How to configure SSO (Single Sign On) with Maximo 7.6

Article ID: 314
Posted: 15 Oct, 2015 by MaximoKB A.
Last updated: 15 Oct, 2015 by MaximoKB A.

For testing purposes, you can set up Maximo 7.6 with an SSO configuration.

Configuring SSO has three parts.

- Part 1: Install DNS (Domain Name System) Server and AD (Active Directory) Domain Services

- Part 2: Install Maximo with middleware

- Part 3: Configure SSO using SPNEGO

Part 1: Install DNS Server and Active Directory

1. Prepare two machines (two VM instances are fine) running Windows Server 2012.

One is the DNS Server, where AD and Maximo will be installed.

The other is the client machine, which will join the same domain.

** Important point: both the DNS Server and the client machine must have static IP addresses.

2. IP settings for the two machines.

- IP settings for the DNS Server

image

- IP settings for the client machine

* The preferred DNS server must be the DNS Server's IP address.

image

3. Install DNS Server and Active Directory Domain Services on the DNS Server machine.

- Open Add Roles and Features

image

- Click 'Role-based or feature-based installation'

image 

- Select 'Active Directory Domain Services' and 'DNS Server'

image

- After installation, a 'Post-deployment Configuration' message appears for Active Directory Domain Services.

image

- Click 'Post-deployment Configuration'.

- Click 'Add a new forest'. Set the root domain name to whatever you want to use, e.g. domain.com.

image

- Type the Directory Services Restore Mode password, e.g. Maximo01.

image

- The NetBIOS domain name is set to DOMAIN, derived from the root domain name (domain.com).

image

- Finish. The machine must be restarted.

After the restart, you can see that the machine belongs to the 'domain.com' domain.

image

4. Configure the Active Directory structure.

In Active Directory Users and Computers, right-click the domain and go to New → Organizational Unit.

Create the Maximo, Groups and Users OUs as in the screenshot below.

image

In the Groups OU, add two groups: maximousers and maximononusers.

image

In the Users OU, add three users (maxadmin, maxreg, mxintadm) and make them members of the maximousers group and the Domain Users group.

image

This allows the three users (maxadmin, maxreg, mxintadm) to log in to any computer that belongs to the domain (DOMAIN).

The DNS Server and Active Directory configuration is now complete.

5. Configure the client machine so that it joins the same domain (domain.com).

- Log in to the client machine.

- Open Computer / Properties - System properties - click the 'Change' button. Change 'Member of Domain' to 'domain.com'. Restart the client machine.

image

Now the DNS Server and the client machine are configured and are in the same domain.

- DNS Server (AD): dnsserver.domain.com

- Client: ssoclient.domain.com

* Domain users (maxadmin, mxintadm, maxreg) can log in to this client machine (ssoclient.domain.com) as in the screenshot below.

image

Part 2: Install Maximo 7.6 with middleware (WebSphere and DB2) on the server machine where the DNS Server and AD were installed.

1. Run launchpad64 and select DB2, WebSphere and IBM Maximo Asset Management 7.6 as in the screenshot below.

image

2. Accept the license agreements.

3. Confirm parameters and packages.

4. Enter DB2 Installation Information.

image

5. Enter Web Server Configuration Information.

image

6. Once the installation completes, the Tivoli's process automation suite configuration tool screen opens.

image

Click 'Prepare WebSphere Application Server for Configuration'.

7. Configure WebSphere Application Server

image

8. Configure Application Server Profiles

image

9. Application Server Advanced Options

image

10. Configure Administrative Security

image

11. Apply Deployment Operations.

image

12. Click 'Configure a New Deployment'.

image

13. Define Deployment Environment

- Check 'Create and Configure the database'

- Check 'Complete configuration of WebSphere for your product'

image

14. Configure General Product Information

image

15. Database Instance Information - Configure the DB2 Database

image

16. Configure the Application Server

image

17. Configure Application Security

image

18. Apply Deployment Operations.

image

19. Finish. You can now log in to Maximo at http://dnsserver.domain.com:9080/maximo.

Part 3: SSO (Single Sign On) configuration using SPNEGO

SPNEGO, or the Simple and Protected GSSAPI Negotiation Mechanism, enables a straightforward single sign-on (SSO) mechanism for WebSphere in Kerberos environments.

The Windows client must be in the same Active Directory (AD) domain. If you are configuring SPNEGO on a Windows system, you still need a separate Windows client to browse from.

For whatever reason, SPNEGO does not work when the browser runs locally on the application server itself.

1. Create a User ID for the Application Server

Please note that the ID you create here is not, and cannot be, the same as the WebSphere administration ID that you use when you turn on WebSphere security (usually 'wasadmin' in test environments).

The ID created here is the one that the WebSphere instance itself uses to authenticate to Active Directory.

Example: wasspnego@domain.com / Maximo01

image

* Set the password to never expire in your test environment. This saves you from having to regenerate the keys (discussed next), because the password never needs changing.

Please remember that if you do change the password for the account, you will also need to regenerate the keys.

2. Assign the Service Principal Name and Create the Key File

After the account has been created, we need to map it to the Kerberos Service Principal Name (SPN) and create a keytab file that WebSphere uses to authenticate to the domain. The keytab holds the account's key and is equivalent to its password, so restrict file permissions on it and never copy it to the client machines.
Please note that SPNs and keytabs are only required for the WebSphere Application Server instance, not for the Windows client users, who log in to the domain via the domain sign-on screen.

To create the keytab:

ktpass -out <keyfile name> -princ HTTP/<fully qualified hostname>@<AD DOMAIN NAME> -mapuser <AD user> -pass <password> -ptype KRB5_NT_PRINCIPAL

Example:

ktpass -out appserver1.keytab -princ HTTP/dnsserver.domain.com@DOMAIN.COM -mapuser wasspnego -pass Maximo01 -ptype KRB5_NT_PRINCIPAL

* Please note that case is very important here. HTTP must be all in capital letters, and so must the AD domain name. If you get this wrong, authentication will not work.

If the command runs successfully, the file appserver1.keytab is created and the Service Principal Name (SPN) is mapped to the AD user 'wasspnego'.

The keytab file is then shipped to the WebSphere server, which uses this key to authenticate itself in the AD domain as 'wasspnego'.

Note the 'User logon name' field for the wasspnego user. It now contains the Service Principal Name (SPN) of the ID.
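As an added check that is not part of the original article or of IBM's tooling, the Python below parses a keytab file and confirms it holds exactly HTTP/dnsserver.domain.com@DOMAIN.COM, reporting the case mistakes the note above warns about before the file is shipped to WebSphere. build_keytab only constructs sample data for an offline run; in practice you feed parse_keytab and check_spn the bytes of the real appserver1.keytab.

```python
import struct
KRB5_NT_PRINCIPAL = 1   # ktpass -ptype value; keytab file version 0x0502, all big-endian

def _counted(buf, off):
    # 16-bit length prefix followed by that many bytes; returns (text, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n

def parse_keytab(data):
    """Return (principal, name_type, kvno, enctype) for every live entry in a keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off, end = off + 4, off + 4 + abs(size)      # negative size marks a deleted slot
        if size > 0:
            (ncomp,) = struct.unpack_from(">H", data, off)
            realm, off = _counted(data, off + 2)
            comps = []
            for _ in range(ncomp):                   # v2 component count excludes the realm
                c, off = _counted(data, off)
                comps.append(c)
            name_type, _stamp, vno8 = struct.unpack_from(">IIB", data, off)
            enctype, klen = struct.unpack_from(">HH", data, off + 9)
            off += 13 + klen                         # skip over the key bytes
            # optional trailing 32-bit kvno overrides the 8-bit one when present and non-zero
            vno32 = struct.unpack_from(">I", data, off)[0] if off + 4 <= end else 0
            entries.append(("/".join(comps) + "@" + realm, name_type, vno32 or vno8, enctype))
        off = end
    return entries

def check_spn(data, host, realm):
    """List why SPNEGO would fail: the service must be 'HTTP' and the realm upper-case."""
    want = f"HTTP/{host.lower()}@{realm.upper()}"
    found = [p for p, *_ in parse_keytab(data)]
    if want in found:
        return []
    return [f"expected {want}, keytab holds {found}"] + [
        f"{p} differs from {want} only by case" for p in found if p.lower() == want.lower()]

def build_keytab(principal, key=b"\x00" * 16, enctype=23, vno=3):
    """Construct a minimal one-entry keytab for offline testing (not real ktpass output)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, vno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", vno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

On the server, `check_spn(open(r"C:\IBM\WebSphere\AppServer\etc\krb5\appserver1.keytab", "rb").read(), "dnsserver.domain.com", "DOMAIN.COM")` returns an empty list when the keytab matches the SPN that step 2 assigned.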

image

3. Set up the Kerberos Configuration on the Application Server

- Copy appserver1.keytab to C:\IBM\WebSphere\AppServer\etc\krb5.

- Run wsadmin from C:\IBM\WebSphere\AppServer\bin (log in as wasadmin / Maximo1).

- Run:

$AdminTask createKrbConfigFile {-krbPath C:\IBM\WebSphere\AppServer\etc\krb5\krb5.conf -realm DOMAIN.COM -kdcHost dnsserver.domain.com -dns domain.com -keytabPath C:\IBM\WebSphere\AppServer\etc\krb5\appserver1.keytab}

Afterwards, both appserver1.keytab and krb5.conf exist in the C:\IBM\WebSphere\AppServer\etc\krb5 folder.

4. Enable WebSphere Security: if Maximo was installed with J2EE application security, this is already enabled.
Go to the WebSphere Console and click Security / Global Security in the left panel.

image

5. Enable SSO

- Go to the WebSphere Console and click Security / Global Security in the left panel.
- Click Single Sign-on (SSO).
- Check 'Enabled' and enter the domain name 'domain.com'.
- Check 'Web inbound security attribute propagation' and 'Set security cookies to HTTPOnly to help prevent cross-site scripting attacks'.

image

6. Enable SPNEGO in WebSphere

- Go to the WebSphere Console and click Security / Global Security in the left panel.

- Click 'SPNEGO web authentication'.

image

- Check 'Dynamically update SPNEGO' and the 'Enable SPNEGO' checkbox.

- Enter the Kerberos configuration file and keytab file names with their full paths (see step 3).

image

- Click the New button to add a new SPNEGO filter.

image

- Apply the changes (double-check MXServer / Security Domain / SPNEGO web authentication).

7. Restart the WebSphere server.

SPNEGO is now enabled on the server.

8. Configure Browsers: the browsers must be configured to send their Kerberos tokens to the server when challenged.

You need to change a couple of settings in the browsers running on your Windows client machines.

- Log in to the client machine (ssoclient.domain.com) as the maxadmin domain user.

- Open the IE browser: Internet options - Security tab - Local intranet.

- Add *.domain.com - OK.

image

- Click the Advanced tab.

- Check 'Enable Integrated Windows Authentication*'.

image

- OK

Now, in the IE browser, open http://dnsserver.domain.com:9080/maximo.

Maximo logs you in automatically as the maxadmin user.

image

I hope it will be helpful for you to configure SSO with Maximo.

Written By: Rachel Hong, IBM Australia

Reference: IBM developerWorks

Added By: Admin MaximoKB
