Configure Single Sign On for Cloud Control 13c against Active Directory
Posted by Dirk Nachbar on Monday, August 21, 2017
In many cases you want to use your Microsoft Active Directory login to authenticate against your Oracle Cloud Control 13c.
Here is a step-by-step guide for implementing Single Sign On for Oracle Cloud Control 13c against Microsoft Active Directory.
Let's assume the following environment:
- AD Domain = DEMO.COM
- Microsoft AD Server = adserver.demo.com
- AD LDAP Port = 389
- Cloud Control 13c Server = cloudcontrol13c.demo.com
Windows Steps
Connect to the Windows Server hosting your Active Directory and execute the following steps.
1. Create a corresponding service account for the Oracle Management Server (OMS) in your Active Directory. Name the service account after your Cloud Control server:
dsadd user "cn=<ServiceAccountName>,cn=users,dc=<Domain>,dc=<TLD>" -disabled no -pwd <Password for ServiceAccountName> -canchpwd no -mustchpwd no -pwdneverexpires yes
For Example:
dsadd user "cn=cloudcontrol13c,cn=users,dc=demo,dc=com" -disabled no -pwd Welcome1 -canchpwd no -mustchpwd no -pwdneverexpires yes
2. Create a keytab file for the HTTP service principal of the OMS host (the part after @ is the Kerberos realm, i.e. the AD domain in upper case):
ktpass -princ HTTP/<ServiceAccountName>.<Domain>.<TLD>@<DOMAIN>.<TLD> -mapuser <ServiceAccountName> -crypto all -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab
For Example:
ktpass -princ HTTP/cloudcontrol13c.demo.com@DEMO.COM -mapuser cloudcontrol13c -crypto all -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab
Afterwards, transfer the keytab file krb5.keytab created above to your Cloud Control 13c server. The keytab holds the long-term key of the service account, so copy it over an encrypted channel, keep it readable only by the Oracle software owner (mode 600) and delete the copy under c:\temp.
Cloud Control Steps
Now connect to the server hosting your Oracle Cloud Control 13c and perform the following steps.
1. Create the Active Directory Authentication Provider
emctl config auth ad -ldap_host "<AD-Servername>" -ldap_port "<LDAP-PORT>" \
  -ldap_principal "cn=<ServiceAccountName>,cn=users,dc=<Domain>,dc=<TLD>" -ldap_credential "<Password for ServiceAccountName>" \
  -user_base_dn "cn=users,dc=<Domain>,dc=<TLD>" -group_base_dn "cn=groups,dc=<Domain>,dc=<TLD>" \
  -sysman_pwd "<SYSMAN Password>"
For Example:
emctl config auth ad -ldap_host "adserver.demo.com" -ldap_port "389" \
  -ldap_principal "cn=cloudcontrol13c,cn=users,dc=demo,dc=com" -ldap_credential "Welcome1" \
  -user_base_dn "cn=users,dc=demo,dc=com" -group_base_dn "cn=groups,dc=demo,dc=com" \
  -sysman_pwd "Welcome1"
Note that port 389 is plain LDAP, so the service account password sent with each bind is not encrypted on the wire; use LDAPS if your AD offers it. Both passwords also end up in the shell history of the OMS host, so clear it afterwards.
Now restart your OMS:
emctl stop oms -all
emctl start oms
After the restart of your OMS, connect to the WebLogic Server Console of your Oracle Cloud Control 13c, usually on the SSL port 7101 (https://<CloudControlServer>:7101/console).
Select in the Domain Structure "Security Realms" and navigate to "Providers / Authentication"
Open the Authentication Provider EM_AD_Provider and navigate to "Configuration / Provider Specific"
Align the following attributes (first activate "Lock & Edit" in the Change Center, and click "Activate Changes" when done):
Original Attributes:
- All Users Filter: <empty>
- User From Name Filter: (&(cn=%u)(objectclass=user))
- User Name Attribute: cn
- User Object Class: user
New Attributes:
- All Users Filter: (&(sAMAccountName=*)(objectclass=user))
- User From Name Filter: (&(sAMAccountName=%u)(objectclass=user))
- User Name Attribute: sAMAccountName
- User Object Class: user
2. Create the JAAS Configuration File krb5Login.conf
The next step is to create the required JAAS configuration file krb5Login.conf within the DOMAIN_HOME of your Cloud Control 13c. JAAS configuration files accept // comments; keep only the block that matches your JDK, and point keyTab at the keytab you transferred in the Windows steps.
// for Oracle (SUN) JDK
com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  principal="HTTP/cloudcontrol13c.demo.com@DEMO.COM"
  useKeyTab=true
  keyTab=/etc/krb5.keytab
  storeKey=true
  debug=true;
};
com.sun.security.jgss.krb5.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  principal="HTTP/cloudcontrol13c.demo.com@DEMO.COM"
  useKeyTab=true
  keyTab=/etc/krb5.keytab
  storeKey=true
  debug=true;
};
// For IBM JDK (under AIX)
com.ibm.security.jgss.krb5.initiate {
  com.ibm.security.auth.module.Krb5LoginModule REQUIRED
  principal="http/cloudcontrol13c.demo.com"
  useKeytab="FILE:/etc/krb5.keytab"
  credsType=initiator
  debug=true;
};
com.ibm.security.jgss.krb5.accept {
  com.ibm.security.auth.module.Krb5LoginModule REQUIRED
  principal="http/cloudcontrol13c.demo.com"
  useKeytab="FILE:/etc/krb5.keytab"
  credsType=acceptor
  debug=true;
};
The debug=true setting writes Kerberos ticket details to the server log; set it to false once SSO works.
3. Align setDomainEnv.sh
Now we need to align the setDomainEnv.sh in the DOMAIN_HOME/bin directory. Search for the 2 lines:
EXTRA_JAVA_PROPERTIES="-Djavax.management.builder.initial=weblogic.management.jmx.mbeanserver.WLSMBeanServerBuilder ${EXTRA_JAVA_PROPERTIES}"
export EXTRA_JAVA_PROPERTIES
and add the following block below these 2 lines (the realm is the AD domain in upper case, as in the example):
if [ "${SERVER_NAME}" = "EMGC_OMS1" ] ; then
  EXTRA_JAVA_PROPERTIES="-Djava.security.krb5.realm=<Domain>.<TLD> -Djava.security.krb5.kdc=<AD-Servername> -Djava.security.auth.login.config=<Path to krb5Login.conf>/krb5Login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true ${EXTRA_JAVA_PROPERTIES}"
  export EXTRA_JAVA_PROPERTIES
fi
For Example:
if [ "${SERVER_NAME}" = "EMGC_OMS1" ] ; then
  EXTRA_JAVA_PROPERTIES="-Djava.security.krb5.realm=DEMO.COM -Djava.security.krb5.kdc=adserver.demo.com -Djava.security.auth.login.config=/u00/app/oracle/product/gc_inst_13cR1/user_projects/domains/GCDomain/krb5Login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true ${EXTRA_JAVA_PROPERTIES}"
  export EXTRA_JAVA_PROPERTIES
fi
4. Configure Single Sign On within OMS
The next step is to create an external role within OMS; this external role must be named exactly the same as the corresponding AD group for the OMS users:
emcli create_role -name="oracle_dba" -type="EXTERNAL_ROLE" -desc="Active Directory Group for oracle_dba"
Now configure the SSO for the OMS:
emctl set property -name oracle.sysman.core.security.sso.type -value "OTHER"
emctl set property -name oracle.sysman.core.security.auth.is_external_authentication_enabled -value "true"
emctl set property -name oracle.sysman.emSDK.sec.DirectoryAuthenticationType -value "SSO"
emctl set property -name oracle.sysman.core.security.auth.autoprovisioning -value "true"
After that perform a restart of your OMS:
emctl stop oms -all
emctl start oms
Now, when you connect to Cloud Control 13c for the first time and log in with your AD user, the SSO user is created automatically within Cloud Control 13c, and you can connect with your AD user and the corresponding AD password.
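Several values in the steps above must agree with each other: the SPN registered with ktpass, the principal and keytab in krb5Login.conf, the realm in setDomainEnv.sh, and the LDAP filters of the provider. The following check is an added example, not part of the original post; the JAAS entry and EXTRA_JAVA_PROPERTIES string are constructed samples mirroring the DEMO.COM environment.

```python
import re

JAAS_CONF = """
com.sun.security.jgss.krb5.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  principal="HTTP/cloudcontrol13c.demo.com@DEMO.COM"
  useKeyTab=true keyTab=/etc/krb5.keytab storeKey=true debug=true;
};
"""  # constructed sample, mirrors the article's DEMO.COM environment
JAVA_PROPS = ("-Djava.security.krb5.realm=DEMO.COM -Djava.security.krb5.kdc=adserver.demo.com "
              "-Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true")

def parse_jaas(text):
    """Return {entry_name: {option: value}} for every 'name { ... };' block."""
    entries = {}
    for name, body in re.findall(r"([\w.]+)\s*\{(.*?)\};", text, re.S):
        pairs = re.findall(r'(\w+)=("?[^"\s;]*"?)', body)
        entries[name] = {k: v.strip('"') for k, v in pairs}
    return entries

def parse_dprops(text):
    return dict(re.findall(r"-D([\w.]+)=(\S+)", text))  # -Dkey=value pairs

def check_sso_config(jaas_text, props_text, oms_host):
    """Return a list of findings; an empty list means the settings agree."""
    findings = []
    props = parse_dprops(props_text)
    for name, opts in parse_jaas(jaas_text).items():
        principal = opts.get("principal", "")
        m = re.fullmatch(r"HTTP/([^@]+)@([A-Z0-9.-]+)", principal)
        if not m:  # the SPN created by ktpass is HTTP/<host>@<REALM>, realm in upper case
            findings.append(f"{name}: principal {principal!r} is not HTTP/<host>@<REALM>")
            continue
        host, realm = m.groups()
        if host != oms_host:
            findings.append(f"{name}: SPN host {host} differs from OMS host {oms_host}")
        if realm != props.get("java.security.krb5.realm"):
            findings.append(f"{name}: realm {realm} differs from java.security.krb5.realm")
        if opts.get("useKeyTab") != "true" or not opts.get("keyTab"):
            findings.append(f"{name}: module must authenticate with a keytab")
    return findings

def ldap_filter_balanced(ldap_filter):
    """Reject a provider filter with unbalanced parentheses before WebLogic does."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0
```

Run check_sso_config against the real krb5Login.conf and the EXTRA_JAVA_PROPERTIES line of setDomainEnv.sh before restarting the OMS; a mismatch there is the usual cause of SPNEGO falling back to the form login.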
Categories: Enterprise Manager 13c, Oracle WebLogic Server 12c