# CITSmart auto-login - SSO

Branches: `sso` (ITSM), `spnego` 1.0 (Artifactory).

## Create the user and AD access

1. Create the user in Active Directory Users and Computers, as in the image below.
2. Set a password.
3. Right-click the user and open Properties.
4. Select the "This account supports 256 bit encryption" option, apply it and click "OK", as below.
5. Open ADSI Edit, connect to the AD, click Users and locate the newly created user, as below.
6. Right-click it, select Properties and search for the `servicePrincipalName` (SPN) attribute.
7. Add `HTTP/hom.itsm.centralit.com.br` and click "OK", as in the image below.
8. Open cmd as administrator and run the following commands. Remember that the first sets the SPN and the second creates the keytab (which will be used in WildFly):

   ```sh
   setspn -s HTTP/hom.itsm.centralit.com.br citsmart2
   ktpass /princ HTTP/hom.itsm.centralit.com.br /mapuser citsmart2 /pass central@123 /ptype KRB5_NT_PRINCIPAL /out citsmart2.keytab /crypto All
   ```

9. With the steps above done, the AD is configured.

## Configure the WildFly server

Copy the WAR generated from the `sso` branch.

Copy the file `krb5.conf` (validate the information against the AD) to the `standalone/configuration` folder of WildFly:

```ini
[libdefaults]
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
  permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac

[realms]
  CITGOSRV004.CIT.LOCAL = {
    kdc = citsmartsrv.citsmartsrv.bigdata.team.com
    default_domain = citsmartsrv.citsmartsrv.bigdata.team.com
  }

[domain_realm]
  citsmartsrv.citsmartsrv.bigdata.team.com = CITSMARTSRV.CITSMARTSRV.BIGDATA.TEAM.COM
```

Copy the file `login.conf` (validate the information against the AD) to the `standalone/configuration` folder of WildFly:

```ini
custom-client {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="file:///opt/wildfly-12.0.0.Final/standalone/configuration/lightkeytab.keytab"
    principal="HTTP/light.desenvolvimento.citsmartcloud.com@CITSMARTSRV.BIGDATA.TEAM.COM";
};
```

Copy the `lightkeytab.keytab` file (generated by the ktpass command in the AD) to the `standalone/configuration` folder of WildFly.

Fix `standalone.xml` by adding the following information in `<system-properties>`:

```xml
<system-properties>
    <property name="sun.security.krb5.debug" value="true"/>
    <property name="java.security.krb5.kdc" value="citsmartsrv.bigdata.team.com"/>
    <property name="java.security.krb5.realm" value="CITSMARTSRV.BIGDATA.TEAM.COM"/>
    <property name="java.security.krb5.conf" value="/opt/wildfly-12.0.0.Final/standalone/configuration/krb5.conf"/>
    <property name="java.security.auth.login.config" value="/opt/wildfly-12.0.0.Final/standalone/configuration/login.conf"/>
    <property name="krb.keytab" value="/opt/wildfly-12.0.0.Final/standalone/configuration/lightkeytab.keytab"/>
    <property name="krb.principal" value="HTTP/light.desenvolvimento.citsmartcloud.com@CITSMARTSRV.BIGDATA.TEAM.COM"/>
</system-properties>
```

And in `<security-domains>`:

```xml
<security-domain name="spnego-server">
    <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
            <module-option name="storeKey" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="keyTab" value="${krb.keytab}"/>
            <module-option name="principal" value="${krb.principal}"/>
            <module-option name="isInitiator" value="false"/>
        </login-module>
    </authentication>
</security-domain>
<security-domain name="spnego" cache-type="default">
    <authentication>
        <login-module code="Kerberos" flag="required">
            <module-option name="storeKey" value="true"/>
            <module-option name="refreshKrb5Config" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="doNotPrompt" value="true"/>
        </login-module>
    </authentication>
</security-domain>
```

If you have not yet replaced the Java policy JARs (JCE, Java Cryptography Extension), download the files and put them in `jdk/jre/lib/security/policy/limited` and `jdk/jre/lib/security/policy/unlimited`; without the unlimited policy the JVM cannot use the AES-256 keys configured above.

## Import (synchronize) LDAP users in ITSM

⚠️ Attention! The DN alias must be the same as the network domain (example: `cit\user`, so DN alias = `cit`), as below.

⚠️ Attention! It is recommended to read the following support material: https://ss64.com/nt/setspn.html and http://spnego.sourceforge.net/
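Before starting WildFly it is worth confirming that the keytab produced by `ktpass` actually contains the principal named in `login.conf` / the `krb.principal` property, with an AES-256 key (the AD account was marked 256-bit capable) and without stale RC4 keys that `/crypto All` also writes. The script below is an added example and is not part of the CITSmart page or project; it reads the MIT keytab format that ktpass emits (assumed format version 0x0502, big-endian, RFC 3961/4757 enctype numbers) and reports findings. The realm `EXAMPLE.LOCAL` and the key bytes are constructed placeholders.

```python
"""Inspect an MIT-format keytab (the format ktpass writes) and confirm it holds
the principal that login.conf / the krb.principal property expect.
Added example, not part of the CITSmart page or project. Assumes keytab file
format 0x0502 (big-endian) and RFC 3961/4757 enctype numbers; the sample
principal realm and key bytes below are constructed placeholders."""
import struct

# enctype ids as shown by `klist -k`; rc4-hmac is deprecated by RFC 8429
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {23}
KRB5_NT_PRINCIPAL = 1  # name type written by `ktpass /ptype KRB5_NT_PRINCIPAL`


def build_keytab(principal, keys, kvno=2, timestamp=0):
    """Serialise a v2 keytab with one entry per (enctype, key_bytes).
    Only used here to construct sample input; in AD, ktpass does this."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    out = bytearray(b"\x05\x02")
    for enctype, key in keys:
        entry = bytearray(struct.pack(">H", len(components)))
        entry += struct.pack(">H", len(realm)) + realm.encode()
        for c in components:
            entry += struct.pack(">H", len(c)) + c.encode()
        entry += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
        entry += struct.pack(">HH", enctype, len(key)) + key
        entry += struct.pack(">I", kvno)  # optional 32-bit kvno extension
        out += struct.pack(">i", len(entry)) + entry
    return bytes(out)


def parse_keytab(data):
    """Return [{'principal', 'enctype', 'kvno'}, ...] without exposing key bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:             # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen          # skip the secret key material
        kvno = vno8
        if end - pos >= 4:       # 32-bit kvno present after the key
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "enctype": enctype, "kvno": kvno})
    return entries


def check_keytab(data, expected_principal):
    """Findings to resolve before starting WildFly: the configured principal must
    be present, it should have an AES-256 key (the AD account was marked 256-bit
    capable), and RC4 keys are reported so they can be dropped from
    permitted_enctypes once every client negotiates AES."""
    entries = parse_keytab(data)
    mine = [e for e in entries if e["principal"] == expected_principal]
    findings = []
    if not mine:
        have = ", ".join(sorted({e["principal"] for e in entries})) or "no entries"
        findings.append(f"principal {expected_principal} not in keytab (found: {have})")
    if not any(e["enctype"] == 18 for e in mine):
        findings.append("no aes256-cts-hmac-sha1-96 key for the principal")
    for e in mine:
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append(f"weak enctype {ENCTYPE_NAMES[e['enctype']]} present (kvno {e['kvno']})")
    return findings


# Constructed sample standing in for `ktpass ... /crypto All` output for the
# page's SPN; EXAMPLE.LOCAL and the key bytes are placeholders, not real values.
SAMPLE_PRINCIPAL = "HTTP/hom.itsm.centralit.com.br@EXAMPLE.LOCAL"
SAMPLE_KEYTAB = build_keytab(SAMPLE_PRINCIPAL, [
    (18, bytes(range(32))),  # aes256-cts-hmac-sha1-96, 32-byte key
    (17, bytes(range(16))),  # aes128-cts-hmac-sha1-96, 16-byte key
    (23, bytes(16)),         # rc4-hmac, 16-byte key
], kvno=3)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e["principal"], ENCTYPE_NAMES.get(e["enctype"], e["enctype"]), "kvno", e["kvno"])
    for f in check_keytab(SAMPLE_KEYTAB, SAMPLE_PRINCIPAL):
        print("WARN:", f)
```

To run it against a real file, replace `SAMPLE_KEYTAB` with `open("lightkeytab.keytab", "rb").read()` and `SAMPLE_PRINCIPAL` with the value of the `krb.principal` property; a principal mismatch (typically a differing realm or host name) is the most common reason the `spnego-server` domain fails to acquire credentials at startup.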