HP Service Health Reporter Configuring SHR to use Windows AD Authentication

Transcription

1 Technical white paper HP Service Health Reporter Configuring SHR to use Windows AD Authentication For the Windows Operation System Software Version 9.3x Table of Contents Introduction... 2 Motivation... 2 Overview... 2 Configuring AD authentication for SHR... 2 Setting up a service account... 2 Configure the service account rights... 3 Register Service Principle Name (SPN)... 5 Configure SIA to use the service account... 5 Configure the AD plug-in... 6 Configure Tomcat web.xml file for Infoview and CMC to enable manual AD login... 9 Configure the bsclogin.conf and krb5.ini files... 9 Configure the Tomcat Java option Configuring SHR Administration UI for AD authentication References Click here to verify the latest version of this document

2 Introduction This document aims at providing the steps to configure AD authentication for Business Objects using Kerberos to allow the role based security for users while accessing SHR reports, universes and Administration UI. Motivation In customer s environment, may be users are authenticated by AD authentication. It is possible to extend the same AD authentication for all the SHR users to who access SHR content. Overview Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography where a user authenticates to an authentication server that creates a ticket. This ticket is actually sent to the application which can recognize the ticket and the user is granted access. This document Refers: SHRBOSERVER - Business Objects Server installed along SHR. ADSERVER - Active Directory Server configured to integrate the users/groups with SHR BO Repository. ADBO_USER Windows AD Service Account used to run Business Objects services. BOBJCMS/SHRBOSERVER Service Principle Name (SPN) to run BO Services using Domain User account. The following steps illustrates to configure Windows AD authentication for SHR Business Objects using Kerberos. a) Setting up a service account b) Configure the service account rights c) Register Service Principle Name (SPN) d) Configure SIA to use the service account e) Configure the AD plug-in f) Configure Tomcat web.xml file for Infoview and CMC to enable manual AD login g) Configure the bsclogin.conf and krb5.ini files h) Configure the Tomcat Java option i) Configure SHR Administration UI for AD authentication Configuring AD authentication for SHR Setting up a service account To configure Business Objects Enterprise using Kerberos and Windows AD authentication, we require a service account which should be a domain account that has been trusted for delegation. We can either use an existing domain account or create a new domain account. The service account will be used to run the Business Objects Enterprise servers.

3 Create a new AD service account on the domain controller or use an existing account; this document refers to ADBO_USER as service account. Check =Password never expires. Should a password expire the functionality dependant on that account will fail. Go to the properties of the newly created service account and choose Trust this user for delegation to any service (Kerberos only) under the Delegation tab. Configure the service account rights In order to support the Active Directory authentication, you must grant the service account the rights to act as part of the operating system and log on as a service. This must be done on SHR Business Objects server (as an example: SHRBOSERVER) where the Server Intelligence Agent Service is running.

4 Configuring Steps are as below: 1. Go to Start->Administrative Tools -> Local Security Policy 2. Then Local Policies and then click User Rights Assignment. 3. Double click Act as a part of Operating System and click Add User or Group button. 4. Add the user account (ADBO_USER) that has been trusted for delegation and click OK. 5. Double click Logon as a service and click Add and click Add User or Group button. 6. Add the user account that has been trusted for delegation and click OK. Adding the Service account to the Administrators Group On the SHRBOSERVER machine, right-click My Computer and then click Manage. Go to Configuration > Local Users and Groups > Groups. Right-click Administrators and then click Add to Group Click Add and enter the logon name of the service account. Click Check Names to ensure the account resolves. Click Ok and then click OK again.

5 Register Service Principle Name (SPN) Business Objects Services uses the Kerberos protocol for mutual authentication in a network, you must create a Service Principal Name (SPN) for the Business Objects services if you configure it to run as a domain user account. The SETSPN utility is a program that allows managing the Service Principal Name (SPN) for service accounts in Active Directory. Run the following utility with required parameters on command window : SETSPN.exe A BOBJCMS /HOSTNAME serviceaccount Note: Replace HOSTNAME with the fully qualified domain name of the machine running the CMS service, for example SHRBOSERVER.XYZ.com. Replace service account with the name of the service account that runs the CMS service. In this case, the service account is ADBO_USER. Example: SETSPN.exe A BOBJCMS /SHRBOSERVER.XYZ.com ADBO_USER Upon successful registration of SPN, one should receive the following message: Registering ServicePrincipalNames for CN=ServiceCMS, CN=Users, DC=DOMAIN, DC=COM BOBJCentralMS/HOSTNAME.DOMAIN.COM Updated object To list the set of registered SPNs, run the following command: SETSPN.exe L ADBO_USER Configure SIA to use the service account 1. In order to support Kerberos, Server Intelligence Agent(SIA) must be configured in CCM to log on as the service account: 2. To configure a Server Intelligence Agent on SHRBOSERVER 3. Start the CCM. 4. Stop the Server Intelligence Agent. 5. Double-click the Server Intelligence Agent and the Properties dialog box is displayed. 6. On the Properties tab: In the Log On As area, deselect the System Account check box. Enter the user name and password for the service account. Click Apply, and click OK. 7. Start the server again.

6 Configure the AD plug-in In order to support Kerberos, we have to configure the Windows AD security plug-in the CMC to use Kerberos authentication. To configure the Windows AD security plug-in for Kerberos: Go to the Authentication management page of the CMC and Click the Windows AD tab. Formatted: Font: HP Simplified Light, 9 pt, Not Bold, Font color: Black Ensure that the Windows Active Directory Authentication is enabled check box is selected. In the Windows AD Configuration Summary area of the page, click the link beside AD Administration Name. Enter the credentials that have read access to Active Directory in the Name and Password fields.

7 Notes: Use the format Domain\Account in the Name field LIKE XYZ\ADBO_USER. Enter the default domain in the Default AD Domain field. Use FQDN format and enter the domain in uppercase, here it is XYZ.COM In the Mapped AD Member Group area, enter the name of an AD group whose users require access to Business Objects Enterprise, and then click Add. In the Authentication Options area, select Use Kerberos authentication. In the Service Principal Name field, enter the account and domain of the service account or the SPN mapping to the service account which was created. In this case, BOBJCMS/SHRBOSERVER.XYZ.COM Mapped AD Member Groups: If a group is in the default domain it can be usually be added with just the group name. If it s in another domain or another forest then it will need to be added in domain\group or DN format. Once added hit update and the groups will appear as above (secwinad: DN) regardless of how they were entered (group, domain\group, or DN). To add all users from the default domain, we just need to specify domain users as the group name.

8 Authentication Options Kerberos must be selected for manual AD or AD SSO. Choose Use Kerberos Authentication The Service Principal Name or SPN MUST be the value created for the service account that runs the SIA/CMS via setspn (discussed in point 6 of this doc). Ensure there are no typos or white spaces before or after the SPN. Enable Single Sign On Disabled, not required for manual AD authentication New Alias Options determine how the user will be created if an existing user with the same name (LDAP/NT/Enterprise) already exists. Alias Update Options determine if users will be added when pressing the update button or only after they have logged into CMC/client tools. New User Options should be determined by your licensing options that can be viewed in CMC/license Keys. Choose New Users are created as concurrent users as that is supported option for BO license within SHR. Check the Import Full Name and Address and Give AD attribute binding priority over LDAP attribute binding in the Attribute binding options and click the Update button. Verify users/groups are added by going to CMC/users and groups. Finally, Click on Update button. Upon successful updation of AD plugin users/groups would get synced to the BO repository. Formatted: Font: Not Bold

9 Configure Tomcat web.xml file for Infoview and CMC to enable manual AD login The Authentication dropdown in the Infoview/CMC login page is hidden by default. To enable the dropdown box Open the file %PMDB_HOME%/BOWebServer/webapps/InfoViewApp/WEB-INF/web.xml Set the authentication.visible flag to true. Set the authentication.default to secwinad. Save the changes. Formatted: Font: HP Simplified, Not Bold Configure the bsclogin.conf and krb5.ini files The two files bsclogin.conf and Krb5.ini should be created under the c:\winnt folder on the SHR server. Create the bsclogin.conf file bsclogin.conf is used to load the java login module and trace login requests. This file needs to be created with the below content : com.businessobjects.security.jgss.initiate { com.sun.security.auth.module.krb5loginmodule required debug=true; Create the Krb5.ini file krb5.ini is used to configure the KDC s (Kerberos Key Distribution Center aka domain controllers) that will be used for the java login requests

10 The default krb5.ini text from below has to be copied and then edited for your environment. [libdefaults] default_realm = MYDOMAIN.COM dns_lookup_kdc = true dns_lookup_realm = true default_tgs_enctypes = rc4-hmac default_tkt_enctypes = rc4-hmac udp_preference_limit = 1 [realms] MYDOMAIN.COM = { kdc = DCHOSTNAME.MYDOMAIN.COM default_domain = MYDOMAIN.COM There are 4 bolded values that need to be changed in the above text. Replace MYDOMAIN.COM with the same domain of your service account. All DOMAIN info must be in ALL CAPS. The default_realm value must EXACTLY match the default domain value entered into the top of the AD page in the CMC. Replace MYDCHOSTNAME with the hostname of a domain controller. As an example, e DCHOSTNAME is ADSERVER.DC4SHR.XYZ.COM Configure the Tomcat Java option Stop the Tomcat service on SHR server Go to Start-> Programs->Tomcat->Tomcat Configuration Add the below to java options under the Java tab : -Djava.security.auth.login.config=c:\winnt\bscLogin.conf -Djava.security.krb5.conf=c:\winnt\krb5.ini Restart the Tomcat server. Note: Once the AD users are able to login to SHR Infoview page, based on the users role provide them the permissions to access the SHR folders, universes and connections so that they are able to refresh SHR reports. For more details on, how to create report User Accounts and Groups and Access Level Restrictions SHR - Managing User Accounts and Groups:

11 Configuring SHR Administration UI for AD authentication AD Authentication for SHR Admin UI is supported only SHR9.31 onwards. Please make sure that SHR is upgraded to SHR9.31 before you make the following changes. Make the following changes to %PMDB_HOME%/data/config.prp Set bo.authtype=secwinad Add the following to specify the location of the files bsclogin.conf and Krb5.ini java.security.auth.login.config=<absolute path for bslogin config file> java.security.krb5.conf=<absolute path for krb5 ini file> Example: java.security.krb5.conf=c\:\\winnt\\krb5.ini java.security.auth.login.config=c\:\\winnt\\bsclogin.conf Restart the service: SHR_PMDB_Platform_Administrator

12 References 8db2cac73f8c?QuickLink=index&overridelayout=true&