Configuring IBM Business Automation Workflow to support SSO through Kerberos SPNEGO

You can configure IBM Business Automation Workflow to support single sign-on (SSO) authentication through Kerberos SPNEGO with a FileNet® P8 repository and WebSphere® Application Server.

Before you begin

Before you configure single sign-on for IBM Business Automation Workflow, you must configure your web application server for SPNEGO.
  • Configure your Active Directory domain and configure all of the client workstations as members of the same domain as your Active Directory server. If you have a more complex configuration, you can configure the client workstations as members of a different domain and then cross certify the servers.
  • Install WebSphere Application Server and enable application level security.
  • For WebSphere Application Server Network Deployment systems, install the WebSphere Application Server Network Deployment Manager and configure application level security. Configure your system according to your needs and requirements.
  • Install and configure IBM FileNet P8 Content Platform Engine.
  • Install and configure IBM Content Navigator with SPNEGO. For more information, refer to the following technote Configuring single sign-on for IBM Content Navigator by using SPNEGO/Kerberos (IBM FileNet P8) on WebSphere Application Server.
  • Install IBM Business Automation Workflow.

Procedure

To configure SSO support for IBM Business Automation Workflow by using Kerberos SPNEGO:

  1. Open the IBM Business Automation Workflow configmgr.ini file in a text editor. By default, the configmgr.ini file is in the drive\Program Files\IBM\CaseManagement\configure directory or the drive\Program Files (x86)\IBM\CaseManagement\configure directory.
  2. Add the following JVM parameters to the configmgr.ini file.
    -Djava.security.auth.login.config
    The location of the WAS_PROFILE_HOME/properties/wsjaas_client.conf file.
    -Dicm.spnego.enable
    Should be set to TRUE.
    -Dicm.spnego.serverSPN
    The Kerberos service principal name (SPN) of the HTTP service.
    For example:
    -Djava.security.auth.login.config=C:/Program Files/IBM/WebSphere/AppServer/profiles/AppSrv01/properties/wsjaas_client.conf
    -Dicm.spnego.enable=true
    -Dicm.spnego.serverSPN=HTTP/kerwassrv.kertestdomain.com@KERTESTDOMAIN.COM
  3. Optional: AES encryption is the default encryption specification used to generate the Kerberos keytab file on Windows 2008 Server and Windows 2008 Server R2 systems. AES encryption is currently not fully supported by the IBM Business Automation Workflow Case configuration tool. To use AES-encrypted Kerberos keytabs with IBM Business Automation Workflow, Windows 2008 Server and Windows 2008 Server R2 users must patch the supported Java™ Runtime Environment (JRE) to support unlimited key strength in the Java Cryptography Extension (JCE) package used by the IBM Business Automation Workflow configuration tool.
    1. Back up the US_export_policy.jar and local_policy.jar files that can be found in the CaseManagerInstallLocation\java\sdk\jre\lib\security directory.
    2. Ensure that the IBM Business Automation Workflow configuration tool is stopped.
    3. Download the unlimited strength encryption security policy files (for WebSphere Application Server only) to the CaseManagerInstallLocation\java\sdk\jre\lib\security directory.
    4. Disable pre-authentication with Kerberos for the LDAP user that is specified as the IBM Content Navigator administrator in the IBM Business Automation Workflow configuration tool. Disable Kerberos pre-authentication for the user account in Microsoft Active Directory that the IBM Business Automation Workflow configuration tool is using to connect to IBM Content Navigator.
  4. Optional: If you are an AES encryption user, you can instead generate a new Kerberos keytab file that uses DES encryption specifically for the IBM Business Automation Workflow Case configuration tool. You must also create a new, corresponding Kerberos configuration file for the new keytab file. Create the keytab file with DES encryption by entering the following command:
    ktpass -out keyfile_name -princ HTTP/fully_qualified_HTTP_Server_host_name@AD_DOMAIN_NAME 
    -pass password -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5
    You must specify the path to the new Kerberos configuration file and keytab file by using the java.security.krb5.conf JVM property in the IBM Business Automation Workflow configuration tool configmgr.ini file. For example, if your Kerberos configuration file (krb5.ini file) is located in the C:\SSO\ directory, add the following line to the configmgr.ini file:
    -Djava.security.krb5.conf=C:/SSO/krb5.ini
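    As an added example (this is not IBM's code and not part of the product), the following Python script checks the configmgr.ini JVM properties from step 2 together with the krb5.ini and keytab pairing from step 4 for the consistency problems that most often break SPNEGO: a missing or malformed property, an SPN whose realm is not upper case or whose host is not fully qualified, a krb5.ini default_realm that differs from the SPN realm, a custom krb5.ini without the matching -Djava.security.krb5.conf property, and a krb5.ini whose enctype settings do not permit the enctype the keytab was generated with. The function name check_sso_config, the parsers, and the embedded configmgr.ini and krb5.ini samples are constructed for this example; the SPN and paths reuse the values shown in the steps above.

```python
"""Consistency checks for the SPNEGO JVM properties in configmgr.ini and the
matching krb5.ini. Added example; not part of IBM Business Automation Workflow."""
import re
from typing import Dict, List

# Service principal name shape expected by step 2: HTTP/<fqdn>@<REALM>
SPN_RE = re.compile(r"^HTTP/(?P<host>[A-Za-z0-9.-]+)@(?P<realm>[^@\s]+)$")

# krb5 [libdefaults] keys that restrict which enctypes the client will use
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def parse_jvm_props(text: str) -> Dict[str, str]:
    """Collect -Dname=value lines from configmgr.ini-style content."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-D") and "=" in line:
            name, value = line[2:].split("=", 1)
            props[name.strip()] = value.strip()
    return props


def parse_krb5(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the [section] / key = value layout of krb5.ini."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def check_sso_config(configmgr_ini: str, krb5_ini: str = "", keytab_enctype: str = "") -> List[str]:
    """Return findings as strings; an empty list means every check passed.
    Entries that start with 'note:' are informational rather than errors."""
    findings: List[str] = []
    props = parse_jvm_props(configmgr_ini)

    login_conf = props.get("java.security.auth.login.config", "")
    if not login_conf:
        findings.append("missing -Djava.security.auth.login.config")
    elif not login_conf.lower().endswith("wsjaas_client.conf"):
        findings.append("java.security.auth.login.config should point at wsjaas_client.conf")

    if props.get("icm.spnego.enable", "").lower() != "true":
        findings.append("icm.spnego.enable must be true")

    spn = props.get("icm.spnego.serverSPN", "")
    match = SPN_RE.match(spn)
    spn_realm = None
    if not match:
        findings.append(f"icm.spnego.serverSPN {spn!r} is not of the form HTTP/host.fqdn@REALM")
    else:
        spn_realm = match.group("realm")
        if spn_realm != spn_realm.upper():
            findings.append(f"realm {spn_realm!r} in serverSPN should be upper case")
        if "." not in match.group("host"):
            findings.append("serverSPN host should be the fully qualified host name")

    if krb5_ini:
        # Step 4: a custom krb5.ini only takes effect when the JVM is pointed at it
        if "java.security.krb5.conf" not in props:
            findings.append("custom krb5.ini supplied but -Djava.security.krb5.conf is not set")
        libdefaults = parse_krb5(krb5_ini).get("libdefaults", {})
        default_realm = libdefaults.get("default_realm")
        if default_realm and spn_realm and default_realm != spn_realm:
            findings.append(f"default_realm {default_realm!r} differs from serverSPN realm {spn_realm!r}")
        if keytab_enctype:
            want = keytab_enctype.lower()
            for key in ENCTYPE_KEYS:
                allowed = [e.lower() for e in libdefaults.get(key, "").replace(",", " ").split()]
                if allowed and want not in allowed:
                    findings.append(f"{key} does not allow keytab enctype {want}")
            if want.startswith("des-"):
                findings.append("note: keytab uses single DES, a weak enctype kept only as a configuration-tool workaround")
    return findings


# Constructed sample inputs that mirror the values shown in steps 2 and 4
SAMPLE_CONFIGMGR_INI = """-Xmx512m
-Djava.security.auth.login.config=C:/Program Files/IBM/WebSphere/AppServer/profiles/AppSrv01/properties/wsjaas_client.conf
-Dicm.spnego.enable=true
-Dicm.spnego.serverSPN=HTTP/kerwassrv.kertestdomain.com@KERTESTDOMAIN.COM
-Djava.security.krb5.conf=C:/SSO/krb5.ini
"""

SAMPLE_KRB5_INI = """[libdefaults]
default_realm = KERTESTDOMAIN.COM
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = des-cbc-md5
permitted_enctypes = des-cbc-md5

[realms]
KERTESTDOMAIN.COM = {
  kdc = kerwassrv.kertestdomain.com
}
"""

if __name__ == "__main__":
    for finding in check_sso_config(SAMPLE_CONFIGMGR_INI, SAMPLE_KRB5_INI, "DES-CBC-MD5"):
        print(finding)
```

    Run the script with the contents of your own configmgr.ini and krb5.ini in place of the samples, and pass the -crypto value you gave to ktpass as keytab_enctype. A DES keytab is reported as a note rather than an error because step 4 uses it only as a workaround for the configuration tool; the enctype comparison is what catches the common mismatch of a DES keytab paired with a krb5.ini that still permits only AES.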
  5. Run the IBM Business Automation Workflow configuration tool. Create a new deployment on WebSphere Application Server.
  6. Run all of the configuration and deployment tasks that apply to your IBM Business Automation Workflow system.
  7. Restart the application server where IBM Business Automation Workflow is deployed.
  8. Optional: Highly available cluster systems: In the WebSphere Application Server Network Deployment console, ensure that you add the IBM HTTP server to each of the IBM Business Automation Workflow web applications in the Manage Modules section of the console. Restart the IBM Business Automation Workflow cluster, the IBM HTTP Server, and the node agent for each node in the cluster.

What to do next

If you have already configured your system for case management by using either the Case configuration tool or the Case configuration command line, you should repeat this configuration after you have finished configuring single sign-on (SSO) authentication through Kerberos SPNEGO.