Configuring Apache Tomcat to support Kerberos/SPNEGO authentication for Pega Robot Manager users
This use case demonstrates how to configure Kerberos authentication for Pega Robot Manager users on a Pega Platform implementation that is running on an Apache Tomcat server. It consists of the following two procedures:

Configuring Active Directory to support Kerberos authentication
Configure Active Directory to enable single sign-on authentication through Kerberos for Pega Robot Manager users. The keytab file contains the SPN credentials. You can use the generated .keytab file to provide login credentials to Tomcat by modifying the web.xml and login.conf files.

Configuring Tomcat to establish user connectivity to Pega Robot Manager
Configure Tomcat with SPNEGO libraries so that client systems can connect to Pega Platform.

Configuring Active Directory to support Kerberos authentication
Choose one of the following ways to configure the service principal names (SPNs):

Choices: Configure SPNs by using a keytab file.
Actions: Generate the keytab file with ktpass.exe:

    ktpass.exe /out c:\KerbServUser_SPN.keytab /mapuser [email protected] /princ HTTP/[email protected] /pass password /crypto all /ptype KRB5_NT_PRINCIPAL /kvno 0

You can use the generated .keytab file to provide login credentials to Tomcat by modifying the web.xml and login.conf files. For more information, see Configuring Tomcat to establish user connectivity to Pega Robot Manager.

Choices: Configure SPNs without using a keytab file.
Actions: Register the SPNs with Setspn.exe:

    Setspn.exe -A HTTP/SERVERHOSTNAME KerbServUser
    Setspn.exe -A HTTP/[email protected] KerbServUser
    Setspn.exe -A HTTP/SERVERHOSTNAME.DOMAINNAME.COM KerbServUser
    Setspn.exe -A HTTP/[email protected] KerbServUser
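The keytab that ktpass.exe writes is a binary file, so the most reliable way to confirm that it holds a key for the SPN you registered, with the key version you expect and only key types your domain still accepts, is to parse it. The following Python script is an added example; it is not part of Pega's documentation and not code from ktpass or the spnego library. It serialises a constructed sample keytab for the page's placeholder SPN HTTP/SERVERHOSTNAME.DOMAINNAME.COM (the realm DOMAINNAME.COM, the key version 3 and the key bytes are assumed values) and then parses it back in the MIT keytab format that ktpass produces, reporting a missing SPN entry, a key version that differs from what you expect, and single-DES keys, which are disabled by default in current Windows domains. To inspect a real keytab, pass the bytes of your c:\KerbServUser_SPN.keytab to parse_keytab or check_keytab.

```python
"""Inspect a Kerberos keytab (MIT format version 0x0502) and confirm that it
holds a key for the HTTP SPN.  Added example, not Pega's or Microsoft's code;
the sample keytab below is constructed in Python, not written by ktpass."""
import struct

# Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757)
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "arcfour-hmac"}
SINGLE_DES = {1, 3}        # disabled by default in current Windows domains
KRB5_NT_PRINCIPAL = 1      # the /ptype value used on this page


def _octets(b):
    """Keytab counted octet string: 2-byte big-endian length + bytes."""
    return struct.pack(">H", len(b)) + b


def build_entry(principal, realm, enctype, key, kvno):
    """Serialise one keytab entry (used only to construct the sample)."""
    comps = [c.encode() for c in principal.split("/")]
    body = struct.pack(">H", len(comps)) + _octets(realm.encode())
    body += b"".join(_octets(c) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)  # name type, timestamp, 8-bit vno
    body += struct.pack(">H", enctype) + _octets(key)
    body += struct.pack(">I", kvno)                                  # 32-bit vno extension
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return b"\x05\x02" + b"".join(entries)


def _read_octets(data, off):
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(data):
    """Return one dict per entry; key bytes are read but deliberately not returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        end = off + abs(size)
        if size <= 0:                     # a negative size marks a deleted slot
            off = end
            continue
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _read_octets(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_octets(data, off)
            comps.append(comp)
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (etype,) = struct.unpack_from(">H", data, off)
        off += 2
        _key, off = _read_octets(data, off)
        kvno = vno8
        if end - off >= 4:                # newer keytabs append a 32-bit kvno
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        entries.append({"principal": b"/".join(comps).decode() + "@" + realm.decode(),
                        "name_type": name_type, "kvno": kvno,
                        "enctype": ENCTYPES.get(etype, f"etype-{etype}"),
                        "weak": etype in SINGLE_DES})
        off = end
    return entries


def check_keytab(data, expected_spn, expected_kvno):
    """List problems that would make Tomcat reject or mis-handle service tickets."""
    problems = []
    matches = [e for e in parse_keytab(data) if e["principal"] == expected_spn]
    if not matches:
        problems.append(f"no key for {expected_spn}")
    for e in matches:
        if e["kvno"] != expected_kvno:
            problems.append(f"{e['enctype']}: kvno {e['kvno']} != {expected_kvno}")
        if e["weak"]:
            problems.append(f"{e['enctype']}: single-DES key present")
        if e["name_type"] != KRB5_NT_PRINCIPAL:
            problems.append(f"{e['enctype']}: name type {e['name_type']} is not KRB5_NT_PRINCIPAL")
    return problems


# Constructed sample: one entry per key type, as /crypto all produces several entries.
SPN, REALM = "HTTP/SERVERHOSTNAME.DOMAINNAME.COM", "DOMAINNAME.COM"
SAMPLE_KEYTAB = build_keytab([build_entry(SPN, REALM, 1, b"\x11" * 8, 3),
                              build_entry(SPN, REALM, 23, b"\x22" * 16, 3),
                              build_entry(SPN, REALM, 18, b"\x33" * 32, 3)])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    print(check_keytab(SAMPLE_KEYTAB, f"{SPN}@{REALM}", 3))
```

The key version check is the one that most often explains a deployment that "worked yesterday": a service ticket is encrypted under the account's current key version, so if the account password is reset after the keytab was generated, the kvno in the keytab no longer matches and Tomcat cannot decrypt the ticket until the keytab is regenerated.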
Configuring Tomcat to establish user connectivity to Pega Robot Manager

1. Create the login.conf and krb5.conf files, and add them to the /bin folder.

2. Download the spnego-r7.jar file from the SourceForge website and copy the file to the prweb/WEB-INF/lib Tomcat folder.

3. Modify the web.xml file to intercept REST endpoints, to enable negotiation and authentication for calls that are requested by Pega Robot Runtime and Pega Robot Studio from the Pega Platform server. Configure the web.xml file to intercept the endpoints that are available for the api and roboticsSSO service packages, providing the appropriate values for parameters such as the spnego-client module name:

    <filter>
        <filter-name>SpnegoHttpFilter</filter-name>
        <filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>
        <init-param><param-name>spnego.allow.basic</param-name><param-value>true</param-value></init-param>
        <init-param><param-name>spnego.allow.localhost</param-name><param-value>true</param-value></init-param>
        <init-param><param-name>spnego.allow.unsecure.basic</param-name><param-value>true</param-value></init-param>
        <init-param><param-name>spnego.login.client.module</param-name><param-value>spnego-client</param-value></init-param>
        <init-param><param-name>spnego.krb5.conf</param-name><param-value>krb5.conf</param-value></init-param>
        <init-param><param-name>spnego.login.conf</param-name><param-value>login.conf</param-value></init-param>
        <init-param><param-name>spnego.allow.delegation</param-name><param-value>true</param-value></init-param>
        <init-param><param-name>spnego.preauth.username</param-name><param-value>username</param-value></init-param>
        <init-param><param-name>spnego.preauth.password</param-name><param-value>password_for_pre_auth_user</param-value></init-param>
        <init-param><param-name>spnego.login.server.module</param-name><param-value>spnego-server</param-value></init-param>
        <init-param><param-name>spnego.prompt.ntlm</param-name><param-value>true</param-value></init-param>
        <init-param><param-name>spnego.logger.level</param-name><param-value>1</param-value></init-param>
    </filter>
    <filter-mapping>
        <filter-name>SpnegoHttpFilter</filter-name>
        <url-pattern>/api/roboticsSSO/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>SpnegoHttpFilter</filter-name>
        <url-pattern>*.jsp</url-pattern>
    </filter-mapping>
    <login-config>
        <auth-method>SPNEGO</auth-method>
    </login-config>
4. In the web.xml file, provide the values for the SPN user name and password in the following parameters:

    <init-param><param-name>spnego.preauth.username</param-name><param-value>username_of_pre_auth_user</param-value></init-param>
    <init-param><param-name>spnego.preauth.password</param-name><param-value>password_for_pre_auth_user</param-value></init-param>
5. To provide the login credentials from the .keytab file instead, modify the spnego-server module in the login.conf file.

6. Add the following text to the login.conf file:

    spnego-client {
        com.sun.security.auth.module.Krb5LoginModule required;
    };
    spnego-server {
        com.sun.security.auth.module.Krb5LoginModule required
            useKeyTab=false
            storeKey=true
            debug=true
            isInitiator=false;
    };

   Make sure that the spnego-client and spnego-server module names match the values that you provided for the following entries in the web.xml file in step 3:

    <init-param><param-name>spnego.login.client.module</param-name><param-value>spnego-client</param-value></init-param>
    <init-param><param-name>spnego.login.server.module</param-name><param-value>spnego-server</param-value></init-param>
7. Modify the krb5.conf file to identify the domain realm name and the IP address of the AD DS system on which the Kerberos Key Distribution Center (KDC) network service runs by modifying the following text:

    [libdefaults]
        default_realm = DOMAINNAME.COM
        default_tkt_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac aes128-cts-hmac-sha1-96 aes128-cts
        default_tgs_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac aes128-cts-hmac-sha1-96 aes128-cts
        permitted_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac aes128-cts-hmac-sha1-96 aes128-cts

    [realms]
        DOMAINNAME.COM = {
            kdc = KDCMACHINEIP:88
            default_domain = DOMAINNAME.COM
        }

    [domain_realm]
        .domainName = DOMAINNAME.COM
        domainName = DOMAINNAME.COM
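The web.xml filter, login.conf and krb5.conf have to agree with one another: the module names that web.xml passes to the filter must exist as JAAS entries in login.conf, and either the spnego-server module reads a keytab or web.xml supplies the pre-authentication account. The following Python script is an added example, not Pega's or the spnego library's own code. It cross-checks constructed copies of the three fragments shown on this page (the inline strings are built from the page's sample values, not taken from a real deployment) and also lists the settings a reviewer would want to confirm before the server goes to production: the spnego.allow.* switches (spnego.allow.unsecure.basic=true, for instance, lets the filter accept Basic credentials over a connection that is not TLS-protected), debug=true in login.conf, which makes Krb5LoginModule write verbose authentication detail to Tomcat's standard output, and the single-DES types in the krb5.conf enctype lists. Replace the three inline strings with the contents of your own files to run it against a real deployment.

```python
"""Cross-check the web.xml filter, login.conf and krb5.conf for the SPNEGO filter.
Added example, not Pega's or the spnego library's code; the three sample files
below are constructed from the fragments shown on this page."""
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (values taken from the fragments on this page).
WEB_XML = """<web-app><filter><filter-name>SpnegoHttpFilter</filter-name>
<filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>
<init-param><param-name>spnego.allow.basic</param-name><param-value>true</param-value></init-param>
<init-param><param-name>spnego.allow.localhost</param-name><param-value>true</param-value></init-param>
<init-param><param-name>spnego.allow.unsecure.basic</param-name><param-value>true</param-value></init-param>
<init-param><param-name>spnego.login.client.module</param-name><param-value>spnego-client</param-value></init-param>
<init-param><param-name>spnego.login.server.module</param-name><param-value>spnego-server</param-value></init-param>
<init-param><param-name>spnego.allow.delegation</param-name><param-value>true</param-value></init-param>
<init-param><param-name>spnego.preauth.username</param-name><param-value>username</param-value></init-param>
<init-param><param-name>spnego.preauth.password</param-name><param-value>password_for_pre_auth_user</param-value></init-param>
</filter></web-app>"""
LOGIN_CONF = """spnego-client {com.sun.security.auth.module.Krb5LoginModule required; };
spnego-server {com.sun.security.auth.module.Krb5LoginModule required useKeyTab=false storeKey=true debug=true isInitiator=false; };"""
KRB5_CONF = """[libdefaults]
default_realm = DOMAINNAME.COM
default_tkt_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac aes128-cts-hmac-sha1-96
default_tgs_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac aes128-cts-hmac-sha1-96
permitted_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac aes128-cts-hmac-sha1-96
[realms]
DOMAINNAME.COM = {
kdc = KDCMACHINEIP:88
default_domain = DOMAINNAME.COM
}
[domain_realm]
.domainName = DOMAINNAME.COM"""

# Filter switches that widen what the filter accepts; each should be a deliberate choice.
PERMISSIVE = ("spnego.allow.basic", "spnego.allow.unsecure.basic",
              "spnego.allow.localhost", "spnego.allow.delegation")


def spnego_params(web_xml):
    """Return the SpnegoHttpFilter init-params as a dict."""
    for f in ET.fromstring(web_xml).iter("filter"):
        if f.findtext("filter-name", "").strip() == "SpnegoHttpFilter":
            return {p.findtext("param-name").strip(): p.findtext("param-value").strip()
                    for p in f.findall("init-param")}
    return {}


def parse_login_conf(text):
    """Map each JAAS entry name to its option dict (class name and control flag are skipped)."""
    modules = {}
    for name, body in re.findall(r"(\S+)\s*\{(.*?)\};", text, re.S):
        tokens = [t.rstrip(";") for t in body.split()[2:]]
        modules[name] = dict(t.split("=", 1) for t in tokens if "=" in t)
    return modules


def parse_krb5_conf(text):
    """Map [section] -> {key: value}; a realm's inner keys land in the realms section."""
    conf, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[section][key] = value
    return conf


def audit(web_xml, login_conf, krb5_conf):
    """Return a list of findings; an empty list means the three files agree."""
    p, modules, krb = spnego_params(web_xml), parse_login_conf(login_conf), parse_krb5_conf(krb5_conf)
    findings = []
    for role in ("client", "server"):
        name = p.get(f"spnego.login.{role}.module")
        if name not in modules:
            findings.append(f"web.xml names {role} module '{name}' but login.conf has no such entry")
    server = modules.get(p.get("spnego.login.server.module"), {})
    if server.get("useKeyTab") == "true":
        for opt in ("keyTab", "principal"):
            if opt not in server:
                findings.append(f"server module uses a keytab but does not set {opt}=")
    elif not (p.get("spnego.preauth.username") and p.get("spnego.preauth.password")):
        findings.append("neither a keytab nor pre-auth credentials are configured")
    if server.get("debug") == "true":
        findings.append("login.conf has debug=true; disable it outside troubleshooting")
    findings += [f"{flag}=true is set in web.xml; confirm production needs it"
                 for flag in PERMISSIVE if p.get(flag) == "true"]
    libdefaults = krb.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        findings.append("krb5.conf has no default_realm")
    elif realm not in krb.get("realms", {}):
        findings.append(f"krb5.conf has no [realms] entry for {realm}")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        weak = [t for t in libdefaults.get(key, "").split() if t.startswith("des-")]
        if weak:
            findings.append(f"{key} lists single-DES types {' '.join(weak)}")
    return findings


if __name__ == "__main__":
    for finding in audit(WEB_XML, LOGIN_CONF, KRB5_CONF):
        print("-", finding)
```

Run against the page's own sample values the audit reports eight findings, all of them settings rather than mistakes: the debug flag, the four permissive switches, and the DES types in each of the three enctype lists. The mismatch checks (a module name in web.xml with no login.conf entry, or no credential source at all) are the ones that produce a silent authentication failure at runtime, which is why they come first in the list.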