SPNEGO web authentication configuration commands

WAS v8.5 > Reference > Commands (wsadmin scripting)
SPNEGO web authentication configuration commands

Use wsadmin commands to configure, unconfigure, validate, or display Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) in the security configuration.

Configure SPNEGO web authentication

You must first have a workable Kerberos configuration file and a Kerberos keytab file. For more information, read topics about creating a Kerberos configuration file and creating a Kerberos service principal name and keytab file.
Use the configureSpnego command to configure SPNEGO as a web authenticator in the security configuration.
At the wsadmin prompt, enter the following command for help:
Wsadmin>$AdminTask help configureSpnego

Command parameters. We can use the following parameters with the configureSpnego command:

Option Description
<enabled> This parameter is optional. It enables SPNEGO web authentication.
<dynamicReload> This parameter is optional. It enables dynamic reload of SPNEGO web authentication filters.
<allowAppAuthMethodFallback> This parameter is optional. It allows fall back to the application authentication mechanism.
<krb5Config> This parameter is required. It supplies the directory location and file name of the configuration (krb5.ini or krb5.conf) file.
<krb5Keytab> This parameter is optional. It supplies the directory location and file name of the Kerberos keytab file. If we do not specify this parameter, the default keytab in the Kerberos configuration file is used.

WebSphere variables can be used to specify the krb5Config and krb5Keytab file paths. If we have a mixed platform environment, we can use a variable ${CONF_OR_INI} for the Kerberos configuration file. Security configuration will expand it to “ini” for Windows or “conf” for non-Windows platforms For example:
${WAS_INSTALL_ROOT}\etc\krb5\krb5.${CFG_OR_INI}

The configureSpnego and validateSpnegoConfig commands verify the krb5Config and krb5Keytab files only when SPNEGO is enabled. If SPNEGO is not enabled, these commands only verify the krb5Config and krb5Keytab files exist. This allows you to configure SPNEGO without enabling.

Unconfigure SPNEGO web authentication

Use the unconfigureSpnego command to unconfigure SPNEGO web authentication in the security configuration.
At the wsadmin prompt, enter the following command for help:
wsadmin>$AdminTask help unconfigureSpnego

Show SPNEGO web authentication

Use the showSPNEGO command to display the SPNEGO web authentication in the security configuration.
At the wsadmin prompt, enter the following command for help:
wsadmin>$AdminTask help showSpnego

Validate Kerberos configuration

Use the validateKrbConfig command to validate the Kerberos configuration data either in the global security file security.xml or specified as an input parameter.
At the wsadmin prompt, enter the following command for help:
wsadmin>$AdminTask help validateKrbConfig
We can use the following parameters with the validateKrbConfig command:
Command parameters.
This table describes parameters for the validateKrbConfig command.

Option Description
<checkConfigOnly> Checks the Kerberos configuration without validating, You must use global security for this check.
<useGlobalSecurityConfig> Uses the Global Security configuration data, security.xml, instead of input parameters.
<validateKrbRealm> Validates the Kerberos realm against the default Kerberos realm in the Kerberos configuration file (krb5.ini or krb5.conf).
<serverId> Specifies the server identity used for internal process communications.
<serverIdPassword> Password used for the server identity.
<krb5Spn> Specifies the Kerberos service principal name in the Kerberos keytab file.
<krb5Config > This parameter is required. It supplies the directory location and file name of the configuration (krb5.ini or krb5.conf) file.
<krb5Keytab> This parameter is optional. It supplies the directory location and file name of the Kerberos keytab file. If we do not specify this parameter, the default keytab in the Kerberos configuration file is used.
<krb5Realm > This parameter is required. It specifies the value for the Kerberos realm name.

WebSphere variables can be used to specify the krb5Config and krb5Keytab file paths. If we have a mixed platform environment, we can use a variable ${CONF_OR_INI} for the Kerberos configuration file. Security configuration will expand it to ini for Windows or conf for non-Windows platforms. For example:
${WAS_INSTALL_ROOT}\etc\krb5\krb5.${CFG_OR_INI}

To validate the Kerberos configuration in the global security configuration file security.xml, run validateKrbConfig with no parameters or with useGlobalSecurityConfig set to true. To validate the Kerberos configuration with input parameters, set useGlobalSecurityConfig and checkConfigOnly to false and specify values for krb5Spn, krb5Config, krb5Keytab, and krb5Realm.

Related

Configure security with scripting
Configure Kerberos as the authentication mechanism
Create a Kerberos configuration file
Create a single sign-on for HTTP requests using SPNEGO Web authentication

Related information:

SPNEGO web authentication filter commands

+
Search Tips | Advanced Search

Option	Description
<enabled>	This parameter is optional. It enables SPNEGO web authentication.
<dynamicReload>	This parameter is optional. It enables dynamic reload of SPNEGO web authentication filters.
<allowAppAuthMethodFallback>	This parameter is optional. It allows fall back to the application authentication mechanism.
<krb5Config>	This parameter is required. It supplies the directory location and file name of the configuration (krb5.ini or krb5.conf) file.
<krb5Keytab>	This parameter is optional. It supplies the directory location and file name of the Kerberos keytab file. If we do not specify this parameter, the default keytab in the Kerberos configuration file is used.

Option	Description
<checkConfigOnly>	Checks the Kerberos configuration without validating, You must use global security for this check.
<useGlobalSecurityConfig>	Uses the Global Security configuration data, security.xml, instead of input parameters.
<validateKrbRealm>	Validates the Kerberos realm against the default Kerberos realm in the Kerberos configuration file (krb5.ini or krb5.conf).
<serverId>	Specifies the server identity used for internal process communications.
<serverIdPassword>	Password used for the server identity.
<krb5Spn>	Specifies the Kerberos service principal name in the Kerberos keytab file.
<krb5Config >	This parameter is required. It supplies the directory location and file name of the configuration (krb5.ini or krb5.conf) file.
<krb5Keytab>	This parameter is optional. It supplies the directory location and file name of the Kerberos keytab file. If we do not specify this parameter, the default keytab in the Kerberos configuration file is used.
<krb5Realm >	This parameter is required. It specifies the value for the Kerberos realm name.