Configuring Liberty

To configure Liberty for use with SPNEGO single sign-on, you have to create the Kerberos service principal name (SPN) and keytab file for the Liberty server that runs the i2 Analyze application, and edit the Liberty configuration to use SPNEGO single sign-on and the Active Directory registry.

Before you begin

To use SPNEGO single sign-on with the Liberty server that is deployed by i2 Analyze (and other Open Liberty servers), each server must use the same LTPA keys file. For more information about LTPA, see the LTPA section of the Open Liberty documentation for single sign-on.

The value that is set for the ltpakeys.password property in the credentials.properties file must match the password that is required to import the keys from the LTPA keys file. If you change the password in the credentials.properties file, you must redeploy i2 Analyze for the password change to take effect.

About this task

If you follow this procedure for a deployment that provides high availability, you must complete each step on every Liberty server in your environment before you move to the next step.

Procedure

  1. Configure Liberty to use SPNEGO single sign-on by using the first two steps in Configuring SPNEGO authentication as a reference.

    1. Create the Kerberos SPN and keytab files on the domain controller.

      Note: Ensure that the hosts file on the Active Directory server uses the full host name, including the domain name, for the i2 Analyze server. Remove any entries that use only the short name for the i2 Analyze server. The value in the hosts file must match the value that is used for the SPN, because the client builds the service ticket request from the canonical host name; a short-name entry produces a ticket for an SPN that the keytab does not contain, and SPNEGO falls back to the failover authentication type.

    2. Configure the server that hosts Liberty, and Liberty itself.

  2. Configure Liberty to use the Microsoft Active Directory registry by using the instructions in Configuring LDAP user registries with Liberty as a reference. (Configuring Open Liberty is identical to configuring IBM WebSphere Liberty here.)

    1. Complete Step 1 to add the features to the i2analyze\deploy\wlp\usr\servers\opal-server\server.xml file.

    2. Complete Step 4 by using the Microsoft Active Directory Server example to populate the <ldapRegistry> element.

      Note: This information does not cover the configuration of Secure Sockets Layer (SSL) between Liberty and Active Directory. Do not include the <ssl> and <keyStore> elements from the example in your server.xml file. Be aware that without SSL/TLS the bind credentials in the <ldapRegistry> element and all directory traffic cross the network in clear text, so confine the Liberty-to-domain-controller connection to a trusted network segment until you configure SSL separately.

    3. Ensure that the mapping between Active Directory and the i2 Analyze security schema is correct. Add the following code after the <ldapRegistry> element in the server.xml file:

      <federatedRepository>
        <primaryRealm name="">
          <participatingBaseEntry name=""/>
          <groupSecurityNameMapping inputProperty="cn" outputProperty="cn"/>
        </primaryRealm>
      </federatedRepository>

      Populate the empty name attribute values by using the following information:

      • The <primaryRealm> element's name attribute has the same value as the realm attribute of the <ldapRegistry> element.

      • The <participatingBaseEntry> element's name attribute has the same value as the baseDN attribute of the <ldapRegistry> element.
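      The following server.xml fragment is an added example, not code from the i2 Analyze documentation or from the i2 Analyze deployment toolkit; it shows what the opal-server configuration can look like after steps 1.2 and 2 are complete, so that the relationships between the SPN, the registry realm, the base DN and the <federatedRepository> element are visible in one place. The feature names and element attributes are standard Open Liberty configuration. The host names, realm name, DNs, service account, file paths and the SPNEGO attribute values are assumptions for illustration; replace them with the values for your domain.

```xml
<!-- Added example (not the i2 Analyze project's own server.xml).
     All host names, DNs, realm and account names, and paths are assumed values. -->
<server>
  <featureManager>
    <feature>spnego-2.0</feature>
    <feature>ldapRegistry-3.0</feature>
    <feature>federatedRegistry-1.0</feature>
  </featureManager>

  <!-- Step 1.2: SPNEGO. servicePrincipalNames must match the SPN that the keytab
       on the domain controller was generated for, and the host part must be the
       fully qualified name that the hosts file and DNS resolve for this server. -->
  <spnego id="i2AnalyzeSpnego"
          servicePrincipalNames="HTTP/i2analyze.example.com"
          krb5Config="${server.config.dir}/resources/security/krb5.conf"
          krb5Keytab="${server.config.dir}/resources/security/i2analyze.keytab"
          canonicalHostName="true"
          skipForUnprotectedURI="true" />

  <!-- Step 2.2: Active Directory registry. No <ssl> or <keyStore> elements, as the
       note above states. The bindPassword value should be the output of
       "bin/securityUtility encode" rather than the clear-text password; note that
       the default {xor} encoding is obfuscation only, not encryption, so the
       server.xml file itself still needs restrictive file permissions. -->
  <ldapRegistry id="activeDirectory"
                realm="ExampleADRealm"
                host="dc01.example.com" port="389"
                ignoreCase="true"
                baseDN="dc=example,dc=com"
                bindDN="cn=svc-i2analyze,ou=Service Accounts,dc=example,dc=com"
                bindPassword="{xor}ENCODED_PASSWORD"
                ldapType="Microsoft Active Directory">
    <!-- Liberty's default filters for Microsoft Active Directory, shown
         explicitly so the attribute that becomes the user name is visible. -->
    <activedLdapFilterProperties
        userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
        groupFilter="(&amp;(cn=%v)(objectcategory=group))"
        userIdMap="user:sAMAccountName"
        groupIdMap="*:cn"
        groupMemberIdMap="memberOf:member" />
  </ldapRegistry>

  <!-- Step 2.3: the primaryRealm name repeats the realm attribute and the
       participatingBaseEntry name repeats the baseDN attribute, character for
       character. A mismatch here means users authenticate through SPNEGO but
       the i2 Analyze security schema cannot resolve their groups. -->
  <federatedRepository>
    <primaryRealm name="ExampleADRealm">
      <participatingBaseEntry name="dc=example,dc=com"/>
      <groupSecurityNameMapping inputProperty="cn" outputProperty="cn"/>
    </primaryRealm>
  </federatedRepository>
</server>
```

      After the server starts, a quick check is that an authenticated request to a protected i2 Analyze URL from a domain-joined workstation succeeds without a password prompt, and that a request from a client without a Kerberos ticket is handled according to the SPNEGO failover settings rather than being silently accepted. A Liberty message about the keytab or SPN at startup almost always means that the servicePrincipalNames value and the ktpass-generated principal differ in host name or case.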

By default, all requests to access protected resources use SPNEGO authentication. If you previously deployed i2 Analyze with basic authentication, you must ensure that the basic registry is not present in the user.registry.xml file.

  3. Using an XML editor, either remove or comment out the complete <basicRegistry> element in the i2analyze\deploy\wlp\usr\shared\config\user.registry.xml file.