Kerberos SSO integration is no longer supported. You can use OpenID Connect (OAuth2) or SAML as alternative authentication methods.

Hosts

  • Windows Domain Controller (Active Directory, AD/LDAP server): winssoad.winssodom.local
  • codeBeamer server (and Apache server) - joined to AD: win7000.winssodom.local
  • Windows client - joined to AD: host name not relevant

Install Apache 2.2

Download and install Apache 2.2 with typical settings on the machine hosting the codeBeamer server. (Default installation folder: C:\Program Files (x86)\Apache Software Foundation\Apache2.2)

Note: "The Kerberos module was created specifically for this installer."

Install Kerberos module for Apache

Download the Kerberos module (mod_auth_kerb.so) and copy it to the folder C:\Program Files (x86)\Apache Software Foundation\Apache2.2\modules on the machine hosting the codeBeamer server.

Install MIT Kerberos

Download and install MIT Kerberos with typical settings on the machine hosting the codeBeamer server.

Create and install a Kerberos token (keytab)

  • Create an account on the AD server: cbssokerb
  • Create a keytab on the AD server: open a command prompt window and run the following command:
    ktpass -princ HTTP/win7000.winssodom.local@winssodom.local -mapuser cbssokerb -crypto ALL -ptype KRB5_NT_PRINCIPAL -pass * -out c:\cbssokerb.keytab
  • Enter the password for the account cbssokerb
  • Copy the generated keytab file to the Apache config folder: C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\cbssokerb.keytab

Configure MIT Kerberos

  • Edit the file C:\ProgramData\MIT\Kerberos5\krb.ini and add the following text:
    [libdefaults]
        debug = true
        default_realm = WINSSODOM.LOCAL
        dns_lookup_kdc = false
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

    [realms]
        WINSSODOM.LOCAL = {
            kdc = WINSSOAD.winssodom.local
            admin_server = WINSSOAD.winssodom.local
            default_domain = winssodom.local
        }

    [domain_realm]
        .winssodom.local = WINSSODOM.LOCAL

    [login]
        krb4_convert = true
        krb4_get_tickets = false

Configure Apache

Edit the file C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\httpd.conf as follows:

  • Enable the following standard modules by removing the leading # (either copy/paste the following block, or uncomment them in their original locations, but make sure they are not loaded twice):
    #LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
    #LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
    #LoadModule ldap_module modules/mod_ldap.so
    #LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    #LoadModule authz_default_module modules/mod_authz_default.so
    #LoadModule headers_module modules/mod_headers.so
    #LoadModule rewrite_module modules/mod_rewrite.so
  • Load the non-standard (currently installed) Kerberos module:
    LoadModule auth_kerb_module modules/mod_auth_kerb.so
  • Configure virtual host(s):
    <VirtualHost *:80>
        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>
        # ProxyPass below makes this a reverse proxy; forward proxying
        # (ProxyRequests On) is not needed for it and would leave an open proxy.
        ProxyRequests Off
        ProxyPreserveHost On
        ProxyPass /cb http://localhost:8080/cb
        ProxyPassReverse /cb http://localhost:8080/cb
        ServerName win7000.winssodom.local
        <Location /cb>
            Order allow,deny
            Allow from all
            AuthType Kerberos
            KrbServiceName HTTP
            AuthName "Domain login"
            KrbAuthRealms WINSSODOM.LOCAL
            Krb5KeyTab "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\cbssokerb.keytab"
            require valid-user
            KrbLocalUserMapping On
            KrbMethodNegotiate  On
            KrbMethodK5Passwd   Off

            # The directives below put the logon name of the authenticated user into the HTTP header X-User-Global-ID
            RequestHeader unset X-User-Global-ID
            RewriteEngine On
            RewriteCond   %{LA-U:REMOTE_USER} (.+)
            RewriteRule   /cb.* - [E=RU:%1,L,NS]
            RequestHeader set X-User-Global-ID %{RU}e

            # Remove the domain suffix to get the simple logon name
            RequestHeader edit X-User-Global-ID "@WINSSODOM.LOCAL$" ""
        </Location>
    </VirtualHost>
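
An added example, not part of the original page or of codeBeamer: a small Python audit of a virtual host like the one above, assuming the backend takes the user's identity from the X-User-Global-ID header. The function names and both sample configurations are constructed for illustration.

```python
from urllib.parse import urlsplit

def directives(conf):
    """Yield (lowercased name, argument list) per directive; skip comments and <Section> tags."""
    for line in conf.splitlines():
        parts = line.split()
        if parts and parts[0][0] not in "#<":
            yield parts[0].lower(), parts[1:]

def audit(vhost, header="X-User-Global-ID"):
    """Return a list of findings for the text of one <VirtualHost> block."""
    d = list(directives(vhost))
    def last(name):  # last occurrence wins; "" if the directive is absent
        return next((" ".join(a).lower() for k, a in reversed(d) if k == name), "")
    out = []
    if last("proxyrequests") == "on":
        out.append("ProxyRequests On: forward proxying enabled; a reverse proxy needs Off")
    if last("authtype") != "kerberos" or "valid-user" not in last("require"):
        out.append("proxied path lacks AuthType Kerberos with require valid-user")
    for k, a in d:
        if k == "proxypass" and len(a) > 1 and urlsplit(a[1]).hostname not in ("localhost", "127.0.0.1"):
            out.append(f"ProxyPass backend {a[1]} is not loopback: header-trusting port is exposed")
    ops = {a[0].lower() for k, a in d
           if k == "requestheader" and len(a) > 1 and a[1].lower() == header.lower()}
    if not ops & {"set", "unset"}:
        out.append(f"{header} never set or unset: a client-supplied value reaches the backend")
    return out

# Constructed samples (not taken from a real server): a weak and a hardened variant.
WEAK = """
ProxyRequests On
ProxyPass /cb http://10.0.0.5:8080/cb
<Location /cb>
    AuthType Kerberos
    require valid-user
</Location>
"""
HARDENED = """
ProxyRequests Off
ProxyPass /cb http://localhost:8080/cb
<Location /cb>
    AuthType Kerberos
    require valid-user
    RequestHeader unset X-User-Global-ID
    RequestHeader set X-User-Global-ID %{RU}e
</Location>
"""
if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED), sep="\n")
```

The audit only reads the Apache side; whether the service on port 8080 listens on loopback only has to be checked on the codeBeamer host itself.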

Restart Apache server

Go to the Windows Service Manager and restart the Apache2.2 service.

Other Tasks

The following steps are similar to those described in
  • Configure codeBeamer to use AD
  • Enabling SSO in codeBeamer System Administration
  • Enabling Kerberos Authentication in Client
  • Open codeBeamer with Kerberos SSO

SSL

To serve codebeamer over HTTPS, Apache needs a certificate. One can be generated with the openssl binary bundled with Apache:

Start openssl.exe from the command line with the command: "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\bin\openssl.exe"

Generate a self-signed certificate that is valid for a year by entering the following at the OpenSSL> prompt:

req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privatekey.key -out certificate.crt -config "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\openssl.cnf"

Provide organisation info if needed.

  • Use almost the same config as for HTTP, but with additional certificate information (first 5 lines):
    Listen 443
    <VirtualHost *:443>
        ServerName ap.winssodom.local
        SSLEngine on
        SSLCertificateFile c:\certificate.crt
        SSLCertificateKeyFile c:\privatekey.key

        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>
        # ProxyPass below makes this a reverse proxy; forward proxying
        # (ProxyRequests On) is not needed for it and would leave an open proxy.
        ProxyRequests Off
        ProxyPreserveHost On
        ProxyPass /cb http://localhost:8080/cb
        ProxyPassReverse /cb http://localhost:8080/cb
        <Location /cb>
            Order allow,deny
            Allow from all
            AuthType Kerberos
            KrbServiceName HTTP
            AuthName "Domain login"
            KrbAuthRealms WINSSODOM.LOCAL
            Krb5KeyTab "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\cbssokerb.keytab"
            require valid-user
            KrbLocalUserMapping On
            KrbMethodNegotiate  On
            KrbMethodK5Passwd   Off

            # The directives below put the logon name of the authenticated user into the HTTP header X-User-Global-ID
            RequestHeader unset X-User-Global-ID
            RewriteEngine On
            RewriteCond   %{LA-U:REMOTE_USER} (.+)
            RewriteRule   /cb.* - [E=RU:%1,L,NS]
            RequestHeader set X-User-Global-ID %{RU}e

            # Remove the domain suffix to get the simple logon name
            RequestHeader edit X-User-Global-ID "@WINSSODOM.LOCAL$" ""
        </Location>
    </VirtualHost>