Enable a trust association interceptor for SPNEGO

Configure and enable a SPNEGO trust association interceptor (TAI) on IBM WebSphere Application Server.

To configure and enable a SPNEGO TAI...

  1. Create an HTML page that redirects users whose Web browsers do not support SPNEGO to a non-SPNEGO-protected page that asks for authentication credentials. Store the HTML file in a publicly accessible directory on the server and include HTML like the following example:

      <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
      <!--
      Notes
          - This file should be served from an unprotected Web site. Alternatively,
            it can be loaded from the WebSphere Application Server file system.

          - Any embedded graphics/JavaScript/CSS MUST BE loaded from an unprotected
            Web site.

          - This file is loaded when the WebSphere Application Server is
            initialized. If changes to this file are necessary, the Application Server
            should be restarted.

          - This file is returned whenever the SPNEGO TAI receives an NTLM
            token for ANY application in the cell. In other words, this file is
            generic for all applications. However, by reading the JavaScript
            document.location, we can get the original URL and redirect to that
            original URL with the "?noSPNEGO" text added, thus forcing the standard
            application userid/password challenge.
      -->

      <html>
      <head>
      <META HTTP-EQUIV="Content-Type" CONTENT="text/html">
      <META HTTP-EQUIV="Pragma" CONTENT="no-cache">
      <script language="javascript">
          // Append the noSPNEGO marker (as the query string, or as an extra
          // parameter if one already exists) so the TAI filter excludes the
          // redirected request and the normal login challenge is shown.
          var origUrl = "" + document.location;
          if (origUrl.indexOf("noSPNEGO") < 0) {
              if (origUrl.indexOf('?') >= 0) origUrl += "&noSPNEGO";
              else origUrl += "?noSPNEGO";
          }
          function redirTimer() {
              self.setTimeout("self.location.href=origUrl;", 0);
          }
          // Set the title directly instead of writing markup into the document.
          document.title = "Redirect to " + origUrl;
      </script>
      </head>
      <body onLoad="redirTimer()">
      </body>
      </html>


  2. Log in to the WAS admin console and go to...

      Security | Secure administration, applications, and infrastructure | Web Security | Trust association | Enable trust association | Interceptors | com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl | Custom properties

    and add each of the following custom properties...

    • com.ibm.ws.security.spnego.SPN1.hostName = <hostname>
    • com.ibm.ws.security.spnego.SPN1.NTLMTokenReceivedPage = <TAIRedirectPage_location>
    • com.ibm.ws.security.spnego.SPN1.spnegoNotSupportedPage = <TAIRedirectPage_location>
    • com.ibm.ws.security.spnego.SPN1.filter = request-url!=/seedlist/authverify;request-url!=/seedlist/server;request-url!=/seedlist/myserver;request-url!=noSPNEGO
    • com.ibm.ws.security.spnego.SPN1.filterClass = com.ibm.ws.security.spnego.HTTPHeaderFilter

    where

      <hostname>

      Name of the server from which the Lotus Connections features are accessed.

      <TAIRedirectPage_location>

      File path to the HTML redirect file that you created in Step 1. For example: file:///c:/share/TAIRedirect.html
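The filter property in this step, together with the redirect page from step 1, decides which requests receive a SPNEGO challenge and which fall through to the normal login. The following added example (not IBM's code) models that decision in Python; the operator semantics of HTTPHeaderFilter ('!=' meaning "does not contain", conditions joined with ';' all required), the use of path plus query string as the request-url value, and the sample URLs are assumptions made for this illustration.

```python
"""Model of the step-2 SPNEGO TAI filter and the step-1 noSPNEGO redirect."""
import re

# Filter value from step 2; the header name in each condition is 'request-url'.
FILTER = ("request-url!=/seedlist/authverify;request-url!=/seedlist/server;"
          "request-url!=/seedlist/myserver;request-url!=noSPNEGO")
# One condition is <header><operator><value>; conditions are ';'-separated.
_COND = re.compile(r"^(?P<hdr>[^=!%^]+)(?P<op>==|!=|%=|\^=)(?P<val>.*)$")

def parse_filter(spec):
    """Split a filter string into (header, operator, value) tuples."""
    conds = []
    for part in spec.split(";"):
        m = _COND.match(part.strip())
        if not m:
            raise ValueError("bad filter condition: %r" % part)
        conds.append((m.group("hdr"), m.group("op"), m.group("val")))
    return conds

def _holds(op, actual, expected):
    """Assumed operator semantics: '!=' is 'does not contain', '%=' is
    'contains', '^=' is 'contains one of' the '|'-separated values."""
    if op == "==":
        return actual == expected
    if op == "!=":
        return expected not in actual
    if op == "%=":
        return expected in actual
    return any(v in actual for v in expected.split("|"))

def tai_intercepts(spec, headers):
    """True when every condition holds, i.e. the TAI demands a SPNEGO token;
    False means the request falls through to the normal login challenge."""
    return all(_holds(op, headers.get(hdr, ""), val)
               for hdr, op, val in parse_filter(spec))

def nospnego_redirect(orig_url):
    """The rewrite the step-1 HTML page performs in the browser."""
    if "noSPNEGO" in orig_url:
        return orig_url
    return orig_url + ("&noSPNEGO" if "?" in orig_url else "?noSPNEGO")

if __name__ == "__main__":
    # Constructed sample URLs: a protected page, a seedlist URL, and the
    # URL the redirect page sends an NTLM-only browser back to.
    for url in ("/activities/service/html/mainpage", "/seedlist/authverify",
                nospnego_redirect("/activities/service/html/mainpage?uid=1")):
        hit = tai_intercepts(FILTER, {"request-url": url})
        print(url, "->", "SPNEGO challenge" if hit else "fallback login")
```

Running it shows that the seedlist URLs and any URL carrying the noSPNEGO marker bypass the TAI, so those paths rely on the application's own login challenge rather than Kerberos.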

  3. From the main Integrated Solutions Console, expand...

      Servers | Application servers | server_name | Java and Process Management | Process Definition | Java Virtual Machine | Custom Properties

    ...and add the following custom properties:

    • com.ibm.ws.security.spnego.isEnabled = true
    • java.security.krb5.conf = <path_to_krb5.conf>

    where <path_to_krb5.conf> is the file path to the Kerberos configuration file that you created in the previous topic.

  4. If you installed Lotus Connections in multiple server instances, repeat the previous step for each server instance.

  5. Configure the Ajax proxy to proxy LtpaToken cookies by editing the proxy-config.tpl file to include the following:

      <proxy:cookies>
          <proxy:cookie>JSESSIONID</proxy:cookie>
          <proxy:cookie>LtpaToken</proxy:cookie>
          <proxy:cookie>LtpaToken2</proxy:cookie>
      </proxy:cookies>
      

    For more information, see Enabling the AJAX proxy to forward user credentials.

  6. Edit the httpd.conf file so that a logout is redirected to an unprotected Web page, which prevents SPNEGO from presenting the user with a login page. Open the httpd.conf file in a text editor. By default, the file is stored in the following locations:

    • AIX: /usr/IBM/HTTPServer/conf
    • Linux: /opt/IBM/HTTPServer/conf
    • Microsoft Windows: C:\IBM\HTTPServer\conf

    Add the following statements to the end of the file:

      RewriteEngine On
      RewriteCond %{REQUEST_URI} /(.*)/ibm_security_logout(.*)
      RewriteCond %{QUERY_STRING} !=logoutExitPage=<your-logout-url>
      RewriteRule /(.*)/ibm_security_logout(.*) /$1/ibm_security_logout?logoutExitPage=<your-logout-url> [noescape,L,R]


    where <your-logout-url> must be an unprotected URL that the user is directed to after logging out of Lotus Connections. Save and close the httpd.conf file.

  7. Restart the WebSphere Application Servers hosting the Lotus Connections features.


Previous topic:

Create a service principal name and keytab file


Next topic:

Configure Web browser preferences to support Kerberos authentication

 

Related tasks

Enable single sign-on for the Windows desktop
Enable the AJAX proxy to forward user credentials
