To configure your krb5.conf file, perform the following:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| 1. |
Login to the AD server as Administrator.
|
|
| 2. | Click Start -> Programs
-> Administrative Tools -> Active Directory Users and Computer
|
|
| 3. | Select the Users folder.
|
|
| 4. | Click Create User.
|
|
| 5. | Enter the following information: First name: Last name: Full name: User logon name: User logon name (pre-Windows 2000): Click Next.
|
|
| 6. |
Enter a password for this user. Do not select any password expiration settings. Click Next. The new user appears in the list of users.
|
|
Now you need to generate a keytab file that will be used by the SSO server to map the account name to the service principal name.
| 1. |
From the command line prompt use the ktpass command on your AD server to generate this file. The command is: C:\> ktpass -princ HTTP/aspen.us.oracle.com@ACME.COM -pass welcome1 -mapuser aspen -out aspen.keytab The -princ value is HTTP/ followed by the FQDN of your SSO server, followed by @YOUR_AD_DEFAULT_REALM. This is case sensitive and you must have the AD default realm in upper case. The FQDN of the SSO server should be in lower case. The -pass value must be set to the same password you assigned to the SSO hostname user account that you created in the AD server. The -mapuser value is the SSO hostname user you created in the AD server. The -out value is the name you want to give for the file output that is generated, for example hostname.keytab
|
|
| 2. |
After the keytab file is generated, copy the file to the $ORACLE_HOME/j2ee/OC4J_SECURITY/config directory on the SSO server.
|
|
| 3. | Test your Kerberos connection
between your Linux server and the AD server. The kinit executable in Red
Hat Linux is located in the /usr/kerberos/bin
directory.
The command you can use to test this is: # /usr/kerberos/bin/kinit -k -t $ORACLE_HOME/j2ee/OC4J_SECURITY/config/aspen.keytab HTTP/aspen.us.oracle.com Substitute $ORACLE_HOME with the full Oracle home directory path Substitute aspen.keytab with the name of the keytab file you generated with the -out option when you ran the ktpass command Substitute aspen.us.oracle.com with the FQDN of the machine your SSO server is running on If you are successful, there should be no output at all from this command. You should just get another command prompt back. If you see any output this indicates an error and you will need to resolve this problem before you go any further.
|
|
To configure WNA, modify the following files:
| 1. |
Configure the opmn.xml file. Edit the file $ORACLE_HOME/opmn/conf/opmn.xml using a text editor. In this file search for the value: process-type id="OC4J_SECURITY" module-id="OC4J" About seven lines down from this line you will see an opening tag called '<data id="Java-options" value="server"'. Near the end of this line we need to add two values. The first value is: -Djavax.security.auth.useSubjectCredsOnly=false The second value which should be added is: -Doracle.security.jazn.config=$ORACLE_HOME/j2ee/OC4J_ SECURITY/config/jazn.xml Both of these values are added at the end of this tag but before the last double quote in the line. Each value should be seperated by a space. Replace the $ORACLE_HOME with your Oracle home directory path. Save and exit the file.
|
|
| 2. |
Edit the jaxn.xml file. Open the $ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn.xml file in a text editor Make sure you have a tag line that looks like this in the file: <jazn provider="XML" location="./jazn-data.xml" />
|
|
| 3. |
Edit the jazn-data.xml and web.xml files. In a text editor open the file: $ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn-data.xml In this file search for the opening tag jazn-loginconfig. Copy and paste the following content: <application> In the text you pasted into the jazn-data.xml
file you need to modify the following: In this same text you will see a value of sso.keytab. Replace this value with the name of the keytab file you generated earlier. The keytab file is located in your $ORACLE_HOME/j2ee/OC4J_SECURITY/config directory. Next you need to make a modification the the principal value. Save your changes and exit the file.
|
|
| 4. |
Edit the web.xml
file. $ORACLE_HOME/j2ee/OC4J_SECURITY/applications/sso/web/WEB-INF/web.xml Immediately under the opening web-app
tag line paste the following section: <security-constraint> <!-- authentication -->
Save your changes and exit the file. |
|
| 5. | Edit the orion-application.xml
file. In a text editor, open the file: $ORACLE_HOME/j2ee/OC4J_SECURITY/application-deployments/sso/orion-application.xml Copy and paste the following section: <security-role-mapping
name="{{PUBLIC}}"> In the new section you just pasted into this file make the following changes: Change ldap://directory_server.domain:port
to ldap://aspen.us.oracle.com:3060 Change the default realm value default_realm_in_Oracle_Internet_Directory to us Change the kerberos-servicename from value=HTTP@sso.acme.com
to value=HTTP@aspen.us.oracle.com If there is already another <jazn provider> tag line in orion-application.xml file, delete this extra <jazn provider> tag line. Save this file and exit the editor.
|
|
| 6. |
Edit the policy.properties file. In a text editor open the file: $ORACLE_HOME/sso/conf/policy.properties Change the line that reads MediumSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOServerAuth to MediumSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOKerbeAuth
|
|
| 7. | Restart the Oracle Application
Server.
From the command prompt type the following commands: # opmnctl stopall Wait about 1 minute before you start the application server. # opmnctl startall |
|
To configure your browser settings and test the WNA feature, perform the following steps:
| 1. |
Login to windows using a user account that has been synchronized from the AD server to the OID server. Although the passwords have not been synchronized with OID you will still be able to login to SSO applications because you have already setup OID for External Authentication.
|
|
| 2. |
After logging into the Windows domain, open the Internet Explorer browser. From the Tools menu in the browser, select Internet Options.
|
|
| 3. |
Select the Security tab.
|
|
| 4. |
Highlight the Local Intranet icon. Click Sites.
|
|
| 5. |
Click Advanced in the Local intranet dialog window.
|
|
| 6. |
Enter the URL for the machine that is running the SSO server (http://aspen.us.oracle.com) in the Add this Web site to the zone field. Do not enter the SSO login page or port number. Click Add.
|
|
| 7. |
Click OK. Click OK in the Local intranet window. Click OK in the Internet Options window.
|
|
| 8. |
Back at the Internet Options tab, click Customer Level. The User Authentication Logon should be set for Automatic logon only in Intranet zone.
|
|
| 9. | In the Internet Explorer browser,
enter the following URL to navigate to the SSO server login page .
http://aspen.us.oracle.com:7777/pls/orasso At the login page you will see a link in the upper left hand corner that reads Login. Click this link.
|
|
| 10. | Your Kerberos credentials will
be transparently passed through the IE browser to the SSO server and you
will be logged into the SSO server. Therefore you will not see a page that
asks for your credentials because login has been achieved transparently.
Thus when you click Login link, the link name changes to Logout.
|
|
Move
your mouse over this icon to hide all screenshots
Copyright © 2004 Oracle Corporation. All Rights Reserved.
|