Setting up AD / KDC and obtaining the .keytab
On the KDC machine, create the account HTTP_A-DELTA-VM and register the SPN for it:

```
C:\>setspn -a HTTP/a-delta-vm.domain.ru HTTP_A-DELTA-VM
Registering ServicePrincipalNames for CN=HTTP_A-DELTA-VM,OU=Server Computers,OU=SYSTEMS,DC=city,DC=company,DC=ru
        HTTP/a-delta-vm.domain.ru
```

Generate a .keytab for HTTP/a-delta-vm.domain.ru@DOMAIN.RU mapped to the user just created:

```
C:\>ktpass -princ HTTP/a-delta-vm.domain.ru@DOMAIN.RU -mapuser HTTP_A-DELTA-VM -pass MyPassword -out c:\krb5.keytab
Targeting domain controller: gudwin.domain.ru
Successfully mapped HTTP/a-delta-vm.domain.ru to HTTP_A-DELTA-VM.
Password succesfully set!
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to c:\krb5.HTTP.keytab:
Keytab version: 0x502
keysize 72 HTTP/a-delta-vm.domain.ru@DOMAIN.RU ptype 0 (KRB5_NT_UNKNOWN) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x11d235ac7c11b937a780c3158eacbc57)
```
Linux setup
- For simplicity, everything is done as root.
- Install the Kerberos client package if it is not already installed by default:
Configuring ntpdate
Kerberos is sensitive to clock skew, so all participating machines must take their time from the same NTP server. Add an entry similar to this one to cron (crontab -e):
or configure the ntpd daemon to keep the clock updated automatically (its configuration usually lives in /etc/ntp.conf).
Configuring the Kerberos client on Linux
Copy krb5.keytab to the Linux machine into /kerberos and check it with the following commands:

```
[root@a-delta-vm ~]# klist -k -t /opt/oracle/user_projects/domains/beta/kerberos/krb5.keytab
Keytab name: FILE:/opt/oracle/user_projects/domains/beta/kerberos/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 01/01/70 03:00:00 HTTP/a-delta-vm.domain.ru@DOMAIN.RU
[root@a-delta-vm ~]# kinit -k -t /opt/oracle/user_projects/domains/beta/kerberos/krb5.keytab HTTP/a-delta-vm.domain.ru@DOMAIN.RU
```

* The output of kinit should be empty.
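As an added check (example code, not from the original post): a small Python parser for the 0x502 keytab format that lists each entry's principal, kvno and enctype and flags DES/RC4 keys, which is what ktpass produced above (etype 0x17). The sample keytab is constructed inline with dummy key bytes, so nothing here touches the real keytab; pass the bytes of your own file to parse_keytab instead.

```python
import struct
from io import BytesIO
# IANA Kerberos enctype numbers; 23 (RC4-HMAC) is what the page's ktpass run produced.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ETYPES = {1, 3, 23}  # DES and RC4-HMAC service keys should be phased out

def _counted(buf):  # uint16 big-endian length prefix followed by that many bytes
    return buf.read(struct.unpack(">H", buf.read(2))[0])

def parse_keytab(data):
    """Parse a version 0x0502 (MIT / Windows ktpass) keytab into a list of entry dicts."""
    buf = BytesIO(data)
    if buf.read(2) != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries = []
    while len(size_raw := buf.read(4)) == 4:
        (size,) = struct.unpack(">i", size_raw)
        if size <= 0:                       # a negative size marks a deleted slot
            buf.read(-size)
            continue
        e = BytesIO(buf.read(size))
        (ncomp,) = struct.unpack(">H", e.read(2))
        realm = _counted(e).decode()
        comps = [_counted(e).decode() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", e.read(9))
        etype, klen = struct.unpack(">HH", e.read(4))
        key = e.read(klen)
        tail = e.read(4)                    # optional 32-bit kvno; otherwise use vno8
        kvno = (struct.unpack(">I", tail)[0] if len(tail) == 4 else 0) or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "etype": etype, "etype_name": ETYPE_NAMES.get(etype, str(etype)),
                        "key_len": len(key)})
    return entries

def weak_entries(entries):  # principals whose key uses a DES or RC4 enctype
    return [f'{e["principal"]} {e["etype_name"]}' for e in entries if e["etype"] in WEAK_ETYPES]

def build_entry(principal, kvno, etype, key):  # serialiser, used here only for the sample
    name, realm = principal.split("@")
    body = struct.pack(">HH", name.count("/") + 1, len(realm)) + realm.encode()
    for c in name.split("/"):
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type 1 = KRB5_NT_PRINCIPAL, timestamp 0
    body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: the page's SPN with a dummy RC4-HMAC key (kvno 4, as in klist above) plus an AES256 key.
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry("HTTP/a-delta-vm.domain.ru@DOMAIN.RU", 4, 23, bytes(16))
                 + build_entry("HTTP/a-delta-vm.domain.ru@DOMAIN.RU", 4, 18, bytes(32)))
```

A timestamp of 0 is why klist prints 01/01/70 for ktpass-generated entries; the kvno must match what the KDC holds for the account, as the Java trace later confirms with "Key Version 4".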
Edit the default configuration in /etc/krb5.conf:

```
[libdefaults]
 default_realm = DOMAIN.RU
# default_tkt_enctypes = des-cbc-md5   # this is what the default implies anyway
# default_tgs_enctypes = des-cbc-md5
 ticket_lifetime = 600

[realms]
 DOMAIN.RU = {
  kdc = gudwin.domain.ru
  admin_server = gudwin.domain.ru
  default_domain = DOMAIN.RU
 }

[domain_realm]
 .domain.ru = DOMAIN.RU
 domain.ru = DOMAIN.RU

[appdefaults]
 autologin = true
 forward = true
 forwardable = true
 encrypt = true

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
```
Installing WebLogic and creating a domain
Everything is done according to the official Oracle instructions and wizards…

Configuring WebLogic
Create the JAAS configuration file
For example, name it kerberos/krb5Login.conf:

```
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
        principal="HTTP/a-delta-vm.domain.ru@DOMAIN.RU"
        doNotPrompt=true
        debug=true
        useKeyTab=true
        keyTab="kerberos/krb5.keytab"
        storeKey=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        principal="HTTP/a-delta-vm.domain.ru@DOMAIN.RU"
        useKeyTab=true
        keyTab="kerberos/krb5.keytab"
        storeKey=true
        realm="DOMAIN.RU"
        debug=true;
};
```
Set the Java startup parameters.
For this you can, for example, use the following fragment in the startup file:

```
# Kerberos
JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.security.auth.login.config=kerberos/krb5Login.conf -Djava.security.krb5.realm=DOMAIN.RU -Djava.security.krb5.kdc=gudwin.domain.ru -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true"
export JAVA_OPTIONS

# Kerberos debug
JAVA_OPTIONS="${JAVA_OPTIONS} -Dsun.security.krb5.debug=true -DDebugSecurityAdjudicator=true -Dweblogic.debug.DebugSecurityAtn=true -Dweblogic.debug.DebugSecurityAtz=true"
export JAVA_OPTIONS
```

Notes:
- java.security.auth.login.config=krb5Login.conf: the path is resolved relative to the domain root
- java.security.krb5.kdc=gudwin.domain.ru: it is better to use the same KDC everywhere, even if there are several
- the parameters in the Kerberos debug section generate a huge log, so set up sensible log rotation, e.g. via the WebLogic console:
/Environment/Servers/ /Logging/
Configuring the Security Realm
Option 1. Create a fake user in WebLogic whose login matches the login in AD. To be able to log in to the WebLogic Console via SSO afterwards, make this user an administrator by adding it to the Administrators group.
(Screenshot: Add the user.)
(Screenshot: Add the user to the Administrators group.)
Option 2. Connect an ActiveDirectoryAuthenticator and configure it to obtain users from the real AD. Add the required user under Roles and Policies - Realm Roles - Global Roles - Roles - Admin (or do the same through groups).
Adding the NegotiateIdentityAsserter
- Add a NegotiateIdentityAsserter and uncheck "Form Based Negotiation Enabled".
NegotiateIdentityAsserter settings - Common.
NegotiateIdentityAsserter settings - Provider Specific.
- Make the NegotiateIdentityAsserter first in the list (Security Realms - myrealm - Providers - Common).
- Restart.
Configuring SSO for the WebLogic Console
- Edit /opt/oracle/wlserver_10.3/server/lib/consoleapp/webapp/WEB-INF/web.xml
- Find the login-config node and change it as follows:

```
<login-config>
  <auth-method>CLIENT-CERT, FORM</auth-method>
  <form-login-config>
    <form-login-page>/login/LoginForm.jsp</form-login-page>
    <form-error-page>/login/LoginError.jsp</form-error-page>
  </form-login-config>
</login-config>
```
Allow Firefox to use GSSAPI Kerberos.
- Open about:config.
- Find the parameter network.negotiate-auth.trusted-uris.
- Add the servers' DNS names, separated by commas.
Start the server.
On the first visit to the WebLogic console, something like the following should appear on stdout:

```
.
.
JAVA Memory arguments: -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=48m -XX:MaxPermSize=128m
.
WLS Start Mode=Development
.
CLASSPATH=:/opt/oracle/patch_wlw1030/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/opt/oracle/patch_wls1030/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/opt/oracle/patch_cie670/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/opt/oracle/patch_alsb1031/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/opt/oracle/jdk160_05/lib/tools.jar:/opt/oracle/wlserver_10.3/server/lib/weblogic_sp.jar:/opt/oracle/wlserver_10.3/server/lib/weblogic.jar:/opt/oracle/modules/features/weblogic.server.modules_10.3.0.0.jar:/opt/oracle/wlserver_10.3/server/lib/webservices.jar:/opt/oracle/modules/org.apache.ant_1.6.5/lib/ant-all.jar:/opt/oracle/modules/net.sf.antcontrib_1.0.0.0_1-0b2/lib/ant-contrib.jar::/opt/oracle/wlserver_10.3/common/eval/pointbase/lib/pbclient57.jar:/opt/oracle/wlserver_10.3/server/lib/xqrl.jar::
.
PATH=/opt/oracle/wlserver_10.3/server/bin:/opt/oracle/modules/org.apache.ant_1.6.5/bin:/opt/oracle/jdk160_05/jre/bin:/opt/oracle/jdk160_05/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/oracle/jdk160_05/bin:/root/bin
.
***************************************************
*  To start WebLogic Server, use a username and   *
*  password assigned to an admin-level user.  For *
*  server administration, use the WebLogic Server *
*  console at http://hostname:port/console        *
***************************************************
starting weblogic with Java version:
java version "1.6.0_05"
Java(TM) SE Runtime Environment (build 1.6.0_05-b13)
Java HotSpot(TM) Client VM (build 10.0-b19, mixed mode)
Starting WLS with line:
/opt/oracle/jdk160_05/bin/java -client -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=48m -XX:MaxPermSize=128m -Xverify:none -da -Dplatform.home=/opt/oracle/wlserver_10.3 -Dwls.home=/opt/oracle/wlserver_10.3/server -Dweblogic.home=/opt/oracle/wlserver_10.3/server -Dweblogic.management.discover=true -Dwlw.iterativeDev= -Dwlw.testConsole= -Dwlw.logErrorsToConsole= -Dweblogic.ext.dirs=/opt/oracle/patch_wlw1030/profiles/default/sysext_manifest_classpath:/opt/oracle/patch_wls1030/profiles/default/sysext_manifest_classpath:/opt/oracle/patch_cie670/profiles/default/sysext_manifest_classpath:/opt/oracle/patch_alsb1031/profiles/default/sysext_manifest_classpath -Djava.security.auth.login.config=kerberos/krb5Login.conf -Djava.security.krb5.realm=DOMAIN.RU -Djava.security.krb5.kdc=gudwin.domain.ru -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Dsun.security.krb5.debug=true -DDebugSecurityAdjudicator=true -Dweblogic.debug.DebugSecurityAtn=true -Dweblogic.debug.DebugSecurityAtz=true -Dweblogic.Name=AdminServer -Djava.security.policy=/opt/oracle/wlserver_10.3/server/lib/weblogic.policy weblogic.Server
<Mar 10 10, 2010 12:44:09 PM CITY> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 10.0-b19 from Sun Microsystems Inc.>
<Mar 10 10, 2010 12:44:09 PM CITY> <Info> <Management> <BEA-141107> <Version: WebLogic Server Temporary Patch for 380194 Fri Oct 24 13:20:13 IST 2008
WebLogic Server Temporary Patch for 8408837 Fri Apr 03 17:01:18 EDT 2009
WebLogic Server Temporary Patch for CR378781, CR380313 Fri Sep 19 13:34:16 PDT 2008
WebLogic Server Temporary Patch for CR381056 Mon Oct 06 10:48:50 EDT 2008
WebLogic Server Temporary Patch for CR374413, CR378680 Tue Sep 02 09:55:36 PDT 2008
WebLogic Server Temporary Patch for CR378102 Wed Sep 10 23:28:48 PDT 2008
WebLogic Server Temporary Patch for CR378741 Tue Sep 09 13:08:51 PDT 2008
WebLogic Server 10.3 Fri Jul 25 16:30:05 EDT 2008 1137967 >
<Mar 10 10, 2010 12:44:10 PM CITY> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 10 10, 2010 12:44:10 PM CITY> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Mar 10 10, 2010 12:44:10 PM CITY> <Notice> <Log Management> <BEA-170019> <The server log file /opt/oracle/user_projects/domains/alpha/servers/AdminServer/logs/AdminServer.log is opened. All server side log events will be written to this file.>
<Mar 10 10, 2010 12:44:13 PM CITY> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
<Mar 10 10, 2010 12:44:14 PM CITY> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Mar 10 10, 2010 12:44:14 PM CITY> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 10 10, 2010 12:44:14 PM CITY> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
<Mar 10 10, 2010 12:44:14 PM CITY> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Mar 10 10, 2010 12:44:14 PM CITY> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Mar 10 10, 2010 12:44:14 PM CITY> <Warning> <Server> <BEA-002611> <Hostname "localhost", maps to multiple IP addresses: 10.10.101.26, 127.0.0.1>
<Mar 10 10, 2010 12:44:14 PM CITY> <Notice> <Server> <BEA-002613> <Channel "Default[1]" is now listening on 127.0.0.1:7001 for protocols iiop, t3, ldap, snmp, http.>
<Mar 10 10, 2010 12:44:14 PM CITY> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 10.10.101.26:7001 for protocols iiop, t3, ldap, snmp, http.>
<Mar 10 10, 2010 12:44:14 PM CITY> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "AdminServer" for domain "alpha" running in Development Mode>
<Mar 10 10, 2010 12:44:14 PM CITY> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Mar 10 10, 2010 12:44:14 PM CITY> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
<Mar 10 10, 2010 12:44:15 PM CITY> <Warning> <Server> <BEA-002611> <Hostname "a-delta-vm.domain.ru", maps to multiple IP addresses: 10.10.101.26, 127.0.0.1>
Mar 10, 2010 12:49:11 PM com.sun.faces.config.ConfigureListener contextInitialized
INFO: Initializing Sun's JavaServer Faces implementation (1.2_03-b04-FCS) for context '/console'
Mar 10, 2010 12:49:11 PM com.sun.faces.config.ConfigureListener contextInitialized
INFO: Completed initializing Sun's JavaServer Faces implementation (1.2_03-b04-FCS) for context '/console'
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is kerberos/krb5.keytab refreshKrb5Config is false principal is HTTP/a-delta-vm.domain.ru@DOMAIN.RU tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>> KeyTabInputStream, readName(): DOMAIN.RU
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): a-delta-vm.domain.ru
>>> KeyTab: load() entry length: 72; type: 23
Added key: 23version: 4
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
principal's key obtained from the keytab
Acquire TGT using AS Exchange
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=gudwin.domain.ru UDP:88, timeout=30000, number of retries =3, #bytes=154
>>> KDCCommunication: kdc=gudwin.domain.ru UDP:88, timeout=30000,Attempt =1, #bytes=154
>>> KrbKdcReq send: #bytes read=146
>>> KrbKdcReq send: #bytes read=146
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Wed Mar 10 12:49:15 CITY 2010 1268214555000
         suSec is 748691
         error code is 25
         error Message is Additional pre-authentication required
         realm is DOMAIN.RU
         sname is krbtgt/DOMAIN.RU
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23
>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
>>>KrbAsReq salt is DOMAIN.RUHTTPa-delta-vm.domain.ru
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=gudwin.domain.ru UDP:88, timeout=30000, number of retries =3, #bytes=237
>>> KDCCommunication: kdc=gudwin.domain.ru UDP:88, timeout=30000,Attempt =1, #bytes=237
>>> KrbKdcReq send: #bytes read=1298
>>> KrbKdcReq send: #bytes read=1298
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/a-delta-vm.domain.ru
principal is HTTP/a-delta-vm.domain.ru@DOMAIN.RU
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 11 D2 35 AC 7C 11 B9 37 A7 80 C3 15 8E AC BC 57  ..5....7.......W
Added server's keyKerberos Principal HTTP/a-delta-vm.domain.ru@DOMAIN.RUKey Version 4key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 11 D2 35 AC 7C 11 B9 37 A7 80 C3 15 8E AC BC 57  ..5....7.......W
                [Krb5LoginModule] added Krb5Principal HTTP/a-delta-vm.domain.ru@DOMAIN.RU to Subject
Commit Succeeded
Found key for HTTP/a-delta-vm.domain.ru@DOMAIN.RU(23)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 3 1 23 16 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> Config reset default kdc DOMAIN.RU
replay cache for ALobanov@DOMAIN.RU is null.
object 0: 1268214554007/7713
object 0: 1268214554007/7713
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 613413366
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 285380195
<Mar 10 10, 2010 12:49:21 PM CITY> <Warning> <netuix> <BEA-423420> <Redirect is executed in begin or refresh action. Redirect url is /console/console.portal?_nfpb=true&_pageLabel=HomePage1.>
```