

SPNEGO web authentication enablement

We can enable the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) as the web authenticator for WAS.

SPNEGO web authentication provides client-server single sign-on by negotiating the use of SPNEGO tokens. To open this page from the console, click Security > Global security. From Authentication, expand Web and SIP Security, and then click SPNEGO Web Authentication.


Use the alias host name for the application server

Resolves the alias host name for the application server to the actual host name for SPNEGO single sign-on. Disable this feature if you do not have an alias host name for the application server, or if you have one but it cannot be resolved to the actual host name.

When this option is enabled, you can dynamically add or modify an alias name in the DNS without changing the configuration of the application server; you do not need to set alias host names through the SPNEGO configuration. The application server performs a DNS lookup as an HTTP request comes in, and if the alias host name is resolved as a host name that is already configured for SPNEGO single sign-on, the application server continues to process it.

The application server expects the Kerberos service principal name (SPN) for a real host name to be present in the Kerberos keytab file.

If you have an alias host name and have disabled this option, set the alias host name through the SPNEGO configuration, provided that the SPN for the alias host name is present in the keytab file.

Default: Enabled


Dynamically update SPNEGO

Enables you to dynamically update the SPNEGO runtime when SPNEGO changes occur without restarting the application server.

This option is disabled if the Enable SPNEGO option is not selected.

Default: Enabled


Enable SPNEGO

Specifies the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) as a web authenticator for the application server.

Default: Disabled


Allow fall back to application authentication mechanism

Specifies that SPNEGO as a web authenticator is used to log in to WAS first. However, if the login fails, then the application authentication mechanism is used to log in to WAS.

This option is disabled if the Enable SPNEGO option is not selected.

Default: Disabled


Kerberos configuration file with full path

The Kerberos configuration file name with its full path. We can click Browse to locate it.

The Kerberos client configuration file, krb5.conf or krb5.ini, contains Kerberos configuration information, including the locations of the Key Distribution Centers (KDCs) for the realm of interest. The krb5.conf file is the default name for all platforms except the Windows operating system, which uses the krb5.ini file.

Data type: String


Kerberos keytab file name with full path

The Kerberos keytab file name with its full path. We can click Browse to locate it.

The Kerberos keytab file contains one or more Kerberos service principal names and keys. The default keytab file is krb5.keytab. Because the file holds the service keys, hosts must protect their Kerberos keytab files: store them on the local disk and make them readable only by authorized users. See "Create a Kerberos service principal name and keytab file" for more information.

If you do not specify a Kerberos keytab file then the default keytab file that is defined in the Kerberos configuration file is used.

Data type: String
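
The two keytab requirements on this page (the SPN for the real host name must be present, and the file must be readable only by authorized users) can be checked before SPNEGO is enabled. The following Python check is an added example, not IBM code. It assumes a POSIX host, the MIT keytab file format version 0x0502, and the HTTP/<host>@<REALM> form of the SPNEGO service principal; the function names and host names are hypothetical.

```python
import os, stat, struct

def keytab_principals(data):
    """Return the principals (service/host@REALM) stored in a version-2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    principals, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:                    # end marker
            break
        if size < 0:                     # deleted entry ("hole"): skip it
            pos += -size
            continue
        entry, p = data[pos:pos + size], 0
        pos += size
        (ncomp,) = struct.unpack_from(">H", entry, p)
        p += 2
        parts = []
        for _ in range(ncomp + 1):       # realm first, then the name components
            (n,) = struct.unpack_from(">H", entry, p)
            parts.append(entry[p + 2:p + 2 + n].decode())
            p += 2 + n
        principals.append("/".join(parts[1:]) + "@" + parts[0])
    return principals

def audit_keytab(path, real_host, realm):
    """Return a list of findings; an empty list means the keytab passed."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:                     # any group/other permission bit set
        findings.append(f"mode {mode:o} lets group/other access the keytab")
    with open(path, "rb") as f:
        spns = keytab_principals(f.read())
    want = f"HTTP/{real_host}@{realm}"   # assumed SPN form for SPNEGO
    if want not in spns:
        findings.append(f"{want} missing; keytab holds {sorted(set(spns))}")
    return findings

def sample_entry(service, host, realm, kvno=1):
    """Constructed test data: one keytab entry with a dummy all-zero AES256 key."""
    body = struct.pack(">H", 2)
    for s in (realm, service, host):
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, 18, 32) + bytes(32)
    return struct.pack(">i", len(body)) + body
```

Pass the real host name, not the alias, as `real_host` when the alias host name option is enabled, because that is the SPN the application server expects in the keytab.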


Map Kerberos principals to SAF identities using the SAF RACMAP profiles

Maps the Kerberos principal in the SPNEGO token to an SAF user, where the Kerberos principal and the Kerberos realm are specified in the RACMAP profiles of the SAF product. Before you can select this option, the SAF product must support identity mapping.

This selection is visible only when the z/OS security product supports SAF identity mapping, the active user registry is Local OS, and there are no nodes prior to WAS v8.0 in the cell.

The default value is unchecked. When checked, the security custom property, com.ibm.websphere.security.spnego.useRACMAPMappingToSAF, is set to true.


Related


SPNEGO web authentication filter values
Kerberos authentication settings
