Configuring Kerberos Based SSO in Solaris and Weblogic


  • 7/25/2019 Configuring Kerberos Based SSO in Solaris and Weblogic

    1/14

    IBM

    Configuring Kerberos based SSO in Solaris and Weblogic Application server Environment

    Kerberos configuration

    Saravana Kumar KKB & Arvind Kumar P

    [Abstract: Today many products have support for SSO. Kerberos is the most recommended mechanism for efficient and secure network access across the enterprise. This article provides information about the configuration of single sign-on (SSO) using Kerberos in Oracle Solaris and Oracle WebLogic Server.]

    About the authors: Saravana is working as a Staff Software Engineer (QA) for the IBM Policy N team under ECM. You can contact him with your queries at [email protected]. Arvind is working as an Advisory Software Engineer (QA) for the Atlas team under ECM. Reach out to him at [email protected].

    1 Introduction:

    Single sign-on (SSO) allows users to sign in once to the system and log in to other applications without authenticating again.

    1.1 Why Kerberos?

    Kerberos is a technology that allows for strong authentication in open and distributed networks. It is a credible security solution for four main reasons:

    1. Kerberos is mature. It has been widely used and widely studied for a long time. In security, that counts for a great deal.

    2. Kerberos meets the requirements of modern distributed systems. It was developed in response to a well-defined and clearly thought through set of requirements for secure authentication in an open environment with insecure communication links; it has turned out that those requirements closely match the requirements of modern distributed systems operating over networks based on Internet Protocols.

    3. Kerberos is architecturally sound. It is designed around a clear set of architectural and functional abstractions; that architectural soundness has allowed it to evolve over time, and makes it easy to integrate into other systems. The same architectural soundness makes it easy to analyze how Kerberos will behave.

    4. Kerberos is already in place. Kerberos is already integrated into most popular operating systems and many widely-used software applications. It is an integral part of today's IT infrastructure.

    2 Machine configuration:

    2.1 What is KDC?

    The Kerberos Key Distribution Center (KDC) is a network service that supplies session tickets and temporary session keys to users and computers within an Active Directory domain. The KDC runs on each domain controller as part of Active Directory Domain Services (AD DS).

    2.2 What is SPNEGO?

    Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) is a standard protocol that is used to negotiate the authentication protocol. It is used when a client application wants to authenticate to a remote server. SPNEGO is a standard specification defined in IETF RFC 2478. SPNEGO is used in Web SSO. It is responsible for authenticating access to a secured page, such as a WebSphere Application Server resource that is identified in an HTTP request. Microsoft also uses SPNEGO for its browser-based SSO solutions.


    Figure 1: Machine configuration for Kerberos authentication. Machine A: ad.kerb.mycompany.com (Windows 2008/2012 KDC / Domain controller). Machine B: weblogic.kerb.mycompany.com (Solaris 10, Weblogic Application server). Machine C: client.kerb.mycompany.com (Windows 8/7/Vista client machine with browser). The figure's numbered arrows 1 to 8 correspond to the steps below.

    1. When the logged-on user (Machine C) requests a resource from Oracle WebLogic Server (Machine B), it sends the initial HTTP GET verb.

    2. Oracle WebLogic Server (Machine B), running the SPNEGO Token Handler code, requires authentication and issues a 401 Access Denied, WWW-Authenticate: Negotiate response.

    3. The client (browser on Machine C) then requests the session ticket from the TGS/KDC (Machine A).


    4. The TGS/KDC (Machine A) supplies the client with the necessary Kerberos ticket (assuming the client is authorized) wrapped in a SPNEGO token.

    5. The client re-sends the HTTP GET request plus the Negotiate SPNEGO token in an Authorization: Negotiate base64(token) header.

    6. SPNEGO Web authentication in the Weblogic server sees the HTTP header with the SPNEGO token. SPNEGO validates the SPNEGO token and gets the identity (principal) of the user.

    7. After Weblogic gets the identity of the user, it validates the user in Microsoft Active Directory/KDC. When the identification process is executed, Weblogic executes the related Java code (servlets, JSPs, EJBs, and so on) and checks authorizations.

    8. Oracle WebLogic Server's SPNEGO Token Handler code accepts and processes the token through the GSS API, authenticates the user and responds with the requested URL.
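As an added illustration of steps 5 and 6 (example code, not from the article), the following Python decodes the Authorization: Negotiate header the browser sends and lists the mechanisms offered in the SPNEGO NegTokenInit, which is how the server side learns whether a Kerberos ticket is present or the browser is falling back to NTLM. The token is constructed here for the example, with a placeholder where the Kerberos AP-REQ would sit; the OID-to-name table and function names are the example's own.

```python
import base64

OID_NAMES = {"1.2.840.113554.1.2.2": "Kerberos V5",       # mechanism OIDs seen in SPNEGO tokens
             "1.2.840.48018.1.2.2": "MS Kerberos V5",
             "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

def der_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """OID content octets -> dotted string (base-128 arcs, high bit = continuation)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def parse_negotiate_header(header):
    """Return the mechTypes (by name) of the NegTokenInit carried in a Negotiate header."""
    scheme, _, token_b64 = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    tag, body, _ = der_tlv(base64.b64decode(token_b64))
    if tag != 0x60:                        # GSS-API InitialContextToken is [APPLICATION 0]
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = der_tlv(body)
    if tag != 0x06 or decode_oid(oid) != "1.3.6.1.5.5.2":
        raise ValueError("raw mechanism token, not SPNEGO")   # e.g. a bare Kerberos AP-REQ
    tag, neg_init, _ = der_tlv(body, pos)
    if tag != 0xA0:                        # [0] negTokenInit; [1] would be a negTokenResp
        raise ValueError("expected NegTokenInit")
    _, seq, _ = der_tlv(neg_init)          # NegTokenInit ::= SEQUENCE { [0] mechTypes, ... }
    _, mech_types, _ = der_tlv(seq)
    _, oid_list, _ = der_tlv(mech_types)   # MechTypeList ::= SEQUENCE OF MechType (OID)
    mechs, pos = [], 0
    while pos < len(oid_list):
        _, oid, pos = der_tlv(oid_list, pos)
        mechs.append(OID_NAMES.get(decode_oid(oid), decode_oid(oid)))
    return mechs

def kerberos_preferred(header):
    """True if the client's first (preferred) mechanism is Kerberos; NTLMSSP first means no ticket."""
    return parse_negotiate_header(header)[0] in ("Kerberos V5", "MS Kerberos V5")

# Constructed sample (not a capture): NegTokenInit offering Kerberos, MS Kerberos, NTLMSSP; 4-byte placeholder mechToken.
SAMPLE_TOKEN = bytes.fromhex(
    "603a" "06062b0601050502" "a030" "302e" "a024" "3022" "06092a864886f712010202"
    "06092a864882f712010202" "060a2b06010401823702020a" "a206" "0404deadbeef")
SAMPLE_HEADER = "Negotiate " + base64.b64encode(SAMPLE_TOKEN).decode()
```

A list that starts with NTLMSSP rather than a Kerberos OID is the usual sign that the browser could not obtain a ticket for the HTTP/ service principal, which points back at the SPN, keytab or intranet-zone settings described in this article.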

    3 Scenario Overview:

    This scenario contains 2 major parts:

    1. Adding the Solaris machine to the Domain controller
    2. Configuring Oracle Weblogic server for Kerberos

    This scenario requires the following pre-requisites:

    A functioning Microsoft Windows 2008 Active Directory Domain, including a domain controller and a client workstation.

    Users must be able to log in to the domain. A working domain controller and at least one client computer in that domain is required. Using SPNEGO from the domain controller does not work. For more information, you can find the tutorial How do I install Active Directory on the Windows Server 2008 server at:

    http://www.petri.co.il/installing-active-directory-windows-server-2008.htm

    A functioning Weblogic server with a domain created.

    4 Steps:

    4.1 Machine: KDC - scenario name: Machine A

    1. Create a user in Active Directory, e.g. solaris229. Do not select any option except "Password never expires" and "User cannot change password".


    2. Generate the keytab file:

    C:\Users\Administrator> ktpass -princ HTTP/[email protected] -mapuser solaris229 -pass Admin123 -out C:\solaris\krb5.keytab -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL

    Transfer the keytab file to the Weblogic machine, into the domain bin directory of Weblogic.

    4.2 Machine: Weblogic - scenario machine name: Machine B

    4.2.1 Steps to configure system files:

    1. Edit resolv.conf and add the domain controller specific entries (the nameserver address is not given in the original; fill in your domain controller's IP).

    Path: /etc/resolv.conf
    ---------------------
    domain KERB.MYCOMPANY.COM
    nameserver <domain-controller-ip>
    search kerb.mycompany.com

    2. Edit the hosts file and add the domain controller specific entries (the addresses are not given in the original; fill in your own).

    Path: /etc/hosts
    ---------------
    <ip-address> windowsvista.kerb.mycompany.com windowsvista
    <ip-address> ad.KERB.MYCOMPANY.COM ad

    3. Edit the krb5.conf file and kdc.conf file in the /etc/krb5 directory as mentioned below.

    Path: /etc/krb5/krb5.conf
    Move the krb5.conf file to the Weblogic domain bin directory
    ---------------
    [libdefaults]
    default_realm = KERB.MYCOMPANY.COM
    default_tkt_enctypes = rc4-hmac arcfour-hmac-md5
    default_tgs_enctypes = rc4-hmac arcfour-hmac-md5
    ticket_lifetime = 600

    [realms]
    KERB.MYCOMPANY.COM = {
        kdc = 9.126.145.237:88
        admin_server = ad
        default_domain = KERB.MYCOMPANY.COM


    }

    [domain_realm]
    kerb.atlas.com = KERB.MYCOMPANY.COM
    .kerb.atlas.com = KERB.MYCOMPANY.COM

    [appdefaults]
    kinit = {
        autologin = true
        renewable = true
        forward = true
        encrypt = true
        forwardable = true
    }
    gkadmin = {
        help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
    }

    Path: /etc/krb5/kdc.conf
    -----------
    [kdcdefaults]
    kdc_ports = 88

    [realms]
    KERB.MYCOMPANY.COM = {
        profile = /etc/krb5/krb5.conf
        database_name = /var/krb5/principal
        admin_keytab = /etc/krb5/krb5.keytab
        acl_file = /etc/krb5/kadm5.acl
        kadmind_port = 749
        max_life = 8h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        default_principal_flags = +preauth
    }
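As an added example (not part of the article), a small Python lint that parses the krb5.conf/kdc.conf syntax shown above and flags what a reviewer would raise about this configuration: enctype lists that permit only RC4 or DES (the configuration above pins rc4-hmac), realm names that are not upper-case, and domain_realm mappings to realms without a [realms] entry. The sample configuration is constructed from the krb5.conf above; the function names are the example's own.

```python
WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1"}  # deprecated by RFC 6649 / RFC 8429

def parse_krb5_conf(text):
    """Parse krb5.conf / kdc.conf syntax: [section] headers, key = value lines and
    nested 'name = { ... }' groups. Returns {section: {key: value or nested dict}}."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and indentation
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            conf[line[1:-1]] = section = {}
            stack = [section]
        elif line == "}":
            stack.pop()                            # close the innermost group
        elif line.endswith("{"):
            name = line[:-1].split("=", 1)[0].strip()
            stack[-1][name] = group = {}
            stack.append(group)
        else:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
    return conf

def lint_krb5_conf(conf):
    """Findings a defender would raise: RC4/DES-only enctypes, lower-case or undefined realms."""
    findings = []
    lib = conf.get("libdefaults", {})
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        types = set(lib.get(key, "").lower().split())
        if types and types <= WEAK_ENCTYPES:
            findings.append(f"{key} permits only deprecated enctypes: {' '.join(sorted(types))}")
    realms = conf.get("realms", {})
    for realm in realms:
        if realm != realm.upper():                  # realm names are case-sensitive
            findings.append(f"realm {realm} is not upper-case")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"domain_realm maps {domain} to undefined realm {realm}")
    return findings

# Constructed sample based on the krb5.conf shown above (not copied from a live system).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = KERB.MYCOMPANY.COM
    default_tkt_enctypes = rc4-hmac arcfour-hmac-md5
    default_tgs_enctypes = rc4-hmac arcfour-hmac-md5
[realms]
    KERB.MYCOMPANY.COM = {
        kdc = 9.126.145.237:88
        admin_server = ad
    }
[domain_realm]
    kerb.atlas.com = KERB.MYCOMPANY.COM
"""
```

Run against the sample, the lint reports the two enctype lists; the same keytab generated with ktpass -crypto RC4-HMAC-NT above would need regenerating if stronger enctypes are enabled on both sides.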

    4. Add the below lines in nsswitch.conf

    Path: /etc/nsswitch.conf
    ----------
    passwd: files ldap winbind
    group: files ldap winbind


    4.2.2 Configuring Samba and joining the domain

    5. Edit the smb.conf

    Path: /etc/sfw/smb.conf
    ---------------
    # workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
    workgroup = KERB

    # server string is the equivalent of the NT Description field
    server string = Samba Server

    # Security mode. Defines in which mode Samba will operate. Possible
    # values are share, user, server, domain and ads. Most people will want
    # user level security. See the Samba-HOWTO-Collection for details.
    security = ADS

    # Use password server option only with security = server
    # The argument list may include:
    # password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
    # or to auto-locate the domain controller/s
    # password server = *
    password server = ad.KERB.MYCOMPANY.COM

    6. Command to join the domain

    $ /usr/sfw/bin/net ads join -U 'HTTP/[email protected]'

    Once this command runs successfully the machine will be joined to the domain. You can see the machine in AD Users and Computers.

    4.2.3 Creating krb5Login configuration file

    7. Create the krb5Login.conf file (the placeholders in angle brackets are to be filled in with your service principal and keytab path).
    Path: /bin
    =============
    com.sun.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        principal="<HTTP service principal name>"
        useKeyTab=true
        keyTab="<path of the keytab file>"
        storeKey=true
        debug=true;
    };


    com.sun.security.jgss.krb5.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        principal="<HTTP service principal name>"
        useKeyTab=true
        keyTab="<path of the keytab file>"
        storeKey=true
        debug=true;
    };

    4.2.4 Configuring Weblogic server

    8. Add the below Kerberos and Negotiate system properties to the java invocation in the Weblogic startup script (inside the existing if-block shown).
    File name: startWebLogic.sh

    if [ "${WLS_REDIRECT_LOG}" = "" ] ; then
        echo "Starting WLS with line:"
        echo "${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} -Dsun.security.krb5.debug=true -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Djava.security.auth.login.config=\"/export/home/oracle/Oracle/Middleware/user_projects/domains/policyatlas/bin/krb5Login.conf\" -Djava.security.krb5.conf=\"/export/home/oracle/Oracle/Middleware/user_projects/domains/policyatlas/bin/krb5.conf\" -Djava.security.krb5.realm=KERB.ATLAS.COM -Djava.security.krb5.kdc=ad -Dweblogic.StdoutSeverityLevel=64 -Dweblogic.Debug.DebugSecurityAtz=true -Dweblogic.Debug.DebugSecurityAtn=false -Dweblogic.Name=${SERVER_NAME} -Djava.security.policy=${WL_HOME}/server/lib/weblogic.policy ${JAVA_OPTIONS} ${PROXY_SETTINGS} ${SERVER_CLASS}"
        ${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} -Dsun.security.krb5.debug=true -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Djava.security.auth.login.config="/export/home/oracle/Oracle/Middleware/user_projects/domains/policyatlas/bin/krb5Login.conf" -Djava.security.krb5.conf="/export/home/oracle/Oracle/Middleware/user_projects/domains/policyatlas/bin/krb5.conf" -Djava.security.krb5.realm=KERB.ATLAS.COM -Djava.security.krb5.kdc=ad -Dweblogic.StdoutSeverityLevel=64 -Dweblogic.Debug.DebugSecurityAtz=true -Dweblogic.Debug.DebugSecurityAtn=false -Dweblogic.Name=${SERVER_NAME} -Djava.security.policy=${WL_HOME}/server/lib/weblogic.policy ${JAVA_OPTIONS} ${PROXY_SETTINGS} ${SERVER_CLASS}


    9. Add the following in the providers of myrealm in Weblogic: Home > Summary of Security Realms > myrealm > Providers

    a) Add the WebLogic Negotiate Identity Assertion provider

    b) Add another realm provider that performs LDAP authentication, with the following details in the Provider Specific tab

    Figure 2: Weblogic Security Realm configuration


    Save and restart the Weblogic server.

    4.3 Machine: client - scenario machine name: Machine C

    For Single Sign On to occur you will need an authenticated Microsoft client, belonging to the domain controlled by your realm, and requesting access to the Oracle WebLogic Server service.

    4.3.1 Configuring Internet Explorer Browser

    To configure an Internet Explorer browser to use Windows authentication, follow these procedures in Internet Explorer.

    Configure Local Intranet Domains

    1. In Internet Explorer, select Tools > Internet Options.
    2. Select the Security tab.
    3. Select Local intranet and click Sites.
    4. In the Local intranet popup, ensure that the Include all sites that bypass the proxy server and Include all local (intranet) sites not listed in other zones options are checked.

    Figure 3: Local Intranet Dialog Box for Internet Explorer

    5. Click Advanced.
    6. In the Local intranet (Advanced) dialog box, add all relative domain names that will be used for Oracle WebLogic Server instances participating in the SSO configuration (for example, myhost.example.com) and click OK.


    Figure 4: Advanced Local Intranet Dialog Box for Internet Explorer

    Configure Intranet Authentication

    1. Select Tools > Internet Options.
    2. Select the Security tab.
    3. Select Local intranet and click Custom Level....
    4. In the Security Settings dialog box, scroll to the User Authentication section.
    5. Select Automatic logon only in Intranet zone. This option prevents users from having to re-enter logon credentials, which is a key piece of this solution.
    6. Click OK.


    Figure 5: Configure Intranet Authentication

    Verify Proxy Settings

    If you have a proxy server enabled:

    1. Select Tools > Internet Options.
    2. Select the Connections tab and click LAN Settings.
    3. Verify that the proxy server address and port number are correct.
    4. Click Advanced.
    5. In the Proxy Settings dialog box, ensure that all desired domain names are entered in the Exceptions field.
    6. Click OK to close the Proxy Settings dialog box.

    4.3.2 Configuring Mozilla Firefox Browser

    To configure a Firefox browser to use Windows Integrated authentication, complete the following steps:

    1. Start Firefox.
    2. Enter about:config in the Location Bar.
    3. Enter the filter string network.negotiate.
    4. Set the preferences as shown in the figure below:


    Figure 6: Firefox configuration

    4.3.3 Configuring Google Chrome Browser

    No special configuration is needed for the Chrome browser.

    4.4 Other configuration:

    1. Ensure all 3 machines (Machine A, Machine B and Machine C) are able to ping each other using machine hostnames. If not, the hostnames should be added to the hosts file.

    5 Testing the SSO

    To verify that SSO is configured properly, point a browser to the Web application or Web service you want to use. If you are logged on to a Windows domain and have Kerberos credentials acquired from the Active Directory server in the domain, you should be able to access the Web application or Web service without providing a username or password.


    6 Troubleshooting commands

    Run the below command on the Solaris / Weblogic server machine:

    bash-3.00$ kinit -V -k -t <keytab file> <principal>

    Eg: kinit -V -k -t /export/home/oracle/Oracle/Middleware/user_projects/domains/policyatlas/bin/krb5.keytab HTTP/[email protected]

    This should result in the following message, confirming that the SSO username is able to authenticate with the KDC using the keytab file that was generated.

    Result: Authenticated to Kerberos v5