Configuring IBM Tivoli Integrated Portal server for single sign-on using Simple and Protected GSSAPI Negotiation Mechanism, and Microsoft Active Directory services

Document version 1.0

Copyright International Business Machines Corporation 2013. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Table of Contents

Introduction
Creating a user for SPNEGO authentication and a keytab file on the Active Directory server
Create the krb5.conf file using the tipserver1.keytab file on the Tivoli Integrated Portal server
Configuring the Tivoli Integrated Portal for SPNEGO and LDAP
Add roles to the Active Directory user that will be connecting to the Tivoli Integrated Portal
Internet browser configurations
Enable logging in the Tivoli Integrated Portal for Troubleshooting

Introduction

The purpose of this paper is to detail the procedure for configuring the IBM Tivoli Integrated Portal server for single sign-on using Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), federated repositories, and Microsoft Active Directory services.

The environment described in this paper uses the following products:

- Tivoli Integrated Portal server V2.2.0.11 installed on the Red Hat Enterprise Linux operating system, running as the user bsmadmin.
- Microsoft Active Directory services installed on the Windows 2008 operating system. The Active Directory domain name used in this paper is FEDIVT.

Before performing this procedure

- Create a current backup of the Tivoli Integrated Portal installation using your preferred archiving method.
- Synchronize the system clocks on the Windows server and the Linux server to within 5 minutes of each other.

Table 1 shows the LDAP server configuration required for configuring the federated repositories in the Tivoli Integrated Portal server.

  LDAP Host name               Host name of the LDAP server
  LDAP Port                    Port for the LDAP server, default value 389
  LDAP Type                    The type of LDAP used
  LDAP Repository Identifier   Unique identifier for the LDAP repository within the Application Server
  LDAP Bind ID                 The user ID used to bind to the LDAP server; this user must have at least read access
  LDAP Bind Password           Password for the bind user ID
  LDAP Base Entry              Base entry for the LDAP server

Table 1: Required LDAP configuration information.
The values in Table 2 show the LDAP information that is used in this paper to configure the federated repositories within the Tivoli Integrated Portal server.

  LDAP Host name               ad2008
  LDAP Port                    389
  LDAP Type                    Microsoft Active Directory
  LDAP Repository Identifier   TIVAD
  LDAP Bind ID                 cn=administrator,cn=users,dc=fedivt,dc=ibm,dc=com
  LDAP Bind Password           passw0rd
  LDAP Base Entry              DC=fedivt,DC=ibm,DC=com

Table 2: Federated configuration information used in this document.

Creating a user for SPNEGO authentication and a keytab file on the Active Directory server

1. Create a user in Active Directory named spnusr1 with a password of passw0rd as shown in the next three figures:

Figure 1: Create user

Figure 2: Create user continued
Figure 3: Create user finish

Note: This user is used for the SPNEGO configuration in the Tivoli Integrated Portal; it is not the user that is used to log in to the Tivoli Integrated Portal for day-to-day operations.

2. Start a Windows command prompt and create a keytab file for the spnusr1 user using the ktpass command. The syntax for the ktpass command is:

ktpass -out <keytab file> -princ HTTP/<Tivoli Integrated Portal fully qualified hostname>@<ACTIVE DIRECTORY DOMAIN> -mapuser <username> -pass <password> -ptype <principal type>

The command that was run to generate the keytab file:

ktpass -out tipserver1.keytab -princ HTTP/fit-vm15-216.rtp.raleigh.ibm.com@FEDIVT -mapuser spnusr1 -pass passw0rd -ptype KRB5_NT_PRINCIPAL

NOTE: The HTTP service name and the Active Directory domain name must be uppercase.

Figure 4 shows the output of the ktpass command above.

Figure 4: ktpass command output

If "KTPASS failed getting target domain for specified user" is received when running the ktpass command, re-run the command supplying the Active Directory domain name with the -mapuser option, for example: -mapuser FEDIVT\spnusr1.
3. Verify the Service Principal Name for the spnusr1 user by issuing setspn -l spnusr1; the output is shown in Figure 5.

Figure 5: setspn command output

4. Transfer the tipserver1.keytab file to the /tmp directory of the Tivoli Integrated Portal server. If transferring the file using FTP, make sure to switch to binary transfer mode.

Create the krb5.conf file using the tipserver1.keytab file on the Tivoli Integrated Portal server

1. Create a directory for the tipserver1.keytab and krb5.conf files (this paper uses /etc/krb5).

2. Copy the tipserver1.keytab file from /tmp to /etc/krb5.

3. The Tivoli Integrated Portal was installed and is running as the user bsmadmin. Because of this, the following commands were run in this environment to allow the bsmadmin user access to the krb5 directory and files:

chown -R :bsmadmin /etc/krb5
chmod g+w /etc/krb5

4. Log in to the Tivoli Integrated Portal using the wsadmin.sh command utility:

/opt/ibm/tivoli/tipv2/profiles/tipprofile/bin/wsadmin.sh -user tipadmin -password passw0rd

5. At the wsadmin prompt, issue $AdminTask createkrbconfigfile to create the krb5.conf file from the tipserver1.keytab file. The syntax for the createkrbconfigfile option is:

$AdminTask createkrbconfigfile {-krbpath <path/krb5.conf> -realm <Active Directory Kerberos realm name, uppercase> -kdchost <hostname of the Active Directory server> -dns <internet domain name> -keytabpath <path/keytab file>}

The command that was run to generate the /etc/krb5/krb5.conf file:

wsadmin>$AdminTask createkrbconfigfile {-krbpath /etc/krb5/krb5.conf -realm FEDIVT -kdchost ad2008.tivlab.raleigh.ibm.com -dns raleigh.ibm.com -keytabpath /etc/krb5/tipserver1.keytab }

6. Type quit at the wsadmin prompt to exit.
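Before moving on to the console configuration, the following added example (a POSIX shell script written for this page, not code from the IBM paper) checks what steps 1 to 6 leave on the Tivoli Integrated Portal server: that the principal has the uppercase HTTP/<fqdn>@<REALM> form the ktpass note requires, that the keytab is not world-readable, that the generated krb5.conf names the paper's realm, KDC and keytab path, and that the clock skew is within the 5-minute prerequisite. The key names it expects in krb5.conf (default_realm, default_keytab_name, kdc) are an assumption about the file the task writes, not taken from the paper.

```shell
#!/bin/sh
# Added example, not from the IBM paper: pre-flight checks for the SPNEGO
# principal, keytab permissions and generated krb5.conf on the TIP server.
TIP_FQDN="fit-vm15-216.rtp.raleigh.ibm.com"
REALM="FEDIVT"
KDC_HOST="ad2008.tivlab.raleigh.ibm.com"
KRB5_CONF="/etc/krb5/krb5.conf"
KEYTAB="/etc/krb5/tipserver1.keytab"

# spn_ok PRINCIPAL: 0 if PRINCIPAL is HTTP/<fqdn>@<REALM> with the service
# name and the realm in upper case, as the ktpass step requires.
spn_ok() {
    case "$1" in
        HTTP/?*@?*) ;;
        *) return 1 ;;
    esac
    realm="${1##*@}"
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# skew_ok LOCAL_EPOCH KDC_EPOCH: 0 if the clocks differ by at most 300 s.
skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -le 300 ] && [ "$d" -ge -300 ]
}

# keytab_private FILE: 0 if "other" has no permission bits on the keytab.
keytab_private() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# conf_has FILE KEY VALUE_REGEX: 0 if FILE has a "KEY = VALUE" line.
conf_has() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$" "$1"
}

# krb5_conf_ok FILE: realm, keytab path and KDC that createkrbconfigfile is
# assumed to write (key names are an assumption, not from the paper).
krb5_conf_ok() {
    conf_has "$1" default_realm "$REALM" &&
    conf_has "$1" default_keytab_name "FILE:$KEYTAB" &&
    conf_has "$1" kdc "$KDC_HOST(:88)?"
}

# preflight KDC_EPOCH: run every check; pass the KDC's time in epoch seconds.
preflight() {
    spn_ok "HTTP/$TIP_FQDN@$REALM" && keytab_private "$KEYTAB" &&
    krb5_conf_ok "$KRB5_CONF" && skew_ok "$(date +%s)" "$1"
}
```

Source the file on the Tivoli Integrated Portal server as bsmadmin and call preflight with the Active Directory server's current time; a non-zero exit identifies which prerequisite to revisit before configuring SPNEGO in the console.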
Configuring the Tivoli Integrated Portal for SPNEGO and LDAP

To configure the Tivoli Integrated Portal, do the following steps:

1. Log in to the Tivoli Integrated Portal Administrative console as the tipadmin user (http://hostname:16316/ibm/console) and expand Security.
2. Click Global security.
3. Expand Web Security.
4. Click SPNEGO Web authentication.
5. Under SPNEGO Filters, click New.
6. Fill in the values for Hostname and Kerberos realm name, and click Trim Kerberos realm name from principal name as shown in Figure 6.

Figure 6: SPNEGO filters

7. Click OK and when prompted click Save.
8. Complete the default options for General Properties as shown in Figure 7.

Figure 7: SPNEGO Web authentication

9. Click OK and when prompted click Save.
10. On the main Global Security page, click Configure next to Federated repositories.

Figure 8: Tivoli Integrated Portal options

11. Click Add Base entry to Realm.

Figure 9: Realm specifics

12. Click Add Repository.

Figure 10: Adding a repository

13. Complete the fields as indicated in Figure 11. Click Apply, and when prompted, click Save.

Figure 11: Repository properties

14. Complete the base entry fields; DC=fedivt,DC=ibm,DC=com was used in Figure 12 for both entries in this environment. Click Apply, and when prompted, click Save.

Figure 12: Completing entries

15. Optional: Set a single sign-on domain for use with LTPA if connecting to additional servers configured for LTPA single sign-on.
   A. Click Global security.
   B. Expand Web security.
   C. Click Single sign-on.
   D. Fill in a value for Domain name, for example .ibm.com, as shown in Figure 13.

Figure 13: Single sign-on domain name

   E. Click OK and when prompted click Save.

16. Stop and restart the Tivoli Integrated Portal:

/opt/ibm/tivoli/tipv2/profiles/tipprofile/bin/stopserver.sh server1 -user tipadmin -password passw0rd
/opt/ibm/tivoli/tipv2/profiles/tipprofile/bin/startserver.sh server1

Add roles to the Active Directory user that will be connecting to the Tivoli Integrated Portal

Note: This should not be the spnusr1 user.
1. Log in to the Tivoli Integrated Portal application console as the tipadmin user (https://hostname:16311/ibm/console).
2. Expand Users and Groups and click User Roles.
3. In the User ID field, fill in the user name of the Active Directory user that will be used to connect to the Tivoli Integrated Portal using SPNEGO authentication (not the spnusr1 user) and click Search.
4. Assign the roles that are applicable for the specific user and click Save.

Internet browser configurations

Enable the Microsoft Internet Explorer browser for SPNEGO:

1. Log in to the Windows system configured as an Active Directory client.
2. Launch the Internet Explorer browser, click Tools and then click Internet Options.
3. Select the Security tab, click the Local Intranet icon and then click Sites.
4. Ensure that all options are checked, then click Advanced.
5. Under Add this website to the zone, fill in the URL for the Tivoli Integrated Portal, for example: https://fit-vm15-216.rtp.raleigh.ibm.com. Then click Add and Close.
6. Click OK to exit the Local Intranet options.
7. Click the Advanced tab and verify that Enable Windows Integrated Authentication is checked; if not, click to enable it.
8. Click OK to exit Internet Options.
9. Stop and restart the Internet Explorer browser.

Enable the Mozilla Firefox browser for SPNEGO:

1. Launch the Firefox browser.
2. In the URL field type about:config and when prompted click to accept the security warning.
3. In the Search field type network.n
4. Double click network.negotiate-auth.trusted-uris
5. Type the URL for the Tivoli Integrated Portal, for example: https://fit-vm15-216.rtp.raleigh.ibm.com
6. Click OK.
7. Stop and restart the Firefox browser.

Enable logging in the Tivoli Integrated Portal for Troubleshooting

1. To enable tracing to assist in troubleshooting SPNEGO requests in the Tivoli Integrated Portal, log in to the Tivoli Integrated Portal Administrative Console (https://hostname:16316/ibm/console) and expand Troubleshooting.
2. Click Logs and Trace.

Figure 14: Logs and Trace

3. Click the server listed under Server.

Figure 15: server1

4. Click Change Log Detail Levels.

Figure 16: Log Details

5. Click the Runtime tab.
6. Click Save runtime changes to configuration as well.
7. Append the following value to the current setting and click Apply, and when prompted click Save:

:com.ibm.ws.security.spnego.*=all

Note that the colons (:) are delimiters between values.
Figure 17: Change log details

8. A trace.log file will now be in the /opt/ibm/tivoli/tipv2/profiles/tipprofile/logs/server1 directory.

Notices

Copyright IBM Corporation 2013
IBM United States of America
Produced in the United States of America

US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PAPER AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes may be made periodically to the information herein; these changes may be incorporated in subsequent versions of the paper. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this paper at any time without notice.

Any references in this document to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
4205 South Miami Boulevard
Research Triangle Park, NC 27709
U.S.A.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. This information is for planning purposes only. The information herein is subject to change before the products described become available.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml. Other company, product, or service names may be trademarks or service marks of others.