How to configure EPM Foundation Services 11 - BOOM Americas

Configuring Oracle® Hyperion Enterprise Performance Management System 11.1.2.x for Kerberos Authentication
Knowledge of Kerberos and its configuration at the system level is assumed in this document, which covers only the configuration steps needed at the application level. Before you start these procedures, confirm that the prerequisite tasks below are complete.
Prerequisite Tasks:
1. Corporate Active Directory is configured for Kerberos authentication (http://www.microsoft.com/windowsserver2003/technologies/security/kerberos/default.mspx).
2. Windows client machines are configured for Kerberos authentication (http://support.microsoft.com/kb/295017).
3. The client and server clocks are in sync, with a skew of not more than 5 minutes (http://technet.microsoft.com/en-us/library/cc780011(WS.10).aspx).
4. Browsers are configured to negotiate using Kerberos tickets: IE (http://download.oracle.com/docs/cd/E12839_01/web.1111/e13707/sso.htm#i1102444) or Firefox (http://docs.redhat.com/docs/enUS/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sso-configfirefox.html).
5. If IIS is used as the front-end Web server, IIS is set up (http://download.oracle.com/docs/cd/E12839_01/apirefs.1111/e14395/isapi.html#wp101184) and Windows Integrated Authentication is disabled (http://support.microsoft.com/kb/215383).
Kerberos Authentication Flow Diagram for EPM System
The configuration of EPM System with Kerberos is supported using the WebLogic Negotiate Identity Asserter. The basic communication is as follows:
[Flow diagram: Windows Client (Windows Desktop Login) -> Kerberos Ticket -> EPM OHS Web Server -> Kerberos Ticket -> EPM WebLogic Domain (Negotiate Identity Asserter) -> Username -> EPM Web Application; the WebLogic domain exchanges Token / Authenticate with Active Directory / KDC.]
Configuration of EPM for Kerberos is done in three steps.
Step 1 - Configure EPM System's WebLogic domain for Kerberos authentication
• Install all the products you wish to use, but only deploy and configure Foundation Services. This will create a WebLogic domain. The default domain name is EPMSystem.
• Configure the EPMSystem domain for Kerberos authentication:
  a. Create an LDAP Authentication Provider (http://download.oracle.com/docs/cd/E12839_01/web.1111/e13707/atn.htm#i1216261).
  b. Create a Negotiate Identity Asserter (http://download.oracle.com/docs/cd/E12839_01/web.1111/e13707/atn.htm#i1208059).
     Note: Set the JAAS control flag to OPTIONAL for all of the Authenticators. Refer to http://download.oracle.com/docs/cd/E12839_01/apirefs.1111/e13952/taskhelp/security/SetTheJAASControlFlag.html for more details.
  c. Create service principals and map them to user objects that represent the WebLogic server and Web server (http://download.oracle.com/docs/cd/E12839_01/web.1111/e13707/sso.htm#i1101993).
     Note: An example of a Service Principal:
     • Create a normal User object in AD, for example EPM_Weblogic, to represent the WLS service running on each of the WebLogic servers hosting EPM products.
       i. While creating the user object, do not select any of the Password options. After creating the object, click Properties and select the following option:
          • Reset password after changing the encryption type.
     An example of creating the keytab file is given below:
       ktpass -princ HTTP/myhost@Example.CORP -pass password -mapuser myhost -out c:\temp\myhost.host.keytab -DesOnly
     • From JDK5 onwards the com.sun.security.jgss.accept package has changed to com.sun.security.jgss.krb5.accept.
     • Use the Kerberos admin commands such as kinit and ktab, and create the krb5.ini file, as described in http://download.oracle.com/docs/cd/E12839_01/web.1111/e13707/sso.htm#i1103676.
  d. Configure WebLogic start scripts (http://download.oracle.com/docs/cd/E12839_01/web.1111/e13707/sso.htm#i1102021).
     i. In Windows environments the EPM managed servers run as Windows Services. The startup JVM options have to be set as follows for each of the EPM WebLogic managed servers. Perform this step for the FoundationServices managed server only at this time.
        a. Start the Windows regedit utility.
        b. Navigate to My Computer -> HKEY_LOCAL_MACHINE -> SOFTWARE -> Hyperion Solutions -> HyS9FoundationServices and create additional String values for JVMOption as shown in step c.
        c. Add the Kerberos JVM options as shown.
        d. Modify JVMOptionCount to reflect the new total number of JVMOptions by adding 5 to the current count.
  e. Configure authorization policies for the Active Directory users that will access the EPM products (http://download.oracle.com/docs/cd/E12839_01/web.1111/e13747/secejbwar.htm#i1242796). Refer to the section "Deploy Diagnostics Web App to test Kerberos Configuration" for an example of how to configure a policy.
Step 2 - Deploy Diagnostics Web Application to test Kerberos configuration
EPM System provides a test Web Application that can be used to verify that WebLogic is properly configured for Kerberos authentication.
For 11.1.2.0, download patch 11678653 from http://support.oracle.com and apply it; it contains the Diagnostics Web App SSODiag.war.
Launch the EPM domain WebLogic admin console to deploy the reference implementation SSODiag.war Web application to the Foundation Services managed server:
• Login to the WebLogic admin console and choose Install.
• Pick SSODiag.war.
• Choose "Install this deployment as an application".
• Deploy the SSODiag.war application to the FoundationServices managed server.
• Choose Custom Roles and Policies as the security model.
• Complete the deployment.
1. Configure OHS and add a forwarding rule for the SSODiag URL.
2. Add the following lines to the mod_wl_ohs.conf file located under the <EPM_ORACLE_INSTANCE>/httpConfig/ohs/config/OHS/ohs_component directory to forward requests from OHS to WLS. Restart the server after making the changes.
   <LocationMatch ^/SSODiag/>
     SetHandler weblogic-handler
     WeblogicCluster HSS_Server_Name:HSS_port
   </LocationMatch>
3. Protect the URL by creating a policy in the WebLogic admin console for the URL http://OHS_server_name:port/SSODiag/krbssodiag. krbuser1 is a sample domain user that will access the page from a browser on the desktop. This can be an AD user id or an AD group.
4. Start the Foundation Services and the SSODiag utility.
5. Login to a client machine configured for Kerberos authentication as a valid provisioned Active Directory user and access http://OHS_server_name:port/SSODiag/krbssodiag from a browser.
6. If the Kerberos configuration is done correctly, the following page is shown. [Screenshot of the successful SSODiag page not reproduced.]
7. If the Kerberos configuration is not done correctly, the following page is seen. [Screenshot of the failed SSODiag page not reproduced.] Take corrective steps.
After the Kerberos Diagnostics Utility runs successfully, go to Step 3.
Step 3 - Configure and deploy the rest of EPM System to this domain
Configure all EPM System products using the EPM System Configurator and deploy them to the EPM domain.
Step 4 - Configure EPM products for Kerberos authentication
1. Configure WebLogic start scripts (http://download.oracle.com/docs/cd/E12839_01/web.1111/e13707/sso.htm#i1102021).
   ◦ In Windows environments the EPM managed servers run as Windows Services. The startup JVM options have to be set as follows for each of the EPM WebLogic managed servers. The example below describes the FoundationServices managed server only; this needs to be performed for each of the WebLogic managed servers.
     • Start the Windows regedit utility.
     • Navigate to My Computer -> HKEY_LOCAL_MACHINE -> SOFTWARE -> Hyperion Solutions -> HyS9FoundationServices and create additional String values for JVMOption as shown below.
     • Add the Kerberos JVM options as shown, where krb5.realm is the actual Kerberos domain name and krb5.kdc is the domain controller IP address.
     • Modify JVMOptionCount to reflect the new total number of JVMOptions by adding 5 to the current count.
     • The comprehensive list of EPM WebLogic managed servers in Windows to perform steps b, c and d on is AnalyticProviderServices0, CalcMgr0, DisclosureManagement0, EpmaDataSync0, EpmaWebReports0, ErpIntegrator0, EssbaseAdminServer0, FinancialReporting0, FMWebServices0, FoundationServices0, HpsAlerter0, HpsWebReports0, hsfweb0, Planning0, Profitability0, RaFramework0, WebAnalysis0. If deployed in compact deployment mode, there is only one managed server, EPMSystem0.
   ◦ Configure authorization policies for the Active Directory users that will access the EPM products (http://download.oracle.com/docs/cd/E12839_01/web.1111/e13747/secejbwar.htm#i1242796). Refer to the section "Deploy Diagnostics Web App to test Kerberos Configuration" for an example of how to configure a policy.
2. Change the default security model with which EPM is deployed from DDOnly to CustomRolesAndPolicies.
   ◦ Edit the <EPM_ORACLE_INSTANCE>/domains/EPMSystem/config/config.xml file.
   ◦ For each of the EPM deployments on each of the EPM WebLogic managed servers in config.xml, modify the security-dd-model entry and set it to CustomRolesAndPolicies (case sensitive). The screenshot shows only a partial list of the entries; all EPM managed server entries in config.xml need to be modified. A comprehensive list of EPM WebLogic enterprise applications is AIF, APS, CALC, DISCLOSUREMANAGEMENT, EAS, EPMADATASYNCHRONIZER, EPMAWEBTIER, FINANCIALREPORTING, HPSAlerter, HPSWebReports, HSFWEB, PLANNING, PROFITABILITY, RAFRAMEWORK, SHAREDSERVICES, WEBANALYSIS, WORKSPACE.
   ◦ Create a URL protection policy for each of the EPM enterprise applications, similar to the one shown for the SSODiag deployment. Login to the WebLogic admin console as an admin.
     • Click on Deployments (the comprehensive list of EPM WebLogic enterprise applications is the one given above).
     • Pick a particular Enterprise Application such as PLANNING, expand the node and click on the web application HyperionPlanning.
     • Click the Security tab and choose New Role. If you see the message "If you are using the DD Only security model for this deployment, then you cannot use the Administration Console to modify its security roles.", Step 2 was not done for this particular web application. Redo step 2.
     • Type /* for the Name and click OK.
     • Click on the /* link.
     • Choose Add Conditions under Role Conditions.
     • Choose the predicate list to be an AD group or user and click Next. These are the users who will be granted privileges to access this EPM web application.
     • Type in the name of the AD group and click Finish. Choose an AD group that contains all the users that will access EPM products. Check with your AD admin to get the exact group name; it should match the name in AD. WebLogic will show an error after the Finish button is clicked if the group cannot be found.
     • Repeat the above steps to create the policy for each of the web apps mentioned above.
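As an added example that is not Oracle's or the page's own tooling, the config.xml edit in item 2 done with a script, so every listed deployment can be switched to CustomRolesAndPolicies and audited in one pass; it assumes the standard WebLogic domain namespace and works on a constructed sample config.xml.

```python
# Added example (not Oracle's tooling): switch EPM deployments in a WebLogic
# config.xml from DDOnly to CustomRolesAndPolicies, the edit Step 4 item 2 makes by
# hand. Assumption: the WebLogic domain namespace below; the sample is constructed.
import xml.etree.ElementTree as ET

WLS_NS = "http://xmlns.oracle.com/weblogic/domain"   # assumed config.xml namespace
TARGET_MODEL = "CustomRolesAndPolicies"              # case sensitive

# Constructed sample: two EPM deployments still on the DDOnly default
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>EPMSystem</name>
  <app-deployment>
    <name>PLANNING</name>
    <target>Planning0</target>
    <security-dd-model>DDOnly</security-dd-model>
  </app-deployment>
  <app-deployment>
    <name>SHAREDSERVICES</name>
    <target>FoundationServices0</target>
    <security-dd-model>DDOnly</security-dd-model>
  </app-deployment>
</domain>
"""

def _q(tag):
    return "{%s}%s" % (WLS_NS, tag)   # namespace-qualified tag name

def set_security_model(config_xml, apps=None):
    """Return (patched xml text, names of deployments changed).
    apps: optional set of deployment names to restrict the change to."""
    ET.register_namespace("", WLS_NS)   # write the default namespace back unprefixed
    root = ET.fromstring(config_xml)
    changed = []
    for dep in root.findall(_q("app-deployment")):
        name = dep.findtext(_q("name"))
        if apps is not None and name not in apps:
            continue
        model = dep.find(_q("security-dd-model"))
        if model is None:   # element absent: add it so the model is explicit
            model = ET.SubElement(dep, _q("security-dd-model"))
        if model.text != TARGET_MODEL:
            model.text = TARGET_MODEL
            changed.append(name)
    return ET.tostring(root, encoding="unicode"), changed

def remaining_ddonly(config_xml):
    """Audit helper: names of deployments still on DDOnly (empty when done)."""
    root = ET.fromstring(config_xml)
    return [d.findtext(_q("name")) for d in root.findall(_q("app-deployment"))
            if d.findtext(_q("security-dd-model")) == "DDOnly"]
```

Run remaining_ddonly on the real config.xml after saving to confirm no managed server entry was missed before restarting the domain.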
Step 5 - Modify the EPM web applications to enable client cert based authentication in WebLogic. This step is needed for EPM versions 11.1.2.1.00 or earlier
1. Modify the following web application archives to insert a login-config entry.
   a) The following application archives need to be modified. They can be found under <EPM_ORACLE_HOME>/EPMSystemR11/products:
      • DisclosureManagement/AppServer/InstallableApps/common/DisclosureManagement.ear
      • Essbase/eas/server/AppServer/InstallableApps/Common/eas.ear
      • FinancialDataQuality/AppServer/InstallableApps/aif.ear
      • financialreporting/InstallableApps/HReports.ear
      • Foundation/AppServer/InstallableApps/common/interop.ear
      • hsf/AppServer/InstallableApps/hsf.ear
      • PerformanceScorecard/AppServer/InstallableApps/common/webapps/HPSAlerter.ear
      • PerformanceScorecard/AppServer/InstallableApps/common/webapps/HPSWebReports.ear
      • Planning/AppServer/InstallableApps/Common/HyperionPlanning.ear
      • Profitability/AppServer/InstallableApps/common/profitability.ear
   b) Extract each of the above ear files using the 7zip application.
   c) Open the .war file inside the .ear file using 7zip.
   d) Open the web.xml file under the WEB-INF folder inside the war file using a text editor.
   e) Go to the end of the file and insert the following lines just above the </web-app> tag:
      <login-config>
        <auth-method>CLIENT-CERT</auth-method>
      </login-config>
   f) Save the file; 7zip will ask if you want to update the archive. Choose Yes.
   g) Close the 7zip application.
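As an added example that is not part of the original document, the same web.xml edit applied programmatically to every .war inside an .ear, so the archives listed above can be patched consistently; it assumes each war's descriptor sits at WEB-INF/web.xml and uses a constructed sample ear.

```python
# Added example (not Oracle's tooling): insert the CLIENT-CERT <login-config> into
# WEB-INF/web.xml of every .war inside an .ear, as Step 5 does by hand with 7zip.
# Works on in-memory bytes; the sample ear built below is constructed for the demo.
import io
import zipfile

LOGIN_CONFIG = "  <login-config>\n    <auth-method>CLIENT-CERT</auth-method>\n  </login-config>\n"

def patch_web_xml(web_xml):
    """Insert <login-config> just above the closing </web-app>; no-op if one exists."""
    if "<login-config>" in web_xml:
        return web_xml
    idx = web_xml.rfind("</web-app>")
    if idx < 0:
        raise ValueError("no </web-app> closing tag found")
    return web_xml[:idx] + LOGIN_CONFIG + web_xml[idx:]

def _rewrite_zip(data, transform):
    """Copy a zip archive, passing each entry through transform(name, bytes) -> bytes."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            dst.writestr(info.filename, transform(info.filename, src.read(info.filename)))
    return out.getvalue()

def patch_war(war):
    """Patch WEB-INF/web.xml inside one .war; every other entry is copied unchanged."""
    return _rewrite_zip(war, lambda name, data: patch_web_xml(data.decode("utf-8")).encode("utf-8")
                        if name == "WEB-INF/web.xml" else data)

def patch_ear(ear):
    """Patch every .war packaged in the .ear (for example HyperionPlanning.ear)."""
    return _rewrite_zip(ear, lambda name, data: patch_war(data) if name.endswith(".war") else data)

def read_web_xml(ear, war_name):
    """Read WEB-INF/web.xml back out of a war inside an ear, to verify the edit."""
    with zipfile.ZipFile(io.BytesIO(ear)) as e, zipfile.ZipFile(io.BytesIO(e.read(war_name))) as w:
        return w.read("WEB-INF/web.xml").decode("utf-8")

def build_sample_ear():
    """Constructed stand-in for an EPM ear: one war holding a minimal web.xml."""
    web_xml = '<?xml version="1.0"?>\n<web-app>\n  <display-name>HyperionPlanning</display-name>\n</web-app>\n'
    war, ear = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(war, "w") as w:
        w.writestr("WEB-INF/web.xml", web_xml)
    with zipfile.ZipFile(ear, "w") as e:
        e.writestr("HyperionPlanning.war", war.getvalue())
    return ear.getvalue()
```

Keep a copy of each original ear before overwriting it; patch_web_xml is idempotent, so re-running over an already patched archive does not duplicate the entry.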
Step 5 - Enable the security configuration in EPM Shared Services to perform SSO with Kerberos-enabled WebLogic
1. Launch Shared Services and login as an Administrator user.
2. Add the Active Directory domain that is configured for Kerberos authentication as a User Directory.
3. Ensure that the login attribute is set to the same attribute (such as uid or sAMAccountName) as set in the WebLogic identity authentication provider.
4. Go to the Security Options tab for this Active Directory provider, enable Single Sign-On Configuration and choose "Get Remote User from HTTP Request" as the SSO mechanism.
Test the configuration by logging into Shared Services and ensure Kerberos is properly configured.
Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
http://www.oracle.com