Enable Kerberos With Workspace 11.1.1.3

Enable Kerberos (SSO) with Workspace 11.1.1.3 on WebLogic 9.
2 MP3 & Apache HTTP Server
Celvin Kattookaran
Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server
Table of Contents
Purpose................................................................................................................................3 Prerequisites.......................................................................................................................4 Join the Kerberos realm...................................................................................................7 Configuring the Active Directory Machine for Kerberos..............................................8 Create SSO Group in Active Directory...........................................................................8 Create SSO Group in Active Directory.........................................................................10 Creating Active Directory user which will be used as Kerberos Service Principal.......14 Mapping Local User to SPN..........................................................................................17 Creating krb5.ini............................................................................................................17 Add Weblogic Admin Server as a Windows Service....................................................19 Configuring the WebLogic Machine for Kerberos.......................................................20 Create Service Principal Name and Keytab File............................................................20 Check which SPNs are associated with the user............................................................22 Creating the JAAS Configuration File...........................................................................22 Create Active Directory Authenticator in WebLogic Security Realm..........................23 Change the control flag of DefaultAuthenticator...........................................................29 Check the active directory authenticator........................................................................29 Configure Negotiate Identity Asserter...........................................................................30 Reordering the Authentication providers.......................................................................32 Granting WebLogic Administrator Role to the SSO User.............................................33 Add Kerberos options in Weblogic startup script..........................................................35 Enable debugging in Weblogic (Optional)....................................................................35 Deploying Workspace......................................................................................................37 Configuring Workspace for SSO....................................................................................39 Customizing EPM Workspace Services Configuration Scripts.....................................39 Setting Up Workspace for Single Sign-On....................................................................39 Configuring Workspace for Single Sign-On..................................................................39 Updating JVM Arguments of Workspace......................................................................44 Adding Policies to workspace deployment....................................................................45 External Authentication in Hyperion Shared Services................................................48 Configuring Browser on Client Computers..................................................................53
2|Page
Purpose
The purpose of this document is to describe the procedure that enables Oracle Hyperion Workspace, Fusion Edition V.11.1.1 for Windows Single Sign. In other words Windows logon using the Kerberos realm provides for transparent Workspace access. Once the user logs into to his computer (which is in his organizations domain) he wont be asked for a Workspace login.
3|Page
Prerequisites
1. Have all machines into same time zone, time and date. It applies also to all clients. 2. Make sure server the connectivity is setup upon static IP and manual DNS IP's. Spotless DNS configuration for both forward & reverse resolution is fundamental to reliable Kerberos setup. 3. Test nslookup using forward & reverse resolution. 4. Test "dcdiag /s:ADmachine". Any error must be corrected before to proceed.
C:\Documents and Settings\Administrator.CELVIN-AD>dcdiag /s:CELVIN-AD.CERASOFT.com Domain Controller Diagnosis Performing initial setup: Done gathering initial info. Doing initial required tests Testing server: Default-First-Site-Name\CELVIN-AD Starting test: Connectivity ......................... CELVIN-AD passed test Connectivity Doing primary tests Testing server: Default-First-Site-Name\CELVIN-AD Starting test: Replications ......................... CELVIN-AD passed test Replications Starting test: NCSecDesc ......................... CELVIN-AD passed test NCSecDesc Starting test: NetLogons ......................... CELVIN-AD passed test NetLogons Starting test: Advertising ......................... CELVIN-AD passed test Advertising Starting test: KnowsOfRoleHolders ......................... CELVIN-AD passed test KnowsOfRoleHolders Starting test: RidManager ......................... CELVIN-AD passed test RidManager Starting test: MachineAccount ......................... CELVIN-AD passed test MachineAccount Starting test: Services ......................... CELVIN-AD passed test Services Starting test: ObjectsReplicated ......................... CELVIN-AD passed test ObjectsReplicated Starting test: frssysvol ......................... CELVIN-AD passed test frssysvol Starting test: frsevent ......................... CELVIN-AD passed test frsevent Starting test: kccevent ......................... CELVIN-AD passed test kccevent Starting test: systemlog ......................... CELVIN-AD passed test systemlog Starting test: VerifyReferences
4|Page
......................... CELVIN-AD passed test VerifyReferences Running partition tests on : ForestDnsZones Starting test: CrossRefValidation ......................... ForestDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom ......................... ForestDnsZones passed test CheckSDRefDom Running partition tests on : DomainDnsZones Starting test: CrossRefValidation ......................... DomainDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom ......................... DomainDnsZones passed test CheckSDRefDom Running partition tests on : Schema Starting test: CrossRefValidation ......................... Schema passed test CrossRefValidation Starting test: CheckSDRefDom ......................... Schema passed test CheckSDRefDom Running partition tests on : Configuration Starting test: CrossRefValidation ......................... Configuration passed test CrossRefValidation Starting test: CheckSDRefDom ......................... Configuration passed test CheckSDRefDom Running partition tests on : CERASOFT Starting test: CrossRefValidation ......................... CERASOFT passed test CrossRefValidation Starting test: CheckSDRefDom ......................... CERASOFT passed test CheckSDRefDom Running enterprise tests on : CERASOFT.com Starting test: Intersite ......................... CERASOFT.com passed test Intersite Starting test: FsmoCheck ......................... CERASOFT.com passed test FsmoCheck
5. The whole steup is under the assumption that workspace is deployed manually. 6. If you wish you can raise the functional level of your Active directory to Windows 2003. (I would recommend to do so, since Ive working setup.) Login to Active Directory User and Computers (Start Administrative Tools Active Directory User and Computers) Right click on your Domain Raise Domain Functional Level.
5|Page
Youll get a confirmation window. Click OK
7.
Install Windows 2003/2000 Support tools, we will be using ksetup configures client to use a Kerberos V5 realm instead of a Windows Server 2003 domain ktpass configures service as Kerberos principal, generates keytab file that contains service principal & key setspn manipulates Service Principal Name (SPN) for an AD service account ldifde which export the Active directory content (LDIF directory exchange)
Download Windows 2000 Service Pack 4 Support Tools from

http://www.microsoft.com/downloadS/details.aspx?FamilyID=f08d28f3-b835-4847b810-bb6539362473&displaylang=en
6|Page
Download Windows Server 2003 Service Pack 2 32-bit Support Tools from
http://www.microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D939B-9A772EA2DF90&displaylang=en
8.
Install Resource Kit Tools for troubleshooting Kerberos kerbtray to view the tickets klist to list and purge tickets (this utility comes with JRE also but with different options)
Download Windows 2000 Resource Kit Tools for administrative tasks from
http://support.microsoft.com/kb/927229
Join the Kerberos realm To join the Kerberos realm you can use ksetup
C:\Documents and Settings\Administrator.CELVIN-AD>ksetup /addkdc CERASOFT.COM CELVIN-AD.CERASOFT.COM
where you enter the Kerberos realm name (capitalized) and the FQDN name of the KDC machine. To see the Kerberos state use /dumpstate switch with ksetup.
C:\Documents and Settings\Administrator.CELVIN-AD>ksetup /dumpstate default realm = CERASOFT.com (NT Domain) CERASOFT.COM: kdc = CELVIN-AD.CERASOFT.COM Realm Flags = 0x0 none No user mappings defined. Note: This step is mainly used if your KDC is a non AD KDC or a UNIX based KDC.
It works also if you use ksetup for an Active Directory KDC but it is not required if you join the machines to the domain. After adding the machine to a Kerberos realm this value is stored in the registry.
HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Domains
7|Page
Configuring the Active Directory Machine for Kerberos.

Create SSO Group in Active Directory Create a group called wls_users (this group will hold all the WebLogic users) 1. Open the Active Directory console. (Start Administrative Tools Active Directory User and Computers) 2. Expand the node representing the Active Directory Domain Controller; for example, CERASOFT.com. 3. Right Click Users, then select New, and then Group.
8|Page
4. Enter the Group Name as wls_users. 5. Please make sure that the Group Scope is Global and Group Type is Security 6. Click OK.
9|Page
Create SSO Group in Active Directory Create a user called bea_sso_ad 1. 2. Follow the steps to open up Active Directory Console. Right Click Users, then select New, User
10 | P a g e
3.
Enter the User Name as bea_sso_ad.
4. 5. 6.
Uncheck User must change password at next logon. Check Password never expires. Click Next to proceed with the user creation.
11 | P a g e
7.
Add SSO user to SSO group. a. Double click the user bea_sso_ad or right click Properties
b. c. d.
Open the Member of tab and click Add. Type the group name as wls_users. Click Check Names, click OK to add the group.
12 | P a g e
Setup additional user properties for WebLogic user
13 | P a g e
e. f. g.
Click on the Account Tab of bea_sso_ad Select the Use DES encryption types for this account option. Please make sure that Do not require Kerberos preauthentication remains unchecked.
Creating Active Directory user which will be used as Kerberos Service Principal Create domain AD user "CELVIN-AD_WLS" (Server name_WLS) that will map to the Kerberos Service Principal.
1. 2. 3.
Follow the steps to create new user in active directory. Add the user (CELVIN-AD_WLS) to Users group. Follow the steps to add a user to a group.
14 | P a g e
4.
Setup Additional user properties for SPN (Service Principal Name) user.
15 | P a g e
a. b. c. d.
Click on the Account Tab of bea_sso_ad Select the Use DES encryption types for this account option. Select Account is trusted for delegation option. Select Do not require Kerberos preauthentication option.
5. Trust the user for delegation. Youll get the delegation tab only if you are in Windows 2003 functional level. a. Trust this user for delegation to any service (Kerberos only).
16 | P a g e
Mapping Local User to SPN Use ksetup to map the SPN user to a local user.
E:\Program Files\Support Tools>ksetup /MapUser CELVINAD_WLS@CERASOFT.com Administrator E:\Program Files\Support Tools>ksetup default realm = CERASOFT.com (NT Domain) Mapping CELVIN-AD_WLS@CERASOFT.com to Administrator.
Creating krb5.ini The Kerberos configuration properties, krb5.ini, must be configured on every WebLogic Application Server instance in a cell in order to use the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for WebLogic Application Server. Create krb5.ini in C\WINNT and C:\Windows as following.
[libdefaults] default_realm = CERASOFT.COM default_tkt_enctypes = des-cbc-crc default_tgs_enctypes = des-cbc-crc ticket_lifetime = 600 kdc_timesync = 1 ccache_type = 4 clockskew = 1200 [realms] CERASOFT.COM = { kdc = 10.8.5.70 admin_server = CELVIN-AD.CERASOFT.com default_domain = CERASOFT.com } [domain_realms] cerasoft.com = CERASOFT.COM .cerasoft.com = CERASOFT.COM [appdefaults] autologin = true forward = true forwardable = true encrypt = true
17 | P a g e
kinit is used to obtain and cache Kerberos ticket-granting tickets.

E:\bea\jdk150_12\bin>kinit -J-Dsun.security.krb5.debug=true -k -t e:\bea\bea.keytab HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM Config name: c:\winnt\krb5.ini >>>KinitOptions cache name is C:\Documents and Settings\Administrator.CELVINAD\ krb5cc_Administrator Principal is HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM >>> Kinit using keytab >>> Kinit keytab file name: e:\bea\bea.keytab >>> KeyTabInputStream, readName(): CERASOFT.COM >>> KeyTabInputStream, readName(): HTTP >>> KeyTabInputStream, readName(): CELVIN-AD.CERASOFT.com >>> KeyTab: load() entry length: 67; type: 1 Added key: 1version: 5 Ordering keys wrt default_tkt_enctypes list default etypes for default_tkt_enctypes: 23 16 1 3. 0: EncryptionKey: keyType=1 kvno=5 keyValue (hex dump)= 0000: 29 80 E5 E5 61 D3 94 B6 >>> Kinit realm name is CERASOFT.COM >>> Creating KrbAsReq >>> KrbKdcReq local addresses for CELVIN-AD are: CELVIN-AD/10.8.5.70 IPv4 address default etypes for default_tkt_enctypes: 23 16 1 3. >>> KrbAsReq calling createMessage >>> KrbAsReq in createMessage >>> Kinit: sending as_req to realm CERASOFT.COM >>> KrbKdcReq send: kdc=10.8.5.70 UDP:88, timeout=30000, number of retries =3, # bytes=181 >>> KDCCommunication: kdc=10.8.5.70 UDP:88, timeout=30000,Attempt =1, #bytes=181 >>> KrbKdcReq send: #bytes read=663 >>> KrbKdcReq send: #bytes read=663 >>> reading response from kdc >>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType >>>crc32: 2931d8b0 >>>crc32: 101001001100011101100010110000 >>> KrbAsRep cons in KrbAsReq.getReply HTTP/CELVIN-AD.CERASOFT.com New ticket is stored in cache file C:\Documents and Settings\Administrator.CELVI N-AD\krb5cc_Administrator
You can use the kerbtray and klist utilites to list the tickets stored. 18 | P a g e
Add Weblogic Admin Server as a Windows Service.

In order to to install the Admin Server as a Windows service we make use of installSvc.cmd supplied with Weblogic. (Default location is %BEA_HOME%\weblogic92\server\bin). Create a bat script called createSvc.cmd with the following commands and save it to C:\
SETLOCAL set JAVA_HOME=E:\bea\jdk150_12 set JAVA_VENDOR=Sun set DOMAIN_NAME=Hyperion set USERDOMAIN_HOME=E:\bea\user_projects\domains\Hyperion set SERVER_NAME=AdminServer set WLS_USER=hyperion set WLS_PW=hyperion set MEM_ARGS=-Xms128m -Xmx256m cd %USERDOMAIN_HOME% call %USERDOMAIN_HOME%\bin\setDomainEnv.cmd call "E:\bea\weblogic92\server\bin\installSvc.cmd" ENDLOCAL
If you would like the System Out messages and System Error messages in separate log files add this line (shown in blue) to installSvc.cmd right after the line set WL_HOME=E:\bea\weblogic92
set JAVA_OPTIONS=Dweblogic.Stdout="E:\bea\user_projects\domains\Hyperion\logs\StdOut.log" Dweblogic.Stderr="E:\bea\user_projects\domains\Hyperion\logs\StdErr.log" %JAVA_OPTIONS%
If you wish to change the name of the service edit the portion in installSvc.cmd
-svcname:"beasvc %DOMAIN_NAME%_%SERVER_NAME%" Eg -svcname:"BEA Weblogic %DOMAIN_NAME%_%SERVER_NAME%"
Service will be created as BEA Weblogic Hyperion_AdminServer.
19 | P a g e
Configuring the WebLogic Machine for Kerberos.

Create Service Principal Name and Keytab File
Note: This procedure should be performed on the machine that hosts the WebLogic server; for example, on your Workspace server.
The service principal name and keytab file are used to provide SSO between the browser and WebLogic SPNEGO filters. A keytab is a file that contains pairs of Kerberos principals and DESencrypted keys derived from the Kerberos password. It is used to log into Kerberos without being asked again for a username and password.
The keytab file is computer-independent. You can copy it from one computer to another. It is better to have a global keytab file. Note: Ensure the SPN is created using the fully qualified domain name (FQDN) of the WebLogic server.
1. Update the path setting of WebLogic server to include Windows Support tools installed path. 2. Open a command promt. 3. Type ktpass -princ HTTP/CELVINAD.CERASOFT.com@CERASOFT.COM -DesOnly -out E:\bea\bea.keytab -pass p@ssw0rd -mapuser CELVIN-AD_WLS -crypto DES-CBC-CRC After the execution of the command youll see a similar message. Ignore the warning, else if you want to add a ptype then add another switch as -ptype KRB5_NT_PRINCIPAL to the ktpass command.
C:\Documents and Settings\Administrator.CELVIN-AD>ktpass -princ HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM -DesOnly -out E:\bea\bea.keytab -pass p@ssw0rd -mapuser Celvin-AD_WLS -crypto DES-CBCCRC Targeting domain controller: CELVIN-AD.CERASOFT.com Using legacy password setting method Successfully mapped HTTP/CELVIN-AD.CERASOFT.com to CELVIN-AD_WLS. WARNING: pType and account type do not match. This might cause problems. Key created. Output keytab to E:\bea\bea.keytab: Keytab version: 0x502 keysize 67 HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM ptype 0 (KRB5_NT_UNKNOWN) vno 3 etype 0x1 (DES-CBC-CRC) keylength 8 (0x2980e5e561d394b6)
20 | P a g e
After the setting up the keytab the logon name for SPN user should change to HTTP/servername
4. You can add additional service principals using setspn utility. Use setspn a servicename/servername user
E:\Program Files\Support Tools>setspn -a HTTP/CELVIN-AD CELVIN-AD_WLS Registering ServicePrincipalNames for CN=CELVINAD_WLS,CN=Users,DC=CERASOFT,DC=com HTTP/CELVIN-AD Updated object
21 | P a g e
Check which SPNs are associated with the user.
You can use setspn utility, ldifde and ADSI edit utility to check the SPNs
C:\Documents and Settings\Administrator.CELVIN-AD>setspn -l CELVIN-AD_WLS Registered ServicePrincipalNames for CN=CELVINAD_WLS,CN=Users,DC=CERASOFT,DC=co m: HTTP/CELVIN-AD HTTP/CELVIN-AD.CERASOFT.com
Use LDIFDE to check which all entires are associated with host/http/HTTP string
C:\Documents and Settings\Administrator.CELVIN-AD>ldifde -f c:\spn_out.txt -d "DC=CERASOFT,DC=com" -l serviceprincipalname -r "(serviceprincipalname=*CELVIN-AD*)" -p subtree Connecting to "CELVIN-AD.CERASOFT.com" Logging in as current user using SSPI Exporting directory to file c:\spn_out.txt Searching for entries... Writing out entries. 1 entries exported The command has completed successfully Eg: Entry from spn_out.txt dn: CN=CELVIN-AD_WLS,CN=Users,DC=CERASOFT,DC=com changetype: add servicePrincipalName: HTTP/CELVIN-AD.CERASOFT.com
Creating the JAAS Configuration File The JAAS login configuration file identifies the system properties and login modules that direct WebLogic server to allow Kerberos authentication to occur.
com.sun.security.jgss.initiate { com.sun.security.auth.module.Krb5LoginModule required principal="HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM" useKeyTab=true keyTab="E:\\bea\\bea.keytab" storeKey=true debug=true; };
22 | P a g e
com.sun.security.jgss.accept { com.sun.security.auth.module.Krb5LoginModule required principal="HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM" useKeyTab=true keyTab="E:\\bea\\bea.keytab" storeKey=true debug=true; }; com.sun.security.jgss.krb5.accept { com.sun.security.auth.module.Krb5LoginModule required principal="HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM" useKeyTab=true keyTab="E:\\bea\\bea.keytab" storeKey=true debug=true; };
Save the file as BEA_HOME\krb5login.conf. Create Active Directory Authenticator in WebLogic Security Realm WebLogic security realm is a container for the users, groups, security policies, roles and providers that are used to protect WebLogic resources. We should create an active directory authenticator so that Active Directory users can access WebLogic.
1.
Login to WebLogic Domain.
23 | P a g e
2.
Select Security Realms from the Domain Structure.
3. 4.
Click Lock & Edit to make changes. Select myrealm, the default WebLogic realm.
24 | P a g e
5. 6.
Click on Providers Tab. Click New to add a new authenticator.
7. 8.
Type the name as ADName-AuthN Select Type as ActiveDirectoryAuthenticator.
Eg: CeraSoftAD-AuthN
9. Click OK to proceed.
25 | P a g e
10. 11. 12. 13.
Select the newly created provider from the summary list. Click on Common in the Configuration tab. Change the Control Flag to OPTIONAL. Click on Provider Specific tab
14. Change the Group Base DN to reflect your Active directory. This should be the Distinguished Name (DN) of the group to which the bea_sso_ad user belongs. For example, if the bea_sso_ad user belongs to the CERASOFT.COM/Users group, enter CN=Users,DC=CERASOFT,DC=com. 15. Change the User Name Attribute to sAMAccountName, by default cn is selected. I would recommend to use sAMAccountName for MSAD. 26 | P a g e
16. Enter the Host name of Active Directory Machine.
17. Replace cn in the User From Name filter to sAMAccountName. 18. Replace cn in the Group From Name filter to sAMAccountName
27 | P a g e
19. In User Base DN, enter the DN of the LDAP directory tree that contains users. For example, if users are defined in CERASOFT.COM/Users group, enter CN=Users,DC=CERASOFT,DC=com. 20. Check whether the active directory port is set correctly. 21. In Principal, enter the DN of the user (usually the Active Directory administrator) so that WebLogic canuse to connect to the Active Directory. For example, CN=Administrator, CN=Users,DC=CERASOFT,DC=com 22. Enter the Credential and confirm it. 23. Click Save to continue.
28 | P a g e
Change the control flag of DefaultAuthenticator
a. Select DefaultAuthenticator from the summary of providers. b. Change the control flag to OPTIONAL. 24. Click on Activate Changes. 25. Restart the WebLogic service. Check the active directory authenticator 1. 2. 3. 4. 5. Log on to the WebLogic Server Administration Console. In Domain Structure, click Security Realms. Summary of Security Realms opens. In Realms, click the default (active) realm; for example, myrealm In the settings page, select the Users and Groups tab.
29 | P a g e
6.
Verify whether active directory users are listed.
Configure Negotiate Identity Asserter The Negotiate Identity Assertion provider enables single sign-on (SSO) with Microsoft clients. The identity assertion provider decodes Simple and Protected Negotiate (SPNEGO) tokens to obtain Kerberos tokens, validates the Kerberos tokens, and maps Kerberos tokens to WebLogic users. The Negotiate Identity Assertion provider utilizes the Java Generic Security Service (GSS) Application Programming Interface (API) to accept the GSS security context via Kerberos. 1. 2. 3. 4. 5. 6. Login to WebLogic Domain. Select Security Realms from the Domain Structure. Click Lock & Edit to make changes. Select myrealm, the default WebLogic realm. Click on Providers Tab. Click New to add a new authenticator.
30 | P a g e
7. 8.
Type the name as ADName-Neg_ID_Asserter Select the Type as NegotiateIdentityAsserter.
Eg. CeraSoftAD-Neg_ID_Asserter
9. Click on Provider Specific tab. 10. Uncheck Form Based Negotiation Enabled.
31 | P a g e
Reordering the Authentication providers
11. Click Reorder in the Authentication providers. 12. In the reorder page move Active directory authenticator to first, Negotiate Identity Asserter as second, DefaultAuthenticator as third, DefaultIdentityAsserter as foruth.
13. Click Activate Changes in the change center. 14. Restart the WebLogic service. 32 | P a g e
Granting WebLogic Administrator Role to the SSO User
1. 2. 3. 4. 5. 6. 7.
Login to WebLogic Administration console. Click Security Realms from Domain Structure. In the Realms list, click the default (active) realm; for example, myrealm. On the settings page, click the Roles and Policies tab. Expand the Global Roles node. Expand the Roles node. Select View Role Conditions for Admin.
33 | P a g e
8.
Click Add conditions.
9. In predicate list select Group. 10. Click Next to proceed.
11. In group argument name type the group to which bea_sso_ad belongs (here it is wls_users). 12. Click Add 13. Type Administrators and Click add to add Administrators group. 14. Click Finish 34 | P a g e
15. Click Save in the Global Settings Window. Add Kerberos options in Weblogic startup script You must edit the startup script for your WebLogic domain; for example, C:\bea \user_projects\domains\ws_domain\bin\startWeblogic.cmd, to include the following Kerberos options.
set KERB_OPTIONS=-Djava.security.krb5.realm=CERASOFT.COM -Djava.security.krb5.kdc=10.8.5.70 -Djava.security.auth.login.config=E:\bea\krb5Login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Djava.security.krb5.conf=C:\WINNT\krb5.ini set JAVA_OPTIONS=%JAVA_OPTIONS% %KERB_OPTIONS%
Enable debugging in Weblogic (Optional) This is an optional step, if you are enabling debugging in WebLogic; please increase the log rotation size from 500 KB to 2048 KB 1. 2. 3. 4. Login to Weblogic Administration console. Click on Lock & edit Click on Servers Select the server for which you want to change the size.
35 | P a g e
5. Go to Logging Rotation file size. 6. Change size there. 7. Click on Save and click Activate Change
1. Select Admin server from the summary of servers. 2. Go the Debug tab. 3. Expand weblogic and security.
4. Select DebugSecurityAtn, DebugSecurityAtz, DebugSecurity. 5. Click Enable. 6. Activate Changes in Change Center. 36 | P a g e
Deploying Workspace
If you already deployed workspace, then delete workspace from the deployments in WebLogic Administration console.
Navigate to the expanded workspace directory, here it is

G:\Hyperion\deployments\WebLogic9\servers\Workspace\webapps
37 | P a g e
During the deployment process, specify these options in the Optional Settings page of WebLogic Install Application Assistant. 1. In Security, select Custom Roles and Policies: Use only roles and policies that are defined in the Administration console. 2. In Source accessibility, select I will make the deployment accessible from the following location. 3. In location, enter G:\Hyperion\deployments\WebLogic9\servers\Workspace\webapps\workspace.
38 | P a g e
Configuring Workspace for SSO

Customizing EPM Workspace Services Configuration Scripts EPM Workspace Services include scripts that can be launched interactively to configure various part of the system. When the Manual option is selected during EPM Workspace deployment, the DEPLOYMENT_HOME variable declarations must be manually defined in %HYPERION_HOME %/products/Foundation/workspace/bin/settrustedpass.bat|sh To declare the variable declarations: 1. In a text editor, open:
%HYPERION_HOME%/products/Foundation/workspace/bin/settrustedpass.bat
2. Replace occurrences of the $J(trustedPass.deploymentHome) with DEPLOYMENT_HOME where DEPLOYMENT_HOME is the file-system path to the deployed EPM Workspace Web application.
eg. G:\Hyperion\deployments\WebLogic9\servers\Workspace\webapps\workspace
Run the bat file in Windows CMD: settrustedpass.bat Default initial password is: 123456 Enter new password at the prompt Re-enter the new Trusted Password Setting Up Workspace for Single Sign-On Workspace delegates the process of handling external authentication and SSO to Workspace Core Services. To enable this process, you must define the trusted password that is used to establish trust between Workspace and Workspace Core Services. Configuring Workspace for Single Sign-On The configuration file which help in SSO are ws.conf (Workspace SSO configuration file) tp.conf (trusted password configuration file) 39 | P a g e
These files are located, for example,

G:\Hyperion\deployments\WebLogic9\servers\Workspace\webapps\workspace\WEBINF\config.
SSO settings you define are used by Workspace CMC console.
1.
Login to Workspace.
2. 40 | P a g e
Navigate Administer Authentication
3. 4. 5. 6.
Enter the Trusted Password that we changed in the previous step. Confirm the password Check Use users logon credentials for pass-through. Click OK
7.
To change the SSO configuration we need to login to CMC console.
41 | P a g e
8. Start Workspace Agent UI from "Start" "Oracle EPM System" "Workspace" "Utilities and Administration" "Start Workspace Agent UI"
9. To launch CMC login to workspace and go to Navigate Administer Configuration Console
42 | P a g e
10. From the Current View select Web-Application Configuration. 11. Right Click on Workspace Web-Application. 12. Click properties.
13. Click on the User Interface window. 14. From the drop down, select $REMOTE LOGIN$ for Custom Username Policy.
43 | P a g e
15. From the drop down, select $TRUSTEDPASS$ for Custom Password Policy. Updating JVM Arguments of Workspace To update JVM arguments of Workspace. 1. Login to registry.
44 | P a g e
2. Navigate to HKLM\SOFTWARE\Hyperion Solutions\Workspace\HYS9Workspace 3. Add the following keys to the registry. 4. All JVMOptions are of type String. JVMOption12 assuming that the last JVMOption in the registry is JVMOption11.
JVMOption12 = -Djava.security.krb5.realm=CERASOFT.COM JVMOption13 = -Djava.security.krb5.kdc=10.8.5.70 JVMOption14 = -Djava.security.auth.login.config=E:\bea\krb5Login.conf JVMOption15 = -Djavax.security.auth.useSubjectCredsOnly=false JVMOption16 = -Dweblogic.security.enableNegotiate=true JVMOption17 = -Djava.security.krb5.conf=C:\WINNT\krb5.ini
Update the JVMOptionCount to reflect the new number i.e. 17 Adding Policies to workspace deployment. You must create custom policies for the URL patterns specific to Workspace Web application.
To create custom polices 1. 2. 3. 4. 45 | P a g e Login to WebLogic Administration console. Click on Deployment from Domain Structure. Select workspace from the summary of deployments. Click on Security tab and go to URL Patterns
5.
Go to Policies
6. 7. 8.
Click New. Enter the URL Pattern as /index.jsp Select the Provider Name as XACMLAuthorizer.
9. 10. 11. 12. 46 | P a g e
Select the newly created policy. Click Add Conditions. In Predicate List select Group Click Next to proceed.
13. In group argument name type wls_users and click Add. 14. Click Finish.
47 | P a g e
External Authentication in Hyperion Shared Services

In order to use SSO we must provision MSAD users, so that they can use Hyperion products. 1. Login to Shared Services using URL http://localhost:28080/interop/
2. 48 | P a g e
Go to Administration Configure User Directories.
3.
Click Add to create a new directory.
4. 5.
Select Microsoft Active Directory from the given list. Click Next to proceed.
49 | P a g e
6. 7. 8. 9.
Type a name for the directory. Enter the Active Directory Machine name in the Host Name field. Check whether the port is correct or not. Click on Fetch DNs
10. Enter the User DN and click on Append Base DN. (This user can be an AD Administrator or a User who can search for all the Hyperion users) 11. Enter Password. 50 | P a g e
12. Click Next to proceed.
13. Enter a user name and click Auto Configure 14. User RDN and all other attributes will be populated. 15. Click Next to proceed.
16. You can configure MSAD groups also in the similar way. 51 | P a g e
17. If you dont want to use MSAD groups, I would recommend still configuring a group in MSAD where that group is the only container and it doesnt have any users. 18. Click Finish to finish the external directory configuration.
19. Click OK 20. Restart Shared Services.
52 | P a g e
21. Login to Shared Services. 22. Expand the newly created user directory. 23. Click on Users.
24. Click Search and it should populate all the AD users if the configuration is correct.
Configuring Browser on Client Computers

Browsers used to access Hyperion products should be configured for Integrated Windows Authentication. You must use a browser that is capable of handling SPNEGO protocol. Internet Explorer 6 or later. 1. Login to Client Machine as an ordinary Hyperion user. 2. Start a browser session. 3. Select Tools, and then Internet Options
53 | P a g e
4. Click on Sites to add the intranet site.
5. Click on Advanced. 54 | P a g e
6. Type in the Workspace server name and click add. 7. Click OK till we come back to the Internet Options.
55 | P a g e
8. Select Security in the Internet Options, select Local Intranet. 9. Click on Custom Level 10. In User Authentication, check Automatic logon only in Intranet zone.
11. In the advanced Tab, check whether Enable Integrated Windows Authentication is checked or not. 12. Click OK to finish the settings.
56 | P a g e
Open up internet explorer and type in the workspace URL http://servername/workspace. Youll see a similar window, saying loading.
If your Kerberos authentication is working youll not see the standard Login screen.
57 | P a g e
Instead youll be logged in without asking for a username and password!!!!!!!
58 | P a g e

Enable Kerberos With Workspace 11.1.1.3

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Enable Kerberos With Workspace 11.1.1.3

Uploaded by

Copyright:

Available Formats

Enable Kerberos (SSO) with Workspace 11.1.1.3 on WebLogic 9.

2 MP3 & Apache HTTP Server

Youll get a confirmation window. Click OK

Download Windows 2000 Service Pack 4 Support Tools from

Configuring the Active Directory Machine for Kerberos.

Enter the User Name as bea_sso_ad.

Setup additional user properties for WebLogic user

kinit is used to obtain and cache Kerberos ticket-granting tickets.

Add Weblogic Admin Server as a Windows Service.

Service will be created as BEA Weblogic Hyperion_AdminServer.

Configuring the WebLogic Machine for Kerberos.

Check which SPNs are associated with the user.

Login to WebLogic Domain.

Select Security Realms from the Domain Structure.

Click on Providers Tab. Click New to add a new authenticator.

Type the name as ADName-AuthN Select Type as ActiveDirectoryAuthenticator.

10. 11. 12. 13.

16. Enter the Host name of Active Directory Machine.

Change the control flag of DefaultAuthenticator

Verify whether active directory users are listed.

Type the name as ADName-Neg_ID_Asserter Select the Type as NegotiateIdentityAsserter.

Reordering the Authentication providers

Granting WebLogic Administrator Role to the SSO User

Click Add conditions.

9. In predicate list select Group. 10. Click Next to proceed.

Navigate to the expanded workspace directory, here it is

Configuring Workspace for SSO

These files are located, for example,

SSO settings you define are used by Workspace CMC console.

Navigate Administer Authentication

To change the SSO configuration we need to login to CMC console.

9. To launch CMC login to workspace and go to Navigate Administer Configuration Console

9. 10. 11. 12. 46 | P a g e

External Authentication in Hyperion Shared Services

Go to Administration Configure User Directories.

Click Add to create a new directory.

12. Click Next to proceed.

19. Click OK 20. Restart Shared Services.

Configuring Browser on Client Computers

4. Click on Sites to add the intranet site.

Instead youll be logged in without asking for a username and password!!!!!!!

You might also like