46.2 Configuring the Identity Applications Server

You must configure your identity applications server to use the Kerberos keytab file and the user account that you have created in Active Directory. Ensure that you complete Section 46.1, Configuring the Kerberos User Account in Active Directory before proceeding.

NOTE: Write realm names in uppercase wherever they appear, for example @MYCOMPANY.COM. Kerberos realm names are case-sensitive: a principal whose realm is written in lowercase does not match the keytab entry or the ticket that Active Directory issues.

  1. To define your operating system settings for the Kerberos configuration, complete the following steps:

    1. Open the krb5 file in a text editor on the server that hosts the identity applications.

      Linux: /etc/krb5.conf

      Windows: C:\Windows\krb5.ini

      Unix: /etc/krb5/krb5.conf

    2. Add the following information to the krb5 file:

      [libdefaults]
          default_realm = WINDOWS-DOMAIN
          kdc_timesync = 0
          forwardable = true
          proxiable = false
      [realms]
          WINDOWS-DOMAIN = {
               kdc = FQDN Active Directory Server
               admin_server = FQDN Active Directory Server
          }
      [domain_realm]
          .your.domain = WINDOWS-DOMAIN
          your.domain = WINDOWS-DOMAIN

      For example:

      [libdefaults]
          default_realm = MYCOMPANY.COM
          kdc_timesync = 0
          forwardable = true
          proxiable = false
      [realms]
          MYCOMPANY.COM = {
               kdc = myadserver.mycompany.com
               admin_server = myadserver.mycompany.com
          }
      [domain_realm]
          .mycompany.com = MYCOMPANY.COM
          mycompany.com = MYCOMPANY.COM
    3. Save the changes and close the krb5 file.

  2. (Conditional) To define the Kerberos configuration information for Tomcat, complete the following steps:

    1. Create a sample Kerberos_login.config file on the Tomcat application server with the following content:

      NOTE: The novlua user (the account that Tomcat runs as) needs permission to create and read the Kerberos_login.config file and to read the keytab that it references. Restrict the keytab to that user: anyone who can read it holds the service's long-term key and can decrypt or forge tickets for the service.

      com.sun.security.jgss.krb5.accept {
          com.sun.security.auth.module.Krb5LoginModule required
          debug="true"
          refreshKrb5Config="true"
          useTicketCache="true"
          ticketCache="/opt/netiq/idm/apps/tomcat/kerberos/spnegoTicket.cache"
          doNotPrompt="true"
          principal="HTTP/DNS_Identity_Applications_server@WINDOWS-DOMAIN"
          useKeyTab="true"
          keyTab="/absolute_path/filename.keytab"
          storeKey="true";
      };

      On a Windows server, double each backslash in the keytab path. For example:

      keyTab="c:\\NetIQ\\IdentityManager\\apps\\tomcat\\kerberos\\rbpm.keytab"
    2. In the file, specify values for principal and keyTab. For example:

      principal="HTTP/rbpm.mycompany.com@MYCOMPANY.COM"
      keyTab="/home/usr/rbpm.keytab"

      • The value for principal must match, character for character, the service principal name (HTTP/<DNS name of the identity applications server>) that you registered for the Active Directory user account, including the uppercase realm. For more information, see Step 3 in Section 46.1, Configuring the Kerberos User Account in Active Directory.

      • Provide the absolute path of the keytab file on your identity applications server. The file does not have to reside in the default directory for the identity applications.

      • Leave debug="true" only while you set up and troubleshoot single sign-on. With debugging enabled, Krb5LoginModule writes principal names and ticket details to the Tomcat log; set it to "false" once authentication works.

    3. Reference the Kerberos_login.config file from the java.security file of the JVM that runs Tomcat by adding the following line:

      login.config.url.1=file:/opt/netiq/idm/apps/tomcat/kerberos/Kerberos_login.config

      The path shown is the default installation location on a Linux server. If java.security already contains a login.config.url.1 entry, use the next unused index (for example, login.config.url.2); the JVM reads the entries in sequence.

      An example of the java.security entry on a Windows server is as follows:

      login.config.url.1=file:c:/NetIQ/IdentityManager/apps/tomcat/kerberos/Kerberos_login.config
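The following script is an added example and is not part of the NetIQ documentation or product. It parses a krb5.conf and a Tomcat-style (Sun/Oracle JAAS) Kerberos_login.config and cross-checks the values that the steps above require to agree: an uppercase realm with a kdc entry, the [domain_realm] mapping for the server's DNS domain, the HTTP/<host>@<REALM> form of principal, an absolute keyTab path, storeKey, and debug left switched on. The two embedded inputs are constructed copies of the page's example values (options the check does not read are omitted); parse_krb5_conf, parse_jaas_config and check_spnego_config are names chosen here, not product APIs.

```python
"""Preflight check for the krb5.conf / Kerberos_login.config pair.

Added example, not NetIQ code: parses both files and cross-checks the values
the procedure requires to agree. Inputs are constructed copies of the page's
examples (options the check does not read are omitted).
"""
import re

SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = MYCOMPANY.COM
[realms]
    MYCOMPANY.COM = {
        kdc = myadserver.mycompany.com
        admin_server = myadserver.mycompany.com
    }
[domain_realm]
    .mycompany.com = MYCOMPANY.COM
    mycompany.com = MYCOMPANY.COM
"""

SAMPLE_JAAS_CONF = """
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    debug="true"
    principal="HTTP/rbpm.mycompany.com@MYCOMPANY.COM"
    useKeyTab="true"
    keyTab="/home/usr/rbpm.keytab"
    storeKey="true";
};
"""

JAAS_ENTRY = re.compile(r'(\S+)\s*\{(.*?)\};', re.S)       # name { ... };
JAAS_OPTION = re.compile(r'(\w+)\s*=\s*"?([^"\s;]*)"?')    # opt="value" or opt=value
PRINCIPAL = re.compile(r'^HTTP/([^/@\s]+)@([^/@\s]+)$')    # HTTP/<host>@<REALM>


def parse_krb5_conf(text):
    """Parse [sections], key = value lines and one level of NAME = { ... }
    blocks (the [realms] syntax). '#' starts a comment."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section, block = line[1:-1].strip().lower(), None
            conf.setdefault(section, {})
        elif line == '}':
            block = None
        elif '=' in line:
            key, _, value = (p.strip() for p in line.partition('='))
            target = conf.setdefault(section, {})
            if value == '{':
                block = target.setdefault(key, {})
            else:
                (block if block is not None else target)[key] = value
    return conf


def parse_jaas_config(text):
    """Parse JAAS entries  name { Module flag opt="v" ...; };  into
    {name: [{'module', 'flag', 'options'}]}; option names keep their case."""
    entries = {}
    for name, body in JAAS_ENTRY.findall(text):
        modules = []
        for stanza in filter(None, (s.strip() for s in body.split(';'))):
            tokens = stanza.split()
            modules.append({'module': tokens[0], 'flag': tokens[1].lower(),
                            'options': dict(JAAS_OPTION.findall(' '.join(tokens[2:])))})
        entries[name] = modules
    return entries


def check_spnego_config(krb5, jaas, entry='com.sun.security.jgss.krb5.accept'):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    realm = krb5.get('libdefaults', {}).get('default_realm', '')
    if realm != realm.upper():
        findings.append(f'krb5: default_realm {realm!r} must be uppercase')
    if 'kdc' not in krb5.get('realms', {}).get(realm, {}):
        findings.append(f'krb5: no kdc for realm {realm!r} in [realms]')
    mods = [m for m in jaas.get(entry, []) if m['module'].endswith('Krb5LoginModule')]
    if not mods:
        return findings + [f'jaas: entry {entry!r} lacks a Krb5LoginModule']
    opt = mods[0]['options']
    m = PRINCIPAL.match(opt.get('principal', ''))
    if not m:
        findings.append('jaas: principal must look like HTTP/<dns-name>@<REALM>')
    else:
        host, prealm = m.groups()
        if prealm != realm:
            findings.append(f'jaas: principal realm {prealm!r} != default_realm {realm!r}')
        domain = host.partition('.')[2]            # rbpm.mycompany.com -> mycompany.com
        if krb5.get('domain_realm', {}).get('.' + domain) != realm:
            findings.append(f'krb5: [domain_realm] does not map .{domain} to {realm!r}')
    if opt.get('useKeyTab', '').lower() != 'true':
        findings.append('jaas: useKeyTab must be true')
    keytab = opt.get('keyTab', '')
    if not re.match(r'^(/|[A-Za-z]:[\\/])', keytab):   # POSIX or drive-letter absolute path
        findings.append(f'jaas: keyTab {keytab!r} is not an absolute path')
    if opt.get('storeKey', '').lower() != 'true':
        findings.append('jaas: storeKey must be true or the acceptor has no key to decrypt tickets')
    if opt.get('debug', '').lower() == 'true':
        findings.append('jaas: debug="true" writes ticket details to the log; set false in production')
    return findings
```

Run it against the real files by reading them with open(path).read() in place of the two samples; on the page's own example the only finding is the debug warning, which is expected while you are still testing.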
  3. (Conditional) To define the Kerberos configuration for JBoss, complete the following steps:

    1. In a text editor, open the loginconfig.xml file, located by default in the jboss/server/context/conf directory.

    2. Add the following text to the file:

      <application-policy name="com.sun.security.jgss.krb5.accept">
          <authentication>
              <login-module code="com.novell.common.auth.sso.KerberosCredentialLoginModule" flag="required" />
              <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
                  <module-option name="debug">false</module-option>
                  <module-option name="kdc">FQDN-Active-Directory-Server</module-option>
                  <module-option name="realm">WINDOWS-DOMAIN</module-option>
                  <module-option name="useKeyTab">true</module-option>
                  <module-option name="keyTab">path-to-keytab</module-option>
                  <module-option name="storeKey">true</module-option>
                  <module-option name="useFirstPass">true</module-option>
                  <module-option name="principal">HTTP/DNS_Identity_Applications_server</module-option>
                  <module-option name="noPrompt">true</module-option>
              </login-module>
          </authentication>
      </application-policy>

      For example:

      <application-policy name="com.sun.security.jgss.krb5.accept">
          <authentication>
              <login-module code="com.novell.common.auth.sso.KerberosCredentialLoginModule" flag="required" />
              <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
                  <module-option name="debug">false</module-option>
                  <module-option name="kdc">myadserver.mycompany.com</module-option>
                  <module-option name="realm">MYCOMPANY.COM</module-option>
                  <module-option name="useKeyTab">true</module-option>
                  <module-option name="keyTab">/home/usr/rbpm.keytab</module-option>
                  <module-option name="storeKey">true</module-option>
                  <module-option name="useFirstPass">true</module-option>
                  <module-option name="principal">HTTP/rbpm.mycompany.com</module-option>
                  <module-option name="noPrompt">true</module-option>
              </login-module>
          </authentication>
      </application-policy>
  4. (Conditional) To define the Kerberos configuration for WebSphere, complete the following steps:

    1. On the WebSphere application server, create a Kerberos_login.config file.

    2. Using a text editor, add the following content to the file:

      IBMJGSSRBPM {
          com.ibm.security.auth.module.Krb5LoginModule required
          debug=true
          credsType=acceptor
          useKeytab=file:///path_to_filename.keytab
          tryFirstPass=true
          principal="HTTP/DNS_Identity_Applications_server@WINDOWS-DOMAIN";
      };

      For example:

      IBMJGSSRBPM {
          com.ibm.security.auth.module.Krb5LoginModule required
          debug=true
          credsType=acceptor
          useKeytab=file:///c:/rbpm.keytab
          tryFirstPass=true
          principal="HTTP/rbpm.mycompany.com@MYCOMPANY.COM";
      };

      NOTE: Provide the absolute path to your keytab file as a file: URL, as shown. The IBM module's option names (credsType, useKeytab) differ from those of the Sun/Oracle module used with Tomcat; do not mix the two sets of options.

    3. Save and close the file.

    4. In a text editor, open the file that configures the domain environment:

      • Linux: setDomainEnv.sh

      • Windows: setDomainEnv.cmd

      (setDomainEnv.sh and setDomainEnv.cmd are the domain environment scripts of a WebLogic domain. If your WebSphere installation has no such script, add the same option to the server's Generic JVM arguments in the WebSphere administrative console instead.)

    5. In the JAVA_OPTS section of the file, add an entry that specifies the location of the Kerberos_login.config file that you created above. For example:

      -Djava.security.auth.login.config=C:/Kerberos_login.config

    6. Save and close the file.
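Whichever application server you use, the keytab that principal= (or useKeytab=) points at must actually contain that SPN, with the realm in the same case and with a strong encryption type; a mismatch shows up only as a failed SPNEGO negotiation in the server log. The following is an added example, not NetIQ or MIT code: a small parser for the MIT keytab file format that ktpass and ktutil write (version bytes 05 02), followed by a check for the principal that the JAAS file names. build_keytab exists only to construct the sample with dummy key bytes; the enctype numbers are the IANA Kerberos assignments (17/18 AES, 23 RC4, 1/3 DES). Point parse_keytab at open(path, 'rb').read() for a real keytab.

```python
"""Inspect a keytab offline and confirm it holds the SPN used as principal=.

Added example, not NetIQ code. Reads the MIT keytab format (version bytes
05 02) that ktpass and ktutil write, lists principal/kvno/enctype per entry,
and flags a missing SPN, a realm-case mismatch and DES/RC4-only keys.
The sample keytab is constructed inline with dummy key bytes.
"""
import struct

ENCTYPES = {1: 'des-cbc-crc', 3: 'des-cbc-md5', 17: 'aes128-cts-hmac-sha1-96',
            18: 'aes256-cts-hmac-sha1-96', 23: 'rc4-hmac'}
WEAK_ENCTYPES = {1, 3, 23}


def _counted(data):
    """16-bit big-endian length prefix followed by the bytes."""
    return struct.pack('>H', len(data)) + data


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a keytab. Used only
    to construct the sample below; on a real server ktpass/ktutil do this."""
    out = bytearray(b'\x05\x02')
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit('@', 1)
        comps = name.split('/')
        body = struct.pack('>H', len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack('>IIB', 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp, vno8
        body += struct.pack('>H', enctype) + _counted(key)
        body += struct.pack('>I', kvno)                   # optional 32-bit kvno
        out += struct.pack('>i', len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return [{'principal', 'kvno', 'enctype', 'key'}] for each live entry."""
    if data[:2] != b'\x05\x02':
        raise ValueError('unsupported keytab version %r' % data[:2])
    pos, entries = 2, []

    def counted():
        nonlocal pos
        (n,) = struct.unpack_from('>H', data, pos)
        pos += 2 + n
        return data[pos - n:pos]

    while pos + 4 <= len(data):
        (size,) = struct.unpack_from('>i', data, pos)
        pos += 4
        if size < 0:                  # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from('>H', data, pos); pos += 2
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        _ntype, _ts, vno8 = struct.unpack_from('>IIB', data, pos); pos += 9
        (enctype,) = struct.unpack_from('>H', data, pos); pos += 2
        key = counted()
        kvno = vno8
        if end - pos >= 4:            # a non-zero 32-bit kvno overrides vno8
            (v32,) = struct.unpack_from('>I', data, pos)
            kvno = v32 or vno8
        pos = end
        entries.append({'principal': '/'.join(comps) + '@' + realm,
                        'kvno': kvno, 'enctype': enctype, 'key': key})
    return entries


def check_keytab(entries, expected_principal):
    """Findings for the principal named in the JAAS file; empty list = OK."""
    findings = []
    hits = [e for e in entries if e['principal'] == expected_principal]
    if not hits:
        near = sorted({e['principal'] for e in entries
                       if e['principal'].lower() == expected_principal.lower()})
        msg = f'keytab has no entry for {expected_principal}'
        if near:
            msg += f'; found {near} (realm or SPN case differs)'
        return [msg]
    for e in hits:
        if e['enctype'] in WEAK_ENCTYPES:
            findings.append(f"kvno {e['kvno']}: weak enctype "
                            f"{ENCTYPES.get(e['enctype'], e['enctype'])}")
    if all(e['enctype'] in WEAK_ENCTYPES for e in hits):
        findings.append('no AES key for this principal; regenerate the keytab with AES')
    return findings


# Constructed sample: one AES256 and one RC4 key for the page's example SPN.
SAMPLE_KEYTAB = build_keytab([
    ('HTTP/rbpm.mycompany.com@MYCOMPANY.COM', 3, 18, bytes(range(32))),
    ('HTTP/rbpm.mycompany.com@MYCOMPANY.COM', 3, 23, bytes(range(16))),
])
```

The key bytes are never printed; if you extend the script to dump entries, leave them out, since a keytab holds the service's long-term key in the clear.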

  5. To specify the Authentication method in the RBPM Configuration utility, complete the following steps:

    1. Open the Configupdate utility.

    2. Click the Authentication tab.

    3. Scroll down to the Authentication Method section.

    4. In the Method field, select Kerberos.

    5. In the Mapping attribute name field, specify cn.

    NOTE: For more information about the RBPM Configuration utility, see Section 35.0, Configuring the Settings for the Identity Applications.

  6. (Optional) Repeat these steps for Identity Reporting if you installed the reporting component on a separate server.

  7. Configure the browsers that end-users use to access the identity applications. For more information, see Section 46.3, Configure the End-User Browsers to Use Integrated Windows Authentication.