When you use the Simple and Protected GSS-API Negotiation
Mechanism (SPNEGO) trust association interceptor (TAI) for authentication,
and you want clients to reach the application server through an alias
host name, you must configure a custom property so that SPNEGO single
sign-on resolves the alias host name to the actual host name of the
application server. You can then add or modify alias names in DNS
without changing the application server's configuration. When this
custom property is enabled, you no longer need to set alias host names
through the SPNEGO configuration.
About this task
The application server performs a DNS lookup on the host name of each
incoming HTTP request. If an alias host name resolves to a host name that
is already configured for SPNEGO single sign-on, the application server
continues to process the request; a host name that does not resolve to a
configured host name is not mapped to an SPN by this lookup. It is usually
not necessary to add an alias host name to a SPNEGO account.
Procedure
- Define the actual host name for the com.ibm.ws.security.spnego.SPNx.hostName
variable, where x is the identifier of the service principal name (SPN) being configured.
- From administration console, click
- Add or modify the com.ibm.ws.security.spnego.SPNx.hostName
variable. For example:
- Name
- com.ibm.ws.security.spnego.SPNx.hostName
- Value
- real_host_name
This custom property specifies the
actual host name to which the application server resolves an alias
host name for SPNEGO single sign-on. You can then dynamically add
or modify alias names in DNS without changing the configuration
of the application server.
Defining the alias host name is optional; only the real host name is
required, because the application server resolves the alias host name
to the real host name when the HTTP request is received.
- Turn on the Canonical support flag.
- From administration console, click
- Add or modify the com.ibm.websphere.security.krb.canonical_host
variable and set it to "true".
- Name
- com.ibm.websphere.security.krb.canonical_host
- Value
- true
This custom property specifies whether
the application server uses the canonical form of the URL/HTTP host
name when authenticating a client. If you set this custom property to false,
a Kerberos ticket can carry a service host name that differs from the HTTP
Host header, and the application server might issue the following
message:
CWSPN0011E: An invalid SPNEGO token has been encountered while authenticating a HttpServletRequest
If you set this custom property to true, the application server
authenticates using the canonical form of the URL/HTTP host name, so an
alias host name that resolves to a configured real host name no longer
triggers this error.
- Configure the browser. On the client machine, the browser must have
the alias host name configured as a trusted host; otherwise it will not
send a Kerberos ticket to the application server for that name.
- For Internet Explorer:
- Select .
- Select the Security tab.
- Click
- Add the alias host name in this panel.
- For Mozilla Firefox:
- Type about:config in the address bar and
press ENTER to access the configuration options.
- Locate the network.negotiate-auth.trusted-uris preference
name, right-click on the preference, and select Modify.
If you do not have this preference, right-click within the panel,
and select .
- Add alias host names in the text box, separating host names with
a comma.
- Ensure that the real host name is present in the keytab file.
Supported configurations: You can configure the
keytab file in two ways:
- If com.ibm.websphere.security.krb.canonical_host is set to "true",
the application server expects the real host name to be in the keytab
file. Alias entries are not necessary.
- If com.ibm.websphere.security.krb.canonical_host is set to "false"
and aliases are defined, the aliases must also be present in the keytab
file.
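The following Python script is an added illustration of the behaviour described in this task; it is not WebSphere code and does not model the product's implementation. It shows how an incoming HTTP Host header is mapped to a configured SPNx.hostName under both settings of com.ibm.websphere.security.krb.canonical_host, and which HTTP/<host>@REALM principals the keytab must therefore contain. The host names, realm, DNS data and keytab contents are all constructed for the example; the optional live_resolver function is the only part that touches a real DNS server.

```python
"""Added example: alias-host resolution for SPNEGO SSO and the matching
keytab requirement.  Illustrative code, not WebSphere's implementation.
All host names, the realm, the DNS table and the keytab contents are
constructed for this example."""
import socket
from typing import Callable, Dict, Optional, Set

# Constructed DNS data standing in for the real zone: name -> canonical name.
CONSTRUCTED_DNS: Dict[str, str] = {
    "www.example.com": "appserver01.example.com",
    "portal.example.com": "appserver01.example.com",
    "appserver01.example.com": "appserver01.example.com",
}


def constructed_resolver(name: str) -> Optional[str]:
    """Offline stand-in for a CNAME/A lookup; None for unknown names."""
    return CONSTRUCTED_DNS.get(name)


def live_resolver(name: str) -> Optional[str]:
    """Real lookup through the system resolver (not used by the demo below)."""
    try:
        canonical, _aliases, _addrs = socket.gethostbyname_ex(name)
    except socket.gaierror:
        return None
    return canonical.lower().rstrip(".")


def host_from_header(host_header: str) -> str:
    """Normalise a Host header: drop :port, lower-case, drop trailing dot."""
    host = host_header.strip().lower()
    if host.startswith("["):                 # [IPv6]:port form
        host = host[1:host.index("]")]
    else:
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def select_spn_host(host_header: str,
                    configured_hosts: Set[str],
                    canonical_host: bool,
                    resolver: Callable[[str], Optional[str]] = constructed_resolver
                    ) -> Optional[str]:
    """Return the configured SPNx.hostName the request maps to, or None when
    the request host matches no configured SPN host name.

    canonical_host=True : behave as with
        com.ibm.websphere.security.krb.canonical_host=true, i.e. resolve the
        header host to its canonical DNS name before matching, so only the
        real host name has to be configured.
    canonical_host=False: match the header host literally, so every alias a
        client may use must itself be configured (and be in the keytab).
    """
    host = host_from_header(host_header)
    if canonical_host:
        resolved = resolver(host)
        if resolved is not None:
            host = resolved
    return host if host in configured_hosts else None


def required_keytab_principals(configured_hosts: Set[str], realm: str) -> Set[str]:
    """HTTP/<host>@REALM entries the keytab must hold for every host name that
    select_spn_host() can return.  With canonical_host=true that is just the
    real host names; with canonical_host=false the aliases are in
    configured_hosts too and therefore appear here as well."""
    return {f"HTTP/{h}@{realm}" for h in configured_hosts}


def missing_from_keytab(keytab_principals: Set[str], required: Set[str]) -> Set[str]:
    """Principals that the keytab (e.g. the output of klist -k) lacks."""
    return required - keytab_principals


if __name__ == "__main__":
    REALM = "EXAMPLE.COM"                                   # constructed
    real_hosts = {"appserver01.example.com"}
    keytab = {"HTTP/appserver01.example.com@EXAMPLE.COM"}  # constructed klist -k

    # canonical_host=true: the alias resolves to the configured real host and
    # the keytab with only the real host name is sufficient.
    print(select_spn_host("www.example.com:9080", real_hosts, True))
    print(missing_from_keytab(keytab, required_keytab_principals(real_hosts, REALM)))

    # canonical_host=false: the alias must be configured and be in the keytab.
    with_aliases = real_hosts | {"www.example.com"}
    print(select_spn_host("www.example.com", with_aliases, False))
    print(missing_from_keytab(keytab, required_keytab_principals(with_aliases, REALM)))
```

Run as a script to see both configurations side by side: with canonical_host=true the alias www.example.com maps to appserver01.example.com and nothing is missing from the keytab, while with canonical_host=false the same alias must appear in the configured host names and HTTP/www.example.com@EXAMPLE.COM is reported as missing from a keytab that holds only the real host. To check a real zone instead of the constructed table, pass resolver=live_resolver.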