You must configure Active Directory and WebSphere for your
Kerberos delegation to work.
About this task
The WebSphere® node
agent that hosts the
Tivoli® Federated
Identity Manager runtime
needs to run under a special account in Active Directory in order
to have permission to obtain Kerberos tickets for other users and
a constrained set of targets. Before your Kerberos delegation trust
chain can work, you must complete the following tasks:
- Create the account.
- Set the appropriate options.
- Modify the WebSphere service
to use the account.
The following instructions describe how to complete these tasks.
- Verify that DNS is configured correctly on the Active Directory
domain controller.
The DNS server must be configured
for both forward and reverse lookups. Each host in the Active Directory
domain must be configured to use the Domain Controller's DNS server.
To verify, use nslookup commands for both hostname and
IP address on computers in the domain. The results of the nslookup commands
should show that the domain part of the resolved name is the domain
of the domain controller.
- Ensure that Time Services are running on all
machines in the Active Directory domain and that the clocks of all
machines are synchronized.
- Verify that the Windows Server 2003 system (or multiple systems,
when deployed in a WebSphere cluster)
is configured into an Active Directory domain. The server
can optionally be a domain controller.
- Verify that all domain controllers in the domain are running
at the Windows Server 2003
functional level. To do this:
- Open the Active Directory Users and Computers control
panel.
- Right-click on the domain and select Raise
Domain Function Level.
- Select Windows Server 2003 and click OK.
The Raise Domain Functional Level window is displayed. It should
contain the messages:
Current domain functional level: Windows Server 2003
This domain is operating at the highest possible functional level.
- On the domain controller, create a user in Active Directory
for delegation. The WebSphere server
that hosts the Tivoli Federated
Identity Manager runtime
runs as this user identity.
- Create a user. For example, tfimdeleguser. You can use a different user identity. This user name will be
used in these instructions.
- Select the Password never expires check
box.
Note: You can optionally set the password
to expire. If you do, then when you change it in the future, you will
also need to reset the password for the WebSphere node agent Windows service.
- On the domain controller, add the tfimdeleguser user
to the Domain Admins group. To verify the settings:
- Select Active Directory Users and Computers.
- For the domain, click Users and
click Domain Admins.
- Select the Members tab. Verify
that the tfimdeleguser is listed as a group member.
- Ensure that the Microsoft Support
Tools are installed on the domain controller. For example
to obtain the Windows Server
2003 Service Pack 1 32-bit Support Tools:
http://www.microsoft.com/downloads/details.aspx?FamilyId=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en
- On the domain controller, create a service principal name
(SPN) for the user tfimdeleguser. To
complete this task:
- Open a command prompt on the domain controller where
the support tools are installed.
- Enter the setspn command.
The syntax for the command is:
setspn -A tfim/<tfim_delegation_user> <tfim_delegation_user>
For example:
setspn -A tfim/tfimdeleguser tfimdeleguser
- On the domain controller, go to Active Directory
Users and Computers and open the properties for the user tfimdeleguser.
- Select the Delegation tab.
Note: If you do not see the Delegation tab,
return to the previous step and ensure that the setspn command runs
successfully.
- Select the Trust this user for delegation
to specified services only radio button.
- Select the Use any authentication protocol radio
button.
- Click the Add button
on the Delegation tab.
- Add the target services to which tfimdeleguser can delegate. These are the target services for constrained delegation. In
this example, the IIS Web server runs as the user.
- Click the Users or Computers button
to search for particular services.
- Select the domain user (service) that runs as the IIS
server for the WebSEAL Kerberos junction.
When you are finished, the Delegation tab
should show a target service in the window Services to
which this account can present delegated credentials.
For example, the window could show a Service Type of HTTP,
with User or Computer showing a host and domain name such as mydataserver.example.com
Select the HTTP/mydataserver.example.com entry.
Press OK to continue.
- Add the tfimdeleguser to the Windows Authorization Access Group object. To do this:
- Open the Active Directory Users and Computers panel.
- Select the Builtin object under
the domain.
- Locate the Windows Authorization Access Group object.
- Right click and select Properties.
Select the Members tab.
- Click Add and add the delegation
user (in our example, tfimdeleguser) as a member.
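The Delegation tab settings made in the preceding steps are stored as LDAP attributes on the delegation user, so they can be verified without clicking through the GUI. The following script is an added example, not part of the IBM documentation; it assumes the ActiveDirectory PowerShell module (RSAT) is available on the host where it runs, and that the user name, SPN and target service match the example values used in these instructions.

```powershell
# Added verification script (not from the IBM documentation). Assumes the
# ActiveDirectory module (RSAT) and the example names used in this procedure.
Import-Module ActiveDirectory

$DelegationUser = 'tfimdeleguser'                 # delegation account created above
$ExpectedSpn    = "tfim/$DelegationUser"          # SPN registered with setspn -A
$ExpectedTarget = 'HTTP/mydataserver.example.com' # the only service it may delegate to

# userAccountControl flag bits as documented by Microsoft
$DONT_EXPIRE_PASSWORD           = 0x10000   # "Password never expires"
$TRUSTED_FOR_DELEGATION         = 0x80000   # unconstrained delegation: must NOT be set
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000 # "Use any authentication protocol"

function Test-Flag([int]$Value, [int]$Flag) { return (($Value -band $Flag) -ne 0) }

$u = Get-ADUser -Identity $DelegationUser -Properties userAccountControl,
        servicePrincipalName, 'msDS-AllowedToDelegateTo', memberOf
$uac     = [int]$u.userAccountControl
$targets = @($u.'msDS-AllowedToDelegateTo')   # contents of the Delegation tab list

$checks = [ordered]@{
    'Password never expires'                      = Test-Flag $uac $DONT_EXPIRE_PASSWORD
    'SPN tfim/<user> registered'                  = ($u.servicePrincipalName -contains $ExpectedSpn)
    'Constrained (unconstrained flag clear)'      = -not (Test-Flag $uac $TRUSTED_FOR_DELEGATION)
    'Use any authentication protocol'             = Test-Flag $uac $TRUSTED_TO_AUTH_FOR_DELEGATION
    'Delegation targets limited to IIS service'   = (($targets -contains $ExpectedTarget) -and ($targets.Count -eq 1))
    'Member of Windows Authorization Access Group' = (@($u.memberOf | Where-Object {
            $_ -like 'CN=Windows Authorization Access Group*' }).Count -gt 0)
}

# Print one line per check; any FAIL means the Delegation tab or group
# membership does not match what this procedure expects.
foreach ($name in $checks.Keys) {
    $state = if ($checks[$name]) { 'OK  ' } else { 'FAIL' }
    Write-Output ('[{0}] {1}' -f $state, $name)
}
```

A FAIL on the "unconstrained flag clear" line means the account was set to "Trust this user for delegation to any service" rather than "to specified services only", which grants far broader rights than this procedure requires.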
- Grant the delegation user (tfimdeleguser) the Act
as part of the operating system privilege.
The
actual process that must run as a Windows service
depends on the WebSphere environment:
- The service name in a standalone environment is the WebSphere Application Server
running the Tivoli Federated
Identity Manager runtime
- The service name in a cluster environment is the WebSphere Application server
running the WebSphere node
agent for the Tivoli Federated
Identity Manager runtime.
Note: For a cluster environment, this step must be repeated
on all machines hosting a node member of WebSphere cluster running the Tivoli Federated
Identity Manager runtime.
To do this:
- Access the menu appropriate for your deployment:
- On the domain controller, select .
- On a non-domain controller computer, select .
- Expand Local Policies.
- Select .
- Right-click and select Properties.
- Click the Define these policy settings check
box.
- Click Add user or group to add
the delegation user (tfimdeleguser) to the list of users authorized
to act as part of the operating system.
- Click OK.
- Grant the delegation user (tfimdeleguser) the necessary
privileges:
- When the Tivoli Federated
Identity Manager application
is running on a member of the domain, grant the user the permission Log
on as a service privilege on the local machine.
- When the Tivoli Federated
Identity Manager application
is running on the domain controller, grant the user the permission Log
on as a service privilege on the domain controller
- Return to the Security Policy menu opened in the previous
step.
- Select .
- Right-click and select Properties.
- Click the Define these policy settings check
box.
- Click Add user or group to add
the delegation user (tfimdeleguser) to the list of users authorized
to log on as a service.
- Click OK.
- Enable the WebSphere process
that runs the Tivoli Federated
Identity Manager application
to run as a Windows service.
Use the wasservice command. Default
location:
C:\Program Files\IBM\WebSphere\AppServer\bin
Example command:
C:\Program Files\IBM\WebSphere\AppServer\bin>wasservice -add ndagentwinser
-servername nodeagent
-profilePath "C:\Program Files\IBM\WebSphere\AppServer\profiles\Custom01"
-wasHome "C:\Program Files\IBM\WebSphere\AppServer"
-logfile "c:\Program Files\IBM\WebSphere\AppServer\profiles\Custom01\logs\ws_startserver.log"
-logRoot "c:\Program Files\IBM\WebSphere\AppServer\profiles\Custom01\logs\nodeagent"
-restart true
Example output from the command:
Adding Service: ndagentwinser
Config Root:
C:\Program Files\IBM\WebSphere\AppServer\profiles\Custom01\config
Server Name: nodeagent
Profile Path: C:\Program Files\IBM\WebSphere\AppServer\profiles\Custom01
Was Home: C:\Program Files\IBM\WebSphere\AppServer\
Start Args:
Restart: 1
IBM WebSphere Application Server V6.1
- ndagentwinser service successfully added
To obtain a usage message for the wasservice command, enter:
> WASService.exe
without any arguments.
- If running in a cluster environment, modify
the WebSphere service
from the previous step to start as the delegation user (tfimdeleguser).
- Open the Services control
panel and locate either the service for the Tivoli Federated
Identity Manager runtime or the Tivoli Federated
Identity Manager runtime node agent for
a cluster environment.
- Select the LogOn tab.
- Specify the delegation user tfimdeleguser.
- Specify the password for the delegation user.
- Click OK.
- Restart the WebSphere node agent.
This step is required to ensure that the WebSphere node
agent starts the managed nodes under the new identity.
- Log on to the WebSphere console.
- Select for a standalone
environment or for a cluster environment.
- Select the check box for the server or cluster to be
restarted and press the Stop button for a standalone
environment or the Ripplestart button for a
cluster environment.
- In a standalone environment, after the server has been
stopped, select the check box for the server or cluster to be restarted
and press the Start button.