![\"\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/2e1ax_default_entry_MIT-Kerberos.jpg\")
<\/p>\n<\/p>\n
In my previous blog, I described the process to install a Kerberos Client and how to Kerberized Alfresco<\/a>. In this blog, I will continue in the same way and present another application that could be configured to use the Kerberos MIT KDC: Liferay. Liferay is a very popular and a leader in Open Source solution for enterprise web platform (Intranet\/Extranet\/Internet web sites). Liferay could be bundled with several application servers like Tomcat, JBoss, Glassfish, but it could also be installed from scratch (deployment of a war file) with a lot of existing application servers.<\/p>\n For this blog, I will need the following properties\/variables:<\/p>\n Please be aware that some configurations below may not be appropriate for production environment. For example, I don’t configure Apache to run as a different user like “www” or “apache”, I don’t specify the installation directory for Apache or Kerberos, aso…<\/p>\n Actual test configuration:<\/p>\n This version of Liferay doesn’t have a default connection to a Linux KDC so everything should be done from scratch. The first thing to do is to add an Apache httpd in front of Liferay, if there is not already one, to process Kerberos requests. This part is described very quickly without extensive explanations because we don’t need all the functionalities of Apache. Of course you can, if you want, add some other configurations to the Apache httpd to manage for example an SSL certificate, the security of your application or other very important features of Apache… So first let’s check that the Tomcat used by Liferay is well configured for Kerberos with an Apache front-end:<\/p>\n To verify that, just take a look at the file server.xml:<\/p>\n Then download Apache httpd from the Apache web site (or use yum\/apt-get), extract the downloaded file and go inside of the extracted folder to install this Apache httpd with some default parameters:<\/p>\n <\/p>\n This will install Apache httpd 2.4.10 under \/usr\/local\/apache2. There could be some errors during the execution of “.\/configure” or “make” or “make install” but these kind of issues are generally well known and so the solutions to these issues could be found everywhere on Internet. An installation with the command apt-get will put the configuration file (named apache2.conf not httpd.conf) under \/etc\/apache2\/ so please adapt the description below to your environment.<\/p>\n Once Apache httpd is installed, it must be configured to understand and use Kerberos for all incoming requests:<\/p>\n <\/p>\n The next step is to build the mod_auth_kerb and mod_jk. The build of mod_auth_kerb requires an already installed Kerberos client in this Liferay server. As seen below, my Kerberos client on this server is under \/usr\/local. Moreover, the buid of mod_jk may requires to specify the apxs binary used by Apache, that’s why there is the “–with-apxs” parameter:<\/p>\n <\/p>\n The module auth_mod_kerb doesn’t need extra configuration but it’s not the case of the mod_jk for which we will need to define several elements like log file and level, JkMount parameters which defines http requests that should be sent to the AJP connector, aso:<\/p>\n Finally, the last configuration for Apache httpd is to configure a krb5.conf file for the Kerberos client to know where the KDC is located:<\/p>\n Once this is done, there is one step to execute on the KDC side for the configuration of Kerberos. Indeed, there is a configuration above in the file mod_kerb.conf that shows a keytab file named krb5lif.keytab. By default, this file doesn’t exist so we must create it! From the KDC host server, execute the following commands to create a new service account for Liferay and then create the keytab for this service account:<\/p>\n From now on, all configurations required by Apache & Tomcat to handle Kerberos tickets are done. The only remaining step and certainly the most complicated is to configure Liferay to understand and use this kind of authentication. For that purpose, a Liferay Hook must be created (in eclipse using the Liferay Plugin for example). Let’s name this Liferay Project created with the liferay-plugins-sdk-6.1.1: “custom-hook”. For the configuration below, I will suppose that this project is at the following location: “C:\/liferay-plugins-sdk-6.1.1\/hooks\/custom-hook\/” and this location is abbreviated to %CUSTOM_HOOK%. You will find at the bottom of this blog a link to download the files that should be in this custom-hook. Feel free to use it!<\/p>\n To create a new authentication method, the first step is to create and edit the file %CUSTOM_HOOK%\/docroot\/WEB-INF\/liferay-hook.xml as follow:<\/p>\n Then, create and insert in the file %CUSTOM_HOOK%\/docroot\/WEB-INF\/src\/portal.properties the following lines:<\/p>\n And finally, the last step is to create the Java Class %CUSTOM_HOOK%\/docroot\/WEB-INF\/src\/com\/liferay\/portal\/security\/auth\/KerberosAutoLogin with the following content. This class is used to retrieve the Kerberos principal from the Kerberos Ticket received by Apache and then transforms this principal to log the user in Liferay. Please be aware that this code can probably not be used as such because it’s specific to our company: the screenName used in Liferay is equal to the principal used in the KDC. That’s why there is some logger.info in the code: to help you to find the good relation between the Liferay screenName and the KDC principal.<\/p>\n\n
\n
\n
[root ~]# vi \/opt\/liferay-6.1.1\/tomcat-7.0.27\/conf\/server.xml\n
![\"1.png\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/1.png\" "\\"1.png\\"")
<\/a><\/pre>\n[root ~]# cd \/opt\n[root opt]# wget http:\/\/mirror.switch.ch\/mirror\/apache\/dist\/\/httpd\/httpd-2.4.10.tar.gz\n[root opt]# tar -xvf httpd-2.4.10.tar.gz\n[root opt]# cd httpd-2.4.10\n[root httpd-2.4.10]# .\/configure\n[root httpd-2.4.10]# make\n[root httpd-2.4.10]# make install<\/pre>\n
[root httpd-2.4.10]# vi \/usr\/local\/apache2\/conf\/httpd.conf\n # Add at the end of the file\n Include \/opt\/liferay-6.1.1\/tomcat-7.0.27\/conf\/mod_jk.conf\n\u00a0\u00a0\u00a0 Include \/usr\/local\/apache2\/conf\/mod_kerb.conf\n\n[root httpd-2.4.10]# vi \/usr\/local\/apache2\/conf\/mod_kerb.conf\n # New file for the configuration of the module \"mod_auth_kerb\" and Kerberos\n\u00a0\u00a0\u00a0 ServerAdmin root@localhost\n\u00a0\u00a0\u00a0 # The FQDN of the host server\n\u00a0\u00a0\u00a0 ServerName lif01.example.com:80\n\n # Of course, find the location of the mod_auth_kerb and replace it there if\n # it's not the same\n\u00a0\u00a0\u00a0 LoadModule auth_kerb_module \/usr\/local\/apache2\/modules\/mod_auth_kerb.so\n\n \u2039Location \/\u203a\n\u00a0\u00a0\u00a0 AuthName \"EXAMPLE.COM\"\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 AuthType Kerberos\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 Krb5Keytab \/etc\/krb5lif.keytab\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 KrbAuthRealms EXAMPLE.COM\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 KrbMethodNegotiate On\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 KrbMethodK5Passwd On\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 require valid-user\n\u00a0\u00a0\u00a0 \u2039\/Location\u203a<\/pre>\n
[root httpd-2.4.10]# cd ..\n[root opt]# wget http:\/\/sourceforge.net\/projects\/modauthkerb\/files\/mod_auth_kerb\/mod_auth_kerb-5.4\/mod_auth_kerb-5.4.tar.gz\/download\n[root opt]# tar -xvf mod_auth_kerb-5.4.tar.gz\n[root opt]# cd mod_auth_kerb-5.4\n[root mod_auth_kerb-5.4]# .\/configure --with-krb4=no --with-krb5=\/usr\/local --with-apache=\/usr\/local\/apache2\n[root mod_auth_kerb-5.4]# make\n[root mod_auth_kerb-5.4]# make install\n\n[root mod_auth_kerb-5.4]# cd ..\n[root opt]# wget http:\/\/mirror.switch.ch\/mirror\/apache\/dist\/tomcat\/tomcat-connectors\/jk\/tomcat-connectors-1.2.40-src.tar.gz\n[root opt]# tar -xvf tomcat-connectors-1.2.40-src.tar.gz\n[root opt]# cd tomcat-connectors-1.2.40-src\/native\n[root native]# .\/configure --with-apxs=\/usr\/local\/apache2\/bin\/apxs --enable-api-compatibility\n[root native]# make\n[root native]# make install<\/pre>\n
[root native]# cd ..\/..\n[root opt]# vi \/opt\/liferay-6.1.1\/tomcat\/conf\/mod_jk.conf\n LoadModule jk_module \/usr\/local\/apache2\/modules\/mod_jk.so\n\u00a0\u00a0\u00a0 JkWorkersFile \/opt\/liferay-6.1.1\/tomcat-7.0.27\/conf\/workers.properties\n\u00a0\u00a0\u00a0 JkLogFile \/usr\/local\/apache2\/logs\/mod_jk.log\n\u00a0\u00a0\u00a0 JkLogLevel debug\n\u00a0\u00a0\u00a0 JkLogStampFormat \"[%a %b %d %H:%M:%S %Y]\"\n\u00a0\u00a0\u00a0 # JkOptions indicate to send SSL KEY SIZE,\n\u00a0\u00a0\u00a0 JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories\n\u00a0\u00a0\u00a0 # JkRequestLogFormat set the request format\n\u00a0\u00a0\u00a0 JkRequestLogFormat \"%w %V %T\"\n\u00a0\u00a0\u00a0 JkMount \/ ajp13\n\u00a0\u00a0\u00a0 JkMount \/* ajp13\n\n[root opt]# vi \/opt\/liferay-6.1.1\/tomcat\/conf\/workers.properties\n\u00a0\u00a0\u00a0 # Define 1 real worker named ajp13\n\u00a0\u00a0\u00a0 worker.list=ajp13\n\u00a0\u00a0\u00a0 worker.ajp13.type=ajp13\n\u00a0\u00a0\u00a0 worker.ajp13.host=localhost\n\u00a0\u00a0\u00a0 worker.ajp13.port=8009\n\u00a0\u00a0\u00a0 worker.ajp13.lbfactor=50\n\u00a0\u00a0\u00a0 worker.ajp13.cachesize=10\n\u00a0\u00a0\u00a0 worker.ajp13.cache_timeout=600\n\u00a0\u00a0\u00a0 worker.ajp13.socket_keepalive=1\n\u00a0\u00a0\u00a0 worker.ajp13.socket_timeout=300<\/pre>\n
[root opt]# vi \/etc\/krb5.conf\n\u00a0\u00a0\u00a0 [libdefaults]\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 default_realm = EXAMPLE.COM\n\n\u00a0\u00a0\u00a0 [realms]\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 EXAMPLE.COM = {\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 kdc = kdc01oel.example.com:88\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 admin_server = kdc01oel.example.com:749\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 default_domain = example.com\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 }\n\n\u00a0\u00a0\u00a0 [domain_realm]\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 .example.com = EXAMPLE.COM\n\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 example.com = EXAMPLE.COM<\/pre>\n[root opt]# kadmin\n Authenticating as principal root\/admin@EXAMPLE.COM with password.\n Password for root\/admin@EXAMPLE.COM:\u00a0 ##Enter here the root admin password##\n\nkadmin:\u00a0 addprinc HTTP\/lif01.example.com@EXAMPLE.COM\n WARNING: no policy specified for HTTP\/lif01.example.com@EXAMPLE.COM; defaulting to no policy\n Enter password for principal \"HTTP\/lif01.example.com@EXAMPLE.COM\":\u00a0 ##Enter a new password for this service account##\n Re-enter password for principal \"HTTP\/lif01.example.com@EXAMPLE.COM\":\u00a0 ##Enter a new password for this service account##\n Principal \"HTTP\/lif01.example.com@EXAMPLE.COM\" created.\n\nkadmin:\u00a0 ktadd -k \/etc\/krb5lif.keytab HTTP\/lif01.example.com@EXAMPLE.COM\n Entry for principal HTTP\/lif01.example.com@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:\/etc\/krb5lif.keytab.\n Entry for principal HTTP\/lif01.example.com@EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:\/etc\/krb5lif.keytab.\n Entry for principal HTTP\/lif01.example.com@EXAMPLE.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:\/etc\/krb5lif.keytab.\n Entry for principal HTTP\/lif01.example.com@EXAMPLE.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:\/etc\/krb5lif.keytab.\n\nkadmin:\u00a0 exit\n\n[root opt]# scp \/etc\/krb5lif.keytab root@lif01.example.com:\/etc\/\n root@lif01.example.com's password:\n krb5lif.keytab [====================================\u203a] 100% 406 0.4KB\/s 00:00\n[root opt]# exit<\/pre>\n
![\"liferay-hook.png\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/liferay-hook.png\" "\\"liferay-hook.png\\"")
<\/a><\/pre>\n # This line defines the new auto login authentication used by Liferay\n\u00a0\u00a0\u00a0 auto.login.hooks=com.liferay.portal.security.auth.KerberosAutoLogin<\/pre>\n
![\"AutoLogin.png\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/AutoLogin.png\" "\\"AutoLogin.png\\"")
<\/a><\/p>\n