Product Documentation
Abstract
This document contains instructions for configuring single sign-on (SSO) for IBM Content Navigator by using SPNEGO/Kerberos on Oracle WebLogic Server.
Note:
The steps described in this document should be considered as guidance only. The steps might be different in your environment and you might have to modify them depending on your requirements. Consult your administrator for your environmental modifications.
Content
To configure single sign-on integration between SPNEGO/Kerberos and IBM Content Navigator, follow these steps:
- Configure your SSO environment for Oracle WebLogic Server.
- Verify your SSO configuration for Oracle WebLogic Server.
- Configure and deploy IBM Content Navigator with SPNEGO/Kerberos.
- Verify your deployment of IBM Content Navigator with SPNEGO/Kerberos.
- Additional configurations for IBM Content Manager OnDemand Repositories with Single Sign-on.
Step 1 - Configure your SSO environment for Oracle WebLogic Server
Before you configure single sign-on for SPNEGO/Kerberos for IBM Content Navigator, you must configure your WebLogic application server for SPNEGO/Kerberos. Oracle WebLogic Documentation covers these common steps. Refer to your version of WebLogic documentation for further details.
Remember: You must use Windows Active Directory as your directory service to use SPNEGO/Kerberos.
Prerequisites
Complete the following tasks before you configure your SSO environment:
- Configure your Active Directory domain and configure all of the client workstations as members of the same domain as your Active Directory server. If you have a more complex configuration, you can configure the client workstations as members of a different domain. However, you must cross-certify the servers.
- Install the appropriate version of Oracle WebLogic Server for your version of IBM Content Navigator and create a WebLogic Server domain.
Important: Session replication is required for failover support in a SPNEGO/Kerberos environment. If you do not enable session replication, users cannot sign in to IBM Content Navigator when there is a failover to another node in the cluster.
- Install and configure repositories for IBM Content Navigator, such as IBM FileNet P8 Content Platform Engine or IBM Content Manager OnDemand. For more information, see the relevant repository product documentation.
For more information, see the Hardware and software requirements for IBM Content Navigator for your installed version of IBM Content Navigator.
Procedure
Complete the appropriate task for your environment:
- Configure SSO on a single server system.
- Configure SSO on a highly available cluster system.
Configure SSO on a single server system
Single sign-on configuration differs between versions of WebLogic Server. Refer to the Oracle WebLogic documentation for your version. For example, for WebLogic version 12.2.1.3, follow the instructions in the section Configuring Single Sign-On with Microsoft Clients.
Configure SSO on a highly available cluster system
For a highly available clustered system, follow the same steps as for a single server environment, with one exception: create the SPN for the web server (load balancer server) instead of creating the SPN for the WebLogic server.
NOTE:
Single sign-on configuration steps might differ between versions of WebLogic. Make sure that you follow the configuration steps described in the Oracle WebLogic documentation that applies to your version.
The following configuration steps are just guidelines based on Oracle WebLogic version 12.2.1.3.
When you create a Kerberos identification for WebLogic Server, make the following modifications to the documented instructions:
- Step 1: Create a User Account for the Host Computer: create a user account for the load balancer rather than for the host computer on which WebLogic Server runs.
- Step 2: Configure the User Account to Comply with Kerberos: configure the load balancer user account as documented.
- Step 3: Define a Service Principal Name and Create a Keytab for the Service: create the Service Principal Name (SPN) for the load balancer account that you created in step 1.
- Step 4: Verify Correct Setup.
- Step 5: Update Default JDK Security Policy Files (optional): applies only if you use AES-256 encryption.
Step 2 - Verify your SSO configuration of Oracle WebLogic Server
To verify that SPNEGO/Kerberos is configured correctly for WebLogic Server, refer to the WebLogic documentation, for example, Verifying Configuration of SSO with Microsoft Clients.
Verify that:
- Your client workstation is configured to use Windows Integrated Authentication, and you are logged in to the client workstation as a Windows domain (LDAP) user.
- The browser has been configured to use Windows Integrated Authentication.
Step 3 - Configure and deploy IBM Content Navigator with Kerberos/SPNEGO
After you configure your environment for SSO, you can install and deploy IBM Content Navigator. Refer to the IBM Content Navigator installation instructions in Knowledge Center.
Prerequisites
Complete all tasks in the Installing IBM Content Navigator section of Knowledge Center. Install the IBM Content Navigator software, but do not configure or deploy the IBM Content Navigator web application.
Procedure
To configure IBM Content Navigator for SSO by using Kerberos/SPNEGO:
- Run the IBM Content Navigator Configuration and Deployment Tool and create a new deployment profile for Oracle WebLogic Server.
- Run all of the configuration and deployment tasks that apply to your system. For more information, see the Configuring and deploying IBM Content Navigator section in the IBM Content Navigator Knowledge Center.
NOTE: When you run the Configure the IBM Content Navigator Web Application task, ensure that you select Application server authentication for the IBM Content Navigator authentication option. This option configures IBM Content Navigator for SPNEGO/Kerberos.
- Add the following entry to the krb5Login.conf file:
Navigator {
weblogic.security.auth.login.UsernamePasswordLoginModule required authOnLogin=true;
};
Highly available cluster systems: Update the krb5Login.conf file on each IBM Content Navigator node in the cluster.
- Restart the application server where IBM Content Navigator is deployed.
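The following script is an added example, not code from IBM or Oracle, for checking that the Navigator entry above is present and correct in a krb5Login.conf file. It parses the JAAS login-configuration syntax (entry name, braces, one or more login module statements with a control flag and options) and reports anything missing from the Navigator entry, so on a highly available cluster it can be run against the file from every node before the restart. The embedded sample configuration is constructed for the example: the Kerberos acceptor entry, its principal, realm and keytab path are illustrative, and only the Navigator entry is taken from the step above.

```python
"""Check that a krb5Login.conf contains the IBM Content Navigator JAAS entry.
Added example; not IBM or Oracle code."""
import re
import sys
from dataclasses import dataclass, field

NAVIGATOR_ENTRY = "Navigator"
REQUIRED_MODULE = "weblogic.security.auth.login.UsernamePasswordLoginModule"
VALID_FLAGS = {"required", "requisite", "sufficient", "optional"}

# Constructed sample file (not copied from product documentation). The Kerberos
# entry is illustrative; its principal, realm and keytab path are made up.
SAMPLE_CONF = """\
// Kerberos acceptor entry used by the WebLogic Negotiate Identity Asserter (illustrative)
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/lb.example.com@EXAMPLE.COM" useKeyTab=true
    keyTab="/opt/keytabs/example.keytab" storeKey=true;
};

Navigator {
    weblogic.security.auth.login.UsernamePasswordLoginModule required authOnLogin=true;
};
"""


@dataclass
class LoginModule:
    module_class: str
    control_flag: str
    options: dict = field(default_factory=dict)


# entry: name { ... };   option: key=value, key="value" or key='value'
_BLOCK_RE = re.compile(r"(\S+)\s*\{(.*?)\}\s*;", re.S)
_OPTION_RE = re.compile(r'([\w.]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))')


def parse_jaas_config(text):
    """Parse JAAS login-configuration text into {entry_name: [LoginModule, ...]}."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)     # block comments
    text = re.sub(r"^\s*//[^\n]*", "", text, flags=re.M)  # whole-line // comments
    config = {}
    for block in _BLOCK_RE.finditer(text):
        name, body = block.group(1), block.group(2)
        modules = []
        for stmt in body.split(";"):
            stmt = stmt.strip()
            if not stmt:
                continue
            parts = stmt.split(None, 2)  # class, flag, [options]
            if len(parts) < 2 or parts[1].lower() not in VALID_FLAGS:
                raise ValueError(f"malformed login module statement in {name!r}: {stmt!r}")
            options = {}
            if len(parts) == 3:
                for m in _OPTION_RE.finditer(parts[2]):
                    options[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)
            modules.append(LoginModule(parts[0], parts[1].lower(), options))
        config[name] = modules
    return config


def check_navigator_entry(config):
    """Return a list of problems with the Navigator entry; empty means it is correct."""
    modules = config.get(NAVIGATOR_ENTRY)
    if modules is None:
        return [f"no {NAVIGATOR_ENTRY!r} entry found"]
    matching = [m for m in modules if m.module_class == REQUIRED_MODULE]
    if not matching:
        return [f"{NAVIGATOR_ENTRY!r} entry does not reference {REQUIRED_MODULE}"]
    problems = []
    mod = matching[0]
    if mod.control_flag != "required":
        problems.append(f"control flag is {mod.control_flag!r}, expected 'required'")
    if mod.options.get("authOnLogin", "").lower() != "true":
        problems.append("authOnLogin=true is missing")
    return problems


def check_file(path):
    with open(path, encoding="utf-8") as fh:
        return check_navigator_entry(parse_jaas_config(fh.read()))


if __name__ == "__main__":
    # Pass one krb5Login.conf per cluster node; exit non-zero if any file is wrong.
    paths = sys.argv[1:]
    if not paths:
        print("sample config:", check_navigator_entry(parse_jaas_config(SAMPLE_CONF)) or "OK")
        sys.exit(0)
    failed = False
    for path in paths:
        problems = check_file(path)
        print(f"{path}: {'OK' if not problems else '; '.join(problems)}")
        failed = failed or bool(problems)
    sys.exit(1 if failed else 0)
```

Run it with no arguments to check the embedded sample, or with the path of each node's krb5Login.conf; a non-zero exit means at least one node still needs the entry.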
Step 4 - Verify your deployment of IBM Content Navigator with SPNEGO/Kerberos SSO
To verify the deployment, log in to a client workstation as a Windows domain user and open IBM Content Navigator in the browser at one of the following URLs. Use the first URL for a single server system and the second URL, which points to the HTTP server (load balancer), for a highly available cluster system. With a working SSO configuration, the desktop opens without prompting for credentials.
http://<fully_qualified_IBM_Content_Navigator_server_name>:<port>/navigator
http://<fully_qualified_HTTP_Server_name>/navigator
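As an added, non-interactive complement to opening the URL in a browser (example code, not IBM's), the script below sends one unauthenticated GET to the Navigator URL and classifies the server's answer. When SPNEGO is in effect, the server answers an unauthenticated request with 401 and a WWW-Authenticate: Negotiate header, which a browser on a domain-joined workstation completes automatically; a Basic or NTLM-only challenge, a redirect to a login form, or a 200 without any challenge means the SPNEGO protection is not in place on that URL. The hostname in the default target is a placeholder, and the classifier is exercised on constructed responses.

```python
"""Probe the IBM Content Navigator URL for the SPNEGO challenge.
Added example; not IBM code. The default target hostname is a placeholder."""
import sys
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Keep the 3xx response instead of following it so redirects are reported as such.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify_auth_challenge(status, headers):
    """Classify the first unauthenticated response.

    headers is an iterable of (name, value) pairs, as HTTPMessage.items() returns.
    """
    schemes = set()
    for name, value in headers:
        if name.lower() != "www-authenticate":
            continue
        # one header may list several schemes, e.g. "Negotiate, NTLM"
        for part in value.split(","):
            token = part.strip().split(" ", 1)[0]
            if token:
                schemes.add(token.lower())
    if status == 401 and "negotiate" in schemes:
        return "spnego-challenge"   # server offers Kerberos/SPNEGO
    if status == 401:
        return "other-challenge"    # Basic or NTLM only: SPNEGO not in effect
    if 300 <= status < 400:
        return "redirect"           # e.g. sent to a form login page
    if status == 200:
        return "no-challenge"       # served without any authentication
    return "unexpected"


def probe(url, timeout=10):
    """Send one unauthenticated GET to url and classify the response."""
    req = urllib.request.Request(url, headers={"User-Agent": "icn-sso-check"})
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_auth_challenge(resp.status, resp.headers.items())
    except urllib.error.HTTPError as err:
        # 401 and unfollowed 3xx responses arrive here, with their headers
        return classify_auth_challenge(err.code, err.headers.items())


if __name__ == "__main__":
    # placeholder host and port; pass the real Navigator URL as the first argument
    target = sys.argv[1] if len(sys.argv) > 1 else "http://icn.example.com:9080/navigator"
    print(target, "->", probe(target))
```

For a highly available cluster, run it against the HTTP server (load balancer) URL, because that is the name the SPN was created for; probing an individual node by its own hostname is expected to fail the Kerberos exchange even when the configuration is correct.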
Step 5 - Additional configurations for IBM Content Manager OnDemand Repositories with SSO
If you plan to connect to an IBM Content Manager OnDemand repository from an IBM Content Navigator desktop that is configured with Kerberos SSO, and you want to avoid an additional login to that repository, you must configure the Content Manager OnDemand server for SSO. Refer to the following Tech Note for further configuration details:
https://www-01.ibm.com/support/docview.wss?uid=ibm10713479
Limitation
The following limitation applies to the IBM Edit Service client.
If the Edit Service client is installed with the "for all users" option on a shared workstation and single sign-on is configured, only one user can run the Edit Service client at a time. The Edit Service client uses a single workstation port (13553) to process requests. If additional users run the Edit Service client on the same workstation at the same time, a different port is assigned to each user's session, and the processing of documents fails.
If a user encounters problems processing documents, ensure all other users on the same workstation stop their instance of the Edit Service client.
Troubleshooting
IBM Content Navigator shows the Logout option when you select the drop-down menu on the user name but does not log out
IBM Content Navigator cannot detect when Kerberos/SPNEGO is used with Oracle WebLogic Server, so the Logout option is still displayed even though logging out is not possible.
To ensure that the Logout option is not available, remove the Logout option from the "Banner user session context menu" type menu that is used by your desktop configuration. See the following Tech Note for details.
To collect debug information for Kerberos/SPNEGO authentication problems, add the following Java system properties to the WebLogic Server startup options and restart the server. The first property redirects standard output to the server log, the second enables WebLogic security authentication debugging, and the third enables JDK Kerberos debugging. Remove the properties after troubleshooting, because the debug output is verbose:
-Dweblogic.log.RedirectStdoutToServerLogEnabled=true
-Dweblogic.DebugSecurityAtn=true
-Dsun.security.krb5.debug=true
Document Information
Modified date: 29 May 2020
UID: swg27039118