Celvin Kattookaran
Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server
Table of Contents
Purpose (page 3)
Prerequisites (page 4)
Join the Kerberos realm (page 7)
Configuring the Active Directory Machine for Kerberos (page 8)
Create SSO Group in Active Directory (page 8)
Create SSO Group in Active Directory (page 10)
Creating Active Directory user which will be used as Kerberos Service Principal (page 14)
Mapping Local User to SPN (page 17)
Creating krb5.ini (page 17)
Add Weblogic Admin Server as a Windows Service (page 19)
Configuring the WebLogic Machine for Kerberos (page 20)
Create Service Principal Name and Keytab File (page 20)
Check which SPNs are associated with the user (page 22)
Creating the JAAS Configuration File (page 22)
Create Active Directory Authenticator in WebLogic Security Realm (page 23)
Change the control flag of DefaultAuthenticator (page 29)
Check the active directory authenticator (page 29)
Configure Negotiate Identity Asserter (page 30)
Reordering the Authentication providers (page 32)
Granting WebLogic Administrator Role to the SSO User (page 33)
Add Kerberos options in Weblogic startup script (page 35)
Enable debugging in Weblogic (Optional) (page 35)
Deploying Workspace (page 37)
Configuring Workspace for SSO (page 39)
Customizing EPM Workspace Services Configuration Scripts (page 39)
Setting Up Workspace for Single Sign-On (page 39)
Configuring Workspace for Single Sign-On (page 39)
Updating JVM Arguments of Workspace (page 44)
Adding Policies to workspace deployment (page 45)
External Authentication in Hyperion Shared Services (page 48)
Configuring Browser on Client Computers (page 53)
Purpose
The purpose of this document is to describe the procedure that enables Oracle
Hyperion Workspace, Fusion Edition V.11.1.1 for Windows Single Sign-On (SSO).
In other words, a Windows logon using the Kerberos realm provides transparent
Workspace access: once the user logs in to his computer (which is in his
organization's domain), he is not asked for a Workspace login.
Prerequisites
1. Keep all machines in the same time zone with the same date and time. This
also applies to all clients.
2. Make sure server connectivity is set up with static IP addresses and manually
configured DNS server IPs. A spotless DNS configuration for both forward and
reverse resolution is fundamental to a reliable Kerberos setup.
3. Test nslookup with forward and reverse resolution.
4. Run "dcdiag /s:ADmachine". Any error must be corrected before
proceeding.
http://www.microsoft.com/downloadS/details.aspx?FamilyID=f08d28f3-b835-4847-b810-bb6539362473&displaylang=en
Download Windows Server 2003 Service Pack 2 32-bit Support Tools from
http://www.microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D-939B-9A772EA2DF90&displaylang=en
Download Windows 2000 Resource Kit Tools for administrative tasks from
http://support.microsoft.com/kb/927229
where you enter the Kerberos realm name (capitalized) and the FQDN of the
KDC machine. To see the Kerberos state, use the /dumpstate switch of ksetup.
Note: This step is mainly needed if your KDC is a non-AD KDC or a UNIX-based KDC.
It also works if you use ksetup for an Active Directory KDC, but it is not required if
you join the machines to the domain.
After adding the machine to a Kerberos realm, this value is stored in the registry under
HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Domains
Create a group called wls_users (this group will hold all the WebLogic users).
Creating Active Directory user which will be used as Kerberos Service Principal
4. Set up additional user properties for the SPN (Service Principal Name) user.
5. Trust the user for delegation. The Delegation tab appears only if the domain is
at the Windows 2003 functional level.
Creating krb5.ini
[libdefaults]
default_realm = CERASOFT.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
ticket_lifetime = 600
kdc_timesync = 1
ccache_type = 4
clockskew = 1200
[realms]
CERASOFT.COM = {
kdc = 10.8.5.70
admin_server = CELVIN-AD.CERASOFT.com
default_domain = CERASOFT.com
}
[domain_realms]
cerasoft.com = CERASOFT.COM
.cerasoft.com = CERASOFT.COM
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
CELVIN-AD/10.8.5.70
IPv4 address
default etypes for default_tkt_enctypes: 23 16 1 3.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> Kinit: sending as_req to realm CERASOFT.COM
>>> KrbKdcReq send: kdc=10.8.5.70 UDP:88, timeout=30000, number of retries =3, #bytes=181
>>> KDCCommunication: kdc=10.8.5.70 UDP:88, timeout=30000,Attempt =1, #bytes=181
You can use the kerbtray and klist utilities to list the tickets stored.
set WL_HOME=E:\bea\weblogic92
set JAVA_OPTIONS=-Dweblogic.Stdout="E:\bea\user_projects\domains\Hyperion\logs\StdOut.log" -Dweblogic.Stderr="E:\bea\user_projects\domains\Hyperion\logs\StdErr.log" %JAVA_OPTIONS%
If you wish to change the name of the service, edit this portion of installSvc.cmd:
-svcname:"beasvc %DOMAIN_NAME%_%SERVER_NAME%"
e.g. -svcname:"BEA Weblogic %DOMAIN_NAME%_%SERVER_NAME%"
Note: This procedure should be performed on the machine that hosts the WebLogic server;
for example, on your Workspace server.
The service principal name and keytab file are used to provide SSO between the
browser and the WebLogic SPNEGO filters. A keytab is a file that contains pairs of
Kerberos principals and DES-encrypted keys derived from the Kerberos password.
It is used to log in to Kerberos without being asked again for a username and
password.
The keytab file is computer-independent. You can copy it from one computer to another. It
is better to have a global keytab file.
Note: Ensure the SPN is created using the fully qualified domain name (FQDN) of the
WebLogic server.
After running the command you will see a message similar to the one shown. You can
ignore the warning; alternatively, if you want to set a principal type, add the switch
-ptype KRB5_NT_PRINCIPAL to the ktpass command.
After setting up the keytab, the logon name of the SPN user should change to
HTTP/servername
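As an added example (not part of the original document), the following Python builds and parses a keytab in the MIT format (version 0x0502) that ktpass writes, so the HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM entry can be checked before the JAAS configuration points at it; the key material is constructed sample data, and single-DES keys are flagged because RFC 6649 deprecates them.

```python
import struct

# Enctype numbers from the Kerberos registry; 1 and 3 are single DES, deprecated by RFC 6649.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
KRB5_NT_PRINCIPAL = 1  # name type set by ktpass -ptype KRB5_NT_PRINCIPAL

def _counted(b):
    return struct.pack(">H", len(b)) + b
def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def build_keytab(principal, enctype, key, kvno=1, name_type=KRB5_NT_PRINCIPAL):
    """Serialise a one-entry version-0x0502 keytab; key is constructed sample material."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)   # name type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key       # keyblock: enctype, length, key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return one dict per entry (principal, enctype name, kvno, name_type); keys are not exposed."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size <= 0:                 # 0 = padding, negative = deleted slot of that size
            if size == 0:
                break
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp)
        name_type, _ts, kvno = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, str(enctype)), "name_type": name_type})
        pos = end                     # skips the key bytes and any trailing 32-bit kvno
    return entries

def check_spn_entry(entries, expected):
    """List reasons SPNEGO would fail: SPN entry missing, wrong name type, or a single-DES key."""
    hits = [e for e in entries if e["principal"] == expected]
    problems = [] if hits else ["keytab has no entry for " + expected]
    for e in hits:
        if e["name_type"] != KRB5_NT_PRINCIPAL:
            problems.append("name type %d is not KRB5_NT_PRINCIPAL" % e["name_type"])
        if e["enctype"].startswith("des-"):
            problems.append("single-DES key %s is deprecated" % e["enctype"])
    return problems
```

Run parse_keytab over the bytes of E:\bea\bea.keytab and pass the principal from krb5Login.conf to check_spn_entry to confirm the two agree.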
You can use the setspn utility, ldifde, or ADSI Edit to check the SPNs.
Use ldifde to check which entries are associated with the host/, http/ or HTTP/ string:
dn: CN=CELVIN-AD_WLS,CN=Users,DC=CERASOFT,DC=com
changetype: add
servicePrincipalName: HTTP/CELVIN-AD.CERASOFT.com
The JAAS login configuration file identifies the system properties and login
modules that direct WebLogic server to allow Kerberos authentication to occur.
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
principal="HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM"
useKeyTab=true
keyTab="E:\\bea\\bea.keytab"
storeKey=true
debug=true;
};
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal="HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM"
useKeyTab=true
keyTab="E:\\bea\\bea.keytab"
storeKey=true
debug=true;
};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal="HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM"
useKeyTab=true
keyTab="E:\\bea\\bea.keytab"
storeKey=true
debug=true;
};
A WebLogic security realm is a container for the users, groups, security policies,
roles and providers that are used to protect WebLogic resources. Create an
Active Directory authenticator so that Active Directory users can access
WebLogic.
Eg: CeraSoftAD-AuthN
9. Click OK to proceed.
10. Select the newly created provider from the summary list.
11. Click on Common in the Configuration tab.
12. Change the Control Flag to OPTIONAL.
13. Click on Provider Specific tab
14. Change the Group Base DN to reflect your Active directory. This should
be the Distinguished Name (DN) of the group to which the bea_sso_ad user
belongs. For example, if the bea_sso_ad user belongs to the
CERASOFT.COM/Users group, enter CN=Users,DC=CERASOFT,DC=com.
15. Change the User Name Attribute to sAMAccountName; cn is selected by
default. I would recommend using sAMAccountName for MSAD.
19. In User Base DN, enter the DN of the LDAP directory tree that contains
users. For example, if users are defined in CERASOFT.COM/Users group,
enter CN=Users,DC=CERASOFT,DC=com.
20. Check whether the active directory port is set correctly.
21. In Principal, enter the DN of the user (usually the Active Directory
administrator) that WebLogic uses to connect to Active Directory. For
example, CN=Administrator,CN=Users,DC=CERASOFT,DC=com
22. Enter the Credential and confirm it.
23. Click Save to continue.
The Negotiate Identity Assertion provider enables single sign-on (SSO) with
Microsoft clients. The identity assertion provider decodes Simple and Protected
Negotiate (SPNEGO) tokens to obtain Kerberos tokens, validates the Kerberos
tokens, and maps Kerberos tokens to WebLogic users. The Negotiate Identity
Assertion provider utilizes the Java Generic Security Service (GSS) Application
Programming Interface (API) to accept the GSS security context via Kerberos.
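As an added example (not part of the original document), the following Python decodes the Authorization: Negotiate header a browser sends and tells SPNEGO carrying Kerberos apart from an NTLM fallback, which is what the asserter cannot validate and the usual reason the login screen still appears; the tokens it builds are constructed samples, and the OIDs are the standard GSS-API mechanism identifiers.

```python
import base64

MECHS = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos V5",
         "1.2.840.48018.1.2.2": "MS Kerberos V5", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

def encode_oid(dotted):
    """Dotted OID string -> DER OID content bytes (base-128 arcs, high bit = continuation)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out += chunk
    return bytes(out)

MECH_BYTES = {encode_oid(oid): name for oid, name in MECHS.items()}

def der_tlv(tag, body):      # builder: short-form length only (the sample tokens are < 128 bytes)
    return bytes([tag, len(body)]) + body
def read_tlv(data, pos):     # parser: also handles the long-form lengths real tokens use
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def build_negotiate_header(mech_oids):
    """Constructed NegTokenInit listing mech_oids, like a browser's first Negotiate header."""
    mech_list = der_tlv(0x30, b"".join(der_tlv(0x06, encode_oid(o)) for o in mech_oids))
    neg_init = der_tlv(0xA0, der_tlv(0x30, der_tlv(0xA0, mech_list)))
    gss = der_tlv(0x60, der_tlv(0x06, encode_oid("1.3.6.1.5.5.2")) + neg_init)
    return "Negotiate " + base64.b64encode(gss).decode()

def classify_negotiate(header):
    """Tell raw NTLM, bare Kerberos and SPNEGO apart; for SPNEGO list the offered mechs in order."""
    scheme, _, b64 = header.partition(" ")
    tok = base64.b64decode(b64) if scheme == "Negotiate" else b""
    if tok.startswith(b"NTLMSSP\x00"):      # raw NTLMSSP: sent when the browser holds no Kerberos ticket
        return {"kind": "raw NTLM", "mechs": ["NTLMSSP"], "kerberos_first": False}
    if not tok or tok[0] != 0x60:           # not a GSS-API InitialContextToken at all
        return {"kind": "not a GSS-API token", "mechs": [], "kerberos_first": False}
    _, body, _ = read_tlv(tok, 0)
    _, oid, pos = read_tlv(body, 0)
    mech = MECH_BYTES.get(oid, oid.hex())
    if mech != "SPNEGO":                    # a bare mechanism token, e.g. a plain Kerberos AP-REQ
        return {"kind": "bare " + mech, "mechs": [mech], "kerberos_first": "Kerberos" in mech}
    _, init, _ = read_tlv(body, pos)        # [0] NegTokenInit
    _, seq, _ = read_tlv(init, 0)           # SEQUENCE
    _, ctx0, _ = read_tlv(seq, 0)           # [0] mechTypes
    _, lst, _ = read_tlv(ctx0, 0)           # SEQUENCE OF OID
    mechs, p = [], 0
    while p < len(lst):
        _, o, p = read_tlv(lst, p)
        mechs.append(MECH_BYTES.get(o, o.hex()))
    # The first mechType is the one the browser sent an optimistic token for; if that is
    # NTLMSSP the Negotiate asserter cannot validate it and the Workspace login form appears.
    return {"kind": "SPNEGO", "mechs": mechs, "kerberos_first": bool(mechs) and "Kerberos" in mechs[0]}
```

Feed classify_negotiate the Authorization header value copied from the WebLogic debug log or a browser trace; kerberos_first being False explains a login prompt without touching the keytab.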
Eg. CeraSoftAD-Neg_ID_Asserter
11. In Group Argument Name, type the group to which bea_sso_ad belongs
(here it is wls_users).
12. Click Add.
13. Type Administrators and click Add to add the Administrators group.
14. Click Finish.
You must edit the startup script for your WebLogic domain; for example,
C:\bea\user_projects\domains\ws_domain\bin\startWeblogic.cmd, to include the
following Kerberos options.
set KERB_OPTIONS=-Djava.security.krb5.realm=CERASOFT.COM ^
 -Djava.security.krb5.kdc=10.8.5.70 ^
 -Djava.security.auth.login.config=E:\bea\krb5Login.conf ^
 -Djavax.security.auth.useSubjectCredsOnly=false ^
 -Dweblogic.security.enableNegotiate=true ^
 -Djava.security.krb5.conf=C:\WINNT\krb5.ini
This is an optional step: if you enable debugging in WebLogic, increase the
log rotation size from 500 KB to 2048 KB.
Deploying Workspace
If you have already deployed Workspace, delete it from Deployments in the
WebLogic Administration Console.
G:\Hyperion\deployments\WebLogic9\servers\Workspace\webapps
During the deployment process, specify these options in the Optional Settings page
of WebLogic Install Application Assistant.
1. In Security, select Custom Roles and Policies: Use only roles and
policies that are defined in the Administration console.
2. In Source accessibility, select I will make the deployment accessible
from the following location.
3. In Location, enter G:\Hyperion\deployments\WebLogic9\servers\Workspace\webapps\workspace.
%HYPERION_HOME%/products/Foundation/workspace/bin/settrustedpass.bat
eg. G:\Hyperion\deployments\WebLogic9\servers\Workspace\webapps\workspace
1. Login to Workspace.
15. From the drop-down, select $TRUSTEDPASS$ for Custom Password
Policy.
1. Open the Registry Editor.
2. Navigate to HKLM\SOFTWARE\Hyperion Solutions\Workspace\HYS9Workspace
3. Add the following keys to the registry.
4. All JVMOptions are of type String.
JVMOption12 = -Djava.security.krb5.realm=CERASOFT.COM
JVMOption13 = -Djava.security.krb5.kdc=10.8.5.70
JVMOption14 = -Djava.security.auth.login.config=E:\bea\krb5Login.conf
JVMOption15 = -Djavax.security.auth.useSubjectCredsOnly=false
JVMOption16 = -Dweblogic.security.enableNegotiate=true
JVMOption17 = -Djava.security.krb5.conf=C:\WINNT\krb5.ini
You must create custom policies for the URL patterns specific to Workspace Web
application.
5. Go to Policies.
6. Click New.
7. Enter the URL Pattern as /index.jsp.
8. Select the Provider Name as XACMLAuthorizer.
10. Enter the User DN and click Append Base DN. (This user can be an
AD administrator or any user who can search for all the Hyperion users.)
11. Enter the Password.
16. You can also configure MSAD groups in a similar way.
17. If you don't want to use MSAD groups, I would still recommend
configuring a group in MSAD where that group is the only container and it
doesn't have any users.
18. Click Finish to finish the external directory configuration.
19. Click OK.
20. Restart Shared Services.
24. Click Search; if the configuration is correct, all the AD users are
listed.
5. Click on Advanced.
11. In the Advanced tab, check whether Enable Integrated Windows Authentication is
selected.
12. Click OK to finish the settings.
If Kerberos authentication is working, you will not see the standard login screen.