If you are using LDAP, you can configure SSO (single sign-on). This enables access to all ARIS runnables as soon as a user has logged in once to the domain.
Kerberos is a network authentication protocol that allows nodes communicating over an untrusted network to prove their identity to each other securely. It is the recommended method for user authentication in Microsoft® Windows networks, where it replaces the outdated and comparatively weak NT LAN Manager (NTLM) protocol. It is also widely used on Linux and is available for all major platforms, and it provides strong authentication for client/server applications such as web applications, where the browser is the client.
Please contact your LDAP administrator before you change any configuration.
Prerequisite
Server
Client
The following steps must be taken to use SSO:
Procedure
You have configured SSO on the client side.
Creating a technical user
A technical user is used to validate Kerberos tickets against the Microsoft® Active Directory Domain Services. This user must be created in the Microsoft® Active Directory Domain Services and a keytab file must be created for this user.
A keytab file contains a list of principals and their keys. With it, the technical user can log on to Microsoft® Active Directory Domain Services without being prompted for a password; the most common use of keytab files is to let scripts authenticate against Active Directory Domain Services without human interaction and without storing a password in a plain-text file. Anyone with read permission on a keytab can use every key it contains, so restrict and monitor the permissions on any keytab file you create. Because the keys are derived from the technical user's password, the keytab must be recreated whenever that password changes.
A keytab file can be created with the ktab command-line tool shipped with the JRE, passing the following parameters (ktab prompts for the technical user's password if it is not given on the command line):
ktab -a <TECHUSER_USER_PRINCIPAL_NAME> -n 0 -append -k umc.keytab, for example: ktab -a aristechuser@MYDOMAIN.COM -n 0 -append -k umc.keytab
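The following is an added example, not part of the ARIS documentation or product, that shows what a keytab actually holds and lets you verify it offline: it implements the MIT keytab file format (version 0x0502, big-endian fields) with a small writer so the parser can be exercised on a constructed file, lists principal, key version number and encryption type per entry without printing key material, and performs the exact, case-sensitive principal match that the Service Principal Name configured later in ARIS Administration must satisfy. The principal names and key bytes in SAMPLE_ENTRIES are constructed for illustration.

```python
"""Inspect a Kerberos keytab to confirm which principals, key version
numbers and encryption types it actually holds.

Added example for this page; it is not ARIS product code. It implements the
MIT keytab file format (version 0x0502, big-endian fields) plus a small writer
so the parser can be exercised offline. The principal names and key bytes in
SAMPLE_ENTRIES are constructed for illustration.
"""
import struct

# Kerberos encryption type numbers from the IANA registry, for display.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

# Constructed sample: keys for the technical user written with kvno 0
# (as `ktab -n 0` does) plus a service key with kvno 3.
SAMPLE_ENTRIES = [
    ("aristechuser@MYDOMAIN.COM", 0, 18, bytes(range(32))),
    ("aristechuser@MYDOMAIN.COM", 0, 23, bytes(range(16))),
    ("HTTP/aris.mydomain.com@MYDOMAIN.COM", 3, 17, bytes(range(16, 32))),
]


def _counted(data: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples as a 0x0502 keytab.

    principal is "comp1/comp2@REALM"; name components are split on '/'.
    """
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">I", 1)             # name_type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)             # timestamp (constructed: 0)
        body += struct.pack(">B", kvno & 0xFF)   # vno8
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)          # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes) -> list:
    """Return one dict per live entry: principal, kvno, enctype, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size

        def take():                  # read one counted_octet_string
            nonlocal pos
            (n,) = struct.unpack_from(">H", data, pos)
            pos += 2
            s = data[pos:pos + n]
            pos += n
            return s

        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = take().decode()
        comps = [take().decode() for _ in range(ncomp)]
        pos += 8                     # name_type and timestamp, not needed here
        kvno = data[pos]             # vno8
        pos += 1
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key = take()
        if end - pos >= 4:           # 32-bit vno present; non-zero overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "key": bytes(key)})
    return entries


def has_principal(entries, name: str) -> bool:
    """Exact, case-sensitive match; realm names are case-sensitive in Kerberos."""
    return any(e["principal"] == name for e in entries)


def describe(entries) -> list:
    """One line per key, like `ktab -l`, without exposing key material."""
    return ["%s kvno=%d %s" % (e["principal"], e["kvno"],
                              ENCTYPE_NAMES.get(e["enctype"], "enctype %d" % e["enctype"]))
            for e in entries]


if __name__ == "__main__":
    for line in describe(parse_keytab(build_keytab(SAMPLE_ENTRIES))):
        print(line)
```

To check a real umc.keytab, read the file in binary mode and pass the bytes to parse_keytab; if has_principal returns False for the name you intend to configure, the mismatch is in case, realm or instance, not in the server settings.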
Configuration options in ARIS Administration
You need to configure SSO for the servers.
You have the Technical configuration administrator function privilege.
Procedure
If you do not have a Kerberos configuration file, take the krb5.conf from your installation media under Add-ons\Kerberos. Name it, for example, krb5.conf, add the following lines, and adjust the configuration to meet your requirements. Note that the list below also permits the DES and RC4 encryption types, which are deprecated; remove the types that your domain does not need.
[libdefaults]
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac arcfour-hmac arcfour-hmac-md5
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac arcfour-hmac arcfour-hmac-md5
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac arcfour-hmac arcfour-hmac-md5
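The enctype lists above accept everything from single DES to AES-256, so a downgraded ticket would still be validated. The following is an added example, not part of the ARIS installation media or its krb5.conf, that places the permissive [libdefaults] block beside an AES-only one and parses both to report which deprecated types each still allows. The classification follows RFC 6649 (DES) and RFC 8429 (RC4 and triple DES); the realm name MYDOMAIN.COM is constructed. Before removing RC4, make sure the technical user's Active Directory account has the "This account supports Kerberos AES 128/256 bit encryption" options set, otherwise the KDC will keep issuing RC4 service tickets that the hardened configuration rejects.

```python
"""Report deprecated Kerberos encryption types in a krb5.conf [libdefaults].

Added example for this page, not part of the ARIS installation media. Both
configurations are constructed; WEAK_ENCTYPES follows RFC 6649 (DES) and
RFC 8429 (RC4 and triple DES).
"""
import re

WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1",
    "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

# The lists as shown on the page (constructed copy).
PERMISSIVE_CONF = """\
[libdefaults]
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac arcfour-hmac arcfour-hmac-md5
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac arcfour-hmac arcfour-hmac-md5
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 aes128-cts aes128-cts-hmac-sha1-96 aes256-cts aes256-cts-hmac-sha1-96 rc4-hmac arcfour-hmac arcfour-hmac-md5
"""

# AES only. aes256-cts-hmac-sha1-96 needs a JDK whose crypto policy allows
# 256-bit keys; drop it if you are limited to AES-128.
HARDENED_CONF = """\
[libdefaults]
default_realm = MYDOMAIN.COM
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""


def libdefaults(conf: str) -> dict:
    """Parse `key = value` lines inside the [libdefaults] section."""
    section, out = None, {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # krb5.conf uses # comments
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip()
    return out


def weak_enctypes(conf: str) -> dict:
    """Map each enctype setting to the deprecated types it lists, in order."""
    settings = libdefaults(conf)
    return {key: [t for t in settings.get(key, "").split() if t in WEAK_ENCTYPES]
            for key in ENCTYPE_KEYS}


def is_hardened(conf: str) -> bool:
    """True when none of the three enctype settings allows a deprecated type."""
    return not any(weak_enctypes(conf).values())


if __name__ == "__main__":
    for label, conf in (("permissive", PERMISSIVE_CONF), ("hardened", HARDENED_CONF)):
        print(label, "hardened" if is_hardened(conf) else weak_enctypes(conf))
```

Run the same check on the krb5.conf you deploy (read the file and pass its contents to weak_enctypes); an empty list for all three keys means no downgrade to DES or RC4 can be negotiated through this file.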
If the Service Principal Name in the keytab is, for example, mypc01@MY.DOMAIN.COM, the value of the property com.company.aris.umc.kerberos.servicePrincipalName must contain that Service Principal Name exactly as it appears in the keytab file, including the case of the realm.
Example: MYDOMAIN.COM.
The Kerberos debug output of the runnable that the user logs in to is written to that runnable's system.out file. For user management, for example, this is located in the directory <ARIS installation directory>/work_umcadmin_m/base/logs.
You have configured SSO using Kerberos in ARIS Administration.
Client configuration
Configure the browser settings to allow SSO. SSO has been tested with the following browsers:
You need to empty the Kerberos ticket cache of each client first, so that obsolete tickets are not used if Microsoft® Active Directory Domain Services have been changed. Delete the Kerberos ticket cache by executing the command klist purge. If klist is not available on the client computer, you can also simply log the client computer off from the domain and log in again.
Microsoft® Internet Explorer®
Microsoft® Internet Explorer® supports Kerberos authentication only if the ARIS Server is part of your local intranet.
Procedure
Mozilla Firefox®
In Mozilla Firefox®, you define the sites trusted for SSO in the network.negotiate-auth.trusted-uris preference (about:config), using the computer name, IP address, or a combination of both. You can use wildcards.
Procedure
If you want to use encryption stronger than 128-bit AES (for example the aes256-cts-hmac-sha1-96 ticket encryption type) and this is permitted in your country, replace the JCE policy files of the JDK used by your ARIS Server with the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for your JDK version (for Java 6, the "Policy Files 6"). This removes the key-length limit. JDK 8u161 and later, and JDK 9 and later, ship with the unlimited policy enabled by default, so no replacement is needed there.
If you cannot replace the policy files but still want to use SSO, limit the Kerberos ticket encryption to a type the JDK's default policy permits, for example 128-bit AES.