Configuring Kerberos based SSO in Solaris and Weblogic


IBM

Configuring Kerberos based SSO in Solaris and Weblogic Application server Environment

Kerberos configuration

Saravana Kumar KKB & Arvind Kumar P

[Abstract: Many products today support SSO. Kerberos is the most widely recommended mechanism for efficient and secure network access across the enterprise. This article describes how to configure single sign-on (SSO) with Kerberos in Oracle Solaris and Oracle WebLogic Server.]

About the authors: Saravana is working as a Staff Software Engineer (QA) for the IBM Policy N team under ECM. You can contact him with your queries at saravkkb@in.ibm.com. Arvind is working as an Advisory Software Engineer (QA) for the Atlas team under ECM. Reach out to him at apachuno@in.ibm.com.



1 Introduction: Single sign-on (SSO) allows a user to sign in once and then access other applications without authenticating again.

1.1 Why Kerberos?

Kerberos is a technology that allows for strong authentication in open and distributed networks. It is a credible security solution for four main reasons:

1. Kerberos is mature. It has been widely used and widely studied for a long time. In security that counts for a great deal.

2. Kerberos meets the requirements of modern distributed systems. It was developed in response to a well-defined and clearly thought through set of requirements for secure authentication in an open environment with insecure communications links; it has turned out that those requirements closely match the requirements of modern distributed systems operating over networks based on Internet Protocols.

3. Kerberos is architecturally sound. It is designed around a clear set of architectural and functional abstractions; that architectural soundness has allowed it to evolve over time and makes it easy to integrate into other systems. The same architectural soundness makes it easy to analyze how Kerberos will behave.

4. Kerberos is already in place. Kerberos is already integrated into most popular operating systems and many widely-used software applications. It is an integral part of today's IT infrastructure.

2 Machine configuration:

2.1 What is a KDC?

The Kerberos Key Distribution Center (KDC) is the network service that authenticates principals (users and computers) and issues them tickets and temporary session keys: a ticket-granting ticket (TGT) when the user logs on, and service tickets for individual services such as the HTTP service on the WebLogic host. In this scenario the realm is an Active Directory domain, so the KDC runs on each domain controller as part of Active Directory Domain Services (AD DS). The ticket-granting service (TGS) referred to below is the part of the KDC that issues service tickets in exchange for a TGT.

2.2 What is SPNEGO?

Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) is a standard protocol used to negotiate which authentication mechanism will be used when a client application wants to authenticate to a remote server. SPNEGO was defined in IETF RFC 2478, since replaced by RFC 4178. In web SSO it is carried in the HTTP Negotiate authentication scheme and is responsible for authenticating access to a secured page, such as a WebLogic (or WebSphere) Application Server resource identified in an HTTP request. Microsoft also uses SPNEGO for its browser-based SSO solutions; in the Windows implementation the negotiated mechanism is Kerberos when the client can obtain a ticket for the server, and the browser falls back to NTLM when it cannot.


Figure 1: Machine configuration for Kerberos authentication (diagram; only its labels survive here). Machine A: ad.kerb.mycompany.com, Windows 2008/2012 KDC / domain controller. Machine B: weblogic.kerb.mycompany.com, Solaris 10 running Oracle WebLogic Server. Machine C: client.kerb.mycompany.com, a Windows 8/7/Vista client workstation with a browser. The numbered arrows 1 to 8 in the figure correspond to the steps below.

1. When the logged-on domain user on Machine C requests a resource from Oracle WebLogic Server on Machine B, the browser sends an ordinary HTTP GET.

2. Oracle WebLogic Server on Machine B, running the SPNEGO token handler code, requires authentication and answers 401 Unauthorized with a WWW-Authenticate: Negotiate header.

3. The browser on Machine C then requests a service ticket from the TGS/KDC on Machine A for the server's service principal name (HTTP/ followed by the host name used in the URL), presenting the TGT it obtained at Windows logon.

4. The TGS/KDC on Machine A issues the service ticket (assuming the client is authorized); the client's security support provider builds a Kerberos AP-REQ from it and wraps it in a SPNEGO token.

5. The client re-sends the HTTP GET request with the SPNEGO token in an Authorization: Negotiate base64(token) header.

6. SPNEGO web authentication in WebLogic Server sees the HTTP header with the SPNEGO token, validates the token against the server's keytab and obtains the identity (principal) of the user.

7. After WebLogic has the identity of the user, it validates the user in Microsoft Active Directory (the configured authentication provider). Once identification is complete, WebLogic executes the related Java code (servlets, JSPs, EJBs and so on) and checks authorizations.

8. Oracle WebLogic Server's SPNEGO token handler code accepts and processes the token through the GSS-API, authenticates the user and responds with the requested URL.
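The exchange above is easiest to debug from the Authorization header the browser sends in step 5: if the SPN is not registered, the host name in the URL does not match the SPN, or the site is outside the browser's intranet zone, Windows silently offers NTLM instead of a Kerberos ticket and WebLogic rejects it. The following script is an added example, not code from the original article or from Oracle: it decodes the Negotiate header (RFC 2743 InitialContextToken and the SPNEGO NegTokenInit inside it) and reports which mechanism the browser actually offered. Both sample headers are constructed in the script; the mechToken payloads are placeholders, not real AP-REQ or NTLM messages.

```python
"""Classify the token in an HTTP 'Authorization: Negotiate <base64>' header:
SPNEGO carrying Kerberos, raw Kerberos, or an NTLM fallback.
Added example; the sample headers below are constructed, not captured."""
import base64

# DER-encoded OBJECT IDENTIFIERs (tag and length included) seen in Windows tokens.
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"                    # 1.3.6.1.5.5.2
KRB5_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"          # 1.2.840.113554.1.2.2
MS_KRB5_OID = b"\x06\x09\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"       # 1.2.840.48018.1.2.2
NTLMSSP_OID = b"\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"   # 1.3.6.1.4.1.311.2.2.10
KERBEROS_MECHS = ("1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2")


def _der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Return (tag, body, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Dotted form of an OID body (base-128 arcs, first octet = 40*a + b)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for octet in body[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def inspect_token(token):
    """Classify one GSS-API initial token from a Negotiate header."""
    if token.startswith(b"NTLMSSP\x00"):
        return {"mechanism": "NTLMSSP (raw)", "mech_types": [],
                "verdict": "NTLM fallback: the browser obtained no Kerberos ticket"}
    tag, body, _ = _read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    oid_tag, oid_body, pos = _read_tlv(body, 0)
    if oid_tag != 0x06:
        raise ValueError("missing mechanism OID")
    mech = _decode_oid(oid_body)
    if mech == KERBEROS_MECHS[0]:
        return {"mechanism": "Kerberos V5 (raw)", "mech_types": [mech], "verdict": "ok: raw Kerberos AP-REQ"}
    if mech != "1.3.6.1.5.5.2":
        raise ValueError("unknown mechanism " + mech)
    choice_tag, choice_body, _ = _read_tlv(body, pos)
    if choice_tag != 0xA0:                      # [0] negTokenInit; [1] would be negTokenResp
        raise ValueError("expected a NegTokenInit")
    _, fields, _ = _read_tlv(choice_body, 0)    # SEQUENCE of context-tagged fields
    mech_types, has_mech_token, p = [], False, 0
    while p < len(fields):
        ftag, fbody, p = _read_tlv(fields, p)
        if ftag == 0xA0:                        # [0] mechTypes: SEQUENCE OF OID, preferred first
            _, seq, _ = _read_tlv(fbody, 0)
            q = 0
            while q < len(seq):
                _, oid_body, q = _read_tlv(seq, q)
                mech_types.append(_decode_oid(oid_body))
        elif ftag == 0xA2:                      # [2] mechToken: the preferred mechanism's first token
            has_mech_token = True
    preferred = mech_types[0] if mech_types else None
    if preferred in KERBEROS_MECHS and has_mech_token:
        verdict = "ok: SPNEGO carrying a Kerberos AP-REQ"
    elif preferred == "1.3.6.1.4.1.311.2.2.10":
        verdict = "NTLM fallback: check the SPN, the URL host name and the browser zone"
    else:
        verdict = "unexpected preferred mechanism: %s" % preferred
    return {"mechanism": "SPNEGO", "mech_types": mech_types, "verdict": verdict}


def inspect_negotiate_header(value):
    """Parse the value of an Authorization header and classify its token."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"mechanism": scheme, "mech_types": [], "verdict": "not a Negotiate header"}
    return inspect_token(base64.b64decode(b64))


def build_spnego_init(mech_oids, mech_token):
    """Constructed NegTokenInit for the samples below (not a real capture)."""
    mech_list = _tlv(0x30, b"".join(mech_oids))
    init = _tlv(0x30, _tlv(0xA0, mech_list) + _tlv(0xA2, _tlv(0x04, mech_token)))
    return _tlv(0x60, SPNEGO_OID + _tlv(0xA0, init))


# Constructed samples: a healthy Kerberos negotiation and an NTLM fallback.
KERBEROS_HEADER = "Negotiate " + base64.b64encode(
    build_spnego_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"\x6e\x82" + b"\x00" * 14)).decode()
NTLM_HEADER = "Negotiate " + base64.b64encode(
    build_spnego_init([NTLMSSP_OID], b"NTLMSSP\x00\x01\x00\x00\x00")).decode()

if __name__ == "__main__":
    for header in (KERBEROS_HEADER, NTLM_HEADER):
        print(inspect_negotiate_header(header))
```

Paste a header copied from the browser's developer tools or a proxy into inspect_negotiate_header; a preferred mechanism of 1.2.840.48018.1.2.2 or 1.2.840.113554.1.2.2 with a mechToken means the browser got a ticket for the SPN, while an NTLMSSP-first list means the Kerberos side (SPN, DNS name, keytab) needs fixing before WebLogic is involved at all.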

3 Scenario Overview: This scenario has two major parts:

1. Adding the Solaris machine to the domain controller
2. Configuring Oracle WebLogic Server for Kerberos

This scenario requires the following prerequisites:

- A functioning Microsoft Windows 2008 Active Directory domain, including:
  - a domain controller
  - a client workstation

Users must be able to log in to the domain. A working domain controller and at least one client computer in that domain are required; testing SPNEGO with a browser on the domain controller itself does not work, so use a separate client workstation. For more information, see the tutorial How do I install Active Directory on the Windows Server 2008 server at:

http://www.petri.co.il/installing-active-directory-windows-server-2008.htm

- A functioning WebLogic server with a domain created

4 Steps:

4.1 Machine: KDC - scenario name: Machine A

1. Create a user in Active Directory to serve as the service account for the WebLogic host.

E.g.: solaris229

In the account options select only "Password never expires" and "User cannot change password"; leave every other option clear. The keytab generated in the next step is derived from this account's password, so any later password change on the account invalidates the keytab until it is regenerated.


2. Generate the keytab file

C:\Users\Administrator> ktpass -princ HTTP/solaris229@KERB.MYCOMPANY.COM -mapuser solaris229 -pass Admin123 -out C:\solaris\krb5.keytab -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL

ktpass registers the SPN HTTP/solaris229 on the solaris229 account, sets the account password to the value given with -pass, derives the RC4 key from that password and writes the key to the keytab. Two caveats for production use. First, the SPN must name the host exactly as users type it in the URL, normally the fully qualified name of the WebLogic host (weblogic.kerb.mycompany.com in Figure 1), because that is the name the browser asks the KDC for in step 3; a keytab for a short name only works if users reach the server by that short name. Second, RC4-HMAC-NT is a weak legacy cipher; on a Windows Server 2008 or later domain with a JVM that supports it, prefer -crypto AES256-SHA1 and list the matching aes256-cts enctype in krb5.conf instead of rc4-hmac. Giving -pass * instead of a literal password makes ktpass prompt for it rather than exposing it on the command line.

Transfer the keytab file to the WebLogic machine, into the bin directory of the WebLogic domain. The keytab is equivalent to the service account's password: transfer it over an encrypted channel such as scp, and make it readable only by the user that runs WebLogic (owned by that user, mode 600).
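Before copying the keytab into the domain it is worth confirming that it really holds the principal the browser will ask for, and a key type that the krb5.conf enctype lists allow; the usual symptom of a mismatch is a 401 loop with no useful message from WebLogic. The script below is an added example, not part of the original article or of Oracle's or Microsoft's tooling: it parses the 0x0502 keytab format written by ktpass, Solaris and Java, and checks the file against an expected SPN and an enctype list. The keytab bytes are constructed in the script with a placeholder key; on a real system read the transferred krb5.keytab instead. The second check shows what happens when users reach the server by its FQDN while the keytab only holds the short-name SPN from the ktpass command above.

```python
"""Parse a version 0x0502 Kerberos keytab and check it for an expected SPN
and an allowed enctype. Added example; SAMPLE_KEYTAB is constructed here
with a placeholder key, not dumped from a real KDC."""
import struct
import time

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# Spellings accepted in krb5.conf enctype lists, mapped to the numeric enctype.
ENCTYPE_ALIASES = {"rc4-hmac": 23, "arcfour-hmac": 23, "arcfour-hmac-md5": 23, "rc4-hmac-nt": 23,
                   "aes256-cts": 18, "aes256-cts-hmac-sha1-96": 18, "aes256-sha1": 18,
                   "aes128-cts": 17, "aes128-cts-hmac-sha1-96": 17, "aes128-sha1": 17,
                   "des-cbc-crc": 1, "des-cbc-md5": 3}


def _counted(data):
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Write a 0x0502 keytab from (principal, kvno, enctype, key) tuples.
    Used only to construct the sample; real keytabs come from ktpass or kadmin."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        # name_type 1 = KRB5_NT_PRINCIPAL, then timestamp and the 8-bit kvno
        body += struct.pack(">IIB", 1, int(time.time()), kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)       # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(blob):
    """Return one dict per live entry: principal, kvno, enctype, enctype_name, key_len."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4])
        pos += 4
        if size == 0:
            break
        if size < 0:                          # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size

        def take():                           # read one counted_octet_string
            nonlocal pos
            (n,) = struct.unpack(">H", blob[pos:pos + 2])
            pos += 2
            value = blob[pos:pos + n]
            pos += n
            return value

        (ncomp,) = struct.unpack(">H", blob[pos:pos + 2])
        pos += 2
        realm = take().decode()
        comps = [take().decode() for _ in range(ncomp)]
        _name_type, _timestamp, kvno = struct.unpack(">IIB", blob[pos:pos + 9])
        pos += 9
        (enctype,) = struct.unpack(">H", blob[pos:pos + 2])
        pos += 2
        key = take()
        if end - pos >= 4:                    # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack(">I", blob[pos:pos + 4])
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "key_len": len(key)})
    return entries


def check_keytab(blob, expected_spn, allowed_enctypes):
    """(ok, reasons): does the keytab hold expected_spn with an enctype krb5.conf allows?"""
    allowed = {ENCTYPE_ALIASES[n.lower()] for n in allowed_enctypes if n.lower() in ENCTYPE_ALIASES}
    entries = parse_keytab(blob)
    matching = [e for e in entries if e["principal"] == expected_spn]
    reasons = []
    if not matching:
        reasons.append("no key for %s; keytab holds %s"
                       % (expected_spn, sorted({e["principal"] for e in entries})))
    elif not any(e["enctype"] in allowed for e in matching):
        reasons.append("key types %s are not in the krb5.conf enctype list %s"
                       % (sorted({e["enctype_name"] for e in matching}), list(allowed_enctypes)))
    if any(e["enctype"] in (1, 3) for e in matching):
        reasons.append("single-DES key present; re-key with AES")
    return (not reasons, reasons)


# Constructed sample: the SPN and enctype from the ktpass command above, placeholder key bytes.
SAMPLE_KEYTAB = build_keytab([("HTTP/solaris229@KERB.MYCOMPANY.COM", 3, 23, b"\x11" * 16)])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    print(check_keytab(SAMPLE_KEYTAB, "HTTP/solaris229@KERB.MYCOMPANY.COM", ["rc4-hmac", "arcfour-hmac-md5"]))
    # What the browser asks for when users type the FQDN: no matching key in this keytab.
    print(check_keytab(SAMPLE_KEYTAB, "HTTP/weblogic.kerb.mycompany.com@KERB.MYCOMPANY.COM", ["rc4-hmac"]))
```

On Solaris the same information comes from klist -k -e against the transferred file; the value of the script is that it states the check explicitly (SPN present, enctype allowed, no single-DES keys) so it can run from a deployment pipeline before WebLogic is restarted.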

4.2 Machine: WebLogic - scenario machine name: Machine B

4.2.1 Steps to configure system files:

1. Edit resolv.conf and add the domain controller specific entries, so that the Solaris host resolves names in the AD domain through the domain's DNS (the KDC host name and the realm's SRV records depend on it).

Path: /etc/resolv.conf
---------------------
domain KERB.MYCOMPANY.COM
nameserver
search kerb.mycompany.com

The nameserver line takes the IP address of the DNS server for the AD domain, normally the domain controller (left blank in the original). Note that the keyword is domain, not domainname.

2. Edit the hosts file and add the domain controller specific entries. Each line starts with the host's IP address, which the original leaves out.

Path: /etc/hosts
---------------
windowsvista.kerb.mycompany.com windowsvista
ad.kerb.mycompany.com ad

3. Edit the krb5.conf file and the kdc.conf file in the /etc/krb5 directory as shown below. Also place a copy of krb5.conf in the WebLogic domain bin directory: the JVM that runs WebLogic is pointed at that copy (java.security.krb5.conf), while the Solaris Kerberos tools keep using /etc/krb5/krb5.conf. The default_tkt_enctypes and default_tgs_enctypes lists must include the key type stored in the keytab (rc4-hmac here, matching -crypto RC4-HMAC-NT in the ktpass command; use aes256-cts-hmac-sha1-96 instead if the keytab was generated with AES256-SHA1). The [domain_realm] section maps the DNS domain of the hosts, kerb.mycompany.com, to the realm.

Path: /etc/krb5/krb5.conf
---------------

[libdefaults]
default_realm = KERB.MYCOMPANY.COM
default_tkt_enctypes = rc4-hmac arcfour-hmac-md5
default_tgs_enctypes = rc4-hmac arcfour-hmac-md5
ticket_lifetime = 600

[realms]
KERB.MYCOMPANY.COM = {
kdc = 9.126.145.237:88
admin_server = ad
default_domain = KERB.MYCOMPANY.COM
}

[domain_realm]
kerb.mycompany.com = KERB.MYCOMPANY.COM
.kerb.mycompany.com = KERB.MYCOMPANY.COM

[appdefaults]
kinit = {
autologin = true
renewable = true
forward = true
encrypt = true
forwardable = true
}
gkadmin = {
help_url = http://docs.sun.com:80/ab2/coll.3