Configuring Single Sign-on Between WebSphere Portal V6.1 and Windows Desktop using SPNEGO TAI

Transcription

1 Configuring Single Sign-on Between WebSphere Portal V6.1 and Windows Desktop using SPNEGO TAI A step by step guide to installing IBM WebSphere Portal V6.1, IBM DB2 V9.1, IBM HTTP Server V6.1 and for configuration steps of single sign-on between WebSphere Portal Server and Windows desktop using SPNEGO TAI (Kerberos authentication) Kerberos authentication can be configured to have single sign-on between Windows Desktop and WebSphere Portal V6.1. This is brand new and great opportunity for portal customers to implement one of the most required features in security configurations. Ali Beklen Software IT Architect, IBM Turkey alibek@tr.ibm.com Arden Agopyan Software IT Specialist, IBM CEEMEA arden@tr.ibm.com

2 Authors Ali Beklen, Software IT Architect, IBM Turkey Ali Beklen is a Software IT Architect working for IBM Turkey. He is experienced on designing integration solutions and he is Open Group Certified IT Specialist on collaboration solutions. Ali holds a Master of Computer Engineer degree from Maltepe University in Istanbul (Turkey). Arden Agopyan, Software IT Specialist, IBM CEEMEA arden@tr.ibm.com, Arden Agopyan is a WebSphere Application Infrastructure Community of Practice working for IBM Central & Eastern Europe, Middle East & Africa (CEEMEA). He is experienced on planning, design, implementation, and problem determination of WebSphere Infrastructure and Integration solutions. Arden holds a Computer Engineer degree from Galatasaray University in Istanbul (Turkey).

3 Section 1. Before you start Many portal installations require integration with any LDAP server -which can be an Active Directory- and in this case, also configuring Kerberos authentication to have single sign-on between Windows Desktop and WebSphere Portal. It was possible to have Active Directory integration but single sign-on (SSO) was not, until WebSphere Portal version V This is a brand new and great opportunity for portal customers to implement one of the most required features in security configurations. The aim of this tutorial is to allow users to use SPNEGO TAI for accessing WebSphere Portal Server resources without having to re-authenticate and to discover the WebSphere Portal V6.1 integration capabilities. Objectives In this complete step-by-step tutorial, learn how to: Install: o WebSphere Portal Extend V6.1 o DB2 Enterprise Server Edition V9.1 o IBM HTTP Server V6.1 Configure WebSphere Portal V6.1 to work with: o DB2 Enterprise Server Edition V9.1 o IBM HTTP Server. o Active Directory Configure WebSphere Portal V6.1 to have Single Sign-on between portal and Windows Desktop using SPNEGO TAI (Kerberos authentication). 1 This feature is available since WebSphere Application Server V6.1 but previous versions of WebSphere Portal were not running on this WebSphere Application Server version until WebSphere Portal V6.1.

4 Prerequisites This tutorial assumes that you re installing on Windows platform, on a single server environment and does not cover additional cluster configuration steps for the products listed above. This tutorial requires intermediate level WebSphere Application Server administration, Windows Domain and general Kerberos knowledge. System Requirements To implement this tutorial s scenario, you need the following software to install: WebSphere Portal Server V6.1 or above DB2 Enterprise V9.1 Microsoft Windows Server 2003 SP1 (W2K3) or above (server) Microsoft Windows XP Professional SP2 or above (client) Acronyms Following acronyms may be used in this tutorial: AD : Active Directory SPNEGO : Simple and Protected GSSAPI Negotiation Mechanism DNS : Domain Name System DC : Domain Controller DN : Distinguished Name SPN : Service Principal Name

5 Definitions SPNEGO: SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) is a GSSAPI "pseudo mechanism" which is used to negotiate one of a number of possible real mechanisms. SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. The pseudo-mechanism uses a protocol to determine what common GSSAPI mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner. Kerberos: Kerberos is a computer network authentication protocol, which allows individuals communicating over a non-secure network to prove their identity to one another in a secure manner. It is also a suite of free software published by Massachusetts Institute of Technology (MIT) that implements this protocol. Its designers aimed primarily at a client-server model, and it provides mutual authentication both the user and the server verify each other's identity. Active Directory: Active Directory (AD) is a technology created by Microsoft that provides a variety of network services, including: LDAP-like Directory services Kerberos based authentication DNS based naming and other network information Section 2. Tutorial Scenario Imagine a user who has authenticated to Windows Domain and doing his/her daily works. When he/she needs to use WebSphere Portal, he/she doesn t want

6 to enter his/her authentication credentials again and again. In this case, as a WebSphere Portal administrator, you will need to integrate your current portal architecture to Microsoft Active Directory which has domain users, and to configure SSO between WebSphere Portal Server and Microsoft AD by using SPNEGO TAI. On the other hand, you will need to configure Kerberos authentication mechanism. This tutorial s scenario is designed to achieve this business case. In order to implement such a configuration prototype; you will need to have at least following machines with the following minimum configurations and levels: Microsoft Windows Server 2003 SP1 (W2K3) o Active Directory Domain Controller o Microsoft DNS Server o Kerberos Key Distribution Center Microsoft Windows XP Professional SP2 2 o Mozilla Firefox o Microsoft Internet Explorer This tutorial also covers all of the installation steps of the necessary products. (See Introduction section of this tutorial for complete list of products) Figure 1 illustrates the final configuration of this scenario. Note that, Figure 1 also contains the host names which we are going to use in the rest of this tutorial. 2 This machine must be a domain member.

7 Figure 1 Tutorial scenario configuration Section 3. Installing WebSphere Portal Server V6.1 In this section, you will be installing WebSphere Portal V6.1 on portal61.ibmdemo.com server. In order to install the product follow these procedures: Login to portal61.ibmdemo.com with operating system s administrative privileges (i.e. Administrator). Go to the WebSphere Portal installation CD 1 directory. Run install.bat

8 Figure 2 WebSphere Portal installation - Step 1 Select Full option and click next 3. Figure 3 WebSphere Portal installation - Step 2 Type the installation directory path than click Next. In this example,

9 E:\IBM\WebSphere. Figure 4 WebSphere Portal installation - Step 3 Leave the Node name and Host name fields as default than click Next. o Attention: If you want to change the node name, please do not type more than 5 characters. 3 Administration option does not install any out of the box portlets.

10 Figure 5 WebSphere Portal installation - Step 4 Type the Administrative user ID and the Administrative password (with its confirmation) and click next. These credentials will be used to manage your portal and its underlying application server.

11 Figure 6 WebSphere Portal installation - Step 5 Do not select Use Microsoft Windows Services option unless you are installing on a production environment, than click Next. Figure 7 WebSphere Portal installation step 6 Check the final installation information and if you are ready for the installation, click Next. o Attention: Installation can take several minutes to complete. Please be patient.

12 Figure 8 WebSphere Portal installation - Step 7 You must get the Installation was successful window. Congratulations! You have installed WebSphere Portal V6.1 successfully. In order to validate your installation: Open a Web browser. Navigate to: Enter administrative user ID and its password o For example, user ID: wpsadmin, password: wpsadmin. If you are able to login and see the welcome page successfully you can proceed to the next step. Section 4. Installing DB2

13 WebSphere Portal can hold its configuration data in a DB2 database. In order to transfer WebSphere Portal configuration data to DB2 we will install a fresh copy of DB2 ESE V9.1. Before installing DB2 ESE V9.1, log in to portal61.ibmdemo.com server with a user ID that has operating system administrative authority. This user should have the following specifications: Click Start > Programs > Administrative Tools > Computer Management > Local Users and Groups. o Belong to the local Administrator group o Act as part of the operating system Click Start > Programs > Administrative Tools > Local Security Policy. Then, click Local Policies > User Rights Assignment. o Act as part of the operating system o Have permissions to create a token object o Windows 2003 only: Have permissions to adjust memory quotas for a process o Have permissions to replace a process level token In order to install DB2, follow these procedures: Go to the DB2 install base directory and run setup.exe

14 Figure 9 DB2 ESE V9.1 installation - Step 1 In the welcome screen click Next. Figure 9 DB2 ESE V9.1 installation - Step 2 Select I accept the terms in the license agreement option and click Next.

15 Figure 10 DB2 ESE V9.1 installation - Step 2 Select Typical as the installation type and click Next. Figure 11 DB2 ESE V9.1 installation - Step 3

16 In the following screen, select the third option. If you want to change the default path, type a path for the response file and click Next. o Tip: This will allow you to save your installation settings in a response file. With this response file, you will not need to re-enter these settings when you install this product later on a server. Figure 12 DB2 ESE V9.1 installation - Step 4 Type the installation path of DB2 ESE V9.1 and click Next. In this tutorial case: E:\IBM\DB2\SQLLIB.

17 Figure 13 DB2 ESE V9.1 installation- Step 5 In following screen, in order to configure a DB2 administrative user, in the following screen, select your existing domain and type db2admin for both User name and Password. Select the Use the same user name and password option and click Next. Attention: This user will be created in your domain and you have to observe your domain password policy rules.

18 Figure 14 DB2 ESE V9.1 installation - Step 6 Select Create the default DB2 instance option and click Next. Figure 15 DB2 ESE V9.1 installation - Step 7

19 Select Single partition instance and click Next. Figure 16 DB2 ESE V9.1 installation - Step 8 Figure 17 DB2 ESE V9.1 installation - Step 9

20 Select DB2 under DB2 instances. Click Configure to check if the port number is and click OK, then click Next in the main dialog. Figure 18 DB2 ESE V9.1 installation - Step 10 Select Prepare the DB2 tools catalog, select DB2 as an instance and select New for both database and schema, click Next.

21 Figure 19 DB2 ESE V9.1 installation - Step 11 Uncheck the Set up your DB2 server to send notifications because we don t need it for now, and click Next. Figure 20 DB2 ESE V9.1 installation - Step 12

22 Select the Enable operating system security and click Next. Figure 21 DB2 ESE V9.1 installation - Step 13 Check the current installation settings and click Finish. Figure 22 DB2 ESE V9.1 installation - Step 14

23 Uncheck the Automatically launch option and click Finish. Congratulations! You have successfully installed the DB2 ESE V9.1! Section 5. Transferring WebSphere Portal configuration data to DB2 In this section, you will edit some property files and run validation and transferring tasks to transfer WebSphere Portal V6.1 configuration data to DB2 ESE V9.1. Before starting, locate following files and create a backup copy of each one without changing any values: wp_profile_root/configengine/properties/wkplc.properties wp_profile_root/configengine/properties/wkplc_comp.properties wp_profile_root/configengine/properties/wkplc_dbtype.properties Changing wkplc_comp.properties The WebSphere Portal database can be used to hold information for applications such as Feedback and LikeMinds. Use similar naming conventions for property values such as release.dbname, jcr.dbname, feedback.dbname, and likeminds.dbname (all these are required). Example values for release Db are: release.dbtype release.dbname db2 Release

24 release.dbschema release.datasourcename release.dburl release.dbuser release.dbpassword Release releasedbds jdbc:db2://portal61.ibmdemo.com:50000/releasedb :returnalias=0; db2admin db2admin Tips: o Use a forward slash (/) instead of a backslash (\). o There might be some additional database properties other than the ones listed here. Change only the properties within this task and skip all other properties. o The recommended value listed for each property represents the specific information that is required to configure WebSphere Portal for your target database. o Do not create database for every database request, use schemas instead of it. For example: o Type wpsdb for dbdomain.dbname for every databases except jcr, type jcrdb for jcr database. o Type different dbdomain.dbschema values for every database. o The values for at least one of the following properties must be unique for the release, customization, community, and JCR domains: dbdomain.dbtype dbdomain.dbname dbdomain.dburl

25 dbdomain.dbschema Warning: If you use the same values for all four properties across the release, customization, community, and JCR domains, the database-transfer task will fail because of ambiguous database object names. If DbUser, DbUrl, and DbPassword are not the same across domains, the value for DataSourceName must differ from the DataSourceName of the other domains. In other words, this value must be unique for the database domain. In wkplc_comp.properties, most properties are repeated for each domain. Use a text editor to open the properties file wkplc_comp.properties and modify the values corresponding to your environment. Save and close the file when you finish editing. Changing wkplc_dbtype.properties Update the following properties in the file wkplc_dbtype.properties. Example values: db2.dbdriver db2.dblibrary com.ibm.db2.jcc.db2driver E:/IBM/DB2/SQLLIB/java/db2jcc.jar; E:/IBM/DB2/SQLLIB/java/db2jcc_license_cu.jar db2.jdbcprovidername wpdbjdbc_db2 Save and close the file when you finish editing. Changing wkplc.properties

26 Update the following property in the file wkplc.properties. Example values: WasPassword PortalAdminPwd Wpsadmin Wpsadmin Save and close the file when you finish editing. Changing Derby timeout settings and Total transaction lifetime timeout Derby timeout settings for wpsdb and JTA need to be increased. To increase the default value of Derby timeout, 30 to 180, modify the file derby.properties located in the path wp_profile_root/portalserver/derby by adding the following line: derby.locks.waittimeout=180 In order to update Total transaction lifetime timeout: Login to the WebSphere Portal administrative console. Navigate to: Application servers > WebSphere_Portal > Transaction Service. Increase the value for Total transaction lifetime timeout, for example, 360. Setting up the database

27 Go to the directory: wp_profile_root/configengine. To create the databases, type the following command: ConfigEngine.bat create-database Figure 23 Database transfer - Step 1 Figure 24 Database transfer - Step 2 There must be a Build Successful message. Hint: Check the services file on the DB2 server system. If it does not specify DB2 connection and interrupt service ports, specify the ports for your operating system.

28 In order to add the service definition of DB2: Use a text editor to open the file: %SYSTEMROOT%\system32\drivers\etc\services. Add the text db2c_db /tcp, where db2 is the default instance. Creating database users To create the database users, type the following command: ConfigEngine.bat setup-database Figure 25 Database transfer - Step 3 Figure 26 Database transfer - Step 4 There must be a Build Successful message.

29 Validating configuration In order to validate the configuration you have done, open a command prompt and go to the directory: wp_profile_root/configengine. Enter the following commands to validate the configuration properties. DB Driver validation command: ConfigEngine.bat validate-database-driver -DTransferDomainList=release,customization,community,jcr,feedback,likeminds Figure 27 Database transfer - Step 5 Figure 28 Database transfer - Step 6

30 There must be a Build Successful message. DB Connection validation command: ConfigEngine.bat validate-database-connection -DTransferDomainList=release,customization,community,jcr,feedback,likeminds Figure 29 Database transfer - Step 7 Figure 30 Database transfer - Step 8 There must be a Build Successful message. In the same command prompt as the previous steps, go to the directory wp_profile_root/bin. Stop both WebSphere Application Server and the WebSphere Portal Server

31 Action Stopping WebSphere Application Server Stopping WebSphere Portal Server Command stopserver.bat server1 -username admin_userid -password admin_password stopserver.bat WebSphere_Portal -username admin_userid - password admin_password Figure 31 Database transfer - Step 9 Figure 32 Database transferring - Step 10 Transferring the database

32 Go to the directory wp_profile_root/configengine. Run the following command to start the database transfer: ConfigEngine.bat database-transfer -DTransferDomainList=release,customization,community,jcr,feedback,likeminds Figure 33 Database transfer - Step 11 Figure 34 Database transfer - Step 12 After running this task, a message must be added to the log files to verify that this task was successful. Check the log files. If the configuration fails, verify the values in the wkplc.properties, wkplc_comp.properties, and wkplc_dbtype.properties files and then repeat same steps. Reorg Check After transferring the database tables, perform a reorg check to improve the

33 performance. Perform this procedure for each database alias in the property file. Connect to a database by using the following command: db2 connect to database_alias user db2admin_userid using password When the connection is established, run the following command using the DB2 prompt: db2 reorgchk update statistics on table all > reorgcheck.out Figure 35 Database transfer - Step 13 Look in the reorg column for entries marked with a * (star or asterisk) in the file reorgcheck.out. For each line with a *, note the tablename and run the following commands for each tablename: db2 reorg table tablename db2 terminate After you have completed the reorg operation you must run the

34 following command: db2rbind database_name -l db2rbind.out -u db2_admin p password Note: The output file db2rbind.out is only created when there is an error for the db2rbind command. Validation of a successful transfer Go to the directory wp_profile_root/bin and start the WebSphere Portal with the following command: startserver.bat WebSphere_Portal To verify that the WebSphere Portal application server is running, open WebSphere Portal administrative console in a browser from the following URL: If you are able to login and see the Welcome page, it means that you successfully transferred your database to DB2. Section 6. Preparing the Active Directory server In this scenario, we need to use Microsoft AD as an LDAP to use same repository for WebSphere Portal Server and Windows Domain.

35 In order to achieve that, you need to register some users and groups which will help to communicate with WebSphere Portal. Required users and groups are: Users: wpsadmin: Primary administrative and primary portal administrative user. wpsbind: LDAP bind user. Groups: wpsadmins: Primary portal administrative group name. Creating an LDAP bind user Open the Active Directory Users and Computers application and create the LDAP bind user, wpsbind. After creating, add the user to the Administrators group and check the user properties.

36 Figure 36 Creating an LDAP bind user - Step 1 Figure 37 Creating an LDAP bind user - Step 2

37 Figure 38 Creating an LDAP bind user - Step 3 There is no need to put other users into Administrators group. Go to the directory wp_profile_root/portalserver/wizard and run the following command to start the configuration wizard: configwizard.bat Figure 39 Configuring security using wizard - Step 1

38 Select the Configuring security option then click Next. Figure 40 Configuring security using wizard - Step 2 There must be a username already assigned, so just type the password and click Next.

39 Figure 41 Configuring security using wizard - Step 3 Select Configuring Standalone LDAP registry option and click Next.

40 Figure 42 Configuring security using wizard - Step 4 Type the LDAP server s hostname and port and click Next. Note: LDAP port is generally 389. Figure 43 Configuring security using wizard - Step 5 Select Microsoft Active Directory 2003 as LDAP type and type the Bind distinguished name (this is the bind user that we have already created) and its password. Note: If you don t have it already, you can get the distinguished name by using an LDAP client (like JXplorer 4 ). You can connect to the LDAP and get all LDAP attributes with this kind of tools. 4 JXplorer is an open source, standards compliant general purpose java LDAP browser.

41 Figure 44 Configuring security using wizard - Step 6 In the following screen type Primary administrative user and Primary Portal administrative user credentials. Figure 45 Configuring security using wizard - Step 7

42 Leave the repository identifier and Realm name as default, type your base DN. Figure 46 Configuring security using wizard - Step 8 In the LDAP settings for Entity type Person screen, enter user for One or more object field and click Next.

43 Figure 47 Configuring security using wizard - Step 9 In the LDAP settings for Entity type Group screen, enter group for One or more object field and click Next

44 Figure 48 Configuring security using wizard - Step 10 In the LDAP settings for Group member attributes screen, enter: member for The name of the LDAP field group for The group object class.. field direct for The scope of the member field Click Next. Figure 48 Configuring security using wizard - Step 10 In the LDAP settings for Default Parent and RDN screen, enter the required values for PersonAccount and Group, type cn for the rest of the fields and click Next.

45 Figure 49 Configuring security using wizard - Step 11 In the LDAP Filter settings screen, leave the values as default and click Next.

46 Figure 50 Configuring security using wizard - Step 12 Review the settings and click Next. Figure 51 Configuring security using wizard - Step 13 There must be The task completed successfully message.

47 Figure 52 Configuring security using wizard - Step 14 Hint: For additional information, refer to the log file: \wp_profile\configengine\log\portal-ldap-security.log Section 7. Installing and configuring IBM HTTP Server and Plug-in for WebSphere Application Server In this section, we will install IBM HTTP Server V6.1 and the plug-in for WebSphere Application Server. We will also configure WebSphere Application Server to use IBM HTTP Server as a web server. Installing IBM HTTP Server V6.1 and Plug-in In order to install IBM HTTP Server and its Plug-in follow these steps: Go the IBM HTTP Server setup directory and run install.exe.

48 In the welcome screen, click Next. Figure 53 Installing IBM HTTP Server V6.1 and Plug-in - Step 1 Select I accept for the Software License Agreement and click Next. Figure 54 Installing IBM HTTP Server V6.1 and Plug-in - Step 2

49 If you get Passed message for system prerequisites check, click Next. If you get a Failed message get corrective action for the prerequisites before continuing the installation. Figure 55 Installing IBM HTTP Server V6.1 and Plug-in - Step 3 Type the preferred installation path and click Next. Here we used E:\IBM\IHS. Figure 56 Installing IBM HTTP Server V6.1 and Plug-in - Step 4

50 Leave the defaults for port values assignments and click Next. Figure 57 Installing IBM HTTP Server V6.1 and Plug-in - Step 5 Check all check boxes for Windows services creations and select Log on as a specified user account ; type the administrative user account for the domain and select Automatic as the startup type. Click Next.

51 Figure 58 Installing IBM HTTP Server V6.1 and Plug-in - Step 6 Check the user ID creation check box, type a new user id for IHS administration and click Next. Note: This is not a domain user. Figure 59 Installing IBM HTTP Server V6.1 and Plug-in - Step 7

52 Check the box to install the plug-in automatically, type the web server definition (name) and the hostname of the application server. Click Next. Figure 60 Installing IBM HTTP Server V6.1 and Plug-in - Step 8 Review the installation summary and click Next.

53 Figure 61 Installing IBM HTTP Server V6.1 and Plug-in - Step 9 Figure 62 Installing IBM HTTP Server V6.1 and Plug-in - Step 10 You must get the Success message. Click Finish. Warning: You have to edit the /IHS root/conf/httpd.conf file on the Web server in order to accept requests that contain trailing pathname information. To achieve this, set the AllowEncodedSlashes directive to On. This directive should be placed in the root level as a global directive. Configuring WebSphere Application Server to use IBM HTTP Server as a Web server In this section, we will configure WebSphere Application Server to use IBM HTTP Server as a web server. In order to achieve this configuration:

54 Go to the directory: /wp_profile/bin/ Start the WebSphere Portal, if it is not started. o startserver.bat WebSphere_Portal Login to WebSphere Application Server by typing the following URL: o From the Integrated Solution Console o Navigate to Server > Web Servers Click New server Type the server name (here, webserver1), select IBM HTTP Server as the server type, type the hostname and select Windows for your platform if it is not already selected. Click Next. Figure 63 Configuring WebSphere Application Server with IBM HTTP Server In the following screen, click Next.

55 Figure 64 Configuring WebSphere Application Server with IBM HTTP Server Fill the fields according to your IBM HTTP Server setup settings and click Next.

56 Figure 64 Configuring WebSphere Application Server with IBM HTTP Server Check your final settings and click Finish. Figure 65 Configuring WebSphere Application Server with IBM HTTP Server To save your new configuration to the WebSphere Application Server s master repository, click the Save link.

57 Figure 66 Configuring WebSphere Application Server with IBM HTTP Server Restart your IBM HTTP server. Figure 67 Configuring WebSphere Application Server with IBM HTTP Server

58 Click Generate Plug-in and then click Propagate Plug-in respectively to generate plug-in file. Click stop and then click start button to restart the server to reload the plug-in to the web server. Check the server status. Congratulations! You have successfully installed and configured IBM HTTP Server and Plug-in for WebSphere Application Server. Section 8. Configuring Kerberos Authentication using SPNEGO TAI In this section, we will configure Single Sign-On between Windows Desktop and WebSphere Portal Server. The objective of this section is to permit users to successfully access WebSphere Portal Server resources without having to re-authenticate and thus achieve Microsoft Windows desktop single sign-on capability. To achieve this configuration, we will see how to: On the Domain Controller Machine: Create a user account for the WebSphere Application Server in Microsoft Active Directory. This account will be eventually mapped to the Kerberos service principal name (SPN). On the Microsoft Active Directory machine where the Kerberos key distribution center (KDC) is active, map the user account to the Kerberos service principal name (SPN). Create the Kerberos keytab file and make it available to WebSphere Application Server. You can use the ktpass tool to

59 create the Kerberos keytab file (krb5.keytab). On the WebSphere Application Server Machine: Enable SPNEGO TAI. Create SPNEGO TAI properties. Configure JVM properties and enable the SPNEGO TAI in WebSphere Application Server in which it is defined. Install the Kerberos keytab file (created in Step 1) on the WebSphere Application Server machine. Create a basic Kerberos configuration file (krb5.ini or krb5.conf). On the client machine: Configure your Web browser to use SPNEGO authentication. (Firefox and Internet Explorer configurations are covered in this step.) Creating an Active Directory user account Open the Active Directory user management console

60 Figure 68 Creating a user account Step 1 Create a user named portalkerberos as a domain user. (This name is just an example) Figure 69 Creating a user account Step 2 Select Password never expires option. Mapping the user to the Kerberos service principal name (SPN)

61 Download and install Windows Server 2003 support tools from Microsoft web site. (Example link for W2K3 32 bit support tools: B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en) Go to your support tools installation directory. Run the setspn command with the following parameters: Setspn A HTTP/portal61.ibmdemo.com portalkerberos (Where portal61.ibmdemo.com is the hostname and portalkerberos is the username.) Figure 70 Mapping the user account to the Kerberos SPN Create the Kerberos keytab file Create a temp directory. In this tutorial, we created C:\Temp. Go to the support tools installation directory.

62 Run the ktpass command with the following parameters: ktpass out c:\temp\krb5.keytab -princ -mapuser portalkerberos -mapop set -pass portalkerberos -crypto rc4-hmac Figure 71 Create the Kerberos keytab file Warning: Don t use the argument value crypto DES-CBC-MD5 which is shown in the figure. You have to use -crypto rc4-hmac. Enabling and configuring the SPNEGO TAI In this section we will complete steps to enable and configure SPNEGO TAI Enabling Perform the following steps to enable the Simple and Protected GSS-API Negotiation Mechanism trust association interceptor: Log on to the WebSphere Application Server administrative console. Click Security > Secure administration, applications, and

63 infrastructure. Click Web security and then click Trust association. Ensure that the Enable trust association checkbox is checked and then click Interceptors. Click New and then type com.ibm.ws.security.spnego.trustassociationinterceptorimpl in the Interceptor class name text field. Click OK and then click the Save to save changes to the master configuration repository. Configuring the trust association Log on to the WebSphere Application Server administrative console. Click Security > Secure administration, applications, and infrastructure. Click Web security and then click Trust association. Ensure that the Enable trust association checkbox is checked and then click Interceptors. Click com.ibm.ws.security.spnego.trustassociationinterceptorimpl Click Custom properties. Click New. Type com.ibm.ws.security.spnego.spn1.hostname for the Name field. Type portal61.ibdemo.com for Value field. Click Save. Click New to create a new property: Type com.ibm.ws.security.spnego.spn1.filterclass for the Name field.

64 Type com.ibm.ws.security.spnego.httpheaderfilter for the Value field. Save your changes to the master configuration repository. You will have your new properties in the Custom Properties list as below: Name Value com.ibm.ws.security.spnego.spn1.ho portal61.ibdemo.com stname com.ibm.ws.security.spnego.spn1.filt com.ibm.ws.security.spnego.httphea erclass derfilter Figure 72 SPNEGO custom properties Configuring JVM properties Log in to WebSphere Application Server administrative console. Click Servers > Application servers.

65 Select appropriate servers, then click Java and process management. Then click Process Definition. Click Java virtual machine and locate the Generic JVM arguments text box. Add the following: -Dcom.ibm.ws.security.spnego.isEnabled=true Click Servers > Application servers. Select appropriate servers, then click Java and process management. Then click Process Definition. Click Java virtual machine and click Custom Properties. Click New and type com.ibm.ws.security.spnego.isenabled for the Name field and type true for the Value field. Save your changes to the master configuration repository. Figure 73 JVM custom properties

66 Installing the Kerberos keytab file Go the directory: wp_profile/bin. Start server1 with the following command : startserver.bat server1 Figure 74 Starting server1 Check that C:\winnt folder exists. If not, create it. Copy the C:\temp\krb5.keytab file that we have already created to C:\winnt folder. Go to AppServer/bin directory and run wsadmin.bat. Figure 75 Using the wsadmin tool When you get WASX7209I prompt, run the following command to

67 install the keytab file: $AdminTask createkrbconfigfile {-krbpath c:\winnt\krb5.ini -realm IBMDEMO.COM -kdchost portal61.ibmdemo.com -dns ibmdemo.com -keytabpath c:\winnt\krb5.keytab -encryption rc4-hmac} Restart WebSphere Portal and server1. Client Web Browser Configuration Client-side applications are responsible for generating the SPNEGO token for use by the SPNEGO TAI. That s why, we have to configure client Web browsers too. In this section, you can find the configuration steps for Microsoft Internet Explorer and Mozilla Firefox. Microsoft Internet Explorer From the desktop, log in to the Windows Active Directory domain. Open a Microsoft Internet Explorer browser. In the Internet Explorer, go to Tools > Internet Options > Security tab. Select the Local intranet icon and click Sites. In the Local intranet window, ensure that Include all local (intranet) not listed in other zones check box is checked. Click Advanced.

68 In the Local intranet window, fill in the Add this Web site to the zone field with the Web address of the hostname so that the single sign-on (SSO) can be enabled to the list of the Web sites shown in the Web sites field. We will type here portal61.ibmdemo.com for this tutorial. Click OK to complete this step and close the Local intranet window. In the Internet Options window, click the Advanced tab and scroll to the Security settings. Ensure that the Enable Integrated Windows Authentication (requires restart) check box is checked. Click OK and restart your Internet Explorer to activate this configuration. Mozilla FireFox Open a Mozilla Firefox browser. In the address field, type about:config. In the Filter field, type network.n Double click on network.negotiate-auth.trusted-uris. This preference lists the sites that are permitted to engage in SPNEGO Authentication with the browser. Enter a comma-delimited list of trusted domains or URLs. We will type here portal61.ibmdemo.com for this tutorial. From the desktop, log in to the Windows Active Directory domain.

69 Validating Single Sign-On Now, it s time to validate your configurations for SSO. Warning: You must validate your configuration on a machine other than Domain Controller Server. From the desktop, log in to the Windows Active Directory domain. Open your Web browser. Go the address, You must be able to login directly without typing your credentials. Note: If it is not possible to login, check the server log for a detailed error message. If you installed WebSphere Portal Server on a different machine, date and time settings must be synchronized with Domain Controller machine. Congratulations! You have successfully configured Single Sign-On between Windows and WebSphere Portal Server. Section 9. Summary This tutorial showed you how you can install WebSphere Portal and DB2, transfer WebSphere Portal data to DB2, and configure Windows Desktop and SPNEGO TAI for accessing WebSphere Portal Server resources without having to re-authenticate. Resources IBM WebSphere Portal Server V6.1 Infocenter IBM WebSphere Application Server V6.1 Infocenter

70 Trademarks IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. These and other IBM trademarked terms are marked on their first occurrence in this information with the appropriate symbol ( or ), indicating US registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both: AIX 5L AIX Build Forge CICS ClearCase MultiSite ClearCase ClearQuest DataPower DB2 Connect DB2 developerworks Domino HACMP i5/os IBM Informix iseries Language Environment Lotus OMEGAMON Parallel Sysplex POWER PR/SM Processor Resource/Systems Manager RACF Rational Rose Rational Redbooks Redbooks (logo) RequisitePro System i System z Tivoli VTAM WebSphere z/os zseries The following terms are trademarks of other companies: AMD, AMD Opteron, the AMD Arrow logo, and combinations thereof, are trademarks of Advanced Micro Devices, Inc. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office. Novell, SUSE, the Novell logo, and the N logo are registered trademarks of Novell, Inc. in the United States

71 and other countries. Oracle, JD Edwards, PeopleSoft, Siebel, and TopLink are registered trademarks of Oracle Corporation and/or its affiliates. SAP, and SAP logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries. EJB, Enterprise JavaBeans, J2EE, J2SE, Java, JavaBeans, Javadoc, JavaScript, JavaServer, JDBC, JDK, JMX, JNI, JRE, JSP, JVM, Solaris, Sun, Sun Java, ZFS, and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Active Directory, ActiveX, Microsoft, SQL Server, Windows Server, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Intel Itanium, Intel Pentium, Intel, Itanium, Pentium, Intel logo, Intel Inside logo, and Intel Centrino logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others.