000028172 - KB-1265 - Implementing SSO with Aveksa

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000028172
Applies To: All Versions

Resolution

Enabling SSO (Single Sign-On) authentication on the Aveksa appliance requires two changes: editing the server.xml of the application server (Tomcat on V3.6.x, JBoss on V4.x) so that the SSL Connector on port 8443 carries a proxyName attribute, and creating a new authentication source in the UI.
For ACM 3.6.x:

1a. Modify the file: /usr/bin/tomcat/conf/server.xml

Modify the Tomcat server.xml by adding the proxy name (the proxyName attribute) to the SSL Connector for port 8443. proxyName is the last attribute in the Connector element; leave the existing keystore and cipher settings as they are. The result should be similar to the example shown below. Note that the cipher list shown includes anonymous Diffie-Hellman (DH_anon), RC4, MD5 and 40-bit export suites, which a production appliance should not accept; this step only adds proxyName and does not change that list.
    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/usr/bin/tomcat/webapps/aveksa/WEB-INF/certificates/serverui.keystore"
               keystorePass="Av3k5a15num83r0n3"
               ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_RC4_128_MD5,SSL_FORTEZZA_KEA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_DH_anon_WITH_RC4_128_MD5,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DH_anon_WITH_AES_128_CBC_SHA,TLS_DH_anon_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_RC4_128_SHA,SSL_CK_RC4_128_WITH_MD5,SSL_CK_RC4_128_EXPORT40_WITH_MD5,SSL_CK_RC2_128_CBC_WITH_MD5,SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5,SSL_CK_IDEA_128_CBC_WITH_MD5,SSL_CK_DES_192_EDE3_CBC_WITH_MD5"
               proxyName="access.yourCompany.com/aveksa"
    />


 


For ACM 4.x:

1b. Modify the file: /home/oracle/jboss/server/default/deploy/jboss-web.deployer/server.xml

Similar to 3.6.x, modify the JBoss server.xml by adding the proxy name (the proxyName attribute) to the SSL Connector for port 8443. proxyName is the last attribute in the Connector element; the rest of the Connector is left unchanged. The result should be similar to the example shown below (the same remark about the weak cipher suites applies here).
    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" address="${jboss.bind.address}"
               protocol="HTTP/1.1" SSLEnabled="true" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="${jboss.server.home.dir}/deploy/aveksa.ear/aveksa.war/WEB-INF/certificates/serverui.keystore"
               keystorePass="Av3k5a15num83r0n3"
               ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_RC4_128_MD5,SSL_FORTEZZA_KEA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_DH_anon_WITH_RC4_128_MD5,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DH_anon_WITH_AES_128_CBC_SHA,TLS_DH_anon_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_RC4_128_SHA,SSL_CK_RC4_128_WITH_MD5,SSL_CK_RC4_128_EXPORT40_WITH_MD5,SSL_CK_RC2_128_CBC_WITH_MD5,SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5,SSL_CK_IDEA_128_CBC_WITH_MD5,SSL_CK_DES_192_EDE3_CBC_WITH_MD5"
               proxyName="access.yourCompany.com/aveksa"
    />
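The following script is an added example for steps 1a and 1b, not RSA or Aveksa code. It parses a server.xml, finds the HTTPS Connector on port 8443, sets proxyName on it, verifies the result, and lists the cipher suites on that Connector that a production appliance should not offer (anonymous DH, RC4, MD5, export and SSLv2-era SSL_CK_* suites). SAMPLE_SERVER_XML is a constructed, shortened stand-in for the real file, with a placeholder keystore password; the file paths for 3.6.x and 4.x are the ones given in the steps above.

```python
"""Check and apply the proxyName edit on a Tomcat/JBoss server.xml (added example)."""
import sys
import xml.etree.ElementTree as ET
from typing import List, Optional

# Substrings marking suites to remove: anonymous DH (no server authentication),
# RC4, MD5-based MACs, 40-bit export suites, SSLv2 (SSL_CK_*) suites, Fortezza.
WEAK_MARKERS = ("_anon_", "RC4", "_MD5", "EXPORT", "SSL_CK_", "FORTEZZA")

# Constructed sample: the page's 8443 Connector with a shortened cipher list
# and a placeholder keystore password. Not a real appliance file.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/usr/bin/tomcat/webapps/aveksa/WEB-INF/certificates/serverui.keystore"
               keystorePass="changeit"
               ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_DH_anon_WITH_RC4_128_MD5,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,SSL_CK_RC4_128_EXPORT40_WITH_MD5" />
  </Service>
</Server>
"""


def find_ssl_connector(root: ET.Element, port: str = "8443") -> Optional[ET.Element]:
    """Return the HTTPS Connector listening on `port`, or None if there is none."""
    for conn in root.iter("Connector"):
        if conn.get("port") == port and conn.get("scheme") == "https":
            return conn
    return None


def set_proxy_name(xml_text: str, proxy_name: str, port: str = "8443") -> str:
    """Return the server.xml text with proxyName set on the HTTPS Connector."""
    root = ET.fromstring(xml_text)
    conn = find_ssl_connector(root, port)
    if conn is None:
        raise ValueError(f"no HTTPS Connector on port {port}")
    conn.set("proxyName", proxy_name)
    return ET.tostring(root, encoding="unicode")


def has_proxy_name(xml_text: str, proxy_name: str, port: str = "8443") -> bool:
    """Post-edit check: the HTTPS Connector carries exactly the expected proxyName."""
    conn = find_ssl_connector(ET.fromstring(xml_text), port)
    return conn is not None and conn.get("proxyName") == proxy_name


def weak_ciphers(xml_text: str, port: str = "8443") -> List[str]:
    """Cipher suites on the HTTPS Connector that match one of WEAK_MARKERS."""
    conn = find_ssl_connector(ET.fromstring(xml_text), port)
    if conn is None:
        return []
    suites = [s.strip() for s in conn.get("ciphers", "").split(",") if s.strip()]
    return [s for s in suites if any(m in s for m in WEAK_MARKERS)]


if __name__ == "__main__":
    # Usage: python proxyname_check.py [path/to/server.xml] [proxy name]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    proxy = sys.argv[2] if len(sys.argv) > 2 else "access.yourCompany.com/aveksa"
    text = open(path, encoding="utf-8").read() if path else SAMPLE_SERVER_XML
    updated = set_proxy_name(text, proxy)
    print("proxyName set:", has_proxy_name(updated, proxy))
    print("weak suites to remove:", weak_ciphers(updated))
```

ElementTree drops XML comments when it parses, so set_proxy_name is best used to confirm what the edit should look like; edit the real server.xml by hand (or with a tool that preserves comments) and then run has_proxy_name and weak_ciphers against the saved file to verify it.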


 




2. Create a new authentication source

For either version, log in as the AveksaAdmin user and navigate to the Admin tab. Select the Authentication sub-tab and click Create Authentication Source. Create the new authentication source using the following parameters. With this source the appliance takes the user name from the a-user HTTP header, so that header must only be trusted when the SSO proxy sets it: the appliance should not be reachable by clients except through the proxy, and the proxy must remove any a-user header supplied by the client before adding its own.

Parameter                   Entry
Authentication Source Name  YourCompany_WEBSSO
SSO Authenticator           Yes
UserNameHeader              a-user
IPAddresses                 (blank)
UnifiedUserColumn           UNIQUE_ID
RedirectURL                 https://accessq.yourcompany.com?%redirecturl%
LogOffURL                   https://accessq.yourcompany.com/logout
IgnoreCase                  true
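The trust model behind the authentication source above, as an added example that is not RSA or Aveksa code: it models an appliance-side authenticator that reads the user from the a-user header (with IgnoreCase applied) and only honours it from the proxy's addresses, together with the proxy-side control of dropping any a-user header the browser sent. The proxy address range 10.10.5.0/24, the client addresses and the sample requests are constructed for the illustration; the behaviour when the trusted list is empty is the model's, shown to make the point that a directly reachable appliance accepts a forged header.

```python
"""Header-based SSO trust model: proxy side and appliance side (added example)."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

USER_NAME_HEADER = "a-user"  # UserNameHeader from the authentication-source table


def proxy_forward(client_headers: Dict[str, str], authenticated_user: str) -> Dict[str, str]:
    """What the SSO proxy should send upstream: drop any client-supplied copy of the
    user header (whatever its letter case), then assert the proxy's own result."""
    forwarded = {k: v for k, v in client_headers.items() if k.lower() != USER_NAME_HEADER}
    forwarded[USER_NAME_HEADER] = authenticated_user
    return forwarded


def resolve_sso_user(headers: Dict[str, str], peer_ip: str,
                     trusted_proxies: List[str], ignore_case: bool = True) -> Optional[str]:
    """Appliance side. Return the asserted user id, or None when the request must fall
    through to ordinary login. `trusted_proxies` is a list of CIDR strings; an empty
    list means the header is trusted from any source (the unsafe configuration)."""
    if trusted_proxies and not any(ip_address(peer_ip) in ip_network(n) for n in trusted_proxies):
        return None
    # HTTP header names are case-insensitive, so match on the lower-cased name.
    value = next((v for k, v in headers.items() if k.lower() == USER_NAME_HEADER), None)
    if value is None or not value.strip():
        return None
    value = value.strip()
    return value.lower() if ignore_case else value  # IgnoreCase = true in the table


# Constructed sample traffic (hypothetical addresses and users).
TRUSTED = ["10.10.5.0/24"]   # assumed address range of the SSO proxy tier
PROXY_IP = "10.10.5.21"
ATTACKER_IP = "203.0.113.9"

# 1. Legitimate flow: browser sends no user header; the proxy authenticates and asserts it.
LEGIT = proxy_forward({"Host": "access.yourCompany.com", "Cookie": "SMSESSION=..."}, "JSMITH")
# 2. Browser tries to smuggle its own header through the proxy.
SMUGGLED = proxy_forward({"A-User": "aveksaadmin"}, "JSMITH")
# 3. Attacker reaches the appliance directly, bypassing the proxy.
DIRECT = {"a-user": "aveksaadmin"}


def demo() -> Dict[str, Optional[str]]:
    """Run the three requests through the appliance-side check."""
    return {
        "legit": resolve_sso_user(LEGIT, PROXY_IP, TRUSTED),
        "smuggled": resolve_sso_user(SMUGGLED, PROXY_IP, TRUSTED),
        "direct_restricted": resolve_sso_user(DIRECT, ATTACKER_IP, TRUSTED),
        "direct_unrestricted": resolve_sso_user(DIRECT, ATTACKER_IP, []),
    }


if __name__ == "__main__":
    for name, user in demo().items():
        print(f"{name:20s} -> {user}")
```

The two controls are complementary: the allow list on the appliance side stops requests that bypass the proxy, and the header stripping on the proxy side stops a browser from smuggling its own a-user value through a trusted path. Only the first request and the stripped second request resolve to jsmith; the direct request is rejected when the allow list is populated and accepted as aveksaadmin only in the unrestricted case.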
