KNIME Server 4.4 Enterprise Setup Guide

KNIME Server 4.4 – Enterprise Setup Guide (last changed 2016-12-05)
© Copyright, KNIME.com AG, Zurich, Switzerland.
TABLE OF CONTENTS

Introduction ... 4
Enterprise User Authentication ... 4
Configuring an LDAP connection for KNIME Server ... 5
  Quickstart ... 5
  Advanced Troubleshooting ... 5
  Setup Apache Directory Studio to browse your LDAP directory ... 7
  Browse LDAP Tree ... 9
  Determine whether users are checked by bind mode, or comparison mode ... 11
  Group access ... 13
  Combined Realm ... 14
  Encrypted LDAP ... 16
  Troubleshooting ... 16
Configuring Single-Sign-On with Kerberos and LDAP ... 17
  Active Directory Configuration ... 17
  Tomee Server Configuration ... 19
  Client Configuration ... 24
  Troubleshooting ... 26
INTRODUCTION

The KNIME Server enterprise setup guide covers advanced topics of a KNIME Server deployment, setup and configuration in an enterprise environment. If you are looking to install the KNIME Server you should first consult the KNIME Server Installation Quickstart Guide. For guides on connecting to the KNIME Server from the KNIME Analytics Platform, or using the KNIME WebPortal, please refer to the KNIME Explorer User Guide and the KNIME WebPortal User Guide. For all regular administration configuration options and a basic understanding of the KNIME Server please consult the KNIME Server Administration Guide. In the following it is assumed that you are familiar with everything covered in the previously mentioned guides.

ENTERPRISE USER AUTHENTICATION

User authentication in an enterprise environment is usually done through some centralized service. The most used service is LDAP. LDAP authentication is the recommended authentication in any case where an LDAP server is available. If you are familiar with your LDAP configuration you can add the details during installation time, or edit the server.xml file post installation. If you are unfamiliar with your LDAP settings, you may need to contact your LDAP administrator, or use the configuration details for any other Tomcat based system in your organization. This document contains a quickstart guide for setting up LDAP.

Another possibility of user authentication is single-sign-on. KNIME Server can be configured to support Kerberos authentication in combination with LDAP. This document also contains a guide for a simple Kerberos setup.
CONFIGURING AN LDAP CONNECTION FOR KNIME SERVER

KNIME Server manages all user authentication by the built-in mechanisms of Apache Tomcat. Therefore the most comprehensive documentation for configuring authentication can be found here: https://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html

Specifically for information about LDAP (also Active Directory) configuration, see here: https://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JNDIRealm

Terminology. Throughout this document we refer to establishing an LDAP connection, LDAP account etc. Since one of the popular ways to manage user authentication is Microsoft Active Directory, and this supports LDAP, you may want to substitute "LDAP account" with "Active Directory account".

QUICKSTART

In most cases it should be possible to contact your local LDAP/Active Directory administrator; they should be able to provide the necessary information. You can ask for the following:

1) Do they already have configuration details for a Tomcat server? If so, this connection information can be reused.
2) LDAP connection information (hostname, port, is TLS/SSL used?).
3) Whether they are using bind mode, or comparison mode.
4) How the group information is stored.

They will need to provide configuration that can fit into a template like this:

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldap://localhost:389"
           userPattern="uid={0},ou=people,dc=mycompany,dc=com"
           roleBase="ou=groups,dc=mycompany,dc=com"
           roleName="cn"
           roleSearch="(uniqueMember={0})" />

This information is added to the server.xml file which is found in <apache-tomee>/conf/server.xml. A restart of the Apache TomEE process and KNIME Server is required for the changes to the configuration file to take effect.

ADVANCED TROUBLESHOOTING

The remaining sections of this documentation are a guide on how to set up an LDAP connection for KNIME Server. This is only intended as a way to gather related information into one place. This guide is not as comprehensive as the documentation for either LDAP or Tomcat.

The first prerequisite is Apache Directory Studio, or some other LDAP configuration tool. We use Apache Directory Studio to do the testing (https://directory.apache.org/studio/). The benefit of using this tool is that it is open source, free to download and works on Windows/Linux/Mac, so a customer can download the software and do queries to get started.
We will follow three basic steps:

1) LDAP connection information (hostname, port, SSL?).
2) Whether they are using bind mode, or comparison mode.
3) How the group information is stored.

LDAP connection information (hostname, port, SSL):

To establish a connection to an LDAP server you'll need to know:

- The LDAP server hostname (or IP).
- Whether the server uses SSL secured connections or not.
- Which port is being used. Default ports are 389 for ldap (unencrypted, or encrypted by TLS) and 636 for ldaps (SSL secured).
SETUP APACHE DIRECTORY STUDIO TO BROWSE YOUR LDAP DIRECTORY

SETUP CONNECTION TO SERVER

ADD IN THE CONNECTION DETAILS OF YOUR LDAP SERVER
SETUP CONNECTION TO LDAP SERVER

Note that we don't use authentication here. Typically, you will need to authenticate, and in most cases this can be your LDAP username and password.

SETUP CONNECTION

You can click "Fetch Base DNs" to auto-populate the answers. In our example the Base DN is dc=example,dc=com. This will vary; for example knime.com might use the Base DN dc=knime,dc=com.
FINALIZE CONNECTION

You can leave the next page as is, and click Finish.

BROWSE LDAP TREE

The LDAP Browser is now populated, and you can begin browsing the LDAP directory.
DETERMINE INFORMATION REQUIRED FOR KNIME/TOMCAT LDAP CONFIGURATION

First refer to the Tomcat documentation on LDAP (http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html/#JNDIRealm). The documentation is very comprehensive; I distilled some of the key points below. For full details refer to the Tomcat documentation. Basically we need to construct something that looks like:

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldap://52.50.222.127:389"
           userPattern=TO BE DETERMINED
           roleBase=TO BE DETERMINED
           roleName=TO BE DETERMINED
           roleSearch=TO BE DETERMINED />

We already know the connectionURL, since this was required to set up Apache Directory Studio. Next we need to determine the userBase property. The first item in the tree is usually the Base DN, which will define the userBase property.

You can browse the tree to find the users. In our case ou=People. Expanding the subtree shows the list of users. In our case there are four users (ec2-user, ldapuser1, ldapuser2, ldapuser3).
DETERMINE WHETHER USERS ARE CHECKED BY BIND MODE, OR COMPARISON MODE

BIND MODE

In our case users log in as e.g. ldapuser1 (the username is the same as the key). We already know the base DN, and looking at the user information we see that the uid is the username that we want to use to authenticate. So we can construct the userPattern.

Use the userPattern: uid={0},ou=people,dc=example,dc=com. So the example would look like:

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldap://52.50.222.127:389"
           userPattern="uid={0},ou=people,dc=example,dc=com"
           roleBase=TO BE DETERMINED
           roleName=TO BE DETERMINED
           roleSearch=TO BE DETERMINED />

Note that we still don't know how to specify roleBase, roleName and roleSearch. We'll come back to that later.
COMPARISON MODE

In this case there is no one-to-one mapping between the login name and the username; we want to use e.g. the email address attribute instead. In this example that is '[email protected]'.

To perform this kind of login, we need comparison mode. Here the base DN is needed for userBase, and we also need to define userSearch. Here we are searching for mail.

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionName="cn=Manager,dc=example,dc=com"
           connectionPassword="secret"
           connectionURL="ldap://52.50.222.127:389"
           userBase="ou=people,dc=example,dc=com"
           userSearch="(mail={0})"
           userRoleName="memberOf"
           roleBase=TO BE DETERMINED
           roleName=TO BE DETERMINED
           roleSearch=TO BE DETERMINED />
GROUP ACCESS

Now that users are authenticated, we need to configure the groups that have access. For that we will need the roleBase and the roleName parameters. You can browse the ou=Group tree for more information. Here let's take the example that the hrpeople group should be able to access the KNIME Server.

In the example, the attribute that we want to search for is 'member'.
Which leads to the configuration:

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldap://52.50.222.127:389"
           userBase="ou=people,dc=example,dc=com"
           userSearch="(mail={0})"
           userRoleName="memberOf"
           roleBase="ou=Group,dc=example,dc=com"
           roleName="cn"
           roleSearch="(member={0})" />

There is a second possibility where group membership is stored in the user data (this is uncommon, and not covered in this guide; see the full Tomcat documentation). Nested roles (where a role/group can contain other roles/groups) are also possible, in which case add the roleNested parameter. E.g. group 'IT' contains some usernames, plus the 'Windows', 'UNIX' and 'Mac' groups. Those groups may also contain sub-groups.

Hopefully you now have the details that you need to connect KNIME Server to LDAP.

ACTIVE DIRECTORY EXAMPLE

If you are using Active Directory as your user database and stuck to the default structure, the following configuration serves as a good starting point:

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionName="cn=Manager,dc=example,dc=com"
           connectionPassword="secret"
           connectionURL="ldap://52.50.222.127:389"
           userSubtree="true"
           userBase="cn=Users,dc=domain,dc=com"
           userSearch="(sAMAccountName={0})"
           userRoleName="memberOf"
           roleBase="cn=Users,dc=domain,dc=com"
           roleName="cn"
           roleSearch="(member={0})"
           roleSubtree="true"
           roleNested="true"/>

You have to adjust the three connection parameters (connectionName, connectionPassword and connectionURL), as well as the two dc values in the userBase and roleBase. The other parameters can usually be used as they are.
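As an added illustration of the bind mode and comparison mode sections above (example code written for this guide, not KNIME or Tomcat code), the script below reads a JNDIRealm fragment, works out which mode it uses and what DN or search filter is built for a given login name, and lists the points this guide tells you to watch (a connectionPassword on a plain ldap:// URL, userPattern in a realm meant for Kerberos). The Realm fragments are assembled from the values in this guide; the escaping functions apply RFC 4514 / RFC 4515 encoding to the login name, and the login names used in the checks are constructed.

```python
"""Work out what a Tomcat JNDIRealm will do with a login name.

Added example for this guide, not KNIME or Tomcat code. The Realm fragments
are assembled from the guide's values; the login names are constructed.
"""
import re
import xml.etree.ElementTree as ET

BIND_MODE_REALM = """<Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionURL="ldap://52.50.222.127:389"
    userPattern="uid={0},ou=people,dc=example,dc=com"
    roleBase="ou=Group,dc=example,dc=com" roleName="cn"
    roleSearch="(member={0})" />"""

COMPARISON_MODE_REALM = """<Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionName="cn=Manager,dc=example,dc=com" connectionPassword="secret"
    connectionURL="ldap://52.50.222.127:389"
    userBase="ou=people,dc=example,dc=com" userSearch="(mail={0})"
    userRoleName="memberOf" roleBase="ou=Group,dc=example,dc=com"
    roleName="cn" roleSearch="(member={0})" />"""

# RFC 4515: characters that are special inside a search filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Encode a login name so it is one literal value inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Encode a login name so it is one attribute value inside a DN (RFC 4514)."""
    out = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def describe_realm(realm_xml: str, login: str, for_kerberos: bool = False) -> dict:
    """Return the realm's mode, the DN or filter built for `login`, and warnings."""
    attrs = ET.fromstring(realm_xml).attrib
    warnings = []
    if "userPattern" in attrs:
        mode = "bind"  # Tomcat builds the DN and binds with the user's password
        target = attrs["userPattern"].replace("{0}", escape_dn_value(login))
        if for_kerberos:
            warnings.append("userPattern is not supported with Kerberos; "
                            "use userBase and userSearch instead")
    elif "userSearch" in attrs:
        mode = "comparison"  # Tomcat searches userBase with the filter first
        target = attrs["userSearch"].replace("{0}", escape_filter_value(login))
        if "connectionName" not in attrs and not for_kerberos:
            warnings.append("comparison mode without connectionName: the "
                            "directory must allow anonymous search of userBase")
    else:
        raise ValueError("Realm has neither userPattern nor userSearch")
    if attrs.get("connectionURL", "").startswith("ldap://") and "connectionPassword" in attrs:
        warnings.append("connectionPassword is sent over unencrypted ldap://; "
                        "use ldaps:// or TLS (see Encrypted LDAP)")
    if "roleBase" not in attrs or "roleSearch" not in attrs:
        warnings.append("no roleBase/roleSearch: group access cannot be restricted")
    return {"mode": mode, "target": target, "warnings": warnings}
```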
COMBINED REALM

It is possible to set up a combined realm where both the user database and LDAP authentication are used in parallel. Generally this is not recommended, but can be useful for debugging and initial setup/testing. The example below shows how this might work.

    <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
        <Realm className="org.apache.catalina.realm.JNDIRealm"
               connectionURL="ldap://52.50.222.127:389"
               userBase="ou=people,dc=example,dc=com"
               userSearch="(mail={0})"
               userRoleName="memberOf"
               roleBase="ou=Group,dc=example,dc=com"
               roleName="cn"
               roleSearch="(member={0})"/>
    </Realm>
ENCRYPTED LDAP

In case you are using encrypted LDAP authentication and your LDAP server is using a self-signed certificate, Tomcat will refuse it. In this case you need to add the LDAP server's certificate to the global Java keystore, which is located in <jre directory>/lib/security/cacerts:

    keytool -import -v -noprompt -trustcacerts -file <server certificate> -keystore <jre>/lib/security/cacerts -storepass changeit

Alternatively, you can copy the cacerts file, add your server certificate, and add the following two system properties to <tomee directory>/conf/catalina.properties:

    javax.net.ssl.trustStore=<copied keystore>
    javax.net.ssl.trustStorePassword=changeit

TROUBLESHOOTING

In some cases you will want to extract additional log file information about the LDAP authentication process. In this case you can edit apache-tomee*/conf/logging.properties to add:

    org.apache.catalina.realm.level=ALL
    org.apache.catalina.realm.useParentHandlers=true
    org.apache.catalina.authenticator.level=ALL
    org.apache.catalina.authenticator.useParentHandlers=true

Once you have made the changes you will need to restart the apache-tomee process/service. When you have successfully debugged your problem, don't forget to comment out or remove these lines from the logging.properties file, as they will create unnecessarily large log files.
CONFIGURING SINGLE-SIGN-ON WITH KERBEROS AND LDAP

Single-Sign-On can be configured for the KNIME Server. This includes the WebPortal, but also all other services (REST, SOAP, etc.) the KNIME Server provides. The technology used to achieve this is Kerberos, which is a network protocol used for authentication by means of tickets and strong encryption. In the following it is assumed that you are familiar with the basic concepts of Kerberos and LDAP, as explained in the section before. You can find comprehensive documentation for the latest version of Kerberos here.

This section provides a step-by-step guide for setting up Kerberos authentication by means of an Active Directory service and Windows clients. Other setups are possible and may require different procedures to be functional. Please also note that every system will deviate in certain aspects from this guide, so make adjustments where necessary.

Kerberos requires setup for all three parties involved: the Kerberos and LDAP service (Active Directory), the TomEE server running KNIME Server, and the clients.

ACTIVE DIRECTORY CONFIGURATION

The first step is to set up the Active Directory correctly. It is assumed that you already have an Active Directory domain with users and correct groups for KNIME Server usage set up. Additional steps specific to Kerberos are:

1. Create a technical user for the TomEE server in LDAP.

2. Associate a Service Principal Name (SPN) with the newly created user for the TomEE server. To do so, open a Windows PowerShell and enter:

    setspn -s HTTP/TOMEE_FQDN@REALM TECHNICAL_USER

   In the above command, replace
   • TOMEE_FQDN with the fully qualified domain name (FQDN) of the machine that runs KNIME Server (and thus the TomEE server),
   • REALM with the Kerberos realm of your Active Directory installation,
   • and TECHNICAL_USER with the name of the technical user you have created in the previous step.

   Note: It is important that for the TOMEE_FQDN the DNS (FQDN to IP) as well as reverse DNS (IP to FQDN) entries can be resolved by the domain controller as well as all clients.

3. Make sure that the right encryption methods are active on the domain controller. Go to Administrative Tools -> Local Security Policy. Browse to Security Settings / Local Policies / Security Options. Find the entry "Network security: Configure encryption types allowed for Kerberos".
   If the value is not defined all encryption types are allowed. If it is defined, make sure it contains at least the methods: RC4_HMAC, AES128, AES256 and Future Encryption Types.

4. Open a Windows PowerShell and create a keytab file using the following command. Adjust the values according to your settings:

    ktpass /out PATH/tomcat.keytab /mapuser TECHNICAL_USER@REALM /princ HTTP/TOMEE_FQDN@REALM /pass +rndPass /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL

   The created keytab file needs to be copied to the TomEE server later.

5. Open the "User Properties" in the Active Directory for the technical TomEE user you have created. Go to the "Account" tab. Make sure the following settings are set:

   1. Password never expires = true
   2. User cannot change password = true
   3. This account supports Kerberos AES 128 bit encryption = true
   4. This account supports Kerberos AES 256 bit encryption = true
   5. Use Kerberos DES encryption for this account = should preferably be false

   Then go to the "Delegation" tab and set the radio button to:

   6. Trust this user for delegation to any service (Kerberos only)
TOMEE SERVER CONFIGURATION

1. Install the KNIME Server as outlined in the KNIME Server Installation Quickstart Guide.

2. Make appropriate configuration adjustments as explained in the KNIME Server Administration Guide.

3. Set up LDAP authentication in the server.xml to connect to your Active Directory, as described in the previous section. Note that it might be necessary to create a temporary listing user to perform the LDAP lookups. This step is optional, but recommended to test that the basic LDAP authorization is functional.

4. Verify that the environment variables JAVA_HOME and CATALINA_HOME are properly defined. JAVA_HOME should point to the JDK 8 home directory, containing the bin folder, and CATALINA_HOME should point to the TomEE directory containing its bin folder.
   a. On Windows this can be done in Control Panel -> System -> Advanced system settings
   b. Click on Environment Variables
   c. In the System Variables group check for the existence of JAVA_HOME and CATALINA_HOME. Create or adjust the values accordingly.
   d. On Linux create or change the values in /etc/sysconfig/tomcat

5. Once a working standard LDAP setup has been verified, make a backup of the contents of CATALINA_HOME/conf by copying it to CATALINA_HOME/conf_ldap

6. On Windows use regedit to set the registry key setting: in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters add the key allowtgtsessionkey (REG_DWORD) and set the value to 1.
7. On Windows make sure that the right encryption methods for Kerberos are active. Go to Administrative Tools -> Local Security Policy. Browse to Security Settings / Local Policies / Security Options. Find the entry "Network security: Configure encryption types allowed for Kerberos".

   If the value is not defined all encryption types are allowed. If it is defined, make sure it contains at least the methods: RC4_HMAC, AES128, AES256 and Future Encryption Types.

8. Install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files for JDK 8.
   a. Download the archive from http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
   b. Create a backup of the security policy files in the Java 8 JRE locations (jre/lib/security, and jdk/jre/lib/security)
   c. Extract the archive into your Java 8 JRE locations (jre/lib/security, and jdk/jre/lib/security), replacing the files in those directories.

9. Copy the previously created keytab file for the SPN to a location of your choosing. Recommended would be <CATALINA_HOME>/conf/

10. Create a krb5.ini or krb5.conf file in <CATALINA_HOME>/conf/. The contents of the file should look like:

    [libdefaults]
    default_realm=REALM
    default_keytab_name="CATALINA_BASE/conf/tomcat.keytab"
    default_tkt_enctypes=aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    default_tgs_enctypes=aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    forwardable=true

    [realms]
    REALM={
        kdc=DOMAIN_CONTROLLER_FQDN:88
    }

    [domain_realm]
    yourdomain.com=REALM
    .yourdomain.com=REALM

   Adjust the values according to your configuration. If you want to use a different location or filename for this file you can do so by defining the Java system property -Djava.security.krb5.conf=PATH_TO_KRB_CONF (in CATALINA_HOME/conf/system.properties).
11. Create or edit the file <CATALINA_HOME>/conf/jaas.conf. The contents of the file should look like:

    com.sun.security.jgss.krb5.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        principal="HTTP/TOMEE_FQDN@REALM"
        keyTab="CATALINA_HOME/conf/tomcat.keytab"
        storeKey=true
        useKeyTab=true
        useTicketCache=true
        isInitiator=true
        refreshKrb5Config=true
        moduleBanner=true
        storePass=true;
    };

    com.sun.security.jgss.krb5.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        principal="HTTP/TOMEE_FQDN@REALM"
        keyTab="CATALINA_HOME/conf/tomcat.keytab"
        storeKey=true
        useKeyTab=true
        useTicketCache=true
        isInitiator=true
        refreshKrb5Config=true
        moduleBanner=true
        storePass=true;
    };

   Adjust the values according to your configuration. Note that the location of the keytab file might have to be given as an absolute path. If you want to use a different location or filename for this file you can do so by defining the Java system property -Djava.security.auth.login.conf=PATH_TO_LOGIN_CONF. In Kerberos documentation this file is often referred to as the login.conf.

12. Add the following property to the list of JVM system properties at startup. Usually they can be defined in <CATALINA_HOME>/conf/system.properties:

    -Djavax.security.auth.useSubjectCredsOnly=false

13. Configure the KNIME Server Authenticator valve:
   a. Navigate to <CATALINA_HOME>/conf/Catalina/localhost/
   b. Edit the knime.xml file (the name of the file is equal to the context root that was set in the KNIME Server installer; the default is knime. If the knime.war file was renamed to renamed.war, the xml file will be called renamed.xml)
   c. Find the line

    <Valve className="com.knime.enterprise.tomcat.authenticator.KnimeServerAuthenticator"
           enableSpnego="false"
           basicAuthPaths="/rest,/webservices"
           formAuthPaths="/" />
   d. Change it to

    <Valve className="com.knime.enterprise.tomcat.authenticator.KnimeServerAuthenticator"
           enableSpnego="true"
           basicAuthPaths="/rest,/webservices" />
   e. By default, the REST and SOAP web services are set up to use basic HTTP authentication. If you want to use Single-Sign-On also for the REST and/or SOAP web services, e.g. if you are using a REST client that supports Kerberos, adjust the basicAuthPaths attribute accordingly. It is a comma separated list of paths overwriting the default authentication method. Deleting the attribute enables Kerberos for all services. For example, if REST is supposed to be used with Single-Sign-On the attribute would look like this: basicAuthPaths="/webservices"

14. Modify the server.xml and adjust the JNDIRealm settings to connect to your LDAP. If you have successfully tested the setup in step 3, it is sufficient to remove the connectionName and connectionPassword attributes. Please note that with Kerberos the connectionName and connectionPassword attributes are ignored. Also the use of the userPattern is not supported by Tomcat when using Kerberos. Use userBase in combination with userSearch instead. The realm definition could look like this:

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldap://dc.domain.com:3268"
           userSubtree="true"
           userBase="cn=Users,dc=domain,dc=com"
           userSearch="(sAMAccountName={0})"
           userRoleName="memberOf"
           roleBase="cn=Users,dc=domain,dc=com"
           roleName="cn"
           roleSearch="(member={0})"
           roleSubtree="true"
           roleNested="true"/>

   If you are using Kerberos in a combined realm, make sure the JNDIRealm connecting to your LDAP is first in the list of realms.

15. Restart the KNIME Server for the changes to take effect. Inspect the log files in CATALINA_HOME/logs to make sure that there are no error messages relating to your changes.
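Steps 2 through 14 spread one Kerberos identity over several files (the SPN registered with setspn/ktpass, krb5.conf, jaas.conf), and a mismatch between them is the usual cause of the cryptic errors the troubleshooting section mentions. The script below is an added example written for this guide (not KNIME or TomEE code) that parses the two files and checks them against each other and against the TomEE FQDN; the file bodies are the guide's templates with constructed values (EXAMPLE.COM, knime.example.com, dc01.example.com, /opt/tomee) in place of the placeholders.

```python
"""Cross-check the Kerberos files this guide has you create for TomEE.
Added example, not KNIME or TomEE code. The file bodies are the guide's krb5.conf
and jaas.conf templates with constructed values in place of the placeholders."""
import re

KRB5_CONF = """[libdefaults]
default_realm = EXAMPLE.COM
default_keytab_name = /opt/tomee/conf/tomcat.keytab
default_tkt_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable = true
[realms]
EXAMPLE.COM = {
  kdc = dc01.example.com:88
}
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
"""
JAAS_CONF = """com.sun.security.jgss.krb5.accept {
  com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true
  principal="HTTP/knime.example.com@EXAMPLE.COM" useKeyTab=true storeKey=true
  keyTab="/opt/tomee/conf/tomcat.keytab" useTicketCache=true;
};
com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true
  principal="HTTP/knime.example.com@EXAMPLE.COM" useKeyTab=true storeKey=true
  keyTab="/opt/tomee/conf/tomcat.keytab" useTicketCache=true;
};
"""

def parse_krb5(text: str) -> dict:
    """Minimal krb5.conf reader: [sections], key = value, one level of { } nesting."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, sub = line[1:-1], None
            conf.setdefault(section, {})
        elif line.endswith("{"):            # e.g. "EXAMPLE.COM = {"
            sub = line[:-1].strip(" =")
            conf[section][sub] = {}
        elif line == "}":
            sub = None
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            (conf[section][sub] if sub else conf[section])[key] = val
    return conf

def parse_jaas(text: str) -> dict:
    """Return {entry name: {option: value}} for every `name { ... };` block."""
    entries = {}
    for name, body in re.findall(r"([\w.]+)\s*\{(.*?)\};", text, re.S):
        pairs = re.findall(r'(\w+)=("[^"]*"|[^\s;]+)', body)
        entries[name] = {k: v.strip('"') for k, v in pairs}
    return entries

def check_kerberos_setup(krb5_text: str, jaas_text: str, tomee_fqdn: str) -> list:
    """Return findings; an empty list means the two files agree with each other."""
    krb5, jaas = parse_krb5(krb5_text), parse_jaas(jaas_text)
    lib = krb5.get("libdefaults", {})
    realm = lib.get("default_realm")
    if not realm:
        return ["[libdefaults] has no default_realm"]
    findings = []
    if "kdc" not in krb5.get("realms", {}).get(realm, {}):
        findings.append(f"[realms] has no kdc for {realm}")
    domain = tomee_fqdn.partition(".")[2]
    if krb5.get("domain_realm", {}).get("." + domain) != realm:
        findings.append(f"[domain_realm] does not map .{domain} to {realm}")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        for enc in lib.get(key, "").split(","):
            if enc.strip().startswith("des"):
                findings.append(f"{key} allows weak enctype {enc.strip()}")
    expected = f"HTTP/{tomee_fqdn}@{realm}"  # the SPN registered with setspn/ktpass
    for entry in ("com.sun.security.jgss.krb5.accept",
                  "com.sun.security.jgss.krb5.initiate"):
        opts = jaas.get(entry, {})          # missing entry -> both checks below fail
        if opts.get("principal") != expected:
            findings.append(f"{entry}: principal must be {expected}")
        if opts.get("useKeyTab") != "true" or not opts.get("keyTab", "").startswith("/"):
            findings.append(f"{entry}: needs useKeyTab=true and an absolute keyTab path")
    return findings
```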
CLIENT CONFIGURATION

Client configuration requires only two steps. The client machine needs to be part of the domain, and the end user logged into that domain. All browsers used by the client need to have Kerberos authentication enabled.

ENABLING KERBEROS AUTHENTICATION IN INTERNET EXPLORER

1. Open the "Internet Options" menu and browse to the "Advanced" tab. The setting "Enable Integrated Windows Authentication" needs to be checked.

2. Browse to the "Security" tab, select "Local Intranet" and click on the "Sites" button.

3. Click on "Advanced" and add the URL of the KNIME Server to the list of websites in the zone.

4. Click on "Custom Level" and check that in Local Intranet Security Level -> User Authentication is set to "Automatic logon only in Intranet zone".
5. It might be necessary to also add the KNIME Server to the list of trusted sites. To do so, go to "Trusted Sites" and click on the "Sites" button. Add the URL of the KNIME Server to the list of websites in the zone.

6. Check that the Trusted Sites Security Level -> User Authentication is set to "Automatic logon with current username and password".

ENABLE KERBEROS AUTHENTICATION IN FIREFOX

1. Start Firefox and type about:config in the address bar.

2. Ignore the warning by clicking on the "I'll be careful, I promise!" button.
3. Find the appropriate settings by typing network.negotiate-auth in the search field. Change network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris to contain the URL of the KNIME Server. It might be enough to just enter your domain.

TROUBLESHOOTING

A Kerberos setup is usually very complex and needs precise configuration. Error messages are often cryptic. To debug a Kerberos setup it is very helpful to enable additional logging for the authentication in the TomEE server. To do so you can configure a few things.

1. To enable logging in the Krb5 modules, add or enable the following two lines in both sections of the jaas.conf (or login.conf in <CATALINA_HOME>/conf):

    debug=true
    moduleBanner=true

   Note that the debug output is only printed to the console.

2. To increase the debug output of the Kerberos implementation in Java add the following system property on startup (can be done in the system.properties file in <CATALINA_HOME>/conf):

    -Dsun.security.krb5.debug=true
3. Add debugging for authentication and realm modules by adding the following to the logging.properties file in <CATALINA_HOME>/conf. For clarity all authentication output can be logged into a separate file.

    […]
    4auth.org.apache.juli.FileHandler.level = FINE
    4auth.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
    4auth.org.apache.juli.FileHandler.prefix = auth.
    […]
    org.apache.catalina.realm.level = ALL
    org.apache.catalina.realm.handlers = 4auth.org.apache.juli.FileHandler
    org.apache.catalina.authenticator.level = ALL
    org.apache.catalina.authenticator.handlers = 4auth.org.apache.juli.FileHandler
    com.knime.enterprise.tomcat.handlers = 4auth.org.apache.juli.FileHandler
    com.knime.enterprise.tomcat.level = DEBUG
    org.apache.juli.logging.UserDataHelper.CONFIG = INFO_ALL
    org.apache.coyote.http11.level = DEBUG
    org.apache.coyote.http11.handlers = 4auth.org.apache.juli.FileHandler
KNIME.com AG
Technoparkstrasse 1
8005 Zurich, Switzerland
www.knime.com
info@knime.com

KNIME is a registered trademark of KNIME GmbH, Konstanz, Germany. All other trademarks are the property of their respective owners.