57.9 Configuring WNA For Use With DCC

The Kerberos authentication protocol provides a mechanism for mutual authentication between entities before a secure network connection is established.

This section provides information on how to configure Windows Native Authentication and Kerberos to use the DCC with Access Manager. It contains the following topics.

Note:

See Understanding Credential Collection and Login for details on DCC.

57.9.1 Initializing the Kerberos Protocol

You can initialize Access Manager for the Kerberos protocol.

To initialize:

  1. Run the ktpass command on the Windows data store, substituting the appropriate values for service, realm, user and user password.
    ktpass -princ <SPN>@<REALM> -pass <Password> -mapuser <UserName> -out <Keytab file name>

    For example:

    ktpass -princ HTTP/adc.example1.com@EXAMPLE.COM -pass Welcome1 -mapuser anil@example.com -out foobar2.keytab

    This command creates an SPN and maps it to the local service account given with -mapuser, which was created in the previous step.

    Note:

    Only RC4-HMAC encryption is supported; do not use DES encryption.

  2. Copy the keytab file generated by the ktpass command to an appropriate location on the DCC host machine.
  3. Modify the /etc/krb5.conf file on the DCC host machine accordingly.

    For example:

    [logging]
     default = FILE:/scratch/anikukum/krb/krb5libs.log
     kdc = FILE:/scratch/anikukum/krb/krb5kdc.log
     admin_server = FILE:/scratch/anikukum/krb/krbadmin.log

    [libdefaults]
     default_realm = EXAMPLE.COM
     ticket_lifetime = 24h
     forwardable = yes
     dns_lookup_realm = false
     dns_lookup_kdc = false
     default_tkt_enctypes = rc4-hmac
     default_tgs_enctypes = rc4-hmac
     permitted_enctypes = rc4-hmac
     clockskew = 3600

    [realms]
     EXAMPLE.COM = {
      kdc = adc.example1.com
      admin_server = adc.example1.com
      default_domain = EXAMPLE.COM
     }

    [domain_realm]
     example.com = EXAMPLE.COM
     .example.com = EXAMPLE.COM


    Note:

    For multiple domain Active Directory environments, add entries for each domain as documented below.

    [realms]
     EXAMPLE.COM = {
      kdc = adc.example1.com
      admin_server = adc.example1.com
      default_domain = EXAMPLE.COM
     }
     
     SPRITE.COM = {
      kdc = lmsib.sprite.com
      admin_server = lmsib.sprite.com
      default_domain = SPRITE.COM
     }
     
    [domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM
    sprite.com = SPRITE.COM
    .sprite.com = SPRITE.COM
    
  4. Run the kinit command on the DCC host machine to obtain a Kerberos ticket.
    kinit -k -t <keytab file> <SPN>@<Realm>


    For example:

    kinit -k -t foobar1.keytab HTTP/adc.example1.com@EXAMPLE.COM
    
  5. Validate the Kerberos ticket on the DCC host machine using the klist command.
    klist
    

57.9.2 Configuring Access Manager

You can configure Access Manager to use the Kerberos Authentication Module.

To configure:

  1. Modify the Challenge Method of the Kerberos authentication scheme to WNA, if applicable.

    1. In the Oracle Access Management Console, click Application Security at the top of the window.

    2. In the Launch Pad tab, click Authentication Schemes in the Access Manager section.

    3. Search for KerberosScheme and click Edit.

    4. Change the Challenge Redirect URL to the DCC WebGate URL.

      For example, http://<DCC-WebGate-Hostname>:<Port>/

    5. Click Apply and close the page.

  2. Set the User Identity Store of the LDAP Authentication Module to the configured Windows data store.

    1. In the Oracle Access Management Console, click Application Security at the top of the window.

    2. In the Launch Pad tab, click Authentication Modules in the Access Manager section.

    3. Search for LDAP and click Edit.

    4. Change the User Identity Store to, for example, Active Directory.

    5. Click Apply and close the page.

  3. Configure the Application Domain protecting the resource to use the Kerberos authentication scheme.

    Before accessing the protected resource, ensure that its URL is added to the Local intranet zone in the browser's Security settings. Additionally, select the Enable Integrated Windows Authentication option under Security on the Advanced tab.