When you use the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for authentication, and you want to use an alias host name as the host name for the application server, you must configure a custom property that resolves the alias host name to the actual host name for SPNEGO single sign-on. You can then dynamically add or modify an alias name in the DNS without changing the application server configuration. If you enable this custom property, you no longer need to set alias host names through the SPNEGO configuration.
About this task
The application server performs a DNS lookup as an HTTP request comes in. If the alias host name resolves to a host name that is already configured for SPNEGO single sign-on, the application server continues to process the request. It is usually not necessary to add an alias host name to a SPNEGO account.
Procedure
- Define the actual host name for the com.ibm.ws.security.spnego.SPNx.hostName variable.
  - From the administration console, click
  - Add or modify the com.ibm.ws.security.spnego.SPNx.hostName variable. For example:
    Name: com.ibm.ws.security.spnego.SPNx.hostName
    Value: real_host_name
  This custom property specifies the actual host name to which the application server resolves an alias host name for SPNEGO single sign-on. You can then dynamically add or modify an alias name in the DNS without changing the configuration for the application server.
  You can optionally define the alias host name, but you are only required to define the real host name. The application server resolves the alias host name to the real host name as the HTTP request is received.
- Turn on the Canonical support flag.
  - From the administration console, click
  - Add or modify the com.ibm.websphere.security.krb.canonical_host variable and set it to true.
    Name: com.ibm.websphere.security.krb.canonical_host
    Value: true
  This custom property specifies whether the application server uses the canonical form of the URL/HTTP host name when authenticating a client. If you set this custom property to false, a Kerberos ticket can contain a host name that differs from the HTTP Host header, and the application server might issue the following message:
  CWSPN0011E: An invalid SPNEGO token has been encountered while authenticating a HttpServletRequest
  If you set this custom property to true, you avoid this error message and allow the application server to authenticate using the canonical form of the URL/HTTP host name.
- Configure the browser.
  On the client machine, the browser must be configured to treat the alias host name as a trusted host.
  - For Mozilla Firefox:
    - Type About:config in the address bar and press ENTER to access the configuration options.
    - Locate the network.negotiate-auth.trusted-uris preference, right-click the preference, and select Modify. If you do not have this preference, right-click within the panel and select .
    - Add the alias host names in the text box, separating host names with a comma.
- Ensure that the real host name is added to the keytab file.
  You can configure the keytab file in two ways:
  - If com.ibm.websphere.security.krb.canonical_host is set to true, the application server expects the real host name to be in the keytab file. Aliases are not necessary.
  - If com.ibm.websphere.security.krb.canonical_host is set to false and aliases are defined, the aliases must be present in the keytab file.
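To make the two settings concrete, the following Python script (an added illustration, not IBM's code) simulates how a request's Host header is matched against the configured SPNx.hostName values and which keytab principal each canonical_host setting requires. The DNS CNAME table, the SPN host names and the realm EXAMPLE.COM are constructed sample data, and the matching logic is a model of the behaviour described above rather than the product's implementation.

```python
"""Simulate how the SPNEGO TAI matches an incoming HTTP Host header against the
configured SPNx.hostName values, depending on canonical_host (illustration only)."""

# Constructed CNAME records (alias -> target) standing in for the server's DNS lookup.
DNS_CNAMES = {
    "intranet.example.com": "was01.example.com",
    "portal.example.com": "intranet.example.com",  # alias chained onto another alias
}

# Constructed com.ibm.ws.security.spnego.SPNx.hostName values, keyed by the SPN index x.
SPN_HOST_NAMES = {1: "was01.example.com"}


def canonicalize(host, cnames=DNS_CNAMES):
    """Follow CNAME records until a non-alias name is reached (simulated DNS lookup)."""
    seen = set()
    while host in cnames and host not in seen:  # guard against CNAME loops
        seen.add(host)
        host = cnames[host]
    return host


def effective_host(http_host, canonical_host):
    """Host name the TAI compares: the Host header as sent (minus any port), or its
    DNS-resolved canonical form when canonical_host is true."""
    host = http_host.split(":")[0].lower()
    return canonicalize(host) if canonical_host else host


def matching_spn(http_host, canonical_host, spn_hosts=SPN_HOST_NAMES):
    """Return the SPN index whose hostName matches the request, or None.
    With canonical_host=False an alias only matches if it is itself configured."""
    host = effective_host(http_host, canonical_host)
    for index, name in spn_hosts.items():
        if name.lower() == host:
            return index
    return None


def required_keytab_principal(http_host, canonical_host, realm="EXAMPLE.COM"):
    """Service principal the keytab must hold for this request: the real host with
    canonical_host=true, the alias itself with canonical_host=false."""
    return f"HTTP/{effective_host(http_host, canonical_host)}@{realm}"


def keytab_covers(http_host, canonical_host, keytab_principals, realm="EXAMPLE.COM"):
    """True if the keytab contains the principal required for this request."""
    return required_keytab_principal(http_host, canonical_host, realm) in set(keytab_principals)
```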