
Configuring IBM Tivoli Integrated Portal server for single sign-on using Simple and Protected GSSAPI Negotiation Mechanism, and Microsoft Active Directory services

Document version 1.0

Copyright International Business Machines Corporation 2013. US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Table of Contents

Introduction
Creating a user for SPNEGO authentication and a keytab file on the Active Directory server
Create the krb5.conf file using the tipserver1.keytab file on the Tivoli Integrated Portal server
Configuring the Tivoli Integrated Portal for SPNEGO and LDAP
Add roles to the Active Directory user that will be connecting to the Tivoli Integrated Portal
Internet browser configurations
Enable logging in the Tivoli Integrated Portal for troubleshooting

Introduction

The purpose of this paper is to detail the procedure for configuring the IBM Tivoli Integrated Portal server for single sign-on using the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), federated repositories, and Microsoft Active Directory services.

The environment described in this paper uses the following products:

- Tivoli Integrated Portal server V2.2.0.11 installed on the Red Hat Enterprise Linux operating system and running as the user bsmadmin.
- Microsoft Active Directory services installed on the Windows Server 2008 operating system. The Active Directory domain name used in this paper is FEDIVT.

Before performing this procedure

- Create a current backup of the Tivoli Integrated Portal installation using your preferred archiving method.
- Synchronize the system clocks on the Windows server and the Linux server to within 5 minutes of each other. Kerberos rejects tickets whose timestamps fall outside the permitted clock skew, which defaults to 5 minutes, so an unsynchronized clock shows up as a failed SPNEGO login rather than as a clear error.

Table 1 shows the LDAP server configuration required for configuring the federated repositories in the Tivoli Integrated Portal server.

    LDAP Host name               Host name of the LDAP server
    LDAP Port                    Port for the LDAP server; the default value is 389
    LDAP Type                    The type of LDAP server used
    LDAP Repository Identifier   Unique identifier for the LDAP repository within the application server
    LDAP Bind ID                 The user ID used to bind to the LDAP server; this user must have at least read access, and a dedicated read-only account is sufficient
    LDAP Bind Password           Password for the bind user ID
    LDAP Base Entry              Base entry (search base) of the LDAP server

Table 1: Required LDAP configuration information.
The values in Table 2 show the LDAP information that is used in this paper to configure the federated repositories within the Tivoli Integrated Portal server.

    LDAP Host name               ad2008
    LDAP Port                    389
    LDAP Type                    Microsoft Active Directory
    LDAP Repository Identifier   TIVAD
    LDAP Bind ID                 cn=administrator,cn=users,dc=fedivt,dc=ibm,dc=com
    LDAP Bind Password           passw0rd
    LDAP Base Entry              DC=fedivt,DC=ibm,DC=com

Table 2: Federated configuration information used in this document.

Note: This paper binds as the domain Administrator for convenience. In a production deployment use a dedicated account with read-only access to the base entry, because the bind credentials are stored in the server configuration, and prefer LDAPS (port 636) over port 389 where the directory server supports it so that the bind password does not cross the network in clear text.

Creating a user for SPNEGO authentication and a keytab file on the Active Directory server

1. Create a user in Active Directory named spnusr1 with a password of passw0rd, as shown in the next three figures.

Figure 1: Create user

Figure 2: Create user continued

Figure 3: Create user finish

Note: This user is used only for the SPNEGO configuration in the Tivoli Integrated Portal; it is not the user that logs in to the Tivoli Integrated Portal for day-to-day operations.

2. Start a Windows command prompt and create a keytab file for the spnusr1 user using the ktpass command. The syntax for the ktpass command is:

    ktpass -out <keytab file> -princ HTTP/<Tivoli Integrated Portal fully qualified host name>@<ACTIVE DIRECTORY DOMAIN> -mapuser <user name> -pass <password> -ptype <principal type>

The command that was run to generate the keytab file:

    ktpass -out tipserver1.keytab -princ HTTP/fit-vm15-216.rtp.raleigh.ibm.com@FEDIVT -mapuser spnusr1 -pass passw0rd -ptype KRB5_NT_PRINCIPAL

Note: The HTTP service class and the Active Directory domain name must be uppercase. The host name in the principal must be the fully qualified name that browsers will use in the portal URL (here fit-vm15-216.rtp.raleigh.ibm.com); a ticket requested for a different name or alias does not match the keytab. ktpass also sets the spnusr1 account password to the value given with -pass, and the resulting keytab contains key material equivalent to that password, so transfer and store the file as you would a credential.

Figure 4 shows the output of the ktpass command above.

Figure 4: ktpass command output

If "KTPASS failed getting target domain for specified user" is received when running the ktpass command, re-run the command supplying the Active Directory domain name to the -mapuser option, for example: -mapuser FEDIVT\spnusr1.

3. Verify the Service Principal Name for the spnusr1 user by issuing setspn -l spnusr1; the output is shown in Figure 5.

Figure 5: setspn command output

4. Transfer the tipserver1.keytab file to the /tmp directory of the Tivoli Integrated Portal server. If transferring the file using FTP, make sure to switch to binary transfer mode; a text-mode transfer corrupts the keytab.

Create the krb5.conf file using the tipserver1.keytab file on the Tivoli Integrated Portal server

1. Create a directory, /etc/krb5 in this environment, for the tipserver1.keytab and krb5.conf files.
2. Copy the tipserver1.keytab file from /tmp to /etc/krb5.
3. The Tivoli Integrated Portal was installed and is running as the user bsmadmin, so the following commands were run in this environment to allow the bsmadmin user access to the krb5 directory and files:

    chown -R :bsmadmin /etc/krb5
    chmod g+w /etc/krb5

   The keytab is a credential for the HTTP/fit-vm15-216.rtp.raleigh.ibm.com service principal: make sure it is readable only by root and the bsmadmin group, and remove the copy left in /tmp.
4. Log in to the Tivoli Integrated Portal using the wsadmin.sh command utility:

    /opt/ibm/tivoli/tipv2/profiles/tipprofile/bin/wsadmin.sh -user tipadmin -password passw0rd

5. At the wsadmin prompt issue $AdminTask createKrbConfigFile to create the krb5.conf file from the tipserver1.keytab file. The syntax for the createKrbConfigFile command is:

    $AdminTask createKrbConfigFile {-krbPath <path/krb5.conf> -realm <Active Directory Kerberos realm name, uppercase> -kdcHost <host name of the Active Directory server> -dns <internet domain name> -keytabPath <path/keytab file>}

The command that was run to generate the /etc/krb5/krb5.conf file:

    wsadmin>$AdminTask createKrbConfigFile {-krbPath /etc/krb5/krb5.conf -realm FEDIVT -kdcHost ad2008.tivlab.raleigh.ibm.com -dns raleigh.ibm.com -keytabPath /etc/krb5/tipserver1.keytab}

6. Type quit at the wsadmin prompt to exit.
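Before handing the keytab and krb5.conf to the portal, it is worth checking that the three things that must agree actually do: the realm in krb5.conf, the HTTP service principal in the keytab, and the permissions on the keytab. The following POSIX shell script is an added example written for this page, not code from the IBM paper. It reuses the paper's host name and realm, and the krb5.conf text and the two "klist -k" listings it checks are constructed samples written inline (one with the correct fully qualified SPN, one cut with a short host name), so it runs without a KDC; on a real host you would feed it the listing produced by klist -k -t /etc/krb5/tipserver1.keytab instead.

```shell
#!/bin/sh
# Added pre-flight check for the SPNEGO keytab and krb5.conf on the Tivoli
# Integrated Portal host. Example code for this page, not part of the IBM paper.
# Host name and realm come from the paper; the krb5.conf and "klist -k" texts
# below are constructed samples, not captured output.

TIP_FQDN="fit-vm15-216.rtp.raleigh.ibm.com"
REALM="FEDIVT"

WORK="${TMPDIR:-/tmp}/spnego-check.$$"
mkdir -p "$WORK"
umask 077

# Constructed krb5.conf in the shape the paper's createKrbConfigFile call targets.
cat > "$WORK/krb5.conf" <<EOF
[libdefaults]
    default_realm = $REALM
    default_keytab_name = FILE:/etc/krb5/tipserver1.keytab
    clockskew = 300
[realms]
    $REALM = {
        kdc = ad2008.tivlab.raleigh.ibm.com:88
        default_domain = raleigh.ibm.com
    }
[domain_realm]
    .raleigh.ibm.com = $REALM
EOF

# Constructed "klist -k" listings: correct FQDN SPN, and a keytab cut with a short host name.
cat > "$WORK/klist-good.txt" <<EOF
Keytab name: FILE:/etc/krb5/tipserver1.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 HTTP/fit-vm15-216.rtp.raleigh.ibm.com@FEDIVT
EOF
cat > "$WORK/klist-bad.txt" <<EOF
Keytab name: FILE:/etc/krb5/tipserver1.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 HTTP/fit-vm15-216@FEDIVT
EOF

# Placeholder keytab (empty); only its permissions are checked here.
: > "$WORK/tipserver1.keytab"
chmod 640 "$WORK/tipserver1.keytab"

# Print the default_realm value from a krb5.conf file.
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Kerberos realm names are case-sensitive and Active Directory realms are uppercase.
realm_is_uppercase() {
    case "$1" in *[a-z]*) return 1 ;; esac
    return 0
}

# The browser asks for a ticket for HTTP/<URL host>@REALM; exactly that SPN must be in the keytab.
keytab_has_http_spn() {   # $1 = klist -k listing, $2 = FQDN, $3 = realm
    grep -q "[[:space:]]HTTP/$2@$3[[:space:]]*\$" "$1"
}

# The keytab is equivalent to the service account password: owner rw, at most group read.
keytab_mode_ok() {
    case "$(ls -l "$1" | cut -c1-10)" in
        -rw-------|-rw-r-----) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all checks; returns the number of failed checks (0 = ready for the portal configuration).
check_spnego_prereqs() {   # $1 = krb5.conf, $2 = klist listing, $3 = keytab, $4 = FQDN, $5 = realm
    fails=0
    realm=$(krb5_default_realm "$1")
    [ "$realm" = "$5" ] || { echo "FAIL: default_realm '$realm' != '$5'"; fails=$((fails + 1)); }
    realm_is_uppercase "$5" || { echo "FAIL: realm '$5' is not uppercase"; fails=$((fails + 1)); }
    keytab_has_http_spn "$2" "$4" "$5" || { echo "FAIL: HTTP/$4@$5 not in keytab listing $2"; fails=$((fails + 1)); }
    keytab_mode_ok "$3" || { echo "FAIL: keytab $3 is group-writable or world-readable"; fails=$((fails + 1)); }
    return "$fails"
}

# On a real host produce the listing from the keytab itself:
#   klist -k -t /etc/krb5/tipserver1.keytab > "$WORK/klist-live.txt"
check_spnego_prereqs "$WORK/krb5.conf" "$WORK/klist-good.txt" "$WORK/tipserver1.keytab" "$TIP_FQDN" "$REALM" \
    && echo "OK: keytab and krb5.conf agree for HTTP/$TIP_FQDN@$REALM"
check_spnego_prereqs "$WORK/krb5.conf" "$WORK/klist-bad.txt" "$WORK/tipserver1.keytab" "$TIP_FQDN" "$REALM" \
    || echo "short-name keytab rejected as expected"
```

The SPN check is the one that catches the most common mistake: ktpass run with a short or differently cased host name produces a keytab that looks fine but never matches the ticket the browser presents for the portal URL. The permission check reflects the chown/chmod step above, which gives the bsmadmin group access to the directory but should not leave the keytab itself readable by every local user.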

Configuring the Tivoli Integrated Portal for SPNEGO and LDAP

To configure the Tivoli Integrated Portal, do the following steps:

1. Log in to the Tivoli Integrated Portal Administrative console as the tipadmin user (https://hostname:16316/ibm/console) and expand Security.
2. Click Global security.
3. Expand Web security.
4. Click SPNEGO Web authentication.
7. Under SPNEGO Filters click New.
8. Fill in the values for Host name and Kerberos realm name, and select Trim Kerberos realm name from principal name, as shown in Figure 6. The host name is the portal host name used in the keytab principal; with the realm trimmed, a principal such as user@FEDIVT is looked up in the federated repository as user.

Figure 6: SPNEGO filters

9. Click OK and, when prompted, click Save.
10. Complete the default options for General Properties as shown in Figure 7.

Figure 7: SPNEGO Web authentication

11. Click OK and, when prompted, click Save.
12. On the main Global security page click Configure next to Federated repositories.

Figure 8: Tivoli Integrated Portal options

13. Click Add Base entry to Realm.

Figure 9: Realm specifics

14. Click Add Repository.

Figure 10: Adding a repository

15. Complete the fields as indicated in Figure 11, using the values from Table 2. Click Apply and, when prompted, click Save.

Figure 11: Repository properties

16. Complete the base entry fields; DC=fedivt,DC=ibm,DC=com was used in Figure 12 for both entries in this environment. Click Apply and, when prompted, click Save.

Figure 12: Completing entries

17. Optional: set a single sign-on domain for use with LTPA if connecting to additional servers configured for LTPA single sign-on.
    A. Click Global security.
    B. Expand Web security.
    C. Click Single sign-on.
    D. Fill in a value for Domain name, for example .ibm.com, as shown in Figure 13.

Figure 13: Single sign-on domain name

    E. Click OK and, when prompted, click Save.
19. Stop and restart the Tivoli Integrated Portal:

    /opt/ibm/tivoli/tipv2/profiles/tipprofile/bin/stopServer.sh server1 -username tipadmin -password passw0rd
    /opt/ibm/tivoli/tipv2/profiles/tipprofile/bin/startServer.sh server1

   Passing -password on the command line exposes the tipadmin password to other users on the host through the process list and shell history; omit it and enter it at the prompt where that matters.

Add roles to the Active Directory user that will be connecting to the Tivoli Integrated Portal

Note: This should not be the spnusr1 user.

1. Log in to the Tivoli Integrated Portal application console as the tipadmin user (https://hostname:16311/ibm/console).
2. Expand Users and Groups and click User Roles.
3. In the User ID field, fill in the user name of the Active Directory user that will connect to the Tivoli Integrated Portal using SPNEGO authentication (not the spnusr1 user) and click Search.
4. Assign the roles that are applicable for the specific user and click Save.

Internet browser configurations

Enable the Microsoft Internet Explorer browser for SPNEGO:

1. Log in to the Windows system configured as an Active Directory client.
2. Launch the Internet Explorer browser, click Tools and then click Internet Options.
3. Select the Security tab, click the Local intranet icon and then click Sites.
4. Ensure that all options are checked, then click Advanced.
5. Under Add this website to the zone, fill in the URL of the Tivoli Integrated Portal, for example https://fit-vm15-216.rtp.raleigh.ibm.com, then click Add and Close.
6. Click OK to exit the Local intranet options.
7. Click the Advanced tab and verify that Enable Integrated Windows Authentication is checked; if not, click to enable it.
8. Click OK to exit Internet Options.
9. Stop and restart the Internet Explorer browser.

Enable the Mozilla Firefox browser for SPNEGO:

1. Launch the Firefox browser.
2. In the URL field type about:config and, when prompted, click to accept the warning.
3. In the Search field type network.n.
4. Double-click network.negotiate-auth.trusted-uris.
5. Type the URL of the Tivoli Integrated Portal, for example https://fit-vm15-216.rtp.raleigh.ibm.com.
6. Click OK.
7. Stop and restart the Firefox browser.

Both browsers present a Kerberos ticket only to sites they trust for integrated authentication, and the host name in the URL must be the one in the keytab principal; an IP address or an alias in the address bar does not produce a ticket the portal can accept, so single sign-on does not occur.

Enable logging in the Tivoli Integrated Portal for troubleshooting

1. To enable tracing to assist in troubleshooting SPNEGO requests in the Tivoli Integrated Portal, log in to the Tivoli Integrated Portal Administrative Console (https://hostname:16316/ibm/console) and expand Troubleshooting.
2. Click Logs and Trace.

Figure 14: Logs and Trace

3. Click the server listed under Server.

Figure 15: server1

4. Click Change Log Detail Levels.

Figure 16: Log Details

5. Click the Runtime tab.
6. Select Save runtime changes to configuration as well.
7. Append the following value to the current setting, click Apply and, when prompted, click Save:

    :com.ibm.ws.security.spnego.*=all

   Note that the colons (:) are delimiters between values.

Figure 17: Change log details

8. A trace.log will now be written to the /opt/ibm/tivoli/tipv2/profiles/tipprofile/logs/server1 directory. Remove the spnego trace setting again when troubleshooting is finished; at this level the trace is verbose and records details of each authentication exchange.

Notices

Copyright IBM Corporation 2013, IBM United States of America. Produced in the United States of America.

US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785, U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PAPER "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes may be made periodically to the information herein; these changes may be incorporated in subsequent versions of the paper. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this paper at any time without notice.

Any references in this document to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, 4205 South Miami Boulevard, Research Triangle Park, NC 27709, U.S.A.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. This information is for planning purposes only. The information herein is subject to change before the products described become available.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml. Other company, product, or service names may be trademarks or service marks of others.