Denise Halweg – Technical Support Manager and Moderator, [email protected]
17 December 2013
This session will be recorded and a replay will be available on IBM.COM sites and possibly social media sites such as YouTube. When speaking, do not state any confidential information, your name, company name or any information that you do not want shared publicly in the replay. By speaking during this presentation, you assume liability for your comments.
• Provide a high-level overview and basic configuration of Kerberos and SPNEGO SSO (Single Sign-On) solutions for P8 enabled applications in a WebSphere environment.
• Discuss Kerberos configuration for Content Engine via WSI (Web Services Interface)
• Discuss SPNEGO configuration via the SPNEGO Web Authentication module in WebSphere v8.x for WorkplaceXT via HTTP
• Review troubleshooting scenarios, both Kerberos and SPNEGO
• Kerberos authentication goes far beyond this high-level explanation, but the following key terms will be referenced.
• Key terms:
– Client: An application that wishes to authenticate itself to a service such as Content Engine. For Kerberos with Content Engine, a client might be an application using the Content Engine .NET API, for example FEM (FileNet Enterprise Manager) or FIMO.
– Service: A server-based application running on a particular system (or on one among many in a cluster) that can use Kerberos authentication to verify the identity of its clients. The Content Engine is such a service.
– Key Distribution Center (KDC): A central server known to both a Kerberos client and service that supplies Kerberos authentication services. The KDC holds the long-term keys (derived from the passwords) of both the client and the service and acts as the trusted intermediary between the two.
– Kerberos Identity Account: An Active Directory user account that serves as the identity of the particular service.
– Service Principal Name (SPN): A name that identifies a particular Kerberos service and is registered with the KDC, in the form SERVICE/name@REALM. The client uses an SPN to say which Kerberos service it wants to authenticate to.
– User Principal Name (UPN): Similar to an e-mail address, typically of the form userid@REALM.
– Realm: For the Content Engine, this is equivalent to a Windows Active Directory domain.
– Keytab: A key table. A file holding principal names (SPNs) together with their long-term keys, which a service uses to identify itself to the KDC and to decrypt the service tickets the KDC issues for it. Because the key is equivalent to the account password, the keytab file must be protected like one.
• Kerberos is an authentication protocol and is the default Windows authentication protocol.
• Kerberos involves three parties:
– the Key Distribution Center (KDC), the client user, and the server hosting the desired service
• Why Kerberos:
– User passwords never travel across the network.
– Kerberos authenticates users through a trusted third party (the KDC of the realm) over an untrusted network.
– Single Sign-On: the KDC issues a TGT (Ticket Granting Ticket) when the user logs on. Each time a service/resource is accessed, the client presents the TGT to the KDC and receives a service ticket for that service, so the user is asked for the password only once per session.
• The KDC is installed as part of the domain controller and performs two service functions: the Authentication Service (AS), which issues TGTs, and the Ticket-Granting Service (TGS), which issues service tickets.
• Content Engine Kerberos prerequisites:
– Only Windows clients can use Kerberos authentication
– Windows Active Directory is required as your directory service
– Kerberos support is available to clients of the Content Engine Web Services API
• The user authenticates once to the desktop PC via the AD domain login and can then access other systems transparently (SSO).
• Windows passes those credentials to Web servers using SPNEGO, the Simple and Protected GSS-API Negotiation Mechanism (RFC 4178), carried in the HTTP "Negotiate" authentication scheme (RFC 4559).
• The SPNEGO token wraps the Kerberos token: the SPNEGO NegTokenInit lists the mechanisms the client can use and carries the Kerberos AP-REQ for the preferred one.
• WebSphere Application Server V7.0 and later include SPNEGO support via the SPNEGO Web Authentication module introduced in V7.0 (the older SPNEGO TAI has been deprecated).
• SPNEGO web authentication is initialized when the first inbound HTTP request is processed.
• Kerberos credentials arrive in the Authorization: Negotiate HTTP header; WebSphere validates them with the key in its keytab and then issues an LTPA token for the session.
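As an added example, not part of the IBM presentation and not WebSphere code, the following Python script unwraps the token carried in the Authorization: Negotiate header described above and reports which mechanism the client actually sent. It assumes only the standard GSS-API/SPNEGO DER framing (RFC 2743, RFC 4178); the two sample headers are constructed inside the script with filler bytes where the Kerberos AP-REQ would be, so nothing in it is captured traffic.

```python
"""Inspect an "Authorization: Negotiate <base64>" header value.

Added example, not code from the presentation or from WebSphere. It unwraps
the GSS-API/SPNEGO framing only; the Kerberos AP-REQ inside is left alone
(decrypting it needs the service key from the keytab). Samples are constructed.
"""
import base64

OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"      # legacy Microsoft Kerberos OID, offered first by Windows clients
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_OIDS = {OID_KRB5, OID_MS_KRB5}
OID_DER = {                                # DER content octets of the OIDs above
    OID_SPNEGO: b"\x2b\x06\x01\x05\x05\x02",
    OID_KRB5: b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02",
    OID_MS_KRB5: b"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02",
    OID_NTLMSSP: b"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a",
}

def _read_tlv(buf, pos):
    """One DER tag/length/value at buf[pos] -> (tag, value bytes, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """DER OID content octets -> dotted string (first octet packs the first two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def _gss_mech(token):
    """Mechanism OID of a GSS-API InitialContextToken ([APPLICATION 0] OID ...), else None."""
    if token[:1] == b"\x60":
        _, body, _ = _read_tlv(token, 0)
        tag, oid, _ = _read_tlv(body, 0)
        if tag == 0x06:
            return _decode_oid(oid)
    return None

def inspect_negotiate(header_value):
    """kind: "kerberos", "ntlm-fallback", "spnego-continue" or "unknown";
    mechs: OIDs the client offered, preferred first; inner: OID of the wrapped mechToken."""
    token = base64.b64decode(header_value)
    if token.startswith(b"NTLMSSP\x00"):           # raw NTLM with no GSS framing at all
        return {"kind": "ntlm-fallback", "mechs": [], "inner": OID_NTLMSSP}
    outer = _gss_mech(token)
    if outer in KERBEROS_OIDS:                     # bare Kerberos token, no SPNEGO wrapper
        return {"kind": "kerberos", "mechs": [outer], "inner": outer}
    if outer != OID_SPNEGO:
        return {"kind": "unknown", "mechs": [], "inner": outer}
    _, body, _ = _read_tlv(token, 0)
    _, _, pos = _read_tlv(body, 0)                 # step over the SPNEGO OID
    tag, neg, _ = _read_tlv(body, pos)
    if tag != 0xA0:                                # [1] negTokenResp: a later leg, not the first request
        return {"kind": "spnego-continue", "mechs": [], "inner": None}
    _, fields, _ = _read_tlv(neg, 0)               # NegTokenInit SEQUENCE: [0] mechTypes ... [2] mechToken
    mechs, inner, p = [], None, 0
    while p < len(fields):
        tag, val, p = _read_tlv(fields, p)
        if tag == 0xA0:                            # mechTypes: SEQUENCE OF OID
            q, lst = 0, _read_tlv(val, 0)[1]
            while q < len(lst):
                _, oid, q = _read_tlv(lst, q)
                mechs.append(_decode_oid(oid))
        elif tag == 0xA2:                          # mechToken: OCTET STRING for the first mechType
            raw = _read_tlv(val, 0)[1]
            inner = OID_NTLMSSP if raw.startswith(b"NTLMSSP\x00") else _gss_mech(raw)
    if inner in KERBEROS_OIDS:
        kind = "kerberos"
    elif inner == OID_NTLMSSP or (mechs and mechs[0] == OID_NTLMSSP):
        kind = "ntlm-fallback"
    else:
        kind = "unknown"
    return {"kind": kind, "mechs": mechs, "inner": inner}

# --- constructed sample headers (not captured traffic) ------------------------
def _tlv(tag, body):                       # minimal DER encoder for the samples
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def build_spnego_init(mech_oids, mech_token):
    """NegTokenInit offering mech_oids and carrying mech_token for mech_oids[0]."""
    mech_list = _tlv(0x30, b"".join(_tlv(0x06, OID_DER[o]) for o in mech_oids))
    neg_init = _tlv(0x30, _tlv(0xA0, mech_list) + _tlv(0xA2, _tlv(0x04, mech_token)))
    return _tlv(0x60, _tlv(0x06, OID_DER[OID_SPNEGO]) + _tlv(0xA0, neg_init))

# Kerberos mechToken: GSS header + TOK_ID 01 00 (AP-REQ) + filler instead of a real DER AP-REQ
FAKE_KRB_TOKEN = _tlv(0x60, _tlv(0x06, OID_DER[OID_MS_KRB5]) + b"\x01\x00" + bytes(64))
KERBEROS_HEADER = base64.b64encode(build_spnego_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], FAKE_KRB_TOKEN)).decode()
# what a browser sends when it could not get a ticket for HTTP/<host>: NTLM is the only mech offered
NTLM_HEADER = base64.b64encode(build_spnego_init([OID_NTLMSSP], b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(28))).decode()
RAW_NTLM_HEADER = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(28)).decode()
```

A result of "ntlm-fallback" means the browser never obtained a Kerberos ticket, most often because no account holds an SPN matching the host name typed in the URL; the SPNEGO Web Authentication module does not authenticate NTLM tokens. Register both the short name and the FQDN as SPNs (the setspn steps later in this presentation), purge the client ticket cache (klist purge) and retry. A result of "kerberos" with a login that still fails points at the server side: the keytab and the SPNEGO identity.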
Kerberos – Active Directory Kerberos Identity Creation
• The name (sAMAccountName) of this account should be FNCEWS_ + host_name, which will generally match the short SPN name chosen above with an underscore ( _ ) in place of the slash ( / ). There are two exceptions:
– For clusters, host_name is the cluster name instead.
– If the derived FNCEWS_ + host_name would be longer than 20 characters (the sAMAccountName limit), as it would with host_names longer than 13 characters, a different, shorter name must be used.
Kerberos – Login module configuration in WebSphere
• Create the FileNetP8KerberosService configuration under Application logins. If Content Engine was configured using Configuration Manager, a FileNetP8KerberosService login configuration already exists and must not be added a second time. Otherwise, click New and follow the instructions to add the FileNetP8KerberosService login configuration.
SPNEGO – Map the Service Principal Name (SPN) to the SPNEGO identity
• Map both the host name and the FQDN, because the SPN the client asks the KDC for is derived from the host name as it appears in the URL.
• Make sure the identity (spnegoweb) is unique in Active Directory Users and Computers, and that no other account already holds the same SPNs (setspn -a does not check for duplicates; setspn -s does, and setspn -x scans the domain for them).
• Add with the -a option and list with the -l option:
C:\Users\Administrator>setspn -a HTTP/w2k8xt spnegoweb
Registering ServicePrincipalNames for CN=spnegoweb,CN=Users,DC=edmdom,DC=com
        HTTP/w2k8xt
Updated object

C:\Users\Administrator>setspn -a HTTP/w2k8xt.edmdom.com spnegoweb
Registering ServicePrincipalNames for CN=spnegoweb,CN=Users,DC=edmdom,DC=com
        HTTP/w2k8xt.edmdom.com
Updated object

C:\Users\Administrator>setspn -l spnegoweb
Registered ServicePrincipalNames for CN=spnegoweb,CN=Users,DC=edmdom,DC=com:
        HTTP/w2k8xt.edmdom.com
        HTTP/w2k8xt
• Create the keytab with the -out parameter:
C:\IBM\WebSphere\AppServer\java\jre\bin>ktpass -out c:\spnego\spnegoweb.keytab -princ HTTP/w2k8xt.edmdom.com@EDMDOM.COM -
• Append to the existing keytab with the -in parameter:
C:\IBM\WebSphere\AppServer\java\jre\bin>ktpass -in c:\spnego\spnegoweb.keytab -out c:\spnego\spnegoweb.keytab -princ
• Cause: the Kerberos identity account is configured for DES encryption only.
• Resolving the problem:
– Ensure the KDC is configured for the defined encryption type
– Ensure the keytab supports this encryption type (the ktpass -crypto value)
– Consider RC4-HMAC or, preferably, AES (AES128/AES256-CTS-HMAC-SHA1-96) where the KDC, the account and the JVM all support it; whichever you choose, the account's allowed encryption types in Active Directory, the ktpass -crypto value and the JVM's Kerberos configuration must agree
Review WebSphere SystemOut.log (here FileNet Kerberos debug is enabled):
[11/19/13 19:15:18:455 PST] 00000029 SystemOut O [JGSS_DBG_CRED] No Kerberos creds in keytab for principal [email protected]
[11/19/13 19:15:18:455 PST] 00000029 SystemOut O [JGSS_DBG_CRED] No creds, login failed
[11/19/13 19:15:18:455 PST] 00000029 SystemOut O [DynLoginContext] JAAS login phase failed: Login failed: all login modules ignored.
[11/19/13 19:15:18:455 PST] 00000029 SystemOut O [J2EEAuthnUtil] TGT login failure
[11/19/13 19:15:18:471 PST] 00000029 SystemOut O [KrbServiceLoginModule] login failure: Failed initial service principal name login: Login failed: all login modules ignored.
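The "No Kerberos creds in keytab for principal" failure above comes down to what is, and is not, in the keytab file written by ktpass (the -out/-in steps in the SPNEGO section). As an added example, not IBM or WebSphere code, the following Python reads a version 0x0502 keytab, lists each entry's principal, encryption type and kvno, and flags the two causes discussed here: the expected principal is absent, or it is present only with DES keys. The sample keytabs are constructed in the script with all-zero keys; the principal HTTP/w2k8xt.edmdom.com@EDMDOM.COM is the presentation's SPNEGO principal, used only as an example name.

```python
"""Read a Kerberos keytab and check it for the causes of
"No Kerberos creds in keytab for principal ...".

Added example, not IBM or WebSphere code. Parses file format 0x0502 (what
ktpass writes and the WebSphere JVM reads). The keytabs at the bottom are
constructed here with all-zero keys; nothing is read from disk.
"""
import struct

ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
DES_ENCTYPES = {1, 2, 3}
KRB5_NT_PRINCIPAL = 1                      # name type written by ktpass -ptype KRB5_NT_PRINCIPAL


def _counted(buf, pos):
    """uint16 length-prefixed octet string -> (bytes, position after it)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """One dict per key entry: principal, name_type, enctype, kvno, key."""
    if struct.unpack_from(">H", data, 0)[0] != 0x0502:
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)   # negative size marks a deleted slot
        pos += 4
        if size <= 0:
            pos += -size
            continue
        body, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", body, 0)
        realm, p = _counted(body, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(body, p)
            comps.append(comp.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", body, p)
        (enctype,) = struct.unpack_from(">H", body, p + 9)
        key, p = _counted(body, p + 11)
        # a 32-bit kvno trails the key when the writer had room for it; otherwise use the 8-bit one
        kvno = struct.unpack_from(">I", body, p)[0] if len(body) - p >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "enctype": enctype, "kvno": kvno, "key": key})
    return entries


def check_keytab(data, expected_principal):
    """(usable, findings): usable is True when a login as expected_principal can succeed."""
    entries = parse_keytab(data)
    findings = []
    mine = [e for e in entries if e["principal"] == expected_principal]
    if not mine:
        have = sorted({e["principal"] for e in entries}) or ["<no entries>"]
        findings.append("no entry for %s; keytab holds %s" % (expected_principal, ", ".join(have)))
        return False, findings
    usable = []
    for e in mine:
        name = ENCTYPE_NAMES.get(e["enctype"], "enctype %d" % e["enctype"])
        if e["enctype"] in DES_ENCTYPES:
            findings.append("kvno %d %s: DES key, rejected by default by current KDCs and JVMs" % (e["kvno"], name))
        else:
            usable.append(e)
    if not usable:
        findings.append("only DES keys: regenerate with ktpass -crypto AES256-SHA1 (or RC4-HMAC-NT)")
        return False, findings
    if len({e["kvno"] for e in mine}) > 1:
        findings.append("mixed kvnos; the newest must match the account's current password")
    return True, findings


# --- constructed keytabs (zero keys, illustration only) -----------------------
def _pack(b):
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise (principal, enctype, kvno, key) tuples in format 0x0502."""
    out = bytearray(b"\x05\x02")
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _pack(realm.encode())
        body += b"".join(_pack(c.encode()) for c in comps)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _pack(key) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


SPN = "HTTP/w2k8xt.edmdom.com@EDMDOM.COM"          # the presentation's SPNEGO principal, as an example name
GOOD_KEYTAB = build_keytab([(SPN, 23, 3, bytes(16)), (SPN, 18, 3, bytes(32))])
DES_ONLY_KEYTAB = build_keytab([(SPN, 3, 2, bytes(8))])                              # "configured for DES"
WRONG_NAME_KEYTAB = build_keytab([("HTTP/w2k8xt@EDMDOM.COM", 23, 1, bytes(16))])    # short name only
```

Run check_keytab against the real file with open(path, "rb").read(); the JRE's own klist tool (klist -k <keytab>) lists the same principals and can be used to cross-check. The principal must match what WebSphere is configured to use character for character, realm included, which is why a keytab holding only the short HTTP/w2k8xt name is reported as "no entry" for the FQDN form.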
• Cause: the Kerberos identity account's sAMAccountName does not include the CE host name.
[12/9/13 9:43:46:967 PST] 00000029 WebCollaborat A SECJ0056E: Authentication failed for reason null; nested exception is: com.ibm.websphere.security.EntryNotFoundException
- Further up in the WebSphere SystemOut.log:
[12/9/13 9:43:46:905 PST] 00000029 FfdcProvider W com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC Incident emitted on C:\IBM\WebSphere\AppServer\profiles\AppSrv01\logs\ffdc\server1_22c59d7_13.12.09_09.43.46.8742854080120296757428.txt com.ibm.websphere.security.EntryNotFoundException 190
- FFDC file review shows the issue:
[12/9/13 9:43:46:874 PST] FFDC Exception:com.ibm.websphere.wim.exception.EntityNotFoundException SourceId:com.ibm.websphere.security.EntryNotFoundException ProbeId:190 Reporter:com.ibm.websphere.security.EntryNotFoundException@22b606c
com.ibm.websphere.wim.exception.EntityNotFoundException: CWWIM4001E The '[email protected]' entity was not found.
    at com.ibm.ws.wim.registry.util.UniqueIdBridge.getUniqueUserId(UniqueIdBridge.java:229)
    at com.ibm.ws.wim.registry.WIMUserRegistry$6.run(WIMUserRegistry.java:568)
• Output of the ktpass command shown earlier when it is run without -mapuser: the keytab is written, but the principal is not mapped to the spnegoweb account.
NOTE: creating a keytab but not mapping principal to any user.
For the account to work within a Windows domain, the principal must be mapped to an account, either at the domain level (with /mapuser) or locally (using ksetup)
If you intend to map HTTP/w2k8xt.edmdom.com@EDMDOM.COM to an account through other means or don't need to map the user, this message can safely be ignored.
WARNING: pType and account type do not match. This might cause problems.
Building salt with principalname HTTP/w2k8xt.edmdom.com and domain EDMDOM.COM (encryption type 23)...
Hashing password with salt "EDMDOM.COMHTTPw2k8xt.edmdom.com".
• Learn about upcoming Support Technical Exchange webcasts, and access previously recorded presentations at: https://www-304.ibm.com/connections/communities/service/html/communityview?communityUuid=d58614c7-a87a-4bea-a0d3-572710d530db
• IBM Electronic Support Introduction: http://www.ibm.com/support/electronicsupport/about.html
• Sign up to receive weekly technical My Notifications emails: http://www.ibm.com/software/support/einfo.html
• developerWorks Forums, Communities and Technical Topics: http://www.ibm.com/developerworks/
• Quick Reference Guide for Using Service Request Tool: http://www.ibm.com/support/docview.wss?uid=swg21207945
• IBM Support Assistant: http://www.ibm.com/software/support/isa/
• Access product show-me demos and tutorials by visiting IBM Education Assistant: http://www.ibm.com/software/info/education/assistant
THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS PRESENTATION, IT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. IN ADDITION, THIS INFORMATION IS BASED ON IBM’S CURRENT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY IBM WITHOUT NOTICE. IBM SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION, NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO NOR SHALL HAVE THE EFFECT OF CREATING ANY WARRANTIES OR REPRESENTATIONS FROM IBM (OR ITS SUPPLIERS OR LICENSORS), OR ALTERING THE TERMS AND CONDITIONS OF ANY AGREEMENT OR LICENSE GOVERNING THE USE OF IBM PRODUCT OR SOFTWARE.
Copyright and Trademark Information IBM, The IBM Logo and IBM.COM are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks and others are available on the web under “Copyright and Trademark Information” located at www.ibm.com/legal/copytrade.shtml.