You can configure IBM Business Automation Workflow to support single sign-on (SSO) authentication through Kerberos SPNEGO with a FileNet® P8 repository and WebSphere® Application Server.
Before you begin
Before you configure single sign-on for IBM Business Automation Workflow, you must configure your web application server for SPNEGO.
- Configure your Active Directory domain and join all of the client workstations to the same domain as your Active Directory server. In a more complex configuration, the client workstations can be members of a different domain, in which case you must establish a trust between the domains (cross-certify the servers) so that the KDC in the user's domain can issue service tickets for the application server.
- Install WebSphere Application Server and enable application-level security.
- For WebSphere Application Server Network Deployment systems, install the WebSphere Application Server Network Deployment Manager and configure application-level security. Configure your system according to your needs and requirements.
- Install and configure IBM FileNet P8 Content Platform Engine.
- Install and configure IBM Content Navigator with SPNEGO. For more information, refer to the technote Configuring single sign-on for IBM Content Navigator by using SPNEGO/Kerberos (IBM FileNet P8) on WebSphere Application Server.
- Install IBM Business Automation Workflow.
Procedure
To configure SSO support for IBM Business Automation Workflow by using Kerberos SPNEGO:
- Open the IBM Business Automation Workflow configmgr.ini file in a text editor. By default, the configmgr.ini file is in the drive\Program Files\IBM\CaseManagement\configure directory or the drive\Program Files (x86)\IBM\CaseManagement\configure directory.
- Add the following JVM parameters to the configmgr.ini file, one per line:
  - -Djava.security.auth.login.config: the location of the WAS_PROFILE_HOME/properties/wsjaas_client.conf file.
  - -Dicm.spnego.enable: set to true.
  - -Dicm.spnego.serverSPN: the Kerberos service principal name (SPN) of the application server, in the form HTTP/fully_qualified_host_name@REALM. The host name must match the name that browsers use to reach the server, and the realm is normally the Active Directory domain name in upper case.
  For example:
  -Djava.security.auth.login.config=C:/Program Files/IBM/WebSphere/AppServer/profiles/AppSrv01/properties/wsjaas_client.conf
  -Dicm.spnego.enable=true
  -Dicm.spnego.serverSPN=HTTP/kerwassrv.kertestdomain.com@KERTESTDOMAIN.COM
- Optional: AES encryption is the default encryption type used to generate the Kerberos keytab file on Windows Server 2008 and Windows Server 2008 R2 systems. AES-encrypted keytabs are currently not fully supported by the IBM Business Automation Workflow Case configuration tool, because the restricted JCE policy that ships with the JRE limits key strength and cannot use 256-bit AES keys. To use AES-encrypted Kerberos keytabs with IBM Business Automation Workflow, Windows Server 2008 and Windows Server 2008 R2 users must patch the supported Java™ Runtime Environment (JRE) that the IBM Business Automation Workflow configuration tool uses so that the Java Cryptography Extension (JCE) package supports unlimited key strength:
  - Back up the US_export_policy.jar and local_policy.jar files in the CaseManagerInstallLocation\java\sdk\jre\lib\security directory.
  - Ensure that the IBM Business Automation Workflow configuration tool is stopped.
  - Download the unlimited strength encryption security policy files (the files for WebSphere Application Server only, not those for another vendor's JRE) into the CaseManagerInstallLocation\java\sdk\jre\lib\security directory, replacing the two files that you backed up.
- Disable Kerberos pre-authentication in Microsoft Active Directory for the LDAP user account that the IBM Business Automation Workflow configuration tool uses to connect to IBM Content Navigator, that is, the account that is specified as the IBM Content Navigator administrator in the configuration tool. With pre-authentication disabled, the KDC returns an AS-REP encrypted under that account's password-derived key to anyone who asks for one, which allows offline password guessing against the account. Give this account a long, random password and no rights beyond those that the configuration tool needs.
- Optional: If your keytab file uses AES encryption, you can instead generate a second Kerberos keytab file that uses DES encryption specifically for the IBM Business Automation Workflow Case configuration tool. You must also create a corresponding Kerberos configuration file for the new keytab file. DES is a weak cipher and is disabled by default on Windows 7 and Windows Server 2008 R2, so the service account must have the "Use Kerberos DES encryption types for this account" option enabled in Active Directory, and the DES keytab should be used by the configuration tool only. Create the keytab file with DES encryption by entering the following command (ktpass accepts -pass * to prompt for the password instead of taking it on the command line):
  ktpass -out keyfile_name -princ HTTP/fully_qualified_HTTP_Server_host_name@AD_DOMAIN_NAME -pass password -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5
  You must specify the path to the new Kerberos configuration file, which in turn names the new keytab file, by using the java.security.krb5.conf JVM property in the IBM Business Automation Workflow configuration tool configmgr.ini file. For example, if your Kerberos configuration file (krb5.ini) is in the C:\SSO\ directory, add the following line to the configmgr.ini file:
  -Djava.security.krb5.conf=C:/SSO/krb5.ini
- Run the IBM Business Automation Workflow configuration tool and create a new deployment on WebSphere Application Server.
- Run all of the configuration and deployment tasks that apply to your IBM Business Automation Workflow system.
- Restart the application server where IBM Business Automation Workflow is deployed.
- Optional: Highly available cluster systems: In the WebSphere Application Server Network Deployment console, ensure that you add the IBM HTTP Server to each of the IBM Business Automation Workflow web applications in the Manage Modules section of the console. Restart the IBM Business Automation Workflow cluster, the IBM HTTP Server, and the node agent for each node in the cluster.
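The keytab and Kerberos configuration steps above give no way to confirm which encryption type a keytab actually contains before the configuration tool fails on it. The following Python script is an added example and is not part of the IBM documentation or the product: it parses a keytab in the MIT 0x0502 format that ktpass writes, reports each entry's principal, key version number and encryption type (type numbers per RFC 3961 and RFC 3962), classifies the file as AES, DES or mixed, and emits a krb5.ini that permits only the enctypes found, so that the JRE cannot negotiate a type the keytab lacks. The two sample keytabs are constructed inside the script with all-zero keys; the KDC host name kerdc.kertestdomain.com and the keytab path C:/SSO/icm-des.keytab are assumed values, and the default_keytab_name setting is the MIT krb5 way of naming the keytab, whose support by the configuration tool's JRE is an assumption here.

```python
"""Inspect a Kerberos keytab and emit a krb5.ini pinned to its enctypes (added example)."""
import struct
import sys

# Encryption type numbers from RFC 3961/3962, with the names MIT krb5 and Java accept.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
AES_ENCTYPES, DES_ENCTYPES = {17, 18}, {1, 3}


def _octets(data, pos):
    """Read a counted octet string: big-endian uint16 length, then that many bytes."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Parse an MIT-format (version 0x0502) keytab as written by ktpass or ktab; key bytes are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                       # a negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _octets(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _octets(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        enctype, keylen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + keylen
        if end - pos >= 4:                 # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                        "enctype": enctype,
                        "enctype_name": ENCTYPES.get(enctype, "unknown(%d)" % enctype)})
        pos = end
    return entries


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples into keytab bytes; used for the samples."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # KRB5_NT_PRINCIPAL, timestamp 0
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def classify(entries):
    """Return 'aes', 'des', 'mixed' or 'other' depending on the enctypes present."""
    types = {e["enctype"] for e in entries}
    kinds = [k for k, s in (("aes", AES_ENCTYPES), ("des", DES_ENCTYPES)) if types & s]
    return kinds[0] if len(kinds) == 1 else "mixed" if kinds else "other"


def krb5_ini_for(entries, kdc, keytab_path):
    """Build a krb5.ini that permits only the enctypes the keytab holds.
    kdc and keytab_path are caller-supplied assumptions (a keytab stores neither), and
    default_keytab_name is the MIT setting for the keytab location (assumed honoured here)."""
    realms = {e["principal"].rsplit("@", 1)[1] for e in entries}
    if len(realms) != 1:
        raise ValueError("keytab spans several realms: %s" % sorted(realms))
    realm = realms.pop()
    enctypes = " ".join(sorted({e["enctype_name"] for e in entries}))
    return "\n".join([
        "[libdefaults]",
        "    default_realm = %s" % realm,
        "    default_keytab_name = FILE:%s" % keytab_path,
        "    default_tkt_enctypes = %s" % enctypes,
        "    default_tgs_enctypes = %s" % enctypes,
        "    permitted_enctypes = %s" % enctypes,
        "",
        "[realms]",
        "    %s = {" % realm,
        "        kdc = %s" % kdc,
        "    }",
        "",
    ])


SPN = "HTTP/kerwassrv.kertestdomain.com@KERTESTDOMAIN.COM"   # the SPN used in the procedure
# Constructed samples with all-zero keys: a DES-CBC-MD5 keytab and an AES256 one.
SAMPLE_DES = build_keytab([(SPN, 3, 3, bytes(8))])
SAMPLE_AES = build_keytab([(SPN, 3, 18, bytes(32))])

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DES
    ents = parse_keytab(blob)
    for e in ents:
        print("%(principal)s kvno=%(kvno)d %(enctype_name)s" % e)
    print("keytab is %s" % classify(ents))
    print(krb5_ini_for(ents, "kerdc.kertestdomain.com", "C:/SSO/icm-des.keytab"))
```

Run it with the path of a real keytab as the only argument (for example the file that -out names in the ktpass command above); a result of aes on a Windows Server 2008 keytab is the condition that the optional DES step above works around, and a result of mixed means the KDC may still pick the AES entry unless the enctype lines in the generated krb5.ini are kept.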
What to do next
If you have already configured your system for case management by using either the Case configuration tool or the Case configuration command line, repeat that configuration after you have finished configuring single sign-on (SSO) authentication through Kerberos SPNEGO.