WAS v8.5 > Secure applications > Authenticate users > Implement single sign-on to minimize web user authentications > Create a single sign-on for HTTP requests using the SPNEGO TAI (deprecated)

Configure WAS and enabling the SPNEGO TAI (deprecated)

Performing this task helps you, as web administrator, to ensure that WebSphere Application Server is properly configured to enable the operation of the Simple and Protected GSS-API Negotiation (SPNEGO) TAI.

You need to know how to use the WAS dmgr console to manage the security configuration and have the proper authority to modify the security configuration of the application server.

Deprecated feature:

In WAS v6.1, a TAI that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured resources was introduced. In WAS 7.0, this function is now deprecated. SPNEGO web authentication has taken its place to provide dynamic reload of the SPNEGO filters and to enable fallback to the application login method. depfeat

To enable the operation of the SPNEGO TAI.

1. Log on to the WAS dmgr console.

2. Click Security > Global security.

3. Expand Web security and click Trust association.

4. Under the General Properties heading, select the Enable trust association check box, then click Interceptors.

5. Select the SPNEGO TAI in the list of interceptors.
6. Then click Custom properties.

7. Click New and then fill in the Name and Value fields. Click OK. Repeat this step for each custom property to apply to the SPNEGO TAI. See SPNEGO TAI custom properties configuration (deprecated) for a complete list of SPNEGO TAI custom properties.

   It is recommended that we use the wsadmin utility to manage the SPNEGO TAI properties. We can add, modify, and delete SPNEGO TAI properties as well as display them using wsadmin. See Add SPNEGO TAI properties using the wsadmin utility (deprecated) to add, Modify SPNEGO TAI properties using the wsadmin utility (deprecated) to modify, and Delete SPNEGO TAI properties using the wsadmin utility (deprecated) to delete SPNEGO TAI properties.

8. After finishing defining your custom properties, click Save to store the updated SPNEGO TAI configuration.

9. Optional: If an alias for a connecting host name is added dynamically after the application server is started, you need to configure the alias. Refer to the Use an alias host name for SPNEGO TAI or SPENGO web authentication using the dmgr console (deprecated) topic.

Results

Your SPNEGO TAI configuration is now configured for WAS.

Subtopics

• Use an alias host name for SPNEGO TAI or SPENGO web authentication using the dmgr console (deprecated)
  When we use the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) TAI for authentication, and you would like to use alias host name as the host name for the application server, configure a custom property to resolve the alias host name to the actual hostname for SPNEGO single sign-on. Then, we can dynamically add or modify an alias name in the DNS without changing the application server's configuration. If you enable this custom property you will no longer need to set alias host names through the SPNEGO configuration.
• Add SPNEGO TAI properties using the wsadmin utility (deprecated)
  Use wsadmin utility to add properties for the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) TAI in the security configuration for WAS.
• Modify SPNEGO TAI properties using the wsadmin utility (deprecated)
  Use wsadmin utility to modify the properties in the configuration of the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) TAI for WAS.
• Delete SPNEGO TAI properties using the wsadmin utility (deprecated)
  Use wsadmin utility to delete properties in the configuration of the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) TAI for WAS.
• Display SPNEGO TAI properties using the wsadmin utility (deprecated)
  Use wsadmin utility to display the properties in the configuration of the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) TAI for WAS.
• SPNEGO TAI custom properties configuration (deprecated)
  The Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) TAI custom configuration properties control different operational aspects of the SPNEGO TAI. We can specify different property values for each application server.
• SPNEGO TAI configuration requirements (deprecated)
  The configuration used by the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) TAI on each selected application server is governed by various system requirements.
• Use an alias host name for SPNEGO TAI or SPENGO web authentication using the dmgr console (deprecated)
  When we use the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) TAI for authentication, and you would like to use alias host name as the host name for the application server, configure a custom property to resolve the alias host name to the actual hostname for SPNEGO single sign-on. Then, we can dynamically add or modify an alias name in the DNS without changing the application server's configuration. If you enable this custom property you will no longer need to set alias host names through the SPNEGO configuration.
• Add SPNEGO TAI properties using the wsadmin utility (deprecated)
  Use wsadmin utility to add properties for the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) in the security configuration for WAS.
• Modify SPNEGO TAI properties using the wsadmin utility (deprecated)
  Use wsadmin utility to modify the properties in the configuration of the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for WAS.
• Delete SPNEGO TAI properties using the wsadmin utility (deprecated)
  Use wsadmin utility to delete properties in the configuration of the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for WAS.
• Display SPNEGO TAI properties using the wsadmin utility (deprecated)
  Use wsadmin utility to display the properties in the configuration of the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for WAS.
• SPNEGO TAI custom properties configuration (deprecated)
  The Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) TAI custom configuration properties control different operational aspects of the SPNEGO TAI. We can specify different property values for each application server.
• SPNEGO TAI configuration requirements (deprecated)
  The configuration used by the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) on each selected application server is governed by various system requirements.

Related concepts:

Single sign-on for HTTP requests using SPNEGO TAI (deprecated)

Related

Configure the client browser to use SPNEGO TAI (deprecated)
Configure JVM custom properties, filtering HTTP requests, and enabling SPNEGO TAI in WAS (deprecated)
Create a single sign-on for HTTP requests using the SPNEGO TAI (deprecated)

Reference:

The Kerberos configuration file

+

Search Tips   |   Advanced Search