38.2 Configuring the Identity Applications Server

You must configure your identity applications server to use the Kerberos keytab file and the user account that you have created in Active Directory. Ensure that you complete Configuring the Kerberos User Account in Active Directory before proceeding.

NOTE:For domain or realm references, use uppercase format. For example @MYCOMPANY.COM.

  1. To define your operating system settings for the Kerberos configuration, complete the following steps:

    1. Open the krb5 file in a text editor on the server that hosts the identity applications.

      Linux: /etc/krb5.conf

      Windows: C:\Windows\krb5.ini

      UNIX: /etc/krb5/krb5.conf

    2. Add the following information to the krb5 file:

      [libdefaults]
          default_realm = WINDOWS-DOMAIN
          kdc_timesync = 0
          forwardable = true
          proxiable = false
      [realms]
          WINDOWS-DOMAIN = {
               kdc = FQDN Active Directory Server
               admin_server = FQDN Active  Directory Server
          }
      [domain_realm]
          .your.domain = WINDOWS-DOMAIN
          your.domain = WINDOWS-DOMAIN

      For example:

      [libdefaults]
          default_realm = MYCOMPANY.COM
          kdc_timesync = 0
          forwardable = true
          proxiable = false
      [realms]
          MYCOMPANY.COM = {
               kdc = myadserver.mycompany.com
               admin_server = myadserver.mycompany.com
          }
      [domain_realm]
          .mycompany.com = MYCOMPANY.COM
          mycompany.com = MYCOMPANY.COM
    3. Save the changes and close the krb5 file.

  2. (Conditional) To define the Kerberos configuration information for Tomcat, complete the following steps:

    1. Create a sample Kerberos_login.config file on the Tomcat application server with the following content:

      NOTE:The novlua user needs permissions to create the Kerberos_login.config file.

      com.sun.security.jgss.krb5.accept {
              com.sun.security.auth.module.Krb5LoginModule required
          debug="true"
              refreshKrb5Config="true"
          useTicketCache="true"
              ticketCache="/opt/netiq/idm/apps/tomcat/kerberos/spnegoTicket.cache"
          doNotPrompt="true"
              principal="HTTP/DNS_Identity_Applications_server@WINDOWS-DOMAIN"
          useKeyTab="true"
              keyTab="/absolute_path/filename.keytab"
          storeKey="true";
          };

      An example on a Windows server is as follows:

      keyTab="c:\\NetIQ\\IdentityManager\\apps\\tomcat\kerberos\\rbpm.keytab"
    2. In the file, specify values for principal and keyTab. For example:

      principal="HTTP/rbpm.mycompany.com@MYCOMPANY.COM"
      keyTab="/home/usr/rbpm.keytab"
      • The value for principal must match the same value that you specified for Kerberos. For more information, see Step 3.

      • Provide the absolute path of the keytab file on your identity applications server. The file does not have to reside in the default directory for the identity applications.

    3. Refer to the Kerberos_login.config file in JVM java.security file with the following line:

      login.config.url.1=file:/opt/netiq/idm/apps/tomcat/kerberos/Kerberos_login.config

      The path listed is the default installation location for a Linux server.

      An example of the java.security file on a Windows server is as follows:

      login.config.url.1=file:c:/NetIQ/IdentityManager/apps/tomcat/kerberos/Kerberos_login.config
  3. To specify the Authentication method in the RBPM Configuration utility, complete the following steps:

    1. Open the Configupdate utility.

    2. Click the Authentication tab.

    3. Scroll down to the Authentication Method section.

    4. In the Method field, select Kerberos.

    5. In the Mapping attribute name field, specify cn.

  4. (Optional) Repeat these steps for Identity Reporting if you installed the reporting component on a separate server.

  5. Configure the browsers that end-users use to access the identity applications. For more information, see Configure the End-User Browsers to Use Integrated Windows Authentication.