Thursday, July 11, 2013

SSO Configuration in Documentum 6.7

SSO Configuration

1) User Creation
Create two service accounts in Active Directory: <DocumentumCS> (used by the Content Server) and <DocumentumHTTP> (used by the web application server). On each account check:
Use Kerberos DES encryption types for this account
This account supports Kerberos AES 128 bit encryption.
The DES option is only needed while some client or server component still requests DES; single DES is a broken cipher and Windows 7 / Windows Server 2008 R2 disable it by default (see the Windows 7 note at the end of this post), so clear it once everything works with AES.
2) Create Keytab
Run ktpass on a domain-joined Windows host as a user allowed to modify the two accounts. Note that ktpass with /pass and /mapOp set resets the account password to the value given and registers the SPN on the account, so any keytab created earlier for that account stops working (the key version number changes).
2.1) Keytab used by the Content Server

C:\>ktpass /pass <PWD_CS> -out <repository_name>.0001.keytab -princ CS/<repository_name>@<FQDN> -crypto ALL +DumpSalt -ptype KRB5_NT_PRINCIPAL /mapOp set /mapUser <DocumentumCS>@<FQDN>

Here <FQDN> is the Kerberos realm, written in upper case (the same value called <ABC.ITU.CH> in 2.2).
2.1.1) From AD User Properties, update Delegation for user <DocumentumCS>
check: Trust this user for delegation to any service (Kerberos only)
2.1.2) Copy the keytab to \\<CS_ServerName>\%DOCUMENTUM%\dba\auth\kerberos\<repository_name>.0001.keytab
2.2) Keytab used by all your web applications

C:\>ktpass /pass <PWD_HTTP> -out <DocumentumHTTP>.keytab -princ HTTP/<HTTP_ServerName>.<abc.itu.ch>@<ABC.ITU.CH> -crypto ALL +DumpSalt -ptype KRB5_NT_PRINCIPAL /mapOp set /mapUser <DocumentumHTTP>@<ABC.ITU.CH>

2.2.1) From AD User Properties, update Delegation for user <DocumentumHTTP>
check: Trust this user for delegation to any service (Kerberos only)
2.2.2) Copy the keytab to \\<HTTP_ServerName>\%CATALINA_HOME%\<DocumentumHTTP>.keytab
This path will be named <HTTP_KEYTAB_PATH>.
A keytab contains the account's long-term keys, which is equivalent to its password: restrict each copy to the account the Content Server or application server runs as, and delete the copy left on the host where ktpass ran. "Trust this user for delegation to any service" is unconstrained delegation, so the <DocumentumHTTP> account can impersonate any user who authenticates to it against any service in the domain; treat the account and its keytab as highly privileged.
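Before the keytabs are copied to the servers it is worth checking what ktpass actually wrote. The following script is an added example for this post (it is not Documentum, Microsoft or MIT code): it parses the MIT keytab format that ktpass emits (version 0x0502) the way klist -k would, and checks the principal, kvno and encryption types against what the steps above expect. The sample keytab, the principal CS/repo1@ABC.ITU.CH and the key bytes are constructed for the example; against a real file call parse_keytab(open(path, "rb").read()).

```python
"""Inspect and sanity-check a Kerberos keytab written by ktpass.

Added example for this post, not Documentum, Microsoft or MIT code. Reads the
MIT keytab format (version 0x0502) and applies the checks that matter for the
Documentum setup: expected SPN present, an AES key present, weak enctypes
flagged, one kvno across all entries. The sample keytab is constructed with
dummy key bytes; no real key material is involved.
"""
import struct

# Kerberos enctype numbers (RFC 3961 / RFC 3962 / RFC 4757)
ENCTYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}       # single DES and RC4
AES_ENCTYPES = {17, 18}
KRB5_NT_PRINCIPAL = 1            # the -ptype value used with ktpass


def _counted(s):
    """Encode a counted_octet_string: uint16 length followed by the bytes."""
    b = s if isinstance(s, bytes) else s.encode()
    return struct.pack(">H", len(b)) + b


def build_keytab(principal, realm, keys, kvno=2, timestamp=1373500800):
    """Serialise [(enctype, keybytes), ...] as a 0x0502 keytab (test helper)."""
    components = principal.split("/")
    out = bytearray(b"\x05\x02")
    for enctype, key in keys:
        body = struct.pack(">H", len(components)) + _counted(realm)
        body += b"".join(_counted(c) for c in components)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)          # 32-bit kvno extension field
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return one dict per keytab entry; the key bytes themselves are not kept."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        key, pos = _read_counted(data, pos + 2)
        kvno = vno8
        if end - pos >= 4:                # newer writers append a 32-bit kvno
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        entries.append({"principal": "/".join(comps), "realm": realm.decode(),
                        "name_type": name_type, "kvno": kvno,
                        "enctype": enctype, "key_len": len(key)})
        pos = end
    return entries


def check_keytab(data, expected_principal, expected_realm):
    """Return (errors, warnings) for a Documentum CS or HTTP keytab."""
    entries = parse_keytab(data)
    errors, warnings = [], []
    if not any(e["principal"] == expected_principal and e["realm"] == expected_realm
               for e in entries):
        errors.append("missing principal %s@%s" % (expected_principal, expected_realm))
    enctypes = {e["enctype"] for e in entries}
    if not enctypes & AES_ENCTYPES:
        errors.append("no AES key: account lacks the AES flag in AD or ktpass ran without /crypto ALL")
    weak = sorted(enctypes & WEAK_ENCTYPES)
    if weak:
        warnings.append("weak enctypes present: " + ", ".join(ENCTYPES[e] for e in weak))
    kvnos = sorted({e["kvno"] for e in entries})
    if len(kvnos) > 1:
        errors.append("mixed kvno %s: entries come from different password resets" % kvnos)
    if any(e["name_type"] != KRB5_NT_PRINCIPAL for e in entries):
        warnings.append("name_type is not KRB5_NT_PRINCIPAL")
    return errors, warnings


# Constructed sample mimicking `ktpass /crypto ALL` for CS/repo1@ABC.ITU.CH
SAMPLE_KEYTAB = build_keytab("CS/repo1", "ABC.ITU.CH", [
    (1, b"\x11" * 8), (3, b"\x22" * 8), (23, b"\x33" * 16),
    (17, b"\x44" * 16), (18, b"\x55" * 32),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%s@%s kvno=%d %s" % (e["principal"], e["realm"], e["kvno"],
                                    ENCTYPES.get(e["enctype"], e["enctype"])))
    print(check_keytab(SAMPLE_KEYTAB, "CS/repo1", "ABC.ITU.CH"))
```

A "missing principal" error usually means the -princ value was typed differently from the SPN the browser or Content Server will request (realm case, host name not fully qualified); a mixed-kvno error means two ktpass runs were appended into one file.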
B - From your Web Application Server
Web Application Server: <HTTP_ServerName>
Update the file webapps\<taskspace>\wdk\app.xml:

<!-- Kerberos SSO authentication scheme configuration -->
<kerberos_sso>
<enabled>true</enabled>
<browsers>
<windows>
<ieversions>6.0,7.0,8.0</ieversions>
<firefoxversions>2.0,3.0,3.5</firefoxversions>
</windows>
</browsers>
<!-- Enable login fall back to the DocbaseLogin scheme -->
<docbase_login_fallback>false</docbase_login_fallback>
<!-- Mandatory configuration: the Kerberos realm / domain name; replace ABC.ITU.CH with your realm -->
<domain>ABC.ITU.CH</domain>
</kerberos_sso>

With docbase_login_fallback set to false a browser that cannot present a Kerberos ticket is not offered the username/password form at all. Set it to true while testing so you can still log in, and set it back to false once SSO works so that the password form does not remain as an alternative login path.

Update /etc/krb5.conf on the Linux application server host (the JDK's Kerberos login module reads it) with the following. Realm names are case-sensitive and upper case by convention; DNS domain names are lower case:

[libdefaults]
default_realm = <ABC.ITU.CH>
forwardable = true
ticket_lifetime = 24h
clockskew = 72000
default_tkt_enctypes = aes128-cts des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = aes128-cts des-cbc-md5 des-cbc-crc des3-cbc-sha1
permitted_enctypes = aes128-cts des-cbc-md5 des-cbc-crc des3-cbc-sha1
[realms]
<ABC.ITU.CH> = {
kdc = <AD_ServerName>.<abc.itu.ch>
admin_server = <AD_ServerName>.<abc.itu.ch>
}
[domain_realm]
.<abc.itu.ch> = <ABC.ITU.CH>

forwardable = true is required because the web application forwards the user's credentials on to the Content Server. Two of the other values are troubleshooting crutches rather than production settings: clockskew = 72000 accepts tickets up to 20 hours off the KDC's clock (the MIT default is 300 seconds, and Kerberos relies on tight clocks to reject replayed authenticators), so fix NTP on the hosts instead; and the des-* enctypes should stay in the lists only while a DES-only component remains, since single DES is broken and des3-cbc-sha1 is deprecated (RFC 8429).
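Two of the settings above are easy to get wrong (the [domain_realm] mapping and the enctype lists), so here is a small linter for the krb5.conf subset this post uses. It is an added example for this post, not part of MIT krb5 or Documentum: it parses [libdefaults], [realms] and [domain_realm] and reports weak enctypes, a clockskew above the MIT default, lower-case realm names in the domain mapping, and realms without a KDC. The two embedded configurations are constructed: WEAK_KRB5_CONF is the post's file with placeholders filled in (realm ABC.ITU.CH, KDC ad01.abc.itu.ch) and the original lower-case mapping, HARDENED_KRB5_CONF is the same file with AES only, a 300-second skew and the mapping corrected.

```python
"""Lint the krb5.conf subset used on the Documentum web tier.

Added example for this post; not MIT krb5 or Documentum code. Handles
[libdefaults], [realms] (with brace blocks) and [domain_realm]; include
directives and other sections are not interpreted.
"""
import re

# Single DES is broken; 3DES and RC4 are deprecated by RFC 8429.
WEAK_ENCTYPE_RE = re.compile(r"^(des-|des3-|arcfour|rc4)", re.IGNORECASE)
DEFAULT_CLOCKSKEW = 300          # MIT default, in seconds
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def parse_duration(value):
    """Convert a krb5 duration (72000, 300s, 24h, 1d2h) to seconds."""
    if value.isdigit():
        return int(value)
    units = {"d": 86400, "h": 3600, "m": 60, "s": 1}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([dhms])", value.lower()))


def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; realm blocks become nested dicts."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = sections.setdefault(header.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError("setting outside any section: %r" % raw)
        if line.endswith("{"):                    # e.g. "ABC.ITU.CH = {"
            name = line[:-1].split("=", 1)[0].strip()
            block = section.setdefault(name, {})
            continue
        if line == "}":
            block = None
            continue
        key, _, value = line.partition("=")
        target = block if block is not None else section
        target.setdefault(key.strip(), []).append(value.strip())
    return sections


def lint_krb5_conf(text):
    """Return a list of findings; an empty list means the file passes."""
    conf = parse_krb5_conf(text)
    lib = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    findings = []
    for key in ENCTYPE_KEYS:
        for value in lib.get(key, []):
            weak = [e for e in value.split() if WEAK_ENCTYPE_RE.match(e)]
            if weak:
                findings.append("%s lists weak enctypes: %s" % (key, " ".join(weak)))
    for value in lib.get("clockskew", []):
        secs = parse_duration(value)
        if secs > DEFAULT_CLOCKSKEW:
            findings.append("clockskew %s = %ds exceeds the %ds default; fix NTP instead"
                            % (value, secs, DEFAULT_CLOCKSKEW))
    for name, block in realms.items():
        if name != name.upper():
            findings.append("realm %s is not upper-case" % name)
        if not block.get("kdc"):
            findings.append("realm %s has no kdc" % name)
    for domain, targets in conf.get("domain_realm", {}).items():
        for target in targets:
            if target != target.upper():
                findings.append("domain_realm %s -> %s: realm must be upper-case" % (domain, target))
            elif target not in realms:
                findings.append("domain_realm %s -> %s: realm not in [realms]" % (domain, target))
    for default_realm in lib.get("default_realm", []):
        if default_realm not in realms:
            findings.append("default_realm %s not in [realms]" % default_realm)
    return findings


# Constructed from the post's configuration with its placeholders filled in.
WEAK_KRB5_CONF = """
[libdefaults]
default_realm = ABC.ITU.CH
forwardable = true
ticket_lifetime = 24h
clockskew = 72000
default_tkt_enctypes = aes128-cts des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = aes128-cts des-cbc-md5 des-cbc-crc des3-cbc-sha1
permitted_enctypes = aes128-cts des-cbc-md5 des-cbc-crc des3-cbc-sha1
[realms]
ABC.ITU.CH = {
kdc = ad01.abc.itu.ch
admin_server = ad01.abc.itu.ch
}
[domain_realm]
.abc.itu.ch = abc.itu.ch
"""

# Same file hardened: AES only, default skew, mapping to the upper-case realm.
HARDENED_KRB5_CONF = (WEAK_KRB5_CONF
    .replace("clockskew = 72000", "clockskew = 300")
    .replace("aes128-cts des-cbc-md5 des-cbc-crc des3-cbc-sha1", "aes256-cts aes128-cts")
    .replace(".abc.itu.ch = abc.itu.ch", ".abc.itu.ch = ABC.ITU.CH"))

if __name__ == "__main__":
    for label, conf in (("post's krb5.conf", WEAK_KRB5_CONF), ("hardened", HARDENED_KRB5_CONF)):
        print(label, "->", lint_krb5_conf(conf) or "no findings")
```

Run against the post's file the linter reports five findings (three enctype lists, the clockskew, and the lower-case realm in [domain_realm]); the hardened variant reports none.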

Tracing

To collect additional trace from the WDK application:
1. Edit the following entries in <web-app-root>/WEB-INF/classes/log4j.properties:
log4j.rootCategory=ERROR, file
log4j.category.MUTE=OFF
# Enable trace messages from WDK:
log4j.logger.com.documentum.web=DEBUG
# stdout is a ConsoleAppender that uses a PatternLayout:
log4j.appender.stdout.threshold=ERROR
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d{ABSOLUTE} %5p [%t] %c - %m%n
# file is a FileAppender that uses a PatternLayout:
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=/tmp/wdktrace.log
log4j.appender.file.MaxFileSize=10500KB
log4j.appender.file.MaxBackupIndex=10
log4j.appender.file.layout=org.apache.log4j.PatternLayout
log4j.appender.file.layout.ConversionPattern=[%d{ISO8601}|%-5p|%-22t|%C|%M|%-4L] %m%n

This sends the trace to the "/tmp/wdktrace.log" file. At DEBUG level com.documentum.web logs request and session details, so treat the file as sensitive and restore the original log level once the investigation is done.

2. Edit the <web-app-root>/WEB-INF/classes/com/documentum/debug/TraceProp.properties file and set the following parameters:
- SESSIONENABLEDBYDEFAULT to true
- SESSION to true
- SESSIONHANDLE to true
3. Restart the application server.
4. Clear the browser cache.
5. Start the browser and log in to the WDK-based application.


Debugging

java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
This exception comes from JBoss's UsersRolesLoginModule, i.e. the web application is still authenticating through the default security domain instead of the Kerberos login module, so JBoss is not configured correctly for Kerberos SSO authentication. To diagnose, collect:
- login-config.xml from the JBoss Application Server
- the JAVA_OPTS used to start JBoss 4.3 EAP
- the krb5.conf file from the application server host

Additionally, enable the authentication trace on the Content Server and reproduce the issue:
API> apply,c,NULL,SET_OPTIONS,OPTION,S,trace_authentication,VALUE,B,T
Reproduce the issue, then switch the trace off again:
API> apply,c,NULL,SET_OPTIONS,OPTION,S,trace_authentication,VALUE,B,F
Then attach the repository (docbase) log with the authentication trace inside.

On Windows 7 clients you also need to enable the network security setting described in the EMC white paper docu33143_White-Paper--EMC-Documentum-Kerberos-SSO-Authentication-—-A-Detailed-Review.pdf (Windows 7 and Windows Server 2008 R2 disable the DES Kerberos encryption types by default, so they must be allowed explicitly if DES is still in use).

Patch08 must be applied on the Content Server to resolve the issue between user_name and user_login_name.

1 comment:

  1. Hi, have you ever done Kerberos SSO on HTTPS? Need help in my project.