Configure Alfresco Process Services - Alfresco Content Services 23.4

The Java login configuration files need to be updated with the details of the Kerberos configuration, and activiti-ldap.properties needs to be updated to enable SSO using Kerberos.

  1. Configure or create the Java configuration file java.login.config located in /java/conf/security. The following is an example of a java.login.config file. The important properties to set are keyTab and principal.
    • keyTab is the location of the keytab file (see Configure Kerberos files) copied to the ACS server
    • principal is in the format HTTP/<host>.<domain>
     Alfresco {
       com.sun.security.auth.module.Krb5LoginModule sufficient;
     };
    
     AlfrescoHTTP
     {
       com.sun.security.auth.module.Krb5LoginModule required
         storeKey=true
         useKeyTab=true
         doNotPrompt=true
         keyTab="/etc/kerberos.keytab"
         principal="HTTP/alfresco.example.com";
     };
    
     com.sun.net.ssl.client {
         com.sun.security.auth.module.Krb5LoginModule sufficient;
     };
    
     other {
       com.sun.security.auth.module.Krb5LoginModule sufficient;
     };
    
  2. Edit the following line in the Java security configuration file java.security (by default located in java/conf/security/) so that it points to the java.login.config file using the full file path:
     login.config.url.1=file:<installLocation>/java/conf/security/java.login.config
    
  3. Use the following configuration parameters in the activiti-ldap.properties file:

     kerberos.authentication.enabled
         Sets whether authentication via Kerberos is enabled. This needs to be set to true to set up SSO using Kerberos, for example true.
     kerberos.authentication.principal
         The Service Principal Name (SPN) to authenticate against, for example HTTP/alfresco.example.com.
     kerberos.authentication.keytab
         The location of the keytab file, for example C:/alfresco/alfrescohttp.keytab.
     kerberos.authentication.krb5.conf
         The location of the Kerberos ini file, for example C:/Windows/krb5.ini.
     kerberos.allow.ldap.authentication.fallback
         Sets whether to allow sign in from unsupported browsers using LDAP credentials, for example false.
     kerberos.allow.database.authentication.fallback
         Sets whether to allow sign in from unsupported browsers using database credentials, for example true.
     kerberos.allow.samAccountName.authentication
         Sets whether authentication can use the short form such as username rather than username@domain.com, for example true.
     security.authentication.use-externalid
         A setting that enables authentication through Kerberos, for example true.
     ldap.authentication.enabled
         Sets whether LDAP authentication is enabled. This setting needs to be set to true for SSO to work for Kerberos, for example true.
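Steps 1 and 3 describe two files that must agree with each other: the AlfrescoHTTP entry in java.login.config and the kerberos.* properties in activiti-ldap.properties. A mismatch between them (different SPN, different keytab path, LDAP authentication left disabled) is the usual reason a Kerberos SSO setup fails silently. The following Python script is an added example written for this page, not code shipped with Alfresco. It parses both files, checks the rules stated in the steps above, and reports the fallback settings that open a non-Kerberos sign-in path so they can be reviewed. The sample configurations embedded in it are constructed from the examples on this page; the file paths and host name are placeholders, and the `check_files` option is an assumption of this script, not an Alfresco setting.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed sample java.login.config, shaped like the step 1 example.
SAMPLE_LOGIN_CONFIG = """
Alfresco {
  com.sun.security.auth.module.Krb5LoginModule sufficient;
};
AlfrescoHTTP
{
  com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    doNotPrompt=true
    keyTab="/etc/kerberos.keytab"
    principal="HTTP/alfresco.example.com";
};
com.sun.net.ssl.client {
  com.sun.security.auth.module.Krb5LoginModule sufficient;
};
other {
  com.sun.security.auth.module.Krb5LoginModule sufficient;
};
"""

# Constructed sample activiti-ldap.properties using the step 3 property names.
SAMPLE_LDAP_PROPERTIES = """
# constructed example, not a file shipped with the product
kerberos.authentication.enabled=true
kerberos.authentication.principal=HTTP/alfresco.example.com
kerberos.authentication.keytab=/etc/kerberos.keytab
kerberos.authentication.krb5.conf=/etc/krb5.conf
kerberos.allow.ldap.authentication.fallback=false
kerberos.allow.database.authentication.fallback=true
kerberos.allow.samAccountName.authentication=true
security.authentication.use-externalid=true
ldap.authentication.enabled=true
"""

ENTRY_RE = re.compile(r"([\w.]+)\s*\{(.*?)\}\s*;", re.DOTALL)
OPTION_RE = re.compile(r'(\w+)=("([^"]*)"|\S+?)(?=\s|;|$)')
# SPN must look like HTTP/<host>.<domain>, optionally with an @REALM suffix.
SPN_RE = re.compile(r"^HTTP/[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+(@[A-Z0-9.-]+)?$")


def parse_login_config(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a JAAS login configuration into {entry_name: {option: value}}.
    Each entry body holds one Krb5LoginModule line: class, control flag,
    then optional key=value pairs (quoted or bare)."""
    entries: Dict[str, Dict[str, str]] = {}
    for name, body in ENTRY_RE.findall(text):
        parts = body.strip().rstrip(";").split(None, 2)
        opts = {"module": parts[0], "flag": parts[1]}
        if len(parts) == 3:
            for key, raw, quoted in OPTION_RE.findall(parts[2]):
                opts[key] = quoted if raw.startswith('"') else raw
        entries[name] = opts
    return entries


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines, comments skipped."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_kerberos_sso(login_config: str, properties: str,
                       check_files: bool = False) -> Tuple[List[str], List[str]]:
    """Return (errors, notes). Errors break SSO; notes flag fallback paths."""
    errors: List[str] = []
    notes: List[str] = []
    entries = parse_login_config(login_config)
    props = parse_properties(properties)
    http = entries.get("AlfrescoHTTP")
    if http is None:
        return ["java.login.config has no AlfrescoHTTP entry"], notes
    # Step 1: server side must accept tickets from its keytab without a prompt.
    if http.get("flag") != "required":
        errors.append("AlfrescoHTTP: Krb5LoginModule should be 'required'")
    for opt in ("storeKey", "useKeyTab", "doNotPrompt"):
        if http.get(opt) != "true":
            errors.append(f"AlfrescoHTTP: {opt} should be true")
    principal = http.get("principal", "")
    if not SPN_RE.match(principal):
        errors.append(f"AlfrescoHTTP: principal {principal!r} is not HTTP/<host>.<domain>")
    # Step 3: properties must enable Kerberos and point at the same SPN/keytab.
    if props.get("kerberos.authentication.enabled") != "true":
        errors.append("kerberos.authentication.enabled must be true for SSO")
    if props.get("kerberos.authentication.principal") != principal:
        errors.append("kerberos.authentication.principal differs from the JAAS principal")
    if props.get("kerberos.authentication.keytab") != http.get("keyTab"):
        errors.append("kerberos.authentication.keytab differs from the JAAS keyTab")
    for key in ("ldap.authentication.enabled", "security.authentication.use-externalid"):
        if props.get(key) != "true":
            errors.append(f"{key} must be true when Kerberos SSO is enabled")
    if check_files:  # optional on-host check that the referenced files exist
        for key in ("kerberos.authentication.keytab", "kerberos.authentication.krb5.conf"):
            if not os.path.isfile(props.get(key, "")):
                errors.append(f"{key} points at a missing file")
    # Each enabled fallback is a credential-based sign-in path beside Kerberos.
    for key in ("kerberos.allow.ldap.authentication.fallback",
                "kerberos.allow.database.authentication.fallback"):
        if props.get(key) == "true":
            notes.append(f"{key} is enabled (non-Kerberos sign-in path)")
    return errors, notes


if __name__ == "__main__":
    errs, nts = check_kerberos_sso(SAMPLE_LOGIN_CONFIG, SAMPLE_LDAP_PROPERTIES)
    print("errors:", errs or "none")
    print("notes:", nts or "none")
```

To run it against a real installation, read the two files from disk and pass `check_files=True`; the on-disk paths then have to exist on the ACS server, which is where the keytab copied in step 1 must live.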