Enable SSO on redhat Environment

Question

I need to enable SSO on my redhat environment. I need to know which rpms needs installation. believe it’s a case of configuring AD to support the single sign-on against the WebSeal instance.i am installing WebSeal 6.1(Tivoli Access Manager WebSeal 6.1).

I have no knowledge regarding this.Can anyone brief me out and help me here how to proceed and what steps should be taken. What should be the prerequisites ?

Answer 1

There is a good writeup on IBM's InfoCenter about how to do this:

TAM 6.0:

http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itame.doc_6.0/rev/am60_webseal_admin211.htm?path=5_8_1_6_0_6_0_2_1_10_1_2#spnego-cfg-unix

TAM 6.1.1:

http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itame.doc_6.1.1/am611_webseal_admin709.htm?path=5_8_1_3_1_11_1_2#spnego-cfg-unix

SAM 7.0:

http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.isam.doc_70/ameb_webseal_guide/concept/con_config_win_desktop_sso_unix.html

You have to:

1. Install IBM Kerberos client for WebSEAL
2. Create an entry in AD for the Linux server to auth against
3. Map the Kerberos principal to that AD user (the hardest part)
4. Enable SPNEGO on WebSEAL

Here are some of my notes that may help. However, I would strongly recommend walking down through the instructions on the InfoCenter site, as they are almost right on.

For step 1, in the linux_i386 directory, install the IBM Kerberos client using:

rpm -i IBMkrb5-client-1.4.0.2-1.i386.rpm

For step 2, the ktpass command you run on your AD controller should look something like:

ktpass -princ HTTP/WEBSEAL_SERVER_NAME_NOTFQDN@ad-domain.org -pass new_password -mapuser WEBSEAL_SERVER_NAME_NOTFQDN -out c:\WEBSEAL_SERVER_NAME_NOTFQD_HTTP.keytab -mapOp set

Transfer that keytab file to your Linux server.

Also make sure the keytab file on the Linux server is chown ivmgr.ivmgr; chmod 600. Otherwise the WebSEAL process won't be able to read it.

For step 3, you will need to edit /etc/krb5/krb5.conf and configure the KDC, AD realm, and local DNS name. You can use the mkkrb5clnt utility to help with this:

config.krb5 -r AD-DOMAIN.ORG -c ad-domain.org -s ad-domain.org -d AD-DOMAIN

Edit krb5.conf and change:

[libdefaults]
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc

From my notes, I had you can test the Kerberos configuration using (this is all documented on the infocenter article):

/usr/krb5/bin/kinit webseal@AD-DOMAIN.ORG

Enter the password for the WebSEAL user, then use klist to check things.

For step 4, just edit the WebSEAL config file and change:

[spnego]
spnego-auth = https

[authentication-mechanisms]
kerberosv5 = /opt/PolicyDirector/lib/libstliauthn.so 

If you are clients are configured correctly, as long as their AD account name matches their TAM account name then it will work. You can also have WebSEAL prepend the @DOMAIN.ORG when mapping to a TAM user, which is handy if you are going to have multiple domains setup for SSO. However, you have to have TAM accounts with user@domain.org within your directory to map to.

You can specify what auth level SPNEGO comes in by modifying the [authentication-levels] section in the WebSEAL config file. That level would be level = kerberosv5

Good luck and have patience. Getting the Kerberos client setup on the Linux box was the most difficult part. It's a bit tricky when it wants capital DNS domain name, lower case DNS domain name, or just the plain vanilla AD domain name.