KNIME Server 4download.knime.org/server/4.4/KNIME_Server_Enterprise_Setup_Guid… · The KNIME...

KNIMEServer4.4EnterpriseSetupGuide

KNIMEServer4.4–EnterpriseSetupGuide(lastchanged2016-12-05)

©Copyright,KNIME.comAG,Zurich,Switzerland.

c

TABLEOFCONTENTSIntroduction....................................................................................................................................4EnterpriseUserAuthentication.......................................................................................................4

ConfiguringanLDAPconnectionforKNIMEServer............................................................................5Quickstart........................................................................................................................................5ADvancedTroubleshooting.............................................................................................................5SetupApacheDirectoryStudiotobrowseyourLDAPdirectory.....................................................7BrowseLDAPTree...........................................................................................................................9Determinewhetherusersarecheckedbybindmode,orcomparisonmode...............................11Groupaccess.................................................................................................................................13CombinedRealm...........................................................................................................................14EncryptedLDAP.............................................................................................................................16Troubleshooting............................................................................................................................16

ConfiguringSingle-Sign-OnwithKerberosandLDAP........................................................................17ActiveDirectoryConfiguration......................................................................................................17TomeeServerConfiguration.........................................................................................................19ClientConfiguration......................................................................................................................24Troubleshooting............................................................................................................................26



4

KN IME SERVER 4 .4

ENTERPR ISE SETUP GUIDE

INTRODUCTIONTheKNIMEServerenterprisesetupguidecoversadvancedtopicsofaKNIMEserverdeployment,setupandconfigurationinanenterpriseenvironment.IfyouarelookingtoinstalltheKNIMEServeryoushouldfirstconsulttheKNIMEServerInstallationQuickstartGuide.ForguidesonconnectingtotheKNIMEServerfromtheKNIMEAnalyticsPlatform,orusingtheKNIMEWebPortalpleaserefertotheguides:KNIMEExplorerUserGuideandKNIMEWebPortalUserGuide.ForallregularadministrationconfigurationoptionsandabasicunderstandingoftheKNIMEserverpleaseconsulttheKNIMEServerAdministrationGuide.Inthefollowingitisassumedthatyouhaveaknowledgeofallthingscoveredinthepreviouslymen-tionedguides.

ENTERPRISEUSERAUTHENTICATIONUserauthenticationinanenterpriseenvironmentisusuallydonethroughsomecentralizedservice.ThemostusedserviceisLDAP.LDAPauthenticationistherecommendedauthenticationinanycasewhereanLDAPserverisavailable.IfyouarefamiliarwithyourLDAPconfigurationyoucanaddthedetailsduringinstallationtime,oredittheserver.xmlfilepostinstallation.IfyouareunfamiliarwithyourLDAPsettings,youmayneedtocontactyourLDAPadministrator,orusetheconfigurationde-tailsforanyotherTomcatbasedsysteminyourorganization.ThisdocumentcontainsaquickstartguideforsettingupLDAP.Anotherpossibilityofuserauthenticationissingle-sign-on.KNIMEServercanbeconfiguredtosup-portKerberosauthenticationincombinationwithLDAP.ThisdocumentalsocontainsaguideforasimpleKerberossetup.



5

CONFIGURINGANLDAPCONNECTIONFORKNIMESERVERKNIMEServermanagesalluserauthenticationbythebuiltinmechanismsofApacheTomcat.There-forethemostcomprehensivedocumentationforconfiguringauthenticationcanbefoundhere:https://tomcat.apache.org/tomcat-7.0-doc/realm-howto.htmlSpecificallyforinformationaboutLDAP(alsoActiveDirectory)configuration,seehere:https://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JNDIRealmTerminology.ThroughoutthisdocumentwerefertoestablishinganLDAPconnection,LDAPaccountetc.SinceoneofthepopularwaystomanageuserauthenticationisMicrosoftActiveDirectory,andthissupportsLDAP,youmaywanttosubstituteLDAPaccountforActiveDirectoryaccount.

QUICKSTARTInmostcasesitshouldbepossibletocontactyourlocalLDAP/ActiveDirectoryadministratortheyshouldbeabletoprovidethenecessaryinformation.Youcanaskforthefollowing:

1) DotheyalreadyhaveconfigurationdetailsforaTomcatserver?Ifso,thisconnectioninfor-mationcanbereused.

2) LDAPConnectioninformation(Hostname,Port,isTLS/SSLused?).3) Whethertheyareusingbindmode,orcomparisonmode.4) Howthegroupinformationisstored.

Theywillneedtoprovideconfigurationthatcanfitintoatemplatelikethis:<Realm className="org.apache.catalina.realm.JNDIRealm" connectionURL="ldap://localhost:389" userPattern="uid={0},ou=people,dc=mycompany,dc=com" roleBase="ou=groups,dc=mycompany,dc=com" roleName="cn" roleSearch="(uniqueMember={0})" />

Thisinformationisaddedtotheserver.xmlfilewhichisfoundin<apache-tomee>/conf/server.xml.ArestartoftheApacheTomeeprocessandKNIMEServerisrequiredforthechangestotheconfigu-rationfiletotakeeffect.

ADVANCEDTROUBLESHOOTINGTheremainingsectionsofthisdocumentationisaguideonhowtosetupanLDAPconnectionforKNIMEServer.Thisisonlyintendedasawaytogatherrelatedinformationintooneplace.ThisguideisnotascomprehensiveasthedocumentationforeitherLDAPorTomcat.ThefirstprerequisiteisApacheDirectoryStudio,orsomeotherLDAPconfigurationtool.WeuseApacheDirectoryStudiotodothetesting(https://directory.apache.org/studio/).Thebenefitofusingthistoolisthatitisopensource,freetodownload,worksonWindows/Linux/Mac,soacustomercandownloadthesoftwareanddoqueriestogetstarted.



6

Wewillfollowthreebasicsteps:1) LDAPConnectioninformation(Hostname,Port,SSL?).2) Whethertheyareusingbindmode,orcomparisonmode.3) Howthegroupinformationisstored.

LDAPConnectioninformation(Hostname,Port,SSL):ToestablishaconnectiontoanLDAPserveryou’llneedtoknow:TheLDAPserverhostname(orIP).WhethertheserverusesSSLsecuredconnectionsornot.Whichportisbeingused.Defaultportsare(389forldap(unencrypted,orencryptedbyTLS),636forldaps(sslsecured)).



7

SETUPAPACHEDIRECTORYSTUDIOTOBROWSEYOURLDAPDIRECTORY

SETUPCONNECTIONTOSERVER

ADDINTHECONNECTIONDETAILSOFYOURLDAPSERVER



8

SETUPCONNECTIONTOLDAPSERVER

Notethatwedon’tuseauthenticationhere.Typically,youwillneedtoauthenticate,andinmostcasesthiscanbeyourLDAPusernameandpassword.

SETUPCONNECTION

Youcanclick‘FetchBaseDNs’toautopopulatetheanswers.InourexampletheBaseDNisdc=example,dc=com.Thiswillvary,forexampleknime.commightusetheBaseDNdc=knime,dc=com.



9

FINALIZECONNECTION

Youcanleavethethenextpageasis,andclickFinish.

BROWSELDAPTREETheLDAPBrowserisnowpopulated,andyoucanbeginbrowsingtheLDAPdirectory.



10

DETERMINEINFORMATIONREQUIREDFORKNIME/TOMCATLDAPCONFIGURATION

FirstrefertothetomcatdocumentationonLDAP(http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html/#JNDIRealm).Thedocumentationisverycomprehensive,Idistilledsomeofthekeypointsbelow.Forfulldetailsrefertothetomcatdocumentation.Basicallyweneedtoconstructsomethingthatlookslike:<Realm className="org.apache.catalina.realm.JNDIRealm" connectionURL="ldap://52.50.222.127:389" userPattern= TOBEDETERMINED roleBase= TOBEDETERMINED roleName= TOBEDETERMINED roleSearch= TOBEDETERMINED />

WealreadyknowtheconnectionURL,sincethiswasrequiredtosetupApacheDirectoryStudio.NextweneedtodeterminetheuserBaseproperty.ThefirstiteminthetreeisusuallytheBaseDN,whichwilldefinetheuserBaseproperty.

Youcanbrowsethetreetofindtheusers.Inourcaseou=People.Expandingthesubtreeshowsthelistofusers.Inourcasetherearefourusers(ec2-user,ldapuser1,ldapuser2,ldapuser3).



11

DETERMINEWHETHERUSERSARECHECKEDBYBINDMODE,ORCOMPARISONMODE

BINDMODE

Inourcase,ifusersloginase.g.ldapuser1(theusernameisthesameasthekey).WealreadyknowthebaseDN,andlookingattheuserinformationweseethattheuidistheusernamethatwewanttousetoauthenticate.SowecanconstructtheuserPattern.

UsetheuserPattern:uid={0},ou=people,dc=example,dc=comSotheexamplewouldlooklike:<Realm className="org.apache.catalina.realm.JNDIRealm" connectionURL="ldap://52.50.222.127:389" userPattern="uid={0},ou=people,dc=example,dc=com" roleBase=TOBEDETERMINED roleName=TOBEDETERMINED roleSearch=TOBEDETERMINED />

Notethatwestilldon’tknowhowtospecifyroleBase,roleName,roleSearch.We’llcomebacktothatlater.



12

COMPARISONMODE

Inthiscasethereisnoone-to-onemappingbetweentheloginnameandtheusername,wewanttousee.g.theemailaddresscategory.Inthisexamplethatis‘[email protected]’.

Toperformthiskindoflogin,weneedcomparisonmode:HerethebaseDNisneededforuserBase,andwealsoneedtodefineuserSearch.Herewearesearchingformail.<Realm className="org.apache.catalina.realm.JNDIRealm" connectionName="cn=Manager,dc=example,dc=com" connectionPassword="secret" connectionURL="ldap://52.50.222.127:389" userBase="ou=people,dc=example,dc=com" userSearch="(mail={0})" userRoleName="memberOf" roleBase= TOBEDETERMINED roleName= TOBEDETERMINED roleSearch= TOBEDETERMINED />



13

GROUPACCESSNowthatusersareauthenticated,weneedtoconfigurethegroupsthathaveaccess:ForthatwewillneedtheroleBaseandtheroleNameparameters.Youcanbrowsetheou=Grouptreeformoreinformation.Herelet’staketheexamplethatthehrpeoplegroupshouldbeabletoaccesstheKNIMEServer.

Intheexample,valueismemberthatwewanttosearchforis‘member’.



14

Whichleadstotheconfiguration:<Realm className="org.apache.catalina.realm.JNDIRealm" connectionURL="ldap://52.50.222.127:389" userBase="ou=people,dc=example,dc=com" userSearch="(mail={0})" userRoleName="memberOf" roleBase= "ou=Group,dc=example,dc=com" roleName= "cn" roleSearch= "(member={0})" />

Thereisasecondpossibilitywheregroupmembershipisstoredintheuserdata(thisisuncommon,andnotcoveredinthisguide.SeethefullTomcatdocumentation).Nestedroles(wherearole/groupcancontainotherroles/groups)arealsopossible,inwhichcaseaddtheroleNestedparameter.E.g.Group‘IT’,containssomeusernames,plus‘Windows’,‘UNIX’,‘Mac’groups.Thosegroupsmayalsocontainsub-groups.HopefullyyounowhavethedetailsthatyouneedtoconnectKNIMEServertoLDAP.

ACTIVEDIRECTORYEXAMPLEIfyouareusingActiveDirectoryasyouruserdatabaseandstickedtothedefaultstructure,thefol-lowingconfigurationservesasagoodstartingpoint:<Realm className="org.apache.catalina.realm.JNDIRealm" connectionName="cn=Manager,dc=example,dc=com" connectionPassword="secret" connectionURL="ldap://52.50.222.127:389" userSubtree="true" userBase="cn=Users,dc=domain,dc=com" userSearch="(sAMAccountName={0})" userRoleName="memberOf" roleBase="cn=Users,dc=domain,dc=com" roleName="cn" roleSearch="(member={0})" roleSubtree="true" roleNested="true"/>

Youhavetoadjustthethreehighlightedconnectionparameters,aswellasthetwodcvaluesintheuserBaseandroleBase.Theotherparameterscanusuallybeusedastheyare.

COMBINEDREALMItispossibletosetupacombinedrealmwhereboththeuserdatabaseandLDAPauthenticationareusedinparallel.Generallythisisnotrecommended,butcanbeusefulfordebuggingandinitialset-up/testing.Theexamplebelowshowshowthismightwork.<Realm className="org.apache.catalina.realm.LockOutRealm"> <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/> <Realm className="org.apache.catalina.realm.JNDIRealm"



15

connectionURL="ldap://52.50.222.127:389" userBase="ou=people,dc=example,dc=com" userSearch="(mail={0})" userRoleName="memberOf" roleBase="ou=Group,dc=example,dc=com" roleName="cn" roleSearch="(member={0})"/> </Realm>



16

ENCRYPTEDLDAPIncaseyouareusingencryptedLDAPauthenticationandyourLDAPserverisusingaself-signedcer-tificate,Tomcatwillrefuseit.InthiscaseyouneedtoaddtheLDAPserver’scertificatetotheglobalJavakeystore,whichislocatedin<jredirectory>/lib/security/cacerts:keytool-import-v-noprompt-trustcacerts-file<servercertificate>-keystore<jre>/lib/security/cacerts-storepasschangeitAlternatively,youcancopythecacertsfile,addyourservercertificate,andaddthefollowingtwosystempropertiesto<tomeedirectory>/conf/catalina.properties:javax.net.ssl.trustStrore=<copiedkeystore>javax.net.ssl.keyStorePassword=changeit

TROUBLESHOOTINGInsomecasesyouwillwanttoextractadditionallogfileinformationabouttheLDAPauthenticationprocess.Inthiscaseyoucaneditapache-tomee*/conf/logging.propertiestoadd:org.apache.catalina.realm.level=ALLorg.apache.catalina.realm.useParentHandlers=trueorg.apache.catalina.authenticator.level=ALLorg.apache.catalina.authenticator.useParentHandlers=trueOnceyouhavemadethechangesyouwillneedtorestarttheapache-tomeeprocess/service.Whenyouhavesuccessfullydebuggedyourproblem,don’tforgettocommentoutorremovetheselinesfromthelogging.propertiesfile,asitwillcreateunnecessarilylargelogfiles.



17

CONFIGURINGSINGLE-SIGN-ONWITHKERBEROSANDLDAPSingle-Sign-OncanbeconfiguredfortheKNIMEServer.ThisincludestheWebPortal,butalsoalloth-erservices(REST,SOAP,etc.)theKNIMEServerprovides.ThetechnologyusedtoachievethisisKerberos,whichisanetworkprotocolusedforauthenticationbythemeansofticketsandstrongencryption.InthefollowingitisassumedthatyouarefamiliarwiththebasicconceptsofKerberosandLDAP,asexplainedinthesectionbefore.Youcanfindcom-prehensivedocumentationforthelatestversionofKerberoshere.ThissectionprovidesastepbystepguideforsettingupKerberosauthenticationbythemeansofanActiveDirectoryserviceandWindowsclients.Othersetupsarepossibleandmayrequiredifferentprocedurestobefunctional.Pleasealsonotethateverysystemwilldeviateincertainaspectsfromthisguide,somakeadjust-mentswherenecessary.Kerberosrequiressetupforallthreepartiesinvolved:theKerberosandLDAPservice(ActiveDirecto-ry),theTomEEserverrunningKNIMEServer,andtheclients.

ACTIVEDIRECTORYCONFIGURATIONThefirststepistosetuptheActiveDirectorycorrectly.ItisassumedthatyoualreadyhaveanActiveDirectorydomainwithusersandcorrectgroupsforKNIMEServerusagesetup.Additionalstepsspe-cifictoKerberosare:

1. CreateatechnicaluserfortheTomEEserverinLDAP.

2. AssociateaServicePrincipalName(SPN)onwiththenewlycreateduserfortheTomEEserv-er.Todoso,openaWindowsPowerShellandenter:

setspn -s HTTP/TOMEE_FQDN@REALM TECHNICAL_USER Intheabovecommand,replace

• TOMEE_FQDNwiththefullyqualifieddomainname(FQDN)ofthemachinethatrunsKNIMEServer(andthustheTomEEserver),

• REALMwiththeKerberosrealmofyourActiveDirectoryinstallation,• andTECHNICAL_USERwiththenameofthetechnicaluseryouhavecreatedin

thepreviousstep.

Note:ItisimportantthatfortheTOMEE_FQDNtheDNS(FQDNtoIP)aswellasreverseDNS(IPtoFQDN)entriescanresolvedbythedomaincontrolleraswellallclients.

3. Makesurethattherightencryptionmethodsareactiveonthedomaincontroller.GotoAdministrativeTools->LocalSecurityPolicyBrowsetoSecuritySettings/LocalPolicies/SecurityOptionsFindtheentryNetworksecurity:ConfigureencryptiontypesallowedforKerberos



18

Ifthevalueisnotdefinedallencryptiontypesareallowed.Ifitisdefined,makesureitcon-tainsatleastthemethods:RC4_HMAC,AES128,AES256andFutureEncryptionTypes.

4. OpenaWindowsPowerShellandcreateakeytabfileusingthefollowingcommand.Adjustthevaluesaccordingtoyoursettings:

ktpass /out PATH/tomcat.keytab /mapuser TECHNICAL_USER@REALM /princ HTTP/TOMEE_FQDN@REALM /Pass +rndPass /crypto AES256-SHA1 ptype KRB5_NT_PRINCIPAL

ThecreatedkeytabfileneedstobecopiedtotheTomEEserverlater.

5. Openthe“UserProperties”intheActiveDirectoryforthetechnicalTomEEuseryouhavecreated.Gotothe“Account”tab.Makesurethefollowingsettingsareset:

1. Passwordneverexpires=true2. Usercannotchangepassword=true3. ThisaccountsupportsKerberosAES128bitencryption=true4. ThisaccountsupportsKerberosAES256bitencryption=true5. UseKerberosDESencryptionforthisaccount=shouldpreferablybefalse

Thengotothe“Delegation”tabandsettheradiobuttonto:

6. Trustthisuserfordelegationtoanyservice(Kerberosonly)



19

TOMEESERVERCONFIGURATION

1. InstalltheKNIMEServerasoutlinedintheKNIMEServerInstallationQuickstartGuide.

2. MakeappropriateconfigurationadjustmentsasexplainedintheKNIMEServerAdministra-tionGuide.

3. SetupLDAPauthenticationintheserver.xmltoconnecttoyourActiveDirectory,asdescribed

intheprevioussection.NotethatitmightbenecessarytocreateatemporarylistingusertoperformtheLDAPlookups.Thisstepisoptional,butrecommendedtotestthatthebasicLDAPauthorizationisfunctional.

4. VerifythattheenvironmentvariablesJAVA_HOMEandCATALINA_HOMEareproperlyde-

fined.JAVA_HOMEshouldpointtotheJDK8homedirectory,containingthebinfolder,andCATALINA_HOMEshouldpointtotheTomEEdirectorycontainingit’sbinfolder.

a. OnWindowsthiscanbedoneinControlPanel->System->Advancedsystemsettings

b. ClickonEnvironmentVariablesc. IntheSystemVariablesgroupcheckfortheexistenceofJAVA_HOMEand

CATALINA_HOME.Createoradjustthevaluesaccordingly.a. OnLinuxcreateorchangethevaluesin/etc/sysconfig/tomcat

5. OnceaworkingstandardLDAPsetuphasbeenverified,makeabackupofthecontentsof

CATALINA_HOME/confbycopyingittoCATALINA_HOME/conf_ldap

6. OnWindowsuserregedittosettheregistrykeysettinginHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parametersaddthekeyallowtgtsessionkey(REG_DWORD)andsetthevalueto1.



20

7. OnWindowsmakesurethattherightencryptionmethodsforKerberosareactive.GotoAdministrativeTools->LocalSecurityPolicyBrowsetoSecuritySettings/LocalPolicies/SecurityOptionsFindtheentryNetworksecurity:ConfigureencryptiontypesallowedforKerberos

Ifthevalueisnotdefinedallencryptiontypesareallowed.Ifitisdefined,makesureitcon-tainsatleastthemethods:RC4_HMAC,AES128,AES256andFutureEncryptionTypes.

8. InstalltheJavaCryptographyExtension(JCE)UnlimitedStrengthJurisdictionPolicyfilesfor

JDK8.a. Downloadthearchivefrom

http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html



21

b. CreateabackupofthesecuritypolicyfilesintheJava8JRElocations(jre/lib/security,andjdk/jre/lib/security)

c. ExtractthearchiveintoyourJava8JRElocations(jre/lib/security,andjdk/jre/lib/security)replacingthefilesinthosedirectories.

9. CopythepreviouslycreatedkeytabfilefortheSPNtoalocationofyourchoosing.Recom-

mendedwouldbe<CATALINA_HOME>/conf/

10. Createakrb5.inforkrb5.conffilein<CATALINA_HOME/conf/Thecontentsofthefileshouldlooklike:

[libdefaults] default_realm=REALM default_keytab_name="CATALINA_BASE/conf/tomcat.keytab" default_txt_enctypes=aes256-cts-hmac-shal-96,aes128-cts-hmac-shal-96 default_tgs_enctypes=aes256-cts-hmac-shal-96,aes128-cts-hmac-shal-96 forwardable=true [realms] REALM={ kdc=DOMAIN_CONTROLLER_FQDN:88 } [domain_realm] yourdomain.com=REALM .yourdomain.com=REALM

Adjustthevaluesaccordingtoyourconfiguration.IfyouwanttouseadifferentlocationorfilenameforthisfileyoucandosobydefiningtheJavasystemproperty-Djava.security.krb5.conf=PATH_TO_KRB_CONF(inCATALI-NA_HOME/conf/system.properties)



22

11. Createoreditthefile<CATALINA_HOME>/conf/jaas.confThecontentsofthefileshouldlooklike:

com.sun.security.jgss.krb5.accept { com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true principal="HTTP/TOMEE_FQDN@REALM" keyTab="CATALINA_HOME/conf/tomcat.keytab" storeKey=true useKeyTab=true useTicketCache=true isInitiator=true refreshKrb5Config=true moduleBanner=true storePass=true; }; com.sun.security.jgss.krb5.initiate { com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true principal="HTTP/TOMEE_FQDN@REALM" keyTab="CATALINA_HOME/conf/tomcat.keytab" storeKey=true useKeyTab=true useTicketCache=true isInitiator=true refreshKrb5Config=true moduleBanner=true storePass=true; };

Adjustthevaluesaccordingtoyourconfiguration.Notethatthelocationtothekeytabfilemighthavetobegivenasanabsolutepath.IfyouwanttouseadifferentlocationorfilenameforthisfileyoucandosobydefiningtheJavasystemproperty-Djava.security.auth.login.conf=PATH_TO_LOGIN_CONFInKerberosdocumentationthisfileisoftenreferredtoasthelogin.conf

12. AddthefollowingpropertytothelistofJVMsystempropertiesatstartup.Usuallytheycanbedefinedin<CATALINA_HOME>/conf/system.properties:-Djavax.security.auth.useSubjectCredsOnly=false

13. ConfiguretheKNIMEServerAuthenticatorvalve:a. Navigateto<CATALINA_HOME>/conf/Catalina/localhost/b. Edittheknime.xmlfile(thenameofthefileisequaltothecontextrootthatwasset

intheKNIMEServerinstaller,thedefaultisknime,iftheknime.warfilewasrenamedtorenamed.war,thexmlfilewillbecalledrenamed.xml)

c. Findtheline

<Valve className="com.knime.enterprise.tomcat.authenticator. KnimeServerAuthenticator" enableSpnego="false" basicAuthPaths="/rest,/webservices" formAuthPaths="/" />

d. Changeitto



23

<Valve className="com.knime.enterprise.tomcat.authenticator. KnimeServerAuthenticator" enableSpnego="true" basicAuthPaths=”/rest,/webservices” />

e. Bydefault,theRESTandSOAPwebservicesaresetuptousebasicHTTPauthentica-

tion.IfyouwanttouseSingle-Sign-OnalsofortheRESTand/orSOAPwebservices,e.g.ifyouareusingaRESTclientthatsupportsKerberos,adjustthebasicAuthPathsattributeaccordingly.Itisacommaseparatedlistofpathsoverwritingthedefaultauthenticationmethod.DeletingtheattributeenablesKerberosforallservices.ForexampleifRESTissupposedtobeusedwithSingle-Sign-Ontheattributewouldlooklikethis:basicAuthPaths=”/webservices”

14. Modifytheserver.xmlandadjusttheJNDIRealmsettingstoconnecttoyourLDAP.Ifyou

havesuccessfullytestedsetupinstep3,itissufficienttoremovetheconnectionNameandconnectionPasswordattributes.PleasenotethatwithKerberostheconnectionNameandconnectionPasswordattributesareignored.AlsotheuseoftheuserPatternisnotsupportedbyTomcatwhenusingKerberos.UseuserBaseincombinationwithuserSearchinstead.Therealmdefinitioncouldlooklikethis:

<Realm className="org.apache.catalina.realm.JNDIRealm" connectionURL="ldap://dc.domain.com:3268" userSubtree="true" userBase="cn=Users,dc=domain,dc=com" userSearch="(sAMAccountName={0})" userRoleName="memberOf" roleBase="cn=Users,dc=domain,dc=com" roleName="cn" roleSearch="(member={0})" roleSubtree="true" roleNested="true"/>

IfyouareusingKerberosinacombinedrealm,makesuretheJNDIRealmconnectingtoyourLDAPisfirstinthelistofrealms.

15. RestarttheKNIMEServerforthechangestotakeeffect.InspectthelogfilesinCATALI-

NA_HOME/logstomakesurethattherearenoerrormessagesrelatingtoyourchanges.



24

CLIENTCONFIGURATIONClientconfigurationrequiresonlytwosteps.Theclientmachineneedstobepartofthedomain,andtheenduserloggedintothatdomain.AllbrowsersusedbytheclientneedtohaveKerberosauthenticationenabled.

ENABLINGKERBEROSAUTHENTICATIONININTERNETEXPLORER

1. Openthe“InternetOptions”menuandbrowsetothe“Advanced”tab.

Thesetting“EnableIntegratedWindowsAuthentication”needstobechecked.

2. Browsetothe“Security”tab,select“LocalIntranet”andclickonthe“Sites”button.

3. Clickon“Advanced”andaddtheURLoftheKNIMEServertothelistofwebsitesinthezone.

4. Clickon“CustomLevel”andcheckthatinLocalIntranetSecurityLevel->UserAuthenticationissetto“AutomaticlogononlyinIntranetzone”



25

5. ItmightbenecessarytoalsoaddtheKNIMEServertothelistoftrustedsites.Todoso,goto“TrustedSites”andclickonthe“Sites”button.AddtheURLoftheKNIMEServertothelistofwebsitesinthezone.

6. CheckthattheTrustedSitesSecurityLevel->UserAuthenticationissetto“Automaticlog-on

withcurrentusernameandpassword”.

ENABLEKERBEROSAUTHENTICATIONINFIREFOX

6. StartFirefoxandtypeabout:configintheaddressbar.

7. Ignorethewarningbyclickingonthe“I’llbecareful,Ipromise!”button.



26

8. Findtheappropriatesettingsbytypingnetwork.negotiate-authinthesearchfield.

Changethenetwork.negotiate-auth.delegation-urisandnetwork.negotiate-auth.trusted-uristocon-taintheURLoftheKNIMEServer.Itmightbeenoughtojustenteryourdomain.

TROUBLESHOOTINGAKerberossetupisusuallyverycomplexandneedspreciseconfiguration.Errormessagesareoftentimescryptic.TodebugaKerberossetupitisveryhelpfultoenableadditionalloggingfortheauthenticationintheTomEEserver.Todosoyoucanconfigureafewthings.

1. ToenableloggingintheKrb5modules,addorenablethefollowingtwolinesinbothsectionofthejaas.conf(orlogin.confin<CATALINA_HOME>/conf):

debug=true moduleBanner=true

Notethatthedebugoutputisonlyprintedtoconsole.

2. ToincreasethedebugoutputoftheKerberosimplementationinJavaaddthefollowingsys-tempropertyonstartup(canbedoneinsystem.propertiesfilein<CATALINA_HOME>/conf):

-Dsun.security.krb5.debug=true



27

3. Adddebuggingforauthenticationandrealmmodulesbyaddingtothelogging.propertiesfilein<CATALINA_HOME>/conf.Forclarityallauthenticationoutputcanbeloggedintoasepa-ratefile.

[…] 4auth.org.apache.juli.FileHandler.level = FINE 4auth.org.apache.juli.FileHandler.directory = ${catalina.base}/logs 4auth.org.apache.juli.FileHandler.prefix = auth. […] org.apache.catalina.realm.level = ALL org.apache.catalina.realm.handlers = 4auth.org.apache.juli.FileHandler org.apache.catalina.authenticator.level = ALL org.apache.catalina.authenticator.handlers = 4auth.org.apache.juli.FileHandler com.knime.enterprise.tomcat.handlers = 4auth.org.apache.juli.FileHandler com.knime.enterprise.tomcat.level = DEBUG org.apache.juli.logging.UserDataHelper.CONFIG = INFO_ALL org.apache.coyote.http11.level = DEBUG org.apache.coyote.http11.handlers = 4auth.org.apache.juli.FileHandler



28

KNIME.comAGTechnoparkstrasse18005Zurich,Switzerlandwww.knime.cominfo@knime.comKNIMEisaregisteredtrademarkofKNIMEGmbH,Konstanz,Germany.Allothertrademarksarethepropertyoftheirrespectiveowners.

KNIME Server 4download.knime.org/server/4.4/KNIME_Server_Enterprise_Setup_Guid… · The KNIME...

Documents

Transcript of KNIME Server 4download.knime.org/server/4.4/KNIME_Server_Enterprise_Setup_Guid… · The KNIME...