Objective
Users should be able to access J2EE applications deployed on the intranet without being prompted to log in, as long as the user is logged into a Windows domain. The following is based on how this was implemented in my last project.
System Configuration
WebLogic Portal 10.3, JDK 1.6, RHEL Server, Windows XP and Windows 7 clients.
Understanding Kerberos concepts
Kerberos Explained
Kerberos Configuration on WebLogic Host
The Java GSS (Generic Security Services) API requires an entry for each domain in the Kerberos configuration file, indicating the key distribution center (KDC). The Kerberos config file is located here:
Red Hat Enterprise Linux (RHEL): /etc/krb5.conf
Windows: c:/windows/krb5.ini
Add the following lines for each domain (inside the [realms] section of the file):
mydomain.com = {
kdc=xxx.xxx.xxx.xxx
}
Setup Kerberos identification for WebLogic Server
Create User Account
Create a user account in Active Directory for the host computer on which WebLogic Server is running, e.g. ad_account.
Setup SPN
- Create a Service Principal Name (SPN) for the above account using the following command (the service class HTTP and the host name must match the URL the browser uses).
Example:
setspn -a HTTP/myhost.mydomain.com ad_account
- To list the SPNs associated with your account, use the following command.
Example:
setspn -l ad_account@mydomain.com
Note: the setspn utility is not available on Windows XP by default; it is part of the Windows Support Tools.
Generate Keytab
- Generate a keytab using the following command (the ktab -a option adds the principal's key to the keytab file given with -k).
Example:
ktab -k myhost.keytab -a ad_account@mydomain.com
- Copy the keytab file generated in the previous step into the WebLogic domain home directory.
- Run the kinit tool as follows to verify that the keytab works (optional, for verification purposes). With -k the key is read from the keytab named by -t instead of asking for a password.
Example:
kinit -k -t myhost.keytab ad_account@mydomain.com
*On Linux this command produces no output when it succeeds.
Note: ktab and kinit are JDK utilities that ship only with the Windows JDK distribution. On Linux any standard Kerberos implementation can be used instead.
Setup Kerberos on Application Server
Create JAAS login file
Create a JAAS login configuration file directly under the domain directory, for example krb5.conf (the name is referenced later via -Djava.security.auth.login.config). Here is a sample file for JDK 1.6:
com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
principal="USER_ACCOUNT@DOMAIN" useKeyTab=true
keyTab=KEYTAB_NAME storeKey=true debug=true;
};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal="USER_ACCOUNT@DOMAIN" useKeyTab=true
keyTab=KEYTAB_NAME storeKey=true debug=true;
};
JDK 1.5 and JDK 1.4
On JDK 1.5 and JDK 1.4 the login entry names do not contain the krb5 component:
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
principal="USER_ACCOUNT@DOMAIN" useKeyTab=true
keyTab=KEYTAB_NAME storeKey=true debug=true;
};
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal="USER_ACCOUNT@DOMAIN" useKeyTab=true
keyTab=KEYTAB_NAME storeKey=true debug=true;
};
KEYTAB_NAME: keytab file copied under the domain directory (example: myhost.keytab)
USER_ACCOUNT@DOMAIN: principal name, which can be obtained with the klist command (example: ad_account@mydomain.com)
Example for JDK 1.6
com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
principal="ad_account@mydomain.com" useKeyTab=true
keyTab=myhost.keytab storeKey=true debug=true;
};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal="ad_account@mydomain.com" useKeyTab=true
keyTab=myhost.keytab storeKey=true debug=true;
};
Configure Negotiate Identity Asserter
- Log in to the WebLogic Admin Console
- Navigate to Security Realms -> my realm -> Providers.
- Click on Lock and Edit
- Click on New
- Enter Name=NegoAsserter, Type =NegotiatedIdentityAsserter
- Click OK
- Click on the asserter created in the previous step, if not already on the asserter page.
- Click on Provider specific
- Uncheck Form Based Negotiation Enabled
- Click Save
- Now select DefaultIdentityAsserter from the providers list and delete it. We need to do this because there should not be any other asserter that responds to X509 tokens for the NegotiatedIdentityAsserter to work properly.
- Click on Activate Changes
Configure JVM options
The WebLogic JVM needs the following Kerberos system properties:
-Djava.security.krb5.realm=mydomain.com
-Djava.security.krb5.kdc=xxx.xxx.xxx.xxx
-Djavax.security.auth.useSubjectCredsOnly=false
Optional: -Dsun.security.krb5.debug=true; I found this flag very useful while debugging.
The following needs to be part of the AdminServer as well as the managed servers' startup scripts (note there must be no space after krb5.kdc=):
JAVA_OPTIONS="-Djava.security.krb5.realm=mydomain.com -Djava.security.krb5.kdc=xxx.xxx.xxx.xxx \
-Djava.security.auth.login.config=${DOMAIN_HOME}/krb5.conf \
-Djavax.security.auth.useSubjectCredsOnly=false \
-Dweblogic.security.enableNegotiate=true -Dsun.security.krb5.debug=true \
${JAVA_OPTIONS}"
export JAVA_OPTIONS
Enable Windows Integrated Authentication - Internet Explorer
- Click on Tools -> Internet Options.
- Select the Security tab.
- Select Local intranet and click Custom Level.
- In the Security Settings dialog box, scroll to the User Authentication section.
- Select "Automatic logon only in Intranet zone" (the WebLogic host name must also fall into the Local intranet zone for this to apply).
- Click OK.
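When the Negotiate asserter still rejects requests after the steps above, the first thing to check is what the browser actually put in its Authorization: Negotiate header: a client that could not get a ticket for the HTTP/myhost.mydomain.com SPN (wrong SPN, host outside the intranet zone) offers only NTLM inside SPNEGO, which this setup cannot accept. The following Python helper is an added example, not code from the post or from WebLogic; it decodes such a header and lists the mechanisms the client offered, using the standard GSS-API mechanism OIDs, and the sample token is constructed rather than captured.

```python
import base64

# Well-known GSS-API mechanism OIDs (standard values, not from the blog post).
MECH_NAMES = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos V5",
              "1.2.840.48018.1.2.2": "MS Kerberos V5", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

def _read_tlv(buf, pos):
    """Read one DER tag and length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid_name(raw):  # DER OID content bytes -> dotted form, mapped to a mechanism name
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return MECH_NAMES.get(".".join(parts), ".".join(parts))

def classify_token(token):
    """Return (outer mechanism, mechanisms offered inside SPNEGO) for a GSS token."""
    if token.startswith(b"NTLMSSP\x00"):
        return "NTLM (raw)", []         # client bypassed SPNEGO entirely
    tag, pos, _ = _read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    _, s, e = _read_tlv(token, pos)    # thisMech OID
    outer, offered = _oid_name(token[s:e]), []
    if outer == "SPNEGO":
        # NegTokenInit ::= [0] SEQUENCE { [0] mechTypes SEQUENCE OF OID, ... }
        for _ in range(3):             # descend [0], SEQUENCE, [0] mechTypes
            _, e, _ = _read_tlv(token, e)
        _, pos, seq_end = _read_tlv(token, e)
        while pos < seq_end:
            _, s, pos = _read_tlv(token, pos)
            offered.append(_oid_name(token[s:pos]))
    return outer, offered

def classify_negotiate(header_value):
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    return classify_token(base64.b64decode(b64))

# Constructed sample, not a capture: NegTokenInit offering MS-Kerberos, Kerberos, NTLMSSP.
SAMPLE_TOKEN = bytes.fromhex("6032" "06062b0601050502" "a028" "3026" "a024" "3022"
    "06092a864882f712010202" "06092a864886f712010202" "060a2b06010401823702020a")
SAMPLE_HEADER = "Negotiate " + base64.b64encode(SAMPLE_TOKEN).decode()
```

A healthy client lists a Kerberos mechanism first; a result of ("SPNEGO", ["NTLMSSP"]) or ("NTLM (raw)", []) points at the SPN or browser zone configuration rather than at the WebLogic side.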