Friday, June 14, 2013

Pentaho SSO integration with OWF/CAS

Background: Client's UI application is a dashboard consisting of a banner (with navigation bread crumbs & other controls) that calls into a Pentaho dashboard to render dashboard content below the banner. Their application will then be displayed as a widget within Ozone Widget Framework (OWF).

For their development environment and POC, OWF/CAS needed to be installed. Following the OWF installation guides (shipped with the OWF distribution), we had to create and use a self-signed certificate because they did not have a certificate from a Certificate Authority. The Tomcat for OWF/CAS uses the keystore at $OWF_HOME/certs/keystore.jks, and the self-signed cert is imported into that keystore.

To configure Pentaho, first ensure Pentaho is fully running and operational. OWF/CAS also uses HSQLDB, so there may be a port conflict between the Pentaho HSQLDB and the OWF HSQLDB. The easiest fix, if possible, is to remove the sample data. Follow the instructions on InfoCenter, but also delete the data connection definition within the datasource table. If the datasource is NOT deleted, Tomcat hangs on startup when attempting to connect to HSQLDB: no error message is displayed or written to the log files, and Tomcat never completes startup.

The second step is to configure Pentaho to use SSL. Once again, for this client, we had to use a self-signed certificate. These instructions are also on InfoCenter. After creating and importing the certificate, remember to modify tomcat/conf/server.xml to enable the SSL connector (8443). Once complete, test Pentaho running on 8443.

The third step is to run the Ant script which modifies the Pentaho configuration files to perform SSO via CAS. Before proceeding, make a backup of the Pentaho directory or snapshot the VM. Once again, the steps to switch Pentaho to using CAS are documented on InfoCenter. When specifying the cas.authn.provider property, I used 'memory'. I later modified Pentaho to use JDBC to retrieve user details (authorities).

After starting up, navigating to the PUC should result in a redirect to the CAS login page. Enter your credentials as defined within OWF help guides (testUser1, testAdmin1). If using CA certificates, everything 'should' work.

But... if you see the casFailed JSP page in the browser, you may also find the following exception in the log files:

23:19:26,894 ERROR [Cas20ServiceTicketValidator] javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Searching the net, you'll find many blogs or notes on this exception. The gist of them is that communication between the two servers is not trusted. If CA certificates were used, the certificates would be trusted. But because we used self-signed certs, additional steps are needed: the certificates within the OWF/CAS keystore need to be imported into the Pentaho keystore. List all of the certs in the OWF/CAS keystore using the following command, executed from the $OWF_HOME/certs directory:

keytool -list -keystore keystore.jks

Then export the certificates listed using their aliases. For example:

keytool -exportcert -keystore keystore.jks -alias owf -file owf.cer

Now import those certificate files into Pentaho's keystore. Pentaho's keystore is $PENTAHO_HOME/java/lib/security/cacerts. Using the following command, import the OWF/CAS certificates into Pentaho's keystore. Repeat as necessary for each certificate.

keytool -import -keystore cacerts -storepass changeit -noprompt -alias owf -file ${PATH_TO_OWF_CERT_FILES}/owf.cer
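As an added example (not from the original post), the list / export / import steps above collected into one POSIX shell script that only copies the OWF/CAS entries into cacerts, skips aliases that are already trusted so it can be re-run safely, and parses the `keytool -list` output rather than relying on hand-typed aliases. The function names, the OWF_STOREPASS and CACERTS_PASS variables, the /opt/owf and /opt/pentaho fallback paths, and the sample listing are assumptions of this example; keytool is assumed to be the one from Pentaho's bundled JRE, since that is the truststore the PKIX error comes from.

```shell
# Added example, not from the original post: sync every entry in the OWF/CAS
# keystore into the Pentaho JRE truststore, skipping aliases already present.
# Assumed: keytool from Pentaho's bundled JRE is on PATH; the OWF keystore
# password is given in OWF_STOREPASS; 'changeit' is the JRE cacerts default.
OWF_KEYSTORE="${OWF_HOME:-/opt/owf}/certs/keystore.jks"
PENTAHO_CACERTS="${PENTAHO_HOME:-/opt/pentaho}/java/lib/security/cacerts"
OWF_STOREPASS="${OWF_STOREPASS:-changeit}"
CACERTS_PASS="${CACERTS_PASS:-changeit}"

# Pull entry aliases out of `keytool -list` text read from stdin. Entry lines
# look like "owf, Jun 14, 2013, PrivateKeyEntry," so the alias is everything
# before the first comma on lines that name an entry type.
aliases_from_list() {
    grep -E ', (PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),' | sed 's/,.*//'
}

# Exit 0 if alias $1 already exists in truststore $2 (keeps the sync idempotent).
alias_present() {
    keytool -list -keystore "$2" -storepass "$CACERTS_PASS" -alias "$1" >/dev/null 2>&1
}

# Export each OWF/CAS entry and import it into cacerts under the same alias.
sync_owf_certs() {
    tmpdir=$(mktemp -d) || return 1
    keytool -list -keystore "$OWF_KEYSTORE" -storepass "$OWF_STOREPASS" |
        aliases_from_list |
        while read -r alias; do
            if alias_present "$alias" "$PENTAHO_CACERTS"; then
                echo "skip: $alias already trusted"
                continue
            fi
            keytool -exportcert -keystore "$OWF_KEYSTORE" -storepass "$OWF_STOREPASS" \
                -alias "$alias" -file "$tmpdir/$alias.cer" &&
            keytool -importcert -keystore "$PENTAHO_CACERTS" -storepass "$CACERTS_PASS" \
                -noprompt -alias "$alias" -file "$tmpdir/$alias.cer" &&
            echo "imported: $alias"
        done
    rm -rf "$tmpdir"
}

# Constructed sample of `keytool -list` output (fake fingerprints), used to
# exercise the alias parser without a real keystore.
SAMPLE_LIST='Keystore type: JKS
Your keystore contains 2 entries
owf, Jun 14, 2013, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
cas, Jun 14, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC'
sample_aliases() { printf '%s\n' "$SAMPLE_LIST" | aliases_from_list; }
```

Call `sync_owf_certs` after setting OWF_HOME, PENTAHO_HOME and OWF_STOREPASS, then restart Pentaho as the post describes; `alias_present owf "$PENTAHO_CACERTS"` afterwards confirms the entry landed in the truststore Pentaho actually reads.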

Restart Pentaho, and the integration between OWF/CAS and Pentaho using self-signed certs is complete. Users can now create OWF widgets pointing to Pentaho content (Pentaho User Console, dashboard, report, etc.) and the widget will display seamlessly, without requiring the user to log into Pentaho.
