Infrastructure at your Service

Middleware Team

Documentum upgrade project: Configuring NTLM SSO for D2 3.1 SP1

The Documentum D2 3.1 SP1 release is a mix of D2 4.1 APIs (using D2FS in the backend) and the D2 3.1 front-end. For SSO to work fully, the configuration has to be applied for D2 3.1 as well as for D2FS. For D2FS, the same configuration applies whether you use NT LAN Manager (NTLM) or Kerberos authentication.

If you want to implement Kerberos Single Sign On instead of NTLM, have a look at this blog post: https://www.dbi-services.com/index.php/blog/entry/kerberos-sso-with-documentum-d2-31-sp1

1. NTLM configuration for D2 3.1 SP1

The D2 3.1 documentation explains how to configure NTLM for D2 3.1 SP1.
Referring to the D2 3.1 installation guide, you can see the following:

Locate the file « shiro.ini » used by D2 applications and add the following lines:

[main]
D2-NTLM=eu.c6.d2.web.filters.authc.D2NtlmHttpAuthenticationFilter
D2-NTLM.domainController=<domain controller>
D2-NTLM.domainName=<domain name>
D2-NTLM.domainUser=<domain user to authentify>
D2-NTLM.domainPassword=<user’s password>
D2-NTLM.docbases=<docbase1,superUser1,password1,domain1|docbase2,…>

[urls]
/** = D2-NTLM

“docbaseX”: corresponds to a docbase using NTLM
“loginX”: corresponds to a superuser login of “docbaseX”
“passwordX”: corresponds to the encrypted password of the superuser of “docbaseX”.

In our case, the file is located in the following path: <Tomcat root>/webapps/D2-Client/WEB-INF/classes/
At first glance, everything is there. However, some clarifications are very welcome.

About Active directory connection:

  • <domain controller>: enter the IP address of the domain controller.
  • <domain name>: the Active Directory domain. For a user principal name of “InternalDom\userloginname”, write “InternalDom”.
  • <domain user to authentify>: the user name used to authenticate against the domain controller. For a user principal name of “InternalDom\userloginname”, write “userloginname”.

About Documentum repository connection:

  • <docbaseX>: enter the name of the docbase
  • <superUserX>: enter a user name which is a super user for docbaseX
  • <passwordX>: enter the encoded password of that super user

2. NTLM configuration for D2FS

2.1 D2 3.1 SP1

You must be aware – at least since patch 02 for D2 3.1 SP1 – that the way to store the password for the related super user name has changed.
Referring to D2 4.1 installation guide, you can see the following:

If d2fs-trust.properties does not exist, create the file in the webapps/D2/WEB-INF/classes/ folder using a text editor. Open d2fs-trust.properties in the folder webapps/D2/WEB-INF/classes/ and add following lines:

*.user=<administrator user>
*.password=<encoded password>
*.domain=<your domain> [not mandatory]
#or for each repository
<repository>.user=<administrator user>
<repository>.password=<encoded password>
<repository>.domain=<your domain>

  • Repository corresponds to the repository.
  • User and password are the username and password of an inline Super User account in the repository.
  • Domain means the domain of the repository and can be left out for inline accounts.

In our case, the file is located in the following path: <Tomcat root>/webapps/D2-Client/WEB-INF/classes/

Everything is there. However, again, some clarifications are welcome:

  • <repository>: replace it with the name of the docbase.
  • <administrator user>: enter a user name which is a super user for that docbase.
  • <encoded password>: enter the password of the related super user.
  • <your domain>: the Active Directory domain. For a user principal name of “InternalDom\userloginname”, write “InternalDom”.

2.2 D2 3.1 SP1 P02

Since this release of D2, you must store the <encoded password> in the D2 lockbox.
Make sure you have installed the lockbox functionality properly and that it is already working between D2 and its Java Method Server.
Then remove all password-related lines from the d2fs-trust.properties file, which leaves:

*.user=<administrator user>
*.domain=<your domain> [not mandatory]
#or for each repository
<repository>.user=<administrator user>
<repository>.domain=<your domain>

Then, you can execute the following command:

java -classpath "<Tomcat root>\webapps\D2-Client\WEB-INF\lib\*" com.emc.common.java.crypto.SetLockboxProperty <D2 lockbox path> D2FS-trust.<Repository name>.password <user password>

Where:

  • <Tomcat root>: root path of the Tomcat instance
  • <D2 lockbox path>: folder path where the D2.lockbox file is stored
  • <Repository name>: name of the repository
  • <user password>: clear-text password of the super user set up in the d2fs-trust.properties file

Make sure “D2FS” is in uppercase.

3. Working Example with lockbox

We will now look at a working configuration. Obviously, this setup is not the only one that achieves Single Sign On authentication, and you will certainly be able to identify where it can be adapted.

Suppose we have the following environment:
MS domain controller address: “10.0.0.1”
MS domain name: “InternalDomain”
MS domain user principal name: “InternalDomain\DomUser”
MS domain user password: “DomPasswd”

Tomcat root: “C:\Tomcat”
Lockbox file location: “C:\Lockbox\d2.lockbox”

First repository name: “DCTMRepo1”
Second repository name: “DCTMRepo2”

Ensure that you have stopped all D2-Client application instances on the application server, as well as D2-Config.

3.1 Inline super user creation

The user you are going to create must have the following attributes:

– State: Active
– Name: SSOAdmin
– Login Name: SSOAdmin
– Login Domain: InternalDomain
– Password: RepoPasswd
– User Source: Inline Password
– Privileges: Superuser
– Extended Privileges: None
– Client Capability: Consumer

Create this user in every repository. In this example, we take it as given that the same user has been created in both repositories.

3.2 Shiro.ini file content

First, we must encode the password of the MS domain user and the password of SSOAdmin:

java -classpath "C:\Tomcat\webapps\D2-Client\WEB-INF\lib\*" com.emc.d2.api.utils.GetCryptedPassword DomPasswd
UCmaB39fRLM6gRj/Gy3MJA==

java -classpath "C:\Tomcat\webapps\D2-Client\WEB-INF\lib\*" com.emc.d2.api.utils.GetCryptedPassword RepoPasswd
8RLQerkftOBCedjQNEz57Q==

Then, we can fill in the file:

[main]
D2-NTLM=eu.c6.d2.web.filters.authc.D2NtlmHttpAuthenticationFilter
D2-NTLM.domainController=10.0.0.1
D2-NTLM.domainName=InternalDomain
D2-NTLM.domainUser=DomUser
D2-NTLM.domainPassword=UCmaB39fRLM6gRj/Gy3MJA==
D2-NTLM.docbases=DCTMRepo1,SSOAdmin,8RLQerkftOBCedjQNEz57Q==,InternalDomain|DCTMRepo2,SSOAdmin,8RLQerkftOBCedjQNEz57Q==,InternalDomain

[urls]
/** = D2-NTLM

3.3 d2fs-trust.properties file content

DCTMRepo1.user=SSOAdmin
DCTMRepo1.domain=InternalDomain
DCTMRepo2.user=SSOAdmin
DCTMRepo2.domain=InternalDomain

3.4 D2.lockbox password store

java -classpath "C:\Tomcat\webapps\D2-Client\WEB-INF\lib\*" com.emc.common.java.crypto.SetLockboxProperty C:\Lockbox D2FS-trust.DCTMRepo1.password RepoPasswd

java -classpath "C:\Tomcat\webapps\D2-Client\WEB-INF\lib\*" com.emc.common.java.crypto.SetLockboxProperty C:\Lockbox D2FS-trust.DCTMRepo2.password RepoPasswd
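Before restarting, it is worth checking that the three pieces of configuration agree with each other: the docbases listed in shiro.ini, the users and domains in d2fs-trust.properties, and the property names written to the lockbox (with “D2FS” in uppercase). The following Python script is an added example written for this post; it is neither dbi-services' code nor an EMC tool. It parses both files (sample content constructed inline to mirror sections 3.2 and 3.3), reports mismatches such as a key with stray whitespace, a super user that differs between the two files, a domain that differs between the two files, or a password line left behind in d2fs-trust.properties after the move to the lockbox, and returns the lockbox property names that the SetLockboxProperty calls above must create.

```python
"""Cross-check of shiro.ini and d2fs-trust.properties for D2 3.1 SP1 NTLM SSO.
Added example, not dbi-services' or EMC's code. The sample inputs below are
constructed inline and mirror sections 3.2 and 3.3 of the post."""
import re

SHIRO_INI = """
[main]
D2-NTLM=eu.c6.d2.web.filters.authc.D2NtlmHttpAuthenticationFilter
D2-NTLM.domainController=10.0.0.1
D2-NTLM.domainName=InternalDomain
D2-NTLM.domainUser=DomUser
D2-NTLM.domainPassword=UCmaB39fRLM6gRj/Gy3MJA==
D2-NTLM.docbases=DCTMRepo1,SSOAdmin,8RLQerkftOBCedjQNEz57Q==,InternalDomain|DCTMRepo2,SSOAdmin,8RLQerkftOBCedjQNEz57Q==,InternalDomain
[urls]
/** = D2-NTLM
"""

TRUST_PROPERTIES = """
DCTMRepo1.user=SSOAdmin
DCTMRepo1.domain=InternalDomain
DCTMRepo2.user=SSOAdmin
DCTMRepo2.domain=InternalDomain
"""


def parse_ini(text):
    """Parse shiro.ini into {section: {key: value}}, keeping key case."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def parse_properties(text):
    """Parse a Java .properties file (key=value lines, # comments)."""
    props = {}
    for line in (ln.strip() for ln in text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def parse_docbases(value):
    """Split D2-NTLM.docbases into (docbase, superuser, encoded_pw, domain) tuples."""
    return [tuple(f.strip() for f in chunk.split(",")) for chunk in value.split("|")] if value else []


def check_sso_config(shiro_text, trust_text):
    """Return (findings, lockbox property names); an empty findings list means consistent."""
    findings = []
    ini = parse_ini(shiro_text)
    main, urls = ini.get("main", {}), ini.get("urls", {})
    props = parse_properties(trust_text)
    # 1. Filter declared, every URL mapped to it, required keys spelled exactly:
    #    a key such as 'D2- NTLM.docbases' (note the space) does not configure the filter.
    if "D2-NTLM" not in main:
        findings.append("shiro.ini: [main] does not declare the D2-NTLM filter")
    if urls.get("/**") != "D2-NTLM":
        findings.append("shiro.ini: [urls] must contain '/** = D2-NTLM'")
    for key in main:
        if re.search(r"\s", key):
            findings.append("shiro.ini: key %r contains whitespace" % key)
    for suffix in ("domainController", "domainName", "domainUser", "domainPassword", "docbases"):
        if "D2-NTLM." + suffix not in main:
            findings.append("shiro.ini: missing D2-NTLM.%s" % suffix)
    # 2. Each docbase entry has four fields and agrees with d2fs-trust.properties
    #    (a per-repository key takes precedence over the *.key wildcard).
    lockbox_props = []
    for entry in parse_docbases(main.get("D2-NTLM.docbases", "")):
        if len(entry) != 4 or not all(entry):
            findings.append("shiro.ini: malformed docbases entry %r" % (entry,))
            continue
        docbase, superuser, _encoded_pw, domain = entry
        user = props.get(docbase + ".user", props.get("*.user"))
        if user is None:
            findings.append("d2fs-trust.properties: no user configured for %s" % docbase)
        elif user != superuser:
            findings.append("%s: shiro.ini uses %s, d2fs-trust.properties uses %s"
                            % (docbase, superuser, user))
        trust_domain = props.get(docbase + ".domain", props.get("*.domain"))
        if trust_domain is not None and trust_domain != domain:
            findings.append("%s: domain %s in shiro.ini but %s in d2fs-trust.properties"
                            % (docbase, domain, trust_domain))
        # Property the SetLockboxProperty step must create; "D2FS" stays uppercase.
        lockbox_props.append("D2FS-trust.%s.password" % docbase)
    # 3. Since P02 the password lives in the lockbox: any .password line is a leftover.
    for key in props:
        if key.endswith(".password"):
            findings.append("d2fs-trust.properties: remove %s and store it in the lockbox" % key)
    return findings, lockbox_props
```

To run it against a real installation, read shiro.ini and d2fs-trust.properties from <Tomcat root>\webapps\D2-Client\WEB-INF\classes\ and pass their contents to check_sso_config; every finding should be resolved before the D2-Client restart, and the returned property names are exactly the ones to pass to SetLockboxProperty.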

That’s it. Restart the D2-Client application and test it.
Thanks for reading!
