Background
Java application servers like JBoss, Tomcat, WebSphere and WebLogic are pervasive in large enterprises. So is Active Directory. Just as with Apache HTTP, Centrify customers can leverage the tight AD integration on UNIX and Linux platforms, with great support for the Windows platform as well.
We covered the benefits during the Apache HTTP SSO discussion, and the principles are the same. This post covers how to install the Java SSO module using Apache Tomcat as an example.
Requirements
- A Centrified Unix/Linux system running Apache Tomcat (Tomcat6 in this example); alternatively, you can follow along on JBoss, WebSphere or WebLogic as well. The system should be joined to a domain in either zone or workstation mode.
- Apache Tomcat running and accessible
- A domain-joined PC (or a Centrified Mac) to test access from an authenticated Windows system with a web browser (SPNEGO is not available on Safari)
Implementation Steps
Information gathering
1. Collect the OS version, architecture, version of Centrify adclient and whether an SPN for HTTP is registered. uname -a, adinfo -v and adinfo -C | grep http provide that information.
2. Collect the service status, version, architecture and Java version. "service tomcat(x) status", "rpm -qa | grep tomcat" and "java -version" should provide this.
3. Make sure the Tomcat home page (if enabled) is accessible from the Windows client.
4. Obtain the proper version of the J2EE SSO plugin from the Centrify Customer Support Center. Based on the information from steps 1 and 2, you can select which package to download. For example, on my CentOS 6.x, 64-bit, Tomcat6 system:
$ uname -a
Linux engcen8.centrifyimage.vms 2.6.32-504.el6.x86_64 #1 SMP Wed
Oct 15 04:27:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
$ java -version
java version "1.7.0_71"
OpenJDK Runtime Environment (rhel-2.5.3.1.el6-x86_64 u71-b14)
OpenJDK 64-Bit Server VM (build 24.65-b04, mixed mode)
$ adinfo -v
adinfo (CentrifyDC 5.2.0-218)
$ adinfo -C | grep http
$ dzdo adinfo -C | grep http
http/engcen8.centrifyimage.vms
http/engcen8
[dwirth@engcen8 lib]$ rpm -qa | grep tomcat
tomcat6-6.0.24-80.el6.x86_64
Based on this information, my service is running on a 64-bit CentOS with Tomcat 6, so I will download the package "DirectControl for J2EE App Servers on RHEL 4, 5, 6, Fedora 14, 15, 16, 17 x86_64"; the version is 4.4.4 as of the original post in November 2014.
Installation
Unpack and install the SSO plugin:
$ tar xzvf centrify-web-4.4.4-rhel3-x86_64.tgz
The installation file on RHEL for this version is called centrifydc-apache-4.4.4-rhel3-x86_64.rpm, so perform a yum or rpm install.
$ dzdo rpm -Uvh centrifydc-web-4.4.4-rhel3-x86_64.rpm
Preparing...
########################################### [100%]
1:CentrifyDC-web
########################################### [100%]
Configuration of the Java Server and Sample Application
Centrify provides a script that configures JBoss, Tomcat, WebSphere and WebLogic. These servers can also run on Microsoft Windows, so there are versions of the plugin for those platforms too. The script is in /usr/share/centrifydc/java/web and is called configure.pl. All you need to do is follow the prompts to configure Tomcat (options 1-3) and ignore everything about ADFS or certificates at this time.
# ./configure.pl
=====================================================================
Welcome to Centrify DirectControl for J2EE Servers Configuration.
At any prompt, enter ? for help, or return to accept the default value (shown in brackets []).
Please select what type of J2EE server to configure:
[0] Tomcat.
[1] JBoss.
[2] WebLogic Server.
[3] WebSphere Application Server.
[4] Exit this configuration program.
Enter selection: [0] > 0
===== Configure Tomcat Server for Centrify =====
[0] Run full configuration (all options below).
[1] Copy Centrify jar files to Tomcat server.
[2] Configure Tomcat Server for Centrify.
[3] Setup and deploy Centrify samples.
[4] Configure Tomcat for SSL.
[5] Exit this script
[0] > 1
=== Copy Centrify jar files to Tomcat server ===
Enter the directory where Tomcat Server is installed:
[/usr/share/tomcat6] >
Enter the directory where Java SDK is installed:
[/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.33.x86_64] >
Enter the Tomcat Server version (7.0.x, 6.0.x, 5.5.x or 5.0.x):
[6.0.x] >
You have entered the following:
Tomcat Server directory = /usr/share/tomcat6
Java SDK directory = /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.33.x86_64
Tomcat Server version = 6.0.x
Is this correct (y/n) ? [y] > y
Copying /usr/share/centrifydc/java/web/scripts/tomcat/centrifydc_jaas.config to /usr/share/tomcat6/c
<...>
===== Configure Tomcat Server for Centrify =====
[0] Run full configuration (all options below).
[1] Copy Centrify jar files to Tomcat server.
[2] Configure Tomcat Server for Centrify.
[3] Setup and deploy Centrify samples.
[4] Configure Tomcat for SSL.
[5] Exit this script
Enter selection: [0] > 3
=== Copy Centrify jar files to Tomcat server ===
Enter the directory where Tomcat Server is installed:
[/usr/share/tomcat6] >
Enter the directory where Java SDK is installed:
[/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.33.x86_64] >
Enter the Tomcat Server version (7.0.x, 6.0.x, 5.5.x or 5.0.x):
[6.0.x] >
You have entered the following:
Tomcat Server directory = /usr/share/tomcat6
Java SDK directory = /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.33.x86_64
Tomcat Server version = 6.0.x
Is this correct (y/n) ? y
<...>
===== Configure Tomcat Server for Centrify =====
[0] Run full configuration (all options below).
[1] Copy Centrify jar files to Tomcat server.
[2] Configure Tomcat Server for Centrify.
[3] Setup and deploy Centrify samples.
[4] Configure Tomcat for SSL.
[5] Exit this script
Enter selection: [0] > 3
=== Setup and deploy Centrify samples ===
Enter the directory where Tomcat Server is installed:
[/usr/share/tomcat6] >
Enter the directory where Java SDK is installed:
[/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.33.x86_64] >
Enter the Tomcat Server version (7.0.x, 6.0.x, 5.5.x or 5.0.x):
[6.0.x] >
You have entered the following:
Tomcat Server directory = /usr/share/tomcat6
Java SDK directory = /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.33.x86_64
Tomcat Server version = 6.0.x
Is this correct (y/n) ? [y] > y
Do you want to setup the Centrify ADFS samples now (y/n) ?
(You must have the ADFS server's hostname and SSL port to setup the ADFS samples.)
[n] >
Verify that everything is working as expected
1. Sign in to a Windows client that is a member of your AD domain.
2. Clear your Kerberos ticket cache by opening a command line and typing "klist purge":
C:\Users\dwirth>klist purge
Current LogonId is 0:0x9bb0d
Deleting all tickets:Ticket(s) purged!
3. Open Internet Explorer and go to Internet Options > Security > Local Intranet > Sites > Advanced and make sure that your browser has the FQDN or the suffix of the SPN for HTTP registered by the server. If using Firefox, go to about:config, search for network.automatic-ntlm-auth.trusted-uris and add the SPN's suffix or FQDN there. Note that Firefox reads the Kerberos/SPNEGO trust list from network.negotiate-auth.trusted-uris; the NTLM preference only governs NTLM fallback, so add the same suffix or FQDN to both if you expect a Kerberos service ticket rather than NTLM.
4. Browse to http://<your-server>/centrifydc-samples. This will expose the Centrify sample pages. Click on Kerberos. If everything is correct, you should see output that looks like this:
Now if you inspect your Kerberos ticket cache, you'll see something like this (truncated):
C:\Users\dwirth>klist
Current LogonId is 0:0x9bb0d
#0> Client: DWirth @ CENTRIFYIMAGE.VMS
Server: krbtgt/CENTRIFYIMAGE.VMS @ CENTRIFYIMAGE.VMS
#1> Client: DWirth @ CENTRIFYIMAGE.VMS
Server: HTTP/engcen8.centrifyimage.vms @ CENTRIFYIMAGE.VMS
Ticket #0 is a Kerberos TGT and #1 is a service ticket that was requested by Diana to access the Apache HTTP service on engcen8.
Using the Java Plugin
The Java plugin exposes the methods to leverage AD authentication via Centrify. For example, the web.xml file of an application may add directives like these:
<login-config>
<auth-method>SPNEGO</auth-method>
<realm-name>CENTRIFYDC</realm-name>
</login-config>
The Centrify Java Guide explains to J2EE web admins and developers how to use these directives and methods.
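A login-config on its own does not protect anything: Tomcat only challenges for credentials when a request matches a security-constraint. The fragment below is an added example web.xml (not from the post or the Centrify Java Guide) that pairs the SPNEGO directives above with a constraint on a hypothetical /secure/* path and a TLS requirement; the role name "aduser" is an assumption and must be mapped in the realm as the guide describes.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the Centrify project's own descriptor. Assumes the Centrify J2EE
     plugin is installed and Tomcat is configured (configure.pl options 1-2). Servlet 2.5
     matches Tomcat 6; the /secure/* path and the "aduser" role are hypothetical. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- The constraint is what triggers the SPNEGO challenge; without it every
       URL stays anonymous even though login-config is present. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
      <!-- Listing methods would leave unlisted ones (e.g. HEAD, OPTIONS)
           unprotected; omitting http-method covers all of them. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- Tomcat's default allRolesMode is "strict", so a bare "*" only matches
           roles declared below; use an explicit role the realm grants. -->
      <role-name>aduser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Kerberos protects the credential exchange, not the page content or the
           session cookie; CONFIDENTIAL forces HTTPS (configure.pl option 4). -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- The directives from the post: SPNEGO handled by the Centrify realm. -->
  <login-config>
    <auth-method>SPNEGO</auth-method>
    <realm-name>CENTRIFYDC</realm-name>
  </login-config>

  <!-- Declared so the auth-constraint above resolves under strict role checking. -->
  <security-role>
    <role-name>aduser</role-name>
  </security-role>
</web-app>
```

A servlet under /secure/* can then read the authenticated AD identity with the standard request.getRemoteUser() / request.getUserPrincipal() calls; if those return null, the constraint did not fire and the request never went through SPNEGO.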