For testing purpose, you can setup Maximo 7.6 with SSO configuration.
There are 3 parts to configure SSO.
- Part 1 : Install DNS (Domain Name System) Server and AD (Active Directory) Service
- Part 2 : Install Maximo with Middleware
- Part 3 : Configure SSO using SPNEGO
Part 1 : Install DNS Server and Active Directory.
1. Prepare two physical machines ( you can use 2 VM instances ) having 2012 OS.
One for the DNS Server where AD and Maximo will be installed.
The other for client machine which will belong to the same domain.
** Important point : DNS Server and Client machine should have static IP address.
2. IP setting for two machines.
- IP setting for DNS Server
- IP setting for Client machine
* Perferred DNS Server will be DNS Server IP.
3. Install DNS Server and Active Directory Service on the DNS Server machine.
- Open Add Roles and Features
- Click 'Role-based or feature-based installation'
- Select 'Active Directory Domain Services' and 'DNS Server'
- After installing, you will get 'Post-deployment Configuration' Message for Active Directory Domain Service.
- Click 'Post-deployment Configuration'
- Click 'Add a new forest' . You can set Root domain name as what you want to use. ex. domain.com
- Type password for the Directory Services Restore Mode password. ex. Maximo01
- NetBios domain name will be set as DOMAIN which is coming from the Root domain name (domain.com)
- Finish. You need to restart machine.
Then, you can realize that your machine belongs to 'domain.com' domain.
4. Configure Active Directory structure.
In Active Directory Users and Computers, right-click the domain and go to New → Organizational Unit
Create Maximo, Groups, Users OU like below screenshot.
In Groups OU, add two groups. ( maximousers, maximononusers )
In Users OU, add 3 users ( maxadmin, maxreg, mxintadm) belonging to maximousers group , Domain User group.
It allows 3 users ( maxadmin, maxreg, mxintadm) to log in the computer which is belonging to the domain (DOMAIN).
Now. DNS Server and Active Directory configuration is completed.
5. Configure the client machine in order to make it belong to the same domain (domain.com)
- Log in to the client machine.
- Open Computer/Properties - System properties - Click 'Change' button. Change 'Member of Domain' to 'domain.com'. Restart this client machine.
Now, DNS Server and Client machine was configured. They are in the same domain.
- DNS Server( AD ) : dnsserver.domain.com
- Client : ssoclient.domain.com
* Domain users (maxadmin, mxintadm, maxreg) can log into this client machine( ssoclient.domain.com) like below screenshot.
Part 2 : Now, Install Maximo 7.6 with middleware ( Websphere and DB2 ) on the server machine where DNS Server and AD was installed.
1. Run launchpad64 - Select DB2, Websphere and IBM Maximo Asset Management 7.6 like below screenshot.
2. Accept the license agreements.
3. Confirm parameter and packages.
4. Enter DB2 Installation Information.
5. Enter Web Server Configuration Information
6. Once Installation completed, Tivoli's process automation suite configuration tool screen is opened. Click 'Prepare Websphere Application Server for Configuration'.
7. Configure WebSphere Application Server
8. Configure Application Server Profiles
9. Application Server Advanced Options
10. Configure Administrative Security
11. Apply Deployment Operations.
12. Click Configure a New Deployment
13. Define Deployment Environment
- Check 'Create and Configure the database'
- Check 'Complete configuration of WebSphere for your product'
14. Configure General Product Information
15. Database Instance Information - Configure the DB2 Database
16. Configure the Application Server
17. Configure Application Security
18. Apply Deployment Operations.
19. Finish. You can log into Maximo ( http://dnsserver.domain.com:9080/maximo)
Part 3 : SSO (Single Sign On) configuration usign SPNEGO
SPNEGO, or the Simple and Protected GSSAPI Negotiation Mechanism, enables a straightforward single sign-on (SSO) mechanism for WebSphere in Kerberos environments.
The Windows client must be in the same Active Directory (AD) domain. If you will be configuring SPNEGO on a Windows system, you will still need a separate Windows client to surf from.
For whatever reason, SPNEGO does not work locally on a system.
1. Create a User ID for the Application Server
Please note that the ID you will be creating here is not the same, and cannot be the same as the WebSphere administration ID that you use when you turn on WebSphere Security (usually ‘wasadmin’ in test environments).
The ID that we will be creating here is the ID that the instance of WebSphere itself uses to authenticate to Active Directory.
Ex) wasspnego@domain.com /Maximo01
* Set the password to never expire in your test environment. This will save you the need to regenerate keys (discussed next) because the password never needs changing.
Please remember that if you do change the password for the account, you will also need to regenerate the keys.
2. Assign the Service Principal Name and Create Key File
After the account has been created, we need to map this account to the Kerberos Service Principal Name (SPN) and create a key file that WebSphere can use to log into the domain with.
Please note that SPNs and keytabs are only required for the WebSphere Application Server instance, and not the Windows client users who will be logging in to the domain via the domain sign-on screen.
To create the key,
ktpass -out <keyfile name> -princ HTTP/fully qualified hostname@AD DOMAIN NAME -mapuser <AD user> -pass <password> -ptype KRB5_NT_PRINCIPAL
Ex)
ktpass -out appserver1.keytab -princ HTTP/dnsserver.domain.com@DOMAIN.COM -mapuser wasspnego -pass Maximo01 -ptype KRB5_NT_PRINCIPAL
* Please note that case is very important here. HTTP must be all in capital letters as well as the AD domain name. If you get this wrong, authentication will not work.
If it runs successfully, appserver1.keytab file is created and the Service Principal Name (SPN) is mapped to the AD user ‘wasspnego’.
The keytab file will get shipped to Websphere server which will use this key to authenticate itself in the AD domain as ‘wasspnego’.
Note the ‘User logon name’ field for wasspnego user . It now contains the Service Principal Name (or SPN) of the ID.
3. Set up Kerberos Configuration on the Application Server
- Copy appserver1.keytab to C:\IBM\WebSphere\AppServer\etc\krb5
- Run C:\IBM\WebSphere\AppServer\bin>wsadmin ( wasadmin/Maximo1)
- Run
$AdminTask createKrbConfigFile {-krbPath C:\IBM\WebSphere\AppServer\etc\krb5\krb5.conf -realm DOMAIN.COM -kdcHost dnsserver.domain.com -dns domain.com -keytabPath C:\IBM\WebSphere\AppServer\etc\krb5\appserver1.keytab}
Then, appserver1.keytab and krb5.conf file will be existed in C:\IBM\WebSphere\AppServer\etc\krb5 folder.
4. Enable WebSphere Security : When installing Maximo using J2EE Application Security, it was already enabled.
Go to Websphere Console - Click Security / Global Security in the left panel.
5. Enable SSO
- Go to Websphere Console - Click Security / Global Security in the left panel
- Click Single Sign-on (SSO)
- Check 'Enabled' and enter domain name as 'domain.com'
- Check 'web inbound security attribute propagation' and 'Set security cookies to HTTPOnly to help prevent cross-site scripting attacks'
6. Enable SPNEGO in WebSphere
- Go to Websphere Console - Click Security / Global Security in the left panel
- Click SPNEGO web authentication
- Check 'Dynamically update SPNEGO' and Enable SPNEGO checkbox
- Enter Kerberos configuration file and keytab fine name with full path ( Reference step 3 )
- Click New button to add a new SPNEGO Filter
- Apply Changes ( Double check MXServer/Security Domain/SPNEGO web authentication )
7. Restart Websphere Server.
Now that SPNEGO is enabled on the server.
8. Configure Browsers : need to configure your browsers to send their Kerberos tokens to the server when challenged.
You need to change a couple of settings to the browsers running on your Windows client machines.
- Log into the client machine (ssoclient.domain.com) as maxadmin domain user.
- Open IE browser- Internet options - Security Tab- Local Intranet
- Add *.domain.com - OK
- Click Advanced Tab
- Check 'Enable Integrated Windows Authentication*'
- OK
Now, In IE browser, try to enter http://dnsserver.domain.com:9080/maximo.
Then, Maximo will be automatically logged as maxadmin user.
I hope it will be helpful for you to configure SSO with Maximo.
No comments:
Post a Comment