1.5 Network Planning

1.5.1 Planning Firewalls, Ports, and Session Timeouts

Novell Teaming is a complete Java/J2EE Web application and includes a Web server (Tomcat). Because the Web server listens on ports and processes network connections, you should consider the following as part of the installation process:

Firewall Setup: The default installation uses port 8080/8443 for the Web server. Some local firewalls (such as the Windows Security Center’s firewall) might restrict traffic to port 8080/8443 and thus require proper configuration for access by other systems.

If you can access Novell Teaming on the local server, but cannot access it from another system, examine your firewall settings.

NOTE: When utilizing an Oracle database, you may need to reconfigure Novell Teaming to run on port 8081.

Port Conflicts: The Tomcat software uses a number of TCP/IP ports for both Web traffic and management messages. If you have other Web servers (Apache, IIS, or Tomcat) or other software installed that uses the same port numbers, your Novell Teaming software does not function properly.

NOTE: Novell Open Enterprise Server 2 (OES 2) systems have another Tomcat application running by default.

The netstat -anp tcp command on Windows and the netstat -tan command on Linux can help find which ports are currently being used. For more information on network ports, consult your operating system networking guide.

When you are in this situation, make sure that in addition to the http/https ports (8080/8443) you also assign free port numbers to the AJP Port and Shutdown Port settings in the Network information window when you run the installer.
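As an added example (not part of the Novell documentation), the following Python script parses netstat output in the two formats named above and reports which of the installer's port settings collide with a port that is already in use. The sample netstat output is constructed, and the AJP (8009) and Shutdown (8005) values are Tomcat's defaults, assumed here rather than taken from this guide.

```python
# Constructed sample output (not captured from a real system) in both formats the
# guide cites: Windows "netstat -anp tcp" and Linux "netstat -tan".
SAMPLE_WINDOWS = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    [::]:8080              [::]:0                 LISTENING
  TCP    10.0.0.5:49200         10.0.0.9:443           ESTABLISHED
"""
SAMPLE_LINUX = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:45000          10.0.0.9:443            ESTABLISHED
"""

# Ports as entered in the installer's Network information window. 8080/8443 are the
# documented defaults; 8009 (AJP) and 8005 (Shutdown) are Tomcat's defaults (assumed).
PLANNED = {"http": 8080, "https": 8443, "ajp": 8009, "shutdown": 8005}


def listening_ports(netstat_output):
    """Return the set of TCP ports in LISTEN/LISTENING state from netstat text."""
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        # Skip headers and non-TCP lines; both formats end with the state column.
        if len(fields) < 4 or not fields[0].lower().startswith("tcp"):
            continue
        if not fields[-1].startswith("LISTEN"):
            continue
        # The local address is two fields before the state in both formats;
        # the port is whatever follows the last colon (handles :::8080 and [::]:8080).
        port = fields[-3].rsplit(":", 1)[-1]
        if port.isdigit():
            ports.add(int(port))
    return ports


def port_conflicts(planned, netstat_output):
    """Map each installer port role to its port when something already listens on it."""
    busy = listening_ports(netstat_output)
    return {role: port for role, port in planned.items() if port in busy}


if __name__ == "__main__":
    print(port_conflicts(PLANNED, SAMPLE_LINUX))  # {'http': 8080, 'shutdown': 8005}
```

Any role reported here needs a different port number entered in the Network information window before the installation proceeds.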

Port Mapping: If the port number on which Tomcat listens for connections differs from the port the end user sees in the browser, set the Listen Port and Secure listen Port settings to the local server ports, and set the Port and Secure Port settings to the port numbers the browsers use, in the Network information window when you run the installer. See Port 80/443 configuration on Linux and Integrating with iChain for details.

The host, port, and securePort settings are used to generate URLs within the product and so must match what the user’s browser sees. Unless they are overridden by the Listen Port and Secure listen Port settings, the Port and Secure Port settings are used as the server’s listen ports.

Liferay Session Timeout: You can configure Novell Teaming to log out of a session after a certain number of minutes. The default is 2 hours (240 minutes). You can change this by altering the Liferay session timeout setting in the Network information window when you run the installer.

1.5.2 Port 80/443 configuration on Linux

The default installation of Novell Teaming uses the Tomcat Web server. Although the Tomcat server is part of the Apache project, it is not the same thing as the Apache Web server. Tomcat is written in Java and cannot perform some of the special privilege behaviors that Apache can.

In particular, Linux does not allow non-root processes to bind TCP/IP ports below 1024. For this reason, the default configuration for Tomcat (and Novell Teaming) uses port 8080 for http and port 8443 for https (SSL). Unfortunately, this requires specifying the port number in the browser's URL for Novell Teaming (such as http://icecore.mycompany.com:8080).

WARNING: Although running Tomcat as root solves this problem, it creates many (far worse) problems. Do not run Tomcat as root.

If you want Novell Teaming to be available on the default http/https ports, use an operating system feature called “kernel space port forwarding.” With this, the iptables command is used to map requests from port 80 to port 8080 (or whatever port you specify). For example:

iptables -t nat -A OUTPUT     -d localhost    -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A OUTPUT     -d yourHostname -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -d yourHostname -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A OUTPUT     -d localhost    -p tcp --dport 443 -j REDIRECT --to-ports 8443
iptables -t nat -A OUTPUT     -d yourHostname -p tcp --dport 443 -j REDIRECT --to-ports 8443
iptables -t nat -A PREROUTING -d yourHostname -p tcp --dport 443 -j REDIRECT --to-ports 8443

These changes affect only the running system; you need to add them to your startup sequence. See the *iptables* and *iptables-save* man pages for more information about setting up port forwarding.

When you use this type of configuration, you must specify the ports the Tomcat server listens to and the ports that the browsers see in the Network information window when you run the installer.

For example:

  • Port = 80

  • Listen Port = 8080

  • Secure Port = 443

  • Secure listen Port = 8443

1.5.3 Integrating with iChain

Liferay/Novell Teaming contains support for single sign-on (SSO) based on iChain®. When Novell Teaming is running in this mode, the iChain server performs user authentication tasks and passes a token representing the authenticated user’s login name to Liferay/Novell Teaming in each request to indicate who made the request.

You must configure Liferay/Novell Teaming with the same LDAP directory that iChain uses so that it can obtain and copy the user information into the portal. However, this configuration differs from the regular portal/LDAP integration because no password checking is performed against LDAP when logging into the portal (credential checking is performed only by the iChain server). This technique is safe only if all access to the portal is routed through the iChain proxy.

The SSO configuration sets up a valve that only permits access from the local server and the iChain proxy server. For more information about Tomcat’s valve configuration, see tomcat.apache.org.
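To make that trust boundary concrete, here is an added Python sketch (not Liferay's or Tomcat's code) of the check the valve performs: the login-name token carried in each request is honoured only when the TCP peer is the local server or the iChain proxy. The header name X-SSO-User and the proxy address 10.0.0.5 are placeholders for this example; the page does not give the real values.

```python
import ipaddress

# Sources the valve permits: the local server and the iChain proxy.
# The proxy address is a constructed placeholder, not a value from the guide.
ALLOWED_SOURCES = frozenset({ipaddress.ip_address("127.0.0.1"),
                             ipaddress.ip_address("10.0.0.5")})
# Placeholder header carrying the authenticated login name; iChain's real
# header name is not given on this page.
SSO_HEADER = "x-sso-user"


def authenticated_user(remote_addr, headers, allowed=ALLOWED_SOURCES):
    """Return the login name asserted by the proxy, or None if the request is refused.

    The token is trusted only because the peer is the proxy (or localhost). A client
    that reached Tomcat directly could otherwise assert any login name, which is why
    all portal access has to be routed through the iChain proxy.
    """
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return None                  # unparsable peer address: refuse
    if peer not in allowed:
        return None                  # valve rejects: neither local nor the proxy
    # Header names are case-insensitive; normalise before the lookup.
    token = {k.lower(): v for k, v in headers.items()}.get(SSO_HEADER, "").strip()
    return token or None             # no token: unauthenticated (e.g. the local admin login URL)


if __name__ == "__main__":
    # Constructed requests: (peer address, request headers)
    print(authenticated_user("10.0.0.5", {"X-SSO-User": "jdoe"}))     # jdoe
    print(authenticated_user("192.0.2.44", {"X-SSO-User": "admin"}))  # None
```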

IMPORTANT: You have two options available for WebDAV support:

  • To use a two-accelerator configuration for WebDAV support, you must select the Use iChain proxy for WebDAV option and specify the iChain WebDAV accelerator in the iChain WebDAV Proxy field during installation.

  • If you do not use a two-accelerator configuration for WebDAV support, you must use basic authorization headers to support WebDAV. With basic authorization headers, the WebDAV URLs are made public with iChain and the authentication work is delegated to Novell Teaming, which stores the passwords locally so that the Teaming WebDAV server can use them for WebDAV client authentication. In this case, the value of the iChain WebDAV Proxy field in the installer is ignored and Novell Teaming does not perform hostname rewriting for the WebDAV URLs.

See Running the Installer.

To set up an iChain proxy:

  1. Ensure that the iChain proxy’s port number matches the Novell Teaming/Liferay port number.

    If you have configured Novell Teaming to run on port 8080, the iChain proxy should also use port 8080. If the port numbers differ, you must set the Listen Port setting in the Network information window when you run the installer.

    For example, if iChain is set to provide access on the default ports (80/443) while Tomcat is listening on ports 8080/8443, use the following setting values in the Network information window when you run the installer:

    Host: your.server.host.name

    Port: 80

    Listen Port: 8080

    Secure Port: 443

    Secure listen Port: 8443

    IMPORTANT: If the iChain proxy and Novell Teaming ports are not set up identically, you might experience page layout issues and other Novell Teaming features might not function properly.

  2. In the iChain configuration window of the installer, select the Enable iChain option, set the Logoff URL setting to the log-off URL provided by the iChain proxy server, and set the iChain Proxy setting to the IP address of the iChain proxy server.

  3. Finish running the installer’s New Installation or Reconfiguration. See Running the Installer.

  4. After enabling the iChain SSO, log into Liferay by using a direct login URL: http://localhost:8080/c/portal/login and log in as admin.

    Because the SSO configuration removes the Sign In link, you must type the URL manually.

  5. If you have not already done so, use Liferay’s Admin portlet to enable LDAP-based authentication.

    This setup is necessary because Liferay must copy user data from the LDAP into the portal database upon user login.

  6. To prevent users from logging into the portal directly through the portal’s login form, remove or rename the following file from Novell Teaming’s liferay-portal-tomcat directory:

    webapps/ROOT/html/portal/login.jsp

    You might also need to remove:

    work/Catalina/localhost/_/org/apache/jsp/html/portal/login_jsp.*

  7. Liferay/Novell Teaming is now ready to be put behind the proxy. Consult your iChain documentation on how to do this.

  8. To enable iChain integration-related debug log messages, modify Liferay’s portal-log4j-ext.xml to add the following category:

     <category name="com.sitescape.team.liferay.security.auth">
      <priority value="DEBUG" /> 
     </category>
    

    Use this only for testing or troubleshooting purposes. You should not have debug logging enabled on a production system.

IMPORTANT: If you are installing Novell Teaming for use with eDirectory and GroupWise, see Using iChain for Authenticating to Teaming or Conferencing in Novell Teaming and Conferencing in the GroupWise 7 Interoperability Guide for additional instructions.