
Deep dive into various configurations with Oracle Weblogic Server

Steps to configure Kerberos / SPNEGO / NTLM authentication with Weblogic Server running on IBM JDK (AIX machine)

Puneeth Prakash
Principal Software Engineer

AD Machine (Windows Server 2012 R2) used in this configuration is : slads.slab.bea.com 

WLS 10.3.6 is installed on AIX 6.1 : celbealnx4.us.oracle.com

kerberos_aix is the user created in AD which will represent the weblogic server machine.

 ***************************** 

Step 1 :

- Create a new user, say "kerberos_aix", on AD that will represent your WebLogic Server instance.


Note :

- The account type should be "User", not a "Computer" in the AD.

- Check password never expires option for the user. 

- DES encryption type is disabled by default on Windows 2008 AD and above and hence do not check this option for the user.

- If your AD is on Windows 2003, enable the DES encryption type for your user --> after enabling this option, make sure you reset the password for this user.

- If you want to use the AES encryption type, make sure you check "This account supports AES 128 bit encryption" / "This account supports AES 256 bit encryption" in the username --> Properties --> Account Options field.

- If you want to use AES256-SHA1 cipher strength, then:

You need to download and install the bundle that provides the "unlimited strength" policy files, which contain no restrictions on cryptographic strength.

* For IBM JDK 6 and above: Download Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from :

 https://www-01.ibm.com/marketing/iwm/iwm/web/preLogin.do?source=jcesdk

< Additional Info >

http://goo.gl/XZRasJ

Step 2 :

Create a krb5.conf file. 

Syntax :

*****

[libdefaults]
default_realm = <Identifies the default realm. Set its value to your Kerberos realm - all caps>
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes =  aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
ticket_lifetime = 600
kdc_timesync = 1
ccache_type = 4 
[realms]
<Your Kerberos realm – remember all caps> = {
kdc = <IP address of the KDC/AD server>
admin_server = <FQDN - host name of the KDC/AD server OR  IP address of KDC/AD server>
default_domain = <Windows domain name in caps>
}
[domain_realm]
.<DNS domain name suffix, starting with .> = <Your Kerberos realm – remember all caps>
<DNS domain name suffix.> = <Your Kerberos realm – remember all caps> 
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true

 ***** 

Note :

* This file has to be created on the machine where Weblogic Server is installed. In this case it is present in AIX 6.1 machine.

In AIX machine, the default location is /etc/krb5/krb5.conf.

* It is always good to specify only the encryption type that is needed in default_tkt_enctypes and default_tgs_enctypes, for example rc4-hmac in this case (have a look at the above screenshot).


Step 3 :

Let's check that your AIX box can communicate with the KDC using the information provided in krb5.conf:

Command : kinit kerberos_aix OR kinit kerberos_aix@<REALM>


Step 4 :

(Run the following commands on the AD machine.)

Let's make sure that there are no duplicate SPNs in your AD box and then add an SPN to the "kerberos_aix" user:

Syntax : setspn -S HTTP/<wls-server-name>@<REALM-NAME> <account_name> 

Command :  setspn -S HTTP/celbeaaix2.us.oracle.com@SLAB.BEA.COM kerberos_aix

Now let's create a keytab file:

Syntax : ktpass -princ HTTP/<wls-server-name>@<REALM-NAME> -mapuser <account-name> -pass password -crypto all -kvno 0 -ptype KRB5_NT_PRINCIPAL -out <keytab-file-name>

Command :  ktpass -princ HTTP/SLKRBTRN6-03@SLKRBTRN6.BEA.COM -mapuser wlsclient -pass Weblogic1 -crypto Rc4-HMAC-NT -kvno 0 -ptype KRB5_NT_PRINCIPAL -out kerberos_aix_rc4.keytab

Note :

* Running ktpass will modify the account details, changing the user login name to match the service principal name – note that this is a consequence of running the above command, not something you need to do manually

* Click on the user " kerberos_aix " properties to see the change.

* Now copy the generated keytab file (kerberos_aix_rc4.keytab) to the machine where WebLogic Server is installed.

* If you are using Windows 2003 AD then use the following command :

ktpass -princ HTTP/<wls-server-name>@<REALM-NAME> -mapuser <account-name> -pass password -crypto DES-CBC-CRC -ptype KRB5_NT_PRINCIPAL -out <keytab-file-name>

* In the above command you can use "-crypto all", but there are a few IBM JDK bugs that cause the JAAS config to always look at the first encryption type available in the keytab and fail, saying it was not able to find RC4-HMAC. This is fixed in the latest versions of the JDK; however, it is safer to create a keytab containing only the required encryption type ("-crypto RC4-HMAC-NT").

Step 5 :

After copying the keytab file to the machine where Weblogic Server is installed, run the klist command to see the contents of the keytab file.

Syntax : klist -k <keytab>

Command : klist -e -k kerberos_aix_rc4.keytab
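As an added example (not from the original post), a small Python keytab parser that reports what klist -e -k shows and additionally flags the Step 4 caveat: an older IBM JDK tries only the first keytab entry, so a keytab written with "-crypto all" whose first entry is DES fails even though an RC4 key is present. The keytab bytes it inspects are constructed inline with all-zero dummy keys; the entry lengths it reports for this post's SPN (69 for an 8-byte DES key, 77 for a 16-byte RC4/AES128 key, 93 for a 32-byte AES256 key) are the same "KeyTab: load() entry length" values that appear in the troubleshooting comment below.

```python
import struct
# Kerberos enctype numbers from the IANA registry (RFC 3961 / RFC 4757).
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _cstr(data, off):
    """Read a counted octet string (uint16 length + bytes); return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse a v0x0502 keytab (the format ktpass writes); returns one dict per entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)   # body length; <0 = deleted slot
        off, end = off + 4, off + 4 + abs(size)
        if size > 0:
            (ncomp,) = struct.unpack_from(">H", data, off)
            realm, off = _cstr(data, off + 2)
            comps = []
            for _ in range(ncomp):
                c, off = _cstr(data, off)
                comps.append(c.decode())
            name_type, stamp, vno8 = struct.unpack_from(">IIB", data, off)
            (etype,) = struct.unpack_from(">H", data, off + 9)
            key, off = _cstr(data, off + 11)
            # A trailing uint32 kvno is present only if the body has room for it.
            kvno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
            entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                            "enctype": ENCTYPES.get(etype, "etype-%d" % etype),
                            "kvno": kvno, "keylen": len(key), "entry_len": size})
        off = end
    return entries

def check_keytab(data, principal, allowed=("rc4-hmac",)):
    """Problems to fix before pointing WebLogic's JAAS config at this keytab."""
    entries, problems = parse_keytab(data), []
    if not any(e["principal"] == principal for e in entries):
        problems.append("principal %s not found in keytab" % principal)
    if entries and entries[0]["enctype"] not in allowed:
        problems.append("first entry is %s; older IBM JDKs try only the first enctype"
                        % entries[0]["enctype"])
    extra = sorted({e["enctype"] for e in entries} - set(allowed))
    if extra:
        problems.append("unexpected enctypes present: " + ", ".join(extra))
    return problems

def build_keytab(principal, keys, kvno=0):
    """Constructed sample keytab with all-zero dummy keys, in the same on-disk layout."""
    name, realm = principal.split("@")
    out = b"\x05\x02"
    for etype, keylen in keys:
        body = struct.pack(">H", len(name.split("/")))
        for s in [realm] + name.split("/"):             # realm first, then components
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno)          # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", etype, keylen) + b"\x00" * keylen
        out += struct.pack(">i", len(body)) + body
    return out
```

To run it against a real file, pass open("kerberos_aix_rc4.keytab", "rb").read() to check_keytab with the SPN from Step 4.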

If your principal was created properly, you should be able to request a TGT (Ticket Granting Ticket) from Kerberos using that principal.

If the keytab file was generated properly, then you should be able to use this file instead of the password of your account. kinit tests both simultaneously. 

Syntax :  kinit -k -t <keytab-file> <account-name>

Command :  kinit -k -t kerberos_aix_rc4.keytab HTTP/celbeaaix2.us.oracle.com@SLAB.BEA.COM

Output :

Done!

New ticket is stored in cache file /u01/CR-root/krb5cc_slcruser

Now let's enable a few debug flags to get more detailed output:

Command : 

java -Dcom.ibm.security.jgss.debug=all -Dcom.ibm.security.krb5.Krb5Debug=all com.ibm.security.krb5.internal.tools.Kinit -k -t kerberos_aix_rc4.keytab HTTP/celbeaaix2.us.oracle.com@SLAB.BEA.COM


Note :

*  When you lock and unlock your computer, you are causing Windows to request new Kerberos tickets. Another way to force Windows to request new Kerberos tickets is to run "klist purge" from the command prompt. This explicitly asks Windows to discard your current Kerberos tickets and thus request new ones.

Step 6 :

Now, let's create a JAAS config file that will be used by WebLogic Server:

Create a file called "krb5Login.conf" and place it in the WebLogic Server domain directory:

Syntax :

Have a look at the following doc for the list of supported and unsupported parameters in the JAAS config file:

http://www-01.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.component.70.doc/security-component/jgssDocs/jaas_login_user.html

Example : 

com.ibm.security.jgss.initiate {
    com.ibm.security.auth.module.Krb5LoginModule required
    credsType=initiator
    debug=true;
};
com.ibm.security.jgss.krb5.accept {
    com.ibm.security.auth.module.Krb5LoginModule required
    principal="HTTP/celbeaaix2.us.oracle.com@SLAB.BEA.COM"
    useKeytab="file:/refresh/CR-root/Oracle/Middleware3/user_projects/domains/kerberos_AIX/kerberos_aix_rc4.keytab"
    credsType=acceptor
    debug=true;
};


Step 7 : 

Now let's add a few -D parameters to the WebLogic Server startup script:

 -Djava.security.auth.login.config=krb5Login.conf

 -Djavax.security.auth.useSubjectCredsOnly=false

 -Djava.security.krb5.conf=/etc/krb5/krb5.conf 

-Dweblogic.security.enableNegotiate=true

DEBUG Flags :

 -Dcom.ibm.security.jgss.debug=all

 -Djava.security.debug=configfile,configparser,gssloginconfig

-Dcom.ibm.security.krb5.Krb5Debug=all 

OPTIONAL Flags :

 -Djava.security.krb5.realm=<realm>

-Djava.security.krb5.kdc=<kdc>

Example : 

JAVA_OPTIONS="-Dcom.ibm.security.jgss.debug=all -Djava.security.auth.login.config=/u01/CR-root/Oracle/Middleware3/user_projects/domains/kerberos_AIX/krb5Login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.debug=configfile,configparser,gssloginconfig -Dcom.ibm.security.krb5.Krb5Debug=all -Dweblogic.security.enableNegotiate=true -Djava.security.krb5.conf=/etc/krb5/krb5.conf ${JAVA_OPTIONS}"

export JAVA_OPTIONS

Step 8 :

Log in to the WebLogic console and configure an Active Directory Authentication provider.

Change the control flags of all the providers to "Optional".

If you have set the control flag to "Sufficient", reorder the providers and make sure the Active Directory provider is the first provider in the list.

Step 9 :

Now, create a "NegotiateIdentityAsserter" provider.

Step 10 :

Setup your browser for Kerberos Authentication.

* No special configuration is needed for the Chrome browser.

* For Mozilla Firefox browser :

1. Start Firefox.

2. Enter about:config in the Location Bar.

3. Enter the filter string network.negotiate.

4. Double click on network.negotiate-auth.delegation-uris and enter "http://,https://"

5. Double click on network.negotiate-auth.trusted-uris and enter "http://,https://"

* For Internet Explorer :

Configure Local Intranet Domains

   1. In Internet Explorer, select Tools > Internet Options.

   2. Select the Security tab.

   3. Select Local intranet and click Sites.

   4. In the Local intranet popup, ensure that the Include all sites that bypass the proxy server and Include all local (intranet) sites not listed in other zones options are checked.

   5. Click Advanced.

   6. In the Local intranet (Advanced) dialog box, add all relative domain names that will be used for Oracle WebLogic Server instances participating in the SSO configuration (for example, myhost.example.com) and click OK.

Configure Intranet Authentication

   1. Select Tools > Internet Options.

   2. Select the Security tab.

   3. Select Local intranet and click Custom Level... .

   4. In the Security Settings dialog box, scroll to the User Authentication section.

   5. Select Automatic logon only in Intranet zone. This option prevents users from having to re-enter logon credentials, which is a key piece to this solution.

   6. Click OK.

Now, when you access your Weblogic Admin Console, you should be able to login to it without entering a username / password.



Comments ( 1 )
  • Puneeth Friday, July 31, 2015

    TROUBLESHOOTING :

    Error Trace :

    Kerberos SSO fails with the following errors in the logs :

    <Jun 16, 2015 11:52:00 PM GMT> <Debug> <SecurityAtn> <BEA-000000> <Negotiate filter: existing session, negotiation was started>

    <Jun 16, 2015 11:52:00 PM GMT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.ChallengeIdentityAssertionServiceImpl.assertChallengeIdentity(Authorization.Negotiate)>

    <Jun 16, 2015 11:52:00 PM GMT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl.assertChallengeIdentity(Authorization.Negotiate)>

    <Jun 16, 2015 11:52:00 PM GMT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.assertChallengeIdentity(Authorization.Negotiate)>

    <Jun 16, 2015 11:52:00 PM GMT> <Debug> <SecurityAtn> <BEA-000000> <org.ietf.jgss.GSSException, major code: 13, minor code: 0

    major string: Invalid credentials

    minor string: Cannot get credential from JAAS Subject for principal: null

    org.ietf.jgss.GSSException, major code: 13, minor code: 0

    major string: Invalid credentials

    minor string: Cannot get credential from JAAS Subject for principal: null

    at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:23)

    at com.ibm.security.jgss.mech.krb5.y.d(y.java:281)

    at com.ibm.security.jgss.mech.krb5.y.a(y.java:221)

    at com.ibm.security.jgss.mech.krb5.y.a(y.java:136)

    at com.ibm.security.jgss.mech.krb5.y.<init>(y.java:216)

    at com.ibm.security.jgss.mech.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:50)

    at com.ibm.security.jgss.GSSManagerImpl.createMechCredential(GSSManagerImpl.java:57)

    at com.ibm.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:260)

    at com.ibm.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:78)

    After obtaining the ticket using kinit command, we see the following errors :

    [JGSS_DBG_PROV] Factory class name for provider IBMJGSSProvider version 1.6 is com.ibm.security.jgss.mech.krb5.Krb5MechFactory

    [JGSS_DBG_PROV] Prior to load

    [JGSS_DBG_PROV] Done to load

    [JGSS_DBG_PROV] Loaded factory for provider IBMJGSSProvider version 1.6

    [JGSS_DBG_PROV] Loaded factory ok

    [JGSS_DBG_PROV] getFactory: index = 1 found factory caller = -1

    [JGSS_DBG_CRED] usage: accept only, use no subject, useAllCred : false

    [JGSS_DBG_CRED] Obtaining creds from keytab for default service

    [KRB_DBG_KTAB] KeyTab:[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'Loading the keytab file ... >>> KeyTab: load() entry length: 69

    [KRB_DBG_KTAB] KeyTableInputStream:[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)': >>> KeyTabInputStream, readName(): SLAB.BEA.COM

    [KRB_DBG_KTAB] KeyTableInputStream:[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)': >>> KeyTabInputStream, readName(): HTTP

    [KRB_DBG_KTAB] KeyTableInputStream:[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)': >>> KeyTabInputStream, readName(): celbeaaix2.us.oracle.com

    [KRB_DBG_KTAB] KeyTab:[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'Loading the keytab file ... >>> KeyTab: load() entry length: 69

    [KRB_DBG_KTAB] KeyTableInputStream:[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)': >>> KeyTabInputStream, readName(): SLAB.BEA.COM

    [KRB_DBG_KTAB] KeyTableInputStream:[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)': >>> KeyTabInputStream, readName(): HTTP

    [KRB_DBG_KTAB] KeyTableInputStream:[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)': >>> KeyTabInputStream, readName(): celbeaaix2.us.oracle.com

    [KRB_DBG_KTAB] KeyTab:[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'Loading the keytab file ... >>> KeyTab: load() entry length: 77

    [KRB_DBG_KTAB] KeyTableInputStream:[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)': >>> KeyTabInputStream, readName(): SLAB.BEA.COM

    [KRB_DBG_KTAB] KeyTableInputStream:[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)': >>> KeyTabInputStream, readName(): HTTP

    [KRB_DBG_KTAB] KeyTableInputStream:[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)': >>> KeyTabInputStream, readName(): celbeaaix2.us.oracle.com

    [KRB_DBG_KTAB] KeyTab:[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'Loading the keytab file ... >>> KeyTab: load() entry length: 93

    [KRB_DBG_KTAB] KeyTableInputStream:[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)': >>> KeyTabInputStream, readName(): SLAB.BEA.COM

    [KRB_DBG_KTAB] KeyTableInputStream:[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)': >>> KeyTabInputStream, readName(): HTTP

    [KRB_DBG_KTAB] KeyTableInputStream:[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)': >>> KeyTabInputStream, readName(): celbeaaix2.us.oracle.com

    [KRB_DBG_KTAB] KeyTab:[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'Loading the keytab file ... >>> KeyTab: load() entry length: 77

    [KRB_DBG_KTAB] KeyTableInputStream:[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)': >>> KeyTabInputStream, readName(): SLAB.BEA.COM

    [KRB_DBG_KTAB] KeyTableInputStream:[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)': >>> KeyTabInputStream, readName(): HTTP

    [KRB_DBG_KTAB] KeyTableInputStream:[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)': >>> KeyTabInputStream, readName(): celbeaaix2.us.oracle.com

    <Jun 17, 2015 6:47:55 PM GMT> <Debug> <SecurityAtn> <BEA-000000> <org.ietf.jgss.GSSException, major code: 11, minor code: 0

    major string: General failure, unspecified at GSSAPI level

    minor string: Cannot get credential for principal default service

    org.ietf.jgss.GSSException, major code: 11, minor code: 0

    major string: General failure, unspecified at GSSAPI level

    minor string: Cannot get credential for principal default service

    at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:11)

    at com.ibm.security.jgss.mech.krb5.y.b(y.java:189)

    at com.ibm.security.jgss.mech.krb5.y.a(y.java:107)

    at com.ibm.security.jgss.mech.krb5.y.a(y.java:491)

    at com.ibm.security.jgss.mech.krb5.y.<init>(y.java:471)

    at com.ibm.security.jgss.mech.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:31)

    at com.ibm.security.jgss.GSSManagerImpl.createMechCredential(GSSManagerImpl.java:68)

    at com.ibm.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:95)

    at com.ibm.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:88)

    at com.ibm.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:66)

    at com.ibm.security.jgss.GSSContextImpl.a(GSSContextImpl.java:416)

    at com.ibm.security.jgss.GSSContextImpl.<init>(GSSContextImpl.java:411)

    at com.ibm.security.jgss.GSSManagerImpl.createContext(GSSManagerImpl.java:4)

    at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextToken(KerberosTokenHandler.java:126)

    at com.bea.common.security.internal.utils.negotiate.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:57)

    at weblogic.security.providers.authentication.NegotiateIdentityAsserterProviderImpl.assertChallengeIdentity(NegotiateIdentityAsserterProviderImpl.java:210)

    at com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.assertChallengeIdentity(ChallengeIdentityAssertionProviderImpl.java:130)

    at com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl.assertChallengeIdentity(ChallengeIdentityAssertionTokenServiceImpl.java:120)

    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)

    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)

    at java.lang.reflect.Method.invoke(Method.java:611)

    at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)

    at com.sun.proxy.$Proxy16.assertChallengeIdentity(Unknown Source)

    at com.bea.common.security.internal.service.ChallengeIdentityAssertionServiceImpl.assertChallengeIdentity(ChallengeIdentityAssertionServiceImpl.java:112)

    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)

    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)

    at java.lang.reflect.Method.invoke(Method.java:611)

    -----------------------

    Workaround :

    There are few known issues where in the JAAS config does not get picked up causing SSO to fail in IBM JDK.

    Since the JAAS config specified is not picked up it always looks for the default keytab name (krb5.keytab) and its default location (/u01/CR-root/).

    As a workaround add the following parameter in your krb5.conf file :

    default_keytab_name = /refresh/CR-root/Oracle/Middleware3/user_projects/domains/kerberos_AIX/kerberos_aix_rc4.keytab

    OR

    Rename your keytab ( kerberos_aix_rc4.keytab ) to "krb5.keytab" and place it in user home.( In this case it is /u01/CR-root/ ).

    < Additional Info >

    Kerberos SSO issue when WLS is running on AIX box (using IBM JDK) (Doc ID 2021655.1)

