Single Sign-On for APEX applications using Kerberos
business by integration
Page 1 of 9
SINGLE SIGN-ON
FOR APEX APPLICATIONS
USING KERBEROS
Author: Niels de Bruijn
Version: 4.02
Date: 4-DEC-2014
1 INTRODUCTION
When using Oracle REST Data Services, you use the URL <hostname>/apex/f?p=xxx to get to an
APEX application, where you normally have to authenticate yourself with username/password
credentials. However, most end users of APEX applications have already authenticated themselves by
logging on to the Windows domain, so why authenticate a second time to use the first APEX
application? Wouldn't it be nice if you could point your browser to an APEX app and be instantly
authenticated? A secure method to achieve this is to use the Kerberos protocol, which is the same
protocol that Windows uses for authentication. In this document we describe how to install and
set up the Apache module mod_auth_kerb in a Linux environment so that it performs the authentication
against a Windows domain controller. In this case the APEX URL (/apex) will be protected, but you
can protect any other web application that lies behind the Apache web server with this approach.
Image 1: APEX architecture with Apache and Oracle REST Data Services.
In this document we assume that you have set up a Windows domain controller with Active Directory
(Windows Server 2003/2008) and that you have Windows-based client PCs on which users have to
authenticate against the Windows domain. Also, make sure you have successfully installed and
configured the Oracle Database with Oracle Application Express 4.2.x and Oracle REST Data
Services 2.0.x.
Remarks:
- It doesn't matter which operating system you use for Apache. Also, the server doesn't have to
be part of the Windows domain. If you are on Windows Server 2012, you might want to use
Web Application Proxy instead of Apache, which has Kerberos authentication built in.
- Use a firewall to restrict the communication with the server to port 443 (HTTPS).
- For Linux/Unix environments, you can use Samba 4 as Domain Controller.
- If you are interested in learning about other ways to get SSO in place, have a look at the
following blog posting: http://wphilltech.com/options-for-windows-native-authentication-with-apex
2 CONFIGURATION OF THE WINDOWS DOMAIN CONTROLLER
2.1 ADD AN ENTRY IN DNS FOR APACHE
First add the fully qualified domain name (FQDN) as an additional host record (A record), not as an
alias (CNAME), in your internal DNS server. In our example we entered apex.mt-ag.com. You can verify
this by executing nslookup apex.mt-ag.com.
Remark: if the FQDN was registered as an alias, the end user has to authenticate through the
Basic Authentication protocol and is asked to enter a username/password combination.
2.2 CREATE A SERVICE USER IN ACTIVE DIRECTORY
Add a computer account, such as APEX_SSO, in Active Directory.
Use this account to create a keytab file with which Apache can verify that users are authenticated:
ktpass -princ HTTP/apex.mt-ag.com@MT-AG.COM -mapuser "CN=APEX_SSO,CN=Computers,DC=mt-ag,DC=com" -crypto All -ptype KRB5_NT_SRV_HST -pass <password> -out c:\http_apex.mt-ag.com.keytab
Remarks:
- Although it is possible to use a user account, we recommend using a computer account, since
with this account type it is not possible to log on to a client PC that is registered in a
Windows domain.
- Our domain in this example is called MT-AG.COM and the web address we use to access
APEX through Apache is https://apex.mt-ag.com.
- Run the command as administrator in a command prompt on the domain controller.
- The password can be whatever you like it to be.
- The address apex.mt-ag.com behind HTTP/ is the web address entered in the browser by
end users.
- Although we access APEX using HTTPS, you still need to specify HTTP behind -princ.
- The filename of the keytab file can be chosen freely.
- Windows Server 2003 is not aware of the option -crypto All, so use -crypto RC4-HMAC-NT instead.
Copy over the keytab file to the Linux server where you want to install Apache. In our example, this is
the directory /opt/httpkeytab.
3 CONFIGURATION OF TOMCAT 7
After installing Tomcat 7, make sure the HTTP Connector element in the file server.xml carries the
following attributes (maxHeaderCount, maxHttpHeaderSize and URIEncoding are the ones you have to
add; the others are already present in the default configuration):
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" maxHeaderCount="-1" maxHttpHeaderSize="65536" URIEncoding="UTF-8" … />
Remark: failure to do so may lead to a "Page not found" message in the browser upon accessing a
protected URL, or special characters may be displayed wrongly on the page if they are part of the
URL.
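As an added example (not part of the original document), here is a small Python check for the Connector settings above: it parses a constructed server.xml and reports which of the three attributes are missing or set to a different value. The attribute names and values are the document's; the function name and the sample XML are mine.

```python
import xml.etree.ElementTree as ET
from typing import List

# Connector attributes required in section 3 of the document. The Kerberos service
# ticket travels in the Authorization header; for Active Directory users it can be
# larger than Tomcat's default 8 KB header limit, so the request is refused before
# ORDS sees it unless the limit is raised.
REQUIRED_CONNECTOR_ATTRS = {
    "maxHeaderCount": "-1",        # no cap on the number of request headers
    "maxHttpHeaderSize": "65536",  # room for the Negotiate/Authorization header
    "URIEncoding": "UTF-8",        # non-ASCII characters in APEX URLs decode correctly
}


def audit_connector(server_xml: str, port: str = "8080") -> List[str]:
    """Return a list of problems for the Connector on `port`; an empty list means OK."""
    root = ET.fromstring(server_xml)
    connectors = [c for c in root.iter("Connector") if c.get("port") == port]
    if not connectors:
        return [f"no Connector with port={port} found"]
    problems = []
    for name, wanted in REQUIRED_CONNECTOR_ATTRS.items():
        actual = connectors[0].get(name)
        if actual is None:
            problems.append(f"{name} missing (want {wanted})")
        elif actual != wanted:
            problems.append(f"{name}={actual} (want {wanted})")
    return problems


# Constructed sample: a stock Tomcat 7 HTTP connector before the change ...
DEFAULT_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
  </Service>
</Server>"""

# ... and the same connector with the attributes from section 3 added.
FIXED_SERVER_XML = DEFAULT_SERVER_XML.replace(
    'redirectPort="8443"',
    'redirectPort="8443" maxHeaderCount="-1" maxHttpHeaderSize="65536" URIEncoding="UTF-8"',
)

if __name__ == "__main__":
    for label, doc in (("default", DEFAULT_SERVER_XML), ("fixed", FIXED_SERVER_XML)):
        print(label, audit_connector(doc) or "OK")
```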
4 CONFIGURATION OF THE APACHE SERVER
4.1 INSTALL NTP
The time on the Apache server should be kept in sync with the domain controller. You can achieve this
by installing the NTP service:
yum install ntp
Make sure that it starts automatically upon server reboot:
chkconfig ntpd on
4.2 INSTALL APACHE WITH MOD_AUTH_KERB
By installing the module mod_auth_kerb, Apache will be installed as well:
yum install mod_auth_kerb
Make sure that Apache starts upon server reboot:
chkconfig httpd on
This document does not describe how to configure Apache so it can be accessed through Port 443
using a valid SSL server certificate. If you need this, you can find this on the internet. In our example,
we assume that you have done this, but it is not required to get Single Sign-On to work.
4.3 CONFIGURE KERBEROS ON THE APACHE SERVER
Edit the file /etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MT-AG.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[realms]
MT-AG.COM = {
kdc = mt-ag.com
admin_server = MT-AG.COM
default_domain = MT-AG.COM
}
[domain_realm]
.mt-ag.com = MT-AG.COM
mt-ag.com = MT-AG.COM
Remarks:
- After kdc you can also list multiple hostnames, separated by a space.
- No restart of Apache is needed, since this configuration is read each time the authentication
process takes place.
4.4 PROTECT THE APEX URL IN APACHE
Add the following lines to the file /etc/httpd/conf/httpd.conf (the RewriteEngine, RewriteCond and
RewriteRule directives below need mod_rewrite, which the default httpd.conf usually loads already):
LoadModule auth_kerb_module /etc/httpd/modules/mod_auth_kerb.so
LoadModule proxy_module /etc/httpd/modules/mod_proxy.so
LoadModule proxy_http_module /etc/httpd/modules/mod_proxy_http.so
LoadModule headers_module /etc/httpd/modules/mod_headers.so
LoadModule rewrite_module /etc/httpd/modules/mod_rewrite.so
# Protect all APEX specific requests
<Location /apex>
AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealms MT-AG.COM
KrbServiceName HTTP/apex.mt-ag.com@MT-AG.COM
Krb5KeyTab /opt/httpkeytab/http_apex.mt-ag.com.keytab
require valid-user
# When using mod_proxy, the variable REMOTE_USER isn't passed to Tomcat,
# so explicitly set a new variable here.
RewriteEngine On
# RewriteCond %{LA-U:REMOTE_USER} (.+)$
# If you don't want to remove the domain name, just disable the following
# line and enable the line before this comment.
RewriteCond %{REMOTE_USER} (.+)@.*
RewriteRule . - [E=RU:%1]
RequestHeader set APEX_USER %{RU}e
# Forward requests to Oracle REST Data Services.
# The forwarding can be done either with HTTP(S) or via AJP.
ProxyPass /apex http://localhost:8080/apex
ProxyPassReverse /apex http://localhost:8080/apex
</Location>
# Static files of APEX
Alias /i/ "/srv/www/htdocs/images/"
Save the file and restart Apache.
5 AUTOMATED AUTHENTICATION IN AN APEX APPLICATION
Within the APEX application, set up a new authentication scheme that reads out the HTTP header
variable "APEX_USER".
When APEX_USER is empty, the user will be redirected to a static HTML page (index.html) hosted by
Apache. This page will inform the user that he or she is currently not logged on to the Windows
domain.
Note: if you are using an older version of APEX (< 4.2.3), the Scheme Type "HTTP Header Variable"
won't be available. In this case, you will have to write a small PL/SQL function to achieve the same
objective. Contact us if you need the code for this.
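To make the identity hand-off of sections 4.4 and 5 concrete, here is an added Python model (mine, not the document's or its author's code) of what the RewriteCond/RequestHeader lines produce and what the APEX scheme then sees; the header name, realm and host are the document's, the user name nbruijn and the function names are my assumptions. It also shows why the firewall advice from section 1 matters: APEX trusts the APEX_USER header, so ORDS/Tomcat must be reachable only through Apache.

```python
import re

# The two RewriteCond patterns from section 4.4: the active one drops the realm,
# the commented-out one keeps it.
STRIP_REALM = re.compile(r"(.+)@.*")
KEEP_REALM = re.compile(r"(.+)$")


def apex_user_value(remote_user, strip_realm=True):
    """Value Apache writes into the APEX_USER request header, derived from REMOTE_USER
    as mod_auth_kerb sets it (user@REALM). None means the RewriteCond did not match,
    so the RU variable stays unset."""
    if not remote_user:
        return None
    match = (STRIP_REALM if strip_realm else KEEP_REALM).match(remote_user)
    return match.group(1) if match else None


def upstream_headers(client_headers, remote_user):
    """Headers Tomcat/ORDS receives for a request that went through <Location /apex>.
    Returns None when 'require valid-user' stops the request (401 Negotiate) before
    mod_proxy forwards it."""
    if not remote_user:
        return None
    # RequestHeader set replaces any APEX_USER header the browser sent on its own,
    # so a client-supplied value never survives the hop through Apache.
    headers = {k: v for k, v in client_headers.items() if k.lower() != "apex_user"}
    headers["APEX_USER"] = apex_user_value(remote_user)
    return headers


def apex_sentry(headers):
    """Section 5 behaviour of the APEX authentication scheme: the header value is the
    session user; an empty or absent header sends the browser to index.html."""
    user = (headers.get("APEX_USER") or "").strip()
    return ("authenticated", user) if user else ("redirect", "/index.html")


if __name__ == "__main__":
    # Constructed request: the browser carries its own APEX_USER header.
    browser = {"Host": "apex.mt-ag.com", "APEX_USER": "ADMIN"}
    via_apache = upstream_headers(browser, "nbruijn@MT-AG.COM")
    print(via_apache)               # APEX_USER is nbruijn, not ADMIN
    print(apex_sentry(via_apache))  # ('authenticated', 'nbruijn')
    # Reaching port 8080 directly skips Apache, so the scheme believes any header it
    # is given. Bind the Tomcat Connector to 127.0.0.1 (address="127.0.0.1") and keep
    # port 8080 closed on the firewall, as section 1 recommends.
    print(apex_sentry(browser))     # ('authenticated', 'ADMIN') -> must never be reachable
```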
6 CONFIGURATION OF THE CLIENT PC
The web address of Apache should be listed in the intranet zone in Internet Explorer, otherwise you
will be prompted to enter your Windows credentials if you try to access your APEX application:
When you are using Firefox, go to the URL about:config and set the attribute
network.negotiate-auth.trusted-uris to mt-ag.com.
You can now access your APEX application using either Internet Explorer or Firefox without the need
to provide your credentials.
Important: make sure that all browser requests aren’t routed through a proxy server. So if your
browser was configured to use a proxy server, make sure that an exception for apex.mt-ag.com
exists, otherwise you will get a “page not found” error, because the Kerberos ticket got lost along the
way.
7 WHAT'S HAPPENING?
If you would like to see what's happening in the background, you can set the log level of Apache to
debug and inspect the log files.
Edit the file /etc/httpd/conf/httpd.conf and change the row containing "LogLevel" to
"LogLevel debug". Save the file and restart Apache.
The log files you need to inspect are called access_log and error_log.
With the Windows 7 or Windows 8 utility klist on a client PC, you can find out which Kerberos tickets
the Windows domain user currently has. If everything was set up correctly, you should see a ticket for
apex.mt-ag.com in the output.
Still need help? You can find us here: https://apex.mt-ag.com.
8 OTHER USEFUL LINKS
More helpful information:
http://blog.hallowelt.biz/wp-content/uploads/SSO_mit_mod_auth_kerb_v3.pdf
SSO configured in Tomcat instead of Apache:
https://community.oracle.com/message/12748733
More SSO options:
http://wphilltech.com/options-for-windows-native-authentication-with-apex
Disclaimer:
MT AG is not responsible for any damage, outages or loss of profit resulting from the usage of this document.