
Single Sign-On for Java 3.3.2 - Administration Guide


vastool

vastool is a command line program that allows you to configure various components of Authentication Services, access information stored in Active Directory, and perform a variety of tasks such as the creation of user accounts and keytabs.

vastool is located at /opt/quest/bin/vastool. In order to run vastool, you must specify vastool options, a command to run, and the options for that specific command.

While vastool supports a wide variety of commands, the following are of most use when installing Single Sign-on for Java with Authentication Services or adjusting its configuration:

  • service: manage service accounts in Active Directory
  • info domain: display the Active Directory domain to which this host is joined
  • info site: display the name of the local Active Directory site

Configuring Single Sign-on to use the Authentication Services HOST SPN

One of the simplest ways to configure Single Sign-on for Java to run on an Authentication Services enabled host is to set up your configuration so that Single Sign-on for Java authenticates using the HOST principal installed when you join an Authentication Services-enabled machine to the Active Directory domain.

To configure Single Sign-on for Java to run on an Authentication Services enabled host

  1. Run the application server with sufficient permissions to access the host keytab /etc/opt/quest/vas/host.keytab (usually root permissions).
  2. When you configure Single Sign-on for Java, set:

    idm.keytab to the path of the Authentication Services HOST keytab -- for example: /etc/opt/quest/vas/host.keytab

    idm.principalAtRealm to HOST/appservhost1.example.com@EXAMPLE.COM

Configuring Single Sign-on to use an Authentication Services HTTP service principal

It is also possible to use vastool to add a dedicated account for Single Sign-on for Java rather than using the HOST principal. The major benefit of this approach is that it allows you to run the application server as an unprivileged user: the HTTP keytab can be owned by that user, whereas the host keytab normally requires root.

To use vastool to add an account for Single Sign-on for Java

  1. Run the following command to create the service:

    vastool -u <Adminuser> service create HTTP/appservhost1.example.com

    where

    <Adminuser> is a domain user with sufficient permissions to create accounts.

    This generates output similar to the following:

    Successfully created service

    HTTP/appservhost1.example.com@EXAMPLE.COM

    and generates the keytab:

    /etc/opt/quest/vas/HTTP.keytab

  2. Update the permissions on the service keytab so that the process running the application server can read it. The keytab contains the service account's long-term key, so it should be owned by the application server user and should not be readable by any other user. For example, change the owner of

    /etc/opt/quest/vas/HTTP.keytab

    to the user the application server runs as:

    chown appserverowner /etc/opt/quest/vas/HTTP.keytab

  3. When you configure Single Sign-on for Java, set:
    • idm.keytab to the path of the Authentication Services HTTP keytab created above, for example:

      /etc/opt/quest/vas/HTTP.keytab

    • idm.principalAtRealm to the account created above, which follows this pattern:

      appservhost1-HTTP@EXAMPLE.COM
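The following script is an added example, not part of the guide or of the Authentication Services product. It wraps the keytab permission step and the idm.* settings for both procedures above (the HOST keytab and the vastool-created HTTP keytab): it verifies that a keytab is owned by the application server user with no group or other access, fixes it if not, and derives idm.principalAtRealm from the SPN using the two patterns the guide shows. The user name appserverowner, the paths, the realm EXAMPLE.COM and the helper function names are assumptions taken from the guide's examples; GNU stat(1) is assumed. The vastool and klist invocations in the comments are not run by the script.

```shell
#!/bin/sh
# Added example (not from the Single Sign-on for Java guide or from vastool).
# Assumes GNU coreutils stat(1); all names below are the guide's example values.

# A keytab holds the service's long-term key. Owner read/write only (0600 or
# 0400) is acceptable; any group/other bit lets other local users read the key.
keytab_perms_ok() {
    keytab=$1
    owner=$2
    [ -f "$keytab" ] || { echo "missing: $keytab" >&2; return 1; }
    actual_owner=$(stat -c '%U' "$keytab") || return 1
    mode=$(stat -c '%a' "$keytab") || return 1
    [ "$actual_owner" = "$owner" ] || { echo "$keytab owned by $actual_owner, want $owner" >&2; return 1; }
    # the last two octal digits are the group and other bits; both must be 0
    case "$mode" in
        *00) return 0 ;;
        *)   echo "$keytab mode $mode: group/other bits set" >&2; return 1 ;;
    esac
}

# The guide's chown step, plus a chmod so that nobody but the owner can read
# the keytab, followed by a re-check.
harden_keytab() {
    keytab=$1
    owner=$2
    chown "$owner" "$keytab" && chmod 0600 "$keytab" && keytab_perms_ok "$keytab" "$owner"
}

# Derive idm.principalAtRealm from an SPN using the guide's two patterns:
#   HOST/fqdn          -> HOST/fqdn@REALM
#   HTTP/fqdn          -> <shorthost>-HTTP@REALM  (the account vastool creates)
# Anything else is rejected; confirm the real name with:
#   klist -k -t /etc/opt/quest/vas/HTTP.keytab
principal_at_realm() {
    spn=$1      # e.g. HTTP/appservhost1.example.com
    realm=$2    # e.g. EXAMPLE.COM
    svc=${spn%%/*}
    fqdn=${spn#*/}
    short=${fqdn%%.*}
    case "$svc" in
        HOST) printf '%s@%s\n' "$spn" "$realm" ;;
        HTTP) printf '%s-HTTP@%s\n' "$short" "$realm" ;;
        *)    echo "unsupported service type in SPN: $spn" >&2; return 1 ;;
    esac
}

# Print the two Single Sign-on for Java parameters for a keytab/SPN pair.
idm_settings() {
    keytab=$1
    spn=$2
    realm=$3
    p=$(principal_at_realm "$spn" "$realm") || return 1
    printf 'idm.keytab=%s\nidm.principalAtRealm=%s\n' "$keytab" "$p"
}

# Usage (run as a user allowed to chown; the first line is the guide's vastool step):
#   vastool -u Adminuser service create HTTP/appservhost1.example.com
#   harden_keytab /etc/opt/quest/vas/HTTP.keytab appserverowner
#   idm_settings /etc/opt/quest/vas/HTTP.keytab HTTP/appservhost1.example.com EXAMPLE.COM
```

keytab_perms_ok is the check to run at deployment time: a keytab that vastool created as root with group-readable bits, or one copied with a permissive umask, is exactly the case that turns "run the application server unprivileged" into a credential exposure to every other local account.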

Enabling delegation

If you want operations performed via Single Sign-on for Java to use delegated credentials on behalf of clients, you must enable delegation for each relevant service account in Active Directory (for example, the HOST or HTTP service account configured above).

Note: Delegation operations require that:

  1. If you want a client’s request to be able to use services with delegated credentials, the “Account is sensitive and cannot be delegated” option or its equivalent must be turned off on the client’s account.
  2. Where Constrained Delegation or Protocol Transition operations are required, the Single Sign-on for Java configuration parameter idm.allowS4U must have a value set to true. For more information, see Appendix: Configuration Parameters.