Single Sign On With MS Active Directory-TCS

Single Sign on with MS Active Directory-TCS 31/05/2017, 8+24 PM
Temenos Support Forum (/SitePages/tsf.aspx) Portal Help Inlaks
Customer Support Portal

(/SitePages/Home.aspx)
" MENU Entire Site Enter your keywords here !
Single Sign on with MS Active Directory-TCS

Introduction
T24 Browser is a web application used to access T24. GenerallyT24 Browser requires user credentials like username, password to allow a user to log into T24 browser. With
this enhancement, Single Sign on of T24 Browser with Microsoft Active Directory is implemented.
Application Overview
This document is aimed at providing guidance to configure the Tcserver, TCClient for enabling Single Sign On to T24 Browser with Active Directory server.
Note:
We have implemented using ADAM server.
Schema management for ADAM and Active Directory are same.
ADAM supports both X.500-style and Domain Name System (DNS)-style distinguished names for top-level directory partitions.
# (/SitePages/Home.aspx)
Setting up the System
$ (/SitePages/TicketingSystem.aspx )
! Software required:
1. ADAMSP1_x86_English
% (/TCSPProfileCenter/infodefault.aspx)
2. TCServer (latest version 1.5.2 _17)
& (/Support/DashBoard.aspx)
3. BrowserWeb.war
4. Web Server or Application Server
5. JXplorer
TCServer version should be 1.5 and patch version should be greater than the 1.5.2_16
Download ADAM server from the below hyperlink
http://www.microsoft.com/downloads/details.aspx?familyid=9688f8b9-1034-4ef6-a3e5-2a2a57b5c8e4&displaylang=en (http://www.microsoft.com/downloads/details.aspx?
familyid=9688f8b9-1034-4ef6-a3e5-2a2a57b5c8e4&displaylang=en)
Web server or Application Server can be used.
Web Server – Tomcat 6.0
App Server – JBOSS 4.2.3.GA
Installing ADAM
You can install an ADAM instance either by using the Active Directory Application Mode Setup Wizard or by using the ADAM unattended installation process. In the first
exercise, you use the Active Directory Application Mode Setup Wizard to install ADAM.
Note
To install ADAM, you must log on to your computer using an account that belongs to the local Administrators group.
In this exercise, you first install ADAM, and then you install an ADAM instance by using the Active Directory Application Mode Setup Wizard.
To install ADAM
1. To install ADAM, log on as an administrator, click Start, point to Control Panel, and then click Add or Remove Programs.
2. Click Add/Remove Windows Components.
3. Select the check box next to Active Directory Services, and then click Details.
4. Select the check box next to Active Directory Application Mode (ADAM), click OK, and then clickNext.
5. Review the message that appears. Based on the contents of message, do one of the following:
· If the message "You have successfully completed the Windows Component Wizard" appears, clickFinish.
· If an error message appears, make a note of the error, click Finish, and then review the ADAM event messages in Event Viewer.
To install an ADAM instance by using the Active Directory Application Mode Setup Wizard
1. To start the Active Directory Application Mode Setup Wizard, click Start, point to All Programs, point toADAM, and then click Create an ADAM instance. The first page of
the Active Directory Application Mode Setup Wizard looks like the following:
Was this page helpful? Yes No
https://tcsp.temenos.com/HowTo/SingleSignon.aspx Page 1 of 24
2. On the Welcome to the Active Directory Application Mode Setup Wizard page, click Next.
3. On the Setup Options page, you can choose whether to install a unique ADAM instance or join an existing configuration set. Because you are installing the first ADAM
instance, click A unique instance (as shown in the following), and then click Next. Later, you will create additional ADAM instances and join them in a configuration set.
4. On the Instance Name page, provide a name for the ADAM instance that you are installing. This name is used on the local computer to uniquely identify the ADAM
instance. For this exercise, simply accept the default name of instance1, and then click Next.
5. On the Ports page, specify the communications ports that the ADAM instance uses to communicate. ADAM can communicate using both LDAP and Secure Sockets
Layer (SSL); therefore, you must provide a value for each port. For this exercise, accept the default values of 389 and 636, and then click Next.
Note
If you install ADAM on a computer where either of the default ports is in use, the Active Directory Application Mode Setup Wizard automatically locates the first available
port, starting at 50000. For example, Active Directory uses ports 389 and 636, as well as ports 3268 and 3269 on global catalog servers. Therefore, if you install ADAM on a
domain controller, the Active Directory Application Mode Setup Wizard provides a default value of 50000 for the LDAP port and 50001 for the SSL port.
6. On the Application Directory Partition page, you can create an application directory partition (or naming context) by clicking Yes, create an application directory
partition. Or, you can click No, do not create an application directory partition, in which case you must create an application directory partition manually after
installation. For this exercise, click Yes, create an application directory partition. When you create an application directory partition, you must provide a distinguished
name for the new partition. For this exercise, type O=Temenos,C=IN as the distinguished name (as shown below), and then click Next.
Note
ADAM supports both X.500-style and Domain Name System (DNS)-style distinguished names for top-level directory partitions.
7. On the File Locations page, you can view and change the installation directories for ADAM data and recovery (log) files. By default, ADAM data and recovery files are
installed in %ProgramFiles%\Microsoft ADAM\instancename\data, where instancename represents the ADAM instance name that you specify on theInstance Name page.
For this exercise, click Next to accept the default file locations.
Important
When installing ADAM on a computer running Windows XP, you must install these files on the same logical volume. When installing ADAM on Windows Server 2003 and
Windows Server 2003 R2 in a production environment, it is recommended that you install the files on separate physical disks.
Note
ADAM setup installs program files and administration tools in %windir%\ADAM.
8. On the Service Account Selection page, you select an account to be used as the service account for ADAM. The account that you select determines the security context
in which the ADAM instance runs. Unless you are installing ADAM on a domain controller, the Active Directory Application Mode Setup Wizard defaults to the Network
Service account. For this exercise, click Next to accept the Network service accountdefault. Or, if you are installing ADAM on a domain controller, click This account, and
then select a domain user account to use as the ADAM service account.
adam-sbs-09s
Note
You can change the ADAM service account after ADAM is installed by using the Dsmgmt command-line tool. When you install ADAM on a domain controller, you must
select a domain user account as the ADAM service account.
9. On the ADAM Administrators page, you select a user or group to become the default administrator for the ADAM instance. The user or group that you select will have
full administrative control of the ADAM instance. By default, the Active Directory Application Mode Setup Wizard specifies the currently logged on user. You can change this
selection to any local or domain account or group on your network. For this exercise, click the default value of Currently logged on user, and then click Next.
10. On the Importing LDIF Files page, you can import into the ADAM schema two .ldf files containinguser class object definitions. Importing these user class object
definitions is optional. However, these object definitions are required later in this guide so, you should import these definitions now:
a. Click Import the selected LDIF files for this instance of ADAM.
b. Click MS-InetOrgPerson.LDF, and then click Add.
c. Click MS-User.LDF, and then click Add.
d. Click MS-UserProxy.LDF, click Add, and then click Next.
11. The Ready to Install page gives you an opportunity to review your installation selections. After you click Next, the Active Directory Application Mode Setup Wizard
begins copying files and setting up ADAM on your computer.
12. When the Active Directory Application Mode Setup Wizard finishes installing ADAM, it displays this message: "You have successfully completed the Active Directory
Application Mode Setup Wizard." When theCompleting the Active Directory Application Mode Setup Wizard page appears, click Finish to close the wizard.
Note
If the Active Directory Application Mode Setup Wizard does not complete successfully, an error message describing the reason for the failure appears on the Summary
page.
If an error occurs in the Active Directory Application Mode Setup Wizard before the Summary page, you can review the error message that appears. In addition, you can
click Start, click Run, and type either of the following:
%windir%\Debug\adamsetup.log
%windir%\Debug\adamsetup_loader.log
The Adamsetup.log and Adamsetup_loader.log files contain information that can help you troubleshoot the cause of an ADAM setup failure.
Creating Admin user in ADAM server:

After installing ADAM, create an admin user in the ADAM server. This user will be added to the administrator member and will be used in all ADAM transaction such as
adding, deleting , searching users in ADAM.
Click Start-> All Program ->ADAM->ADAM ADSI EDIT
A new window will appear, connect to the newly created ADAM instance.
In the Connection Settings, Give a name for your Connection eg: T24R09
Server Name : localhost or IP address of the ADAM server
Port: 389 (port mentioned during the installation)
Distinguished Name: Partition Name mentioned during installation
Click Ok to connect to the newly created ADAM instance.
Select your root DN (partition) right click on it , click new -> object .
Create an object CN=USERS of type "container" under your DN
Under CN=USERS, create an object CN=DAS001 of type "user".
Select your group CN=USERS, right click on the newly created user and click on reset Password
Remember the password as it will be used to log into the ADAM server programmatically.
Note:
Don't mention CN=DAS001, mention your name alone like DAS001.
The name can be anything.
If you don't see object type user, then you have not loaded the inetOrgPwerson.ldf file during instance creation.
Now add this newly created user CN=DAS001,CN=USERS,O=Temenos,C=IN as a member of administrator.
Explore your rootDN. click CN=Roles select CN=Administartors right click on it and choose properties.
In the listed properties, select member property and edit. New window will appear .
Choose "Add ADAM Account" and add the newly created user (CN=DAS001,CN=USERS,O=Temenos,C=IN) in the text box and click OK.
You can able to see the newly created user added as an administrator.
Admin user successfully created.
Admin user Test:

Install Jxplorer in your system.
JXplorer is a Java browser designed specifically to interact with the LDAP server.
Install JXplorer.exe in your system .Go by default installation location. Start JXplorer by double click on the Jxplorer.bat (<JXPLORER installation>\JXplorer), you will get a
screen similar to screen shot below.
Base DN: Partition Name
User DN: CN=DAS001,CN=USERS,O=Temenos,C=IN
Password: <Admin password >
Mention all other parameters like Host, port information and click OK. You should successfully get connected to the ADAM instance
T24 Schema:
For storing T24 user records in the ADAM ldap server, import the below ldf file into your ADAM instance.
For importing the ldf file, click Start->All Program->ADAM->choose ADAM Tools Command Prompt.
Copy the above ldf file into C:\Windows\ADAM location.
Type the command and import the ldf file into your ADAM server instance.
Note:
If any problem faced during importing the ldf file, get the latest version and try again.
Now you can check in your ADAM instance whether you got the T24 attributes and objects.
Go To Adam ADSI Edit, select the context, right click connect to. Mention the below parameters and check for the existence of T24 attributes and objects in ADAM server.
In addition to these attributes and objects, One attribute named uniqueMember and Object groupofUniqueNames need to be created.
To create a new attribute, use mmc tool.
mmc- Microsoft Management Console
click Start -> select run ->type mmc in the text box click ok.
A new window will be opened with name console1.click File->click Add/Remove snap in
Click "Add" button in Add/Remove Snap-in window.
Select and add ADAM schema from Add Standalone Snap-in . Close the window after adding it.
Click Ok in Add/Remove Snap-in window.
Now you will get your ADAM Schema in your Console Root. Connect to your ADAM server to create attribute and Objects. Select ADAM Schema, right click choose Change
ADAM server.
Enter your Server name (IP address) and port number of your ADAM server and click OK.
After connecting to your ADAM instance, explore the tree and have a look at the available objects and attributes. First you need to create attribute named uniqueMember.
Select Attribute, right click and choose create.
Enter the below details for attribute "uniqueMember" in create New Attribute window. After entering the details click OK.
Create a Object "groupOfUniqueNames"
Enter the following details in "Create New Schema Class" and click next
Enter the attribute details, click Add button of Optional, select uniqueMember from the "select Schema Object" and click Ok. uniqueMember will be added as an attribute
to the object.
Similarly add attribute "o" to the object groupOfUniqueNames.
Click Finish to create object.
Now check ADAM server for all the T24 objects and attributes.
Now you can store T24 users in the ADAM server.
TCSERVER CONFIGURATION:
Things need to be configured in TCServer for LDAP directory server
1. CLASSPATH entry in .profile
2. Adding JAVA System Properties in .profile
3. Configuring TCServer jaas.config($HOME/tcserver/conf/jaas.config)
4. Configuring ldapMappingConfiguration.properties
($HOME/tcserver/conf/ ldapMappingConfiguration.properties)
5. Configuring EB.LDAP.PARAMETER application
6. Creating Users in T24 server and ADAM server.
7. Configuring tcserver.xml ($HOME/tcserver/conf/TCServer/tcserver.xml)
T24 - CLASSPATH:
Before adding class path entries to the T24 environment, ensure you got the below three jar files in
$HOME/tcserver/lib directory. Then add CLASSPATH entry to point to the following jar files.
1. tcsecurity.jar
2. tcommon.jar
3. log4j-1.2.9.jar
4. bcprov-jdk14-133.jar
T24 - SYSTEM PROPERTIES:

Next we need to add JAVA System Properties to the T24 environment. We can make use JBCJVMOPT to add these entries Add the below JBCJVMOPT ions to the .profile file.
JBCJVMOPT1=-Djava.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
JBCJVMOPT2=-Djava.naming.provider.url=ldap://<LDAP SERVER IP ADDRESS>:<port no>
T24 – JAAS.CONFIG
jaas.config is a configuration file used by TCServer to get the LDAP server information.
Change the impersonnate block alone in jaas.config to match your LDAP server.
Ldap server ip address – you can get the IP address and port number from slapd.bat for openldap server
impersonnate {
com.temenos.tocf.security.Authent.module.GounLoginModule required debug=true
user.provider.url=
"ldap://<ldap server ip address>:<port no >/uid=devT24,ou=t24,ou=application,o=temenos,c=ch"
ldap.security.credential.type="simple"
ldap.server.url="ldap://< ldap server ip address >:<port no>/"
user.provider.login="cn=TManager,c=ch"
user.provider.password="secret"
};
T24 - ldapMappingConfiguration.properties
Location: <T24HOME>/tcserver/conf/ldapMappingConfiguration.properties
ldapMappingConfiguration.properties file describes the Attributes, Objects, Classes used in LDAP server. This property files describes the schema used in the LDAP
directory server. These values are used by class files of tcsecurity.jar file. Map the value with your LDAP server attribute. The Values are case sensitive, make sure it is
exactly the replica of the below content.
# This file contains mapping for LDAP Server in case
# of the LDAP schema doesn't map the recommended Temenos one
# Restriction T24User need to derived from top ldap object
#Object
ldapObjT24User=t24User
ldapObjT24Dniop=dniop
#Attribute
ldapAttrT24UID= temenosT24UserId
ldapAttrT24SON= temenosT24UserSignOnName
ldapAttrT24PWD= temenosT24UserPassword
ldapAttrT24SYSDN= temenosT24UserCorpDN
ldapAttrT24ProfileName=notUsed
ldapAttrT24ExpirationDate=notUsed
ldapAttrT24DepartmentCode=notUsed
ldapAttrT24Company=temenosT24UserCompany
#Used to create new DN: needed because some directory server doesn't used attribute name but always CN????
ldapIndexT24UID=t24userid
ldapIndexT24Organisation=cn
#Standard Ldap Object
ldapAttrOrganistion=o
ldapAttrUniqueMember=uniquemember
ldapAttrCN=cn
ldapAttrDN=dn
ldapAttrUserPWD=userPassword
ldapAttrUserUID=uid
ldapAttrUserPKCS12=usercertificate;binary
#Configure the caching usage
ldapGounCreation=true
ldapADAM=true
EB.LDAP.PARAMETER:
Create two records in EB.LDAP.PARAMETER application SYSTEM and T24.
T24 users will be created in the LDAP server based on the value of root DN in SYSTEM record.
Screen shot of SYSTEM record is shown. T24 user will be created in the O=Microsoft,C=US branch .
Created T24 user in LDAP server should have entry with USER id and an additional node named dniop.
Additional entry dniop should have a property named "uniqueMember" with value
uniqueMember = <LDAP.DN>, <rootDN of corporate branch>
LDAP.DN – value mentioned while creating user.
rootDN – value of corporate branch mentioned in the root DN field of T24 record in EB.LDAP.PARAMETER application.
EB.LDAP.PARAMETER T24 record represents corporate branch. Root DN value should point your corporate branch.
Note:
Values of HostName, Port, Root.DN , USER.DN ,PASSWORD should map to your LDAP set up.
Reference:
Kindly refer the guide "TC14-install-Security-Service-guide" to create EB.API records for Active Directory.
Creating T24 users in LDAP:

Create T24 user with user id VINOD04
While creating user, mention LDAP.ID to be T24 and LDAP.DN value to be CN=VINOD3
CN=VINOD3 represents corporate user.
Commit and authorise the record.
Check whether you got the user created in LDAP server.
Set the password for the corporate user CN=VINOD03 by right click on the user, choose option Reset Password and enter the new password
Ensure you got the value for all the attributes mentioned in the ldapMappingConfiguration.properties for the T24 user created in ldap server.
ldapAttrT24UID= temenosT24UserId
ldapAttrT24SON= temenosT24UserSignOnName
ldapAttrT24PWD= temenosT24UserPassword
ldapAttrT24SYSDN= temenosT24UserCorpDN
In dniop entry
ldapAttrUniqueMember=uniquemember
T24 – tcserver.xml:
After creating users, configure the tcserver.xml to use impersonation.
Finally tcserver.xml needs to be configured if LDAP directory server is used.
For this, we need to create an ADAPTER, and a LISTENER.
In tcserver.xml
1. you need to add a new tag <SECURITY_CONFIG>in the global part of <TCSERVER>
2. Create a new APAPTER and LISTENER.
<TCSERVER>
<SECURITY_CONFIG><PATH to configured jaas.config></SECURITY_CONFIG>
<ADAPTER id="T24 ">
<MAX_SESSION> 5 </MAX_SESSION>
<MIN_SESSION> 0 </MIN_SESSION>
<TIMEOUT>30</TIMEOUT>
<LOGIN_CONTEXT>impersonnate</LOGIN_CONTEXT>
<STARTIN>/glodev/Pareas/karupiah/TestBase/TestBase.run</STARTIN>
<JBASEPATH>/glosoft/TAFC_R09_GA</JBASEPATH>
<PROGRAM>path to your tss</PROGRAM>
<PARAMETER>OFS SOURCE</PARAMETER>
</ADAPTER>
<LISTENER Name="<any name>" type="tcp" active="true">
<ADAPTERID>T24</ADAPTERID>
<PORT><any port ></PORT>
</LISTENER>
</TCSERVER>
TCCLIENT CONFIGURATION:
Things need to be configured in TCClient for LDAP directory server
1. Configuring TCClient jaas.config(<WEBSERVERHOME>/webapps/BrowserWeb/WEB-INF/conf/jaas.config)
2. Configuring channels.xml
(WEBSERVERHOME/webapps/BrowserWeb/WEB-INF/conf/channels.xml)
TCC – JAAS.CONFIG:
jaas.config is a configuration file used by TCClient to communicate with the LDAP server information.
Change the information in jaas.config to match your LDAP server.
login {
com.temenos.tocf.security.Authent.module.TClientLDAPLoginModule required debug="true"
ldap.security.credential.type = "simple"
user.provider.url="ldap://<IP ADDRESS : PORT NO>/<corporate branch root DN>"
user.provider.login="cn=TManager,c=ch"
user.provider.password="secret"
ldap.server.url="ldap://<IP ADDRESS : PORT NO>/"
};
TCC – CHANNELS.XML:
Channels.xml will be used by TCClient to communicate with T24 server on external user login.
Add SECURITY_CONFIG tag to the root CHANNELS tag.
Add LOGIN_CONTEXT tag with "login" as the value .
Web server will use this SECURITY_CONFIG and LOGIN_CONTEXT value to identify to locate jaas.config .
<CHANNELS>
<SECURITY_CONFIG>WEBSERVERHOME\webapps\BrowserWeb\WEB-INF\conf\jaas.config</SECURITY_CONFIG>
<CHANNEL>
<NAME>browser.1</NAME>
<LOGIN_CONTEXT>login</LOGIN_CONTEXT>
<TIMEOUT>120</TIMEOUT>
<ADAPTER>
<TYPE>tcp</TYPE>
<PORT><!—PORT NUMBER --></PORT>
<SUPPLIER>
<INITIATOR>
<HOSTNAME><!—SERVER IP ADDRESS ></HOSTNAME>
</INITIATOR>
</SUPPLIER>
<CONSUMER>
<MAX_SESSION>5</MAX_SESSION>
<ACCEPTOR>
<BACKLOG>30</BACKLOG>
</ACCEPTOR>
</CONSUMER>
</ADAPTER>
</CHANNEL>
</CHANNELS>
Configuring Authentication in Tomcat and JBOSS server:

The purpose of the JNDIRealm implementation is to provide a mechanism by which web servers can acquire information needed to authenticate web application users,
and define their security roles, from a directory server or other service accessed via JNDI APIs.
JNDIRealm configuration should be done in server.xml. Configure the realm definition inside the engine root tag. Comment the other realm configuration definition in your
server.xml file.
JNDIRealm configuration will go in hand with BASIC or FORM authentication, to authenticate the users against the directory servers configured using the Realm definition.
JNDIRealm is an implementation of the Tomcat 6 Realm interface that looks up users in an LDAP directory server accessed by a JNDI provider (typically, the standard LDAP
provider that is available with the JNDI API classes).
connectionURL = Directory Server name or IP address
connectionName = Admin user of the LDAP server
conectionPassword = Password of the admin user
userBase = The base element for user searches performed using the userSearch expression
userSearch = The LDAP filter expression to use when searching for a user in the directory.{0} is the placeholder will be replaced by the username typed in the FORM or
BASIC authentication screens.
userRoleName=Access to T24 Browser is restricted to users(Corporate Branch) belong to the department "t24user".
Note:
userRoleName="department"
department property can be changed to any valid attribute.
In our case we don't have "role" attribute for corporate entries, so we have used an arbitrary attribute "department".
Refer the below hyperlink for complete configuration of JNDI Realm
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm (http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm)
The below configuration will authenticate the users against their corporate branch.
TOMCAT 6.0:
Configure the server.xml with this realm definition in this location of your <Tomcat_home>/conf/server.xml Tomcat
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldap://10.92.3.59:389"
connectionName="CN=DAS001,CN=USERS,O=Temenos,C=IN"
connectionPassword="example"
userBase="O=Temenos,C=IN"
userSearch="(cn={0})"
/>
JBOSS:
The same can be done in JBOSS server in this location
<JBOSS_SERVER>\server\default\deploy\jboss-web.deployer\server.xml
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldap://10.92.3.59:389"
connectionName="CN=DAS001,CN=USERS,O=Temenos,C=IN"
connectionPassword="example"
userBase="O=Temenos,C=IN"
userSearch="(cn={0})"
/>
In addition to this configuration, configure login-config.xml file in the location
<JBOSS_HOME>\server\default\conf\login-config.xml
<application-policy name = "other">
<authentication>
<login-module code = "com.temenos.tocf.security.Authent.module.TClientLDAPLoginModule"
flag = "required" >
<module-option name="user.provider.url">ldap://10.92.3.59:389/O=Temenos,C=IN</module-option>
<module-option name="ldap.security.credential.type">simple</module-option>
<module-option name="user.provider.login">CN=DAS001,CN=USERS,O=Temenos,C=IN</module-option>
<module-option name="user.provider.password">example</module-option>
<module-option name="ldap.server.url">ldap://10.92.3.59:389/</module-option>
</login-module>
</authentication>
</application-policy>
Linking corporate users and T24 users:

Corporate users and T24 users resides in two different branches.
User access T24 Browser, will enter the corporate credentials in the login screen.
When creating T24 users using USER application, mention the LDAP.DN information to be corporate user DN.
Example:
Corporate user: CN=Administrator, CN=ASIA,CN=temenosgroup,CN=COM
While creating a T24 user for this administrator, mention the LDAP.DN to be CN=Administrator.
External Identity Role Definition:

Before creating T24 user in the LDAP, create external identity users in the corporate branch.
Select your corporate branch, create a user.
After creating, right click on the created user, select properties.
Set a password for your newly created user. You will be entering this Password when you log into the T24 Browser.
Edit the property department and mention the value to be "t24user"
If the external identity user doesn't have the value "t24user", T24 access will be denied.
"t24user" is the user's role restricted in accessing the T24 Browser. This value is configurable.
When changing the value, change the value in <role-name> tag of <security-role> and <auth-constraint> tag of web.xml.
<security-role>
<role-name>t24user</role-name>
</security-role>
<auth-constraint>
</auth-constraint>
Note:
Here we have used "department" property since ADAM does not have "role" property for users.
Configuring Browser Web:

Configure the T24 Browser Web application to enable Single sign On with Active directory.
BASIC or FORM authentication can be enabled for single sign on with active Directory.
BASIC Authentication:
Remove the comments from the web.xml of BrowserWeb

FORM Authentication:
Remove the comments from the web.xml of BrowserWeb

Remove the comment on the error page tag. This change is common for both BASIC and FORM authentication.
<!—
<error-page>
<exception-type>com.temenos.t24browser.exceptions.GenericAuthenticationException</exception-type>
<location>/jsps/customMessage.jsp</location>
</error-page>
-->
Request will be intercepted by the filter GenericWebAuthenitcationFilter.java, uncomment the filter and filter-mapping definition of GenericWebAuthenitcationFilter.java

With the changes, the T24 Browser request will be intercepted by the filter and single sign on will be enabled.
ldap.config is a property file located in BrowserWeb/ WEB-INF/conf folder used by the filter to create the DN.
CN=<userid>,<root DN of corporate branch>
<userid> will be replaced by username
Mention the location of ldap.config file in the system property.
Property Name: ARC_CONFIG_PATH
Property Value: <server home >/webapps/BrowserWeb/WEB-INF/conf/ldap.config
Single Sign on using BASIC Authentication:

We need to login to T24 using T24 Browser with single sign on mechanism.
Configure the web.xml based on the instruction above.
Type the url in the address bar of any browser, new login screen will pop up
Enter the corporate credentials for the user VINOD3 and click OK.
Since its first time login, you need to change the T24 password. Change the password and click the go button.
You will be directed to the home page of T24 browser.
Single sign on with FORM authentication:

Similarly configure the web.xml to enable FORM based authentication.
Type the url to access T24 Browser.
New FORM login page will be displayed, enter the corporate credentials click sign in button. you will logged into the T24.
If the credentials are wrong error page will displayed.
COPYRIGHT © 2016 TEMENOS HEADQUARTERS SA

(http://www.temenos.com/)
Best viewed in Internet Explorer 10 & above

Single Sign On With MS Active Directory-TCS

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Single Sign On With MS Active Directory-TCS

Hochgeladen von

Copyright:

Verfügbare Formate

Single Sign on with MS Active Directory-TCS 31/05/2017, 8+24 PM

Temenos Support Forum (/SitePages/tsf.aspx) Portal Help Inlaks

Customer Support Portal

" MENU Entire Site Enter your keywords here !

Single Sign on with MS Active Directory-TCS

We have implemented using ADAM server.

Schema management for ADAM and Active Directory are same.

Download ADAM server from the below hyperlink

Web server or Application Server can be used.

Web Server – Tomcat 6.0

App Server – JBOSS 4.2.3.GA

2. Click Add/Remove Windows Components.

Was this page helpful? Yes No

ADAM setup installs program ﬁles and administration tools in %windir%\ADAM.

b. Click MS-InetOrgPerson.LDF, and then click Add.

c. Click MS-User.LDF, and then click Add.

d. Click MS-UserProxy.LDF, click Add, and then click Next.

Creating Admin user in ADAM server:

Click Start-> All Program ->ADAM->ADAM ADSI EDIT

Server Name : localhost or IP address of the ADAM server

Port: 389 (port mentioned during the installation)

Distinguished Name: Partition Name mentioned during installation

Click Ok to connect to the newly created ADAM instance.

Create an object CN=USERS of type "container" under your DN

Under CN=USERS, create an object CN=DAS001 of type "user".

Don't mention CN=DAS001, mention your name alone like DAS001.

The name can be anything.

Now add this newly created user CN=DAS001,CN=USERS,O=Temenos,C=IN as a member of administrator.

Admin user successfully created.

Admin user Test:

Base DN: Partition Name

User DN: CN=DAS001,CN=USERS,O=Temenos,C=IN

Password: <Admin password >

Copy the above ldf ﬁle into C:\Windows\ADAM location.

To create a new attribute, use mmc tool.

mmc- Microsoft Management Console

Click "Add" button in Add/Remove Snap-in window.

Click Ok in Add/Remove Snap-in window.

Create a Object "groupOfUniqueNames"

Similarly add attribute "o" to the object groupOfUniqueNames.

Click Finish to create object.

Now you can store T24 users in the ADAM server.

1. CLASSPATH entry in .proﬁle

2. Adding JAVA System Properties in .proﬁle

3. Configuring TCServer jaas.config($HOME/tcserver/conf/jaas.config)

5. Conﬁguring EB.LDAP.PARAMETER application

6. Creating Users in T24 server and ADAM server.

7. Conﬁguring tcserver.xml ($HOME/tcserver/conf/TCServer/tcserver.xml)

T24 - SYSTEM PROPERTIES:

JBCJVMOPT2=-Djava.naming.provider.url=ldap://<LDAP SERVER IP ADDRESS>:<port no>

com.temenos.tocf.security.Authent.module.GounLoginModule required debug=true

"ldap://<ldap server ip address>:<port no >/uid=devT24,ou=t24,ou=application,o=temenos,c=ch"

ldap.server.url="ldap://< ldap server ip address >:<port no>/"

# This ﬁle contains mapping for LDAP Server in case

# of the LDAP schema doesn't map the recommended Temenos one

# Restriction T24User need to derived from top ldap object

#Standard Ldap Object

#Conﬁgure the caching usage

uniqueMember = <LDAP.DN>, <rootDN of corporate branch>

LDAP.DN – value mentioned while creating user.

Creating T24 users in LDAP:

CN=VINOD3 represents corporate user.

Commit and authorise the record.

Conﬁguring Authentication in Tomcat and JBOSS server:

Linking corporate users and T24 users:

External Identity Role Deﬁnition:

Conﬁguring Browser Web:

Single Sign on using BASIC Authentication:

Single sign on with FORM authentication: