Configuring Oracle® Hyperion Enterprise Performance Management System 11.1.2.x for Kerberos Authentication Knowledge of Kerberos and its configuration at the system level is assumed in this document, as it documents configuration steps needed at the application level. Before you start these procedures, please confirm that the prerequisites for these tasks are completed. Prerequisites Tasks: 1. Corporate Active Directory is configured for Kerberos authentication (http://www.microsoft.com/windowsserver2003/technologies/security/kerberos/de fault.mspx) 2. Windows client machines are configured for Kerberos authentication (http://support.microsoft.com/kb/295017). 3. The Client and Server are in Time Sync with a skew of not more that 5 minutes. (http://technet.microsoft.com/en-us/library/cc780011(WS.10).aspx). 4. Browsers are configured to negotiate using Kerberos tickets: IE (http://download.oracle.com/docs/cd/E12839_01/web.1111/e13707/sso.htm#i110 2444) or Firefox (http://docs.redhat.com/docs/enUS/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sso-configfirefox.html) 5. IIS is set up if IIS is used as the front-end Web server http://download.oracle.com/docs/cd/E12839_01/apirefs.1111/ e14395/isapi.html#wp101184 and disable Windows Integrated Authentication http://support.microsoft.com/kb/215383 Kerberos Authentication Flow Diagram for EPM System The configuration of EPM System with Kerberos is supported using the WebLogic Negotiate Identity Asserter. The basic communication is as follows: Windows Client Windows Desktop Login Kerberos Ticket EPM OHS Web Server Kerberos Ticket EPM Weblogic Domain Active Directory / KDC Token Authenticate Negotiate Identity Asserter Username Configuration of EPM for Kerberos is done in three steps. EPM Web Application Step 1 - Configure EPM System’s WebLogic domain for Kerberos authentication • • Install all the products you wish to use but only deploy and configure Foundation Services. This will create a WebLogic domain. The default domain name is EPMSystem. Configure the EPMSystem domain for Kerberos authentication a. Create an LDAP Authentication Provider http://download.oracle.com/docs/cd/E12839_01/web.1111/e13707/atn.htm #i1216261 b. Create a Negotiate asserter http://download.oracle.com/docs/cd/E12839_01/web.1111/e13707/atn.htm #i1208059 Note: Set the JAAS option to OPTIONAL for all of the Authenticators. Refer to http://download.oracle.com/docs/cd/E12839_01/apirefs.1111/e139 52/taskhelp/security/SetTheJAASControlFlag.html for more details. c. Create service principals and map them to user objects that represent the WebLogic server and Web Server – http://download.oracle.com/docs/cd/E12839_01/web.1111/e13707/sso.htm #i1101993. Note: An example of a Service Principal, • Create a normal User object in AD – for example EPM_Weblogic, for representing the WLS service running on each of the weblogic servers hosting EPM products. i. While creating the user object, do not select any of the Password options. After creating the object, click properties and select the following option • Reset password after changing the encryption type. An Example of creating the key tab file is given below: ktpass -princ HTTP/[email protected] -pass password -mapuser myhost -out c:\temp\myhost.host.keytab -DesOnly • JDK5 onwards the com.sun.security.jgss.accept package has changed to com.sun.security.jgss.krb5.accept. • Use the Kerberos admin commands like kinit, ktab, create the krb5.ini file as described in http://download.oracle.com/docs/cd/E12839_01/web.1111/e13707/sso.htm#i1103 676 d. Configure WebLogic start scripts http://download.oracle.com/docs/cd/E12839_01/web.1111/e13707/sso.htm #i1102021 i. In windows environments the EPM Managed servers are run as Windows Services. The startup JVM options have to be set as described as follows for each of the EPM Weblogic managed servers. Perform this step for FoundationServices managed server only at this time a. Start the Windows regedit utility. b. Navigate to My Computer -> HKEY_LOCAL_MACHINE->SOFTWARE->Hyperion Solutions ->HyS9FoundationServices and create additional String values for JVMOption shown in Step c. c. Add the Kerberos JVM options as shown d. Modify the JVMOptionCount to reflect the new sum total of JVMOptions by adding 5 to the current OptionCount. e. Configure authorization policies for Active Directory users that will access the EPM products http://download.oracle.com/docs/cd/E12839_01/web.1111/e13747/secejb war.htm#i1242796. Refer to the section – Deploy Diagnostics Web App to test Kerberos Configuration - for an example of how to configure a Policy. Step 2 - Deploy Diagnostics Web Application to test Kerberos configuration EPM System has provided a test Web Application that can be used to test that WebLogic is properly configured for Kerberos authentication. For 11.1.2.0, download the patch 11678653 from http://support.oracle.com and apply it, which contains the Diagnostics Web App SSODiag.war. Launch the EPM domain WebLogic admin console to deploy the reference implementation SSODiag.war Web application to the Foundation Services managed server. Login to WebLogic admin console and choose to install. Pick the SSODiag.war. Choose “Install this deployment as an application”. Deploy the SSODiag.war application to the FoundationServices managed server. Choose Custom Roles and Policies as the security model. Complete the deployment. 1. Configure OHS and add a forwarding request for SSODiag url. 2. Add the following lines into the mod_wl_ohs.conf file located under <EPM_ORACLE_INSTANCE>/httpConfig/ohs/config/OHS/ohs_component directory to forward request to WLS from OHS. Restart the server after making the changes. <LocationMatch ^/SSODiag/> SetHandler weblogic-handler WeblogicCluster HSS_Server_Name:HSS port </LocationMatch> 3. Protect the URL by creating a policy in the WebLogic admin console for the URL http://OHS_server_name:port/SSODiag/krbssodiag krbuser1 is a sample domain user that will access the browser from the Desktop. This can be a AD userid or a AD group. 4. Start the Foundation Services and SSODiag utility. 5. Login as a valid provisioned active directory user into the client machine configured for Kerberos authentication and access the page http://OHS_server_name:port/SSODiag/krbssodiag from a browser. 6. If the Kerberos configuration is done correctly the following page is shown. 7. If the Kerberos configuration is not done correctly the following page is seen. Take corrective steps. After Kerberos Diagnostics Utility is run successfully, go to Step 3 Step 3: Configure and deploy the rest of EPM System to this domain. Configure all EPM System products using the EPM System Configurator and deploy to the EPM domain. Step 4 - Configure EPM products for Kerberos authentication 1. Configure WebLogic start scripts http://download.oracle.com/docs/cd/E12839_01/web.1111/e13707/sso.htm#i1102 021 ◦ In windows environments the EPM Managed servers are run as Windows Services. The startup JVM options have to be set as described as follows for each of the EPM Weblogic managed servers. The example below describes how to for the FoundationServices managed server only. This needs to be performed for each of the Weblogic managed servers. • Start the Windows regedit utility. • Navigate to My Computer -> HKEY_LOCAL_MACHINE>SOFTWARE->Hyperion Solutions ->HyS9FoundationServices and create additional String values for JVMOption shown below • • Add the Kerberos JVM options as shown where the krb5.realm is the actual kerberos domain name, krb5.kds is the domain controller ip address • Modify the JVMOptionCount to reflect the new sum total of JVMOptions by adding 5 to the current OptionCount. The comprehensive list of EPM Weblogic managed servers in windows to perform step b,c and d on is AnalyticProviderServices0, CalcMgr0, DisclosureManagement0, EpmaDataSync0, EpmaWebReports0, ErpIntegrator0, EssbaseAdminServer0, FinancialReporting0, FMWebServices0, FoundationServices0, HpsAlerter0, HpsWebReports0, hsfweb0, Planning0, Profitability0, RaFramework0, WebAnalysis0. If • deployed in compact deployment mode then there would be on EPMSystem0 managed server. Configure authorization policies for Active Directory users that will access the EPM products http://download.oracle.com/docs/cd/E12839_01/web.1111/e13747/secejb war.htm#i1242796. Refer to the section – Deploy Diagnostics Web App to test Kerberos Configuration - for an example of how to configure a Policy. 2. Change the default Security model with which EPM is deployed from DDOnly to CustomRolesAndPolicies . ◦ Edit the <EPM_ORACLE_INSTANCE>/domains/EPMSystem/config /config.xml file. • • • For each of the EPM deployments for each of the EPM weblogic managed servers in the config.xml. The screen shot shows only a partial list of the entries. All EPM managed server entries in the config.xml needs to be modified for the security-dd-model entry and set to CustomRolesAndPolicies (case sensitive). A comprehensive list of EPM Weblogic enterprise application is AIF, APS, CALC, DISCLOSUREMANAGEMENT, EAS, EPMADATASYNCHRONIZER, EPMAWEBTIER, FINANCIALREPORTING, HPSAlerter, HPSWebReports, HSFWEB, PLANNING, PROFITABILITY, RAFRAMEWORK, SHAREDSERVICES, WEBANALYSIS, WORKSPACE. Create a URL protection policy for each of the EPM enterprise applications similar to the one shown for SSODiag deployment. Login to the Weblogic admin console as an admin Click on Deployments. A comprehensive list of EPM Weblogic enterprise application is AIF, APS, CALC, DISCLOSUREMANAGEMENT, EAS, EPMADATASYNCHRONIZER, EPMAWEBTIER, FINANCIALREPORTING, HPSAlerter, HPSWebReports, HSFWEB, PLANNING, PROFITABILITY, RAFRAMEWORK, SHAREDSERVICES, WEBANALYSIS, WORKSPACE. • Pick a particular Enterprise Application such as PLANNING and expand the node and click on the web application HyperionPlanning. • Click the Security tab and choose New Role. If you see the message “If you are using the DD Only security model for this deployment, then you cannot use the Administration Console to modify its security roles.” means that Step 2 was not done for this particular web application. Redo step 2. • Type /* for the Name and click OK • Click on /* link • Choose Add Conditions under Role Conditions: • Choose a predicate list to be a AD group or User and click Next. These are the users who will be granted privileges to access this EPM web application. • Type in the name of the AD group and click Finish. Choose a AD group contains all the users that will access EPM products. Check with your AD admin to get the exact group name. It should match the name in AD. Weblogic will show an error after the Finish button is clicked if the group cannot be found. • Repeat the above steps for creating the policy for each of the webapps mentioned above. Step 5 - Modify the EPM web applications to enable client cert based authentication in weblogic. This step is needed for EPM versions 11.1.2.1.00 or earlier 1. Modify the following web application archives to insert a login-config entry a) The following list of application archives need to be modified. The application archives can be found under <EPM_ORACLE_HOME>/EPMSystemR11/products • DisclosureManagement/AppServer/InstallableApps/common/DisclosureM anagement.ear • Essbase/eas/server/AppServer/InstallableApps/Common/eas.ear • FinancialDataQuality/AppServer/InstallableApps/aif.ear • financialreporting/InstallableApps/HReports.ear • Foundation/AppServer/InstallableApps/common/interop.ear • hsf/AppServer/InstallableApps/hsf.ear • PerformanceScorecard/AppServer/InstallableApps/common/webapps/HPS Alerter.ear • PerformanceScorecard/AppServer/InstallableApps/common/webapps/HPS WebReports.ear • Planning/AppServer/InstallableApps/Common/HyperionPlanning.ear • Profitability/AppServer/InstallableApps/common/profitability.ear b) Extract each of the above ear files using 7zip application c) Open the .war file inside the .ear file using 7zip application d) Open the web.xml file under the WEB-INF folder inside the war file using a text editor e) Go to the end of the file and insert the following lines just above the </webapp> tag • <login-config> <auth-method>CLIENT-CERT</auth-method> </login-config> f) Save the file and 7zip will ask if you want to update the archive. Choose Yes g) Close the 7zip application. Step 5 – Enable the security configuration in EPM Shared Services to perform SSO with kerberos enabled Weblogic 1. Launch Shared Services and login as an Administrator user. 2. Add the Active Directory domain that is configured for Kerberos authentication as a User Directory. 3. Ensure that the login attribute is set to the same attribute (such as uid or samAccountName) as set in the weblogic identity authentication provider. 4. Go to the Security Options tab for this Active Directory provider and enable Single Sign-On Configuration and choose the Get Remote User from HTTP Request as the SSO mechanism. Test configuration by logging into Shared Services and ensure Kerberos is properly configured. Copyright © 2011, Oracle and / or its affiliates. All rights reserved. http://www.oracle.com
© Copyright 2024 Paperzz
