Documentum Webtop SSO Configuration Guide

Last year, on a Documentum project, the customer asked for single sign-on (SSO). While following the documentation EMC provided I ran into many errors, and some problems even EMC support could not figure out. In the end it took about two months to get the configuration working and deployed in the customer's production environment, where it has been running stably ever since.

For my first post on cnblogs, I am sharing this SSO configuration guide, which I wrote myself. The original was written in English, and for lack of time I have not translated it here.

EMC Documentum Webtop Kerberos SSO configuration

1. Revision History
Date | Version | Changes | Author
17 July, 2012 | 0.1 | How to create users and register SPN | Dylan ZHANG
23 July, 2012 | 1.0 | Add content server, apps server and client settings. | Dylan ZHANG

2. Briefing
To enable Documentum WDK SSO, at least two users are needed in AD: one for the Documentum Content Server (CS) and the other for Webtop. Both are used to register CS and Webtop as Service Principals in the Key Distribution Center (KDC), which by default is integrated with Windows Active Directory.
For more details about the Webtop Kerberos SSO mechanism, please refer to pages 6 to 9 of h8031, “EMC Documentum Kerberos SSO Authentication: A Detailed Review”.

  • This document focuses on how to configure Documentum Webtop Kerberos SSO.
  • This document uses the internal testing DMS as its example. Please change the settings to match your own environment.

3. Create users and register SPN.
3.1. Create user for Content Server

  • 1) Create a user with the logon name: cssso
  • 2) Select the option “Password never expires”.
  • 3) In the Command Prompt, run the following command:
    • ktpass /pass P@ssw0rd -out ClusterTestingRep.0001.keytab -princ CS/ClusterTestingRep@DMS.DYLAN -crypto ALL +DumpSalt -ptype KRB5_NT_PRINCIPAL /mapOp set /mapUser cssso@DMS.DYLAN
    • Where ClusterTestingRep is the repository name and DMS.DYLAN is the domain.
  • 4) Go to the user properties > Account; the user logon name will have changed to “CS/ClusterTestingRep”.
  • 5) In the account options, select the following two options:
    •   a. Use Kerberos DES encryption types for this account
    •   b. This account supports Kerberos AES 128 bit encryption
  • 6) Go to the Delegation tab and select the option “Trust this user for delegation to any service (Kerberos only)”.

Diagram 3-1 - User “cssso” properties

3.2. Create user for Webtop

  • 1) Create a user with the logon name: http1ssowebtop
  • 2) Select the option “Password never expires”.
  • 3) In the Command Prompt, run the following command:
    •   ktpass /pass P@ssw0rd -out http1webtop.keytab -princ HTTP/appsn1.dms.dylan@DMS.DYLAN -crypto ALL +DumpSalt -ptype KRB5_NT_PRINCIPAL /mapOp set /mapUser http1ssowebtop@DMS.DYLAN
  • 4) Go to the user properties > Account; the user logon name will have changed to “HTTP/appsn1.dms.dylan”.
  • 5) In the account options, select the following two options:
    •   a. Use Kerberos DES encryption types for this account
    •   b. This account supports Kerberos AES 128 bit encryption
  • 6) Go to the Delegation tab and select the option “Trust this user for delegation to any service (Kerberos only)”.

Diagram 3-2 – User “http1ssowebtop” properties


4. Content server setting
4.1. Copy keytab file
Copy the keytab file generated in step 3.1 to “C:\Documentum\dba\auth\kerberos”.
If the content server runs in HA mode (failover), copy the keytab file to the same path on the other nodes.


4.2. Create krb5.ini
Create a “krb5.ini” file with the following contents and save it to “C:\Windows”.

[libdefaults]
default_realm = DMS.DYLAN
forwardable = true
ticket_lifetime = 24h
# clock skew tolerance in seconds (72000 s = 20 hours)
clockskew = 72000
# only these key types are used; the DES entries match the account options chosen in step 3
default_tkt_enctypes = aes128-cts des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = aes128-cts des-cbc-md5 des-cbc-crc des3-cbc-sha1
permitted_enctypes = aes128-cts des-cbc-md5 des-cbc-crc des3-cbc-sha1
[realms]
DMS.DYLAN = {
kdc = DomainC.dms.dylan
admin_server = DomainC.dms.dylan
}
[domain_realm]
# realm names are case-sensitive: map the DNS domain to the upper-case realm defined above
.dms.dylan = DMS.DYLAN
dms.dylan = DMS.DYLAN

5. Apps server setting
5.1. Create krb5login.conf
Create a conf file with the following contents:

HTTP-appsn1-dms-dylan
{
com.sun.security.auth.module.Krb5LoginModule required
debug=true
principal="HTTP/appsn1.dms.dylan@DMS.DYLAN"
refreshKrb5Config=true
useKeyTab=true
storeKey=true
useTicketCache=false
isInitiator=false
keyTab="C:/Program Files/Apache Software Foundation/Tomcat 6.0/http1webtop.keytab";
};


Save the file to “C:\Program Files\Apache Software Foundation\Tomcat 6.0\webapps\webtop\WEB-INF”

5.2. Copy the keytab file to Tomcat
Step 3.2 produced a keytab file named “http1webtop.keytab”. Copy it to “C:\Program Files\Apache Software Foundation\Tomcat 6.0”.
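Because step 3.2 runs ktpass with -crypto ALL while step 4.2's krb5.ini restricts permitted_enctypes to four types, it is worth confirming which keys in the keytab the principal named in krb5login.conf can actually use. The following Python script is an added example, not part of the original guide: it parses the binary keytab format that ktpass writes (version 0x0502), and the sample keytab and key bytes are constructed inline for the demonstration.

```python
import struct

# Enctype numbers (RFC 3961 / IANA) mapped to the names this page uses in krb5.ini.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts", 18: "aes256-cts", 23: "rc4-hmac"}

def parse_keytab(data):
    """Parse a version-2 (0x0502) keytab, as written by ktpass, into one dict per key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos < len(data):
        size, pos = struct.unpack(">i", data[pos:pos + 4])[0], pos + 4
        body, p, parts = data[pos:pos + size], 2, []
        for _ in range(struct.unpack(">H", body[:2])[0] + 1):   # realm, then name parts
            ln = struct.unpack(">H", body[p:p + 2])[0]
            parts.append(body[p + 2:p + 2 + ln].decode())
            p += 2 + ln
        _ntype, _ts, vno8, etype, klen = struct.unpack(">IIBHH", body[p:p + 13])
        p += 13 + klen                        # skip the key bytes themselves
        kvno = struct.unpack(">I", body[p:p + 4])[0] if len(body) >= p + 4 else vno8
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0],
                        "enctype": ENCTYPES.get(etype, str(etype)), "kvno": kvno})
        pos += size
    return entries

def build_keytab(keys):
    """Constructed test data only: keys = [(principal, enctype number, kvno, key bytes)]."""
    out = b"\x05\x02"
    for princ, etype, kvno, key in keys:
        name, realm = princ.split("@")
        parts = [realm] + name.split("/")
        body = struct.pack(">H", len(parts) - 1)
        body += b"".join(struct.pack(">H", len(s)) + s.encode() for s in parts)
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key
        out += struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)
    return out

def usable_keys(data, principal, permitted):
    """Split keytab entries into those the JAAS principal can use under permitted_enctypes and the rest."""
    entries = parse_keytab(data)
    good = [e for e in entries if e["principal"] == principal and e["enctype"] in permitted]
    return good, [e for e in entries if e not in good]

# Constructed sample (dummy key bytes): what "ktpass -crypto ALL" leaves for this page's Webtop principal, plus a stray CS entry.
WEBTOP = "HTTP/appsn1.dms.dylan@DMS.DYLAN"
SAMPLE = build_keytab([(WEBTOP, 1, 3, b"\x01" * 8), (WEBTOP, 23, 3, b"\x02" * 16),
                       (WEBTOP, 17, 3, b"\x03" * 16), (WEBTOP, 18, 3, b"\x04" * 32),
                       ("CS/ClusterTestingRep@DMS.DYLAN", 17, 2, b"\x05" * 16)])
PERMITTED = "aes128-cts des-cbc-md5 des-cbc-crc des3-cbc-sha1".split()   # from krb5.ini
```

Running usable_keys on a real http1webtop.keytab shows at a glance whether the AES-128 key is present and whether the kvno matches the account's current password version; keys listed in the second result (such as rc4-hmac or aes256-cts) are ignored under this krb5.ini.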

5.3. Modify “web.xml” in “/webapps/webtop/wdk/”
Apply the following settings:

<!-- Kerberos SSO authentication scheme configuration -->
<kerberos_sso>
<enabled>true</enabled>
<browsers>
<windows>
<ieversions>6.0,7.0,8.0</ieversions>
<firefoxversions>2.0,3.0,3.5</firefoxversions>
</windows>
</browsers>
<!-- Enable login fall back to DocbaseLogin scheme -->
<docbase_login_fallback>true</docbase_login_fallback>
<!-- Mandatory configuration: Provide the kerberos realm / domain name. -->
<domain>dms.dylan</domain>
<!-- Specify the server name if DNS alias is used in the URL -->
<server_name>appsn1.dms.dylan</server_name>
</kerberos_sso>


5.4. Repeat step 4.2 on the application server.

5.5. Tomcat Java Tab setting
Add the following settings to the Tomcat Java tab:
-Djava.security.krb5.config=%WINDIR%\krb5.ini
-Djava.security.auth.login.config=C:\Program Files\Apache Software Foundation\Tomcat 6.0\webapps\webtop\WEB-INF\krb5login.conf
-Djava.security.auth.useSubjectCredsOnly=false

6. DA settings
6.1. Re-Initialize Server
Log in to DA > Administration > Basic Configuration > Content Servers and open the content server properties.

Diagram 6-1 Re-Initialize Server


6.2. Update user properties

Diagram 6-2 User Properties Settings

The “User Login Domain” should be set to the short domain name (page 18, h8031).

7. Client settings
7.1. Group policy
Run gpedit.msc > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Configure encryption types allowed for Kerberos, and select all of the encryption types.

Diagram 7-1, Group policy setting


7.2. IE setting
1) Internet Options > Local intranet > Sites, select the following options

Diagram 7-2, Intranet setting

2) Click “Advanced” and add the following site to the zone:
   appsn1.dms.dylan
3) Internet Options > Advanced, select “Enable Integrated Windows Authentication*”


Diagram 7-3, IE advanced setting

8. Conclusion
Open IE and go to http://appsn1.dms.dylan/webtop. The first time a user logs in, it prompts for the Windows user name and password. After clicking OK, a page lists the available repositories; choose one and log in.
The next time the user logs in to Webtop, he is taken straight to the home page.


The domain used in the steps above is dms.dylan; please adjust it to match your own environment.


Reposted from: https://www.cnblogs.com/zxz304/p/3179982.html
