Using an alias host name for SPNEGO TAI or SPNEGO web authentication using the administrative console (deprecated)

When you use the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for authentication, and you would like to use an alias host name as the host name for the application server, you must configure a custom property so that the alias host name is resolved to the actual host name for SPNEGO single sign-on. You can then dynamically add or modify an alias name in the DNS without changing the application server's configuration. If you enable this custom property, you no longer need to set alias host names through the SPNEGO configuration.

Before you begin

You must have completed the steps as described in Creating a single sign-on for HTTP requests using the SPNEGO TAI (deprecated) and Configuring WebSphere Application Server and enabling the SPNEGO TAI (deprecated) before these settings will have an effect. This configuration requires a working SPNEGO-TAI single sign-on environment.

About this task

The application server performs a DNS lookup as each HTTP request comes in; if the alias host name resolves to a host name that is already configured for SPNEGO single sign-on, the application server continues to process the request. It is usually not necessary to add an alias host name to a SPNEGO account.

Procedure

  1. Define the actual host name in the com.ibm.ws.security.spnego.SPNx.hostName variable.
    1. From the administrative console, click Global security > Web and SIP security > Trust association > Interceptors > com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl > Custom Properties.
    2. Add or modify the com.ibm.ws.security.spnego.SPNx.hostName variable. For example:
      Name
      com.ibm.ws.security.spnego.SPNx.hostName
      Value
      real_host_name

      This custom property specifies the actual host name to which the application server resolves an alias host name for SPNEGO single sign-on. You can then dynamically add or modify an alias name in the DNS without changing the configuration of the application server.

      You can optionally define the alias host name, but you are only required to define the real host name. The application server resolves the alias host name to the real host name as the HTTP request is received.

  2. Turn on the canonical host support flag.
    1. From the administrative console, click Global security > Custom properties.
    2. Add or modify the com.ibm.websphere.security.krb.canonical_host variable and set it to "true".
      Name
      com.ibm.websphere.security.krb.canonical_host
      Value
      true
      This custom property specifies whether the application server uses the canonical form of the URL/HTTP host name in authenticating a client. If you set this custom property to false, a Kerberos ticket can contain a host name that differs from the HTTP host name header and the application server might issue the following message:
      CWSPN0011E: An invalid SPNEGO token has been encountered while authenticating a HttpServletRequest

      If you set this custom property to true, you can avoid this error message and allow the application server to authenticate using the canonical form of the URL/HTTP host name.

  3. Configure the browser. In the browser on the client machine, the alias host name must be configured as a trusted host.
    • For Internet Explorer:
      1. Select Tools > Internet options.
      2. Select the Security tab.
      3. Click Local intranet > Sites > Advanced
      4. Add the alias host name in this panel.
    • For Mozilla Firefox:
      1. Type About:config in the address bar and press ENTER to access configuration options.
      2. Locate the network.negotiate-auth.trusted-uris preference name, right-click on the preference, and select Modify. If you do not have this preference, right-click within the panel, and select New > string.
      3. Add alias host names in the text box, separating host names with a comma.
  4. Ensure that the real host name is added to the keytab file.
    Supported configurations: You can configure the keytab file in two ways:
    • If com.ibm.websphere.security.krb.canonical_host is set to "true", the application server expects the real host name to be in the keytab file. Aliases are not necessary.
    • If com.ibm.websphere.security.krb.canonical_host is set to "false" and aliases are defined, the aliases need to be present in the keytab file.
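The following script is an added illustration, not WebSphere code or IBM's own logic. It models the decision the procedure above describes: how the com.ibm.websphere.security.krb.canonical_host flag changes which host name the server compares against the Kerberos ticket, and why the keytab must contain the real host name (canonical_host "true") or the alias names (canonical_host "false"). DNS is replaced by a constructed lookup table so the script runs offline; the function names, the example hosts (was01.example.com, intranet.example.com), the realm EXAMPLE.COM and the acceptance logic itself are assumptions made for the example and are a simplification of the real TAI.

```python
from dataclasses import dataclass, field

# Constructed stand-in for DNS (alias -> canonical host name). A real
# deployment would consult DNS, e.g. socket.getfqdn(); this table lets
# the example run offline.
CONSTRUCTED_DNS = {
    "intranet.example.com": "was01.example.com",
    "was01.example.com": "was01.example.com",
}


def resolve_canonical(host, dns=None):
    """Return the canonical host name for `host` using the constructed table."""
    table = CONSTRUCTED_DNS if dns is None else dns
    host = host.lower()
    return table.get(host, host)


def service_principal(host, realm="EXAMPLE.COM"):
    """Build the HTTP service principal name for a host (assumed realm)."""
    return f"HTTP/{host.lower()}@{realm}"


@dataclass
class SpnegoConfig:
    # com.ibm.ws.security.spnego.SPNx.hostName: the real host name
    spn_host_name: str
    # com.ibm.websphere.security.krb.canonical_host: "true" or "false"
    canonical_host: bool
    # service principals whose keys are present in the keytab file
    keytab_principals: set
    # optional alias host names configured in the TAI (only matter when
    # canonical_host is false)
    alias_host_names: set = field(default_factory=set)


def check_request(cfg, http_host_header, ticket_host):
    """Simplified model of the TAI decision for one request.

    http_host_header: value of the browser's Host header (may carry a port)
    ticket_host:      host in the service principal the Kerberos ticket was
                      issued for, e.g. the alias the browser connected to
    Returns (accepted, reason).
    """
    host = http_host_header.split(":")[0].lower()

    if cfg.canonical_host:
        # canonical_host=true: the server authenticates against the
        # canonical form of the HTTP host name, so aliases map onto the
        # single configured real host name.
        host = resolve_canonical(host)
        configured = {cfg.spn_host_name.lower()}
    else:
        # canonical_host=false: the Host header is used as-is, so every
        # alias must be configured explicitly in the TAI.
        configured = {cfg.spn_host_name.lower()} | {
            a.lower() for a in cfg.alias_host_names
        }

    if host not in configured:
        return False, f"host {host} is not configured for SPNEGO single sign-on"

    # The ticket must be for the host the server is serving under ...
    if ticket_host.lower() != host:
        return False, "CWSPN0011E: ticket host differs from HTTP host name"

    # ... and the server must hold that principal's key in the keytab,
    # otherwise it cannot validate the SPNEGO token at all.
    if service_principal(host) not in cfg.keytab_principals:
        return False, f"CWSPN0011E: {service_principal(host)} is not in the keytab"

    return True, "ok"


def demo():
    """Run the four configurations discussed in the procedure."""
    real = "was01.example.com"
    alias = "intranet.example.com"
    keytab_real_only = {service_principal(real)}
    keytab_with_alias = {service_principal(real), service_principal(alias)}

    results = {
        # Step 2 + step 4, first bullet: canonical host on, real host in keytab.
        "canonical_true": check_request(
            SpnegoConfig(real, True, keytab_real_only), alias, real),
        # Canonical host off and no alias configured: alias is not recognised.
        "false_no_alias": check_request(
            SpnegoConfig(real, False, keytab_real_only), alias, alias),
        # Canonical host off, alias configured, but alias missing from keytab.
        "false_alias_no_keytab": check_request(
            SpnegoConfig(real, False, keytab_real_only, {alias}), alias, alias),
        # Step 4, second bullet: canonical host off, alias in TAI and keytab.
        "false_alias_in_keytab": check_request(
            SpnegoConfig(real, False, keytab_with_alias, {alias}), alias, alias),
    }
    for name, (ok, reason) in results.items():
        print(f"{name:24s} accepted={ok!s:5s} {reason}")
    return results


if __name__ == "__main__":
    demo()
```

The four cases in `demo()` correspond to the choices in steps 2 and 4: with canonical host support on, a single real host name in the keytab covers every alias that DNS resolves to it; with it off, each alias has to be configured in the TAI and present in the keytab, and a request for an alias that is missing from either is rejected.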


Last updated: Sep 19, 2011 6:15:55 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=matt&product=was-express-dist&topic=tsec_SPNEGO_add_alias
File name: tsec_SPNEGO_add_alias.html