You can use the Jython or Jacl scripting languages to configure
security with the wsadmin tool. The commands and parameters in the
SpnegoTAICommands group can be used to create and manage configurations
that are used by the Simple and Protected GSS-API Negotiation Mechanism
(SPNEGO) trust association interceptor (TAI).
Deprecated feature: In WebSphere® Application Server Version 6.1, a
trust association interceptor (TAI) that uses the Simple and Protected
GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate
HTTP requests for secured resources was introduced. This function
was deprecated in WebSphere Application Server Version
7.0. SPNEGO web authentication has taken its place to provide dynamic
reload of the SPNEGO filters and to enable fallback to the application
login method.
The SpnegoTAICommands command group for the AdminTask object includes
the following commands:
addSpnegoTAIProperties
The addSpnegoTAIProperties command adds properties in the configuration of
the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust
association interceptor (TAI) for the application server.
Target object
None
Parameters and return values
- -spnId
- This is the SPN identifier for the group of custom properties
that are to be defined with this command. If you do not specify this
parameter, an unused SPN identifier is assigned. (String, optional)
- -host
- Specifies the host name portion in the SPN used by the SPNEGO
TAI to establish a Kerberos secure context. (String, required)
- -filter
- Defines the filtering criteria used by the class specified with
the -filterClass attribute. If no filter is specified, all HTTP requests
are subject to SPNEGO authentication. (String, optional)
- -filterClass
- Specifies the name of the Java class
used by the SPNEGO TAI to select which HTTP requests will be subject
to SPNEGO authentication. If no filter class is specified, the default
filter class, com.ibm.ws.security.spnego.HTTPHeaderFilter, is used.
(String, optional)
- -noSpnegoPage
- Specifies the URL of a resource that contains the content the
SPNEGO TAI will include in the HTTP response to be displayed by the
(browser) client application if it does not support SPNEGO authentication.
(String, optional)
If you do not specify the noSpnegoPage attribute, the default is used:
"<html><head><title>SPNEGO authentication is not supported.</title></head>" +
"<body>SPNEGO authentication is not supported on this client.</body></html>";
- -ntlmTokenPage
- Specifies the URL of a resource that contains the content the
SPNEGO TAI will include in the HTTP response to be displayed by the
(browser) client application when the SPNEGO token received by the
interceptor after the challenge-response handshake contains an NT LAN
Manager (NTLM) token instead of the expected SPNEGO token. (String,
optional)
If you do not specify the ntlmTokenPage attribute, the default is used:
"<html><head><title>An NTLM Token was received.</title></head>" +
"<body>Your browser configuration is correct, but you have not logged into a supported Windows Domain." +
"<p>Please login to the application using the normal login page.</html>";
- -trimUserName
- Specifies whether (true) or not (false)
the SPNEGO TAI is to remove the suffix of the principal user name,
starting from the @ that precedes the Kerberos realm
name. If this attribute is set to true, the suffix of the principal
user name is removed. If this attribute is set to false,
the suffix of the principal name is retained. The default value used
is true. (String, optional)
Examples
Batch mode example usage:
Using Jacl:
$AdminTask addSpnegoTAIProperties {-host myhost.ibm.com -filter {user-agent%=IE 6}}
Using Jython string:
AdminTask.addSpnegoTAIProperties('[-host myhost.ibm.com -filter "user-agent%=IE 6"]')
Using Jython list:
AdminTask.addSpnegoTAIProperties(['-host', 'myhost.ibm.com', '-filter', 'user-agent%=IE 6'])
Interactive mode example usage:
Using Jacl:
$AdminTask addSpnegoTAIProperties -interactive
Using Jython string:
AdminTask.addSpnegoTAIProperties ('[-interactive]')
Using Jython list:
AdminTask.addSpnegoTAIProperties(['-interactive'])
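The filter value in the batch example above contains a space, which is exactly where the string form of the wsadmin call goes wrong if the value is not quoted. The following helpers are an added example, not part of the IBM documentation: they build the argument vector for addSpnegoTAIProperties in the list form (where each value is one element) and render the equivalent quoted string form. AdminTask is passed in as a parameter so the logic can be exercised outside a WebSphere cell; in wsadmin you pass the real AdminTask object. The host name and filter values are constructed sample data.

```python
# Added example (not from the IBM documentation). The syntax is kept to the
# subset that the old wsadmin Jython interpreter also accepts.

def add_spnego_tai_args(host, filter_expr=None, filter_class=None,
                        spn_id=None, trim_user_name=None):
    """Build the list-form argument vector for addSpnegoTAIProperties.

    Each value becomes one list element, so a filter such as
    'user-agent%=IE 6' (which contains a space) reaches the TAI intact.
    -host is the only required parameter; the rest are added when given.
    """
    args = ['-host', host]
    if spn_id is not None:
        args.extend(['-spnId', str(spn_id)])
    if filter_expr is not None:
        args.extend(['-filter', filter_expr])
    if filter_class is not None:
        args.extend(['-filterClass', filter_class])
    if trim_user_name is not None:
        # Documented as a String taking true/false, so pass the literal text.
        args.extend(['-trimUserName', trim_user_name and 'true' or 'false'])
    return args


def to_string_form(args):
    """Render a list-form vector as the equivalent Jython string form.

    wsadmin splits the string form on whitespace, so any value containing a
    space must be wrapped in double quotes or it becomes two tokens (the
    documentation's 'user-agent%=IE 6' filter is exactly this case).
    """
    quoted = []
    for token in args:
        if ' ' in token:
            token = '"%s"' % token
        quoted.append(token)
    return '[%s]' % ' '.join(quoted)


def configure_spnego_tai(admin_task, host, filter_expr, spn_id):
    """Add one SPN property group, then read it back to confirm the change."""
    admin_task.addSpnegoTAIProperties(
        add_spnego_tai_args(host, filter_expr, spn_id=spn_id))
    return admin_task.showSpnegoTAIProperties(['-spnId', str(spn_id)])
```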
deleteSpnegoTAIProperties
The deleteSpnegoTAIProperties command deletes properties in the configuration
of the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)
trust association interceptor (TAI) for WebSphere Application Server.
Target object
None
Parameters and return values
- -spnId
- The SPN identifier for the group of custom properties that are
to be deleted with this command. If you do not specify this parameter,
all SPNEGO TAI custom properties are deleted. (String, optional)
Examples
Batch mode example usage:
Using Jacl:
$AdminTask deleteSpnegoTAIProperties {-spnId 2}
Using Jython string:
AdminTask.deleteSpnegoTAIProperties ('[-spnId 2]')
Using Jython list:
AdminTask.deleteSpnegoTAIProperties (['-spnId', '2'])
Interactive mode example usage:
Using Jacl:
$AdminTask deleteSpnegoTAIProperties -interactive
Using Jython string:
AdminTask.deleteSpnegoTAIProperties ('[-interactive]')
Using Jython list:
AdminTask.deleteSpnegoTAIProperties(['-interactive'])
modifySpnegoTAIProperties
The modifySpnegoTAIProperties command modifies the properties in the configuration
of the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)
trust association interceptor (TAI) for WebSphere Application Server.
Target object
None
Parameters and return values
- -spnId
- The SPN identifier for the group of custom properties that are
to be defined with this command. (String, required)
- -host
- Specifies the host name portion in the SPN used by the SPNEGO
TAI to establish a Kerberos secure context. (String, optional)
- -filter
- Defines the filtering criteria used by the class specified with
the -filterClass attribute. (String, optional)
- -filterClass
- Specifies the name of the Java class
used by the SPNEGO TAI to select which HTTP requests will be subject
to SPNEGO authentication. If no class is specified, all HTTP requests
will be subject to SPNEGO authentication. (String, optional)
- -noSpnegoPage
- Specifies the URL of a resource that contains the content the
SPNEGO TAI will include in the HTTP response to be displayed by the
(browser) client application if it does not support SPNEGO authentication.
(String, optional)
- -ntlmTokenPage
- Specifies the URL of a resource that contains the content the
SPNEGO TAI will include in the HTTP response to be displayed by the
(browser) client application when the SPNEGO token received by the
interceptor after the challenge-response handshake contains an NT LAN
Manager (NTLM) token instead of the expected SPNEGO token. (String,
optional)
- -trimUserName
- Specifies whether (true) or not (false)
the SPNEGO TAI is to remove the suffix of the principal user name,
starting from the "@" that precedes the Kerberos realm name.
If this attribute is set to true, the suffix of the principal user
name is removed. If this attribute is set to false,
the suffix of the principal name is retained. The default value used
is true. (String, optional)
Examples
Batch mode example usage:
Using Jacl:
$AdminTask modifySpnegoTAIProperties {-spnId 1 -filter host==myhost.company.com}
Using Jython string:
AdminTask.modifySpnegoTAIProperties('[-spnId 1 -filter host==myhost.company.com]')
Using Jython list:
AdminTask.modifySpnegoTAIProperties(['-spnId', '1', '-filter', 'host==myhost.company.com'])
Interactive mode example usage:
Using Jacl:
$AdminTask modifySpnegoTAIProperties -interactive
Using Jython string:
AdminTask.modifySpnegoTAIProperties ('[-interactive]')
Using Jython list:
AdminTask.modifySpnegoTAIProperties(['-interactive'])
showSpnegoTAIProperties
The showSpnegoTAIProperties command displays the properties in the configuration
of the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)
trust association interceptor (TAI) for WebSphere Application Server.
Target object
None
Parameters and return values
- -spnId
- The service principal name (SPN) identifier for the group of custom
properties that are to be displayed with this command. If you do not
specify this parameter, all SPNEGO TAI custom properties are displayed.
(String, optional)
Examples
Batch mode example usage:
Using Jacl:
$AdminTask showSpnegoTAIProperties -spnId 1
Using Jython string:
AdminTask.showSpnegoTAIProperties ('[-spnId 1]')
Using Jython list:
AdminTask.showSpnegoTAIProperties (['-spnId', '1'])
Interactive mode example usage:
Using Jacl:
$AdminTask showSpnegoTAIProperties -interactive
Using Jython string:
AdminTask.showSpnegoTAIProperties ('[-interactive]')
Using Jython list:
AdminTask.showSpnegoTAIProperties(['-interactive'])
createKrbConfigFile
The createKrbConfigFile command creates the Kerberos configuration file
for use with the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)
trust association interceptor (TAI) for WebSphere Application Server.
Target object
None
Parameters and return values
- -krbPath
- Provides the fully qualified file system location of the Kerberos
configuration (krb5.ini or krb5.conf) file. (String, required)
- -realm
- Provides the Kerberos realm name. The value of this attribute
is used by the SPNEGO TAI to form the Kerberos service principal name
for each of the hosts specified with the property com.ibm.ws.security.spnego.SPN<id>.hostname.
(String, required)
- -kdcHost
- Provides the host name of the Kerberos Key Distribution Center
(KDC). (String, required)
- -kdcPort
- Provides the port number of the KDC. The default value, if not
specified, is 88. (String, optional)
- -dns
- Provides the default domain name service (DNS) that is used to
produce a fully qualified host name. (String, required)
- -keytabPath
- Provides the file system location of the Kerberos keytab file.
(String, required)
- -encryption
- Identifies the list of supported encryption types, separated by
a space. The specified value is used for the default_tkt_enctypes
and default_tgs_enctypes. The default encryption types, if not specified,
are des-cbc-md5 and rc4-hmac. (String, optional)
Examples
Interactive mode example usage:
Using Jacl:
$AdminTask createKrbConfigFile -interactive
Using Jython string:
AdminTask.createKrbConfigFile ('[-interactive]')
Using Jython list:
AdminTask.createKrbConfigFile(['-interactive'])
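The -encryption parameter above defaults to des-cbc-md5 and rc4-hmac when it is omitted, so a batch script that leaves it out silently writes single-DES and RC4 into default_tkt_enctypes and default_tgs_enctypes. As an added example that is not part of the IBM documentation, the helper below builds the list-form argument vector for createKrbConfigFile, always passes -encryption explicitly, and rejects the enctypes deprecated for Kerberos by RFC 6649 (DES) and RFC 8429 (3DES and RC4). The paths, realm and host names are constructed sample values; pass the returned list to AdminTask.createKrbConfigFile in wsadmin.

```python
# Added example (not from the IBM documentation). Syntax is kept to the
# subset that the old wsadmin Jython interpreter also accepts.

# Enctypes deprecated for Kerberos (RFC 6649: DES; RFC 8429: 3DES and RC4).
# Both of the tool's documented defaults are on this list.
DEPRECATED_ENCTYPES = ['des-cbc-crc', 'des-cbc-md4', 'des-cbc-md5',
                       'des3-cbc-sha1', 'rc4-hmac', 'arcfour-hmac',
                       'arcfour-hmac-md5']

# AES types to request instead. The keytab and the service account in the
# KDC must hold keys of the same types or the TAI cannot accept tickets.
PREFERRED_ENCTYPES = ['aes256-cts-hmac-sha1-96', 'aes128-cts-hmac-sha1-96']


def deprecated_enctypes(enctypes):
    """Return the subset of enctypes that are on the deprecated list."""
    bad = []
    for enctype in enctypes:
        if enctype.lower() in DEPRECATED_ENCTYPES:
            bad.append(enctype)
    return bad


def krb_config_file_args(krb_path, realm, kdc_host, dns, keytab_path,
                         kdc_port=88, enctypes=None):
    """Build the list-form arguments for createKrbConfigFile.

    -encryption is always present: omitting it yields the documented
    defaults des-cbc-md5 and rc4-hmac. The value is space-separated, as
    the parameter description requires.
    """
    if enctypes is None:
        enctypes = PREFERRED_ENCTYPES
    bad = deprecated_enctypes(enctypes)
    if bad:
        raise ValueError('deprecated Kerberos enctypes requested: %s'
                         % ', '.join(bad))
    # Realm names are case-sensitive and conventionally upper case; a
    # lower-case realm is the usual cause of "realm not found" at runtime.
    if realm != realm.upper():
        raise ValueError('Kerberos realm should be upper case: %s' % realm)
    return ['-krbPath', krb_path,
            '-realm', realm,
            '-kdcHost', kdc_host,
            '-kdcPort', str(kdc_port),
            '-dns', dns,
            '-keytabPath', keytab_path,
            '-encryption', ' '.join(enctypes)]
```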