10.4 Configuring OSP to Use Kerberos for Single Sign-On

You can use Kerberos as an authentication method for the identity applications that allow SSO. This also allows users to use Integrated Windows Authentication to log in to the applications. This section provides instructions for configuring Active Directory to use Kerberos for connecting to the identity applications:

10.4.1 Configuring the Kerberos User Account in Active Directory

Use the Active Directory administration tools to configure Active Directory for Kerberos authentication. You need to create a new Active Directory user account for Identity Governance, Identity Reporting, and Workflow Engine. If Identity Governance, Identity Reporting, and Workflow Engine are not on the same server, you must create a separate account for each, so three accounts in total. The user account name must use the DNS name of the server that hosts Identity Governance, Identity Reporting, or Workflow Engine.

NOTE: For domain or realm references, use uppercase format. For example @MYCOMPANY.COM.

  1. As an Active Directory administrator, use the Microsoft Management Console (MMC) to create a new user account with the DNS name of the server that hosts Identity Governance or Identity Reporting.

    For example, if the DNS name of the server is idgov.mycompany.com, use the following information to create the user:

    First name: idgov

    User login name: HTTP/idgov.mycompany.com

    Pre-Windows logon name: idgov

    Set password: Specify the appropriate password. For example: Passw0rd.

    Password never expires: Select this option.

    User must change password at next logon: Do not select this option.

  2. Associate the new user with the Service Principal Name (SPN).

    1. In the Active Directory server, open a cmd shell.

    2. At the command prompt, enter the following:

      setspn -A HTTP/DNS_Identity_Governance_server@WINDOWS-DOMAIN userID

      For example:

      setspn -A HTTP/idgov.mycompany.com@MYCOMPANY.COM idgov
    3. Verify that the SPN was registered by entering setspn -L userID.

  3. To generate the keytab file, use the ktpass utility:

    1. At the command line prompt, enter the following:

      ktpass /out filename.keytab /princ servicePrincipalName /mapuser userPrincipalName /mapop set /pass password /crypto ALL /ptype KRB5_NT_PRINCIPAL

      For example:

      ktpass /out idgov.keytab /princ HTTP/identity-governance.mycompany.com@MYCOMPANY.COM /mapuser idgov /mapop set /pass Passw0rd /crypto All /ptype KRB5_NT_PRINCIPAL

      IMPORTANT: For domain or realm references, use uppercase format. For example, @MYCOMPANY.COM.

    2. Copy the generated keytab file (for example, rbpm.keytab) to your Identity Governance server.

  4. As an Administrator in Active Directory, create an end user account with the MMC to prepare for SSO.

    The end user account name must match some attribute value of an eDirectory user to support single sign-on. Create the user with some name such as cnano, remember the password, and ensure that User must change password at next logon is not selected.

  5. (Optional) Repeat these steps for Identity Reporting if you installed the reporting component on a separate server.

  6. (Optional) Repeat these steps for Workflow Engine if you installed it on a separate server.

  7. Configure the server for Identity Governance, Identity Reporting, or the server for Workflow Engine to accept the Kerberos configuration by proceeding to Section 10.4.2, Configuring the Servers for Identity Governance and its Components.

10.4.2 Configuring the Servers for Identity Governance and its Components

You must configure your Identity Governance, Identity Reporting, and the Workflow Engine servers to use the Kerberos keytab file and the user account that you created in Active Directory. Ensure that you complete Section 10.4.1, Configuring the Kerberos User Account in Active Directory before proceeding.

NOTE: For domain or realm references, use uppercase format. For example @MYCOMPANY.COM.

IMPORTANT: JDK 11.0.21 is the minimum required version for Identity Governance. With JDK 11, Oracle has made changes to Kerberos encryption types. Adjust your configuration as needed based on the Deprecate 3DES and RC4 in Kerberos (JDK-8139348) section in the JDK 11.0.17 Release Notes.

  1. To define your operating system settings for the Kerberos configuration, complete the following steps:

    1. Open the krb5 file in a text editor on the Identity Governance server.

      Linux: /etc/krb5.conf

      Windows: C:\Windows\krb5.ini

    2. Add the following information to the krb5 file:

      [libdefaults]
          default_realm = WINDOWS-DOMAIN
          kdc_timesync = 0
          forwardable = true
          proxiable = false
      [realms]
          WINDOWS-DOMAIN = {
               kdc = FQDN Active Directory Server
               admin_server = FQDN Active Directory Server
          }
      [domain_realm]
          .your.domain = WINDOWS-DOMAIN
          your.domain = WINDOWS-DOMAIN

      For example:

      [libdefaults]
          default_realm = MYCOMPANY.COM
          kdc_timesync = 0
          forwardable = true
          proxiable = false
      [realms]
          MYCOMPANY.COM = {
               kdc = myadserver.mycompany.com
               admin_server = myadserver.mycompany.com
          }
      [domain_realm]
          .mycompany.com = MYCOMPANY.COM
          mycompany.com = MYCOMPANY.COM
    3. Save the changes and close the krb5 file.

  2. To define the Kerberos configuration information for Apache Tomcat, complete the following steps:

    1. Create a Kerberos_login.config file on the Identity Governance server where the Apache Tomcat instance runs, with the following content:

      NOTE: The novlua user needs permissions to create the Kerberos_login.config file.

      com.sun.security.jgss.krb5.accept {
          com.sun.security.auth.module.Krb5LoginModule required
          debug="true"
          refreshKrb5Config="true"
          useTicketCache="true"
          ticketCache="/opt/netiq/idm/apps/tomcat/kerberos/spnegoTicket.cache"
          doNotPrompt="true"
          principal="HTTP/DNS_Identity_Governance_server@WINDOWS-DOMAIN"
          useKeyTab="true"
          keyTab="/absolute_path/filename.keytab"
          storeKey="true";
      };

      An example on a Windows server is as follows:

      keyTab="c:\\NetIQ\\IdentityGovernance\\apps\\tomcat\\kerberos\\rbpm.keytab"
    2. In the file, specify values for principal and keyTab. For example:

      principal="HTTP/idgov.mycompany.com@MYCOMPANY.COM"
      keyTab="/home/usr/rbpm.keytab"

      • The value for principal must match the service principal name that you registered and used to generate the keytab. For more information, see Step 3 in Section 10.4.1.

      • Provide the absolute path of the keytab file on your Identity Governance server. The file does not have to reside in the default directory for Identity Governance.

    3. Reference the Kerberos_login.config file in the JVM's java.security file by adding the following line:

      login.config.url.1=file:/opt/netiq/idm/apps/tomcat/kerberos/Kerberos_login.config

      The path listed is the default installation location for a Linux server.

      An example of the java.security file on a Windows server is as follows:

      login.config.url.1=file:c:/NetIQ/IdentityManager/apps/tomcat/kerberos/Kerberos_login.config
  3. To specify the authentication method in the Identity Governance Configuration utility, complete the following steps:

    1. Launch the Identity Governance Configuration Update utility on the Identity Governance server. For more information, see Section 15.1.5, Using the Identity Governance Configuration Update Utility.

    2. Click the Authentication tab.

    3. At the end of the page, click Show Advanced Options.

    4. Under Authentication Method > Method select Kerberos.

    5. In the Mapping attribute name field, specify cn.

    6. Select any of the following options that apply to your environment:

    7. Click OK to save the changes.

    8. Restart Apache Tomcat. For more information, see Section 3.5.3, Starting and Stopping Apache Tomcat.

  4. (Optional) Repeat these steps for Identity Reporting if you installed it on a separate server.

  5. (Optional) Repeat these steps for Workflow Engine if you installed it on a separate server.

  6. Configure the browsers that end-users use to access the identity applications. For more information, see Section 10.4.3, Configure Browsers to Use Integrated Windows Authentication.
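Before restarting Tomcat, it is worth confirming that the keytab you copied in Section 10.4.1 actually carries the principal named in Kerberos_login.config, with the realm uppercase and with no encryption types that JDK 11 deprecates. The following Python script is an added example, not part of this documentation or of the product; it parses the MIT keytab format (version 0x0502) that ktpass writes and runs those checks against a constructed sample keytab (the key bytes and kvno are made up) instead of a real file.

```python
import struct

DEPRECATED = {16: "des3-cbc-sha1", 23: "rc4-hmac"}   # enctypes JDK 11 deprecates (JDK-8139348)

def parse_keytab(data):
    """Parse an MIT-format (0x0502) keytab into a list of {principal, enctype, kvno}."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size, pos = struct.unpack(">i", data[pos:pos + 4])[0], pos + 4
        e, pos = data[pos:pos + size], pos + size
        ncomp, p, strings = struct.unpack(">H", e[:2])[0], 2, []
        for _ in range(ncomp + 1):        # realm is stored first, then the name components
            ln = struct.unpack(">H", e[p:p + 2])[0]
            strings.append(e[p + 2:p + 2 + ln].decode())
            p += 2 + ln
        # 8x skips uint32 name_type and uint32 timestamp; the key bytes are not needed here
        vno8, enctype, _klen = struct.unpack(">8xBHH", e[p:p + 13])
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "enctype": enctype, "kvno": vno8})
    return entries

def check_keytab(data, jaas_principal):
    """Return problems that would break the principal/keyTab pairing in Kerberos_login.config."""
    problems, realm = [], jaas_principal.rsplit("@", 1)[-1]
    if realm != realm.upper():
        problems.append("realm %s must be uppercase" % realm)
    matching = [e for e in parse_keytab(data) if e["principal"] == jaas_principal]
    if not matching:
        problems.append("principal %s is not in the keytab" % jaas_principal)
    for e in matching:
        if e["enctype"] in DEPRECATED:
            problems.append("kvno %d uses deprecated enctype %s" % (e["kvno"], DEPRECATED[e["enctype"]]))
    return problems

def build_entry(principal, enctype, key, kvno=2):
    """Serialise one keytab entry; used here only to construct sample data (not ktpass output)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno)          # KRB5_NT_PRINCIPAL = 1, timestamp 0
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: the SPN from this section with an AES256 key and a legacy RC4 key.
SPN = "HTTP/idgov.mycompany.com@MYCOMPANY.COM"
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(SPN, 18, b"\x11" * 32) + build_entry(SPN, 23, b"\x22" * 16)
```

Run check_keytab on your own file with open(path, "rb").read() and the principal value from Kerberos_login.config; a non-empty result explains a failing SPNEGO handshake before any browser is involved. Note that the ktpass example in Section 10.4.1 names HTTP/identity-governance.mycompany.com while the Kerberos_login.config example names HTTP/idgov.mycompany.com; the check reports exactly that kind of mismatch.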

10.4.3 Configure Browsers to Use Integrated Windows Authentication

The browsers used to access Identity Governance, Identity Reporting, and Workflow Engine also need to be configured for Integrated Windows Authentication. This section provides instructions for configuring an end-user computer to support single sign-on access using Integrated Windows Authentication.

NOTE: You must perform this procedure for each end-user computer where you want to provide single sign-on access to Identity Governance, Identity Reporting, and Workflow Engine.

  1. Log in to the computer where users need single sign-on access.

  2. Open the Internet Options control panel.

  3. Click Security.

  4. Click Trusted Sites > Sites.

  5. Add the DNS name of the Identity Governance, Identity Reporting, and Workflow Engine server.

    For example: idgov.mycompany.com

  6. Click Add, then click Close.

  7. Click Custom level....

  8. Under User Authentication, select Automatic logon with current user name and password.

  9. Click OK.

  10. In Internet Options, click Advanced.

  11. Under Security, select Enable Integrated Windows Authentication.

  12. Repeat this procedure for each end-user computer where you want to provide single sign-on access to Identity Governance, Identity Reporting, and Workflow Engine.