이 콘텐츠는 선택한 언어로 제공되지 않습니다.
6.3. Removing Browser Configuration for Ticket Delegation (For Upgrading from 6.2)
As part of establishing Kerberos authentication, a principal is given a ticket granting ticket (TGT). Whenever that principal attempts to contact a service or application within the Kerberos domain, the service checks for an active TGT and then requests its own service-specific ticket from the TGT for that principal to access that service.
As part of configuring the web browser used to access the IdM web UI (and any other Kerberos-aware web applications), previous versions of Identity Management required that the TGT delegation be forwarded to the IdM server. This required adding the
delegation-uris parameter to the about:config setup in Firefox:
network.negotiate-auth.delegation-uris .example.com
In Red Hat Enterprise Linux 6.3, Identity Management uses the Kerberos Services for User to Proxy (S4U2Proxy), so this additional delegation step is no longer required.
Updating Existing Configured Browsers
For browsers which have already been configured to use the Identity Management web UI, the delegation-uris setting can be cleared after upgrading to ipa-server-3.0.0 or ipa-client-3.0.0.
There is no need to restart the browser after changing the
delegation-uris setting.
Updating configure.jar for New Browser Configuration
The browser configuration is defined in the configure.jar file. This JAR file is generated when the server is installed and it is not updated with other files when IdM is updated. Any browsers configured will still have the delegation-uris parameter set unnecessarily, even after the IdM server is upgraded. However, the configure.jar file can be updated.
The
preferences.html file in configure.jar sets the delegation-uris parameter. The updated preferences.html file can be added to configure.jar, and then configure.jar can be re-signed and re-deployed on the IdM servers.
Note
Only update the
configure.jar file on the initial IdM server. This is the master server, and it is the only server which has a signing certificate. Then propagate the updated file to the other servers and replicas.
- Update the packages on the initial IdM master server (the first instance). This will bring in the 3.0 UI packages, including the
configure.jarfile. - Back up the existing
configure.jarfile.[root@ipaserver ~]# mv /usr/share/ipa/html/configure.jar /usr/share/ipa/html/configure.jar.old
- Create a temporary working directory.
[root@ipaserver ~]# mkdir /tmp/sign
- Copy the updated
preferences.htmlfile to the working directory.[root@ipaserver ~]# cp /usr/share/ipa/html/preferences.html /tmp/sign
- Use the
signtoolcommand (one of the NSS utilities) to add the newpreferences.htmlfile and re-sign theconfigure.jarfile.[root@ipaserver ~]# signtool -d /etc/httpd/alias -k Signing-Cert -Z /usr/share/ipa/html/configure.jar -e ".html" -p `cat /etc/httpd/alias/pwdfile.txt` /tmp/sign
The-eoption tells the tool to sign only files with a.htmlextension. The-Zoption creates a new JAR file. - Copy the regenerated
configure.jarfile to all other IdM servers and replicas.
