SoftLayer cloud can host the integration client in both setup types, removing the need for additional hardware costs and the risk of hardware failure.

The connection from the directory source can be established by running Tivoli Directory Integrator (TDI) software with a specific assembly line (AL) that creates the LDIF change file. The TDI AL needs to detect the changes in the directory and then create the LDIF change file once a change has occurred. You must create the LDIF change file according to the IBM SmartCloud Integration Site naming convention, as shown in the following figure:

For more information, see the Creating directory integration change files wiki section.

The following are examples of LDIF change files:

Add a new user (for addressing lookups, not provisioning):

DN: cn=Joe Smith,ou=Development,o=Acme
changeType: add
objectClass: inetOrgPerson
displayName: Joe Smith
mail: joe.smith@acme.com
givenName: Joe
sn: Smith
telephoneNumber: 999 123-9876

Delete a user:

DN: cn=Joe Smith,ou=Quality Assurance,o=Acme
changeType: delete

Modify or add a phone number:

DN: cn=Joe Smith,ou=Marketing,o=Acme
changeType: modify
add: telephoneNumber
telephoneNumber: 111 222-3333

For more examples of LDIF files, see the IBM SmartCloud for Social Business documentation.

6.2.1 IBM SmartCloud Integration and Migration site

The IBM SmartCloud Integration and Migration site is an FTP site that provides you with a landing zone for your directory synchronization files. To obtain your own integration site, contact the IBM SmartCloud Customer Support Group (CSG) by email, asking for the enablement of your corporate integration site. The email should contain at least the following information:

– Company Name
– Customer ID (Organization Account Settings section of Admin UI > ID for this customer)
– Administrator Name (sender of the email, who is an Admin for this organization)
– Account name (email address) to be created (a functional, non-personal account is recommended) for uploading the LDIF change files into the integration site.

Make sure that you provide CSG with a non-personal account (for example, integration@yourorganization.com) to prevent service disruption when the administrator leaves your organization or when a personal account is locked out. For more information about integration server enablement, see the Requesting integration server enablement section of the IBM SmartCloud for Social Business documentation.

6.2.2 Automating LDIF file transfer

You probably want to automate the upload of LDIF files after the files have been created.
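To show how the three kinds of change record above are produced and checked before upload, here is an added example (not IBM's code and not a TDI assembly line). It writes and parses change files in the layout shown, base64-encodes values that RFC 2849 does not allow in clear text (for example non-ASCII names), and flags add records that lack the attributes the sample carries; the attribute list and the naming rules for the file itself are assumptions, not taken from the page.

```python
"""Build, parse and sanity-check LDIF change records (add / delete / modify).
Added example, not IBM code.  ADD_ATTRS mirrors the sample 'add' record above;
it is an assumption, not a documented requirement of the Integration Site."""
import base64
from typing import Dict, List

ADD_ATTRS = ("objectClass", "displayName", "mail", "givenName", "sn")


def _needs_base64(value: str) -> bool:
    """RFC 2849: a value that is not a SAFE-STRING must be written as 'name:: <base64>'."""
    if not value:
        return False
    if value[0] in " :<":          # unsafe leading characters
        return True
    return any(ch in "\r\n\0" or ord(ch) > 127 for ch in value)


def _line(name: str, value: str) -> str:
    if _needs_base64(value):
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def add_user(dn: str, attrs: Dict[str, str]) -> str:
    """Record that adds a person entry for addressing lookups (changeType: add)."""
    lines = [_line("DN", dn), "changeType: add", "objectClass: inetOrgPerson"]
    lines += [_line(k, v) for k, v in attrs.items()]
    return "\n".join(lines)


def delete_user(dn: str) -> str:
    return "\n".join([_line("DN", dn), "changeType: delete"])


def modify_add(dn: str, attr: str, value: str) -> str:
    """Record that adds one attribute value to an existing entry (changeType: modify)."""
    return "\n".join([_line("DN", dn), "changeType: modify", f"add: {attr}", _line(attr, value)])


def change_file(records: List[str]) -> str:
    """Records are separated by one blank line; the file ends with a newline."""
    return "\n\n".join(records) + "\n"


def parse_change_file(text: str) -> List[Dict[str, object]]:
    """Parse a change file into records {'dn', 'changetype', 'attrs': [(name, value), ...]}.
    Handles '::' base64 values and RFC 2849 continuation lines (leading space)."""
    records: List[Dict[str, object]] = []
    for block in text.strip().split("\n\n"):
        if not block.strip():
            continue
        unfolded: List[str] = []
        for raw in block.splitlines():
            if raw.startswith(" ") and unfolded:
                unfolded[-1] += raw[1:]        # continuation of the previous line
            elif raw.strip():
                unfolded.append(raw)
        rec: Dict[str, object] = {"dn": None, "changetype": None, "attrs": []}
        for ln in unfolded:
            name, sep, rest = ln.partition(":")
            if not sep:
                raise ValueError(f"malformed line: {ln!r}")
            if rest.startswith(":"):
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            key = name.strip().lower()
            if key == "dn":
                rec["dn"] = value
            elif key == "changetype":
                rec["changetype"] = value.lower()
            else:
                rec["attrs"].append((name.strip(), value))   # type: ignore[union-attr]
        records.append(rec)
    return records


def validate(records: List[Dict[str, object]]) -> List[str]:
    """One message per problem found; an empty list means the file looks sound."""
    problems: List[str] = []
    for i, rec in enumerate(records, 1):
        if not rec["dn"] or not rec["changetype"]:
            problems.append(f"record {i}: missing DN or changeType")
            continue
        if rec["changetype"] == "add":
            present = {n.lower() for n, _ in rec["attrs"]}   # type: ignore[union-attr]
            missing = [a for a in ADD_ATTRS if a.lower() not in present]
            if missing:
                problems.append(f"record {i}: add without {', '.join(missing)}")
        elif rec["changetype"] not in ("delete", "modify"):
            problems.append(f"record {i}: unknown changeType {rec['changetype']}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the three records from the text plus one with a non-ASCII name.
    sample = change_file([
        add_user("cn=Joe Smith,ou=Development,o=Acme",
                 {"displayName": "Joe Smith", "mail": "joe.smith@acme.com",
                  "givenName": "Joe", "sn": "Smith", "telephoneNumber": "999 123-9876"}),
        delete_user("cn=Joe Smith,ou=Quality Assurance,o=Acme"),
        modify_add("cn=Joe Smith,ou=Marketing,o=Acme", "telephoneNumber", "111 222-3333"),
        add_user("cn=José Müller,o=Acme",
                 {"displayName": "José Müller", "mail": "jm@acme.com", "givenName": "José", "sn": "Müller"}),
    ])
    print(sample)
    print("problems:", validate(parse_change_file(sample)))
```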
There are many software options that support file transfer through FTP. Note that the software must support encrypted FTP transfer in Implicit mode over TLS, and it must be able to accept the IBM security certificate. We see these software options used: FileZilla, RoboTask, or WinSCP; other solutions could work for you as well.

In addition, the firewalls must be opened to support port 990 and the range 60000-61000 for passive transfers (pasv). The following table shows the SmartCloud Integration Site firewall rules:

Port           Source              Target                                                                   Description
990            Integration Client  ftp.ce.collabserv.com, ftp.jp.collabserv.com, or ftp.na.collabserv.com   Implicit FTPS connection
60000 - 61000  Integration Client  ftp.ce.collabserv.com, ftp.jp.collabserv.com, or ftp.na.collabserv.com   pasv connection

The figure below shows an example of how to set up FileZilla:

After you have a session in place, you must accept the certificate from the Integration Site. The following figure shows the session information details:

The figure below shows an example of how to set up WinSCP:

Knowing this, you understand that IBM takes security seriously:

– You must register to use the integration site.
– You must provide a specific account that has authority to upload files.
– You must provide the files in a specific file format with predefined content formatting.
– You must provide the files over a secure connection that requires you to accept security certificates.

Chapter 7. User Provisioning, Journaling, and mail data migrations

IBM SmartCloud for Social Business offers various ways to integrate with your on-premises systems. The following figure shows the integration options that IBM SmartCloud for Social Business offers, including the directory integration described in Chapter 6, “Synchronizing directories” on page 41.

This chapter describes the different options available today through the “Enterprise integration and migration site” and provides background information about how your organization can benefit from them in the best way possible.

7.1 Customizing your environment to integrate with the cloud

The IBM SmartCloud for Social Business integration and migration site provides you with the ability to administer your cloud environment. You can use the integration and migration site, similar to the IBM SmartCloud for Social Business Web Administration User Interface (AdminUI), to perform user provisioning actions. The AdminUI allows you to perform account administration activities manually, whereas the integration and migration site gives you the option to perform account administration activities in bulk. Account administration activities are also described as subscription management or administration. It comes down to the fact that you can administer your cloud environment with the following example administrative actions:

– Adding users (provisioning) or subscriptions
– Suspending and resuming user subscriptions
– Updating user metadata such as locations or phone numbers
– Removing users or their subscriptions
– Changing subscriptions

Changing subscriptions is one of the tasks that gains significant flexibility for your organization in an IBM SmartCloud for Social Business environment. Consider the following subscription management scenario. You, as the account administrator, initially provide a new employee with a mail subscription for communicating with other employees. A month later, this user brings his new iPad to work, and you can assign him the IBM Notes Traveler functionality (subscription) for mobile email with just a couple of mouse clicks. A week later, you introduce the social way of working to your organization and equip every employee with IBM Connections collaboration functionality from the cloud. For our example employee, you simply assign him the IBM SmartCloud Connections subscription, again with that couple of mouse clicks. You can also change his subscriptions from IBM SmartCloud Notes and IBM SmartCloud Notes Traveler to a bundle plan, IBM SmartCloud Engage Advanced. IBM SmartCloud Engage Advanced costs less than the separate components (mail, Traveler, and Connections), and it provides him with even more functionality, such as SmartCloud Docs (online document editing), while still including mobile email. All of this, again, within the same couple of mouse clicks.

Furthermore, you can use this administration flexibility in bulk. You can switch subscriptions around for hundreds of employees at the same time just by using the integration site. Consider that you might have to provision 300 new accounts (no mail migration, just providing a new mail environment and, maybe, the Meetings component). This task can easily take you roughly 10 hours of work if done manually. With the integration site, you can provision these new user accounts by uploading a single file, which can save you 9.5 hours of work.

Are you thinking: if I can do it this easily, then someone else can do it just as easily… but then what about the exposure of them potentially removing my accounts or subscriptions? Not to worry: IBM SmartCloud for Social Business is designed with security considerations and has strict procedures and technology in place to prevent any security breach.
7.1.1 Integration site options

The SmartCloud for Social Business integration and migration site enables you to integrate user provisioning information from your on-premises administrative environment. The integration server supports your use of a hybrid environment: one that uses a combination of on-premises administrative management and cloud-based service and subscription management. The integration server periodically processes data files that you create and upload using a secure file transfer mechanism, to add, modify, and remove user provisioning information. This enables you to continue using your on-premises management systems and periodically upload user information. Integrating initial and changed content from your on-premises administrative environment is facilitated through your organization's subscription to the integration server service and by properly named and formatted change files that you periodically create and upload.

In addition, the SmartCloud for Social Business integration and migration site can be used for journaling purposes. The journal is a record of the user activity on your company account. It includes date, time, and user information about events such as logon attempts, password changes, and start times of online meetings. All of this is provided in raw text files from the individual IBM SmartCloud for Social Business components, such as activities, announcements, authentication, blogs, Business Support System (BSS), communities, contacts, files, forums, iNotes, Notes client sessions, Notes mail delivery, meetings, profiles, instant messaging, theming, and wikis. These files can be used for analysis through spreadsheet imports, text parsers, or even IBM Cognos reporting via DB2.

7.1.2 Enabling your enterprise integration server

The first step is to ask the IBM Customer Support Group (CSG) to enable the integration and migration site for your organization. When enabled, you see that the IBM SmartCloud for Social Business infrastructure is available, illustrated with blue lines in the following figure:

Apply for your integration site at CSG using the “Requesting integration server enablement” section of the IBM SmartCloud for Social Business Info Center.

Note: When you make the request, make sure that you apply for it using a functional email address (account), for example, cloudintegration@yourcompany.com. This arrangement prevents potential access issues in the future that arise with a personalized login, where that person always has to be technically involved and might have left your organization.

To understand some basic terms used with the IBM SmartCloud for Social Business integration and migration site and subscription management, take note of the following definitions:

User: A person with the ability to log in to the cloud environment of a particular service provider.

Subscriber: A user of a service offering. A subscriber can be assigned a seat of a particular subscription, which entitles them to use the associated service offering.

Seat: A subscription is defined to allow a particular number of subscribers, which can be thought of as seats. A seat is either assigned to a particular subscriber or available for future assignment. A seat can be revoked from a particular subscriber, which makes it available for assignment to another subscriber.

Subscription: An agreement between a service consumer and a service provider that defines the terms and conditions under which a service consumer can assign the right for a subscriber to use a particular service offering (and hence grant them the entitlements associated with that offering). A subscription can define a particular quota of resources allowed to be consumed in the context of using a service (for example, storage and bandwidth). A subscription can be a trial (that is, no charge for a limited time), metered (that is, “pay as you go”), or involve a recurring charge (that is, “fixed” monthly or annual charges).

Service offering: A specific variant of a service which defines the specific terms (for example, length of agreement, financial obligations, and seat limit) and conditions (for example, usage responsibilities), as well as seats (for example, number of meeting participants, initial storage size for content) that are granted as part of a subscription to that offering.

Service provider: An organization that provides a service to which a subscriber can be assigned a seat.

Service consumer: An organization or person that uses the services of a service provider.

Customer: A person or organization that has entered into a financial agreement with a service provider such that they can assign subscribers to subscriptions.

7.1.3 Bulk User Provisioning

Bulk User Provisioning is a service that is available through the integration and migration site to create new accounts in the cloud environment. This function does not migrate data and accounts; for data migration, see the migration options section of this document. Bulk User Provisioning saves you time and automates the administration of your cloud subscriptions and subscribers (users). It is achieved by setting up an on-premises integration client and uploading a comma-separated values (csv) file to the Enterprise Integration Site, as shown in the figure below. The components marked with blue lines are key parts of this integration solution.

The integration client is a computer system (it can be a virtual machine) that connects to your IBM Domino Directory, Microsoft Active Directory, Tivoli Directory Server, or any other LDAP source. The integration client can be an administrative workstation that just creates the csv file, or it can be a full-function server that hosts IBM Security Directory Integrator to read changes from the corporate directory automatically. The IBM SoftLayer cloud can host the integration client in both setup types, removing the need for additional hardware costs and the risk of hardware failure.

The integration and migration site (FTP server) allows customers to upload provisioning files over an authenticated, SSL-encrypted channel. Customers designate one or more IBM SmartCloud for Social Business users (customer administrators) who are allowed to upload and download files. Each customer is provided with a private drop-off folder that is dedicated to them. Upon successful FTPS authentication, the user's home directory is set to their private sub-folder. Access control is configured on the customer sub-folder so that only users designated by the customer can access the files and sub-folders under it. All files are scanned for viruses before being stored on disk, so that infected files can be detected and quarantined. The use of SSL, authentication, access control, and anti-virus scanning provides the privacy, integrity, control, and hygiene required to protect sensitive user data.

An example of the connection from an integration client to an on-premises identity system is shown here:

This figure lists IBM (formerly Tivoli) Directory Integrator (TDI) as the system that detects changes from the user repository. There are examples where customers have also connected the TDI system directly to a customer identity management solution such as Tivoli Identity Manager (TIM). This provides the ability to manage your cloud subscriptions (or subscribers) straight from your identity management solution.
In 10.2, “Implementing an IBM SmartCloud Notes environment with an existing IT Infrastructure” on page 132, we provide an example of how to integrate the integration and migration site with an on-premises Microsoft Active Directory system.

The csv file

You must create the csv file according to the IBM SmartCloud Integration Site naming convention, as shown in the following figure:

For example files, see User provisioning change files. Note that the first line of the file must be exactly this:

emailAddress,action,subscriptionId,subscriptionId2,givenName,familyName,language,timeZone,password,altEmailAddress,notesTemplate,notesDN,assignTo,department,jobTitle,country,telephone,mobile,fax,address,suppressInvitation,federationType

An example file in which an update has been submitted to assign a language, location, mail file template, department, role title, country, location, and phone numbers is attached to the bottom of this article.

Note: The update action cannot be used to supply a new password. A password reset must be done through the AdminUI.

For more detailed information about the specific actions inside csv files, see User provisioning and identity management. The following describes the types of operations that you can encode in the provisioning (csv) file.

Add: Creates a new subscriber record in the cloud, which includes a login account based on the subscriber's email address along with a self-manageable profile (for example, name, country, contact information, and so on). An add operation results in an email invitation to the subscriber so that they can set their own password, accept terms and conditions, and access the services to which they are entitled through a subscription seat. In some cases, a one-time password is assigned to the user, which they must change after first use.

Update: Updates a subscriber's person information.

Suspend: Disables a subscriber's ability to log in and use services (but does not remove them or revoke subscriptions assigned to them).

Resume: Enables a suspended subscriber's ability to log in and use services (that is, “unsuspend”).

Remove: Removes a subscriber and revokes all their entitlements. Can either delete all collaboration content relative to the user's current collaboration subscription or reassign it to another subscriber. (Note: Only File and Activity content of a collab subscription is reassignable. Also, reassignment of mail content is not supported at all yet. All other user data is deleted even when assignTo is specified.)

AssignSeat: Assigns a subscription seat to a subscriber, provisioning all entitlements as defined within the subscription (for example, entitles them to use the features of a particular IBM SmartCloud for Social Business offering such as Meetings, Engage, or iNotes). Note that a user can have at most one mail subscription and one collaboration subscription at a time, or a single bundled subscription.

ChangeSeat: Changes the current collaboration subscription seat assigned to the user to some other collaboration subscription seat. Simply specify the target subscription ID, and the integration site will determine the appropriate current subscription to be changed (this is possible because a subscriber can have only one collaboration subscription at a time). ChangeSeat can be used to change individual mail and collab subscriptions to a bundled subscription. It can also change a bundled subscription to individual mail and collab subscriptions; to do this, two target subscriptionIds are specified. The current and target subscriptions must be compatible. For example, you can change a user subscription from Connections to Engage. Or, you can change a user that has individual Engage and iNotes seats to a bundled subscription that has both Engage and iNotes. Current compatible change combinations are:

– Engage <=> Engage
– Engage <=> Connections
– Meetings <=> Events

Contact the customer support group (CSG) for an up-to-date table of compatible subscriptions.

RevokeSeat: Revokes a subscription seat assigned to a subscriber, removing all entitlements associated with the subscription. Rather than specifying a particular subscription ID, simply specify “COLLAB”, “MAIL”, or “BUNDLE” in the subscriptionId field to identify the seat to revoke. Can optionally delete all collaboration content relative to a collaboration subscription or reassign it to another subscriber (see the assignTo field). (Note: Only File and Activity content of a collab subscription is reassignable. Also, reassignment of mail content is not supported at all yet. All other user data is deleted even when assignTo is specified.)

Rename: Changes the emailAddress that uniquely identifies the user (that is, the email used to log on to the service). Note that this is restricted to users that only have collaboration subscriptions. If a user has a mail subscription, an error is returned and the rename is not attempted.

ResendInvitation: Sends an invitation email to allow a user to activate a subscription to which they have been assigned a seat. This is typically used when the original invitation was not delivered, lost, or accidentally deleted. This operation can also be used in conjunction with an Add or AssignSeat operation that specifies “SUPPRESS_ALL” for the suppressInvitation field. In this way, a user may be pre-provisioned (without an invitation being sent) and invited to activate their subscription at a later time.

Report files

Every time the integration server runs, it produces a report file for each customer who recently uploaded a provisioning change file.
The report contains a summary of the successful provisioning operations and details about those with errors. This report file can contain the results from multiple input files (see Trace files below for per-input-file information). The customer can use this report file to verify that the intended operations occurred, to correct problems with the provisioning file, and to follow up with a Customer Services Representative (CSR) to resolve unexpected problems. The report file names are generated based on the date and time that processing started for that customer, for example: LLIS_Report_20100820_121003.txt. Reports are stored under the _report sub-folder.

The following is an example of an error report file which shows a mix of success and error conditions for the processing of several provisioning change files:

8/18/10 11:32 PM - *** Processing file: llis/acme/foo
8/18/10 11:32 PM ERROR: The file name format is not valid.
8/18/10 11:32 PM - *** Processing file: llis/acme/10049989_sequence
8/18/10 11:32 PM ERROR: The file name format is not valid.
8/18/10 11:32 PM - *** Processing file: llis/acme/20049989_PRV_00000000.csv
8/18/10 11:32 PM ERROR: A failure occurred when processing the CSV entry #1. The error message follows: com.ibm.bss.shim.exceptions.BadRequestException: Email address already exists.
8/18/10 11:32 PM - CSV entries read: 1; BSS entries written: 0; CSV read errors: 0; BSS write errors: 1
8/18/10 11:32 PM - *** Processing file: llis/acme/20049989_PRV_00000001.csv
8/18/10 11:32 PM CSV entries read: 3; BSS entries written: 3; No errors!
8/18/10 11:32 PM - *** Processing file: llis/acme/20049989_PRV_00000002.csv
8/18/10 11:32 PM CSV entries read: 1; BSS entries written: 1; No errors!
8/18/10 11:33 PM - *** Processing file: llis/acme/20049989_PRV_00000006.csv
8/18/10 11:33 PM CSV entries read: 1; BSS entries written: 1; No errors!
8/18/10 11:33 PM - *** Processing file: llis/acme/20049989_PRV_00000007.csv
8/18/10 11:33 PM ERROR: A failure occurred when processing the CSV entry #1. The error message follows: ERROR: Cannot revoke, user does not hold subscription.
8/18/10 11:33 PM - CSV entries read: 1; BSS entries written: 0; CSV read errors: 0; BSS write errors: 1
8/18/10 11:33 PM - *** Processing file: llis/acme/20049989_PRV_00000009.csv
8/18/10 11:33 PM CSV entries read: 1; BSS entries written: 1; No errors!

Trace files

For each file processed, the integration and migration site produces a corresponding trace file that contains detailed status about each line processed. This trace file is provided to allow customers to do programmatic validation. A trace file is written to the same _processed or _error sub-folder that the corresponding change file is moved to. The file name for the trace file is generated by appending _trace to the end of the corresponding change file name, for example, 20049989_PRV_00000000_trace.csv.

The trace file is written in csv format, with characters encoded in UTF-8. Each line starts with the following fields:

entryNum,lineNum,resultCode,

where:

– entryNum is the sequential count of the change entry in the change file
– lineNum is the line number on which the change entry begins in the change file
– resultCode is an integer result code from processing the operation

followed by the line that was processed in the change file.

The following shows an example of the content of a trace file:

entryNum,lineNum,resultCode,emailAddress,action,subscriptionId,givenName,familyName,language
1,5,0,ju@mailinator.com,Add,85180,John,User,en_US
2,7,0,bw@mailinator.com,Add,,Betty,Williams,fr_FR
...
99,97,1,bad input line

In this example, a resultCode of 0 indicates that the line processed successfully. If the line did not process successfully, a different result code appears in this field.
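Because the trace file exists for programmatic validation, here is an added example (not IBM code) that parses a report file and a trace file in the layouts shown above and lists the files and entries that failed. The line patterns it matches are assumptions fitted to the sample lines, and the sample inputs are constructed from those samples.

```python
"""Parse integration-site report and trace files to find failed operations.
Added example, not IBM code.  Assumption: report lines always start with a
'M/D/YY H:MM AM|PM' stamp, as in the sample report above."""
import csv
import io
import re
from typing import Dict, List

_STAMP = re.compile(r"^(\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2} [AP]M) (?:- )?(.*)$")
_COUNTS = re.compile(r"CSV entries read: (\d+); BSS entries written: (\d+)")
_FILE_PREFIX = "*** Processing file: "


def parse_report(text: str) -> List[Dict[str, object]]:
    """One dict per processed file: file, started, errors (messages), read, written."""
    files: List[Dict[str, object]] = []
    for raw in text.splitlines():
        m = _STAMP.match(raw.strip())
        if not m:
            continue                      # blank or unexpected line: ignore
        stamp, rest = m.groups()
        if rest.startswith(_FILE_PREFIX):
            files.append({"file": rest[len(_FILE_PREFIX):], "started": stamp,
                          "errors": [], "read": 0, "written": 0})
            continue
        if not files:
            raise ValueError(f"line before any 'Processing file' header: {raw!r}")
        if rest.startswith("ERROR: "):
            files[-1]["errors"].append(rest[len("ERROR: "):])   # type: ignore[union-attr]
        c = _COUNTS.search(rest)
        if c:
            files[-1]["read"] = int(c.group(1))
            files[-1]["written"] = int(c.group(2))
    return files


def report_failures(text: str) -> List[str]:
    """Names of the change files whose processing logged at least one ERROR line."""
    return [str(f["file"]) for f in parse_report(text) if f["errors"]]


def trace_failures(text: str) -> List[Dict[str, object]]:
    """Rows of a *_trace.csv whose resultCode is not 0, with the original change-file line."""
    rows = list(csv.reader(io.StringIO(text)))
    failures: List[Dict[str, object]] = []
    for row in rows[1:]:                 # rows[0] is the header
        if len(row) < 3 or not row[0].isdigit():
            continue                      # ellipsis, blank or truncated line
        code = int(row[2])
        if code != 0:
            failures.append({"entryNum": int(row[0]), "lineNum": int(row[1]),
                             "resultCode": code, "line": ",".join(row[3:])})
    return failures


# Constructed samples, copied from the report and trace excerpts in the text.
REPORT_SAMPLE = """\
8/18/10 11:32 PM - *** Processing file: llis/acme/foo
8/18/10 11:32 PM ERROR: The file name format is not valid.
8/18/10 11:32 PM - *** Processing file: llis/acme/10049989_sequence
8/18/10 11:32 PM ERROR: The file name format is not valid.
8/18/10 11:32 PM - *** Processing file: llis/acme/20049989_PRV_00000000.csv
8/18/10 11:32 PM ERROR: A failure occurred when processing the CSV entry #1. The error message follows: com.ibm.bss.shim.exceptions.BadRequestException: Email address already exists.
8/18/10 11:32 PM - CSV entries read: 1; BSS entries written: 0; CSV read errors: 0; BSS write errors: 1
8/18/10 11:32 PM - *** Processing file: llis/acme/20049989_PRV_00000001.csv
8/18/10 11:32 PM CSV entries read: 3; BSS entries written: 3; No errors!
8/18/10 11:32 PM - *** Processing file: llis/acme/20049989_PRV_00000002.csv
8/18/10 11:32 PM CSV entries read: 1; BSS entries written: 1; No errors!
8/18/10 11:33 PM - *** Processing file: llis/acme/20049989_PRV_00000006.csv
8/18/10 11:33 PM CSV entries read: 1; BSS entries written: 1; No errors!
8/18/10 11:33 PM - *** Processing file: llis/acme/20049989_PRV_00000007.csv
8/18/10 11:33 PM ERROR: A failure occurred when processing the CSV entry #1. The error message follows: ERROR: Cannot revoke, user does not hold subscription.
8/18/10 11:33 PM - CSV entries read: 1; BSS entries written: 0; CSV read errors: 0; BSS write errors: 1
8/18/10 11:33 PM - *** Processing file: llis/acme/20049989_PRV_00000009.csv
8/18/10 11:33 PM CSV entries read: 1; BSS entries written: 1; No errors!
"""

TRACE_SAMPLE = """\
entryNum,lineNum,resultCode,emailAddress,action,subscriptionId,givenName,familyName,language
1,5,0,ju@mailinator.com,Add,85180,John,User,en_US
2,7,0,bw@mailinator.com,Add,,Betty,Williams,fr_FR
...
99,97,1,bad input line
"""

if __name__ == "__main__":
    print("files with errors:", report_failures(REPORT_SAMPLE))
    print("failed trace rows:", trace_failures(TRACE_SAMPLE))
```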
Integration site firewalls and download

The integration site uses specific ports/sockets for you to connect securely. If your system is behind a firewall, make sure that the firewall is configured to allow connections to port 990 and to the port range 60000 to 61000.

Port: 990
Source: Integration Client
Target: ftp.ce.collabserv.com or ftp.jp.collabserv.com or ftp.na.collabserv.com
Description: Implicit FTPS connection

Port: 60000 - 61000
Source: Integration Client
Target: ftp.ce.collabserv.com or ftp.jp.collabserv.com or ftp.na.collabserv.com
Description: Passive (PASV) data connection

As an example, to upload change files and retrieve the results, open your FTP client and enter the following connection details:
Host (European data center): ftp.ce.collabserv.com
Protocol: FTP
Port: 990
Encryption: Implicit FTP over TLS
User and password: Enter the credentials for the SmartCloud Engage user account that was enabled for access to the SmartCloud Engage integration and migration site.
– Connect to the FTP site.
– Select the local CSV files that you want to upload and upload them. You can see the changes to the users in the Admin UI.
– If something went wrong (or did not take place) and a detailed investigation is required, reconnect and download the trace and report files from the trace and report directories.

7.1.4 Integration site throttling

The integration and migration site infrastructure is shared by all organizations (customers) in the service because this is a multi-tenant public cloud solution. To keep the integration and migration site available to all organizations, IBM sets a few usage limits on it:

Maximum processing of 550 lines per hour
Maximum of 10,000 lines per day
Maximum of 200 lines per file

To make the most of these limits without exceeding 550 lines per hour, use a maximum of 183 lines per file: 3 * 183 = 549 lines processed per hour.
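Both the change-file upload described above and the journal download in 7.2.2 use implicit FTPS on port 990 with passive data connections to ports 60000 to 61000. The following Python client is an added example, not code from the guide or from IBM. Python's ftplib only implements explicit FTPS (AUTH TLS after connecting in the clear), so the subclass below wraps the control socket in TLS as soon as it is created, which is what implicit FTPS on port 990 requires. The host names and port numbers are those from the table above; the remote directory names "journal" and "_report" follow the guide's text; the account, password and local paths are placeholders. Certificate and host-name verification are left at the ssl module's defaults on purpose: an FTP client configured to accept any certificate would hand the integration account's credentials and your provisioning data to anyone on the path.

```python
"""Added example, not code from the guide or from IBM: an implicit-FTPS
client for the integration and migration site. ftplib.FTP_TLS implements
explicit FTPS (AUTH TLS after connecting to port 21); the site uses
implicit FTPS on port 990, where TLS is negotiated before the first FTP
reply, so the control socket is wrapped as soon as connect() creates it.
Host names and ports are from the guide's table; remote directory names
follow its text; account, password and local paths are placeholders."""
import ftplib
import io
import os
import re
import ssl

INTEGRATION_HOSTS = {                 # data centers named in the guide
    "ce": "ftp.ce.collabserv.com",    # Europe
    "jp": "ftp.jp.collabserv.com",    # Japan
    "na": "ftp.na.collabserv.com",    # North America
}
IMPLICIT_FTPS_PORT = 990              # control channel
# Data channel: passive (PASV) connections to server ports 60000-61000,
# so the firewall must allow outbound connections to that range as well.
MAX_LINES_PER_FILE = 200              # 7.1.4 limit
# Change-file name format as it appears in the guide's report example
# (customer number, _PRV_, eight-digit sequence, .csv).
CHANGE_FILE_NAME = re.compile(r"^\d+_PRV_\d{8}\.csv$")

def integration_host(data_center):
    try:
        return INTEGRATION_HOSTS[data_center]
    except KeyError:
        raise ValueError("unknown data center %r" % data_center) from None

def change_file_is_acceptable(name, text):
    """Pre-check before upload: the site rejects bad names ("The file name
    format is not valid") and files over the per-file line limit anyway."""
    return bool(CHANGE_FILE_NAME.match(name)) and len(text.splitlines()) <= MAX_LINES_PER_FILE

class ImplicitFTPS(ftplib.FTP_TLS):
    """FTP_TLS that wraps the control socket in TLS the moment
    FTP.connect() assigns it, which is what implicit FTPS needs."""
    def __init__(self, *args, **kwargs):
        self._sock = None
        super().__init__(*args, **kwargs)

    @property
    def sock(self):
        return self._sock

    @sock.setter
    def sock(self, value):
        if value is not None and not isinstance(value, ssl.SSLSocket):
            # server_hostname turns on certificate host-name checking
            value = self.context.wrap_socket(value, server_hostname=self.host)
        self._sock = value

def make_client():
    """Unconnected client. create_default_context() verifies the server
    certificate against the system trust store and checks the host name;
    do not relax either, the account credentials travel over this socket."""
    return ImplicitFTPS(context=ssl.create_default_context())

def connect_integration_site(data_center, user, password):
    client = make_client()
    client.connect(integration_host(data_center), IMPLICIT_FTPS_PORT)
    client.login(user, password)     # already on TLS, so no AUTH TLS is sent
    client.prot_p()                  # PROT P: encrypt the data channel too
    client.set_pasv(True)            # client connects out to 60000-61000
    return client

def upload_change_files(client, paths):
    """Upload provisioning change files after the local pre-check."""
    uploaded = []
    for path in paths:
        name = os.path.basename(path)
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        if not change_file_is_acceptable(name, text):
            raise ValueError("refusing %s: bad name or more than %d lines" % (name, MAX_LINES_PER_FILE))
        client.storbinary("STOR " + name, io.BytesIO(text.encode("utf-8")))
        uploaded.append(name)
    return uploaded

def download_directory(client, remote_dir, local_dir, suffix=""):
    """Fetch the files in remote_dir (the journal directory, or _report,
    _processed or _error for provisioning results) ending with suffix."""
    client.cwd(remote_dir)
    written = []
    for name in client.nlst():
        if not name.endswith(suffix):
            continue
        dest = os.path.join(local_dir, os.path.basename(name))
        with open(dest, "wb") as out:
            client.retrbinary("RETR " + name, out.write)
        written.append(dest)
    return written

if __name__ == "__main__":
    # Generic integration account (placeholder) rather than a personal one.
    c = connect_integration_site("ce", "cloudjournaling@yourcompany.com",
                                 os.environ.get("SCSB_PASSWORD", ""))
    try:
        print(download_directory(c, "journal", ".", suffix=".txt.gz"))
    finally:
        c.quit()
```

If the control connection succeeds but every listing or transfer hangs, the data ports are the usual cause: confirm that outbound TCP to 60000-61000 on the same host is permitted and that no middlebox is rewriting the PASV reply, which it cannot do once PROT P is active.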
7.2 Journaling

The process of turning on journaling is identical to the integration and migration site enablement. Make sure to use a generic account instead of a personal account for journaling, for example cloudjournaling@yourcompany.com.

Approximately every 24 hours, the journal service produces several journal files, one for each component of IBM SmartCloud for Social Business. Each file is compressed using gzip and then made available through FTPS on the integration and migration site. The files are kept for 7 days, so schedule the download at least weekly; a journal that is not collected within that window is gone. Each compressed file contains a plain text file in a human-readable format. The format is consistent across all files so that the text files can be parsed programmatically.

Journaling terminology

Journal service: The system that assembles the journals into files, compresses them, and makes them available on the integration and migration site.
Journal: The journal is a record of events. It is contained in one or more journal files.
Journal file: A plain text file that contains the records of the events that users performed.
Record: A complete entry in the journal file. It contains the date, time, and other details about an event.
Component: A service or feature in SmartCloud for Social Business. For example, Files is a component, and Activities is a component.
Event: An action that a user performed on your company account, such as logging in, downloading a file, or changing a password.
FTPS: A file transfer protocol that uses Transport Layer Security to provide secure communications on the Internet.
Gzip: A file compression utility. Use gunzip to decompress the files.
UUID: A universally unique identifier, in hexadecimal format.

7.2.1 Journaling file name and output

The name of the compressed file that you download for a component is DATE.COMPONENT.txt.gz. DATE is the date that the journal was written, in YYYY-MM-DD format. COMPONENT is the name that is used for the journal file of a component.
In most cases, COMPONENT is identical to the actual name of the IBM SmartCloud for Social Business component. For example:

2014-05-06.CONTACT.txt.gz
2014-05-06.ACTIVITIES.txt.gz
2014-05-06.FILES2.txt.gz
2014-05-06.NOTESMAIL.txt.gz
2014-05-06.NOTES_NRPC_SESSION.txt.gz

Syntax

All records conform to the following general format:

DATE user SUBJECT performed ACTION [ON_OBJECT] [TARGETED_AT] with outcome OUTCOME [reason=REASON] [(EXTRA)]

A more detailed view of the format is as follows:

DATE user email (id=subscriberId, customerId=customerId) performed ACTION [on object (type=TYPE, id=OBJECTID, name="name", customerId=customerId)] [targeted at (type=TYPE, id=TARGETID, name="name", customerId=customerId)] with outcome OUTCOME [reason=REASON][(EXTRA)]

For more information about the journaling file formats, see the online version of this guide.

Examples of journaling files:
Notes session logging
Note: The date / time stamp is in the GMT time zone (+0000).
SmartCloud Notes internal mail routing
SmartCloud Notes external mail routing

7.2.2 Enabling the SmartCloud Notes journaling service

For SmartCloud Notes, you must select which parts you want to journal using the Administration User Interface of IBM SmartCloud for Social Business. Go to (top right of your browser) Admin → Manage Organization → SmartCloud Notes → Account Settings → Journaling Options, select (tick) each component that you want to turn on, and click Save.

Firewalls and download

The integration site uses specific ports/sockets for you to connect securely. If your system is behind a firewall, make sure that the firewall is configured to allow connections to port 990 and to the port range 60000 to 61000.
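Returning to the journal record syntax in 7.2.1: the following Python code is an added example, not part of the guide or of IBM's journal service. It reads a downloaded DATE.COMPONENT.txt.gz file, parses each record into its fields according to the detailed format above, and counts failed outcomes per user, which is the first question a security analyst asks of a journal (who is failing to log in, and how often). The sample lines are constructed to match the documented format; the exact DATE layout (here an ISO-style timestamp at +0000, since the guide only says timestamps are GMT), the action names LOGIN, DOWNLOAD and SHARE, the outcome values SUCCESS and FAILURE, the reason code and the object types are assumptions, so adjust them to what your downloaded journals actually contain.

```python
"""Added example, not from the guide or IBM's journal service: parser for
journal records in the general format of 7.2.1, plus a reader for the
downloaded DATE.COMPONENT.txt.gz files. Sample records are constructed;
the DATE layout, action/outcome vocabulary and object types are assumed."""
import gzip
import re
from collections import Counter

# DATE is matched loosely (everything before " user ") because the guide
# only states that timestamps are GMT (+0000), not their exact layout.
RECORD = re.compile(
    r"^(?P<date>.+?) user (?P<email>\S+) "
    r"\(id=(?P<subscriberId>[^,]+), customerId=(?P<customerId>[^)]+)\) "
    r"performed (?P<action>\S+)"
    r"(?: on object \((?P<object>[^)]*)\))?"
    r"(?: targeted at \((?P<target>[^)]*)\))?"
    r" with outcome (?P<outcome>\S+)"
    r"(?: reason=(?P<reason>\S+))?"
    r"(?: \((?P<extra>.*)\))?$"
)
# key=value pairs inside "(type=..., id=..., name="...", customerId=...)";
# a quoted name may contain commas, an unquoted value may not.
KV = re.compile(r'(\w+)=("[^"]*"|[^,]+)')

def parse_attrs(text):
    if text is None:
        return None
    return {k: v.strip('"') for k, v in KV.findall(text)}

def parse_record(line):
    """Return a dict of the record's fields, or None for a non-record line."""
    m = RECORD.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["object"] = parse_attrs(rec["object"])
    rec["target"] = parse_attrs(rec["target"])
    return rec

def parse_journal_gz(path):
    """Decompress one DATE.COMPONENT.txt.gz file and parse every record."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return [r for r in (parse_record(line) for line in fh) if r]

def failures_by_user(records, success="SUCCESS"):
    """Count of records per user whose outcome is not the success value."""
    return Counter(r["email"] for r in records if r["outcome"] != success)

# Constructed sample records (not real journal output).
SAMPLE = """\
2014-05-06 08:15:02 +0000 user alice@example.com (id=1001, customerId=20049989) performed LOGIN with outcome SUCCESS
2014-05-06 08:16:40 +0000 user alice@example.com (id=1001, customerId=20049989) performed DOWNLOAD on object (type=FILE, id=ab12cd34, name="q1 results.xlsx", customerId=20049989) with outcome SUCCESS
2014-05-06 08:17:05 +0000 user mallory@example.com (id=1002, customerId=20049989) performed LOGIN with outcome FAILURE reason=BAD_PASSWORD
2014-05-06 08:17:09 +0000 user mallory@example.com (id=1002, customerId=20049989) performed LOGIN with outcome FAILURE reason=BAD_PASSWORD (attempt=2)
2014-05-06 08:20:00 +0000 user alice@example.com (id=1001, customerId=20049989) performed SHARE on object (type=FILE, id=ab12cd34, name="q1 results.xlsx", customerId=20049989) targeted at (type=USER, id=1002, name="Mallory", customerId=20049989) with outcome SUCCESS
"""

if __name__ == "__main__":
    records = [r for r in map(parse_record, SAMPLE.splitlines()) if r]
    for user, n in failures_by_user(records).most_common():
        print("%s: %d failed events" % (user, n))
```

Feed the output into whatever log pipeline you already run: each record becomes one structured event with the user, action, outcome, object and target separated, which is what alerting on repeated failures or on shares to outside users needs.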
Port: 990
Source: Integration Client
Target: ftp.ce.collabserv.com or ftp.jp.collabserv.com or ftp.na.collabserv.com
Description: Implicit FTPS connection

Port: 60000 - 61000
Source: Integration Client
Target: ftp.ce.collabserv.com or ftp.jp.collabserv.com or ftp.na.collabserv.com
Description: Passive (PASV) data connection

As an example, to download the journal files, open your FTP client and enter the following connection details:
Host (North American data center): ftp.na.collabserv.com
Protocol: FTP
Port: 990
Encryption: Implicit FTP over TLS
User and password: Enter the credentials for the SmartCloud Engage user account that was enabled for access to the SmartCloud Engage integration and migration site.
– Connect to the FTP site.
– On the remote site, change to the journal directory.
– Select the files that you want and download them.

7.3 Mail data migration

It is not uncommon for customers to start talking about a messaging cloud deployment when they are considering an upgrade or are merging with another company. An organization can simply extend its IBM Notes Domino deployment, securing its return on investment (ROI), with IBM SmartCloud Notes in the hybrid configuration. IBM SmartCloud Notes in the hybrid configuration provides a seamless extension of your IBM Notes Domino environment that respects your current security model, which is unmatched by any other SaaS collaboration provider. The design is a seamless experience for users: they will not know whether their colleagues are working in the cloud or on premises.

The following diagram shows a simplified layout of the IBM Connections Mail in cloud hybrid architecture. This architecture provides you with the ability to quickly register new users in the cloud with new mailboxes and the ability to migrate your own data into the cloud.
Carried out by certified resources such as IBM Software Group Services or Business Partners (or a mix of both), it is possible to migrate gigabytes of data to the cloud and save the costs of administering and maintaining IBM Domino mail and infrastructure systems on premises. Because this cloud service is multi-tenant, it is very important for IBM to confirm that the data being transitioned into the cloud is secure, safe, and not a threat to other organizations using the cloud services. The onboarding process consists of three simple steps that only check the data and do not convert it. A data conversion would affect the data from a legal perspective, and this might not be a preferred scenario for your organization.

Step one is the planning phase of the transition, where we define which user goes into which batch and run an initial analysis to see whether you are ready to onboard your users and their data.
Step two is the phase where data is staged and its quality checked, followed by the transfer to the data center of your choice. IBM lets you choose a data center so that you always know where your data is actually located.
Step three is the moment in time when you activate the accounts in the cloud.

7.3.1 Migration options

IBM SmartCloud Notes provides several options to migrate data, as shown in the following diagram. Keep in mind that any of these offerings can also be used to move data from competitive platforms such as Microsoft Exchange.

Option one (On-Premises Archiving): Do not migrate any data; archive the existing data on a server (on premises or in the IBM SoftLayer cloud) and create a cloud account with a new mailbox. This is potentially the solution that requires the least effort.
Option two (Cloud Archiving): Do not migrate any data; archive the existing data to the Archive Essentials cloud and create a cloud account with a new mailbox. This solution requires a small amount of effort because the administrator must send data to the Archive Essentials data center. The benefit of this solution is that the archive integrates with IBM SmartCloud for Social Business straight from the apps menu, making it very accessible for administrators.

Option three (Fresh Start): Do not migrate any data centrally; instead, have the users run an IBM tool that moves calendar, contacts, and to-dos into the new mailbox. It does not move email data. This solution requires no migration effort from the administrators, but it does require some user activity (a couple of minutes per user). The administrator must tell users how to perform the migration.

Option four (Jump Start) Pilot: Migrate all data for twenty to fifty users with a central migration solution. This migration pilot project sets up the hybrid configuration and includes the creation of the staging environment. One migration batch is run for 20-50 users. The effort from the company administrators is about 5 working days, and no user migration activity is required.

Option five (Migration Jam): Migrate all data for approximately 500 users with a central migration solution. This migration project builds on option four, the pilot project. The effort from the company administrators is potentially a little more than for the pilot. This process does not require user migration activities. There is an option to perform a selective migration where, in this example, you migrate 30 days of data. This can be adjusted if you want 60 or 90 days or something else. The effort involved is the same when you migrate more data; only the time to completion is longer.
Option six (White glove): This is a project approach where the entire solution is tuned to the specific needs of the organization. It can include any of the previous options, fully mixable. You therefore have flexibility such as a full migration for the management team in the organization and 90 days for some others. This approach is very flexible, and the required effort from the administration teams varies with your needs, so the impact on your administration team cannot be stated up front. To determine the time frames, costs, and efforts involved, contact your local IBM Software Group Services representative or an IBM Onboarding Certified Business Partner.

7.3.2 The user experience

To get an understanding of the user experience when connecting to SmartCloud Notes, watch the 5-minute video (linked in the online version of this guide).

Chapter 8. Application integration

This chapter presents how to leverage the services of IBM SmartCloud for Social Business to make user applications more social. It also explores the various ways to easily build applications that can adapt to hybrid environments by leveraging the common development code base of SmartCloud for Social Business. The information in this chapter can help developers who are developing applications with SmartCloud for Social Business.

This chapter covers the following topics:
8.1, "Developing and integrating existing applications into the IBM SmartCloud environment" on page 78
8.2, "Social Business Development Toolkit and SDK" on page 88
8.3, "IBM SmartCloud for Social Business APIs" on page 92

8.1 Developing and integrating existing applications into the IBM SmartCloud environment

The IBM Social Business Toolkit is the single source for developing integrations that leverage IBM SmartCloud for Social Business and IBM Connections.
The toolkit provides a set of extensible tools and resources for developers who want to incorporate social capabilities into their applications and business processes.

8.1.1 Integration steps

Developing an integration with IBM SmartCloud for Social Business consists of four steps: build, test, plan, and release.
1. Build the integrated application. Leverage the Social Business Toolkit to build the integrated application.
2. Beta-test the application with a customer. Work with one of your customers to test the new social application.
3. Contact IBM to build a release plan. Work with the IBM SmartCloud for Social Business team to organize a release and support plan.
4. Publicly release the application. Deploy the application to the public and join the social revolution.

8.1.2 IBM SmartCloud for Social Business integration capabilities

The following capabilities can be used to integrate with SmartCloud for Social Business.

Inside-out integrations:
– Expand the capabilities of IBM SmartCloud for Social Business to include your own offerings.
– Extend the IBM SmartCloud for Social Business interface to include jumping-off points to your functions. Examples: Skype, eXpresso.
– The user interface (UI) extensions in IBM SmartCloud for Social Business allow administrators to add content to the standard user interface.

The following figure shows the SmartCloud for Social Business interface with the start points to your applications.

Outside-in integrations:
– Expand your offering with IBM SmartCloud for Social Business functionality.
– Utilize the functions of IBM SmartCloud for Social Business as an extension of your offerings.
– Embed IBM SmartCloud for Social Business Files functionality natively in your own application.
– Examples: SalesForce, Trilog.
– Leverage the extensive IBM SmartCloud for Social Business API to call the IBM SmartCloud for Social Business services from your application.

The following figure shows an example of how the user experience looks when outside-in integrations are implemented.

8.1.3 Extension framework and User Interface (UI) extensions

The extension framework, together with the UI extensions, allows organizations to make their internal applications more collaborative; these extension points allow administrators to link directly to another cloud or on-premises service or application. Note that these extensions allow users to launch external applications from within the SmartCloud for Social Business UI and also pass information related to the current context to those applications. Because that context (for example, the ID of the file the user is looking at) is passed as request parameters on the extension's URL, configure only HTTPS URLs of applications you trust with that data. The UI extensions in SmartCloud for Social Business allow you to add content to the standard UI in the form of an action link extension. IBM SmartCloud for Social Business allows UI extensions to show up at predefined locations in the UI. Action extensions support receiving parameters as request parameters on the URL specified for the extension. The extension definitions are written in JavaScript Object Notation (JSON) format. This can be done programmatically or through the UI.

8.1.4 Action link extensions

Action link extensions enable organizations to create links to other pages and sites that business users need in order to build a more collaborative, social user experience. Actions are links to other pages that may or may not be hosted on IBM SmartCloud for Social Business servers. An action can appear as a menu entry or a button. Each link also has an associated icon (16 x 16 pixels).

The figure below shows an example of the end-user experience when action link extensions are implemented, where a series of links is provided to the end user within the SmartCloud for Social Business context.
8.1.5 Supported extension points

The following list summarizes the UI extensions that partners can add and manage so that they show up at predefined locations in the UI. The components that can be extended are called extension points.

contact_record: Displays a new link for a contact record in two places: the contact-specific context menu and the contact details page.
person_component: Displays on an IBM SmartCloud for Social Business user's profile page.
company_component: The company's profile page, sometimes referred to as the partner page.
service_menu: Allows a new menu item to show under the list of applications in the navigation bar.
dashboard: Allows a new item to display under the list of links on the left part of the dashboard.
file_menu: Allows a new file menu to be added for a file. The Files service understands a number of file MIME types, and this menu can be shown for all of those MIME types, or for a subset of the MIME types or the format type of the files. This extension displays at the following locations: the file drop-down menu in the files listing on a page; the More Actions drop-down menu in the expanded view of a file on a page; a file details page.
new_file_menu: Displays a new item in the New drop-down menu in Files.

8.1.6 Steps to set extensions manually

Always use the IBM SmartCloud for Social Business administration page to define UI extensions for your organization. Only users with the administrator role can create UI extensions (Administration → Manage Organization → Organization Extensions → Add Extension). Use the following steps to define a UI extension:
1. In SmartCloud for Social Business, click Administration → Manage Organization, as shown in the following figure.
2. In the left navigation area, click Organization Extensions.
3. Click Add Extensions.
4. In the form, in the Service field, select the general area in the UI that you want to extend.
5. In the Extension Point field, select the specific extension point that you want to modify. For information about supported extension points, see Supported extension points above.
6. In the Name field, type the string that you want to display on the menu or button. For consistency with other items, start the name with an action verb such as Edit or Send.
7. In the Description field, optionally type a general description of the UI extension.
8. In the Type field, select Action. Action UI extensions are the only type of extension currently supported in SmartCloud for Social Business.
9. In the Icon URL field, specify the URL of the image that you want to associate with your UI extension. This image is usually your company logo or brand icon. The image cannot be larger than 16 by 16 pixels.
10. In the URL field, type the URL of the web page that you want to link to when users click your menu option or button.
11. In the Tool tip field, type the text that you want to display when users hover their cursors over the menu option or button. Tool tips are also known as alternate text and are required for accessibility purposes.
12. Select whether to enable your UI extension. If you are simply testing, do not select this option.
13. Select whether to open the URL that you specified earlier in a new browser window. If selected, use the New Window Features section to specify any customized options that you want for the new window. If you do not select to open the URL in a new window, the browser redirects to the new URL in the same window.
14. Click Save.
8.1.7 Steps to set extension definitions and import them using JavaScript Object Notation (JSON)

If you need to define extensions in a more automated way than manually, use the following procedure. When defining multiple user interface (UI) extensions, you can import a JavaScript Object Notation (JSON) extension configuration file instead of defining the extensions individually. The following steps create a sample JSON configuration file in which you define your extension points, and then import the file back into SmartCloud for Social Business.
1. In SmartCloud for Social Business, click Administration → Manage Organization.
2. In the left navigation area, click Organization Extensions.
3. Click Add Extensions.
4. Follow the steps in 8.1.6 to define two or more dummy extensions. Be sure to clear the Enable this extension option for each dummy extension that you create.
5. Above the form, click More Actions → Export All.
6. Save the JSON file to your local computer. By default, the file is named Extension.json. A sample file is depicted in the figure below.
7. Edit the JSON file with the set of UI extensions that you want to define. If you exported disabled dummy extensions as described above, be sure to set enabled to true if you want to enable the extensions.
8. Switch back to the Add Extensions page in SmartCloud for Social Business.
9. Above the form, click More Actions → Import.
10. Browse to the JSON file and click Import.

Example: The following figure shows a sample configuration file in JSON. A JSON file like this one always has two primary parts: keys and values. Here "add_signature_extension" is the name of the extension being created, "type" is the key, and "action" is the value (it could also be "content").
Apart from the extension object depicted in the example extension configuration file, there are other fields. Some are listed here:

app_identifier (Required): The unique identifier for the extension. This identifier is assigned by the SmartCloud for Social Business development team.
text (Required): The string or application description of the extension.
type (Required): The type of extension. The value is either action or content.
URL (Required): The URL for the extension. The URL is displayed in an iframe in the case of content extensions. Variables for request parameters are named as follows: ${parameter_name}.
Note: When a partner application is invoked, the context of the extension is important. Because of this, SmartCloud for Social Business provides a mechanism where the context information is embedded in the URL in the form of extra parameters. For example, the file menu sends the file ID as an extra piece of information in the URL, so that the partner application can read this information and act on it.
icon: The URL for the image that is displayed before the action-extension link.
required_params: The list of parameter names that must be sent to the extension for it to be displayed.
scrolling: Specifies scrolling for the iframe. The default setting is auto.
enabled (Required): Specifies whether or not the extension is enabled. This setting is used by the SmartCloud for Social Business development team to control which server the extension is deployed on.
extends (Required): A list of the extension points that this extension extends. These are identifiers for the pages on which the extension will appear; see 8.1.5, Supported extension points.
new_window: Specifies whether or not the link in an action extension should be opened in a new window. The window.open call is used to open the new window.
window_name: The second parameter to the window.open call. The new_window field must be set to true.
window_features: The third parameter to the window.open call. Specifies which features are set for the new window, for example "height=300, width=250".
file_menu: This parameter is only applicable for definitions that extend file_menu. The file_menu extension is applied only to objects of the specified MIME type.

8.1.8 OAuth for API access

OAuth is an open, freely implementable methodology for API authorization (www.oauth.net). OAuth provides a way for a third-party application to interact with an API on a user's behalf without knowing the user's authentication credentials. The SmartCloud for Social Business Partner Platform mandates that all partner applications use OAuth to call SmartCloud for Social Business APIs. SmartCloud for Social Business currently supports both OAuth 1.0a and 2.0. OAuth 1.0a is the default version. Note that OAuth 2.0 is not backwards compatible with previous versions of OAuth. For more information, including access to the specifications, see http://oauth.net/.

Differences between OAuth 1.0a and OAuth 2.0

The major differences between the two in the context of SmartCloud for Social Business are summarized as follows:
– A callback URL must be registered. This is important because SmartCloud for Social Business sends confidential and sensitive information, such as the authorization code, to this URL.
– Consumer Key and Consumer Secret have a new name and concept: Client Id and Client Secret. The Client Secret shared with partner apps is no longer encrypted.
– No more Request Token: the step to obtain a request token has been eliminated.
– No more signatures: the credentials and other keys such as the Access Token are shared with partner apps in non-encrypted form, and requests no longer need to be signed. This makes TLS on every request the only protection for the access token, so it must never be sent over plain HTTP.
– Long-lived Refresh Token: the concept of a long-lived Refresh Token (3 months by default) is introduced.
OAuth 1.0a APIs for web server flow

The flow takes place in the following steps:
Step 1: Register your application. Each application that makes API calls must be registered with IBM SmartCloud for Social Business. The registration is a one-time process.
Step 2: Get a request token. When the IBM SmartCloud for Social Business resource owner (sometimes referred to as the user) visits the application, the application server sends an API call to the SmartCloud for Social Business server so that it can access content on behalf of the resource owner.
Step 3: Obtain authorization. Authorization is required to access content that belongs to IBM SmartCloud for Social Business resource owners. The authorization process is browser based and must be initiated by the resource owner.
Step 4: Get the access token. In this step, the request token is exchanged for an access token. The access token expires after 10 hours.
Step 5: Make the API call. Now that the access token has been generated, the final step is to make the actual API call, as shown in the following image.

OAuth 2.0 APIs for web server flow

The OAuth provider in IBM SmartCloud for Social Business defines two endpoints for applications that want to use the OAuth 2.0 web server flow. The OAuth client uses these endpoints to obtain authorization and tokens during the OAuth flow. To access the endpoints, you must provide the credentials and tokens:

AuthorizeUrl_v2=/manage/oauth2/authorize
AccessTokenUrl_v2=/manage/oauth2/token

The web server flow takes place in the following order:
Step 1: Register the application. Each application that makes an API call must be registered with IBM SmartCloud for Social Business. SmartCloud for Social Business registers this new application (called Internal App) and hands out the OAuth credentials. The registration is a one-time process.
Step 2: Obtain an authorization code.
The authorization check is a browser-based operation in which resource owners log in and grant the application access to their IBM SmartCloud for Social Business data.
Step 3: Exchange the authorization code for access and refresh tokens. After resource owners are authenticated and have granted access, the application exchanges the authorization code for an access token and a refresh token. Each token is associated with a single user (also called a subscriber) and a single application that wants to access protected resources in IBM SmartCloud for Social Business.
Step 4: Use the access token for API access. Now that the access token is available, you can make the API call. Be sure to include the access token in the Authorization header when you invoke the API.
Step 5: Get a new access token after the access token has expired. After the original access token expires, the application uses the refresh token to get a new access token. With the new access token, it can again access the protected resources on IBM SmartCloud for Social Business.

The following image shows a graphical view of the OAuth 2.0 web server flow within SmartCloud for Social Business.

8.2 Social Business Development Toolkit and SDK

The Social Business Toolkit is a set of extensible tools and resources for developers who want to incorporate social capabilities into their applications and business processes. Social capabilities include features and functionality that tap into the power of social interactions, business networks, community-based problem solving, and more. The Social Business Toolkit is evolving in parallel with the IBM Social Business Framework, a strategic model for a unified work experience across the IBM Collaboration Solutions product portfolio.
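Going back to the OAuth 2.0 web server flow in 8.1.8, the following Python class is an added example, not code from the guide, from the Social Business Toolkit or from IBM. It walks steps 2 to 5 against the two endpoint paths the guide gives (/manage/oauth2/authorize and /manage/oauth2/token). The parameter names follow RFC 6749 (response_type, redirect_uri, grant_type, refresh_token) and the API call uses a Bearer Authorization header; both are assumptions to check against the SmartCloud API reference, which may use its own names. The base URL, client credentials, callback URL and the HTTP transport are placeholders, and the transport is injectable so the flow can be exercised without a network. The state parameter is not mentioned in the guide; it is the standard OAuth 2.0 defence against an attacker getting your application to exchange an authorization code of their choosing, and it matters here precisely because, as the differences list notes, nothing in OAuth 2.0 is signed.

```python
"""Added example, not code from the guide, the Social Business Toolkit or
IBM: the OAuth 2.0 web server flow of 8.1.8 against the two endpoints the
guide names. Parameter names follow RFC 6749 and the API call uses a Bearer
Authorization header; verify both against the SmartCloud API reference,
which may use its own names. Base URL, client credentials, callback URL and
the HTTP transport are placeholders; the transport is injectable so the
flow can be exercised without a network."""
import json
import secrets
import time
import urllib.parse
import urllib.request

AUTHORIZE_PATH = "/manage/oauth2/authorize"   # AuthorizeUrl_v2
TOKEN_PATH = "/manage/oauth2/token"           # AccessTokenUrl_v2

def query_params(url):
    return dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))

def post_form(url, fields):
    """Default transport: HTTPS POST of a form body, JSON reply.
    urlopen verifies the server certificate by default; keep it that way,
    the client secret and tokens are in these requests."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

class OAuth2Client:
    def __init__(self, base_url, client_id, client_secret, redirect_uri,
                 transport=post_form, clock=time.time):
        if not (base_url.startswith("https://") and redirect_uri.startswith("https://")):
            raise ValueError("codes and tokens are unsigned bearer values: https only")
        self.base_url = base_url.rstrip("/")
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = redirect_uri     # must match the registered callback URL
        self.transport = transport
        self.clock = clock
        self.access_token = None
        self.refresh_token = None
        self.expires_at = 0.0
        self._pending_state = None

    def authorization_url(self):
        """Step 2: where to send the resource owner's browser. state is an
        unguessable single-use value tied to this client session; without it
        an attacker can make the callback deliver a code of their choosing."""
        self._pending_state = secrets.token_urlsafe(32)
        query = urllib.parse.urlencode({
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "state": self._pending_state,
        })
        return "%s%s?%s" % (self.base_url, AUTHORIZE_PATH, query)

    def handle_callback(self, callback_url):
        """Step 3: validate the callback, then exchange the code for tokens."""
        params = query_params(callback_url)
        if self._pending_state is None or not secrets.compare_digest(
                params.get("state", ""), self._pending_state):
            raise ValueError("state mismatch: callback is not for our authorization request")
        self._pending_state = None                 # single use
        if "error" in params:
            raise RuntimeError("authorization refused: " + params["error"])
        self._store(self.transport(self.base_url + TOKEN_PATH, {
            "grant_type": "authorization_code",
            "code": params["code"],
            "redirect_uri": self.redirect_uri,
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        }))

    def _store(self, reply):
        self.access_token = reply["access_token"]
        self.refresh_token = reply.get("refresh_token", self.refresh_token)
        # renew 30 s early rather than race the server-side expiry
        self.expires_at = self.clock() + float(reply.get("expires_in", 0)) - 30

    def refresh(self):
        """Step 5: get a new access token with the long-lived refresh token."""
        if not self.refresh_token:
            raise RuntimeError("no refresh token; the resource owner must authorize again")
        self._store(self.transport(self.base_url + TOKEN_PATH, {
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token,
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        }))

    def auth_header(self):
        """Step 4: the header for every API call, refreshed when expired."""
        if self.access_token is None:
            raise RuntimeError("not authorized yet")
        if self.clock() >= self.expires_at:
            self.refresh()
        return {"Authorization": "Bearer " + self.access_token}
```

Store the refresh token with the same care as the client secret: with its three-month default lifetime it is a standing credential for that subscriber's data, and revoking it means the user has to go through the authorization step again.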
The Social Business Toolkit SDK (SBTSDK) can be run on Java-based application servers such as WebSphere Application Server, WebSphere Portal, IBM Domino, and Apache Tomcat, and it contains and supports the tools and resources shown in the following figure.

8.2.1 How to obtain the Social Business Toolkit SDK

To use the SDK in your applications, download and install the SDK from OpenNTF at http://ibmsbt.openntf.org. The Social Business Toolkit SDK is an OpenNTF project and is available under the Apache License V2.0. All other aspects of the project, including contributions, defect reports, discussions, feature requests, and reviews, are subject to the OpenNTF Terms of Use, available at http://openntf.org/Internal/home.nsf/dx/Terms_of_Use. A built version is distributed on OpenNTF at http://ibmsbt.openntf.org. Source code is available at https://github.com/OpenNTF/SocialSDK.

8.2.2 Social Business Toolkit SDK installation and configuration

See Appendix A, "Installing the Social Business Toolkit SDK development environment" on page 173 for the installation and configuration steps for the Social Business Toolkit SDK.

8.2.3 Tools to aid development

The Social Business Toolkit SDK includes the following tools to help you develop social business applications:
API Explorer: A utility to learn about and experiment with SmartCloud for Social Business APIs without writing any code.
SBT Playground: A web-based live demonstration of the JavaScript and Java APIs that are exposed by the SDK. The Playground contains a large set of code snippets and examples that you can customize and use in your own applications.
SBTK Sample Application: Sample application, complete with full source code, to see how the toolkit works and get you off to a running start.

SmartCloud for Social Business Developers Community: This community is designed to allow developers to interact and ask questions. It is monitored by SmartCloud development and is frequented by other developers like yourself.

SmartCloud for Social Business Wiki: Wiki that provides help and support for using and administering SmartCloud for Social Business.

8.2.4 Social Business Toolkit API Explorer

The Social Business Toolkit API Explorer offers two API explorer environments to help developers quickly understand and try the APIs that are available for building social applications:

One API Explorer is designed for cloud developers who want to experiment with the APIs that are available with IBM SmartCloud for Social Business.

The other API Explorer is built specifically for on-premises developers who want to try the IBM Connections APIs that are hosted on IBM Greenhouse.

Use the API explorers to make API calls, see the responses to those calls, and access the documentation for those APIs, all within a single interface. The goal of the API Explorer is to help developers quickly understand and try APIs that are available in the cloud for building social applications. The API Explorer application is hosted on IBM® Greenhouse, but the APIs are wired to the deployed version of SmartCloud for Social Business.

Requirements for using the API Explorer

To use the API Explorer, you must already have a valid account in the SmartCloud for Social Business environment. The credentials that you specify depend on the authentication type that was set up for your account. For basic authentication, use your ID and password. For OAuth 1.0a, use your consumer key and password. For OAuth 2.0, use your client ID and password.
Accessing and using the API Explorer

Do the following steps to use the API Explorer:

1. Navigate to the API Explorer application on IBM Greenhouse.
2. Click Log in in the top right corner.
3. In the window, select your SmartCloud for Social Business environment and authentication type, and then provide your credentials. Click Log in.
4. Use the navigation on the right to locate the API call that you want to try.
5. To make an API call using that method, specify values for the method parameters, and click Execute API.
6. Click the Response tab to see the response of the API call.
7. For additional documentation about each API, including parameter details, click the Documentation tab.

The IBM Greenhouse-based API Explorer provides a quick overview of SmartCloud for Social Business APIs and sample code, and lets you test and try the APIs with no coding. Use the URL https://greenhouse.lotus.com/llapiexplorer/ to access the IBM Greenhouse-based API Explorer.

8.2.5 API reference

Documentation, samples, and use cases are available to help developers who want to build social applications and learn about SmartCloud for Social Business APIs. The API reference is located in the Social Business Development wiki, but sometimes you are referred to API documentation in other product wikis, for example, the IBM Connections wiki. Note that you can access the documentation in the API Reference directly from the API Explorers described above.

8.3 IBM SmartCloud for Social Business APIs

Any application can call SmartCloud for Social Business APIs to use its services. The service APIs allow an application to do something useful and integrate itself with IBM SmartCloud. Although aspects such as authorization are fairly fixed and standard, the service API is where an application’s value comes from, because innovation, creativity, utility, and how well the application integrates can differentiate it from other applications.
The following sections go into these details. The following are some key aspects of IBM SmartCloud for Social Business APIs:

APIs are available for developers who are creating applications that integrate social capabilities, features, and functionality.
OAuth is a protocol that provides a way for third-party applications to interact with an API on a user’s behalf without knowing the user’s authentication credentials. The SmartCloud for Social Business APIs use the Open Authorization (OAuth) protocol for authentication and authorization.
REST APIs are available for most SmartCloud for Social Business services.
The Atom Publishing Protocol is used for most of the APIs; SmartCloud for Social Business widely uses Atom in its APIs. Objects are described as Atom entries, and lists are described as Atom feeds.
APIs typically return responses in standard formats (XML, JSON).
API response codes are set depending on whether the API call was successful.

8.3.1 Categories of APIs

The APIs can be broadly classified and grouped in the following categories:

Communities API
Files CMIS API
Meetings API
OpenSocial REST APIs
– Contacts API
– Profiles API

8.3.2 API standards supported

The following API standards are supported by the SCSB service APIs:

Content Management Interoperability Services (CMIS) APIs: This standard defines a domain model, web services, and RESTful AtomPub bindings. The focus is mostly on portability across different content management repositories. Multiple commercial vendors support the CMIS standard. The SmartCloud for Social Business Files APIs conform to the CMIS standard (version 1.0).

OpenSocial REST API: This is the common API for social applications across multiple websites. SDK releases help manage differences between the OpenSocial and XML APIs.
SmartCloud for Social Business follows this standard for describing user-specific data, such as the Profile APIs and Contact APIs.

8.3.3 Examples of various APIs by category

Here is a list of some of the APIs grouped under their categories:

8.3.4 JavaScript API services

These are JavaScript wrapper (helper) APIs for the IBM Social Platform and a collection of reusable JavaScript controls. They use existing libraries (Dojo, jQuery) under the covers but expose a library-agnostic API. They can be classified as follows:

High-level JavaScript APIs currently cover a subset of the following services:
– IBM Connections
• Activity Streams
• Communities
• Files
• Profiles
• Search
– IBM SmartCloud
• Communities
• Files
• Profiles
– UI Grids: helpers for constructing reusable UI controls for Connections data.

Low-level APIs: APIs that can be used as utilities (directly or by the high-level APIs) or to extend the SDK.
– XML parser, XPath engine, JSON and String helper utilities for parsing various data formats
– BaseService, BaseEntity, Endpoint
– Authenticators (helpers for authentication-related tasks) and more.

Security
• Basic Authentication
• OAuth 1.0a
• OAuth 2.0

The following figure shows how the JavaScript snippets would be coded and tested using the IBM Greenhouse SBT Playground.

8.3.5 Key concepts of the Java API

The Java API has two key concepts, Endpoints and Services with Entities:

Endpoints: The Endpoints provide an abstraction around the connection to a service provider and isolate application code from the details of the deployment.

Services and Entities: Services, along with Entities, isolate application code from the details of the Social Platform REST API. These are part of the common pattern across the SDK JavaScript and Java APIs.

The following figures show Endpoints, Services, and Entities at play, demonstrated by using a JavaScript code fragment.
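The same Endpoint, Service and Entity pattern, as an added example in Python that is not the SBT SDK's code: the class names mirror the concepts in 8.3.5, but the interfaces, the feed path and the Atom feed itself are assumptions constructed for this illustration rather than the SDK's real API. It also shows the Atom convention from 8.3 (a list comes back as a feed, each object as an entry) and the response-code rule, since the Service refuses to parse a body unless the status says the call succeeded.

```python
"""Endpoint / Service / Entity pattern over an Atom feed.

Added example, not the SBT SDK's own classes: the names mirror the concepts
in 8.3.5, but every interface here is an assumption, and SAMPLE_FEED is a
constructed feed that only resembles a SmartCloud Communities response.
"""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"

# Constructed Atom feed: two community entries, as a "list" response would carry them.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>My Communities</title>
  <entry>
    <id>urn:lsid:example.com:communities:1001</id>
    <title>Cloud Security Guild</title>
    <author><name>Alice Example</name><email>alice@example.com</email></author>
    <updated>2014-03-01T10:15:00Z</updated>
    <link rel="alternate" href="https://cloud.example.com/communities/1001"/>
  </entry>
  <entry>
    <id>urn:lsid:example.com:communities:1002</id>
    <title>Release Planning</title>
    <author><name>Bob Example</name><email>bob@example.com</email></author>
    <updated>2014-02-20T08:00:00Z</updated>
    <link rel="alternate" href="https://cloud.example.com/communities/1002"/>
  </entry>
</feed>
"""


class Endpoint:
    """Abstracts the connection: base URL, credential header and transport.

    The transport is injected so the example runs offline; a real endpoint
    would issue an authenticated HTTPS request here.
    """

    def __init__(self, base_url, auth_header, transport):
        self.base_url = base_url
        self.auth_header = auth_header    # e.g. "Bearer <token>" or a basic-auth value
        self.transport = transport        # callable(url, headers) -> (status, body)

    def get(self, path):
        url = self.base_url.rstrip("/") + "/" + path.lstrip("/")
        return self.transport(url, {"Authorization": self.auth_header,
                                    "Accept": "application/atom+xml"})


class Entity:
    """Wraps one Atom <entry>; callers never touch the XML."""

    def __init__(self, element):
        self._e = element

    def _text(self, tag):
        node = self._e.find(ATOM + tag)
        return node.text if node is not None else None

    @property
    def id(self):
        return self._text("id")

    @property
    def title(self):
        return self._text("title")

    @property
    def author_email(self):
        return self._e.findtext(ATOM + "author/" + ATOM + "email")

    @property
    def link(self):
        for link in self._e.findall(ATOM + "link"):
            if link.get("rel") == "alternate":
                return link.get("href")
        return None


class ServiceError(Exception):
    """Raised when the service answers with a non-success status code."""


class CommunityService:
    """Hides the REST/Atom details: callers get Entity objects, not XML."""

    def __init__(self, endpoint):
        self.endpoint = endpoint

    def get_my_communities(self):
        # The path is an assumption for this example, not a documented SmartCloud URL.
        status, body = self.endpoint.get("/communities/service/atom/communities/my")
        if status != 200:
            raise ServiceError(f"HTTP {status}")
        root = ET.fromstring(body)
        if root.tag != ATOM + "feed":     # a list must come back as an Atom feed
            raise ServiceError("expected an Atom feed")
        return [Entity(e) for e in root.findall(ATOM + "entry")]


def fake_transport(url, headers):
    """Constructed transport: insists on an Authorization header, serves the sample feed."""
    if not headers.get("Authorization"):
        return 401, ""
    if url.endswith("/communities/my"):
        return 200, SAMPLE_FEED
    return 404, ""
```

Swapping the Endpoint (a different base URL, a basic-auth header instead of a bearer token, a real HTTP transport) leaves the Service and the Entities untouched, which is the isolation the SDK's pattern is meant to give application code.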
Endpoints, Services, and Entities at play, demonstrated by using a JavaScript code fragment.

Chapter 9. Federated identity management integration

This section describes the option of integrating an on-premises federated identity management solution with IBM SmartCloud for Social Business. As shown in the following figure, this option is about integrating an on-premises directory system through single sign-on (SSO) using the Security Assertion Markup Language (SAML) with IBM SmartCloud for Social Business.

© Copyright IBM Corp. 2014. All rights reserved. 97

9.1 What is a federated identity?

A federated identity is a general term that encompasses details regarding how two or more organizations want to share identity information. A federated identity implementation usually consists of a single system, the identity provider (IdP), that authenticates a user and then vouches for the user’s identity to other systems which do not have access to the user’s authentication credentials.

The federated identity is based on a trust relationship between an identity provider and a service provider. The identity provider owns the user identities, controls the authentication of these identities, and provides identity information. This is normally a directory server on the client’s premises, such as Tivoli or Active Directory. The service provider controls access to services, trusts asserted identity information provided by the identity provider, and provides access based on the asserted identity. This is IBM SmartCloud for Social Business.

The most common use of federated identity is Multi-Domain Single Sign On (MDSSO), or more simply, SSO.
In the general case, as a user moves from one domain (web site) to another, the source site provides a token to assert that the user is valid, and the destination site, based on the existence of a previously defined trust relationship with the source, accepts this assertion (after its genuineness is verified) and allows the user access.

Consider what is normally used to log in to IBM SmartCloud for Social Business: your email address and password. Those credentials might be different from those of your existing systems. Having users now use an email address and password could be a problem for those who have been trained to use their ID/PIN combination. To address this concern, SAML can be used as the intermediary. SAML also provides the ability to specify where the user should go inside IBM SmartCloud for Social Business after login.

In the following diagram, you can see that the user authenticates to the company identity provider, then obtains access through the SAML assertion to the user dashboard, and finally to the services themselves, all from the same web browser session.

So, in short, federated identity allows users who are logged on to your company’s system to use the cloud-based services without having to log on again.

One of the advantages of federated identity is that after a system is certain that a user is who he claims to be, the service provider can, in turn, become an identity provider to other service providers. This allows IBM SmartCloud for Social Business, for example, to provide an assertion of identity that allows users to access the component services within IBM SmartCloud for Social Business regardless of where a service is physically located, whether or not it shares the IBM SmartCloud for Social Business domain, or whether, like the email services, it operates using the client’s domain.
Any current or future service (including third-party services) that might be offered as part of IBM SmartCloud for Social Business can be linked in this manner, allowing users to move between them seamlessly. It does not matter which service the user starts his session with, or how he might move around between services, as long as the first authentication came from the user’s primary identity provider: his or her company.

9.1.1 Who initiates the process?

Two flow models exist in federated identity management:

IdP-initiated: This is the identity provider initiated model.
SP-initiated: This is the service provider initiated model.

Normally, the SP-initiated flow model is not available in SAML 1.1 because SAML 1.1 does not support the Identity Provider Discovery Profile. However, SmartCloud for Social Business uses a hybrid version of the SP-initiated flow that allows both SAML 1.1 and SAML 2.0. As a result, the Identity Provider Discovery Profile is not required by SmartCloud for Social Business, and is not implemented.

SmartCloud for Social Business implements the Browser/POST profile that is used in SAML 1.1 and is compatible with the Web Browser SSO profile in SAML 2.0. Other profiles are not supported at this time.

The following outlines describe the two flows:

IdP-initiated
a. The user gains access to your intranet through your organization’s authentication mechanism.
b. The user navigates to a web page on your intranet that contains a link to a SmartCloud for Social Business product such as Engage or IBM Connections.
c. The user clicks the link.
d. The SSO process is initiated. A SAML assertion is sent to the SmartCloud for Social Business endpoint through HTTP POST. If the user has a valid account, access is granted.
e. The user interacts with SmartCloud for Social Business.

SP-initiated hybrid
a. The user navigates to the SmartCloud for Social Business login page.
b. The user clicks Use My Organization’s Login.
c. The user enters the email address that is associated with the user’s account.
d. SmartCloud for Social Business looks up the email address and then redirects the user to your organization’s authentication mechanism.
e. The SSO process is initiated. A SAML assertion is sent to the SmartCloud for Social Business endpoint using HTTP POST. If the user has a valid account, access is granted.
f. The user interacts with SmartCloud for Social Business.

The two-step (SP-initiated hybrid) SSO process from a user perspective is shown here:

9.2 What is SAML?

The Security Assertion Markup Language (SAML) standard defines a framework for exchanging security information between online business partners. It was developed by the Security Services Technical Committee (SSTC) of the standards organization OASIS (the Organization for the Advancement of Structured Information Standards). This document provides a technical description of SAML V2.0.

9.2.1 Why SAML?

There are a number of competing approaches to federated identity, including both proprietary and open standards. Clearly, proprietary standards are inappropriate for SaaS offerings, and among the various alternatives SAML is widely considered the leading choice. In 2007, Gartner, an industry analyst firm, declared SAML 2.0 “the de facto federation standard across industries.”

The federated identity services embedded within IBM SmartCloud for Social Business are provided by Tivoli Federated Identity Manager (TFIM), which has the capability to accept identity tokens in a number of formats, including SAML 2.0, OpenID, and WS-Federation. Thus, a choice existed. SAML 1.1 was chosen over the others due to a combination of factors, including its widespread availability, security concerns raised about some of the alternatives, and ease of implementation for our clients.
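Both flows in 9.1.1 end the same way: the identity provider posts a SAML Response to the service provider's endpoint, and the service provider must decide whether to grant access. What that decision checks is the part the outlines leave implicit, so here it is as an added example that is not IBM's, TFIM's or the SBT SDK's code; it is the kind of validator a dummy service provider built for the end-to-end test in 9.4 would run on the SAMLResponse form field. The issuer, audience, assertion consumer URL, the response XML and the signature placeholder are all constructed. Cryptographic verification of the XML signature is delegated to a caller-supplied verifier (in a real service provider, an XML-DSig library); the code itself checks that the assertion is signed, that the signature references the assertion it sits in, that the time window and audience fit, and that the subject is an email address, which is the subject format 9.5 asks the identity provider to send.

```python
"""Validating a SAML 2.0 Response delivered through the Browser/POST profile.

Added example, not IBM's or TFIM's code. The trusted issuer, audience, ACS
URL, the response template and the signature placeholder are constructed;
cryptographic XML-DSig verification is delegated to `signature_verifier`.
"""
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed response; placeholders let the tests build deliberately bad variants.
RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2014-03-01T10:00:05Z"
    Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-03-01T10:00:05Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    {signature}
    <saml:Subject>
      <saml:NameID Format="{name_format}">{email}</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-03-01T10:00:00Z" NotOnOrAfter="2014-03-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Placeholder signature: the structure is real, the value is not a real digest.
SIGNATURE_BLOCK = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>'
                   '<ds:SignatureValue>constructed-placeholder</ds:SignatureValue></ds:Signature>')


def build_form(issuer="https://idp.example.com", audience="https://sp.example.com",
               name_format=EMAIL_FORMAT, email="alice@example.com", signed=True):
    """Constructed POST body: the SAMLResponse field a browser would submit to the SP."""
    xml = RESPONSE_TEMPLATE.format(issuer=issuer, audience=audience, name_format=name_format,
                                   email=email, signature=SIGNATURE_BLOCK if signed else "")
    return {"SAMLResponse": base64.b64encode(xml.encode()).decode()}


def parse_utc(stamp):
    """SAML timestamps are UTC in the form 2014-03-01T10:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_saml_response(form, trusted_issuer, audience, acs_url, now, signature_verifier):
    """Return the asserted email address, or raise ValueError naming the failed check."""
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    if root.tag != SAMLP + "Response":
        raise ValueError("not a SAML Response")
    if root.get("Destination") not in (None, acs_url):
        raise ValueError("wrong Destination")
    status = root.find(f"{SAMLP}Status/{SAMLP}StatusCode")
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP reported failure")
    assertions = root.findall(SAML + "Assertion")
    if len(assertions) != 1:                       # never pick "the first" of several
        raise ValueError("expected exactly one Assertion")
    assertion = assertions[0]
    if assertion.findtext(SAML + "Issuer") != trusted_issuer:
        raise ValueError("untrusted issuer")
    # The signature must exist, reference this very assertion by ID, and verify.
    sig = assertion.find(DS + "Signature")
    ref = sig.find(f"{DS}SignedInfo/{DS}Reference") if sig is not None else None
    if ref is None or ref.get("URI") != "#" + (assertion.get("ID") or ""):
        raise ValueError("assertion not signed")
    if not signature_verifier(assertion):          # XML-DSig check lives in a library
        raise ValueError("signature invalid")
    cond = assertion.find(SAML + "Conditions")
    if cond is None:
        raise ValueError("no Conditions")
    if now < parse_utc(cond.get("NotBefore")) or now >= parse_utc(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired or not yet valid")
    audiences = [a.text for a in cond.findall(f"{SAML}AudienceRestriction/{SAML}Audience")]
    if audience not in audiences:
        raise ValueError("audience mismatch")
    name_id = assertion.find(f"{SAML}Subject/{SAML}NameID")
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT or "@" not in (name_id.text or ""):
        raise ValueError("subject is not an email address")
    return name_id.text.strip().lower()
```

The order matters: the issuer and the signature are settled before any content of the assertion is trusted, the time window and audience stop a response meant for another service or replayed later from being accepted, and insisting on exactly one signed assertion whose signature reference points at its own ID keeps an unsigned assertion from riding along beside a signed one.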
A federated identity using SAML is supported by a wide range of commonly used directory servers, including:

IBM TFIM and IBM TFIM Business Gateway
Microsoft® Active Directory Federation Services
Novell
Sun Federated Access Manager (formerly Sun Access Manager and Sun Federation Manager)
Computer Associates SiteMinder®
Shibboleth®
And others based on OpenSAML

The identity provider can be set up on premises but also in the IBM SoftLayer cloud as a dedicated customer solution, making a total cloud solution closer than ever before. Because the identity provider is fully customizable by your organization, there are many options to use in the authentication process. For example:

On-premises user names and passwords
RSA tokens
Smart cards
Fingerprints
Iris scans

9.2.2 Identity federation types

SAML does not solve everything, notably in the context of email. The established protocols for POP, IMAP, and SMTP do not support federated identity concepts well. To help overcome these limitations of these older, established mail protocols, CSG is able to adjust your IBM SmartCloud for Social Business environment to offer several federation configuration options:

Non-Federated: An organization in which all subscribers authenticate with a user name and password stored in IBM SmartCloud for Social Business. In this case SAML SSO is not used.

Federated: An organization in which all subscribers must authenticate with their organization’s identity provider. Users cannot change their password inside IBM SmartCloud for Social Business. In this case SAML SSO is used.

Partial-Federated: An organization can have subscribers that are non-federated, federated, or modified-federated. In this case SAML SSO is used, but if and how it is used is set individually for each user.
Modified-Federated: An organization that allows all subscribers to authenticate with a user name and password stored in IBM SmartCloud for Social Business or with their organization’s identity provider. In this case SAML SSO is used, but is optional.

The difference between Modified and Partial is that in a Modified organization all users have the option to use either authentication mechanism at any time. For example, a user clicking through from the company intranet may be automatically signed on using SAML, but going directly to www.collabserv.com from home will be allowed to log in with their user ID and password. Organizations defined as Partial have users who carry one of the explicit designations below, which controls the authentication process for the individual user.

9.2.3 User types

There are three user types:

Non-Federated: These are subscribers that use a user name and password to authenticate directly with IBM SmartCloud for Social Business. These users cannot use single sign-on.

Federated: These are subscribers that will not have a password in IBM SmartCloud for Social Business and must authenticate through their organization’s identity provider. For these users SAML single sign-on is mandatory.

Modified: Subscribers of this type are able to authenticate either with a password stored in IBM SmartCloud for Social Business or through their organization’s identity provider using SAML single sign-on.

The federation type for the organization should be specified at the time the service is initially configured, because it affects the process of user onboarding (for example, federated users will not be asked to supply an initial password), although it can be changed later.

9.3 What you should be aware of

Implementing SSO with IBM SmartCloud for Social Business has a couple of items you should be aware of.
Some technologies are not currently possible; others are when you follow a certain direction:

Note: With ID Vault and Active Directory, using Notes Shared Login (NSL, the Domino policy deployment based solution), not Client Single Login (CSL), which is seen in the IBM Notes client as a separate install option.
With SmartCloud Notes integrated IBM Sametime chat enabled to manage the client configuration.
With IBM Notes 9 and account policies configured against a forms-based on-premises SAML identity provider.
With the latest IBM Sametime client configured against a forms-based on-premises SAML identity provider. For more information, see the Configuring the Sametime rich client for SAML and downloading information source.
With a custom developed authentication module specific to a forms-based on-premises SAML identity provider.
A common SAML implementation is planned for a future release of the mobile applications.

9.4 Preparing for federated identity management

The difficulty of getting your system ready for federated identity management depends on both the state of your system and on your knowledge of and experience with SAML, SSO, LDAP, and related technologies. Before contacting your IBM customer service representative to enable federated identity management, review the following checklist:

1. Choose the version of SAML that you want to use. You can use either SAML 1.1 or SAML 2.0.
2. Choose the type of federation that you want to employ: Federated, Modified, or Partial. See the topic Federated identity management types for more information.
3. Review the IdP-initiated flow model and the SP-initiated hybrid flow model that SmartCloud for Social Business supports. See the topic Federated identity management flow models for more information.
4. Implement SAML on your web server.
5. Retrieve or create the private and public key pair that will be used in digital signatures.
6. Integrate your directory server with your SAML service. Administration is easier if all of your users are on the same directory server.
7. Implement and test the SAML Browser/POST profile in either SAML 1.1 or SAML 2.0.
8. Create a dummy service provider and conduct an IdP-initiated single sign-on test to make sure that everything is working correctly.
9. Create a SAML metadata file to transmit your identity provider metadata to the IBM customer service representative. If you are using SAML 1.1, you have the option of transmitting most of the information in an email or by some other means that you negotiate with the IBM customer service representative. However, in this case you must transmit the public key inside a Java™ keystore.

9.5 Enabling federated identity management

When your system is ready for testing with the SmartCloud for Social Business system, contact an IBM customer services representative.

Before you begin

Before you start the enablement process, review the following list:

1. Implement and test a federated identity management system that uses SAML. Make sure that your system is configured to send the user’s email address as the subject in a SAML assertion.
2. Test your system to make sure that it is configured for the type and flow model that you have chosen. See the topics Federated identity management types and Federated identity management flow models for more information.
3. Complete the checklist in the topic Preparing for federated identity management.

Procedure

To enable federated identity management, send an email to CSG. In the email, request to have federated identity management enabled for your organization. If you already know which version of SAML you are going to use, let CSG know in this email. In addition, CSG needs an email address (test email) that IBM can use when IBM sets up the proof of concept (PoC/test), and you need to be ready to submit the metadata that will be used for the PoC.
An IBM customer services representative will contact you with instructions and provide details of the process. For more information, review this IBM technote.

9.6 Project steps and readiness checklist

Here is a brief outline of the steps and items needed to get federated identity set up. Any of these steps might have to be expanded, in your environment, into a small project to prepare the system. A readiness assessment should be done in advance of planning an implementation of federated identity, following this list.

Are you currently using a directory server, such as TAM or AD, and is your directory server ready to support SAML-based federated identity?

Are your users all using the (or a) directory server? While it is not necessary for all users to be on a consolidated directory, if users are widely distributed over many servers (or some users are not on any), then it will be worth investigating the impact of directory consolidation before trying to set up federated identity.

If you are using multiple directory servers, are any in remote locations that will have slow or unreliable connections to where remote users of IBM SmartCloud for Social Business might be logging in from? If access to a directory in Peru is unreliable from New York, this is not necessarily a problem if the server will be reliably available to employees in Peru. On the other hand, if a server in New York is hard to reach for mobile employees who are on assignment in Peru, it may be preferable not to federate those users. This step can help you determine what federation type you will need to set up.

Are there any reasons (for example, security, network configuration) that would prevent your directory server from being reached from outside the firewall, to provide the necessary service?
If security concerns will prevent your primary directory from being reachable for all the necessary cases, consider mirroring only the necessary data set onto another directory server that can be placed in a position with the necessary access available.

Does the directory server hardware (and network) have the capacity to accept the additional workload?

As the identity provider, your setup should be complete and tested before providing your trust relationship data to IBM. An end-to-end test can be performed by setting up a dummy service provider on spare hardware, either using your existing software (that is, the same directory server) or by downloading and setting up a free implementation from a source such as OpenSAML.

Purchase the necessary certificates. Although self-signed certificates can be used, and are good for testing, browsers react badly to them and can confuse users with dire-sounding warnings and repeated requests to trust the certificate.

Add IBM SmartCloud for Social Business as an allowed service for SAML authorization.

Supply the trust relationship information package to IBM.

Chapter 10. Scenarios

This section presents IBM SmartCloud for Social Business implementation examples:

Service Only: 10.1, “Implementing a new IBM stand alone (Service Only) SmartCloud for Social Business Trial environment”: This scenario demonstrates how quickly and easily an organization can implement a new stand-alone IBM SmartCloud environment. This includes an email platform as well as a collaboration platform.

Hybrid: 10.2, “Implementing an IBM SmartCloud Notes environment with an existing IT Infrastructure” on page 132: This scenario demonstrates how an existing client organization can transform from having a traditional, entirely on-premises IT infrastructure to adopting IBM SmartCloud for Social Business.
User management solution with Active Directory: 10.3, “Implementing a user management solution using Active Directory with an IBM SmartCloud for Social Business environment within an existing IT Infrastructure” on page 160: Potentially applicable to the above deployment options is an example where on-premises Microsoft Active Directory user identity management is integrated with IBM SmartCloud for Social Business.

10.1 Implementing a new IBM stand alone (Service Only) SmartCloud for Social Business Trial environment

In this scenario, we demonstrate how quickly and easily an organization can implement a new stand-alone IBM SmartCloud environment, including a brief overview of some of the features included.

10.1.1 Scenario overview

If you do not have an existing email infrastructure that you want to either migrate from or integrate with an IBM SmartCloud for Social Business environment, then one of the quickest and easiest ways to begin your cloud journey is to use the no-charge trial service. This enables you to create a new SmartCloud for Social Business environment that you can use for 60 days as a pilot and proof of concept to evaluate the service. It is entirely no charge to use and does not require any billing information (for example, a credit card) to set up. The trial reviewer guide is also available, which introduces you to the different features included and helps you get the most from your trial experience.

It should be noted that, by default, the no-charge trial service only lasts for 60 days, after which all of the data is automatically deleted. However, if you know it is likely that you would like your trial to become a production service in the future, then you can also request a customized trial from your IBM Sales Representative. This will enable you to retain your trial environment and associated data for future use when converted to a paid subscription.
If you prefer to start off with a fully functional production account, you can also buy online by clicking Buy Online on the main IBM SmartCloud for Social Business portal: http://www.ibm.com/cloud-computing/social/us/en/planspricing/

Based on the country of choice, you see slightly different information after the following page:

If you were to continue to buy an IBM SmartCloud Engage Advanced package in Europe, you would see:

You then sign in to your IBM account, review the terms, order, and submit the order. To provide you with a reference, we show a “Self Service” implementation with a 60 Day Trial account using IBM SmartCloud Engage Advanced subscriptions.

10.1.2 Implementation

The following steps provide a guide on how to create a trial SmartCloud for Social Business environment and how to access some of the key features:

1. Use a web browser to navigate to the IBM SmartCloud for Social Business website and click 60 Day Trial.
2. Select your country or region from the drop-down menu and click Continue.
3. Enter the requested details and click Submit. Note that the email address you enter in the first two fields should be an existing email account that you want your registration details to be sent to, and it will become your login ID used to access the SmartCloud for Social Business environment. The IBM SmartCloud for Social Business email address you enter in the last field will be the new email address that you use in the SmartCloud for Social Business environment.
4. After you click Submit, you see a new page confirming that your SmartCloud for Social Business environment has been created. However, before you can start using it, you must click an activation link included in a “welcome email” that will be sent to the existing email address that you specified in your registration details.
5. When you receive the welcome email, click the Click here to complete your registration link that is contained within it.
6. The link opens in a new browser page where you must specify the password you wish to use to log in to your SmartCloud for Social Business environment and accept the terms and conditions of usage.
7. After you click Submit, you are presented with the login window for your new SmartCloud for Social Business environment. Enter the credentials you specified as part of your registration to authenticate.
8. After you are logged in, you are presented with the home page:
9. A good place to find lots of useful documentation and guides is the Getting Started section. These include examples of how to perform common tasks and will help you become more familiar with your new SmartCloud for Social Business environment.
10. After you have read the initial documentation, we recommend that you update your profile to ensure all your details are present and correct. This will help others in your SmartCloud for Social Business environment find you.

Note: More information on getting started in your SmartCloud for Social Business environment, including completing your profile and other initial configuration steps, can be found here.

11. Your new SmartCloud for Social Business environment implementation may include an integrated email service called SmartCloud Notes, which is accessed through the Mail link on the SmartCloud for Social Business web page banner. When you first log in to your new SmartCloud for Social Business mail account as the Administrator, you will have received two emails which provide more details of how to use it and how to register additional users.
More information about using SmartCloud Notes is available here. SmartCloud Notes also includes an integrated Instant Messaging tool called Sametime Chat which enables real time collaboration. You can chat interactively with anyone else who is using the Sametime Chat tool. Using Sametime Chat is optional and each user must first enable it through their SmartCloud Notes preferences. Chapter 10. Scenarios 117 When enabled, the Sametime client is automatically integrated into SmartCloud Notes and users can click other users to chat with them. 118 Preparing Your Enterprise for IBM SmartCloud for Social Business More information about using SmartCloud Sametime Chat is available here. 12. An integrated calendar is also provided, accessed similarly using the Calendar link on the SmartCloud for Social Business web page banner: Chapter 10. Scenarios 119 13. The People link on the SmartCloud for Social Business web page banner enables you to manage your own profile details and provides a Contacts manager (address book): The People link also provides access to the directory of all the users in your SmartCloud for Social Business environment. You can use the directory for sending email other users, or to invite them to your network for the purposes of collaborating (sharing updates, documents, etc.). 120 Preparing Your Enterprise for IBM SmartCloud for Social Business Chapter 10. Scenarios 121 More information about using the People tool is available here. 14. The Communities link on the SmartCloud for Social Business web page banner provides access to the Communities tool. Communities is designed to enable people who share a common interest or goal (such as project team) to interact with one another to facilitate communication and collaboration. More information about using the Communities tool is available here. 15. 
The Apps link on the SmartCloud for Social Business web page banner provides access to the sub menu of all the different applications that are included in your new SmartCloud for Social Business environment: 122 Preparing Your Enterprise for IBM SmartCloud for Social Business – Activities is a tool that enables people involved in a project to share information, assign tasks, track progress, and share resources such as files, and bookmarked websites to help facilitate teaming and collaboration on shared goals and objectives. More information about using the Activities tool is available here. – Files is a tool that enables users to easily store, share, and collaborate on files in your SmartCloud for Social Business environment, by uploading a document and sharing it with a team of people or an individual. More information about using the Files tool is available here. – The Files application also provides access to SmartCloud Docs, which is an integrated office productivity suite for creating and editing documents, spreadsheets, and presentations. Not only does it replace the need to have traditional office productivity applications installed on local PCs, but it also enables team to collaborate directly on documents created and stored in your SmartCloud for Social Business environment. Chapter 10. Scenarios 123 More information about using the Docs tool is available here. – Meetings is a tool that provides online meetings, enabling user to either join an existing meeting or host their own and includes both screen and file sharing capabilities. 124 Preparing Your Enterprise for IBM SmartCloud for Social Business More information about using the Meetings tool is available here. – Notebook is a tool for creating simple note documents which is included as part of IBM SmartCloud Notes. – To Do is a task management tool that enables you to create, manage, and track To Do items, including the ability to assign them to other group members to help facilitate team working. 
– There are also a number of additional applications available to download and run locally, which can be accessed through Apps → Downloads and Setup on the SmartCloud for Social Business web page banner. The applications that are available to download are:
– Sametime Chat: As well as using the cloud-based Sametime Chat client that is integrated into SmartCloud Notes, you can optionally use a dedicated desktop-based client. This can either be an existing client that is already installed on a user’s desktop (such as an existing Lotus Notes client) that is configured to work with SmartCloud for Social Business, or you can choose to purchase, download, and install a dedicated Sametime client. Mobile versions of the chat client for Apple and Android devices can also be downloaded from here.
– IBM SmartCloud Notes: The IBM SmartCloud Notes download provides a set of databases that can be used to configure an existing IBM Notes client already installed on a user’s local PC to connect to your IBM SmartCloud for Social Business environment. By default, the download option for IBM SmartCloud Notes is not included in the no-charge trial. However, if you wish to test this functionality as part of your trial, you can request that it be enabled through your IBM Sales representative.
– IBM Connections Desktop Plug-in: There are two different plug-ins that can be downloaded and installed on local desktop machines to provide integration with your SmartCloud for Social Business environment. One is for Microsoft Windows and the other is for Microsoft Office.
The following features are available from the Microsoft Windows plug-in:
• Upload local files from Windows Explorer or from your desktop
• Share uploaded files with people, communities, or folders in IBM Connections
• Work on files locally and publish them to Files, communities, Activities, or Wikis
• View people's contact details and get in touch with them (not available on SmartCloud)
• Pin, follow, or like files and folders
• View or contribute comments for a file
• Lock a file when you are editing it to prevent file conflicts
• View and restore files from the trash
• Share folders with Communities
The following features are available from the Microsoft Office plug-in:
• Add a document to Files or Communities
• Attach a document to an Activity or Wiki page
• Publish a document to a Blog entry
• Search for content in IBM Connections
• Add someone’s profile information into a document
• Add a bookmark from IBM Connections into a document
• Add a URL from a document as a bookmark in IBM Connections
• Add a presentation to Files or Communities
• Attach a presentation to an Activity or Wiki page
• Search for content in IBM Connections
• Add a spreadsheet to Files or Communities
• Attach a spreadsheet to an Activity or Wiki page
• Search for content in IBM Connections
– The Discuss This and Related Community web browser buttons: These are two optional buttons that can be downloaded and installed into the toolbar of your local web browser to provide additional integration functions with SmartCloud for Social Business:
• Discuss This: Enables you to add content from any web page or IBM SmartCloud Connections source to a forum topic by clicking the button in your browser toolbar.
• Related Community: Enables you to share information with members of a community that you already belong to when you find a community that they might also be interested in.
16. If you are logged in to SmartCloud for Social Business with an account that has Administrator privileges, you are also able to use the Admin link on the SmartCloud for Social Business web page banner, which provides access to the administration section of your SmartCloud for Social Business environment. One of the main functions this provides is Manage Organization, which is used to manage the different account customization and security options that are available for your SmartCloud for Social Business environment.

More information about the different Administration settings is available here.

17. One of the main administration functions available from the Admin → Manage Organization link is User Accounts, which is where all user provisioning related tasks are performed, such as adding and deleting users:
18. You can create a new account for a user from User Accounts. This grants them access to your SmartCloud for Social Business environment, including a new email account. To create a new account, simply click Add User Account and then complete the necessary fields.
19. At the end of the Add New User process, a summary window is displayed showing all the details of the new user account you have created.
20. All you then need to do to complete the provisioning of the new user is to provide the user with the details of their new email address, which is also their logon ID, and the password you created for them. They can then log in and start using your SmartCloud for Social Business environment by pointing their web browser to http://www.ibmcloud.com/social and clicking Sign In:

10.2 Implementing an IBM SmartCloud Notes environment with an existing IT Infrastructure

In this scenario, we demonstrate how an existing client organization can transform from having a traditional, entirely on-premises IT infrastructure to adopting IBM SmartCloud for Social Business, including each of the major migration steps.
10.2.1 Scenario overview

This scenario recognizes that many organizations already have an existing IT infrastructure and that starting with a brand new and entirely discrete cloud environment is not a viable option. As such, one of the main purposes of this scenario is to show how it is possible to integrate SmartCloud for Social Business with an existing IT infrastructure by migrating some parts of it to the cloud and retaining other parts of it locally “on premises” where it is appropriate to do so.

Existing (legacy) environment

The example organization that this scenario is based on has an existing IT infrastructure comprised of the components shown in the following figure:

The key components of the existing environment are:
An IBM Domino Mail Server, which hosts the email of the organization’s users. In our scenario, there is only a single mail server, but the migration approach that will be used applies equally to one or multiple servers.
An IBM Domino Mail Hub server, which would be used for routing email between multiple IBM Domino servers (typically those in different regions) and other IBM Domino domains.
An IBM Domino Directory server, which would be the administration server of the IBM Domino domain and the replication hub server for the Domino Directory itself.
An Active Directory Federation server, which provides directory services such as LDAP-based user authentication.

New (target) environment

The example organization this scenario is based on implements the new environment shown in the following figure, which comprises a mix of on-premises and SmartCloud for Social Business based infrastructure:

The key components of the new environment are:
The existing on-premises IBM Domino hub and directory servers will be retained. This is optional, but it is done in this scenario to show how clients with large existing IBM Domino infrastructures can retain some parts of their IBM Domino environment locally should they want to.
The Active Directory (AD) Federation server will also be retained on premises, but a new IBM SmartCloud Integration client will be added to enable directory data to be synchronized with the IBM SmartCloud for Social Business environment. This allows users to use their existing AD credentials for authentication both locally and in the SmartCloud for Social Business environment.
A new IBM Domino server will be deployed in the organization’s local DMZ network to provide native IBM Domino integration between the existing IBM Domino servers and the new SmartCloud for Social Business IBM Domino servers, such as replication and mail routing performed using Notes Remote Procedure Call (NRPC).
The IBM Domino mail server will be located in the SmartCloud for Social Business environment, which users will be able to access by using either an IBM Notes client installed on their local PC within the organization’s network or a web browser running on a PC anywhere. These mail servers will have native IBM Domino connectivity (that is, using NRPC) to the existing IBM Domino servers located on premises through the new IBM Domino Pass Thru server.
New IBM Domino Mail Hub and Directory servers will be located in the SmartCloud for Social Business environment. These will provide mail routing and replication plus IBM Domino directory synchronization capabilities between the existing on-premises IBM Domino servers and the SmartCloud for Social Business environment.
New IBM Traveler servers will be located in the SmartCloud for Social Business environment and will provide users access to their email, calendar, and contact data from mobile smartphone and tablet devices.
A new integration and migration service will be included in the SmartCloud for Social Business environment that interacts with the on-premises IBM SmartCloud Integration client to provide Active Directory and LDAP integration services with the existing environment.
The new SmartCloud for Social Business environment will include all of the new SmartCloud for Social Business provided tools and services needed to become a social business, such as Communities, Activities, Docs, Meetings, Files, and so on.

10.2.2 Setting up the SmartCloud Notes Hybrid configuration

Network connectivity and preparation

To successfully use directory synchronization, we have set up the SmartCloud Notes Hybrid configuration. To make the setup a success, we prepared our network and opened the following ports on our firewalls. The following table shows what is necessary for a SmartCloud Notes Hybrid deployment:

Port | Source | Target | Description
1352 outgoing | Notes Clients | notes.ce.collabserv.com or notes.jp.collabserv.com or notes.na.collabserv.com | Mail file access for replication, sending and receiving of email.
1352 outgoing | All Domino Servers | notes.ce.collabserv.com or notes.jp.collabserv.com or notes.na.collabserv.com | Free and Busy time lookups for cloud-based users and NRPC mail routing from on-premises users.
1352 incoming | Domino Pass thru Servers (DMZ) | All Domino Servers | NRPC mail routing from cloud-based users, directory synchronization from SCN directory sync servers to on-premises directory sync servers, and Free and Busy time lookups from cloud-based users to on premises.
1352 outgoing | Domino Pass thru Servers (DMZ) | notes.ce.collabserv.com or notes.jp.collabserv.com or notes.na.collabserv.com | NRPC mail routing and directory synchronization to SCN servers and to cloud-based users.
1352 incoming | Domino Pass thru Servers (DMZ) | notes.ce.collabserv.com or notes.jp.collabserv.com or notes.na.collabserv.com | NRPC mail routing from cloud-based users, directory synchronization from SCN directory sync servers to on-premises directory sync servers, and Free and Busy time lookups from cloud-based users to on premises.

Note: For a more complete table, check Cheat Sheet: Firewall Settings for IBM SmartCloud Engage Advanced.

In the following sections, we walk you through the steps to establish directory synchronization and set up a SmartCloud Notes Hybrid environment.

10.2.3 SmartCloud Notes Hybrid setup

To set up the SmartCloud Notes Hybrid environment, we logged in to IBM SmartCloud for Social Business and completed the following:
1. At the top right, we clicked Admin → Manage Organization. (Administrative privileges were required.)
2. We clicked IBM SmartCloud Notes in the left-hand menu, then clicked Account Settings.

Selecting Hybrid

You are now asked to select or deselect the option to set up your account in the hybrid configuration. This is a critical step in the setup process. If you select to set up a hybrid environment and want to use a Service Only configuration later on, you need IBM support staff to clean up your cloud environment. This can take several working days, and all information will be lost.

To take advantage of a hybrid environment and directory synchronization, select (tick) the Hybrid Environment option, click Set Up My Account, and click Continue to progress to the hybrid configuration steps.

Pre-configuration test tool

To run the pre-configuration test, we downloaded the Pre-configuration Test Tool from the menu on the left-hand side to verify our environment. In the Test Options section, you see the option to skip the group scan.
If you have large numbers of groups in your Domino Directory, the actual group scan might take a considerable amount of time before the test completes. We left it deselected, so a group scan was run.

Directory Sync Servers

By going to Admin → Manage Organization → IBM SmartCloud Notes → Directory Sync Server, Add Domino Directory, we started configuring the hybrid setup. On the Directory Sync Server Configuration page, we entered the Dir01 server and the names.nsf database. We clicked Save to save the configuration changes.

Mail Routing hosts

We defined Hub01/RBK as our one and only NRPC mail router system. At least one server is required. For high availability and disaster recovery scenarios, set up two systems. You can use existing ones. More than two servers are not possible. Using different Domino domains for mail routing is an option.

Mail Server Base Name

We chose the base name “CloudMailServer” for the servers that IBM will set up for us in the SmartCloud Notes environment.

Pass-thru domains and servers

We entered the details displayed below to set up the pass-thru environment.

Certifier ID file

We created the ID file and uploaded it to SmartCloud Notes by clicking Certifier ID File in the left-hand menu. We then clicked Browse to browse to the actual ID file, entered our ID file password, and clicked Upload.

Enable the account

The last step was to confirm our entries and activate the hybrid account by clicking Enable My Account. At this time, the service attempted to run the initial directory synchronization and received the address book that we specified in the Directory Sync Server setup step. This took about 1 hour to complete.

Domain Configuration tool

To download the tool, we clicked the Domain Configuration Tool link in the left-hand menu and accepted the terms. We then clicked Continue to open the downloaded file, followed by clicking Begin pre-configuration test. The tool showed some informational messages such as “No problems found”, which were of course fine. To get an overview of the required changes in our local address book, we clicked Begin configuration report. To make the required changes to server, location, connection, and group documents, we clicked Configure servers. Next was the verification of the internet domain.

Internet Domain verification

The “verifying internet domains” page on the wiki showed us how to validate the internet domain for the ibm-redbooks organization. We clicked Verify Ownership to start validating the domain. This message shows that it was validated:

After this domain was verified, we removed the CNAME record we created earlier.

Issuing the vault trust certificate

1. Open the IBM Notes Domino Administrator client, click the Configuration tab, and click Manage... under ID Vaults.
2. Click Next.
3. Click Add or Remove...
4. Select the organization and click Add.
5. Click OK.
6. Click Next.
7. Click Configure.
8. Browse to the certificate file for that organization and click OK. Enter the password for that ID.
9. Click Done.
10. Verify that the Vault Trust Certificate was issued: locate it on the Configuration tab by expanding Security → Certificates → Certificates, and then expanding Vault Trust Certificates. The actual document creation can take a few minutes. Allow time for the document to appear.

For more details about these steps, see Exercise 1.14: Issuing vault trust certificate.

Validating the setup

When this configuration is complete, the IBM SmartCloud Notes service can initiate a series of tests that validate the configuration and synchronization of directory content. To start the configuration test, click Run Tests under the Configuration Test menu item.

The following figure shows test 1 of 6:
The following figure shows test 2 of 6:
The following figure shows test 3 of 6:
This error message is not a concern, because this is an example of an initial deployment phase of the hybrid configuration where no ID file could yet have been uploaded to the environment.
The following figure shows test 4 of 6:
The following figure shows test 5 of 6:
The following figure shows test 6 of 6:
At this step the hybrid configuration is successful and complete.

10.2.4 Mail Managed Replica

As a minimum, we have made sure to set the following parameters in the notes.ini of the IBM Notes clients (to support the managed replica deployment and achieve maximum IBM Notes client performance):
CacheMail=3 (Create the managed replica if a local replica does not already exist.)
OutgoingMailSendThreshold=1 (Set the mail threshold to 1. This means that every time a new message is deposited in the local mailbox, it is immediately sent to the server.)
ReplicateOnNewMail=1 (Replicate new mail from the server every time we detect that new mail has been delivered. This is crucial in keeping the cache “up to date”.)

10.2.5 Manual transition of on-premises IBM Domino user account(s) into SmartCloud Notes without data transfer

This section describes how to transition on-premises user accounts from Domino into SmartCloud Notes using the IBM SmartCloud for Social Business administration console (AdminUI).
The major steps of the transition process are:
Step A: Identification of the on-premises user to be migrated to SmartCloud for Social Business
Step B: User transition process
Step C: Completion of the transition process
Step D: Verify transition

Step A: Identification of the on-premises user to be migrated to SmartCloud for Social Business

Follow these steps to identify the user:
1. Open the Domino Administrator.
2. Click the People & Groups tab.
3. Click People in the left pane.
4. Identify the user. In this case, the user is “Pallavi Singh2”. Note: The mail file of the user points to “Mail01/RBK”, which is the on-premises mail server.

Step B: User transition process

To start the transition process, follow these steps:
1. Open the AdminUI as an admin user.
2. Go to Manage Organization.
3. The Administration page opens.
4. Under “System Settings”, click IBM SmartCloud Notes.
5. The “IBM SmartCloud Notes Administration” page opens. Click User Provisioning.
6. The “User Provisioning” page opens. Because the user targeted for transition is “Pallavi Singh2”, enter “singh2” as the search string in the search box.
7. The search results show the user “Pallavi Singh2”. Select the checkbox to the left of the user. Click Provision Selected to start the provisioning process.
8. The “Provisioning Options” page opens. This page lists all the available subscriptions. In this case, the subscription under “Mail” is selected, as the user needs a mail-only subscription. Select the applicable subscriptions for the user, as required. Click Next at the bottom of the page.
9. The Mail template page opens. In this case, the user needs the “Mail9” template. Click the Select link next to the template name to select the template. Click Next at the bottom of the page.
10. The initial password for the user needs to be given. This password is used by the user to log on to the SmartCloud portal for the first time. Click Next at the bottom of the page.
11. The confirmation page opens. It provides a summary of the provisioning options selected in the previous steps. If any changes are required, click Back to return to the previous pages. If no changes are required, click Confirm.
12. The “User Provisioning Requests” dialog opens. The user is listed. Click Request Provisioning to start the provisioning process.
13. The “User Provisioning” completes successfully.

Step C: Completion of the transition process

1. Go to the “User Accounts” page. Search for the user who migrated. The status appears as “Pending”.
2. The user receives an email with instructions to log in to the SmartCloud portal to get activated.
3. The user logs in to the portal using the initial password given.
4. A screen pops up to change the password. Click Continue.
5. The Account information page opens. Review it and click Submit.

Step D: Verify transition

1. As an administrator, go to Domino Administrator.
2. Under the “People & Groups” tab, go to People in the left pane.
3. Check the user.
4. Ensure that the mail file has changed to the cloud mail server. In this case, the user’s mail file has changed to CloudMailServer17/Cloud/RBK, which is the cloud mail server.

10.2.6 Batch transition of multiple user accounts from on-premises IBM Domino user accounts into SmartCloud Notes without data transfer

In “Manual transition of on-premises IBM Domino user account(s) into SmartCloud Notes without data transfer” on page 151, we described how to provision one user in SmartCloud Notes.
You can use Step B (from “Manual transition of on-premises IBM Domino user account(s) into SmartCloud Notes without data transfer” on page 151) to migrate multiple users by selecting multiple users in the process. Using the UI tool to migrate users requires going through a few UI windows. To make the transition even simpler, IBM provides an alternative, convenient non-UI method for transitioning multiple users. This method requires an integration server, an FTP server, and a user-provisioning change file.

Integration server

This enables you to integrate user provisioning with your on-premises administrative environment.

User provisioning change file

This file is a CSV file that contains the details of the users, such as email address, subscription details, first name, last name, initial password, template, and so on. The user provisioning file has a couple of rules that must be followed strictly:

Rule 1: The file name must be in a particular format, for example customerId_sourceId_prv_seqnum.csv, where
– customerId = your Company ID. The administrator can obtain this from the Company Accounts settings page on the SmartCloud for Social Business console.
– sourceId = any unique ID
– prv = must be specified as-is
– seqnum = a unique number for the file.
For the details, see Chapter 7, “User Provisioning, Journaling, and mail data migrations” on page 61.

Rule 2: Contents of the file
The contents of the file have to be in a particular order, as follows:
emailAddress,ACTION,subscriptionId,subscriptionId2,givenName,familyName,language,timeZone,password,altEmailAddress,notesTemplate,notesDN,assignTo,department,jobTitle,country,telephone,mobile,fax,address,suppressInvitation,federationType
Entering all the details is not necessary; at a minimum, you can work with just the email address, subscription details, first name, last name, and initial password. Other details, such as the template, can be specified. If not specified, the default option is taken. For example:
ibm-red.user1@ibm-redbooks.nl,Add,123456789,,IBM-Red,User1,,,passw0rd
All the parameters have to be in this specific order. If a particular option, such as subscriptionId2, must be left out but parameters after it have to be given, then an empty field (a comma) must be left in its place. As in the example above, the last parameter specified is the password; after that, there is no need to mark the remaining parameters with commas. See the attachments section for a sample user-provisioning file. For the details, see Chapter 7, “User Provisioning, Journaling, and mail data migrations” on page 61.

FTP server

The user-provisioning files are uploaded to the integration server using a secure FTP protocol. The same FTP transfer mechanism is also used when downloading the associated results files. After the file has been uploaded successfully, the provisioning is completed. The administrator can go to the IBM SmartCloud for Social Business admin console and view the user accounts. The users appear on the “User Accounts” page with the status “Pending”. This means that the user provisioning attempt has completed. The users receive an email asking them to activate their accounts by logging in to the SmartCloud for Social Business portal. Once a user has logged on for the first time, the status changes from Pending to Active.

10.3 Implementing a user management solution using Active Directory with an IBM SmartCloud for Social Business environment within an existing IT Infrastructure

10.3.1 Extending user identity management from AD to IBM SmartCloud for Social Business

IBM Tivoli Directory Integrator (referred to as TDI hereafter) is a tool for synchronizing data repositories with a special focus on identity data, including directories, databases, and operating system repositories. It is the common interface that is used to generate the CSV files for IBM SmartCloud for Social Business. These files contain the input commands to create, update, or delete accounts in the cloud. These files also contain information about the actual user subscriptions in SmartCloud for Social Business.

This chapter provides an example of how to manage SmartCloud for Social Business accounts by administering an on-premises Active Directory (AD) environment. As indicated by the blue arrow in the figure below, we use the IBM SmartCloud Integration Client to set up the connection between the on-premises Active Directory system and the IBM SmartCloud Integration and Migration site.

We first describe the TDI installation, workspace setup, and project import. The second part of this chapter describes a scenario where we create, update, and delete accounts (or subscriptions) or switch subscriptions for users. To actually replay the scenario, you need basic knowledge of Microsoft Active Directory and IBM Tivoli Directory Integrator.

To make this solution work, we created specific AD groups with a fixed name format such as “smartcloudsubscriptionid_SC_subscriptionname”. Your corporate administrator can access the subscription IDs and names through the Administration Interface (Admin → Manage Organization → Subscriptions). The following figure shows sample subscription IDs:

In this demonstration, we use the following subscriptions and AD group names:

Cloud Subscription Name | Cloud Subscription ID | On-premises AD Group Name
IBM SmartCloud Engage Standard | 200000793 | 200000793_SC_EngageStandard
IBM SmartCloud Notes | 200000796 | 200000796_SC_Notes
IBM SmartCloud Connections | 200003321 | 200003321_SC_Connections
IBM SmartCloud Docs | 200000794 | 200000794_SC_Docs
IBM SmartCloud Traveler | 200000797 | 200000797_SC_Traveler

Using AD this way makes it very easy to manage your cloud subscriptions.
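The change-file rules above (Rule 1 for the file name, Rule 2 for the column order) and the AD group naming convention, tied together in an added Python example that is not part of the Redbook or of IBM's TDI tooling: it derives subscription IDs from AD group names of the form subscriptionId_SC_subscriptionName, writes one positional row in the documented column order, and validates a file name and its rows before the FTP upload. The alphanumeric character classes for customerId and sourceId, the rejection of a user with more than two subscription groups, and the sample users and group names not taken from the table are assumptions.

```python
import csv
import io
import re

# Column order of the user-provisioning change file, as listed in Rule 2.
PROVISIONING_COLUMNS = [
    "emailAddress", "ACTION", "subscriptionId", "subscriptionId2", "givenName",
    "familyName", "language", "timeZone", "password", "altEmailAddress",
    "notesTemplate", "notesDN", "assignTo", "department", "jobTitle", "country",
    "telephone", "mobile", "fax", "address", "suppressInvitation", "federationType",
]
# The minimum a row must carry according to the text.
REQUIRED_COLUMNS = ["emailAddress", "ACTION", "subscriptionId", "givenName",
                    "familyName", "password"]

# Rule 1: customerId_sourceId_prv_seqnum.csv. Alphanumeric IDs are an assumption.
FILENAME_RE = re.compile(
    r"^(?P<customerId>[A-Za-z0-9]+)_(?P<sourceId>[A-Za-z0-9]+)_prv_(?P<seqnum>\d+)\.csv$")
# AD group convention from the scenario: <subscriptionId>_SC_<subscriptionName>.
AD_GROUP_RE = re.compile(r"^(?P<subscriptionId>\d+)_SC_(?P<name>[A-Za-z0-9]+)$")


def parse_filename(name):
    """Return the customerId, sourceId and seqnum encoded in a change-file name."""
    m = FILENAME_RE.match(name)
    if not m:
        raise ValueError(f"{name!r} does not match customerId_sourceId_prv_seqnum.csv")
    return m.groupdict()


def parse_row(line):
    """Parse one positional row. Trailing columns may be omitted (as after the
    password in the Redbook example); omitted columns are simply absent."""
    fields = next(csv.reader([line]))
    if len(fields) > len(PROVISIONING_COLUMNS):
        raise ValueError(f"{len(fields)} fields, but only "
                         f"{len(PROVISIONING_COLUMNS)} columns are defined")
    row = dict(zip(PROVISIONING_COLUMNS, fields))
    missing = [c for c in REQUIRED_COLUMNS if not row.get(c)]
    if missing:
        raise ValueError(f"row for {row.get('emailAddress', '?')!r} "
                         f"lacks required column(s) {missing}")
    return row


def subscriptions_from_groups(groups):
    """Subscription IDs of the *_SC_* groups a user belongs to; other groups are ignored."""
    ids = []
    for group in groups:
        m = AD_GROUP_RE.match(group)
        if m:
            ids.append(m.group("subscriptionId"))
    return ids


def build_row(email, given_name, family_name, groups, initial_password, action="Add"):
    """Emit one change-file row from a user's AD attributes and group memberships.
    The column list carries only subscriptionId and subscriptionId2, so a third
    matching group is rejected here (an assumption, not a documented product rule)."""
    ids = subscriptions_from_groups(groups)
    if not ids:
        raise ValueError(f"{email}: no *_SC_* group membership, nothing to provision")
    if len(ids) > 2:
        raise ValueError(f"{email}: {len(ids)} subscriptions, but a row carries at most two")
    values = {
        "emailAddress": email, "ACTION": action,
        "subscriptionId": ids[0], "subscriptionId2": ids[1] if len(ids) > 1 else "",
        "givenName": given_name, "familyName": family_name,
        "password": initial_password,
    }
    ordered = [values.get(col, "") for col in PROVISIONING_COLUMNS]
    # After the last populated column no further commas are needed.
    while ordered and ordered[-1] == "":
        ordered.pop()
    buf = io.StringIO()
    csv.writer(buf, lineterminator="").writerow(ordered)
    return buf.getvalue()


def validate_file(name, text):
    """Check a whole change file before FTP upload: file name, every row, and
    that no email address appears twice. Returns the parsed rows."""
    parse_filename(name)
    rows, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        row = parse_row(line)
        if row["emailAddress"].lower() in seen:
            raise ValueError(f"line {lineno}: duplicate entry for {row['emailAddress']}")
        seen.add(row["emailAddress"].lower())
        rows.append(row)
    return rows


if __name__ == "__main__":
    # Constructed sample: two users and their AD groups (group names from the scenario table).
    users = [
        ("ibm-red.user1@ibm-redbooks.nl", "IBM-Red", "User1",
         ["Domain Users", "200000796_SC_Notes"]),
        ("ibm-red.user2@ibm-redbooks.nl", "IBM-Red", "User2",
         ["200000793_SC_EngageStandard", "200000797_SC_Traveler", "Sales"]),
    ]
    content = "\n".join(build_row(e, g, f, grp, "Chang3Me!") for e, g, f, grp in users)
    print(content)
    print(len(validate_file("RBK001_adsync_prv_1.csv", content)), "rows valid")
```

The file still carries initial passwords in clear text, so the validated output belongs only on the secure FTP path described in the next section.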
You can, for example, simply add a user to the Connections AD group and have that user automatically added to the Connections subscription in SmartCloud.

Tivoli Directory Integrator installation

This TDI installation was completed on a Windows 2008 R2 server. To install and configure the project, you need the TDI binaries and the source files for this scenario. The installation steps are:

1. Download the following parts from IBM Passport Advantage and Fix Central for the installation of TDI 7.1.0 with fixpack 7:
   – CZ9MJML.zip
   – 7.1.0-TIV-TDI-FP0007.zip
2. Download the following files from the attachment section of this document:
   – tdiInstaller.properties
   – smartcloud.xml
   – smartcloud.tdiproperties

Note: The attached files are for your reference only and are NOT supported or maintained by IBM. They are provided to give you an overview and to ease understanding.

3. Copy the downloaded files to the Windows server where you want to install TDI. Choose a location (for example, C:\Sources) for the files.
4. Unzip the CZ9MKML.zip into the sources folder.
5. Open the tdiInstaller.properties file and change the installation location (USER_INSTALL_DIR) to your preferred location. For example:
   USER_INSTALL_DIR=C:\\IBM\\TDI\\V71
6. Save and exit.
7. Start a command prompt (Start → Run → cmd).
8. Change the command prompt location to the folder where you unzipped the CZ9MKML.zip package. For example:
   C:\Sources\CZ9MKML\windows_x86_64
9. Run the following command in the command prompt window, where the argument to -f is the actual location of your tdiInstaller.properties file:
   install_tdiv71_win_x86_64.exe -f
   For example:
   "Install_tdiv71_win_x86_64.exe -f C:\Sources\tdiInstaller.properties"
10. Follow the instructions in the screens up to the last panel and wait until the installation has finished.
11. Unzip the 7.1.0-TIV-TDI-FP0007.zip in the C:\Sources folder.
12. In the command prompt window, go to the USER_INSTALL_DIR\bin folder.
13. Run the following command, where the argument to -update is the location of the fixpack in the unzipped folder:
   applyUpdates.bat -update -clean
   For example:
   applyUpdates.bat -update "C:\Sources\TDI–7.1.0-TIV-TDI-FP0007\7.1.0-TIV-TDI-FP0007\TDI-7.1-FP0007.zip" -clean
14. Check that the fixpack is correctly installed. Run the following command (in the USER_INSTALL_DIR\bin folder):
   applyUpdates.bat -queryreg
   The result should show fixpack 7 (as below).
15. Create a folder “CLOUD” in USER_INSTALL_DIR\.
16. Create a folder “final” in USER_INSTALL_DIR\CLOUD.
17. Create a folder “workspace” in USER_INSTALL_DIR\CLOUD\final.
18. Create a folder “TDISOL” in USER_INSTALL_DIR\CLOUD\final. This figure shows the required folder structure:
19. Add the smartcloud.xml and smartcloud.tdiproperties files to the TDISOL folder.
20. Create a folder named “csvUploads” in the TDI folder:
21. Click Start → All Programs, browse to IBM Tivoli Directory Integrator, open the folder, right-click “Start Configuration Editor”, and select “Run as administrator”.
22. In the pop-up window, select the workspace: the USER_INSTALL_DIR\CLOUD\final\workspace folder. Click OK.
23. The Configuration Editor (CE) opens and shows the overview. Click “Create Tivoli Directory Integrator Project.”
24. Select “Import Configuration File”.
25. Create a new project named “cloud”.
26. From the menu select File → Import, then select Configuration and click Next.
27. Select the smartcloud.xml from the TDISOL folder and click Finish.
28. When the installation has completed, close the Configuration Editor.
29. Open the smartcloud.tdiproperties file and change the highlighted properties to your own configuration:

   ad_changelog_ldap_page_size=
   ad_changelog_ldap_search_base=DC=ibm-redbooks,DC=nl
   ad_changelog_ldap_url=ldap://10.106.40.14:389
   ad_changelog_ldap_use_ssl
   ad_changelog_ldap_user_login=Cloud IntegrationAdmin
   ad_changelog_ldap_user_password=PASSw0rd14
   ad_changelog_sleep_interval
   ad_changelog_start_at
   ad_changelog_timeout
   ad_changelog_use_notifications
   # possible subscription ids
   all_subscriptionIds=200000793,200000796
   # clientId is used to create the csv file – giving the name
   clientId=200031559
   # in some cases a default password is necessary
   defaultPassword=Welkom01
   # the subscriptions which require a password
   passwordRequiredSubscription=200000796
   # a default subscription
   subscriptionId=200000793
   tds_changelog_debug=
   tds_changelog_ldap_authentication_method=
   # folder where the csv files are stored
   uploadLocation=C:\IBM\TDI\cvsUploads

30. Now start the TDI Configuration Editor again.

Project assembly lines

For more information about the possibilities of user ID management (adding, suspending, resuming, updating, or changing “seats”), refer to Chapter 7, “User Provisioning, Journaling, and mail data migrations” on page 61 of this document.

The project contains four assembly lines:
– “runAllSM4B” is the main assembly line (AL).
– “deleteAndChangeSeatSM4B” looks for users deleted from AD (or removed from both SmartCloud groups) and checks whether a user has been moved to a different group.
– “updateSM4B” checks for all new or updated users.
– “seatsOverviewSM4B” generates a list of the users who are in one of the SmartCloud groups in AD.

The “runAllSM4B” AL starts the “deleteAndChangeSeatSM4B”, “updateSM4B”, and “seatsOverviewSM4B” assembly lines. In total there are four output files: two csv files containing the updates for SmartCloud, one list file, and a list of skipped accounts.
The output file with the updates for the SmartCloud Integration and Migration Site is “C:\IBM\TDI\cvsUploads\_ad_prv_.csv”. The skipped AD accounts file is “C:\IBM\TDI\cvsUploads\_ADNotAdded_.csv”.

10.3.2 The scenario

This scenario shows how to change, add, move, and delete users. The solution requires a SmartCloud for Social Business (organization) ID and a number of subscriptions (inside that organization) to which the subscriber/user can be added. We demonstrate adding and updating subscribers, performing a deletion, and moving a subscriber to a different subscription.

The scenario starts with three users and two user groups in Active Directory:

   AD Name                     | AD Type | Cloud Subscription IDs | Cloud Organization ID
   Nico Doe                    | User    |                        |
   Maria Doe                   | User    |                        |
   George Doe                  | User    |                        |
   200000793_SC_EngageStandard | Group   | 200000793              | 200031559
   200003321_SC_Connections    | Group   | 200003321              | 200031559

The users have a displayName, givenName, familyName, and email address, and each is added to one of the two groups 20000793_SC_EngageStandard or 200003321_SC_Connections. Both users and groups are in the same domain (ibm-redbooks.nl). The names of the users can be anything. The group names must start with the IBM SmartCloud for Social Business subscription identifier, in this format:

   <smartcloudsubscriptionid>_SC_<subscriptionname>

Below is an example for the user George Doe. He has been given a First Name, Last Name, Display Name, and Email address. George is also a member of the Domain Users and the 2000000793_SC_EngageStandard groups.

First run

Start the TDI Configuration Editor; it shows four assembly lines. When the runAllSM4B assembly line runs for the first time, it creates three files, as displayed below:

200031559_ADNotAdded_1399023630.csv: This file is empty.
200031559_ad_prv_1399023630.csv: The file contains:

   emailAddress,action,subscriptionId,subscriptionId2,givenName,familyName,language,timeZone,password,altEmailAddress,notesTemplate,notesDN,assignTo,department,jobTitle,country,telephone,mobile,fax,address,SuppressInvitation,federationType
   nicodoe@ibm-redbooks.nl,Add,200000793,,nico,doe
   georgedoe@ibm-redbooks.nl,Add,200000793,,george,doe
   mariadoe@ibm-redbooks.nl,Add,200000793,,maria,doe

Note that because an Add action actually creates a new account (provisions a user), a password is required. If you reuse this assembly line, you must amend it so that it includes your own default password for new users. The attached AL makes the password optional and uses “Welkom01” as the initial password.

The proper output file should look similar to this:

   emailAddress,action,subscriptionId,subscriptionId2,givenName,familyName,language,timeZone,password,altEmailAddress,notesTemplate,notesDN,assignTo,department,jobTitle,country,telephone,mobile,fax,address,SuppressInvitation,federationType
   nicodoe@ibm-redbooks.nl,Add,200000793,,nico,doe,Welkom01,,,
   georgedoe@ibm-redbooks.nl,Add,200000793,,george,doe,Welkom01,,,
   mariadoe@ibm-redbooks.nl,Add,200000793,,maria,doe,Welkom01,,,

This proper 200031559_ad_prv_1399023630.csv file is available, for your reference, in the attachment section of this document. The csv file is uploaded with (for example) FileZilla to the cloud Integration and Migration Site. (For more information, see Chapter 7, “User Provisioning, Journaling, and mail data migrations” on page 61.) The site processes the file and the accounts are added. The users receive an email to complete the registration process. After the initial successful addition, the accounts have a pending status and the users must log on to activate their accounts.
   AD Name    | Subscription IDs | Organization ID | AD Group
   Nico Doe   | 200000793        | 200031559       | 200000793_SC_EngageStandard
   Maria Doe  | 200000793        | 200031559       | 200000793_SC_EngageStandard
   George Doe | 200000793        | 200031559       | 200000793_SC_EngageStandard

200031559_completelist.csv contains:

   CN=nico doe,CN=Users,DC=ibm-redbooks,DC=nl;200000793;;CN=200000793_SC_EngageStandard,CN=Users,DC=ibm-redbooks,DC=nl;nicodoe@ibm-redbooks.nl;doe;nico
   CN=george doe,CN=Users,DC=ibm-redbooks,DC=nl;200000793;;CN=200000793_SC_EngageStandard,CN=Users,DC=ibm-redbooks,DC=nl;georgedoe@ibm-redbooks.nl;doe;george
   CN=maria doe,CN=Users,DC=ibm-redbooks,DC=nl;200000793;;CN=200000793_SC_EngageStandard,CN=Users,DC=ibm-redbooks,DC=nl;mariadoe@ibm-redbooks.nl;doe;maria

Second run

To test the delete, change seat, and update functions with TDI, the AD entries are then modified as follows:
– Nico is moved from the 20000793_SC_EngageStandard to the 200003321_SC_Connections AD group.
– Maria is deleted.
– George is updated with a phone number.

The Active Directory now contains:

   AD Name    | Subscription IDs | Organization ID | AD Group
   Nico Doe   | 200003321        | 200031559       | 200003321_SC_Connections
   George Doe | 200000793        | 200031559       | 200000793_SC_EngageStandard

George’s phone number was added to his profile in the corporate cloud directory:

To process these changes with your TDI AL, run the "runAllSM4B" AL again. It generates a number of files:
– There are two ad_prv_ files:
   – One for George’s update action; it contains George's phone number.
   – The second ad_prv file contains the information for the change of seat (Nico) and the deletion of Maria's account.
– A complete list file: this file now only contains Nico and George. Maria is removed.
– 200031559_ADNotAdded_1399025136.csv is empty, as there were no errors in the AL.
200031559_ad_prv_1399023630.csv contains:

   emailAddress,action,subscriptionId,subscriptionId2,givenName,familyName,language,timeZone,password,altEmailAddress,notesTemplate,notesDN,assignTo,department,jobTitle,country,telephone,mobile,fax,address,SuppressInvitation,federationType
   nicodoe@ibm-redbooks.nl,Add,200000793,,nico,doe
   georgedoe@ibm-redbooks.nl,Update,200000793,,george,doe"+31 20 1234567"

200031559_ad_prv_1399025131.csv contains:

   emailAddress,action,subscriptionId,subscriptionId2,givenName,familyName,language,timeZone,password,altEmailAddress,notesTemplate,notesDN,assignTo,department,jobTitle,country,telephone,mobile,fax,address,SuppressInvitation,federationType
   nicodoe@ibm-redbooks.nl,ChangeSeat,200003321,,,
   mariadoe@ibm-redbooks.nl,remove,200000793,,maria,doe

200031559_completelist.csv contains:

   CN=nico doe,CN=Users,DC=ibm-redbooks,DC=nl;200003321;;CN=200003321_SC_Connections,CN=Users,DC=ibm-redbooks,DC=nl;nicodoe@ibm-redbooks.nl;doe;nico
   CN=george doe,CN=Users,DC=ibm-redbooks,DC=nl;200000793;;CN=200000793_SC_EngageStandard,CN=Users,DC=ibm-redbooks,DC=nl;georgedoe@ibm-redbooks.nl;doe;george

When the two csv files 200031559_ad_prv_1399025131.csv and 200031559_ad_prv_1399025136.csv are uploaded to the cloud Integration and Migration Site, the changes are processed automatically. As a result, Nico's subscription is replaced (in blue), Maria's account is removed, and George's phone number is added to the user's details.

Remarks

In the first iteration, Nico appears to be added again. The Integration and Migration Site reports an error in the report and trace files. This error is not an issue and can be ignored. The AD solution forces you to build the TDI AL this way, because moving a user from one AD group to another changes the chosen unique identifier (the distinguished name).
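The assembly-line logic of this scenario, together with the provisioning-file rules from the FTP server section above, as an added Python example (not the TDI project's own code): it maps <smartcloudsubscriptionid>_SC_<subscriptionname> group names to subscription IDs, diffs two constructed AD snapshots into Add, Update, ChangeSeat, and remove records in the documented column order (password in the ninth column, required for Add), and splits the output into files of at most 200 records with consecutive time stamps. The tracked attribute set, the ad_user helper, and the snapshot layout are assumptions made for this example.

```python
import re
# Column order of the user-provisioning CSV, matching the header the TDI assembly line writes.
COLUMNS = [
    "emailAddress", "action", "subscriptionId", "subscriptionId2",
    "givenName", "familyName", "language", "timeZone", "password",
    "altEmailAddress", "notesTemplate", "notesDN", "assignTo", "department",
    "jobTitle", "country", "telephone", "mobile", "fax", "address",
    "SuppressInvitation", "federationType",
]
HEADER = ",".join(COLUMNS)
# AD group naming convention of the scenario: <smartcloudsubscriptionid>_SC_<subscriptionname>
GROUP_RE = re.compile(r"^(\d+)_SC_\w+$")
TRACKED = ("givenName", "familyName", "telephone")  # hypothetical subset that yields an Update


def subscription_from_groups(groups):
    """Return the subscription ID encoded in the user's SmartCloud group, or None."""
    for group in groups:
        match = GROUP_RE.match(group)
        if match:
            return match.group(1)
    return None


def _csv_field(value):
    """Quote a field only when it contains a comma, a quote or a newline."""
    value = str(value)
    if any(ch in value for ch in ',"\n'):
        return '"' + value.replace('"', '""') + '"'
    return value


def provisioning_line(record):
    """Render one record in the documented column order; trailing empty columns are dropped."""
    if record.get("action") == "Add" and not record.get("password"):
        raise ValueError("Add requires a password: %s" % record.get("emailAddress"))
    fields = [_csv_field(record.get(column, "")) for column in COLUMNS]
    while fields and fields[-1] == "":
        fields.pop()
    return ",".join(fields)


def diff_snapshots(previous, current, default_password="Welkom01"):
    """Derive Add / Update / ChangeSeat / remove records from two AD snapshots
    (emailAddress -> {"givenName", "familyName", "groups", ...}). A user dropped
    from AD, or from every SmartCloud group, becomes a remove record."""
    records = []
    for email, user in current.items():
        new_sub = subscription_from_groups(user["groups"])
        if new_sub is None:
            continue  # no SmartCloud group any more: handled as a removal below
        old = previous.get(email)
        old_sub = subscription_from_groups(old["groups"]) if old else None
        names = {"givenName": user["givenName"], "familyName": user["familyName"]}
        if old_sub is None:
            records.append(dict(emailAddress=email, action="Add", subscriptionId=new_sub,
                                password=default_password, **names))
        elif old_sub != new_sub:
            records.append(dict(emailAddress=email, action="ChangeSeat", subscriptionId=new_sub))
        else:
            changed = {a: user.get(a, "") for a in TRACKED if user.get(a, "") != old.get(a, "")}
            if changed:
                names.update(changed)
                records.append(dict(emailAddress=email, action="Update",
                                    subscriptionId=new_sub, **names))
    for email, old in previous.items():
        old_sub = subscription_from_groups(old["groups"])
        still_there = email in current and subscription_from_groups(current[email]["groups"])
        if old_sub is not None and not still_there:
            records.append(dict(emailAddress=email, action="remove", subscriptionId=old_sub,
                                givenName=old["givenName"], familyName=old["familyName"]))
    return records


def write_batches(records, client_id, start_timestamp, max_records=200):
    """Split records into files of at most max_records (the site's per-file limit), each
    named with a later time stamp so they are processed in order; returns [(name, content)]."""
    lines = [provisioning_line(r) for r in records]
    batches = [lines[i:i + max_records] for i in range(0, len(lines), max_records)] or [[]]
    return [("%s_ad_prv_%d.csv" % (client_id, start_timestamp + n),
             "\n".join([HEADER] + batch) + "\n") for n, batch in enumerate(batches)]


def ad_user(given, family, group, **extra):
    """Constructed AD entry for the samples below (every user is also in Domain Users)."""
    return dict(givenName=given, familyName=family, groups=["Domain Users", group], **extra)


# Constructed snapshots mirroring the first and second run of the scenario.
RUN1 = {
    "nicodoe@ibm-redbooks.nl": ad_user("nico", "doe", "200000793_SC_EngageStandard"),
    "georgedoe@ibm-redbooks.nl": ad_user("george", "doe", "200000793_SC_EngageStandard"),
    "mariadoe@ibm-redbooks.nl": ad_user("maria", "doe", "200000793_SC_EngageStandard"),
}
RUN2 = {
    "nicodoe@ibm-redbooks.nl": ad_user("nico", "doe", "200003321_SC_Connections"),
    "georgedoe@ibm-redbooks.nl": ad_user("george", "doe", "200000793_SC_EngageStandard",
                                         telephone="+31 20 1234567"),
}
```

Running write_batches(diff_snapshots(RUN1, RUN2), "200031559", 1399025131) reproduces the second-run records (Nico's ChangeSeat, George's Update with the telephone in its own column, Maria's remove) in one file; passing a smaller max_records shows the split into consecutively time-stamped files.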
Change the unique attribute name of the “updateSM4B” Active Directory Change Detector (ADCD) connector (see figure below) to make sure the Distinguished Name is not used as the identifier.

The Integration and Migration Site has provisioning limitations, as explained in Chapter 7, “User Provisioning, Journaling, and mail data migrations” on page 61. The site can handle a maximum of 200 records in a single csv file. The assembly line does not take this into account. You must split the created csv files into multiple csv files and update the time stamp of each. TDI can split the file if you adjust the assembly line; we did not use this function in this example because we only wanted to show the basic process.

The time stamp in the csv file name is generated each time you run the assembly line; for example, in “200031559_ad_prv_1399023630.csv”, 1399023630 is the time stamp. The time stamp is incremented so that the csv files are processed one after the other in the correct order. To re-run a csv file, update the time stamp in the name of the csv file. To clear the internal database that tracks the changes, delete the Delta Store in the ADCD connector. This way, you can start all over again with a fresh list.

Note: The attached files are for your reference only and are NOT supported or maintained by IBM. They are provided to give you an overview and to ease understanding.

Appendix A. Installing the Social Business Toolkit SDK development environment

The Social Business Toolkit SDK (SBT SDK) provides tools for creating applications that leverage the social-enabled IBM products such as Connections, Sametime, and SmartCloud for Social Business. Included in the SDK is a playground environment where you can experiment with the tools and techniques of social business application development. There are several installation options available for the SDK.
You can use the Tomcat server that is distributed with the SDK, or you can use your own installation of Tomcat, WebSphere Application Server, Portal, or Domino. This section describes the steps required to install the IBM Social Business Toolkit SDK development environment. This environment uses the Eclipse IDE and an embedded Tomcat server, which allows you to build socially enabled applications on your local machine.

The installation and configuration procedure for the Social Business Toolkit SDK includes the following steps:
1. Installing the Social Business Toolkit SDK
2. Registering OAuth applications on the IBM Connections server
3. Configuring the Eclipse IDE to run the embedded Tomcat server
4. Configuring the SBT SDK and Eclipse IDE for social application development
5. Verifying the Social Business Toolkit development environment installation

A.1 Installing the Social Business Toolkit SDK

The Social Business Toolkit SDK is a no-charge application available from OpenNTF.org. It includes the SDK libraries, sample applications, source code, and a Tomcat server for configuring a local development environment. You can download the SDK from here: http://ibmsbt.openntf.org

Note: This environment was created using the January 25th, 2014 release of the SDK. You can see all available versions posted here.

To install the SBT SDK, unzip the downloaded SBT SDK file in a terminal window. In our example, we place the zip file in the /residency directory and unzip it with the following commands:

   cd /residency
   unzip sbtsdk-1.0.0.20140125-1133.zip

A.2 Register OAuth applications

You can use the wsadmin commands to register the Social Business Toolkit SDK sample applications for OAuth access:

1. In a terminal window, start the wsadmin utility and prepare the OAuth command environment with the following commands:
   cd /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin
   ./wsadmin.sh -lang jython -user wasadmin -password passw0rd
   execfile("oauthAdmin.py")
2. You have now initialized the OAuth administration environment. To register the “sbt.sample.web” application, enter the addApplication OAuth admin command, as follows:
   OAuthApplicationRegistrationService.addApplication('SBTK','SBTK','https://localhost:8443/sbt.sample.web/service/oauth20_cb')
   The first parameter is the application identifier (appId), the second is the application's descriptive name (appName), and the third is the callback (redirectURI) address to redirect to when the application has been granted authorization. The appId and appName values can be anything you like. The redirect URI determines where the response from the server is sent.
3. After registering the “SBTK” application, retrieve its client secret with the following command:
   OAuthApplicationRegistrationService.getApplicationById('SBTK').get('client_secret')
4. (Optional) Alternatively, you can list the currently registered applications, including their secrets, with the following command:
   OAuthApplicationRegistrationService.browseApplications()
5. Copy the “SBTK” client secret to the clipboard for pasting into the sbt.properties file in a later step. To copy the client secret, highlight it and right-click the highlighted area. Note: Highlight only the text inside the quotes. Select Copy from the pop-up menu. Treat the client secret as a credential: anyone who holds it can present themselves to Connections as the SBTK application.
6. Exit the wsadmin utility with the following command (keep the terminal window open):
   quit

Now that you have registered the SDK sample applications with the IBM Connections server for OAuth access, you are ready to configure the Social Business Toolkit to match your environment.

A.3 Configuring the Social Business Toolkit

The Social Business Toolkit SDK uses a properties file for much of its configuration. Using a properties file allows developers to focus on the code relevant to the current task without unnecessary overhead. For example, the properties file contains information about the target IBM Connections server and the OAuth details for registered applications. This allows developers to streamline their code and avoid “hard coding” server URLs and the like.

Complete the following steps to configure the Social Business Toolkit SDK:
1. In a terminal window, make a backup copy of the original sbt.properties file, and then open it for editing, with the following commands:
   cd /labs/sbtsdk/config
   cp sbt.properties sbt.properties.bak
   vi sbt.properties
2. For each property listed below, update it to the specified value. In this example, we are only concerned with the properties relevant to the IBM Connections system; we do not access IBM SmartCloud for Social Business.
3. Save and close the sbt.properties file. Close the text editor.
4. Close the terminal window.

A.4 Configuring the TrustedExternalApplication role for the WidgetContainer

By default, IBM Connections only allows users to post to their own activity stream. However, when a third-party application posts events to the activity stream in IBM Connections, it generally needs the ability to post to any user’s activity stream. To allow this, you must assign a designated user the trustedExternalApplication role.
Note: The user assigned here corresponds to the “connections.app.as.user” entry in the sbt.properties file.

Complete these steps to assign the trustedExternalApplication role to a user:
1. In a web browser, open the IBM Connections Integrated Solutions Console: http://connections.demos.ibm.com:9060/ibm/console
2. Log in with the following credentials: user name wasadmin, password passw0rd.
3. On the left, select Applications → Application Types → WebSphere enterprise applications.
4. On the right, click the link for WidgetContainer (it might be on page 2).
5. Under the Detail Properties section, click the Security role to user/group mapping link.
6. On the next page, check “trustedExternalApplication” and click Map Users...
7. In the Search and Select Users section, search for “dmisawa” and click Search.
8. From the Available list, highlight “DMisawa” and click the right arrow to move his name to the Selected list. When finished, the Selected list should look like the following figure:
9. Click OK. You should see “DMisawa” under the mapped users for the “trustedExternalApplication” role.
10. Click OK to return to the Configuration page, then click the Save link at the top.
11. Log out of the Integrated Solutions Console and close the browser.

A.5 Preparing Tomcat

In this configuration example, we configure the Eclipse IDE to use an embedded Tomcat server to host the SDK samples. You can also use this Tomcat server to build and test your own socially enabled applications.

Procedure:
1. In a terminal window, unzip the Tomcat environment provided by the SDK with the following commands:
   cd /labs/sbtsdk/tomcat
   unzip apache-tomcat-7.0.30-sbt.zip
2. OAuth support requires the use of the secured (SSL) HTTP port for the redirection URI.
   To activate SSL support in Tomcat, adjust the location of the keystore file (without this adjustment, Tomcat startup returns a “File not found” error when trying to locate the keystore file, and SSL fails to enable). The keystore file location and the other port-related configuration are maintained in the Tomcat server.xml document. In the terminal window, enter the following commands to open the Tomcat configuration file:
   cd ./apache-tomcat-7.0.30/conf
   gedit server.xml
3. In the server.xml document, search for the “keystoreFile” keyword and change its value from the relative path “conf/keystore” to the absolute location “/labs/sbtsdk/tomcat/apache-tomcat-7.0.30/conf/keystore” in your file system.
4. Depending on the servers installed on the machine, you might also have to alter the default HTTP ports used by Tomcat. In this environment, the default (non-SSL) HTTP port value of 8080 is already being used by Domino. To avoid the conflict, modify the port number as follows: locate the section for the non-SSL HTTP/1.1 Connector and change the default value of “8080” to “8081”. (To find this section quickly, search the document for “8080”.) When finished, your XML should look like the following:

Note: The default secured (SSL) port number of 8443 for Tomcat should work fine in this environment. If you must change this port, make the modification in the same server.xml document.

Note: If the default secured (SSL) port number is changed, the “redirect URI” specified during the SBTK application OAuth registration process (in the earlier steps) must be modified to reflect the updated value.

5. Save and close the file. Close the text editor.

A.6 Importing the SBT SDK projects into the Eclipse IDE

The Eclipse IDE for Java EE Developers is free and contains tools for creating Web applications, including editors for JavaScript, HTML, CSS, and XML.
In this configuration example, we configure the Eclipse IDE for Social Business Toolkit SDK application development. Complete the following steps to import the sample applications into the IDE:
1. On the desktop, double-click the “Eclipse” icon to start the Eclipse IDE.
2. In the Workspace Launcher window, select a location for your development workspace. Enter the workspace directory and click OK.
3. If you see the Welcome page, click “Go to the Workbench”.
4. From the Eclipse file menu, choose File → Import...
5. In the Import window, select General → Existing Projects into Workspace and click Next.
6. For the root directory, click the Browse... button, navigate to the /labs/sbtsdk/source directory, and click OK:
7. You do not need to import all projects. Deselect the following projects; you will not need them:
   – acme.social.sample.ear
   – com.ibm.sbt.libs.derby
   – com.ibm.sbt.libs.domino
   – com.ibm.sbt.sample.ear
8. Click Finish. After Eclipse builds your workspace, the projects appear in the Project Explorer view on the left.

A.7 Configuring Tomcat in the Eclipse IDE

In this section, you configure the Tomcat instance from the SDK in the Eclipse IDE. This configuration allows you to launch and test the SDK samples and your own applications.

Procedure:
1. From the Eclipse file menu, click Window → Preferences.
2. Expand Server → Runtime Environments.
3. On the right, click Add...
4. In the New Server Runtime Environment window, select “Apache Tomcat v7.0” and click Next.
5. For the “Tomcat installation directory”, click Browse..., navigate to the following location, and click OK:
   /labs/sbtsdk/tomcat/apache-tomcat-7.0.30
6. Click Finish.
7. Click OK to close the Preferences window.
8. From the Eclipse top menu bar, choose Window → Show View → Other...
9. In the Show View window, choose Server → Servers and click OK.
10. A new Servers view tab appears at the bottom of the Eclipse IDE. Click the new server wizard... link.
11. In the New Server window, select Tomcat v7.0 Server as the server type. Leave everything else at the default values and click Next.
12. On the Add and Remove resources page, click the Add All button to add all resources to your Tomcat server and click Finish.
13. In the Project Explorer on the left, you should see a new “Servers” project. Expand this project to see your Tomcat server configuration.
14. Right-click the Tomcat v7.0 Server at localhost-config folder and choose Import...
15. In the Import window, choose General → File System and click Next.
16. In the From directory field, click Browse..., navigate to the /labs/sbtsdk/config directory, and click OK.
17. On the right, place a check mark beside “sbt.properties” and click Finish.

A.8 Verifying the Social Business Toolkit development environment installation

Before you start building your own applications, verify that everything was set up properly. You can do this by launching the embedded Tomcat server and viewing the Social Business Toolkit SDK sample applications. Use the following steps to verify the Social Business Toolkit development environment installation:
1. In the Servers view at the bottom of the Eclipse IDE, highlight the entry for Tomcat.
2. On the right side of the Servers view, click the Start the server in debug mode icon and wait for Tomcat to start.
3. Open a web browser window and navigate to the URL: http://localhost:8081/sbt.sample.web/home.jsp
4. If the Samples Application page opens, you have installed your development environment successfully. To verify your configuration further, explore the samples.
   Note that only the IBM Connections related samples were configured. To view the JavaScript examples, click the JavaScript tab at the top of the page.
5. On the left, navigate to Connections → Profiles and select the Get Profile link from the expanded folder.
6. The JavaScript SBT API code snippet that runs to produce the results is now visible in the top panel on the right. You should also see the login form displayed in the “results” pane directly below it, because the Get Profile function requires a successful authentication. Log in with user name fadams and password passw0rd.
7. You should now see Frank Adams’ profile information displayed in the results pane, showing his profile entry values obtained from the IBM Connections system. The output should be similar to the following:

Notice the link at the bottom of the results pane. Clicking this link displays the results in a full browser page. You can use the full-page mode for troubleshooting and debugging, for example by enabling Firebug and refreshing the page.

8. After verifying that the SBT API works with basic authentication, verify that the OAuth 2.0 based authorization is also operational. On the left, expand the Authentication section and click the Connections Basic Auth link. You should see the message “You are authenticated to this endpoint” and the Logout button should be visible underneath it. Click the Logout button.
9. A message confirming that you are no longer authenticated appears, as shown:

Note: To make sure that you are starting with a “clean slate” as far as the user session is concerned, remove the browser cookies by clicking History → Clear Recent History, checking the Cookies box, and clicking Clear Now.

10. Expand the Authentication section again (if it is not expanded) and select Connections OAuth 2.0.
11. In the results pane at the bottom left, click Login Popup. This action initiates the “SBTK” application's authorization request to the IBM Connections server based on the OAuth 2.0 protocol exchange (the “OAuth 2.0 dance”). Depending on whether you are currently logged in to Connections, you are presented either with the Connections Login dialog window followed by the Connections Access Request window, or just with the Connections Access Request window.
12. Because you are not currently logged in, the Connections Login window should appear. Log in with user name fadams and password passw0rd and click OK.
13. If the login is successful, the Access Request window appears. You can either grant or deny the access. Granting access allows the SBTK application to access the user’s resources in IBM Connections. Denying access prevents the application from getting any data.
14. After granting access, you should briefly see the Access Granted window and then be redirected back to the SBTK application (recall the “SBTK” registration process earlier in this example). A message confirming that you are now authenticated should appear, as shown below.
15. If you had chosen to deny access, the Access Denied window would have been displayed.
16. Finally, you can find out which applications are currently authorized to access the user’s IBM Connections information. To do that, enter the following URL in your browser: http://connections.demos.ibm.com/connections/oauth/apps
   By clicking the Revoke link on the right, you can remove the application's access to your IBM Connections resources.

You can now use the Eclipse IDE to begin socializing your applications.
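A check of the Tomcat server.xml edits from A.5 against the redirect URI registered in A.2, added here as an example and not code from the SDK or this book: it flags a relative keystoreFile, a non-SSL connector on a port that is already in use, and a redirect URI whose port is not an SSL connector port, and it applies the two edits. The server.xml fragment is constructed for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Values from this appendix: the redirect URI registered for "SBTK" in A.2 and the
# Tomcat location from A.5.
REDIRECT_URI = "https://localhost:8443/sbt.sample.web/service/oauth20_cb"
TOMCAT_HOME = "/labs/sbtsdk/tomcat/apache-tomcat-7.0.30"

# Constructed fragment of the SDK's server.xml before the A.5 edits: relative keystore
# path and the non-SSL connector still on 8080.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" keystoreFile="conf/keystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>
"""


def check_server_xml(xml_text, redirect_uri, tomcat_home, ports_in_use=()):
    """Return a list of findings; an empty list means server.xml matches the appendix."""
    findings = []
    target = urlparse(redirect_uri)
    ssl_ports = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = int(conn.get("port"))
        if conn.get("SSLEnabled", "false").lower() == "true":
            ssl_ports.append(port)
            keystore = conn.get("keystoreFile", "")
            if not keystore.startswith("/"):
                findings.append("keystoreFile '%s' is relative; use %s/conf/keystore"
                                % (keystore, tomcat_home))
        elif port in ports_in_use:
            findings.append("non-SSL connector port %d is already in use" % port)
    # OAuth redirection must go to the secured port (A.5 step 2 and the note in step 4).
    if target.scheme != "https" or (target.port or 443) not in ssl_ports:
        findings.append("redirect URI %s does not point at an SSL connector port %s"
                        % (redirect_uri, ssl_ports))
    return findings


def fix_server_xml(xml_text, tomcat_home, http_port=8081):
    """Apply the A.5 edits: absolute keystore path, non-SSL connector moved off 8080."""
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            keystore = conn.get("keystoreFile", "")
            if keystore and not keystore.startswith("/"):
                conn.set("keystoreFile", "%s/%s" % (tomcat_home, keystore))
        elif conn.get("port") == "8080":
            conn.set("port", str(http_port))
    return ET.tostring(root, encoding="unicode")
```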
Appendix B. Example SmartCloud Notes Integration options

B.1 SmartCloud Notes integration

SmartCloud Notes offers integration options for both IBM and third-party products; these are optional for your deployment. This appendix shows a few examples of solutions that integrate specifically with SmartCloud Notes. The solutions shown here are purely examples of what is possible today and are supported by the IBM Business Partners that developed the products. These solutions are not supported by IBM directly. If you want to know whether your SmartCloud Notes environment can benefit from integrating products provided by an IBM Business Partner, contact your software vendor.

Note: The following text about products and solutions is composed and offered by IBM Business Partners and is supported by those partners. The IBM corporation does not support these products or solutions.

More detailed technical information is available in this article.

The following products (in alphabetical order) are examples of SmartCloud Notes integration:

- Crossware Mail Signature
- OnTime Group Calendar
- Riva / Salesforce CRM

B.2 Example SmartCloud Notes Integration option - Crossware Mail Signatures

Crossware Mail Signature

Crossware Mail Signature is a server-based email signature add-in for the IBM Domino server that automatically adds compliant, personalized, and attractive email signatures to all emails. These signatures might include disclaimers, logos, graphics, and advertising banners that can be randomized or targeted to specific recipients. Companies send thousands of emails every day, so it is vital to ensure that each email displays your brand image and the appropriate contact details and disclaimer information.

Why choose Crossware Mail Signature?

- IT Management – Take control: Save a large amount of time by managing your entire organization's email signatures from one central database.
- Marketing – Promote your brand: Get the maximum out of your branding budget by ensuring that every email conveys your organization's professional brand image and advertisements.
- Legal – Protect your company: Every email from any device will be compliant with your correct disclaimer details.
- Mobile – Stay professional on the move: Ensure that every email sent from mobile devices also includes your company email signature.

How it works

Crossware Mail Signature uses a Notes database to configure email signatures for individuals, groups, or organizational units. The software ensures that all emails have the proper email signature layout, disclaimers, banners, and logos added to them. Crossware Mail Signature runs in three modes:

- Server mode
- Local mode
- Hybrid mode

Mode 1. Server based signatures

In this mode, Crossware Mail Signature is implemented as an extension manager add-in to the Domino server. Emails are created by the user, but a signature is not applied by the local Notes mail client. Instead, the Crossware Mail Signature add-in applies the signatures to emails as they pass through the Domino server.
The advantages of server based signatures include:

- Email signature layout changes are applied immediately.
- Emails from mobile devices will have the proper signatures.
- Conditional signatures can be set up to match almost any need or variation.

The disadvantage of server based signatures is:

- Users must become accustomed to not seeing their signatures when they create an email.

The following are the high level steps of the server based signature process:

1. You send an email from your desktop or a mobile device.
2. The email goes through your Domino server, where Crossware Mail Signature appends all of your branding, contact details, the appropriate disclaimer, and advertisements, depending on the recipient or sender of the email.
3. The email arrives in the recipient's inbox with all of the correct details and imagery.

The following figure illustrates this process.

Mode 2. Local mode

In this mode, Crossware Mail Signature creates a rich text signature and copies it to the user's Calendar Profile in the Notes mail file. Email signature layouts are created for each user based on the layout design that applies to that user. The signature is then added to the user's signature profile on the server copy of the user's mail file, which then updates the local replica if there is one. Crossware Mail Signature also checks periodically to make sure that the signature in the profile document matches what the design says it should be, and updates and re-applies the correct signature if it does not.

The advantages of the local mode are:

- The signature is applied and visible whenever a user opens a new email.
- Nothing seems different for the user.

The disadvantages of the local mode are:

- The signature can be modified or removed, leaving the email in violation of current laws.
- Emails from mobile devices do not have the proper signature layout.
- Signatures are static.
- Any logos or pictures are stored in the mail file each time an email is sent.

Mode 3. Hybrid mode integrated with IBM SmartCloud Notes

Hybrid mode can use local signatures, server based signatures, or a combination of both. The email signature is set up in such a way that part of the layout is added to the user's signature profile on the server copy of the user's mail file. When running on the SmartCloud Notes platform, it is assumed that the customer is running a hybrid solution, that is, a combination of SmartCloud Notes and on-premises Domino servers. In this case, the Crossware Mail Signature application is installed on the customer's on-premises Domino servers.

The advantages of the hybrid mode are:

- Crossware Mail Signature can add server based signatures that are not available in SmartCloud.
- Signatures can be a combination of local and server based signatures.

The disadvantages are:

- Internal emails will only have local signatures.
- Emails from mobile devices to internal recipients will not have a signature.
- There needs to be an on-premises server in place.

In hybrid mode, Crossware Mail Signature can work in the following modes:

- Server based signatures: Emails are relayed through the on-premises Domino server, which appends a signature before the email leaves the organization.
- Local signatures: Crossware Mail Signature on the on-premises server can create local signatures and copy them to the users' mail files in IBM SmartCloud Notes.

The following figure illustrates that Crossware Mail Signature can work in either or both modes. It can create local signatures for users and copy them to the users' mail files. When an email is created, the signature is added to the email before delivery. Signatures are maintained and updated from the customer's on-premises server using the standard IBM Notes API. These are static signatures consisting of personal details.
On outbound emails, Crossware Mail Signature can append additional signature elements, such as advertisements, banners, and legal disclaimers, that are not required for internal emails.

B.3 Example SmartCloud Notes Integration option - OnTime Group Calendar

OnTime® Group Calendar for IBM SmartCloud Notes

About OnTime® Group Calendar

Since the initial product was designed and built based on customer requirements in 1998, OnTime® Group Calendar has remained the premier group calendar product on the market for IBM Notes and IBM Domino. OnTime® Group Calendar is built on the following core values:

- Scheduling: Minimize process time and find the earliest possible available time.
- Delegation: Access to act on consolidated scheduling data at all times.
- Match talent to time: Ensure a transparent view of availability.
- Improve customer service: Identify expertise and availability for a relevant and timely response.
- Always available: Must always be available, whether working from the office or on the road.

The product has evolved considerably since the early nineties and continues to prove that a group calendar can be secure, scalable, customizable, modern, and social.
The newest releases support both IBM Connections, to provide a truly social group calendar experience, and smart phones, allowing users to take their group calendar on the road, delivering on the promise that a group calendar should always be available in any product and on any platform. OnTime® Group Calendar is sold across the world to a diverse set of customers through a network of dedicated partners and directly from OnTime®.

Users access OnTime® Group Calendar through a set of customized user interfaces for IBM Notes, IBM Connections, web browsers, or smart phones such as the iPhone or Android based smart phones:

- IBM Notes full screen: A group calendaring interface designed to provide an overview of many people at a time.
- IBM Notes sidebar: A group calendar for your IBM Notes sidebar, designed to provide a quick overview of your immediate team.
- Web browser: A group calendar for your favorite browser.
- IBM Connections: Group calendar widgets for Profiles and Communities in IBM Connections.
- Smartphone: A group calendar interface for smartphones such as iPhone and Android, to provide group calendar access on the go.

Besides the above user interfaces, OnTime® Group Calendar also provides a standards based REST API that allows customers to reap the benefits of calendar functionality in custom developed applications without the complexity of developing these functions themselves. OnTime® Group Calendar has customers using this API to integrate with intranets, phone systems, and CRM systems, to name just a few.

How it works

OnTime® Group Calendar works by aggregating information from monitored calendars into the OnTime® Group Calendar database in a proprietary and highly condensed format. By using this format, the calendar entries (meetings, appointments, and so on) of tens of thousands of users can be maintained in a small amount of storage space while allowing extremely fast access and preserving the appropriate access restrictions, even in highly sensitive environments. Besides traditional user calendars, OnTime® also supports the calendars of rooms and resources.

The OnTime® Group Calendar server run time monitors the calendars of configured users in real time and updates the server backend store. The OnTime® Group Calendar clients use a standards based REST API to communicate with the OnTime® server and retrieve the required information for presentation. The API shields clients from knowing about the backend storage format and handles the security and privacy aspects, making sure that users cannot read the calendars and appointments of users they do not have access to.

OnTime® Group Calendar comes with a rich security infrastructure that allows it to be tailored to meet any requirement. Security can be based on the access control list (ACL) of individual IBM Notes mail databases, on a role based access system, or on a combination of the two, allowing for automated security configuration and user controlled access at the same time. The following diagram illustrates the architecture of the OnTime® Group Calendar synchronization and administration processes.

Moving OnTime® Group Calendar to IBM SmartCloud

There is probably little doubt in most minds that the future of all or most enterprise computing is in the cloud. Therefore, it is important for OnTime® Group Calendar to function perfectly with IBM SmartCloud Notes, because it provides an avenue to the cloud for your current IBM Domino on-premises environment. You can now move your mail and calendar service either completely or partly to the cloud while keeping OnTime® Group Calendar as a part of your infrastructure.
OnTime® Group Calendar now allows you to monitor calendars both on-premises and in IBM SmartCloud. So no matter whether a user is using IBM Notes or IBM iNotes, on-premises or in IBM SmartCloud, they can continue to use the user interface that they prefer or that is applicable to their needs, whether that is a user interface integrated into their IBM Notes client, in a web browser, or on a smart phone. All this is due to the flexibility of IBM SmartCloud and the API based architecture of OnTime® Group Calendar. As an additional benefit, you gain access to the OnTime® standards based API that allows you to integrate calendaring into custom applications without worrying about the underlying deployment architecture, because OnTime® Group Calendar bridges the gap between on-premises and IBM SmartCloud.

Requirements for running against IBM SmartCloud

Because OnTime® Group Calendar has a server side component and heavily uses the application infrastructure of IBM Domino, customers must run IBM SmartCloud Notes in a hybrid setup. A hybrid setup is what allows customers to mix on-premises and cloud hosted mail users. In a hybrid setup, the customer has at least two IBM Domino servers on-premises (the so called "directory" and "passthru" servers), and installing OnTime® Group Calendar on either one is supported, although installing on the "directory" server is the preferred option. Besides the requirement to run in a hybrid setup, customers also need a custom mail template to add the OnTime® specific design elements.

B.4 Example SmartCloud Notes Integration option - Riva / Salesforce CRM

Riva CRM Integration for IBM SmartCloud Notes

Riva bridges the gap between a dozen of the world's best CRM systems and IBM Notes, IBM Domino, and IBM Notes Traveler mobile devices. Riva seamlessly syncs CRM contacts, calendars, tasks, email, opportunities, cases, custom fields, and custom objects. Riva is trusted by over 800 customers globally, including 20 Fortune 500 companies, 10 of the 50 largest banks in the world, and numerous Global 1000 companies.

Riva is the leader in CRM and email integration. Since 2008, the company has developed server-side integrations for a dozen of the world's best CRM systems – including Salesforce, Microsoft Dynamics CRM, Oracle Sales Cloud, SugarCRM, NetSuite, Saleslogix, and others – and four enterprise email platforms. And Riva is now available for IBM SmartCloud Notes.

Riva is not just another IBM Notes plug-in. Riva delivers direct, server-side synchronization of contacts, calendars, tasks, email, opportunities, cases, custom fields, and custom objects. With Riva, there are no client-side plug-ins to install, configure, manage, or fix. Nor are any changes required to the IBM Notes mail template in the IBM SmartCloud Notes environment. Riva enables IBM collaboration solution customers to fully benefit from integration with all major customer relationship management systems and Marketo.
Sales and support reps can view and manage CRM and Marketo marketing automation data directly from the IBM Notes desktop client (for PC, Mac, and Linux), the SmartCloud Notes web mail experience, virtual desktops running on Citrix, and all IBM Notes Traveler smartphones and tablets (iPad, iPhone, Android, BlackBerry, and Windows Phone devices). View Riva screenshots and videos.

Did you know? The CRM market is expected to double in sales to $36B by 2017 and eclipse ERP in worldwide market size. CRM leads all enterprise software categories in projected growth. How well does your CRM integrate with IBM SmartCloud Notes? With IBM SmartCloud Notes, Riva can help solve your CRM integration challenges.

Business value

1. Reliable CRM integration: The number one reason companies deploy Riva is to sync CRM contacts, calendars, tasks, and email reliably.

2. Ease of management: Riva connects CRM systems directly to IBM Notes and Domino. Riva is installed once on a server and transparently synchronizes CRM data to hundreds or thousands of CRM users. Riva eliminates the need to install or configure any integration software on users' desktops, laptops, and mobile devices.

3. IBM Notes Traveler support: Mobile sales reps benefit from online and offline access to customer data on iPad, iPhone, Android, BlackBerry, and Windows Phone devices – without having to have their laptop or desktop running to sync the CRM data. Riva delivers centralized management and control of CRM data integration. And Riva supports Good Technology, CipherCloud, MobileIron, and other mobile security solutions.

4. Supports all IBM Notes and Domino applications on-premises or in the cloud: In addition to synchronizing CRM data to IBM Notes on Windows desktops, Riva bridges integration gaps for Mac, Linux, IBM iNotes, IBM SmartCloud, and IBM Notes for Citrix.

5. Highly configurable: Many CRM customers add custom fields and custom objects. Riva can be configured to sync these custom objects, providing complete control and flexibility over what data gets synced. In addition, Riva delivers advanced contact sync filters, integration support for opportunities and cases, and support for multiple CRM systems.

6. Improves CRM adoption and sales productivity: Many sales reps spend most of their day working in the IBM SmartCloud (Notes) environment and on their IBM SmartCloud Notes Traveler mobile devices. If your corporate CRM is not integrated with IBM SmartCloud Notes, sales reps must spend time manually entering data in multiple systems and switching back and forth between applications. This usually results in sales reps not entering CRM data, which leads to CRM adoption and data quality challenges. Riva resolves this issue and enables CRM users to view and manage data in their choice of IBM SmartCloud Notes and IBM SmartCloud Notes Traveler mobile devices.

What Riva syncs

Solution architecture

Riva delivers full support for native IBM Domino / Notes as well as SmartCloud Notes scalability, fault tolerance, and disaster recovery strategies.

Related information

- Riva datasheet
- Riva case study
- IBM Connect 2014 App Throwdown Finalist
- Riva knowledge base
- Riva screenshots
- Riva demo videos

Appendix C. Example SmartCloud WebSphere Portal integration

In this example, we show how navigation can be customized when it is integrated with IBM SmartCloud for Social Business. We show a simple example, without the technical details, to give you an idea of what is possible today.
Introduction

Integrating a user interface (UI) that provides a cloud service always raises the question: "How can I ensure that the cloud service integrates with my existing web user interface?" Usually, there are three options:

- No integration
- Branding options on the integrated cloud service
- Integration at the browser level

One of the options possible with IBM SmartCloud for Social Business is either to embed the customer owned application into the SmartCloud navigation, or to replace the SmartCloud navigation with a customer defined version. In the following example, we focus on the replacement option.

Example

The figures below show the Smarter Workforce Talent Suite UI, which is a combination of the SmartCloud for Social Business user interface and elements of a WebSphere Portal hosted user interface. In this scenario, WebSphere Portal is the integration platform that provides a common look and feel for users. SmartCloud for Social Business fits into this environment by requesting those artefacts from WebSphere Portal.

The integration happens at the browser level. SmartCloud requests the additional artefacts from the WebSphere Portal environment to deliver a dynamic, customizable user interface.

Back cover

Preparing Your Enterprise for IBM SmartCloud for Social Business

INTERNATIONAL TECHNICAL SUPPORT ORGANIZATION
BUILDING TECHNICAL INFORMATION BASED ON PRACTICAL EXPERIENCE

IBM Redbooks are developed by the IBM International Technical Support Organization. Experts from IBM, Customers and Partners from around the world create timely technical information based on realistic scenarios. Specific recommendations are provided to help you implement IT solutions more effectively in your environment.

For more information: ibm.com/redbooks

Content in this document was produced in collaboration with IBM Collaboration Solutions and IBM Redbooks.