
IBM

Configuring Kerberos based SSO in Solaris and Weblogic Application server Environment

Kerberos configuration

Saravana Kumar KKB & Arvind Kumar P

[Abstract: Many products today support single sign-on (SSO). Kerberos is the most widely recommended way to provide efficient and secure authentication for network access across the enterprise. This article describes how to configure SSO with Kerberos between an Oracle Solaris host running Oracle WebLogic Server and a Microsoft Active Directory domain.]

About the authors: Saravana is working as a Staff Software Engineer (QA) for the IBM Policy N team under ECM. You can contact him with your queries at [email protected]. Arvind is working as an Advisory Software Engineer (QA) for the Atlas team under ECM. Reach out to him at [email protected]


1 Introduction: Single sign-on (SSO) allows users to authenticate once (here, at Windows domain logon) and then access other applications without being prompted for credentials again. The applications still authenticate the user; they do it by validating a Kerberos ticket instead of asking for a password.

1.1 Why Kerberos?

Kerberos is a technology that allows for strong authentication in open and distributed networks. It is a credible security solution for four main reasons:

1. Kerberos is mature. It has been widely used and widely studied for a long time. In security that counts for a great deal.

2. Kerberos meets the requirements of modern distributed systems. It was developed in response to a well-defined and clearly thought through set of requirements for secure authentication in an open environment with insecure communications links; it has turned out that those requirements closely match the requirements of modern distributed systems operating over networks based on Internet Protocols.

3. Kerberos is architecturally sound. It is designed around a clear set of architectural and functional abstractions; that architectural soundness has allowed it to evolve over time, and makes it easy to integrate into other systems. This same architectural soundness makes it easy to analyze how Kerberos will behave.

4. Kerberos is already in place. Kerberos is already integrated into most popular operating systems and many widely-used software applications. It is an integral part of today's IT infrastructure.

2 Machine configuration:

2.1 What is KDC?

The Kerberos Key Distribution Center (KDC) is the network service that authenticates principals and issues tickets: a ticket-granting ticket (TGT) at logon, and service tickets with matching session keys whenever a client wants to talk to a service. In an Active Directory environment the KDC is part of Active Directory Domain Services (AD DS) and runs on every domain controller, so the domain controller (Machine A below) is the KDC for this scenario.

2.2 What is SPNEGO?

Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) is a standard protocol used to negotiate which authentication mechanism a client and a server will use when the client wants to authenticate to a remote server. SPNEGO was first specified in IETF RFC 2478, which has since been replaced by RFC 4178. In web SSO it is carried in the HTTP Negotiate authentication scheme (RFC 4559): the browser wraps a Kerberos ticket in a SPNEGO token and the server, here Oracle WebLogic Server, uses it to authenticate access to a protected resource identified in the HTTP request. Microsoft uses the same mechanism for its browser-based SSO. A Windows client that cannot obtain a Kerberos ticket negotiates NTLM instead, which is the usual symptom of a missing or wrong service principal name (SPN).


Figure 1: Machine configuration for Kerberos authentication. The figure shows three machines and the numbered message flow (1 to 8) described below:

Machine A (ad.kerb.mycompany.com): Windows 2008/2012 domain controller, acting as the KDC

Machine B (weblogic.kerb.mycompany.com): Solaris 10 host running the WebLogic Application server

Machine C (client.kerb.mycompany.com): Windows 8/7/Vista client workstation running the browser

1. When the logged-on user (Machine C) requests a resource from Oracle WebLogic Server (Machine B), the browser sends the initial HTTP GET.

2. Oracle WebLogic Server (Machine B), running the SPNEGO token handler (the Negotiate Identity Asserter), requires authentication and answers with an HTTP 401 Unauthorized response carrying the header WWW-Authenticate: Negotiate.

3. The browser on Machine C derives the service principal name from the host name in the URL (HTTP/weblogic.kerb.mycompany.com) and, using the TGT it obtained at domain logon, requests a service ticket for that SPN from the TGS/KDC (Machine A). This is why the URL host name, the SPN registered with ktpass and the principal in the keytab must all agree.



4. The TGS/KDC (Machine A) returns the service ticket, provided the client's TGT is valid and the SPN is registered to exactly one account. The client's Kerberos library builds an AP-REQ from the ticket and wraps it in a SPNEGO token. If the SPN cannot be found, Windows falls back to NTLM at this point and SSO against WebLogic fails.

5. The client re-sends the HTTP GET request with the SPNEGO token in an Authorization: Negotiate base64(token) header.

6. SPNEGO web authentication in WebLogic Server sees the HTTP header with the SPNEGO token. Using the GSS-API and the key from the keytab configured in krb5Login.conf, it validates the token and obtains the identity (principal) of the user.

7. After WebLogic has the asserted user name, the configured authentication provider (the Active Directory authenticator, over LDAP) looks the user up in Active Directory and retrieves group memberships. With the identity established, WebLogic runs the requested Java code (servlets, JSPs, EJBs, and so on) and checks authorization.

8. Oracle WebLogic Server's SPNEGO token handler has accepted the token through the GSS-API, and the server responds with the requested URL (or 403 if the user is authenticated but not authorized).

3 Scenario Overview: This scenario contains 2 major parts:

1. Adding the Solaris machine to the domain controller

2. Configuring Oracle WebLogic Server for Kerberos

This scenario requires the following prerequisites:

A functioning Microsoft Windows 2008 Active Directory domain, including:

A domain controller

A client workstation

Users must be able to log in to the domain.

A working domain controller and at least one client computer in that domain are required. Test SSO from a domain-joined workstation; using SPNEGO from a browser on the domain controller itself does not work. For more information, you can find the tutorial "How do I install Active Directory on the Windows Server 2008 server" at:

http://www.petri.co.il/installing-active-directory-windows-server-2008.htm

A functioning WebLogic server with a domain created

Name resolution: Machines A, B and C must resolve each other's fully qualified host names (see section 4.4), because the browser builds the SPN from the host name in the URL and the KDC looks that SPN up.

4 Steps:

4.1 Machine: KDC - scenario name: Machine A

1. Create a user in Active Directory

E.g.: solaris229

This is the service account that will hold the HTTP/ SPN for the WebLogic host. Select only "Password never expires" and "User cannot change password"; leave every other account option unselected. Do not reuse an account that already has SPNs, and do not use a personal or administrative account, because the keytab generated in the next step is equivalent to that account's password.


2. Generate the keytab file

C:\Users\Administrator> ktpass -princ HTTP/[email protected] -mapuser solaris229 -pass Admin123 -out C:\solaris\krb5.keytab -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL

The -princ value must be HTTP/<fully qualified host name the browser will use>@<REALM>, with the realm in upper case; for this scenario the host is the WebLogic machine, weblogic.kerb.mycompany.com. The -mapuser option registers that SPN on the solaris229 account (servicePrincipalName and userPrincipalName).

The -pass option resets the account's password to the value given, so that the key written to the keytab matches the key stored in AD. Use -pass * to be prompted instead of placing the password on the command line, and note that changing the account's password later (or re-running ktpass) increments the key version number (kvno) and invalidates the keytab.

-crypto RC4-HMAC-NT writes an RC4 (arcfour-hmac) key, which is deprecated. On a Windows 2008 or later domain prefer -crypto AES256-SHA1 (the account must be allowed AES: "This account supports Kerberos AES 256 bit encryption" in its account options) and list aes256-cts-hmac-sha1-96 first in the enctype lines of krb5.conf in section 4.2.1. Whichever type is chosen, it must appear in both the keytab and krb5.conf.

Verify the registration on the domain controller with setspn -L solaris229, and check that no other account carries the same SPN with setspn -Q HTTP/weblogic.kerb.mycompany.com. A duplicate SPN makes the KDC refuse the ticket request, and the browser then silently falls back to NTLM.

Transfer the keytab file to the WebLogic machine over a protected channel such as scp (it is a long-term key, not a configuration file) into the domain bin directory of WebLogic, owned by the user that runs WebLogic and with mode 600.
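Before the keytab is copied it is worth inspecting it. The following Python script is an added example (not from the article and not an IBM, Oracle or Microsoft tool) that builds a keytab in the same binary layout ktpass writes, parses it back, and reports the things that most often break SSO: a missing HTTP/ principal for the host name the browser uses, a lower-case realm, a deprecated enctype, and file permissions that expose the key. The SPN it assumes, HTTP/weblogic.kerb.mycompany.com@KERB.MYCOMPANY.COM, follows the host name in Figure 1; the key bytes in the sample are filler. Point check_keytab_file at the real krb5.keytab to run the same checks on it.

```python
"""Inspect a keytab before handing it to WebLogic (added example, not from the
article). The sample keytab is constructed by build_keytab; its key bytes are
filler, not real keys."""
import os
import stat
import struct

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}
DEPRECATED_ENCTYPES = {1, 3, 16, 23}   # DES, 3DES and RC4 (RFC 6649, RFC 8429)
FIXED_TIMESTAMP = 1400000000           # constant so the sample bytes are reproducible


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples as a version 0x0502
    keytab, the layout ktpass writes and kinit -k -t reads."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">II", 1, FIXED_TIMESTAMP)   # name_type KRB5_NT_PRINCIPAL, timestamp
        body += struct.pack(">B", kvno & 0xFF)            # 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                   # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return one dict per entry: principal, kvno, enctype, key_len."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                          # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        realm = data[pos + 4:pos + 4 + rlen].decode()
        pos += 4 + rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            comps.append(data[pos + 2:pos + 2 + clen].decode())
            pos += 2 + clen
        _name_type, _stamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        key = data[pos + 4:pos + 4 + klen]
        pos += 4 + klen
        kvno = vno8
        if end - pos >= 4:                    # 32-bit vno present
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "key_len": len(key)})
    return entries


def check_keytab(data, expected_spn):
    """Findings for the HTTP/ principal WebLogic will authenticate as."""
    findings = []
    entries = parse_keytab(data)
    matching = [e for e in entries if e["principal"] == expected_spn]
    if not matching:
        have = sorted({e["principal"] for e in entries})
        findings.append(f"MISSING: no key for {expected_spn}; keytab has {have}")
    realm = expected_spn.rsplit("@", 1)[1]
    if realm != realm.upper():
        findings.append(f"REALM: {realm} is not upper-case (realm names are case-sensitive)")
    for e in matching:
        if e["enctype"] in DEPRECATED_ENCTYPES:
            findings.append(f"WEAK: kvno {e['kvno']} uses {ENCTYPE_NAMES.get(e['enctype'], e['enctype'])}; "
                            "regenerate with ktpass -crypto AES256-SHA1 and put "
                            "aes256-cts-hmac-sha1-96 in the krb5.conf enctype lists")
    return findings


def permission_findings(mode):
    """Findings for a keytab's st_mode; the file is a password-equivalent secret."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"PERMS: mode {stat.S_IMODE(mode):04o} is group/world accessible; chmod 600 it"]
    return []


def check_keytab_file(path, expected_spn):
    """Run both checks on a keytab on disk (for example the copied krb5.keytab)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return permission_findings(os.stat(path).st_mode) + check_keytab(data, expected_spn)


# Assumed SPN for the WebLogic host named in Figure 1.
SPN = "HTTP/weblogic.kerb.mycompany.com@KERB.MYCOMPANY.COM"
# Constructed keytabs: what ktpass -crypto RC4-HMAC-NT and -crypto AES256-SHA1 would produce.
SAMPLE_RC4_KEYTAB = build_keytab([(SPN, 3, 23, b"\x11" * 16)])
SAMPLE_AES_KEYTAB = build_keytab([(SPN, 3, 18, b"\x22" * 32)])

if __name__ == "__main__":
    for label, kt in (("rc4", SAMPLE_RC4_KEYTAB), ("aes", SAMPLE_AES_KEYTAB)):
        print(label, parse_keytab(kt), check_keytab(kt, SPN) or "OK")
```

The principal string the parser prints is exactly what belongs in the principal= field of krb5Login.conf; a mismatch of a single character there (host name, realm case) is enough for the Krb5LoginModule to fail to find the key.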

4.2 Machine: Weblogic - scenario machine name: Machine B

4.2.1 Steps to configure system files:

1. Edit resolv.conf and add the domain controller as the name server, so that the Solaris host resolves Active Directory host names (and the SRV records the domain join needs) through the domain's DNS.

Path : /etc/resolv.conf

---------------------

domain kerb.mycompany.com

nameserver <Domain controller IP>

search kerb.mycompany.com

(The resolv.conf keyword is domain, not domainname. domain and search are alternatives; when both are present the last one in the file wins.)

2. Edit the hosts file and add the domain controller and client entries, so that these names resolve even when DNS is unavailable.

Path : /etc/hosts

---------------

<IP Address> windowsvista.kerb.mycompany.com windowsvista

<IP Address> ad.kerb.mycompany.com ad

3. Edit the krb5.conf file in the /etc/krb5 directory as shown below. Copy (do not move) the finished file to the WebLogic domain bin directory, or point the java.security.krb5.conf property in step 8 at /etc/krb5/krb5.conf, so that the Solaris Kerberos tools (kinit, klist) and the JVM read the same settings.

Path: /etc/krb5/krb5.conf

---------------

[libdefaults]

default_realm = KERB.MYCOMPANY.COM

default_tkt_enctypes = rc4-hmac arcfour-hmac-md5

default_tgs_enctypes = rc4-hmac arcfour-hmac-md5

ticket_lifetime = 600

[realms]

KERB.MYCOMPANY.COM = {

kdc = 9.126.145.237:88

admin_server = ad

default_domain = KERB.MYCOMPANY.COM

}

[domain_realm]

kerb.mycompany.com = KERB.MYCOMPANY.COM

.kerb.mycompany.com = KERB.MYCOMPANY.COM

[appdefaults]

kinit = {

autologin = true

renewable = true

forward = true

encrypt = true

forwardable = true

}

gkadmin = {

help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195

}

Points to check in this file: the realm name is case-sensitive and must be written identically everywhere (upper case, no embedded spaces); [domain_realm] must map the DNS domain of the WebLogic host (kerb.mycompany.com) to the realm, which is how the Java GSS layer finds the realm for HTTP/weblogic.kerb.mycompany.com; the enctype lists must contain the type used when the keytab was generated (rc4-hmac here; add aes256-cts-hmac-sha1-96 if the keytab was created with -crypto AES256-SHA1); and the kdc entry is better given as a host name (ad.kerb.mycompany.com:88) than as an IP address.

The kdc.conf below is read only by a KDC (krb5kdc) and kadmind running on the Solaris host itself. In this scenario the domain controller is the KDC, so this file has no effect on WebLogic or on kinit and can be left at its defaults; it is shown as it was set in the original environment.

Path: /etc/krb5/kdc.conf

-----------

[kdcdefaults]

kdc_ports = 88

[realms]

KERB.MYCOMPANY.COM = {

profile = /etc/krb5/krb5.conf

database_name = /var/krb5/principal

admin_keytab = /etc/krb5/krb5.keytab

acl_file = /etc/krb5/kadm5.acl

kadmind_port = 749

max_life = 8h 0m 0s

max_renewable_life = 7d 0h 0m 0s

default_principal_flags = +preauth

}
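A krb5.conf that is internally inconsistent fails in ways that only show up as a vague GSS error in the WebLogic log. The following Python script is an added example, not part of the article, that lints the file for the mistakes that matter here: the default realm not matching a [realms] entry, a realm name containing a space or lower-case letters, a [domain_realm] entry pointing at an undefined realm, the WebLogic host having no realm mapping, and enctype lists without an AES type. ARTICLE_CONF reproduces the krb5.conf as originally printed in the article (with kerb.atlas.com in [domain_realm] and a space in the realm name); FIXED_CONF is a corrected version. The host name it checks, weblogic.kerb.mycompany.com, is taken from Figure 1.

```python
"""Lint krb5.conf for the inconsistencies that make SPNEGO fail (added example,
not from the article). ARTICLE_CONF copies the file as originally printed in
the article; FIXED_CONF is a corrected version."""

STRONG_ENCTYPES = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
                   "aes256-cts", "aes128-cts",
                   "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128"}

ARTICLE_CONF = """\
[libdefaults]
default_realm = KERB.MYCOMPANY.COM
default_tkt_enctypes = rc4-hmac arcfour-hmac-md5
default_tgs_enctypes = rc4-hmac arcfour-hmac-md5
ticket_lifetime = 600
[realms]
KERB. MYCOMPANY.COM = {
kdc = 9.126.145.237:88
admin_server = ad
default_domain = KERB. MYCOMPANY.COM
}
[domain_realm]
kerb.atlas.com = KERB. MYCOMPANY.COM
.kerb.atlas.com = KERB. MYCOMPANY.COM
"""

FIXED_CONF = """\
[libdefaults]
default_realm = KERB.MYCOMPANY.COM
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
[realms]
KERB.MYCOMPANY.COM = {
kdc = ad.kerb.mycompany.com:88
admin_server = ad.kerb.mycompany.com
}
[domain_realm]
kerb.mycompany.com = KERB.MYCOMPANY.COM
.kerb.mycompany.com = KERB.MYCOMPANY.COM
"""


def parse_krb5_conf(text):
    """Return {section: {key: value or nested dict}} (one level of { } nesting)."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{" and stack:
            stack.append(stack[-1].setdefault(key, {}))
        elif stack:
            stack[-1][key] = value
    return conf


def realm_for_host(conf, host):
    """[domain_realm] lookup: exact host, then each parent domain with a leading dot."""
    mapping = conf.get("domain_realm", {})
    host = host.lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None


def lint_krb5_conf(text, host):
    """Return a list of findings; an empty list means the file is consistent."""
    findings = []
    conf = parse_krb5_conf(text)
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    default_realm = lib.get("default_realm")
    if not default_realm:
        findings.append("libdefaults: default_realm is not set")
    elif default_realm not in realms:
        findings.append(f"libdefaults: default_realm {default_realm} has no [realms] entry "
                        f"(defined: {sorted(realms)})")
    for name, body in realms.items():
        if any(ch.isspace() for ch in name):
            findings.append(f"realms: {name!r} contains whitespace")
        if name != name.upper():
            findings.append(f"realms: {name} is not upper-case; realm names are case-sensitive")
        if not isinstance(body, dict) or "kdc" not in body:
            findings.append(f"realms: {name} has no kdc entry")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"domain_realm: {domain} -> {realm}, but {realm} is not in [realms]")
    if realm_for_host(conf, host) is None:
        findings.append(f"domain_realm: no mapping for {host}; the library falls back to default_realm")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        if key in lib and not (set(lib[key].split()) & STRONG_ENCTYPES):
            findings.append(f"libdefaults: {key} lists only deprecated enctypes ({lib[key]}); "
                            "add aes256-cts-hmac-sha1-96 and regenerate the keytab with a matching -crypto")
    return findings


if __name__ == "__main__":
    for label, text in (("article", ARTICLE_CONF), ("fixed", FIXED_CONF)):
        print(label, lint_krb5_conf(text, "weblogic.kerb.mycompany.com") or "OK")
```

Run lint_krb5_conf on the contents of /etc/krb5/krb5.conf and of the copy in the WebLogic domain bin directory; both should produce an empty list, and the two files should be identical.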

4. Add the lines below to nsswitch.conf so that domain users and groups can be resolved through Samba's winbind (this requires the winbind daemon and its nss module to be installed with Samba).

Path : /etc/nsswitch.conf

----------

passwd: files ldap winbind

group: files ldap winbind


4.2.2 Configuring Samba and joining the domain

5. Edit smb.conf. With security = ADS Samba also needs the realm parameter set to the Kerberos realm (realm = KERB.MYCOMPANY.COM), and it uses the krb5.conf from step 3 to obtain the tickets for the join.

Path: /etc/sfw/smb.conf

---------------

# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH

workgroup = KERB

# server string is the equivalent of the NT Description field

server string = Samba Server

# Security mode. Defines in which mode Samba will operate. Possible

# values are share, user, server, domain and ads. Most people will want

# user level security. See the Samba-HOWTO-Collection for details.

security = ADS

# Use password server option only with security = server

# The argument list may include:

# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]

# or to auto-locate the domain controller/s

# password server = *

password server = ad.KERB.MYCOMPANY.COM

6. Command to join the domain

$ /usr/sfw/bin/net ads join -U 'HTTP/[email protected]'

The account given with -U must be a domain account permitted to join computers to the domain; net prompts for its password. Once the command completes successfully the machine is joined to the domain and its computer account appears in Active Directory Users and Computers. net ads testjoin confirms that the machine account credentials still work.

4.2.3 Creating the krb5Login configuration file

7. Create the krb5Login.conf file. This is a JAAS login configuration: the "accept" entry is what the Negotiate Identity Asserter uses to validate incoming tokens with the key from the keytab, and the "initiate" entry is used if the server itself has to obtain tickets. (Java 6 and later look for com.sun.security.jgss.krb5.initiate first and fall back to the older name used here.) The principal must be written exactly as it appears in the keytab (klist -k -t on the keytab shows it), the keytab path must be absolute, and debug=true should be set back to false once SSO works, since the debug output includes principal names and ticket details.

Path: <Weblogic domain>/bin

=============

com.sun.security.jgss.initiate {

com.sun.security.auth.module.Krb5LoginModule required

principal="<SPN username>" useKeyTab=true

keyTab="<path of the keytab file>" storeKey=true debug=true;

};

com.sun.security.jgss.krb5.accept {

com.sun.security.auth.module.Krb5LoginModule required

principal="<SPN username>" useKeyTab=true

keyTab="<path of the keytab file>" storeKey=true debug=true;

};

4.2.4 Configuring WebLogic server

8. Add the Kerberos system properties to the java command in the WebLogic start script. The original has the properties inserted twice, once in the echo line and once in the actual command, with the two lists not quite identical; collecting them in one variable keeps the logged command equal to the one that runs. The realm must be the same one as in krb5.conf (KERB.MYCOMPANY.COM). java.security.krb5.realm and java.security.krb5.kdc are optional when java.security.krb5.conf is given; if both are set they override the realm and kdc from the file, so keep them consistent. sun.security.krb5.debug and weblogic.Debug.DebugSecurityAtz are diagnostics and should be turned off in production. An alternative that avoids editing startWebLogic.sh is to export the same options in JAVA_OPTIONS from setDomainEnv.sh.

File name: startWebLogic.sh

KRB5_OPTS="-Dsun.security.krb5.debug=true \
 -Djavax.security.auth.useSubjectCredsOnly=false \
 -Dweblogic.security.enableNegotiate=true \
 -Djava.security.auth.login.config=/export/home/oracle/Oracle/Middleware/user_projects/domains/policyatlas/bin/krb5Login.conf \
 -Djava.security.krb5.conf=/export/home/oracle/Oracle/Middleware/user_projects/domains/policyatlas/bin/krb5.conf \
 -Djava.security.krb5.realm=KERB.MYCOMPANY.COM \
 -Djava.security.krb5.kdc=ad \
 -Dweblogic.StdoutSeverityLevel=64 \
 -Dweblogic.Debug.DebugSecurityAtz=true \
 -Dweblogic.Debug.DebugSecurityAtn=false"

if [ "${WLS_REDIRECT_LOG}" = "" ] ; then
    echo "Starting WLS with line:"
    echo "${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} ${KRB5_OPTS} -Dweblogic.Name=${SERVER_NAME} -Djava.security.policy=${WL_HOME}/server/lib/weblogic.policy ${JAVA_OPTIONS} ${PROXY_SETTINGS} ${SERVER_CLASS}"
    ${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} ${KRB5_OPTS} -Dweblogic.Name=${SERVER_NAME} -Djava.security.policy=${WL_HOME}/server/lib/weblogic.policy ${JAVA_OPTIONS} ${PROXY_SETTINGS} ${SERVER_CLASS}

(The remainder of the script, including the else branch that redirects the log, is unchanged.)


9. Add the following providers to the WebLogic security realm (myrealm):

Home > Summary of Security Realms > myrealm > Providers

a) Under Authentication, add a "WebLogic Negotiate Identity Assertion provider" (type NegotiateIdentityAsserter). This is the component that consumes the SPNEGO token from the Authorization header and asserts the user name; it does not look the user up.

b) Add an Active Directory authentication provider (listed as "Provider that performs LDAP authentication") and fill in the Provider Specific tab with the domain controller host and port, a principal and credential allowed to search the directory, and the user and group base DNs of the domain. This provider resolves the asserted user name to an AD user and its groups for authorization. Set the Control Flag of this provider and of the existing Default Authenticator to SUFFICIENT, so that console administrators defined in the embedded LDAP can still log in if Active Directory is unreachable.

Figure 2: Weblogic Security Realm configuration


Save and restart the WebLogic server.

4.3 Machine: client - scenario machine name: Machine C

For single sign-on to occur you need a Microsoft client that is a member of the domain controlled by your realm, a user who has logged on to that domain (so the client already holds a TGT), and a browser configured to trust the Oracle WebLogic Server host for Windows Integrated authentication.

4.3.1 Configuring Internet Explorer Browser

To configure an Internet Explorer browser to use Windows authentication, follow these procedures in Internet Explorer.

Configure Local Intranet Domains

1. In Internet Explorer, select Tools > Internet Options.

2. Select the Security tab.

3. Select Local intranet and click Sites.

4. In the Local intranet popup, ensure that the Include all sites that bypass the proxy server and Include all local (intranet) sites not listed in other zones options are checked.

Figure 3: Local Intranet Dialog Box for Internet Explorer

5. Click Advanced.

6. In the Local intranet (Advanced) dialog box, add the fully qualified host names that will be used for the Oracle WebLogic Server instances participating in the SSO configuration (for example, weblogic.kerb.mycompany.com in this scenario) and click OK. Internet Explorer only sends Negotiate credentials automatically to sites in the Local intranet zone, and the name entered here must be the host name the SPN was registered for.


Figure 4: Advanced Local Intranet Dialog Box for Internet Explorer

Configure Intranet Authentication

1. Select Tools > Internet Options.

2. Select the Security tab.

3. Select Local intranet and click Custom Level....

4. In the Security Settings dialog box, scroll to the User Authentication section.

5. Select Automatic logon only in Intranet zone. This option prevents users from having to re-enter logon credentials, which is a key piece of this solution.

6. Click OK.


Figure 5: Configure Intranet Authentication

Verify Proxy Settings

If you have a proxy server enabled:

1. Select Tools > Internet Options.

2. Select the Connections tab and click LAN Settings.

3. Verify that the proxy server address and port number are correct.

4. Click Advanced.

5. In the Proxy Settings dialog box, ensure that all desired domain names are entered in the Exceptions field. Host names that go through the proxy are not covered by the "sites that bypass the proxy server" rule of the Local intranet zone, so they must either be listed as exceptions here or added explicitly in the Advanced dialog above.

6. Click OK to close the Proxy Settings dialog box.

4.3.2 Configuring Mozilla Firefox Browser

To configure a Firefox browser to use Windows Integrated authentication, complete the following steps:

1. Start Firefox.

2. Enter about:config in the Location Bar.

3. Enter the filter string network.negotiate.

4. Set the preferences as shown in the figure below: network.negotiate-auth.trusted-uris must list the WebLogic host or its domain (for example .kerb.mycompany.com), otherwise Firefox never answers the Negotiate challenge. Leave network.negotiate-auth.allow-non-fqdn at its default and use the fully qualified host name in the URL.


Figure 6: Firefox configuration

4.3.3 Configuring Google Chrome Browser

No special configuration is needed for the Chrome browser on Windows: it takes the list of sites permitted for Integrated Windows Authentication from the Internet Explorer Local intranet zone configured above.

4.4 Other configuration:

1. Ensure that all 3 machines (Machine A, Machine B and Machine C) can ping each other using their host names, both short and fully qualified. If not, add the missing entries to the hosts file of the machine on which resolution fails.

5 Testing the SSO: To verify that SSO is configured properly, point a browser to the web application or web service you want to use. If you are logged on to a Windows domain and have Kerberos credentials acquired from the Active Directory server in the domain, you should be able to access the web application or web service without providing a username or password. On the client, the Windows klist command should then show a ticket for HTTP/weblogic.kerb.mycompany.com; if it does not, the browser never requested a Kerberos ticket and the problem is on the client or SPN side rather than in WebLogic.


6 Troubleshooting commands

Run the command below on the Solaris / WebLogic server machine, as the user that runs WebLogic, to confirm that the SPN can authenticate to the KDC with the key in the keytab. This exercises krb5.conf, name resolution, the keytab and the enctype agreement with Active Directory, but not WebLogic itself.

bash-3.00$ kinit -V -k -t <path of the keytab file> <spn name>

Eg:

bash-3.00$ kinit -V -k -t /export/home/oracle/Oracle/Middleware/user_projects/domains/policyatlas/bin/krb5.keytab HTTP/[email protected]

Result:

Authenticated to Kerberos v5

This message confirms that the SPN user name is able to authenticate with the KDC using the keytab file that was generated. Other useful checks: klist -k -t <path of the keytab file> lists the principals and key version numbers in the keytab, which must match the principal in krb5Login.conf; klist after a successful kinit shows the TGT and its enctype; on the domain controller, setspn -L solaris229 confirms the SPN registration. If kinit reports a preauthentication failure or a key version number error after the AD password was changed or ktpass was re-run, regenerate the keytab and copy it to the server again.