Configuring IBM® Tivoli® Integrated Portal server for single sign-on using Simple and Protected GSSAPI Negotiation Mechanism, and Microsoft® Active Directory® services
Document version 1.0
© Copyright International Business Machines Corporation 2013. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Table of Contents
Introduction
Creating a user for SPNEGO authentication and a keytab file on the Active Directory server
Create the krb5.conf file using the tipserver1.keytab file on the Tivoli Integrated Portal server
Configuring the Tivoli Integrated Portal for SPNEGO and LDAP
Add roles to the Active Directory user that will be connecting to the Tivoli Integrated Portal
Internet browser configurations
Enable logging in the Tivoli Integrated Portal for Troubleshooting
Introduction
The purpose of this paper is to detail the procedure for configuring IBM Tivoli Integrated Portal server for single sign-on using Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), federated repositories, and Microsoft Active Directory services. The environment described in this paper uses the following products:
- Tivoli Integrated Portal server V2.2.0.11 installed on Red Hat® Enterprise Linux® operating system, running as the user 'bsmadmin'.
- Microsoft Active Directory services installed on Windows® 2008 operating system.
The Active Directory domain name, which is also the Kerberos realm name, used in this paper is 'FEDIVT'.
Before performing this procedure
- Create a current backup of the Tivoli Integrated Portal installation using your preferred archiving method.
- Synchronize the system clocks on the Windows server and Linux server to within 5 minutes of each other, preferably with NTP. Kerberos rejects authenticators whose timestamp falls outside the permitted clock skew (5 minutes by default), so a drifting clock makes every SPNEGO login fail even when the rest of the configuration is correct.
Table 1 shows the LDAP server configuration required for configuring the federated repositories in the Tivoli Integrated Portal server.

Table 1: Required LDAP configuration information.
  LDAP Host name               Host name of the LDAP server
  LDAP Port                    Port for the LDAP server, default value 389
  LDAP Type                    The type of LDAP used
  LDAP Repository Identifier   Unique identifier for the LDAP repository within the Application Server
  LDAP Bind ID                 The user ID used to bind to the LDAP server; this user must have at least read access
  LDAP Bind Password           Password for the bind user ID
  LDAP Base Entry              Base entry for the LDAP server
The values in Table 2 show the LDAP information that is used in this paper to configure the federated repositories within the Tivoli Integrated Portal server.

Table 2: Federated configuration information used in this document
  LDAP Host name               ad2008
  LDAP Port                    389
  LDAP Type                    Microsoft Active Directory
  LDAP Repository Identifier   TIVAD
  LDAP Bind ID                 cn=Administrator,CN=Users,DC=fedivt,DC=ibm,DC=com
  LDAP Bind Password           passw0rd
  LDAP Base Entry              DC=fedivt,DC=ibm,DC=com
Two points about these values before using them outside a test environment: the bind user only needs read access to the directory, so a dedicated low-privilege account is preferable to the domain Administrator used here; and port 389 is unencrypted LDAP, so the bind password and every directory query cross the network in the clear unless the repository is configured to use SSL.
Creating a user for SPNEGO authentication and a keytab file on the Active Directory server
1. Create a user in Active Directory named 'spnusr1' with a password of 'passw0rd' as shown in the next three figures. The Kerberos key that ends up in the keytab is derived from this password, so use a strong one in a real deployment, and either set the password not to expire or plan to regenerate the keytab whenever it changes.
Figure 1: Create user
Figure 2: Create user continued
Figure 3: Create user finish
Note: This user will be used for the SPNEGO configuration in the Tivoli Integrated Portal, it is
not the user that is used to login to the Tivoli Integrated Portal for day to day operations.
2. Start a Windows command prompt and create a keytab file for the spnusr1 user using the ktpass command. The syntax for the ktpass command is:
ktpass -out <keytab file> -princ HTTP/<Tivoli Integrated Portal fully qualified hostname>@<ACTIVE DIRECTORY DOMAIN> -mapuser <username> -pass <password> -ptype <principal type>
The command that was run to generate the keytab file:
ktpass -out tipserver1.keytab -princ HTTP/fit-vm15-216.rtp.raleigh.ibm.com@FEDIVT -mapuser spnusr1 -pass passw0rd -ptype KRB5_NT_PRINCIPAL
NOTE: The service name HTTP and the Active Directory domain name (the Kerberos realm) are case-sensitive and must be uppercase. The host name must be the fully qualified name that users type in the browser URL: the browser requests a ticket for HTTP/<host in URL>, and the portal can only decrypt that ticket if the same name is in the keytab.
NOTE: ktpass -mapuser writes the service principal name onto the spnusr1 account and, with -pass, resets that account's password to the supplied value so that the key written to the keytab matches the key held by Active Directory. Each run of ktpass (or any later password reset on spnusr1) increments the key version number, after which an older keytab stops working and must be replaced.
Figure 4 shows the output of the ktpass command above.
Figure 4: ktpass command output
If 'KTPASS failed getting target domain for specified user' is received when running the ktpass command, re-run the command supplying the Active Directory domain name to the mapuser option, for example: -mapuser FEDIVT\spnusr1.
5
3. Verify the Service Principal Name for the spnusr1 user by issuing 'setspn -l spnusr1'; the output is shown in Figure 5. The listed SPN must be exactly HTTP/fit-vm15-216.rtp.raleigh.ibm.com, and no other account in the domain may carry the same SPN: a duplicate SPN causes ticket requests for that name to fail.
Figure 5: setspn command output
4. Transfer the tipserver1.keytab file to the /tmp directory of the Tivoli Integrated Portal server. The keytab contains the long-term key of the spnusr1 account, so use an encrypted transfer such as scp or SFTP; if FTP must be used, switch to binary transfer mode so that the file is not altered in transit.
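Before the keytab is copied into place it is worth confirming what ktpass actually wrote: a host name that differs from the browser URL, a lower-case service name, or a DES/RC4-only key are all silent until the first SPNEGO login fails. The script below is an added example written for this paper; it is not part of the paper and not IBM code. It parses the MIT keytab format that ktpass produces and reports the principal, realm, key version number and encryption type of each entry, then checks them against the expected HTTP/<host>@FEDIVT principal. The sample keytab bytes, the dummy keys and the function names are constructed here for illustration.

```python
"""Inspect a ktpass keytab before copying it to the portal server.

Added example for this paper, not code from the paper or from IBM. It reads the
MIT keytab format (magic 0x0502) that Windows ktpass writes and checks that the
file holds HTTP/<portal FQDN>@<REALM> with a current encryption type. The sample
keytab is constructed below with dummy key bytes.
"""
import struct

# Encryption-type numbers from the IANA Kerberos registry (RFC 3961, RFC 4757).
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 23}      # single DES and RC4: avoid for new deployments
KRB5_NT_PRINCIPAL = 1           # the -ptype used with ktpass in this paper


def _counted(buf, off):
    """Read one counted_octet_string: uint16 length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return bytes(buf[off + 2:off + 2 + n]), off + 2 + n


def parse_keytab(data):
    """Return the keytab entries as dicts: principal, realm, kvno, enctype, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab (ktpass writes 0x0502)")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = bytes(data[off:off + klen])
        off += klen
        kvno = vno8
        if end - off >= 4:          # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        off = end
        entries.append({"principal": "/".join(comps), "realm": realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def check_keytab(data, principal, realm):
    """Return a list of problems; an empty list means the keytab looks right."""
    problems = []
    entries = parse_keytab(data)
    if not any(e["principal"] == principal and e["realm"] == realm for e in entries):
        found = sorted(e["principal"] + "@" + e["realm"] for e in entries)
        problems.append("no entry for %s@%s; keytab holds %s" % (principal, realm, found))
    for e in entries:
        name = e["principal"] + "@" + e["realm"]
        if e["realm"] != e["realm"].upper():
            problems.append("realm in %s is not upper case" % name)
        if not e["principal"].startswith("HTTP/"):
            problems.append("service part of %s is not HTTP (case matters)" % name)
        if e["enctype"] in WEAK_ENCTYPES:
            problems.append("weak enctype %s for %s"
                            % (ENCTYPES.get(e["enctype"], e["enctype"]), name))
    return problems


def build_keytab(entries):
    """Write keytab bytes for (principal, realm, kvno, enctype, key) tuples (sample input only)."""
    out = b"\x05\x02"
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


# Constructed sample: the paper's principal with an AES-256 key and a legacy
# RC4 key at the same kvno (dummy key bytes, not output from ktpass).
PORTAL_SPN = "HTTP/fit-vm15-216.rtp.raleigh.ibm.com"
SAMPLE_KEYTAB = build_keytab([
    (PORTAL_SPN, "FEDIVT", 3, 18, bytes(range(32))),
    (PORTAL_SPN, "FEDIVT", 3, 23, bytes(range(16))),
])
```

To run it against the real file, call check_keytab(open("/tmp/tipserver1.keytab", "rb").read(), PORTAL_SPN, "FEDIVT"). The kvno and encryption type it reports should agree with the vno and etype that ktpass printed (Figure 4); a mismatch means the keytab on the portal server is older than the current key of spnusr1 in Active Directory.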
Create the krb5.conf file using the tipserver1.keytab file on the Tivoli Integrated Portal server
1. Create a directory for the tipserver1.keytab and krb5.conf files; /etc/krb5 is used in this environment.
2. Copy the tipserver1.keytab file from /tmp to /etc/krb5, and delete the copy left in /tmp, which is a world-readable location.
3. The Tivoli Integrated Portal was installed and is running as the user bsmadmin; because of this, the following commands were run in this environment to allow the bsmadmin user access to the krb5 directory and files:
chown -R :bsmadmin /etc/krb5
chmod g+w /etc/krb5
Keep the keytab itself readable only by root and the bsmadmin group (for example chmod 640 /etc/krb5/tipserver1.keytab): anyone who can read it holds the portal's Kerberos key and can impersonate the portal to its clients.
4. Login to the Tivoli Integrated Portal using the wsadmin.sh command utility:
/opt/IBM/tivoli/tipv2/profiles/TIPProfile/bin/wsadmin.sh -user tipadmin -password passw0rd
Omitting -password makes wsadmin prompt for it, which keeps the password out of the shell history and the process list.
5. At the wsadmin prompt issue '$AdminTask createKrbConfigFile' to create the krb5.conf file from the tipserver1.keytab file. The syntax for the createKrbConfigFile option is:
$AdminTask createKrbConfigFile {-krbPath <path/krb5.conf> -realm <Active Directory Kerberos realm name, uppercase> -kdcHost <host name of the Active Directory server> -dns <internet domain name> -keytabPath <path/keytab file>}
The command that was run to generate the /etc/krb5/krb5.conf file:
wsadmin>$AdminTask createKrbConfigFile {-krbPath /etc/krb5/krb5.conf -realm FEDIVT -kdcHost ad2008.tivlab.raleigh.ibm.com -dns raleigh.ibm.com -keytabPath /etc/krb5/tipserver1.keytab }
6. Type quit at the wsadmin prompt to exit.
6
Configuring the Tivoli Integrated Portal for SPNEGO and LDAP
To configure the Tivoli Integrated Portal, do the following steps:
1. Log in to the Tivoli Integrated Portal Administrative console as the tipadmin user (https://hostname:16316/ibm/console) and expand Security.
2. Click Global security.
3. Expand Web security.
4. Click SPNEGO Web authentication.
5. Under SPNEGO Filters click New.
6. Fill in the values for Hostname and Kerberos realm name, and select Trim Kerberos realm name from principal name as shown in Figure 6. The Hostname must be the same fully qualified name that was used in the HTTP/ service principal, because the filter only applies to requests addressed to that host. Trimming the realm turns the authenticated Kerberos principal (for example user@FEDIVT) into the bare user name that is then looked up in the federated repository; this is appropriate here because only one realm is in use.
Figure 6: SPNEGO filters
7. Click OK and when prompted click Save.
8. Complete the default options for General Properties as shown in Figure 7.
Figure 7: SPNEGO Web authentication
9. Click OK and when prompted click Save.
10. On the main Global security page click Configure next to Federated repositories.
Figure 8: Tivoli Integrated Portal options
11. Click Add Base entry to Realm.
Figure 9: Realm specifics
12. Click Add Repository.
Figure 10: Adding a repository
13. Complete the fields as indicated in Figure 11, using the values from Table 2. Click Apply, and when prompted, click Save.
Figure 11: Repository properties
14. Complete the base entry fields; 'DC=fedivt,DC=ibm,DC=com' was used in Figure 12 for both entries in this environment. Click Apply, and when prompted, click Save.
Figure 12: Completing entries
15. Optional: Set a single sign-on domain for use with LTPA if connecting to additional servers configured for LTPA single sign-on.
A. Click Global security.
B. Expand Web security.
C. Click Single sign-on.
D. Fill in a value for Domain name, for example '.ibm.com' as shown in Figure 13. The LTPA cookie is sent to every host under this domain, so use the narrowest domain that still covers the participating servers.
Figure 13: Single sign-on domain name
E. Click OK and when prompted click Save.
16. Stop and restart the Tivoli Integrated Portal:
/opt/IBM/tivoli/tipv2/profiles/TIPProfile/bin/stopServer.sh server1 -user tipadmin -password passw0rd
/opt/IBM/tivoli/tipv2/profiles/TIPProfile/bin/startServer.sh server1
Add roles to the Active Directory user that will be connecting to the Tivoli Integrated Portal
Note: This should not be the spnusr1 user.
1. Login to the Tivoli Integrated Portal application console as the tipadmin user (https://hostname:16311/ibm/console).
2. Expand Users and Groups and click on User Roles.
3. In the User ID field, fill in the user name of the Active Directory user that will be used to connect
to the Tivoli Integrated portal using SPNEGO authentication (not the spnusr1 user) and click
Search.
4. Assign the roles that are applicable for the specific user and click Save.
Internet browser configurations
Enable Microsoft Internet Explorer® browser for SPNEGO:
1. Login to the Windows system configured as an Active Directory client.
2. Launch the Internet Explorer browser, click Tools and then click Internet Options.
3. Select the Security tab, click on the Local Intranet icon and then click Sites.
4. Ensure that all the check boxes in the Local intranet dialog are selected, then click Advanced.
5. Under Add this website to the zone fill in the url for the Tivoli integrated portal, for example:
https://fit-vm15-216.rtp.raleigh.ibm.com
Then click Add and Close
6. Click OK to exit the Local Intranet Options
7. Click the Advanced tab and verify that Enable Integrated Windows Authentication is checked; if not, click to enable it.
8. Click OK to exit Internet Options
9. Stop and restart the Internet Explorer browser.
Enable Mozilla® Firefox® browser for SPNEGO:
1. Launch the Firefox browser
2. In the URL field type about:config and when prompted click to accept the security warning.
3. In the Search field type network.negotiate-auth
4. Double-click network.negotiate-auth.trusted-uris
5. Type the URL for the Tivoli Integrated Portal, for example:
https://fit-vm15-216.rtp.raleigh.ibm.com
This preference is a comma-separated list of the sites Firefox will attempt Negotiate authentication with; listing the portal host name alone is preferable to a whole domain such as .ibm.com.
6. Click OK
7. Stop and restart the Firefox browser
Enable logging in the Tivoli Integrated Portal for Troubleshooting
1. To enable tracing to assist in troubleshooting SPNEGO requests in the Tivoli Integrated Portal, login to the Tivoli Integrated Portal Administrative Console (https://hostname:16316/ibm/console) and expand Troubleshooting.
2. Click Logs and Trace.
Figure 14: Logs and Trace
3. Click the server listed under Server.
Figure 15: server1
4. Click Change Log Detail Levels.
Figure 16: Log Details
5. Click the Runtime tab.
6. Click Save runtime changes to configuration as well.
7. Append the following value to the current setting and click Apply, and when prompted click Save:
:com.ibm.ws.security.spnego.*=all
Note that the colons (:) are delimiters between values.
Figure 17: Change log details
8. A trace.log will now be written in the /opt/IBM/tivoli/tipv2/profiles/TIPProfile/logs/server1 directory. Trace at the =all level records the SPNEGO token and user principal of every request and grows quickly, so remove the entry again once the problem is resolved.
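The server trace above shows what the portal did with a token; the other half of a failed SPNEGO login is what the browser actually sent in the Authorization header. The script below is an added example written for this paper, not IBM code and not part of the original document. It decodes a Negotiate header far enough to tell a Kerberos-first SPNEGO token from one that offers only NTLM, which is what Internet Explorer and Firefox fall back to when the site is outside the Local intranet zone or trusted URIs (the browser settings above) or when no ticket for HTTP/<host> could be obtained, and which the portal's SPNEGO authentication cannot accept because it only supports Kerberos. The sample headers, the placeholder inner tokens and the function names are constructed here for illustration.

```python
"""Triage the Authorization: Negotiate header a browser sends to the portal.

Added example for this paper, not IBM code. It decodes the token far enough to
tell whether the browser offered a Kerberos ticket or only NTLM, which the
portal's SPNEGO authentication cannot use. The sample headers are built here
with a small DER writer and placeholder inner tokens, not captured from a browser.
"""
import base64

# DER-encoded mechanism OIDs (RFC 4178 SPNEGO, RFC 4121 Kerberos, Microsoft NTLMSSP).
OID_SPNEGO = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b060104018237020a")   # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {OID_KRB5: "krb5", OID_MS_KRB5: "ms-krb5", OID_NTLMSSP: "ntlmssp"}
KERBEROS_MECHS = {"krb5", "ms-krb5"}


def _tlv(buf, off):
    """Read one DER TLV at buf[off]; return (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                   # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def classify_negotiate(header_value):
    """Describe what the client sent in an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate", "scheme": scheme}
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):   # raw NTLM under the Negotiate scheme
        return {"kind": "ntlm", "ntlm_message_type": int.from_bytes(token[8:12], "little")}
    if not token or token[0] != 0x60:      # InitialContextToken is [APPLICATION 0]
        return {"kind": "unknown"}
    _, body, _ = _tlv(token, 0)
    tag, mech, off = _tlv(body, 0)         # thisMech OID comes first
    if tag != 0x06:
        return {"kind": "unknown"}
    if mech in (OID_KRB5, OID_MS_KRB5):    # raw Kerberos token without SPNEGO wrapper
        return {"kind": "kerberos", "mechs": [OID_NAMES[mech]]}
    if mech != OID_SPNEGO:
        return {"kind": "unknown", "mech": mech.hex()}
    # NegotiationToken ::= [0] NegTokenInit, a SEQUENCE whose [0] is mechTypes.
    _, neg, _ = _tlv(body, off)
    _, seq, _ = _tlv(neg, 0)
    tag, mech_types, _ = _tlv(seq, 0)
    mechs = []
    if tag == 0xA0:
        _, oid_list, _ = _tlv(mech_types, 0)
        pos = 0
        while pos < len(oid_list):
            _, oid, pos = _tlv(oid_list, pos)
            mechs.append(OID_NAMES.get(oid, oid.hex()))
    # RFC 4178: the client's mechToken belongs to the first mechType listed.
    if mechs and mechs[0] in KERBEROS_MECHS:
        kind = "kerberos"
    elif mechs and mechs[0] == "ntlmssp":
        kind = "ntlm-in-spnego"
    else:
        kind = "spnego-other"
    return {"kind": kind, "mechs": mechs}


def _der(tag, value):
    """Encode one DER TLV (used only to construct the samples)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + value


def make_spnego_init(mech_oids, mech_token):
    """Construct a NegTokenInit that offers mech_oids in order (sample input only)."""
    mech_types = _der(0xA0, _der(0x30, b"".join(_der(0x06, o) for o in mech_oids)))
    mech_tok = _der(0xA2, _der(0x04, mech_token))
    return _der(0x60, _der(0x06, OID_SPNEGO) + _der(0xA0, _der(0x30, mech_types + mech_tok)))


def _header(token):
    return "Negotiate " + base64.b64encode(token).decode()


# Constructed samples; the inner tokens are placeholders, not real AP-REQ messages.
SAMPLE_HEADERS = {
    # a domain client that trusts the site offers Kerberos first
    "kerberos": _header(make_spnego_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], b"\x60\x00")),
    # site not trusted for Negotiate, or no ticket obtained: only NTLM is offered
    "ntlm_in_spnego": _header(make_spnego_init([OID_NTLMSSP], b"NTLMSSP\x00\x01\x00\x00\x00")),
    # some clients send a bare NTLM message under the Negotiate scheme
    "raw_ntlm": _header(b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(24)),
    # bare Kerberos GSS token: OID, TOK_ID 01 00, then the AP-REQ
    "raw_kerberos": _header(_der(0x60, _der(0x06, OID_KRB5) + b"\x01\x00" + b"\x6e\x00")),
}
```

Feed classify_negotiate the value of the Authorization header from a browser developer-tools capture or a proxy log. A result of "ntlm" or "ntlm-in-spnego" from a client that is on the domain points at the browser-side configuration or the SPN rather than at the portal; only a "kerberos" result is worth tracing further on the server side.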
Notices
© Copyright IBM Corporation 2013
IBM United States of America
Produced in the United States of America
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP
Schedule Contract with IBM Corp.
IBM may not offer the products, services, or features discussed in this document in other countries.
Consult your local IBM representative for information on the products and services currently available
in your area. Any reference to an IBM product, program, or service is not intended to state or imply
that only that IBM product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may be used instead.
However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product,
program, or service.
IBM may have patents or pending patent applications covering subject matter described in this
document. The furnishing of this document does not grant you any license to these patents. You can
send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where such
provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PAPER “AS IS”
WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied
warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes may be made
periodically to the information herein; these changes may be incorporated in subsequent versions of
the paper. IBM may make improvements and/or changes in the product(s) and/or the program(s)
described in this paper at any time without notice.
Any references in this document to non-IBM websites are provided for convenience only and do not
in any manner serve as an endorsement of those websites. The materials at those websites are not part
of the materials for this IBM product and use of those websites is at your own risk.
IBM may have patents or pending patent applications covering subject matter described in this
document. The furnishing of this document does not give you any license to these patents. You can
send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
4205 South Miami Boulevard
Research Triangle Park, NC 27709 U.S.A.
All statements regarding IBM's future direction or intent are subject to change or withdrawal without
notice, and represent goals and objectives only.
This information is for planning purposes only. The information herein is subject to change before the
products described become available.
If you are viewing this information softcopy, the photographs and color illustrations may not appear.
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide. Other product and service names might
be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at
“Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.
Other company, product, or service names may be trademarks or service marks of others.