
 

SpnegoTAICommands group for the AdminTask object

 

You can use the Jython or Jacl scripting languages to configure security with the wsadmin tool. The commands and parameters in the SpnegoTAICommands group can be used to create and manage configurations that are used by the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI). The SpnegoTAICommands command group for the AdminTask object includes the following commands:

 

addSpnegoTAIProperties

The addSpnegoTAIProperties command adds properties in the configuration of the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for the appserver.

Target object None

Parameters and return values

-spnId

This is the SPN identifier for the group of custom properties that are to be defined with this command. If you do not specify this parameter, an unused SPN identifier is assigned. (String, optional)

-host

Specifies the host name portion in the SPN used by the SPNEGO TAI to establish a Kerberos secure context. (String, required)

-filter

Defines the filtering criteria used by the class specified with the -filterClass parameter. If no filter is specified, all HTTP requests are subject to SPNEGO authentication. (String, optional)

-filterClass

Specifies the name of the Java class used by the SPNEGO TAI to select which HTTP requests will be subject to SPNEGO authentication. If no filter class is specified, the default filter class, com.ibm.ws.security.spnego.HTTPHeaderFilter, is used. (String, optional)

-noSpnegoPage

Specifies the URL of a resource that contains the content the SPNEGO TAI will include in the HTTP response to be displayed by the (browser) client application if it does not support SPNEGO authentication. (String, optional). If you do not specify the noSpnegoPage attribute then the default is used:

"<html><head><title>SPNEGO authentication is not supported.</title></head>" +"<body>SPNEGO authentication is not supported on this client.</body></html>";

-ntlmTokenPage

Specifies the URL of a resource that contains the content the SPNEGO TAI will include in the HTTP response to be displayed by the (browser) client application when the SPNEGO token received by the interceptor after the challenge-response handshake contains an NT LAN Manager (NTLM) token instead of the expected SPNEGO token. (String, optional). If you do not specify the ntlmTokenPage attribute then the default is used:

"<html><head><title>An NTLM Token was received.</title></head>" + "<body>Your browser configuration is correct, but you have not logged into a supported Windows Domain." + "<p>Please login to the application using the normal login page.</html>";

-trimUserName

Specifies whether (true) or not (false) the SPNEGO TAI is to remove the suffix of the principal user name, starting from the @ that precedes the Kerberos realm name. If this attribute is set to true, the suffix of the principal user name is removed. If this attribute is set to false, the suffix of the principal name is retained. The default value used is true. (String, optional)

Examples

Batch mode example usage:

Interactive mode example usage:

 

createKrbConfigFile

The createKrbConfigFile command creates the Kerberos configuration file for use with the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for WAS.

Target object None

Parameters and return values

-krbPath

Provides the fully qualified file system location of the Kerberos configuration (krb5.ini or krb5.conf) file. (String, required)

-realm

Provides the Kerberos realm name. The value of this attribute is used by the SPNEGO TAI to form the Kerberos service principal name for each of the hosts specified with the property com.ibm.ws.security.spnego.SPN<id>.hostname. (String, required)

-kdcHost

Provides the host name of the Kerberos Key Distribution Center (KDC). (String, required)

-kdcPort

Provides the port number of the KDC. The default value, if not specified, is 88. (String, optional)

-dns

Provides the default domain name service (DNS) that is used to produce a fully qualified host name. (String, required)

-keytabPath

Provides the file system location of the Kerberos keytab file. (String, required)

-encryption

Identifies the list of supported encryption types, separated by a space. The specified value is used for the default_tkt_enctypes and default_tgs_enctypes. The default encryption types, if not specified, are des-cbc-md5 and rc4-hmac. (String, optional)

Examples

Interactive mode example usage:

 

deleteSpnegoTAIProperties

The deleteSpnegoTAIProperties command deletes properties in the configuration of the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for WAS.

Target object None

Parameters and return values

-spnId

The SPN identifier for the group of custom properties that are to be deleted with this command. If you do not specify this parameter, all SPNEGO TAI custom properties are deleted. (String, optional)

Examples

Batch mode example usage:

Interactive mode example usage:

 

modifySpnegoTAIProperties

The modifySpnegoTAIProperties command modifies the properties in the configuration of the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for WAS.

Target object None

Parameters and return values

-spnId

The SPN identifier for the group of custom properties that are to be defined with this command. (String, required)

-host

Specifies the host name portion in the SPN used by the SPNEGO TAI to establish a Kerberos secure context. (String, optional)

-filter

Defines the filtering criteria used by the class specified with the -filterClass parameter. (String, optional)

-filterClass

Specifies the name of the Java class used by the SPNEGO TAI to select which HTTP requests will be subject to SPNEGO authentication. If no class is specified, all HTTP requests will be subject to SPNEGO authentication. (String, optional)

-noSpnegoPage

Specifies the URL of a resource that contains the content the SPNEGO TAI will include in the HTTP response to be displayed by the (browser) client application if it does not support SPNEGO authentication. (String, optional)

-ntlmTokenPage

Specifies the URL of a resource that contains the content the SPNEGO TAI will include in the HTTP response to be displayed by the (browser) client application when the SPNEGO token received by the interceptor after the challenge-response handshake contains an NT LAN Manager (NTLM) token instead of the expected SPNEGO token. (String, optional)

-trimUserName

Specifies whether (true) or not (false) the SPNEGO TAI is to remove the suffix of the principal user name, starting from the "@" that precedes the Kerberos realm name. If this attribute is set to true, the suffix of the principal user name is removed. If this attribute is set to false, the suffix of the principal name is retained. The default value used is true. (String, optional)

Examples

Batch mode example usage:

Interactive mode example usage:

 

showSpnegoTAIProperties

The showSpnegoTAIProperties command displays the properties in the configuration of the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for WAS.

Target object None

Parameters and return values

-spnId

The service principal name (SPN) identifier for the group of custom properties that are to be displayed with this command. If you do not specify this parameter, all SPNEGO TAI custom properties are displayed. (String, optional)

Examples

Batch mode example usage:

Interactive mode example usage:




 

Related tasks


Use the AdminTask object for scripted administration

 

Related Reference


Commands for the AdminTask object

 
