
ENABLING KERBEROS SSO FOR EMC DOCUMENTUM D2 APPLICATIONS IN A DISTRIBUTED WEBLOGIC/WEBSERVER/CONTENT SERVER CLUSTER ENABLED FOR HIGH AVAILABILITY

    ABSTRACT

    This white paper explains the process of enabling Kerberos Single Sign On in a distributed Content Server, WebLogic, and WebServer cluster and in an environment where load balance and high availability are enabled. This abstract appears as the online abstract for EMC.com/Powerlink.

    April 2015

    Copyright 2015 EMC Corporation. All Rights Reserved. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com. Part Number H12274


TABLE OF CONTENTS

EXECUTIVE SUMMARY 3
AUDIENCE 3
TERMINOLOGY 3
PREREQUISITES 3
DEFINING SPN 4
  Active Directory 4
ACTIVE DIRECTORY SETUP 5
  Apache WebServer Load Balancer Configuration 5
WEBLOGIC APPLICATION SERVER CLUSTER CONFIGURATION 8
  Configuring Kerberos SSO in a WebLogic cluster and Apache WebServer load balance environment 8
  Configuring Kerberos SSO on WebLogic application server instance 8
CONTENT SERVER CLUSTER CONFIGURATION 9
  Configuring Kerberos SSO on Content Server Load Balance and Failover Environment 9
  Configuring the Content Server for Single Sign On 9
CLIENT MACHINE SETUP 10
  Client machine setup using IE 10
ENABLING SSO WHEN CO-EXISTENCE OF WDK CLIENTS AND D2 ON THE APPLICATION SERVER CLUSTER 12
CONCLUSION 13
REFERENCES 13


    EXECUTIVE SUMMARY

    Kerberos is a computer network authentication protocol that allows individuals communicating over a non-secure network to prove their identity to one another in a secure manner. It is designed to provide strong authentication for client/server applications using secret-key cryptography. After using Kerberos to prove their identity, the client and server can also encrypt all communications to ensure privacy and data integrity as they go about their business.

In summary, Kerberos is a solution to network security problems. It provides authentication and strong cryptography over the network to secure information systems across the entire enterprise.

    The other most visible benefit of Kerberos for end-users is Single Sign On. The end user can sign on to the computer once and be automatically signed on to all applications on the computer. Kerberos accomplishes single sign on by storing credentials in a secure manner.

    With Documentum D2 adding support for Kerberos on a WebLogic/WebServer/Content Server cluster enabled with load balance and high availability, the end users are automatically logged in to the repository using credentials stored in the Windows private credential area. Unlike other SSO solutions, Kerberos SSO does not present any authentication challenge to the user. The only authentication challenge that the user will encounter is when a user logs in to the desktop using Windows domain credentials.

This document also covers enabling SSO when WDK clients and D2 applications coexist in the same repository.

    AUDIENCE

This white paper is intended for engineers, support professionals, and customers. It provides a basic understanding of enabling Kerberos SSO in distributed cluster and load-balanced environments.

    TERMINOLOGY

    SSO: Single Sign On

    Single sign-on (SSO) is a method of access control that enables a user to log in once and gain access to the resources of multiple software systems without being prompted to log in again.

    KDC: Key Distribution Center

    The KDC is a domain service that uses a directory to hold its account database and global catalog for referral to KDCs in other domains.

    SPN: Service Principal Name

The SPN is the identifier a client uses when requesting access to a service running on an application server.

The service principal name (SPN) is the name by which a client uniquely identifies an instance of a service.

Before a client can use an SPN to authenticate to an instance of a service, the SPN must be registered on the user or computer account under which the service instance logs in. Typically, service principal names are unique identifiers for services in a domain.

PREREQUISITES

This section lists the environment in which the setup was configured and tested. This is one working scenario, not a required operating system configuration.

Active Directory machine: Windows Server 2008 R2, a version that supports the Kerberos v5 authentication protocol. Refer to Microsoft help for setting up Active Directory and the domain for Kerberos. Add the required computers and users to the Active Directory.

Content server machines: Windows Server 2008 R2; requires two virtual machines. Install Documentum 6.7 SP2 or a later version of Content Server after adding each machine to the Kerberos domain.

Application server machines: Windows Server 2008 R2; requires two virtual machines. Install the relevant application server version after adding each machine to the Kerberos domain. The D2 application is deployed on the application server machine.

Apache WebServer machines: Windows Server 2008 R2; requires two virtual machines. Install the relevant Apache WebServer version after adding each machine to the Kerberos domain.

Load Balancer server machine: Windows Server 2008 R2; requires one virtual machine. Install the relevant Apache WebServer and configure it as a load balancer between the two Apache WebServer machines after adding the machine to the Kerberos domain.

Client machine: Windows XP or Windows 7. Install the supported browser (Internet Explorer or Mozilla Firefox) configured to access D2 with Kerberos SSO support.

Note: Kerberos SSO must also work for D2-based applications deployed on a WebLogic/WebServer load balancer in Linux and UNIX environments. The procedure for enabling Kerberos SSO is the same.

    DEFINING SPN

    Active Directory

An SPN (Service Principal Name) is a unique name that identifies an instance of a service and is associated with the logon account under which the service instance runs. Windows 2003/2008 account names are not multipart the way Kerberos principal names are. Therefore, it is not possible to directly create an account with the name HTTP/hostname.dns.com.

Such a principal instance is created using service principal name mappings. In this case, an account is created with a meaningful name, such as the hostname, and a service principal name mapping for HTTP/hostname.dns.com is added to that account.

D2 uses the browser's SPNEGO support to implement Kerberos SSO. In this case, the browser requests a service ticket from the KDC for the WebServer Load Balancer server. The browser builds the Service Principal Name (SPN) in the following format: HTTP/<fully qualified hostname from the URL>@REALM. For example, if the load balancer hostname is cs5-lb.ssotest.loc and the realm is SSOTEST.LOC, the SPN the browser frames is HTTP/cs5-lb.ssotest.loc@SSOTEST.LOC
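A small check, added here as an example and not part of the white paper, for the SPN the browser frames from the URL the user types: given the D2 URL, the realm, and the SPNs currently mapped on the service account (all hostnames and SPNs below are constructed), it reports which SPN still has to be mapped. In a load-balanced deployment the load balancer name, not a back-end web or application server name, is the one that must be registered.

```python
"""Added example (not from the EMC white paper): derive the SPN a SPNEGO
browser requests for a D2 URL and compare it with the SPNs mapped in AD.
All hostnames, the realm and the registered SPNs are constructed samples."""
from typing import List, Optional
from urllib.parse import urlsplit


def browser_spn(url: str, realm: str) -> str:
    """Return the SPN the browser frames for `url`: HTTP/<host>@<REALM>.

    The browser uses the host part of the URL the user typed (the load
    balancer, not a back-end server) and ignores any port in the URL.
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in URL: {url!r}")
    return f"HTTP/{host.lower()}@{realm.upper()}"


def _normalize(spn: str, realm: str) -> str:
    """Canonical form for comparison: service class upper-cased, host
    lower-cased, realm appended when the registered SPN lacks one."""
    service_host, _, spn_realm = spn.partition("@")
    service, _, host = service_host.partition("/")
    return f"{service.upper()}/{host.lower()}@{(spn_realm or realm).upper()}"


def missing_spn(url: str, realm: str, registered: List[str]) -> Optional[str]:
    """Return the SPN that still has to be mapped onto the service account,
    or None when it is already present.

    `registered` is the list of SPNs on the account as `setspn -L <account>`
    lists them (normally without a realm suffix).
    """
    wanted = browser_spn(url, realm)
    have = {_normalize(s, realm) for s in registered}
    return None if _normalize(wanted, realm) in have else wanted


if __name__ == "__main__":
    # Constructed sample: SPNs were mapped only for the back-end application
    # servers, so the SPN for the load balancer name is still missing.
    registered = ["HTTP/appserver1.ssotest.loc", "HTTP/appserver2.ssotest.loc"]
    print(missing_spn("http://cs5-lb.ssotest.loc/D2", "SSOTEST.LOC", registered))
```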

Figure: Kerberos SSO topology. End-user -> Load Balancer -> WebServer1 / WebServer2 -> AppServer1 / AppServer2 -> CS1 / CS2.
