Thursday, September 11, 2008

WNA Config with IDM version 1.4.0.1

The last part we missed in our 10g iAS integration setup was configuring WNA (Windows Native Authentication) using Kerberos, which lets domain users reach SSO-protected applications without any credential challenge. Here we go:
1. Have the Solaris administrator update the krb5.conf file as below
[libdefaults]
default_realm = DOMAINNAME.COM
clockskew = 300

[realms]
DOMAINNAME.COM = {
kdc = activedirectoryservername.com
kdc = activedirectoryservername.com
}
[domain_realm]
.domainname.com = DOMAINNAME.COM
domainname.com = DOMAINNAME.COM

2. Have the AD administrator create a service account for the OracleAS Single Sign-On server in Microsoft Active Directory. The AD administrator will then need to create a keytab file for the server and map the service principal (the server) to the account name. The keytab file stores the server's secret key; this file enables the server to authenticate to the KDC. The service principal is the entity, in this case the single sign-on server, to which the KDC grants session tickets. The keytab file is generated using the ktpass command executed on the AD host.

ktpass.exe /princ HTTP/@DOMAINNAME.COM ^
/mapuser ^
/pass ^
/mapop set ^
+desonly ^
/ptype KRB5_NT_PRINCIPAL ^
/kvno 1 ^
/crypto DES-CBC-CRC ^
/out sso.keytab

The AD administrator will provide the keytab file, which needs to be copied (FTP in binary mode) to the SSO mid-tier (where OC4J_SECURITY runs) into the $ORACLE_HOME/j2ee/OC4J_SECURITY/config directory.

3. Backup following SSO files :
$ORACLE_HOME/sso/conf/policy.properties
$ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn.xml
$ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn-data.xml
$ORACLE_HOME/j2ee/OC4J_SECURITY/applications/sso/web/WEB-INF/web.xml
$ORACLE_HOME/j2ee/OC4J_SECURITY/application-deployments/sso/orion-application.xml
$ORACLE_HOME/opmn/conf/opmn.xml

4. Configure WNA using ossoca.jar

$ORACLE_HOME/jdk/bin/java -jar $ORACLE_HOME/sso/lib/ossoca.jar wna \
-mode sso \
-oh $ORACLE_HOME \
-ad_realm DOMAINNAME.COM \
-kdc_host_port \
-verbose

Check login at https://hostname.domainname.com:4443/pls/orasso and click Login. It should take you in without any credential challenge. If it works, you are done.
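As an added example (not part of the original post and not Oracle's tooling), the following Python script performs the pre-flight checks behind steps 1 and 2 before you run ossoca.jar: it parses a krb5.conf of the shape shown in step 1, verifies that default_realm, the [realms] KDC entries and the [domain_realm] mappings agree with each other, derives the HTTP/<host>@<REALM> service principal that the ktpass /princ argument must carry for the SSO host (using the same suffix-matching rule a Kerberos library applies to [domain_realm]), and compares a ktpass command line against that expectation. The sample krb5.conf, the host name ssohost.domainname.com and the ktpass lines are constructed for the example. It also warns when the keytab is requested with a DES encryption type, as in the post's command, because DES Kerberos types are disabled by default on current Windows releases and the AD side must still permit them for the service account.

```python
# Pre-flight checks for a WNA/Kerberos SSO setup (example code, not Oracle's).
import re

# Constructed sample krb5.conf in the layout used in step 1 of the post.
SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = DOMAINNAME.COM
clockskew = 300
[realms]
DOMAINNAME.COM = {
kdc = activedirectoryservername.com
kdc = activedirectoryservername2.com
}
[domain_realm]
.domainname.com = DOMAINNAME.COM
domainname.com = DOMAINNAME.COM
"""

def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; 'NAME = { ... }' blocks become nested
    dicts. Repeated keys such as several kdc lines are all kept."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = header.group(1), None
            conf.setdefault(section, {})
            continue
        if line == "}":
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            block = conf[section].setdefault(key, {})
            continue
        target = block if block is not None else conf[section]
        target.setdefault(key, []).append(value)
    return conf

def check_krb5_conf(conf):
    """List the inconsistencies that make Kerberos logins fail silently."""
    problems, realms = [], conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    if default not in realms:
        problems.append(f"default_realm {default} missing or has no [realms] entry")
    for name, body in realms.items():
        if name != name.upper():
            problems.append(f"realm {name} must be upper case")
        if not body.get("kdc"):
            problems.append(f"realm {name} lists no kdc")
    for domain, targets in conf.get("domain_realm", {}).items():
        if targets[0] not in realms:
            problems.append(f"domain_realm {domain} maps to unknown realm {targets[0]}")
    return problems

def realm_for_host(conf, fqdn):
    """Resolve a host to its realm as [domain_realm] is consulted: exact host
    entry first, then the longest matching '.suffix', else default_realm."""
    mapping, host = conf.get("domain_realm", {}), fqdn.lower()
    if host in mapping:
        return mapping[host][0]
    suffixes = [p for p in mapping if p.startswith(".") and host.endswith(p)]
    if suffixes:
        return mapping[max(suffixes, key=len)][0]
    return conf["libdefaults"]["default_realm"][0]

def expected_spn(conf, sso_fqdn):
    """Service principal the ktpass /princ argument must name for the SSO host."""
    return f"HTTP/{sso_fqdn.lower()}@{realm_for_host(conf, sso_fqdn)}"

VALUE_OPTIONS = {"princ", "mapuser", "pass", "mapop", "ptype", "kvno", "crypto", "out"}

def parse_ktpass(cmdline):
    """Split a ktpass command line (/opt or -opt form) into {option: value}."""
    opts, parts, i = {"flags": []}, cmdline.split(), 1
    while i < len(parts):
        name = parts[i].lstrip("/-").lower()
        if name in VALUE_OPTIONS and i + 1 < len(parts):
            opts[name], i = parts[i + 1], i + 2
        else:
            opts["flags"].append(parts[i])  # bare switches such as +desonly
            i += 1
    return opts

def check_ktpass(cmdline, conf, sso_fqdn):
    """Return (problems, warnings) for a ktpass line meant for the SSO host."""
    opts, want, problems, warnings = parse_ktpass(cmdline), expected_spn(conf, sso_fqdn), [], []
    if opts.get("princ") != want:
        problems.append(f"princ must be {want}, got {opts.get('princ')}")
    if opts.get("ptype", "").upper() != "KRB5_NT_PRINCIPAL":
        problems.append("ptype must be KRB5_NT_PRINCIPAL")
    if opts.get("crypto", "").upper().startswith("DES"):
        # DES Kerberos types are off by default on current Windows releases; AD
        # must still allow them for this account or ticket requests will fail.
        warnings.append(f"crypto {opts['crypto']} is a DES type; confirm AD permits it")
    return problems, warnings
```

Run check_krb5_conf on the parsed file first and fix anything it lists, then feed the exact ktpass line the AD administrator intends to run, together with the SSO host's fully qualified name, to check_ktpass: a mismatch between the /princ value and the name the browser will request a ticket for (HTTP/ followed by the host name users type in the URL) is the most common reason the final login check still prompts for credentials.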

Happy Troubleshooting !!!

4 comments:

Anonymous said...

Hello Sundeep,
Excellent series of posts on EBS-OAS-SSO.

We already implemented EBS-SSO.
We have a requirement for WNA config for IDM.

For that, once we configure WNA as needed, are there any steps that need to be performed on the EBS side for enabling WNA or for registering EBS with WNA?

Your help is very much appreciated.

Thank you,
Preeti.

Sundeep Dubey said...

Hi Preeti,
There are no steps for WNA at the EBS side, as WNA works at your browser level and EBS has no role in it.
Hope this helps

Thanks
Sundeep

Anonymous said...

Hello Sundeep,
I was hoping you can help me out here with regards to the ktpass command.

My servername is called axiom.abc.com and I'm generating the key with the following command:

ktpass -princ HTTP/axiom.abc.com@ABC.COM -mapuser axiom -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass axiom_passwd -out ssokeytab

Is this correct? Do I need to create the user "axiom" at AD as well?

Your help is very appreciated. Thanks!

Dave

Sundeep Dubey said...

Yes, you have to create the axiom user in AD as well. This can be a read-only user.