Saturday, November 15, 2014

Business Cases: Centrifying Java Application Servers to provide on premises AD-based SSO and Authorization

Background


Java application servers like JBoss, Tomcat, WebSphere and WebLogic are pervasive in large enterprises, and so is Active Directory.  Just as with Apache HTTP, Centrify customers can leverage the tight AD integration on UNIX and Linux platforms, with equally good support on Windows.

We covered the benefits in the Apache HTTP SSO discussion, and the principles are the same.
This post covers how to install the Java SSO module, using Apache Tomcat as an example.

Requirements

  • A Centrified Unix/Linux system running Apache Tomcat (Tomcat 6 in this example); alternatively, you can follow along on JBoss, WebSphere or WebLogic.  The system should be joined to a domain in either zone or workstation mode.
  • Apache Tomcat running and accessible
  • A domain-joined PC (or a Centrified Mac) with a web browser, to test access from an authenticated system (SPNEGO is not available on Safari)

Implementation Steps

Information gathering

1. Collect the OS version, architecture, version of Centrify adclient, and whether an SPN for HTTP is registered.
uname -a, adinfo -v and adinfo -C | grep http provide that information.
2. Collect the service status, version, architecture and Java version.
service tomcat(x) status, rpm -qa | grep tomcat and java -version should provide this.
3. Make sure the Tomcat home page (if enabled) is accessible from the Windows client.
4. Obtain the proper version of the J2EE SSO plugin from the Centrify Customer Support Center.
Based on the information from steps 1 and 2, you can select which package to download. For example, on my CentOS 6.x, 64-bit system running Tomcat 6:

$ uname -a
Linux engcen8.centrifyimage.vms 2.6.32-504.el6.x86_64 #1 SMP Wed Oct 15 04:27:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
$ java -version
java version "1.7.0_71"
OpenJDK Runtime Environment (rhel-2.5.3.1.el6-x86_64 u71-b14)
OpenJDK 64-Bit Server VM (build 24.65-b04, mixed mode)
$ adinfo -v
adinfo (CentrifyDC 5.2.0-218)
$ adinfo -C | grep http
$ dzdo adinfo -C | grep http
                           http/engcen8.centrifyimage.vms
                           http/engcen8
[dwirth@engcen8 lib]$ rpm -qa | grep tomcat
tomcat6-6.0.24-80.el6.x86_64

Based on this information the service is running on 64-bit CentOS with Tomcat 6, so I will download the package "DirectControl for J2EE App Servers on RHEL 4, 5, 6, Fedora 14, 15, 16, 17 x86_64"; the version is 4.4.4 as of the original post in November 2014.
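The information-gathering steps above lend themselves to a small pre-flight script. The one below is an added example for this post, not Centrify's tooling: each check takes captured command output as its argument, so it can be run against saved output (the samples embedded here are constructed from the values shown above) or live on the box. The one check that matters for SSO is the last one: the host's keytab must contain the http/<fqdn> SPN, otherwise the browser can never obtain a service ticket for the server.

```shell
#!/bin/sh
# Pre-flight check for the Centrify J2EE SSO plugin on a Linux Tomcat host.
# Added example for this post; it is not Centrify's tooling. Each check takes
# captured command output as its argument, so it runs against saved output and
# against the constructed samples below as well as live on the box.

# Sample output, constructed from the values shown in this post.
SAMPLE_UNAME='Linux engcen8.centrifyimage.vms 2.6.32-504.el6.x86_64 #1 SMP Wed Oct 15 04:27:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux'
SAMPLE_ADINFO_C='                           http/engcen8.centrifyimage.vms
                           http/engcen8'
SAMPLE_JAVA='java version "1.7.0_71"
OpenJDK Runtime Environment (rhel-2.5.3.1.el6-x86_64 u71-b14)'
SAMPLE_RPM='tomcat6-6.0.24-80.el6.x86_64'

# Machine architecture: the field before "GNU/Linux" in `uname -a` (same value as `uname -m`).
arch_from_uname() {
    printf '%s\n' "$1" | awk '{ print $(NF-1) }'
}

# Major.minor of the JRE from the first line of `java -version`, e.g. 1.7.
java_major() {
    printf '%s\n' "$1" | sed -n '1s/.*"\([0-9]*\.[0-9]*\).*/\1/p'
}

# Tomcat major version from the rpm name: tomcat6-6.0.24-... -> 6, tomcat-7.0.76-... -> 7.
tomcat_major() {
    printf '%s\n' "$1" | sed -n 's/^tomcat[0-9]*-\([0-9]*\)\..*/\1/p'
}

# SPNEGO only works if the host's keytab holds the http/<fqdn> SPN that browsers will
# request a ticket for. `adinfo -C` lists the keytab principals (with indentation);
# the match is case-insensitive because clients show the SPN as HTTP/<fqdn>.
has_http_spn() {
    _want=$(printf 'http/%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/^[[:space:]]*//' | grep -qxF "$_want"
}

# Run every check against captured output. Prints one line per item and returns 1 if
# the HTTP SPN is missing, since the SSO plugin cannot work until it is registered.
preflight() {
    _uname=$1 _adinfo=$2 _java=$3 _rpm=$4 _fqdn=$5
    _rc=0
    printf 'arch:    %s\n' "$(arch_from_uname "$_uname")"
    printf 'java:    %s\n' "$(java_major "$_java")"
    printf 'tomcat:  %s\n' "$(tomcat_major "$_rpm")"
    if has_http_spn "$_adinfo" "$_fqdn"; then
        printf 'spn:     http/%s present in keytab\n' "$_fqdn"
    else
        printf 'spn:     http/%s MISSING - register the SPN before installing the plugin\n' "$_fqdn"
        _rc=1
    fi
    return $_rc
}

# "live" gathers the output from this host (adinfo -C usually needs dzdo, as in the post);
# with no argument the constructed samples are used so the script can be tried anywhere.
if [ "${1:-}" = live ]; then
    preflight "$(uname -a)" "$(dzdo adinfo -C 2>/dev/null)" "$(java -version 2>&1)" \
              "$(rpm -qa | grep '^tomcat')" "$(hostname -f)"
else
    preflight "$SAMPLE_UNAME" "$SAMPLE_ADINFO_C" "$SAMPLE_JAVA" "$SAMPLE_RPM" engcen8.centrifyimage.vms
fi
```

Run it as `sh preflight.sh live` on the Tomcat host; the sample above also shows why the unprivileged `adinfo -C` printed nothing: reading the keytab needs root, hence the dzdo in the live branch.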

Installation

Unpack and install the SSO plugin
$ tar xzvf centrify-web-4.4.4-rhel3-x86_64.tgz
The installation file on RHEL for this version is called centrifydc-web-4.4.4-rhel3-x86_64.rpm, so perform a yum or rpm install.
$ dzdo rpm -Uvh centrifydc-web-4.4.4-rhel3-x86_64.rpm
Preparing...                ########################################### [100%]
   1:CentrifyDC-web      ########################################### [100%]

Configuration of the Java Server and Sample Application

Centrify provides a script that configures JBoss, Tomcat, WebSphere and WebLogic.  These servers can also run on Microsoft Windows, so there are versions of the plugin for that platform too.  The script is /usr/share/centrifydc/java/web/configure.pl.  All you need to do is follow the prompts to configure Tomcat (options 1-3) and ignore everything about ADFS or certificates for now.

# ./configure.pl

=====================================================================

Welcome to Centrify DirectControl for J2EE Servers Configuration.

 At any prompt, enter ? for help, or return to accept the default value (shown in brackets []).

Please select what type of J2EE server to configure:
[0] Tomcat.
[1] JBoss.
[2] WebLogic Server.
[3] WebSphere Application Server.
[4] Exit this configuration program.
Enter selection:
[0] > 0

===== Configure Tomcat Server for Centrify =====
[0] Run full configuration (all options below).
[1] Copy Centrify jar files to Tomcat server.
[2] Configure Tomcat Server for Centrify.
[3] Setup and deploy Centrify samples.
[4] Configure Tomcat for SSL.
[5] Exit this script


[0] > 1

 === Copy Centrify jar files to Tomcat server ===

Enter the directory where Tomcat Server is installed:
[/usr/share/tomcat6] >
Enter the directory where Java SDK is installed:
[/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.33.x86_64] >
Enter the Tomcat Server version (7.0.x, 6.0.x, 5.5.x or 5.0.x):
[6.0.x] >
You have entered the following:

Tomcat Server directory = /usr/share/tomcat6
Java SDK directory = /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.33.x86_64
Tomcat Server version = 6.0.x

Is this correct (y/n) ?
[y] > y

Copying /usr/share/centrifydc/java/web/scripts/tomcat/centrifydc_jaas.config to /usr/share/tomcat6/c
<...>

===== Configure Tomcat Server for Centrify =====
[0] Run full configuration (all options below).
[1] Copy Centrify jar files to Tomcat server.
[2] Configure Tomcat Server for Centrify.
[3] Setup and deploy Centrify samples.
[4] Configure Tomcat for SSL.
[5] Exit this script

Enter selection:
[0] > 3

=== Copy Centrify jar files to Tomcat server ===


Enter the directory where Tomcat Server is installed:
[/usr/share/tomcat6] >

Enter the directory where Java SDK is installed:
[/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.33.x86_64] >

Enter the Tomcat Server version (7.0.x, 6.0.x, 5.5.x or 5.0.x):
[6.0.x] >

You have entered the following:

Tomcat Server directory = /usr/share/tomcat6
Java SDK directory = /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.33.x86_64
Tomcat Server version = 6.0.x

Is this correct (y/n) ? y

<...>

===== Configure Tomcat Server for Centrify =====
[0] Run full configuration (all options below).
[1] Copy Centrify jar files to Tomcat server.
[2] Configure Tomcat Server for Centrify.
[3] Setup and deploy Centrify samples.
[4] Configure Tomcat for SSL.
[5] Exit this script

Enter selection:
[0] > 3

=== Setup and deploy Centrify samples ===

Enter the directory where Tomcat Server is installed:
[/usr/share/tomcat6] >

Enter the directory where Java SDK is installed:
[/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.33.x86_64] >

Enter the Tomcat Server version (7.0.x, 6.0.x, 5.5.x or 5.0.x):
[6.0.x] >

You have entered the following:

Tomcat Server directory = /usr/share/tomcat6
Java SDK directory = /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.33.x86_64
Tomcat Server version = 6.0.x

Is this correct (y/n) ?
[y] > y

Do you want to setup the Centrify ADFS samples now (y/n) ?
(You must have the ADFS server's hostname and SSL port to setup the ADFS samples.)
[n] >

Verify that everything is working as expected


1. Sign in to a Windows client that is a member of your AD domain.

2. Clear your Kerberos ticket cache by opening a command line and typing "klist purge":
C:\Users\dwirth>klist purge
Current LogonId is 0:0x9bb0d
Deleting all tickets:Ticket(s) purged!
3. Open Internet Explorer, go to Internet Options > Security > Local Intranet > Sites > Advanced, and make sure the FQDN (or the domain suffix) of the HTTP SPN registered by the server is listed there.
If using Firefox, go to about:config, search for network.automatic-ntlm-auth.trusted-uris, and add the SPN's suffix or FQDN there.
4. Browse to http://<your-server>/centrifydc-samples.  This exposes the Centrify sample pages.  Click on Kerberos.  If everything is correct, you should see output that looks like this:

5. Now if you inspect your Kerberos ticket cache, you'll see something like this (truncated):
C:\Users\dwirth>klist
Current LogonId is 0:0x9bb0d
#0>     Client: DWirth @ CENTRIFYIMAGE.VMS
        Server: krbtgt/CENTRIFYIMAGE.VMS @ CENTRIFYIMAGE.VMS

#1>     Client: DWirth @ CENTRIFYIMAGE.VMS
        Server: HTTP/engcen8.centrifyimage.vms @ CENTRIFYIMAGE.VMS

Ticket #0 is a Kerberos TGT and #1 is a service ticket that was requested by Diana to access the HTTP service on engcen8.
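The browser test above depends on client-side zone settings, so it helps to have a check that exercises only the server. The script below is an added example for this post (not Centrify's tooling) for running from a Centrified Linux or Mac client that already holds a TGT: it first confirms that the unauthenticated response is a 401 carrying a WWW-Authenticate: Negotiate challenge, which is what makes a browser send the HTTP/engcen8 service ticket at all, and then lets curl complete the negotiation and expects a 200. The header samples it is tested on are constructed; the Negotiate token is a placeholder.

```shell
#!/bin/sh
# End-to-end SPNEGO check from a Centrified Linux/Mac client (added example for this
# post, not Centrify's tooling). The parsing functions take captured response headers,
# so they are exercised on the constructed samples below; check_sso_url drives curl live.

# Constructed samples of what `curl -D -` prints. The token after authentication is
# replaced by a placeholder.
SAMPLE_ANON='HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Negotiate
Content-Length: 0'

SAMPLE_NEGOTIATED='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate

HTTP/1.1 200 OK
WWW-Authenticate: Negotiate <base64-token>
Content-Type: text/html;charset=utf-8'

SAMPLE_BASIC='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="example"'

# An unauthenticated request to an SPNEGO-protected URL must be answered with 401 and
# WWW-Authenticate: Negotiate (RFC 4559). Anything else means the browser would never
# send a Kerberos ticket, whatever the Intranet-zone settings on the client are.
challenges_negotiate() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        NR == 1 && $2 == "401" { status = 1 }
        tolower($1) == "www-authenticate:" && tolower($2) == "negotiate" { hdr = 1 }
        END { exit !(status && hdr) }'
}

# `curl -D -` prints the headers of every response in the exchange; the status line of
# the last one is the outcome of the negotiation.
final_status() {
    printf '%s\n' "$1" | tr -d '\r' | awk '/^HTTP\// { s = $2 } END { print s }'
}

# Live check: first without credentials, then letting curl negotiate with the ticket in
# the local cache (--negotiate -u : uses the current principal). Returns 0 on success,
# 1 on an SSO failure, 2 if the server could not be reached.
check_sso_url() {
    _url=$1
    _anon=$(curl -sS -o /dev/null -D - "$_url") || return 2
    if ! challenges_negotiate "$_anon"; then
        printf 'no Negotiate challenge from %s\n' "$_url"
        return 1
    fi
    _auth=$(curl -sS -o /dev/null -D - --negotiate -u : "$_url") || return 2
    _st=$(final_status "$_auth")
    if [ "$_st" != 200 ]; then
        printf 'negotiation ended with HTTP %s for %s\n' "$_st" "$_url"
        return 1
    fi
    printf 'SPNEGO SSO OK for %s\n' "$_url"
}

# Usage: sh sso-check.sh http://<your-server>/centrifydc-samples/
if [ $# -eq 1 ]; then
    check_sso_url "$1"
fi
```

A "no Negotiate challenge" result points at the Tomcat side (plugin not loaded or the sample application not deployed); a failed negotiation with the challenge present usually means the ticket was issued for an SPN the server does not hold in its keytab, which is where the adinfo -C output from the information-gathering step comes back in.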

Using the Java Plugin

The Java plugin exposes methods for leveraging AD authentication via Centrify.  For example, the web.xml file of an application may add directives like these:

<login-config>
     <auth-method>SPNEGO</auth-method>
     <realm-name>CENTRIFYDC</realm-name>
</login-config> 

The Centrify Java Guide explains to J2EE web administrators and developers how to use these directives and methods.


Video Playlist

(7 minutes total)
