Appreciations accepted

Vladlen Litvinov, the author: If you have some job offer for me, I'm ready to discuss it. View Vladlen Litvinov's profile on LinkedIn


Tuesday, December 24, 2013

SPNEGO SSO in IBM BPM clustered environment

As you know, for Windows client Integrated Authentication in IBM WAS the mechanism called SPNEGO (The Simple and Protected GSS-API Negotiation Mechanism) is used.
Our BPM users can access to portals without input of username and password, using their Windows account.  

I won't give a detail guide because the old guide you can find here
But there is not a way for clustered environments here what are used in productive most frequently.
I can fill this defect.
I describe the features for clusters.

Step-by-step quickly:

1. Integrate your BPM clustered environment (I will write CE, OK?) with MS Active Directory. It is simply. Don't forget about this moment.

2. Restart CE and check domain's users authorization.

3. Create users for linking to Kerberos service principal name (SPN). You must create one user for any node and one user for your Web front server. Thereby, for CE with two nodes you must create three users!

3. Create keytab file for each user. Use different names of servers. Remember, one server - one keytab - one SPN!

4. Copy all our keytabs to some CE server.

5. Unite our keytabs using the command:

(WAS_Installer_Home)/was-iip-jdk/jre/bin/ktab -m <keytab file1> <keytab file2>

Repeat the command for uniting all the keytabs.

6. Create the file krb5.conf using the wsadmin command $AdminTask createKrbConfigFile

7. You must copy your united keytab and krb5.conf in the same folders in each of your servers. The folder must have the same path for all your servers!
In my case, /etc/krb5.conf and /opt/ibm/BPM8/bin/*.keytab

8. Set up SPNEGO using WAS ISC:

In first picture, everything is clear, but you must create as many filters how many keytabs you created in the point 3!
Second picture for a filter.
Criteria: request-url^=ProcessAdmin|portal|webapi|teamworks|rest|socialbus|ProcessPortal|bpm (for BPM)

Pay your attention, if you use UPN (not SPN by default) for authorization, you must uncheck Trim Kerberos realm from principal name.

9. Save, sync and restart CE.
10. Set up your browser and use SSO. 

No comments:

Post a Comment