Configuring ELM Servers for Kerberos/SPNEGO Authentication

IBM® Engineering Lifecycle Management (ELM) applications support Kerberos authentication with Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) single sign-on (SSO) in WebSphere Liberty.

Before you begin

Ensure that the following prerequisites are completed before you configure the ELM server for Kerberos/SPNEGO authentication:
  • The server that hosts the ELM applications and the reverse proxy must be a member of the domain whose Domain Controller is used in the Kerberos/SPNEGO setup.
  • The ELM applications are installed and configured to use LDAP as the user registry, and that LDAP registry points at the Active Directory server that is hosted on the Microsoft Windows Domain Controller.
  • If ELM is deployed in a distributed topology, complete the SSO configuration through LTPA keys. See Configuring Single Sign On (SSO) across WebSphere Liberty Profiles.
  • A Kerberos keytab file (krb5.keytab) that is created by mapping a service principal name that matches your planned public URI for the ELM application. See Prerequisites for Kerberos Configuration.
  • A Kerberos configuration file that contains the Kerberos realm, KDC, and domain details. See Prerequisites for Kerberos Configuration.

About this task

You can enable single sign-on (SSO) for HTTP requests by using Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) web authentication.

Procedure

  1. To enable the Liberty server that hosts the ELM applications to support Kerberos/SPNEGO, open the <JAZZ_INSTALL_DIR>/server/liberty/servers/clm/server.xml file in an editor and add the spnego-1.0 feature within the featureManager section.
    <featureManager>
    ...
    <feature>adminCenter-1.0</feature>
    <feature>spnego-1.0</feature>
    ...
    </featureManager>
  2. To enable the Kerberos configuration, copy the krb5.conf and krb5.keytab files to the <JAZZ_INSTALL_DIR>/server/liberty/servers/clm/resources/security directory and add configuration to the server.xml file similar to the following example.
    <spnego id="mySpnego"
    canonicalHostName="true"
    disableFailOverToAppAuthType="false"
    trimKerberosRealmNameFromPrincipal="true"
    includeClientGSSCredentialInSubject="false"
    krb5Config="${server.config.dir}/resources/security/krb5.ini"
    krb5Keytab="${server.config.dir}/resources/security/kerberos.keytab"
    servicePrincipalNames="HTTP/elm.example.com"
    authFilterRef="spnegoFilter" >
    </spnego>
    <authFilter id="spnegoFilter">
    <userAgent id="MacClients" agent="Mac OS" matchType="notContain"/>
    </authFilter>
    Note: elm.example.com is the host part of the service principal name (HTTP/elm.example.com) that was configured as described in the prerequisites, and it matches the public URI. The paths in krb5Config and krb5Keytab can be changed to whatever locations suit your requirements.

    You can add more filters to suit your requirements. The authFilter in the example applies SPNEGO only to requests whose user agent does not contain "Mac OS", so clients on macOS, which are not part of the domain, fall back to the application's own authentication.

  3. Optional: If ELM is deployed in a distributed topology, perform Step 1 and Step 2 on every WebSphere Liberty server that hosts ELM applications for which you want to configure single sign-on.
  4. Test the Kerberos/SPNEGO authentication by accessing the application URLs from a client machine that is a domain member.
    1. Configure the web browsers to support Kerberos/SPNEGO. See Configuring SPNEGO Authentication in Liberty.
    2. Access the Application URL.
      For example: https://elm.example.com/jts.

      If the Liberty server is correctly configured for Kerberos/SPNEGO, the /jts page logs you in automatically with your Windows credentials.
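As an added check that is not part of the IBM documentation or the ELM product, the following Python script cross-checks a server.xml spnego block against the Kerberos configuration file and the planned public URI before you run the browser test in step 4. It verifies that the spnego-1.0 feature is enabled, that authFilterRef resolves to an authFilter id, that an HTTP/ service principal name matches the public URI host, that the krb5Config and krb5Keytab paths exist, and that the krb5 file defines a default realm with a KDC and a domain_realm mapping for the host. The server.xml fragment, the krb5.conf text, and the /opt/elm install path are constructed samples; file existence is passed in as a set of paths so the script runs offline.

```python
"""Consistency checks for a Liberty spnego block and its krb5 configuration.
Added example, not IBM's code; assumes the server.xml shape from steps 1 and 2."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed server.xml fragment mirroring steps 1 and 2 of the procedure.
SAMPLE_SERVER_XML = """<server>
  <featureManager>
    <feature>adminCenter-1.0</feature>
    <feature>spnego-1.0</feature>
  </featureManager>
  <spnego id="mySpnego" canonicalHostName="true"
          disableFailOverToAppAuthType="false"
          trimKerberosRealmNameFromPrincipal="true"
          includeClientGSSCredentialInSubject="false"
          krb5Config="${server.config.dir}/resources/security/krb5.ini"
          krb5Keytab="${server.config.dir}/resources/security/kerberos.keytab"
          servicePrincipalNames="HTTP/elm.example.com"
          authFilterRef="spnegoFilter"/>
  <authFilter id="spnegoFilter">
    <userAgent id="MacClients" agent="Mac OS" matchType="notContain"/>
  </authFilter>
</server>"""

# Constructed krb5.conf with the realm, KDC and domain mapping the prerequisites require.
SAMPLE_KRB5_CONF = """[libdefaults]
  default_realm = EXAMPLE.COM
[realms]
  EXAMPLE.COM = {
    kdc = dc01.example.com
    admin_server = dc01.example.com
  }
[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
"""

# Constructed stand-in for <JAZZ_INSTALL_DIR>/server/liberty/servers/clm.
SERVER_CONFIG_DIR = "/opt/elm/server/liberty/servers/clm"


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value}} with one level of
    '{ ... }' subsections as used by [realms]. Repeated keys keep the last value."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, sub = line[1:-1].lower(), None
            conf.setdefault(section, {})
        elif line == "}":
            sub = None
        elif "=" in line and section:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                sub = conf[section].setdefault(key, {})
            else:
                (conf[section] if sub is None else sub)[key] = value
    return conf


def check_spnego_config(server_xml, krb5_conf_text, public_uri, server_config_dir, existing_files):
    """Return a list of findings; an empty list means the pieces agree with each other.
    existing_files is the set of resolved paths present on the Liberty host."""
    try:
        root = ET.fromstring(server_xml)
    except ET.ParseError as exc:
        # Typographic quotes pasted around an attribute value are the usual cause.
        return [f"server.xml is not well-formed XML ({exc})"]
    findings = []
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    if "spnego-1.0" not in features:
        findings.append("spnego-1.0 feature is missing from featureManager")
    spnego = root.find("spnego")
    if spnego is None:
        return findings + ["no <spnego> element found"]
    ref = spnego.get("authFilterRef")
    if ref and ref not in {af.get("id") for af in root.iter("authFilter")}:
        findings.append(f"authFilterRef '{ref}' matches no <authFilter id>")
    host = urlparse(public_uri).hostname
    spns = [s.strip() for s in (spnego.get("servicePrincipalNames") or "").split(",") if s.strip()]
    for spn in spns:
        if not spn.startswith("HTTP/"):
            findings.append(f"SPN '{spn}' does not use the HTTP/ service class")
    if f"HTTP/{host}" not in spns:
        findings.append(f"no SPN matches the public URI host '{host}'")
    for attr in ("krb5Config", "krb5Keytab"):
        path = (spnego.get(attr) or "").replace("${server.config.dir}", server_config_dir)
        if path not in existing_files:
            findings.append(f"{attr} points to '{path}', which does not exist")
    krb5 = parse_krb5_conf(krb5_conf_text)
    realm = krb5.get("libdefaults", {}).get("default_realm")
    if not realm:
        return findings + ["krb5 configuration has no default_realm"]
    if realm != realm.upper():
        findings.append(f"realm '{realm}' is not upper-case; realm names are case-sensitive")
    realm_cfg = krb5.get("realms", {}).get(realm)
    if not isinstance(realm_cfg, dict) or "kdc" not in realm_cfg:
        findings.append(f"no kdc is defined for realm '{realm}' in [realms]")
    # A leading-dot entry covers subdomains; an entry without a dot must match the host exactly.
    mapped = [d for d, r in krb5.get("domain_realm", {}).items() if r == realm]
    if host and not any(host == d or (d.startswith(".") and host.endswith(d)) for d in mapped):
        findings.append(f"host '{host}' is not mapped to realm '{realm}' in [domain_realm]")
    return findings


if __name__ == "__main__":
    present = {f"{SERVER_CONFIG_DIR}/resources/security/krb5.ini",
               f"{SERVER_CONFIG_DIR}/resources/security/kerberos.keytab"}
    result = check_spnego_config(SAMPLE_SERVER_XML, SAMPLE_KRB5_CONF,
                                 "https://elm.example.com/jts", SERVER_CONFIG_DIR, present)
    print("\n".join(result) if result else "spnego configuration is consistent")
```

To run it against a real server, read the two files from <JAZZ_INSTALL_DIR>/server/liberty/servers/clm and build the path set with os.path.exists; the checks are deliberately limited to what the procedure itself states, so an empty result means the configuration is internally consistent, not that the KDC will accept the keytab.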