
Kerberos setup with cluster and load balancer

Question asked by loftux Moderator on Jun 10, 2015
Latest reply on Sep 1, 2015 by steven.okennedy
I'm setting up a 4.2.4 cluster with two nodes (node1.example.com, node2.example.com). Each has alfresco and share running.
Users access an apache front-end that acts as a load balancer (alfresco.example.com) using Apache.

The goal is to have users SSO when accessing the load balancer.

I've been able to create the ticket and get SSO working when accessing the nodes directly, both for http and cifs. What I still struggle with is getting SSO working from the load balancer.

What I have tried is in java.login.config

Alfresco {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   doNotPrompt=true
   keyTab="/etc/cifsnode1.keytab"
   principal="cifs/node1.example.com";
};

AlfrescoHTTP
{
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   doNotPrompt=true
   keyTab="/etc/httpnode1.keytab"
   principal="HTTP/node1.example.com";
};

ShareHTTP
{
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   doNotPrompt=true
   keyTab="/etc/sharehttp.keytab"
   principal="HTTP/alfresco.example.com";
};

com.sun.net.ssl.client {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

other {
   com.sun.security.auth.module.Krb5LoginModule sufficient;
};

When I got Share SSO working I had the same keytab for Share as for repo HTTP. When involving the load balancer I tested if it would work if I use a third account for ShareHTTP (HTTP/alfresco.example.com) as this matches the url users access.

In share-config-custom.xml, there is in the Kerberos config section the setting endpoint-spn, this should be the principal for node1/node2, i.e. HTTP/node1.example.com@EXAMPLE.COM if I am correct?

Is there any specific setting that needs to be in apache configuration for it to forward kerberos tickets? The load balancer uses ajp.
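A browser doing SPNEGO requests a ticket for HTTP/&lt;host in the URL&gt;, so whichever node answers behind the load balancer must hold a key for HTTP/alfresco.example.com, not only for its own node name. The following added check (example code, not from the post or from Alfresco) parses a JAAS login config in the shape shown above and reports which entries could decrypt a ticket issued for a given client-facing hostname; the sample config and entry names are constructed from the post.

```python
import re

# Constructed sample modelled on the post's java.login.config, reduced to
# the two entries on the HTTP SSO path.
SAMPLE_JAAS = """
AlfrescoHTTP
{
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   doNotPrompt=true
   keyTab="/etc/httpnode1.keytab"
   principal="HTTP/node1.example.com";
};

ShareHTTP
{
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true
   useKeyTab=true
   keyTab="/etc/sharehttp.keytab"
   principal="HTTP/alfresco.example.com";
};
"""

# One JAAS entry: Name { module flag option=value ... ; };
ENTRY_RE = re.compile(r"(\w[\w.]*)\s*\{(.*?)\};", re.S)
# option=value pairs inside an entry, with or without quotes
OPT_RE = re.compile(r'(\w+)\s*=\s*"?([^"\s;]+)"?')

def parse_jaas(text):
    """Return {entry_name: {option: value}} for each login entry."""
    return {name: dict(OPT_RE.findall(body)) for name, body in ENTRY_RE.findall(text)}

def spn_host(principal):
    """'HTTP/alfresco.example.com@EXAMPLE.COM' -> 'alfresco.example.com'."""
    _service, _, rest = principal.partition("/")
    return rest.split("@", 1)[0].lower()

def check_spns(jaas_text, client_host, entries=("AlfrescoHTTP", "ShareHTTP")):
    """For each entry, True if its principal's host equals the host users
    type in the URL (the host the browser puts in the service ticket)."""
    parsed = parse_jaas(jaas_text)
    return {name: (p := parsed.get(name, {}).get("principal")) is not None
            and spn_host(p) == client_host.lower() for name in entries}

if __name__ == "__main__":
    for host in ("alfresco.example.com", "node1.example.com"):
        print(host, check_spns(SAMPLE_JAAS, host))
```

Run it against each node's real java.login.config with the load balancer hostname: an entry reported False is one whose keytab cannot decrypt tickets that users reach the cluster through.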
