martinsticzay
IS-IT--Management
Hello,
I'm trying to solve a problem with Single Sign On on Apache Tomcat running on IBM AIX 7.1. I've already tried OpenText support, but I was told that this problem is probably somewhere in the configuration of Tomcat or AIX.
The funny thing is that the same Tomcat configuration worked properly on the HP-UX operating system.
So, the trace is:
We are trying to set up Single Sign On for OpenText OTDS 10.2.1 from the web client of OpenText TCP 10.2.1 (a system by OpenText) and can't even set up a valid path for the Kerberos keytab file.
Structure:
adpra050: Windows AD server as Kerberos server,
wcc71502: AIX 7.1 running Tomcat 6 that has a krb5Login configuration and a keytab file. OTDS and the application server for TCP 10.2.1 reside on this host.
adpra098: Windows server 2008 for TCP web client.
The aim is that Tomcat will use the keytab only, not the whole AIX system. Right now, not even Tomcat can use the keytab file properly. What was working in the HP-UX configuration (instead of AIX) is not working on AIX.
To set up SSO we requested a krb5kt file from the domain admin.
The file was tested by using
kinit -k -t /appl/earchive/otex/RCS_102/krb5kt HTTP/wcc71502.vsskb.cz
which produced a Kerberos ticket and saved it to the user's home.
Files used to configure Kerberos for Tomcat:
/etc/krb5/krb5.conf
in /appl/earchive/otex/RCS_102/ (Catalina_home):
krb5kt
conf/krb5.conf
conf/jaas.conf
bin/setenv.sh to set path to jaas.conf
Despite all efforts to pass the keytab file, we always get these errors in the logs:
rcs.log:
javax.security.auth.login.LoginException: Bad JAAS configuration: bad URL krb5kt Error java.net.MalformedURLException: no protocol: krb5kt
ums.log:
ixos.sec.sso.CheckerContext - Error in method 'buildToken4Invalidate(tokenString)'
ixos.sec.sso.CheckerException: session with id wtCJdTDkZWt84J4lLq3VYSZhB+LGX6DMD68R2+d5 is unknown at ixos.sec.sso.modules.DBSessionPersistence.getSession(DBSessionPersistence.java:360)
at ixos.sec.sso.modules.UMSSessionStore.getSession(UMSSessionStore.java:125)
directory.access.log:
2016-04-28 14:20:34,210 WARN [SMessage Receive Queue Popper 2] otx.OTDSAccess : OTDS.Access - ,2016/04/28 14:20:34 CEST,0,0,Authentication Service,Failure Access,28,Initial authentication failed,Unknown User,,Authentication failure [UNKNOWN]: Unknown User from host 10.144.10.121 with address 10.144.10.121 for resource 8975d99f-78f0-451c-8535-4042d88faed8
The user is never recognized when SSO is attempted (when Login.aspx is opened in the browser).
Any help on how to correctly supply the krb5kt path is appreciated.
Thank you.
Martin.
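A configuration check for the keyTab path problem described above, added here as an example and not part of the original post or of Tomcat's or OpenText's code: it parses a JAAS login config and reports the conditions the rcs.log error points at. The jaas.conf content is constructed (the post does not show the real file), and the check assumes a loader that first hands the value to java.net.URL, which is what a "no protocol: krb5kt" MalformedURLException implies; it also flags a keytab readable by other users, since a Kerberos keytab is a credential.

```python
import os, re, stat, tempfile
from urllib.parse import urlparse

# Constructed jaas.conf (assumption: the post does not show its own); keyTab is the
# bare name "krb5kt" that the rcs.log error quotes.
SAMPLE_JAAS_CONF = """
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true storeKey=true doNotPrompt=true
        keyTab="krb5kt"
        principal="HTTP/wcc71502.vsskb.cz";
};
"""
ENTRY_RE = re.compile(r"(\S+)\s*\{(.*?)\};", re.S)
OPT_RE = re.compile(r'(\w+)\s*=\s*("([^"]*)"|(\S+))')

def parse_jaas(text):
    """Return {entry_name: {option: value}} for each login entry in a JAAS config."""
    return {name: {k: q if q else b.rstrip(";") for k, _, q, b in OPT_RE.findall(body)}
            for name, body in ENTRY_RE.findall(text)}

def check_keytab(value, base_dir):
    """Findings for a keyTab value as a loader that tries java.net.URL, then a file, sees it."""
    findings, parsed = [], urlparse(value)
    if not parsed.scheme:
        findings.append("no URL scheme: java.net.URL raises 'no protocol: %s'" % value)
    path = parsed.path if parsed.scheme == "file" else value
    if not os.path.isabs(path):
        findings.append("relative path: resolved against the JVM working dir, not CATALINA_HOME")
        path = os.path.join(base_dir, path)
    if not os.path.isfile(path):
        findings.append("keytab not found: " + path)
    elif stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append("keytab readable by group/others; restrict it to the Tomcat user (0600)")
    return findings

def audit(conf_text, base_dir):
    """Run check_keytab for every entry that sets useKeyTab=true."""
    return {n: check_keytab(o.get("keyTab", ""), base_dir)
            for n, o in parse_jaas(conf_text).items() if o.get("useKeyTab") == "true"}

def make_fixture(mode=0o600):
    """Throwaway CATALINA_HOME holding an empty keytab named krb5kt (demo only)."""
    base = tempfile.mkdtemp()
    kt = os.path.join(base, "krb5kt")
    open(kt, "wb").close()
    os.chmod(kt, mode)
    return base, kt
```

Running audit(SAMPLE_JAAS_CONF, "/appl/earchive/otex/RCS_102") against the real jaas.conf text shows whether the value is the bare name, a plain absolute path, or a file: URL, and whether the file the JVM would open actually exists with safe permissions.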