Thursday, December 06, 2007

How to setup WNA with Oracle

Just a short note on how to set up Windows Native Authentication (WNA) with Oracle Internet Directory (OID), V10.1.2.2 (patched 10G Rel 2).
Of course, it requires you have your setup done, that is, OID is in place, it synchronises with Actice Directory (from AD to OID minimal, or two way), and the external authentication plugin works. Maybe I will publish on those steps and update this entry with the links. (I did, I did! See this entry on OID AD sync in 10.1.4)
  1. Create an account in Active Directory for your Single Sign On server. The accout is the short name, i.e. login.home.local should be created in AD as login.
  2. Generate a keytab file for this account on the AD machine; take care, the process is highly case-sensitive!

    ktpass -princ HTTP/login.home.local@BORTEL.AD.LOCAL -pass <ad_passwd> -ptype KRB5_NT_PRINCIPAL +desonly -crypto des-cbc-md5 -mapuser login -out login.keytab


    The entry, following the "-princ" flag is uppercase "HTTP/", followed by the fully qualified domain name (FQDN) of your Single Sign On server in lower case, followed by "@YOUR_AD_DOMAIN", where your Active Directory entry should be in uppercase.
  3. Transfer the generated keytab file (in this example, login.keytab) in binary(!) mode to your Single Sign On server. the location is
    $ORACLE_HOME/j2ee/OC4J_SECURITY/config
  4. Create the Kerberos configuration file, krb5.conf. Many Unixes locate the file in /etc. The contents of the file:

    [libdefaults]
    default_realm = BORTEL.AD.LOCAL

    [realms]
    BORTEL.AD.LOCAL = {
    kdc = pdc01.bortel.ad.local:88
    }

    [domain_realm]
    .home.local = BORTEL.AD.LOCAL

    Don't be fooled with the "LOCAL" stuff; default_realm is the Active Directory realm (domain, in Windows terminology), the realms entry tells how your AD server is called, and on what port it listens - port 88 is the default for Kerberos.
    The last line is very important: it explains the mapping between your default OID context and AD - mind the leading dot. The login account, created in step 1 is login@BORTEL.AD.LOCAL, so users can be found 'under' BORTEL.AD.LOCAL. Similar for OID: the corresponding entries for other users can be found in OID under dc=home, dc=local.
    Your setup will differ, and your AD domain probably has an internal named domain, whereas your OID probably has "company_name.com".
  5. Check time on AD and SSO servers; time should be (almost) the same!
  6. Test your Kerberos config:

    kinit –k –t $ORACLE_HOME/j2ee/OC4J_SECURITY/config/login.keytab HTTP/login.home.local

    It should not respond with anything, just give back the cursor.

    I did get the following error, though:

    kinit: KRB5 error code 52 while getting initial credentials"
    The solution is listed in Microsoft KB832572, and is simply setting the 'Do not require Kerberos preauthentication' option with AD for the 'login' account. It's located under Account options on the Account details tab - last entry (you will need to scroll down in the option).
  7. Make a copy of the configuration files for safekeeping:
    cp $ORACLE_HOME/sso/conf/policy.properties $ORACLE_HOME/sso/conf/policy.properties.org
    cp $ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn.xml $ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn.xml.org
    cp $ORACLE_HOME/opmn/conf/opmn.xml $ORACLE_HOME/opmn/conf/opmn.xml.org
    cp $ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn-data.xml $ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn-data.xml.org
    cp $ORACLE_HOME/j2ee/OC4J_SECURITY/applications/sso/web/WEB-INF/web.xml $ORACLE_HOME/j2ee/OC4J_SECURITY/applications/sso/web/WEB-INF/web.xml.org
    cp $ORACLE_HOME/j2ee/OC4J_SECURITY/application-deployments/sso/orion-application.xml $ORACLE_HOME/j2ee/OC4J_SECURITY/application-deployments/sso/orion-application.xml.org
  8. Run the ssoca shell:
    cd $ORACLE_HOME/sso/bin
    ./ssoca
    [snip]
    Usage5: To configure the Single Sign-On server to enable Windows Native Authentication, do:
    java -jar ossoca.jar wna -mode sso -oh -ad_realm -kdc_host_port -keytab -ssohost -oid -verbose
    where:
    oh = Oracle Home Path, AD_realm = Active Directory Realm Name, kdc = Kerberos KDC in the format "hostname:port", keytab = path of the keytab file that you created for the SSO server, sso_host = SSO server hostname with domain, oid_server = OID server in the format "ldap://oid.acme.com:389"

    The actual command will become:
    ./ssoca wna –mode sso –oh $ORACLE_HOME \
    –ad_realm BORTEL.AD.LOCAL –kdc_host_port pdc01.bortel.ad.local:88 \
    -keytab $ORACLE_HOME/j2ee/OC4J_SECURITY/config/login.keytab \
    –verbose

  9. Test your WNA - you should now be able to go to the OIDDAS pages without being asked to login.

2 comments:

rhippert said...

Is the krb5.conf file displayed above for a Windows OS box? I'm trying to configure on a Solaris box, and it definitely doen't like the eauals sign in the syntax shown above. Any help would be appreciated. Thanks

Frank said...

kerberos is a pretty standard protocol, and these files originated from a HP-UX box, and I used them on Linux (RHAS 4.7).
Defenately not MS Windows, although MS Win uses the same syntax.
You might have spotted the forward slashes - not a MS Win thingy ;)