1. Have the Solaris administrator update the krb5.conf file as shown below:
[libdefaults]
default_realm = DOMAINNAME.COM
clockskew = 300
[realms]
DOMAINNAME.COM = {
kdc = activedirectoryservername.com
kdc = activedirectoryservername.com
}
[domain_realm]
.domainname.com = DOMAINNAME.COM
domainname.com = DOMAINNAME.COM
2. Have the AD administrator create a service account for the OracleAS Single Sign-On server in Microsoft Active Directory. The AD administrator will then need to create a keytab file for the server and map the service principal (the server) to the account name. The keytab file stores the server's secret key, which is what lets the server authenticate to the KDC. The service principal is the entity, in this case the single sign-on server, to which the KDC grants session tickets. The keytab file is generated with the ktpass command, executed on the AD host:
Ktpass.exe /princ HTTP/
/mapuser
/pass
/mapop set
+desonly
/ptype KRB5_NT_PRINCIPAL
/kvno 1
/crypto DES-CBC-CRC
/out sso.keytab
The AD administrator will provide the keytab file, which must be transferred in binary mode (for example with binary FTP) or copied to the SSO mid-tier (where OC4J_SECURITY runs), into the $ORACLE_HOME/j2ee/OC4J_SECURITY/config directory.
3. Back up the following SSO files:
$ORACLE_HOME/sso/conf/policy.properties
$ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn.xml
$ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn-data.xml
$ORACLE_HOME/j2ee/OC4J_SECURITY/applications/sso/web/WEB-INF/web.xml
$ORACLE_HOME/j2ee/OC4J_SECURITY/application-deployments/sso/orion-application.xml
$ORACLE_HOME/opmn/conf/opmn.xml
4. Configure WNA using ossoca.jar:
$ORACLE_HOME/jdk/bin/java -jar $ORACLE_HOME/sso/lib/ossoca.jar wna \
-mode sso \
-oh $ORACLE_HOME \
-ad_realm DOMAINNAME.COM \
-kdc_host_port \
-verbose
Test the login by browsing to https://hostname.domainname.com:4443/pls/orasso and clicking Login. It should log you in without any challenge. If it works, you are done.
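Before handing the krb5.conf from step 1 to the SSO server, it is worth checking it for the inconsistencies that most often break WNA: a default_realm with no [realms] block, a realm with no kdc, a [domain_realm] entry pointing at an undefined realm, and a clockskew above the 300 seconds used above. The Python script below is an added example, not part of the original post or of Oracle's tooling; its sample file mirrors step 1 with placeholder realm, domain and KDC names.

```python
import re

# Constructed sample mirroring step 1; realm, domain and KDC names are placeholders.
SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = DOMAINNAME.COM
clockskew = 300
[realms]
DOMAINNAME.COM = {
kdc = activedirectoryservername.com
}
[domain_realm]
.domainname.com = DOMAINNAME.COM
domainname.com = DOMAINNAME.COM
"""

def parse_krb5_conf(text):
    """Parse [section], key = value and REALM = { ... } blocks into nested dicts of lists."""
    conf, section, realm = {}, None, None
    for line in filter(None, (l.split("#", 1)[0].strip() for l in text.splitlines())):
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section, realm = header.group(1), None
            conf.setdefault(section, {})
        elif line == "}":
            realm = None
        elif section is not None:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":  # start of a REALM = { ... } block
                realm, conf[section][key] = key, {}
            else:  # repeated keys (e.g. several kdc lines) accumulate in a list
                scope = conf[section][realm] if realm else conf[section]
                scope.setdefault(key, []).append(value)
    return conf

def check_krb5_conf(text):
    """Return the problems found; an empty list means the file is consistent."""
    conf, problems = parse_krb5_conf(text), []
    realms = conf.get("realms", {})
    realm = conf.get("libdefaults", {}).get("default_realm", [""])[0]
    if realm not in realms:
        problems.append(f"default_realm {realm!r} has no [realms] entry")
    elif not realms[realm].get("kdc"):
        problems.append(f"realm {realm} lists no kdc")
    skew = conf.get("libdefaults", {}).get("clockskew", ["300"])[0]
    if not skew.isdigit() or int(skew) > 300:
        problems.append(f"clockskew {skew} is not a number <= 300")
    for domain, mapped in conf.get("domain_realm", {}).items():
        problems += [f"{domain} maps to undefined realm {r}" for r in mapped if r not in realms]
    return problems
```

Run check_krb5_conf on the contents of /etc/krb5/krb5.conf and fix anything it reports before running ossoca.jar.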
Happy Troubleshooting !!!
4 comments:
Hello Sundeep,
Excellent series of posts on EBS-OAS-SSO.
We already implemented EBS-SSO.
We have a requirement for WNA config for IDM.
For that, once we configure WNA as needed, are there any steps that need to be performed on the EBS side for enabling WNA or for registering EBS with WNA?
Your help is very much appreciated.
Thank you,
Preeti.
Hi Preeti,
There are no steps for WNA on the EBS side, as WNA works at your browser level and EBS has no role in it.
Hope this helps
Thanks
Sundeep
Hello Sundeep,
I was hoping you can help me out here with regards to the ktpass command.
My server name is axiom.abc.com and I'm generating the key with the following command:
ktpass -princ HTTP/axiom.abc.com@ABC.COM -mapuser axiom -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass axiom_passwd -out ssokeytab
Is this correct? Do I need to create the user "axiom" at AD as well?
Your help is very appreciated. Thanks!
Dave
Yes, you have to create the axiom user in AD as well. This can be a read-only user.