Welcome to the third installment of PeopleSoft Desktop Single Sign-on via Kerberos. I hope to wrap up everything in this final post. In Part 1 we configured our Linux servers to talk to our Active Directory server and set up a user/SPN for our Kerberos authentication. In Part 2 of the PeopleSoft Desktop SSO write-up we configured our Linux WebLogic instance to use the Oracle-provided servlet filter. We set the filter mapping to /* to force every request through the KerberosSSO filter. Now it is time to move on to our app server and online configuration to finish this up.
In order for the application server to validate the Kerberos token we need to copy the Java class files to $PS_HOME/class/com/peoplesoft/pt/desktopsso/kerberos. Oracle seems to deliver these in $PS_HOME/class/com/peoplesoft/PT/desktopsso/kerberos, but that path doesn't work: the package name in the GetJavaClass call is lower-case (com.peoplesoft.pt.desktopsso.kerberos) and Linux paths are case-sensitive. So either recopy these files from our web server or copy them over from the "PT" directory. We need both KerberosSSOValidator$1.class and KerberosSSOValidator.class.
Next, let's update our psappsrv.cfg file with the following two options:
-Djava.security.auth.login.config=/home/psoft/krbLogin.conf
-Djava.security.krb5.conf=/etc/krb5.conf
Look familiar? Yep, we did this on the web server. Did you create these files on the app server yet? If not, copy them from your web server, and don't forget to copy the keytab file that is referenced in krbLogin.conf.
So the JavaVM Options line will read something like this (it's around line 925 in my config file):
JavaVM Options=-Dxdo.ConfigFile=%PS_HOME%/appserv/xdo.cfg -Djava.security.auth.login.config=/home/psoft/krbLogin.conf -Djava.security.krb5.conf=/etc/krb5.conf
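Because the three pieces above (the class files under the lower-case path, the two -D options, and the login config, keytab and krb5.conf they point at) all have to be right before the validator can run, here is a pre-flight check for the app server side. It is an added example, not code from the original post or from Oracle; the PS_HOME layout, psappsrv.cfg and krbLogin.conf it builds are constructed fixtures, and the principal/realm in the login config are assumed values (keyTab= is the standard Krb5LoginModule option).

```python
"""Added example (not from the original post): a pre-flight check for the app
server side of the setup, covering what the post says must be in place. The
PS_HOME layout, psappsrv.cfg and krbLogin.conf below are constructed fixtures;
the keyTab= option is the standard Krb5LoginModule setting."""
import os
import re
import tempfile

REQUIRED_CLASSES = ("KerberosSSOValidator.class", "KerberosSSOValidator$1.class")
# Java package com.peoplesoft.pt.desktopsso.kerberos -> lower-case "pt" on disk
CLASS_SUBDIR = os.path.join("class", "com", "peoplesoft", "pt", "desktopsso", "kerberos")


def jvm_options(cfg_text):
    """Return the value of the 'JavaVM Options=' line, or None if absent."""
    m = re.search(r"^JavaVM Options=(.*)$", cfg_text, re.MULTILINE)
    return m.group(1).strip() if m else None


def option_value(opts, name):
    """Extract the value of -D<name>=<value> from a JavaVM Options string."""
    m = re.search(r"-D" + re.escape(name) + r"=(\S+)", opts or "")
    return m.group(1) if m else None


def keytab_from_login_conf(text):
    """Pull the keyTab="..." path out of a JAAS login configuration."""
    m = re.search(r'keyTab\s*=\s*"([^"]+)"', text)
    return m.group(1) if m else None


def check_app_server(ps_home, cfg_path):
    """Return a list of problems; an empty list means the setup looks complete."""
    problems = []
    clsdir = os.path.join(ps_home, CLASS_SUBDIR)
    for cls in REQUIRED_CLASSES:
        if not os.path.isfile(os.path.join(clsdir, cls)):
            problems.append("missing " + os.path.join(clsdir, cls))
    with open(cfg_path) as fh:
        opts = jvm_options(fh.read())
    if opts is None:
        return problems + ["no 'JavaVM Options=' line in " + cfg_path]
    login_conf = option_value(opts, "java.security.auth.login.config")
    if not login_conf:
        problems.append("-Djava.security.auth.login.config not set")
    elif not os.path.isfile(login_conf):
        problems.append("login config %s not found" % login_conf)
    else:
        with open(login_conf) as fh:
            keytab = keytab_from_login_conf(fh.read())
        if not keytab:
            problems.append("no keyTab entry in " + login_conf)
        elif not os.path.isfile(keytab):
            problems.append("keytab %s not found" % keytab)
    krb5_conf = option_value(opts, "java.security.krb5.conf")
    if not krb5_conf:
        problems.append("-Djava.security.krb5.conf not set")
    elif not os.path.isfile(krb5_conf):
        problems.append("%s not found" % krb5_conf)
    return problems


def build_fixture(root, pkg_dir, with_krb5_option):
    """Constructed PS_HOME + config under root; returns (ps_home, cfg_path)."""
    ps_home = os.path.join(root, "ps_home")
    clsdir = os.path.join(ps_home, "class", "com", "peoplesoft", pkg_dir,
                          "desktopsso", "kerberos")
    os.makedirs(clsdir)
    for cls in REQUIRED_CLASSES:
        open(os.path.join(clsdir, cls), "wb").close()
    keytab = os.path.join(root, "psoft.keytab")   # constructed, empty
    krb5 = os.path.join(root, "krb5.conf")        # constructed, empty
    for path in (keytab, krb5):
        open(path, "wb").close()
    login = os.path.join(root, "krbLogin.conf")
    with open(login, "w") as fh:                  # principal/realm are assumed values
        fh.write('KrbLogin {\n  com.sun.security.auth.module.Krb5LoginModule required\n'
                 '    useKeyTab=true storeKey=true\n    keyTab="%s"\n'
                 '    principal="HTTP/websrv.testdomain.com@TESTDOMAIN.COM";\n};\n' % keytab)
    opts = ("-Dxdo.ConfigFile=%PS_HOME%/appserv/xdo.cfg "
            "-Djava.security.auth.login.config=" + login)
    if with_krb5_option:
        opts += " -Djava.security.krb5.conf=" + krb5
    cfg = os.path.join(root, "psappsrv.cfg")
    with open(cfg, "w") as fh:
        fh.write("JavaVM Options=" + opts + "\n")
    return ps_home, cfg


WORK = tempfile.mkdtemp()
# Correct layout, both -D options present.
GOOD = build_fixture(os.path.join(WORK, "good"), "pt", True)
# Classes left under the delivered upper-case "PT" path and krb5.conf option missing.
BAD = build_fixture(os.path.join(WORK, "bad"), "PT", False)

if __name__ == "__main__":
    for label, fixture in (("good", GOOD), ("bad", BAD)):
        print(label, check_app_server(*fixture) or "OK")
```

On a real box you would call check_app_server with your actual $PS_HOME and the path to psappsrv.cfg instead of the fixtures; the list it returns is the set of things still to fix before bouncing the app server.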
Next, let's edit the PeopleCode for FUNCLIB_LDAP.LDAPAUTH. First we want to edit the getWWWAuthConfig function and update the user name assigned to &defaultUserId:
/* Updated for Kerberos Sign On */
&defaultUserId = "PUBUSER";
Next, add the following function at the end of the program. The variable declarations need the leading & on every PeopleCode variable (the original listing had lost them), and the Substring from position 11 strips the 10-character "Negotiate " prefix from the Authorization header before the base64 token is handed to the validator:
/*/////////////////////////////////////////////////////////////////////////////
   KRB_AUTHENTICATION used for Kerberos Single Sign On
/////////////////////////////////////////////////////////////////////////////*/
Function KRB_AUTHENTICATION()
   If %PSAuthResult = True And
         &authMethod <> "WWW" And
         &authMethod <> "OAMSSO" And
         &authMethod <> "OSSO" And
         &authMethod <> "SSO" And
         &authMethod <> "LDAP" Then
      getWWWAuthConfig();
      /* Only act when the request came in as the public (guest) user */
      If %SignonUserId = &defaultUserId Then
         /* KRB_USER is set by the KerberosSSO servlet filter on the web server */
         Local string &princName = %Request.GetHeader("KRB_USER");
         Local string &krbToken = %Request.GetHeader("Authorization");
         Local string &userName = &princName;
         /* Strip the @REALM suffix to get the PeopleSoft user id */
         Local number &foundDelim = Find("@", &userName);
         If &foundDelim > 0 Then
            &userName = Substring(&userName, 1, &foundDelim - 1);
         End-If;
         If Len(&userName) > 0 Then
            /* Drop the leading "Negotiate " (10 characters) to leave the base64 token */
            &krbToken = Substring(&krbToken, 11, Len(&krbToken) + 1);
            Local JavaObject &validator = GetJavaClass("com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOValidator").getInstance();
            Local string &validUserName = &validator.validate(&krbToken);
            /* Sign on only if the token validates AND names the principal in KRB_USER */
            If &validUserName <> "NULL" And
                  &princName = &validUserName Then
               SetAuthenticationResult( True, Upper(&userName), "", False);
               &authMethod = "KRB";
            End-If;
         End-If;
      End-If;
   End-If;
End-Function;
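To make the header handling in that function easy to reason about, here is the same decision written in Python so it can be exercised with constructed requests. This is an added example, not code from the original post or from Oracle: negotiate_token() mirrors the Substring(&krbToken, 11, ...) that drops the "Negotiate " prefix, split_principal() mirrors the Find("@")/Substring pair, and kerberos_signon() applies the same rule, signing on only when the validator's answer equals the KRB_USER principal. The token classification step is an addition (a browser that falls back to NTLM also sends an "Authorization: Negotiate" header), fake_validate is a constructed stand-in for KerberosSSOValidator.validate, and the tokens are placeholders, not real Kerberos messages.

```python
"""Added example (not from the original post): the decision made by the
KRB_AUTHENTICATION PeopleCode, written in Python so it can be exercised with
constructed requests. The validator is a constructed stand-in for
KerberosSSOValidator.validate and the tokens are not real Kerberos messages."""
import base64

NEGOTIATE_PREFIX = "Negotiate "
NTLM_SIGNATURE = b"NTLMSSP\x00"   # every raw NTLM message starts with this
GSS_APP0_TAG = b"\x60"            # DER tag [APPLICATION 0] of a GSS-API InitialContextToken


def negotiate_token(authorization):
    """Raw token bytes from an 'Authorization: Negotiate <base64>' value, or None
    when the header is absent, uses another scheme, or is not valid base64."""
    if not authorization or not authorization.startswith(NEGOTIATE_PREFIX):
        return None
    try:
        return base64.b64decode(authorization[len(NEGOTIATE_PREFIX):], validate=True)
    except ValueError:          # binascii.Error is a ValueError
        return None


def token_mechanism(token):
    """'ntlm' for a raw NTLM fallback, 'gssapi' for a GSS/SPNEGO token, else 'unknown'."""
    if token.startswith(NTLM_SIGNATURE):
        return "ntlm"
    if token.startswith(GSS_APP0_TAG):
        return "gssapi"
    return "unknown"


def split_principal(principal):
    """'jdoe@TESTDOMAIN.COM' -> ('jdoe', 'TESTDOMAIN.COM'); without '@' the realm is ''."""
    user, _sep, realm = principal.partition("@")
    return user, realm


def kerberos_signon(headers, validate, signon_user="PUBUSER", default_user="PUBUSER"):
    """Return the PeopleSoft user id to sign on as, or None to fall through to
    the normal sign-on page. `validate` plays the role of KerberosSSOValidator."""
    if signon_user != default_user:
        return None                              # not the public user: nothing to do
    princ = headers.get("KRB_USER", "")          # set by the KerberosSSO servlet filter
    user, _realm = split_principal(princ)
    if not user:
        return None
    token = negotiate_token(headers.get("Authorization"))
    # Cheap early reject: a browser that fell back to NTLM still sends "Negotiate",
    # but such a token is not something the Kerberos validator can accept.
    if token is None or token_mechanism(token) != "gssapi":
        return None
    validated = validate(token)
    # The header alone is never trusted: the token must validate AND name the same principal.
    if validated is None or validated != princ:
        return None
    return user.upper()


# --- constructed sample data -------------------------------------------------
GOOD_TOKEN = GSS_APP0_TAG + b"\x12" + b"constructed-ap-req"   # placeholder, not real ASN.1
NTLM_TOKEN = NTLM_SIGNATURE + b"\x01\x00\x00\x00"              # NTLM type-1 style prefix


def fake_validate(token):
    """Stand-in for KerberosSSOValidator.validate(): knows exactly one token."""
    return "jdoe@TESTDOMAIN.COM" if token == GOOD_TOKEN else None


def negotiate_header(token):
    return NEGOTIATE_PREFIX + base64.b64encode(token).decode("ascii")


OK_REQUEST = {"KRB_USER": "jdoe@TESTDOMAIN.COM", "Authorization": negotiate_header(GOOD_TOKEN)}
MISMATCHED_USER = {"KRB_USER": "other@TESTDOMAIN.COM", "Authorization": negotiate_header(GOOD_TOKEN)}
NTLM_FALLBACK = {"KRB_USER": "jdoe@TESTDOMAIN.COM", "Authorization": negotiate_header(NTLM_TOKEN)}

if __name__ == "__main__":
    for name, req in (("ok", OK_REQUEST), ("mismatch", MISMATCHED_USER), ("ntlm", NTLM_FALLBACK)):
        print(name, kerberos_signon(req, fake_validate))
```

The mismatch case is the one worth keeping in mind when troubleshooting: the PeopleCode deliberately compares the validator's result with the KRB_USER header, so a request whose header names one principal while the ticket is for another falls through to the normal sign-on page rather than signing on as either.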
In the online application, create our public user PUBUSER and enable that user for guest login in the web profile. Reload the profile using the reloadconfig command or restart the web server. Once reloaded, try it out and see if it works. Don't test with the signon.html page: it is the sign-on page and of course will ask for a username/password. Instead, start by going to http://websrv.testdomain.com/psp/ps/EMPLOYEE/ERP/h/?tab=DEFAULT, for Finance for example.