I need to enable SSO on my Red Hat environment. I need to know which RPMs need installation. I believe it's a case of configuring AD to support single sign-on against the WebSEAL instance. I am installing WebSEAL 6.1 (Tivoli Access Manager WebSEAL 6.1).
I have no knowledge regarding this. Can anyone brief me and help me here on how to proceed and what steps should be taken? What should be the prerequisites?
There is a good writeup on IBM's InfoCenter about how to do this:
TAM 6.0:
TAM 6.1.1:
SAM 7.0:
You have to:
Here are some of my notes that may help. However, I would strongly recommend walking down through the instructions on the InfoCenter site, as they are almost right on.
For step 1, in the linux_i386 directory, install the IBM Kerberos client using:
rpm -i IBMkrb5-client-1.4.0.2-1.i386.rpm
For step 2, the ktpass command you run on your AD controller should look something like:
ktpass -princ HTTP/WEBSEAL_SERVER_NAME_NOTFQDN@ad-domain.org -pass new_password -mapuser WEBSEAL_SERVER_NAME_NOTFQDN -out c:\WEBSEAL_SERVER_NAME_NOTFQD_HTTP.keytab -mapOp set
Transfer that keytab file to your Linux server.
Also make sure the keytab file on the Linux server is chown ivmgr.ivmgr; chmod 600. Otherwise the WebSEAL process won't be able to read it.
For step 3, you will need to edit /etc/krb5/krb5.conf and configure the KDC, AD realm, and local DNS name. You can use the mkkrb5clnt utility to help with this:
config.krb5 -r AD-DOMAIN.ORG -c ad-domain.org -s ad-domain.org -d AD-DOMAIN
Edit krb5.conf and change:
[libdefaults]
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc
From my notes, you can test the Kerberos configuration using (this is all documented in the InfoCenter article):
/usr/krb5/bin/kinit webseal@AD-DOMAIN.ORG
Enter the password for the WebSEAL user, then use klist to check things.
For step 4, just edit the WebSEAL config file and change:
[spnego]
spnego-auth = https
[authentication-mechanisms]
kerberosv5 = /opt/PolicyDirector/lib/libstliauthn.so
If your clients are configured correctly, as long as their AD account name matches their TAM account name, then it will work. You can also have WebSEAL prepend the @DOMAIN.ORG when mapping to a TAM user, which is handy if you are going to have multiple domains set up for SSO. However, you have to have TAM accounts with user@domain.org within your directory to map to.
You can specify what auth level SPNEGO comes in at by modifying the [authentication-levels] section in the WebSEAL config file. That level would be level = kerberosv5
Good luck and have patience. Getting the Kerberos client set up on the Linux box was the most difficult part. It's a bit tricky when it wants the capital DNS domain name, the lower case DNS domain name, or just the plain vanilla AD domain name.
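The steps in the answer above leave three things easy to get wrong: the keytab ownership and mode, the enctypes pinned in krb5.conf, and the two WebSEAL stanzas. The following pre-flight script is an added example, not code from the answer or from IBM; it assumes POSIX sh with awk and ls, and the file paths in the usage comment are placeholders you substitute for your own.

```shell
#!/bin/sh
# Added pre-flight checks for the WebSEAL SPNEGO setup described in the answer.
# Paths, user names and sample configs are constructed for illustration.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION], or nothing.
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", s)
                      insec = (s == sec); next }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }
    ' "$1"
}

# check_keytab FILE OWNER: the keytab must exist, belong to OWNER and be mode 600
# (the chown ivmgr.ivmgr; chmod 600 step above); otherwise WebSEAL cannot read it,
# or any other local account can copy the service key.
check_keytab() {
    [ -f "$1" ] || { echo "missing keytab: $1"; return 1; }
    set -- "$1" "$2" $(ls -ld "$1")
    mode=${3%[+@.]}        # drop the ACL/xattr marker some ls builds append
    [ "$mode" = "-rw-------" ] || { echo "$1: mode is $mode, want 600"; return 1; }
    [ "$5" = "$2" ] || { echo "$1: owner is $5, want $2"; return 1; }
}

# has_des_enctypes KRB5CONF: 0 when [libdefaults] pins any des-cbc-* enctype.
# DES is deprecated for Kerberos (RFC 6649); keep it only if the AD side requires it.
has_des_enctypes() {
    for k in default_tkt_enctypes default_tgs_enctypes; do
        case " $(ini_get "$1" libdefaults "$k") " in *" des-cbc-"*) return 0 ;; esac
    done
    return 1
}

# check_spnego WEBSEALD_CONF: 0 when SPNEGO is switched on and kerberosv5 is mapped
# to the authentication library (step 4 above).
check_spnego() {
    auth=$(ini_get "$1" spnego spnego-auth)
    lib=$(ini_get "$1" authentication-mechanisms kerberosv5)
    case "$auth" in http|https|both) ;; *) echo "spnego-auth='$auth': SPNEGO is off"; return 1 ;; esac
    [ -n "$lib" ] || { echo "kerberosv5 mechanism not configured"; return 1; }
}

# Usage on a real host (placeholder paths; substitute your own):
#   check_keytab /PATH/TO/WEBSEAL_SERVER_NAME_NOTFQD_HTTP.keytab ivmgr
#   has_des_enctypes /etc/krb5/krb5.conf && echo "WARNING: DES enctypes in use"
#   check_spnego /PATH/TO/webseald.conf
```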