mardi 17 septembre 2013

JD Edwards Single Sign-on via OAM & Kerberos (WNA)


JD Edwards Single Sign On…. You click on your browser favorite (or manually type the URL in the address field) and JDE opens without asking you to sign-in but use your Windows PC account to authenticate via the domain Active Directory... This is what I was asked to configure a few months ago. I always wondered if Oracle had an “add-on” to do this easily…. And I quickly discovered that they did NOT! But I did IT! 

When searching the Oracle support website for information, this is what I found:

Will SSO implementation eliminate the login screen for users on HTML client workstation?
Is the Unifed Logon Process possible in HTML/Web clients?
Is there a way to eliminate the login screen for Web clients?

To make it short, the same answer for the three questions was: NO so back to the drawing board, I wasn’t going to find an easy way through…

After a little digging in Server Manager I found the following in the Network Settings of my HTML instance ([SECURITY] section in the JAS.INI):

Enable Oracle Single Sign-on
Enable Oracle Access Manager

Oracle Single Sign-on…. Sounds good… What could it be…? Google it! Forget it…. You login to an Oracle “portal” which then, when you select JD Edwards in the portal sends you straight to the application without a JDE login screen. Good but not good enough, you still have a login screen (OK not JDE but you HAVE a login screen) and on top of that you have to use OID: the Oracle Active Directory… which means migrating all my Windows AD to OID: NO WAY!

So... Last option: OAM. This is what Oracle tells me about OAM:  

"Oracle Access Manager 11g is a Java Platform, Enterprise Edition (Java EE)-based enterprise-level security application that provides restricted access to confidential information and centralized authentication and authorization services. All existing access technologies in the Oracle Identity Management stack converge in Oracle Access Manager 11g."

Sounds alright, and OAM seems a lot more flexible that the Oracle Portal, ie you can use protocols such as SAML or Kerberos to configure Windows Native Authentication (WNA) and “remove” the OAM login screen and keep my Windows AD… spot on!

Here are the steps to install all this:

To install Oracle Identity and Access Management, you must obtain the following software:


• Oracle WebLogic Server 11g Release 1 (10.3.5).
Oracle Repository Creation Utility (11.1.2).
• Oracle Identity and Access Management Suite (11.1.2).
• Oracle WebTier Utilities (11.1.1.7).
Oracle Webgate.

Creating Database Schema using RCU

You must create and load the appropriate Oracle Fusion Middleware schemas in the database using RCU before installing and configuring Oracle Identity and Access Management components. Before running RCU, ensure that you have the database connection string, port, administrator credentials, and service name ready. When you run RCU, create and load only the following schemas for the Oracle Identity and Access Management component you are installing—do not select any other schema available in RCU:

To install the database software, follow the steps below:

- Log on as a member of the Administrators group for the computer on which you want to install Oracle components.

- Fom the downloaded directory ( D:\OracleSSO\rcu), double-click rcu.bat to start Oracle Universal Installer.

- Select Create and then Next.

- Enter your Database details.

- Select Components as below:


 

































- Click Finish, the required schemas for OAM will be created.

Installing Oracle Access Management (11.1.2)

To install the Oracle Oracle Identity and Access Management, follow the steps below:

- Invoke the setup.exe -jreLoc D:\Java\jrockit-jdk1.6.0_24-R28.1.3-4.0.1 from the staging area (C:\Users\admin_jde\Downloads\Oracle Identity and Access Management 11g (11.1.2.0.0)\Disk1).

- Click Next on Welcome screen.

- If you don't want to receive the security updates, then Uncheck "I wish to receive security updates via My Oracle Support. " option, Click Next and press Yes button.

- The installer performs prerequisite checks. Be sure to correct any failures before continuing, Click Next.

- Specify the Oracle Middleware Home and the Oracle Access Directory Home. The default home is Oracle_OAM, Click Next.

- Review the Installation Summary then Click Finish.

- Run the domain configure from D:\OracleSSO\Oracle_IDM1\common\bin.
- The Fusion Middleware Configuration Wizard screen appears, Select Create a new WebLogic domain option then Click Next.

- Select the components to configure. For OAM Server, you need Oracle Access Manager and Oracle Enterprise Manager. Oracle JRF - 11.1.1.0 is selected by default then Click Next.

- Enter a domain name and accept the default locations, Click Next.

- Enter the Administrator User Name and Password, Click Next.

- Select Production Mode and verify the JDK version and location.

- Enter the JDBC Component Schema, complete these fields, according to the schemas that have been created in previous step.

The installer verifies all of the component schema connections, Click Next.

- Select Administration Server and Managed Servers, Clusters and Machines options, Click Next.

- Enter the Administration Server Name; for example, AdminServerOAM. Do not accept the default listen port (7001) if you have Oracle Internet Directory Server already installed because it
might have used the default port. Enter a unique listen port for this OAM server. For example, port 7009.

- Accept the default values on the Configure Managed Servers page, Click Next.

- The Configure Clusters page appears, Click Next.

- Select the Machine Type: On Windows select the Machine tab. Select the Add tab, Enter a logical machine name then Click Next.

- Assign the servers to this logical machine, Click Next.

- Review the Configuration Summary. Click Create, Click Done once the domain creation is completed

- DO NOT start the Admin server before running the following 2 scripts:

D:\OracleSSO\Oracle_IDM1\common\bin\wlst.cmd D:\OracleSSO\Oracle_IDM1\common\tools\configureSecurityStore.py -d D:\OracleSSO\user_projects\domains\SSO -c IAM -p H75hsm49 -m create
D:\OracleSSO\Oracle_IDM1\common\bin\wlst.cmd D:\OracleSSO\Oracle_IDM1\common\tools\configureSecurityStore.py -d D:\OracleSSO\user_projects\domains\SSO -m validate

- Start the Admin Server: open a command window, change the directory to D:\OracleSSO\user_projects\domains\SSO, Run startWebLogic.cmd.

- Connect to the OAM Domain Administration console: http://jdedevweb:7009/console

- Select the Servers and start the oam_server1 managed server.

- Verify the OAM installation by opening the OAM Admin Console:
http://jdedevweb:7009/oamconsole (The oamport is the same as the WebLogic Console port).

Installing Oracle WebTier Utilities

Oracle Web Tier contains the following components:
- Oracle HTTP Server.
- Oracle Web Cache.
- Oracle Process Manager and Notification Server (OPMN).

To install the Oracle WebTier utilities, follow the steps below:
- Invoke the setup.exe from the staging area (C:\Users\admin_jde\Downloads\ofm_webtier_win_11.1.1.7.0_64_disk1_1of1\Disk1)

- Click Next on Welcome screen.

- If you don't want to receive the security updates, then Uncheck "I wish to receive security updates via My Oracle Support. " option, Click Next and press Yes button.

- Select "Install Software - Do Not Configure", Click Next.

- Enter Middleware Home: D:\OracleSSO\Oracle_WT1 and enter Oracle Home Directory : Oracle_WT1 , Click Next.

- Keep default values until last scren then Click Next.

- When Oracle WebTier is installed, Run the Configuration Tool to configure your Oracle Web Tier products by launching D:\OracleSSO\Oracle_WT1\bin\config.bat.

- Click Next on Welcome screen.

- Select "Oracle HTTP Server" and "Associate Selected Components with WebLogic Domain", Click Next.

- Specify the credentials for your existing WebLogic Domain which hosts Fusion Middleware (EM) Control, Click Next.

* hostname= jdewebdev
* port= 7009
* user= weblogic
* pwd= ***********

- Enter Oracle Home for the instance to be created: D:\OracleSSO\Oracle_WT1\instances\ssoinstance, instance name: ssoinstance  and OHS name: ohs1, Click Next.
- Select automatic port configuration, Click Next.

- Click Finish.

Installing Oracle WebGate

Oracle HTTP Server WebGate is a web server plug-in that is shipped out-of-the-box with Oracle Access Manager. The Oracle HTTP Server WebGate intercepts HTTP requests from users for web resources and forwards them to the Access Server for authentication and authorization. Oracle HTTP Server WebGate installation packages are found on media and virtual media that is separate from the core components.
Use these steps to install Oracle HTTP 11g WebGate:
- Invoke the setup.exe (setup.exe -jreLoc D:\Java\jrockit-jdk1.6.0_24-R28.1.3-4.0.1.) from the staging area (C:\Users\admin_jde\Downloads\ofm_webtier_win_11.1.1.7.0_64_disk1_1of1\Disk1).

- Click Next on the Welcome page.
- The installer performs prerequisite checks, Click Next.
- Specify the Middleware Home and WebGate Home Directory.
- Review the installation Summary then Click Finish.
- You must complete the following steps after installing Oracle HTTP Server 11g WebGate for Oracle Access Manager:
- Move to the following directory under your Oracle Home for WebGate: <webgate_home>\webgate\ohs\tools\deployWebGate
- Run the command: deployWebgateInstance.bat -w <Webgate_Instance_Directory> -oh <Webgate_Oracle_Home> Where <Webgate_Oracle_Home> is the directory where you have installed Oracle HTTP Server WebGate and created as the Oracle Home for WebGate. The <Webgate_Instance_Directory> is the location of WebGate Instance Home, which is same as the Instance Home of Oracle HTTP Server.


In our example we need to run:
deployWebGateInstance.bat -w D:\OracleSSO\Oracle_WT1\instances\ssoinstance\config\OHS\ohs1 -oh D:\OracleSSO\Oracle_OAMWebGate1
- Move to the directory: <webgate_home>\webgate\ohs/tools\editHttpConf
- On the command line, run the following command to copy the apache_webgate.template from the Webgate_Home directory to the Webgate Instance location (renamed to webgate.conf) and update the httpd.conf file to add one line to include the name of webgate.conf: EditHttpConf.exe -w <Webgate_Instance_Directory> [-oh <Webgate_Oracle_Home>] [-o <output_file>] (The [-oh <Webgate_Oracle_Home>] and [-o <output_file>] parameters are optional.)
In our example we need to run:
EditHttpConf.exe -w D:\OracleSSO\Oracle_WT1\instances\ssoinstance\config\OHS\ohs1

Registering the WebGate Agent for JD Edwards EnterpriseOne HTML Server


- Sign in to Oracle Access Manager console (http://jdedevweb:7009/oamconsole) and select the "New OAM 11g Webgate":



- On Create OAM 11G Webgate, enter a name for the WebGate in the Name field. In the Security options area, select Open, and then click the Apply button. This creates entries for the new WebGate under the Host Identifiers and Application Domains nodes, as shown in the following screen.

















  




- To create the resource URL, in the Applications Domains node, click Resources under the new WebGate. In the Search Results area, click the Create button (paper icon):




- Repeat the preceding steps to add the following resource URL: /…/*.
- Double-click the Protected Resource Policy. The Resources tab displays the newly added resources:




















- Click the Responses tab and click the Add button (plus symbol icon):









- Review all registered agents, and then select the System Configuration tab.
- Open the Access Manager Settings section, and then open the SSO Agents option.
- In the "Access Manager Settings" section in the left pane, double-click OAM Agents and then click the Search button. A list of registered agents appears. The registered agent creates a cwallet.sso file and ObAccessClient.xml file.
- Copy these two files from <MW_HOME>/user_projects/domain/SSO/output/<Agent_name> and paste them to the following directory on the JD Edwards EnterpriseOne Server:
<MW_Home> Oracle_WT1\instances\ssoinstance\config\OHS\ohs1\webgate\config
- Restart the JD Edwards EnterpriseOne HTML Server.
- After you install and configure the Oracle HTTP Server and Oracle HTTP WebGate, you need to configure the mod_wl_ohs.conf file.
- Navigate to the mod_wl_ohs.conf file located at: MW_Home>/Oracle_WT1/instances/ ssoinstance /config/OHS/ohs1
- Edit the mod_wl_ohs.conf file. Add a Virtual Host section:
NameVirtualHost *:7777
<VirtualHost *:7777>
<Location /jde>
SetHandler weblogic-handler
WebLogicHost jdedevweb
WebLogicPort 8020
</Location>
</VirtualHost>

- Restart the HTTP server. Change the directory to MW_Home>/Oracle_WT1/instances/ ssoinstance /bin.
* Run ./opmnctl stopall
* Run ./opmnctl startall

Setting Up JD Edwards EnterpriseOne for Single Sign-On/Off Integration with OAM


This section discusses how to set up JD Edwards EnterpriseOne HTML Server for single sign-on integration with Oracle Access Manager through EnterpriseOne Server Manager.
- Open EnterpriseOne Server Manager from a browser.
- Select your EnterpriseOne HTML Server instance.
- Select Network Settings from the Configuration section:










Oracle Access Manager Sign-Off URL: http://jdedevweb:14100/oamsso/logout.html?end_url=http://jdedevweb:7777/jde/index.jsp
- Stop and restart the EnterpriseOne HTML Server.
- You can now access the JD Edwards application via the URL: http://JDEDEVWEB:7777/jde


Windows Native Authentification (KERBEROS) Configuration

Oracle Access Manager enables Microsoft Internet Explorer users to automatically authenticate to their Web applications using their desktop credentials. This is known as Windows Native
Authentication (WNA).
Cross-platform authentication is achieved by emulating the negotiate behavior of native Windows-to-Windows authentication services that use the Kerberos protocol. In order for cross-platform
authentication to work, non-Windows servers (in this case, Oracle Access Manager) must parse SPNEGO tokens in order to extract Kerberos tokens which are then used for authentication.
With Oracle Access Manager single sign-on combined with WNA, a Kerberos session ticket is generated that contains her login credentials, among other things. This Kerberos session ticket is not
visible to the user.
However, with WNA implemented, the user can click on her Web application without another challenge for credentials. Instead, her Kerberos session ticket, which includes her credentials, is passed
through the browser to the Oracle Access Manager server. The server validates the credentials by checking them against the Key Distribution Center server (KDC server) on the Windows domain
server. (Note: The KDC, which is a trusted third party, uses logically separate servers to grant and process tickets, including the service server to authenticate session tickets and confirm the
client's identity.)
If authentication succeeds she is granted access to her Web applications automatically.
For instance, the application must be protected by an Oracle Access Manager application domain that uses the Kerberos authentication scheme (KerbScheme) with WNA as the challenge method.
In this case, credentials must be stored in a Windows Active Directory instance that is registered as a user-identify store with Oracle Access Manager.















- Create krb5.ini file (in: D:\OracleSSO\Oracle_WT1\instances\ssoinstance\tmp) and copy it in C:\Windows:
[Libdefaults]
default_realm = DOMAIN.INT
ticket_lifetime = 600
clockskew = 600
dns_lookup_realm = false
dns_lookup_kdc = false
forwardable = yes
udp_preference_limit = 1
default_tkt_enctypes = RC4-HMAC arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tgs_enctypes = RC4-HMAC arcfour-hmac-md5 des-cbc-crc des-cbc-md5
[realms]
DOMAIN.INT= {
kdc = server.domain.int
admin_server = server.domain.int
default_domain = DOMAIN.INT
}
[domain_realm]
.domain.int = DOMAIN.INT 
domain.int = DOMAIN.INT
- Create the Service Principal Name (SPN): You perform this task to create an SPN and associate it with a user. The following procedure includes an example user named testuser. The Oracle Access Manager server is deployed on a machine named JDEDEVWEB.DOMAIN.INT1.

- Run ktpass to create the service principal name and associate it with this user:

ktpass -princ HTTP/JDEDEVWEB.domain.int@domain.int -mapuser JDE -pass ******** -crypto ALL -out C:\TEMP\keytab.service

- Copy the newly created keytab.services file to the machine on which the NG server is running (D:\OracleSSO\Oracle_WT1\instances\ssoinstance\tmp)

- Obtain the Kerberos Ticket
You use the klist and kinit command to obtains the master Kerberos ticket that you use to get tickets for other services (from JDK_HOME/bin):

klist -k -t -K -e FILE:D:\OracleSSO\Oracle_WT1\instances\ssoinstance\tmp\keytab.service

kinit -J-Dsun.security.krb5.debug=true -k –t D:\OracleSSO\Oracle_WT1\instances\ssoinstance\tmp\keytab.service

output:

D:\Java\jrockit-jdk1.6.0_24-R28.1.3-4.0.1\bin>java.exe -Dsun.security.krb5.debug
=true sun.security.krb5.internal.tools.Kinit -k -t D:\OracleSSO\Oracle_WT1\insta
nces\ssoinstance\tmp\keytab.service HTTP/JDEDEVWEB.DOMAIN.INT@DOMAIN.INT
>>>KinitOptions cache name is C:\Users\admin_jde\krb5cc_admin_jde
Principal is HTTP/JDEDEVWEB.DOMAIN.INT@DOMAIN.INT
>>> Kinit using keytab
>>> Kinit keytab file name: D:\OracleSSO\Oracle_WT1\instances\ssoinstance\tmp\keytab.service

>>> KeyTabInputStream, readName(): domain.int
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): JDEDEVWEB.domain.int
>>> KeyTab: load() entry length: 69; type: 1
>>> KeyTabInputStream, readName(): domain.int
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): JDEDEVWEB.domain.int
>>> KeyTab: load() entry length: 69; type: 3
>>> KeyTabInputStream, readName(): domain.int
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): JDEDEVWEB.domain.int
>>> KeyTab: load() entry length: 77; type: 23
>>> KeyTabInputStream, readName(): domain.int
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): JDEDEVWEB.domain.int
>>> KeyTab: load() entry length: 93; type: 18
>>> KeyTabInputStream, readName():domain.int
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): JDEDEVWEB. domain.int
>>> KeyTab: load() entry length: 77; type: 17
Added key: 17version: 5
Found unsupported keytype (18) for HTTP/JDEDEVWEB.DOMAIN.INT@DOMAIN.INT
Added key: 23version: 5
Added key: 3version: 5
Added key: 1version: 5
Ordering keys wrt default_tkt_enctypes list
Config name: C:\Windows\krb5.ini
default etypes for default_tkt_enctypes: 23 23 1 3.
0: EncryptionKey: keyType=23 kvno=5 keyValue (hex dump)=
0000: 14 1A E0 A1 B5 48 37 8C   AC BD EF DA 1A F4 C5 C8  .....H7.........

1: EncryptionKey: keyType=1 kvno=5 keyValue (hex dump)=
0000: A7 0E AE 1F 1A B0 9E A4

2: EncryptionKey: keyType=3 kvno=5 keyValue (hex dump)=
0000: A7 0E AE 1F 1A B0 9E A4

>>> Kinit realm name is DOMAIN.INT
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for JDEDEVWEB are:

        JDEDEVWEB/172.16.1.62
IPv4 address

        JDEDEVWEB/fe80:0:0:0:a141:c1bc:6745:a7a5%23
IPv6 address
default etypes for default_tkt_enctypes: 23 23 1 3.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> Kinit: sending as_req to realm DOMAIN.INT
>>> KrbKdcReq send: kdc=dedale. domain.int TCP:88, timeout=30000, number of re
tries =3, #bytes=217
>>>DEBUG: TCPClient reading 290 bytes
>>> KrbKdcReq send: #bytes read=290
>>> KrbKdcReq send: #bytes read=290
>>> KdcAccessibility: remove dedale. domain.int
>>> reading response from kdc
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Fri Jun 14 12:17:09 CEST 2013 1371205029000
         suSec is 619898
         error code is 25
         error Message is Additional pre-authentication required
         realm is DOMAIN.INT
         sname is krbtgt/ DOMAIN.INT
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23
>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16
>>>Pre-Authentication Data:
         PA-DATA type = 15
Kinit: PREAUTH FAILED/REQ, re-send AS-REQ
>>>KrbAsReq salt is DOMAIN.INTHTTPJDEDEVWEB. DOMAIN.INT
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> Kinit: sending as_req to realm DOMAIN.INT
>>> KrbKdcReq send: kdc=server.domain.int TCP:88, timeout=30000, number of re
tries =3, #bytes=293
>>>DEBUG: TCPClient reading 1634 bytes
>>> KrbKdcReq send: #bytes read=1634
>>> KrbKdcReq send: #bytes read=1634
>>> KdcAccessibility: remove server.domain.int
>>> reading response from kdc
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/JDEDEVWEB.DOMAIN.INT
New ticket is stored in cache file C:\Users\admin_jde\krb5cc_admin_jde
Follow the steps below in the OAM Administration console:

- Configure User Identity Store:





- Modify the Kerberos Module by browsing to System Configuration --> Access Manager --> Authentication Modules --> Kerberos Authentication Module --> Kerberos. Set required parameters as per your environment configuration. :

* Fichier de clés: D:\OracleSSO\Oracle_WT1\instances\ssoinstance\tmp\keytab.service
* Principal  : HTTP/JDEDEVWEB.DOMAIN.INT@DOMAIN.INT
* Fichier de configuration KRB  : D:\OracleSSO\Oracle_WT1\instances\ssoinstance\tmp\krb5.ini

 - Configure Authentification Policy for EntrepriseOne










- Enabling the Browser to Return Kerberos Tokens

To enable Kerberos tokens in Internet Explorer
1. On a Windows host in the Active Directory domain, sign in as a domain user.
2. Open the Internet Explorer browser.
3. From the Tools menu, click Internet Options, click Security, click Local Intranet,
click Advanced.
4. On the Advanced tab, Security section, check the box beside Enable Integrated
Windows Authentication, and click OK.
5. Add Oracle Access Manager CC host or domain name to Local Intranet zone: http://jdedevweb:7777 & http:// jdedevweb:14100).
6. Restart the Internet Explorer browser so the change takes effect.

To enable Kerberos tokens in Mozilla Firefox
1. Point the browser to about:config.
2. Add Oracle Access Manager CC host or domain name under
network.negotiate-auth.trusted-uris. Use the format
network.negotiate-auth.trusted-uris=http://mynode.myhost:myport
For instance for jdedevweb, you have to enter network.negotiate-auth.trusted-uris=http://gvajdepoc4:14100


You can now use URL: http://jdedevweb:7777/jde to login to your JD Edwards application, it will use your Windows PC login to log you in straight into JDE (Your Windows PC account will need to be created as a JDE user first…)


MM

3 commentaires:

  1. Hi MM,

    We are facing issue to setup SSO and we want to go as same way which you followed cause same requirements

    Please can you provide any details documents if possible ?
    Also please let me know exact version of software components which you used i.e it was all 32-bits or 64-bits or mixed

    Thanks

    RépondreSupprimer
  2. Nice post at all.. thank for nice sharing
    https://www.ssogen.com

    RépondreSupprimer