Configuring Engineering Lifecycle Management Servers for Kerberos/SPNEGO Authentication

IBM® Engineering Lifecycle Management applications support Kerberos authentication with Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) single sign-on (SSO) in WebSphere® Liberty server.

Before you begin

Ensure that the following prerequisites are met before you configure the Engineering Lifecycle Management server for Kerberos/SPNEGO authentication:
  • The server that hosts the Engineering Lifecycle Management applications and the reverse proxy must be a member of the domain whose Domain Controller is used in the Kerberos/SPNEGO setup.
  • The Engineering Lifecycle Management applications are installed and configured to use LDAP as the user registry, with the LDAP registry pointing at the Active Directory server that is hosted on the Microsoft Windows Domain Controller.
  • If Engineering Lifecycle Management is deployed in a distributed topology, complete the SSO configuration through LTPA keys. See Configuring Single Sign On (SSO) across Profiles.
  • A Kerberos keytab file (krb5.keytab) that is created by mapping a service principal name that matches your planned public URI for the Engineering Lifecycle Management application. See Prerequisites for Kerberos Configuration.
  • A Kerberos configuration file that contains the Kerberos realm, KDC, and domain details. See Prerequisites for Kerberos Configuration.

About this task

You can enable single sign-on (SSO) for HTTP requests by using Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) web authentication.

Procedure

  1. To enable the server that hosts the Engineering Lifecycle Management applications to support Kerberos/SPNEGO, open the <JAZZ_INSTALL_DIR>/server/liberty/servers/clm/server.xml file in an editor and add the spnego-1.0 feature within the featureManager section.
    <featureManager>
        ...
        <feature>adminCenter-1.0</feature>
        <feature>spnego-1.0</feature>
        ...
    </featureManager>
  2. To enable the Kerberos configuration, copy the krb5.conf and krb5.keytab files to the <JAZZ_INSTALL_DIR>/server/liberty/servers/clm/resources/security location and add configuration to the server.xml file similar to the following example.
    <spnego id="mySpnego"
            canonicalHostName="false"
            disableFailOverToAppAuthType="false"
            trimKerberosRealmNameFromPrincipal="true"
            includeClientGSSCredentialInSubject="false"
            krb5Config="${server.config.dir}/resources/security/krb5.ini"
            krb5Keytab="${server.config.dir}/resources/security/kerberos.keytab"
            servicePrincipalNames="HTTP/elm.example.com"
            authFilterRef="spnegoFilter">
    </spnego>
    <authFilter id="spnegoFilter">
        <userAgent id="MacClients" agent="Mac OS" matchType="notContain"/>
    </authFilter>
    Note: elm.example.com is the host name of the service principal that you configured as described in the prerequisites; it must match the host name of the public URI. The krb5Config and krb5Keytab paths can be changed to whatever location suits your requirements.

    You can add more filters according to your requirements. The example authFilter above excludes clients whose user agent contains "Mac OS" from SPNEGO, so macOS clients that are not domain members fall back to application authentication.

    If you have configured Engineering Lifecycle Management in a distributed environment with Kerberos configured and without Jazz® Authorization Server, set the following attribute to false in the spnego element:

    <spnego ... includeCustomCacheKeyInSubject="false" ...>

    For more information about the SPNEGO attributes, see Spnego Authentication.

  3. Optional: If you have deployed Engineering Lifecycle Management in a distributed topology, perform Step 1 and Step 2 on every WebSphere Liberty server that hosts Engineering Lifecycle Management applications for which you want to configure single sign-on.
  4. Test the Kerberos/SPNEGO authentication by accessing the application URLs from a client machine that is a domain member.
    1. Configure Web Browsers to support Kerberos/SPNEGO. See Configuring SPNEGO Authentication in
    2. Access the Application URL.
      For example: https://elm.example.com/jts.

      If the server is correctly configured with Kerberos/SPNEGO, the /jts page should log in automatically with your Windows credentials.
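Before testing in a browser, it helps to catch the usual configuration slips from Steps 1 and 2 (missing spnego-1.0 feature, service principal that does not match the public URI host, an authFilterRef that points nowhere, unresolved krb5 paths). The following consistency checker is an added example, not IBM's code; the server.xml content it parses is a constructed sample modelled on the snippets above, and paths are only checked for shape so that it runs offline.

```python
"""Consistency checks for the SPNEGO parts of a Liberty server.xml (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample that mirrors the server.xml fragments from Step 1 and Step 2.
SAMPLE_SERVER_XML = """<server>
  <featureManager>
    <feature>adminCenter-1.0</feature>
    <feature>spnego-1.0</feature>
  </featureManager>
  <spnego id="mySpnego" canonicalHostName="false"
          krb5Config="${server.config.dir}/resources/security/krb5.ini"
          krb5Keytab="${server.config.dir}/resources/security/kerberos.keytab"
          servicePrincipalNames="HTTP/elm.example.com"
          authFilterRef="spnegoFilter"/>
  <authFilter id="spnegoFilter">
    <userAgent id="MacClients" agent="Mac OS" matchType="notContain"/>
  </authFilter>
</server>"""


def check_spnego_config(server_xml: str, public_uri: str) -> list:
    """Return a list of problems; an empty list means the SPNEGO config is consistent."""
    root = ET.fromstring(server_xml)
    problems = []
    # Step 1: the spnego-1.0 feature must be enabled in featureManager.
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    if "spnego-1.0" not in features:
        problems.append("featureManager lacks <feature>spnego-1.0</feature>")
    spnego = root.find("spnego")
    if spnego is None:
        return problems + ["no <spnego> element"]
    # Step 2: the SPN must be HTTP/<host of the public URI>, as the Note requires.
    host = urlparse(public_uri).hostname
    spns = [s.strip() for s in spnego.get("servicePrincipalNames", "").split(",") if s.strip()]
    if f"HTTP/{host}" not in spns:
        problems.append(f"servicePrincipalNames {spns} does not contain HTTP/{host}")
    # authFilterRef must resolve to an <authFilter id="..."> element.
    ref = spnego.get("authFilterRef")
    filter_ids = {f.get("id") for f in root.iter("authFilter")}
    if ref and ref not in filter_ids:
        problems.append(f"authFilterRef {ref!r} matches no <authFilter id>")
    # krb5Config/krb5Keytab should be absolute or relative to ${server.config.dir}.
    for attr in ("krb5Config", "krb5Keytab"):
        value = spnego.get(attr, "")
        if not value:
            problems.append(f"{attr} is not set")
        elif not (value.startswith("${server.config.dir}") or value.startswith("/")):
            problems.append(f"{attr}={value!r} is neither absolute nor under ${{server.config.dir}}")
    return problems


if __name__ == "__main__":
    print(check_spnego_config(SAMPLE_SERVER_XML, "https://elm.example.com/jts") or "OK")
```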