SPNEGO TAI JVM configuration custom properties (deprecated)
Java virtual machine (JVM) custom properties control the operation of the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI).
Deprecated feature:
In WAS v6.1, a trust association interceptor (TAI) that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured resources was introduced. In WAS 7.0, this function is now deprecated. SPNEGO web authentication has taken its place to provide dynamic reload of the SPNEGO filters and to enable fallback to the application login method.
The following JVM custom properties control operation of the SPNEGO TAI. Different custom property values can be specified for each application server.
JVM configuration custom properties.
This table lists the SPNEGO JVM configuration custom properties.
| Custom Property Name | Required | Value Type | Default Value | Recommended Value |
|---|---|---|---|---|
| com.ibm.ws.security.spnego.isEnabled | No | Boolean | False | True |
| com.ibm.ws.security.spnego.propertyReloadFile | No | String | None | For Windows: C:\temp\TAI.props; for UNIX: /tmp/TestTAI.Properties |
| com.ibm.ws.security.spnego.propertyReloadTimeout | No | Integer | None | 120 |
| com.ibm.ws.security.spnego.useHttpFilterClass2 | No | Boolean | False | True |
com.ibm.ws.security.spnego.isEnabled
Use this custom property to enable or disable operation of the SPNEGO TAI in a given application server. When set to false, the SPNEGO TAI is disabled and not used by the web authentication module for authenticating any web requests. When set to true, the SPNEGO TAI is enabled and used by the web authentication module for authenticating any web requests.
com.ibm.ws.security.spnego.propertyReloadFile
Use this custom property to identify the file that contains configuration properties for the SPNEGO TAI, when it is not convenient to stop and restart the application server. The properties contained in this file can be reloaded to configure the SPNEGO TAI. The properties that are defined in the specified file override any properties defined using the admin console.
A sample of this reload file follows:
    ##########################################################
    # Template properties files for SPNEGO TAI
    #
    # Where possible defaults have been provided.
    #
    ##########################################################
    #---------------------------------------------------------
    # Hostname
    #---------------------------------------------------------
    #com.ibm.ws.spnego.SPN1.HostName=wsecurity.austin.ibm.com
    #---------------------------------------------------------
    # (Optional) SpnegoNotSupportedPage
    #---------------------------------------------------------
    #com.ibm.ws.spnego.SPN1.SpnegoNotSupportedPage=
    #---------------------------------------------------------
    # (Optional) NTLMTokenReceivedPage
    #---------------------------------------------------------
    #com.ibm.ws.spnego.SPN1.NTLMTokenReceivedPage=
    #---------------------------------------------------------
    # (Optional) FilterClass
    #---------------------------------------------------------
    #com.ibm.ws.spnego.SPN1.FilterClass=com.ibm.ws.spnego.HTTPHeaderFilter
    #---------------------------------------------------------
    # (Optional) Filter
    #---------------------------------------------------------
    #com.ibm.ws.spnego.SPN1.Filter=

If the com.ibm.ws.security.spnego.propertyReloadFile custom property is set, but the com.ibm.ws.security.spnego.propertyReloadTimeout custom property is not, then the SPNEGO TAI is not initialized.
com.ibm.ws.security.spnego.propertyReloadTimeout
Use this custom property to specify the time interval, in seconds, after which the SPNEGO TAI reloads the configuration properties. Also, the SPNEGO TAI reloads the configuration properties if the file that is identified by the com.ibm.ws.security.spnego.propertyReloadFile custom property changed since the last time the configuration custom properties were retrieved. This time interval in seconds must be specified as a positive integer.
com.ibm.ws.security.spnego.useHttpFilterClass2
Use this custom property to specify that the HttpHeaderFilter classes should be used. The HttpHeaderFilter classes enable:
- The != operator to be used for SPNEGO TAI filters.
- A space to exist in a SPNEGO TAI filter.
When this property is set to true, the following filter specification works properly:

    user-agent!=IBM Web Services Explorer;request-url!=noSPNEGO

If this property is set to false, or is not specified, the preceding filter does not work properly.
- If the com.ibm.ws.security.spnego.propertyReloadFile custom property and the com.ibm.ws.security.spnego.propertyReloadTimeout custom property are not set, then the SPNEGO TAI properties are only loaded once from the SPNEGO TAI custom properties defined in the WAS configuration data. This one-time loading occurs when the JVM is initialized.
- If the com.ibm.ws.security.spnego.propertyReloadTimeout custom property is set, but the com.ibm.ws.security.spnego.propertyReloadFile custom property is not, then the SPNEGO TAI is not initialized.

See Configure JVM custom properties, filtering HTTP requests, and enabling SPNEGO TAI in WAS (deprecated) for how to configure the JVM custom properties for SPNEGO TAI.
Remember: We can also use the wsadmin command for the AdminConfig scripting object to interactively set the com.ibm.ws.security.spnego.isEnabled custom property. See Enable the SPNEGO TAI as JVM custom property using scripting (deprecated) for more information.
The following custom properties are not used directly by the SPNEGO TAI; however, they affect the operation of the core security runtime and can also be used for problem determination.
JVM configuration custom properties.
This table describes the JVM configuration custom properties.
| Custom Property Name | Required | Value Type | Default Value | Recommended Value |
|---|---|---|---|---|
| com.ibm.security.jgss.debug | No | String | None | "off" or "all" |
| com.ibm.security.krb5.Krb5Debug | No | String | None | "off" or "all" |
| java.security.properties | No | String | None | |
| javax.security.auth.useSubjectCredsOnly | Yes | Boolean | True | False |
com.ibm.security.jgss.debug
This custom property is optional. It can be used to collect diagnostic trace information for problem determination in the Java Generic Security Service (JGSS) application programmer interface (API) implementation. The value can be set to all or off to enable or disable tracing, respectively. See Java Generic Security Service User's Guide for specific JGSS API information.
com.ibm.security.krb5.Krb5Debug
This custom property is optional. It can be used to collect additional diagnostic trace information for problem determination in the JGSS implementation. The value can be set to all or off to enable or disable tracing, respectively.
java.security.properties
This property is optional. It can be used when different application servers in a cell have different security requirements and it is not convenient to modify the global java.security file for the entire cell. In such situations, the java.security.properties custom property is used to specify the location of the java.security file used by the JVM for each application server.
javax.security.auth.useSubjectCredsOnly
JGSS includes an optional JAAS login facility that saves Principal credentials and secret keys in the Subject of the application's JAAS login context. JGSS retrieves credentials and secret keys from the Subject by default. This feature can be disabled by setting the Java property javax.security.auth.useSubjectCredsOnly to false.
Attention: The SPNEGO TAI does not use the optional JAAS login module. The javax.security.auth.useSubjectCredsOnly property must be set to false.
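The consistency rules stated on this page (reload file and timeout set together, a positive-integer timeout, useSubjectCredsOnly set to false, and useHttpFilterClass2 for filters that contain != or a space) can be checked before a server is restarted. The following is an added example, not IBM code: the function names, the simplified properties parser, and the sample values are assumptions constructed for illustration, and the `.Filter` key suffix is taken from the sample reload file above.

```python
import re

SPNEGO = "com.ibm.ws.security.spnego."

def parse_props(text):
    """Simplified .properties parser: skips blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)  # filter values contain '=' too
            props[key.strip()] = value.strip()
    return props

def audit(jvm_props, reload_text=""):
    """Return findings for one application server's JVM custom properties."""
    findings = []
    reload_file = jvm_props.get(SPNEGO + "propertyReloadFile")
    timeout = jvm_props.get(SPNEGO + "propertyReloadTimeout")
    # The two reload properties must be set together, else the TAI is not initialized.
    if bool(reload_file) != bool(timeout):
        findings.append("reload-pair: propertyReloadFile and propertyReloadTimeout "
                        "must both be set; SPNEGO TAI will not initialize")
    # The reload interval is in seconds and must be a positive integer.
    if timeout and not re.fullmatch(r"[1-9][0-9]*", timeout):
        findings.append("reload-timeout: %r is not a positive integer" % timeout)
    # The TAI does not use the JAAS login module, so this must be false (default is true).
    if jvm_props.get("javax.security.auth.useSubjectCredsOnly", "true").lower() != "false":
        findings.append("creds: javax.security.auth.useSubjectCredsOnly must be false")
    # '!=' or a space in a filter only works when useHttpFilterClass2 is true.
    class2 = jvm_props.get(SPNEGO + "useHttpFilterClass2", "false").lower() == "true"
    for key, value in parse_props(reload_text).items():
        if key.endswith(".Filter") and not class2 and ("!=" in value or " " in value):
            findings.append("filter: %s needs useHttpFilterClass2=true" % key)
    return findings

# Constructed sample input: one server's JVM custom properties and its reload file.
SAMPLE_JVM = {
    SPNEGO + "isEnabled": "true",
    SPNEGO + "propertyReloadFile": "/tmp/TestTAI.Properties",
    "javax.security.auth.useSubjectCredsOnly": "true",
}
SAMPLE_RELOAD = """
com.ibm.ws.spnego.SPN1.HostName=wsecurity.austin.ibm.com
com.ibm.ws.spnego.SPN1.Filter=user-agent!=IBM Web Services Explorer;request-url!=noSPNEGO
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_JVM, SAMPLE_RELOAD):
        print(finding)
```

An empty result means the property set is consistent with the rules on this page; it does not validate the Kerberos configuration itself.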
Single sign-on for HTTP requests using SPNEGO TAI (deprecated)
Configure JVM custom properties, filtering HTTP requests, and enabling SPNEGO TAI in WAS (deprecated)
Related
Java Generic Security Service User's Guide