WNA Configuration in OAM 11g
Posted by P Patra on Oracle Blogs
Published on Sun, 9 Dec 2012 08:01:41 +0000
Pre-Requisite:
- A Kerberos authentication scheme has to exist. This is usually a pre-configured OAM authentication scheme. It should have Authentication Level "2", Challenge Method "WNA", Challenge Direct URL "/oam/server" and Authentication Module "Kerberos".
- The default authentication scheme name is "KerberosScheme"; this name can be changed.
- The DNS name has to be resolvable on the OAM Server.
- The DNS names of the AD referrals have to be resolvable on the OAM Server. Ensure nslookup works for the referrals.
Pre-Install:
- The AD team produces the keytab file on the AD server by running the ktpass command.
- Provide the OAM hostname to the AD team.
- Receive the following from the AD team:
  - Keytab file produced when running the ktpass command
  - ktpass username
  - ktpass password
- Copy the keytab file to a convenient location in the OAM install tree and rename it if desired, for instance the directory where oam-policy.xml resides, e.g. /fa_gai2_d/idm/admin/domains/idm-admin/IDMDomain/config/fmwconfig/keytab.kt
Configure WNA Authentication on OAM Server:
- Create the config file krb.conf and set the environment variable KRB_CONFIG to the path of this file:

  KRB_CONFIG=/fa_gai2_d/idm/admin/domains/idm-admin/IDMDomain/config/fmwconfig/krb.conf

  The variable KRB_CONFIG has to be set in the profile of the user that the OAM Java container (i.e. WebLogic Server) runs as, e.g. the "applmgr" user, so that the setting is available to the OAM server.
- In the krb.conf file specify:

  [libdefaults]
  default_realm= NOA.ABC.COM
  dns_lookup_realm= true
  dns_lookup_kdc= true
  ticket_lifetime= 24h
  forwardable= yes

  [realms]
  NOA.ABC.COM={
    kdc=hub21.noa.abc.com:88
    admin_server=hub21.noa.abc.com:749
    default_domain=NOA.ABC.COM
  }

  [domain_realm]
  .abc.com=ABC.COM
  abc.com=ABC.COM
  .noa.abc.com=NOA.ABC.COM
  noa.abc.com=NOA.ABC.COM

  where hub21.noa.abc.com is the load-balanced DNS VIP name for the AD server and NOA.ABC.COM is the name of the domain. Note that the realm block opened by "NOA.ABC.COM={" must be closed with "}".
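A small validator for a krb.conf like the one above, added here as an example and not part of the original post: it parses the INI-like syntax, reports a realm block whose closing brace is missing (a file the Kerberos libraries will not parse) and cross-checks default_realm, kdc and the [domain_realm] mappings against [realms]. The sample configuration inside it is constructed from the values in the post; the parser and the checks are my own, not OAM's.

```python
import re
# Constructed sample mirroring the values in the post (the realm block's closing brace is present).
SAMPLE_KRB_CONF = """\
[libdefaults]
default_realm= NOA.ABC.COM
[realms]
NOA.ABC.COM={
kdc=hub21.noa.abc.com:88
}
[domain_realm]
.noa.abc.com=NOA.ABC.COM
.abc.com=ABC.COM
"""

def parse_krb5_conf(text):
    """Parse krb5.conf's INI-like syntax into {section: {key: value}}; 'NAME={ ... }' nests. Returns (config, errors)."""
    config, errors, section, block = {}, [], None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            if block:  # a new section began while 'NAME={' was still open: its brace is missing
                errors.append(f"line {lineno}: block {block!r} not closed (missing '}}')")
            section, block = header.group(1), None
            config.setdefault(section, {})
        elif line == "}":
            block = None
        elif line and (section is None or "=" not in line):
            errors.append(f"line {lineno}: cannot parse {line!r}")
        elif line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":  # start of a realm block such as NOA.ABC.COM={
                block, config[section][key] = key, {}
            else:
                (config[section][block] if block else config[section])[key] = value
    if block:
        errors.append(f"end of file: block {block!r} not closed (missing '}}')")
    return config, errors

def check_wna_config(config):
    """Cross-check the settings OAM's Kerberos module relies on; returns a list of findings."""
    libdefaults, realms = config.get("libdefaults", {}), config.get("realms", {})
    findings = [f"realms: {name} has no kdc entry" for name, body in realms.items() if "kdc" not in body]
    default_realm = libdefaults.get("default_realm")
    if default_realm not in realms:
        findings.append(f"libdefaults: default_realm {default_realm!r} has no [realms] block")
    if libdefaults.get("dns_lookup_kdc", "true").lower() in ("false", "no"):  # no DNS SRV fallback
        findings += [f"domain_realm: {dom} -> {realm} has no [realms] block and dns_lookup_kdc is off"
                     for dom, realm in config.get("domain_realm", {}).items() if realm not in realms]
    return findings
```

Run parse_krb5_conf() on the real file before pointing KRB_CONFIG at it; an empty error list and an empty findings list mean the structure matches what the post describes.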
- Create an authentication policy to WNA-protect the resource (e.g. EBSR12) and choose "KerberosScheme" as the authentication scheme:

  Log in to OAM Console => Policy Configuration Tab => Browse Tab => Shared Components => Application Domains => IAM Suite => Authentication Policies => Create
  Name: ABC WNA Auth Policy
  Authentication Scheme: KerberosScheme
  Failure URL: http://hcm.noa.abc.com/cgi-bin/welcome
- Edit the System Configuration for Kerberos:
  - System Configuration Tab => Access Manager Settings => expand Authentication Modules => expand Kerberos Authentication Module => double-click on Kerberos
  - Edit the "Key Tab File" textbox: enter /fa_gai2_d/idm/admin/domains/idm-admin/IDMDomain/config/fmwconfig/keytab.kt
  - Edit the "Principal" textbox: enter HTTP/[email protected]
  - Edit the "KRB Config File" textbox: enter /fa_gai2_d/idm/admin/domains/idm-admin/IDMDomain/config/fmwconfig/krb.conf
  - Click "Apply"
- In the script that sets the environment for the WLS server where OAM is deployed, set the variable:

  KRB_CONFIG=/fa_gai2_d/idm/admin/domains/idm-admin/IDMDomain/config/fmwconfig/krb.conf

- Restart the OAM server and the OAM server container (WebLogic Server).
© Oracle Blogs or respective owner