Configure Single Sign On for Cloud Control 13c against Active Directory

Posted by Dirk Nachbar on Monday, August 21, 2017
In many cases you want to use your Microsoft Active Directory Login to be authenticated against your Oracle Cloud Control 13c.

Here is a step-by-step guide to implementing Single Sign On for your Oracle Cloud Control against Microsoft Active Directory.

Let's assume the following environment:

  • AD Domain = DEMO.COM
  • Microsoft AD Server = adserver.demo.com
  • AD LDAP Port = 389
  • Cloud Control 13c Server = cloudcontrol13c.demo.com

Windows Steps


Connect to the Windows server hosting your Active Directory and execute the following steps.

1. Create a corresponding Service Account for the Oracle Management Server (OMS) in your Active Directory:


Name the service account after your Cloud Control server (the dsadd option is -pwdneverexpires):
dsadd user="cn=<ServiceAccountName>,cn=users,dc=<Domain>,dc=<TLD>" -disabled no -pwd <Password for ServiceAccountName> -canchpwd no -mustchpwd no -pwdneverexpires yes

# For Example
dsadd user="cn=cloudcontrol13c,cn=users,dc=demo,dc=com" -disabled no -pwd Welcome1 -canchpwd no -mustchpwd no -pwdneverexpires yes

2. Create a keytab file:


# The Kerberos realm after the @ is the AD domain in upper case
ktpass -princ HTTP/<ServiceAccountName>.<Domain>.<TLD>@<DOMAIN>.<TLD> -mapuser <ServiceAccountName> -crypto all -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab

# For Example:
ktpass -princ HTTP/cloudcontrol13c.demo.com@DEMO.COM -mapuser cloudcontrol13c -crypto all -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab

Afterwards, transfer the keytab file krb5.keytab created above to your Cloud Control 13c server. The keytab contains the service account's Kerberos key, so copy it over a secure channel and restrict its file permissions to the OMS owner.

Cloud Control Steps


Now connect to the server hosting your Oracle Cloud Control 13c and perform the following steps.

1. Create the Active Directory Authentication Provider


emctl config auth ad -ldap_host "<AD-Servername>" -ldap_port "<LDAP-PORT>" \
-ldap_principal "cn=<ServiceAccountName>,cn=users,dc=<Domain>,dc=<TLD>" -ldap_credential "<Password for ServiceAccountName>" \
-user_base_dn "cn=users,dc=<Domain>,dc=<TLD>" -group_base_dn "cn=groups,dc=<Domain>,dc=<TLD>" \
-sysman_pwd "<SYSMAN Password>"

# For Example:
emctl config auth ad -ldap_host "adserver.demo.com" -ldap_port "389" \
-ldap_principal "cn=cloudcontrol13c,cn=users,dc=demo,dc=com" -ldap_credential "Welcome1" \
-user_base_dn "cn=users,dc=demo,dc=com" -group_base_dn "cn=groups,dc=demo,dc=com" \
-sysman_pwd "Welcome1"

# Now restart your OMS
emctl stop oms -all
emctl start oms

After the restart of your OMS, connect to the WebLogic Server Console of your Oracle Cloud Control 13c, usually on SSL port 7101 (https://<CloudControlServer>:7101/console).
In the Domain Structure, select "Security Realms" and navigate to "Providers / Authentication".

Open the authentication provider EM_AD_Provider and navigate to "Configuration / Provider Specific".



Adjust the following attributes (first activate the "Lock & Edit" mode in the Change Center):

Original Attributes:
  • All Users Filter: <empty>
  • User From Name Filter: (&(cn=%u)(objectclass=user))
  • User Name Attribute: cn
  • User Object Class: user
New Attributes:
  • All Users Filter: (&(sAMAccountName=*)(objectclass=user))
  • User From Name Filter: (&(sAMAccountName=%u)(objectclass=user))
  • User Name Attribute: sAMAccountName
  • User Object Class: user
Save the modifications and activate them in the Change Center.

2. Create the JAAS Configuration File krb5Login.conf

The next step is to create the required JAAS configuration file krb5Login.conf within the DOMAIN_HOME of your Cloud Control 13c. The principal must match exactly the one you passed to ktpass, and keyTab must point to the transferred keytab file.

# for Oracle (SUN) JDK
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/cloudcontrol13c.demo.com@DEMO.COM"
    useKeyTab=true keyTab=/etc/krb5.keytab
    storeKey=true debug=true;
};
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/cloudcontrol13c.demo.com@DEMO.COM"
    useKeyTab=true keyTab=/etc/krb5.keytab
    storeKey=true debug=true;
};

# For IBM JDK (under AIX)
com.ibm.security.jgss.krb5.initiate {
    com.ibm.security.auth.module.Krb5LoginModule REQUIRED
    principal="http/cloudcontrol13c.demo.com"
    useKeytab="FILE:/etc/krb5.keytab"
    credsType=initiator
    debug=true;
};
com.ibm.security.jgss.krb5.accept {
    com.ibm.security.auth.module.Krb5LoginModule REQUIRED
    principal="http/cloudcontrol13c.demo.com"
    useKeytab="FILE:/etc/krb5.keytab"
    credsType=acceptor
    debug=true;
};

3. Adjust setDomainEnv.sh

Now we need to adjust setDomainEnv.sh in the DOMAIN_HOME/bin directory. Search for these two lines:
EXTRA_JAVA_PROPERTIES="-Djavax.management.builder.initial=weblogic.management.jmx.mbeanserver.WLSMBeanServerBuilder ${EXTRA_JAVA_PROPERTIES}"
export EXTRA_JAVA_PROPERTIES
and add the following block directly below them:

if [ "${SERVER_NAME}" = "EMGC_OMS1" ] ; then
     EXTRA_JAVA_PROPERTIES="-Djava.security.krb5.realm=<Domain>.<TLD> -Djava.security.krb5.kdc=<AD-Servername> -Djava.security.auth.login.config=<Path to krb5Login.conf>/krb5Login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true ${EXTRA_JAVA_PROPERTIES}"
     export EXTRA_JAVA_PROPERTIES
fi

# For Example:
if [ "${SERVER_NAME}" = "EMGC_OMS1" ] ; then
     EXTRA_JAVA_PROPERTIES="-Djava.security.krb5.realm=DEMO.COM -Djava.security.krb5.kdc=adserver.demo.com -Djava.security.auth.login.config=/u00/app/oracle/product/gc_inst_13cR1/user_projects/domains/GCDomain/krb5Login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true ${EXTRA_JAVA_PROPERTIES}"
     export EXTRA_JAVA_PROPERTIES
fi
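A frequent cause of a silently failing Negotiate login is a mismatch between the three places the Kerberos identity is spelled out: the ktpass principal, the principal in krb5Login.conf (step 2) and the -D properties in setDomainEnv.sh (step 3). The following checker is an added example written for this post, not part of the original article or of any Oracle tool; it parses constructed copies of the two files and reports inconsistencies (lower-case realm, SPN not matching the OMS host, realm or flags differing between the files).

```python
import re

# Constructed sample inputs mirroring the values used in this post (not real hosts).
SAMPLE_JAAS = """
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/cloudcontrol13c.demo.com@DEMO.COM"
    useKeyTab=true keyTab=/etc/krb5.keytab
    storeKey=true debug=true;
};
"""
SAMPLE_DOMAINENV = ('EXTRA_JAVA_PROPERTIES="-Djava.security.krb5.realm=DEMO.COM '
                    '-Djava.security.krb5.kdc=adserver.demo.com '
                    '-Djava.security.auth.login.config=/path/to/krb5Login.conf '
                    '-Djavax.security.auth.useSubjectCredsOnly=false '
                    '-Dweblogic.security.enableNegotiate=true ${EXTRA_JAVA_PROPERTIES}"')

def jaas_principal(conf, block="com.sun.security.jgss.krb5.accept"):
    """Return the principal="..." value inside the named JAAS block, or None."""
    m = re.search(re.escape(block) + r"\s*\{(.*?)\};", conf, re.S)
    if not m:
        return None
    p = re.search(r'principal\s*=\s*"([^"]+)"', m.group(1))
    return p.group(1) if p else None

def java_props(line):
    """Parse the -Dkey=value pairs from an EXTRA_JAVA_PROPERTIES assignment."""
    return dict(re.findall(r'-D([\w.]+)=([^\s"]+)', line))

def check_sso_config(conf, env_line, oms_host):
    """Return a list of findings; an empty list means the files agree."""
    principal = jaas_principal(conf)
    if principal is None or "@" not in principal:
        return ["JAAS accept block has no principal of the form HTTP/host@REALM"]
    spn, realm = principal.rsplit("@", 1)
    props = java_props(env_line)
    findings = []
    if spn != f"HTTP/{oms_host}":                       # must equal the ktpass SPN
        findings.append(f"SPN {spn} does not match HTTP/{oms_host}")
    if realm != realm.upper():                          # Kerberos realms are upper case
        findings.append(f"realm {realm} should be upper case")
    if props.get("java.security.krb5.realm") != realm:
        findings.append("java.security.krb5.realm differs from the JAAS principal realm")
    if "java.security.krb5.kdc" not in props:
        findings.append("no java.security.krb5.kdc configured")
    if props.get("javax.security.auth.useSubjectCredsOnly") != "false":
        findings.append("useSubjectCredsOnly must be false so the keytab is used")
    if props.get("weblogic.security.enableNegotiate") != "true":
        findings.append("weblogic.security.enableNegotiate is not true")
    return findings
```

Run it with the real krb5Login.conf and the EXTRA_JAVA_PROPERTIES line from setDomainEnv.sh before restarting the OMS; the SPN reported by `klist -kt /etc/krb5.keytab` on the OMS host should equal the JAAS principal as well.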

4. Configure Single Sign On within OMS

The next step is to create an external role within OMS. This external role must be named exactly like the corresponding AD group for the OMS users:

emcli create_role -name="oracle_dba" -type="EXTERNAL_ROLE" -desc="Active Directory Group for oracle_dba"

Now configure SSO for the OMS:

emctl set property -name oracle.sysman.core.security.sso.type -value "OTHER"
emctl set property -name oracle.sysman.core.security.auth.is_external_authentication_enabled -value "true"
emctl set property -name oracle.sysman.emSDK.sec.DirectoryAuthenticationType -value "SSO"
emctl set property -name oracle.sysman.core.security.auth.autoprovisioning -value "true"

After that perform a restart of your OMS:

emctl stop oms -all
emctl start oms

Now, when you connect to Cloud Control 13c for the first time and log in with your AD user, the SSO user is created automatically within Cloud Control 13c, and from then on you can log in with your AD user and the corresponding AD password.