IBM Security Access Manager v8.x Kerberos Part 1 Desktop Single Sign-on Solutions

Transcription

1 IBM Security Access Manager open mic webcast July 14, 2015 IBM Security Access Manager v8.x Kerberos Part 1 Desktop Single Sign-on Solutions Panelists Gianluca Gargaro L2 Support Engineer Darren Pond L2 Support Engineer Jutta Jaensch L2 Support Engineer Hans Vandeweghe L2 Support Engineer Antti Merihaara L2 Support Engineer Reminder: You must dial-in to the phone conference to listen to the panelists. The web cast does not include audio. USA Toll-Free: USA Toll: Participant passcode: Slides and additional dial in numbers: NOTICE: By participating in this call, you give your irrevocable consent to IBM to record any statements that you may make during the call, as well as to IBM's use of such recording in any and all media, including for video postings on YouTube. If you object, please do not connect to this call IBM Corporation

2 Agenda Windows Desktop SSO and SPNEGO concepts Active Directory and Appliance initial setup Multiple Virtual Host Junctions Multiple Active Directory Domains Multiple Replicated WebSeals Questions 2

3 Windows Desktop SSO and SPNEGO concepts Windows Desktop Single Sign-on is the name we use to define SPNEGO Kerberos authentication in ISAM. SPNEGO stands for Simple and Protected GSSAPI Negotiation Mechanism. Standardized method to establish a security context. WebSEAL uses the "HTTP Negotiate extension with sub-mechanism Kerberos. 3

4 Active Directory and Appliance initial setup Creating an identity for WebSEAL in an Active Directory domain Mapping a Kerberos principal to an Active Directory user Configuring the embedded Kerberos client Verifying WebSEAL authentication with the keytab file Configure WebSEAL instance Configure browsers 4

5 Active Directory and Appliance initial setup Creating an identity for WebSEAL in an Active Directory domain Create a user with a password that does not need to be changed and that never expires 5

6 Active Directory and Appliance initial setup Mapping a Kerberos principal to an Active Directory user Run ktpass command 6

7 Active Directory and Appliance initial setup Configuring the embedded Kerberos client Open Secure Web Settings > Global Settings > Kerberos Configuration Open the Realms tab to configure the realms section of the corresponding Kerberos configuration file Open the Domains tab to configure the domain_realm section of the corresponding Kerberos configuration file. 7

8 Active Directory and Appliance initial setup Verifying WebSEAL authentication with the keytab file Import keytab file on the appliance Verify SPN on the keytab 8

9 Active Directory and Appliance initial setup Configure Webseal instance Enable kerberos authentication mechanism select keytab from list Define the kerberos service name ( HTTP@... and not HTTP/ ) 9

10 Active Directory and Appliance initial setup Configuring the clients 10

11 Multiple Virtual Host junction Configuration actions within Active Directory System Configuration actions within DNS Configuration actions within ISAM Appliance 11

12 Multiple Virtual Host junction Configuration actions within Active Directory System Create one AD user for all virtual host junctions, e.g. virtual Do not require the user to change password at next log in. Do not set the password to expire. Use ktpass to map Kerberos principal to one AD user and generate keytab files The host name specified to the ktpass command should match the host name that clients use when contacting the WebSEAL server) All virtual host junctions can be mapped to one AD user 12

13 Multiple Virtual Host junction Configuration actions within DNS If you use different IP address - one for each virtual host junction you need to add each host name as (A) record and validate it for forward and reverse resolution. This is preferred when using HTTPS protocol If you use same IP address for all virtual host junctions you need to register only one host name as (A) record (e.g. WebSeal instance) and each virtual host junction host name is registered as alias (CNAME) of this (A) record. This will bring following message into WebSeal message log Requires alternate host name Kerberos principal mapped to AD user as well 13

14 Multiple Virtual Host junction Configuration actions within ISAM Appliance Upload the ktpass generated keytab files and combine to one keytab file Secure Web Settings Kerberos Configuration Keyfiles When using DNS Alias, include the keytab for alternate host name Kerberos principal Configure Default, Realms and Domains 14

15 Multiple Virtual Host junction Configuration actions within ISAM Appliance Create 2 virtual host junctions virtual1.jjtest.com and virtual2.jjtest.com Modify Kerberos Authentication in WebSeal 15

16 Multiple Active Directory Domains Domains Forest and trust relationship Where to create the WebSEAL user and keytab DNS considerations Mapping of AD users to ISAM users 16

17 Multiple Active Directory Domains Active Directory Domains and Forests Trusts Required trust is established for domains that reside within the same forest. All domain trusts in an Active Directory forest are two-way, transitive trusts. A Forest trust needs to be setup between domains residing in 2 separate forests. 17

18 Multiple Active Directory Domains Where to create WebSEAL user and keytab WebSEAL user can be created in any of the trusted domain DC Keytabs need to combined in case of multiple SPNs 18

19 Multiple Active Directory Domains DNS considerations User URL DNS alias (cname) :06: :00I x38CF0969 webseald WARNING wwa spnego authn-spnego.cpp 306 0x7f3d1b DPWWA2409W Reverse lookup for host test.domain-2.com' returned an alternate host name 'wga-wrp1.domain-1.com'. This might prevent SPNEGO authentication from functioning properly 19

20 Multiple Active Directory Domains Mapping of AD users to ISAM users User must exist in ISAM registry and it should be a valid user. In case user-id returned by gss-api does not exist or is not a valid user authentication can t be completed HPDIA0114E Could not acquire a client credential Leverage on Federated Registry Even easier if using basic user support 20

21 Multiple Replicated WebSeals Verify DNS is configured correctly Set Kerberos Domain configuration Match the host name to the ktpass command Enable SPNEGO for a WebSEAL instance Configure the Front End Load Balancer ( FELB ) appliance Configure the Internet Explorer Client 21

22 Multiple Replicated WebSeals Verify DNS is configured correctly Make forward and reverse DNS queries to verify the load balancer s host name is resolved correctly Run nslookup on the client, all the WebSEAL servers, and the Active Directory domain controller 22

23 Multiple Replicated WebSeals Set kerberos domain configuration Set Local DNS Value to match the host name of the load balancer 23

24 Multiple Replicated WebSeals Match the host name to the ktpass command On the Active Directory server run the ktpass command Make sure the host name used by the clients to contact load balanced WebSEAL servers is used to the ktpass command Example ktpass -princ -mapuser IBM\desktopssoid -pass <passwd> -crypto rc4-hmac-nt -ptype KRB5_NT_PRINCIPAL -out c:\tmp\openmic.keytab - mapop set 24

25 Multiple Replicated WebSeals Enable SPNEGO for each WebSEAL instance Edit each WebSEAL instance setting the same Kerberos Service Name Transport can be either HTTP, HTTPS or both In case of problem it is ususally easier to troubleshoot with the HTTP protocol 25

26 Multiple Replicated WebSeals Configure the Front End Load Balancer (FELB) appliance Create two virtual servers, one for http and one for https, both of them listen to the IP address that is assigned the SPN defined (openmic.ibm.net) Virtual server can be defined as either layer 4 or 7. With the layer 4 SSL is terminated by the WebSEAL,and with the layer 7 SSL is terminated by the FELB 26

27 Multiple Replicated WebSeals Configure the Internet Explorer Client Add the load balancer s host name to Intranet Sites 27

28 Questions Multiple Replicated for the panel? WebSeals Now is your opportunity to ask questions of our panelists. To ask a question now: Press *1 to ask a question over the phone or Type your question into the SmartCloud Meetings chat To ask a question after this presentation: You are encouraged to participate in this topic discussion in our IBM developerworks Forum: 28

29 Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY Copyright IBM Corporation All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.