WebLogic Server Single Sign-on function--reprint

Source: Internet
Author: User

In the latest SP4 release of WebLogic 8.1, the most compelling addition is on the security side: a Single Pass Negotiate Identity Assertion Provider, used with Microsoft Windows clients for single sign-on. With this provider you can easily set up single sign-on with Windows clients, something that was previously considered technically difficult.

This simple, low-cost SSO solution should appeal to most enterprise applications:

    1. Users only need to log on to the Windows domain once; after that they can access WebLogic Server, IIS and other applications under that identity;
    2. On subsequent accesses the user never has to re-enter the password, so the password does not travel in clear text across the intranet, and threats originating inside the intranet are reduced (the main network security threat to an enterprise comes from the intranet), whereas enabling SSL intranet-wide would be too costly;
    3. Only one authentication is required, so the cost of authentication is reduced, regardless of whether user information is stored in AD, a relational database, LDAP, and so on;
    4. The user experience and the quality of IT service improve greatly, and so does user productivity.

In terms of cost, compared with some SSO products, in short:

    1. No new hardware and no new software licenses are needed, and the mature MS AD resources most enterprises already have can be used to the full;

      * Some SSO products, by contrast, need new hardware and licenses, and a mature deployment often involves load balancing, failover and so on, so the cost rises sharply
    2. No dedicated operations staff or technical support staff are needed to manage the server; the existing IT team is up to the task, so the cost falls further;
    3. Installation and configuration are simple, no separate software needs to be installed, and the operator needs no specialised background knowledge;
      * Compare the extremely thick documentation manuals of some SSO products, plus the training and more

As a result, most SSO product vendors face greater challenges. With security technology being applied rapidly and the SSO market fiercely competitive today, users have more and more freedom to choose the SSO solution that suits them, and users are the ones who ultimately benefit. So we should thank those who have contributed to the development of these technologies.

After I got WebLogic 8.1 SP4, I completed the single sign-on configuration between WebLogic Web Server and Windows. The end result was ideal and the whole configuration process was relatively simple. However, I ran into some problems, and the configuration documentation BEA provides on its site (http://e-docs.bea.com/wls/docs81/secmanage/sso.html) is unclear in many places and even contains some errors, so I hope this article helps you complete the SSO configuration more smoothly.

1 Preparation
The protagonist of WebLogic single sign-on is SPNEGO (Simple and Protected GSS-API Negotiation Mechanism). "Negotiate" means that the two sides agree, through a certain negotiation, on the authentication protocol that will finally be used. So through SPNEGO both parties can use Kerberos, or they can use a security protocol such as NTLM, to complete authentication. GSS (http://www.ietf.org/rfc/rfc1508.txt) is the Generic Security Service API; SPNEGO can be seen as one manifestation of it. Its main purpose is to provide general security services and ensure the portability of applications across different environments.

Because of the close relationship between SPNEGO and Kerberos, we more often see the combination SPNEGO/Kerberos.

WebLogic's SPNEGO Identity Asserter only supports Kerberos tokens. From the following figure we can understand the relationship between the SPNEGO token and the Kerberos token, and how the SPNEGO token encapsulates the underlying authentication data:

(from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-2.asp)
IE encapsulates the Kerberos token (the service ticket plus some information required for authentication) in a SPNEGO token and sends it to WebLogic Web Server. The Web server determines from the protocol type defined in the SPNEGO token that Kerberos is in use, then extracts the Kerberos token from the SPNEGO token to complete the subsequent validation.

The SPNEGO token uses binary ASN.1 encoding (LDAP messages in the LDAP protocol also use ASN.1 encoding), and the encoded binary data is transmitted as visible characters using Base64 encoding. Refer to http://www.faqs.org/rfcs/rfc2478.html for details.

Let's take a quick look at the SPNEGO/Kerberos verification process:

    1. The user logs on to the Windows domain using the account and password created in AD;
    2. The user sends a request to the Web server to access a restricted resource;
    3. If the user is not authenticated, the Web server returns HTTP code 401 Unauthorized with the HTTP header WWW-Authenticate: Negotiate, requiring the client to provide authentication information;
    4. IE requests a service ticket or other credentials from the KDC based on the configured SPN (described later);
    5. IE encapsulates this information in a Negotiate token and sends it to the Web server;
    6. The Web server verifies the authentication information submitted by IE using the keytab prepared in advance, or submits the information in the Kerberos token to the KDC for verification;
    7. WebLogic Web server verifies it, assembles the appropriate Subject, creates a session for this user, and the user is logged on successfully.

The actual verification process is more complex; the reader can refer to: http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/Kerberos.mspx
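To make the token framing described above concrete, here is an added Python example (mine, not part of the original article or of WebLogic) that inspects the value of an Authorization: Negotiate header the way the Web server does: it decodes the Base64, reads the outer GSS-API token, and lists the mechanisms the client offered, so a Kerberos SPNEGO token can be told apart from an NTLM one when troubleshooting. The sample tokens are constructed inline, not captured from IE.

```python
import base64

# DER-encoded GSS-API mechanism OIDs that show up in Negotiate headers.
SPNEGO_OID = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
MSKRB5_OID = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos 5",
              MSKRB5_OID: "MS Kerberos 5", NTLMSSP_OID: "NTLMSSP"}

def der(tag, body):
    """Minimal DER TLV encoder, used only to build the constructed sample."""
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    return bytes([tag, 0x82]) + len(body).to_bytes(2, "big") + body

def tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                     # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def classify_negotiate(header_value):
    """'Authorization: Negotiate <b64>' value -> (outer mechanism, [mechTypes])."""
    token = base64.b64decode(header_value.split(None, 1)[1])
    if token.startswith(b"NTLMSSP\x00"):            # bare NTLM, no GSS framing
        return "raw NTLM", []
    tag, body, _ = tlv(token, 0)
    if tag != 0x60:                                  # [APPLICATION 0] InitialContextToken
        return "unknown", []
    _, oid, pos = tlv(body, 0)
    outer = MECH_NAMES.get(oid, oid.hex())
    if outer != "SPNEGO":
        return outer, []
    # NegTokenInit ::= [0] SEQUENCE { [0] mechTypes SEQUENCE OF OID, ... }
    _, init, _ = tlv(body, pos)
    _, seq, _ = tlv(init, 0)
    _, ctx0, _ = tlv(seq, 0)
    _, mech_list, _ = tlv(ctx0, 0)
    mechs, p = [], 0
    while p < len(mech_list):
        _, o, p = tlv(mech_list, p)
        mechs.append(MECH_NAMES.get(o, o.hex()))
    return "SPNEGO", mechs

def sample_negotiate_header(mech_oids):
    """Construct (not capture) a NegTokenInit offering the given mechTypes."""
    mech_types = der(0xA0, der(0x30, b"".join(der(0x06, o) for o in mech_oids)))
    mech_token = der(0xA2, der(0x04, b"<placeholder inner token>"))
    neg_init = der(0xA0, der(0x30, mech_types + mech_token))
    token = der(0x60, der(0x06, SPNEGO_OID) + neg_init)
    return "Negotiate " + base64.b64encode(token).decode()

def sample_raw_ntlm_header():
    """Construct the shape a client sends when it falls back to plain NTLM."""
    return "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```

A header whose mechTypes list contains only NTLMSSP, or a raw NTLMSSP blob, is exactly the case the article warns about: WebLogic's asserter accepts only Kerberos tokens, so such a request will fall through to the login prompt.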

2 Environment
Next, we'll use a specific environment as an example. We assume the following deployment:

Server side:
* Windows 2000 Advanced Server (Active Directory)
* Domain: sso.com
* Machine domain name: ad-server.sso.com
* Red Hat Linux 7.2
* Host name: WLS

* WebLogic Server 8.1 SP4 (must be SP4)

Client machine:
* Windows Professional
* IE 6.0

Note:
* IE 6.0 differs from IE 5.0 and 5.5 in configuration.
* Check whether setspn.exe is installed on Windows 2000 Advanced Server, or get and install it from this link:
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/setspn-o.asp
* Ensure that ktpass.exe exists on Windows 2000 Advanced Server; you can find it under C:\Program Files\Support Tools, otherwise you will need to get it from the Windows 2000 AD Server installation disk.
* Kerberos implementations are case-sensitive, so we use uppercase domain names in our configuration.
* By default, the time difference between the Windows 2000 AD server and the Red Hat Linux host running WebLogic cannot exceed 5 minutes (the Kerberos protocol is time-sensitive), or validation will fail. Depending on the actual situation, we can shorten this window for better security.

3 Configuration process
Once the preparation is complete, we can start the specific configuration work.

  1. Configuration on Windows 2000 Advanced Server
    (Note: the following actions are performed as Administrator or a user with equivalent permissions)

    Active Directory on Windows 2000 Advanced Server is configured as a DNS server. Windows 2000 AD Server enables the KDC (Key Distribution Center) on each domain controller; the KDC consists of two parts, the Authentication Service and the Ticket Granting Service. We will not say more about this; in short, once you have configured a Windows domain controller (built a domain through AD), these already exist and work properly, and unless there are special requirements on Windows, no further configuration or action such as enabling the KDC is needed.

    * In DNS, configure a DNS record for the WebLogic Server host.

    DNS name: wls.SSO.COM

    * In AD (domain sso.com), create a user account for WebLogic Server

    Account: WLS
    Note that when you create the user account, do not select the option requiring the user to change the password at first logon, and the default DES encryption type must be kept; do not modify it, as other types are not supported by WebLogic.

    Also create a test user account: TESTUSER

    * Create a Service Principal Name for user WLS using setspn.exe

    The SPN is stored as an attribute of the user (WLS); IE uses it to determine which service is being accessed and then requests that service's ticket from the KDC. Here HTTP is the service type; HOST would cover all service types, but we specify HTTP.

    If a host runs several instances of the same service, you can add the port to distinguish them; see http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/Techref/en-us/default.asp?url=/resources/documentation/windowsserv/2003/all/techref/en-us/w2k3tr_adspn_how.asp for details. Because I have only one WebLogic Server here, no port is specified.

    Here is a sample configuration:
    C:\Program Files\Resource Kit>setspn -a http/wls.sso.com WLS
    Registering ServicePrincipalNames for cn=wls,cn=users,dc=sso,dc=com
    http/wls.sso.com
    Updated Object

    After completion, you can check with this command:
    C:\Program Files\Resource Kit>setspn -l WLS
    Registered ServicePrincipalNames for cn=wls,cn=users,dc=sso,dc=com:
    http/wls
    http/wls.sso.com

    C:\Program Files\Resource Kit>

    * Create a Kerberos Service Principal and map it to the WLS user
    C:\Program Files\Resource Kit>ktpass -princ http/wls.com -pass *** -mapuser wls -out c:\temp\wls.http.keytab
    Successfully mapped http/wls to WLS.
    Key created.
    Output keytab to c:\temp\wls.http.keytab

    Keytab version: 0x502
    KeySize http/wls.com ptype 1 (KRB5_NT_PRINCIPAL) VNO 1 etype 0x1 (DES-CBC-CRC) Keylength 8 (0xa7c7e6ab9767fb37)
    Account have been set for des-only encryption.

    WebLogic Web Server is the Kerberos service, and the generated Service Principal (Kerberos 5 format: name/instance), specified by -princ, represents the WebLogic Web server entity. Here it is http/wls.com (note the capitalization of the domain part). This is very important: Sun's Krb5LoginModule (provided in JDK 1.4) validates the request submitted by the client using this principal together with the keytab. It will be configured in the JAAS LoginModule config entry. The -pass parameter specifies the password of user WLS; if you previously selected the option that the user must change the password at first logon, this will go wrong.

    Account have been set for des-only encryption. This line is also important; if des-only does not appear, your WebLogic authentication may fail.

    When the above command succeeds, a wls.http.keytab file is generated on disk. This file is very important and must be kept securely; access by anyone other than the designated user must be prohibited.
  2. Configuration on Red Hat
    * Copy the file wls.http.keytab to the specified directory on Linux
    In the real world this copy process must be very secure. I recommend using the Linux user that starts WebLogic to copy the file via SFTP into the directory WebLogic is started from, which makes later configuration convenient for us.

    Once the copy is complete, delete the original file on the Windows machine immediately. Also change the file permissions so that only the owner (the Linux user that starts WebLogic) can read it. You can modify the file access permissions with the following command:

    chmod 400 wls.http.keytab

    Note: if you have more than one keytab, use ktutil to merge them into a single keytab file. The default Red Hat installation does not seem to install the krb5-workstation RPM package (which includes the ktutil tool); if so, download and install the RPM, after which the tools we need will be under /usr/kerberos/. You can download it via this link: http://rpmfind.net/Linux/rpm/redhat/6.2/i386/krb5-workstation-1.1.1-9.i386.html
    For the specific merge procedure, please refer to the relevant documentation, for example: http://e-docs.bea.com/wls/docs81/secmanage/sso.html#1101370

    * Configure the JAAS login configuration entry

    The JAAS login configuration entry is used by JAAS. After the WebLogic Negotiate Identity Asserter has processed the Negotiate token, the final user verification is done via Krb5LoginModule.

    This verification is done with the keytab we generated earlier and does not require access to the KDC machine, which lowers the cost of KDC authentication.

    com.sun.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
            principal="http/wls.com" useKeyTab=true keyTab="wls.http.keytab" storeKey=true;
    };
    com.sun.security.jgss.accept {
        com.sun.security.auth.module.Krb5LoginModule required
            principal="http/wls.com" useKeyTab=true keyTab="wls.http.keytab" storeKey=true;
    };

    The principal parameter is the Service Principal we created earlier with ktpass, here "http/wls.com". keyTab points to the keytab file we generated with ktpass. Note that Krb5LoginModule option names are case-sensitive (useKeyTab, keyTab, storeKey).

    Save the above content as krb5login.conf.
  3. Configuration of WebLogic
    * Configure the Single Pass Negotiate Identity Assertion Provider for WebLogic

    This configuration is relatively simple; please refer to http://e-docs.bea.com/wls/docs81/secmanage/providers.html#1199872, so not much needs saying here. Note that both token types under supported types need to be selected.

    * Create a Web App

    Create SSO.war, where web.xml specifies that all pages are restricted resources; the user must be authenticated to access them.
    <security-constraint>
        <display-name>security Constraint on conversation</display-name>
        <web-resource-collection>
            <web-resource-name>conversation WebService</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>

    auth-method specifies that the authentication method is CLIENT-CERT, which is required. role-name * means the user needs at least one J2EE security role to access these resources. After the user logs in successfully, the login name becomes a principal, which WebLogic maps to a security role by default. So as long as the user logs in successfully, the /* resources can be accessed, and if the user is not logged in, WLS will ask the user to log in.

    In a JSP file in the war package, for example index.jsp, obtain the current user information through the following code:

    <%= request.getRemoteUser() %>

    If the return value is not null, the user has logged on successfully, and the return value is the UID of the logged-on user. Deploy the app with the WebLogic console and ensure that it deploys successfully.

    * Add a user account in the WebLogic console

    The account must be exactly the same as the account created in AD in step 1, i.e. testuser. Alternatively you can configure an Active Directory Authentication Provider pointing to AD, but I have not actually done that; try it if you are interested.

    * Modify the WebLogic startup script to add the following system properties
    -Dsun.security.krb5.debug=true
    -Djava.security.krb5.realm=SSO.COM
    -Djava.security.krb5.kdc=ad-server.sso.com
    -Djava.security.auth.login.config=krb5login.conf
    -Djavax.security.auth.useSubjectCredsOnly=false
    -Dweblogic.security.enableNegotiate=true

    krb5login.conf is the configuration entry we edited earlier. ad-server.sso.com points to our AD server; it is easiest to add a name-to-IP mapping in /etc/hosts. sun.security.krb5.debug makes Krb5LoginModule output debug information. Remember also that the realm parameter (sso.com) must be written in uppercase.

    * Restart WebLogic
  4. Configuration of the IE browser

    The IE browser also needs to be configured properly; we use IE 6.0 as the example. Two main places need configuring:

    1. Tools - Internet Options - click "Local intranet" - click "Sites" - Advanced
    Add *.sso.com, so that when we visit wls.sso.com, IE treats wls.sso.com as a local intranet site.

    2. Tools - Internet Options - Advanced - Security
    Tick "Enable Integrated Windows Authentication". Versions of IE before 6.0 select this option by default; IE 6 does not.

    Please refer to http://msdn.microsoft.com/library/en-us/dnsecure/html/http-sso-1.asp for details of the IE configuration.

    When you are finished, restart Windows.

4 Verification
Find a Windows Professional machine (remember, not the AD server itself: there IE will only issue NTLM tokens to the Web server instead of Kerberos tokens, and NTLM tokens are not supported by WLS). After completing the IE configuration described above, add it to the sso.com domain.

Log on to the domain as user testuser, open IE, and access http://wls.sso.com:7001/sso/index.jsp

The user's login account will be displayed on the page; if it fails, the user login dialog pops up. Failure doesn't matter: look at WebLogic's output. We turned on the debug switch, so the error message there tells us the reason. Please refer to the Java GSS-API troubleshooting guide for details: http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html
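One thing worth checking on the Linux side before reading through the Krb5LoginModule debug output is the keytab itself: whether it really holds a key for the principal named in krb5login.conf, and whether that key is the single-DES key ktpass reported (etype 0x1, keytab version 0x502). The following added Python example (mine, not part of the article or of BEA's tooling) parses a version 0x502 keytab and performs those checks; the keytab it checks is constructed inline rather than the real file, using the article's principal and realm and placeholder key bytes.

```python
import struct

ENCTYPES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-CTS-HMAC-SHA1-96",
            18: "AES256-CTS-HMAC-SHA1-96", 23: "RC4-HMAC"}  # RFC 3961/4120 numbers

def _counted(buf, pos):
    # counted_octet_string: uint16 length followed by the bytes
    n = struct.unpack_from(">H", buf, pos)[0]
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse a version 0x502 keytab (big-endian, as ktpass writes) into dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x502 is handled")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos += 4
        if size < 0:                            # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        etype = struct.unpack_from(">H", data, pos + 9)[0]
        key, pos = _counted(data, pos + 11)
        vno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "vno": vno, "etype": etype,
                        "enctype": ENCTYPES.get(etype, "etype %d" % etype),
                        "key_length": len(key)})
        pos = end
    return entries

def check_keytab(data, expected_principal):
    """List problems with the keytab WebLogic will load; an empty list means OK."""
    entries = parse_keytab(data)
    found = [e for e in entries if e["principal"] == expected_principal]
    problems = []
    if not found:
        problems.append("no key for %s (keytab holds: %s)" % (
            expected_principal, ", ".join(e["principal"] for e in entries)))
    for e in found:
        if e["etype"] not in (1, 3):            # not the single-DES key ktpass produced
            problems.append("%s key is %s, not DES" % (e["principal"], e["enctype"]))
    return problems

def build_sample_keytab(principal, etype, key):
    """Construct a one-entry keytab for testing (not the file ktpass wrote)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:                   # realm first, then name components
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBH", 1, 0, 1, etype)   # KRB5_NT_PRINCIPAL, ts, vno8, etype
    body += struct.pack(">H", len(key)) + key + struct.pack(">I", 1)  # key, vno32
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

Run parse_keytab on the bytes of the real wls.http.keytab and compare the principal it reports with the principal= value in krb5login.conf; a mismatch in name or in the realm's case is the most common reason the accept side fails silently.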

5 Summary
With the above introduction, I believe you can now successfully configure your own SSO (as you can see, the whole process is relatively simple compared with the ultra-complex configuration process of some SSO products). Because of time constraints this article was written rather hastily, and there are inevitably omissions. If there are any errors in the description, please let me know, or if the above configuration does not succeed for you, please tell me. I hope to communicate with you and share the happiness of successfully configuring SSO!

From: http://middleware123.com/weblogic/security/511.html
