Download the KeyShield SSO install file and copy it to the server.
Run the installer: on Linux with ./inst_kshield_8.8.0.bin (or newer), making the file executable first if needed (chmod +x on the installer file); on Windows with inst_kshield_8.8.0.exe (or newer).
Installation:
- Proceed – Y
- Select custom Java Location – N
- Please enter/confirm server IP address – Enter (when correct)
- KeyShield SSO server HTTP port – default 8485
- Start KeyShield SSO now – Y
After this the KeyShield SSO server is running and you can connect to the Web UI at http://server:8485 (plain HTTP, on the port chosen above).
Under the Configuration tab click on “Authentication connectors”
Add Connector
- Enter a connector ID, this can be any name you like
- From the “Directory Service” drop-down list, select the option according to your directory service, e.g. “eDirectory”, “Active Directory”, etc.
- Click on the LDAP server(s) and enter the LDAP server and port
- Enter the “KeyShield SSO mgr account” as an LDAP DN (for example cn=admin,o=xxx)
- Enter this user’s password in “KeyShield SSO mgr password”
- Uncheck the option “Validate mgr ACLs”
- Set the “LDAP search base” if other than root is needed
- Make sure the userIdAttribute is set to “cn” on eDirectory, or “sAMAccountName” on ActiveDirectory.
- Click on the “Optional API attributes” and type mail
Under the Configuration tab click on “Client Interfaces”
Add Interface
- Enter the “Display Name”, this can be any name you like
- Enter the server IP/hostname in the “Interface address”
- Select the connector, this is the one created above
Under the Configuration tab click on “API”
Click edit under API Configuration
- Enter a name in “Signing Certificate”; this can be any name you like
- Click on the button at the bottom, “Create API certificate”
- Enter the alias name; this can be any name you like (gw_api, for example)
- Enter the “Certificate Subject” after clicking the button with +
- Add both the FQDN and IP as 2 separate entries
- Enter the “Common Name” which should be the FQDN of the server
- Enter the “Organizational Unit”
- Enter the “Organization”
- Fill in the other fields if you want; they are not required for the certificate
- Enter the “Certificate Authority Password”, which is changeit by default. (You should already have set your own secure CA password; it is set in the Certificates section of the menu under “ca-root-cert”.)
Under Certificates you should now see the certificate created above (gw_api in the example)
- Click on the certificate
- Click on Export
- Click on Export Certificate
- Scroll down to the bottom and select “Download DER encoded certificate”
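Before the exported file goes into GWadmin it is worth confirming that it really is DER encoded, that the Common Name and the two subject entries (FQDN and IP) came out as intended, and that it has not expired. The script below is an added example and is not part of the KeyShield or GroupWise documentation; it assumes openssl 1.1.1 or newer is installed and that the FQDN and IP entered as “Certificate Subject” entries appear in the export as DNS and IP Subject Alternative Names (check the printed output against your own export if in doubt). The same check can be run on the DER export of the TLS certificate created later in the Certificates section.

```bash
#!/bin/sh
# check_keyshield_cert.sh: sanity-check a DER-encoded certificate exported from
# the KeyShield SSO Web UI (Certificates > Export > "Download DER encoded
# certificate") before it is uploaded into GWadmin.
# Added example; not part of the KeyShield or GroupWise documentation.
# Assumes: openssl 1.1.1 or newer on PATH, and that the FQDN and IP entered as
# "Certificate Subject" entries appear as DNS and IP Subject Alternative Names.
#
# Usage: check_keyshield_cert <cert.der> <server-fqdn> <server-ip>
#   prints subject, SANs and validity; returns 0 only if every check passes.

# has_entry TEXT ENTRY: true if ENTRY occurs in TEXT as a complete, comma-
# delimited element, so "CN=sso.example.test" does not match
# "CN=sso.example.test.evil".
has_entry() {
    case "$1" in
        *"$2,"*|*"$2") return 0 ;;
        *) return 1 ;;
    esac
}

check_keyshield_cert() {
    cert="$1"; fqdn="$2"; ip="$3"; rc=0

    # The export is DER, so every openssl call needs -inform DER.
    # RFC2253 name output gives "CN=host,OU=...,O=..." without spaces around "=".
    subject=$(openssl x509 -inform DER -in "$cert" -noout -subject -nameopt RFC2253) || return 1
    sans=$(openssl x509 -inform DER -in "$cert" -noout -ext subjectAltName 2>/dev/null)
    dates=$(openssl x509 -inform DER -in "$cert" -noout -dates)
    printf '%s\n%s\n%s\n' "$subject" "$sans" "$dates"

    # The Common Name must be the FQDN of the KeyShield server.
    has_entry "$subject" "CN=$fqdn" || { echo "FAIL: CN is not $fqdn"; rc=1; }
    # Both entries added under "Certificate Subject" should be present as SANs.
    has_entry "$sans" "DNS:$fqdn" || { echo "FAIL: no DNS SAN for $fqdn"; rc=1; }
    has_entry "$sans" "IP Address:$ip" || { echo "FAIL: no IP SAN for $ip"; rc=1; }
    # Refuse a certificate that has already expired (-checkend 0).
    openssl x509 -inform DER -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "FAIL: certificate has expired"; rc=1; }

    return $rc
}
```

Source the file and call the function with the downloaded export, the server FQDN and its IP, e.g. `. ./check_keyshield_cert.sh; check_keyshield_cert gw_api.der sso.example.com 192.0.2.10`. A non-zero exit means the certificate does not match the server it is meant to identify; recreate it in the KeyShield Web UI rather than uploading it.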
This downloaded certificate is needed in GroupWise in GWadmin.
- In gwadmin under System > System Preferences > KeyShield SSO Certificate click on the pencil icon
- Click on “Choose File”
- Select the downloaded certificate
- Click “Upload” and OK
In gwadmin, for the user, post office or domain you want to have KeyShield SSO enabled, go to client options
- Click on the Security tab
- Check the “Keyshield SSO” option and OK
(If needed you can lock this)
At this point the user should be able to login without a password when the KeyShield SSO client is running and the user is authenticated to KeyShield.
For GroupWise Web the KeyShield SSO connection must also be secured with TLS, so GW Web will not work yet; it needs the additional configuration below.
In the KeyShield SSO Web UI under Certificates
- Click Create, Certificate
- Enter the Alias name; this can be any name, for example TLS
- Enter the “Certificate Subject” after clicking the button with +
- Add both the FQDN and IP as 2 separate entries
- Enter the “Common Name”, which should be the FQDN of the server
- Enter the “Organizational Unit”
- Enter the “Organization”
- Fill in the other fields if you want; they are not required for the certificate
- Enter the “Certificate Authority Password”, which is changeit by default (or the CA password you set under “ca-root-cert”)
This certificate should now show in the list of certificates
Under Downloads in the section “Client configuration”
- Download the “Configuration file for xxxx”
- Download the “Certificate file for xxxx”
On the workstation that has the KeyShield client installed, exit the KeyShield client
Then copy both downloaded files into the KeyShield installation directory
C:\Program Files (x86)\KeyShield SSO
Start the KeyShield client again and login as the user.
In the KeyShield client, under “Current state”, you should now see both “Server” and “Client” with a lock symbol.
At this point, both the GW Windows client and GW Web should be able to log in without a password when the user is authenticated to KeyShield on the workstation.