Add SPNEGO TAI properties using the wsadmin utility (deprecated)

Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Authenticate users > Implement single sign-on to minimize web user authentications > Create a single sign-on for HTTP requests using the SPNEGO TAI (deprecated) > Configure WAS and enabling the SPNEGO TAI (deprecated)

Add SPNEGO TAI properties using the wsadmin utility (deprecated)

You use the wsadmin utility to add properties for the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) in the security configuration for WAS.
Deprecated feature:
In WAS Version 6.1, a trust association interceptor (TAI) that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured resources was introduced. In WAS 7.0, this function is now deprecated. SPNEGO web authentication has taken its place to provide dynamic reload of the SPNEGO filters and to enable fallback to the application login method. depfeat
Verify that end-user desktop browsers are configured to support SPNEGO authentication, that the SPNEGO TAI is enabled, that the JVM property is set and, that WAS is configured to enable the operation of the SPNEGO TAI. Use the wsadmin utility to configure the SPNEGO TAI for WAS:

Procedure
Start WAS.

Start the command-line utility by running the wsadmin.sh command from the WAS_HOME/bin directory.
At the wsadmin.sh prompt, run:
$AdminTask addSpnegoTAIProperties
You can use the following parameters with this command:
Option Description
<spnId> This parameter is optional. It is the SPN identifier for the group of custom properties that are to be defined with this command. If not specified, an unused SPN identifier is assigned.
<host> This parameter is required. It specifies the host name portion in the SPN used by the SPNEGO TAI to establish a Kerberos secure context.
<filter> This parameter is optional. It defines the filtering criteria used by the class specified with the above attribute. If not specified, all HTTP requests are subject to SPNEGO authentication.
<filterClass> This parameter is optional. It specifies the name of the Java class used by the SPNEGO TAI to select which HTTP requests will be subject to SPNEGO authentication. If you do not specify this paramter, the default filter class, com.ibm.ws.security.spnego.HTTPHeaderFilter, is used.
<noSpnegoPage>
This parameter is optional. It specifies the URL of a resource that contains the content the SPNEGO TAI will include in the HTTP response to be displayed by the (browser) client application if it does not support SPNEGO authentication.
If you do not specify the noSpnegoPage paramter then the default is used:
"
<html>
<head>
<title>SPNEGO
authentication is not supported.

</title>
</head>" +
"
<body>SPNEGO authentication is
not supported on this client.

</body>
</html>";
<ntlmTokenPage>
This parameter is optional. It specifies the URL of a resource that contains the content the SPNEGO TAI will include in the HTTP response that is to be displayed by the (browser) client application when the SPNEGO token received by the interceptor (after the challenge-response handshake) contains a NT LAN manager (NTLM) token instead of the expected SPNEGO token.
If you do not specify the ntlmTokenPage parameter then the default is used:
"
<html>
<head>
<title>An NTLM
Token was received.
</title>
</head>"
+ "
<body>Your browser configuration is correct, but we have not logged into a supported Windows
Domain."
+ "
<p>Please login to the application using the normal login page.
</html>";
<trimUserName> This parameter is optional. It specifies whetheror not the SPNEGO TAI is to remove the suffix of the principal user name, starting from the "@" that precedes the Kerberos realm name. If this parameter is set to true, the suffix of the principal user name is removed. If this paramter is set to false, the suffix of the principal name is retained. The default value used is true.
Results
SPNEGO TAI properties have been added for this WAS.

Example

Example 1
The following example configures the SPNEGO TAI to intercept HTTP requests that contain IE 6 in the user agent request header. The SPNEGO TAI uses the SPN of HTTP/myhost.ibm.com@ <default_realm> to authenticate the request originator.
$AdminTask addSpnegoTAIProperties -host myhost.ibm.com -filter user-agent%=IE 6
Example 2
The following is an example of adding SPNEGOTAIProperties for SPN1 to use the default filterClass and to intercept all requests for the host, central01.austin.ibm.com.
wsadmin>$AdminTask addSpnegoTAIProperties -interactive
Add SPNEGO TAI properties
Add SPNEGO TAI configuration properties.

*Host name in Service Principal Name (host): central01.austin.ibm.com
Service Principal Name identifier (spnId): 1
HTTP header filter rule (filter):
Name of class used to filter HTTP requests (filterClass):
SPNEGO not supported browser response (noSpnegoPage):
NTLM Token received browser response (ntlmTokenPage):
Trim User Name browser response (trimUserName):

Add SPNEGO TAI properties
F (Finish)
C (Cancel)

Select [F, C]: [F] f
WASX7278I: Generated command line: $AdminTask addSpnegoTAIProperties {-host central01.austin.ibm.com}
com.ibm.ws.security.spnego.SPN1.hostName=central01.austin.ibm.com
wsadmin>
Configure WAS and enabling the SPNEGO TAI (deprecated)

Related

SPNEGO TAI custom properties configuration (deprecated)

+
Search Tips | Advanced Search

Option	Description
<spnId>	This parameter is optional. It is the SPN identifier for the group of custom properties that are to be defined with this command. If not specified, an unused SPN identifier is assigned.
<host>	This parameter is required. It specifies the host name portion in the SPN used by the SPNEGO TAI to establish a Kerberos secure context.
<filter>	This parameter is optional. It defines the filtering criteria used by the class specified with the above attribute. If not specified, all HTTP requests are subject to SPNEGO authentication.
<filterClass>	This parameter is optional. It specifies the name of the Java class used by the SPNEGO TAI to select which HTTP requests will be subject to SPNEGO authentication. If you do not specify this paramter, the default filter class, com.ibm.ws.security.spnego.HTTPHeaderFilter, is used.
<noSpnegoPage>	This parameter is optional. It specifies the URL of a resource that contains the content the SPNEGO TAI will include in the HTTP response to be displayed by the (browser) client application if it does not support SPNEGO authentication. If you do not specify the noSpnegoPage paramter then the default is used: " <html> <head> <title>SPNEGO authentication is not supported. </title> </head>" + " <body>SPNEGO authentication is not supported on this client. </body> </html>";
<ntlmTokenPage>	This parameter is optional. It specifies the URL of a resource that contains the content the SPNEGO TAI will include in the HTTP response that is to be displayed by the (browser) client application when the SPNEGO token received by the interceptor (after the challenge-response handshake) contains a NT LAN manager (NTLM) token instead of the expected SPNEGO token. If you do not specify the ntlmTokenPage parameter then the default is used: " <html> <head> <title>An NTLM Token was received. </title> </head>" + " <body>Your browser configuration is correct, but we have not logged into a supported Windows Domain." + " <p>Please login to the application using the normal login page. </html>";
<trimUserName>	This parameter is optional. It specifies whetheror not the SPNEGO TAI is to remove the suffix of the principal user name, starting from the "@" that precedes the Kerberos realm name. If this parameter is set to true, the suffix of the principal user name is removed. If this paramter is set to false, the suffix of the principal name is retained. The default value used is true.