HP Service Health Reporter Configuring SHR to use Windows AD Authentication

Technical white paper
For the Windows Operating System
Software Version 9.3x

Table of Contents
Introduction
Motivation
Overview
Configuring AD authentication for SHR
Setting up a service account
Configure the service account rights
Register Service Principal Name (SPN)
Configure SIA to use the service account
Configure the AD plug-in
Configure Tomcat web.xml file for Infoview and CMC to enable manual AD login
Configure the bsclogin.conf and krb5.ini files
Configure the Tomcat Java option
Configuring SHR Administration UI for AD authentication
References

Introduction
This document provides the steps to configure AD authentication for Business Objects using Kerberos, so that role-based security applies to users accessing SHR reports, universes and the Administration UI.

Motivation
In a customer's environment, users may already be authenticated by AD. The same AD authentication can be extended to all SHR users who access SHR content.

Overview
Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications using secret-key cryptography: a user authenticates to an authentication server, which issues a ticket. The ticket is then presented to the application, which recognizes the ticket and grants the user access.

This document refers to:
SHRBOSERVER - Business Objects Server installed along with SHR.
ADSERVER - Active Directory Server configured to integrate the users/groups with the SHR BO repository.
ADBO_USER - Windows AD service account used to run Business Objects services.
BOBJCMS/SHRBOSERVER - Service Principal Name (SPN) used to run BO services under the domain user account.

The following steps configure Windows AD authentication for SHR Business Objects using Kerberos:
a) Setting up a service account
b) Configure the service account rights
c) Register Service Principal Name (SPN)
d) Configure SIA to use the service account
e) Configure the AD plug-in
f) Configure Tomcat web.xml file for Infoview and CMC to enable manual AD login
g) Configure the bsclogin.conf and krb5.ini files
h) Configure the Tomcat Java option
i) Configure SHR Administration UI for AD authentication

Configuring AD authentication for SHR

Setting up a service account
To configure Business Objects Enterprise with Kerberos and Windows AD authentication, you need a service account: a domain account that has been trusted for delegation. You can either use an existing domain account or create a new one.
The service account will be used to run the Business Objects Enterprise servers.

Create a new AD service account on the domain controller, or use an existing account; this document refers to the service account as ADBO_USER. Check "Password never expires": should the password expire, the functionality dependent on that account will fail. Open the properties of the newly created service account and, under the Delegation tab, choose "Trust this user for delegation to any service (Kerberos only)".

Configure the service account rights
In order to support Active Directory authentication, you must grant the service account the rights to act as part of the operating system and to log on as a service. This must be done on the SHR Business Objects server (for example SHRBOSERVER) where the Server Intelligence Agent service is running.

The configuration steps are as follows:
1. Go to Start->Administrative Tools->Local Security Policy.
2. Expand Local Policies and then click User Rights Assignment.
3. Double-click "Act as part of the operating system" and click the Add User or Group button.
4. Add the user account (ADBO_USER) that has been trusted for delegation and click OK.
5. Double-click "Log on as a service" and click the Add User or Group button.
6. Add the user account that has been trusted for delegation and click OK.

Adding the service account to the Administrators group
1. On the SHRBOSERVER machine, right-click My Computer and then click Manage.
2. Go to Configuration > Local Users and Groups > Groups.
3. Right-click Administrators and then click Add to Group.
4. Click Add and enter the logon name of the service account.
5. Click Check Names to ensure the account resolves.
6. Click OK and then click OK again.

Register Service Principal Name (SPN)
Business Objects services use the Kerberos protocol for mutual authentication in a network; you must create a Service Principal Name (SPN) for the Business Objects services if you configure them to run as a domain user account. The SETSPN utility is a program that allows managing the Service Principal Name (SPN) for service accounts in Active Directory. Run the following utility with the required parameters in a command window:

SETSPN.exe -A BOBJCMS/HOSTNAME serviceaccount

Note: Replace HOSTNAME with the fully qualified domain name of the machine running the CMS service, for example SHRBOSERVER.XYZ.com. Replace serviceaccount with the name of the service account that runs the CMS service. In this case, the service account is ADBO_USER.

Example:
SETSPN.exe -A BOBJCMS/SHRBOSERVER.XYZ.com ADBO_USER

Upon successful registration of the SPN, you should receive the following message:
Registering ServicePrincipalNames for CN=ServiceCMS, CN=Users, DC=DOMAIN, DC=COM
BOBJCentralMS/HOSTNAME.DOMAIN.COM
Updated object

To list the set of registered SPNs, run the following command:
SETSPN.exe -L ADBO_USER

Configure SIA to use the service account
In order to support Kerberos, the Server Intelligence Agent (SIA) must be configured in the CCM to log on as the service account. To configure the Server Intelligence Agent on SHRBOSERVER:
1. Start the CCM.
2. Stop the Server Intelligence Agent.
3. Double-click the Server Intelligence Agent; the Properties dialog box is displayed.
4. On the Properties tab, in the Log On As area, deselect the System Account check box. Enter the user name and password for the service account. Click Apply, and then click OK.
5. Start the server again.

Configure the AD plug-in
In order to support Kerberos, the Windows AD security plug-in must be configured in the CMC to use Kerberos authentication.

To configure the Windows AD security plug-in for Kerberos:
1. Go to the Authentication management page of the CMC and click the Windows AD tab.
2. Ensure that the "Windows Active Directory Authentication is enabled" check box is selected.
3. In the Windows AD Configuration Summary area of the page, click the link beside AD Administration Name.
4. Enter credentials that have read access to Active Directory in the Name and Password fields.

Notes:
Use the format Domain\Account in the Name field, for example XYZ\ADBO_USER.
Enter the default domain in the Default AD Domain field. Use FQDN format and enter the domain in uppercase; here it is XYZ.COM.
In the Mapped AD Member Group area, enter the name of an AD group whose users require access to Business Objects Enterprise, and then click Add.
In the Authentication Options area, select Use Kerberos authentication.
In the Service Principal Name field, enter the account and domain of the service account, or the SPN mapped to the service account that was created earlier. In this case: BOBJCMS/SHRBOSERVER.XYZ.COM

Mapped AD Member Groups:
If a group is in the default domain, it can usually be added with just the group name. If it is in another domain or another forest, it must be added in domain\group or DN format. Once added, click Update and the groups will appear in the list as secwinad:DN regardless of how they were entered (group, domain\group, or DN). To add all users from the default domain, specify "domain users" as the group name.

Authentication Options:
Kerberos must be selected for manual AD or AD SSO. Choose Use Kerberos Authentication.
The Service Principal Name (SPN) MUST be the value created for the service account that runs the SIA/CMS via setspn (see Register Service Principal Name (SPN) above). Ensure there are no typos or white spaces before or after the SPN.
Enable Single Sign On: leave disabled; it is not required for manual AD authentication.
New Alias Options determine how the user will be created if an existing user with the same name (LDAP/NT/Enterprise) already exists.
Alias Update Options determine whether users are added when the Update button is pressed or only after they have logged into the CMC/client tools.
New User Options should be determined by your licensing options, which can be viewed under CMC > License Keys. Choose "New users are created as concurrent users", as that is the option supported by the BO license within SHR.
Check "Import Full Name and Email Address" and "Give AD attribute binding priority over LDAP attribute binding" in the Attribute Binding Options, and click the Update button.
Verify that users/groups are added by going to CMC > Users and Groups.
Finally, click the Update button. Upon successful update of the AD plug-in, users/groups are synced to the BO repository.

Configure Tomcat web.xml file for Infoview and CMC to enable manual AD login
The Authentication drop-down on the Infoview/CMC login page is hidden by default. To enable the drop-down box:
1. Open the file %PMDB_HOME%/BOWebServer/webapps/InfoViewApp/WEB-INF/web.xml
2. Set the authentication.visible flag to true.
3. Set authentication.default to secwinad.
4. Save the changes.

Configure the bsclogin.conf and krb5.ini files
The two files bsclogin.conf and krb5.ini should be created under the c:\winnt folder on the SHR server.

Create the bsclogin.conf file
bsclogin.conf is used to load the Java login module and trace login requests. Create the file with the content below (the login module class name is case-sensitive):

com.businessobjects.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required debug=true;
};

Create the krb5.ini file
krb5.ini is used to configure the KDCs (Kerberos Key Distribution Centers, i.e. the domain controllers) that will be used for the Java login requests.

The default krb5.ini text below has to be copied and then edited for your environment:

[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1

[realms]
MYDOMAIN.COM = {
    kdc = DCHOSTNAME.MYDOMAIN.COM
    default_domain = MYDOMAIN.COM
}

There are four values in the above text that need to be changed: the occurrences of MYDOMAIN.COM and DCHOSTNAME.
Replace MYDOMAIN.COM with the domain of your service account. All domain information must be in ALL CAPS. The default_realm value must EXACTLY match the Default AD Domain value entered at the top of the Windows AD page in the CMC.
Replace DCHOSTNAME with the hostname of a domain controller. For example, DCHOSTNAME is ADSERVER.DC4SHR.XYZ.COM.

Configure the Tomcat Java option
1. Stop the Tomcat service on the SHR server.
2. Go to Start->Programs->Tomcat->Tomcat Configuration.
3. Add the following to Java Options under the Java tab:
-Djava.security.auth.login.config=c:\winnt\bsclogin.conf
-Djava.security.krb5.conf=c:\winnt\krb5.ini
4. Restart the Tomcat server.

Note: Once AD users are able to log in to the SHR Infoview page, grant them permissions on the SHR folders, universes and connections according to their role, so that they are able to refresh SHR reports. For more details on how to create report user accounts and groups and access level restrictions, see SHR - Managing User Accounts and Groups: https://hpln.hp.com/node/19476/attachment
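The following Python script is an added example (not part of the original white paper or of the SHR product) that checks a bsclogin.conf and a krb5.ini against the rules stated in the two sections above: the realm written in ALL CAPS, default_realm equal to the Default AD Domain entered in the CMC, a real KDC host in the [realms] block, and a correctly named JAAS entry loading Krb5LoginModule. The sample files are constructed from the document's templates with the placeholders filled in for its XYZ.COM example. The two WARNING findings (rc4-hmac as the only enctype, debug=true left on) are caveats added here for a production deployment, not rules from the document.

```python
"""Checks for bsclogin.conf and krb5.ini as described in the document (added example)."""
import re

# Constructed samples: the document's templates with placeholders filled in for
# its example environment (realm XYZ.COM, KDC ADSERVER.DC4SHR.XYZ.COM).
SAMPLE_BSCLOGIN_CONF = """\
com.businessobjects.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required debug=true;
};
"""

SAMPLE_KRB5_INI = """\
[libdefaults]
default_realm = XYZ.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1

[realms]
XYZ.COM = {
    kdc = ADSERVER.DC4SHR.XYZ.COM
    default_domain = XYZ.COM
}
"""


def parse_krb5_ini(text):
    """Parse the [section] / key = value / NAME = { ... } layout into nested dicts."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif section is None:
            raise ValueError(f"key before any [section]: {raw!r}")
        elif line.endswith("{"):  # e.g. "XYZ.COM = {" opens a realm block
            block = section.setdefault(line[:-1].split("=", 1)[0].strip(), {})
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            (section if block is None else block)[key] = value
        else:
            raise ValueError(f"unparsable line: {raw!r}")
    return conf


def check_krb5_ini(text, cmc_default_domain):
    """Return findings; [] means every rule in the document holds.
    Document rules: ALL CAPS realm, default_realm == CMC Default AD Domain,
    a [realms] block with a kdc. The enctype line is an extra caveat added here."""
    findings = []
    if "MYDOMAIN" in text or "DCHOSTNAME" in text:
        findings.append("template placeholders MYDOMAIN.COM / DCHOSTNAME were not replaced")
    conf = parse_krb5_ini(text)
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm")
    if not realm:
        return findings + ["default_realm is missing from [libdefaults]"]
    if realm != realm.upper():
        findings.append(f"realm {realm!r} must be written in ALL CAPS")
    if realm != cmc_default_domain:
        findings.append(f"default_realm {realm!r} must exactly match the CMC "
                        f"Default AD Domain {cmc_default_domain!r}")
    realm_block = conf.get("realms", {}).get(realm)
    if not isinstance(realm_block, dict) or not realm_block.get("kdc"):
        findings.append(f"[realms] needs a {realm} block with a kdc entry")
    elif realm_block.get("default_domain") != realm:
        findings.append("default_domain inside the [realms] block must equal the realm")
    enctypes = {t for k in ("default_tgs_enctypes", "default_tkt_enctypes")
                for t in lib.get(k, "").split()}
    if enctypes and enctypes <= {"rc4-hmac"}:  # caveat, not a document rule
        findings.append("WARNING: only rc4-hmac is allowed; add aes256-cts-hmac-sha1-96 "
                        "if the domain supports it")
    return findings


def check_bsclogin_conf(text):
    """The JAAS entry must be named com.businessobjects.security.jgss.initiate and
    load Krb5LoginModule (the JVM matches the class name case-sensitively)."""
    findings = []
    m = re.search(r"(\S+)\s*\{(.*?)\};", text, re.S)
    if not m or m.group(1) != "com.businessobjects.security.jgss.initiate":
        return ["missing or misnamed JAAS entry com.businessobjects.security.jgss.initiate"]
    body = m.group(2)
    if "com.sun.security.auth.module.Krb5LoginModule required" not in body:
        findings.append("entry must load com.sun.security.auth.module.Krb5LoginModule as required")
    if re.search(r"debug\s*=\s*true", body):  # caveat, not a document rule
        findings.append("WARNING: debug=true writes Kerberos login traces to the Tomcat logs; "
                        "disable it after troubleshooting")
    return findings


if __name__ == "__main__":
    for name, result in (("bsclogin.conf", check_bsclogin_conf(SAMPLE_BSCLOGIN_CONF)),
                         ("krb5.ini", check_krb5_ini(SAMPLE_KRB5_INI, "XYZ.COM"))):
        print(name, "->", result or "OK")
```

Point the two sample constants at the real files under c:\winnt and pass the exact Default AD Domain string from the CMC as the second argument; any finding that does not start with WARNING corresponds to a rule the document says must hold before the Tomcat login will work.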

Configuring SHR Administration UI for AD authentication
AD authentication for the SHR Admin UI is supported only from SHR 9.31 onwards. Make sure that SHR is upgraded to SHR 9.31 before you make the following changes.

Make the following changes to %PMDB_HOME%/data/config.prp:
1. Set bo.authtype=secwinad
2. Add the following to specify the location of the files bsclogin.conf and krb5.ini:
java.security.auth.login.config=<absolute path for bsclogin config file>
java.security.krb5.conf=<absolute path for krb5 ini file>
Example:
java.security.krb5.conf=c\:\\winnt\\krb5.ini
java.security.auth.login.config=c\:\\winnt\\bsclogin.conf
3. Restart the service SHR_PMDB_Platform_Administrator.
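config.prp is read with Java properties semantics, where a backslash escapes the character after it, which is why the example above writes c\:\\winnt\\krb5.ini rather than c:\winnt\krb5.ini. The following Python script is an added example (not SHR's code) that parses a constructed config.prp fragment the way java.util.Properties does and checks the three settings above; it also shows what happens when the path is pasted unescaped, and how to produce the escaped form from an ordinary Windows path.

```python
"""Parse config.prp with java.util.Properties escaping rules and check the AD settings."""
import re

# Constructed fragment of %PMDB_HOME%/data/config.prp (not a real SHR file);
# only the three keys named in the document are included.
SAMPLE_CONFIG_PRP = r"""
# Administration UI authentication (constructed sample)
bo.authtype=secwinad
java.security.krb5.conf=c\:\\winnt\\krb5.ini
java.security.auth.login.config=c\:\\winnt\\bsclogin.conf
"""

_SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}


def _unescape(s):
    """Backslash rules of Properties.load: \\uXXXX, \\n, \\t, \\r, \\f, and
    \\x -> x for any other x (so an unescaped \\w in a path silently becomes w)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            if nxt == "u":
                out.append(chr(int(s[i + 2:i + 6], 16)))
                i += 6
            else:
                out.append(_SIMPLE_ESCAPES.get(nxt, nxt))
                i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_java_properties(text):
    """Return {key: value}. Comment lines (# or !) and blank lines are skipped;
    the key ends at the first unescaped '=', ':' or whitespace."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        i = 0
        while i < len(line) and line[i] not in "=:" and not line[i].isspace():
            i += 2 if line[i] == "\\" else 1  # skip an escaped separator
        key, rest = line[:i], line[i:].lstrip()
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip()
        props[_unescape(key)] = _unescape(rest)
    return props


def escape_properties_value(value):
    """Write a value the way Properties.store does, i.e. the form the document shows."""
    return "".join("\\" + ch if ch in "\\:=#!" else ch for ch in value)


REQUIRED_PATHS = ("java.security.auth.login.config", "java.security.krb5.conf")


def check_config_prp(props):
    """Return findings for the settings the Admin UI needs; [] means they are correct."""
    findings = []
    if props.get("bo.authtype") != "secwinad":
        findings.append("bo.authtype must be secwinad for AD authentication")
    for key in REQUIRED_PATHS:
        path = props.get(key)
        if path is None:
            findings.append(f"{key} is missing")
        elif not re.match(r"^[A-Za-z]:\\", path):  # backslashes were eaten by unescaping
            findings.append(f"{key}={path!r} is not an absolute Windows path; "
                            "write backslashes as \\\\ and the drive colon as \\:")
    return findings


if __name__ == "__main__":
    parsed = parse_java_properties(SAMPLE_CONFIG_PRP)
    print(parsed, check_config_prp(parsed) or "OK")
    # The common mistake: pasting the path unescaped loses every backslash.
    naive = parse_java_properties("java.security.krb5.conf=c:\\winnt\\krb5.ini")
    print(naive, check_config_prp(naive))
    print(escape_properties_value("c:\\winnt\\krb5.ini"))
```

Run check_config_prp on the parsed real file after editing it; the unescaped form fails the absolute-path check because the JVM would read c:\winnt\krb5.ini as c:winntkrb5.ini and then be unable to find the Kerberos configuration.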

References
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/40f4abf5-4d67-2e10-e48b-8db2cac73f8c?QuickLink=index&overridelayout=true&50968377367535
http://blogs.hexaware.com/business-objects-boogle/windows-ad-authentication-for-business-objects-using-kerberos/