What you'll need...

• A Centrified Unix/Linux system running Apache Tomcat (Tomcat6 in this example)
  alternatively, you can follow on JBOSS, Websphere or Weblogic as well.
  Joined to the domain either in zone or workstation mode.
• Apache Tomcat running
• A domain joined PC system to test access from an authenticated Windows system (or a centrified Mac) with a web browser (SPNEGO is not available on Safari)

Implementation Steps

Information gathering

1. Collect the OS version, architecture, version of Centrify adclient and if an SPN for HTTP is registered
   uname -a, adinfo -v and adinfo -C | grep http provide that information
2. Collect the service status, version, architecture and java version.
   “service tomcat(x) status, rpm –qa | grep tomcat and java-versiont” should provide this.
3. Make sure the Tomcat home page (if enabled) is accessible from the Windows client.
4. Obtain the proper version of the J2EE SSO plugin from the Centrify Customer Support Center.
   Based on the information from steps 1 and 2, you can select which package to download. For example, in my CentOS 6.x, 64bit, Tomcat6

$ uname -a
     Linux engcen8.centrifyimage.vms 2.6.32-504.el6.x86_64 #1 SMP Wed Oct 15 04:27:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

$ java -version
java version "1.7.0_71"
OpenJDK Runtime Environment (rhel-2.5.3.1.el6-x86_64 u71-b14)
OpenJDK 64-Bit Server VM (build 24.65-b04, mixed mode)

$ adinfo -v
adinfo (CentrifyDC 5.2.0-218)

$ dzdo adinfo -C | grep http
                           http/engcen8.centrifyimage.vms
                           http/engcen8
$ rpm -qa | grep tomcat
tomcat6-6.0.24-80.el6.x86_64

It looks like my service is running and that is a 64 bit CentOS with Tomcat 6 based on this information,  I will download the package " DirectControl for J2EE App Servers on RHEL 4, 5, 6, Fedora 14, 15, 16, 17 x86_64 " the version is 4.4.4 as of the original post in November 2014.

Installation

Unpack and install the SSO plugin

$ tar xzvf centrify-web-4.4.4-rhel3-x86_64.tgz

The installation file on RHEL for this version is called centrifydc-apache-4.4.4-rhel3-x86_64.rpm, so perform a yum or rpm install.

$ dzdo rpm -Uvh centrifydc-web-4.4.4-rhel3-x86_64.rpm

Preparing...                ########################################### [100%]

   1:CentrifyDC-web      ########################################### [100%]

Configuration of the Java Server and Sample Application

Centrify provides a script that allows for the configuration of JBoss, Tomcat, Websphere and Weblogic. These servers can run on Microsoft Windows, so there are versions of the plugin for those platforms too. The script is in /usr/share/centrifydc/java/web and its called configure.pl. All you need to do is follow the prompts to configure Tomcat (options 1-3) and ignore everything about ADFS or certificates at this time (sample truncated output below).

# /configure.pl
=====================================================================
Welcome to Centrify DirectControl for J2EE Servers Configuration.

At any prompt, enter ? for help, or return to accept the default value (shown in brackets []).

Please select what type of J2EE server to configure:
[0] Tomcat.
[1] JBoss.
[2] WebLogic Server.
[3] WebSphere Application Server.
[4] Exit this configuration program.
Enter selection:

[0] > 0

===== Configure Tomcat Server for Centrify =====
[0] Run full configuration (all options below).
[1] Copy Centrify jar files to Tomcat server.
[2] Configure Tomcat Server for Centrify.
[3] Setup and deploy Centrify samples.
[4] Configure Tomcat for SSL.
[5] Exit this script

[0] > 1

=== Copy Centrify jar files to Tomcat server ===

Enter the directory where Tomcat Server is installed:
[/usr/share/tomcat6] >
Enter the directory where Java SDK is installed:
[/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.33.x86_64] >
Enter the Tomcat Server version (7.0.x, 6.0.x, 5.5.x or 5.0.x):
[6.0.x] >

You have entered the following:
Tomcat Server directory = /usr/share/tomcat6
Java SDK directory = /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.33.x86_64
Tomcat Server version = 6.0.x

Is this correct (y/n) ?

[y] > y

Copying /usr/share/centrifydc/java/web/scripts/tomcat/centrifydc_jaas.config to /usr/share/tomcat6/c



===== Configure Tomcat Server for Centrify =====

[0] Run full configuration (all options below).
[1] Copy Centrify jar files to Tomcat server.
[2] Configure Tomcat Server for Centrify.
[3] Setup and deploy Centrify samples.
[4] Configure Tomcat for SSL.
[5] Exit this script

 
Enter selection:
[0] > 3


=== Copy Centrify jar files to Tomcat server ===

Enter the directory where Tomcat Server is installed:
[/usr/share/tomcat6] >
Enter the directory where Java SDK is installed:
[/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.33.x86_64] >


Enter the Tomcat Server version (7.0.x, 6.0.x, 5.5.x or 5.0.x):
[6.0.x] >

You have entered the following:
Tomcat Server directory = /usr/share/tomcat6
Java SDK directory = /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.33.x86_64
Tomcat Server version = 6.0.x

Is this correct (y/n) ? y

 



===== Configure Tomcat Server for Centrify =====
[0] Run full configuration (all options below).
[1] Copy Centrify jar files to Tomcat server.
[2] Configure Tomcat Server for Centrify.
[3] Setup and deploy Centrify samples.
[4] Configure Tomcat for SSL.
[5] Exit this script

Enter selection:
[0] > 3

 

=== Setup and deploy Centrify samples ===

Enter the directory where Tomcat Server is installed:
[/usr/share/tomcat6] >

Enter the directory where Java SDK is installed:
[/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.33.x86_64] >
 
Enter the Tomcat Server version (7.0.x, 6.0.x, 5.5.x or 5.0.x):
[6.0.x] >

You have entered the following:
 
Tomcat Server directory = /usr/share/tomcat6

Java SDK directory = /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.33.x86_64
Tomcat Server version = 6.0.x
Is this correct (y/n) ?
[y] > y


Do you want to setup the Centrify ADFS samples now (y/n) ?
(You must have the ADFS server's hostname and SSL port to setup the ADFS samples.)
[n] >

 Verify that everything is working as expected

1. Sign-in to a Windows client that is a member of your AD Domain
2. Clear your Kerberos ticket cache by opening a command line and typing "klist purge"
   C:\Users\dwirth>klist purge
   Current LogonId is 0:0x9bb0d
   Deleting all tickets:Ticket(s) purged!
3. Open Internet Explorer and go to Internet Options > Security > Local Intranet > Sites > Advanced and make sure that your browser has the FQDN or the suffix of the SPN for HTTP registered by the server.
   If using Firefox, go to about:config and search for network.automatic-ntlm-auth.trusted-uris, add the SPNs suffix or FQDN there.
   
4. Go browse to http://:PORT/centrifydc-samples.  This will expose the Centrify Sample pages.  Click on Kerberos.  If everything is correct, you should be able to see output that looks like this:
   
5. Now if you inspect your kerberos ticket cache, you'll something like this (truncated):

       C:\Users\dwirth>klist
       Current LogonId is 0:0x9bb0d
       #0>     Client: DWirth @ CENTRIFYIMAGE.VMS
       Server: krbtgt/CENTRIFYIMAGE.VMS @ CENTRIFYIMAGE.VMS
   
       #1>     Client: DWirth @ CENTRIFYIMAGE.VMS
       Server: HTTP/engcen8.centrifyimage.vms @ CENTRIFYIMAGE.VMS

    Ticket # 0 is a Kerberos TGT and #1 is a service ticket that was requested by Diana to access the Apache HTTP service on engcen8.

Using the Java Plugin

The Java plugin has exposed the methods to leverage AD authentication via Centrify. For example, the web.xml file of a server may add directives like these:

     SPNEGO

     CENTRIFYDC
 

The Centrify Java Guide, explains to J2EE Web Admins and developers how to use these directives and methods.

Video Playlist

(7 minutes total playlist)

Appendix: Installing Tomcat6 on CentOS 6.x with Yum.

$ dzdo yum install java-1.6.0-openjdk-devel
$ dzdo yum update
$ dzdo yum install tomcat6 tomcat6-webapps tomcat6-admin-webapps
$ dzdo chkconfig tomcat6 on
$ dzdo service tomcat6 start

 And don’t forget to open the firewall to accept connections over TCP 8080