IBM Support

Configuring single sign-on for IBM Content Navigator by using SPNEGO/Kerberos on Oracle WebLogic Server

Product Documentation


Abstract

This document contains instructions for configuring single sign-on (SSO) for IBM Content Navigator by using SPNEGO/Kerberos on Oracle WebLogic Server.

Note:
The steps described in this document should be considered as guidance only. The steps might be different in your environment and you might have to modify them depending on your requirements. Consult your administrator for your environmental modifications.

Content

To configure single sign-on integration between SPNEGO/Kerberos and IBM Content Navigator, follow these steps:

  1. Configure your SSO environment for Oracle WebLogic Server.
  2. Verify your SSO configuration for Oracle WebLogic Server.
  3. Configure and deploy IBM Content Navigator with SPNEGO/Kerberos.
  4. Verify your deployment of IBM Content Navigator with SPNEGO/Kerberos.
  5. Additional configurations for IBM Content Manager OnDemand Repositories with Single Sign-on.

Step 1 - Configure your SSO environment for Oracle WebLogic Server

Before you configure single sign-on for SPNEGO/Kerberos for IBM Content Navigator, you must configure your WebLogic application server for SPNEGO/Kerberos. Oracle WebLogic Documentation covers these common steps. Refer to your version of WebLogic documentation for further details.


Remember: You must use Windows Active Directory as your directory service to use SPNEGO/Kerberos.

Prerequisites
Complete the following tasks before you configure your SSO environment:

  • Configure your Active Directory domain and configure all of the client workstations as members of the same domain as your Active Directory server. If you have a more complex configuration, you can configure the client workstations as members of a different domain. However, you must cross-certify the servers.
  • Install the appropriate version of Oracle WebLogic Server for your version of IBM Content Navigator and create a WebLogic Server domain.
    Important: Session replication is required for failover support in a SPNEGO/Kerberos environment. If you do not enable session replication, users cannot sign into IBM Content Navigator when there is a failover to another node in the cluster.
  • Install and configure repositories for IBM Content Navigator such as IBM FileNet P8 Content Platform Engine or IBM Content Manager OnDemand. For more information, see relevant repository product documentation.

For more information, see the Hardware and software requirements for IBM Content Navigator for your installed version of IBM Content Navigator.

Procedure
Complete the appropriate task for your environment:

  •   Configure SSO on a single server system.
  •   Configure SSO on a highly available cluster system.

Configure SSO on a single server system

Single sign-on configuration differs between versions of WebLogic Server. Refer to the Oracle WebLogic documentation for your version. For example, for WebLogic Server 12.2.1.3 follow the instructions in the section "Configuring Single Sign-On with Microsoft Clients".

Configure SSO on a highly available cluster system

For a highly available clustered system, follow the same steps as for a single server environment with one exception: create the SPN for the web server (load balancer server) instead of for the WebLogic server.

NOTE:
Single sign-on configuration steps might differ between versions of WebLogic. Make sure that you follow the configuration steps described in the Oracle WebLogic documentation for your version.

The following configuration steps are guidelines only, based on Oracle WebLogic Server 12.2.1.3.
When you create a Kerberos identification for WebLogic Server, make the following modifications to the documented instructions:


Step 2 - Verify your SSO configuration of Oracle WebLogic Server

To verify that SPNEGO/Kerberos is configured correctly for WebLogic Server, refer to the WebLogic documentation, for example the section "Verifying Configuration of SSO with Microsoft Clients".
Verify:

  • Your client workstation is configured to use Windows Integrated Authentication. Log in to the client workstation as a Windows domain (LDAP) user.
  • The browser has been configured to use Windows Integrated Authentication.

Step 3 - Configure and deploy IBM Content Navigator with Kerberos/SPNEGO

After you configure your environment for SSO, you can install and deploy IBM Content Navigator. Refer to IBM Content Navigator Installation instructions in Knowledge Center.

Prerequisites
Complete all tasks in the Installing IBM Content Navigator section of the Knowledge Center. Install the IBM Content Navigator software, but do not configure or deploy the IBM Content Navigator web application.


Procedure
To configure IBM Content Navigator for SSO by using Kerberos/SPNEGO:

  1. Run the IBM Content Navigator Configuration and Deployment Tool and create a new deployment profile for Oracle WebLogic Server.
  2. Run all of the configuration and deployment tasks that apply to your system. For more information, see the Configuring and deploying IBM Content Navigator section in the IBM Content Navigator Knowledge Center.

    NOTE: When you run the Configure the IBM Content Navigator Web Application task, ensure that you select Application server authentication for the IBM Content Navigator authentication option. This option configures IBM Content Navigator for SPNEGO/Kerberos.
  3. Add the following entry to the krb5Login.conf file:

    Navigator {
        weblogic.security.auth.login.UsernamePasswordLoginModule required authOnLogin=true;
    };

    Highly available cluster systems: Update the krb5Login.conf file on each IBM Content Navigator node in the cluster.
  4. Restart the application server where IBM Content Navigator is deployed.
    Highly available cluster systems: Restart WebLogic on each node in the cluster.


Step 4 - Verifying deployment of IBM Content Navigator with SPNEGO/Kerberos SSO

To verify that IBM Content Navigator was successfully deployed in your SPNEGO/Kerberos SSO environment, log in to a client workstation as a domain user who has access to an IBM Content Navigator desktop, then enter the following URL in your web browser and confirm that you are not prompted for any additional login credentials:
For a single server system, enter
 http://<fully_qualified_IBM_Content_Navigator_server_name>:<port>/navigator
For an HA system, enter
 http://<fully_qualified_HTTP_Server_name>/navigator
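The browser test above is the authoritative check, because only a domain-joined client can complete the Kerberos exchange. A script running without a ticket can still confirm the server side of the configuration: WebLogic should answer such a client with HTTP 401 and a "WWW-Authenticate: Negotiate" challenge, while a redirect to a login page or a Basic challenge indicates that application server authentication or SPNEGO is not in effect. The following script is an added example, not part of the IBM document; the URL, the verdict strings and the check_navigator function name are assumptions made here, and the sample headers in the docstring are constructed.

```python
"""Classify what an IBM Content Navigator URL answers to a client with no ticket.

Added example, not from the IBM document. Expected outcomes:
  401 + "WWW-Authenticate: Negotiate"  -> WebLogic offers SPNEGO (server side OK)
  200                                  -> ticket accepted, or URL not protected
  302 to a login page                  -> form login still active on the app
  401 + "Basic"                        -> server fell back to Basic, not SPNEGO
"""
import urllib.error
import urllib.request


def classify_sso_response(status, headers):
    """Map an HTTP status and its headers (list of (name, value) pairs)
    to a short verdict about the SPNEGO configuration."""
    challenges = [v.strip().lower() for n, v in headers
                  if n.lower() == "www-authenticate"]
    location = next((v for n, v in headers if n.lower() == "location"), "")

    if status == 200:
        # Either a valid ticket was presented or the URL is unprotected.
        return "ok: no additional credentials requested"
    if status == 401:
        # A Negotiate challenge may carry a token: "Negotiate <base64>".
        if any(c.startswith("negotiate") for c in challenges):
            return "spnego offered: server issues a Negotiate challenge"
        if any(c.startswith("basic") for c in challenges):
            return "fallback: server asks for Basic credentials, not SPNEGO"
        return "unauthorized without a Negotiate challenge"
    if status in (301, 302, 303, 307, 308):
        # A redirect to a login page means form login is likely still configured.
        return "redirect to %s: form login likely still configured" % location
    return "unexpected status %d" % status


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface redirects as HTTPError instead of silently following them,
    so that a redirect to a login page is visible to the caller."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_navigator(url, timeout=10):
    """Request the Navigator URL from Step 4 without any Kerberos ticket and
    classify the answer. 'url' is a placeholder such as
    http://<server>:<port>/navigator (hypothetical, supplied by the caller)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify_sso_response(resp.status, list(resp.headers.items()))
    except urllib.error.HTTPError as err:
        # urllib raises for 3xx (because of _NoRedirect) and 4xx/5xx alike.
        return classify_sso_response(err.code, list(err.headers.items()))


if __name__ == "__main__":
    import sys
    # Usage: python check_spnego.py http://<server>:<port>/navigator
    print(check_navigator(sys.argv[1]))
```

A "spnego offered" verdict only proves that WebLogic is issuing the challenge; whether the client workstation and browser can complete it is what the browser test from a domain-joined workstation verifies.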

Step 5 - Additional configurations for IBM Content Manager OnDemand Repositories with SSO

If you plan to connect to an IBM Content Manager OnDemand repository from a Content Navigator desktop that is configured with Kerberos SSO and want to avoid an additional login to that repository, you must configure the Content Manager OnDemand server for SSO. Refer to the following Tech Note for configuration details:
https://www-01.ibm.com/support/docview.wss?uid=ibm10713479

Limitation

The following limitation applies to the IBM Edit Service client.

If the Edit Service client is installed with the "for all users" option on a shared workstation and single sign-on is configured, only one user can run the Edit Service client at a time. The Edit Service client uses a single workstation port (13553) to process requests. If additional users run the Edit Service client on the same workstation at the same time, a different port is assigned to each user's session, and the processing of documents fails.

If a user encounters problems processing documents, ensure all other users on the same workstation stop their instance of the Edit Service client.
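Because the failure shows up only as document processing errors, a quick way to confirm this limitation on a shared workstation is to check whether port 13553 is already bound before a user starts the Edit Service client. The following script is an added example, not part of the IBM document or the Edit Service client; the function names are assumptions, and the self-test opens its own throwaway listener to exercise both outcomes.

```python
"""Check whether another Edit Service client already owns port 13553.

Added example, not from the IBM document. The port number is the one the
Limitation section states; everything else is a local, hypothetical helper.
"""
import socket

EDIT_SERVICE_PORT = 13553  # default Edit Service client port from the IBM document


def port_in_use(port, host="127.0.0.1", timeout=0.5):
    """Return True if something accepts TCP connections on host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def edit_service_status(port=EDIT_SERVICE_PORT):
    """Return a one-line message telling the user whether they may start
    the Edit Service client on this workstation."""
    if port_in_use(port):
        return ("port %d is already in use: another user's Edit Service client "
                "is running on this workstation; stop it before starting yours" % port)
    return "port %d is free: the Edit Service client can use its default port" % port


def self_test():
    """Exercise both outcomes with a throwaway local listener (constructed
    test fixture, not a real Edit Service client). Returns (busy, free)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    busy = port_in_use(port)
    listener.close()
    free = port_in_use(port)
    return busy, free


if __name__ == "__main__":
    print(edit_service_status())
```

On a shared workstation the message from edit_service_status() is what a help-desk script would show the second user, who must then wait for the first user's Edit Service client to stop, as the document instructs.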

Troubleshooting

IBM Content Navigator shows the Logout option when you select the drop-down menu on the user name, but does not log out
IBM Content Navigator cannot detect that Kerberos/SPNEGO is in use with Oracle WebLogic Server, so the Logout option is shown but does not log the user out.
To ensure that the Logout option is not available, remove the Logout option from the "Banner user session context menu" type menu that is used by your desktop configuration. See the following Tech Note for details:

IBM Content Navigator known issue: In a SPNEGO/Kerberos single sign-on environment, the IBM Content Navigator log out option is enabled.

Enable security debug logging on your WebLogic server
Add the following JVM options to the startup scripts of your WebLogic server:
-Dweblogic.StdoutDebugEnabled=true
-Dweblogic.log.RedirectStdoutToServerLogEnabled=true
-Dsun.security.spnego.debug=true
-Dweblogic.DebugSecurityAtn=true
-Dsun.security.krb5.debug=true


Document Information

Modified date:
29 May 2020

UID

swg27039118