configuring kerberos based sso in solaris and weblogic
Post on 26-Feb-2018
7/25/2019 Configuring Kerberos Based SSO in Solaris and Weblogic
IBM
Configuring Kerberos based SSO in Solaris and Weblogic Application Server Environment
Kerberos configuration
Saravana Kumar KKB & Arvind Kumar P
[Abstract: Today many products have support for SSO. Kerberos is the most widely recommended mechanism for efficient and secure network access across the enterprise. This article provides information about the configuration of single sign-on (SSO) using Kerberos in Oracle Solaris and Oracle WebLogic Server.]
About the authors: Saravana is working as a Staff Software Engineer (QA) for the IBM Policy N team under ECM. You can contact him with your queries at saravkkb@in.ibm.com. Arvind is working as an Advisory Software Engineer (QA) for the Atlas team under ECM. Reach out to him at apachuno@in.ibm.com.
1 Introduction:
Single sign-on (SSO) allows users to sign in once and then access other applications without being prompted to authenticate again.
1.1 Why Kerberos?
Kerberos is a technology that allows for strong authentication in open and distributed networks. It is a credible security solution for four main reasons:
1. Kerberos is mature. It has been widely used and widely studied for a long time. In security, that counts for a great deal.
2. Kerberos meets the requirements of modern distributed systems. It was developed in response to a well-defined and clearly thought-through set of requirements for secure authentication in an open environment with insecure communication links; it has turned out that those requirements closely match the requirements of modern distributed systems operating over networks based on Internet Protocols.
3. Kerberos is architecturally sound. It is designed around a clear set of architectural and functional abstractions; that architectural soundness has allowed it to evolve over time and makes it easy to integrate into other systems. The same soundness makes it easy to analyze how Kerberos will behave.
4. Kerberos is already in place. Kerberos is already integrated into most popular operating systems and many widely used software applications. It is an integral part of today's IT infrastructure.
2 Machine configuration:
2.1 What is a KDC?
The Kerberos Key Distribution Center (KDC) is the network service that issues ticket-granting tickets, service tickets and the temporary session keys that go with them to users and computers in a realm. In this scenario the realm is an Active Directory domain, so the KDC runs on every domain controller as part of Active Directory Domain Services (AD DS).
2.2 What is SPNEGO?
Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) is a standard protocol used to negotiate which authentication mechanism a client and server will actually use (here Kerberos, with NTLM as the fallback that Windows clients also offer). It is used when a client application wants to authenticate to a remote server. SPNEGO was defined in IETF RFC 2478, since superseded by RFC 4178. In web SSO it is carried in the HTTP Negotiate authentication scheme and is responsible for authenticating access to a secured page, such as a WebSphere or WebLogic Application Server resource identified in an HTTP request. Microsoft also uses SPNEGO for its browser-based SSO solutions.
Figure 1: Machine configuration for Kerberos authentication
  Machine A (ad.kerb.mycompany.com): Windows 2008/2012 domain controller, acting as the KDC
  Machine B (weblogic.kerb.mycompany.com): Solaris 10 running Oracle WebLogic Application Server
  Machine C (client.kerb.mycompany.com): Windows 8/7/Vista client machine running the browser
  (The numbered arrows 1 to 8 in the figure correspond to the steps below.)

1. When the logged-on user (MACHINE C) requests a resource from Oracle WebLogic Server (MACHINE B), the browser sends the initial HTTP GET.
2. Oracle WebLogic Server (MACHINE B), running the SPNEGO token handler code, requires authentication and answers with HTTP 401 Unauthorized and a WWW-Authenticate: Negotiate header.
3. The client (browser on MACHINE C) then requests a service ticket for the server's SPN (HTTP/<host name taken from the URL>) from the TGS/KDC (MACHINE A), using the TGT it obtained at domain logon.
4. The TGS/KDC (MACHINE A) supplies the client with the service ticket (assuming the client is authorized). The client's GSS-API/SSPI layer builds a Kerberos AP-REQ from that ticket and wraps it in a SPNEGO token.
5. The client re-sends the HTTP GET request with the SPNEGO token in an Authorization: Negotiate base64(token) header.
6. SPNEGO web authentication in WebLogic Server sees the HTTP header with the SPNEGO token, validates it with the key from the server's keytab and obtains the identity (principal) of the user.
7. After WebLogic has the identity of the user, it validates the user in Microsoft Active Directory/KDC through the configured authentication provider. Once identification is complete, WebLogic executes the related Java code (servlets, JSPs, EJBs, and so on) and checks authorizations.
8. Oracle WebLogic Server's SPNEGO token handler code accepts and processes the token through the GSS-API, authenticates the user and responds with the requested URL.
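The exchange above is easiest to debug at step 5, because what the browser puts in the Authorization: Negotiate header shows whether it obtained a Kerberos service ticket at all or fell back to NTLM. The Python script below is an added illustration and is not part of the original article or of WebLogic; it contains a minimal DER encoder/decoder for the SPNEGO NegTokenInit structure (RFC 4178), builds sample tokens of the kind a browser sends (the Kerberos mechToken is a stub, since a real one continues with the AP-REQ) and decodes a header value to report the offered mechanisms. All sample tokens are constructed inside the script; the OIDs are the registered SPNEGO, Kerberos, MS-KRB5 and NTLMSSP identifiers.

```python
"""Decode what a browser sent in an 'Authorization: Negotiate <base64>' header.

Added example: a minimal DER encoder/decoder for SPNEGO NegTokenInit (RFC 4178),
enough to see whether the client offered Kerberos or fell back to NTLM.
"""
import base64

OID_SPNEGO = "1.3.6.1.5.5.2"
MECH_NAMES = {
    "1.2.840.113554.1.2.2": "KRB5",
    "1.2.840.48018.1.2.2": "MS-KRB5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
NTLMSSP_MAGIC = b"NTLMSSP\x00"


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _der_len(len(value)) + value


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER element (tag, length, base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def decode_oid(value):
    """DER OID content octets -> dotted string."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_tlv(data, pos=0):
    """Return (tag, content, position after the element) for the DER element at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def parse_sequence(content):
    """Split the content of a constructed element into its (tag, content) children."""
    items, pos = [], 0
    while pos < len(content):
        tag, value, pos = parse_tlv(content, pos)
        items.append((tag, value))
    return items


def build_neg_token_init(mech_oids, mech_token):
    """InitialContextToken { SPNEGO OID, [0] NegTokenInit { [0] mechTypes, [2] mechToken } }."""
    mech_list = _tlv(0x30, b"".join(encode_oid(o) for o in mech_oids))
    neg_init = _tlv(0x30, _tlv(0xA0, mech_list) + _tlv(0xA2, _tlv(0x04, mech_token)))
    return _tlv(0x60, encode_oid(OID_SPNEGO) + _tlv(0xA0, neg_init))


def inspect_negotiate_header(header_value):
    """Classify an 'Authorization: Negotiate <token>' value."""
    raw = base64.b64decode(header_value.split(None, 1)[1])
    if raw.startswith(NTLMSSP_MAGIC):          # NTLM sent without any SPNEGO wrapper
        return {"wrapper": "raw NTLMSSP", "mech_types": [], "kerberos": False}
    tag, body, _ = parse_tlv(raw)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    oid_tag, oid_val, pos = parse_tlv(body)
    if oid_tag != 0x06 or decode_oid(oid_val) != OID_SPNEGO:
        return {"wrapper": "GSS mech " + decode_oid(oid_val), "mech_types": [], "kerberos": False}
    _, neg_init, _ = parse_tlv(body, pos)      # [0] NegTokenInit
    _, seq, _ = parse_tlv(neg_init)            # the SEQUENCE inside it
    fields = dict(parse_sequence(seq))         # context tag -> content
    mech_types = [decode_oid(v) for _, v in parse_sequence(parse_tlv(fields[0xA0])[1])]
    names = [MECH_NAMES.get(o, o) for o in mech_types]
    mech_token = parse_tlv(fields[0xA2])[1] if 0xA2 in fields else b""
    # The optimistic mechToken belongs to the FIRST listed mechanism, so a list that
    # starts with NTLMSSP (or an NTLMSSP mechToken) means no Kerberos ticket was obtained.
    kerberos = names[0] in ("KRB5", "MS-KRB5") and not mech_token.startswith(NTLMSSP_MAGIC)
    return {"wrapper": "SPNEGO", "mech_types": names, "kerberos": kerberos}


# Constructed samples (not captured traffic). The Kerberos mechToken is a stub: a real
# one is the KRB5 InitialContextToken that continues with the AP-REQ.
KRB5_STUB = b"\x60\x0b" + encode_oid("1.2.840.113554.1.2.2")
KERBEROS_SAMPLE = "Negotiate " + base64.b64encode(build_neg_token_init(
    ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"], KRB5_STUB)).decode()
NTLM_FALLBACK_SAMPLE = "Negotiate " + base64.b64encode(build_neg_token_init(
    ["1.3.6.1.4.1.311.2.2.10"], NTLMSSP_MAGIC + b"\x01\x00\x00\x00")).decode()
RAW_NTLM_SAMPLE = "Negotiate " + base64.b64encode(NTLMSSP_MAGIC + b"\x01\x00\x00\x00").decode()

if __name__ == "__main__":
    for label, sample in [("kerberos", KERBEROS_SAMPLE), ("ntlm fallback", NTLM_FALLBACK_SAMPLE),
                          ("raw ntlm", RAW_NTLM_SAMPLE)]:
        print(label, inspect_negotiate_header(sample))
```

Paste the header value a browser actually sent (visible in its developer tools) into inspect_negotiate_header: a mechanism list beginning with MS-KRB5 or KRB5 means the ticket request at step 3 succeeded, while NTLMSSP first means the browser could not get a ticket, which almost always points at the SPN not matching the host name in the URL or the site not being in the browser's trusted intranet list.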
3 Scenario Overview:
This scenario contains two major parts:
1. Adding the Solaris machine to the domain controller
2. Configuring Oracle WebLogic Server for Kerberos

This scenario requires the following prerequisite: a functioning Microsoft Windows 2008 Active Directory domain, including:
  a domain controller
  a client workstation
Users must be able to log in to the domain. A working domain controller and at least one client computer in that domain are required. Testing SPNEGO SSO with a browser running on the domain controller itself does not work, so use a separate client. For more information, see the tutorial How do I install Active Directory on the Windows Server 2008 server at:
http://www.petri.co.il/installing-active-directory-windows-server-2008.htm
A functioning Weblogic server with a domain created
4 Steps:
4.1 Machine: KDC - scenario machine name: Machine A
1. Create a user in Active Directory, e.g. solaris229. Do not select any option other than "Password never expires" and "User cannot change password". This account is the service account whose key ends up in the keytab, so give it a strong random password (Admin123 below is only the article's example) and nothing more than it needs.
2. Generate the keytab file
   C:\Users\Administrator> ktpass -princ HTTP/solaris229@KERB.MYCOMPANY.COM -mapuser solaris229 -pass Admin123 -out C:\solaris\krb5.keytab -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL

Notes on this step: ktpass maps the SPN HTTP/solaris229 to the account, resets the account password to the value given with -pass and increments the key version number (kvno), so every re-run of ktpass invalidates the keytab generated before. The host part of the SPN must be exactly the host name users type into the browser URL, because the browser asks the KDC for HTTP/<URL host name>; for a server reached as weblogic.kerb.mycompany.com the principal would therefore be HTTP/weblogic.kerb.mycompany.com@KERB.MYCOMPANY.COM. The keytab contains the server's long-term key, so keep it readable only by the OS user that runs WebLogic. -crypto RC4-HMAC-NT is what the article used; RC4-HMAC is deprecated, and on current domain controllers AES256-SHA1 should be chosen, with the enctypes in krb5.conf changed to match.
Transfer the keytab file to the WebLogic machine, into the bin directory of the WebLogic domain.
4.2 Machine: WebLogic - scenario machine name: Machine B
4.2.1 Steps to configure system files:
1. Edit resolv.conf and add the domain controller specific entries. The DNS server is normally the domain controller, since Kerberos clients locate the KDC and build principal names through DNS; the article does not show the address, so <ip-of-dns-server> below is a placeholder.
Path : /etc/resolv.conf
---------------------
domain kerb.mycompany.com
nameserver <ip-of-dns-server>
search kerb.mycompany.com

2. Edit the hosts file and add the domain controller specific entries (the addresses are not shown in the article; <ip> is a placeholder). Forward and reverse resolution of the WebLogic host must agree, because the service principal is derived from its host name.
Path : /etc/hosts
---------------
<ip>   windowsvista.kerb.mycompany.com   windowsvista
<ip>   ad.kerb.mycompany.com             ad
3. Edit the krb5.conf file and the kdc.conf file in the /etc/krb5 directory as shown below, and copy the krb5.conf file to the WebLogic domain bin directory (that copy is the one referenced by -Djava.security.krb5.conf in the server start script).
Path: /etc/krb5/krb5.conf
---------------
[libdefaults]
        default_realm = KERB.MYCOMPANY.COM
        default_tkt_enctypes = rc4-hmac arcfour-hmac-md5
        default_tgs_enctypes = rc4-hmac arcfour-hmac-md5
        ticket_lifetime = 600

[realms]
        KERB.MYCOMPANY.COM = {
                kdc = 9.126.145.237:88
                admin_server = ad
                default_domain = KERB.MYCOMPANY.COM
        }

[domain_realm]
        kerb.mycompany.com = KERB.MYCOMPANY.COM
        .kerb.mycompany.com = KERB.MYCOMPANY.COM

[appdefaults]
        kinit = {
                autologin = true
                renewable = true
                forward = true
                encrypt = true
                forwardable = true
        }
        gkadmin = {
                help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
        }

Notes: the realm name is upper case and must be identical in krb5.conf, in the keytab principal, in krb5Login.conf and in the -Djava.security.krb5.realm JVM option. The article's original files mixed KERB.MYCOMPANY.COM with kerb.atlas.com in [domain_realm], which is why the mapping is shown corrected here: [domain_realm] maps the DNS domain of the server to its realm, and without it the Java Kerberos client cannot derive the realm for a host name. The enctype lists must contain the type used for the keytab (rc4-hmac for -crypto RC4-HMAC-NT; aes256-cts-hmac-sha1-96 if the keytab was created with AES256-SHA1).
Path: /etc/krb5/kdc.conf
-----------
[kdcdefaults]
        kdc_ports = 88

[realms]
        KERB.MYCOMPANY.COM = {
                profile = /etc/krb5/krb5.conf
                database_name = /var/krb5/principal
                admin_keytab = /etc/krb5/krb5.keytab
                acl_file = /etc/krb5/kadm5.acl
                kadmind_port = 749
                max_life = 8h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                default_principal_flags = +preauth
        }

(kdc.conf configures the Solaris KDC daemon itself. In this scenario the KDC is Active Directory, so this file only needs to carry a consistent realm name; WebLogic does not consult it.)
4. Add the lines below to nsswitch.conf
Path : /etc/nsswitch.conf
----------
passwd: files ldap winbind
group:  files ldap winbind
4.2.2 Configuring Samba and Joining the domain
5. Edit smb.conf
Path: /etc/sfw/smb.conf
---------------
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
workgroup = KERB

# server string is the equivalent of the NT Description field
server string = Samba Server

# Security mode. Defines in which mode Samba will operate. Possible
# values are share, user, server, domain and ads. Most people will want
# user level security. See the Samba-HOWTO-Collection for details.
security = ADS

# Use password server option only with security = server
# The argument list may include:
#   password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
#   password server = *
password server = ad.KERB.MYCOMPANY.COM

With security = ADS Samba also expects the Kerberos realm (realm = KERB.MYCOMPANY.COM) in the [global] section, and it takes the KDC location from /etc/krb5/krb5.conf, so that file must be correct before the join is attempted.
6. Command to join the domain
$ /usr/sfw/bin/net ads join -U 'HTTP/solaris229@KERB.MYCOMPANY.COM'

Once this command runs successfully the machine is joined to the domain, and it appears in Active Directory Users and Computers. The -U value is the account used to authorize the join, so it must have the right to create computer objects in the domain.
4.2.3 Creating the krb5Login configuration file
7. Create the krb5Login.conf file (a JAAS login configuration) in the WebLogic domain bin directory. The principal shown is the one ktpass created in section 4.1; the keytab path is left as a placeholder.
Path: <WebLogic domain>/bin/krb5Login.conf
=============
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
        principal="HTTP/solaris229@KERB.MYCOMPANY.COM"
        useKeyTab=true
        keyTab="<path of the keytab file>"
        storeKey=true
        debug=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        principal="HTTP/solaris229@KERB.MYCOMPANY.COM"
        useKeyTab=true
        keyTab="<path of the keytab file>"
        storeKey=true
        debug=true;
};

The com.sun.security.jgss.krb5.accept entry is the one WebLogic uses to accept browser tokens: principal must be exactly the SPN that ktpass wrote into the keytab, and the keyTab file must be readable by the OS user running WebLogic. Set debug=false once the setup works, because the debug output includes principal and ticket details.
4.2.4 Configuring WebLogic server
8. Add the options below to the WebLogic start script
File name: startWebLogic.sh

if [ "${WLS_REDIRECT_LOG}" = "" ] ; then
    echo "Starting WLS with line:"
    echo "${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} -Dsun.security.krb5.debug=true -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Djava.security.auth.login.config="/export/home/oracle/Oracle/Middleware/user_projects/domains/policyatlas/bin/krb5Login.conf" -Djava.security.krb5.conf="/export/home/oracle/Oracle/Middleware/user_projects/domains/policyatlas/bin/krb5.conf" -Djava.security.krb5.realm=KERB.MYCOMPANY.COM -Djava.security.krb5.kdc=ad -Dweblogic.StdoutSeverityLevel=64 -Dweblogic.Debug.DebugSecurityAtz=true -Dweblogic.Debug.DebugSecurityAtn=false -Dweblogic.Name=${SERVER_NAME} -Djava.security.policy=${WL_HOME}/server/lib/weblogic.policy ${JAVA_OPTIONS} ${PROXY_SETTINGS} ${SERVER_CLASS}"

    ${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} -Dsun.security.krb5.debug=true -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Djava.security.auth.login.config="/export/home/oracle/Oracle/Middleware/user_projects/domains/policyatlas/bin/krb5Login.conf" -Djava.security.krb5.conf="/export/home/oracle/Oracle/Middleware/user_projects/domains/policyatlas/bin/krb5.conf" -Djava.security.krb5.realm=KERB.MYCOMPANY.COM -Djava.security.krb5.kdc=ad -Dweblogic.StdoutSeverityLevel=64 -Dweblogic.Debug.DebugSecurityAtz=true -Dweblogic.Debug.DebugSecurityAtn=false -Dweblogic.Name=${SERVER_NAME} -Djava.security.policy=${WL_HOME}/server/lib/weblogic.policy ${JAVA_OPTIONS} ${PROXY_SETTINGS} ${SERVER_CLASS}

The options that matter for SSO are -Djavax.security.auth.useSubjectCredsOnly=false (lets the JGSS layer obtain the server credentials from krb5Login.conf instead of the caller's Subject), -Dweblogic.security.enableNegotiate=true, -Djava.security.auth.login.config and -Djava.security.krb5.conf. The article's original script listed -Dsun.security.krb5.debug=true twice, omitted -Djava.security.krb5.conf from the actual java command while printing it in the echo line, and used the realm KERB.ATLAS.COM here against KERB.MYCOMPANY.COM everywhere else; the java command must match the echoed line, and the realm must match the keytab and krb5.conf. When -Djava.security.krb5.realm and -Djava.security.krb5.kdc are set they take precedence over the values in krb5.conf. -Dsun.security.krb5.debug and the weblogic.Debug.* options are for bring-up only and should be removed once SSO works.
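The realm, the SPN, the enctypes and the JVM options above all have to agree, and the article's own files show how easily they drift apart. The Python script below is an added example, not part of the article or of any Oracle or Solaris tool: it parses a krb5.conf (the [section] / key = value / key = { ... } format), then cross-checks it against the keytab principal, the -Djava.security.krb5.realm value and the ktpass -crypto choice. The two krb5.conf texts are constructed inline; the first reproduces the article's published file, the second the corrected one. The mapping from ktpass -crypto names to krb5.conf enctype names is the standard one.

```python
"""Cross-check the Kerberos settings spread over krb5.conf, the keytab SPN and the JVM options.

Added example: a small krb5.conf parser plus the consistency checks that catch the
usual SPNEGO bring-up mistakes (realm spelled differently in two places, missing
domain_realm mapping, unqualified SPN, enctype not matching the keytab).
"""

# ktpass -crypto value -> krb5.conf enctype name
KTPASS_CRYPTO = {
    "RC4-HMAC-NT": "rc4-hmac",
    "AES128-SHA1": "aes128-cts-hmac-sha1-96",
    "AES256-SHA1": "aes256-cts-hmac-sha1-96",
}


def parse_krb5_conf(text):
    """Parse the [section] / key = value / key = { ... } format into nested dicts."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf


def check_setup(conf, spn, jvm_realm, ktpass_crypto):
    """Return a list of (code, message) findings; an empty list means consistent."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    service, _, realm = spn.partition("@")
    host = service.split("/", 1)[1]
    if libdefaults.get("default_realm") != realm:
        findings.append(("REALM_DEFAULT", "default_realm does not match the keytab principal's realm"))
    if jvm_realm != realm:
        findings.append(("REALM_JVM", "-Djava.security.krb5.realm differs from the keytab realm"))
    realm_cfg = conf.get("realms", {}).get(realm)
    if realm_cfg is None:
        findings.append(("REALM_MISSING", "no [realms] entry for " + realm))
    elif "kdc" not in realm_cfg:
        findings.append(("KDC_MISSING", "[realms] entry has no kdc"))
    if "." not in host:
        findings.append(("SPN_SHORT", "SPN host is not fully qualified; browsers request HTTP/<URL host name>"))
    else:
        dns_domain = host.split(".", 1)[1]
        mapping = conf.get("domain_realm", {})
        if realm not in (mapping.get(dns_domain), mapping.get("." + dns_domain)):
            findings.append(("DOMAIN_REALM", "[domain_realm] does not map " + dns_domain + " to " + realm))
    allowed = libdefaults.get("default_tkt_enctypes", "").split()
    keytab_enctype = KTPASS_CRYPTO[ktpass_crypto]
    if keytab_enctype not in allowed:
        findings.append(("ENCTYPE_MISMATCH", keytab_enctype + " not in default_tkt_enctypes"))
    if any(e.startswith(("rc4", "arcfour")) for e in allowed + [keytab_enctype]):
        findings.append(("RC4_WEAK", "RC4-HMAC is deprecated; use AES256-SHA1 / aes256-cts-hmac-sha1-96"))
    return findings


# Constructed sample: the article's krb5.conf as published, including its
# [domain_realm] entries for a different DNS domain.
ARTICLE_KRB5_CONF = """
[libdefaults]
  default_realm = KERB.MYCOMPANY.COM
  default_tkt_enctypes = rc4-hmac arcfour-hmac-md5
  default_tgs_enctypes = rc4-hmac arcfour-hmac-md5
  ticket_lifetime = 600
[realms]
  KERB.MYCOMPANY.COM = {
    kdc = 9.126.145.237:88
    admin_server = ad
    default_domain = KERB.MYCOMPANY.COM
  }
[domain_realm]
  kerb.atlas.com = KERB.MYCOMPANY.COM
  .kerb.atlas.com = KERB.MYCOMPANY.COM
"""

# Constructed sample: the same file after the fixes discussed in the text.
FIXED_KRB5_CONF = """
[libdefaults]
  default_realm = KERB.MYCOMPANY.COM
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
  KERB.MYCOMPANY.COM = {
    kdc = ad.kerb.mycompany.com:88
    admin_server = ad.kerb.mycompany.com
  }
[domain_realm]
  kerb.mycompany.com = KERB.MYCOMPANY.COM
  .kerb.mycompany.com = KERB.MYCOMPANY.COM
"""

if __name__ == "__main__":
    for code, msg in check_setup(parse_krb5_conf(ARTICLE_KRB5_CONF),
                                 "HTTP/solaris229@KERB.MYCOMPANY.COM", "KERB.ATLAS.COM", "RC4-HMAC-NT"):
        print(code, "-", msg)
    print("fixed:", check_setup(parse_krb5_conf(FIXED_KRB5_CONF),
                                "HTTP/weblogic.kerb.mycompany.com@KERB.MYCOMPANY.COM",
                                "KERB.MYCOMPANY.COM", "AES256-SHA1"))
```

Run against the article's values the checker reports the realm mismatch in the start script, the unqualified SPN and the RC4 choice; against the corrected file with an AES keytab and a fully qualified SPN it reports nothing. The same checks are worth running from the WebLogic host against the krb5.conf copy in the domain bin directory, since that copy, not /etc/krb5/krb5.conf, is what the JVM reads.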
9. Add the following providers to myrealm in WebLogic: Home > Summary of Security Realms > myrealm > Providers
a) Add a WebLogic Negotiate Identity Assertion provider. It extracts the user name from the SPNEGO token; it supports the WWW-Authenticate.Negotiate and Authorization.Negotiate token types, which are active by default.
b) Add another provider that performs LDAP authentication against Active Directory (the Active Directory Authenticator), with the connection details on its Provider Specific tab. Set its control flag to SUFFICIENT, and leave the Default Authenticator at SUFFICIENT as well, so that a failure of one provider does not block the other.

Figure 2: WebLogic Security Realm configuration
Save and restart web logic server.
4.3 Machine: client - scenario machine name: Machine C
For single sign-on to occur you need a Windows client that is logged on to the domain covered by your realm and that requests access to the Oracle WebLogic Server service by its host name.
4.3.1 Configuring Internet Explorer Browser
To configure an Internet Explorer browser to use Windows authentication, follow these procedures in Internet Explorer.

Configure Local Intranet Domains
1. In Internet Explorer, select Tools > Internet Options.
2. Select the Security tab.
3. Select Local intranet and click Sites.
4. In the Local intranet popup, ensure that the Include all sites that bypass the proxy server and Include all local (intranet) sites not listed in other zones options are checked.

Figure 3: Local Intranet Dialog Box for Internet Explorer

5. Click Advanced.
6. In the Local intranet (Advanced) dialog box, add all relative domain names that will be used for Oracle WebLogic Server instances participating in the SSO configuration (for example, myhost.example.com) and click OK.
Figure 4: Advanced Local Intranet Dialog Box for Internet Explorer

Configure Intranet Authentication
1. Select Tools > Internet Options.
2. Select the Security tab.
3. Select Local intranet and click Custom Level....
4. In the Security Settings dialog box, scroll to the User Authentication section.
5. Select Automatic logon only in Intranet zone. This option prevents users from having to re-enter logon credentials, which is a key piece of this solution.
6. Click OK.
Figure 5: Configure Intranet Authentication

Verify Proxy Settings
If you have a proxy server enabled:
1. Select Tools > Internet Options.
2. Select the Connections tab and click LAN Settings.
3. Verify that the proxy server address and port number are correct.
4. Click Advanced.
5. In the Proxy Settings dialog box, ensure that all desired domain names are entered in the Exceptions field.
6. Click OK to close the Proxy Settings dialog box.

4.3.2 Configuring Mozilla Firefox Browser
To configure a Firefox browser to use Windows Integrated authentication, complete the following steps:
1. Start Firefox.
2. Enter about:config in the Location Bar.
3. Enter the filter string network.negotiate.
4. Set the preferences as shown in the figure below. The one that matters is network.negotiate-auth.trusted-uris, which lists the hosts or domains (for example .kerb.mycompany.com) to which Firefox may send Negotiate (Kerberos) tokens; by default it sends them to nobody.
Figure 6: Firefox configuration

4.3.3 Configuring Google Chrome Browser
No special configuration is needed for Chrome: on Windows it reuses the Internet Explorer Local intranet zone settings to decide which hosts may receive Negotiate tokens.
4.4 Other configuration:
1. Ensure that all three machines, Machine A, Machine B and Machine C, are able to ping each other using their host names. If not, add the missing names to the hosts file.
5 Testing the SSO
To verify that SSO is configured properly, point a browser to the web application or web service you want to use, addressing the server by the host name the SPN in the keytab was created for (not by IP address, which gives the browser no SPN to request a ticket for). If you are logged on to a Windows domain and have Kerberos credentials acquired from the Active Directory server in the domain, you should be able to access the web application or web service without providing a user name or password. If a password prompt appears, look at the Authorization: Negotiate header the browser sent (visible in its developer tools): a base64 value beginning with TlRMTVNT is an NTLM token, meaning the browser could not obtain a Kerberos service ticket for that host name, whereas a Kerberos SPNEGO token typically begins with YII.
6 Troubleshooting commands

Run the command below on the Solaris / WebLogic server machine:

bash-3.00$ kinit -V -k -t <keytab file> <principal>

E.g.:
bash-3.00$ kinit -V -k -t /export/home/oracle/Oracle/Middleware/user_projects/domains/policyatlas/bin/krb5.keytab HTTP/solaris229@KERB.MYCOMPANY.COM

This should produce the following message, confirming that the SPN is able to authenticate with the KDC using the generated keytab file:

Result: Authenticated to Kerberos v5

If it fails with a preauthentication or key version number error, the keytab no longer matches the account in Active Directory (typically because ktpass was re-run, which changes the password and the kvno): regenerate the keytab and copy it to the server again. klist -k <keytab file> lists the principals and key versions a keytab contains.
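When kinit -k fails, the next question is what the keytab actually contains, since klist -k is not always available where the file ends up. The Python script below is an added example and not part of the article or of any Kerberos distribution: it reads the MIT/Solaris keytab format (version bytes 05 02, then entries of int32 size, uint16 component count, counted realm and components, uint32 name type, uint32 timestamp, uint8 vno8, a keyblock of uint16 enctype and counted key, and an optional uint32 vno) and lists principal, enctype and kvno per entry. The writer in the script exists only to construct the sample keytab; the key bytes are dummy values.

```python
"""Read an MIT/Solaris keytab file and list its principals, enctypes and key versions.

Added example (not from the article): enough of the keytab format to answer the
questions that matter when kinit -k fails: is the SPN in the file at all, with which
enctype, and at which kvno.
"""
import struct

ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac (rc4-hmac)",
}
KRB5_NT_PRINCIPAL = 1


def _counted(data):
    return struct.pack(">H", len(data)) + data


def _read_counted(buf, pos):
    (n,) = struct.unpack(">H", buf[pos:pos + 2])
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries, timestamp=0):
    """entries: iterable of (principal, enctype_number, kvno, key_bytes). Sample data only."""
    out = bytearray(b"\x05\x02")
    for principal, enctype, kvno, key in entries:
        name, _, realm = principal.partition("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)            # 32-bit vno present in modern keytabs
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def read_keytab(data):
    """Parse keytab bytes into a list of entries (roughly what 'klist -k -e -K' prints)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                                 # deleted slot: skip its bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                            # 32-bit vno overrides the 8-bit one
            (kvno,) = struct.unpack(">I", data[pos:pos + 4])
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type,
            "enctype": ENCTYPE_NAMES.get(enctype, "enctype %d" % enctype),
            "kvno": kvno,
            "timestamp": timestamp,
            "key_len": len(key),
        })
    return entries


def keys_for(entries, principal):
    """(enctype, kvno) pairs stored for one principal; an empty list means kinit -k must fail."""
    return [(e["enctype"], e["kvno"]) for e in entries if e["principal"] == principal]


# Constructed sample keytab: an RC4 key as ktpass -crypto RC4-HMAC-NT would write,
# plus an AES256 key for the same SPN. Key material is dummy.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/solaris229@KERB.MYCOMPANY.COM", 23, 3, bytes(range(16))),
    ("HTTP/solaris229@KERB.MYCOMPANY.COM", 18, 3, bytes(range(32))),
])

if __name__ == "__main__":
    for entry in read_keytab(SAMPLE_KEYTAB):
        print(entry)
```

To inspect a real file, pass the bytes of the keytab copied to the WebLogic domain bin directory to read_keytab and compare the kvno it shows against the account's current key version in Active Directory (ktpass prints it, and every re-run raises it); a principal spelled differently from the one in krb5Login.conf, or an enctype missing from the krb5.conf enctype lists, explains most "cannot find key" failures.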