Kerberos with Websphere and Hyperion Shared Services 11.1.1.3

This entry was posted in Kerberos WebSphere Workspace on by
I started writing this blog with so much delight….and then when I was about to complete it….feelings got changed…..

I started experimenting with this (hmmmm…..) an year and half ago….I was stuck at a place where Websphere was not able to recognize the authentication send by the browser…..(Kerberos was not working)…..I tried solving it and it didn’t work at all…..the result….I ended up deleting the VMWare image that I was working……

4 months back I thought why not give it a try again……I got help from someone in the IBM forums and he suggested to change some settings and also made a remark that he has not seen anyone using CAPS in the server name…(My server name was all in CAPS….and the keytab that I generated was also in CAPS….similar setup in Weblogic was working fine and I didnt pay attention to this….).

So I changed the keytab setting and setspn to all LOWER case and all on a sudden Websphere kerberos started working!!!!! (but that was only just the beginning)…..Now to implement KERBEROS with Hyperion…..I had to protect the URLs….(for that I had to explode the war files…..and re-build it back….) All the setup was done and Websphere started delegating the authentication…..

To pass the User name and Password in Shared Services I followed EPM Security document and changed the SSO Settings in Shared Services…..It says to use Custom HTTP Header….but this set-up was not working….and I tried all the combinations….and Get Remote User from HTTP Request started working…..Atlast I now have Shared Services configured with Kerberos on Websphere.

Only issue there is when you try to log-off, this calls redirectToIndex.jsp and this in-turn calls index.jsp and because of the Kerberos you’ll logged in back!!!!…. You can edit the jsp and create an html file called logoff.html….. (I’m going to write a document on this soon.)

Now I’ve to do the same for Workspace…..but none of the options given in the document is working….(REMOTE_USER, HTTP_USER,……). I’ve logged an case with Oracle support….and waiting for their answer…..(Let’s hope they come up with an answer…..and I can complete my document).

If someone in the Internet community has done this….can they please let me know…

About Celvin Kattookaran

I’m an EPM Consultant, my primary focus is on Hyperion Planning and Essbase. Some of you from Hyperion Support team might recognize me or have seen my support articles, I was with the WebAnalysis Support Team. I'm an Independent Consultant with “Intekgrate Corporation” based out of Aurora office. I’m from God’s Own Country (Kerala, India), lived in all southern states of India, Istanbul and Johannesburg (and of course United States). I’m core gamer :) and an avid reader. I was awarded Oracle ACE Director for my contributions towards EPM community.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.