Friday, May 28, 2010

WebLogic Single Sign On - Kerberos Authentication

Objective

Users should be able to access J2EE applications deployed on the intranet without being prompted to log in, as long as the user is logged into a Windows domain. The following is based on how this was implemented in my last project.

System Configuration

WebLogic Portal 10.3, JDK 1.6, RHEL Server, Windows XP and Windows 7 clients.

Understanding Kerberos concepts

Kerberos Explained

Kerberos Configuration on WebLogic Host


The Java GSS (Generic Security Services) API requires an entry for each domain (Kerberos realm) in the Kerberos configuration file, indicating the key distribution center (KDC). The Kerberos config file can be found here:
Red Hat Enterprise Linux (RHEL): /etc/krb5.conf
Windows: c:/windows/krb5.ini

Add the following entry for each domain under the [realms] section.

  [realms]
   mydomain.com = {
    kdc=xxx.xxx.xxx.xxx
   }


Setup Kerberos identification for WebLogic Server


Create User Account

Create a user account in Active Directory for the host computer on which WebLogic Server is running, for example ad_account.

Setup SPN
  • Create a Service Principal Name (SPN) for the above account using the following command.
             setspn -a HTTP/HostName[:port] UserAccount

            Example:

             setspn -a HTTP/myhost.mydomain.com ad_account
  • To list the SPNs associated with your account, use the following command.
            setspn -l UserAccount

            Example:

            setspn -l ad_account@mydomain.com

Note: the setspn utility is not available on Windows XP by default; it is part of the Windows Support Tools.

Generate Keytab
  • Generate a keytab using the following command.
            ktab -k KEYTAB-FILE -a UserAccount

            Example:

            ktab -k myhost.keytab -a ad_account@mydomain.com

  • Copy the keytab file generated in the previous step onto WebLogic domain home directory.
  • Run the kinit tool as follows to verify that the keytab works (optional, for verification purposes). Note that -k takes no argument; the keytab file is given with -t and the principal follows.
           kinit -k -t KEYTAB-FILE UserAccount

           Example:

           kinit -k -t myhost.keytab ad_account@mydomain.com

* On Linux this command produces no output when it succeeds.

Note: ktab and kinit are JDK utilities that ship only with the Windows JDK distribution. On Linux, the equivalent tools from any standard Kerberos implementation can be used.

Setup Kerberos on Application Server

Create JAAS login file
  • Create a JAAS login configuration file directly under the domain directory, for example krb5.conf (this is the file referenced by -Djava.security.auth.login.config in the startup arguments; it is not the Kerberos config file of the same name). Here is a sample file.
JDK 1.6

  com.sun.security.jgss.krb5.initiate {
   com.sun.security.auth.module.Krb5LoginModule required
   principal="USER_ACCOUNT@DOMAIN" useKeyTab=true
   keyTab=KEYTAB_NAME storeKey=true debug=true;
  };

  com.sun.security.jgss.krb5.accept {
   com.sun.security.auth.module.Krb5LoginModule required
   principal="USER_ACCOUNT@DOMAIN" useKeyTab=true
   keyTab=KEYTAB_NAME storeKey=true debug=true;
  };


JDK 1.5 and JDK 1.4

  com.sun.security.jgss.initiate {
   com.sun.security.auth.module.Krb5LoginModule required
   principal="USER_ACCOUNT@DOMAIN" useKeyTab=true
   keyTab=KEYTAB_NAME storeKey=true debug=true;
  };

  com.sun.security.jgss.accept {
   com.sun.security.auth.module.Krb5LoginModule required
   principal="USER_ACCOUNT@DOMAIN" useKeyTab=true
   keyTab=KEYTAB_NAME storeKey=true debug=true;
  };

KEYTAB_NAME: the keytab file copied under the domain directory (example: myhost.keytab)
USER_ACCOUNT@DOMAIN: the principal name, which can be obtained using the klist command (example: ad_account@mydomain.com)

Example for JDK 1.6

  com.sun.security.jgss.krb5.initiate {
   com.sun.security.auth.module.Krb5LoginModule required
   principal="ad_account@mydomain.com" useKeyTab=true
   keyTab=myhost.keytab storeKey=true debug=true;
  };

  com.sun.security.jgss.krb5.accept {
   com.sun.security.auth.module.Krb5LoginModule required
   principal="ad_account@mydomain.com" useKeyTab=true
   keyTab=myhost.keytab storeKey=true debug=true;
  };

Configure Negotiate Identity Asserter
  • Login to WebLogic Admin Console
  • Navigate to Security Realms->myrealm->Providers.
  • Click on Lock and Edit
  • Click on New
  • Enter Name=NegoAsserter, Type=NegotiatedIdentityAsserter
  • Click OK
  • Click on the asserter created in the previous step, if not already on the asserter page.
  • Click on Provider specific
  • Uncheck Form Based Negotiation Enabled
  • Click Save
  • Now select DefaultIdentityAsserter from the providers list and delete it. We need to do this because there should not be any other asserter that responds to X509 tokens for the NegotiatedIdentityAsserter to work properly.
  • Click on Activate Changes
WebLogic Startup arguments

-Djava.security.krb5.realm=mydomain.com
-Djava.security.krb5.kdc=xxx.xxx.xxx.xxx
-Djavax.security.auth.useSubjectCredsOnly=false
Optional: -Dsun.security.krb5.debug=true; I found this flag very useful while debugging.

The following needs to be part of the AdminServer startup script as well as the managed servers' startup scripts. Note that there must be no space after -Djava.security.krb5.kdc=, otherwise the KDC address is passed as a separate argument and ignored.

JAVA_OPTIONS="-Djava.security.krb5.realm=mydomain.com -Djava.security.krb5.kdc=xxx.xxx.xxx.xxx \
-Djava.security.auth.login.config=${DOMAIN_HOME}/krb5.conf \
-Djavax.security.auth.useSubjectCredsOnly=false \
-Dweblogic.security.enableNegotiate=true -Dsun.security.krb5.debug=true \
${JAVA_OPTIONS}"

export JAVA_OPTIONS

Enable Windows Integrated Authentication - Internet Explorer

  • Click on Tools > Internet Options.
  • Select the Security tab.
  • Select Local intranet and click Custom Level.
  • In the Security Settings dialog box, scroll to the User Authentication section.
  • Select Automatic logon only in Intranet zone.
  • Click OK.
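When the browser still shows a login prompt after all of the above, the quickest check is to look at what the browser actually put in its Authorization: Negotiate header: a client that could obtain a service ticket offers Kerberos first, while one that could not (typically because the SPN or keytab step went wrong, or the site is not in the Intranet zone) offers only NTLM, which the NegotiatedIdentityAsserter cannot accept. The following Python script is an added example written for this page, not code from the original post or from WebLogic; it decodes the SPNEGO NegTokenInit and reports the mechanisms offered. The two sample headers it builds are constructed test data, not captures from a real client, and the mechToken bytes in them are placeholders.

```python
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
NTLMSSP_OID = bytes.fromhex("2b060104018237020a")  # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {KRB5_OID: "kerberos", MS_KRB5_OID: "ms-kerberos", NTLMSSP_OID: "ntlmssp"}

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _der(tag, value):  # minimal DER encoder, only used to build the constructed samples below
    n = len(value)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x81" + bytes([n])) + value

def classify_negotiate(header_value):
    """Return (verdict, mechanism names) for an 'Authorization: Negotiate <b64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    token = base64.b64decode(b64) if scheme.lower() == "negotiate" else b""
    if not token or token[0] != 0x60:                   # not an RFC 2743 InitialContextToken
        return "unknown", []
    _, inner, _ = _tlv(token, 0)
    _, oid, pos = _tlv(inner, 0)
    if oid != SPNEGO_OID:                               # raw Kerberos AP-REQ, or something else
        return ("kerberos" if oid in (KRB5_OID, MS_KRB5_OID) else "unknown"), [OID_NAMES.get(oid, "oid:" + oid.hex())]
    _, neg_init, _ = _tlv(inner, pos)                   # [0] NegTokenInit
    _, fields, _ = _tlv(neg_init, 0)                    # SEQUENCE { mechTypes, ..., mechToken }
    _, mech_types, _ = _tlv(fields, 0)                  # [0] mechTypes
    _, oids, _ = _tlv(mech_types, 0)                    # SEQUENCE OF OID
    mechs, p = [], 0
    while p < len(oids):
        _, o, p = _tlv(oids, p)
        mechs.append(OID_NAMES.get(o, "oid:" + o.hex()))
    first = mechs[0] if mechs else ""                   # the mechToken belongs to the first mechType; only Kerberos works here
    return ("kerberos" if first.endswith("kerberos") else "ntlm" if first == "ntlmssp" else "unknown"), mechs

def sample_header(mech_oids, mech_token):  # constructed NegTokenInit for testing, not a real ticket
    fields = _der(0xA0, _der(0x30, b"".join(_der(0x06, o) for o in mech_oids)))
    fields += _der(0xA2, _der(0x04, mech_token))
    token = _der(0x60, _der(0x06, SPNEGO_OID) + _der(0xA0, _der(0x30, fields)))
    return "Negotiate " + base64.b64encode(token).decode()

# Constructed samples: a client holding a ticket offers Kerberos first; one without a ticket offers NTLM only
GOOD_HEADER = sample_header([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"\x60\x00fake-ap-req")
BAD_HEADER = sample_header([NTLMSSP_OID], b"NTLMSSP\x00\x01\x00\x00\x00")
```

To use it on a real request, copy the Authorization header value from the browser's developer tools or a proxy log into classify_negotiate; a verdict of ntlm means the client never obtained a ticket for the HTTP/myhost.mydomain.com SPN.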
