Help Document



HP Operations Orchestration Software Software Version: 9.00

Procedure and Technical Support Best Practices for Configuring SSO using Active Directory

© George Daflidis-Kotsis – GSD – OO Support - Hewlett-Packard Ltd / 2013

Legal Notices

Warranty
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notices
© Copyright 2010 Hewlett-Packard Development Company, L.P.

Trademark Notices
All marks mentioned in this document are the property of their respective owners.


Finding or updating documentation on the Web

Documentation enhancements are a continual project at Hewlett-Packard Software. You can obtain or update the HP OO documentation set and tutorials at any time from the HP Software Product Manuals web site. You will need an HP Passport to log in to the web site.

To obtain HP OO documentation and tutorials:

• Go to the HP Software Product Manuals web site (http://support.openview.hp.com/selfsolve/manuals).

• Log in with your HP Passport user name and password.
  OR
  If you do not have an HP Passport, click New users – please register to create an HP Passport, then return to this page and log in. If you need help getting an HP Passport, see your HP OO contact.

• In the Product list box, scroll down to and select Operations Orchestration.

• In the Product Version list, click the version of the manuals that you’re interested in.

• In the Operating System list, click the relevant operating system.

• Click the Search button.

• In the Results list, click the link for the file that you want.

Where to Find Help, Tutorials, and More

The HP Operations Orchestration software (HP OO) documentation set is made up of the following:

• Help for Central
  Central Help provides information on the following:
  o Finding and running flows
  o For HP OO administrators, configuring the functioning of HP OO
  o Generating and viewing the information available from the outcomes of flow runs
  The Central Help system is also available as a PDF document in the HP OO home directory, in the \Central\docs subdirectory.

• Help for Studio
  Studio Help instructs flow authors at varying levels of programming ability. The Studio Help system is also available as a PDF document in the HP OO home directory, in the \Studio\docs subdirectory.

• Animated tutorials for Central and Studio
  HP OO tutorials can each be completed in less than half an hour and provide basic instruction on the following:
  o In Central, finding, running, and viewing information from flows
  o In Studio, modifying flows
  The tutorials are available in the Central and Studio subdirectories of the HP OO home directory.

• Self-documentation for operations and flows in the Accelerator Packs and ITIL folders
  Self-documentation is available in the descriptions of the operations and steps that are included in the flows.

Support

For support information, including patches, troubleshooting aids, support contract management, product manuals and more, visit the following site:

• http://support.openview.hp.com


This Document

This document provides insight into setting up SSO using OO 9.00 and an Active Directory domain for authentication. It attempts to address various issues encountered when configuring SSO using the instructions included in the Administrator’s Guide, which are vague, to say the least. Certain issues arise, such as how the principal is set up (the procedure explained in the Administrator’s Guide is misleading). Also, it is not made crystal clear that DES authentication is outdated (it uses a weak 56-bit cipher) and is only included in the instructions for backward compatibility of Central installations on Linux. These instructions will allow Windows to select a stronger encryption cipher of its choice.

This procedure is based on a Windows 2008 R2 Central installation using a Windows 2008 R2 AD domain controller. Setting up SSO works better in Windows 2003, at least as far as the existing instructions are concerned, but since Windows 2003 is EOS by Microsoft, new instructions based on Windows 2008 R2 were required.

For the purposes of this document, we will assume a realm/DNS domain called ooemea.com, with the legacy NT Domain name being OOEMEA. The OO Central FQDN used is oo900win-sso.ooemea.com. The KDC’s FQDN will be msad.ooemea.com. Kerberos is case sensitive, so anything that appears in CAPS in this document must be defined in CAPS in the actual procedure carried out. Be careful when copy/pasting text from this document, as sometimes the characters look normal but are not, causing unexplained errors when used as part of a command described in this document.


On the Active Directory Domain Controller:

• In the “Active Directory Users & Computers” Windows interface create a user, for example with username sso_login, making sure that you only check "Password never expires" in the account options.

• Execute:

        ktpass -out mycentral.keytab -princ HTTP/[email protected] -mapuser OOEMEA\sso_login -pass opsware -crypto ALL -ptype KRB5_NT_PRINCIPAL

  Notes:
  o The mycentral part of the mycentral.keytab name can be any given name. It can even be the name of the Central server.
  o Using just sso_login instead of OOEMEA\sso_login will also work.

• Copy the mycentral.keytab created above to the Central server machine in the %ICONCLUDE_HOME%\Central\conf\ subdirectory.

• In the “Active Directory Users & Computers” Windows interface select the sso_login user created above, right-click and select Properties.
  o Go to the Delegation tab and select “Trust this user for delegation to any service (Kerberos only)”.
  o Go to the Account tab and check “Do not require Kerberos preauthentication”.

On the Central server machine, as OOEMEA\Administrator:

• Go to %ICONCLUDE_HOME%\Central\conf:
  o In jaasLogin.conf add (use / instead of \ as the path delimiter for keyTab):

        com.sun.security.jgss.accept {
            com.sun.security.auth.module.Krb5LoginModule required
            storeKey=true
            doNotPrompt=true
            useKeyTab=true
            kdc=msad.ooemea.com
            keyTab="C:/Program Files/Hewlett-Packard/Operations Orchestration/Central/conf/mycentral.keytab"
            realm="OOEMEA.COM"
            principal="HTTP/[email protected]"
            debug=true;
        };

  o Create krb5.conf containing:

        [libdefaults]
            default_realm = OOEMEA.COM
            ticket_lifetime = 24000
        [realms]
            OOEMEA.COM = {
                kdc = msad.ooemea.com
                admin_server = msad.ooemea.com
                default_domain = .OOEMEA.COM
            }
        [domain_realm]
            .ooemea.com = OOEMEA.COM
            ooemea.com = OOEMEA.COM
        [pam]
            debug = true

    Note: Make sure that there is a space before and after each = sign.

  o Copy krb5.conf to C:\Windows\krb5.ini. This is an optional step on some systems.
    Note: If you need to use a specific cipher (e.g. AES128) you have to add the following two lines to the [libdefaults] section of krb5.conf and krb5.ini:

        default_tkt_enctypes = aes128-cts-hmac-sha1-96
        permitted_enctypes = aes128-cts-hmac-sha1-96

• In the Central UI, go to: Administration -> System Configuration -> Authentication. Tick the “Kerberos enabled” checkbox under “Kerberos Settings”.

• Under the same section, in the “Kerberos5 configuration file” line enter the path to your krb5.conf file, e.g.: /Central/conf/krb5.conf
  Note: You are not required to fill out any of the other configurables in this section.

• Execute:

        kinit -J-Dsun.security.krb5.debug=true -f sso_login

  This step is optional on some systems.

• Edit %ICONCLUDE_HOME%\Central\WEB-INF\applicationContext.xml:
  o Locate the bean authenticationEntryPoint.
  o Change the property loginFormUrl from /static/Login.htm to /static/SSOLogin.htm

• Save & restart Central.


Configure Browsers (on a computer that belongs to the OOEMEA domain)

• Log on with an AD user to a computer that belongs to the OOEMEA domain. Do not use the machine that Central is installed on.

In IE:

• Add https://*.ooemea.com to the trusted site list for the Local intranet zone after logging on as an AD user and running IE. Depending on your permissions, you might have to execute IE using "Run as Administrator".
  Note: If the test fails, you might need to perform the following:
  o Modify the registry per http://support.microsoft.com/kb/2709891
  o Add the following key-value pairs under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:

        SuppressExtendedProtection = 2
        LmCompatibilityLevel = 3

In FireFox:

• At the Address bar type: about:config

• In the next screen click on the “I’ll be careful, I promise” button.

• Set the following parameters:
  o network.negotiate-auth.delegation-uris = ooemea.com
  o network.negotiate-auth.trusted-uris = ooemea.com

How to test

• A user is needed that belongs to the OOEMEA domain and also belongs to an OO external group.

• Log on using that user to a PC that belongs to the OOEMEA domain.
  Note: If you use the server that Central is installed on, it will not work.

• Make sure that the right modifications to the browser used have been made, as described above.

• Clear the browser history, especially login sessions & cookies.

• Restart the browser.

• Point the browser to: https://oo900win-sso.ooemea.com:8443/PAS/app

• If SSO works, the browser will directly display the Central UI dashboard and not the login screen.