In Part 1 we started our SSO config by getting our Linux servers to talk to the KDC, and we should now have a working keytab file for our SPN. Now let's set up a few things so WebLogic can use it.
First, create the following krbLogin.conf file:
krbServer {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="/home/psoft/krb5.keytab"
isInitiator=false
principal="HTTP/websrv.testdomain.com";
};
Update the keyTab property to point to wherever you placed your keytab file, and the principal should match the SPN you created. In this proof of concept I just placed this file in /home/psoft alongside the keytab file.
Now we need to tell WebLogic to use these files. We do this on the corresponding JAVA_OPTIONS line in setEnv.sh; in my case it now reads:
JAVA_OPTIONS_LINUX="-jrockit -XnoOpt -Xms512m -Xmx512m -Dtoplink.xml.platform=oracle.toplink.platform.xml.jaxp.JAXPPlatform -Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0 -Djava.security.auth.login.config=/home/psoft/krbLogin.conf -Djava.security.krb5.conf=/etc/krb5.conf"
We added the following to the end of the options variable:
-Djava.security.auth.login.config=/home/psoft/krbLogin.conf
-Djava.security.krb5.conf=/etc/krb5.conf
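Before restarting WebLogic it is worth checking that these pieces agree with each other: the login.config path in JAVA_OPTIONS must be the file you just wrote, the krb5.conf property must be set, the Krb5LoginModule must be configured as a service (acceptor) rather than a client, and the principal must be the SPN from Part 1. The Python script below is an added example, not part of the original post and not PeopleSoft or Oracle code; it parses a krbLogin.conf entry and a JAVA_OPTIONS string and reports every mismatch it finds. The sample inputs are constructed from the values shown above, and the entry name (krbServer) and expected SPN are passed in as parameters rather than assumed.

```python
import re

# Constructed sample input: the JAAS entry from the post, as a string.
KRB_LOGIN_CONF = """
krbServer {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="/home/psoft/krb5.keytab"
isInitiator=false
principal="HTTP/websrv.testdomain.com";
};
"""

# Constructed sample input: the JAVA_OPTIONS value as it appears in setEnv.sh.
JAVA_OPTIONS = (
    '"-jrockit -XnoOpt -Xms512m -Xmx512m '
    '-Djava.security.auth.login.config=/home/psoft/krbLogin.conf '
    '-Djava.security.krb5.conf=/etc/krb5.conf"'
)

_ENTRY_RE = re.compile(r"(\w+)\s*\{(.*?)\};", re.S)        # name { ... };
_OPT_RE = re.compile(r'(\w+)\s*=\s*"?([^"\s;]+)"?')        # key=value or key="value"


def parse_jaas(text):
    """Parse JAAS login entries into {name: {"module", "flag", "options"}}."""
    entries = {}
    for name, body in _ENTRY_RE.findall(text):
        module, flag = body.split()[:2]  # first two tokens: class and control flag
        entries[name] = {"module": module, "flag": flag,
                         "options": dict(_OPT_RE.findall(body))}
    return entries


def parse_sysprops(java_options):
    """Extract -Dname=value system properties from a JAVA_OPTIONS string."""
    return {k: v.strip('"') for k, v in re.findall(r"-D([\w.]+)=(\S+)", java_options)}


def check_sso_config(jaas_text, java_options, conf_path, expected_spn, entry="krbServer"):
    """Return a list of problems; an empty list means the pieces agree."""
    problems = []
    props = parse_sysprops(java_options)
    if props.get("java.security.auth.login.config") != conf_path:
        problems.append("java.security.auth.login.config does not point at " + conf_path)
    if "java.security.krb5.conf" not in props:
        problems.append("java.security.krb5.conf is not set; the JVM will not know the realm or KDC")

    entries = parse_jaas(jaas_text)
    if entry not in entries:
        problems.append("login config has no '%s' entry" % entry)
        return problems
    e = entries[entry]
    opts = e["options"]
    if not e["module"].endswith("Krb5LoginModule"):
        problems.append("entry does not use Krb5LoginModule")
    if e["flag"] != "required":
        problems.append("login module control flag should be 'required'")
    # A service that accepts tickets takes its key from the keytab and must not
    # try to obtain a TGT of its own, hence isInitiator=false.
    for key, want in (("useKeyTab", "true"), ("storeKey", "true"), ("isInitiator", "false")):
        if opts.get(key) != want:
            problems.append("%s should be %s for a service principal" % (key, want))
    if not opts.get("keyTab", "").startswith("/"):
        problems.append("keyTab should be an absolute path to the keytab file")
    if opts.get("principal") != expected_spn:
        problems.append("principal %r does not match SPN %r" % (opts.get("principal"), expected_spn))
    return problems


if __name__ == "__main__":
    result = check_sso_config(KRB_LOGIN_CONF, JAVA_OPTIONS,
                              "/home/psoft/krbLogin.conf", "HTTP/websrv.testdomain.com")
    for line in result or ["OK: login config and JAVA_OPTIONS agree"]:
        print(line)
```

Run it with the real files (read krbLogin.conf and the JAVA_OPTIONS line from setEnv.sh into the two variables) before each restart; an empty result is the green light, and anything else is a mistake that would otherwise only show up as a cryptic GSS exception in the startup log.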
Next, let's edit web.xml in our PORTAL.war/WEB-INF directory. We need to add the following:
<filter>
  <filter-name>KerberosSSO</filter-name>
  <filter-class>com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOFilter</filter-class>
  <init-param>
    <param-name>checkSecureConnection</param-name>
    <param-value>false</param-value>
  </init-param>
  <init-param>
    <param-name>validateToken</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>verbose</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>KerberosSSO</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
Here we apply the KerberosSSOFilter (which Oracle provides the source for, if you'd like to improve it) to the url-pattern /* so that every request goes through the filter.
The parameters:
- checkSecureConnection: I set this to false as I'm not using SSL in this environment. Change it to true if you're using SSL.
- validateToken: start with true so we can troubleshoot and verify that things work at the web layer.
- verbose: self-explanatory; set it to true until it works.
After making these updates, restart WebLogic and check the logs for errors on startup. We are now at the point where we can test the WebLogic filter and make sure the basic configuration is working.
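A quick way to catch mistakes in the web.xml wiring, and to remember to flip the parameters once the environment changes, is to check the filter block by hand before the restart. The Python script below is an added example, not part of the original post or of PeopleSoft's delivered code. It parses the filter declaration with ElementTree, strips whitespace from names and values (so a param-name broken across lines still compares correctly), and reports findings for the deployment you describe: whether the filter is mapped to /*, whether checkSecureConnection matches your SSL situation, and whether verbose is still on in production. The sample web.xml is constructed from the fragment above wrapped in a web-app root; the ssl_in_use and production flags are assumptions you supply.

```python
import xml.etree.ElementTree as ET

FILTER_CLASS = "com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOFilter"

# Constructed sample: the filter fragment from the post inside a <web-app> root,
# with one <param-name> deliberately broken across two lines.
WEB_XML = """<web-app>
<filter>
<filter-name>KerberosSSO</filter-name>
<filter-class>com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOFilter</filter-class>
<init-param>
<param-name>checkSecureConnection
</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>validateToken</param-name>
<param-value>true</param-value>
</init-param><init-param>
<param-name>verbose</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>KerberosSSO</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
"""


def _text(elem, tag):
    """Text of a child element with surrounding whitespace removed."""
    return (elem.findtext(tag) or "").strip()


def sso_filter(root):
    """Return (filter-name, {param-name: param-value}) for the Kerberos filter, or None."""
    for flt in root.iter("filter"):
        if _text(flt, "filter-class") == FILTER_CLASS:
            params = {_text(p, "param-name"): _text(p, "param-value")
                      for p in flt.findall("init-param")}
            return _text(flt, "filter-name"), params
    return None


def url_patterns(root, filter_name):
    """All url-patterns mapped to the named filter."""
    return [_text(m, "url-pattern") for m in root.iter("filter-mapping")
            if _text(m, "filter-name") == filter_name]


def check_web_xml(xml_text, ssl_in_use, production=False):
    """Return a list of findings for the KerberosSSO filter wiring."""
    root = ET.fromstring(xml_text)
    found = sso_filter(root)
    if found is None:
        return ["KerberosSSOFilter is not declared in web.xml"]
    name, params = found
    findings = []
    if "/*" not in url_patterns(root, name):
        findings.append("filter %s is not mapped to /* so some requests bypass SSO" % name)
    secure = params.get("checkSecureConnection")
    if ssl_in_use and secure != "true":
        findings.append("checkSecureConnection is %r; set it to true now that SSL is in use" % secure)
    if not ssl_in_use and secure == "true":
        findings.append("checkSecureConnection=true but SSL is not in use; the non-SSL setup uses false")
    if not production and params.get("validateToken") != "true":
        findings.append("validateToken is %r; keep it true while verifying the web layer"
                        % params.get("validateToken"))
    if production and params.get("verbose") == "true":
        findings.append("verbose=true in production; turn it off once SSO is working")
    return findings


if __name__ == "__main__":
    for line in check_web_xml(WEB_XML, ssl_in_use=False) or ["OK: filter wiring matches a non-SSL test setup"]:
        print(line)
```

Point it at the real PORTAL.war/WEB-INF/web.xml and set ssl_in_use to match the site; the same check run with production=True is a cheap reminder to turn verbose off before go-live.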
Let's move on to our Windows workstation that is part of our domain, and make sure its browser is set up for this. In most corporate environments this will already be the case. For IE, on the Security tab in Internet Options, check the site options; if your PeopleSoft URL is not detected as part of the intranet, add it manually by clicking Sites -> Advanced. Once this is done, let's see what happens. You won't get logged in yet, but we can see whether the Kerberos token is being processed properly. First tail PIA_stdout.log, then log in through the normal web page. After logging in, here's what we should see:
<Aug 29, 2012 9:18:10 PM EDT> <Notice> <Stdout> <BEA-000000> <KerberosSSOFilter: Requesting Kerberos token. (Connection is NOT secure)>
<Aug 29, 2012 9:18:10 PM EDT> <Notice> <Stdout> <BEA-000000> <KerberosSSOFilter: Received valid token for user@TESTDOMAIN.LOCAL.>
<Aug 29, 2012 9:18:10 PM EDT> <Notice> <Stdout> <BEA-000000> <KerberosSSOFilter: Sending token for mutual authentication.>
<Aug 29, 2012 9:18:35 PM EDT> <Notice> <Stdout> <BEA-000000> <KerberosSSOFilter: Received valid token for user@TESTDOMAIN.LOCAL.>
<Aug 29, 2012 9:18:35 PM EDT> <Notice> <Stdout> <BEA-000000> <KerberosSSOFilter: Sending token for mutual authentication.>
<Aug 29, 2012 9:18:35 PM EDT> <Notice> <Stdout> <BEA-000000> <KerberosSSOFilter: Valid session id. Not requesting Kerberos token.>
<Aug 29, 2012 9:18:35 PM EDT> <Notice> <Stdout> <BEA-000000> <KerberosSSOFilter: Valid session id. Not requesting Kerberos token.>
We can see the SSOFilter request the token, see that it's valid, and identify the user and domain. After logging in, the SSOFilter sees a valid session id and stops requesting the Kerberos token.
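Reading this by eye works for one login; once several people are testing, it helps to let a script pull the KerberosSSOFilter lines out of PIA_stdout.log and summarize the flow. The Python script below is an added example, not from the original post. It recognises the four messages shown above (token requested, valid token received, mutual-authentication reply sent, session id reused), counts them per stage and per principal, and turns the counts into findings: token requests on a non-secure connection, requests that never produced a valid token, and any filter message it does not recognise. The sample log is constructed from the lines above plus one unrelated line to show that it is ignored.

```python
import re
from collections import Counter

# Constructed sample, based on the PIA_stdout.log lines shown in the post,
# plus one unrelated server line to show that it is ignored.
SAMPLE_LOG = """\
<Aug 29, 2012 9:18:10 PM EDT> <Notice> <Stdout> <BEA-000000> <KerberosSSOFilter: Requesting Kerberos token. (Connection is NOT secure)>
<Aug 29, 2012 9:18:10 PM EDT> <Notice> <Stdout> <BEA-000000> <KerberosSSOFilter: Received valid token for user@TESTDOMAIN.LOCAL.>
<Aug 29, 2012 9:18:10 PM EDT> <Notice> <Stdout> <BEA-000000> <KerberosSSOFilter: Sending token for mutual authentication.>
<Aug 29, 2012 9:18:35 PM EDT> <Notice> <Stdout> <BEA-000000> <KerberosSSOFilter: Valid session id. Not requesting Kerberos token.>
<Aug 29, 2012 9:18:40 PM EDT> <Notice> <Stdout> <BEA-000000> <Some unrelated server message>
"""

# Timestamp, severity, subsystem, message id, then the filter's own message.
LINE_RE = re.compile(r"^<([^>]+)> <(\w+)> <Stdout> <([^>]+)> <KerberosSSOFilter: (.*)>$")
TOKEN_RE = re.compile(r"Received valid token for (\S+)")


def summarize(log_text):
    """Count each stage of the filter's token flow in a WebLogic stdout log."""
    s = {"requests": 0, "insecure_requests": 0, "valid_tokens": Counter(),
         "mutual_auth": 0, "session_reuse": 0, "other": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a KerberosSSOFilter line
        msg = m.group(4)
        if msg.startswith("Requesting Kerberos token"):
            s["requests"] += 1
            if "NOT secure" in msg:
                s["insecure_requests"] += 1
        elif msg.startswith("Received valid token for"):
            principal = TOKEN_RE.search(msg).group(1).rstrip(".")
            s["valid_tokens"][principal] += 1
        elif msg.startswith("Sending token for mutual authentication"):
            s["mutual_auth"] += 1
        elif msg.startswith("Valid session id"):
            s["session_reuse"] += 1
        else:
            s["other"].append(msg)  # anything unexpected, which is where errors show up
    return s


def findings(s):
    """Turn the counts into the things worth acting on."""
    out = []
    if s["insecure_requests"]:
        out.append("%d token request(s) on a non-secure connection: the Kerberos exchange "
                   "ran without TLS, so plan on SSL and checkSecureConnection=true"
                   % s["insecure_requests"])
    if s["requests"] and not s["valid_tokens"]:
        out.append("tokens were requested but none was accepted: check the keytab, "
                   "the SPN and the browser's intranet zone")
    if s["valid_tokens"] and not s["mutual_auth"]:
        out.append("tokens were accepted but no mutual-authentication reply was sent")
    for msg in s["other"]:
        out.append("unrecognised filter message: " + msg)
    return out


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for principal, n in summary["valid_tokens"].items():
        print("%s: %d valid token(s)" % (principal, n))
    for line in findings(summary) or ["OK: clean token flow"]:
        print(line)
```

On a real run, replace SAMPLE_LOG with the contents of PIA_stdout.log; the per-principal counts tell you who actually negotiated a token, and the non-secure finding is the same "Connection is NOT secure" notice the filter prints, surfaced where it will not be missed.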
So far so good. Next up, the application server side.