Chatta subito con l'assistenza
Chat con il supporto

Single Sign-On for Java 3.3.2 - Administration Guide

About this guide Introducing Single Sign-on for Java Preparing for Single Sign-on for Java Deploying Single Sign-on for Java
Getting started with Single Sign-on for Java Single Sign-on for Java and your web applications Setting up logging Controlling access to resources
Security Issues Maintenance and Troubleshooting Appendix: Configuration Parameters Appendix: Using the JKTools

vastool

vastool is a command line program that allows you to configure various components of Authentication Services, access information stored in Active Directory, and perform a variety of tasks such as the creation of user accounts and keytabs.

vastool is located at /opt/quest/bin/vastool. In order to run vastool, you must specify vastool options, a command to run, and the options for that specific command.

While vastool supports a wide variety of commands, the following are of most use when installing Single Sign-on for Java with Authentication Services or adjusting its configuration:

  • service: manage service accounts in Active Directory
  • info domain: display the Active Directory domain to which this host is joined
  • info site: display the name of the local Active Directory site

Configuring Single Sign-on to use the Authentication Services HOST SPN

One of the simplest ways to configure Single Sign-on for Java to run on a Authentication Services enabled host is to set up your configuration so that Single Sign-on for Java can authenticate using the HOST principal installed when you join a Authentication Services-enabled machine to the Active Directory domain.

To configure Single Sign-on for Java to run on a Authentication Services enabled host

  1. Run the application server with sufficient permissions to access the host keytab /etc/opt/quest/vas/host.keytab (usually root permissions).
  2. When you configure Single Sign-on for Java, set:

    idm.keytab to the path of the Authentication Services HOST keytab -- for example: /etc/opt/quest/vas/host.keytab

    idm.principalAtRealm to HOST/appservhost1.example.com@EXAMPLE.COM

Configuring Single Sign-on to use an Authentication Services HTTP service principal

It is also possible to use vastool to add an account for Single Sign-on for Java rather than using the HOST principal. The major benefit of this approach is that it allows you to run the application server as an unprivileged user.

To use vastool to add an account for Single Sign-on for Java

  1. Run the following command to create the service:

    vastool -u <Adminuser> service create HTTP/appservhost1.example.com

    where

    <Adminuser> is a domain user with sufficient permissions to create accounts.

    This generates output similar to the following:

    Successfully created service

    HTTP/appservhost1.example.com@EXAMPLE.COM

    and generates the keytab:

    /etc/opt/quest/vas/HTTP.keytab

  2. Update the permissions on the service keytab so that the application using the service has appropriate access to it. For example, modify the permissions on

    /etc/opt/quest/vas/HTTP.keytab

    so it is readable by the process running the application server.

    Thus:

    chown appserverowner /etc/opt/quest/vas/HTTP.keytab

  3. When you configure Single Sign-on for Java, set:
    • idm.keytab to the path of the Authentication Services HTTP keytab created above for example:

      /etc/opt/quest/vas/HTTP.keytab

    • idm.principalAtRealm to the account created above, in a format which follows this pattern:

      appservhost1-HTTP@EXAMPLE.COM

Enabling delegation

If you want to allow operations via Single Sign-on for Java to use delegated credentials on behalf of clients, you will need to enable delegation operations for all relevant service accounts in Active Directory.

Note: Delegation operations require that:

  1. If you want a client’s request to be able to use services with delegated credentials, the “Account is sensitive and cannot be delegated” option or its equivalent must be turned off on the client’s account.
  2. Where Constrained Delegation or Protocol Transition operations are required, the Single Sign-on for Java configuration parameter idm.allowS4U must have a value set to true. For more information, see Appendix: Configuration Parameters.
Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione