How to create a LTPA session cookie for Lotus Domino using F5 BIG-IP

I have previously blogged about how to create a LTPA session cookie for Lotus Domino and now I am finally able to present the code for creating this LTPA cookie that can be implemented on the F5 BIG-IP platform using the F5 iRules Control Language (which builds upon the Tcl scripting language). I created the code by going through a Java library for creating a LTPA cookie written by Miha Vitorovič.

The F5 iRule code is available for you to download – you just need to add the code necessary to do authentication of the user. Check F5 DevCentral for examples on this – for instance this iRule example that does reverse proxy with basic SSO.

Update: Based on this blog post I have created an article on this in the Lotus Notes & Domino wiki per request from Joyce Davis.

The following shows the actual code:

when RULE_INIT {
 set cookie_name "LtpaToken"           ;# Don't change this
 set ltpa_version "\x00\x01\x02\x03"   ;# Don't change this
 set ltpa_secret "b64encodedsecretkey" ;# Set this to the LTPA secret key (Base64, as shown in the Domino SSO configuration)
 set ltpa_timeout "1800"               ;# Token lifetime in seconds (it is added to the epoch time below); take it from your Lotus Domino LTPA configuration
}

when HTTP_REQUEST {
 #
 # Do your usual F5 HTTP authentication here
 #

 # Initial values: creation and expiration times are Unix epoch seconds rendered as uppercase hex
 set creation_time_temp [clock seconds]
 set creation_time [format %X $creation_time_temp]
 set expr_time_temp [expr { $creation_time_temp + $::ltpa_timeout }]
 set expr_time [format %X $expr_time_temp]
 set username [HTTP::username]
 set ltpa_secret_decode [b64decode $::ltpa_secret]

 # First part of token: the fields that are hashed together with the decoded secret
 set cookie_data_raw {}
 append cookie_data_raw $::ltpa_version
 append cookie_data_raw $creation_time
 append cookie_data_raw $expr_time
 append cookie_data_raw $username
 append cookie_data_raw $ltpa_secret_decode

 # SHA-1 of first part of token (raw 20-byte digest)
 set sha_cookie_raw [sha1 $cookie_data_raw]

 # Final, not yet encoded token: the same fields followed by the digest; the secret itself is never sent
 set ltpa_token_raw {}
 append ltpa_token_raw $::ltpa_version
 append ltpa_token_raw $creation_time
 append ltpa_token_raw $expr_time
 append ltpa_token_raw $username
 append ltpa_token_raw $sha_cookie_raw

 # Final Base64 encoded token
 set ltpa_token_final [b64encode $ltpa_token_raw]

 # Insert the cookie
 HTTP::cookie insert name $::cookie_name value $ltpa_token_final

 # Remove Authorization HTTP header to avoid using basic authentication
 if { [HTTP::header exists "Authorization"] } {
  HTTP::header remove "Authorization"
 }
}

How to create your own LTPA session cookie

Lotus Domino uses LTPA as the authentication technology for single sign-on. LTPA involves creating a session cookie that can be used to achieve single sign-on across several servers.

LTPA can also be used in combination with a reverse proxy to authenticate users at the reverse proxy and then be able to forward the authenticated user to backend Lotus Domino servers. The reverse proxy will then have to send a LTPA session cookie along with the HTTP request to the Lotus Domino server. The Tivoli Access Manager Webseal reverse proxy can do just that and supports LTPA.

However, if you use a product that does not support LTPA, then you have to create the LTPA cookie yourself. Daniel Lehtihet has provided the details on how to create a LTPA session cookie in the Domino Experts forum – and Miha Vitorovič from NIL Data Communications has extended this to create a Java library with all the necessary code. In short, a LTPA session cookie consists of the following fields concatenated, followed by a SHA-1 hash over those fields plus the server secret, with the whole thing Base64-encoded:

  • LTPA token version
  • Creation time
  • Expiration time
  • User name
  • Domino server secret
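To make the layout concrete, here is the same token construction in Python, together with the verification a receiving server performs (version check, constant-time digest comparison, expiry window). This is an added example, not code from the original post or from the Java library it mentions; the secret, user name and timestamps are constructed values, and encoding the user name as UTF-8 is an assumption (ASCII names are unaffected).

```python
import base64
import hashlib
import hmac
import time

LTPA_VERSION = b"\x00\x01\x02\x03"   # fixed version prefix, same as the iRule's ltpa_version
COOKIE_NAME = "LtpaToken"
DIGEST_LEN = 20                      # raw SHA-1 digest appended to the token

# Constructed example secret (Base64, the form it has in the Domino SSO configuration).
# Not a real Domino secret.
EXAMPLE_SECRET_B64 = base64.b64encode(b"constructed-example-ltpa-secret").decode("ascii")


def _header_bytes(username, creation, expiry):
    """version | creation (8 uppercase hex) | expiry (8 uppercase hex) | username."""
    # "%08X" gives the same 8 characters as the iRule's [format %X ...] for any
    # epoch value since 1978, and zero-pads should a smaller value ever be passed.
    return (LTPA_VERSION
            + ("%08X" % creation).encode("ascii")
            + ("%08X" % expiry).encode("ascii")
            + username.encode("utf-8"))   # UTF-8 is an assumption for non-ASCII names


def create_ltpa_token(username, secret_b64, timeout_seconds, now=None):
    """Build the LtpaToken cookie value.

    SHA-1 is computed over the header fields plus the *decoded* secret, but only
    the header and the digest go into the cookie; the secret never leaves the proxy.
    """
    now = int(time.time()) if now is None else int(now)
    header = _header_bytes(username, now, now + int(timeout_seconds))
    digest = hashlib.sha1(header + base64.b64decode(secret_b64)).digest()
    return base64.b64encode(header + digest).decode("ascii")


def verify_ltpa_token(token_b64, secret_b64, now=None):
    """Decode a token and apply the checks a receiving server performs.

    Returns (username, creation, expiry) for a valid token; raises ValueError
    with the reason otherwise. The digest comparison is constant-time.
    """
    now = int(time.time()) if now is None else int(now)
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except (ValueError, TypeError) as exc:
        raise ValueError("token is not valid Base64") from exc
    if len(raw) < len(LTPA_VERSION) + 16 + DIGEST_LEN:
        raise ValueError("token too short")
    if raw[:len(LTPA_VERSION)] != LTPA_VERSION:
        raise ValueError("unsupported token version")
    header, digest = raw[:-DIGEST_LEN], raw[-DIGEST_LEN:]
    expected = hashlib.sha1(header + base64.b64decode(secret_b64)).digest()
    if not hmac.compare_digest(digest, expected):
        raise ValueError("digest mismatch (wrong secret or tampered token)")
    creation = int(header[4:12].decode("ascii"), 16)
    expiry = int(header[12:20].decode("ascii"), 16)
    username = header[20:].decode("utf-8")
    if not creation <= now < expiry:
        raise ValueError("token expired or not yet valid")
    return username, creation, expiry


def demo():
    """Round trip with constructed values; returns each validation outcome."""
    issued_at = 1300000000
    token = create_ltpa_token("CN=Jane Doe/O=Example", EXAMPLE_SECRET_B64, 1800, now=issued_at)
    results = {"cookie": "%s=%s" % (COOKIE_NAME, token)}
    results["valid"] = verify_ltpa_token(token, EXAMPLE_SECRET_B64, now=issued_at + 60)
    other_secret = base64.b64encode(b"some-other-constructed-secret").decode("ascii")
    for label, secret, when in (("expired", EXAMPLE_SECRET_B64, issued_at + 3600),
                                ("wrong_secret", other_secret, issued_at + 60)):
        try:
            verify_ltpa_token(token, secret, now=when)
            results[label] = "accepted"
        except ValueError as exc:
            results[label] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because the digest covers the version, both timestamps and the user name, changing any of them without the secret invalidates the token; the expiry check is what limits replay of a token that has leaked, which is why the timeout should stay short.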

I am currently on a project where we plan to use a F5 BIG-IP application delivery controller to (among many things) authenticate and load balance HTTP requests against backend Lotus Domino servers. The solution will involve forwarding an authenticated user to the Lotus Domino server and this is where this post on creating your own LTPA session cookie comes into play. I plan to use the F5 iRules control language to create a LTPA session cookie when a user has been authenticated and then send this LTPA session cookie along with the HTTP requests to the Lotus Domino server.