Sample Kerberos Setup with Valuemation

Prerequisites

  • Valuemation is running on the '/vmweb/vmweb' URL.
  • Kerberos, the rewrite module (mod_rewrite) and headers module (mod_headers) are enabled on Apache.
  • Apache is configured to send requests for the Valuemation URL to Tomcat (for example, by the 'mod_jk' Tomcat connector).
  • The Kerberos module has been configured properly on Apache.
    • The keytab file is stored in /etc/apache/keytab-vmweb.

Note: The HTTP header used for the username is named 'VM_USER' in this sample setup.

Configuration

To use Kerberos as the authentication module on Apache in front of the Valuemation servlet running on Tomcat, it is necessary to:

  1. Set up SSO and configure Valuemation to get the username from the given HTTP header.

    • Set the SSO main parameters to the following values:

      [VMWeb, VMWebSSOEnabled] = 'true'
      [VMWeb, VMWebSSOType] = 'TrustedRemoteUserName'
      [VMWeb, VMWebSSOUserHTTPHeaderName] = 'VM_USER'
      [VMWeb, VMWebSSOUsers] = '*' (or define the SSO user mapping).

    • Set 'AUTH_TYPE=AuthenticationManagerWEBLogon' in the 'AuthenticationManager.properties' file.

  2. Configure Apache to protect the Valuemation URL with the Kerberos authentication module and to set the defined HTTP header sent to Valuemation to the name of the user authenticated by the Kerberos module.

    Set the '/vmweb/vmweb' Apache location configuration as follows:

    <Location /vmweb/vmweb>
        AuthName "VMWeb Kerberos Login"
        AuthType Kerberos
        Krb5Keytab /etc/apache2/keytab-vmweb
        KrbMethodK5Passwd off
        require valid-user

        RewriteEngine on
        RewriteBase /
        RewriteCond %{REMOTE_USER} !=""
        RewriteRule .* - [E=E_USER:%{REMOTE_USER}]
        RequestHeader set VM_USER %{E_USER}e
    </Location>

    Notes:

    • The first part is the 'Kerberos protection' of the '/vmweb/vmweb' URL ('KrbMethodK5Passwd off' disables the fallback to basic authentication).
    • The second part gets the authenticated username from the Kerberos module and sets it as the value of the HTTP header 'VM_USER'.

Now if you restart Apache and restart Tomcat, SSO should work.

Note:

Kerberos performance optimization:

  • Protect only '/vmweb/login' by Kerberos
  • Set 'vmweb.servlet.workingpath' to 'vmweb'

Kerberos authentication adds some communication overhead. Protecting only the login URL is a performance enhancement, because subsequent requests do not need to be validated by Kerberos repeatedly while working with Valuemation.
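
With 'TrustedRemoteUserName', Valuemation takes the username from the 'VM_USER' header, so Apache should discard any copy of that header supplied by the client before it sets its own. The following hardened variant of the sample configuration is an added example, not part of the original Valuemation documentation; the early 'RequestHeader unset' line and the 'env=E_USER' condition are additions, and it assumes Tomcat is reachable only through this Apache instance.

```apache
# Added example, not from the Valuemation documentation.

# --- Server or virtual-host context ---
# 'early' directives run before the request path is evaluated and are
# not allowed inside <Location>, so this line sits outside the block.
# It removes a client-supplied VM_USER header on every URL of the host,
# including URLs left outside Kerberos protection when only
# '/vmweb/login' is protected.
RequestHeader unset VM_USER early

# --- Kerberos-protected Valuemation URL (as in the sample setup) ---
<Location /vmweb/vmweb>
    AuthName "VMWeb Kerberos Login"
    AuthType Kerberos
    # Path as used in the sample configuration; it must match the
    # location where the keytab file is actually stored.
    Krb5Keytab /etc/apache2/keytab-vmweb
    KrbMethodK5Passwd off
    Require valid-user

    # Copy the Kerberos-authenticated user into the E_USER variable.
    RewriteEngine on
    RewriteBase /
    RewriteCond %{REMOTE_USER} !=""
    RewriteRule .* - [E=E_USER:%{REMOTE_USER}]

    # Set the header only if E_USER was populated, so an empty or
    # placeholder value is never forwarded to Tomcat.
    RequestHeader set VM_USER %{E_USER}e env=E_USER
</Location>

# Assumption: the Tomcat connector used by mod_jk accepts connections
# from this Apache host only. If clients can reach Tomcat directly,
# the header check above is bypassed.
```

After reloading Apache, a request that carries its own 'VM_USER' header should reach Valuemation with only the Kerberos-derived value, which can be confirmed in the Tomcat access log if the header is added to the log pattern.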

See Also

SSO by Kerberos on Apache (as a sample of the HTTP header SSO method)

Kerberos Authentication Setup on Apache