Pre-Requisite:
Kerberos authentication scheme has to exist. This is usually pre-configured OAM authentication scheme. It should have Authentication Level - "2", Challenge Method - "WNA", Challenge Direct URL - "/oam/server" and Authentication Module- "Kerberos".
The default authentication scheme name is "KerberosScheme", this name can be changed.
The DNS name has to be resolvable on the OAM Server.
The DNS name with referrals to AD have to be resolvable on OAM Server. Ensure nslookup work for the referrals.
Pre-Install:
AD team to produce keytab file on the AD server by running ktpass command.
Provide OAM Hostname to AD Team.
Receive from AD team the following:
Keypass file produced when running the ktpass command
ktpass username
ktpass password
Copy the keytab file to convenient location in OAM install tree and rename the file if desired. For instance where oam-policy.xml file resides. i.e. /fa_gai2_d/idm/admin/domains/idm-admin/IDMDomain/config/fmwconfig/keytab.kt
Configure WNA Authentication on OAM Server:
Create config file krb.config and set the environment variable to the path to this file:
KRB_CONFIG=/fa_gai2_d/idm/admin/domains/idm-admin/IDMDomain/config/fmwconfig/krb.conf
The variable KRB_CONFIG has to be set in the profile for the user that OAM java container(i.e. Wbelogic Server) runs as, so that this setting is available to the OAM server. i.e. "applmgr" user.
In the krb.conf file specify:
[libdefaults]
default_realm= NOA.ABC.COM
dns_lookup_realm= true
dns_lookup_kdc= true
ticket_lifetime= 24h
forwardable= yes
[realms]
NOA.ABC.COM={
kdc=hub21.noa.abc.com:88
admin_server=hub21.noa.abc.com:749
default_domain=NOA.ABC.COM
[domain_realm]
.abc.com=ABC.COM
abc.com=ABC.COM
.noa.abc.com=NOA.ABC.COM
noa.abc.com=NOA.ABC.COM
Where hub21.noa.abc.com is load balanced DNS VIP name for AD Server and NOA.ABC.COM is the name of the domain.
Create authentication policy to WNA protect the resource( i.e. EBSR12) and choose the "KerberosScheme" as authentication scheme.
Login to OAM Console => Policy Configuration Tab => Browse Tab => Shared Components => Application Domains => IAM Suite => Authentication Policies => Create
Name: ABC WNA Auth Policy
Authentication Scheme: KerberosScheme
Failure URL: http://hcm.noa.abc.com/cgi-bin/welcome
Edit System Configuration for Kerberos
System Configuration Tab => Access Manager Settings => expand Authentication Modules => expand Kerberos Authentication Module => double click on Kerberos
Edit "Key Tab File" textbox - put in /fa_gai2_d/idm/admin/domains/idm-admin/IDMDomain/config/fmwconfig/keytab.kt
Edit "Principal" textbox - put in HTTP/
[email protected]
Edit "KRB Config File" textbox - put in /fa-gai2_d/idm/admin/domains/idm-admin/IDMDomain/config/fmwconfig/krb.conf
Cilck "Apply"
In the script setting environment for the WLS server where OAM is deployed set the variable:
KRB_CONFIG=/fa_gai2_d/idm/admin/domains/idm-admin/IDMDomain/config/fmwconfig/krb.conf
Re-start OAM server and OAM Server Container( Weblogic Server)
