
Enable Kerberos (SSO) with Workspace 11.1.1.3 on WebLogic 9.2 MP3 & Apache HTTP Server

Celvin Kattookaran

Table of Contents

Purpose
Prerequisites
Join the Kerberos realm
Configuring the Active Directory Machine for Kerberos
Create SSO Group in Active Directory
Create SSO User in Active Directory
Creating Active Directory user which will be used as Kerberos Service Principal
Mapping Local User to SPN
Creating krb5.ini
Add Weblogic Admin Server as a Windows Service
Configuring the WebLogic Machine for Kerberos
Create Service Principal Name and Keytab File
Check which SPNs are associated with the user
Creating the JAAS Configuration File
Create Active Directory Authenticator in WebLogic Security Realm
Change the control flag of DefaultAuthenticator
Check the active directory authenticator
Configure Negotiate Identity Asserter
Reordering the Authentication providers
Granting WebLogic Administrator Role to the SSO User
Add Kerberos options in Weblogic startup script
Enable debugging in Weblogic (Optional)
Deploying Workspace
Configuring Workspace for SSO
Customizing EPM Workspace Services Configuration Scripts
Setting Up Workspace for Single Sign-On
Configuring Workspace for Single Sign-On
Updating JVM Arguments of Workspace
Adding Policies to workspace deployment
External Authentication in Hyperion Shared Services
Configuring Browser on Client Computers


Purpose

The purpose of this document is to describe the procedure that enables Oracle
Hyperion Workspace, Fusion Edition V.11.1.1 for Windows Single Sign-On.

In other words, a Windows logon using the Kerberos realm provides transparent
Workspace access. Once the user logs in to his computer (which is in his
organization's domain) he won't be asked for a Workspace login.


Prerequisites
1. Keep all machines, clients included, on the same time zone, time and date.
2. Make sure server connectivity is set up with static IP addresses and manually
configured DNS servers. A spotless DNS configuration for both forward and reverse
resolution is fundamental to a reliable Kerberos setup.
3. Test nslookup using both forward and reverse resolution.
4. Test "dcdiag /s:ADmachine". Any error must be corrected before proceeding.

C:\Documents and Settings\Administrator.CELVIN-AD>dcdiag /s:CELVIN-AD.CERASOFT.com

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\CELVIN-AD
Starting test: Connectivity
......................... CELVIN-AD passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\CELVIN-AD
Starting test: Replications
......................... CELVIN-AD passed test Replications
Starting test: NCSecDesc
......................... CELVIN-AD passed test NCSecDesc
Starting test: NetLogons
......................... CELVIN-AD passed test NetLogons
Starting test: Advertising
......................... CELVIN-AD passed test Advertising
Starting test: KnowsOfRoleHolders
......................... CELVIN-AD passed test KnowsOfRoleHolders
Starting test: RidManager
......................... CELVIN-AD passed test RidManager
Starting test: MachineAccount
......................... CELVIN-AD passed test MachineAccount
Starting test: Services
......................... CELVIN-AD passed test Services
Starting test: ObjectsReplicated
......................... CELVIN-AD passed test ObjectsReplicated
Starting test: frssysvol
......................... CELVIN-AD passed test frssysvol
Starting test: frsevent
......................... CELVIN-AD passed test frsevent
Starting test: kccevent
......................... CELVIN-AD passed test kccevent
Starting test: systemlog
......................... CELVIN-AD passed test systemlog
Starting test: VerifyReferences
......................... CELVIN-AD passed test VerifyReferences

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : CERASOFT
Starting test: CrossRefValidation
......................... CERASOFT passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... CERASOFT passed test CheckSDRefDom

Running enterprise tests on : CERASOFT.com
Starting test: Intersite
......................... CERASOFT.com passed test Intersite
Starting test: FsmoCheck
......................... CERASOFT.com passed test FsmoCheck

5. The whole setup is under the assumption that Workspace is deployed manually.
6. If you wish, you can raise the functional level of your Active Directory to
Windows 2003. (I would recommend doing so, since I have a working setup.)

• Log in to Active Directory Users and Computers (Start > Administrative Tools >
Active Directory Users and Computers). Right-click your domain and select
Raise Domain Functional Level.


• You’ll get a confirmation window. Click “OK”

7. Install the Windows 2003/2000 Support Tools; we will be using:

• ksetup, which configures a client to use a Kerberos V5 realm instead of a
Windows Server 2003 domain
• ktpass, which configures a service as a Kerberos principal and generates the
keytab file that contains the service principal and its key
• setspn, which manipulates the Service Principal Names (SPNs) of an AD
service account
• ldifde, which exports Active Directory content (LDIF Directory Exchange)

Download the Windows 2000 Service Pack 4 Support Tools from

http://www.microsoft.com/downloadS/details.aspx?FamilyID=f08d28f3-b835-4847-b810-bb6539362473&displaylang=en


Download the Windows Server 2003 Service Pack 2 32-bit Support Tools from

http://www.microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D-939B-9A772EA2DF90&displaylang=en

8. Install the Resource Kit Tools for troubleshooting Kerberos:

• kerbtray, to view the tickets
• klist, to list and purge tickets (a utility of the same name ships with the JRE,
but with different options)

Download the Windows 2000 Resource Kit Tools for administrative tasks from

http://support.microsoft.com/kb/927229

Join the Kerberos realm

To join the Kerberos realm you can use ksetup:

C:\Documents and Settings\Administrator.CELVIN-AD>ksetup /addkdc CERASOFT.COM CELVIN-AD.CERASOFT.COM

where you enter the Kerberos realm name (capitalized) and the FQDN of the KDC
machine. To see the Kerberos state, use the /dumpstate switch with ksetup.

C:\Documents and Settings\Administrator.CELVIN-AD>ksetup /dumpstate
default realm = CERASOFT.com (NT Domain)
CERASOFT.COM:
kdc = CELVIN-AD.CERASOFT.COM
Realm Flags = 0x0 none
No user mappings defined.

Note: This step is mainly needed if your KDC is not an Active Directory KDC, for
example a UNIX-based KDC. It also works with an Active Directory KDC, but it is not
required if you join the machines to the domain.

After adding the machine to a Kerberos realm, this value is stored in the registry under

HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Domains


Configuring the Active Directory Machine for Kerberos

Create SSO Group in Active Directory

Create a group called wls_users (this group will hold all the WebLogic users).

1. Open the Active Directory console (Start > Administrative Tools >
Active Directory Users and Computers).
2. Expand the node representing the Active Directory domain controller; for
example, CERASOFT.com.
3. Right-click Users, then select New, and then Group.


4. Enter the Group Name as wls_users.
5. Make sure that the Group Scope is "Global" and the Group Type is "Security".
6. Click OK.


Create SSO User in Active Directory

Create a user called "bea_sso_ad".

1. Follow the steps above to open the Active Directory console.
2. Right-click Users, then select New, and then User.


3. Enter the User Name as bea_sso_ad.

4. Uncheck User must change password at next logon.


5. Check Password never expires.
6. Click Next to proceed with the user creation.


7. Add the SSO user to the SSO group.

a. Double-click the user bea_sso_ad, or right-click it and select Properties.
b. Open the "Member Of" tab and click Add.
c. Type the group name as wls_users.
d. Click Check Names, then click OK to add the group.


Set up additional user properties for the WebLogic user:


e. Click on the Account Tab of bea_sso_ad


f. Select the Use DES encryption types for this account option.
g. Please make sure that Do not require Kerberos preauthentication
remains unchecked.

Creating Active Directory user which will be used as Kerberos Service Principal

Create the domain AD user "CELVIN-AD_WLS" (server name_WLS) that will map to the
Kerberos Service Principal.

1. Follow the steps to create new user in active directory.


2. Add the user (CELVIN-AD_WLS) to “Users” group.
3. Follow the steps to add a user to a group.


4. Set up additional user properties for the SPN (Service Principal Name) user.


a. Click on the Account tab of CELVIN-AD_WLS.
b. Select the Use DES encryption types for this account option.
c. Select the Account is trusted for delegation option.
d. Select the Do not require Kerberos preauthentication option.

5. Trust the user for delegation. The Delegation tab appears only if the domain is
at the Windows 2003 functional level.

a. Select Trust this user for delegation to any service (Kerberos only).


Mapping Local User to SPN

Use ksetup to map the SPN user to a local user.

E:\Program Files\Support Tools>ksetup /MapUser CELVIN-AD_WLS@CERASOFT.com Administrator

E:\Program Files\Support Tools>ksetup
default realm = CERASOFT.com (NT Domain)
Mapping CELVIN-AD_WLS@CERASOFT.com to Administrator.

Creating krb5.ini

The Kerberos configuration file, krb5.ini, must be configured on every WebLogic
Application Server instance in order to use the Simple and Protected GSS-API
Negotiation Mechanism (SPNEGO) with WebLogic Application Server.

Create krb5.ini in C:\WINNT and C:\Windows as follows.

[libdefaults]
default_realm = CERASOFT.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
ticket_lifetime = 600
kdc_timesync = 1
ccache_type = 4
clockskew = 1200

[realms]
CERASOFT.COM = {
kdc = 10.8.5.70
admin_server = CELVIN-AD.CERASOFT.com
default_domain = CERASOFT.com
}

[domain_realm]
cerasoft.com = CERASOFT.COM
.cerasoft.com = CERASOFT.COM

[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
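As an added example (not part of the original document), here is a small Python parser for krb5.ini in the shape used above, including the `REALM = { ... }` blocks that configparser cannot read, followed by an audit that lists what a reviewer would raise about this file: the single-DES enctypes it pins (deprecated by RFC 6649; the 2009-era stack described here required them) and any section whose name is not a krb5 section. The sample is the file above, constructed inline, with `[domain_realm]` deliberately misspelled as `[domain_realms]`, a common slip, so the audit has something to catch.

```python
# Single DES (RFC 6649) and RC4 are flagged as weak; krb5.ini spells them like this.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des", "arcfour-hmac", "rc4-hmac"}
# Section names the Kerberos libraries actually read.
KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm", "appdefaults", "capaths", "logging"}


def parse_krb5_ini(text):
    """Parse krb5.ini into {section: {key: value}}; values inside a `NAME = {` block
    become a nested dict under NAME (this is how [realms] entries are written)."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            sections.setdefault(section, {})
            block = None
        elif section is None:
            continue                              # stray key before any section header
        elif line == "}":
            block = None
        elif "=" in line:
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":                      # start of a nested block, e.g. CERASOFT.COM = {
                block = sections[section].setdefault(key, {})
            else:
                (block if block is not None else sections[section])[key] = value
    return sections


def audit_krb5_ini(cfg):
    """Return the list of findings a reviewer would raise about a parsed krb5.ini."""
    findings = []
    lib = cfg.get("libdefaults", {})
    realms = cfg.get("realms", {})
    realm = lib.get("default_realm", "")
    if not realm:
        findings.append("libdefaults has no default_realm")
    elif realm != realm.upper():
        findings.append(f"default_realm {realm} should be upper case")
    elif realm not in realms:
        findings.append(f"no [realms] entry for default_realm {realm}")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = [e for e in lib.get(key, "").split() if e.lower() in WEAK_ENCTYPES]
        if weak:
            findings.append(f"{key} permits weak enctypes: {' '.join(weak)}")
    for name in cfg:
        if name not in KNOWN_SECTIONS:
            findings.append(f"[{name}] is not a krb5 section name and is ignored")
    mapping = cfg.get("domain_realm", {})
    if not mapping:
        findings.append("no [domain_realm] mapping; hosts map to a realm by DNS or the default only")
    for host, target in mapping.items():
        if target not in realms:
            findings.append(f"[domain_realm] maps {host} to undefined realm {target}")
    return findings


# Constructed sample: the krb5.ini from this walkthrough, with [domain_realm]
# misspelled as [domain_realms] so the audit has a typo to report.
SAMPLE_KRB5_INI = """
[libdefaults]
default_realm = CERASOFT.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
ticket_lifetime = 600
kdc_timesync = 1
ccache_type = 4
clockskew = 1200

[realms]
CERASOFT.COM = {
kdc = 10.8.5.70
admin_server = CELVIN-AD.CERASOFT.com
default_domain = CERASOFT.com
}

[domain_realms]
cerasoft.com = CERASOFT.COM
.cerasoft.com = CERASOFT.COM

[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
"""
CORRECTED_KRB5_INI = SAMPLE_KRB5_INI.replace("[domain_realms]", "[domain_realm]")

if __name__ == "__main__":
    for label, text in (("as written", SAMPLE_KRB5_INI), ("corrected", CORRECTED_KRB5_INI)):
        print(label)
        for finding in audit_krb5_ini(parse_krb5_ini(text)):
            print("  -", finding)
```

With the section name corrected, only the two enctype findings remain, which is the expected residue for this walkthrough's DES-only setup.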


kinit is used to obtain and cache Kerberos ticket-granting tickets.

E:\bea\jdk150_12\bin>kinit -J-Dsun.security.krb5.debug=true -k -t e:\bea\bea.keytab HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM
Config name: c:\winnt\krb5.ini
>>>KinitOptions cache name is C:\Documents and Settings\Administrator.CELVIN-AD\krb5cc_Administrator
Principal is HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM
>>> Kinit using keytab
>>> Kinit keytab file name: e:\bea\bea.keytab
>>> KeyTabInputStream, readName(): CERASOFT.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): CELVIN-AD.CERASOFT.com
>>> KeyTab: load() entry length: 67; type: 1
Added key: 1version: 5
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 16 1 3.
0: EncryptionKey: keyType=1 kvno=5 keyValue (hex dump)=
0000: 29 80 E5 E5 61 D3 94 B6

>>> Kinit realm name is CERASOFT.COM
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for CELVIN-AD are:

CELVIN-AD/10.8.5.70
IPv4 address
default etypes for default_tkt_enctypes: 23 16 1 3.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> Kinit: sending as_req to realm CERASOFT.COM
>>> KrbKdcReq send: kdc=10.8.5.70 UDP:88, timeout=30000, number of retries =3, #bytes=181
>>> KDCCommunication: kdc=10.8.5.70 UDP:88, timeout=30000,Attempt =1, #bytes=181
>>> KrbKdcReq send: #bytes read=663
>>> KrbKdcReq send: #bytes read=663
>>> reading response from kdc
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: 2931d8b0
>>>crc32: 101001001100011101100010110000
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/CELVIN-AD.CERASOFT.com
New ticket is stored in cache file C:\Documents and Settings\Administrator.CELVIN-AD\krb5cc_Administrator

You can use the kerbtray and klist utilities to list the stored tickets.


Add Weblogic Admin Server as a Windows Service

To install the Admin Server as a Windows service we make use of installSvc.cmd,
supplied with WebLogic (default location %BEA_HOME%\weblogic92\server\bin).
Create a batch script called createSvc.cmd with the following commands and save it
to C:\

SETLOCAL
set JAVA_HOME=E:\bea\jdk150_12
set JAVA_VENDOR=Sun
set DOMAIN_NAME=Hyperion
set USERDOMAIN_HOME=E:\bea\user_projects\domains\Hyperion
set SERVER_NAME=AdminServer
set WLS_USER=hyperion
set WLS_PW=hyperion
set MEM_ARGS=-Xms128m -Xmx256m
cd %USERDOMAIN_HOME%
call %USERDOMAIN_HOME%\bin\setDomainEnv.cmd
call "E:\bea\weblogic92\server\bin\installSvc.cmd"
ENDLOCAL

If you would like the System Out and System Error messages in separate log files,
add the following line to installSvc.cmd right after the line

set WL_HOME=E:\bea\weblogic92

set JAVA_OPTIONS=-Dweblogic.Stdout="E:\bea\user_projects\domains\Hyperion\logs\StdOut.log" -Dweblogic.Stderr="E:\bea\user_projects\domains\Hyperion\logs\StdErr.log" %JAVA_OPTIONS%

If you wish to change the name of the service, edit this portion of installSvc.cmd:

-svcname:"beasvc %DOMAIN_NAME%_%SERVER_NAME%"
e.g. -svcname:"BEA Weblogic %DOMAIN_NAME%_%SERVER_NAME%"

The service will then be created as BEA Weblogic Hyperion_AdminServer.


Configuring the WebLogic Machine for Kerberos

Create Service Principal Name and Keytab File

Note: This procedure should be performed on the machine that hosts the WebLogic server;
for example, on your Workspace server.

The service principal name and keytab file are used to provide SSO between the
browser and the WebLogic SPNEGO filters. A keytab is a file that contains pairs of
Kerberos principals and DES-encrypted keys derived from the Kerberos password.

It is used to log in to Kerberos without being asked again for a username and
password.

The keytab file is computer-independent. You can copy it from one computer to another. It
is better to have a global keytab file.

Note: Ensure the SPN is created using the fully qualified domain name (FQDN) of the
WebLogic server.

1. Update the PATH setting of the WebLogic server to include the Windows Support
Tools installation path.
2. Open a command prompt.
3. Type ktpass -princ HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM -DesOnly -out E:\bea\bea.keytab -pass p@ssw0rd -mapuser CELVIN-AD_WLS -crypto DES-CBC-CRC

After the command runs you will see a message similar to the one below. The warning
can be ignored; if you prefer to set a principal type instead, add the switch
-ptype KRB5_NT_PRINCIPAL to the ktpass command.

C:\Documents and Settings\Administrator.CELVIN-AD>ktpass -princ HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM -DesOnly -out E:\bea\bea.keytab -pass p@ssw0rd -mapuser Celvin-AD_WLS -crypto DES-CBC-CRC
Targeting domain controller: CELVIN-AD.CERASOFT.com
Using legacy password setting method
Successfully mapped HTTP/CELVIN-AD.CERASOFT.com to CELVIN-AD_WLS.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to E:\bea\bea.keytab:
Keytab version: 0x502
keysize 67 HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM ptype 0 (KRB5_NT_UNKNOWN) vno 3 etype 0x1 (DES-CBC-CRC) keylength 8 (0x2980e5e561d394b6)

After setting up the keytab, the logon name of the SPN user should change to
HTTP/servername.
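As an added example (not part of the original document), the following Python parses the keytab format that ktpass writes (version 0x502) and reports each entry the way the ktpass output above and the kinit debug trace do, so a practitioner can confirm what a keytab on disk contains before copying it to the WebLogic host, and can spot single-DES keys. The embedded sample keytab is constructed from the entry shown above (the principal, vno 3, etype 0x1, the 8-byte key); the 67-byte entry it reproduces is the keysize ktpass reported.

```python
import struct

# Kerberos encryption-type numbers (RFC 3961/3962/4757). Type 1, des-cbc-crc, is what
# the ktpass command in this walkthrough writes; single DES is deprecated (RFC 6649).
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ETYPES = {1, 2, 3, 23}
NAME_TYPES = {0: "KRB5_NT_UNKNOWN", 1: "KRB5_NT_PRINCIPAL", 3: "KRB5_NT_SRV_HST"}


def _counted_string(buf, pos):
    """Read a keytab counted_octet_string: uint16 length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode("ascii"), pos + n


def parse_keytab(data):
    """Parse an MIT-format keytab (version 0x502, big-endian) into a list of entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # a negative size marks a deleted slot
            pos += -size
            continue
        body, pos = data[pos:pos + size], pos + size
        p = 0
        (ncomp,) = struct.unpack_from(">H", body, p)
        p += 2
        realm, p = _counted_string(body, p)
        comps = []
        for _ in range(ncomp):             # e.g. "HTTP" and "CELVIN-AD.CERASOFT.com"
            comp, p = _counted_string(body, p)
            comps.append(comp)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", body, p)
        p += 9
        etype, klen = struct.unpack_from(">HH", body, p)
        p += 4
        key, p = body[p:p + klen], p + klen
        vno = vno8
        if p + 4 <= size:                  # optional 32-bit kvno overrides the 8-bit field
            (vno32,) = struct.unpack_from(">I", body, p)
            vno = vno32 or vno8
        entries.append({
            "size": size,
            "principal": "/".join(comps) + "@" + realm,
            "name_type": NAME_TYPES.get(name_type, str(name_type)),
            "timestamp": timestamp,
            "kvno": vno,
            "etype": etype,
            "etype_name": ETYPE_NAMES.get(etype, str(etype)),
            "key_hex": key.hex(),
            "weak": etype in WEAK_ETYPES,
        })
    return entries


def build_keytab_entry(principal, realm, etype, key, kvno, name_type=0, timestamp=0):
    """Encode one keytab entry (size prefix included) the way ktpass/MIT write it;
    used here only to construct the sample."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode("ascii")
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", etype, len(key)) + key
    return struct.pack(">i", len(body)) + body


# Constructed sample: the single entry ktpass reported in this walkthrough
# (ptype 0 KRB5_NT_UNKNOWN, vno 3, etype 0x1 DES-CBC-CRC, keylength 8).
SAMPLE_KEYTAB = b"\x05\x02" + build_keytab_entry(
    "HTTP/CELVIN-AD.CERASOFT.com", "CERASOFT.COM", 1, bytes.fromhex("2980e5e561d394b6"), 3)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"keysize {e['size']} {e['principal']} {e['name_type']} vno {e['kvno']} "
              f"etype {e['etype']:#x} ({e['etype_name']}) keylength {len(e['key_hex']) // 2} "
              f"weak={e['weak']}")
```

Point `parse_keytab` at the bytes of a real keytab (open it in binary mode) to compare the principal and kvno it holds against what the KDC reports; a kvno mismatch after re-running ktpass is a classic reason the accept side fails.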

4. You can add additional service principals using the setspn utility:

setspn -a servicename/servername user

E:\Program Files\Support Tools>setspn -a HTTP/CELVIN-AD CELVIN-AD_WLS
Registering ServicePrincipalNames for CN=CELVIN-AD_WLS,CN=Users,DC=CERASOFT,DC=com
HTTP/CELVIN-AD
Updated object


Check which SPNs are associated with the user

You can use the setspn utility, ldifde or the ADSI Edit utility to check the SPNs.

C:\Documents and Settings\Administrator.CELVIN-AD>setspn -l CELVIN-AD_WLS
Registered ServicePrincipalNames for CN=CELVIN-AD_WLS,CN=Users,DC=CERASOFT,DC=com:
HTTP/CELVIN-AD
HTTP/CELVIN-AD.CERASOFT.com

Use ldifde to check which entries are associated with the host/http/HTTP string:

C:\Documents and Settings\Administrator.CELVIN-AD>ldifde -f c:\spn_out.txt -d "DC=CERASOFT,DC=com" -l serviceprincipalname -r "(serviceprincipalname=*CELVIN-AD*)" -p subtree
Connecting to "CELVIN-AD.CERASOFT.com"
Logging in as current user using SSPI
Exporting directory to file c:\spn_out.txt
Searching for entries...
Writing out entries.
1 entries exported

The command has completed successfully

Eg: Entry from spn_out.txt

dn: CN=CELVIN-AD_WLS,CN=Users,DC=CERASOFT,DC=com
changetype: add
servicePrincipalName: HTTP/CELVIN-AD.CERASOFT.com

Creating the JAAS Configuration File

The JAAS login configuration file identifies the system properties and login
modules that direct WebLogic server to allow Kerberos authentication to occur.

com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
principal="HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM"
useKeyTab=true
keyTab="E:\\bea\\bea.keytab"
storeKey=true
debug=true;
};


com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal="HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM"
useKeyTab=true
keyTab="E:\\bea\\bea.keytab"
storeKey=true
debug=true;
};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal="HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM"
useKeyTab=true
keyTab="E:\\bea\\bea.keytab"
storeKey=true
debug=true;
};

Save the file as BEA_HOME\krb5login.conf.

Create Active Directory Authenticator in WebLogic Security Realm

A WebLogic security realm is a container for the users, groups, security policies,
roles and providers that are used to protect WebLogic resources. We create an
Active Directory authenticator so that Active Directory users can access
WebLogic.

1. Login to WebLogic Domain.


2. Select Security Realms from the Domain Structure.

3. Click Lock & Edit to make changes.


4. Select myrealm, the default WebLogic realm.


5. Click on Providers Tab.


6. Click New to add a new authenticator.

7. Type the name as ADName-AuthN, e.g. CeraSoftAD-AuthN.
8. Select Type as ActiveDirectoryAuthenticator.

9. Click OK to proceed.


10. Select the newly created provider from the summary list.
11. Click on Common in the Configuration tab.
12. Change the Control Flag to OPTIONAL.
13. Click on Provider Specific tab

14. Change the Group Base DN to reflect your Active directory. This should
be the Distinguished Name (DN) of the group to which the bea_sso_ad user
belongs. For example, if the bea_sso_ad user belongs to the
CERASOFT.COM/Users group, enter CN=Users,DC=CERASOFT,DC=com.
15. Change the User Name Attribute to sAMAccountName (by default cn is
selected). I would recommend using sAMAccountName for MSAD.


16. Enter the host name of the Active Directory machine.
17. Replace cn in the User From Name Filter with sAMAccountName.
18. Replace cn in the Group From Name Filter with sAMAccountName.


19. In User Base DN, enter the DN of the LDAP directory tree that contains
users. For example, if users are defined in the CERASOFT.COM/Users group,
enter CN=Users,DC=CERASOFT,DC=com.
20. Check whether the Active Directory port is set correctly.
21. In Principal, enter the DN of the user (usually the Active Directory
administrator) that WebLogic will use to connect to Active Directory. For
example, CN=Administrator,CN=Users,DC=CERASOFT,DC=com.
22. Enter the Credential and confirm it.
23. Click Save to continue.


Change the control flag of DefaultAuthenticator

a. Select DefaultAuthenticator from the summary of providers.


b. Change the control flag to OPTIONAL.

24. Click on Activate Changes.


25. Restart the WebLogic service.

Check the active directory authenticator

1. Log on to the WebLogic Server Administration Console.


2. In Domain Structure, click Security Realms.
3. Summary of Security Realms opens.
4. In Realms, click the default (active) realm; for example, myrealm
5. In the settings page, select the Users and Groups tab.


6. Verify whether active directory users are listed.

Configure Negotiate Identity Asserter

The Negotiate Identity Assertion provider enables single sign-on (SSO) with
Microsoft clients. The identity assertion provider decodes Simple and Protected
GSS-API Negotiation Mechanism (SPNEGO) tokens to obtain Kerberos tokens, validates
the Kerberos tokens, and maps them to WebLogic users. The Negotiate Identity
Assertion provider uses the Java Generic Security Service (GSS) Application
Programming Interface (API) to accept the GSS security context via Kerberos.
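Added example, not from the original document: when the asserter rejects a request, the first question is whether the browser actually offered Kerberos inside SPNEGO or fell back to NTLM, which the asserter cannot validate. This Python classifies an `Authorization: Negotiate` header by decoding the GSS-API InitialContextToken and reading the SPNEGO mechTypes list. The three sample headers are constructed inline (minimal NegTokenInit tokens without a mechToken, and a bare NTLMSSP type-1 message); the OIDs are those from RFC 4178, RFC 4121 and MS-SPNG.

```python
import base64

# DER-encoded OIDs (tag and length stripped).
SPNEGO_OID = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2 (RFC 4178)
OID_NAMES = {
    bytes.fromhex("2a864886f712010202"): "krb5",       # 1.2.840.113554.1.2.2 (RFC 4121)
    bytes.fromhex("2a864882f712010202"): "ms-krb5",    # 1.2.840.48018.1.2.2 (MS-SPNG)
    bytes.fromhex("2b06010401823702020a"): "ntlmssp",  # 1.3.6.1.4.1.311.2.2.10 (MS-SPNG)
}
KERBEROS_MECHS = {"krb5", "ms-krb5"}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _der(tag, content):
    """Encode one DER element; used only to construct the sample tokens below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def classify_negotiate(header_value):
    """Classify an HTTP Authorization header the way a SPNEGO acceptor sees it:
    which mechanisms the client offered, and whether Kerberos is among them."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate", "mechs": []}
    try:
        token = base64.b64decode(b64, validate=True)
        if token.startswith(b"NTLMSSP\x00"):           # bare NTLM message, no GSS wrapper
            return {"kind": "raw-ntlm", "mechs": ["ntlmssp"]}
        tag, body, _ = _read_tlv(token, 0)
        if tag != 0x60:                                # InitialContextToken is [APPLICATION 0]
            return {"kind": "unknown", "mechs": []}
        tag, oid, pos = _read_tlv(body, 0)
        if tag == 0x06 and OID_NAMES.get(oid) in KERBEROS_MECHS:
            return {"kind": "raw-kerberos", "mechs": [OID_NAMES[oid]]}
        if tag != 0x06 or oid != SPNEGO_OID:
            return {"kind": "unknown", "mechs": []}
        _, neg_init, _ = _read_tlv(body, pos)          # [0] NegTokenInit
        _, seq, _ = _read_tlv(neg_init, 0)             # SEQUENCE { [0] mechTypes, ... }
        mechs, p = [], 0
        while p < len(seq):
            tag, value, p = _read_tlv(seq, p)
            if tag == 0xA0:                            # mechTypes: SEQUENCE OF OID
                _, mech_list, _ = _read_tlv(value, 0)
                q = 0
                while q < len(mech_list):
                    _, m, q = _read_tlv(mech_list, q)
                    mechs.append(OID_NAMES.get(m, m.hex()))
    except (IndexError, ValueError):
        return {"kind": "malformed", "mechs": []}
    # The first mechType is the one the client's own mechToken (if any) belongs to.
    kind = "spnego-kerberos" if mechs and mechs[0] in KERBEROS_MECHS else "spnego-no-kerberos"
    return {"kind": kind, "mechs": mechs}


def build_spnego_init(mech_names):
    """Construct a minimal SPNEGO NegTokenInit carrying only mechTypes (sample data)."""
    by_name = {v: k for k, v in OID_NAMES.items()}
    mech_list = _der(0x30, b"".join(_der(0x06, by_name[n]) for n in mech_names))
    neg_init = _der(0x30, _der(0xA0, mech_list))
    return _der(0x60, _der(0x06, SPNEGO_OID) + _der(0xA0, neg_init))


# Constructed sample headers: a Kerberos-capable browser, a browser that could only
# offer NTLM inside SPNEGO, and a client sending a bare NTLMSSP type-1 message.
SAMPLE_HEADERS = {
    "kerberos": "Negotiate " + base64.b64encode(build_spnego_init(["ms-krb5", "krb5", "ntlmssp"])).decode(),
    "ntlm-in-spnego": "Negotiate " + base64.b64encode(build_spnego_init(["ntlmssp"])).decode(),
    "raw-ntlm": "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(27)).decode(),
}

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(label, classify_negotiate(header))
```

Run it over the Authorization headers from an HTTP access log or a browser capture: anything other than `spnego-kerberos` explains a failed assertion before you start digging into keytabs or SPNs.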

1. Login to WebLogic Domain.


2. Select Security Realms from the Domain Structure.
3. Click Lock & Edit to make changes.
4. Select myrealm, the default WebLogic realm.
5. Click on Providers Tab.
6. Click New to add a new authenticator.


7. Type the name as ADName-Neg_ID_Asserter, e.g. CeraSoftAD-Neg_ID_Asserter.
8. Select the Type as NegotiateIdentityAsserter.

9. Click on Provider Specific tab.


10. Uncheck Form Based Negotiation Enabled.


Reordering the Authentication providers

11. Click Reorder in the Authentication Providers list.
12. On the reorder page, move the Active Directory authenticator to first, the
Negotiate Identity Asserter to second, DefaultAuthenticator to third and
DefaultIdentityAsserter to fourth.

13. Click Activate Changes in the change center.


14. Restart the WebLogic service.


Granting WebLogic Administrator Role to the SSO User

1. Login to WebLogic Administration console.


2. Click Security Realms from Domain Structure.
3. In the Realms list, click the default (active) realm; for example, myrealm.
4. On the settings page, click the Roles and Policies tab.
5. Expand the Global Roles node.
6. Expand the Roles node.
7. Select View Role Conditions for Admin.


8. Click Add conditions.

9. In predicate list select Group.


10. Click Next to proceed.

11. In the group argument name, type the group to which bea_sso_ad belongs
(here it is wls_users).
12. Click Add.
13. Type Administrators and click Add to add the Administrators group.
14. Click Finish.


15. Click Save in the Global Settings Window.

Add Kerberos options in Weblogic startup script

You must edit the startup script for your WebLogic domain; for example,
C:\bea\user_projects\domains\ws_domain\bin\startWeblogic.cmd, to include the
following Kerberos options (the trailing ^ is the cmd.exe line-continuation
character, so the set command stays one logical line).

set KERB_OPTIONS=-Djava.security.krb5.realm=CERASOFT.COM ^
 -Djava.security.krb5.kdc=10.8.5.70 ^
 -Djava.security.auth.login.config=E:\bea\krb5Login.conf ^
 -Djavax.security.auth.useSubjectCredsOnly=false ^
 -Dweblogic.security.enableNegotiate=true ^
 -Djava.security.krb5.conf=C:\WINNT\krb5.ini

set JAVA_OPTIONS=%JAVA_OPTIONS% %KERB_OPTIONS%

Enable debugging in Weblogic (Optional)

This is an optional step. If you enable debugging in WebLogic, increase the log
rotation size from 500 KB to 2048 KB.

1. Login to Weblogic Administration console.


2. Click on Lock & edit
3. Click on Servers
4. Select the server for which you want to change the size.


5. Go to Logging > Rotation file size.
6. Change the size there.
7. Click Save, then click Activate Changes.

To enable the security debug flags:

1. Select the Admin Server from the summary of servers.
2. Go to the Debug tab.
3. Expand weblogic and then security.
4. Select DebugSecurityAtn, DebugSecurityAtz and DebugSecurity.
5. Click Enable.
6. Activate Changes in the Change Center.


Deploying Workspace
If you have already deployed Workspace, delete it from the Deployments in the
WebLogic Administration Console.

Navigate to the expanded workspace directory, here it is

G:\Hyperion\deployments\WebLogic9\servers\Workspace\webapps


During the deployment process, specify these options in the Optional Settings page
of WebLogic Install Application Assistant.

1. In Security, select Custom Roles and Policies: Use only roles and
policies that are defined in the Administration console.
2. In Source accessibility, select I will make the deployment accessible
from the following location.
3. In location, enter
G:\Hyperion\deployments\WebLogic9\servers\Workspace\webapps\workspace.


Configuring Workspace for SSO

Customizing EPM Workspace Services Configuration Scripts

EPM Workspace Services include scripts that can be launched interactively to
configure various parts of the system. When the Manual option is selected during
EPM Workspace deployment, the DEPLOYMENT_HOME variable declarations must be
defined manually in %HYPERION_HOME%/products/Foundation/workspace/bin/settrustedpass.bat|sh.

To define the variable:

1. In a text editor, open:

%HYPERION_HOME%/products/Foundation/workspace/bin/settrustedpass.bat

2. Replace occurrences of $J(trustedPass.deploymentHome) with DEPLOYMENT_HOME,
where DEPLOYMENT_HOME is the file-system path to the deployed EPM Workspace Web
application, e.g. G:\Hyperion\deployments\WebLogic9\servers\Workspace\webapps\workspace

Run the batch file from a Windows command prompt: settrustedpass.bat

The default initial password is 123456.

Enter the new password at the prompt, then re-enter the new trusted password.

Setting Up Workspace for Single Sign-On


Workspace delegates the process of handling external authentication and SSO to
Workspace Core Services. To enable this process, you must define the trusted
password that is used to establish trust between Workspace and Workspace Core
Services.

Configuring Workspace for Single Sign-On


The configuration files involved in SSO are:
• ws.conf (Workspace SSO configuration file)
• tp.conf (trusted password configuration file)

These files are located, for example, in
G:\Hyperion\deployments\WebLogic9\servers\Workspace\webapps\workspace\WEB-INF\config.

SSO settings you define are used by Workspace CMC console.

1. Login to Workspace.

2. Navigate > Administer > Authentication

3. Enter the Trusted Password that we changed in the previous step.


4. Confirm the password
5. Check Use user’s logon credentials for pass-through.
6. Click OK

7. To change the SSO configuration we need to login to CMC console.


8. Start Workspace Agent UI from "Start" > "Oracle EPM System" >
"Workspace" > "Utilities and Administration" > "Start Workspace Agent UI"

9. To launch CMC, login to Workspace and go to Navigate > Administer >
Configuration Console

10. From the Current View select Web-Application Configuration.


11. Right Click on Workspace Web-Application.
12. Click properties.

13. Click on the User Interface window.


14. From the drop down, select $REMOTE LOGIN$ for Custom Username
Policy.


15. From the drop down, select $TRUSTEDPASS$ for Custom Password
Policy.

Updating JVM Arguments of Workspace

To update the JVM arguments of Workspace:

1. Open the Windows registry (regedit).

2. Navigate to HKLM\SOFTWARE\Hyperion Solutions\Workspace\HYS9Workspace
3. Add the following keys to the registry.
4. All JVMOptions are of type String.

JVMOption12 – assuming that the last JVMOption in the registry is JVMOption11.

JVMOption12 = -Djava.security.krb5.realm=CERASOFT.COM
JVMOption13 = -Djava.security.krb5.kdc=10.8.5.70
JVMOption14 = -Djava.security.auth.login.config=E:\bea\krb5Login.conf
JVMOption15 = -Djavax.security.auth.useSubjectCredsOnly=false
JVMOption16 = -Dweblogic.security.enableNegotiate=true
JVMOption17 = -Djava.security.krb5.conf=C:\WINNT\krb5.ini

Update JVMOptionCount to reflect the new total, i.e. 17.
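As an added example (not part of the original document), the following PowerShell script performs steps 2 to 4 and the JVMOptionCount update non-interactively. It assumes the registry key path and the option values shown above, and it computes the next free JVMOption index itself instead of assuming that JVMOption11 is the last one.

```powershell
# Added example, not part of the original document: register the Kerberos JVM
# options from the text under the Workspace service key and update JVMOptionCount.
# Assumptions: the key path and option values are those shown above; the next free
# index is computed from the JVMOption<N> values already present, so it does not
# matter whether the last existing one is JVMOption11 or something else.
$key = 'HKLM:\SOFTWARE\Hyperion Solutions\Workspace\HYS9Workspace'

$newOptions = @(
    '-Djava.security.krb5.realm=CERASOFT.COM',
    '-Djava.security.krb5.kdc=10.8.5.70',
    '-Djava.security.auth.login.config=E:\bea\krb5Login.conf',
    '-Djavax.security.auth.useSubjectCredsOnly=false',
    '-Dweblogic.security.enableNegotiate=true',
    '-Djava.security.krb5.conf=C:\WINNT\krb5.ini'
)

$item = Get-Item -Path $key   # fails loudly if the service key does not exist

# Highest existing JVMOption<N> index and the values already set
$last = 0
$existing = @()
foreach ($name in $item.GetValueNames()) {
    if ($name -match '^JVMOption(\d+)$') {
        $n = [int]$Matches[1]
        if ($n -gt $last) { $last = $n }
        $existing += [string]$item.GetValue($name)
    }
}

# Append each option as a String value; skip ones already present so a re-run
# does not create duplicate entries
$index = $last
foreach ($opt in $newOptions) {
    if ($existing -contains $opt) { Write-Host "already set: $opt"; continue }
    $index++
    New-ItemProperty -Path $key -Name "JVMOption$index" -Value $opt `
        -PropertyType String -Force | Out-Null
    Write-Host "JVMOption$index = $opt"
}

# JVMOptionCount must equal the highest index (17 in the document's example).
# Without -Type the existing value's registry type is preserved.
Set-ItemProperty -Path $key -Name 'JVMOptionCount' -Value $index
Write-Host "JVMOptionCount = $index"
```

Run it from an elevated PowerShell prompt and restart the Workspace service afterwards so the new options take effect.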

Adding Policies to workspace deployment.

You must create custom policies for the URL patterns specific to Workspace Web
application.

To create custom policies:

1. Login to WebLogic Administration console.


2. Click on Deployment from Domain Structure.
3. Select workspace from the summary of deployments.
4. Click on Security tab and go to URL Patterns


5. Go to Policies

6. Click New.
7. Enter the URL Pattern as /index.jsp
8. Select the Provider Name as XACMLAuthorizer.

9. Select the newly created policy.


10. Click Add Conditions.
11. In Predicate List select Group
12. Click Next to proceed.


13. In group argument name type wls_users and click Add.


14. Click Finish.


External Authentication in Hyperion Shared Services


In order to use SSO we must provision MSAD users, so that they can use Hyperion
products.

1. Login to Shared Services using URL http://localhost:28080/interop/

2. Go to Administration > Configure User Directories.

3. Click Add to create a new directory.

4. Select Microsoft Active Directory from the given list.


5. Click Next to proceed.


6. Type a name for the directory.


7. Enter the Active Directory Machine name in the Host Name field.
8. Check whether the port is correct or not.
9. Click on Fetch DNs

10. Enter the User DN and click on Append Base DN. (This user can be an
AD Administrator or a User who can search for all the Hyperion users)
11. Enter Password.


12. Click Next to proceed.

13. Enter a user name and click Auto Configure


14. User RDN and all other attributes will be populated.
15. Click Next to proceed.

16. You can also configure MSAD groups in a similar way.

17. If you don’t want to use MSAD groups, I would recommend still
configuring a group in MSAD where that group is the only container and it
doesn’t have any users.
18. Click Finish to finish the external directory configuration.

19. Click OK
20. Restart Shared Services.


21. Login to Shared Services.


22. Expand the newly created user directory.
23. Click on Users.

24. Click Search and it should populate all the AD users if the configuration is
correct.

Configuring Browser on Client Computers


Browsers used to access Hyperion products should be configured for Integrated
Windows Authentication. You must use a browser that is capable of handling the
SPNEGO protocol, such as Internet Explorer 6 or later.

1. Login to Client Machine as an ordinary Hyperion user.


2. Start a browser session.
3. Select Tools, and then Internet Options


4. Click on Sites to add the intranet site.

5. Click on Advanced.


6. Type in the Workspace server name and click add.


7. Click OK till we come back to the Internet Options.


8. Select Security in the Internet Options, select Local Intranet.


9. Click on Custom Level
10. In User Authentication, check Automatic logon only in Intranet zone.

11. In the advanced Tab, check whether Enable Integrated Windows Authentication is
checked or not.
12. Click OK to finish the settings.


Open up Internet Explorer and type in the Workspace URL
http://servername/workspace. You’ll see a similar window, saying loading.

If your Kerberos authentication is working you’ll not see the standard Login screen.

Instead you’ll be logged in without asking for a username and password!!!!!!!
