Scribd Logo
Carica

Benvenuto in Scribd!

  • Howtosetupkerberossso v1

    Caricato da

    michael
    25 visualizzazioni6 pagine
    how to set up Kerbos SSO for Documentum

    Titolo originale

    howtosetupkerberossso_v1

    Copyright

    © © All Rights Reserved

    Formati disponibili

    PDF, TXT o leggi online da Scribd

    Hai trovato utile questo documento?

    Questo contenuto è inappropriato?

    Segnala questo documento
    how to set up Kerbos SSO for Documentum

    Copyright:

    © All Rights Reserved
    Scarica in formato PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    25 visualizzazioni6 pagine

    Howtosetupkerberossso v1

    Caricato da

    michael
    how to set up Kerbos SSO for Documentum

    Copyright:

    © All Rights Reserved
    Scarica in formato PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    di 6

    HowtosetupKerberosSSO6.7onWindows2008R2ServerwithWindows7Clients,ApacheTomcatWebApplication.

    Firstofallmakeafindandreplaceallinformationunder<>withyourowndata.knowingthattheseinformationarecasesensitive.

    Repositoryname:

    <repository_name>
    ContentServer:

    <CS_ServerName>
    WebApplicationServer:

    <HTTP_ServerName>
    ActiveDirectoryServer:

    <AD_ServerName>
    FQDN(FullQualifiedDomainName): <ABC.ITU.CH>
    fqdn:

    <abc.itu.ch>
    SSOHTTPUser:

    <DocumentumHTTP>
    SSOHTTPUserPassword:

    <PWD_HTTP>
    SSOContentServerUser:

    <DocumentumCS>
    SSOContentServerUserPassword:
    <PWD_CS>
    WebApplicationName:

    <taskspace>
    WebApplicationPort:

    <8093>
    %CATALINA_HOME%:

    <C:\Apache\taskspace_8093_p>

    AFromyourActiveDirectoryServer

    1) UserCreation
    Createthesetwousers:<DocumentumHTTP>and<DocumentumCS>

    Check:
    Use Kerberos DES encryption types for this account
    This account supports Kerberos AES 128 bit encryption.

    2) CreateKeytab
    2.1)KeytabusedbytheContentServer

    C:\>ktpass/pass<PWD_CS>out<repository_name>.0001.keytabprincCS/<repository_name>@<FQDN>cryptoALL+DumpSaltptype
    KRB5_NT_PRINCIPAL/mapOpset/mapUser<DocumentumCS>@<FQDN>

    2.1.1)From AD User Properties, Update Delegation for user <DocumentumCS>


    check : Trust this user for delegation to any service (Kerberos only)

    2.1.2)Copythiskeytabfileunder<repository_name>.0001.keytabunder \\<CS_ServerName>\%DOCUMENTUM%\dba\auth\kerberos\
    CreatedbyMichelManias

    1/6


    2.2)Keytabusedbyallyourwebapplication.
    C:\>ktpass/pass<PWD_HTTP>out<DocumentumHTTP>.keytabprincHTTP/<HTTP_ServerName>.<abc.itu.ch>@<ABC.ITU.CH>cryptoALL+DumpSalt
    ptypeKRB5_NT_PRINCIPAL/mapOpset/mapUser<DocumentumHTTP>@<ABC.ITU.CH>

    2.2.1)From AD User Properties, Update Delegation for user <DocumentumHTTP>


    check : Trust this user for delegation to any service (Kerberos only)

    2.2.2)Copy Keytab file under \\<HTTP_ServerName> \%CATALINA_HOME%\<DocumentumHTTP>.keytab

    This path will be named <HTTP_KEYTAB_PATH>

    BFromyourWebApplicationServer

    WebApplicationServer:<HTTP_ServerName>
    Updatefilewebapps\<taskspace>\wdk\app.xml

    <!KerberosSSOauthenticationschemeconfiguration>
    <kerberos_sso>
    <enabled>true</enabled>
    <browsers>
    <windows>
    <ieversions>6.0,7.0,8.0</ieversions>
    <firefoxversions>2.0,3.0,3.5</firefoxversions>
    </windows>
    </browsers>
    <!EnableloginfallbacktoDocbaseLoginscheme>
    <docbase_login_fallback>false</docbase_login_fallback>
    <!Mandatoryconfiguration:Providethekerberosrealm/domianname.>
    <domain><fqdn></domain>
    </kerberos_sso>

    JASSConfigurationfile
    Createfile\\<HTTP_ServerName> \%CATALINA_HOME%\<taskspace>\webapps\<taskspace>\WEBINF\krb5Login.conf
    Warning1:
    the bold red info must be replace by your <fqdn>, knowing that . Must be replaced by -
    Warning2:

    CreatedbyMichelManias

    2/6

    <HTTP_KEYTAB_PATH> must be replace with you path related to your <documentumHTTP>.keytab


    Example:<HTTP_KEYTAB_PATH>=C\://Apache//taskspace_8093_p//<documentumHTTP>.keytab
    HTTP<HTTP_ServerName>abcituch
    {
    com.sun.security.auth.module.Krb5LoginModulerequired
    debug=true
    principal="HTTP/<HTTP_ServerName>.<fqdn>@<fqdn>"
    refreshKrb5Config=true
    useKeyTab=true
    storeKey=true
    useTicketCache=false
    isInitiator=false
    keyTab="<HTTP_KEYTAB_PATH>";
    };

    OntheApacheSetting
    UpdateApacheServiceProperties

    CreatedbyMichelManias

    3/6

    Add
    Djava.security.krb5.config=%WINDIR%\krb5.ini
    Djava.security.auth.login.config=<C:\Apache\taskspace_8093_p>\webapps\taskspace\WEBINF\krb5Login.conf
    Djava.security.auth.useSubjectCredsOnly=false

    COnyourWebApplicationServerandContentServer

    CreateaFilekrb5.ini.Youwillhavetostoreitunderc:\windows\oftheContentServerandtheWebApplicationServer.
    [libdefaults]
    default_realm = <ABC.ITU.CH>
    forwardable = true
    ticket_lifetime = 24h
    clockskew = 72000
    default_tkt_enctypes = aes128-cts des-cbc-md5 des-cbc-crc des3-cbc-sha1
    default_tgs_enctypes = aes128-cts des-cbc-md5 des-cbc-crc des3-cbc-sha1
    permitted_enctypes = aes128-cts des-cbc-md5 des-cbc-crc des3-cbc-sha1
    [realms]

    <ABC.ITU.CH> = {
    kdc = <AD_ServerName>.<abc.itu.ch>
    admin_server= <AD_ServerName>.<abc.itu.ch>
    }
    [domain_realm]
    .<abc.itu.ch> = <abc.itu.ch>

    DHowtodebugit
    Update service Documentum Docbase Service <repository_name>inordertoadd-otrace_authentication, this will allow you to manage log file in a trace mode for
    Kerberos authentication
    C:\Documentum\product\6.7\bin\documentum.exe -docbase_name <repository_name> -security acl -otrace_authentication -init_file
    C:\Documentum\dba\config\<repository_name>\server.ini -run_as_service -install_owner dmadmin -logfile C:\Documentum\dba\log\<repository_name>.log

    CreatedbyMichelManias

    4/6

    Updatefile
    \\<HTTP_ServerName> \%CATALINA_HOME%\<taskspace>\webapps\<taskspace>\WEBINF\classes\log4j.properties
    InordertogetallDebuginformationunderTaskspace_8093_p.log
    log4j.rootCategory=DEBUG,file,stdout
    log4j.appender.file.File=C:\\Apache\\taskspace_8093_p\\logs\\Taskspace_8093_p.log

    Updatefile\\<HTTP_ServerName>\%CATALINA_HOME%\<taskspace>\webapps\<taskspace>\WEB
    INF\classes\com\documentum\debug\TraceProp.properties
    Inordertogetmoredetaileddebuginformation

    com.documentum.web.formext.Trace.SESSION=true

    CheckJavaVersion
    C:\Windows\system32>javaversion
    javaversion"1.6.0_22"
    Java(TM)SERuntimeEnvironment(build1.6.0_22b02)
    JavaHotSpot(TM)64BitServerVM(build16.3b01,mixedmode)

    JavaVersionmustbe1.6.0_20
    UninstallexistingJavaversion
    DownloadArchive:Java[tm]TechnologyProductsDownloadfrom:http://www.oracle.com/technetwork/java/archive139210.html
    Select:JDK/JRE6
    Select:6Update20
    Archive:DownloadJavaPlatformStandardEdition(JavaSE)6Update20
    DownloadJavaSEdevelopmentKit6u20forWindowsx64
    Copyfileunderc:\temp\jdk6u20windowsx64.exe
    InstallJDK1.6.0_20underc:\java\

    UpdateeachApacheInstances

    UpdateJavaVirtualMachinefromC:\Java\jdk1.6.0_22\jre\bin\server\jvm.dll

    ToC:\Java\jdk1.6.0_20\jre\bin\server\jvm.dll
    UpdateJAVA_HOMEVariable
    C:\Java\jdk1.6.0_20

    TotestwithFirefox
    Typeabout:configunderthebrowser
    UnderFilter,typenetwork.n
    CreatedbyMichelManias

    5/6

    Updatevaluenetwork.negotiateauth.trusteduris

    With:http://<HTTP_ServerName>.<abc.itu.ch>

    TestURL:http://<HTTP_ServerName>.<abc.itu.ch>:<8093>/<taskspace>/appname=CORE
    CheckLogfiles:<C:\Apache\taskspace_8093_p>\logs\Taskspace_8093_p.log

    TotestKerberosPassword
    FromyourContentServer
    C:\>kinitCS/<repository_name>
    PasswordforCS/<repository_name>@<FQDN>:
    NewticketisstoredincachefileC:\Users\dmadmin\krb5cc_dmadmin
    FromyourWebApplicationServer
    C:\Java\jdk1.6.0_20\bin>kinitHTTP/<HTTP_ServerName>.<abc.itu.ch>
    PasswordforHTTP/<HTTP_ServerName>.<abc.itu.ch>:
    NewticketisstoredincachefileC:\Users\dmadmin\krb5cc_dmadmin

    EListofexistingEMCWhitepapers

    EMCDocumentumKerberosSSOAuthentication(ADetailedReview)May2011andAugust2010
    TroubleshootingEMCDocumentumWEBTOPKERBEROSSSOENVIRONMENTS
    EMCDocumentumWebDevelopmentKitandWebtopVersion6.7DeploymentGuide(Chapter11:ConfiguringKerberosAuthentication)
    EMCDocumentumMyDocumentumforMicrosoftSharepoint

    CreatedbyMichelManias

    6/6

    Potrebbero piacerti anche