Configuring Tomcat to enable client systems to connect to Pega Platform

Configure Tomcat with SPNEGO libraries so that client systems can connect to Pega Platform.

SPNEGO libraries are not provided with Pega Robot Manager and you must download them separately.

  1. Create the login.conf and krb5.conf files and place them in the Tomcat bin folder.

  2. Download the spnego-r7.jar file from the SourceForge website and copy it to the prweb/WEB-INF/lib folder of the Tomcat deployment.

  3. Modify the web.xml file so that the SPNEGO filter intercepts the REST endpoints that Pega Robot Runtime and Pega Robot Studio call on the Pega Platform server, which enables Negotiate (Kerberos) authentication for those RPA calls.

    Use <filter-mapping> tags only for the endpoints (requested URLs) that belong to the api and SSO service packages.

    If Kerberos negotiation fails, the filter falls back to Basic authentication when spnego.allow.basic is true, and with spnego.allow.unsecure.basic set to true it accepts Basic credentials over plain HTTP as well. Because that fallback applies to every request the filter intercepts, a <filter-mapping> that matches all incoming traffic is a generic way to protect the whole server, but it also exposes every mapped URL to password-based fallback. Map only the endpoints that need SSO, keep spnego.allow.unsecure.basic false unless the server is only reachable over TLS, and enable spnego.allow.delegation only if the server must forward the caller's Kerberos credentials to another service. The filter does not validate NTLM tokens; spnego.prompt.ntlm controls whether a client that sends one is re-challenged with Basic instead of being rejected.

  4. Add the following code to the web.xml file to intercept the endpoints of the api and roboticsSSO service packages. Replace the placeholder values with your own: the spnego-client and spnego-server JAAS module names, and the pre-authentication user name and password if you are not using a keytab (see step 5).

    <filter>
      <filter-name>SpnegoHttpFilter</filter-name>
      <filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>
      <init-param>
        <param-name>spnego.allow.basic</param-name>
        <param-value>true</param-value>
      </init-param>
      <init-param>
        <param-name>spnego.allow.localhost</param-name>
        <param-value>true</param-value>
      </init-param>
      <init-param>
        <param-name>spnego.allow.unsecure.basic</param-name>
        <param-value>true</param-value>
      </init-param>
      <init-param>
        <param-name>spnego.login.client.module</param-name>
        <param-value>spnego-client</param-value>
      </init-param>
      <init-param>
        <param-name>spnego.krb5.conf</param-name>
        <param-value>krb5.conf</param-value>
      </init-param>
      <init-param>
        <param-name>spnego.login.conf</param-name>
        <param-value>login.conf</param-value>
      </init-param>
      <init-param>
        <param-name>spnego.allow.delegation</param-name>
        <param-value>true</param-value>
      </init-param>
      <init-param>
        <param-name>spnego.preauth.username</param-name>
        <param-value>username</param-value>
      </init-param>
      <init-param>
        <param-name>spnego.preauth.password</param-name>
        <param-value>password_for_pre_auth_user</param-value>
      </init-param>
      <init-param>
        <param-name>spnego.login.server.module</param-name>
        <param-value>spnego-server</param-value>
      </init-param>
      <init-param>
        <param-name>spnego.prompt.ntlm</param-name>
        <param-value>true</param-value>
      </init-param>
      <init-param>
        <param-name>spnego.logger.level</param-name>
        <param-value>1</param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>SpnegoHttpFilter</filter-name>
      <url-pattern>/PRRestService/roboticsSSO/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
      <filter-name>SpnegoHttpFilter</filter-name>
      <url-pattern>/api/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
      <filter-name>SpnegoHttpFilter</filter-name>
      <url-pattern>*.jsp</url-pattern>
    </filter-mapping>
    <login-config>
      <auth-method>SPNEGO</auth-method>
    </login-config>

  5. Configure the pre-authentication user credentials by doing one of the following actions:

    1. Modify the web.xml file and provide the user name and password of the account that owns the SPN in the following parameters. Note that this stores a domain password in clear text in web.xml, so restrict file permissions on it to the Tomcat service account.

      <init-param>
        <param-name>spnego.preauth.username</param-name>
        <param-value>username_of_pre_auth_user</param-value>
      </init-param>
      <init-param>
        <param-name>spnego.preauth.password</param-name>
        <param-value>password_for_pre_auth_user</param-value>
      </init-param>
    2. Modify the spnego-server module in the login.conf file to provide information about the .keytab file.

      For more information, see step 6.c.
  6. Configure the login.conf file by performing the following actions:

    1. Add the following text to the login.conf file. Both entries use the JDK Kerberos login module, com.sun.security.auth.module.Krb5LoginModule; the server entry is a non-initiator (it accepts tickets rather than requesting them) and stores the key it obtains so the filter can validate incoming service tickets:

      spnego-client {
        com.sun.security.auth.module.Krb5LoginModule required;
      };
      spnego-server {
        com.sun.security.auth.module.Krb5LoginModule required
          useKeyTab=false
          storeKey=true
          debug=true
          isInitiator=false;
      };

      Set debug=false once the configuration works; the debug output includes principal names and ticket details.
    2. Make the spnego-client and spnego-server entry names match the values that you provided for the following two parameters in the web.xml file in step 4:

      <init-param>
        <param-name>spnego.login.client.module</param-name>
        <param-value>spnego-client</param-value>
      </init-param>
      <init-param>
        <param-name>spnego.login.server.module</param-name>
        <param-value>spnego-server</param-value>
      </init-param>
    3. To authenticate the server with a keytab instead of the pre-authentication password from step 5, set the following options in the spnego-server entry:

      • useKeyTab=true
      • keyTab=C:\KerbServ_SPN.keytab, where C:\KerbServ_SPN.keytab is the name and location of the .keytab file.

      The keytab contains the long-term key of the SPN account, so restrict read access on it to the Tomcat service account.
    4. Configure the krb5.conf file to identify the Kerberos realm and the AD DS domain controller that runs the Kerberos Key Distribution Center (KDC) service. In the following text, replace DOMAINNAME.COM with the name of the Kerberos realm (the domain over which Kerberos can authenticate users; by convention the realm is the DNS domain name in upper case), domainname.com with the DNS domain name in lower case, and KDCMACHINEIP with the IP address or host name of the AD DS domain controller.

      [libdefaults]
        default_realm = DOMAINNAME.COM
        default_tkt_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac aes128-cts-hmac-sha1-96 aes128-cts
        default_tgs_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac aes128-cts-hmac-sha1-96 aes128-cts
        permitted_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac aes128-cts-hmac-sha1-96 aes128-cts

      [realms]
        DOMAINNAME.COM = {
          kdc = KDCMACHINEIP:88
          default_domain = DOMAINNAME.COM
        }

      [domain_realm]
        .domainname.com = DOMAINNAME.COM
        domainname.com = DOMAINNAME.COM

      The encryption type lists above include DES and RC4 (arcfour-hmac) for compatibility with older domains. Current JDKs refuse the des-* types unless allow_weak_crypto = true is set, and both DES and RC4 are considered weak, so where the SPN account supports AES, list only aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 and make sure the account's msDS-SupportedEncryptionTypes attribute permits them.
    After setup is complete, verify that Pega Platform is configured for SSO using Kerberos by checking the request that a client system sends to Pega Platform: its Authorization header must start with Negotiate followed by a base64-encoded SPNEGO token that carries the Kerberos service ticket. Such a token decodes to a GSS-API initial context token (first byte 0x60 followed by the SPNEGO OID 1.3.6.1.5.5.2), so the base64 text typically starts with YII. If the text after Negotiate starts with TlRMTVNT instead, the client sent an NTLM token rather than a Kerberos ticket, which usually means the SPN for the Pega Platform server is not registered or the client could not obtain a ticket for it.
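As an added example (not part of the Pega documentation and not code from the spnego-r7 library), the following Python script performs the header check above on captured Authorization values and models the fallback decisions that the init-params spnego.allow.basic, spnego.allow.unsecure.basic and spnego.prompt.ntlm express. The sample headers are constructed (the SPNEGO token is a truncated stand-in), and the decision table is an assumption about how such a filter should behave, not the library's actual source.

```python
"""Classify HTTP Authorization headers seen at a SPNEGO-protected endpoint and
apply the fallback policy implied by the web.xml init-params.

Added illustration for the Pega/Tomcat SPNEGO setup; not spnego-r7 code.
"""
import base64
import binascii
from dataclasses import dataclass

# DER-encoded OIDs that follow the 0x60 tag of a GSS-API initial context token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2 (SPNEGO)
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2 (Kerberos V5)
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                    # prefix of every NTLM message


@dataclass(frozen=True)
class FilterPolicy:
    """The three init-params that control what happens when Kerberos is not used."""
    allow_basic: bool = True            # spnego.allow.basic
    allow_unsecure_basic: bool = False  # spnego.allow.unsecure.basic
    prompt_ntlm: bool = True            # spnego.prompt.ntlm


def classify_authorization(header):
    """Return 'kerberos', 'ntlm', 'basic', 'none' or 'unknown' for a raw header value."""
    if not header or not header.strip():
        return "none"
    scheme, _, token = header.strip().partition(" ")
    scheme, token = scheme.lower(), token.strip()
    if scheme == "basic":
        return "basic"
    if scheme != "negotiate":
        return "unknown"
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"  # NTLM type-1 message sent under the Negotiate scheme
    # RFC 2743 InitialContextToken: APPLICATION 0 tag (0x60), a DER length, then the mech OID.
    if raw[:1] == b"\x60" and (SPNEGO_OID in raw[:20] or KRB5_OID in raw[:20]):
        return "kerberos"
    return "unknown"


def decide(header, policy, over_tls):
    """Return (action, www_authenticate) for one request.

    'accept_token' -> pass the token to the GSS acceptor (the spnego-server JAAS entry)
    'check_basic'  -> verify the user name and password against the KDC
    '401'          -> challenge again with the returned WWW-Authenticate scheme(s)
    """
    kind = classify_authorization(header)
    negotiate_only = ("401", "Negotiate")
    if kind == "kerberos":
        return ("accept_token", None)
    if kind == "basic":
        if not policy.allow_basic:
            return negotiate_only
        if not over_tls and not policy.allow_unsecure_basic:
            return negotiate_only  # refuse a cleartext password over plain HTTP
        return ("check_basic", None)
    if kind == "ntlm":
        # The filter cannot validate NTLM; with prompt_ntlm it re-challenges with Basic.
        if policy.prompt_ntlm and policy.allow_basic:
            return ("401", "Basic")
        return negotiate_only
    challenges = ["Negotiate"] + (["Basic"] if policy.allow_basic else [])
    return ("401", ", ".join(challenges))


# Constructed sample headers (not captured traffic). The SPNEGO token is truncated:
# a real NegTokenInit also carries the AP-REQ and is several hundred bytes long.
SAMPLE_KERBEROS = "Negotiate " + base64.b64encode(
    b"\x60\x82\x01\x00" + SPNEGO_OID + b"\xa0\x81\xf4").decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00\x07\x82\x08\xa2").decode()
SAMPLE_BASIC = "Basic " + base64.b64encode(b"svc-pega:Passw0rd!").decode()

if __name__ == "__main__":
    for name, header in (("kerberos", SAMPLE_KERBEROS), ("ntlm", SAMPLE_NTLM),
                         ("basic", SAMPLE_BASIC), ("none", None)):
        print(f"{name:8s} {classify_authorization(header):8s} "
              f"{decide(header, FilterPolicy(), over_tls=False)}")
```

Run it as is to see the four sample cases, or feed it a header copied from the Tomcat access log or a proxy. The decision function shows why spnego.allow.unsecure.basic matters: with the default policy a Basic header on a plain-HTTP request is re-challenged rather than checked, so the password never reaches the KDC unencrypted.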

  • Configuring Active Directory to use Kerberos

    After you create the users and systems in an AD domain, register the Pega Platform server and configure service principal names (SPNs) for the service accounts. Kerberos uses SPNs, which uniquely identify service instances, to associate a service with the account under which it logs on; a client can only obtain a Kerberos ticket for the server if a matching SPN is registered.
