Topic
  • 26 replies
  • Latest Post - ‏2015-09-02T05:40:06Z by subhasankar
expert (190 Posts)

Pinned topic Maximo 7 with Single Sign on

‏2009-08-31T03:50:47Z
Hi,

Could anyone help me with procedures to integrate Single Sign with maximo? Do I require any information to be collected from customer before I start integration?

Thanks

-expert.
Updated on 2011-10-05T08:27:18Z at 2011-10-05T08:27:18Z by SystemAdmin
  • Ctibor (3 Posts)

    Re: Maximo 7 with Single Sign on

    ‏2009-08-31T17:03:43Z  
    Hi expert, this depends on which J2EE server you would like to accomplish this on, and what you would like to do SSO with.

    I'm assuming Maximo 7.1 running on WAS 6.1, and you would like to do SSO with Active Directory. In that case it's quite easy, because from WAS version 6.1 there is a new feature included, called TAI, which can help you do SSO with AD just by configuration, using SPNEGO. In fact, you do not need to do any steps in Maximo itself, just WAS.

    The complete settings you can find in the WAS documentation; here is the description:
    http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/csec_SPNEGO_overview.html
    and here the setup:
    http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/tsec_SPNEGO_tai.html

    But I suggest you use this whitepaper, which is much better:
    http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP101065

    Please feel free to contact me with more questions.

    Have a nice day
  • expert (190 Posts)

    Re: Maximo 7 with Single Sign on

    ‏2009-09-01T06:59:40Z  
    • Ctibor
    • ‏2009-08-31T17:03:43Z
    Hi Ctibor,

    Thanks for your reply.

    A quick Questions..

    Do we need any single sign-on product in place, or is WebSphere shipped with single sign-on?

    Thanks..

    Have a good day.
  • emoney (3 Posts)

    Re: Maximo 7 with Single Sign on

    ‏2009-09-04T15:31:18Z  
    • Ctibor
    • ‏2009-08-31T17:03:43Z
    I am also using Maximo 7 with WAS 6.1. I want to do SSO using an X.509 certificate and my company's LDAP. Should I use the same documentation to accomplish this task?

    Thanks a lot.
  • expert (190 Posts)

    Re: Maximo 7 with Single Sign on

    ‏2009-12-15T03:04:55Z  
    Hi Ctibor,

    Thanks for sharing the documents, which helped me to kick-start the configuration, but it is not working for me.

    I have configured WebSphere and IE as per the documents, but when I access the URL http://<hostname.domain>:9080/snoop it returns "The page cannot be displayed".

    Please help me to fix this issue.

    Regards,
    Expert.
  • spoirier (283 Posts)

    Re: Maximo 7 with Single Sign on

    ‏2009-12-15T16:11:26Z  
    • expert
    • ‏2009-12-15T03:04:55Z
    Hi Expert,
    Are you trying to setup SSO with LDAP / AD? If so, you need to configure many settings in AD, Websphere, and Maximo. This is not an easy process and you must read the entire procedure for YOUR setup. I say your setup as it varies based on Weblogic, Websphere and so on.

    Though there are other posts in this forum that can help you, you need to understand the basics, and people correct me if I am wrong.

    • AD will be set up with the groups and users that you want to be “fed into Maximo”
    • These people will have access to your company network based on their access in AD
    • AD will then communicate these groups and users to WebSphere
    • Maximo will then “poll” Websphere, based on a Maximo CRON task, to collect these groups and users
    • The groups stated above will be the security groups in Maximo.
    • The people in the groups will be the USERS in Maximo.
    • You will still need to setup the security privileges in Maximo per group.

    If you search the forum for AD, Active Directory, LDAP, Single Sign on, you will find the other posts with parts of your puzzle.

    Good Luck
  • expert (190 Posts)

    Re: Maximo 7 with Single Sign on

    ‏2009-12-16T08:41:10Z  
    • spoirier
    • ‏2009-12-15T16:11:26Z
    Hi spoirier,

    Thanks for your reply. We are using WebSphere, Maximo and AD. All these are configured and we are able to fetch users and groups from AD into Maximo, and it is working well. Now we are configuring SSO, but when I execute the command to verify

    kinit -k -t C:\winnt\host.keytab HTTP/myMaximoServerName@MYDOMAIN.COM (I have specified the exact names)

    I get the error

    Client not found in Kerberos database. When I asked admin he says there is no such database and only AD is being used.

    Thanks,
    Expert.
  • nshitiy (3 Posts)

    Re: Maximo 7 with Single Sign on

    ‏2010-01-20T21:28:47Z  
    Hi to all!

    I am trying to configure Maximo 7.1 with SSO using the whitepaper (see Ctibor's post above) but it's not working...

    My steps:
    1) create user ssotest in the AD
    2) map SPN for WAS server to the created user using command
    > setspn -a HTTP/washost.mydomain.com ssotest

    3) generate keytab file using command
    > ktpass -out MXServer.keytab -princ HTTP/washost.mydomain.com@MYDOMAIN.COM -pass password -ptype KRB5_NT_PRINCIPAL

    4) copy keytab file to the WAS server and generate Kerberos configuration file using command in wsadmin console
    > $AdminTask createKrbConfigFile {-krbPath c:\ibm\etc\krb5.conf -realm MYDOMAIN.COM -kdcHost adhost.mydomain.com -dns mydomain.com -keytabPath c:\ibm\etc\MXServer.keytab}

    5) enable websphere security - in my case I have already configured websphere security (Federated Repositories with one AD server used also for configuring SSO)
    6) enable SSO
    7) enable trust association and add property com.ibm.ws.security.spnego.SPN1.hostName=washost.mydomain.com to the Custom Properties for com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl interceptor.

    8) enable SPNEGO at the JVM level for MXServer i.e. add following properties to the Application Servers > MXServer > Process Definition > Java Virtual Machine > Custom Properties:

    com.ibm.security.jgss.debug = ALL
    com.ibm.security.krb5.Krb5Debug = ALL
    com.ibm.ws.security.spnego.isEnabled = true
    java.security.krb5.conf = c:\ibm\etc\krb5.conf

    9) restart websphere
    10) configure browsers at the same way as described in the whitepaper (both IE and Firefox)
    So when the server starts up it looks like the TAI configuration loads successfully (by the log entries).
    But when I try to surf to Maximo using the URL http://washost.mydomain.com/maximo, SSO is not working and the login screen loads again.
    In the application server logs I see following error:

    SECJ0053E: Authorization failed for /UNAUTHENTICATED while invoking (Bean)ejb/maximo/remote/accesstokenprovider getAccessToken:3 securityName: /UNAUTHENTICATED;accessID: UNAUTHENTICATED is not granted any of the required roles: maximouser

    Looks like the application server is not receiving the security token from the client and marks the client as UNAUTHENTICATED. So the next authorization for access to Maximo fails (because UNAUTHENTICATED is not granted the maximouser role)...

    Has anybody faced the same problem?
    Is there anybody who has succeeded in configuring SSO for Maximo?

    Thanks in advance for any help!
  • TravisDixon-TCG (4 Posts)

    Re: Maximo 7 with Single Sign on

    ‏2010-07-29T20:06:53Z  
    Has anyone been able to successfully configure Maximo 7.1 with LDAP authentication and authorization with WebSphere SSO? I was able to configure Maximo with LDAP, but following the white paper did not yield an SSO configuration. I was expecting to log in to my client Windows machine, browse to the Maximo URL (http://sunsinger.tcgtwo.local:9080/maximo) and have it automatically log me into Maximo. Is that not how it's supposed to work?

    Thanks in advance for your help.

    Travis
  • TravisDixon-TCG (4 Posts)

    Re: Maximo 7 with Single Sign on

    ‏2010-07-30T16:24:57Z  
    I was able to successfully configure my Maximo 7 environment with LDAP and SSO. I followed the white paper the first time and omitted the line where you have to turn it on! Make sure that the JVM settings that are identified in the white paper are exactly what is in yours too. Also, you must change the web.xml in C:\IBM\SMP\development\maximo\applications\maximo\maximouiweb\webmodule\WEB-INF to show <auth-method>CLIENT-CERT</auth-method> instead of <auth-method>BASIC</auth-method>. Your best bet is to set up the LDAP authentication first, to where you'll see the dialog prompt login first, and then change the web.xml to be CLIENT-CERT instead.

    Travis
  • cinimod (1 Post)

    Re: Maximo 7 with Single Sign on

    ‏2010-09-14T09:42:11Z  
    Hi travis,

    Can you help me with configuring SSO in Maximo 6? I have already configured Kerberos, configured LDAP for Maximo, set the SPN, created the keytab, configured the WebLogic server with SPNEGO, etc. I didn't encounter any error setting up these steps, so when I try to connect to the Maximo server like http://maximo02.teamg.com:7001/maximo it still requires me to enter the credentials, even though I already modified web.xml by changing the auth method to CLIENT-CERT. Where do you think the problem is? Did I forget something to modify or configure?

    Here are the steps that I did:
    1. maximo - account created in AD.
    2. From the properties of this account > Account tab I checked "Use DES encryption types for this account".
    3. setspn -a HTTP/maximo02.teamg.com maximo
    4. ktpass -princ HTTP/maximo02@TEAMG.COM -mapuser maximo -pass mypass -crypto DES-CBC-CRC -ptype KRB5_NT_PRINCIPAL -out c:\winnt\Host.keytab
    5. I created a JAAS login file, krblogin.conf. I stored this file in the domain folder of the WebLogic server:
    com.sun.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        principal="HTTP/maximo02@TEAMG.COM" useKeyTab=true
        keyTab="C:\winnt\Host.KeyTab" storeKey=true
        debug=true;
    };
    6. I created krb5.ini and placed it at c:\winnt and copied it to c:\WINDOWS:
    [libdefaults]
    default_realm = TEAMG.COM
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc
    ticket_lifetime = 600

    [realms]
    TEAM.COM = {
        kdc = 192.168.0.114
        admin_server = 192.168.0.114
        default_domain = teamg.com
    }

    [domain_realm]
    .TEAM.COM = TEAM.COM
    .teamg = TEAM.COM

    [appdefaults]
    autologin = true
    forward = true
    forwardable = true
    encrypt = true

    7. kinit -k -t C:\bea\user_projects\domains\mxes\Host.keytab HTTP/maximo02.TEAMG.COM
    output was New cache...... C:\Documents and Settings\Administrator\krncc_ad......

    8. I modified startweblogic.cmd:
    set JAVA_OPTIONS=%JAVA_OPTIONS% -Djava.security.krb5.realm=teamg.com -Djava.security.krb5.kdc=192.168.0.114 -Djava.security.auth.login.config=C:\bea\user_projects\domains\mxes\Krb5login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Dweblogic.debug.DebugMessaging=true -DDebugSecurityAdjudicator=true -Dweblogic.debug.DebugSecurityAtn=true -Dweblogic.debug.DebugSecurityAtz=true -Dweblogic.Debug.DebugSecurityATN=true -Dweblogic.StdoutSeverityLevel=64 -Dweblogic.StdoutDebugEnabled=true

    9. I also modified web.xml of Maximo:
    <auth-method>CLIENT-CERT</auth-method>

    10. I configured the web server by configuring the Single Pass Negotiate Identity Asserter.
    11. Then the web browser client configuration: I added the URL to the Local intranet zone, selected "Automatic logon only in Intranet zone" and checked "Enable Integrated Windows Authentication".

    Did I forget something to configure? I just don't know where the problem is and how to fix it.

    Thanks in advance,
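Both procedures posted in this thread (nshitiy's WebSphere steps and cinimod's WebLogic steps directly above) tie the same three artefacts together: the SPN registered with setspn, the principal that ktpass bakes into the keytab, and the realm in krb5.conf/krb5.ini. Kerberos compares these literally, so they have to agree character for character. In the krb5.ini posted above, default_realm is TEAMG.COM while the [realms] and [domain_realm] stanzas name TEAM.COM, and ktpass was given HTTP/maximo02@TEAMG.COM while setspn registered HTTP/maximo02.teamg.com; the "Client not found in Kerberos database" that kinit returned earlier in the thread is what such a mismatch looks like from the KDC's side. The DES-CBC-CRC enctype that the same procedure forces is also the weakest Kerberos cipher and is disabled by default on current Windows domain controllers. The Python below is an added example, not part of the thread and not an IBM, Oracle or Microsoft tool: it parses an MIT-format keytab (the layout ktpass -out writes) and a krb5.ini, cross-checks them against the SPN string, and reports every disagreement and every weak enctype. The sample krb5.ini and keytab it builds are constructed to mirror the posted configuration; the host names, realm and key bytes are placeholders.

```python
import re
import struct

# Kerberos enctype numbers (RFC 3961/3962); single-DES (1, 3) and RC4 (23) are weak. ktpass -crypto DES-CBC-CRC writes 1.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {1, 3, 23}
WEAK_NAMES = {ENCTYPE_NAMES[e] for e in WEAK_ENCTYPES}

def build_keytab(principal, realm, enctype, key, kvno=1):
    """Serialise one entry in MIT 0x0502 keytab layout (what ktpass -out writes); all fields big-endian."""
    def cos(b):                                      # counted_octet_string: uint16 length + bytes
        return struct.pack(">H", len(b)) + b
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + cos(realm.encode()) + b"".join(cos(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)    # name_type KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">H", enctype) + cos(key)     # keyblock
    body += struct.pack(">I", kvno)                   # 32-bit kvno trailer
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal@REALM, enctype, kvno)] per entry; key bytes are skipped, never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        if size <= 0:                                 # a negative size marks a deleted slot
            pos += 4 - size
            continue
        end = pos + 4 + size
        ncomp = struct.unpack_from(">H", data, pos + 4)[0]
        pos, fields = pos + 6, []                     # realm first, then the name components
        for _ in range(ncomp + 1):
            n = struct.unpack_from(">H", data, pos)[0]
            fields.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _name_type, _stamp, vno8 = struct.unpack_from(">IIB", data, pos)
        etype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append(("/".join(fields[1:]) + "@" + fields[0], etype, kvno))
        pos = end
    return entries

def parse_krb5(text):
    """Minimal krb5.ini/krb5.conf parser: {section: {key: value or nested dict}}."""
    conf, stack = {}, [{}]
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if val == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = val
    return conf

def check_sso_config(krb5_text, keytab_bytes, registered_spn):
    """Cross-check krb5.ini, the keytab and the SPN given to setspn; an empty list means they agree."""
    findings, conf = [], parse_krb5(krb5_text)
    libdefaults, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    realm = libdefaults.get("default_realm", "")
    if realm not in realms:
        findings.append("default_realm %s has no [realms] stanza (found: %s)" % (realm, ", ".join(realms) or "none"))
    for opt in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = [e for e in re.split(r"[,\s]+", libdefaults.get(opt, "")) if e in WEAK_NAMES]
        if weak:
            findings.append("%s allows weak enctype(s): %s" % (opt, ", ".join(weak)))
    # Principal names are case-sensitive and must carry the host as the browser builds the SPN from the URL.
    entries = parse_keytab(keytab_bytes)
    wanted = "%s@%s" % (registered_spn, realm)
    if wanted not in {p for p, _, _ in entries}:
        findings.append("keytab holds %s, not %s" % (", ".join(p for p, _, _ in entries), wanted))
    for p, etype, _ in entries:
        if etype in WEAK_ENCTYPES:
            findings.append("keytab entry %s uses weak enctype %s" % (p, ENCTYPE_NAMES.get(etype, etype)))
    return findings

# Constructed samples modelled on the krb5.ini and ktpass command posted above; key bytes are placeholders.
POSTED_STYLE_KRB5 = """
[libdefaults]
 default_realm = TEAMG.COM
 default_tkt_enctypes = des-cbc-crc
 default_tgs_enctypes = des-cbc-crc
[realms]
 TEAM.COM = {
  kdc = 192.168.0.114
 }
"""
FIXED_KRB5 = POSTED_STYLE_KRB5.replace("TEAM.COM", "TEAMG.COM").replace("des-cbc-crc", "aes256-cts-hmac-sha1-96")
POSTED_STYLE_KEYTAB = build_keytab("HTTP/maximo02", "TEAMG.COM", 1, bytes(8))              # short host, DES
FIXED_KEYTAB = build_keytab("HTTP/maximo02.teamg.com", "TEAMG.COM", 18, bytes(32), kvno=2)   # FQDN, AES-256
REGISTERED_SPN = "HTTP/maximo02.teamg.com"                                                    # as given to setspn -a
```

Run check_sso_config(POSTED_STYLE_KRB5, POSTED_STYLE_KEYTAB, REGISTERED_SPN) to see the five findings the posted shape produces (realm without a stanza, two weak enctype options, keytab principal without the FQDN, DES key in the keytab); the FIXED pair returns an empty list. To check a real keytab, pass open("Host.keytab", "rb").read() and the text of the krb5.ini in use; the parser never prints or returns key material, so the output is safe to paste into a ticket.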
  • TravisDixon-TCG (4 Posts)

    Re: Maximo 7 with Single Sign on

    ‏2010-09-14T18:02:44Z  
    • cinimod
    • ‏2010-09-14T09:42:11Z
    I'm assuming that you rebuilt your EARs after you made the change to the web.xml file? If you did, you should get an error message and not a login prompt. Trying to assist through a forum is almost impossible. I wish you the best of luck.

    Travis
  • parak (1 Post)

    Re: Maximo 7 with Single Sign on

    ‏2010-11-10T16:32:55Z  
    • cinimod
    • ‏2010-09-14T09:42:11Z
    Hi Cinimod, were you able to fix this issue with WebLogic? We are also trying to configure SSO for Maximo 7.1; we have done all the changes listed above and we get a 401 UNAUTHORIZED error. If you can send the document it will be great.

    Thank you.
  • SystemAdmin (5842 Posts)

    Re: Maximo 7 with Single Sign on

    ‏2011-06-11T07:14:39Z  
    • nshitiy
    • ‏2010-01-20T21:28:47Z
    Hello nshitiy,
    I am using TSRM 7.2.1 with WebSphere. I have already configured Active Directory and am able to fetch the users and the persons into my Maximo application.
    Now I want to configure SSO. I have already followed the procedure you mentioned in the post. I am able to perform step 7, i.e. generation of the TAI properties, by the procedure you mentioned. But after restarting the server I am facing a problem. The error mentioned in the log files is:
    6/10/11 19:01:20:564 IST 0000000a ServerCredent E com.ibm.ws.security.spnego.ServerCredential initialize CWSPN0014E: An exception occurred during Kerberos initialization. Failure: org.ietf.jgss.GSSException, major code: 11, minor code: 0
    major string: General failure, unspecified at GSSAPI level
    minor string: Cannot get credential for principal service HTTP/max-dev-app2.shopzone.com@SHOPZONE.COM.
    Please help me out of this problem. Thanks in advance; also share some useful link or doc to help with this issue.
  • venkatapraveen (15 Posts)

    Re: Maximo 7 with Single Sign on

    ‏2011-06-15T06:21:05Z  
    • nshitiy
    • ‏2010-01-20T21:28:47Z
    Hi Nishity,

    Has your problem been solved? I hope you might have solved your problem.

    If you have not solved it yet, just try this.

    Go to the console page --> Applications --> select MAXIMO.

    Select Security role to user/group mapping.

    Select maximouser and click All Authenticated.

    Restart MXServer.

    Hope it helps.
  • SystemAdmin (5842 Posts)

    Re: Maximo 7 with Single Sign on

    ‏2011-07-27T08:11:10Z  
    • parak
    • ‏2010-11-10T16:32:55Z
    Hi everyone

    I am trying to set up SSO with Maximo 7 (BS 7.1.1.7) on WebSphere 6.1.11. I followed the instructions in the whitepaper listed earlier and have the SSO user ID mapped to the service principal user in AD. Maximo authentication is set up in WebSphere with a federated repository (AD).

    When I try to log in to Maximo using the IP address or hostname (i.e. http://<ipaddress>/maximo OR http://<hostname>/maximo) with the normal EAR file, I still get the IE login dialog box and can login to the application as normal.

    However when I change the URL to be the FQDN (i.e. http://<fqdn_hostname>/maximo) I still get the IE login box but when entering correct credentials, I get the following error message in the browser and cannot access the app, see attached

    Your browser configuration is correct, but you have not logged into a supported Microsoft(R) Windows(R) Domain.
    Please login to the application using the normal login page.

    In all cases I get the below message in SystemOut.log

    7/27/11 10:03:47:648 CEST 00000047 SecurityColla A SECJ0053E: Authorization failed for /UNAUTHENTICATED while invoking (Bean)ejb/maximo/remote/accesstokenprovider getAccessToken:3 securityName: /UNAUTHENTICATED;accessID: UNAUTHENTICATED is not granted any of the required roles: maximouser

    Usually this can be resolved by clicking the All Authenticated check box when installing the EAR file for maximouser. I have already done this, so am a bit confused and think this may be caused by something else.
    I rebuilt the EAR file with <auth-method>CLIENT-CERT</auth-method> in web.xml as mentioned before, but then I get an HTTP 403 Forbidden screen and no IE dialog.

    Can anyone confirm that you do have to change the web.xml auth-method for SSO to work with WebSphere and Maximo ?

    Any help or similar experience appreciated.
    Thanks
  • SystemAdmin
    SystemAdmin
    5842 Posts

    Re: Maximo 7 with Single Sign on

    ‏2011-07-27T10:23:50Z  
    Really useful whitepaper that I followed for WebSphere/SPNEGO/AD configuration can be found at

    http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP101065
  • SystemAdmin
    SystemAdmin
    5842 Posts

    Re: Maximo 7 with Single Sign on

    ‏2011-07-27T11:05:33Z  
    The LDAP Configuration flow chart might also be helpful...
    Master Document - LDAP Configurations Flow Chart
    https://www-304.ibm.com/support/docview.wss?rs=3214&uid=swg21303950&context=SSLKT6&cs=utf-8&lang=en&loc=en_US
  • SystemAdmin
    SystemAdmin
    5842 Posts

    Re: Maximo 7 with Single Sign on

    ‏2011-08-02T08:46:02Z  
    OK, I think I may have found an issue but would appreciate anyone confirming my thinking.
    My service principal account, which has been created in AD and is used by WAS for authentication, has been created in the domain

    global.local
    The AD accounts that the users log in with are in the subdomain

    company.global.local

    So my question is: will SSO with SPNEGO ever work in this scenario? Do I in fact need the service principal account created in the company.global.local domain as well?
  • SystemAdmin
    SystemAdmin
    5842 Posts

    Re: Maximo 7 with Single Sign on

    ‏2011-09-30T16:56:03Z  
    eug, were you able to figure it out? I have a situation where my server is connected to win.company.com, but my accounts are in global.company.com. I am getting the same 403 Forbidden error and am thinking of migrating my servers to the global domain, but would rather not do that yet if I don't have to.
  • SystemAdmin
    SystemAdmin
    5842 Posts

    Re: Maximo 7 with Single Sign on

    ‏2011-09-30T19:02:04Z  
    I believe there is an issue setting it up with multiple domains (forest). I set it up just fine in my test environment with a single domain.
  • SystemAdmin
    SystemAdmin
    5842 Posts

    Re: Maximo 7 with Single Sign on

    ‏2011-10-05T08:27:18Z  
    Hi there

    I haven't been able to fix this yet, but I have proved it is an issue with the cross-domain authentication on this particular AD implementation.

    SSO now works for me with an account in global.local, but unfortunately this is not where the majority of user accounts are. I may have to try putting the SPN in the subdomain to resolve this, but I have users in several subdomains, which is another problem.
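An added diagnostic for the two problems discussed above: the "Your browser configuration is correct, but you have not logged into a supported Microsoft(R) Windows(R) Domain" page, and the question of whether a service principal in global.local can serve users in company.global.local. This is an editor's example, not IBM, WebSphere or Maximo code. The WebSphere SPNEGO TAI returns that page when the Authorization: Negotiate header carries an NTLM token instead of a Kerberos one, which is what a browser falls back to when it cannot obtain a service ticket for the SPN. Capturing the header (browser developer tools or an intercepting proxy) and decoding it tells you which case you are in, and for a Kerberos token which realm issued the ticket and which SPN it names, which is exactly what needs checking in the cross-domain scenario. The script decodes the header with a minimal DER walker; the sample headers, the host maximo.company.global.local and the realm GLOBAL.LOCAL are constructed for the example, and the sample AP-REQ has empty enc-part and authenticator fields, so it is not a valid Kerberos message, only enough structure to exercise the parser.

```python
import base64

# GSS-API mechanism OIDs in DER form (RFC 4178, RFC 4121, MS-SPNG).
OID_SPNEGO = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b060104018237020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_KRB5: "Kerberos", OID_MS_KRB5: "MS Kerberos", OID_NTLMSSP: "NTLMSSP"}

def der(tag, body):
    """Encode one DER TLV, using the long length form when needed."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n)]) + n + body

def read_tlv(buf, pos=0):
    """Return (tag, body, position after the TLV); raise on truncation."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated DER")
    return tag, body, pos + length

def unwrap(buf):
    return read_tlv(buf)[1]  # body of the first TLV in buf

def children(buf):
    """Yield (tag, body) for every TLV inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        yield tag, body

def ticket_realm_and_sname(ap_req):
    """Realm and service principal named in a Kerberos AP-REQ ticket (RFC 4120 5.3)."""
    fields = dict(children(unwrap(unwrap(ap_req))))     # [APPLICATION 14] SEQUENCE
    tkt = dict(children(unwrap(unwrap(fields[0xA3]))))  # [3] ticket -> [APPLICATION 1] SEQUENCE
    realm = unwrap(tkt[0xA1]).decode()                  # [1] realm (GeneralString)
    sname = dict(children(unwrap(tkt[0xA2])))           # [2] sname PrincipalName
    return realm, "/".join(b.decode() for _, b in children(unwrap(sname[0xA1])))

def inspect_negotiate(header):
    """Classify an Authorization header value; returns (kind, detail)."""
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate", scheme
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):  # raw NTLM: the client obtained no Kerberos ticket
        return "ntlm", None
    if raw[:1] != b"\x60":              # not a GSS-API InitialContextToken
        return "unknown", None
    body = unwrap(raw)
    _, oid, pos = read_tlv(body)
    if oid in (OID_KRB5, OID_MS_KRB5):  # bare Kerberos token: OID, TOK_ID 01 00, AP-REQ
        return "kerberos", ticket_realm_and_sname(body[pos + 2:])
    if oid != OID_SPNEGO:
        return "unknown", oid.hex()
    tag, init, _ = read_tlv(body, pos)  # NegotiationToken: [0] NegTokenInit
    if tag != 0xA0:
        return "spnego-other", None
    fields = dict(children(unwrap(init)))
    mechs = [MECH_NAMES.get(o, o.hex()) for _, o in children(unwrap(fields[0xA0]))]
    if mechs[0] == "NTLMSSP":           # SPNEGO-wrapped NTLM: same failure as raw NTLM
        return "spnego-ntlm", mechs
    if mechs[0] not in ("Kerberos", "MS Kerberos") or 0xA2 not in fields:
        return "spnego-other", mechs
    inner = unwrap(unwrap(fields[0xA2]))  # [2] mechToken OCTET STRING -> GSS token body
    _, _, pos = read_tlv(inner)           # skip the Kerberos mech OID and TOK_ID
    return "spnego-kerberos", ticket_realm_and_sname(inner[pos + 2:])

def build_ap_req(realm, service, host):
    """Constructed AP-REQ with only the ticket fields read above; enc-part/authenticator are empty stubs."""
    names = der(0x30, der(0x1B, service.encode()) + der(0x1B, host.encode()))
    sname = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0xA1, names))  # NT-SRV-INST
    ticket = der(0x61, der(0x30, der(0xA0, der(0x02, b"\x05")) + der(0xA1, der(0x1B, realm.encode()))
                          + der(0xA2, sname) + der(0xA3, der(0x30, b""))))
    return der(0x6E, der(0x30, der(0xA0, der(0x02, b"\x05")) + der(0xA1, der(0x02, b"\x0E"))
                         + der(0xA2, der(0x03, b"\x00\x00\x00\x00\x00")) + der(0xA3, ticket)
                         + der(0xA4, der(0x30, b""))))

def build_spnego_header(mech_oids, mech_token):
    """Constructed 'Negotiate' header: NegTokenInit with the given mechTypes order."""
    mech_list = der(0xA0, der(0x30, b"".join(der(0x06, o) for o in mech_oids)))
    init = der(0xA0, der(0x30, mech_list + der(0xA2, der(0x04, mech_token))))
    return "Negotiate " + base64.b64encode(der(0x60, der(0x06, OID_SPNEGO) + init)).decode()

# Constructed samples; realm and host are assumptions for the example, not real systems.
KRB_TOKEN = der(0x60, der(0x06, OID_MS_KRB5) + b"\x01\x00"
              + build_ap_req("GLOBAL.LOCAL", "HTTP", "maximo.company.global.local"))
SAMPLE_KERBEROS = build_spnego_header((OID_MS_KRB5, OID_KRB5, OID_NTLMSSP), KRB_TOKEN)
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2").decode()

if __name__ == "__main__":
    for h in (SAMPLE_KERBEROS, SAMPLE_NTLM):
        print(inspect_negotiate(h))
```

To use it on a real capture, pass the full header value (`Negotiate ...`) to inspect_negotiate. A result of "ntlm" or "spnego-ntlm" means the client never obtained a Kerberos service ticket, so SPN registration (setspn) and the trust path between the user's domain and the domain holding the SPN are the things to check before changing web.xml or the EAR role mapping; a Kerberos result shows which realm issued the ticket and which SPN it names, so a mismatch between the realm the users live in and the one holding the service account is visible directly.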
  • bbalwani
    bbalwani
    15 Posts

    Re: Maximo 7 with Single Sign on

    ‏2013-12-11T07:23:19Z  

    Hi SystemAdmin, can you guide me on what things I need to do for SSO in my scenario?

    We have TAM and Maximo and we are using TAI. Can I get a document for this? Do we need to install and run software such as IBM Java and GSKit? Do we need PdPerm.properties to be generated for SSO? Can you please guide me on this, as I am not finding a document for Maximo 7.5, WebSphere 7, TAM 7 and TDS 6.3.

    Thanks in advance.

  • bbalwani
    bbalwani
    15 Posts

    Re: Maximo 7 with Single Sign on

    ‏2013-12-11T07:23:57Z  
    • parak
    • ‏2010-11-10T16:32:55Z

    Hi, did you ever find a solution? Can you please give me a document for this?

    Thanks in advance.

  • bbalwani
    bbalwani
    15 Posts

    Re: Maximo 7 with Single Sign on

    ‏2013-12-11T07:24:45Z  
    • parak
    • ‏2010-11-10T16:32:55Z

    Hi, did you ever find a solution? Can you please give me a document for this?

    What do I need to do to bypass the login page?