You use the wsadmin utility to add properties for the Simple
and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association
interceptor (TAI) in the security configuration for WebSphere® Application
Server.
About this task
Deprecated feature: In WebSphere Application Server
Version 6.1, a trust association interceptor (TAI) that uses the Simple and Protected GSS-API
Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured
resources was introduced. In WebSphere Application Server 7.0, this function is now deprecated. SPNEGO
web authentication has taken its place to provide dynamic reload of the SPNEGO filters and to enable
fallback to the application login method.
Use the wsadmin utility to configure the
SPNEGO TAI for WebSphere Application Server:
Procedure
- Start WebSphere Application Server.
- Start the command-line utility by running the wsadmin command from the app_server_root/bin directory.
- Alternatively, on systems that use Qshell, start the command-line utility by running the wsadmin command from the app_server_root/bin directory at the Qshell command line.
- At the wsadmin prompt, enter the following command:
$AdminTask addSpnegoTAIProperties
You can use the following parameters with this command:
Option | Description
<spnId> | This parameter is optional. It is the SPN identifier for the group of custom properties that are to be defined with this command. If you do not specify this parameter, an unused SPN identifier is assigned.
<host> | This parameter is required. It specifies the host name portion of the SPN that the SPNEGO TAI uses to establish a Kerberos secure context.
<filter> | This parameter is optional. It defines the filtering criteria used by the class specified with the filterClass parameter. If you do not specify this parameter, all HTTP requests are subject to SPNEGO authentication.
<filterClass> | This parameter is optional. It specifies the name of the Java™ class that the SPNEGO TAI uses to select which HTTP requests are subject to SPNEGO authentication. If you do not specify this parameter, the default filter class, com.ibm.ws.security.spnego.HTTPHeaderFilter, is used.
<noSpnegoPage> | This parameter is optional. It specifies the URL of a resource that contains the content the SPNEGO TAI includes in the HTTP response displayed by the (browser) client application when that client does not support SPNEGO authentication. If you do not specify the noSpnegoPage parameter, the following default is used: "<html><head><title>SPNEGO authentication is not supported.</title></head><body>SPNEGO authentication is not supported on this client.</body></html>"
<ntlmTokenPage> | This parameter is optional. It specifies the URL of a resource that contains the content the SPNEGO TAI includes in the HTTP response displayed by the (browser) client application when the token received by the interceptor (after the challenge-response handshake) is an NT LAN Manager (NTLM) token instead of the expected SPNEGO token. If you do not specify the ntlmTokenPage parameter, the following default is used: "<html><head><title>An NTLM Token was received.</title></head><body>Your browser configuration is correct, but you have not logged into a supported Windows Domain.<p>Please login to the application using the normal login page.</html>"
<trimUserName> | This parameter is optional. It specifies whether the SPNEGO TAI removes the suffix of the principal user name, starting from the @ that precedes the Kerberos realm name. If this parameter is set to true, the suffix of the principal user name is removed. If it is set to false, the suffix of the principal name is retained. The default value is true.
Results
SPNEGO TAI properties have been added for this WebSphere Application
Server.
Example
- Example 1
The following example configures the SPNEGO TAI to intercept HTTP requests that contain IE 6 in the user-agent request header. The SPNEGO TAI uses the SPN HTTP/myhost.ibm.com@<default_realm> to authenticate the request originator.
$AdminTask addSpnegoTAIProperties -host myhost.ibm.com -filter user-agent%=IE 6
- Example 2
The following example adds SPNEGO TAI properties for SPN1 in interactive mode, using the default filterClass and intercepting all requests for the host central01.austin.ibm.com.
wsadmin>$AdminTask addSpnegoTAIProperties -interactive
Add SPNEGO TAI properties
Add SPNEGO TAI configuration properties.
*Host name in Service Principal Name (host): central01.austin.ibm.com
Service Principal Name identifier (spnId): 1
HTTP header filter rule (filter):
Name of class used to filter HTTP requests (filterClass):
SPNEGO not supported browser response (noSpnegoPage):
NTLM Token received browser response (ntlmTokenPage):
Trim User Name browser response (trimUserName):
Add SPNEGO TAI properties
F (Finish)
C (Cancel)
Select [F, C]: [F] f
WASX7278I: Generated command line: $AdminTask addSpnegoTAIProperties {-host central01.austin.ibm.com}
com.ibm.ws.security.spnego.SPN1.hostName=central01.austin.ibm.com
wsadmin>
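The following Jacl script is an added example, not taken from the original page; it registers a SPNEGO TAI property group with every parameter from the table set explicitly and then saves the configuration. The host name, SPN identifier, filter rule and the two file:// page URLs are assumed placeholder values for this example.

```jacl
# Added example (not from the original page): add a complete SPNEGO TAI
# property group from a wsadmin Jacl script, then persist it.
# The values below are placeholders assumed for this example.

# Host portion of the SPN HTTP/<host>@<realm> that the TAI will use.
set host     "app01.example.com"

# Filter rule for the default HTTPHeaderFilter: only requests whose
# user-agent header contains "Mozilla" are challenged with SPNEGO;
# every other request falls through to the application's own login.
set filter   "user-agent%=Mozilla"

# Pages returned to clients that cannot do SPNEGO, or that send an NTLM
# token instead of a SPNEGO token (assumed file URLs on the server).
set noSpnego "file:///opt/websphere/pages/nospnego.html"
set ntlmPage "file:///opt/websphere/pages/ntlm.html"

# trimUserName false keeps the @REALM suffix on the authenticated principal,
# so users with the same short name in different Kerberos realms remain
# distinct in the user registry instead of collapsing to one identity.
$AdminTask addSpnegoTAIProperties "-spnId 2 -host $host -filter $filter -filterClass com.ibm.ws.security.spnego.HTTPHeaderFilter -noSpnegoPage $noSpnego -ntlmTokenPage $ntlmPage -trimUserName false"

# Write the new com.ibm.ws.security.spnego.SPN2.* properties to the
# configuration repository; without this the change is lost on exit.
$AdminConfig save
```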