It's all about Weblogic..!!!

Configure Kerberos with Weblogic Server

* The AD machine used in this configuration is :  SLKRBTRN6-01.slkrbtrn6.bea.com ( Windows 2008 R2 )

* Weblogic Server is on machine : SLKRBTRN6-03. ( Windows XP )

——-

Step 1 :

– Create a new user, say "wlsclient", on AD for your Weblogic server instance. This account will own the HTTP service principal for the Weblogic host.

Note :

– The account type should be "User", not "Computer", in the AD.

– Check the "Password never expires" option for the user. The keytab generated later contains the key derived from this password, so a password change would invalidate it.

– DES encryption types are disabled by default on Windows 2008 AD, so do not check the "Use Kerberos DES encryption types" option for the user. DES is weak and should stay disabled unless a legacy client forces it.

– If your AD is on Windows 2003 (which does not support AES), enable the DES encryption type for your user; after enabling this option make sure you reset the password for this user, otherwise no DES key is generated.

Step 2 :

Create a krb5.ini file.

Syntax :

 *****

[libdefaults]

default_realm = <Identifies the default realm. Set its value to your Kerberos realm – all caps>

default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

permitted_enctypes =  aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

ticket_lifetime = 600

kdc_timesync = 1

ccache_type = 4 

[realms]

<Your Kerberos realm – remember all caps> = {

kdc = <FQDN or IP address of the KDC/AD domain controller>

(Port 88 is the Kerberos default; it can be given explicitly as <host>:88, which is the usual form on Unix systems.)

admin_server = <FQDN – host name of the KDC/AD server>

default_domain = <Windows domain name in caps>

}

[domain_realm]

.<DNS domain name suffix, starting with .> = <Your Kerberos realm – remember all caps>

<DNS domain name suffix, without the leading .> = <Your Kerberos realm – remember all caps>

(Only the domain on the left may start with a dot; a dot on the realm side turns into a lookup for a realm literally named ".REALM" and fails.)

[appdefaults]

autologin = true

forward = true

forwardable = true

encrypt = true

 ***** 

Note :

* This file has to be created on the machine where Weblogic Server is installed. 

* If you have Weblogic Server installed on a Windows machine, create a file named krb5.ini. On Unix machines the file is called krb5.conf instead of krb5.ini. 

* The enctype lists above include rc4-hmac and the des-cbc-* types only for compatibility with old domains and accounts. DES is broken, and an RC4-HMAC key is just the account's NT hash. When the AD account supports AES (Windows 2008 and later), trim the three lists to aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96. Java releases before 8u161 need the JCE Unlimited Strength policy files installed before they can use aes256.

* See the following default Kerberos configuration files and their locations:

[Windows] The default location is c:\winnt\krb5.ini.

Note: if the krb5.ini file is not located in the c:\winnt directory it might be located in c:\windows.

[Linux] The default location is /etc/krb5.conf.

[AIX] [HP-UX] [Solaris] On other Unix platforms, the default location is /etc/krb5/krb5.conf.
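The two mistakes that most often break this file are weak enctypes left in the lists and a stray leading dot on the realm side of [domain_realm]. The following linter, an added example that is not part of the original post, parses the MIT profile syntax used by krb5.ini / krb5.conf and reports both, plus a missing or lower-case default_realm. The realm and host names follow the post (SLKRBTRN6.BEA.COM); both sample files are constructed here, not copied from any real system.

```python
"""Lint a krb5.ini / krb5.conf for the mistakes that commonly break SPNEGO.

Added example, not code from the original post. The realm and hosts follow
the post (SLKRBTRN6.BEA.COM); both sample files below are constructed.
"""
import re

# Single-DES, 3DES and RC4-HMAC: none should be negotiated by a new setup.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
    "rc4-hmac", "rc4-hmac-exp", "arcfour-hmac", "arcfour-hmac-md5",
}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def parse_krb5_conf(text):
    """Parse MIT profile syntax into nested dicts: {section: {key: value}}.

    A 'NAME = {' line opens a nested dict under NAME until the matching '}'.
    Lines starting with '#' or ';' are comments.
    """
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("key outside any [section]: %r" % line)
        if line == "}":
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("not a key = value line: %r" % line)
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return sections


def lint_krb5_conf(text):
    """Return a list of problems; an empty list means the file looks sane."""
    cfg = parse_krb5_conf(text)
    libdefaults = cfg.get("libdefaults", {})
    realms = cfg.get("realms", {})
    problems = []

    realm = libdefaults.get("default_realm", "")
    if not realm:
        problems.append("libdefaults: default_realm is missing")
    elif realm != realm.upper():
        problems.append("libdefaults: default_realm %s must be upper-case" % realm)
    elif realm not in realms:
        problems.append("realms: no block for default_realm %s" % realm)
    elif "kdc" not in realms[realm]:
        problems.append("realms: %s has no kdc entry" % realm)

    for key in ENCTYPE_KEYS:
        weak = [e for e in libdefaults.get(key, "").split() if e.lower() in WEAK_ENCTYPES]
        if weak:
            problems.append("libdefaults: %s allows weak enctypes: %s" % (key, " ".join(weak)))

    for domain, mapped in cfg.get("domain_realm", {}).items():
        if mapped.startswith("."):
            problems.append("domain_realm: %s maps to %s; the realm side must not start with '.'"
                            % (domain, mapped))
        elif mapped != mapped.upper() or mapped not in realms:
            problems.append("domain_realm: %s maps to unknown or lower-case realm %s"
                            % (domain, mapped))
    return problems


# Constructed sample 1: the post's template filled in, with two common mistakes.
BROKEN_INI = """\
[libdefaults]
default_realm = SLKRBTRN6.BEA.COM
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
SLKRBTRN6.BEA.COM = {
kdc = slkrbtrn6-01.slkrbtrn6.bea.com:88
admin_server = slkrbtrn6-01.slkrbtrn6.bea.com
default_domain = SLKRBTRN6.BEA.COM
}

[domain_realm]
.slkrbtrn6.bea.com = .SLKRBTRN6.BEA.COM
slkrbtrn6.bea.com = SLKRBTRN6.BEA.COM
"""

# Constructed sample 2: AES only, and no dot on the realm side of domain_realm.
FIXED_INI = (BROKEN_INI
             .replace(" rc4-hmac des-cbc-crc des-cbc-md5", " aes128-cts-hmac-sha1-96")
             .replace("= .SLKRBTRN6.BEA.COM", "= SLKRBTRN6.BEA.COM"))

if __name__ == "__main__":
    for name, ini in (("broken", BROKEN_INI), ("fixed", FIXED_INI)):
        print(name, lint_krb5_conf(ini) or "OK")
```

Run it against your own krb5.ini before touching Weblogic; an empty list from lint_krb5_conf is the state you want before Step 3. The parser is deliberately small and only understands the sections a JGSS setup uses.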

Step 3 :

To check that the krb5.ini file you created is correct, run the JDK's kinit (in %JAVA_HOME%\bin on Windows) and obtain a TGT for the new user. It prompts for the account password; a ticket coming back proves that the realm and kdc entries are right and that the KDC is reachable.

Command : kinit wlsclient OR kinit wlsclient@<REALM>

Step 4 :

Now create a keytab file ( Run the following commands on the AD machine ).

Syntax : ktpass -princ HTTP/<wls-server-name>@<REALM-NAME> -mapuser <account-name> -pass <password> -crypto all -ptype KRB5_NT_PRINCIPAL -out <keytab-file-name>

Command :  ktpass -princ HTTP/SLKRBTRN6-03@SLKRBTRN6.BEA.COM -mapuser wlsclient -pass Weblogic1 -crypto all -kvno 0 -ptype KRB5_NT_PRINCIPAL -out wlsclient.keytab

Note :

* Running ktpass will modify the account details, changing the user login name (userPrincipalName) to match the service principal name and registering HTTP/SLKRBTRN6-03 as an SPN on the account. This is a consequence of running the above command, not something you need to do manually.

* The host part of -princ must match the host name browsers will put in the URL (the short name here; use the FQDN if users will browse to it), otherwise the ticket they present is for a service name the keytab does not contain.

* -pass also sets the account's password to the given value and leaves it in the command history; -pass * prompts for it instead.

* -crypto all writes a key for every encryption type ktpass supports, DES included. Use -crypto AES256-SHA1 for an AES-only keytab once the account has the "This account supports Kerberos AES 256 bit encryption" option set.

* -kvno 0 is used here as a workaround. Without it, the kvno in the keytab must match the account's current key version in AD, which AD increments on every password reset.

* Click on the user " wlsclient " properties to see the change.

* Now copy the generated keytab file to the machine where Weblogic Server is installed, and protect it like a password: it holds the long-term key of the service account.

Step 5 :

After copying the keytab file to the machine where Weblogic Server is installed, run the klist command to see the contents of the keytab file. Use the klist shipped in the JDK bin directory; the klist built into Windows only lists cached tickets and does not read keytabs.

Syntax : klist -e -k <keytab>

Command : klist -e -k wlsclient.keytab

The -e switch prints the encryption type of each key. Check that the principal name is exactly the one passed to -princ, that the kvno matches the account, and that the types you expect (for example aes256-cts-hmac-sha1-96) are present.

If your principal was created properly, you should be able to request a TGT (Ticket Granting Ticket) from Kerberos using that principal.

If the keytab file was generated properly, then you should be able to use this file instead of the password of your account. kinit with -k -t tests both at once.

Syntax :  kinit -k -t <keytab-file> <principal-name>

Command :

kinit -J-Dsun.security.krb5.debug=true -k -t wlsclient.keytab HTTP/SLKRBTRN6-03@SLKRBTRN6.BEA.COM

OR

java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t wlsclient.keytab HTTP/SLKRBTRN6-03@SLKRBTRN6.BEA.COM

Note :

* In UNIX use the -V switch or else there won't be any output. (  kinit -V -k -t <keytab-file> <principal-name> )

* The -J-Dsun.security.krb5.debug=true form needs the JDK's own kinit launcher, which is shipped only on Windows; on UNIX the kinit in your PATH is normally the MIT or Heimdal one and ignores it. The second form, running the sun.security.krb5.internal.tools.Kinit class with java directly, uses the JDK's Kerberos implementation on any platform and is the one to try when the server-side JGSS behaviour is what you want to reproduce.
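What klist -e -k shows in Step 5 is the MIT keytab file format that ktpass wrote in Step 4: a version word, then one length-prefixed entry per (principal, enctype) key. The following builder/parser, an added example that is not code from the original post, the JDK or ktpass, round-trips that format and flags weak enctypes, which is the check a reviewer wants before a keytab is copied onto a server. The principal follows the post; the key bytes, kvno and timestamp are constructed.

```python
"""Build and inspect MIT-format keytab files (the format ktpass writes and
klist -e -k reads).

Added example, not code from the original post or from the JDK/ktpass. The
principal follows the post; the keys and timestamp below are constructed.
"""
import struct

# Enctype numbers from RFC 3961/3962/4757 as stored in each keytab entry.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
}
WEAK_ENCTYPES = {1, 2, 3, 16, 23, 24}   # DES, 3DES and RC4 (RC4 key == NT hash)
KRB5_NT_PRINCIPAL = 1


def _counted(data):
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(blob, pos):
    (n,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(principal, realm, keys, kvno=0, timestamp=0):
    """Serialise one entry per (enctype, keybytes) pair, keytab version 0x0502.

    All integers are big-endian in this version. Each entry is prefixed by
    its int32 length; a negative length marks a deleted slot.
    """
    components = [c.encode() for c in principal.split("/")]
    out = b"\x05\x02"
    for enctype, key in keys:
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        body += b"".join(_counted(c) for c in components)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)   # 32-bit kvno, honoured when present
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(blob):
    """Return a list of dicts, one per entry, like klist -e -k would print."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos, entries = 2, []
    while pos < len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                      # deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(blob, pos)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        key, pos = _read_counted(blob, pos)
        vno = vno8
        if end - pos >= 4:                # 32-bit kvno overrides the 8-bit one
            (vno,) = struct.unpack_from(">I", blob, pos)
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": vno, "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype)),
            "key": key, "timestamp": timestamp,
        })
    return entries


def weak_keys(entries):
    """Names of weak enctypes found in the keytab, in file order."""
    return [e["enctype_name"] for e in entries if e["enctype"] in WEAK_ENCTYPES]


# Constructed sample: what "ktpass -crypto all" might leave behind for the
# post's SPN, with made-up key bytes and kvno 3.
SAMPLE_KEYTAB = build_keytab(
    "HTTP/SLKRBTRN6-03", "SLKRBTRN6.BEA.COM",
    [(18, bytes(range(32))), (23, bytes(range(16))), (3, bytes(range(8)))],
    kvno=3, timestamp=1262304000,
)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%3d %s (%s)" % (e["kvno"], e["principal"], e["enctype_name"]))
    print("weak:", weak_keys(parse_keytab(SAMPLE_KEYTAB)))
```

To inspect the real file, replace SAMPLE_KEYTAB with open("wlsclient.keytab", "rb").read(). If weak_keys reports rc4-hmac or des-cbc-* entries and your clients are all AES-capable, regenerate the keytab with -crypto AES256-SHA1 rather than shipping an NT-hash-equivalent key to the Weblogic host.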

Step 6 :

Now, lets configure Weblogic Server.

Create a file called " krb5Login.conf " and place it in the Weblogic Server domain directory :

Syntax :

com.sun.security.jgss.krb5.initiate {

com.sun.security.auth.module.Krb5LoginModule required

principal="<Service principal account>@<Kerberos realm>"

useKeyTab=true

keyTab=<keytab>

storeKey=true

debug=true;

};

com.sun.security.jgss.krb5.accept {

com.sun.security.auth.module.Krb5LoginModule required

principal="<Service principal account>@<Kerberos realm>"

useKeyTab=true

keyTab=<keytab>

storeKey=true

debug=true;

};

krb5Login.conf :

com.sun.security.jgss.krb5.initiate {

com.sun.security.auth.module.Krb5LoginModule required

principal="HTTP/SLKRBTRN6-03@SLKRBTRN6.BEA.COM"

useKeyTab=true keyTab=wlsclient.keytab

storeKey=true debug=true;

};

com.sun.security.jgss.krb5.accept {

com.sun.security.auth.module.Krb5LoginModule required

principal="HTTP/SLKRBTRN6-03@SLKRBTRN6.BEA.COM"

useKeyTab=true keyTab=wlsclient.keytab

storeKey=true debug=true;

};

Note :

* If you are using JDK 1.5, change " com.sun.security.jgss.krb5.accept " and " com.sun.security.jgss.krb5.initiate " in the above file to " com.sun.security.jgss.accept " and " com.sun.security.jgss.initiate ".

i.e. do not use krb5 in the accept and initiate entry names in the above file if you are using JDK 1.5.

* A relative path such as keyTab=wlsclient.keytab is resolved against the directory the server is started from, which is the domain directory when you use startWebLogic; that is why the domain directory is the default location for both the keytab and krb5Login.conf. If the keytab lives elsewhere give an absolute path, using forward slashes or doubled backslashes on Windows, since a backslash is an escape character in this file.

* debug=true makes the login module log its keytab and ticket handling; set it to false once SSO works.

Step 7 : 

Now lets add few -D parameters to Weblogic Server startup script.

-Djava.security.auth.login.config=krb5Login.conf

-Djavax.security.auth.useSubjectCredsOnly=false

-Dweblogic.security.enableNegotiate=true

-Djava.security.debug=configfile,configparser,gssloginconfig   // This is the debug flag to check if the config files get parsed properly.

-Dsun.security.krb5.debug=true

< Additional -D parameters that can be set >

-Djava.security.krb5.conf=<full path to krb5.ini / krb5.conf, if it is not in one of the default locations listed in Step 2>

-Djava.security.krb5.realm=<realm>

-Djava.security.krb5.kdc=<kdc>

// realm and kdc override the values in krb5.ini; if you set one of them you must set both.

// for IBM JDK you can use the following debug : -Dcom.ibm.security.jgss.debug=all

// The java.security.debug and sun.security.krb5.debug flags write ticket details and key material to the server log; remove them once SSO works.

In windows edit ” startWebLogic.cmd ” file and add the following java options :

set JAVA_OPTIONS=%JAVA_OPTIONS% -Djava.security.auth.login.config=krb5Login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Dsun.security.krb5.debug=true

In UNIX edit ” startWebLogic.sh ” file and add the following java options :

JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.security.auth.login.config=krb5Login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Dsun.security.krb5.debug=true"

Step 8 :

Login to the Weblogic console and configure an Active Directory authentication provider (ActiveDirectoryAuthenticator) pointing at the AD, so that the user name asserted from the Kerberos ticket can be looked up and its groups resolved.

Change the control flags of all the authentication providers to " OPTIONAL ". The DefaultAuthenticator is REQUIRED by default and would otherwise reject Kerberos-asserted users that do not exist in the embedded LDAP.

If you set the control flag to SUFFICIENT instead, reorder the providers and make sure the Active Directory provider is the first provider in the list.

Step 9 :

Now, create a " NegotiateIdentityAsserter " : in the console go to Security Realms > myrealm > Providers > Authentication, click New, choose the type NegotiateIdentityAsserter, give it a name and save it.

The security provider configuration should then list the ActiveDirectoryAuthenticator, the DefaultAuthenticator, the DefaultIdentityAsserter and the new NegotiateIdentityAsserter. Restart the server so that the provider changes take effect.

Step 10 :

Setup your browser for Kerberos Authentication.

No separate configuration is needed for the Chrome browser on Windows: it reads the same Internet Options zone settings as Internet Explorer, so the steps below cover it too.

For Internet Explorer :

Configure Local Intranet Domains

1. In Internet Explorer, select Tools > Internet Options.

2. Select the Security tab.

3. Select Local intranet and click Sites.

4. In the Local intranet popup, ensure that the Include all sites that bypass the proxy server and Include all local (intranet) sites not listed in other zones options are checked.

5. Click Advanced.

6. In the Local intranet (Advanced) dialog box, add all relative domain names that will be used for Oracle WebLogic Server instances participating in the SSO configuration (for example, myhost.example.com) and click OK.

Configure Intranet Authentication

1. Select Tools > Internet Options.

2. Select the Security tab.

3. Select Local intranet and click Custom Level… .

4. In the Security Settings dialog box, scroll to the User Authentication section.

5. Select Automatic logon only in Intranet zone. This option prevents users from having to re-enter logon credentials, which is a key piece to this solution.

6. Click OK.

Verify Proxy Settings

If you have a proxy server enabled:

1. Select Tools > Internet Options.

2. Select the Connections tab and click LAN Settings.

3. Verify that the proxy server address and port number are correct.

4. Click Advanced.

5. In the Proxy Settings dialog box, ensure that all desired domain names are entered in the Exceptions field.

6. Click OK to close the Proxy Settings dialog box.

Now, when you access your Weblogic Admin Console, you should be able to login to it without entering a username / password.
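If the console still prompts for credentials, the quickest diagnosis is to look at what the browser put in the Authorization header of its retry. An NTLM message there means the browser never got a Kerberos ticket (wrong SPN, host outside the intranet zone, clock skew); a SPNEGO token means the problem is on the Weblogic side (keytab, JAAS config, provider flags). The classifier below is an added example, not code from the original post or from WebLogic; the two tokens it carries are constructed for the check, not captures.

```python
"""Tell what a browser actually sent in "Authorization: Negotiate <token>".

Added example, not code from the original post or from WebLogic. The two
tokens below are constructed to exercise the check; they are not captures.
"""
import base64

# GSS-API mechanism OIDs, DER-encoded without tag and length.
MECH_OIDS = {
    bytes.fromhex("2b0601050502"): "spnego",            # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "krb5",        # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "ms-krb5",     # 1.2.840.48018.1.2.2
}


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("malformed DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_token(raw):
    """Return 'ntlm', 'spnego', 'krb5', 'ms-krb5' or 'unknown' for raw token bytes."""
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"                      # browser fell back to NTLM: no ticket
    if len(raw) < 4 or raw[0] != 0x60:     # InitialContextToken = [APPLICATION 0]
        return "unknown"
    _, pos = _der_length(raw, 1)
    if pos >= len(raw) or raw[pos] != 0x06:
        return "unknown"                   # thisMech OID must come first
    oid_len, pos = _der_length(raw, pos + 1)
    return MECH_OIDS.get(raw[pos:pos + oid_len], "unknown")


def classify_authorization(header_value):
    """Classify the value of an Authorization request header."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        return classify_token(base64.b64decode(token.strip(), validate=True))
    except (ValueError, IndexError):
        return "unknown"


# Constructed NTLM type-1 message: signature, MessageType=1, flags, empty fields.
NTLM_TYPE1 = base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2" + bytes(16)).decode()

# Constructed minimal SPNEGO InitialContextToken: APPLICATION 0 wrapper,
# the SPNEGO OID, then an empty NegTokenInit ([0] with zero length).
SPNEGO_INIT = base64.b64encode(
    b"\x60\x0a\x06\x06" + bytes.fromhex("2b0601050502") + b"\xa0\x00").decode()

if __name__ == "__main__":
    for value in ("Negotiate " + NTLM_TYPE1, "Negotiate " + SPNEGO_INIT, "Basic dXNlcjpwdw=="):
        print(value[:30] + "...", "->", classify_authorization(value))
```

In practice you can recognise the two cases by eye in a browser's network tab: NTLM tokens are base64 strings beginning with TlRMTVNTUAAB, while a full-size Kerberos/SPNEGO token begins with YII. The function is for the cases where the header is read out of a proxy or server log instead.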
