Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

6.3. Removing Browser Configuration for Ticket Delegation (For Upgrading from 6.2)

As part of establishing Kerberos authentication, a principal is given a ticket granting ticket (TGT). Whenever that principal attempts to contact a service or application within the Kerberos domain, the service checks for an active TGT and then requests its own service-specific ticket from the TGT for that principal to access that service.
As part of configuring the web browser used to access the IdM web UI (and any other Kerberos-aware web applications), previous versions of Identity Management required that the TGT delegation be forwarded to the IdM server. This required adding the delegation-uris parameter to the about:config setup in Firefox: 
network.negotiate-auth.delegation-uris .example.com
In Red Hat Enterprise Linux 6.3, Identity Management uses the Kerberos Services for User to Proxy (S4U2Proxy), so this additional delegation step is no longer required.
Updating Existing Configured Browsers

For browsers which have already been configured to use the Identity Management web UI, the delegation-uris setting can be cleared after upgrading to ipa-server-3.0.0 or ipa-client-3.0.0.

There is no need to restart the browser after changing the delegation-uris setting.
Updating configure.jar for New Browser Configuration

The browser configuration is defined in the configure.jar file. This JAR file is generated when the server is installed and it is not updated with other files when IdM is updated. Any browsers configured will still have the delegation-uris parameter set unnecessarily, even after the IdM server is upgraded. However, the configure.jar file can be updated.

The preferences.html file in configure.jar sets the delegation-uris parameter. The updated preferences.html file can be added to configure.jar, and then configure.jar can be re-signed and re-deployed on the IdM servers.

Note

Only update the configure.jar file on the initial IdM server. This is the master server, and it is the only server which has a signing certificate. Then propagate the updated file to the other servers and replicas.
  1. Update the packages on the initial IdM master server (the first instance). This will bring in the 3.0 UI packages, including the configure.jar file.
  2. Back up the existing configure.jar file. 
    [root@ipaserver ~]# mv /usr/share/ipa/html/configure.jar /usr/share/ipa/html/configure.jar.old
  3. Create a temporary working directory. 
    [root@ipaserver ~]# mkdir /tmp/sign
  4. Copy the updated preferences.html file to the working directory. 
    [root@ipaserver ~]# cp /usr/share/ipa/html/preferences.html /tmp/sign
  5. Use the signtool command (one of the NSS utilities) to add the new preferences.html file and re-sign the configure.jar file. 
    [root@ipaserver ~]# signtool -d /etc/httpd/alias -k Signing-Cert -Z /usr/share/ipa/html/configure.jar -e ".html" -p `cat /etc/httpd/alias/pwdfile.txt` /tmp/sign
    The -e option tells the tool to sign only files with a .html extension. The -Z option creates a new JAR file.
  6. Copy the regenerated configure.jar file to all other IdM servers and replicas.