Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Firstofallmakeafindandreplaceallinformationunder<>withyourowndata.knowingthattheseinformationarecasesensitive.
Repositoryname:
<repository_name>
ContentServer:
<CS_ServerName>
WebApplicationServer:
<HTTP_ServerName>
ActiveDirectoryServer:
<AD_ServerName>
FQDN(FullQualifiedDomainName): <ABC.ITU.CH>
fqdn:
<abc.itu.ch>
SSOHTTPUser:
<DocumentumHTTP>
SSOHTTPUserPassword:
<PWD_HTTP>
SSOContentServerUser:
<DocumentumCS>
SSOContentServerUserPassword:
<PWD_CS>
WebApplicationName:
<taskspace>
WebApplicationPort:
<8093>
%CATALINA_HOME%:
<C:\Apache\taskspace_8093_p>
AFromyourActiveDirectoryServer
1) UserCreation
Createthesetwousers:<DocumentumHTTP>and<DocumentumCS>
Check:
Use Kerberos DES encryption types for this account
This account supports Kerberos AES 128 bit encryption.
2) CreateKeytab
2.1)KeytabusedbytheContentServer
C:\>ktpass/pass<PWD_CS>out<repository_name>.0001.keytabprincCS/<repository_name>@<FQDN>cryptoALL+DumpSaltptype
KRB5_NT_PRINCIPAL/mapOpset/mapUser<DocumentumCS>@<FQDN>
2.1.2)Copythiskeytabfileunder<repository_name>.0001.keytabunder \\<CS_ServerName>\%DOCUMENTUM%\dba\auth\kerberos\
CreatedbyMichelManias
1/6
2.2)Keytabusedbyallyourwebapplication.
C:\>ktpass/pass<PWD_HTTP>out<DocumentumHTTP>.keytabprincHTTP/<HTTP_ServerName>.<abc.itu.ch>@<ABC.ITU.CH>cryptoALL+DumpSalt
ptypeKRB5_NT_PRINCIPAL/mapOpset/mapUser<DocumentumHTTP>@<ABC.ITU.CH>
BFromyourWebApplicationServer
WebApplicationServer:<HTTP_ServerName>
Updatefilewebapps\<taskspace>\wdk\app.xml
<!KerberosSSOauthenticationschemeconfiguration>
<kerberos_sso>
<enabled>true</enabled>
<browsers>
<windows>
<ieversions>6.0,7.0,8.0</ieversions>
<firefoxversions>2.0,3.0,3.5</firefoxversions>
</windows>
</browsers>
<!EnableloginfallbacktoDocbaseLoginscheme>
<docbase_login_fallback>false</docbase_login_fallback>
<!Mandatoryconfiguration:Providethekerberosrealm/domianname.>
<domain><fqdn></domain>
</kerberos_sso>
JASSConfigurationfile
Createfile\\<HTTP_ServerName> \%CATALINA_HOME%\<taskspace>\webapps\<taskspace>\WEBINF\krb5Login.conf
Warning1:
the bold red info must be replace by your <fqdn>, knowing that . Must be replaced by -
Warning2:
CreatedbyMichelManias
2/6
OntheApacheSetting
UpdateApacheServiceProperties
CreatedbyMichelManias
3/6
Add
Djava.security.krb5.config=%WINDIR%\krb5.ini
Djava.security.auth.login.config=<C:\Apache\taskspace_8093_p>\webapps\taskspace\WEBINF\krb5Login.conf
Djava.security.auth.useSubjectCredsOnly=false
COnyourWebApplicationServerandContentServer
CreateaFilekrb5.ini.Youwillhavetostoreitunderc:\windows\oftheContentServerandtheWebApplicationServer.
[libdefaults]
default_realm = <ABC.ITU.CH>
forwardable = true
ticket_lifetime = 24h
clockskew = 72000
default_tkt_enctypes = aes128-cts des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = aes128-cts des-cbc-md5 des-cbc-crc des3-cbc-sha1
permitted_enctypes = aes128-cts des-cbc-md5 des-cbc-crc des3-cbc-sha1
[realms]
<ABC.ITU.CH> = {
kdc = <AD_ServerName>.<abc.itu.ch>
admin_server= <AD_ServerName>.<abc.itu.ch>
}
[domain_realm]
.<abc.itu.ch> = <abc.itu.ch>
DHowtodebugit
Update service Documentum Docbase Service <repository_name>inordertoadd-otrace_authentication, this will allow you to manage log file in a trace mode for
Kerberos authentication
C:\Documentum\product\6.7\bin\documentum.exe -docbase_name <repository_name> -security acl -otrace_authentication -init_file
C:\Documentum\dba\config\<repository_name>\server.ini -run_as_service -install_owner dmadmin -logfile C:\Documentum\dba\log\<repository_name>.log
CreatedbyMichelManias
4/6
Updatefile
\\<HTTP_ServerName> \%CATALINA_HOME%\<taskspace>\webapps\<taskspace>\WEBINF\classes\log4j.properties
InordertogetallDebuginformationunderTaskspace_8093_p.log
log4j.rootCategory=DEBUG,file,stdout
log4j.appender.file.File=C:\\Apache\\taskspace_8093_p\\logs\\Taskspace_8093_p.log
Updatefile\\<HTTP_ServerName>\%CATALINA_HOME%\<taskspace>\webapps\<taskspace>\WEB
INF\classes\com\documentum\debug\TraceProp.properties
Inordertogetmoredetaileddebuginformation
com.documentum.web.formext.Trace.SESSION=true
CheckJavaVersion
C:\Windows\system32>javaversion
javaversion"1.6.0_22"
Java(TM)SERuntimeEnvironment(build1.6.0_22b02)
JavaHotSpot(TM)64BitServerVM(build16.3b01,mixedmode)
JavaVersionmustbe1.6.0_20
UninstallexistingJavaversion
DownloadArchive:Java[tm]TechnologyProductsDownloadfrom:http://www.oracle.com/technetwork/java/archive139210.html
Select:JDK/JRE6
Select:6Update20
Archive:DownloadJavaPlatformStandardEdition(JavaSE)6Update20
DownloadJavaSEdevelopmentKit6u20forWindowsx64
Copyfileunderc:\temp\jdk6u20windowsx64.exe
InstallJDK1.6.0_20underc:\java\
UpdateeachApacheInstances
UpdateJavaVirtualMachinefromC:\Java\jdk1.6.0_22\jre\bin\server\jvm.dll
ToC:\Java\jdk1.6.0_20\jre\bin\server\jvm.dll
UpdateJAVA_HOMEVariable
C:\Java\jdk1.6.0_20
TotestwithFirefox
Typeabout:configunderthebrowser
UnderFilter,typenetwork.n
CreatedbyMichelManias
5/6
Updatevaluenetwork.negotiateauth.trusteduris
With:http://<HTTP_ServerName>.<abc.itu.ch>
TestURL:http://<HTTP_ServerName>.<abc.itu.ch>:<8093>/<taskspace>/appname=CORE
CheckLogfiles:<C:\Apache\taskspace_8093_p>\logs\Taskspace_8093_p.log
TotestKerberosPassword
FromyourContentServer
C:\>kinitCS/<repository_name>
PasswordforCS/<repository_name>@<FQDN>:
NewticketisstoredincachefileC:\Users\dmadmin\krb5cc_dmadmin
FromyourWebApplicationServer
C:\Java\jdk1.6.0_20\bin>kinitHTTP/<HTTP_ServerName>.<abc.itu.ch>
PasswordforHTTP/<HTTP_ServerName>.<abc.itu.ch>:
NewticketisstoredincachefileC:\Users\dmadmin\krb5cc_dmadmin
EListofexistingEMCWhitepapers
EMCDocumentumKerberosSSOAuthentication(ADetailedReview)May2011andAugust2010
TroubleshootingEMCDocumentumWEBTOPKERBEROSSSOENVIRONMENTS
EMCDocumentumWebDevelopmentKitandWebtopVersion6.7DeploymentGuide(Chapter11:ConfiguringKerberosAuthentication)
EMCDocumentumMyDocumentumforMicrosoftSharepoint
CreatedbyMichelManias
6/6