SPNEGO TAI configuration requirements (deprecated)

The configuration that is used by the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) on each selected application server is governed by various system requirements.

Deprecated feature:

In WebSphere® Application Server Version 6.1, a trust association interceptor (TAI) that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured resources was introduced. In WebSphere Application Server 7.0, this function is now deprecated. SPNEGO Web authentication has taken its place to provide dynamic reload of the SPNEGO filters and to enable fallback to the application login method.

depfeat
The following list of configuration requirements highlights those attributes, properties, qualities, restrictions, exclusions, inclusions, and dependencies that you need to be aware of when planning a WebSphere Application Server configuration that incorporates the use of the SPNEGO TAI.
Table 1. SPNEGO TAI requirements.

This table lists the SPNEGO TAI configuration requirements.

Function item Description
SPNEGO TAI The SPNEGO TAI is a server side solution in WebSphere Application Server. Client-side applications are responsible for generating the SPNEGO token for use by the SPNEGO TAI.
Microsoft® Windows® Windows 2000 or Windows 2003 servers with Active Directory domain and its associated Kerberos key distribution center (KDC) is required.
Client application (browser or .NET client) A browser (client application) or .NET client that supports the SPNEGO authentication mechanism, as defined in IETF RFC 2478 is required.
Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) SPNEGO authentication, as defined in IETF RFC 2478 is used.
Internet browsers
  • Use Microsoft Internet Explorer version 5.5 or higher
  • Use Mozilla Firefox version 1.0
Kerberos Level Kerberos version 5 is required.
WebSphere Application Server Version 7.0 is required.
Java™ SDK level Java 6.0 SDK is required.
Encryption Types RC4-HMAC encryption is only supported when using a Windows 2003 Server as Kerberos key distribution center (KDC) and is not supported with a Windows 2000 Server.
J2EE client Client application (browser or .NET client) A browser (client application) or .NET client that supports the SPNEGO authentication mechanism, as defined in IETF RFC 2478 is required.



Related concepts
Single sign-on for HTTP requests using SPNEGO TAI (deprecated)
Related tasks
Creating a single sign-on for HTTP requests using the SPNEGO TAI (deprecated)
Configuring the JVM
Related reference
SPNEGO TAI custom properties configuration (deprecated)
SPNEGO TAI JVM configuration custom properties (deprecated)
Using the ktab command to manage the Kerberos keytab file
The Simple and Protected GSS-API Negotiation Mechanism (IETF RFC 2478)
Single Sign-on Using Kerberos in Java
Related information
Configuring WebSphere Application Server and enabling the SPNEGO TAI (deprecated)
Reference topic    

Terms of Use | Feedback

Last updated: Oct 20, 2010 11:50:58 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-base-iseries&topic=rsec_SPNEGO_config_facts
File name: rsec_SPNEGO_tai_reqs.html