Configure JVM custom properties, filtering HTTP requests, and enabling SPNEGO TAI in WAS (deprecated)

WAS v8.5 > Secure applications > Authenticate users > Implement single sign-on to minimize web user authentications > Create a single sign-on for HTTP requests using the SPNEGO TAI (deprecated)
Configure JVM custom properties, filtering HTTP requests, and enabling SPNEGO TAI in WAS (deprecated)

Performing this task helps you, as web administrator, to ensure that WebSphere Application Server is configured to enable the operation of the Simple and Protected GSS-API Negotiation mechanism (SPNEGO) TAI with the required JVM property and with the appropriate filtering of HTTP requests.
You need to know how to use the dmgr console to manage the security configuration and have the proper authority to modify the security configuration of the application server.
Deprecated feature:
In WAS v6.1, a TAI that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured resources was introduced. In WAS 7.0, this function is now deprecated. SPNEGO web authentication has taken its place to provide dynamic reload of the SPNEGO filters and to enable fallback to the application login method. depfeat
Verify the configuration of your SPNEGO TAI. The deployment of the SPNEGO TAI can vary from a single WAS system on which a single application is running to a large multinode WAS, Network Deployment (ND) cell, with dozens of application servers, hosting many applications. Every SPNEGO TAI is installed at the cell level. You must be aware of your particular SPNEGO TAI configuration.
The default behavior of the SPNEGO TAI is to not intercept HTTP requests. This default behavior ensures the SPNEGO TAI can be installed into an existing cell, configured for a single application server and not change any other application servers in the cell. Other WASs can run exactly as before within a given configuration.
Decide whether or not to use the sample SPN<id>.filterClass and determine the exact filter properties to use.
The default behavior of the SPNEGO TAI is to use the com.ibm.ws.security.spnego.SPN<id>.filterClass and intercept all requests. If the default behavior is not appropriate, we can use a customer provided class, or extend or modify the sample class as required. The system programmer interface, com.ibm.ws.security.spnego.SpnegoFilter allows you to implement a custom filter to determine whether or not to intercept a particular HTTP request. With the default implementation, we can set filter rules for coarse as well as fine-grained criteria in selecting which HTTP requests to intercept.

For an alternative to the steps below for enabling the SPNEGO TAI, we can use scripting to perform the operation. See Enable the SPNEGO TAI as JVM custom property using scripting (deprecated) for the details. Complete the following steps to enable the operation of the SPNEGO TAI with your selected filtering and with the JVM required property.

Log on to dmgr console.

Click Servers > Application servers.
Select the appropriate server. Under Server Infrastructure, expand Java and process management > Process Definition.

Click Java virtual machine. Under Additional Properties, click Custom Properties. Create a new custom property, if required, by clicking New, then code com.ibm.ws.security.spnego.isEnabled in the name field and true in the value field.

Click Apply > OK to save the configuration
Identify when the SPNEGO TAI intercepts a given request. A set of filter properties is provided, but you must determine what is appropriate and modify the com.ibm.ws.security.spnego.SPN<id>.filterClass accordingly.

Results
The application server is configured and ready to provide a single sign-on environment for end users who have successfully authenticated in a Microsoft Active Directory domain. Restart each application server that is configured for SPNEGO web authentication. Then your SPNEGO TAI is set to filter HTTP request when it is operating.

Subtopics

Enable the SPNEGO TAI as JVM custom property using scripting (deprecated)
Use wsadmin utility to enable the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) TAI for WAS.
SPNEGO TAI JVM configuration custom properties (deprecated)
JVM custom properties control the operation of the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) TAI.
Enable the SPNEGO TAI as JVM custom property using scripting (deprecated)
Use wsadmin utility to enable the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for WAS.
SPNEGO TAI JVM configuration custom properties (deprecated)
JVM custom properties control the operation of the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) TAI.

Related concepts:

Single sign-on for HTTP requests using SPNEGO TAI (deprecated)

Related

Configure WAS and enabling the SPNEGO TAI (deprecated)
Configure the client browser to use SPNEGO TAI (deprecated)
Create a single sign-on for HTTP requests using the SPNEGO TAI (deprecated)

Reference:

SPNEGO TAI custom properties configuration (deprecated)

+
Search Tips | Advanced Search