4.8.4.2. eXo Platform server configuration

To make SPNEGO integration easier, eXo Platform provides a SPNEGO extension; its source code is available here.

Note

As mentioned earlier, the eXo Platform configuration should be done on Machine 2, the machine on which eXo Platform is running.

Integrating SPNEGO with eXo Platform Tomcat

  1. Build the SPNEGO extension, then copy the .jar file to $PLATFORM_TOMCAT_HOME/lib.

  2. Append this login module to the end of the $PLATFORM_TOMCAT_HOME/conf/jaas.conf file.

    
    spnego-server {
        com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        doNotPrompt=true
        useKeyTab=true
        keyTab="/etc/krb5.keytab"
        principal="HTTP/server.example.com@EXAMPLE.COM"
        useFirstPass=true
        debug=true
        isInitiator=false;
    };

    Note

    In a Windows environment, change the keytab path. For example, if the file is on the D drive, it should be: keyTab="D:/server.keytab".

  3. Configure SSO for eXo Platform by appending these configurations into the $PLATFORM_TOMCAT_HOME/gatein/conf/configuration.properties file.

    
    # SSO
    gatein.sso.enabled=true
    gatein.sso.filter.spnego.enabled=true
    gatein.sso.callback.enabled=false
    gatein.sso.skip.jsp.redirection=false
    gatein.sso.login.module.enabled=true
    gatein.sso.login.module.class=org.gatein.security.sso.spnego.SPNEGOSSOLoginModule
    gatein.sso.filter.login.sso.url=/@@portal.container.name@@/spnegosso
    gatein.sso.filter.initiatelogin.enabled=false
    gatein.sso.valve.enabled=false
    gatein.sso.filter.logout.enabled=false

  4. In a Windows environment, rename $PLATFORM_TOMCAT_HOME/bin/setenv-customize.sample.bat to $PLATFORM_TOMCAT_HOME/bin/setenv-customize.bat, then add the following line to the setenv-customize.bat file.

    SET "CATALINA_OPTS=%CATALINA_OPTS% -Djava.security.krb5.realm=EXAMPLE.COM -Djava.security.krb5.kdc=$ADMACHINE_NAME.example.com"

    Note

    $ADMACHINE_NAME is the name of the machine that has Active Directory installed.

  5. Start eXo Platform.
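
A pre-flight check for the spnego-server entry from step 2, worth running before step 5. This is an added example, not part of the eXo Platform documentation or code; the function names (jaas_opt, check_spnego_jaas, make_sample) are hypothetical and the sample configuration it can generate is constructed.

```shell
# Added example (not eXo code). Print the value of option $2 inside the
# spnego-server { ... }; entry of the JAAS file $1.
jaas_opt() {
    sed -n '/^[[:space:]]*spnego-server[[:space:]]*{/,/}[[:space:]]*;/p' "$1" |
        sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\";]*\)\"\{0,1\};\{0,1\}[[:space:]]*\$/\1/p" |
        head -n 1
}

# Return 0 when the entry in file $1 passes the checks, 1 otherwise.
check_spnego_jaas() {
    rc=0
    keytab=$(jaas_opt "$1" keyTab)
    principal=$(jaas_opt "$1" principal)
    # SPNEGO over HTTP needs a service principal of the form HTTP/<host>@<REALM>.
    case $principal in
        HTTP/?*@?*) ;;
        *) echo "FAIL: principal '$principal' is not HTTP/<host>@<REALM>"; rc=1 ;;
    esac

    # The keytab holds the service's long-term key: owner-only access.
    if [ ! -f "$keytab" ]; then
        echo "FAIL: keytab '$keytab' not found"; rc=1
    else
        mode=$(ls -ld "$keytab" | cut -c5-10)   # group + other permission bits
        [ "$mode" = "------" ] || { echo "FAIL: keytab is group/world accessible ($mode)"; rc=1; }
    fi

    # debug=true makes Krb5LoginModule print debug messages; fine during setup only.
    if [ "$(jaas_opt "$1" debug)" = "true" ]; then
        echo "WARN: debug=true, switch to false once SSO works"
    fi
    return $rc
}

# Constructed sample: writes $1/jaas.conf and an empty stand-in keytab with
# mode $2; $3 optionally overrides the principal.
make_sample() {
    : > "$1/server.keytab" && chmod "$2" "$1/server.keytab"
    cat > "$1/jaas.conf" <<EOF
spnego-server {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="$1/server.keytab"
        principal="${3:-HTTP/server.example.com@EXAMPLE.COM}"
        debug=true
        isInitiator=false;
    };
EOF
}
```

Against a real installation, run check_spnego_jaas "$PLATFORM_TOMCAT_HOME/conf/jaas.conf" as the account that runs Tomcat; a non-zero exit status means the principal or the keytab needs fixing first.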

Integrating SPNEGO with eXo Platform JBoss

  1. Build the SPNEGO extension, then copy the .jar file to $PLATFORM_JBOSS_HOME/standalone/deployments/platform.ear/lib.

  2. Add the login module "spnego-server" as a child of the <security-domains> section of the $PLATFORM_JBOSS_HOME/standalone/configuration/standalone-exo.xml file.

    
    <security-domain name="spnego-server" cache-type="default">
        <authentication>
            <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
                <module-option name="storeKey" value="true"/>
                <module-option name="doNotPrompt" value="true"/>
                <module-option name="useKeyTab" value="true"/>
                <module-option name="keyTab" value="/etc/krb5.keytab"/>
                <module-option name="principal" value="HTTP/server.example.com@EXAMPLE.COM"/>
                <module-option name="useFirstPass" value="true"/>
                <module-option name="debug" value="true"/>
                <module-option name="isInitiator" value="false"/>
            </login-module>
        </authentication>
    </security-domain>

    Note

    In a Windows environment, change the keytab path. For example, if the file is on the D drive, it should be: keyTab="D:/server.keytab".

  3. Uncomment the login module below in standalone-exo.xml, then change ${gatein.sso.login.module.enabled} and ${gatein.sso.login.module.class} to #{gatein.sso.login.module.enabled} and #{gatein.sso.login.module.class} respectively.

    
    <login-module code="org.gatein.sso.integration.SSODelegateLoginModule" flag="required">
        <module-option name="enabled" value="#{gatein.sso.login.module.enabled}"/>
        <module-option name="delegateClassName" value="#{gatein.sso.login.module.class}"/>
        <module-option name="portalContainerName" value="portal"/>
        <module-option name="realmName" value="gatein-domain"/>
        <module-option name="password-stacking" value="useFirstPass"/>
    </login-module>

  4. Configure SSO for eXo Platform by appending these configurations to the $PLATFORM_JBOSS_HOME/standalone/configuration/gatein/configuration.properties file.

    
    # SSO
    gatein.sso.enabled=true
    gatein.sso.filter.spnego.enabled=true
    gatein.sso.callback.enabled=false
    gatein.sso.skip.jsp.redirection=false
    gatein.sso.login.module.enabled=true
    gatein.sso.login.module.class=org.gatein.security.sso.spnego.SPNEGOSSOLoginModule
    gatein.sso.filter.login.sso.url=/@@portal.container.name@@/spnegosso
    gatein.sso.filter.initiatelogin.enabled=false
    gatein.sso.valve.enabled=false
    gatein.sso.filter.logout.enabled=false

  5. Start eXo Platform using the command for your operating system:

    • ./standalone.sh -Djava.security.krb5.realm=EXAMPLE.COM -Djava.security.krb5.kdc=server.example.com -b server.example.com (on Linux)

    • standalone.bat -Djava.security.krb5.realm=EXAMPLE.COM -Djava.security.krb5.kdc=$AD_MACHINE_NAME.example.com -b server.example.com (on Windows)

      Note

      $AD_MACHINE_NAME is the name of the machine that has Active Directory installed.

Next, move on to the final step: configuring the client (the browser you are using).

Copyright ©. All rights reserved. eXo Platform SAS