+

Search Tips   |   Advanced Search

 

SPNEGO TAI JVM configuration attributes

 

JVM attributes control the operation of the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI). The following JVM attributes control operation of the SPNEGO TAI. Different attribute values can be specified for each appserver.

Table 1. JVM configuration attributes
Attribute Name Required Value Type Default Value Recommended Value
com.ibm.ws.security.spnego.isEnabled No Boolean False True
com.ibm.ws.security.spnego.propertyReloadFile No String None For Windows

C:\temp\TAI.props 
For UNIX

/tmp/TestTAI.Properties 
com.ibm.ws.security.spnego.propertyReloadTimeout No Integer None 120

com.ibm.ws.security.spnego.isEnabled

Use this attribute to enable or disable operation of the SPNEGO TAI in a given appserver. When set to false, the SPNEGO TAI is disabled and not used by the Web authentication module for authenticating any Web requests. When set to true, the SPNEGO TAI is enabled and used by the Web authentication module for authenticating any Web requests.

com.ibm.ws.security.spnego.propertyReloadFile

Use this attribute to identify the file that contains configuration properties for the SPNEGO TAI, when it is not convenient to stop and restart the appserver. The properties contained in this file can be reloaded to configure the SPNEGO TAI.

The properties that are defined in the specified file override any properties defined using the administrative console.

A sample of this reload file follows:

##########################################################
# Template properties files for SPNEGO TAI #  
# Where possible defaults have been provided.
#
##########################################################

#---------------------------------------------------------
# Hostname
#---------------------------------------------------------
#com.ibm.ws.spnego.SPN1.HostName=wsecurity.austin.ibm.com 

#---------------------------------------------------------
# (Optional) SpnegoNotSupportedPage
#---------------------------------------------------------
#com.ibm.ws.spnego.SPN1.SpnegoNotSupportedPage=

#---------------------------------------------------------
# (Optional) NTLMTokenReceivedPage
#---------------------------------------------------------
#com.ibm.ws.spnego.SPN1.NTLMTokenReceivedPage=

#---------------------------------------------------------
# (Optional) FilterClass
#---------------------------------------------------------
#com.ibm.ws.spnego.SPN1.FilterClass=com.ibm.ws.spnego.HTTPHeaderFilter

#---------------------------------------------------------
# (Optional) Filter
#---------------------------------------------------------
#com.ibm.ws.spnego.SPN1.Filter=

If com.ibm.ws.security.spnego.propertyReloadFile attribute is set, but the com.ibm.ws.security.spnego.propertyReloadTimeout attribute is not, then the SPNEGO TAI is not initialized.

com.ibm.ws.security.spnego.propertyReloadTimeout

Use this attribute to specify a time interval in seconds that elapses after which the SPNEGO TAI reloads the configuration properties. Also, the SPNEGO TAI reloads the configuration properties if the file that is identified by the com.ibm.ws.security.spnego.propertyReloadFile attribute changed since the last time the configuration attributes were retrieved. This time interval in seconds must be specified as a positive integer.

The following examples show how to enable operation of the SPNEGO TAI by setting the com.ibm.ws.security.spnego.isEnabled JVM property to true using the scripting that is available in WebSphere Application Server for AdminConfig commands.

Use JACL:

set server [$AdminConfig getid /Cell:mycell/Node:mynode/Server:myserver] set jvm [$AdminConfig list JavaVirtualMachine $server]
$AdminConfig modify $jvm {{genericJvmArguments "-Dcom.ibm.ws.security.spnego.isEnabled =true"}}
$AdminConfig save

Use Jython:

server = AdminConfig.getid(‘/Cell:mycell/Node:mynode/Server:myserver’)
  jvm = AdminConfig.list(‘JavaVirtualMachine’, server)
  AdminConfig.modify(jvm, [[‘genericJvmArguments’, “Dcom.ibm.ws.security.spnego.isEnabled =true”]])
AdminConfig.save()

You can also use the wsadmin command for the AdminConfig scripting object to interactively set the com.ibm.ws.security.spnego.isEnabled attribute. See Enabling the SPNEGO TAI using scripting for more information. The following attributes are not used directly by the SPNEGO TAI; however, they affect the operation of the core security runtime and can also be used for problem determination.

Table 2. JVM configuration attributes
Attribute Name Required Value Type Default Value Recommended Value
java.security.properties No String None
com.ibm.security.jgss.debug No String None "off" or "all"
com.ibm.security.krb5.Krb5Debug No String None "off" or "all"
javax.security.auth.useSubjectCredsOnly Yes Boolean True False

java.security.properties

This property is optional. It can be used when different appservers in a cell have different security requirements and it is not convenient to modify the global java.security file for the entire cell. In such situations, the java.security.properties attribute is used to specify the location of the java.security file used by the JVM for each appserver.

com.ibm.security.jgss.debug

This attribute is optional. It can be used to collect diagnostic trace information for problem determination in the Java Generic Security Service (JGSS) application programmer interface (API) implementation. The value can be set to all or off to enable or disable tracing, respectively. See Java Generic Security Service User's Guide for specific JGSS API information.

com.ibm.security.krb5.Krb5Debug

This attribute is optional. It can be used to collect additional diagnostic trace information for problem determination in the JGSS implementation. The value can be set to all or off to enable or disable tracing, respectively.

javax.security.auth.useSubjectCredsOnly

JGSS includes an optional Java Authentication and Authorization Service (JAAS) login facility that saves Principal credentials and secret keys in the Subject of the application’s JAAS login context. JGSS retrieves credentials and secret keys from the Subject by default. This feature can be disabled by setting the Java property javax.security.auth.useSubjectCredsOnly to false.

The SPNEGO TAI does not use the optional JAAS login module. The javax.security.auth.useSubjectCredsOnly property must be set to false.




 

Related concepts


Single sign-on for HTTP requests using SPNEGO

 

Related tasks


Configure JVM properties and enabling SPNEGO TAI in WebSphere Application Server

 

Related Reference


Java Generic Security Service User's Guide

 

Reference topic