9 Replies Latest reply on Aug 23, 2010 10:46 AM by ranman17

    SPNEGO SSO Problems...

    ranman17

      I am trying to set up the SPNEGO SSO for the jboss epp 5.0 platform portal and am facing couple of issues in following through the below documentation.

       

      http://www.redhat.com/docs/en-US/JBoss_Enterprise_Portal_Platform/5.0.0/html/Reference_Guide/sect-Reference_Guide-SSO_Single_Sign_On-SPNEGO_Simple_and_Protected_GSSAPI_Negotiation_Mechanism.html

       

       

      1. Cannot find the following jar in jboss-epp5.0 directory structure (step #4 in the above document).

       

      $GATEIN_SSO_HOME/spnego/gatein.ear/lib/sso-spnego.jar

       

      2. The following section says to uncomment a section in the below xml file, but the file does not contain any specifics of

      the info that needs to be uncommented. Do we need to add it?(step #5)?

       

      Modifying deploy/gatein.ear/META-INF/gatein-jboss-beans.xml  to match the following

       

      3. Cannot find the following directory structure (step #8):

       

      gatein.war/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtmpl

       

       

      4. Not very clear as to what to use for 'server.local.network". Is it the machine name where the jboss app is deployed?

       

       

      5. After all the configuration is done, the document says to start the server by running the below command.

       

      ./run.sh -Djava.security.krb5.realm=LOCAL.NETWORK -Djava.security.krb5.kdc=server.local.network -c spnego -b server.local.network

       

      The above will throw an error as there is no configuration for spnego ( as spnego is not a server configuration allowed).

       

       

      Could you please let us know if there is any latest document that I could follow in setting this up?

        • 1. Re: SPNEGO SSO Problems...
          mposolda

          Hi Ranjith,

          here is my notes to your questions:

           

          1. This looks like a typo in documentation. Correct file should be $GATEIN_SSO_HOME/spnego/gatein.ear/lib/spnego-<VERSION>-epp-GA.jar instead of $GATEIN_SSO_HOME/spnego/gatein.ear/lib/sso-spnego.jar.

           

          2. You will need to modify the file deploy/gatein.ear/META-INF/gatein-jboss-beans.xml and it should contain only 2 login modules (org.gatein.sso.spnego.SPNEGOLoginModule and org.gatein.sso.agent.login.SPNEGORolesModule). Other login modules (PortalLoginModule, SharedStateLoginModule, ...) need to be removed for SPNEGO integration.

           

          3. Another typo in documentation. Correct location should be $EPP5_HOME/jboss-as/server/<SERVER_TYPE>/deploy/gatein.ear/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtmpl

           

          4. server.local.network should point to your KDC server. And the setup assumes that this is also the server where EPP5 will be executed. You can use this wiki http://community.jboss.org/wiki/SettingupyourKerberosDevelopmentEnvironment to prepare Kerberos environment for SPNEGO integration. You will need to add server.local.network to your /etc/hosts or DNS server as mentioned in wiki. (This wiki page is also refered from step #1).

           

          5. Another typo in documentation. Correct command should be
          sudo ./run.sh -Djava.security.krb5.realm=LOCAL.NETWORK -Djava.security.krb5.kdc=server.local.network -c <SERVER_TYPE> -b server.local.network
          where <SERVER_TYPE> points to server configuration where you made all the previous steps (step #1 - step #9).

           

          For example if you made it in "default" configuration, the you will need to use
          sudo ./run.sh -Djava.security.krb5.realm=LOCAL.NETWORK -Djava.security.krb5.kdc=server.local.network -c default -b server.local.network

           

          Thanks for reporting all problems in documentation. I hope that documentation for EPP 5.0.1 will be updated according to your notes. Integration of EPP5 with SPNEGO is not as easy. The best way is to start with wiki page for Kerberos setup ( http://community.jboss.org/wiki/SettingupyourKerberosDevelopmentEnvironment ) and then do the steps described in reference guide. Another informations which can help with integration are on page https://docspace.corp.redhat.com/docs/DOC-38222 but this is internal RedHat page. If you have EPP5 subscription, you can contact EPP support team to access informations on this page.

           

          Hope this helps,
          Marek

          • 2. Re: SPNEGO SSO Problems...
            ranman17

            Thanks for the information. It will be useful for lot of users setting this up.

             

            One more question, I am planning to use the central kerberos server and EPP will run on a different machine. Not sure what should I use for the following?

             

            SERVER.LOCAL.NETWORK and LOCAL.NETWORK.

             

            For example, if my kerberos server is : kerberos.sample.com

            EPP Server : myepp.sample.com

             

            Thanks,

            Ranjith.

            • 3. Re: SPNEGO SSO Problems...
              ranman17

              Another question is that I could see the web.war in the below directory structure but not sure if we need to edit the file in the war file. It's not a directory. Should be recreate the war with the updated  UIBannerPortlet.gtmpl?

               

              3. Another typo in documentation. Correct location should be  $EPP5_HOME/jboss-as/server/<SERVER_TYPE>/deploy/gatein.ear/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtmpl

               

              Thanks,

              Ranjith.

              • 4. Re: SPNEGO SSO Problems...
                mposolda

                Wiki and EPP5 reference guide assumes that you are using same server for Kerberos and EPP5 (server.local.network). So I think it will be easiest for you to start with this setup and have integration up and running with both kerberos and EPP5 on one server kerberos.sample.com. After you have it up and running, you can extend and use different server for EPP5.

                 

                LOCAL.NETWORK points to your Kerberos realm and server.local.network is server with kerberos. You can look to Kerberos documentation for more informations, it will be very useful for you to know more about Kerberos before doing this integration.

                 

                Your second question:

                 

                The content of UIBannerPortlet.gtmpl inside web.war should be updated according to documentation. You can do it various ways:

                1)

                - Unpack web.war to some temporary dir

                - Edit file UIBannerPortlet.gtmpl inside this directory

                - Pack the temporary directory and replace existing web.war in $EPP5_HOME/jboss-as/server/default/deploy/gatein.ear

                 

                2) If you are using linux, then you can use utility "mc". You are able to edit content insided WAR archives and other archives without need to unpack them and pack them back.

                 

                i am preferring the step #2 (direct edit of WAR file content with mc or some other utility). It's much faster.

                 

                Hope this helps,

                Marek

                • 5. Re: SPNEGO SSO Problems...
                  ranman17

                  Thanks again for the prompt reply.

                   

                  I was looking at the document and it did not explictly mentioned that the EPP and the Kerberos server has to be installed on the same machine?  Also, I don't think anyone would want to install EPP and the AD/kerberos on the same machine. Is there any document related to the setup instrcutions where EPP and the Kerberos/AD is installed on different machines? I looked to search the documentation specific to this set up and could only find the above mentioned url and nothing else.  Just wondering if anyone had set up in different machines (EPP and Kerberos) and had this working successfully? If yes, can someone please share the specifics in implementing this.

                   

                  Thanks,

                  Ranjith.

                  • 6. Re: SPNEGO SSO Problems...
                    ranman17

                    Could you also please clarify what needs to be filled in for the following in step #7 in the above document?

                     

                    Add the following filters to the top of the Filter chain in the web.xml file:

                     

                    /*

                     

                            <!-- This should point to your SSO authentication server -->                                                                                              
                            <param-name>LOGIN_URL</param-name>

                     

                    */

                     

                    Is it http://localhost:8080/portal?

                     

                    Thanks,

                    Ranjith.

                    • 7. Re: SPNEGO SSO Problems...
                      ranman17

                      I would really appreciate if someone who have done this integeration can share the steps and any problems encountered during the integeration. I am stuck with lot of steps mentioned in the above doc. Any help on this is very much appreciated.

                       

                      Thanks,

                      Ranjith.

                      • 8. Re: SPNEGO SSO Problems...
                        mposolda
                        Hi,
                        you don't need to change LOGIN_URL because it indicates only parameter name. Parameter value should be "/portal/private/classic", which is default EPP page.
                        You can change this value to other portal page if you want.

                        Marek
                        • 9. Re: SPNEGO SSO Problems...
                          ranman17

                          I am getting the following message in the server logs after configuring all the steps mentioned in the doc.

                           

                          [SPNEGOLoginModule] Unsupported negotiation mechanism 'NTLM'.

                           

                          Once the portal is up and running, afer clicking the 'Sign In" link, it gives the above message. Anyone has encountered the above error?

                           

                          Thanks,

                          Ranjith.