Enable Kerberos (SSO) with Workspace 11.1.1.3 on WebLogic 9.2 MP3 & Apache HTTP Server

Celvin Kattookaran

Table of Contents

Purpose
Prerequisites
    Join the Kerberos realm
Configuring the Active Directory Machine for Kerberos
    Create SSO Group in Active Directory
    Create SSO User in Active Directory
    Creating Active Directory user which will be used as Kerberos Service Principal
    Mapping Local User to SPN
    Creating krb5.ini
    Add WebLogic Admin Server as a Windows Service
Configuring the WebLogic Machine for Kerberos
    Create Service Principal Name and Keytab File
    Check which SPNs are associated with the user
    Creating the JAAS Configuration File
    Create Active Directory Authenticator in WebLogic Security Realm
    Change the control flag of DefaultAuthenticator
    Check the Active Directory authenticator
    Configure Negotiate Identity Asserter
    Reordering the Authentication providers
    Granting WebLogic Administrator Role to the SSO User
    Add Kerberos options in WebLogic startup script
    Enable debugging in WebLogic (Optional)
Deploying Workspace
Configuring Workspace for SSO
    Customizing EPM Workspace Services Configuration Scripts
    Setting Up Workspace for Single Sign-On
    Configuring Workspace for Single Sign-On
    Updating JVM Arguments of Workspace
    Adding Policies to workspace deployment
External Authentication in Hyperion Shared Services
Configuring Browser on Client Computers


Purpose

The purpose of this document is to describe the procedure that enables Oracle Hyperion Workspace, Fusion Edition 11.1.1 for Windows single sign-on (SSO) using Kerberos.

In other words, a Windows logon to the Kerberos realm provides transparent Workspace access: once the user logs on to a computer that is a member of the organization's domain, Workspace does not ask for a login again.


Prerequisites

1. Keep all machines, clients included, on the same date and time, ideally synchronized against one time source. Kerberos rejects requests whose timestamp lies outside the permitted clock skew, which is 5 minutes by default in Active Directory.
2. Give the servers static IP addresses and explicitly configured DNS servers. A spotless DNS configuration, for both forward and reverse resolution, is fundamental to a reliable Kerberos setup, because the SPN the browser asks the KDC for is derived from the server's DNS name.
3. Test nslookup in both directions: the name must resolve to the address and the address must resolve back to the same name.
4. Run dcdiag /s:ADmachine. Any error must be corrected before proceeding.

C:\Documents and Settings\Administrator.CELVIN-AD>dcdiag /s:CELVIN-AD.CERASOFT.com

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\CELVIN-AD
      Starting test: Connectivity
         ......................... CELVIN-AD passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\CELVIN-AD
      Starting test: Replications
         ......................... CELVIN-AD passed test Replications
      Starting test: NCSecDesc
         ......................... CELVIN-AD passed test NCSecDesc
      Starting test: NetLogons
         ......................... CELVIN-AD passed test NetLogons
      Starting test: Advertising
         ......................... CELVIN-AD passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... CELVIN-AD passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... CELVIN-AD passed test RidManager
      Starting test: MachineAccount
         ......................... CELVIN-AD passed test MachineAccount
      Starting test: Services
         ......................... CELVIN-AD passed test Services
      Starting test: ObjectsReplicated
         ......................... CELVIN-AD passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... CELVIN-AD passed test frssysvol
      Starting test: frsevent
         ......................... CELVIN-AD passed test frsevent
      Starting test: kccevent
         ......................... CELVIN-AD passed test kccevent
      Starting test: systemlog
         ......................... CELVIN-AD passed test systemlog
      Starting test: VerifyReferences
         ......................... CELVIN-AD passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : CERASOFT
      Starting test: CrossRefValidation
         ......................... CERASOFT passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... CERASOFT passed test CheckSDRefDom

   Running enterprise tests on : CERASOFT.com
      Starting test: Intersite
         ......................... CERASOFT.com passed test Intersite
      Starting test: FsmoCheck
         ......................... CERASOFT.com passed test FsmoCheck

5. The whole setup assumes that Workspace is deployed manually.
6. Optionally, raise the functional level of your Active Directory to Windows 2003. I recommend doing so: my working setup uses that level, and the Delegation tab used later in this guide only appears at that level.

• Open Active Directory Users and Computers (Start > Administrative Tools > Active Directory Users and Computers), right-click your domain and choose Raise Domain Functional Level.

• You'll get a confirmation window. Click OK.

7. Install the Windows 2003/2000 Support Tools. We will be using:

• ksetup, which configures a client to use a Kerberos V5 realm instead of a Windows Server 2003 domain
• ktpass, which configures a service as a Kerberos principal and generates the keytab file that contains the service principal and its key
• setspn, which manipulates the Service Principal Names (SPNs) of an AD service account
• ldifde, which exports Active Directory content (LDIF Directory Exchange)

Download Windows 2000 Service Pack 4 Support Tools from

http://www.microsoft.com/downloadS/details.aspx?FamilyID=f08d28f3-b835-4847-b810-bb6539362473&displaylang=en


Download Windows Server 2003 Service Pack 2 32-bit Support Tools from

http://www.microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D-939B-9A772EA2DF90&displaylang=en

8. Install the Resource Kit Tools for troubleshooting Kerberos:

• kerbtray, to view the tickets held by the current logon session
• klist, to list and purge tickets (the JRE ships a klist as well, with different options)

Download Windows 2000 Resource Kit Tools for administrative tasks from

http://support.microsoft.com/kb/927229

Join the Kerberos realm

To join the Kerberos realm you can use ksetup:

C:\Documents and Settings\Administrator.CELVIN-AD>ksetup /addkdc CERASOFT.COM CELVIN-AD.CERASOFT.COM

where you enter the Kerberos realm name (upper-case) and the FQDN of the KDC machine. To see the Kerberos state, use the /dumpstate switch of ksetup:

C:\Documents and Settings\Administrator.CELVIN-AD>ksetup /dumpstate
default realm = CERASOFT.com (NT Domain)
CERASOFT.COM:
    kdc = CELVIN-AD.CERASOFT.COM
    Realm Flags = 0x0 none
No user mappings defined.

Note: this step is mainly needed if your KDC is not Active Directory, for example a UNIX based KDC. It also works with an Active Directory KDC, but it is not required when the machines are joined to the domain.

After adding the machine to a Kerberos realm, the value is stored in the registry under:

HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Domains


Configuring the Active Directory Machine for Kerberos

Create SSO Group in Active Directory

Create a group called wls_users (this group will hold all the WebLogic users).

1. Open the Active Directory console (Start > Administrative Tools > Active Directory Users and Computers).
2. Expand the node representing the Active Directory domain; for example, CERASOFT.com.
3. Right-click Users, then select New, and then Group.


4. Enter the Group Name as wls_users.
5. Make sure that the Group Scope is "Global" and the Group Type is "Security".
6. Click OK.


Create SSO User in Active Directory

Create a user called "bea_sso_ad" (the SSO user).

1. Follow the steps above to open the Active Directory console.
2. Right-click Users, then select New, and then User.


3. Enter the User Name as bea_sso_ad.
4. Uncheck User must change password at next logon.
5. Check Password never expires.
6. Click Next to proceed with the user creation.


7. Add the SSO user to the SSO group.
   a. Double-click the user bea_sso_ad, or right-click it and choose Properties.
   b. Open the "Member Of" tab and click Add.
   c. Type the group name wls_users.
   d. Click Check Names, then click OK to add the group.


Set up additional user properties for the WebLogic SSO user.

   e. Click on the Account tab of bea_sso_ad.
   f. Select the option Use DES encryption types for this account.
   g. Make sure that Do not require Kerberos preauthentication remains unchecked.

A note on DES: this guide restricts everything to DES-CBC-CRC because the JDK 1.5 bundled with WebLogic 9.2 does not support the AES Kerberos encryption types (they arrived with Java 6). DES is cryptographically broken, and Windows 7 / Windows Server 2008 R2 and later disable the DES Kerberos encryption types by default, so on a current platform leave this option off and use AES (ktpass -crypto AES256-SHA1 with a JDK that supports it) instead of the DES-only settings shown throughout this document.

Creating Active Directory user which will be used as Kerberos Service Principal

Create the domain AD user "CELVIN-AD_WLS" (Server name_WLS) that will map to the Kerberos service principal of the WebLogic server.

1. Follow the steps above to create a new user in Active Directory.
2. Add the user (CELVIN-AD_WLS) to the "Users" group.
3. Follow the steps above to add a user to a group.


4. Set up additional user properties for the SPN (Service Principal Name) user.

   a. Click on the Account tab of CELVIN-AD_WLS.
   b. Select the option Use DES encryption types for this account.
   c. Select the option Account is trusted for delegation.
   d. Select the option Do not require Kerberos preauthentication.

   Caveat on step d: disabling preauthentication is not needed for a keytab-based service account, and it lets anyone on the network request an AS-REP for this account and crack its password offline (AS-REP roasting). Prefer leaving it unchecked, as the guide does for bea_sso_ad, and disable it only if a specific client really cannot perform preauthentication.

5. Trust the user for delegation. The Delegation tab is only shown at the Windows 2003 functional level (for a user account it also requires that an SPN is already registered on it, so you may have to come back to this step after running ktpass below).

   a. Trust this user for delegation to any service (Kerberos only).

   Caveat: this is unconstrained delegation, which lets the WebLogic server reuse the forwarded TGT of every user who authenticates to it against any service in the forest. Browser-to-WebLogic SSO itself does not need delegation; enable it only if WebLogic must call a back-end service on the user's behalf, and then prefer "Trust this user for delegation to specified services only" (constrained delegation), listing just those services.


Mapping Local User to SPN

Use ksetup to map the SPN user to a local user:

E:\Program Files\Support Tools>ksetup /MapUser [email protected] Administrator

E:\Program Files\Support Tools>ksetup
default realm = CERASOFT.com (NT Domain)
Mapping [email protected] to Administrator.

Be aware that such a mapping treats an authentication as that Kerberos principal as a logon of the local Administrator on this machine, so whoever obtains the principal's key (the keytab created below) gets that access; protect the keytab accordingly.

Creating krb5.ini

The Kerberos configuration file, krb5.ini, must exist on every WebLogic Server machine so that the JDK Kerberos implementation used by the Negotiate Identity Asserter (configured later in this guide) can find the realm, the KDC and the permitted encryption types.

Create krb5.ini in C:\WINNT (and in C:\Windows, if that directory exists) as follows. Note that the mapping section is named [domain_realm]; a misspelled section name such as [domain_realms] is silently ignored.

[libdefaults]
    default_realm = CERASOFT.COM
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc
    ticket_lifetime = 600
    kdc_timesync = 1
    ccache_type = 4
    clockskew = 1200

[realms]
    CERASOFT.COM = {
        kdc = 10.8.5.70
        admin_server = CELVIN-AD.CERASOFT.com
        default_domain = CERASOFT.com
    }

[domain_realm]
    cerasoft.com = CERASOFT.COM
    .cerasoft.com = CERASOFT.COM

[appdefaults]
    autologin = true
    forward = true
    forwardable = true
    encrypt = true

The des-cbc-crc enctypes match the DES-only keytab created later; see the note on DES above.
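As an added illustration (this script is not part of the original guide), the following Python parses a krb5.ini like the one above and flags the settings a reviewer would question: DES/3DES/RC4 enctypes, a clock skew above what an Active Directory KDC tolerates by default, a default realm without a [realms] entry, and [domain_realm] mappings to an undefined realm. The embedded sample is the file shown above with the section name spelled [domain_realm]; the only assumed value is the 5-minute Active Directory default for clock skew, and parse_krb5, weak_enctypes and audit are names chosen here.

```python
"""Parse krb5.ini/krb5.conf and flag settings a reviewer would question.
Added example, not part of the original guide; the sample is the file above."""
import re

# Constructed sample: the krb5.ini from this guide, with the section name
# spelled [domain_realm] (which is what MIT/Java Kerberos actually reads).
SAMPLE_KRB5_INI = """\
[libdefaults]
    default_realm = CERASOFT.COM
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc
    ticket_lifetime = 600
    kdc_timesync = 1
    ccache_type = 4
    clockskew = 1200

[realms]
    CERASOFT.COM = {
        kdc = 10.8.5.70
        admin_server = CELVIN-AD.CERASOFT.com
        default_domain = CERASOFT.com
    }

[domain_realm]
    cerasoft.com = CERASOFT.COM
    .cerasoft.com = CERASOFT.COM

[appdefaults]
    autologin = true
    forward = true
    forwardable = true
    encrypt = true
"""

WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "rc4-hmac",
                 "arcfour-hmac", "arcfour-hmac-md5"}
AD_MAX_SKEW_SECONDS = 300   # assumed: AD's default "maximum tolerance for clock sync"


def parse_krb5(text):
    """Return {section: {key: value}}; a 'NAME = { ... }' block becomes a
    nested dict under NAME.  Raises ValueError on a value outside a section."""
    cfg, section, block = {}, None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # strip comments
        if not line:
            continue
        m = re.match(r"^\[([\w.-]+)\]$", line)
        if m:
            section, block = cfg.setdefault(m.group(1), {}), None
            continue
        if section is None:
            raise ValueError("line %d: value before any [section]" % lineno)
        if line == "}":
            block = None
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep:
            raise ValueError("line %d: expected key = value" % lineno)
        if value == "{":
            block = section.setdefault(key, {})
            continue
        (block if block is not None else section)[key] = value
    return cfg


def weak_enctypes(cfg):
    """(setting, enctype) pairs in [libdefaults] that use DES, 3DES or RC4."""
    lib = cfg.get("libdefaults", {})
    return sorted((k, e.lower())
                  for k in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
                  for e in lib.get(k, "").split() if e.lower() in WEAK_ENCTYPES)


def audit(cfg):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = ["%s uses weak enctype %s" % pair for pair in weak_enctypes(cfg)]
    lib, realms = cfg.get("libdefaults", {}), cfg.get("realms", {})
    skew = int(lib.get("clockskew", AD_MAX_SKEW_SECONDS))
    if skew > AD_MAX_SKEW_SECONDS:
        findings.append("clockskew %d s is above the %d s an AD KDC allows by default; "
                        "the KDC, not this setting, decides" % (skew, AD_MAX_SKEW_SECONDS))
    realm = lib.get("default_realm")
    if realm and realm != realm.upper():
        findings.append("default_realm %s is not upper-case" % realm)
    if realm and realm not in realms:
        findings.append("default_realm %s has no [realms] entry" % realm)
    for host, mapped in cfg.get("domain_realm", {}).items():
        if mapped not in realms:
            findings.append("[domain_realm] %s maps to unknown realm %s" % (host, mapped))
    return findings


if __name__ == "__main__":
    cfg = parse_krb5(SAMPLE_KRB5_INI)
    print("KDC for %s: %s" % (cfg["libdefaults"]["default_realm"],
                              cfg["realms"]["CERASOFT.COM"]["kdc"]))
    for finding in audit(cfg):
        print("WARNING:", finding)
```

Run against the guide's file it reports the two DES enctype settings and the 1200-second clock skew; point it at a production krb5.ini to catch a leftover des-cbc-crc before a KDC that no longer issues DES tickets makes SSO fail silently.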


kinit is used to obtain and cache Kerberos ticket-granting tickets. Running it with the keytab verifies that the keytab, krb5.ini and the KDC agree before WebLogic is involved:

E:\bea\jdk150_12\bin>kinit -J-Dsun.security.krb5.debug=true -k -t e:\bea\bea.keytab HTTP/[email protected] name: c:\winnt\krb5.ini
>>>KinitOptions cache name is C:\Documents and Settings\Administrator.CELVIN-AD\krb5cc_Administrator
Principal is HTTP/[email protected]
>>> Kinit using keytab
>>> Kinit keytab file name: e:\bea\bea.keytab
>>> KeyTabInputStream, readName(): CERASOFT.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): CELVIN-AD.CERASOFT.com
>>> KeyTab: load() entry length: 67; type: 1
Added key: 1version: 5
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 16 1 3.
0: EncryptionKey: keyType=1 kvno=5 keyValue (hex dump)=
0000: 29 80 E5 E5 61 D3 94 B6

>>> Kinit realm name is CERASOFT.COM
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for CELVIN-AD are:
    CELVIN-AD/10.8.5.70
IPv4 address
default etypes for default_tkt_enctypes: 23 16 1 3.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> Kinit: sending as_req to realm CERASOFT.COM
>>> KrbKdcReq send: kdc=10.8.5.70 UDP:88, timeout=30000, number of retries =3, #bytes=181
>>> KDCCommunication: kdc=10.8.5.70 UDP:88, timeout=30000,Attempt =1, #bytes=181
>>> KrbKdcReq send: #bytes read=663
>>> KrbKdcReq send: #bytes read=663
>>> reading response from kdc
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: 2931d8b0
>>>crc32: 101001001100011101100010110000
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/CELVIN-AD.CERASOFT.com
New ticket is stored in cache file C:\Documents and Settings\Administrator.CELVIN-AD\krb5cc_Administrator

You can use the kerbtray and klist utilities to list the tickets stored.

Note that the debug output prints the raw service key from the keytab (the keyValue hex dump); redact it before pasting such output into a support ticket or a mailing list.


Add WebLogic Admin Server as a Windows Service

To install the Admin Server as a Windows service we use installSvc.cmd, supplied with WebLogic (default location %BEA_HOME%\weblogic92\server\bin). Create a batch script called createSvc.cmd with the following commands and save it to C:\

SETLOCAL
set JAVA_HOME=E:\bea\jdk150_12
set JAVA_VENDOR=Sun
set DOMAIN_NAME=Hyperion
set USERDOMAIN_HOME=E:\bea\user_projects\domains\Hyperion
set SERVER_NAME=AdminServer
set WLS_USER=hyperion
set WLS_PW=hyperion
set MEM_ARGS=-Xms128m -Xmx256m
cd %USERDOMAIN_HOME%
call %USERDOMAIN_HOME%\bin\setDomainEnv.cmd
call "E:\bea\weblogic92\server\bin\installSvc.cmd"
ENDLOCAL

WLS_USER and WLS_PW are the WebLogic administrator credentials and sit in clear text in this script; restrict the file's ACL and delete it once the service exists.

If you would like the System Out and System Error messages in separate log files, add the following line to installSvc.cmd right after the line set WL_HOME=E:\bea\weblogic92:

set JAVA_OPTIONS=-Dweblogic.Stdout="E:\bea\user_projects\domains\Hyperion\logs\StdOut.log" -Dweblogic.Stderr="E:\bea\user_projects\domains\Hyperion\logs\StdErr.log" %JAVA_OPTIONS%

If you wish to change the name of the service, edit this portion of installSvc.cmd:

-svcname:"beasvc %DOMAIN_NAME%_%SERVER_NAME%"

e.g. -svcname:"BEA Weblogic %DOMAIN_NAME%_%SERVER_NAME%"

The service will then be created as BEA Weblogic Hyperion_AdminServer.


Configuring the WebLogic Machine for Kerberos

Create Service Principal Name and Keytab File

Note: this procedure should be performed on the machine that hosts the WebLogic server; for example, on your Workspace server.

The service principal name and keytab file are used to provide SSO between the browser and the WebLogic SPNEGO filters. A keytab is a file that contains pairs of Kerberos principals and encrypted keys (DES keys here) derived from the account's Kerberos password. It lets a service log in to Kerberos without being asked for a username and password.

The keytab file is computer-independent: you can copy it from one computer to another, and the author prefers a single global keytab file. Remember that it is the service's long-term secret; whoever holds it can impersonate the WebLogic server and decrypt every service ticket issued for it, so keep it only on the server that needs it, with an ACL limited to the account the WebLogic service runs as, and treat backups of it like a private key.

Note: ensure the SPN is created using the fully qualified domain name (FQDN) of the WebLogic server.

1. Update the PATH of the WebLogic server to include the Windows Support Tools installation directory.
2. Open a command prompt.
3. Type:

ktpass -princ HTTP/[email protected] -DesOnly -out E:\bea\bea.keytab -pass p@ssw0rd -mapuser CELVIN-AD_WLS -crypto DES-CBC-CRC

The -pass value becomes the new password of the mapped account (ktpass resets it) and is the value from which the keytab key is derived, so use a long random password rather than the placeholder shown.

After the command runs you'll see a message similar to the one below. The pType warning can be ignored; if you want to set the principal type explicitly, add the switch -ptype KRB5_NT_PRINCIPAL to the ktpass command.

C:\Documents and Settings\Administrator.CELVIN-AD>ktpass -princ HTTP/[email protected] -DesOnly -out E:\bea\bea.keytab -pass p@ssw0rd -mapuser Celvin-AD_WLS -crypto DES-CBC-CRC
Targeting domain controller: CELVIN-AD.CERASOFT.com
Using legacy password setting method
Successfully mapped HTTP/CELVIN-AD.CERASOFT.com to CELVIN-AD_WLS.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to E:\bea\bea.keytab:
Keytab version: 0x502
keysize 67 HTTP/[email protected] ptype 0 (KRB5_NT_UNKNOWN) vno 3 etype 0x1 (DES-CBC-CRC) keylength 8 (0x2980e5e561d394b6)
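The keytab ktpass wrote can be inspected without Java tooling. The following Python, added here and not part of the original guide or of any Kerberos library, builds a keytab in the MIT file format ktpass uses (version 0x502) and parses it back, listing principal, kvno and enctype and flagging DES and RC4 keys. The sample entry reproduces the one printed above (principal HTTP/CELVIN-AD.CERASOFT.com in realm CERASOFT.COM, kvno 3, etype 1, 8-byte key, 67-byte entry); the timestamp field is an assumed value because the ktpass output does not show it, and build_keytab and parse_keytab are names chosen here.

```python
"""Build and parse a MIT-format Kerberos keytab (what ktpass writes).
Added example, not part of the original guide or of any Kerberos library."""
import struct

ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 2, 3, 16, 23}          # single DES, triple DES and RC4


def _counted(data):
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(principal, kvno, enctype, key, timestamp=0, name_type=0, with_vno32=False):
    """One-entry keytab, file format version 0x502 (big-endian).  ktpass writes
    no trailing 32-bit kvno, so with_vno32=False reproduces its 67-byte layout."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    if with_vno32:
        body += struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def parse_keytab(blob):
    """Return a list of entry dicts; raises ValueError on malformed input."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % blob[:2])
    entries, off = [], 2
    while off + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size < 0:                       # deleted slot: skip its payload
            off += -size
            continue
        end = off + size
        if end > len(blob):
            raise ValueError("entry overruns the file")
        (ncomp,) = struct.unpack_from(">H", blob, off)
        off += 2
        strings = []                       # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", blob, off)
            strings.append(blob[off + 2:off + 2 + n].decode("utf-8", "replace"))
            off += 2 + n
        name_type, timestamp, vno = struct.unpack_from(">IIB", blob, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", blob, off)
        off += 4
        key = blob[off:off + klen]
        off += klen
        if end - off >= 4:                 # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", blob, off)
            vno = vno32 or vno
        off = end
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "name_type": name_type, "timestamp": timestamp, "kvno": vno,
                        "enctype": enctype, "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown"),
                        "key_hex": key.hex(), "weak": enctype in WEAK_ENCTYPES})
    return entries


# Constructed sample reproducing the ktpass output above; the timestamp is assumed.
SAMPLE_KEYTAB = build_keytab("HTTP/CELVIN-AD.CERASOFT.com@CERASOFT.COM", kvno=3, enctype=1,
                             key=bytes.fromhex("2980e5e561d394b6"), timestamp=1262304000)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%s kvno=%d etype=%s(%d) key=%s%s" % (
            e["principal"], e["kvno"], e["enctype_name"], e["enctype"], e["key_hex"],
            "  <-- weak enctype, re-key with AES" if e["weak"] else ""))
```

Two things worth checking with it on a real keytab: the kvno in the file must equal the account's current msDS-KeyVersionNumber (every further ktpass run or password reset bumps it and silently invalidates the old keytab), and no entry should use enctypes 1, 3 or 23 on a current domain.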


After setting up the keytab, the user logon name of the SPN user (its userPrincipalName) changes to HTTP/servername; you can verify this on the Account tab of CELVIN-AD_WLS.

4. You can add additional service principals using the setspn utility: setspn -a servicename/servername user

E:\Program Files\Support Tools>setspn -a HTTP/CELVIN-AD CELVIN-AD_WLS

Registering ServicePrincipalNames for CN=CELVIN-AD_WLS,CN=Users,DC=CERASOFT,DC=com
        HTTP/CELVIN-AD
Updated object

Register the short host name as well as the FQDN, because the browser builds the SPN from the host name it was given in the URL. Each SPN must exist on exactly one account: a duplicate SPN makes the domain controller log a KDC error about multiple accounts with that name and ticket requests for the service fail, which the browser reports as a login prompt or an NTLM fallback rather than an obvious error.


Check which SPNs are associated with the user

You can use the setspn utility, ldifde or ADSI Edit to check the SPNs:

C:\Documents and Settings\Administrator.CELVIN-AD>setspn -l CELVIN-AD_WLS
Registered ServicePrincipalNames for CN=CELVIN-AD_WLS,CN=Users,DC=CERASOFT,DC=com:
    HTTP/CELVIN-AD
    HTTP/CELVIN-AD.CERASOFT.com

Use ldifde to check which entries in the whole domain carry an SPN that mentions the server name; this is how you find the same SPN registered on another account:

C:\Documents and Settings\Administrator.CELVIN-AD>ldifde -f c:\spn_out.txt -d "DC=CERASOFT,DC=com" -l serviceprincipalname -r "(serviceprincipalname=*CELVIN-AD*)" -p subtree
Connecting to "CELVIN-AD.CERASOFT.com"
Logging in as current user using SSPI
Exporting directory to file c:\spn_out.txt
Searching for entries...
Writing out entries.
1 entries exported

The command has completed successfully

Example entry from spn_out.txt:

dn: CN=CELVIN-AD_WLS,CN=Users,DC=CERASOFT,DC=com
changetype: add
servicePrincipalName: HTTP/CELVIN-AD.CERASOFT.com

Exactly one entry should come back. If more do, the SPN is registered on several accounts, and Kerberos to this host will not work until the duplicates are removed (setspn -d spn account).
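To turn the ldifde export into an actual duplicate check, here is an added Python example (not from the original guide) that parses the LDIF, collects every servicePrincipalName per account and reports SPNs registered on more than one account, comparing case-insensitively because Active Directory does. The LDIF below is constructed: it contains the CELVIN-AD_WLS entry shown above plus a hypothetical account svc_old_web that also claims HTTP/CELVIN-AD; parse_ldif, duplicate_spns and spns_for are names chosen here. On Windows Server 2008 and later, setspn -X performs the same search directly against the forest.

```python
"""Find SPNs registered on more than one account in an ldifde export.
Added example, not part of the original guide."""
import base64
from collections import defaultdict

# Constructed LDIF: the CELVIN-AD_WLS entry from the guide plus a hypothetical
# second account, svc_old_web, that also claims HTTP/CELVIN-AD (different case).
SAMPLE_LDIF = """\
dn: CN=CELVIN-AD_WLS,CN=Users,DC=CERASOFT,DC=com
changetype: add
servicePrincipalName: HTTP/CELVIN-AD
servicePrincipalName: HTTP/CELVIN-AD.CERASOFT.com

dn: CN=svc_old_web,CN=Users,DC=CERASOFT,DC=com
changetype: add
servicePrincipalName: http/celvin-ad
servicePrincipalName: HTTP/oldweb.CERASOFT.com
"""


def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return {dn: [servicePrincipalName, ...]} for every entry in the export."""
    entries, dn, spns = {}, None, []
    for line in unfold(text) + [""]:       # trailing "" flushes the last entry
        if line == "":                     # a blank line ends an entry
            if dn is not None:
                entries[dn] = spns
            dn, spns = None, []
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>" for non-ASCII values
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        value, attr = value.strip(), attr.strip().lower()
        if attr == "dn":
            dn = value
        elif attr == "serviceprincipalname":
            spns.append(value)
    return entries


def duplicate_spns(entries):
    """{spn (lower-cased): [dn, ...]} for SPNs held by more than one account.
    AD matches SPNs case-insensitively, so HTTP/x and http/x collide."""
    owners = defaultdict(list)
    for dn, spns in entries.items():
        for spn in spns:
            owners[spn.lower()].append(dn)
    return {spn: dns for spn, dns in owners.items() if len(dns) > 1}


def spns_for(entries, dn_fragment):
    """All SPNs of the entries whose DN contains dn_fragment (case-insensitive)."""
    return [spn for dn, spns in entries.items()
            if dn_fragment.lower() in dn.lower() for spn in spns]


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("SPNs on CELVIN-AD_WLS:", spns_for(entries, "CN=CELVIN-AD_WLS"))
    for spn, dns in duplicate_spns(entries).items():
        print("DUPLICATE %s on %d accounts: %s" % (spn, len(dns), "; ".join(dns)))
```

For a real check, export the whole domain with a filter of (servicePrincipalName=HTTP/*) rather than the single server name, so that stale registrations on decommissioned service accounts show up too.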

Creating the JAAS Configuration File

The JAAS login configuration file identifies the login modules that direct WebLogic Server to allow Kerberos authentication to occur. The accept entries are what the Negotiate Identity Asserter uses to validate the SPNEGO tokens the browser sends, using the keytab created above.

com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/[email protected]"
    useKeyTab=true
    keyTab="E:\\bea\\bea.keytab"
    storeKey=true
    debug=true;
};

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/[email protected]"
    useKeyTab=true
    keyTab="E:\\bea\\bea.keytab"
    storeKey=true
    debug=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/[email protected]"
    useKeyTab=true
    keyTab="E:\\bea\\bea.keytab"
    storeKey=true
    debug=true;
};

Save the file as BEA_HOME\krb5login.conf; the path must match the -Djava.security.auth.login.config option added to the startup script later. Set debug=false once SSO works, since the debug output writes verbose Kerberos details to the server log.

Create Active Directory Authenticator in WebLogic Security Realm

A WebLogic security realm is a container for the users, groups, security policies, roles and providers that are used to protect WebLogic resources. We create an Active Directory authenticator so that Active Directory users and their groups are known to WebLogic.

1. Log in to the WebLogic Administration Console.
2. Select Security Realms from the Domain Structure.
3. Click Lock & Edit to make changes.
4. Select myrealm, the default WebLogic realm.


5. Click on the Providers tab.
6. Click New to add a new authenticator.
7. Type the name as ADName-AuthN, e.g. CeraSoftAD-AuthN.
8. Select the Type ActiveDirectoryAuthenticator.
9. Click OK to proceed.


10. Select the newly created provider from the summary list.
11. Click Common in the Configuration tab.
12. Change the Control Flag to OPTIONAL.
13. Click the Provider Specific tab.
14. Change the Group Base DN to reflect your Active Directory. It is the DN of the container under which WebLogic searches for groups, so it must contain the group to which bea_sso_ad belongs; for the default Users container of CERASOFT.com, enter CN=Users,DC=CERASOFT,DC=com.
15. Change the User Name Attribute to sAMAccountName (cn is selected by default). sAMAccountName is the recommended choice for Active Directory because it is the Windows logon name, which is what the Kerberos principal in the SSO token is mapped to; cn is the display name and often differs from it.


16. Enter the host name of the Active Directory machine.
17. In User From Name Filter, replace cn with sAMAccountName.
18. In Group From Name Filter, replace cn with sAMAccountName.


19. In User Base DN, enter the DN of the LDAP subtree that contains the users. For example, if users are defined in CERASOFT.COM/Users, enter CN=Users,DC=CERASOFT,DC=com.
20. Check that the Active Directory port is set correctly (389, or 636 when SSL is enabled).
21. In Principal, enter the DN of the user WebLogic uses to connect to Active Directory; for example, CN=Administrator,CN=Users,DC=CERASOFT,DC=com. The guide uses the domain Administrator, but a dedicated, unprivileged read-only account is the better choice: WebLogic only needs to search users and groups, and the credential is stored (encrypted) in the domain's config.xml on the server.
22. Enter the Credential and confirm it.
23. Click Save to continue.


Change the control flag of DefaultAuthenticator

   a. Select DefaultAuthenticator from the summary of providers.
   b. Change the control flag to OPTIONAL.

24. Click Activate Changes.
25. Restart the WebLogic service.

Check the Active Directory authenticator

1. Log on to the WebLogic Server Administration Console.
2. In Domain Structure, click Security Realms.
3. The Summary of Security Realms opens.
4. In Realms, click the default (active) realm; for example, myrealm.
5. In the settings page, select the Users and Groups tab.


6. Verify that the Active Directory users are listed.

Configure Negotiate Identity Asserter

The Negotiate Identity Assertion provider enables single sign-on (SSO) with Microsoft clients. It decodes the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) tokens that the browser sends in its Authorization: Negotiate header to obtain the Kerberos tokens inside, validates the Kerberos tokens against the keytab configured in the JAAS file, and maps them to WebLogic users. The provider uses the Java Generic Security Service (GSS) API to accept the GSS security context via Kerberos. A SPNEGO token that carries NTLM instead of Kerberos, which is what Internet Explorer sends when it cannot obtain a Kerberos ticket for the server's SPN, cannot be used by this provider; that is the usual reason for still seeing a login prompt after the setup is complete.

1. Log in to the WebLogic Administration Console.
2. Select Security Realms from the Domain Structure.
3. Click Lock & Edit to make changes.
4. Select myrealm, the default WebLogic realm.
5. Click on the Providers tab.
6. Click New to add a new provider.


7. Type the name as ADName-Neg_ID_Asserter, e.g. CeraSoftAD-Neg_ID_Asserter.
8. Select the Type NegotiateIdentityAsserter.
9. Click on the Provider Specific tab.
10. Uncheck Form Based Negotiation Enabled.


Reordering the Authentication providers

11. Click Reorder in the Authentication Providers list.
12. On the reorder page, move the Active Directory authenticator to first, the Negotiate Identity Asserter to second, DefaultAuthenticator to third and DefaultIdentityAsserter to fourth.
13. Click Activate Changes in the Change Center.
14. Restart the WebLogic service.


Granting WebLogic Administrator Role to the SSO User

1. Log in to the WebLogic Administration Console.
2. Click Security Realms in the Domain Structure.
3. In the Realms list, click the default (active) realm; for example, myrealm.
4. On the settings page, click the Roles and Policies tab.
5. Expand the Global Roles node.
6. Expand the Roles node.
7. Select View Role Conditions for Admin.


8. Click Add Conditions.
9. In the predicate list select Group.
10. Click Next to proceed.
11. In Group Argument Name, type the group to which bea_sso_ad belongs (here it is wls_users).
12. Click Add.
13. Type Administrators and click Add so that the Administrators group stays in the condition.
14. Click Finish.

Caveat: this makes every member of wls_users a WebLogic administrator. Since the guide uses wls_users as the group that holds all WebLogic users, either restrict its membership to the people who really administer the domain, or create a separate AD group (for example wls_admins) for this role condition and give ordinary users application roles only.


15. Click Save in the Global Settings window.

Add Kerberos options in WebLogic startup script

Edit the startup script of your WebLogic domain, for example C:\bea\user_projects\domains\ws_domain\bin\startWebLogic.cmd, to include the following Kerberos options. The realm, KDC address, login configuration path and krb5.ini path must match what was created above.

set KERB_OPTIONS=-Djava.security.krb5.realm=CERASOFT.COM -Djava.security.krb5.kdc=10.8.5.70 -Djava.security.auth.login.config=E:\bea\krb5Login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Djava.security.krb5.conf=C:\WINNT\krb5.ini

set JAVA_OPTIONS=%JAVA_OPTIONS% %KERB_OPTIONS%

If the Admin Server runs as the Windows service created earlier, the same options must also be present in the service's command line (set them in JAVA_OPTIONS before running installSvc.cmd), because the service does not read startWebLogic.cmd.

Enable debugging in WebLogic (Optional)

This is an optional step. If you enable debugging in WebLogic, increase the log rotation size from 500 KB to 2048 KB first, because the security debug output is verbose:

1. Log in to the WebLogic Administration Console.
2. Click Lock & Edit.
3. Click Servers.
4. Select the server for which you want to change the size.


5. Go to Logging > Rotation file size.
6. Change the size there.
7. Click Save and then Activate Changes.

Then enable the security debug flags:

1. Select the Admin Server from the summary of servers.
2. Go to the Debug tab.
3. Expand weblogic and then security.
4. Select DebugSecurityAtn, DebugSecurityAtz and DebugSecurity.
5. Click Enable.
6. Activate Changes in the Change Center.


Deploying Workspace

If you have already deployed Workspace, delete it from Deployments in the WebLogic Administration Console and deploy it again as described here.

Navigate to the expanded workspace directory; here it is

G:\Hyperion\deployments\WebLogic9\servers\Workspace\webapps


During the deployment process, specify these options on the Optional Settings page of the WebLogic Install Application Assistant:

1. In Security, select Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console.
2. In Source Accessibility, select I will make the deployment accessible from the following location.
3. In Location, enter G:\Hyperion\deployments\WebLogic9\servers\Workspace\webapps\workspace.

Configuring Workspace for SSO

Customizing EPM Workspace Services Configuration Scripts

EPM Workspace Services include scripts that can be launched interactively to configure various parts of the system. When the Manual option is selected during EPM Workspace deployment, the DEPLOYMENT_HOME variable declarations must be defined manually in %HYPERION_HOME%/products/Foundation/workspace/bin/settrustedpass.bat|sh

To define the variable:

1. In a text editor, open:

%HYPERION_HOME%/products/Foundation/workspace/bin/settrustedpass.bat

2. Replace all occurrences of $J(trustedPass.deploymentHome) with DEPLOYMENT_HOME,

where DEPLOYMENT_HOME is the file-system path to the deployed EPM Workspace Web application,

e.g. G:\Hyperion\deployments\WebLogic9\servers\Workspace\webapps\workspace

Run the batch file from a Windows CMD prompt: settrustedpass.bat
The default initial password is 123456.

Enter the new password at the prompt, then re-enter the new Trusted Password to confirm it.

Setting Up Workspace for Single Sign-On

Workspace delegates the process of handling external authentication and SSO to Workspace Core Services. To enable this process, you must define the trusted password that is used to establish trust between Workspace and Workspace Core Services.

Configuring Workspace for Single Sign-On

The configuration files involved in SSO are:

• ws.conf (Workspace SSO configuration file)
• tp.conf (trusted password configuration file)

These files are located in, for example, G:\Hyperion\deployments\WebLogic9\servers\Workspace\webapps\workspace\WEB-INF\config.

The SSO settings you define here are used by the Workspace CMC console.

1. Login to Workspace.

2. Go to Navigate > Administer > Authentication.

3. Enter the Trusted Password that we changed in the previous step.
4. Confirm the password.
5. Check Use user's logon credentials for pass-through.
6. Click OK.

7. To change the SSO configuration, we need to log in to the CMC console.

8. Start the Workspace Agent UI from Start > Oracle EPM System > Workspace > Utilities and Administration > Start Workspace Agent UI.

9. To launch the CMC, log in to Workspace and go to Navigate > Administer > Configuration Console.

10. From the Current View, select Web-Application Configuration.
11. Right-click on Workspace Web-Application.
12. Click Properties.

13. Click on the User Interface window.
14. From the drop-down, select $REMOTE LOGIN$ for Custom Username Policy.

15. From the drop-down, select $TRUSTEDPASS$ for Custom Password Policy.

Updating JVM Arguments of Workspace

To update the JVM arguments of Workspace:

1. Open the registry.

2. Navigate to HKLM\SOFTWARE\Hyperion Solutions\Workspace\HYS9Workspace
3. Add the following keys to the registry.
4. All JVMOptions are of type String.

JVMOption12 – assuming that the last JVMOption in the registry is JVMOption11.

JVMOption12 = -Djava.security.krb5.realm=CERASOFT.COM
JVMOption13 = -Djava.security.krb5.kdc=10.8.5.70
JVMOption14 = -Djava.security.auth.login.config=E:\bea\krb5Login.conf
JVMOption15 = -Djavax.security.auth.useSubjectCredsOnly=false
JVMOption16 = -Dweblogic.security.enableNegotiate=true
JVMOption17 = -Djava.security.krb5.conf=C:\WINNT\krb5.ini

Update JVMOptionCount to reflect the new number, i.e. 17.
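The registry edit above, done with a script instead of regedit, as an added example that is not part of the original guide. It assumes an elevated PowerShell session on the Workspace server; the key path, realm, KDC address and file paths are the guide's sample values and must be adjusted for your own site. It finds the highest existing JVMOptionN, appends only the options that are not already present, and sets JVMOptionCount to the new highest index, which is what the guide asks for.

```powershell
# Added example (not from the original guide): append the Kerberos JVM options to the
# Workspace service key and update JVMOptionCount. Run in an elevated PowerShell.
# The key path and option values are the guide's sample values (assumptions).
$KeyPath = 'HKLM:\SOFTWARE\Hyperion Solutions\Workspace\HYS9Workspace'

$KerberosOptions = @(
    '-Djava.security.krb5.realm=CERASOFT.COM',
    '-Djava.security.krb5.kdc=10.8.5.70',
    '-Djava.security.auth.login.config=E:\bea\krb5Login.conf',
    '-Djavax.security.auth.useSubjectCredsOnly=false',
    '-Dweblogic.security.enableNegotiate=true',
    '-Djava.security.krb5.conf=C:\WINNT\krb5.ini'
)

$key = Get-Item -Path $KeyPath   # throws if the Workspace service key is missing

# Indexes of the JVMOptionN values already present, so new options are appended
# after the highest index instead of overwriting an existing one.
$indexes = @($key.GetValueNames() |
    Where-Object { $_ -match '^JVMOption\d+$' } |
    ForEach-Object { [int]($_ -replace '^JVMOption', '') })
$next = if ($indexes.Count -gt 0) { ($indexes | Measure-Object -Maximum).Maximum + 1 } else { 1 }
# Existing option strings, trimmed so a stray trailing space does not defeat the check
$present = @($indexes | ForEach-Object { ([string]$key.GetValue("JVMOption$_")).Trim() })

foreach ($opt in $KerberosOptions) {
    if ($present -contains $opt) {
        Write-Host "Already configured, skipping: $opt"
        continue
    }
    # The guide states that every JVMOption is of type String (REG_SZ)
    New-ItemProperty -Path $KeyPath -Name "JVMOption$next" -Value $opt -PropertyType String | Out-Null
    Write-Host "JVMOption$next = $opt"
    $next++
}

# The guide requires JVMOptionCount to match the new highest index (17 in its example).
$count = $next - 1
if ($key.GetValueNames() -contains 'JVMOptionCount') {
    $kind = $key.GetValueKind('JVMOptionCount')   # keep whatever value type is already there
    Set-ItemProperty -Path $KeyPath -Name 'JVMOptionCount' -Value $count -Type $kind
} else {
    New-ItemProperty -Path $KeyPath -Name 'JVMOptionCount' -Value $count -PropertyType String | Out-Null
}
Write-Host "JVMOptionCount = $count"
```

Export the key with reg export before running it, so the previous JVM options can be restored if the service fails to start.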

Adding Policies to the Workspace Deployment

You must create custom policies for the URL patterns specific to the Workspace Web application.

To create custom policies:

1. Login to the WebLogic Administration console.
2. Click on Deployments in the Domain Structure.
3. Select workspace from the summary of deployments.
4. Click on the Security tab and go to URL Patterns.

5. Go to Policies

6. Click New.
7. Enter the URL Pattern as /index.jsp
8. Select the Provider Name as XACMLAuthorizer.

9. Select the newly created policy.
10. Click Add Conditions.
11. In Predicate List, select Group.
12. Click Next to proceed.

13. In the group argument name, type wls_users and click Add.
14. Click Finish.

External Authentication in Hyperion Shared Services

To use SSO, we must provision the MSAD users so that they can use Hyperion products.

1. Login to Shared Services using URL http://localhost:28080/interop/

2. Go to Administration > Configure User Directories.

3. Click Add to create a new directory.

4. Select Microsoft Active Directory from the given list.
5. Click Next to proceed.

6. Type a name for the directory.
7. Enter the Active Directory machine name in the Host Name field.
8. Check whether the port is correct.
9. Click on Fetch DNs.

10. Enter the User DN and click on Append Base DN. (This user can be an AD administrator or a user who can search for all the Hyperion users.)
11. Enter the password.

12. Click Next to proceed.

13. Enter a user name and click Auto Configure.
14. The User RDN and all other attributes will be populated.
15. Click Next to proceed.

16. You can configure MSAD groups in a similar way.

17. If you don't want to use MSAD groups, I would still recommend configuring a group in MSAD where that group is the only container and it doesn't have any users.
18. Click Finish to finish the external directory configuration.

19. Click OK.
20. Restart Shared Services.

21. Login to Shared Services.
22. Expand the newly created user directory.
23. Click on Users.

24. Click Search; it should populate all the AD users if the configuration is correct.

Configuring Browser on Client Computers

Browsers used to access Hyperion products should be configured for Integrated Windows Authentication. You must use a browser that is capable of handling the SPNEGO protocol, such as Internet Explorer 6 or later.

1. Login to the client machine as an ordinary Hyperion user.
2. Start a browser session.
3. Select Tools, and then Internet Options.

4. Click on Sites to add the intranet site.

5. Click on Advanced.

6. Type in the Workspace server name and click Add.
7. Click OK until you come back to the Internet Options.

8. Select Security in the Internet Options, then select Local Intranet.
9. Click on Custom Level.
10. In User Authentication, check Automatic logon only in Intranet zone.

11. In the Advanced tab, check whether Enable Integrated Windows Authentication is checked.

12. Click OK to finish the settings.

Open Internet Explorer and type in the Workspace URL http://servername/workspace. You'll see a window like the one shown, saying Loading.

If Kerberos authentication is working, you will not see the standard login screen.

Instead you'll be logged in without being asked for a username and password!
