Single Sign-On for APEX applications using Kerberos
Document Transcript

business by integration

SINGLE SIGN-ON FOR APEX APPLICATIONS USING KERBEROS
Author: Niels de Bruijn
Version: 3.02
Date: 11.07.2014

1 INTRODUCTION

When using Oracle REST Data Services, you use the URL <hostname>/apex/f?p=xxx to get to an APEX application, where you normally have to authenticate yourself with username/password credentials. However, most end users of APEX applications have already authenticated themselves by logging on to the Windows domain, so why authenticate a second time to use the first APEX application? Wouldn't it be nice if you could point your browser to an APEX app and be instantly authenticated?

A secure way to achieve this is the Kerberos protocol, which is the same protocol Windows uses for authentication. This document describes how to install and set up the Apache module mod_auth_kerb in a Linux environment so that it performs the authentication against a Windows domain controller. Here the APEX URL (/apex) is protected, but any other web application that sits behind the Apache web server can be protected with the same approach.

Image 1: APEX architecture with Apache and Oracle REST Data Services.

We assume that you have set up a Windows domain controller with Active Directory (Windows Server 2003/2008) and that you have Windows-based client PCs that authenticate against the Windows domain. Also make sure that you have successfully installed and configured the Oracle Database with APEX 4.2.x and Oracle REST Data Services 2.0.x.

Remarks:
- It doesn't matter which operating system you use for Apache, and the server doesn't have to be a member of the Windows domain. On Windows Server 2012 you might want to use Web Application Proxy instead of Apache, which has Kerberos authentication built in.
- Use a firewall to restrict communication with the server to port 443 (HTTPS).
- If you are interested in other ways to get SSO in place, have a look at the following blog posting: apex

2 CONFIGURATION OF THE WINDOWS DOMAIN CONTROLLER

2.1 ADD AN ENTRY IN DNS FOR APACHE

First add the fully qualified domain name (FQDN) of the Apache server as an additional host name (not as an alias) in your internal DNS server. In our example we entered the FQDN of our Apache server; you can verify the entry with nslookup.

Remark: if the FQDN is registered as an alias, the browser falls back to Basic Authentication and the end user is prompted for a username/password combination.

2.2 CREATE A SERVICE USER IN ACTIVE DIRECTORY

Add a computer account, like APEX_SSO, in Active Directory. Use this account to create a keytab file with which Apache can verify the Kerberos tickets presented by users:

    ktpass -princ HTTP/ -mapuser "CN=APEX_SSO,CN=Computers,DC=mt-ag,DC=com" -crypto All -ptype KRB5_NT_SRV_HST -pass <password> -out 

Remarks:
- Our domain in this example is called MT-AG.COM, and the web address we use to access APEX through Apache is the name given behind HTTP/.
- Run the command as administrator in a command prompt on the domain controller.
- The password can be whatever you like it to be.
- The address behind HTTP/ is the web address entered in the browser by end users.
- Although we access APEX over HTTPS, you still need to specify HTTP behind -princ.
- The filename of the keytab file can be chosen freely.
- Windows Server 2003 does not know the option -crypto All, so use -crypto RC4-HMAC-NT instead.

Copy the keytab file to the Linux server where you want to install Apache. In our example, this is the directory /opt/httpkeytab.

3 CONFIGURATION OF TOMCAT 7

After installing Tomcat 7, make sure the Connector element in the file server.xml carries the following attributes:

    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               maxHeaderCount="-1" maxHttpHeaderSize="65536" URIEncoding="UTF-8" … />

Remark: failure to do so may lead to a "Page not found" message in the browser when accessing a protected URL (the Kerberos token the browser sends in the Authorization header can be several kilobytes long and would exceed the default header size), or special characters that are part of the URL may be displayed wrongly on the page.

4 CONFIGURATION OF THE APACHE SERVER

4.1 INSTALL NTP

The time on the Apache server must be kept in sync with the domain controller. You can achieve this by installing the NTP service:

    yum install ntp

Make sure that it starts automatically upon server reboot:

    chkconfig ntpd on

4.2 INSTALL APACHE WITH MOD_AUTH_KERB

By installing the module mod_auth_kerb, Apache is installed as well:

    yum install mod_auth_kerb

Make sure that Apache starts upon server reboot:

    chkconfig httpd on

This document does not describe how to configure Apache so that it can be accessed through port 443 with a valid SSL server certificate. If you need this, you can find instructions on the internet. In our example we assume that you have done this, but it is not required to get Single Sign-On to work.

4.3 CONFIGURE KERBEROS ON THE APACHE SERVER

Edit the file /etc/krb5.conf:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = MT-AG.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
     default_tkt_enctypes = rc4-hmac
     default_tgs_enctypes = rc4-hmac

    [realms]
     MT-AG.COM = {
      kdc = 
      admin_server = MT-AG.COM
      default_domain = MT-AG.COM
     }

    [domain_realm]
      = MT-AG.COM
      = MT-AG.COM

Remarks:
- After kdc you can also state multiple host names, separated by a space.
- No restart of Apache is needed, since this configuration is read each time the authentication process takes place.

4.4 PROTECT THE APEX URL IN APACHE

Add the following lines to the file /etc/httpd/conf.d/httpd.conf:

    LoadModule auth_kerb_module /usr/lib64/apache2/
    LoadModule proxy_module /usr/lib64/apache2/
    LoadModule proxy_http_module /usr/lib64/apache2/
    LoadModule headers_module /usr/lib64/apache2/

    # Redirect all requests to Oracle REST Data Services
    # In this case we use HTTP, but you can also use the AJP protocol
    ProxyPass /apex http://localhost:8080/apex
    ProxyPassReverse /apex http://localhost:8080/apex

    # Needed to make sure that the authenticated username is sent by Apache
    # as HTTP header attribute to Oracle REST Data Services
    RequestHeader set REMOTE-USER %{REMOTE_USER}s

    # Protect all APEX requests
    <Location /apex>
      AuthType Kerberos
      AuthName "Kerberos Login"
      KrbAuthRealms MT-AG.COM
      KrbServiceName HTTP/
      Krb5KeyTab /opt/httpkeytab/
      require valid-user
    </Location>

    # Static files of APEX
    Alias /i/ "/srv/www/htdocs/images/"

Save the file and restart Apache.
5 AUTOMATED AUTHENTICATION IN AN APEX APPLICATION

Within the APEX application, set up a new authentication scheme that reads the HTTP header variable "remote-user". In this setup, the domain name is stripped from the username directly after authentication, so :APP_USER gives you the username only. If you have multiple Windows domains, this might not be an option for you; in that case, simply remove "set_user" from the attribute "Post-Authentication Procedure Name". After creation, this authentication scheme automatically becomes the "current" scheme that APEX uses.

Note: if you are using an older version of APEX (< 4.2.3), the Scheme Type "HTTP Header Variable" is not available. In this case you will have to write a small PL/SQL function to achieve the same objective. Contact us if you need the code for this.

6 CONFIGURATION OF THE CLIENT PC

The web address of Apache should be listed in the intranet zone of Internet Explorer; otherwise you will be prompted for your Windows credentials when you access your APEX application.

In Firefox, go to the URL about:config and set the attribute network.negotiate-auth.trusted-uris to the web address of Apache.
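The header-to-APP_USER mapping of section 5, written out as an added Python example that is not part of this document (APEX itself does this in a PL/SQL post-authentication procedure): it covers the single-domain case where the domain is stripped and the multi-domain case where it must be kept, and treats a missing or foreign-realm header value as not authenticated. The function and parameter names are assumptions; the header is only trustworthy when Oracle REST Data Services is reachable through Apache alone, as the firewall remark in section 1 intends.

```python
# Added example (not from the document): how an APEX "HTTP Header Variable"
# scheme can map the REMOTE-USER header set by Apache/mod_auth_kerb to APP_USER.
# Names are hypothetical; mod_auth_kerb sets REMOTE_USER to user@REALM.
from typing import Optional, Set


def app_user_from_header(remote_user: Optional[str],
                         trusted_realms: Set[str],
                         strip_domain: bool = True) -> Optional[str]:
    """Return the APP_USER value, or None when the request is not authenticated.

    remote_user     value of the REMOTE-USER header forwarded by Apache
    trusted_realms  realms listed in KrbAuthRealms (e.g. {"MT-AG.COM"})
    strip_domain    the document's set_user step: True for one domain,
                    False for several, so jdoe@A.COM and jdoe@B.COM stay apart
    """
    if not remote_user or "@" not in remote_user:
        # No (or malformed) header: Apache did not authenticate this request.
        return None
    user, _, realm = remote_user.rpartition("@")
    realm = realm.upper()
    if not user or realm not in {r.upper() for r in trusted_realms}:
        # Principal from a realm Apache was not configured for: do not map it.
        return None
    # Assumption: the APEX user store is case-insensitive, so normalise here.
    user = user.upper()
    if strip_domain and len(trusted_realms) == 1:
        return user                # e.g. "JDOE"
    # Several domains (or stripping disabled): keep the realm to avoid collisions.
    return f"{user}@{realm}"       # e.g. "JDOE@MT-AG.COM"
```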
You can now access your APEX application with either Internet Explorer or Firefox without having to provide your credentials.

Important: make sure that browser requests to Apache are not routed through a proxy server. If your browser is configured to use a proxy server, make sure that an exception for the Apache web address exists; otherwise you will get a "page not found" error, because the Kerberos ticket gets lost along the way.

7 WHAT'S HAPPENING?

If you would like to see what happens in the background, set the Apache log level to debug and inspect the log files. Edit the file /etc/httpd/conf/httpd.conf and change the line containing "LogLevel" to "LogLevel debug". Save the file and restart Apache. The log files to inspect are access_log and error_log.

With the Windows 7 or Windows 8 utility klist on a client PC, you can find out which Kerberos tickets the Windows domain user currently holds. If everything was set up correctly, you should see a ticket for the HTTP/ service principal of the Apache server in the output.

Need help? You can find us here: 

Disclaimer: MT AG is not responsible for any damage, outages or loss of profit resulting from the usage of this document.
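A check for the klist step of section 7, added here as a Python example that is not from the document: it parses klist output, finds the cached ticket for the Apache service principal and reports whether its encryption type is one the keytab can decrypt, which matters when the keytab was created with -crypto RC4-HMAC-NT (the Windows Server 2003 case in section 2.2). The sample output is constructed, the host name apex-host.example is a placeholder, and the function names are assumptions.

```python
# Added example (not part of the document): check Windows "klist" output for a
# usable service ticket for the Apache SPN. Sample output below is constructed.
import re
from typing import Optional, Set

# Windows klist enctype names -> MIT names as used in krb5.conf / ktpass.
ENCTYPE_NAMES = {
    "RSADSI RC4-HMAC(NT)": "rc4-hmac",
    "AES-128-CTS-HMAC-SHA1-96": "aes128-cts-hmac-sha1-96",
    "AES-256-CTS-HMAC-SHA1-96": "aes256-cts-hmac-sha1-96",
}

SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7a1

Cached Tickets: (2)

#0>     Client: jdoe @ MT-AG.COM
        Server: krbtgt/MT-AG.COM @ MT-AG.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent
        Cache Flags: 0x1 -> PRIMARY

#1>     Client: jdoe @ MT-AG.COM
        Server: HTTP/apex-host.example @ MT-AG.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent
        Cache Flags: 0
"""


def service_ticket_enctype(klist_output: str, spn: str) -> Optional[str]:
    """Return the enctype (MIT name) of the cached ticket for spn, or None."""
    for block in re.split(r"\n(?=#\d+>)", klist_output):   # one block per ticket
        server = re.search(r"Server:\s*(\S+)\s*@\s*(\S+)", block)
        enc = re.search(r"KerbTicket Encryption Type:\s*(.+)", block)
        if server and enc and server.group(1).lower() == spn.lower():
            name = enc.group(1).strip()
            return ENCTYPE_NAMES.get(name, name)
    return None


def ticket_usable(klist_output: str, spn: str, keytab_enctypes: Set[str]) -> bool:
    """True if the client holds a ticket for spn that the keytab can decrypt.

    keytab_enctypes: enctypes present in the keytab, e.g. {"rc4-hmac"} when it
    was created with ktpass -crypto RC4-HMAC-NT.
    """
    enc = service_ticket_enctype(klist_output, spn)
    return enc is not None and enc in keytab_enctypes
```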