When you use the Simple and Protected GSS-API Negotiation
Mechanism (SPNEGO) trust association interceptor (TAI) for authentication,
and you want to use an alias host name as the host name for the
application server, you must configure a custom property that resolves
the alias host name to the actual host name for SPNEGO single sign-on.
You can then dynamically add or modify an alias name in the DNS without
changing the application server's configuration. If you enable
this custom property, you no longer need to set alias host names
through the SPNEGO configuration.
About this task
The application server performs a DNS lookup as an HTTP
request comes in. If the alias host name resolves to a host
name that is already configured for SPNEGO single sign-on, the application
server continues to process the request. It is usually not necessary to
add an alias host name to a SPNEGO account.
Procedure
- Define the actual host name for the com.ibm.ws.security.spnego.SPNx.hostName
variable.
- From the administration console, click
- Add or modify the com.ibm.ws.security.spnego.SPNx.hostName
variable. For example:
- Name: com.ibm.ws.security.spnego.SPNx.hostName
- Value: real_host_name
This custom property
specifies the actual host name to which the application server resolves
an alias host name for SPNEGO single sign-on. You can then
dynamically add or modify an alias name in the DNS without changing
the configuration of the application server.
You can optionally
define the alias host name, but you are required to define only the
real host name. The application server resolves the alias host name
to the real host name as the HTTP request is received.
- Turn on the Canonical support flag.
- From the administration console, click
- Add or modify the com.ibm.websphere.security.krb.canonical_host
variable and set it to "true".
- Name: com.ibm.websphere.security.krb.canonical_host
- Value: true
This custom property
specifies whether the application server uses the canonical form of
the URL/HTTP host name when authenticating a client. If you set this
custom property to false, a Kerberos ticket can contain
a host name that differs from the HTTP Host header, and the application
server might issue the following message:
CWSPN0011E: An invalid SPNEGO token has been encountered while authenticating a HttpServletRequest
If you set this custom property to true, you
avoid this error message and allow the application server to authenticate
using the canonical form of the URL/HTTP host name.
- Configure the browser. On the client machine's browser, the alias
host name must be configured as a trusted host.
- For Internet Explorer:
- Select .
- Select the Security tab.
- Click
- Add the alias host name in this panel.
- For Mozilla Firefox:
- Type About:config in the address bar and
press ENTER to access the configuration options.
- Locate the network.negotiate-auth.trusted-uris preference, right-click it, and select Modify. If this preference does not exist, right-click
within the panel and select .
- Add the alias host names in the text box, separating host names with
a comma.
- Ensure that the real host name is added to the keytab file.
Supported configurations: You can configure the
keytab file in two ways:
- If com.ibm.websphere.security.krb.canonical_host is set to "true",
the application server expects the real host name to be in the keytab
file. Aliases are not necessary.
- If com.ibm.websphere.security.krb.canonical_host is set to "false"
and aliases are defined, the aliases must be present in the keytab
file.
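The lookup described under About this task and the two keytab configurations above, modelled in Python as an added example that is not IBM's or WebSphere's code. The DNS CNAME table, realm, host names and keytab principals are constructed for illustration, and the check is a simplification of what the TAI actually does.

```python
"""Model of the alias-host resolution the SPNEGO TAI performs (constructed
example, not WebSphere code). DNS table, host names, realm and keytab
contents below are all made up for illustration."""
from __future__ import annotations

# Constructed DNS CNAME table: alias -> target (the chain ends at the real host).
DNS_CNAMES = {
    "portal.example.com": "www.example.com",
    "www.example.com": "was01.example.com",
}
# Constructed value of com.ibm.ws.security.spnego.SPNx.hostName (the real host).
CONFIGURED_SPN_HOSTS = {"was01.example.com"}
# Constructed keytab: only the real host's HTTP service principal is present.
REALM = "EXAMPLE.COM"
KEYTAB_PRINCIPALS = {"HTTP/was01.example.com@EXAMPLE.COM"}


def host_from_header(host_header: str) -> str:
    """Normalise an HTTP Host header: drop the port, lower-case, strip a trailing dot."""
    host = host_header.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal, e.g. [::1]:9080
        host = host[1:host.index("]")]
    elif host.count(":") == 1:               # name:port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def resolve_canonical(host: str, cnames: dict[str, str] = DNS_CNAMES, max_hops: int = 8) -> str:
    """Follow CNAME records to the canonical (real) host name. The hop bound
    keeps a misconfigured CNAME loop from stalling the request path."""
    seen: set[str] = set()
    while host in cnames:
        if host in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or over-long chain at {host}")
        seen.add(host)
        host = cnames[host]
    return host


def spnego_target(host_header: str, canonical_host: bool) -> tuple[bool, str]:
    """Return (can_authenticate, required_spn) for one request.
    canonical_host=True models krb.canonical_host=true: the Host header is resolved
    through DNS and the real host's SPN must be in the keytab. canonical_host=False
    uses the Host header as-is, so an alias needs its own configuration and keytab entry."""
    host = host_from_header(host_header)
    if canonical_host:
        host = resolve_canonical(host)
    spn = f"HTTP/{host}@{REALM}"
    return host in CONFIGURED_SPN_HOSTS and spn in KEYTAB_PRINCIPALS, spn
```

With canonical_host=True the alias portal.example.com authenticates against the real host's keytab entry; with canonical_host=False the same request fails because neither the SPNEGO configuration nor the keytab knows the alias.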