Sunday, November 16, 2014

Business Cases: IBM DB2 Extra - Configuring GSSAPI/Kerberos SSO with the Centrify GSS Plugin

This is the continuation of our previous post about integrating DB2 with AD using the Centrify IBM DB2 SSO module.  The IBM DB2 SSO module provides three basic plugins:
  • The user/password plugin that leverages OS authentication (via PAM) to enable DB2 access to AD users.
  • The group plugin that exposes AD group memberships to DB2
  • The GSS (SSO) plugin that allows silent sign-on to DB2 and can be leveraged in AIX systems that are using LAM instead of PAM
The pre-requisites are the same as in the previous post.  Because the SSO plugin needs an AD account in order to create a keytab, we've added some additional steps.

A little bit of planning

Obtaining the AD Principal
A keytab file is usually tied to an AD principal.  All Centrified systems have one, but in this case we will use a dedicated service account, and there are two ways to obtain it:

  • If you have an AD account that can create user principals:  
    • you can use the setupdb2.sh script, option 2 and follow the prompts
    • you can use the adkeytab command with the --new option and perform everything in a single step.
  • If you don't (which is quite common because of separation of duties), you need to request the account and then work in tandem with the AD folks to adopt the account.
Naming conventions
Because we're talking about AD accounts here, your organization may (hopefully) have a naming standard.  If not, keep in mind that you need to be able to identify the purpose of the AD account from within AD.  A naming convention like this:
instanceName-server
is simple enough and descriptive.  In this example, my instance is db2inst1 and the server is engcen8, therefore my AD account will be called db2inst1-engcen8.

Container OU
If your AD admin is not messy, most likely they will have an OU designated for Service Accounts.  In fact, if you worked with Centrify Professional Services, there should be an OU under UNIX with the same name.  


Active Directory Account and Keytab

AD Account creation
When you request the account, the AD sysadmin will create an account like this:

Typically, the best practices for service accounts are to set the password to never expire and to prevent the account from changing it.


Issue #1: At this point, the password for this service account is known by at least one person.  This goes away once the keytab is adopted, because adoption randomizes the password.

Now there are two things that can happen: the AD admin can grant you temporary full control of the account until you run adkeytab, or they can just type in their password at the appropriate moment.

Verify the account
Use adquery user with the -A option and inspect the UPN and cn.  Here's the truncated output:

$ adquery user -A db2inst1-engcen8
dn:CN=db2inst1-engcen8,CN=Service-Accounts,DC=centrifyimage,DC=vms
samAccountName:db2inst1-engcen8
userPrincipalName:db2inst1-engcen8@centrifyimage.vms
canonicalName:centrifyimage.vms/Service-Accounts/db2inst1-engcen8

Issue #2: the account is missing a servicePrincipalName (SPN).
Issue #3: the userPrincipalName is in a format that is not MIT Kerberos friendly (the realm portion is in lower case).

This means that we need:
  • To adopt the account; this randomizes the password and creates a keytab file (options -A or --adopt and -K or --keytab), e.g. /home/db2inst1/db2inst1-engcen8.keytab (permissioned accordingly)
  • To update the UPN (option -U or --upn), e.g. db2inst1-engcen8@CENTRIFYIMAGE.VMS
  • To add an SPN (option -P or --principal) with the format instance/server.suffix@REALM, e.g. db2inst1/engcen8.centrifyimage.vms@CENTRIFYIMAGE.VMS
  • To specify the AD account that performs the adoption of the keytab (-u or --user), e.g. dwirth.  This account needs to be able to change account attributes like the UPN, SPN and password.
  • To know the name (cn) of the service account, e.g. db2inst1-engcen8
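As an added example (my code, not from the original post or the Centrify tooling), here is a small POSIX shell helper that performs the pre-adoption inspection above automatically: it reads adquery user -A style output and flags Issue #2 (no SPN equal to instance/fqdn) and Issue #3 (UPN realm not in upper-case Kerberos form). The attribute:value output format, SPN layout and realm are the ones shown in this post; the function names are assumptions of mine.

```shell
#!/bin/sh
# Added example, not part of the original post or of the Centrify tooling.
# check_db2_principal reads `adquery user -A <account>` output on stdin
# (attribute:value lines, as shown in the post) and reports:
#   MISSING_SPN <expected>   when no servicePrincipalName equals instance/fqdn
#   BAD_UPN_REALM <upn>      when the UPN realm is not the upper-case Kerberos realm
# It prints OK and returns 0 when the account is ready for the GSS plugin.

# attr_value <attribute>: print the value of one attribute from adquery output on stdin.
# Everything after the first colon is the value.
attr_value() {
    awk -v want="$1" 'index($0, want ":") == 1 { print substr($0, length(want) + 2); exit }'
}

# check_db2_principal <instance> <fqdn> <REALM>: adquery output on stdin.
check_db2_principal() {
    inst=$1; fqdn=$2; realm=$3
    out=$(cat)
    upn=$(printf '%s\n' "$out" | attr_value userPrincipalName)
    spn=$(printf '%s\n' "$out" | attr_value servicePrincipalName)
    want_spn="$inst/$fqdn"
    rc=0

    # Issue #2: the SPN that DB2 clients will request a ticket for must be registered.
    # adquery prints multi-valued attributes comma-separated, so match one element.
    case ",$spn," in
        *",$want_spn,"*) ;;
        *) echo "MISSING_SPN $want_spn"; rc=1 ;;
    esac

    # Issue #3: MIT Kerberos expects principal@REALM with the realm in upper case;
    # an AD-style UPN with a lower-case domain suffix will not match the keytab.
    case "$upn" in
        *"@$realm") ;;
        *) echo "BAD_UPN_REALM ${upn:-<none>}"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo OK
    return "$rc"
}

# Constructed sample input: the "before" and "after" adquery output from the post.
BEFORE='dn:CN=db2inst1-engcen8,CN=Service-Accounts,DC=centrifyimage,DC=vms
samAccountName:db2inst1-engcen8
userPrincipalName:db2inst1-engcen8@centrifyimage.vms
canonicalName:centrifyimage.vms/Service-Accounts/db2inst1-engcen8'
AFTER='dn:CN=db2inst1-engcen8,CN=Service-Accounts,DC=centrifyimage,DC=vms
userPrincipalName:db2inst1-engcen8@CENTRIFYIMAGE.VMS
servicePrincipalName:db2inst1/engcen8.centrifyimage.vms'

echo "before adkeytab:"
printf '%s\n' "$BEFORE" | check_db2_principal db2inst1 engcen8.centrifyimage.vms CENTRIFYIMAGE.VMS || true
echo "after adkeytab:"
printf '%s\n' "$AFTER" | check_db2_principal db2inst1 engcen8.centrifyimage.vms CENTRIFYIMAGE.VMS
```

On a live system, replace the constructed strings with `adquery user -A db2inst1-engcen8 | check_db2_principal db2inst1 engcen8.centrifyimage.vms CENTRIFYIMAGE.VMS`.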

Adopt the keytab and modify the account attributes

Based on the information gathered above, our adkeytab command looks like this (elevating with dzdo to write to the target folder):

$ dzdo adkeytab --adopt --principal db2inst1/engcen8.centrifyimage.vms@CENTRIFYIMAGE.VMS --upn db2inst1-engcen8@CENTRIFYIMAGE.VMS --user dwirth -V --keytab /home/db2inst1/db2inst1-engcen8.keytab db2inst1-engcen8

Here's the command output (truncated):

dwirth@CENTRIFYIMAGE.VMS's password:
Adding managed account keys to configuration file: db2inst1-engcen8
Changing account 'db2inst1-engcen8' password with user 'dwirth@CENTRIFYIMAGE.VMS' credentials.
Key Version = 3
Success: Adopt Account: db2inst1-engcen8

Inspect the account post-adkeytab

$ adquery user -A db2inst1-engcen8
dn:CN=db2inst1-engcen8,CN=Service-Accounts,DC=centrifyimage,DC=vms
userPrincipalName:db2inst1-engcen8@CENTRIFYIMAGE.VMS
servicePrincipalName:db2inst1/engcen8.centrifyimage.vms

Notice that the UPN has been modified and that the account now has a servicePrincipalName.

Make sure the keytab file has the right permissions

The owner of the keytab should be the instance account.
$ chown db2inst1:db2iadm1 /home/db2inst1/db2inst1-engcen8.keytab

Configuration of the SSO Module and DB2

At this point, all we need to do is rerun the setupdb2.sh script and follow the prompts to add the SSO plugin.  Because we don't want to deactivate the existing plugins, we select option 1 again and point to the previously created keytab.


 /usr/share/centrifydc/bin/setupdb2.sh inst=db2inst1
Is db2inst1 a DB2 server install?
Enter y for yes, n for no [y]: y

db2inst1 is a 64 bit instance
DB2 server and client setup will be done.

Is this DB2 version 9.5 or later?
Enter y for yes, n for no [n]: y


Which DB2 auth method do you want to use?
[1] Username/Password and Single sign-on
[2] Single Sign-on only
[3] Username/Password only
[4] Skip this step
Select a number from the menu [1]:

Select a number from the menu [1]: 1


Use the CentrifyDC group plugin?
Enter y for yes, n for no [y]: y


Do you want to configure the instance user db2inst1 as a service account?
You must do this step if you want to use the GSS-Plugin.  If you already did
this step for this instance, select the option to indicate the keytab file
name.

[1] Use adkeytab to create a service account in Active Directory and keytab
    file.  NOTE: You need to specify a user name with administrator privileges
    on the domain to use adkeytab.
[2] Provide the name of an already existing keytab file.
[3] Skip this step
Select a number from the menu [1]: 2


What is the name of the keytab file? Full path please.
[ /home/db2inst1/db2inst1.keytab ]: /home/db2inst1/db2inst1-engcen8.keytab                          

What group should be used as the group owner of this file? All DB2 instances
that you want to use the username/password plugin must be in this group.
[db2iadm1]:


*********** adkeytab setup (required for GSS-plugin) ***********
Using /home/db2inst1/db2inst1-engcen8.keytab for the keytab file for instance: db2inst1
# db2set DB2ENVLIST=KRB5_KTNAME

adkeytab setup successfully!


******* Installing the plugins into instance: db2inst1 *******
Installing client side auth plugin
# rm -f sqllib/security32/plugin/client/centrifydc_db2gsskrb5.so

# cp /usr/share/centrifydc/lib/libcentrifydc_db2gsskrb5.so sqllib/security32/plugin/client/centrifydc_db2gsskrb5.so


Continuing will stop the DB2 instance: db2inst1, update the configuration
and then start the instance.
Continue? y

New configuration:
 Group Plugin                             (GROUP_PLUGIN) = centrifydc_db2group
 GSS Plugin for Local Authorization    (LOCAL_GSSPLUGIN) = centrifydc_db2gsskrb5
 Server List of GSS Plugins      (SRVCON_GSSPLUGIN_LIST) = centrifydc_db2gsskrb5
 Server Userid-Password Plugin        (SRVCON_PW_PLUGIN) = centrifydc_db2userpass
 Server Connection Authentication          (SRVCON_AUTH) = GSS_SERVER_ENCRYPT
 Database manager authentication        (AUTHENTICATION) = SERVER
Starting instance
# db2start
SQL1063N  DB2START processing was successful.
The plugins for DB2 instance: db2inst1 were set up successfully!

I recommend a reboot at this point.

Verify that everything is working as expected

Log in with an AD user to the DB2 server

Issue the klist command to verify that you have a TGT (ticket-granting ticket); if not, issue the /usr/share/centrifydc/kerberos/bin/kinit command and type your AD password when prompted.

$ klist
Ticket cache: FILE:/tmp/krb5cc_1627391058
Default principal: dwirth@CENTRIFYIMAGE.VMS

Valid starting     Expires            Service principal
11/16/14 22:19:10  11/17/14 08:19:13  krbtgt/CENTRIFYIMAGE.VMS@CENTRIFYIMAGE.VMS
        renew until 11/17/14 22:19:10

Attempt to access the sample database without specifying the username

$ db2 
db2  => connect to sample
   Database Connection Information

 Database server        = DB2/LINUXX8664 10.5.0
 SQL authorization ID   = DWIRTH
 Local database alias   = SAMPLE
db2  => quit 

Now verify that you have a Kerberos service ticket requested via GSSAPI.

$ klist
Ticket cache: FILE:/tmp/krb5cc_1627391058
Default principal: dwirth@CENTRIFYIMAGE.VMS

Valid starting     Expires            Service principal
11/16/14 22:19:10  11/17/14 08:19:13  krbtgt/CENTRIFYIMAGE.VMS@CENTRIFYIMAGE.VMS
        renew until 11/17/14 22:19:10
11/16/14 22:22:36  11/17/14 08:19:13  db2inst1/engcen8.centrifyimage.vms@CENTRIFYIMAGE.VMS
        renew until 11/17/14 22:19:10
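To make this final verification repeatable, here is an added shell helper (my code, not from the post): has_service_ticket confirms that klist output contains a service ticket for the DB2 SPN, which is the evidence that the connection went through GSSAPI rather than the password plugin, and keytab_ok confirms the keytab is owned by the instance user and group and readable by the owner only. The SPN and keytab conventions are the ones used above; the function names are assumptions of mine.

```shell
#!/bin/sh
# Added example, not part of the original post. Two post-setup checks:
#  has_service_ticket <instance> <fqdn> <REALM>  - klist output on stdin; returns 0
#        when a ticket for instance/fqdn@REALM is present, i.e. DB2 used GSSAPI.
#  keytab_ok <path> <owner> <group>              - returns 0 when the keytab file
#        is owned by owner:group and group/other have no permissions (0600 or 0400).

has_service_ticket() {
    spn="$1/$2@$3"
    # Ticket rows look like "11/16/14 22:22:36  11/17/14 08:19:13  db2inst1/engcen8.centrifyimage.vms@REALM",
    # so the principal is the last field; "renew until" and header rows never match.
    awk -v spn="$spn" '$NF == spn { found = 1 } END { exit found ? 0 : 1 }'
}

keytab_ok() {
    path=$1; want_owner=$2; want_group=$3
    # ls -ld is used rather than stat for portability; fields: mode links owner group ...
    set -- $(ls -ld "$path" 2>/dev/null)
    [ $# -ge 4 ] || return 1
    mode=$1; owner=$3; group=$4
    [ "$owner" = "$want_owner" ] && [ "$group" = "$want_group" ] || return 1
    case "$mode" in
        -r??------*) return 0 ;;   # owner may read (and write); group/other get nothing
        *) return 1 ;;
    esac
}

# Constructed sample input: the klist output shown in the post after the connect.
KLIST='Ticket cache: FILE:/tmp/krb5cc_1627391058
Default principal: dwirth@CENTRIFYIMAGE.VMS

Valid starting     Expires            Service principal
11/16/14 22:19:10  11/17/14 08:19:13  krbtgt/CENTRIFYIMAGE.VMS@CENTRIFYIMAGE.VMS
        renew until 11/17/14 22:19:10
11/16/14 22:22:36  11/17/14 08:19:13  db2inst1/engcen8.centrifyimage.vms@CENTRIFYIMAGE.VMS
        renew until 11/17/14 22:19:10'

if printf '%s\n' "$KLIST" | has_service_ticket db2inst1 engcen8.centrifyimage.vms CENTRIFYIMAGE.VMS; then
    echo "service ticket for DB2 present: SSO went through GSSAPI"
else
    echo "no DB2 service ticket: the connection did not use the GSS plugin"
fi

# On the DB2 server itself the keytab check from the post would be:
#   keytab_ok /home/db2inst1/db2inst1-engcen8.keytab db2inst1 db2iadm1 && echo "keytab permissions OK"
```

Run the live version as the AD user after the db2 connect: `klist | has_service_ticket db2inst1 engcen8.centrifyimage.vms CENTRIFYIMAGE.VMS`.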



Business Cases: Using the Centrify IBM DB2 SSO Module to Centralize Database Access in UNIX/Linux with AD

Background


Organizations can always count on the reliability of IBM hardware, operating systems and utilities for mission critical applications.  That’s why Centrify has invested in certifying its product lines with IBM infrastructure.

This post discusses the DB2 SSO Module; this plugin (like the Apache HTTP and Java plugins) leverages the Active Directory integration capabilities and robustness of the Centrify agent to provide additional value and functionality to DB2 implementations.

The DB2 plugin provides the following benefits:
  • No need to keep users local to the UNIX/Linux system to support DB2:  When used natively, DB2 users need to have accounts in the local /etc/passwd file.  The DB2 plugin enables AD users to access DB2, so the benefits of Unified Identity, Centralized Administration, Streamlined Authentication and Policy Enforcement are organically attained.
    In practical terms:  no more getting dinged by auditors when the account of a long-gone user is found active in the /etc/passwd of a DB2 system.
  • Long login names:  Support for logins that are longer than 8 characters
  • Single Sign-on (SSO):  Centrify enables SSO to DB2 leveraging the GSSAPI
  • Active Directory Group Support:  AD group memberships can be leveraged to grant entitlements inside DB2.
This is one of the best database to AD integration models out there.

This article covers setup, configuration and testing of the DB2 plugin on Linux 64 bit in a lab environment.  Like any other DBMS, a true production implementation requires planning and understanding of the current environment.

Requirements

  • A Centrified Unix/Linux system running a DB2 Instance (we’ll be using DB2 10.5 on Linux)
    Setup is pretty much the same if you have an IBM AIX system.  The only caveat is that if you’re using LAM instead of PAM, you’ll need to use the GSSAPI (SSO) plugin rather than the user/password plugin.
  • You need to know the DB2 Instance user name and password
  • You need to have the ability to create an AD service account, or have an account prepared for you that can be adopted with adkeytab (GSSAPI SSO plugin only).

Implementation Steps

Information and requirements gathering
  1. Collect the OS version, architecture and version of Centrify adclient; uname -a, adinfo -v and adinfo -C provide that information.
  2. Collect the DB2 database version and architecture; the db2level command provides this information.
  3. Request an AD service account OR have credentials to run adkeytab.
Here is the output from my system:
    $ cat /etc/redhat-release
    CentOS release 6.6 (Final)

    $ uname -a
    Linux engcen8.centrifyimage.vms 2.6.32-504.el6.x86_64 #1 SMP Wed Oct 15 04:27:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

    $ adinfo -v
    adinfo (CentrifyDC 5.2.0-218)

    $ db2level
    DB21085I  This instance or install (instance name, where applicable: "db2inst1") uses "64" bits and DB2 code release "SQL10050" with level identifier "0601010E".
    Informational tokens are "DB2 v10.5.0.0", "s130528", "LINUXAMD64105", and Fix Pack "0".
    Product is installed at "/opt/ibm/db2/V10.5".

My server is 64 bit CentOS with DB2 10.5 64 bit, and the instance name is db2inst1.  I will download the package "DirectControl for IBM DB2 running on RHEL 4, 5, 6 x86_64"; the version is 4.4.4 as of the original post in November 2014.

Installation

Unpack and install the DB2 SSO plugin
$ tar xzvf centrifydc-db2-4.4.4-rhel3-x86_64.tgz
The installation file on RHEL for this version is called centrifydc-db2-4.4.4-rhel3-x86_64.rpm, so perform a yum or rpm install.
$ dzdo rpm -Uvh centrifydc-db2-4.4.4-rhel3-x86_64.rpm
Preparing...                ########################################### [100%]
   1:CentrifyDC-web      ########################################### [100%]

Installing and Configuring the User/Password and Group Plugins


The user/password plugin allows for DB2 to use PAM to provide access to AD users.  The group plugin allows the use of AD group memberships for the purposes of entitlements inside DB2. 

The master script is called setupdb2.sh and it lives in /usr/share/centrifydc/bin.  The syntax is setupdb2.sh inst=<instancename>.  In my case the instance is called db2inst1.

$ dzdo /usr/share/centrifydc/bin/setupdb2.sh inst=db2inst1
Is db2inst1 a DB2 server install?
Enter y for yes, n for no [y]: y

 db2inst1 is a 64 bit instance
DB2 server and client setup will be done.

 Is this DB2 version 9.5 or later?
Enter y for yes, n for no [n]: y
  

Which DB2 auth method do you want to use?
[1] Username/Password and Single sign-on
[2] Single Sign-on only
[3] Username/Password only
[4] Skip this step
Select a number from the menu [1]: 3


Which data sent to DB2 should be encrypted?
[1] Nothing
[2] The username and their password
[3] All data going to the server
[4] Encrypt and compress all data going to the server
[5] Skip this step
Select a number from the menu [2]: 3


Use the CentrifyDC group plugin?
Enter y for yes, n for no [y]: y


In order for the username/password plugin to work, the executable:
/usr/share/centrifydc/bin/db2userpass_checkpwd must be set uid and the
instance users must be allowed to run it.
What group should be used as the group owner of this file? All DB2 instances
that you want to use the username/password plugin must be in this group.
[db2iadm1]:

Are the following PAM settings OK for the centrifydc_db2userpass PAM service?
These settings will only affect the Centrify DB2 username/password module.
No other PAM services or DB2 plugins will be affected.  If these settings are
not OK, then you will have to set up PAM yourself.

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth

Enter y for yes, n for no [y]: y

<output truncated>

The DB2 configuration will be updated to:
SRVCON_AUTH  =  DATA_ENCRYPT
SRVCON_PW_PLUGIN  =  centrifydc_db2userpass
LOCAL_GSSPLUGIN  =  NULL
SRVCON_GSSPLUGIN_LIST  =  NULL
AUTHENTICATION  =  SERVER
GROUP_PLUGIN  =  centrifydc_db2group

Continuing will stop the DB2 instance: db2inst1, update the configuration
and then start the instance.
Continue?
Enter y for yes, n for no [y]: y


Stopping instance: db2inst1
# db2stop
<output truncated>

New configuration:
 Group Plugin                             (GROUP_PLUGIN) = centrifydc_db2group
 GSS Plugin for Local Authorization    (LOCAL_GSSPLUGIN) =
 Server List of GSS Plugins      (SRVCON_GSSPLUGIN_LIST) =
 Server Userid-Password Plugin        (SRVCON_PW_PLUGIN) = centrifydc_db2userpass
 Server Connection Authentication          (SRVCON_AUTH) = DATA_ENCRYPT
 Database manager authentication        (AUTHENTICATION) = SERVER
Starting instance
# db2start

At this point DB2 has been configured for the user/password (PAM) and Group plugins and we’re ready to test.

Testing the User/Password & Group Plugins


In my environment I enabled the sample database.

Test 1:  Sign-in with any AD account that is allowed to log into the system

Open the sample database
$ db2
db2 => connect to sample user fred.thomas
Enter current password for fred.thomas:

   Database Connection Information

Database server        = DB2/LINUXX8664 10.5.0
SQL authorization ID   = FRED.THO...
Local database alias   = SAMPLE

Note that Fred’s user ID is longer than 8 characters.

Test 2:  Enumerate group memberships.

First, use adquery user -A | grep memberOf to see the group memberships in AD:

$ adquery user fred.thomas -A | grep memberOf
memberOf:centrifyimage.vms/Groups/DBA Staff - Contract,centrifyimage.vms/Groups/Demo Users,centrifyimage.vms/Groups/Google Apps

Based on this output my user belongs to DBA Staff - Contract, Domain Users, Demo Users and Google Apps.

Connect to DB2 again and type the query below:

db2 => SELECT * FROM table (SYSPROC.AUTH_LIST_GROUPS_FOR_AUTHID (CURRENT USER)) AS ST

GROUP
------------------------------------------------------
DBA STAFF - CONTRACT
DEMO USERS
DOMAIN USERS
GOOGLE APPS

At this point we have verified that DB2 can enumerate the user’s groups from Active Directory.

Where to next?


You can engage your DBAs to test this solution.  The benefits are huge for organizations that are looking to consolidate processes in AD.
A follow-up post will discuss the SSO (GSSAPI) plugin.





Appendix

Installing DB2 Express – C on CentOS 6.x
  • DB2 Setup uses the X Window System; if you don’t have it, install it:
    # yum groupinstall "Desktop" "X Window System" "Fonts" "Desktop Platform"
  • Disable SELinux  (this is a requirement of DB2)
    Set the following line in /etc/selinux/config

    SELINUX=disabled

    And reboot your system.
  • Set up DB2 using the graphical interface (I set up a database instance with all defaults; remember the instance user password)
  • Install the sample database
    $ dzdo su - db2inst1
    $ db2sampl
  • Test connectivity to the sample database

    $ db2 connect to sample user db2inst1
    Enter current password for db2inst1:


    Database Connection Information
    Database server        = DB2/LINUXX8664 10.5.0
    SQL authorization ID   = DB2INST1
    Local database alias   = SAMPLE

Saturday, November 15, 2014

Business Cases: Centrifying Java Application Servers to provide on premises AD-based SSO and Authorization

Background


Java application servers like JBOSS, Tomcat, WebSphere and WebLogic are pervasive in large enterprises.  So is Active Directory.  Just like with Apache HTTP, Centrify customers can leverage the tight AD integration in UNIX and Linux platforms and great support for the Windows platform as well. 

We covered the benefits during the Apache HTTP SSO discussion, and the principles are the same.
This post covers how to install the Java SSO module using Apache Tomcat as an example.

Requirements

  • A Centrified Unix/Linux system running Apache Tomcat (Tomcat6 in this example); alternatively, you can follow along on JBOSS, WebSphere or WebLogic as well.  The system should be joined to a domain either in zone or workstation mode.
  • Apache Tomcat running and accessible
  • A domain-joined PC (or a Centrified Mac) to test access from an authenticated Windows system with a web browser (SPNEGO is not available on Safari)

Implementation Steps

Information gathering

1. Collect the OS version, architecture, version of Centrify adclient and whether an SPN for HTTP is registered.
   uname -a, adinfo -v and adinfo -C | grep http provide that information.
2. Collect the service status, version, architecture and Java version.
   service tomcat(x) status, rpm -qa | grep tomcat and java -version should provide this.
3. Make sure the Tomcat home page (if enabled) is accessible from the Windows client.
4. Obtain the proper version of the J2EE SSO plugin from the Centrify Customer Support Center.
   Based on the information from steps 1 and 2, you can select which package to download.  For example, here is the information from my CentOS 6.x, 64-bit, Tomcat6 system:

$ uname -a
Linux engcen8.centrifyimage.vms 2.6.32-504.el6.x86_64 #1 SMP Wed Oct 15 04:27:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
$ java -version
java version "1.7.0_71"
OpenJDK Runtime Environment (rhel-2.5.3.1.el6-x86_64 u71-b14)
OpenJDK 64-Bit Server VM (build 24.65-b04, mixed mode)
$ adinfo -v
adinfo (CentrifyDC 5.2.0-218)
$ adinfo -C | grep http
$ dzdo adinfo -C | grep http
                           http/engcen8.centrifyimage.vms
                           http/engcen8
[dwirth@engcen8 lib]$ rpm -qa | grep tomcat
tomcat6-6.0.24-80.el6.x86_64

It looks like my service is running and that this is a 64 bit CentOS system with Tomcat 6.  Based on this information, I will download the package "DirectControl for J2EE App Servers on RHEL 4, 5, 6, Fedora 14, 15, 16, 17 x86_64"; the version is 4.4.4 as of the original post in November 2014.

Installation

Unpack and install the SSO plugin
$ tar xzvf centrify-web-4.4.4-rhel3-x86_64.tgz
The installation file on RHEL for this version is called centrifydc-web-4.4.4-rhel3-x86_64.rpm, so perform a yum or rpm install.
$ dzdo rpm -Uvh centrifydc-web-4.4.4-rhel3-x86_64.rpm
Preparing...                ########################################### [100%]
   1:CentrifyDC-web      ########################################### [100%]

Configuration of the Java Server and Sample Application

Centrify provides a script that configures JBoss, Tomcat, WebSphere and WebLogic.  These servers can run on Microsoft Windows, so there are versions of the plugin for those platforms too.  The script is in /usr/share/centrifydc/java/web and it’s called configure.pl.  All you need to do is follow the prompts to configure Tomcat (options 1-3) and ignore everything about ADFS or certificates at this time.

# /configure.pl

=====================================================================

Welcome to Centrify DirectControl for J2EE Servers Configuration.

 At any prompt, enter ? for help, or return to accept the default value (shown in brackets []).

Please select what type of J2EE server to configure:
[0] Tomcat.
[1] JBoss.
[2] WebLogic Server.
[3] WebSphere Application Server.
[4] Exit this configuration program.
Enter selection:
[0] > 0

===== Configure Tomcat Server for Centrify =====
[0] Run full configuration (all options below).
[1] Copy Centrify jar files to Tomcat server.
[2] Configure Tomcat Server for Centrify.
[3] Setup and deploy Centrify samples.
[4] Configure Tomcat for SSL.
[5] Exit this script


[0] > 1

 === Copy Centrify jar files to Tomcat server ===

Enter the directory where Tomcat Server is installed:
[/usr/share/tomcat6] >
Enter the directory where Java SDK is installed:
[/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.33.x86_64] >
Enter the Tomcat Server version (7.0.x, 6.0.x, 5.5.x or 5.0.x):
[6.0.x] >
You have entered the following:

Tomcat Server directory = /usr/share/tomcat6
Java SDK directory = /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.33.x86_64
Tomcat Server version = 6.0.x

Is this correct (y/n) ?
[y] > y

Copying /usr/share/centrifydc/java/web/scripts/tomcat/centrifydc_jaas.config to /usr/share/tomcat6/c
<...>

===== Configure Tomcat Server for Centrify =====
[0] Run full configuration (all options below).
[1] Copy Centrify jar files to Tomcat server.
[2] Configure Tomcat Server for Centrify.
[3] Setup and deploy Centrify samples.
[4] Configure Tomcat for SSL.
[5] Exit this script

Enter selection:
[0] > 3

=== Copy Centrify jar files to Tomcat server ===


Enter the directory where Tomcat Server is installed:
[/usr/share/tomcat6] >

Enter the directory where Java SDK is installed:
[/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.33.x86_64] >

Enter the Tomcat Server version (7.0.x, 6.0.x, 5.5.x or 5.0.x):
[6.0.x] >

You have entered the following:

Tomcat Server directory = /usr/share/tomcat6
Java SDK directory = /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.33.x86_64
Tomcat Server version = 6.0.x

Is this correct (y/n) ? y

<...>

===== Configure Tomcat Server for Centrify =====
[0] Run full configuration (all options below).
[1] Copy Centrify jar files to Tomcat server.
[2] Configure Tomcat Server for Centrify.
[3] Setup and deploy Centrify samples.
[4] Configure Tomcat for SSL.
[5] Exit this script

Enter selection:
[0] > 3

=== Setup and deploy Centrify samples ===

Enter the directory where Tomcat Server is installed:
[/usr/share/tomcat6] >

Enter the directory where Java SDK is installed:
[/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.33.x86_64] >

Enter the Tomcat Server version (7.0.x, 6.0.x, 5.5.x or 5.0.x):
[6.0.x] >

You have entered the following:

Tomcat Server directory = /usr/share/tomcat6
Java SDK directory = /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.33.x86_64
Tomcat Server version = 6.0.x

Is this correct (y/n) ?
[y] > y

Do you want to setup the Centrify ADFS samples now (y/n) ?
(You must have the ADFS server's hostname and SSL port to setup the ADFS samples.)
[n] >

Verify that everything is working as expected


1. Sign in to a Windows client that is a member of your AD domain.

2. Clear your Kerberos ticket cache by opening a command line and typing "klist purge":
C:\Users\dwirth>klist purge
Current LogonId is 0:0x9bb0d
Deleting all tickets:Ticket(s) purged!

3. Open Internet Explorer and go to Internet Options > Security > Local Intranet > Sites > Advanced and make sure that your browser has the FQDN or the suffix of the SPN for HTTP registered by the server.
If using Firefox, go to about:config and search for network.automatic-ntlm-auth.trusted-uris, and add the SPN's suffix or FQDN there.

4. Browse to http://<your-server>/centrifydc-samples.  This will expose the Centrify sample pages.  Click on Kerberos.  If everything is correct, you should see output that looks like this:

5. Now if you inspect your Kerberos ticket cache, you'll see something like this (truncated):
    C:\Users\dwirth>klist
    Current LogonId is 0:0x9bb0d
    #0>     Client: DWirth @ CENTRIFYIMAGE.VMS
            Server: krbtgt/CENTRIFYIMAGE.VMS @ CENTRIFYIMAGE.VMS

    #1>     Client: DWirth @ CENTRIFYIMAGE.VMS
            Server: HTTP/engcen8.centrifyimage.vms @ CENTRIFYIMAGE.VMS

Ticket #0 is a Kerberos TGT and #1 is a service ticket that was requested by Diana to access the Apache HTTP service on engcen8.

Using the Java Plugin

The Java plugin exposes the methods needed to leverage AD authentication via Centrify.  For example, the web.xml file of an application may add directives like these:

<login-config>
    <auth-method>SPNEGO</auth-method>
    <realm-name>CENTRIFYDC</realm-name>
</login-config>

The Centrify Java Guide explains to J2EE web admins and developers how to use these directives and methods.

