Summary
This article provides the steps that are performed for each server that will run Palamida (FlexNet Code Insight) 6.8.x or 6.10.x with Single Sign-on.
Synopsis
The following steps are performed for each server that will run FlexNet Code Insight 6.8.x or 6.10.x with Single Sign-on. Additional/Required Materials: the attached .zip, which includes a Readme, palamida_metadata.sh, palamida_metadata.bat, palamida_replace.vbs, and sp_metadata_template.xml.
Discussion
How to Prepare a Server for Palamida SSO
The following steps are performed for each server that will run Palamida 6.8.x or 6.10.x with Single Sign-on:
- Create a keystore and certificate for HTTPS
- Use the same or another keystore for SSO or use the default keystore provided with the Palamida product
- Create Service Provider (SP) metadata
- Configure the Identity Provider (IdP)
- Configure the Palamida Product
Keystore
The steps below create a keystore that can be used for HTTPS and optionally for SSO. See the Appendix for the changes required to server.xml to define an HTTPS port.
Creating a Keystore
The keytool command examples below use these placeholders:
- myKey: the alias of the key entry in the keystore
- myKeystore.jks: the keystore file
- myHost: the fully qualified hostname of the server, which becomes the certificate's Common Name
- myCertificate.p7b: the certificate file returned by your Certificate Authority
Enter appropriate names for these placeholders.
To create a keystore and alias, enter:
keytool -genkey -alias myKey -keyalg RSA -sigalg SHA256withRSA -validity 3600 -keysize 2048 -keystore myKeystore.jks
You will be prompted for a keystore password. For "What is your first and last name?", enter myHost. This must be the fully qualified hostname that users and the IdP will use in the URL, e.g. myserver.palamida.com; a certificate whose name does not match the URL produces browser certificate warnings. Current browsers also expect the hostname in a Subject Alternative Name, which keytool adds when you append -ext SAN=dns:myserver.palamida.com to the -genkey and -certreq commands. When prompted for a password for the key, hit return to use the same password as for the keystore.
To generate a CSR into a file myKey.csr, enter:
keytool -certreq -keyalg RSA -alias myKey -file myKey.csr -keystore myKeystore.jks
Request a 2048-bit certificate from your Certificate Authority, sending the CSR contained in the file.
To import the certificate, enter:
keytool -import -trustcacerts -alias myKey -file myCertificate.p7b -keystore myKeystore.jks
You receive the certificate from the authority in a p7b file. Use that file in place of myCertificate.p7b above.
If the CA requires additional intermediate or root certificates that were not included in the .p7b, import each one under its own alias. keytool uses the alias mykey when -alias is omitted, so a second import without -alias fails with "alias <mykey> already exists". caCert below is a placeholder alias:
keytool -import -trustcacerts -alias caCert -file certificateFile -keystore myKeystore.jks
Self-signed Certificate
The following command creates a self-signed certificate and private key under the alias myself and stores them in the keystore self_keystore.jks. In this example both the private key password and the keystore password are Password123; replace them with your own values. Because -keypass and -storepass are given on the command line they are recorded in the shell history, so on a shared machine omit them and let keytool prompt instead:
keytool -genkey -keyalg RSA -sigalg SHA256withRSA -alias myself -keypass Password123 -keystore self_keystore.jks -storepass Password123 -validity 3600 -keysize 2048
Default Service Provider
If you do not require signing and encryption for SSO, you can use the default keystore and simplified SP metadata setup. Any machine can be used to create the metadata.
For Windows, place in a directory:
palamida_metadata.bat palamida_replace.vbs sp_metadata_template.xml
then run:
palamida_metadata.bat "entity_id" "server_url" SPMetadata.xml
For Linux, place in a directory:
palamida_metadata.sh sp_metadata_template.xml
then run:
bash ./palamida_metadata.sh entity_id server_url SPMetadata.xml
Where:
- entity_id uniquely identifies the Palamida server to the IdP
- server_url is https://<host>:<port>
Note that port is an https port and server_url does not contain /palamida.
Examples:
palamida_metadata.bat "ww:xx:yy:zz" "https://myhost.intranet.palamida.com:8443" SPMetadata.xml
bash ./palamida_metadata.sh ww:xx:yy:zz https://myhost.intranet.palamida.com:8443 SPMetadata.xml
Custom Service Provider
This section applies when you want to use a certificate to sign and/or encrypt the SAML messages exchanged between the SP and IdP. The Spring Security SAML Extension web application generates SP metadata according to your input. To configure the application, locate the keyManager bean definition in the file:
<palamidaInstallPath>/tomcat/webapps/spring-security-saml2-sample/WEB-INF/securityContext.xml
The definition is similar to:
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="classpath:security/myKeystore.jks"/>
    <constructor-arg type="java.lang.String" value="myKeystorePassword"/>
    <constructor-arg>
        <map>
            <entry key="myAlias" value="myAliasPassword"/>
        </map>
    </constructor-arg>
    <constructor-arg type="java.lang.String" value="myAlias"/>
</bean>
Set myKeystore, myKeystorePassword, myAlias and myAliasPassword to your values in securityContext.xml.
Copy myKeystore.jks to:
<palamidaInstallPath>/tomcat/webapps/spring-security-saml2-sample/WEB-INF/classes/security
To run the web application, enter: http://<hostname>:<port>/spring-security-saml2-sample
Click through Metadata Administration > Login > Generate new service provider metadata.
The input values are:
Generate the metadata and save the text box under the Metadata label to SPMetadata.xml. Save the text box under the Configuration label to Extended.xml. If you want signing but not encryption, edit SPMetadata.xml and find the <md:KeyDescriptor use="encryption"> element. This should be the second <md:KeyDescriptor> in the file. Carefully remove everything from <md:KeyDescriptor use="encryption"> through its closing </md:KeyDescriptor> inclusive, leaving the use="signing" descriptor in place.
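A check for the SP metadata produced by either procedure above, written as an added example for this article (it is not code from the original page or from the Palamida product). It parses the metadata, verifies that every AssertionConsumerService Location sits under the https server_url given to the metadata script (the constraint stated in the Default Service Provider section), and performs the signing-only edit from the preceding paragraph on the parsed XML tree rather than by hand, so the KeyDescriptor element boundaries are respected. The sample metadata is constructed inline; its /palamida/saml/SSO consumer path and certificate bodies are placeholders, not values from a real deployment.

```python
"""Check and edit SAML SP metadata for Palamida SSO.

Added example, not part of the original article or the Palamida product.
Standard library only.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed sample SP metadata. The entityID and host match the article's
# examples; the /palamida/saml/SSO consumer path and the certificate bodies
# are placeholders (assumptions), not values taken from a real deployment.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="ww:xx:yy:zz">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...signing-cert-placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...encryption-cert-placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://myhost.intranet.palamida.com:8443/palamida/saml/SSO"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def key_descriptor_uses(xml_text):
    """Return the use= attribute of each KeyDescriptor, in document order.

    A KeyDescriptor with no use attribute is valid SAML and means the key
    serves both signing and encryption; it is reported here as None.
    """
    root = ET.fromstring(xml_text)
    return [kd.get("use") for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor")]


def strip_encryption_key_descriptor(xml_text):
    """Remove the use="encryption" KeyDescriptor and keep the signing one.

    This is the "signing but not encryption" edit the article describes,
    done on the parsed tree so the result stays well-formed. Returns
    (new_xml_text, number_removed) and refuses to continue unless exactly
    one encryption descriptor was found, so unexpected metadata is left
    for a human to inspect instead of being silently altered.
    """
    root = ET.fromstring(xml_text)
    removed = 0
    for sp in root.iter(f"{{{MD_NS}}}SPSSODescriptor"):
        for kd in list(sp.findall(f"{{{MD_NS}}}KeyDescriptor")):
            if kd.get("use") == "encryption":
                sp.remove(kd)
                removed += 1
    if removed != 1:
        raise ValueError(f"expected one encryption KeyDescriptor, found {removed}")
    return ET.tostring(root, encoding="unicode"), removed


def acs_locations_not_under(xml_text, server_url):
    """Return AssertionConsumerService Locations that are not https URLs
    below server_url.

    server_url is the value passed to palamida_metadata.sh / .bat:
    https://<host>:<port> with no path. Every consumer endpoint must sit
    under it, or the IdP will post assertions to a URL this server does
    not serve.
    """
    base = server_url.rstrip("/") + "/"
    root = ET.fromstring(xml_text)
    bad = []
    for acs in root.iter(f"{{{MD_NS}}}AssertionConsumerService"):
        loc = acs.get("Location", "")
        if not (loc.startswith("https://") and loc.startswith(base)):
            bad.append(loc)
    return bad


if __name__ == "__main__":
    print("key uses before:", key_descriptor_uses(SAMPLE_SP_METADATA))
    signed_only, n = strip_encryption_key_descriptor(SAMPLE_SP_METADATA)
    print("removed", n, "descriptor(s); key uses after:", key_descriptor_uses(signed_only))
    print("bad ACS locations:", acs_locations_not_under(
        signed_only, "https://myhost.intranet.palamida.com:8443"))
```

To use it on a real file, read SPMetadata.xml into a string, pass it to the two functions, and write the returned text back only when acs_locations_not_under returns an empty list.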
Identity Provider
Send SPMetadata.xml to the responsible party for configuring the IdP. Receive IdP metadata from the IdP. This could come through email or by downloading from the IdP server. In any case, save the data as IDPMetadata.xml.
Palamida Product
If you used the Default SP Metadata procedure, go to Config.
The keyManager bean definition references:
- myKeystore.jks: the keystore file
- myKeystorePassword: the keystore file password
- myAlias: the alias or key entry in the file
- myAliasPassword: the alias password
To configure the product for your keystore, set the following values in /config/core/core.sso.properties:
saml.keystore=file:///c:/<path>/myKeystore.jks
saml.keystore.password=myKeystorePassword
saml.keystore.alias=myAlias
saml.keystore.alias.password=myAliasPassword
You saved the file Extended.xml when you generated the metadata. For each <property> in the second bean definition in Extended.xml whose value differs from the corresponding saml.metadata.<name> entry in core.sso.properties, replace that entry's value and uncomment it. For example, for:
<property value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" name="signingAlgorithm"/>
Set
saml.metadata.signingAlgorithm=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
Place myKeystore.jks in the location you specified for saml.keystore.
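The property merge described above, as an added example that is not part of the original article or the product: it reads the <property name="..." value="..."/> entries of the ExtendedMetadata bean in Extended.xml and, for each one, rewrites the matching saml.metadata.<name> line in core.sso.properties, uncommenting it where needed and leaving lines that already match untouched. Both input files are constructed samples with placeholder values. Selecting the bean by a class attribute ending in .ExtendedMetadata, and appending a property that has no line in the file at all, are this example's assumptions rather than anything the article states.

```python
"""Merge ExtendedMetadata properties from Extended.xml into core.sso.properties.

Added example, not part of the original article or the Palamida product.
Standard library only.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of the Configuration text saved as Extended.xml. Only the
# shape matters here: the second bean carries the <property> entries.
SAMPLE_EXTENDED_XML = """<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
  <constructor-arg>
    <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
      <property name="parserPool" ref="parserPool"/>
    </bean>
  </constructor-arg>
  <constructor-arg>
    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
      <property name="local" value="true"/>
      <property name="alias" value="myAlias"/>
      <property value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" name="signingAlgorithm"/>
      <property name="signMetadata" value="true"/>
      <property name="requireArtifactResolveSigned" value="true"/>
    </bean>
  </constructor-arg>
</bean>
"""

# Constructed sample core.sso.properties; every value is a placeholder.
SAMPLE_SSO_PROPERTIES = """# SAML keystore (constructed sample; values are placeholders)
saml.keystore=file:///c:/palamida/config/myKeystore.jks
saml.keystore.password=myKeystorePassword
saml.keystore.alias=myAlias
saml.keystore.alias.password=myAliasPassword
# Extended metadata overrides; uncomment a line to change the default
#saml.metadata.local=true
#saml.metadata.alias=defaultAlias
#saml.metadata.signingAlgorithm=http://www.w3.org/2000/09/xmldsig#rsa-sha1
saml.metadata.signMetadata=false
"""

# Matches an active or commented-out saml.metadata.<name>=<value> line.
_PROP_LINE = re.compile(r"^\s*(#\s*)?(saml\.metadata\.[\w.]+)\s*=\s*(.*?)\s*$")


def extended_metadata_properties(extended_xml):
    """Return {name: value} for the <property> entries of the ExtendedMetadata bean.

    Assumption of this example: the bean is identified by a class attribute
    ending in ".ExtendedMetadata". Entries without a value (ref="...") are skipped.
    """
    root = ET.fromstring(extended_xml)
    for bean in root.iter("bean"):
        if bean.get("class", "").endswith(".ExtendedMetadata"):
            return {p.get("name"): p.get("value")
                    for p in bean.findall("property") if p.get("value") is not None}
    raise ValueError("no ExtendedMetadata bean found in Extended.xml")


def merge_into_sso_properties(extended_xml, properties_text):
    """Return (new_properties_text, changes).

    For each property from Extended.xml, the matching saml.metadata.<name> line
    is replaced (and uncommented) when its value differs or it is commented out.
    Lines that already match are left alone, so the merge is idempotent.
    A property with no line at all is appended (this example's choice).
    changes maps each rewritten or appended key to its new value.
    """
    wanted = extended_metadata_properties(extended_xml)
    lines = properties_text.splitlines()
    changes = {}
    seen = set()
    for i, line in enumerate(lines):
        m = _PROP_LINE.match(line)
        if not m:
            continue
        commented, key, value = m.group(1) is not None, m.group(2), m.group(3)
        name = key[len("saml.metadata."):]
        if name not in wanted:
            continue
        seen.add(name)
        if commented or value != wanted[name]:
            lines[i] = f"{key}={wanted[name]}"
            changes[key] = wanted[name]
    for name, value in wanted.items():
        if name not in seen:
            key = f"saml.metadata.{name}"
            lines.append(f"{key}={value}")
            changes[key] = value
    return "\n".join(lines) + "\n", changes


if __name__ == "__main__":
    merged, changed = merge_into_sso_properties(SAMPLE_EXTENDED_XML, SAMPLE_SSO_PROPERTIES)
    for key, value in changed.items():
        print(f"set {key}={value}")
    print(merged)
```

Review the printed list of changes before writing the merged text back over core.sso.properties; the keystore entries (saml.keystore.*) are never touched by the merge.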
Config
- Place SPMetadata.xml and IDPMetadata.xml in the /config/core/security directory. You may need to create this directory.
- Create /config/core/env.properties and set:
spring.profiles.active=sso
- If SSO fails for a user, an attempt is made to authenticate the user against the database and, if that fails, through LDAP. These fallbacks remain live authentication paths while SSO is enabled, so disable any you do not intend to keep. To disable database authentication, do not define users in the database; that is, there must be no rows in the PAS_USER table where EXTERNALID is null. To disable LDAP authentication, set ldap.enabled=false in core.ldap.properties. To turn off SSO login, remove env.properties.
Appendix A. SSL
A separate article on setting up SSL gives more details and information.
To configure the Product for SSL, obtain a keystore with a certificate (see Keystore above). Copy the file /tomcat/https to /tomcat/conf. Modify /tomcat/conf/server.xml as follows, providing these details:
- port="myPort", e.g. port="8443"
- keystoreFile="myKeystore.jks"
- keystorePass="myPassword"
- keyAlias="myAlias"
- keyPass="myKeyPassword" (needed below only if different from the keystore password)
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
           port="myPort"
           minSpareThreads="25"
           enableLookups="false"
           disableUploadTimeout="true"
           acceptCount="100"
           maxThreads="150"
           maxHttpHeaderSize="8192"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           keystoreFile="myKeystore.jks"
           keyAlias="myAlias"
           keystorePass="myPassword"
           clientAuth="false"
           sslProtocol="TLS"/>
Also set redirectPort on the plain HTTP connector so that requests arriving over HTTP are redirected to the HTTPS port:
<Connector port="8888" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
Place the keystore in /tomcat; a relative keystoreFile is resolved against the Tomcat base directory. sslProtocol="TLS" lets the JVM negotiate any TLS version it supports; on a Tomcat version that supports the sslEnabledProtocols attribute, restrict this to current versions, for example sslEnabledProtocols="TLSv1.2". Keep clientAuth="false" unless you intend to require client certificates from browsers.