
Configuring Kerberos SSO for OBIEE 12c

(Cont)

After the Admin Server starts, go to the WebLogic Admin Console and check whether the Active Directory users and
groups are retrieved.

This means that the WebLogic console is able to use the given AD Config details and retrieve the users and groups
from AD.
veera.raghavendra.rao@oracle.com

Page 17 of 51

Now assign either the Groups or Users from Active Directory to the Application Roles in FMW EM.


Add BIAuthors Group to BIContentAuthor


Click OK in the above screen.


Add BIConsumers Group to BIConsumer


Now restart all the services


Now try logging in to Analytics as an Active Directory user:

http://slc07czg.us.oracle.com:9502/analytics

If this Login is successful we can proceed with other steps.


Let's decide on the encryption types to be used


From Active Directory 2008 domain functional level onwards, Microsoft supports AES encryption types.
But if we need Java to accept AES256 encryption we need to apply the JCE Unlimited Strength Jurisdiction Policy Files
for Java 8:
http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

As per the ReadMe, we have to replace these files (US_export_policy.jar and local_policy.jar) in both JRE locations with
the ones from jce_policy-8.zip.
Before replacing the files from the zip, take a backup of the original files and then replace them.
The two locations will be:
1. The initial Java 8 that you installed before installing FMW Infrastructure and OBIEE
(C:\12c\Java\jdk1.8.0_77\jre\lib\security)
2. C:\12c\Middleware\Oracle_Home\oracle_common\jdk\jre\lib\security


WebLogic Server Configuration


The server hosting the WebLogic server may or may not run on a Windows platform, and may or may not belong to
the same internet domain as the KDC and the client browser machine. The important configuration requirements
are:
1. The server has to be represented in the Kerberos realm via the principal we defined in the previous section.
2. The server needs to be able to access the KDC.
3. The WebLogic server process needs to have access to the credentials of its account in Kerberos.
4. The WebLogic server must be configured to recognize a SPNEGO token in a request.

Configure WebLogic Server to find the KDC server


On Windows machines, create a file named krb5.ini in the C:\Windows directory.
On Unix machines the file is called krb5.conf instead of krb5.ini, and the default location is /etc/krb5/.
It may not be possible in all environments to create the file at this (/etc/krb5/) location, in which case on Linux
machines you can point to an alternate location with the environment variable KRB5_CONFIG, and for Java command
lines with the parameter -Djava.security.krb5.conf=<path>/krb5.conf.
NOTE: -Djava.security.krb5.conf=<path>/krb5.conf will be specified in JAVA_OPTIONS in setDomainEnv.cmd or
setDomainEnv.sh.

This file contains the Kerberos configuration information necessary for the WebLogic server to locate and
communicate with the Kerberos server and must have these contents:

For RC4

For DES (not suggested since it is an old one)


For AES128

For AES256

Multiple encryption types can also be used.

*********************************************************************************
[libdefaults]
default_realm = CEAL.ORACLE.COM
default_tkt_enctypes = RC4-HMAC
default_tgs_enctypes = RC4-HMAC
permitted_enctypes = RC4-HMAC
ticket_lifetime = 600
[realms]
CEAL.ORACLE.COM = {
kdc = 10.240.106.128
admin_server = slc01pfz.us.oracle.com
default_domain = CEAL.ORACLE.COM
}
[domain_realm]
.ceal.oracle.com = CEAL.ORACLE.COM
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
*********************************************************************************
Place this file in the C:\Windows directory.

Test whether the WebLogic Server is able to find the KDC server and obtain a ticket:
Verify your Kerberos configuration
It is crucial at this specific point to verify that Kerberos is set up properly and that your principal and keytab are
valid. If they are not, then there is no point in going further in the process.
kinit is a utility provided with the JDK on Windows and as part of the kerberos (or kerberos-tools) package on Linux
that can be used to validate your Kerberos configuration. NB: at this stage we are just validating that the server itself
can communicate properly with the KDC, i.e. this is a machine-level test, not a test of the WebLogic configuration.
If your principal was created properly, you should be able to request a TGT (Ticket Granting Ticket) from Kerberos
using that principal. If the keytab file was generated properly, then you should be able to use this file instead of the
password of your account. kinit tests both simultaneously. The syntax is:
kinit -k -t <keytab-file> HTTP/<WebLogic_HostName>
NB: on Unix/Linux, the principal name will be fully qualified in the form HTTP/<wls-server> and the syntax differs
slightly in that the -V switch should be added, or else it will complete silently.
So, in our example scenario for Windows the syntax is:
C:\12c\Java\jdk1.8.0_77\bin\kinit -k -t C:\12c\Middleware\Oracle_Home\user_projects\domains\bi\slc07czg.keytab HTTP/slc07czg.us.oracle.com
By default, on the Windows platform a cache file named <USER_HOME>\krb5cc_<USER_NAME> will be generated
and the output should be something similar to:
New ticket is stored in cache file C:\Users\aime\krb5cc_aime
And for Linux the example syntax would be:
kinit -V -k -t /scratch/12c/FMW/Oracle_Home/user_projects/domains/bi/slc07czg.keytab HTTP/slc07czg.us.oracle.com


For RC4-HMAC encryption

Right now my krb5.ini file has RC4-HMAC as the encryption type and the kinit goes fine.
Let us check for AES128 encryption:

Right now my krb5.ini file has AES128-CTS-HMAC-SHA1-96 as the encryption type and the kinit goes fine.
Let us check for AES256 encryption:

Right now my krb5.ini file has AES256-CTS-HMAC-SHA1-96 as the encryption type and the kinit doesn't pass.
For AES256 it shows no support even though the ktpass command ran fine.
The reason is that AES256 encryption is not fully supported at the Windows 2008 R2 domain level; it works
well if the AD domain level is 2012.
NOTE: For OBIEE 12c on Windows 2008/2012 with Active Directory at domain level 2008 R2 we can use
RC4 and AES128 encryption.
NOTE: For OBIEE 12c on Windows 2008/2012 with Active Directory at domain level 2012 R2 we can use
RC4, AES128 and AES256 encryption.
If you got to this step without any error, then you have successfully configured the KDC. Otherwise, please consult
the section on troubleshooting Kerberos configuration.
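Before running kinit it helps to know which principal and encryption types the keytab actually holds, and whether they overlap with what krb5.ini permits; a keytab that carries only RC4 and AES128 keys cannot satisfy a krb5.ini that permits only AES256, which is the shape of the failure described above. The following Python script is an added example, not from the original document or from Oracle. It parses the MIT version 2 keytab format (assumed here to be what ktpass and kadmin write) and compares the keys found for the HTTP/ principal with a krb5.ini permitted_enctypes value. The keytab bytes are constructed inside the script; the host name and realm are the document's example values.

```python
import struct

# RFC 3961 / MIT enctype numbers for the encryption types the document discusses
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
NAME_TO_ENCTYPE = {name: num for num, name in ENCTYPE_NAMES.items()}


def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(principal: str, realm: str, keys: dict, kvno: int = 2) -> bytes:
    """Build a version 2 (0x0502) keytab with one entry per enctype.
    Used here only to construct sample input; ktpass or kadmin write the real file."""
    components = principal.split("/")
    out = b"\x05\x02"
    for enctype, key in keys.items():
        body = struct.pack(">H", len(components))
        body += _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">II", 1, 0)        # name type KRB5_NT_PRINCIPAL, timestamp 0
        body += struct.pack(">B", kvno & 0xFF)  # 8-bit kvno
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)         # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data: bytes) -> list:
    """Return [(principal@REALM, kvno, enctype), ...] for each entry of a version 2 keytab.
    Entries with a negative size are deleted slots and are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        entry, p = data[pos:pos + size], 0
        ncomp, rlen = struct.unpack_from(">HH", entry, p)
        p += 4
        realm = entry[p:p + rlen].decode()
        p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", entry, p)
            p += 2
            comps.append(entry[p:p + clen].decode())
            p += clen
        p += 8                                  # name type + timestamp, not needed here
        kvno = entry[p]
        p += 1
        enctype, klen = struct.unpack_from(">HH", entry, p)
        p += 4 + klen                           # skip the key material itself
        if p + 4 <= size:                       # 32-bit kvno, when present, wins
            (kvno,) = struct.unpack_from(">I", entry, p)
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        pos += size
    return entries


def check_keytab(data: bytes, principal: str, permitted_enctypes: str) -> dict:
    """Compare the keys held for `principal` with a krb5.ini permitted_enctypes value
    (space-separated enctype names, matched case-insensitively)."""
    wanted = set()
    for name in permitted_enctypes.split():
        if name.lower() not in NAME_TO_ENCTYPE:
            raise ValueError(f"unknown enctype name: {name}")
        wanted.add(NAME_TO_ENCTYPE[name.lower()])
    have = {enc for (princ, _, enc) in parse_keytab(data) if princ == principal}
    usable = sorted(have & wanted)
    return {
        "principal_present": bool(have),
        "keytab_enctypes": sorted(ENCTYPE_NAMES.get(e, str(e)) for e in have),
        "usable_enctypes": [ENCTYPE_NAMES[e] for e in usable],
        "ok": bool(usable),
    }


# Constructed sample: a keytab holding RC4 and AES128 keys (dummy key bytes) for the
# document's example principal; a real keytab would be read with open(path, "rb").read()
SAMPLE_PRINCIPAL = "HTTP/slc07czg.us.oracle.com@CEAL.ORACLE.COM"
SAMPLE_KEYTAB = build_keytab("HTTP/slc07czg.us.oracle.com", "CEAL.ORACLE.COM",
                             {23: b"\x11" * 16, 17: b"\x22" * 16})

if __name__ == "__main__":
    # AES256-only krb5.ini against an RC4/AES128 keytab: nothing usable
    print(check_keytab(SAMPLE_KEYTAB, SAMPLE_PRINCIPAL, "AES256-CTS-HMAC-SHA1-96"))
    # RC4 or AES128 permitted: both keys usable
    print(check_keytab(SAMPLE_KEYTAB, SAMPLE_PRINCIPAL, "RC4-HMAC aes128-cts-hmac-sha1-96"))
```

Java's kinit reads the same keytab, so a principal or enctype mismatch reported here is what kinit would refuse; running the check first separates a keytab problem from a KDC or network problem.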


Configure WebLogic Login Module


JAAS allows dynamic configuration of login modules, so we need to create a JAAS configuration file that specifies the
Kerberos login modules. Create a file named krb5Login.conf in the WebLogic domain directory (i.e. in our example
scenario this would be at %ORACLE_HOME%\user_projects\domains\bi\krb5Login.conf) with the following
contents:
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/[short hostname of WebLogic server]@<Kerberos realm>"
    keyTab="<Name of the keytab file we created, relative to the WebLogic domain directory>"
    useKeyTab=true
    storeKey=true
    debug=true;
};
So, in our example scenario, this would become:
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/slc07czg.us.oracle.com@CEAL.ORACLE.COM"
    keyTab="slc07czg.keytab"
    useKeyTab=true
    storeKey=true
    debug=true;
};
Note that in practice it has been observed that different formats of specifying the principal work differently on
different JDKs and/or AD Domain Controllers. For example, in some instances the following has been used
successfully:
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/ slc07czg.us.oracle.com@CEAL.ORACLE.COM"
    keyTab="bieesvr1.keytab"
    useKeyTab=true
    storeKey=true
    debug=true;
};



Note that we specify just the name of the keytab file, as both the keytab file and the krb5Login.conf file are in the
WebLogic domain directory. Also note the quotation marks around the principal name; these are required.

Next, we need to specify the file location as a startup option on the WLS Java command line:
-Djava.security.auth.login.config=krb5Login.conf
and specify the two following additional Java options:
-Djavax.security.auth.useSubjectCredsOnly=false
-Djava.security.enableNegotiate=true
These settings can be specified in the WebLogic domain environment script, which can be found in the bin
subdirectory under the WebLogic domain directory. So, in our example scenario, we would edit the file
%ORACLE_HOME%\user_projects\domains\bi\bin\setDomainEnv.cmd
Find the line that reads:
set JAVA_PROPERTIES=%JAVA_PROPERTIES% %EXTRA_JAVA_PROPERTIES%
and before it, insert this line (all on one line):
set EXTRA_JAVA_PROPERTIES=-Djava.security.auth.login.config=C:\12c\Middleware\Oracle_Home\user_projects\domains\bi\krb5Login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.krb5.realm=CEAL.ORACLE.COM -Djava.security.krb5.kdc=slc01pfz.us.oracle.com -Dsun.security.krb5.debug=true -Djava.security.enableNegotiate=true -Djava.security.krb5.conf=C:\Windows\krb5.ini %EXTRA_JAVA_PROPERTIES%

N.B. you will, of course, need to restart the WebLogic Admin Server and any/all Managed Servers for these settings to
take effect.
If your WebLogic server is on Linux and you were not able to place the krb5.conf file in the default location (usually
/etc/krb5 in Oracle Unbreakable Linux, but check the details if you are using an alternate distribution), you also need
to specify the parameter -Djava.security.krb5.conf=<path>/krb5.conf before the %EXTRA_JAVA_PROPERTIES%.


Configure the Single Pass Negotiate Identity Assertion provider


In order to enable WebLogic to extract a SPNEGO/Kerberos ticket from incoming requests, you need to enable the
NegotiateIdentityAsserter provider, which will use the login config and keytab file we set up in the previous section
to communicate with the Kerberos server.
In the WebLogic Admin Console, add a new authentication provider and select the type NegotiateIdentityAsserter.


Click the Reorder button, then select the tickbox next to your NegotiateIdentityAsserter (SPNEGOAsserter in our
example), then use the shuttle control to put the NegotiateIdentityAsserter second in the list behind the
ActiveDirectoryAuthenticator we configured earlier.

CONFIGURE BI APP FOR SSO


Configure BI Analytics App to request SPNEGO Authentication
Finally, on the WebLogic server, we need to change the deployment descriptors for the BI Analytics application to
apply a security constraint so that it will request the SPNEGO/Kerberos authentication information.
Locate analytics.ear in your Oracle BI home directory.


Make a backup copy of the ear file so that you have a restore point to refer back to (and revert to) if needed.
Unpack the analytics.ear file to a temporary location using the Java jar tool. Use the command line options xvf to
extract the contents to the current working directory
(e.g. C:\12c\Java\jdk1.8.0_77\bin\jar xvf C:\12c\Middleware\Oracle_Home\bi\bifoundation\jee\analytics.ear), so
you will probably want to create a temporary directory to hold the unpacked contents and change into that directory
before running the command.
The ear contains a META-INF directory and two war files, analytics.war and analytics-ws.war.

In 7-Zip, under Tools > Options > Editor tab, set WordPad as the editor:

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe

Instead of the jar xvf commands you can use the 7-Zip file manager if 7-Zip is installed.

Unpack the analytics.war file to a second temporary location; it contains a default.jsp file and five top-level
directories, one of which is called WEB-INF.


In the weblogic.xml file, add the lines below before </weblogic-web-app>:


<security-role-assignment>
    <role-name>SSORole</role-name>
    <principal-name>SSOUsers</principal-name>
    <principal-name>AnyGroupwhoshouldhaveSSO</principal-name>
</security-role-assignment>
</weblogic-web-app>


Note that in practice, it has been observed that different platforms require slightly different formatting of the text
above.
Make sure there are no hidden characters and check that the quotes are correct for your platform. In particular, it has
been noticed that cutting and pasting out of a document does not always result in a working weblogic.xml.
The name of the role is not important, so long as it is consistent in this file and in the sections we will add to the
web.xml file in the next step.
The principal-name element(s) should refer to the Active Directory groups (not Application Roles) you wish to allow
access to the application. NB: all BI users will need to be members of at least one of these groups.
Also in the WEB-INF directory, you will find an existing file called web.xml. Edit web.xml and look for a section like
this:
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
Replace this section with the following:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>BI Analytics</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>SSORole</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
    <role-name>SSORole</role-name>
</security-role>
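The two descriptor edits only work together when the role name is spelled identically in both files, the constraint really covers /*, each role is mapped to at least one Active Directory group, and no hidden characters crept in from a copy-and-paste. The following Python script is an added example, not part of the original document or of the OBIEE product, that checks exactly those points before the war is repackaged. The two descriptor fragments are constructed sample input modelled on the snippets above; the namespace URIs in them are assumptions, and the checks ignore namespaces so that other values work too.

```python
import xml.etree.ElementTree as ET

# characters that a copy-and-paste from a document typically smuggles into weblogic.xml
SMART_QUOTES = "\u201c\u201d\u2018\u2019\u00a0"


def _local(tag: str) -> str:
    """Element name without its {namespace} prefix, so both descriptors can be
    searched the same way regardless of the namespace URI they declare."""
    return tag.rsplit("}", 1)[-1]


def _child_texts(root, parent_name: str, child_name: str) -> list:
    """Text of every <child_name> directly under every <parent_name> at or below root."""
    found = []
    for parent in root.iter():
        if _local(parent.tag) == parent_name:
            for child in parent:
                if _local(child.tag) == child_name and child.text and child.text.strip():
                    found.append(child.text.strip())
    return found


def check_descriptors(web_xml: str, weblogic_xml: str) -> list:
    """Return a list of problems; an empty list means the two files agree."""
    problems = []
    for label, text in (("web.xml", web_xml), ("weblogic.xml", weblogic_xml)):
        bad = sorted({c for c in text if c in SMART_QUOTES})
        if bad:
            problems.append(f"{label}: contains hidden/smart-quote characters {bad!r}")
    if problems:
        return problems  # these would also break parsing, so stop here

    web = ET.fromstring(web_xml)
    wls = ET.fromstring(weblogic_xml)

    # 1. a security-constraint must cover /* and demand at least one role
    constrained, protects_all = set(), False
    for sc in web.iter():
        if _local(sc.tag) == "security-constraint":
            roles = _child_texts(sc, "auth-constraint", "role-name")
            patterns = _child_texts(sc, "web-resource-collection", "url-pattern")
            constrained.update(roles)
            if roles and "/*" in patterns:
                protects_all = True
    if not protects_all:
        problems.append("web.xml: no security-constraint with an auth-constraint covers /*")

    # 2. role names must be declared in web.xml and mapped in weblogic.xml, spelled identically
    declared = set(_child_texts(web, "security-role", "role-name"))
    mapped = set(_child_texts(wls, "security-role-assignment", "role-name"))
    for role in sorted(constrained - declared):
        problems.append(f"web.xml: role {role} is used in auth-constraint but not declared in security-role")
    for role in sorted(declared - mapped):
        problems.append(f"weblogic.xml: role {role} has no security-role-assignment")
    for role in sorted(mapped - declared):
        problems.append(f"weblogic.xml: role {role} is mapped but unknown to web.xml")

    # 3. every mapping must name at least one AD group / principal
    for assignment in wls.iter():
        if _local(assignment.tag) == "security-role-assignment":
            if not _child_texts(assignment, "security-role-assignment", "principal-name"):
                problems.append("weblogic.xml: security-role-assignment without any principal-name")

    # 4. the login-config the document keeps in place
    if "CLIENT-CERT" not in _child_texts(web, "login-config", "auth-method"):
        problems.append("web.xml: login-config auth-method is not CLIENT-CERT")
    return problems


# constructed sample descriptors (namespace URIs assumed)
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>BI Analytics</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>SSORole</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
  <security-role>
    <role-name>SSORole</role-name>
  </security-role>
</web-app>
"""
SAMPLE_WEBLOGIC_XML = """<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <context-root>analytics</context-root>
  <security-role-assignment>
    <role-name>SSORole</role-name>
    <principal-name>SSOUsers</principal-name>
  </security-role-assignment>
</weblogic-web-app>
"""

if __name__ == "__main__":
    print(check_descriptors(SAMPLE_WEB_XML, SAMPLE_WEBLOGIC_XML))
    # the same files with the role name miscapitalised on the weblogic.xml side
    print(check_descriptors(SAMPLE_WEB_XML, SAMPLE_WEBLOGIC_XML.replace("SSORole", "SsoRole")))
```

To use it on real files, read WEB-INF/web.xml and WEB-INF/weblogic.xml from the unpacked war and pass their contents in; an empty result means the role wiring is consistent, while any message points at the file and element to fix before repackaging.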


The name of the role is not important, so long as it is consistent in this file and in the weblogic.xml file.
Once you have edited both files, repackage the analytics.war file, again using the jar tool, and in turn repackage that
back into the analytics.ear file.

Next we need to redeploy the analytics.ear file to WebLogic so that the new security constraint will come into effect.
Log into the WebLogic Admin Console and click on Deployments.
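The repackaging step is where a war or ear is most easily damaged: re-creating the archives from a directory tree can drop or reorder META-INF/MANIFEST.MF and pick up stray editor files. Since jar and war files are zip archives, the two descriptors can instead be swapped in place while every other entry is copied byte-for-byte in its original order. The following Python script is an added example, not from the original document or from Oracle; it builds a small stand-in for analytics.ear in memory (the real one is produced by the installer and contains far more), replaces WEB-INF/web.xml and WEB-INF/weblogic.xml inside analytics.war, and puts the updated war back into the ear.

```python
import io
import zipfile


def replace_entries(archive: bytes, replacements: dict) -> bytes:
    """Return a copy of a zip/jar archive with the named entries replaced.
    Every other entry (META-INF/MANIFEST.MF included) is copied unchanged, in its
    original order and with its original compression method and timestamp."""
    src = zipfile.ZipFile(io.BytesIO(archive))
    out = io.BytesIO()
    seen = set()
    with zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = replacements.get(info.filename, src.read(info.filename))
            seen.add(info.filename)
            dst.writestr(info, data)  # ZipInfo carries the original compress_type
    missing = set(replacements) - seen
    if missing:
        raise KeyError(f"entries not present in archive: {sorted(missing)}")
    return out.getvalue()


def update_analytics_ear(ear: bytes, web_xml: str, weblogic_xml: str) -> bytes:
    """Swap the two descriptors inside analytics.war, then swap that war inside the ear."""
    war = zipfile.ZipFile(io.BytesIO(ear)).read("analytics.war")
    new_war = replace_entries(war, {
        "WEB-INF/web.xml": web_xml.encode("utf-8"),
        "WEB-INF/weblogic.xml": weblogic_xml.encode("utf-8"),
    })
    return replace_entries(ear, {"analytics.war": new_war})


def entry_names(archive: bytes) -> list:
    return [i.filename for i in zipfile.ZipFile(io.BytesIO(archive)).infolist()]


def read_from_war_in_ear(ear: bytes, war_name: str, entry: str) -> str:
    war = zipfile.ZipFile(io.BytesIO(ear)).read(war_name)
    return zipfile.ZipFile(io.BytesIO(war)).read(entry).decode("utf-8")


# constructed descriptor contents: the shipped login-config and the SSO replacement
ORIGINAL_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>
"""
NEW_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>BI Analytics</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>SSORole</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
  <security-role><role-name>SSORole</role-name></security-role>
</web-app>
"""
NEW_WEBLOGIC_XML = """<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <security-role-assignment>
    <role-name>SSORole</role-name>
    <principal-name>SSOUsers</principal-name>
  </security-role-assignment>
</weblogic-web-app>
"""


def build_sample_ear() -> bytes:
    """Constructed stand-in for the installer's analytics.ear (layout only)."""
    war_buf = io.BytesIO()
    with zipfile.ZipFile(war_buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        war.writestr("default.jsp", "<%-- constructed placeholder --%>\n")
        war.writestr("WEB-INF/web.xml", ORIGINAL_WEB_XML)
        war.writestr("WEB-INF/weblogic.xml", "<weblogic-web-app/>\n")
    ear_buf = io.BytesIO()
    with zipfile.ZipFile(ear_buf, "w", zipfile.ZIP_DEFLATED) as ear:
        ear.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        ear.writestr("META-INF/application.xml", "<application/>\n")
        ear.writestr("analytics.war", war_buf.getvalue())
        ear.writestr("analytics-ws.war", b"")
    return ear_buf.getvalue()


if __name__ == "__main__":
    original = build_sample_ear()
    updated = update_analytics_ear(original, NEW_WEB_XML, NEW_WEBLOGIC_XML)
    print(entry_names(updated))
    print(read_from_war_in_ear(updated, "analytics.war", "WEB-INF/web.xml"))
```

For a real deployment, read the backed-up analytics.ear with open(path, "rb").read(), pass the edited descriptor text in, and write the returned bytes to a new file; comparing entry_names() of the old and new ear is a quick check that nothing but the two descriptors changed.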

