Celvin Kattookaran
Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server
Table of Contents

Purpose
Prerequisites
Join the Kerberos realm
Configuring the Active Directory Machine for Kerberos
  Create SSO Group in Active Directory
  Create SSO User in Active Directory
  Creating Active Directory user which will be used as Kerberos Service Principal
  Mapping Local User to SPN
  Creating krb5.ini
  Add Weblogic Admin Server as a Windows Service
Configuring the WebLogic Machine for Kerberos
  Create Service Principal Name and Keytab File
  Check which SPNs are associated with the user
  Creating the JAAS Configuration File
  Create Active Directory Authenticator in WebLogic Security Realm
  Change the control flag of DefaultAuthenticator
  Check the active directory authenticator
  Configure Negotiate Identity Asserter
  Reordering the Authentication providers
  Granting WebLogic Administrator Role to the SSO User
  Add Kerberos options in Weblogic startup script
  Enable debugging in Weblogic (Optional)
Deploying Workspace
Configuring Workspace for SSO
  Customizing EPM Workspace Services Configuration Scripts
  Setting Up Workspace for Single Sign-On
  Configuring Workspace for Single Sign-On
  Updating JVM Arguments of Workspace
  Adding Policies to workspace deployment
External Authentication in Hyperion Shared Services
Configuring Browser on Client Computers
Purpose
The purpose of this document is to describe the procedure that enables Windows single sign-on (SSO) for Oracle Hyperion Workspace, Fusion Edition 11.1.1. In other words, a Windows logon to the Kerberos realm gives transparent access to Workspace: once a user logs into a computer that is a member of the organization's domain, he is not prompted for a Workspace login.
Prerequisites
1. Put all machines, clients included, in the same time zone with the same date and time. Kerberos rejects tickets whose timestamp is off by more than the permitted clock skew (5 minutes by default), so time synchronization against the domain controller is mandatory, not optional.
2. Make sure server connectivity is set up with static IP addresses and manually configured DNS server addresses. A spotless DNS configuration for both forward and reverse resolution is fundamental to a reliable Kerberos setup, because clients build the service principal name from the host name they resolve.
3. Test nslookup for forward and reverse resolution of every server involved.
4. Run "dcdiag /s:ADmachine". Any error must be corrected before proceeding.
C:\Documents and Settings\Administrator.CELVIN-AD>dcdiag /s:CELVIN-AD.CERASOFT.com

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   Testing server: Default-First-Site-Name\CELVIN-AD
      Starting test: Connectivity
         ......................... CELVIN-AD passed test Connectivity

Doing primary tests
   Testing server: Default-First-Site-Name\CELVIN-AD
      Starting test: Replications
         ......................... CELVIN-AD passed test Replications
      Starting test: NCSecDesc
         ......................... CELVIN-AD passed test NCSecDesc
      Starting test: NetLogons
         ......................... CELVIN-AD passed test NetLogons
      Starting test: Advertising
         ......................... CELVIN-AD passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... CELVIN-AD passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... CELVIN-AD passed test RidManager
      Starting test: MachineAccount
         ......................... CELVIN-AD passed test MachineAccount
      Starting test: Services
         ......................... CELVIN-AD passed test Services
      Starting test: ObjectsReplicated
         ......................... CELVIN-AD passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... CELVIN-AD passed test frssysvol
      Starting test: frsevent
         ......................... CELVIN-AD passed test frsevent
      Starting test: kccevent
         ......................... CELVIN-AD passed test kccevent
      Starting test: systemlog
         ......................... CELVIN-AD passed test systemlog
      Starting test: VerifyReferences
         ......................... CELVIN-AD passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : CERASOFT
      Starting test: CrossRefValidation
         ......................... CERASOFT passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... CERASOFT passed test CheckSDRefDom

   Running enterprise tests on : CERASOFT.com
      Starting test: Intersite
         ......................... CERASOFT.com passed test Intersite
      Starting test: FsmoCheck
         ......................... CERASOFT.com passed test FsmoCheck
5. The whole setup assumes that Workspace is deployed manually.
6. If you wish, you can raise the functional level of your Active Directory to Windows 2003. I recommend doing so, since my working setup uses that level and the Delegation tab used later is only shown at this level. Open Active Directory Users and Computers (Start > Administrative Tools > Active Directory Users and Computers), right-click your domain and select Raise Domain Functional Level.
7. Install the Windows 2003/2000 Support Tools. We will be using:
   ksetup - configures a client to use a Kerberos V5 realm instead of a Windows Server 2003 domain
   ktpass - configures a service as a Kerberos principal and generates the keytab file that contains the service principal and its key
   setspn - manipulates Service Principal Names (SPNs) for an AD service account
   ldifde - exports Active Directory content (LDIF Directory Exchange)
Download Windows Server 2003 Service Pack 2 32-bit Support Tools from
http://www.microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D939B-9A772EA2DF90&displaylang=en
8. Install the Resource Kit Tools for troubleshooting Kerberos:
   kerbtray - views the tickets held by the current logon session
   klist - lists and purges tickets (a klist utility also ships with the JRE, with different options)
Download Windows 2000 Resource Kit Tools for administrative tasks from
http://support.microsoft.com/kb/927229
Join the Kerberos realm
To join the Kerberos realm you can use ksetup:
C:\Documents and Settings\Administrator.CELVIN-AD>ksetup /addkdc CERASOFT.COM CELVIN-AD.CERASOFT.COM
where you enter the Kerberos realm name (capitalized) and the FQDN of the KDC machine. To see the Kerberos state, use the /dumpstate switch with ksetup.

C:\Documents and Settings\Administrator.CELVIN-AD>ksetup /dumpstate
default realm = CERASOFT.com (NT Domain)
CERASOFT.COM:
    kdc = CELVIN-AD.CERASOFT.COM
    Realm Flags = 0x0 none
No user mappings defined.

Note: This step is mainly needed when your KDC is not Active Directory, for example a UNIX-based KDC. It also works with an Active Directory KDC, but it is not required if the machines are joined to the domain. After the machine has been added to a Kerberos realm, the realm-to-KDC mapping is stored in the registry under

HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Domains
Configuring the Active Directory Machine for Kerberos

Create SSO Group in Active Directory
Create a security group called wls_users. The SSO users that may reach Workspace through WebLogic are placed in this group, and the WebLogic policies created later refer to it.
1. Open Active Directory Users and Computers (Start > Administrative Tools > Active Directory Users and Computers).
2. Right-click Users, then select New > Group.
3. Enter the Group Name as wls_users.
4. Make sure that the Group Scope is Global and the Group Type is Security.
5. Click OK.
Create SSO User in Active Directory
Create a user called bea_sso_ad. This is the Active Directory account that will log in to Workspace through Kerberos SSO.
1. Follow the steps above to open the Active Directory Users and Computers console.
2. Right-click Users, then select New > User.
3. Enter bea_sso_ad as the name and user logon name, then click Next.
4. Uncheck User must change password at next logon.
5. Check Password never expires.
6. Click Next to proceed with the user creation.
7. Add the SSO user to the SSO group.
   a. Double-click the user bea_sso_ad, or right-click it and select Properties.
   b. Open the Member Of tab and click Add.
   c. Type the group name wls_users.
   d. Click Check Names, then click OK to add the group.
   e. Click the Account tab of bea_sso_ad.
   f. Select the Use DES encryption types for this account option.
   g. Make sure that Do not require Kerberos preauthentication remains unchecked.
Note: DES ticket encryption is a weak, legacy choice that this setup uses because its keytab is DES-only. DES is disabled by default on Windows 7 / Windows Server 2008 R2 and later and in Java 8 and later; on those versions leave this option unchecked, create the keytab with an AES crypto type and use AES enctypes in krb5.ini.
Creating Active Directory user which will be used as Kerberos Service Principal
Create the domain AD user CELVIN-AD_WLS (Server name_WLS) that will map to the Kerberos Service Principal of the WebLogic server.
1. Follow the steps above to create a new user in Active Directory.
2. Add the user (CELVIN-AD_WLS) to the Users group.
3. Follow the steps above to add a user to a group.
4. Set up additional user properties for the SPN (Service Principal Name) user.
   a. Click the Account tab of CELVIN-AD_WLS.
   b. Select the Use DES encryption types for this account option.
   c. Select the Account is trusted for delegation option.
   d. Select the Do not require Kerberos preauthentication option.
   Note: with preauthentication disabled, any client can request an AS-REP for this account that is encrypted with its password-derived key and guess the password offline. Give CELVIN-AD_WLS a long random password, and try the keytab login with preauthentication still required first; disable it only if the login fails without it.
5. Trust the user for delegation. You will get the Delegation tab only if the domain is at the Windows 2003 functional level.
   a. Select Trust this user for delegation to any service (Kerberos only).
   Note: this is unconstrained delegation. It is only needed if a component behind WebLogic must use the end user's Kerberos identity; if nothing does, leave delegation off.
Mapping Local User to SPN
Use ksetup to map the SPN user to a local user. Like the ksetup /addkdc step, this is only needed when the WebLogic machine is not a member of the domain.

E:\Program Files\Support Tools>ksetup /MapUser CELVIN-AD_WLS@CERASOFT.com Administrator

E:\Program Files\Support Tools>ksetup
default realm = CERASOFT.com (NT Domain)
Mapping CELVIN-AD_WLS@CERASOFT.com to Administrator.
Creating krb5.ini
The Kerberos configuration file, krb5.ini, must be present on every WebLogic Server instance in the domain that is to accept SPNEGO (Simple and Protected GSS-API Negotiation Mechanism) tokens through the Negotiate Identity Asserter. Create krb5.ini in the Windows directory (C:\WINNT on Windows 2000/2003, C:\Windows on later versions); the startup options added later point to it explicitly with java.security.krb5.conf. Two points to note: the host-to-realm mapping section is spelled [domain_realm] in the profile format that the JDK reads (a misspelt section such as [domain_realms] is silently ignored), and the DES enctypes below match the DES-only keytab created later, so on a JDK 8 or later JVM, or with DES disabled on the domain controllers, use AES enctypes and an AES keytab instead. A clockskew of 1200 seconds only hides time synchronization problems; the default of 300 is enough when the prerequisites have been met.

[libdefaults]
  default_realm = CERASOFT.COM
  default_tkt_enctypes = des-cbc-crc
  default_tgs_enctypes = des-cbc-crc
  ticket_lifetime = 600
  kdc_timesync = 1
  ccache_type = 4
  clockskew = 1200

[realms]
  CERASOFT.COM = {
    kdc = 10.8.5.70
    admin_server = CELVIN-AD.CERASOFT.com
    default_domain = CERASOFT.com
  }

[domain_realm]
  cerasoft.com = CERASOFT.COM
  .cerasoft.com = CERASOFT.COM

[appdefaults]
  autologin = true
  forward = true
  forwardable = true
  encrypt = true
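Because the JDK ignores a section it does not recognise and happily negotiates whatever enctypes the file lists, a wrong krb5.ini fails late and confusingly. The following script, an added example that is not part of this document, parses a krb5.ini in the MIT profile format and flags the settings that most often break or weaken SSO: an unknown or misspelt section, weak enctypes, an oversized clockskew, and a default_realm without a [realms] entry. SAMPLE_KRB5_INI is the configuration above (with the original [domain_realms] spelling); HARDENED_KRB5_INI is a corrected version of it. The parser, the finding texts and the WEAK_ENCTYPES list are this example's own choices.

```python
"""Audit a krb5.ini for settings that commonly break or weaken Kerberos SSO.
Added example; not from the original document."""

import re
from typing import Dict, List

# Constructed sample: the document's krb5.ini, including its [domain_realms] typo.
SAMPLE_KRB5_INI = """\
[libdefaults]
  default_realm = CERASOFT.COM
  default_tkt_enctypes = des-cbc-crc
  default_tgs_enctypes = des-cbc-crc
  ticket_lifetime = 600
  kdc_timesync = 1
  ccache_type = 4
  clockskew = 1200
[realms]
  CERASOFT.COM = {
    kdc = 10.8.5.70
    admin_server = CELVIN-AD.CERASOFT.com
    default_domain = CERASOFT.com
  }
[domain_realms]
  cerasoft.com = CERASOFT.COM
  .cerasoft.com = CERASOFT.COM
[appdefaults]
  forwardable = true
"""

# Corrected version: MIT spelling of the mapping section, AES instead of DES,
# the default 5-minute skew, and the KDC named by host rather than IP.
HARDENED_KRB5_INI = """\
[libdefaults]
  default_realm = CERASOFT.COM
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  clockskew = 300
[realms]
  CERASOFT.COM = {
    kdc = CELVIN-AD.CERASOFT.com
    admin_server = CELVIN-AD.CERASOFT.com
    default_domain = cerasoft.com
  }
[domain_realm]
  cerasoft.com = CERASOFT.COM
  .cerasoft.com = CERASOFT.COM
"""

WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des3-cbc-sha1", "rc4-hmac", "arcfour-hmac"}
KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm", "appdefaults", "capaths", "logging", "plugins"}


def parse_krb5(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the MIT profile format into {section: {key: value or {subkey: value}}}.
    One level of '{ ... }' nesting is supported, which covers [realms] and [appdefaults]."""
    sections: Dict[str, Dict[str, object]] = {}
    section = None   # current [section] dict
    block = None     # current '{ ... }' dict inside the section, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = sections.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError("key outside any section: %r" % line)
        if line == "}":
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            block = {}
            section[key] = block
        elif block is not None:
            block[key] = value
        else:
            section[key] = value
    return sections


def audit_krb5(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    cfg = parse_krb5(text)
    findings: List[str] = []
    for name in cfg:
        if name not in KNOWN_SECTIONS:
            hint = " (did you mean [domain_realm]?)" if name.startswith("domain_realm") else ""
            findings.append("unknown section [%s]%s" % (name, hint))
    lib = cfg.get("libdefaults", {})
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for etype in str(lib.get(key, "")).split():
            if etype.lower() in WEAK_ENCTYPES:
                findings.append("%s lists weak enctype %s" % (key, etype))
    skew = lib.get("clockskew")
    if skew is not None and int(skew) > 300:
        findings.append("clockskew %s s is above the 300 s default; fix time sync instead" % skew)
    realm, realms = lib.get("default_realm"), cfg.get("realms", {})
    if realm and realm not in realms:
        findings.append("default_realm %s has no [realms] entry" % realm)
    for rname, body in realms.items():
        if rname != rname.upper():
            findings.append("realm name %s should be upper case" % rname)
        if not isinstance(body, dict) or "kdc" not in body:
            findings.append("realm %s has no kdc" % rname)
    return findings


if __name__ == "__main__":
    for label, conf in (("document", SAMPLE_KRB5_INI), ("hardened", HARDENED_KRB5_INI)):
        print(label, audit_krb5(conf) or "no findings")
```

Run it against the file you actually deployed (`audit_krb5(open(r"C:\WINNT\krb5.ini").read())`); the document's version yields four findings, the hardened one none. AES-256 additionally needs the unlimited-strength JCE policy files on Java 6 and 7 JVMs, so on those use the aes128 enctype alone if the policy files cannot be installed.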
You can use the kerbtray and klist utilities to list the tickets stored.

Add Weblogic Admin Server as a Windows Service
The Admin Server is installed as a Windows service with installSvc.cmd from WL_HOME\server\bin. If you would like the System Out messages and System Error messages in separate log files, add the following line to installSvc.cmd right after the line set WL_HOME=E:\bea\weblogic92:
set JAVA_OPTIONS=-Dweblogic.Stdout="E:\bea\user_projects\domains\Hyperion\logs\StdOut.log" -Dweblogic.Stderr="E:\bea\user_projects\domains\Hyperion\logs\StdErr.log" %JAVA_OPTIONS%
If you wish to change the name of the service, edit this portion of installSvc.cmd:

-svcname:"beasvc %DOMAIN_NAME%_%SERVER_NAME%"

e.g.

-svcname:"BEA Weblogic %DOMAIN_NAME%_%SERVER_NAME%"
Configuring the WebLogic Machine for Kerberos

Create Service Principal Name and Keytab File
The service principal name and keytab file are used to provide SSO between the browser and the WebLogic SPNEGO filters. A keytab is a file that contains pairs of Kerberos principals and encryption keys derived from the principal's password (DES keys in this setup). It lets the service authenticate to Kerberos without being prompted for a username and password.
The keytab file is computer-independent: you can copy it from one computer to another, and it is convenient to keep a single keytab for the service. Because it is equivalent to the service account's password, restrict it so that only the account running WebLogic can read it, and never leave it on a share or in a script. Note: Ensure the SPN is created using the fully qualified domain name (FQDN) of the WebLogic server.
1. Update the PATH of the WebLogic server to include the installation path of the Windows Support Tools.
2. Open a command prompt.
3. Run:
   ktpass -princ HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM -DesOnly -out E:\bea\bea.keytab -pass p@ssw0rd -mapuser CELVIN-AD_WLS -crypto DES-CBC-CRC
   Note that -pass resets the password of CELVIN-AD_WLS to the given value and derives the keytab key from it; -pass * prompts for the password instead of leaving it in the command history. After the command runs you will see a message similar to the one below. The warning can be ignored; to avoid it, add -ptype KRB5_NT_PRINCIPAL to the ktpass command. The last line prints the actual key in hex, so treat the console output as a secret too.

C:\Documents and Settings\Administrator.CELVIN-AD>ktpass -princ HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM -DesOnly -out E:\bea\bea.keytab -pass p@ssw0rd -mapuser Celvin-AD_WLS -crypto DES-CBC-CRC
Targeting domain controller: CELVIN-AD.CERASOFT.com
Using legacy password setting method
Successfully mapped HTTP/CELVIN-AD.CERASOFT.com to CELVIN-AD_WLS.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to E:\bea\bea.keytab:
Keytab version: 0x502
keysize 67 HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM ptype 0 (KRB5_NT_UNKNOWN) vno 3 etype 0x1 (DES-CBC-CRC) keylength 8 (0x2980e5e561d394b6)
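A keytab that does not match the JAAS principal exactly (case included), or whose key version has moved on because the account password was reset again, makes the Krb5LoginModule fail at startup with little to go on. The following script, an added example that is not part of this document, reads the keytab format that ktpass writes (version 0x0502) and checks the entries against the SPN WebLogic will use. The format handling is this example's own; the sample keytab is constructed here to mirror the ktpass output above (same principal, kvno 3, etype 1 and the 8-byte DES key it printed). The "keysize 67" ktpass reports is exactly this entry layout without the trailing 32-bit kvno field.

```python
"""Parse a Kerberos keytab (MIT format 0x0502) and check it against an SPN.
Added example; not from the original document."""

import struct
from typing import Dict, List

ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ETYPES = {1, 3, 16, 23}


def _counted(data: bytes) -> bytes:
    """16-bit big-endian length prefix, used for realm, name components and key."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries) -> bytes:
    """Construct a keytab from (principal, kvno, etype, key, name_type) tuples."""
    out = b"\x05\x02"
    for principal, kvno, etype, key, name_type in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)  # name type, timestamp, 8-bit kvno
        body += struct.pack(">H", etype) + _counted(key)
        body += struct.pack(">I", kvno)                         # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out


class _Reader:
    def __init__(self, buf: bytes, pos: int):
        self.buf, self.pos = buf, pos

    def unpack(self, fmt: str):
        vals = struct.unpack_from(fmt, self.buf, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals

    def counted(self) -> bytes:
        (n,) = self.unpack(">H")
        data = self.buf[self.pos:self.pos + n]
        self.pos += n
        return data


def parse_keytab(blob: bytes) -> List[Dict]:
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                  # a negative size marks a deleted slot
            pos += -size
            continue
        r = _Reader(blob, pos)
        (ncomp,) = r.unpack(">H")
        realm = r.counted().decode()
        comps = [r.counted().decode() for _ in range(ncomp)]
        name_type, _timestamp, vno8 = r.unpack(">IIB")
        (etype,) = r.unpack(">H")
        key = r.counted()
        kvno = vno8
        if pos + size - r.pos >= 4:   # 32-bit kvno present; it overrides the 8-bit one when non-zero
            (vno32,) = r.unpack(">I")
            kvno = vno32 or vno8
        pos += size
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "kvno": kvno, "etype": etype,
                        "enctype": ETYPE_NAMES.get(etype, "etype %d" % etype),
                        "key_hex": key.hex(), "weak": etype in WEAK_ETYPES})
    return entries


def check_keytab_for_spn(blob: bytes, spn: str) -> List[str]:
    """Problems that would stop the Krb5LoginModule or weaken the setup."""
    entries = parse_keytab(blob)
    problems: List[str] = []
    exact = [e for e in entries if e["principal"] == spn]  # Kerberos names are case-sensitive
    if not exact:
        loose = [e["principal"] for e in entries if e["principal"].lower() == spn.lower()]
        hint = "; case differs from %s" % loose if loose else ""
        problems.append("no exact entry for %s%s" % (spn, hint))
    for e in exact:
        if e["weak"]:
            problems.append("%s uses weak enctype %s" % (e["principal"], e["enctype"]))
        if e["name_type"] == 0:
            problems.append("%s has name type KRB5_NT_UNKNOWN; pass -ptype KRB5_NT_PRINCIPAL to ktpass"
                            % e["principal"])
    return problems


# Constructed sample matching the ktpass output above (name type 0 = KRB5_NT_UNKNOWN).
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM", 3, 1, bytes.fromhex("2980e5e561d394b6"), 0),
])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    print(check_keytab_for_spn(SAMPLE_KEYTAB, "HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM"))
```

For the real file use `check_keytab_for_spn(open(r"E:\bea\bea.keytab", "rb").read(), "HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM")`. The kvno it reports must match the account's current msDS-KeyVersionNumber; every further ktpass -pass or password reset bumps it and silently invalidates the old keytab.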
After the keytab has been created, the user logon name of the SPN user changes to HTTP/servername.
4. You can add additional service principals with the setspn utility: setspn -a servicename/servername user. Register both the short host name and the FQDN, because the browser builds the SPN from whatever host name appears in the URL. setspn -a does not check whether the SPN is already registered on another account (for example the server's own computer object); a duplicate SPN breaks Kerberos for that service, so confirm with the ldifde query in the next section that each HTTP SPN appears exactly once.

E:\Program Files\Support Tools>setspn -a HTTP/CELVIN-AD CELVIN-AD_WLS
Registering ServicePrincipalNames for CN=CELVIN-AD_WLS,CN=Users,DC=CERASOFT,DC=com
        HTTP/CELVIN-AD
Updated object
Check which SPNs are associated with the user
You can use the setspn utility, ldifde and the ADSI Edit utility to check the SPNs.
C:\Documents and Settings\Administrator.CELVIN-AD>setspn -l CELVIN-AD_WLS
Registered ServicePrincipalNames for CN=CELVIN-AD_WLS,CN=Users,DC=CERASOFT,DC=com:
    HTTP/CELVIN-AD
    HTTP/CELVIN-AD.CERASOFT.com

Use ldifde to find every object whose servicePrincipalName contains the server name (host/, http/ and HTTP/ entries alike). To look specifically for duplicates of the Workspace SPN, narrow the filter to "(servicePrincipalName=HTTP/CELVIN-AD*)" and confirm that only one dn is returned.

C:\Documents and Settings\Administrator.CELVIN-AD>ldifde -f c:\spn_out.txt -d "DC=CERASOFT,DC=com" -l serviceprincipalname -r "(serviceprincipalname=*CELVIN-AD*)" -p subtree
Connecting to "CELVIN-AD.CERASOFT.com"
Logging in as current user using SSPI
Exporting directory to file c:\spn_out.txt
Searching for entries...
Writing out entries.
1 entries exported
The command has completed successfully

Example entry from spn_out.txt:

dn: CN=CELVIN-AD_WLS,CN=Users,DC=CERASOFT,DC=com
changetype: add
servicePrincipalName: HTTP/CELVIN-AD.CERASOFT.com
Creating the JAAS Configuration File
The JAAS login configuration file identifies the login modules that let WebLogic Server perform Kerberos authentication; it is referenced from the startup options with java.security.auth.login.config. The same keytab principal is used for the initiator entry and for both acceptor entries (com.sun.security.jgss.accept is the entry name used by Java 5, com.sun.security.jgss.krb5.accept the one used by Java 6 and later).

com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
        principal="HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM"
        useKeyTab=true
        keyTab="E:\\bea\\bea.keytab"
        storeKey=true
        debug=true;
};

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        principal="HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM"
        useKeyTab=true
        keyTab="E:\\bea\\bea.keytab"
        storeKey=true
        debug=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        principal="HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM"
        useKeyTab=true
        keyTab="E:\\bea\\bea.keytab"
        storeKey=true
        debug=true;
};

Save the file as BEA_HOME\krb5login.conf (the startup options below refer to it as E:\bea\krb5Login.conf). The principal must match the keytab entry exactly, including case. Set debug=false once SSO works; the debug output goes to the server's standard output on every request.

Create Active Directory Authenticator in WebLogic Security Realm
A WebLogic security realm is a container for the users, groups, security policies, roles and providers that are used to protect WebLogic resources. We create an Active Directory authenticator so that Active Directory users can access WebLogic.
1. Log in to the WebLogic Server Administration Console.
2. Select Security Realms from the Domain Structure.
3. Click Lock & Edit to make changes.
4. Select myrealm, the default WebLogic realm.
5. Click the Providers tab.
6. Click New to add a new authentication provider.
7. Enter a name for the provider, e.g. CeraSoftAD-AuthN.
8. Select ActiveDirectoryAuthenticator as the type.
9. Click OK to proceed.
10. Select the newly created provider from the summary list.
11. Click Common in the Configuration tab.
12. Change the Control Flag to OPTIONAL.
13. Click the Provider Specific tab.
14. Change the Group Base DN to reflect your Active Directory. This should be the Distinguished Name (DN) of the container holding the group to which the bea_sso_ad user belongs. For example, if the bea_sso_ad user belongs to a group under CERASOFT.COM/Users, enter CN=Users,DC=CERASOFT,DC=com.
15. Change the User Name Attribute to sAMAccountName; by default cn is selected. I recommend sAMAccountName for MSAD, because cn is the display name and may contain spaces or differ from the logon name that arrives in the Kerberos ticket.
17. Replace cn with sAMAccountName in the User From Name Filter, i.e. (&(sAMAccountName=%u)(objectclass=user)).
18. Replace cn with sAMAccountName in the Group From Name Filter, i.e. (&(sAMAccountName=%g)(objectclass=group)).
19. In User Base DN, enter the DN of the LDAP directory tree that contains the users. For example, if users are defined under CERASOFT.COM/Users, enter CN=Users,DC=CERASOFT,DC=com.
20. Check whether the Active Directory port is set correctly (389, or 636 with SSL Enabled).
21. In Principal, enter the DN of the user that WebLogic uses to bind to Active Directory, for example CN=Administrator,CN=Users,DC=CERASOFT,DC=com. A dedicated read-only account is preferable to the domain Administrator: WebLogic only needs to search users and groups, and the credential is stored in the domain configuration.
22. Enter the Credential and confirm it.
23. Click Save to continue.
Change the control flag of DefaultAuthenticator
   a. Select DefaultAuthenticator from the summary of providers.
   b. Change the Control Flag to OPTIONAL.
24. Click Activate Changes.
25. Restart the WebLogic service.
With both authenticators OPTIONAL, a login succeeds when either Active Directory or the embedded LDAP accepts it; if the DefaultAuthenticator were left REQUIRED, every Active Directory user would also have to exist in the embedded LDAP.

Check the active directory authenticator
1. Log on to the WebLogic Server Administration Console.
2. In Domain Structure, click Security Realms. Summary of Security Realms opens.
3. In Realms, click the default (active) realm; for example, myrealm.
4. On the settings page, select the Users and Groups tab.
5. The Users table should now list the Active Directory users, with the Provider column showing the name of the new authenticator (e.g. CeraSoftAD-AuthN). If it does not, check the bind principal, credential and base DNs entered above.
Configure Negotiate Identity Asserter
The Negotiate Identity Assertion provider enables single sign-on (SSO) with Microsoft clients. It decodes Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) tokens to obtain Kerberos tokens, validates the Kerberos tokens, and maps them to WebLogic users. It uses the Java Generic Security Service (GSS) Application Programming Interface (API) to accept the GSS security context via Kerberos.
1. Log in to the WebLogic Server Administration Console.
2. Select Security Realms from the Domain Structure.
3. Click Lock & Edit to make changes.
4. Select myrealm, the default WebLogic realm.
5. Click the Providers tab.
6. Click New to add a new provider.
7. Enter a name for the provider, e.g. CeraSoftAD-Neg_ID_Asserter.
8. Select NegotiateIdentityAsserter as the type and click OK.
9. Click the Provider Specific tab.
10. Uncheck Form Based Negotiation Enabled.
Reordering the Authentication providers
11. Click Reorder in the Authentication Providers list.
12. On the reorder page, move the Active Directory authenticator to first, the Negotiate Identity Asserter to second, DefaultAuthenticator to third and DefaultIdentityAsserter to fourth.
13. Click Activate Changes in the Change Center.
14. Restart the WebLogic service.
Granting WebLogic Administrator Role to the SSO User
1. Log in to the WebLogic Administration Console.
2. Click Security Realms in the Domain Structure.
3. In the Realms list, click the default (active) realm; for example, myrealm.
4. On the settings page, click the Roles and Policies tab.
5. Expand the Global Roles node.
6. Expand the Roles node.
7. Select View Role Conditions for Admin.
8. Click Add Conditions.
9. In the Predicate List, select Group.
10. Click Next.
11. In Group Argument Name, type the group to which bea_sso_ad belongs (here it is wls_users).
12. Click Add.
13. Type Administrators and click Add, so that the built-in Administrators group keeps the role.
14. Click Finish.
Note that every member of wls_users then has full administrative control of the WebLogic domain. If wls_users is going to hold ordinary Workspace users, use a separate and much smaller Active Directory group for this role; the Admin role is not needed to use Workspace.
15. Click Save in the Global Settings window.

Add Kerberos options in Weblogic startup script
You must edit the startup script for your WebLogic domain, for example C:\bea\user_projects\domains\ws_domain\bin\startWebLogic.cmd, to include the following Kerberos options.

set KERB_OPTIONS=-Djava.security.krb5.realm=CERASOFT.COM -Djava.security.krb5.kdc=10.8.5.70 -Djava.security.auth.login.config=E:\bea\krb5Login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Djava.security.krb5.conf=C:\WINNT\krb5.ini
set JAVA_OPTIONS=%JAVA_OPTIONS% %KERB_OPTIONS%

When the server runs as a Windows service it does not read startWebLogic.cmd, so add the same options to the JAVA_OPTIONS line of installSvc.cmd as well and re-install the service.
Enable debugging in Weblogic (Optional)
This is an optional step. If you enable debugging in WebLogic, first increase the log rotation size from 500 KB to 2048 KB:
1. Log in to the WebLogic Administration Console.
2. Click Lock & Edit.
3. Click Servers.
4. Select the server for which you want to change the size.
5. Go to Logging > Rotation file size.
6. Change the size.
7. Click Save and then Activate Changes.
Then enable the security debug flags:
1. Select the Admin server from the summary of servers.
2. Go to the Debug tab.
3. Expand weblogic and then security.
4. Select DebugSecurityAtn, DebugSecurityAtz and DebugSecurity.
5. Click Enable.
6. Activate Changes in the Change Center.
Disable these flags again once SSO works; DebugSecurityAtn logs every authentication attempt in detail.
Deploying Workspace
If you already deployed workspace, then delete workspace from the deployments in WebLogic Administration console.
During the deployment process, specify these options in the Optional Settings page of WebLogic Install Application Assistant. 1. In Security, select Custom Roles and Policies: Use only roles and policies that are defined in the Administration console. 2. In Source accessibility, select I will make the deployment accessible from the following location. 3. In location, enter G:\Hyperion\deployments\WebLogic9\servers\Workspace\webapps\workspace.
Configuring Workspace for SSO

Customizing EPM Workspace Services Configuration Scripts
1. Open settrustedpass.bat in a text editor.
2. Replace occurrences of $J(trustedPass.deploymentHome) with DEPLOYMENT_HOME, where DEPLOYMENT_HOME is the file-system path to the deployed EPM Workspace Web application, e.g. G:\Hyperion\deployments\WebLogic9\servers\Workspace\webapps\workspace.
3. Run the batch file in a Windows command prompt: settrustedp" + "ass.bat. The default initial password is 123456. Enter the new password at the prompt, then re-enter it to confirm. Do change it: the trusted password is what lets Workspace hand an already-authenticated user name to Workspace Core Services, so anyone who knows the default can present any user name as authenticated.

Setting Up Workspace for Single Sign-On
Workspace delegates the handling of external authentication and SSO to Workspace Core Services. To enable this, you must define the trusted password that establishes trust between Workspace and Workspace Core Services.

Configuring Workspace for Single Sign-On
The configuration files involved in SSO are ws.conf (the Workspace SSO configuration file) and tp.conf (the trusted password configuration file).
1. Log in to Workspace.
3. Enter the Trusted Password that was changed in the previous step.
4. Confirm the password.
5. Check Use user's logon credentials for pass-through.
6. Click OK.
8. Start the Workspace Agent UI from Start > Oracle EPM System > Workspace > Utilities and Administration > Start Workspace Agent UI.
10. From the Current View, select Web-Application Configuration.
11. Right-click Workspace Web-Application.
12. Click Properties.
13. Click the User Interface window.
14. From the drop-down, select $REMOTE LOGIN$ for Custom Username Policy.
15. From the drop-down, select $TRUSTEDPASS$ for Custom Password Policy.

Updating JVM Arguments of Workspace
To update the JVM arguments of Workspace:
1. Open the Registry Editor (regedit).
2. Navigate to HKLM\SOFTWARE\Hyperion Solutions\Workspace\HYS9Workspace.
3. Add the following values. All JVMOption values are of type String (REG_SZ); the numbering continues from the last JVMOption already present, so JVMOption12 assumes that the last existing one is JVMOption11.

JVMOption12 = -Djava.security.krb5.realm=CERASOFT.COM
JVMOption13 = -Djava.security.krb5.kdc=10.8.5.70
JVMOption14 = -Djava.security.auth.login.config=E:\bea\krb5Login.conf
JVMOption15 = -Djavax.security.auth.useSubjectCredsOnly=false
JVMOption16 = -Dweblogic.security.enableNegotiate=true
JVMOption17 = -Djava.security.krb5.conf=C:\WINNT\krb5.ini

4. Update JVMOptionCount to the new total, i.e. 17; options beyond the count are ignored.

Adding Policies to workspace deployment
You must create custom policies for the URL patterns specific to the Workspace Web application. Since the application was deployed with Custom Roles and Policies, only policies defined in the console protect it, and only a URL covered by a policy triggers the Negotiate challenge; /index.jsp is the Workspace entry point, which is why it is the one secured here.
To create custom policies:
1. Log in to the WebLogic Administration Console.
2. Click Deployments in the Domain Structure.
3. Select workspace from the summary of deployments.
4. Click the Security tab and go to URL Patterns.
5. Go to Policies.
6. Click New.
7. Enter the URL Pattern as /index.jsp.
8. Select the Provider Name XACMLAuthorizer.
9. Select the newly created policy.
10. Click Add Conditions.
11. In the Predicate List, select Group.
12. Click Next to proceed.
13. In Group Argument Name, type wls_users and click Add.
14. Click Finish.
External Authentication in Hyperion Shared Services
1. Log in to Shared Services.
2. Select Administration > Configure User Directories.
3. Click New.
4. Select Microsoft Active Directory from the list.
5. Click Next to proceed.
6. Type a name for the directory.
7. Enter the Active Directory machine name in the Host Name field.
8. Check whether the port is correct.
9. Click Fetch DNs.
10. Enter the User DN and click Append Base DN. (This user can be an AD administrator or any user who can search for all the Hyperion users; as with the WebLogic authenticator, a read-only service account is the better choice.)
11. Enter the Password.
13. Enter a user name and click Auto Configure.
14. The User RDN and all other attributes will be populated.
15. Click Next to proceed.
16. You can configure MSAD groups in the same way.
17. If you do not want to use MSAD groups, I still recommend configuring a group in MSAD that is only a container and holds no users.
18. Click Finish to complete the external directory configuration.
21. Log in to Shared Services.
22. Expand the newly created user directory.
23. Click Users.
24. Click Search; if the configuration is correct, all the AD users are listed.
Configuring Browser on Client Computers
1. Open Internet Explorer.
2. Select Tools > Internet Options.
3. On the Security tab, select Local intranet.
4. Click Sites.
5. Click Advanced.
6. Type the Workspace server name and click Add.
7. Click OK until you are back at Internet Options.
8. On the Security tab of Internet Options, select Local intranet.
9. Click Custom Level.
10. Under User Authentication, check Automatic logon only in Intranet zone.
11. In the Advanced tab, check that Enable Integrated Windows Authentication is selected.
12. Click OK to finish the settings.
Enter the server name exactly as it appears in the Workspace URL: the browser builds the SPN HTTP/<host> from that host name, and a host outside the Local intranet zone or without Integrated Windows Authentication makes the browser silently fall back to NTLM or to a password prompt instead of sending a Kerberos ticket.
Open Internet Explorer and enter the Workspace URL http://servername/workspace. You will see a window saying "loading".

If your Kerberos authentication is working, you will not see the standard Login screen. If the login screen still appears, the usual causes are: the host name in the URL does not match a registered HTTP/ SPN (use the FQDN in both, or register both forms), the site is not in the Local intranet zone, the server clock differs from the domain controller by more than the permitted skew, or the keytab principal or enctype does not match the account. On the client, run klist after the attempt and check that a ticket for HTTP/servername was issued; on the server, test the keytab directly with the JDK's kinit (kinit -k -t E:\bea\bea.keytab HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM) and read the DebugSecurityAtn output to see what the Negotiate Identity Asserter received.
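The quickest way to tell the causes above apart is to look at the token the browser actually sent in the Authorization: Negotiate header (captured with a debugging proxy or from the DebugSecurityAtn output). The script below, an added example that is not part of this document, decodes that header and reports whether it carries a Kerberos ticket or an NTLM message: a raw NTLM message, or a SPNEGO token whose mechanism list offers only NTLMSSP, means the browser never obtained a service ticket (SPN not matching the URL host, site outside the intranet zone, or no TGT), which the WebLogic asserter cannot validate. The DER helpers are this example's own, and the sample headers are constructed here with placeholder inner tokens rather than captured from a real exchange.

```python
"""Classify the token in an 'Authorization: Negotiate <base64>' header as
Kerberos or NTLM. Added example; not from the original document."""

import base64
from typing import Dict, List, Tuple

OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"      # Microsoft Kerberos OID, listed first by IE
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_OIDS = {OID_KRB5, OID_MS_KRB5}


def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body


def _oid(dotted: str) -> bytes:
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:                  # base-128 with continuation bits
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def _oid_decode(body: bytes) -> str:
    parts, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))


def _tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read the DER TLV at pos; return (tag, body, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def build_spnego_init(mech_oids: List[str], mech_token: bytes) -> bytes:
    """GSS InitialContextToken around a NegTokenInit ([0] mechTypes, [2] mechToken)."""
    mech_types = _der(0xA0, _der(0x30, b"".join(_oid(o) for o in mech_oids)))
    neg_init = _der(0x30, mech_types + _der(0xA2, _der(0x04, mech_token)))
    return _der(0x60, _oid(OID_SPNEGO) + _der(0xA0, neg_init))


def spnego_mech_types(neg_token: bytes) -> List[str]:
    """Return the mechanism OIDs offered in a NegTokenInit, in preference order."""
    tag, inner, _ = _tlv(neg_token)             # [0] NegTokenInit
    if tag != 0xA0:
        return []
    _, seq, _ = _tlv(inner)                     # SEQUENCE { [0] mechTypes, ... }
    pos, mechs = 0, []
    while pos < len(seq):
        tag, elem, pos = _tlv(seq, pos)
        if tag == 0xA0:                         # [0] mechTypes: SEQUENCE OF OID
            _, lst, _ = _tlv(elem)
            p = 0
            while p < len(lst):
                t, body, p = _tlv(lst, p)
                if t == 0x06:
                    mechs.append(_oid_decode(body))
            break
    return mechs


def classify_negotiate(header_value: str) -> Dict[str, object]:
    """header_value is the base64 text after 'Negotiate ' in the Authorization header."""
    raw = base64.b64decode(header_value)
    if raw.startswith(b"NTLMSSP\x00"):
        return {"kind": "ntlm", "mechs": [], "note": "raw NTLM message; no Kerberos ticket was sent"}
    tag, body, _ = _tlv(raw)
    if tag != 0x60:
        return {"kind": "unknown", "mechs": [], "note": "not a GSS-API InitialContextToken"}
    otag, oid_body, rest = _tlv(body)
    mech = _oid_decode(oid_body) if otag == 0x06 else ""
    if mech in KERBEROS_OIDS:
        return {"kind": "kerberos", "mechs": [mech], "note": "raw Kerberos AP-REQ"}
    if mech != OID_SPNEGO:
        return {"kind": "unknown", "mechs": [mech], "note": "unexpected mechanism"}
    mechs = spnego_mech_types(body[rest:])
    if not mechs:
        return {"kind": "unknown", "mechs": [], "note": "SPNEGO token without mechTypes"}
    if mechs[0] in KERBEROS_OIDS:
        return {"kind": "kerberos", "mechs": mechs, "note": "SPNEGO with Kerberos preferred"}
    return {"kind": "ntlm", "mechs": mechs,
            "note": "SPNEGO offering NTLM first: the browser had no service ticket for this host"}


# Constructed samples; the inner mechToken bytes are placeholders, not real tickets.
GOOD_HEADER = base64.b64encode(build_spnego_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], b"\x60\x00")).decode()
FALLBACK_HEADER = base64.b64encode(build_spnego_init([OID_NTLMSSP], b"NTLMSSP\x00\x01\x00\x00\x00")).decode()
RAW_NTLM_HEADER = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(20)).decode()

if __name__ == "__main__":
    for header in (GOOD_HEADER, FALLBACK_HEADER, RAW_NTLM_HEADER):
        print(classify_negotiate(header))
```

A "kerberos" result with the login form still showing points at the server side (keytab, enctype, provider order); an "ntlm" result points at the client side (SPN, zone, clock) and no amount of WebLogic configuration will fix it, because the Negotiate Identity Asserter only understands Kerberos.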