Confluence preparation

Configuring the Authenticator

The following files should be placed in TOMCAT_HOME/kerberos for WAR installations, /opt/atlassian/confluence/kerberos for Linux installations and c:\Program Files\Atlassian\Confluence\kerberos for Windows installations. When creating this directory, ensure that Confluence's Java process has access to the directory contents.

authenticator.properties

This file should reflect the user you created for Confluence in Active Directory.

service.user=confluence
service.password=*********

jaas.config

KerberosNegotiateAuth {
        com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        isInitiator=false;
};

krb5.config

Change "domain.com" in these examples to the name of your Windows domain.

[libdefaults]
        default_tkt_enctypes = rc4-hmac
        default_tgs_enctypes = rc4-hmac
        permitted_enctypes   = rc4-hmac
        default_realm = DOMAIN.COM
        udp_preference_limit = 1
 
[realms]
DOMAIN.COM = {
          kdc = 192.168.1.100
          default_domain = domain.com
}
 
[domain_realm]
        .domain.com = DOMAIN.COM
        domain.com = DOMAIN.COM
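
An added check, not part of the original page or of the IWAC product: this Python sketch audits the kerberos directory described above. It flags authenticator.properties when POSIX mode bits let group or other accounts read the file holding service.password, and reports enctypes in krb5.config that RFC 6649 (DES) and RFC 8429 (3DES, RC4) deprecate. The function names and SAMPLE_KRB5 are constructed for this example; whether stronger enctypes work with your AD service account is an assumption to verify in your environment.

```python
import os
import stat

# Deprecated Kerberos enctypes: DES (RFC 6649), 3DES and RC4 (RFC 8429).
DEPRECATED = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
              "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
# Constructed sample that mirrors part of the [libdefaults] section shown above.
SAMPLE_KRB5 = """[libdefaults]
        default_tkt_enctypes = rc4-hmac
        permitted_enctypes   = rc4-hmac
"""


def deprecated_enctypes(krb5_text):
    """Return {setting: [deprecated enctypes]} from the [libdefaults] section."""
    findings, section = {}, None
    for raw in krb5_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "libdefaults" and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            weak = [e for e in value.replace(",", " ").split() if e.lower() in DEPRECATED]
            if key in ENCTYPE_KEYS and weak:
                findings[key] = weak
    return findings


def audit(kerberos_dir):
    """Check the kerberos directory described above; return a list of findings."""
    findings = []
    props = os.path.join(kerberos_dir, "authenticator.properties")
    # Mode bits are only meaningful on POSIX; on Windows review the ACL instead.
    if os.name == "posix" and os.path.exists(props):
        if os.stat(props).st_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append("authenticator.properties (service.password) is readable by group/other")
    krb5 = os.path.join(kerberos_dir, "krb5.config")
    if os.path.exists(krb5):
        with open(krb5, encoding="utf-8") as fh:
            for key, weak in deprecated_enctypes(fh.read()).items():
                findings.append(f"{key} allows deprecated enctype(s): {', '.join(weak)}")
    return findings


if __name__ == "__main__":
    print(deprecated_enctypes(SAMPLE_KRB5))
    for finding in audit("/opt/atlassian/confluence/kerberos"):
        print("FINDING:", finding)
```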

Installing the extension to Confluence

Install Integrated Windows Authentication App

Install the Integrated Windows Authentication App from the Apps Manager or download it from the Atlassian Marketplace. Also generate an evaluation license and paste it in place.

Install Apache Commons network library

The Apache Commons networking library is needed for the features of this authenticator. Copy the commons-net.3.0.1.jar into confluence/WEB-INF/lib. The library jar can be downloaded here: http://search.maven.org/#browse%7C1683288677

Install the authenticator jar

Copy the iwac-lib-x.y.z.jar into confluence/WEB-INF/lib. This can be downloaded from Polar Shift's download server:

  • for Confluence 5.x versions, download the iwac-lib-1.x version

Configure Confluence to use the Integrated Windows Authenticator

Edit confluence/WEB-INF/classes/seraph-config.xml: comment out the default authenticator and add the Kerberos authenticator.

<!--
    <authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/>
-->
     <authenticator class="fi.polarshift.confluence.lib.kauth.KerberosAuthenticator"/>

Java 11 compatibility

For Java 11, an extra property needs to be added to the confluence/bin/setenv.sh or confluence/bin/setenv.bat file:

CATALINA_OPTS="-Datlassian.org.osgi.framework.bootdelegation.extra=sun.*,com.sun.* $CATALINA_OPTS"

Configuring Confluence

Confluence User Directory

If you have not done so yet, set up a Directory connection.

Access Control

In Confluence's Administration Console (web UI) you can find Global Permissions under the Security section. Here you can grant usage permissions to the AD users and groups created during AD preparation.

Log files

IWAC makes log entries via Confluence's own logger. Logs can be found in your installation's home/data directory in logs/atlassian-confluence.log.

The log level can be set in Confluence's Administration Console under Logging and Profiling. Just add a new entry for fi.polarshift.confluence and set the desired level. At DEBUG level the authenticator generates a lot of log entries. DEBUG level is not recommended for long-term use.
