You are viewing the documentation for Blueriq 13. Documentation for other versions is available in our documentation directory.
Defining a Kerberos authentication provider
In the application.properties
file, these properties are expected for a Kerberos authentication provider:
application.properties
# Global configuration blueriq.security.login-type = kerberos # Connection blueriq.security.auth-providers.kerberos01.type = kerberos blueriq.security.auth-providers.kerberos01.service-principal-name = HTTP/blueriq.mycompany.com@MYCOMPANY.COM blueriq.security.auth-providers.kerberos01.keytab-location = C:/folder/blueriq.keytab # LDAP blueriq.security.auth-providers.kerberos01.connectionUrl = ldap://something.mycompany.com blueriq.security.auth-providers.kerberos01.userDn = cn=admin,ou=sysadmin,dc=mycompany,dc=com blueriq.security.auth-providers.kerberos01.password = <encryptedvalue_password> blueriq.security.auth-providers.kerberos01.useTls = true # Connection protection (if 'useTls' is true) blueriq.security.auth-providers.kerberos01.tls.trustStoreUrl = file:///D:/location/to/your/certifactions.jks blueriq.security.auth-providers.kerberos01.tls.trustStorePassword = changeit blueriq.security.auth-providers.kerberos01.tls.trustStoreType = jks # Search blueriq.security.auth-providers.kerberos01.referralStrategy = follow blueriq.security.auth-providers.kerberos01.searchSubtree = true # Search user blueriq.security.auth-providers.kerberos01.userSearchBaseDn = OU=users,DC=mycompany,DC=com blueriq.security.auth-providers.kerberos01.userSearchAttribute = userPrincipalName # Search group blueriq.security.auth-providers.kerberos01.groupSearchBaseDn = OU=groups,DC=mycompany,DC=com blueriq.security.auth-providers.kerberos01.groupSearchFilterAttribute = cn blueriq.security.auth-providers.kerberos01.groupSearchFilterPattern = BQ_*, EVE_*,PRO - *,PRO -* # role mapping blueriq.security.auth-providers.kerberos01.role-mapping.ldapGroup1=BlueriqRole1,BlueriqRole2 blueriq.security.auth-providers.kerberos01.role-mapping.ldapGroup2=BlueriqRole3,BlueriqRole4 # Add the kerberos authentication provider to the chain blueriq.security.auth-providers-chain = kerberos01
A great deal of these properties above handle the connection with an LDAP server to retrieve the roles for a user. For a detailed explanation of these properties, please refer to LDAP authentication provider.
Setting up Kerberos
The first three properties defined in the example above are required for Kerberos authentication.
The property service-principal-name
should contain the SPN that was created for the Blueriq Runtime service user in the AD.
The property keytab-location
should point to the keytab file for the SPN that was configured in the previous property.
On the machine running the runtime, a krb5.ini file should be placed in C:\Windows:
[libdefaults] default_realm = MYCOMPANY.COM [realms] MYCOMPANY.COM = { kdc = dc.mycompany.com }
LDAP
Whenever a user is successfully authenticated using Kerberos, its roles are acquired from LDAP. The properties used for the LDAP connection are local to the Kerberos Authentication Provider, and the definitions are the same as the properties for the LDAP Authentication Provider.
When a user is authenticated with Kerberos, its form is test.user@MYCOMPANY.COM
. Make sure that the userSearchAttribute
points to an attribute that has the @MYCOMPANY.COM
suffix attached to the value.
Limitations
- Currently, when using Kerberos as an authentication provider, no other authentication provider on the chain will work.
- Kerberos authentication happens for all URLs in the /server path.
- When a user doesn't have the appropriate roles to start a flow, a 404 error will appear in the browser.
- In browsers, you need to enable Kerberos authentication for the domain or host name where the Blueriq Runtime runs on.
- As always, we advise to use the latest version of Java 8. In Java 8 versions below update 162, Java Cryptographic Extensions (JCE) is not enabled by default. As it is required for some more secure encryption schemes used in Kerberos, you should either use Java 8 update 162 or newer, or manually enable JCE for your installation.