Configuring Apache Tomcat to support Kerberos/SPNEGO authentication for Pega Robot Manager users
This use case demonstrates how to configure Kerberos authentication for Pega Robot Manager users on a Pega Platform implementation that is running on an Apache Tomcat server.
Configuring Active Directory to support Kerberos authentication
Configure Active Directory to enable single sign-on authentication through Kerberos for Pega Robot Manager users.
- On the domain controller server that is running the Active Directory Domain
Services (AD DS), map the Pega Platform server and Pega Platform users to their server and client systems:
Choices Actions Configure SPNs by using a keytab
file.- Open the command window.
- Enter the following command:
ktpass.exe /out c:\KerbServUser_SPN.keytab /mapuser [email protected] /princ HTTP/[email protected] /pass password /crypto all /ptype KRB5_NT_PRINCIPAL /kvno 0
Where:DOMAINNAME.COM is your fully qualified domain name. SERVERHOSTNAME is the name of your Pega Platform system. The keytab file contains the SPN credentials.
You can use the generated
.keytab
file to provide login credentials to Tomcat by modifying theweb.xml
andlogin.conf
files. For more information, see Configuring Tomcat to establish user connectivity to Pega Robot Manager.
Configure SPNs without using a keytab file. - Open the command window.
- Enter the following commands, ensuring that all computers
and users are in the same domain:
Setspn.exe -A HTTP/SERVERHOSTNAME KerbServUser Setspn.exe -A HTTP/[email protected] KerbServUser Setspn.exe -A HTTP/SERVERHOSTNAME.DOMAINNAME.COM KerbServUser Setspn.exe -A HTTP/[email protected] KerbServUser
- In Active Directory, enable delegation for users by selecting the
Trust this user for delegation to any service (Kerberos
only) option.See the following figure for reference:
- Configure the Kerberos policy to use AES-128 bit encryption on the domain
controller server and on the system hosting the Apache Tomcat server.For more information, see the Active Directory provider documentation.
- Enable AES-128 bit encryption for the user.For more information, see the Active Directory provider documentation.
Configuring Tomcat to establish user connectivity to Pega Robot Manager
Configure Tomcat with SPNEGO libraries so that client systems can connect to Pega Platform.
Because Pega Robot Manager does not provide SPNEGO libraries, you must download them separately.- In Tomcat, create the
login.conf
andkrb5.conf
files, and add them to the/bin
folder. - Download the
spnego-r7.jar
file from the SourceForge website and copy the file to theprweb/WEB-INF/lib
Tomcat folder. - Modify the
web.xml
file to intercept REST endpoints, to enable negotiation and authentication for calls that are requested by Pega Robot Runtime and Pega Robot Studio from the Pega Platform server.For more information, see the Apache Tomcat documentation. - Add the following code to the
web.xml
file to intercept the endpoints that are available for the api and roboticsSSO service packages, providing the appropriate values for parameters such as the spnego-client:<filter> <filter-name>SpnegoHttpFilter</filter-name> <filter-class> net.sourceforge.spnego.SpnegoHttpFilter </filter-class><init-param> <param-name>spnego.allow.basic</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>spnego.allow.localhost</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>spnego.allow.unsecure.basic</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>spnego.login.client.module</param-name> <param-value> spnego-client</param-value> </init-param> <init-param> <param-name>spnego.krb5.conf</param-name> <param-value>krb5.conf</param-value> </init-param> <init-param> <param-name>spnego.login.conf</param-name> <param-value>login.conf</param-value> </init-param> <init-param> <param-name>spnego.allow.delegation</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>spnego.preauth.username</param-name> <param-value>username</param-value> </init-param> <init-param> <param-name>spnego.preauth.password</param-name> <param-value>password_for_pre_auth_user</param-value> </init-param> <init-param> <param-name>spnego.login.server.module</param-name> <param-value>spnego-server</param-value> </init-param> <init-param> <param-name>spnego.prompt.ntlm</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>spnego.logger.level</param-name> <param-value>1</param-value> </init-param> </filter> <filter-mapping> <filter-name>SpnegoHttpFilter</filter-name> <url-pattern>/api/roboticsSSO/*</url-pattern> </filter-mapping> <filter-mapping> <filter-name>SpnegoHttpFilter</filter-name> <url-pattern>*.jsp</url-pattern> </filter-mapping> <login-config> <auth-method>SPNEGO</auth-method> </login-config>
- Configure pre-authorization user credentials by performing one of the following
actions:
- Modify the
web.xml
file and provide the values for the SPN user name and password in the following parameters:<init-param> <param-name>spnego.preauth.username</param-name> <param-value>username_of_pre_auth_user</param-value> </init-param> <init-param> <param-name>spnego.preauth.password</param-name> <param-value>password_for_pre_auth_user</param-value> </init-param>
- Provide information about the
.keytab
file by modifying thespnego-server
module in thelogin.conf
file.
- Modify the
- Configure the
login.conf
file:- Add the following text to the
login.conf
file:spnego-client {com.sun.security.auth.module.Krb5LoginModule required; }; spnego-server {com.sun.security.auth.module.Krb5LoginModule Required useKeyTab=false storeKey=true debug=true isInitiator=false; };
- Modify the values for the
spnego - client
andspnego -server
module names to match the values that you provided for the following entries in theweb.xml
file in step 3:<init-param> <param-name>spnego.login.client.module</param-name> <param-value>spnego-client</param-value> </init-param> <init-param> <param-name>spnego.login.client.module</param-name> <param-value>spnego-client</param-value> </init-param>
- Configure the
krb5.conf
file to identify the domain realm name and the IP address of the AD DS system on which the Kerberos Key Distribution Center (KDC) network service runs by modifying the following text:Where:[libdefaults] default_realm = DOMAINNAME.COM default_tkt_enctypes = des3 -cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac aes128-cts-hmac-sha1-96 aes128-cts default_tgs_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac aes128-cts-hmac-sha1-96 aes128-cts permitted_enctypes= des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac aes128-cts-hmac-sha1-96 aes128-cts [realms] DOMAINNAME.COM = {kdc = KDCMACHINEIP:88 default_domain = DOMAINNAME.COM} [domain_realm] .domainName = DOMAINNAME.COM domainName = DOMAINNAME.COM
DOMAINNAME is the domain name of the Kerberos realm, which is the domain over which Kerberos can authenticate users. KDCMACHINEIP is the IP address of the AD DS.
- Add the following text to the
Previous topic Selecting the Kerberos method for authenticating Pega Robot Manager users Next topic Updating the robotics configuration files for single sign-on authentication through Kerberos