Step- by- Step guide to extend Credential Sync between IBM WebSphere Portal 8.5 credential vault and Active Directory 2012 using Security Directory

Transcription

1 Step- by- Step guide to extend Credential Sync between IBM WebSphere Portal 8.5 credential vault and Active Directory 2012 using Security Directory Integrator (ex TDI) on Red- Hat (part 3)

2 Summary STEP- BY- STEP GUIDE TO EXTEND CREDENTIAL SYNC BETWEEN IBM WEBSPHERE PORTAL 8.5 CREDENTIAL VAULT AND ACTIVE DIRECTORY 2012 USING SECURITY DIRECTORY INTEGRATOR (EX TDI) ON RED- HAT (PART 3)... 1 ABSTRACT... 3 WINDOWS/UNIX DIFFERENCES... 3 HOSTNAMES USED IN THIS GUIDE... 3 MAIN GUIDE... 4 Pre check... 4 ARCHITECTURAL SCENARIO... 6 CONFIGURING TIVOLI DIRECTORY INTEGRATOR PASSWORD INTERCEPTOR... 7 CONFIGURE LDAP STORE... 9 Modifying the schema of Active Directory... 9 Configuration Pwd Plugin AUTHOR:... 12

3 Abstract This guide want to explain how install, and configure, Security Directory server to synchronize user Password between AD 2012 and IBM Portal 8.5 Credential Vault. IBM WebSphere Portal Server 8.5 Red Hat Enterprise Linux 6.0 update 3 DB Active Directory 2012 R2 mixed mode IBM HTTP Server 8.0 Security Directory Integrator 7.2 Security Directory Server Windows/Unix Differences This guide was written using Linux as the base operating system, however the steps/concepts listed in this guide are independent of operating system. The only significant difference is that for Windows, you must use the batch file commands instead of the UNIX shell commands listed in this guide. For example: UNIX:./startServer.sh WebSphere_Portal Windows: startserver.bat WebSphere_Portal Or UNIX:./ConfigEngine.sh cluster-node-config-cluster-setup Windows: ConfigEngine.bat cluster-node-config-cluster-setup Hostnames Used in this Guide To avoid confusion with my own hostnames, I've replaced each instance of the hostnames of my Servers with a sample value that corresponds to the server it belongs to so that it may be easier to understand which server I'm referring to in my examples. I use the following values: Database Server: LDAP Server: IBM HTTP Server: SDI Server: dbstore.ondemand.com ldap.ondemand.com portal.ondemand.com sdi.ondemand.com

4 Main Guide Pre check Verify have more then 5GB on temporary directory /tmp Open terminal and verify if your system is reachable using fully qualified hostname /]# ping first.ondemand.com In the same terminal, execute /]# ping localhost To verify the localhost network settings are configured properly on your machine. Linux/UNIX environments only. If in your environment do not use IPV6 verify that is disable in each machine. In the same terminal, execute /]# cat /etc/sysconfig/network And verify if your NETWORKING_IPV6 is set to no Ensure have sufficient file open limit, is set to or higher. ulimit -n Web Content Manager only: Complete the following steps to remove any file size limits: Use the ulimit -f command to set the maximum size of files that can be created. Following library is needed during installation process, if you do not configure X environment verify you can use export display to use each wizard, in this guide I use this method to execute installation. gtk el6.x86_64.rpm glib el6.x86_64.rpm libxtst el6.x86_64.rpm compat-libstdc el6.x86_64.rpm openmotif el6.x86_64.rpm pam el6.x86_64.rpm libxp el6.x86_64.rpm libxmu el6.x86_64.rpm kernel-headers el5.x86_64.rpm compat-glibc-headers x86_64.rpm compat-glibc x86_64.rpm libgtk-x so.0 libgtk-x so.0 libcanberra-gtk-module.so glibc el6.i686.rpm

5 compat-libstdc el6.x86_64.rpm compat-libstdc el6.i686.rpm yum search el6.i686.rpm libxp el6.x86_64.rpm openmotif el6.i686.rpm xterm xkeyboard-config tigervnc-server svn4359.el6.x86_64.rpm xorg-x11-twm el6.x86_64.rpm xorg-x11-font*

6 Architectural Scenario In this scenario, we have one AD, where we will install Password Interceptor, one server where we will install Security Directory Server and Security Directory Integrator, and ours Portal Environment. The idea is: when user change him password using Windows GINA, Password Interceptor catch password, encrypt it and store in a dedicated LDAP, when Password is store into LDAP, now Password interceptor commit to AD Password catch, and AD commit to user Password changed and run an Assembly Line that propagate new Password to Portal Credential Vault. In this mode configuring Kerberos SSO in Portal environment, when user open Portal page that show a portlet than use Credential Vault extending the SSO to another application can be authenticate user without reinsert his credential.

7 Configuring Tivoli Directory Integrator password interceptor Before you deploy the Windows Password Synchronizer, you must modify the Local Security Policy settings. Change the Local Security Policy as follows: Procedure 1. Select Control Panel > Administrative Tools > Local Security Policy. 2. Select Account Policies > Password Policy. 3. Select Passwords must meet complexity requirements > enabled. Results Note: 1. Restart the system for this change to take place. Make sure that you set up the Password Store properties file before you restart the system. 2. If the Windows Server is configured as a domain controller, you must apply the Passwords must meet complexity requirements setting to the Active Directory Domain. Therefore, you must use the Domain Security Policy tool to modify the settings. The Tivoli Directory Server password synchronizer intercepts changes to LDAP passwords. The first step is to register the plug-in with the IBM Directory Server. Before start you must execute some step to complete configuration steps to register the Password Synchronizer for password change notifications. 1. From the TDI_install_dir\pwd_plugins\windows directory, copy the DLL file tdipwflt.dll of the Windows Password Synchronizer to the System32 folder of the Windows installation folder. On 64 bit Windows operating systems, you must paste the 64 bit DLL of the Password Synchronizer in the System32 folder. 2. Add the name of the Windows Password Synchronizer DLL, tdipwflt_64 to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages Windows registry key. Do not delete any of the existing data from the Notification Packages.

8 3. From the TDI_install_dir\pwd_plugins\windows directory, run the registerpwsync.reg file, which is shipped with the Password Synchronizer. click yes The following key is created for the Windows Password Synchronizer in the Windows registry: HKEY_LOCAL_MACHINE\SOFTWARE\IBM\Security Directory Integrator\Windows Password Synchronizer Also, a string value ConfigFile is set and it contains the absolute file name of the configuration file of the Windows Password Synchronizer. 4. Restart the System

9 Configure LDAP Store Now to use your password interceptor, you must define where it write each information, in my case i use ldap to store information, in specific i choose to use AD as store. Modifying the schema of Active Directory You must modify the schema of the Sun Directory Server and the Active Directory with necessary configuration before you install the LDAP Password Store. Procedure 1. Modify the LDAP schema of the Sun Directory Server. Run the following command as one line: 2. ldapmodify -c -h LDAP Hostname -D admin DN -w admin PW-f TDI_install_dir/pwd_plugins/etc/ibm-diPersonForSunDS.ldif 3. Modify the LDAP schema of the Active Directory: a. Enable the Active Directory schema modification by editing the Windows registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters Add a REG_DWORD value named Schema Update Allowed with a value of 1 or any value greater than 0. b. Update sample domain with your domain in ibm-dipersonschemaforad.ldif In my case DC=shamrock,DC=com c. Run the following command to update the LDAP schema: ldifde -i -f TDI_install_dir/pwd_plugins/etc/ibmdiPersonSchemaForAD.ldif d. Open the Microsoft Management Console. e. Create a new Organizational Unit to store the changed passwords. f. Get the Distinguished Name of the Organizational Unit by using one of the following tools: ldifde.exe, csvde.exe, ordsquery.exe. The names are used when you configure the suffix of the LDAP Password Store in the pwsync.props file. g. Create an OrganizationalUint where store your password interceptor data OU=LDAPStore

10 Configuration Pwd Plugin You must set the properties of LDAP Password Store in the pwsync.props configuration file. The LDAP Password Store is therefore configured in the pwsync.props file of the plug-in. Note: In the configuration file, you must manually encrypt each password property. You can use the encryptpasswd utility for encryption. This utility uses a symmetric algorithm for encryption of the passwords. Make sure that the pwsync.props file is readable only by the trusted system users. The encryptpasswd utility requires that the password is passed as a parameter. The encrypted password is printed on the standard output. 1. Create an user to bind your ldap in my case tdipi /Td1P4ssw0rd$ 2. Create directory logs inside of <TDI_Home>/pwd_plugins, where set your log files. 3. Change log attribute to mapping your directory, remember Backslashes must be escaped logfile=c:\\ibm\\tdi\\v7.2\\pwd_plugins\\logs\\plugin.log javalogfile=c:\\ibm\\tdi\\v7.2\\pwd_plugins\\logs\\proxy.log 4. change syncclass to activate LDAP Store: The class for the LDAP Password Store is: com.ibm.di.plugin.pwstore.ldap.ldappasswordstore. syncclass=com.ibm.di.plugin.pwstore.ldap.ldappasswordstore 5. Mapping your LDAP attribute references: ldap.hostname=localhost ldap.port=389 ldap.admindn=tidipi@shamrock ldap.password=0c0bf0e3146b ldap.waitforstore=true ldap.suffix=ou=ldapstore,dc=shamrock,dc=com ldap.schemapersonobjectname=ibm-diperson ldap.schemauseridattributename=ibm-diuserid ldap.schemapasswordattributename=ibm-dipassword The suffix keyword is used to identify the container where the objects that contain the user ID and new password value are found. There are some additional optional keywords that you can use to override the default object class and attribute definitions. You can add the following properties name in the pwsync.props files and their associated default values: ldap.schemapersonobjectname ibm-diperson ldap.schemauseridattributename ibm-diuserid ldap.schemapasswordattributename ibm-dipassword Another optional attribute, ldap.delaymillis, is used when the ldap.waitforstore property is set to false. Whenldap.waitForStore=false, the ldap.delaymillis specifies the number of milliseconds of delay before the storage. A deadlock can occur when the: o IBM Security Directory Integrator Password Synchronizer for the Windows system is configured to use the LDAP Password Store. o LDAP Password Store is configured to store into the Active Directory on the same system where the Password Synchronizer is installed.

11 To avoid the deadlock, use this asynchronous mode of operation. In an asynchronous mode ldap.waitforstore=false, the password catcher code that communicates with the Windows system returns control to the Windows. After a short delay, the password store code that is running a separate thread attempts to store the password update into the Active Directory. If ldap.waitforstore=false and no value is specified for ldap.delaymillis, then a default of ldap.delaymillis=2000 is used. In this configuration, any Password Store failures are reported by using the log file, which is specified in the logfilepath property 6. If you want activate asymmetric password encryption set to true encrypt attribute. encrypt=true To disable asymmetric password encryption, set encrypt=false. When encrypt=false, any value inencryptkeystorefilepath, encryptkeystorefilepassword, encryptkeystorecertificat e, and encryptkeypassword is ignored. Password encryption Encryption of password values is supported by both the LDAP Password Store and the JMS Password Store. By default, the encryption is disabled. To turn it on, set the encrypt property to true. When encryption is used, the encryptkeystorefilepath, encryptkeystorefilepassword, and encryptkeystorecertifcate property values must also be set. The encryptkeypassword property must be set if you are using the LDAP Password Store. TheencryptKeyPassword property is irrelevant for the rest of the Password Stores. The password encryption and decryption functions use the RSA algorithm. The following example shows configuration properties for the encryption function: encryptkeystorefilepath=path to the keystore file encryptkeystorefilepassword=password of the keystore file; encoded with the "encryptpasswd" tool encryptkeystorecertifcate=the alias of the public key certificate in the keystore encryptkeypassword=password of the private key; encoded with 1. Create your.jks store certificate a. Create directory certs in your <TDI_Home>/pwd_plugins directory b. From <TDI_Home>/jvm/jre/bin execute keytool keytool -genkeypair -alias TDIPwdInt -keyalg RSA -keystore C:\IBM\TDI\V7.2\pwd_plugins\certs\tdiKey.jks -keysize dname cn=srvad01.shamrock.com -keypass myprivatekeypass -storepass P4ssw0rd Note: to read your jks use keytool -list -keystore C:\IBM\TDI\V7.2\pwd_plugins\certs\tdiKey.jks - storepass P4ssw0rd 2. Map your certificate to Password Interceptor plugins encrypt=true encryptkeystorefilepath=c:\\ibm\\tdi\\v7.2\\pwd_plugins\\certs\\tdikey. jks encryptkeystorefilepassword=2f5ae0e2062f0d66 encryptkeystorecertificate=tdipwdint encryptkeypassword=1217c3e318691e760c63dc0de7b7bbb8 Note: In the configuration file, you must manually encrypt each password property. You can use

12 the encryptpasswd utility for encryption. This utility uses a symmetric algorithm for encryption of the passwords Notes: 1. RSA is an asymmetric encryption algorithm, which uses a public key to encrypt and its associated private key to decrypt. Because you need the public key for encryption, distribute only the public key in the keystore file of the Password Store. This information is not relevant to the LDAP Password Store because it decrypts the already stored password values to determine which password to delete. Therefore, the private key is also required. 2. The keystore files contain sensitive data and must be properly protected by using file system permissions. Restart your server. Now when you change password for a user or user change his password, the Password plugin intercept change and store credential in your ldap, like this: Looking behind the scene The attribute ibm-diuserid is the bridge with user because this field will be equal to the samaccountname. Now we have two path to permit propagation of SSO, and both will be describe in next article. Author: Andrea Fontana IBM Champion for WebSphere on 2012, 2013, and 2014 IBM Champion for Collaborative Solution on 2015 DevloperWorks Contributor Author Can be contacted at: [email protected]