-
1. Re: SPNEGO SSO Problems...
mposolda Aug 18, 2010 6:24 PM (in response to ranman17)
Hi Ranjith,
here are my notes to your questions:
1. This looks like a typo in documentation. Correct file should be $GATEIN_SSO_HOME/spnego/gatein.ear/lib/spnego-<VERSION>-epp-GA.jar instead of $GATEIN_SSO_HOME/spnego/gatein.ear/lib/sso-spnego.jar.
2. You will need to modify the file deploy/gatein.ear/META-INF/gatein-jboss-beans.xml and it should contain only 2 login modules (org.gatein.sso.spnego.SPNEGOLoginModule and org.gatein.sso.agent.login.SPNEGORolesModule). Other login modules (PortalLoginModule, SharedStateLoginModule, ...) need to be removed for SPNEGO integration.
3. Another typo in documentation. Correct location should be $EPP5_HOME/jboss-as/server/<SERVER_TYPE>/deploy/gatein.ear/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtmpl
4. server.local.network should point to your KDC server. And the setup assumes that this is also the server where EPP5 will be executed. You can use this wiki http://community.jboss.org/wiki/SettingupyourKerberosDevelopmentEnvironment to prepare Kerberos environment for SPNEGO integration. You will need to add server.local.network to your /etc/hosts or DNS server as mentioned in wiki. (This wiki page is also referred to from step #1).
5. Another typo in documentation. Correct command should be
sudo ./run.sh -Djava.security.krb5.realm=LOCAL.NETWORK -Djava.security.krb5.kdc=server.local.network -c <SERVER_TYPE> -b server.local.network
where <SERVER_TYPE> points to server configuration where you made all the previous steps (step #1 - step #9). For example if you made it in "default" configuration, then you will need to use
sudo ./run.sh -Djava.security.krb5.realm=LOCAL.NETWORK -Djava.security.krb5.kdc=server.local.network -c default -b server.local.network
Thanks for reporting all problems in documentation. I hope that documentation for EPP 5.0.1 will be updated according to your notes. Integration of EPP5 with SPNEGO is not as easy. The best way is to start with wiki page for Kerberos setup ( http://community.jboss.org/wiki/SettingupyourKerberosDevelopmentEnvironment ) and then do the steps described in reference guide. Other information which can help with integration is on page https://docspace.corp.redhat.com/docs/DOC-38222 but this is internal RedHat page. If you have EPP5 subscription, you can contact EPP support team to access information on this page.
Hope this helps,
Marek
-
2. Re: SPNEGO SSO Problems...
ranman17 Aug 18, 2010 7:56 PM (in response to mposolda)
Thanks for the information. It will be useful for a lot of users setting this up.
One more question, I am planning to use the central kerberos server and EPP will run on a different machine. Not sure what should I use for the following?
SERVER.LOCAL.NETWORK and LOCAL.NETWORK.
For example, if my kerberos server is : kerberos.sample.com
EPP Server : myepp.sample.com
Thanks,
Ranjith.
-
3. Re: SPNEGO SSO Problems...
ranman17 Aug 19, 2010 1:57 AM (in response to ranman17)
Another question is that I could see the web.war in the below directory structure but not sure if we need to edit the file in the war file. It's not a directory. Should we recreate the war with the updated UIBannerPortlet.gtmpl?
3. Another typo in documentation. Correct location should be $EPP5_HOME/jboss-as/server/<SERVER_TYPE>/deploy/gatein.ear/web.war/groovy/groovy/webui/component/UIBannerPortlet.gtmpl
Thanks,
Ranjith.
-
4. Re: SPNEGO SSO Problems...
mposolda Aug 19, 2010 3:18 AM (in response to ranman17)
Wiki and EPP5 reference guide assume that you are using same server for Kerberos and EPP5 (server.local.network). So I think it will be easiest for you to start with this setup and have integration up and running with both kerberos and EPP5 on one server kerberos.sample.com. After you have it up and running, you can extend and use different server for EPP5.
LOCAL.NETWORK points to your Kerberos realm and server.local.network is server with kerberos. You can look to Kerberos documentation for more information, it will be very useful for you to know more about Kerberos before doing this integration.
Your second question:
The content of UIBannerPortlet.gtmpl inside web.war should be updated according to documentation. You can do it various ways:
1)
- Unpack web.war to some temporary dir
- Edit file UIBannerPortlet.gtmpl inside this directory
- Pack the temporary directory and replace existing web.war in $EPP5_HOME/jboss-as/server/default/deploy/gatein.ear
2) If you are using linux, then you can use utility "mc". You are able to edit content inside WAR archives and other archives without need to unpack them and pack them back.
I prefer step #2 (direct edit of WAR file content with mc or some other utility). It's much faster.
Hope this helps,
Marek
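The unpack, edit and repack steps from the post above as one operation, in an added example that is not part of the thread or of the EPP documentation: it rewrites a single entry of web.war and keeps a `.bak` copy for rollback. The function names, the `.bak` suffix and the sample archive contents are assumptions made for the illustration; the actual change to UIBannerPortlet.gtmpl is whatever the reference guide specifies.

```python
import os
import shutil
import tempfile
import zipfile

# Path of the template inside web.war, as given in the thread.
BANNER = "groovy/groovy/webui/component/UIBannerPortlet.gtmpl"

def edit_war_entry(war_path, entry, edit):
    """Apply edit(bytes) -> bytes to one archive entry; return the backup path."""
    war_dir = os.path.dirname(os.path.abspath(war_path))
    fd, tmp_path = tempfile.mkstemp(suffix=".tmp", dir=war_dir)
    os.close(fd)
    try:
        with zipfile.ZipFile(war_path) as src, \
                zipfile.ZipFile(tmp_path, "w", zipfile.ZIP_DEFLATED) as dst:
            if entry not in src.namelist():
                raise KeyError(f"{entry} is not in {war_path}")
            for info in src.infolist():
                data = src.read(info.filename)   # read before writestr touches info
                if info.filename == entry:
                    data = edit(data)
                dst.writestr(info, data)         # keeps name, timestamp, permissions
        backup = war_path + ".bak"
        shutil.copy2(war_path, backup)           # keep the original for rollback
        os.replace(tmp_path, war_path)           # swap in the rebuilt archive
        return backup
    except BaseException:
        os.unlink(tmp_path)                      # never leave a half-written archive
        raise

def demo():
    """Build a small constructed web.war, edit the banner template, read it back."""
    workdir = tempfile.mkdtemp()
    war = os.path.join(workdir, "web.war")
    with zipfile.ZipFile(war, "w") as z:
        z.writestr(BANNER, "<a>Sign in</a>\n")          # constructed content
        z.writestr("WEB-INF/web.xml", "<web-app/>\n")   # constructed content
    backup = edit_war_entry(war, BANNER, lambda old: old + b"<!-- edited -->\n")
    with zipfile.ZipFile(war) as z, zipfile.ZipFile(backup) as b:
        return z.read(BANNER), z.read("WEB-INF/web.xml"), b.read(BANNER)

if __name__ == "__main__":
    print(demo())
```

Run it with the server stopped, and compare the archive against the `.bak` copy before restarting.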
-
5. Re: SPNEGO SSO Problems...
ranman17 Aug 19, 2010 3:53 AM (in response to mposolda)
Thanks again for the prompt reply.
I was looking at the document and it did not explicitly mention that the EPP and the Kerberos server have to be installed on the same machine? Also, I don't think anyone would want to install EPP and the AD/kerberos on the same machine. Is there any document related to the setup instructions where EPP and the Kerberos/AD is installed on different machines? I looked to search the documentation specific to this set up and could only find the above mentioned url and nothing else. Just wondering if anyone had set up in different machines (EPP and Kerberos) and had this working successfully? If yes, can someone please share the specifics in implementing this.
Thanks,
Ranjith.
-
6. Re: SPNEGO SSO Problems...
ranman17 Aug 19, 2010 8:23 PM (in response to ranman17)
Could you also please clarify what needs to be filled in for the following in step #7 in the above document?
Add the following filters to the top of the Filter chain in the web.xml file:
<!-- This should point to your SSO authentication server -->
<param-name>LOGIN_URL</param-name>
Is it http://localhost:8080/portal?
Thanks,
Ranjith.
-
7. Re: SPNEGO SSO Problems...
ranman17 Aug 23, 2010 3:08 AM (in response to ranman17)
I would really appreciate if someone who has done this integration can share the steps and any problems encountered during the integration. I am stuck with a lot of steps mentioned in the above doc. Any help on this is very much appreciated.
Thanks,
Ranjith.
-
8. Re: SPNEGO SSO Problems...
mposolda Aug 23, 2010 4:18 AM (in response to ranman17)
Hi,
you don't need to change LOGIN_URL because it indicates only parameter name. Parameter value should be "/portal/private/classic", which is default EPP page.
You can change this value to other portal page if you want.
Marek
-
9. Re: SPNEGO SSO Problems...
ranman17 Aug 23, 2010 10:46 AM (in response to mposolda)
I am getting the following message in the server logs after configuring all the steps mentioned in the doc.
[SPNEGOLoginModule] Unsupported negotiation mechanism 'NTLM'.
Once the portal is up and running, after clicking the "Sign In" link, it gives the above message. Has anyone encountered the above error?
Thanks,
Ranjith.
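The log line in the post above names NTLM as the mechanism the login module was offered. The following check is an added example, not from the thread or from the GateIn/JBoss code: it classifies the token in an `Authorization: Negotiate` header by its leading bytes, so a captured request can be inspected for a bare NTLM message versus a SPNEGO or Kerberos token. The function names, return labels and sample headers are constructed for the illustration.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"                              # raw NTLM message signature
OID_SPNEGO = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
OID_NTLM = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10

def classify_negotiate(header_value):
    """Return the mechanism an Authorization header value offers."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                      # binascii.Error subclasses ValueError
        return "malformed"
    if token.startswith(NTLMSSP):
        return "ntlm"                       # bare NTLM, no SPNEGO wrapper
    if len(token) < 2 or token[0] != 0x60:  # 0x60 = GSS-API initial context token
        return "unknown"
    # Skip the DER length: one byte, or 0x80|n followed by n length bytes.
    pos = 2 if token[1] < 0x80 else 2 + (token[1] & 0x7F)
    body = token[pos:]
    if body.startswith(OID_KRB5):
        return "kerberos"                   # Kerberos token without SPNEGO wrapper
    if not body.startswith(OID_SPNEGO):
        return "unknown"
    # Inside SPNEGO, look for offered mechanism OIDs (byte search, not a full parse).
    if OID_KRB5 in body:
        return "spnego-kerberos"
    return "spnego-ntlm" if OID_NTLM in body else "spnego-other"

def sample_headers():
    """Constructed header values, truncated after the bytes this check reads."""
    def wrap(oid):
        n = len(oid)
        mech_list = bytes([0xA0, n + 6, 0x30, n + 4, 0xA0, n + 2, 0x30, n]) + oid
        body = OID_SPNEGO + mech_list
        return bytes([0x60, len(body)]) + body
    tokens = {"ntlm": NTLMSSP + b"\x01\x00\x00\x00",
              "spnego-kerberos": wrap(OID_KRB5),
              "spnego-ntlm": wrap(OID_NTLM)}
    return {k: "Negotiate " + base64.b64encode(v).decode() for k, v in tokens.items()}

if __name__ == "__main__":
    for label, header in sample_headers().items():
        print(label, "->", classify_negotiate(header))
```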