Enable Kerberos (SSO) with Workspace 11.1.1.3 on WebLogic 9.

2 MP3 & Apache HTTP Server

Celvin Kattookaran

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

Table of Contents
Purpose................................................................................................................................3 Prerequisites.......................................................................................................................4 Join the Kerberos realm...................................................................................................7 Configuring the Active Directory Machine for Kerberos..............................................8 Create SSO Group in Active Directory...........................................................................8 Create SSO Group in Active Directory.........................................................................10 Creating Active Directory user which will be used as Kerberos Service Principal.......14 Mapping Local User to SPN..........................................................................................17 Creating krb5.ini............................................................................................................17 Add Weblogic Admin Server as a Windows Service....................................................19 Configuring the WebLogic Machine for Kerberos.......................................................20 Create Service Principal Name and Keytab File............................................................20 Check which SPNs are associated with the user............................................................22 Creating the JAAS Configuration File...........................................................................22 Create Active Directory Authenticator in WebLogic Security Realm..........................23 Change the control flag of DefaultAuthenticator...........................................................29 Check the active directory authenticator........................................................................29 Configure Negotiate Identity Asserter...........................................................................30 Reordering the Authentication providers.......................................................................32 Granting WebLogic Administrator Role to the SSO User.............................................33 Add Kerberos options in Weblogic startup script..........................................................35 Enable debugging in Weblogic (Optional)....................................................................35 Deploying Workspace......................................................................................................37 Configuring Workspace for SSO....................................................................................39 Customizing EPM Workspace Services Configuration Scripts.....................................39 Setting Up Workspace for Single Sign-On....................................................................39 Configuring Workspace for Single Sign-On..................................................................39 Updating JVM Arguments of Workspace......................................................................44 Adding Policies to workspace deployment....................................................................45 External Authentication in Hyperion Shared Services................................................48 Configuring Browser on Client Computers..................................................................53

2|Page

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

Purpose
The purpose of this document is to describe the procedure that enables Oracle Hyperion Workspace, Fusion Edition V.11.1.1 for Windows Single Sign. In other words Windows logon using the Kerberos realm provides for transparent Workspace access. Once the user logs into to his computer (which is in his organization’s domain) he won’t be asked for a Workspace login.

3|Page

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

Prerequisites
1. Have all machines into same time zone, time and date. It applies also to all clients. 2. Make sure server the connectivity is setup upon static IP and manual DNS IP's. Spotless DNS configuration for both forward & reverse resolution is fundamental to reliable Kerberos setup. 3. Test nslookup using forward & reverse resolution. 4. Test "dcdiag /s:ADmachine". Any error must be corrected before to proceed.
C:\Documents and Settings\Administrator.CELVIN-AD>dcdiag /s:CELVIN-AD.CERASOFT.com Domain Controller Diagnosis Performing initial setup: Done gathering initial info. Doing initial required tests Testing server: Default-First-Site-Name\CELVIN-AD Starting test: Connectivity ......................... CELVIN-AD passed test Connectivity Doing primary tests Testing server: Default-First-Site-Name\CELVIN-AD Starting test: Replications ......................... CELVIN-AD passed test Replications Starting test: NCSecDesc ......................... CELVIN-AD passed test NCSecDesc Starting test: NetLogons ......................... CELVIN-AD passed test NetLogons Starting test: Advertising ......................... CELVIN-AD passed test Advertising Starting test: KnowsOfRoleHolders ......................... CELVIN-AD passed test KnowsOfRoleHolders Starting test: RidManager ......................... CELVIN-AD passed test RidManager Starting test: MachineAccount ......................... CELVIN-AD passed test MachineAccount Starting test: Services ......................... CELVIN-AD passed test Services Starting test: ObjectsReplicated ......................... CELVIN-AD passed test ObjectsReplicated Starting test: frssysvol ......................... CELVIN-AD passed test frssysvol Starting test: frsevent ......................... CELVIN-AD passed test frsevent Starting test: kccevent ......................... CELVIN-AD passed test kccevent Starting test: systemlog ......................... CELVIN-AD passed test systemlog Starting test: VerifyReferences

4|Page

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

......................... CELVIN-AD passed test VerifyReferences Running partition tests on : ForestDnsZones Starting test: CrossRefValidation ......................... ForestDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom ......................... ForestDnsZones passed test CheckSDRefDom Running partition tests on : DomainDnsZones Starting test: CrossRefValidation ......................... DomainDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom ......................... DomainDnsZones passed test CheckSDRefDom Running partition tests on : Schema Starting test: CrossRefValidation ......................... Schema passed test CrossRefValidation Starting test: CheckSDRefDom ......................... Schema passed test CheckSDRefDom Running partition tests on : Configuration Starting test: CrossRefValidation ......................... Configuration passed test CrossRefValidation Starting test: CheckSDRefDom ......................... Configuration passed test CheckSDRefDom Running partition tests on : CERASOFT Starting test: CrossRefValidation ......................... CERASOFT passed test CrossRefValidation Starting test: CheckSDRefDom ......................... CERASOFT passed test CheckSDRefDom Running enterprise tests on : CERASOFT.com Starting test: Intersite ......................... CERASOFT.com passed test Intersite Starting test: FsmoCheck ......................... CERASOFT.com passed test FsmoCheck

5. The whole steup is under the assumption that workspace is deployed manually. 6. If you wish you can raise the functional level of your Active directory to Windows 2003. (I would recommend to do so, since I’ve working setup.) • Login to Active Directory User and Computers (Start Administrative Tools Active Directory User and Computers) Right click on your Domain  Raise Domain Functional Level.

5|Page

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

You’ll get a confirmation window. Click “OK”

7.

Install Windows 2003/2000 Support tools, we will be using • ksetup configures client to use a Kerberos V5 realm instead of a Windows Server 2003 domain • ktpass configures service as Kerberos principal, generates keytab file that contains service principal & key • setspn manipulates Service Principal Name (SPN) for an AD service account • ldifde which export the Active directory content (LDIF directory exchange)

Download Windows 2000 Service Pack 4 Support Tools from
http://www.microsoft.com/downloadS/details.aspx?FamilyID=f08d28f3-b835-4847b810-bb6539362473&displaylang=en

6|Page

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

Download Windows Server 2003 Service Pack 2 32-bit Support Tools from
http://www.microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D939B-9A772EA2DF90&displaylang=en

8.

Install Resource Kit Tools for troubleshooting Kerberos • kerbtray to view the tickets • klist to list and purge tickets (this utility comes with JRE also but with different options)

Download Windows 2000 Resource Kit Tools for administrative tasks from
http://support.microsoft.com/kb/927229

Join the Kerberos realm To join the Kerberos realm you can use ksetup
C:\Documents and Settings\Administrator.CELVIN-AD>ksetup /addkdc CERASOFT.COM CELVIN-AD.CERASOFT.COM

where you enter the Kerberos realm name (capitalized) and the FQDN name of the KDC machine. To see the Kerberos state use /dumpstate switch with ksetup.
C:\Documents and Settings\Administrator.CELVIN-AD>ksetup /dumpstate default realm = CERASOFT.com (NT Domain) CERASOFT.COM: kdc = CELVIN-AD.CERASOFT.COM Realm Flags = 0x0 none No user mappings defined. Note: This step is mainly used if your KDC is a non AD KDC or a UNIX based KDC.

It works also if you use ksetup for an Active Directory KDC but it is not required if you join the machines to the domain. After adding the machine to a Kerberos realm this value is stored in the registry.
HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Domains

7|Page

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

Configuring the Active Directory Machine for Kerberos.
Create SSO Group in Active Directory Create a group called wls_users (this group will hold all the WebLogic users) 1. Open the Active Directory console. (Start Administrative Tools Active Directory User and Computers) 2. Expand the node representing the Active Directory Domain Controller; for example, CERASOFT.com. 3. Right Click Users, then select New, and then Group.

8|Page

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

4. Enter the Group Name as wls_users. 5. Please make sure that the Group Scope is “Global” and Group Type is “Security” 6. Click OK.

9|Page

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

Create SSO Group in Active Directory Create a user called “bea_sso_ad” 1. 2. Follow the steps to open up Active Directory Console. Right Click Users, then select New, User

10 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

3.

Enter the User Name as bea_sso_ad.

4. 5. 6.

Uncheck User must change password at next logon. Check Password never expires. Click Next to proceed with the user creation.

11 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

7.

Add SSO user to SSO group. a. Double click the user bea_sso_ad or right click Properties

b. c. d.

Open the “Member of” tab and click Add. Type the group name as wls_users. Click Check Names, click OK to add the group.

12 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

Setup additional user properties for WebLogic user

13 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

e. f. g.

Click on the Account Tab of bea_sso_ad Select the Use DES encryption types for this account option. Please make sure that Do not require Kerberos preauthentication remains unchecked.

Creating Active Directory user which will be used as Kerberos Service Principal Create domain AD user "CELVIN-AD_WLS" (Server name_WLS) that will map to the Kerberos Service Principal.

1. 2. 3.

Follow the steps to create new user in active directory. Add the user (CELVIN-AD_WLS) to “Users” group. Follow the steps to add a user to a group.

14 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

4.

Setup Additional user properties for SPN (Service Principal Name) user.

15 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

a. b. c. d.

Click on the Account Tab of bea_sso_ad Select the Use DES encryption types for this account option. Select Account is trusted for delegation option. Select Do not require Kerberos preauthentication option.

5. Trust the user for delegation. You’ll get the delegation tab only if you are in Windows 2003 functional level. a. Trust this user for delegation to any service (Kerberos only).

16 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

Mapping Local User to SPN Use ksetup to map the SPN user to a local user.
E:\Program Files\Support Tools>ksetup /MapUser CELVINAD_WLS@CERASOFT.com Administrator E:\Program Files\Support Tools>ksetup default realm = CERASOFT.com (NT Domain) Mapping CELVIN-AD_WLS@CERASOFT.com to Administrator.

Creating krb5.ini The Kerberos configuration properties, krb5.ini, must be configured on every WebLogic Application Server instance in a cell in order to use the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for WebLogic Application Server. Create krb5.ini in C\WINNT and C:\Windows as following.
[libdefaults] default_realm = CERASOFT.COM default_tkt_enctypes = des-cbc-crc default_tgs_enctypes = des-cbc-crc ticket_lifetime = 600 kdc_timesync = 1 ccache_type = 4 clockskew = 1200 [realms] CERASOFT.COM = { kdc = 10.8.5.70 admin_server = CELVIN-AD.CERASOFT.com default_domain = CERASOFT.com } [domain_realms] cerasoft.com = CERASOFT.COM .cerasoft.com = CERASOFT.COM [appdefaults] autologin = true forward = true forwardable = true encrypt = true

17 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

kinit is used to obtain and cache Kerberos ticket-granting tickets.
E:\bea\jdk150_12\bin>kinit -J-Dsun.security.krb5.debug=true -k -t e:\bea\bea.keytab HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM Config name: c:\winnt\krb5.ini >>>KinitOptions cache name is C:\Documents and Settings\Administrator.CELVINAD\ krb5cc_Administrator Principal is HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM >>> Kinit using keytab >>> Kinit keytab file name: e:\bea\bea.keytab >>> KeyTabInputStream, readName(): CERASOFT.COM >>> KeyTabInputStream, readName(): HTTP >>> KeyTabInputStream, readName(): CELVIN-AD.CERASOFT.com >>> KeyTab: load() entry length: 67; type: 1 Added key: 1version: 5 Ordering keys wrt default_tkt_enctypes list default etypes for default_tkt_enctypes: 23 16 1 3. 0: EncryptionKey: keyType=1 kvno=5 keyValue (hex dump)= 0000: 29 80 E5 E5 61 D3 94 B6 >>> Kinit realm name is CERASOFT.COM >>> Creating KrbAsReq >>> KrbKdcReq local addresses for CELVIN-AD are: CELVIN-AD/10.8.5.70 IPv4 address default etypes for default_tkt_enctypes: 23 16 1 3. >>> KrbAsReq calling createMessage >>> KrbAsReq in createMessage >>> Kinit: sending as_req to realm CERASOFT.COM >>> KrbKdcReq send: kdc=10.8.5.70 UDP:88, timeout=30000, number of retries =3, # bytes=181 >>> KDCCommunication: kdc=10.8.5.70 UDP:88, timeout=30000,Attempt =1, #bytes=181 >>> KrbKdcReq send: #bytes read=663 >>> KrbKdcReq send: #bytes read=663 >>> reading response from kdc >>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType >>>crc32: 2931d8b0 >>>crc32: 101001001100011101100010110000 >>> KrbAsRep cons in KrbAsReq.getReply HTTP/CELVIN-AD.CERASOFT.com New ticket is stored in cache file C:\Documents and Settings\Administrator.CELVI N-AD\krb5cc_Administrator

You can use the kerbtray and klist utilites to list the tickets stored. 18 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

Add Weblogic Admin Server as a Windows Service.
In order to to install the Admin Server as a Windows service we make use of installSvc.cmd supplied with Weblogic. (Default location is %BEA_HOME%\weblogic92\server\bin). Create a bat script called createSvc.cmd with the following commands and save it to C:\
SETLOCAL set JAVA_HOME=E:\bea\jdk150_12 set JAVA_VENDOR=Sun set DOMAIN_NAME=Hyperion set USERDOMAIN_HOME=E:\bea\user_projects\domains\Hyperion set SERVER_NAME=AdminServer set WLS_USER=hyperion set WLS_PW=hyperion set MEM_ARGS=-Xms128m -Xmx256m cd %USERDOMAIN_HOME% call %USERDOMAIN_HOME%\bin\setDomainEnv.cmd call "E:\bea\weblogic92\server\bin\installSvc.cmd" ENDLOCAL

If you would like the System Out messages and System Error messages in separate log files add this line (shown in blue) to installSvc.cmd right after the line set WL_HOME=E:\bea\weblogic92
set JAVA_OPTIONS=Dweblogic.Stdout="E:\bea\user_projects\domains\Hyperion\logs\StdOut.log" Dweblogic.Stderr="E:\bea\user_projects\domains\Hyperion\logs\StdErr.log" %JAVA_OPTIONS%

If you wish to change the name of the service edit the portion in installSvc.cmd
-svcname:"beasvc %DOMAIN_NAME%_%SERVER_NAME%" Eg -svcname:"BEA Weblogic %DOMAIN_NAME%_%SERVER_NAME%"

Service will be created as BEA Weblogic Hyperion_AdminServer.

19 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

Configuring the WebLogic Machine for Kerberos.
Create Service Principal Name and Keytab File
Note: This procedure should be performed on the machine that hosts the WebLogic server; for example, on your Workspace server.

The service principal name and keytab file are used to provide SSO between the browser and WebLogic SPNEGO filters. A keytab is a file that contains pairs of Kerberos principals and DESencrypted keys derived from the Kerberos password. It is used to log into Kerberos without being asked again for a username and password.
The keytab file is computer-independent. You can copy it from one computer to another. It is better to have a global keytab file. Note: Ensure the SPN is created using the fully qualified domain name (FQDN) of the WebLogic server.

1. Update the path setting of WebLogic server to include Windows Support tools installed path. 2. Open a command promt. 3. Type ktpass -princ HTTP/CELVINAD.CERASOFT.com@CERASOFT.COM -DesOnly -out E:\bea\bea.keytab -pass p@ssw0rd -mapuser CELVIN-AD_WLS -crypto DES-CBC-CRC After the execution of the command you’ll see a similar message. Ignore the warning, else if you want to add a ptype then add another switch as -ptype KRB5_NT_PRINCIPAL to the ktpass command.
C:\Documents and Settings\Administrator.CELVIN-AD>ktpass -princ HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM -DesOnly -out E:\bea\bea.keytab -pass p@ssw0rd -mapuser Celvin-AD_WLS -crypto DES-CBCCRC Targeting domain controller: CELVIN-AD.CERASOFT.com Using legacy password setting method Successfully mapped HTTP/CELVIN-AD.CERASOFT.com to CELVIN-AD_WLS. WARNING: pType and account type do not match. This might cause problems. Key created. Output keytab to E:\bea\bea.keytab: Keytab version: 0x502 keysize 67 HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM ptype 0 (KRB5_NT_UNKNOWN) vno 3 etype 0x1 (DES-CBC-CRC) keylength 8 (0x2980e5e561d394b6)

20 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

After the setting up the keytab the logon name for SPN user should change to HTTP/servername

4. You can add additional service principals using setspn utility. Use setspn –a servicename/servername user
E:\Program Files\Support Tools>setspn -a HTTP/CELVIN-AD CELVIN-AD_WLS Registering ServicePrincipalNames for CN=CELVINAD_WLS,CN=Users,DC=CERASOFT,DC=com HTTP/CELVIN-AD Updated object

21 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

Check which SPNs are associated with the user.

You can use setspn utility, ldifde and ADSI edit utility to check the SPNs
C:\Documents and Settings\Administrator.CELVIN-AD>setspn -l CELVIN-AD_WLS Registered ServicePrincipalNames for CN=CELVINAD_WLS,CN=Users,DC=CERASOFT,DC=co m: HTTP/CELVIN-AD HTTP/CELVIN-AD.CERASOFT.com

Use LDIFDE to check which all entires are associated with host/http/HTTP string
C:\Documents and Settings\Administrator.CELVIN-AD>ldifde -f c:\spn_out.txt -d "DC=CERASOFT,DC=com" -l serviceprincipalname -r "(serviceprincipalname=*CELVIN-AD*)" -p subtree Connecting to "CELVIN-AD.CERASOFT.com" Logging in as current user using SSPI Exporting directory to file c:\spn_out.txt Searching for entries... Writing out entries. 1 entries exported The command has completed successfully Eg: Entry from spn_out.txt dn: CN=CELVIN-AD_WLS,CN=Users,DC=CERASOFT,DC=com changetype: add servicePrincipalName: HTTP/CELVIN-AD.CERASOFT.com

Creating the JAAS Configuration File The JAAS login configuration file identifies the system properties and login modules that direct WebLogic server to allow Kerberos authentication to occur.
com.sun.security.jgss.initiate { com.sun.security.auth.module.Krb5LoginModule required principal="HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM" useKeyTab=true keyTab="E:\\bea\\bea.keytab" storeKey=true debug=true; };

22 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

com.sun.security.jgss.accept { com.sun.security.auth.module.Krb5LoginModule required principal="HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM" useKeyTab=true keyTab="E:\\bea\\bea.keytab" storeKey=true debug=true; }; com.sun.security.jgss.krb5.accept { com.sun.security.auth.module.Krb5LoginModule required principal="HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM" useKeyTab=true keyTab="E:\\bea\\bea.keytab" storeKey=true debug=true; };

Save the file as BEA_HOME\krb5login.conf. Create Active Directory Authenticator in WebLogic Security Realm WebLogic security realm is a container for the users, groups, security policies, roles and providers that are used to protect WebLogic resources. We should create an active directory authenticator so that Active Directory users can access WebLogic.

1.

Login to WebLogic Domain.

23 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

2.

Select Security Realms from the Domain Structure.

3. 4.

Click Lock & Edit to make changes. Select myrealm, the default WebLogic realm.

24 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

5. 6.

Click on Providers Tab. Click New to add a new authenticator.

7. 8.

Type the name as ADName-AuthN Select Type as ActiveDirectoryAuthenticator.

Eg: CeraSoftAD-AuthN

9. Click OK to proceed.

25 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

10. 11. 12. 13.

Select the newly created provider from the summary list. Click on Common in the Configuration tab. Change the Control Flag to OPTIONAL. Click on Provider Specific tab

14. Change the Group Base DN to reflect your Active directory. This should be the Distinguished Name (DN) of the group to which the bea_sso_ad user belongs. For example, if the bea_sso_ad user belongs to the CERASOFT.COM/Users group, enter CN=Users,DC=CERASOFT,DC=com. 15. Change the User Name Attribute to sAMAccountName, by default cn is selected. I would recommend to use sAMAccountName for MSAD. 26 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

16. Enter the Host name of Active Directory Machine.

17. Replace cn in the User From Name filter to sAMAccountName. 18. Replace cn in the Group From Name filter to sAMAccountName

27 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

19. In User Base DN, enter the DN of the LDAP directory tree that contains users. For example, if users are defined in CERASOFT.COM/Users group, enter CN=Users,DC=CERASOFT,DC=com. 20. Check whether the active directory port is set correctly. 21. In Principal, enter the DN of the user (usually the Active Directory administrator) so that WebLogic canuse to connect to the Active Directory. For example, CN=Administrator, CN=Users,DC=CERASOFT,DC=com 22. Enter the Credential and confirm it. 23. Click Save to continue.

28 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

Change the control flag of DefaultAuthenticator

a. Select DefaultAuthenticator from the summary of providers. b. Change the control flag to OPTIONAL. 24. Click on Activate Changes. 25. Restart the WebLogic service. Check the active directory authenticator 1. 2. 3. 4. 5. Log on to the WebLogic Server Administration Console. In Domain Structure, click Security Realms. Summary of Security Realms opens. In Realms, click the default (active) realm; for example, myrealm In the settings page, select the Users and Groups tab.

29 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

6.

Verify whether active directory users are listed.

Configure Negotiate Identity Asserter The Negotiate Identity Assertion provider enables single sign-on (SSO) with Microsoft clients. The identity assertion provider decodes Simple and Protected Negotiate (SPNEGO) tokens to obtain Kerberos tokens, validates the Kerberos tokens, and maps Kerberos tokens to WebLogic users. The Negotiate Identity Assertion provider utilizes the Java Generic Security Service (GSS) Application Programming Interface (API) to accept the GSS security context via Kerberos. 1. 2. 3. 4. 5. 6. Login to WebLogic Domain. Select Security Realms from the Domain Structure. Click Lock & Edit to make changes. Select myrealm, the default WebLogic realm. Click on Providers Tab. Click New to add a new authenticator.

30 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

7. 8.

Type the name as ADName-Neg_ID_Asserter Select the Type as NegotiateIdentityAsserter.

Eg. CeraSoftAD-Neg_ID_Asserter

9. Click on Provider Specific tab. 10. Uncheck Form Based Negotiation Enabled.

31 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

Reordering the Authentication providers

11. Click Reorder in the Authentication providers. 12. In the reorder page move Active directory authenticator to first, Negotiate Identity Asserter as second, DefaultAuthenticator as third, DefaultIdentityAsserter as foruth.

13. Click Activate Changes in the change center. 14. Restart the WebLogic service. 32 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

Granting WebLogic Administrator Role to the SSO User

1. 2. 3. 4. 5. 6. 7.

Login to WebLogic Administration console. Click Security Realms from Domain Structure. In the Realms list, click the default (active) realm; for example, myrealm. On the settings page, click the Roles and Policies tab. Expand the Global Roles node. Expand the Roles node. Select View Role Conditions for Admin.

33 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

8.

Click Add conditions.

9. In predicate list select Group. 10. Click Next to proceed.

11. In group argument name type the group to which bea_sso_ad belongs (here it is wls_users). 12. Click Add 13. Type Administrators and Click add to add Administrators group. 14. Click Finish 34 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

15. Click Save in the Global Settings Window. Add Kerberos options in Weblogic startup script You must edit the startup script for your WebLogic domain; for example, C:\bea \user_projects\domains\ws_domain\bin\startWeblogic.cmd, to include the following Kerberos options.
set KERB_OPTIONS=-Djava.security.krb5.realm=CERASOFT.COM -Djava.security.krb5.kdc=10.8.5.70 -Djava.security.auth.login.config=E:\bea\krb5Login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Djava.security.krb5.conf=C:\WINNT\krb5.ini set JAVA_OPTIONS=%JAVA_OPTIONS% %KERB_OPTIONS%

Enable debugging in Weblogic (Optional) This is an optional step, if you are enabling debugging in WebLogic; please increase the log rotation size from 500 KB to 2048 KB 1. 2. 3. 4. Login to Weblogic Administration console. Click on Lock & edit Click on Servers Select the server for which you want to change the size.

35 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

5. Go to Logging Rotation file size. 6. Change size there. 7. Click on Save and click Activate Change

1. Select Admin server from the summary of servers. 2. Go the Debug tab. 3. Expand weblogic and security.

4. Select DebugSecurityAtn, DebugSecurityAtz, DebugSecurity. 5. Click Enable. 6. Activate Changes in Change Center. 36 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

Deploying Workspace
If you already deployed workspace, then delete workspace from the deployments in WebLogic Administration console.

Navigate to the expanded workspace directory, here it is
G:\Hyperion\deployments\WebLogic9\servers\Workspace\webapps

37 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

During the deployment process, specify these options in the Optional Settings page of WebLogic Install Application Assistant. 1. In Security, select Custom Roles and Policies: Use only roles and policies that are defined in the Administration console. 2. In Source accessibility, select I will make the deployment accessible from the following location. 3. In location, enter G:\Hyperion\deployments\WebLogic9\servers\Workspace\webapps\workspace.

38 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

Configuring Workspace for SSO
Customizing EPM Workspace Services Configuration Scripts EPM Workspace Services include scripts that can be launched interactively to configure various part of the system. When the Manual option is selected during EPM Workspace deployment, the DEPLOYMENT_HOME variable declarations must be manually defined in %HYPERION_HOME %/products/Foundation/workspace/bin/settrustedpass.bat|sh To declare the variable declarations: 1. In a text editor, open:
%HYPERION_HOME%/products/Foundation/workspace/bin/settrustedpass.bat

2. Replace occurrences of the $J(trustedPass.deploymentHome) with DEPLOYMENT_HOME where DEPLOYMENT_HOME is the file-system path to the deployed EPM Workspace Web application.
eg. G:\Hyperion\deployments\WebLogic9\servers\Workspace\webapps\workspace

Run the bat file in Windows CMD: settrustedpass.bat Default initial password is: 123456 Enter new password at the prompt Re-enter the new Trusted Password Setting Up Workspace for Single Sign-On Workspace delegates the process of handling external authentication and SSO to Workspace Core Services. To enable this process, you must define the trusted password that is used to establish trust between Workspace and Workspace Core Services. Configuring Workspace for Single Sign-On The configuration file which help in SSO are • ws.conf (Workspace SSO configuration file) • tp.conf (trusted password configuration file) 39 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

These files are located, for example,
G:\Hyperion\deployments\WebLogic9\servers\Workspace\webapps\workspace\WEBINF\config.

SSO settings you define are used by Workspace CMC console.

1.

Login to Workspace.

2. 40 | P a g e

Navigate  Administer  Authentication

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

3. 4. 5. 6.

Enter the Trusted Password that we changed in the previous step. Confirm the password Check Use user’s logon credentials for pass-through. Click OK

7.

To change the SSO configuration we need to login to CMC console.

41 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

8. Start Workspace Agent UI from "Start"  "Oracle EPM System"  "Workspace"  "Utilities and Administration"  "Start Workspace Agent UI"

9. To launch CMC login to workspace and go to Navigate  Administer  Configuration Console

42 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

10. From the Current View select Web-Application Configuration. 11. Right Click on Workspace Web-Application. 12. Click properties.

13. Click on the User Interface window. 14. From the drop down, select $REMOTE LOGIN$ for Custom Username Policy.

43 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

15. From the drop down, select $TRUSTEDPASS$ for Custom Password Policy. Updating JVM Arguments of Workspace To update JVM arguments of Workspace. 1. Login to registry.

44 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

2. Navigate to HKLM\SOFTWARE\Hyperion Solutions\Workspace\HYS9Workspace 3. Add the following keys to the registry. 4. All JVMOptions are of type String. JVMOption12 – assuming that the last JVMOption in the registry is JVMOption11.
JVMOption12 = -Djava.security.krb5.realm=CERASOFT.COM JVMOption13 = -Djava.security.krb5.kdc=10.8.5.70 JVMOption14 = -Djava.security.auth.login.config=E:\bea\krb5Login.conf JVMOption15 = -Djavax.security.auth.useSubjectCredsOnly=false JVMOption16 = -Dweblogic.security.enableNegotiate=true JVMOption17 = -Djava.security.krb5.conf=C:\WINNT\krb5.ini

Update the JVMOptionCount to reflect the new number i.e. 17 Adding Policies to workspace deployment. You must create custom policies for the URL patterns specific to Workspace Web application.

To create custom polices 1. 2. 3. 4. 45 | P a g e Login to WebLogic Administration console. Click on Deployment from Domain Structure. Select workspace from the summary of deployments. Click on Security tab and go to URL Patterns

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

5.

Go to Policies

6. 7. 8.

Click New. Enter the URL Pattern as /index.jsp Select the Provider Name as XACMLAuthorizer.

9. 10. 11. 12. 46 | P a g e

Select the newly created policy. Click Add Conditions. In Predicate List select Group Click Next to proceed.

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

13. In group argument name type wls_users and click Add. 14. Click Finish.

47 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

External Authentication in Hyperion Shared Services
In order to use SSO we must provision MSAD users, so that they can use Hyperion products. 1. Login to Shared Services using URL http://localhost:28080/interop/

2. 48 | P a g e

Go to Administration  Configure User Directories.

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

3.

Click Add to create a new directory.

4. 5.

Select Microsoft Active Directory from the given list. Click Next to proceed.

49 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

6. 7. 8. 9.

Type a name for the directory. Enter the Active Directory Machine name in the Host Name field. Check whether the port is correct or not. Click on Fetch DNs

10. Enter the User DN and click on Append Base DN. (This user can be an AD Administrator or a User who can search for all the Hyperion users) 11. Enter Password. 50 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

12. Click Next to proceed.

13. Enter a user name and click Auto Configure 14. User RDN and all other attributes will be populated. 15. Click Next to proceed.

16. You can configure MSAD groups also in the similar way. 51 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

17. If you don’t want to use MSAD groups, I would recommend still configuring a group in MSAD where that group is the only container and it doesn’t have any users. 18. Click Finish to finish the external directory configuration.

19. Click OK 20. Restart Shared Services.

52 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

21. Login to Shared Services. 22. Expand the newly created user directory. 23. Click on Users.

24. Click Search and it should populate all the AD users if the configuration is correct.

Configuring Browser on Client Computers
Browsers used to access Hyperion products should be configured for Integrated Windows Authentication. You must use a browser that is capable of handling SPNEGO protocol. Internet Explorer 6 or later. 1. Login to Client Machine as an ordinary Hyperion user. 2. Start a browser session. 3. Select Tools, and then Internet Options

53 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

4. Click on Sites to add the intranet site.

5. Click on Advanced. 54 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

6. Type in the Workspace server name and click add. 7. Click OK till we come back to the Internet Options.

55 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

8. Select Security in the Internet Options, select Local Intranet. 9. Click on Custom Level 10. In User Authentication, check Automatic logon only in Intranet zone.

11. In the advanced Tab, check whether Enable Integrated Windows Authentication is checked or not. 12. Click OK to finish the settings.

\

56 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

Open up internet explorer and type in the workspace URL http://servername/workspace. You’ll see a similar window, saying loading.

If your Kerberos authentication is working you’ll not see the standard Login screen.

57 | P a g e

Enable Kerberos (SSO) with Workspace 11.1.1.3 on Weblogic 9.2 MP3 & Apache HTTP Server

Instead you’ll be logged in without asking for a username and password!!!!!!!

58 | P a g e