Configuring IBM® Tivoli® Integrated Portal server for single sign-on using Simple and Protected GSSAPI Negotiation Mechanism, and Microsoft® Active Directory® services

Document version 1.0

© Copyright International Business Machines Corporation 2013. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.




Table of Contents

Introduction
Creating a user for SPNEGO authentication and a keytab file on the Active Directory server
Create the krb5.conf file using the tipserver1.keytab file on the Tivoli Integrated Portal server
Configuring the Tivoli Integrated Portal for SPNEGO and LDAP
Add roles to the Active Directory user that will be connecting to the Tivoli Integrated Portal
Internet browser configurations
Enable logging in the Tivoli Integrated Portal for Troubleshooting

Introduction

The purpose of this paper is to detail the procedure for configuring IBM Tivoli Integrated Portal server for single sign-on using Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), federated repositories, and Microsoft Active Directory services. The environment described in this paper uses the following products:

- Tivoli Integrated Portal server V2.2.0.11 installed on Red Hat® Enterprise Linux® operating system as the user 'bsmadmin'.
- Microsoft Active Directory services installed on Windows® 2008 operating system. The Active Directory domain name used in this paper is 'FEDIVT'.

Before performing this procedure:

- Create a current backup of the Tivoli Integrated Portal installation using your preferred archiving method.
- Synchronize the system clocks on the Windows server and Linux server to within 5 minutes of each other.

Table 1 shows the LDAP server configuration required for configuring the federated repositories in the Tivoli Integrated Portal server.

LDAP Host name              Host name of the LDAP server
LDAP Port                   Port for the LDAP server, default value 389
LDAP Type                   The type of LDAP used
LDAP Repository Identifier  Unique identifier for the LDAP repository within the Application Server
LDAP Bind ID                The user ID used to bind to the LDAP server; this user must have at least read access
LDAP Bind Password          Password for the bind user ID
LDAP Base Entry             Base entry for the LDAP server

Table 1: Required LDAP configuration information.

The values in Table 2 show the LDAP information that is used in this paper to configure the federated repositories within the Tivoli Integrated Portal server.

LDAP Host name              ad2008
LDAP Port                   389
LDAP Type                   Microsoft Active Directory
LDAP Repository Identifier  TIVAD
LDAP Bind ID                cn=Administrator,CN=Users,DC=fedivt,DC=ibm,DC=com
LDAP Bind Password          passw0rd
LDAP Base Entry             DC=fedivt,DC=ibm,DC=com

Table 2: Federated configuration information used in this document.

Creating a user for SPNEGO authentication and a keytab file on the Active Directory server

1. Create a user in Active Directory named 'spnusr1' with a password of 'passw0rd' as shown in the next three figures:

Figure 1: Create user

Figure 2: Create user continued


Figure 3: Create user finish

Note: This user will be used for the SPNEGO configuration in the Tivoli Integrated Portal; it is not the user that is used to log in to the Tivoli Integrated Portal for day-to-day operations.

2. Start a Windows command prompt and create a keytab file for the spnusr1 user using the ktpass command. The syntax for the ktpass command is:

    ktpass -out <keytab file> -princ HTTP/<Tivoli Integrated Portal fully qualified hostname>@<ACTIVE DIRECTORY DOMAIN> -mapuser <username> -pass <password> -ptype <principal type>

The command that was run to generate the keytab file:

    ktpass -out tipserver1.keytab -princ HTTP/fit-vm15-216.rtp.raleigh.ibm.com@FEDIVT -mapuser spnusr1 -pass passw0rd -ptype KRB5_NT_PRINCIPAL

NOTE: The HTTP and Active Directory domain name must be uppercase.

Figure 4 shows the output of the ktpass command above.

Figure 4: ktpass command output

If 'KTPASS failed getting target domain for specified user' is received when running the ktpass command, re-run the command supplying the Active Directory domain name to the mapuser option, for example: -mapuser FEDIVT\spnusr1.


3. Verify the Service Principal Name for the spnusr1 user by issuing 'setspn -l spnusr1'; the output is shown in Figure 5.

Figure 5: setspn command output

4. Transfer the tipserver1.keytab file to the /tmp directory of the Tivoli Integrated Portal server; if transferring the file using FTP, make sure to switch to binary transfer mode.

Create the krb5.conf file using the tipserver1.keytab file on the Tivoli Integrated Portal server

1. Create a directory for the tipserver1.keytab and krb5.conf files.

2. Copy the tipserver1.keytab file from /tmp to /etc/krb5.

3. The Tivoli Integrated Portal was installed and is running as the user bsmadmin. Because of this, the following commands were run in this environment to allow the bsmadmin user access to the krb5 directory and files:

    chown -R :bsmadmin /etc/krb5
    chmod g+w /etc/krb5

4. Log in to the Tivoli Integrated Portal using the wsadmin.sh command utility:

    /opt/IBM/tivoli/tipv2/profiles/TIPProfile/bin/wsadmin.sh -user tipadmin -password passw0rd

5. At the wsadmin prompt, issue '$AdminTask createKrbConfigFile' to create the krb5.conf file from the tipserver1.keytab file. The syntax for the createKrbConfigFile option is:

    $AdminTask createKrbConfigFile {-krbPath <path/krb5.conf> -realm <Active Directory Kerberos realm name, uppercase> -kdcHost <hostname of the Active Directory server> -dns <internet domain name> -keytabPath <path/keytab file>}

The command that was run to generate the krb5.conf file:

    wsadmin>$AdminTask createKrbConfigFile {-krbPath /etc/krb5/krb5.conf -realm FEDIVT -kdcHost ad2008.tivlab.raleigh.ibm.com -dns raleigh.ibm.com -keytabPath /etc/krb5/tipserver1.keytab }

6. Type quit at the wsadmin prompt to exit.
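A pre-flight check for the two procedures above (the keytab from ktpass and the krb5.conf from createKrbConfigFile), added here as an example and not IBM's code: it parses the generated krb5.conf, confirms that the ktpass principal HTTP/<fqdn>@<REALM> agrees with it, and flags a keytab whose permissions are looser than the bsmadmin group access set up in step 3. The krb5.conf text is a constructed sample; the realm, hostnames and paths are the paper's own.

```python
# Added example (not IBM code): pre-flight checks for the keytab and krb5.conf created above.
import re
import stat

# Constructed sample in the shape createKrbConfigFile emits for the paper's values.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = FEDIVT
    default_keytab_name = FILE:/etc/krb5/tipserver1.keytab
[realms]
    FEDIVT = {
        kdc = ad2008.tivlab.raleigh.ibm.com:88
    }
"""

def parse_krb5_conf(text):
    """Return {section: {key: value}}; a 'REALM = {' line records the realm."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
        elif "=" in line and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            section[key] = value
    return conf

def check_principal(principal, conf):
    """Findings for the ktpass -princ value against the parsed krb5.conf."""
    found = []
    m = re.fullmatch(r"([^/]+)/([^@]+)@(.+)", principal)
    if not m:
        return ["principal is not of the form service/host@REALM"]
    service, host, realm = m.groups()
    if service != "HTTP":
        found.append("service part must be HTTP (uppercase)")
    if "." not in host:
        found.append("host part must be the fully qualified hostname")
    if realm != realm.upper():
        found.append("realm must be uppercase")
    if realm != conf.get("libdefaults", {}).get("default_realm"):
        found.append("realm does not match default_realm in krb5.conf")
    if realm not in conf.get("realms", {}):
        found.append("no [realms] entry for %s in krb5.conf" % realm)
    return found

def keytab_mode_findings(mode):
    """The keytab holds the service key: group access for bsmadmin is enough; deny others (st_mode bits)."""
    found = []
    if mode & stat.S_IROTH:
        found.append("keytab is world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        found.append("keytab is writable by group or others")
    return found
```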


Configuring the Tivoli Integrated Portal for SPNEGO and LDAP

To configure the Tivoli Integrated Portal, do the following steps:

1. Log in to the Tivoli Integrated Portal Administrative console as the tipadmin user (http://hostname:16316/ibm/console) and expand Security.

2. Click Global security.

3. Expand Web Security.

4. Click SPNEGO Web authentication.

7. Under SPNEGO Filters, click New.

8. Fill in the values for Hostname and Kerberos realm name, and click Trim Kerberos realm name from principal name as shown in Figure 6.

Figure 6: SPNEGO filters

9. Click OK and when prompted click Save.

10. Complete the default options for General Properties as shown in Figure 7.


Figure 7: SPNEGO Web authentication

11. Click OK and when prompted click Save.

12. On the main Global Security page, click Configure next to Federated repositories.

Figure 8: Tivoli Integrated Portal options

13. Click Add Base entry to Realm.

Figure 9: Realm specifics


14. Click Add Repository.

Figure 10: Adding a repository

15. Complete the fields as indicated in Figure 11. Click Apply, and when prompted, click Save.

Figure 11: Repository properties


16. Complete the base entry fields; 'DC=fedivt,DC=ibm,DC=com' was used in Figure 12 for both entries in this environment. Click Apply, and when prompted, click Save.

Figure 12: Completing entries

17. Optional: Set a single sign-on domain for use with LTPA if connecting to additional servers configured for LTPA single sign-on.

A. Click Global security.

B. Expand Web security.

C. Click Single sign-on.

D. Fill in a value for Domain name, for example '.ibm.com', as shown in Figure 13.

Figure 13: Single sign-on domain name

E. Click OK and when prompted click Save.

19. Stop and restart the Tivoli Integrated Portal:

    /opt/IBM/tivoli/tipv2/profiles/TIPProfile/bin/stopServer.sh server1 -user tipadmin -password passw0rd
    /opt/IBM/tivoli/tipv2/profiles/TIPProfile/bin/startServer.sh server1

Add roles to the Active Directory user that will be connecting to the Tivoli Integrated Portal

Note: This should not be the spnusr1 user.


1. Log in to the Tivoli Integrated Portal application console as the tipadmin user (https://hostname:16311/ibm/console).

2. Expand Users and Groups and click User Roles.

3. In the User ID field, fill in the user name of the Active Directory user that will be used to connect to the Tivoli Integrated Portal using SPNEGO authentication (not the spnusr1 user) and click Search.

4. Assign the roles that are applicable for the specific user and click Save.

Internet browser configurations

Enable Microsoft Internet Explorer® browser for SPNEGO:

1. Log in to the Windows system configured as an Active Directory client.

2. Launch the Internet Explorer browser, click Tools and then click Internet Options.

3. Select the Security tab, click the Local Intranet icon and then click Sites.

4. Ensure that all options are checked, then click Advanced.

5. Under Add this website to the zone, fill in the URL for the Tivoli Integrated Portal, for example:

    https://fit-vm15-216.rtp.raleigh.ibm.com

Then click Add and Close.

6. Click OK to exit the Local Intranet options.

7. Click the Advanced tab and verify that Enable Windows Integrated Authentication is checked; if not, click to enable it.

8. Click OK to exit Internet Options.

9. Stop and restart the Internet Explorer browser.

Enable Mozilla® Firefox® browser for SPNEGO:

1. Launch the Firefox browser.

2. In the URL field type about:config and when prompted click to accept the security warning.

3. In the Search field type network.n

4. Double-click network.negotiate-auth.trusted-uris.

5. Type the URL for the Tivoli Integrated Portal, for example:

    https://fit-vm15-216.rtp.raleigh.ibm.com

6. Click OK.

7. Stop and restart the Firefox browser.

Enable logging in the Tivoli Integrated Portal for Troubleshooting

1. To enable tracing to assist in troubleshooting SPNEGO requests in the Tivoli Integrated Portal, log in to the Tivoli Integrated Portal Administrative Console (https://hostname:16316/ibm/console) and expand Troubleshooting.

2. Click Logs and Trace.


Figure 14: Logs and Trace

3. Click the server listed under Server.

Figure 15: server1

4. Click Change Log Detail Levels.

Figure 16: Log Details

5. Click the Runtime tab.

6. Click Save runtime changes to configuration as well.

7. Append the following value to the current setting and click Apply, and when prompted click Save:

    :com.ibm.ws.security.spnego.*=all

Note that the colons (:) are delimiters between values.


Figure 17: Change log details

8. A trace.log will now be in the /opt/IBM/tivoli/tipv2/profiles/TIPProfile/logs/server1 directory.

Notices

© Copyright IBM Corporation 2013
IBM United States of America
Produced in the United States of America

US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PAPER “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes may be made periodically to the information herein; these changes may be incorporated in subsequent versions of the paper. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this paper at any time without notice.

Any references in this document to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
4205 South Miami Boulevard
Research Triangle Park, NC 27709 U.S.A.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information is for planning purposes only. The information herein is subject to change before the products described become available.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.

Other company, product, or service names may be trademarks or service marks of others.