IBM® Engineering Lifecycle Management applications support Kerberos
authentication with Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) single sign-on (SSO)
authentication on the WebSphere® Liberty server.
Ensure that the following prerequisites are completed before you configure the Engineering Lifecycle Management server for Kerberos/SPNEGO authentication:
- The server that hosts the Engineering Lifecycle Management applications and the Reverse Proxy must be a
domain member of the Domain Controller that is used in the Kerberos/SPNEGO setup.
- The Engineering Lifecycle Management applications are installed and are configured to use LDAP as the
user registry, and that LDAP registry points at the Active Directory server that is hosted on the
Microsoft Windows Domain Controller.
- If Engineering Lifecycle Management is deployed in a distributed topology, complete the SSO configuration
through LTPA keys. See Configuring Single Sign On (SSO) across Profiles.
- A Kerberos keytab file (krb5.keytab) that is created by mapping the
principal name that matches your planned Public URI for the Engineering Lifecycle Management application. See
Prerequisites for Kerberos Configuration.
- A Kerberos config file that contains the details of the Kerberos realm, KDC, and domain. See Prerequisites for Kerberos Configuration.
About this task
You can enable single sign-on (SSO) for HTTP requests by using Simple and Protected GSS-API
Negotiation Mechanism (SPNEGO) web authentication.
- To enable the server that hosts the Engineering Lifecycle Management applications to support
Kerberos/SPNEGO, open the
<JAZZ_INSTALL_DIR>/server/liberty/servers/clm/server.xml file in an editor
and add the spnego-1.0 feature within the featureManager section.
<featureManager>
...
<feature>adminCenter-1.0</feature>
<feature>spnego-1.0</feature>
...
</featureManager>
- To enable the Kerberos configuration, copy the krb5.conf and
krb5.keytab files to the
<JAZZ_INSTALL_DIR>/server/liberty/servers/clm/resources/security directory
and add a configuration similar to the following example to the server.xml file.
<spnego id="mySpnego"
canonicalHostName="false"
disableFailOverToAppAuthType="false"
trimKerberosRealmNameFromPrincipal="true"
includeClientGSSCredentialInSubject="false"
krb5Config="${server.config.dir}/resources/security/krb5.ini"
krb5Keytab="${server.config.dir}/resources/security/kerberos.keytab"
servicePrincipalNames="HTTP/elm.example.com"
authFilterRef="spnegoFilter">
</spnego>
<authFilter id="spnegoFilter">
<userAgent id="MacClients" agent="Mac OS" matchType="notContain"/>
</authFilter>
Note: elm.example.com is the principal name that is configured as described in the
prerequisites, and it matches the public URI. You can change the krb5Config and krb5Keytab paths to
the location that suits your environment.
You can add more filters according to your requirements. The example authFilter
above applies SPNEGO only to requests whose User-Agent does not contain "Mac OS", which allows fallback authentication for
clients on macOS that are not part of the domain.
If you have configured Engineering Lifecycle Management in a distributed environment with Kerberos configured and without Jazz® Authorization Server, set the following property to false in the spnego element:
<spnego
... includeCustomCacheKeyInSubject="false" ...>
For more information about the SPNEGO attributes, see Spnego Authentication.
- Optional: If you have deployed Engineering Lifecycle Management in a
distributed topology, you must perform Step 1 and Step 2 on all WebSphere Liberty
servers that host Engineering Lifecycle Management applications for which you want to configure Single
Sign On.
- Test the Kerberos/SPNEGO authentication by accessing the application URLs from one of the
client machines that is a domain member.
- Configure Web Browsers to support Kerberos/SPNEGO. See Configuring SPNEGO Authentication in
- Access the application URL, for example https://elm.example.com/jts.
If the server is correctly configured with
Kerberos/SPNEGO, the /jts page logs you in automatically with your Windows
credentials.
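Before restarting Liberty, it is worth checking that the server.xml edits from Step 1 and Step 2 are consistent with each other and with the Public URI. The following checker is an added example and is not part of the product documentation or of the ELM installation; the embedded server.xml fragment is constructed from the example above, and the check for includeCustomCacheKeyInSubject is only applied when you state that the deployment is distributed without Jazz Authorization Server.

```python
"""Sanity-check a Liberty server.xml for the ELM Kerberos/SPNEGO setup (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample modelled on the page's example (not the shipped ELM server.xml).
SAMPLE_SERVER_XML = """<server>
  <featureManager>
    <feature>adminCenter-1.0</feature>
    <feature>spnego-1.0</feature>
  </featureManager>
  <spnego id="mySpnego" canonicalHostName="false"
          disableFailOverToAppAuthType="false"
          trimKerberosRealmNameFromPrincipal="true"
          krb5Config="${server.config.dir}/resources/security/krb5.ini"
          krb5Keytab="${server.config.dir}/resources/security/kerberos.keytab"
          servicePrincipalNames="HTTP/elm.example.com"
          authFilterRef="spnegoFilter"/>
  <authFilter id="spnegoFilter">
    <userAgent id="MacClients" agent="Mac OS" matchType="notContain"/>
  </authFilter>
</server>"""


def check_spnego_config(server_xml, public_uri, distributed_without_jas=False):
    """Return a list of findings; an empty list means the config matches the documented setup."""
    findings = []
    root = ET.fromstring(server_xml)
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    if "spnego-1.0" not in features:
        findings.append("featureManager lacks <feature>spnego-1.0</feature>")
    spnego = root.find("spnego")
    if spnego is None:
        return findings + ["no <spnego> element found"]
    # The SPN must be HTTP/<host of the Public URI>: the browser requests a ticket for
    # that name, and the keytab must hold a key for the same principal.
    expected_spn = "HTTP/" + urlparse(public_uri).hostname
    spns = [s.strip() for s in spnego.get("servicePrincipalNames", "").split(",")]
    if expected_spn not in spns:
        findings.append(f"servicePrincipalNames {spns} does not include {expected_spn}")
    for attr in ("krb5Config", "krb5Keytab"):
        if not spnego.get(attr):
            findings.append(f"<spnego> is missing {attr}")
    # The spnego element must reference an authFilter that actually exists.
    filter_ref = spnego.get("authFilterRef")
    if filter_ref and root.find(f"authFilter[@id='{filter_ref}']") is None:
        findings.append(f"authFilterRef '{filter_ref}' has no matching <authFilter>")
    # Distributed ELM without Jazz Authorization Server requires an explicit "false" here.
    if distributed_without_jas and spnego.get("includeCustomCacheKeyInSubject") != "false":
        findings.append('includeCustomCacheKeyInSubject must be set to "false" for distributed ELM without JAS')
    return findings


if __name__ == "__main__":
    for line in check_spnego_config(SAMPLE_SERVER_XML, "https://elm.example.com/jts") or ["OK"]:
        print(line)
```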