Kerberos is a network authentication protocol that uses "tickets" for authentication as an alternative to usernames and passwords. Profound UI supports using Kerberos for single sign-on access.

Info
Setting up Kerberos in your environment is well beyond the scope of this document. You can find instructions on how to set up Kerberos here.

If you use Kerberos in your environment, examples of the directives needed to configure it in Profound UI are already provided in the httpd.conf configuration file of your instance, but they are commented out. To enable Kerberos, open your httpd.conf file for editing. You can do so from a command line by entering:


Code Block
EDTF '/www/profoundui/conf/httpd.conf'

Removing IBM i Profile Authentication Directives

First, you will need to find and comment out the following directives:

...

These directives tell the web server to use IBM i user names and passwords for authentication. These lines can be commented out by inserting the # symbol at the beginning of each line.

Enabling the Kerberos Directives

Next, you will need to find and uncomment the following directives:

Code Block
# Use this section for Kerberos authentication.
#<DirectoryMatch "^/QSYS\.LIB/PROFOUNDUI\.LIB/PUI000(3.{3})\.PGM">
#    Require valid-user
#    AuthType KERBEROS
#    PasswdFile %%KERBEROS%%
#    UserID %%CLIENT%%
#    ProfileToken On
#</DirectoryMatch>

#<LocationMatch "^/profoundui/auth/(.*)">
#    Require valid-user
#    AuthType KERBEROS
#    PasswdFile %%KERBEROS%%
#    UserID %%CLIENT%%
#    ProfileToken On
#</LocationMatch>

Lines are uncommented by removing the # symbols before each line. Be sure to leave any comments commented out, though, so they do not cause errors in the configuration. The first line of the above code block is a comment and should remain commented out.

Tip
The <LocationMatch> directive above matches only URLs with /auth/ in the path. You may need or want to change this depending on other configurations and directives you have set. For example, to have Kerberos log your user into Genie automatically, with the above directive set for the server, you'll want your user to go to http://host:port/profoundui/auth/genie. If your user were to navigate to Genie without /auth/ in the URL path, they would be taken to the login screen.
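The following check is an added example, not part of the original page or of Profound UI. It reads httpd.conf text, lists the active containers that set AuthType KERBEROS, flags a container whose closing tag was left commented out, and tests which URL paths the <LocationMatch> pattern covers. The function names are hypothetical, and Python's re module is assumed to behave like the web server's regex engine for these simple patterns.

```python
import re

# Constructed sample: the page's Kerberos block after uncommenting (first line stays a comment).
SAMPLE_CONF = r'''
# Use this section for Kerberos authentication.
<DirectoryMatch "^/QSYS\.LIB/PROFOUNDUI\.LIB/PUI000(3.{3})\.PGM">
    Require valid-user
    AuthType KERBEROS
    PasswdFile %%KERBEROS%%
    UserID %%CLIENT%%
    ProfileToken On
</DirectoryMatch>
<LocationMatch "^/profoundui/auth/(.*)">
    Require valid-user
    AuthType KERBEROS
    PasswdFile %%KERBEROS%%
    UserID %%CLIENT%%
    ProfileToken On
</LocationMatch>
'''

OPEN = re.compile(r'^<(DirectoryMatch|LocationMatch)\s+"(.+)">$')

def kerberos_sections(conf_text):
    """Return (active Kerberos containers, containers missing an active close tag)."""
    sections, problems, current = [], [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # commented-out lines are inactive
        m = OPEN.match(line)
        if m:
            if current:  # previous container was never closed
                problems.append(current['kind'])
            current = {'kind': m.group(1), 'regex': m.group(2), 'krb': False}
        elif current and line == '</%s>' % current['kind']:
            if current['krb']:
                sections.append((current['kind'], current['regex']))
            current = None
        elif current and line.upper().split() == ['AUTHTYPE', 'KERBEROS']:
            current['krb'] = True
    if current:
        problems.append(current['kind'])
    return sections, problems

def uses_kerberos(url_path, sections):
    """True if an active Kerberos LocationMatch pattern covers this URL path."""
    return any(kind == 'LocationMatch' and re.search(rx, url_path)
               for kind, rx in sections)
```

Run it against the contents of your own httpd.conf after editing; a non-empty second return value means a container was only partly uncommented.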

...