Modify SPNEGO TAI properties using the wsadmin utility (deprecated)

Use the wsadmin utility to modify the properties in the configuration of the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for WebSphere Application Server.

Deprecated feature:

In WebSphere Application Server v6.1, a trust association interceptor (TAI) that uses SPNEGO to securely negotiate and authenticate HTTP requests for secured resources was introduced. In WebSphere Application Server 7.0, this function is deprecated. SPNEGO web authentication has taken its place, providing dynamic reload of the SPNEGO filters and fallback to the application login method.

Verify that end-user desktop browsers are configured to support SPNEGO authentication, that the SPNEGO TAI is enabled, that the JVM property is set, and that WebSphere Application Server is configured to enable the operation of the SPNEGO TAI. Use the wsadmin utility to configure the SPNEGO TAI for WebSphere Application Server:

  1. Start WebSphere Application Server.

  2. (Distributed and z/OS) Start the command-line utility by running the wsadmin command from the app_server_root/bin directory.

  3. (iSeries) Start the command-line utility by running the wsadmin command in the app_server_root/bin directory from the Qshell command line.

  4. At the wsadmin prompt, enter the following command:

      $AdminTask modifySpnegoTAIProperties

    Use the following parameters with this command:

    Option Description

    <spnId> Required. The SPN identifier for the group of custom properties that are to be defined with this command.

    <host> Optional. The host name portion of the SPN used by the SPNEGO TAI to establish a Kerberos secure context.

    <filter> Optional. The filtering criteria used by the class specified with the filterClass attribute.

    <filterClass> Optional. The name of the Java class used by the SPNEGO TAI to select which HTTP requests will be subject to SPNEGO authentication. If no class is specified, all HTTP requests will be subject to SPNEGO authentication.

    <noSpnegoPage> Optional. The URL of a resource containing the content the SPNEGO TAI will include in the HTTP response to be displayed by the (browser) client application if it does not support SPNEGO authentication.

    If the noSpnegoPage attribute is not specified, the default is used:

    "<html><head><title>SPNEGO  authentication is not supported.
    </title></head>" +
    "<body>SPNEGO authentication is  not supported on this client.
    </body></html>";

    <ntlmTokenPage> Optional. The URL of a resource containing the content the SPNEGO TAI will include in the HTTP response, which will be displayed by the (browser) client application. The (browser) client application displays this HTTP response when the browser client sends an NT LAN Manager (NTLM) token instead of the expected SPNEGO token during the challenge-response handshake.

    If the ntlmTokenPage attribute is not specified, the default is used:

    "<html><head><title>An NTLM Token  was received.</title></head>"
    + "<body>Your browser configuration is correct, but we have not logged into a supported Windows  Domain."
    + "<p>Please login to the application using the normal login page.</html>";

    <trimUserName> Optional. Specifies whether (true) or not (false) the SPNEGO TAI is to remove the suffix of the principal user name, starting from the "@" that precedes the Kerberos realm name. If this attribute is set to true, the suffix of the principal user name is removed. If this attribute is set to false, the suffix of the principal name is retained. The default value is true.


    Results

    SPNEGO TAI properties are modified for this WebSphere Application Server.


    Example

    Example 1

    The following example configures the SPNEGO TAI to intercept HTTP requests whose user-agent request header contains IE 6. The SPNEGO TAI uses the SPN HTTP/myhost.ibm.com@<default_realm> to authenticate the request originator. The example then modifies the value of the filter custom property that was defined, changing it from user-agent%=IE 6 to host==myhost.company.com.
    $AdminTask addSpnegoTAIProperties -host myhost.ibm.com -filter user-agent%=IE 6
    $AdminTask modifySpnegoTAIProperties -spnId 1 -filter host==myhost.company.com

    Example 2

    This example modifies the SPNEGO TAI properties for SPN1 interactively, setting the host name to central01.austin.ibm.com and adding a filter.
    wsadmin>$AdminTask modifySpnegoTAIProperties -interactive
    Modify SPNEGO TAI properties
    Modify SPNEGO TAI configuration properties
    *Service Principal Name identifier (spnId): 1
    Host name in Service Principal Name (host): central01.austin.ibm.com
    HTTP header filter rule (filter): request-url!=noSPNEGO;request-url%=snoop
    Name of class used to filter HTTP requests (filterClass):
    SPNEGO not supported browser response (noSpnegoPage):
    NTLM Token received browser response (ntlmTokenPage):
    Trim User Name browser response (trimUserName):
    Modify SPNEGO TAI properties
    F (Finish)
    C (Cancel)
    Select [F, C]: [F] f
    WASX7278I: Generated command line: $AdminTask modifySpnegoTAIProperties {-spnId
    1 -host w2003secdev.austin.ibm.com -filter request-url!=noSPNEGO;request-url%=sn
    oop}
    com.ibm.ws.security.spnego.SPN1.filter=request-url!=noSPNEGO;request-url%=snoop
    com.ibm.ws.security.spnego.SPN1.hostName=central01.austin.ibm.com
    wsadmin>
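    As an added example (my code, not IBM's and not part of the original page), the following Python evaluator applies filter rules of the shape used in Examples 1 and 2 to sample requests, so you can check which requests a rule would send through SPNEGO before committing it with modifySpnegoTAIProperties. The operator semantics (';' as AND, '==' exact match, '%=' contains, '!=' does not contain) are my assumed reading of the rule strings on this page, and the sample requests are constructed.

```python
# Added example (not IBM's code): evaluate SPNEGO TAI-style HTTP header filter
# rules such as "request-url!=noSPNEGO;request-url%=snoop" against a request.
# Assumed semantics, not defined on this page: ';'-separated clauses are ANDed;
# '==' exact match, '%=' contains, '!=' does not contain; header names are
# case-insensitive and 'request-url' stands for the request target.
from typing import Dict, List, Tuple

OPERATORS = ("==", "!=", "%=")  # checked in this order; each is unambiguous

def parse_filter(rule: str) -> List[Tuple[str, str, str]]:
    """Split 'name<op>value;name<op>value' into (name, op, value) triples."""
    conditions = []
    for clause in (c.strip() for c in rule.split(";")):
        if not clause:
            continue
        for op in OPERATORS:
            if op in clause:
                name, value = clause.split(op, 1)
                conditions.append((name.strip().lower(), op, value.strip()))
                break
        else:
            raise ValueError(f"no operator in clause: {clause!r}")
    return conditions

def intercepted(rule: str, headers: Dict[str, str], request_url: str) -> bool:
    """True when every clause holds, i.e. the TAI would apply SPNEGO."""
    values = {k.lower(): v for k, v in headers.items()}
    values["request-url"] = request_url
    for name, op, expected in parse_filter(rule):
        actual = values.get(name, "")  # a missing header compares as empty
        if op == "==" and actual != expected:
            return False
        if op == "%=" and expected not in actual:
            return False
        if op == "!=" and expected in actual:
            return False
    return True

# Constructed sample requests (headers, request target) to exercise the rules.
SAMPLE_REQUESTS = [
    ({"Host": "central01.austin.ibm.com"}, "/snoop"),
    ({"Host": "central01.austin.ibm.com"}, "/snoop?noSPNEGO"),
    ({"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0)"}, "/hello"),
]

def classify(rule: str) -> List[bool]:
    """Apply one rule to every sample request, in order."""
    return [intercepted(rule, h, url) for h, url in SAMPLE_REQUESTS]
```

    With the Example 2 rule, only the plain /snoop request is intercepted; the request carrying noSPNEGO in its URL falls through to the application login, which is the fallback behaviour that rule is written to allow.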


    Related tasks

    Configure WebSphere Application Server and enabling the SPNEGO TAI (deprecated)

    SPNEGO TAI custom properties configuration (deprecated)