SpnegoTAICommands group for the AdminTask object (deprecated)
Use the Jython or Jacl scripting languages to configure security with the wsadmin tool. The commands in the SpnegoTAICommands group can be used to manage configurations used by the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI).
Deprecated feature:
In WebSphere Application Server v6.1, a trust association interceptor (TAI) that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured resources was introduced. This function was deprecated in WAS Version 7.0. SPNEGO web authentication has taken its place to provide dynamic reload of the SPNEGO filters and to enable fallback to the application login method.
depfeatThe SpnegoTAICommands .includes the following commands:
- addSpnegoTAIProperties
- deleteSpnegoTAIProperties
- modifySpnegoTAIProperties
- showSpnegoTAIProperties
- createKrbConfigFile
addSpnegoTAIProperties
The addSpnegoTAIProperties command adds properties in the configuration of the SPNEGO trust association interceptor (TAI) for the application server.Target object: None
Parameters and return values
- -spnId
- This is the SPN identifier for the group of custom properties that are to be defined with this command. If not specified, an unused SPN identifier is assigned. (String, optional)
- -host
- Host name portion in the SPN used by the SPNEGO TAI to establish a Kerberos secure context. (String, required)
- -filter
- Defines the filtering criteria used by the class specified with the given attribute. If no filter is specified, all HTTP requests are subject to SPNEGO authentication. (String, optional)
- -filterClass
- Name of the Java class used by the SPNEGO TAI to select which HTTP requests will be subject to SPNEGO authentication. If no filter class is specified, the default filter class, com.ibm.ws.security.spnego.HTTPHeaderFilter, is used. (String, optional)
- -noSpnegoPage
- The URL of a resource containing the content the SPNEGO TAI will include in the HTTP response to be displayed by the (browser) client application if it does not support SPNEGO authentication. (String, optional).
If we do not specify the noSpnegoPage attribute then the default is used:
"<html><head><title>SPNEGO authentication is not supported.</title></head>" + "<body>SPNEGO authentication is not supported on this client.</body></html>";
- -ntlmTokenPage
- The URL of a resource containing the content the SPNEGO TAI will include in the HTTP response to be displayed by the (browser) client application when the SPNEGO token received by the interceptor after the challenge-response handshake contains a NT LAN manager (NTLM) token instead of the expected SPNEGO token. (String, optional).
If we do not specify the ntlmTokenPage attribute then the default is used:
"<html><head><title>An NTLM Token was received.</title></head>" + "<body>Your browser configuration is correct, but we have not logged into a supported Windows Domain." + "<p>Please login to the application using the normal login page.</html>";
- -trimUserName
- Specifies whether (true) or not (false) the SPNEGO TAI is to remove the suffix of the principal user name, starting from the @ that precedes the Kerberos realm name. If this attribute is set to true, the suffix of the principal user name is removed. If this attribute is set to false, the suffix of the principal name is retained. The default value used is true. (String, optional)
Examples
Batch mode example usage:
- Jacl:
$AdminTask addSpnegoTAIProperties -host myhost.ibm.com -filter user-agent%=IE 6- Jython string:
AdminTask.addSpnegoTAIProperties ('[-host myhost.ibm.com -filter user-agent%=IE 6]')- Jython list:
AdminTask.addSpnegoTAIProperties (['-host', 'myhost.ibm.com', '-filter', 'user-agent%=IE', '6'])
Interactive mode example usage:
- Jacl:
$AdminTask addSpnegoTAIProperties -interactive- Jython string:
AdminTask.addSpnegoTAIProperties ('[-interactive]')- Jython list:
AdminTask.addSpnegoTAIProperties ['-interactive'])
deleteSpnegoTAIProperties
The deleteSpnegoTAIProperties command deletes properties in the configuration of the SPNEGO trust association interceptor (TAI) for WAS.Target object: None
Parameters and return values
- -spnId
- The SPN identifier for the group of custom properties that are to be deleted with this command. If not specified, all SPNEGO TAI custom properties are deleted. (String, optional)
Examples
Batch mode example usage:
- Jacl:
$AdminTask deleteSpnegoTAIProperties {-spnId 2}- Jython string:
AdminTask.deleteSpnegoTAIProperties ('[-spnId 2]')- Jython list:
AdminTask.deleteSpnegoTAIProperties (['-spnId', '2'])
Interactive mode example usage:
- Jacl:
$AdminTask deleteSpnegoTAIProperties -interactive- Jython string:
AdminTask.deleteSpnegoTAIProperties ('[-interactive]')- Jython list:
AdminTask.deleteSpnegoTAIProperties ['-interactive'])
modifySpnegoTAIProperties
The modifySpnegoTAIProperties command modifies the properties in the configuration of the SPNEGO trust association interceptor (TAI) for WAS.Target object: None
Parameters and return values
- -spnId
- The SPN identifier for the group of custom properties that are to be defined with this command. (String, required)
- -host
- Host name portion in the SPN used by the SPNEGO TAI to establish a Kerberos secure context. (String, optional)
- -filter
- Defines the filtering criteria used by the class specified with the given attribute. (String, optional)
- -filterClass
- Name of the Java class used by the SPNEGO TAI to select which HTTP requests will be subject to SPNEGO authentication. If no class is specified, all HTTP requests will be subject to SPNEGO authentication. (String, optional)
- -noSpnegoPage
- The URL of a resource containing the content the SPNEGO TAI will include in the HTTP response to be displayed by the (browser) client application if it does not support SPNEGO authentication. (String, optional)
- -ntlmTokenPage
- The URL of a resource containing the content the SPNEGO TAI will include in the HTTP response to be displayed by the (browser) client application when the SPNEGO token received by the interceptor after the challenge-response handshake contains a NT LAN manager (NTLM) token instead of the expected SPNEGO token. (String, optional)
- -trimUserName
- Specifies whether (true) or not (false) the SPNEGO TAI is to remove the suffix of the principal user name, starting from the "@" that precedes the Kerberos realm name. If this attribute is set to true, the suffix of the principal user name is removed. If this attribute is set to false, the suffix of the principal name is retained. The default value used is true. (String, optional)
Examples
Batch mode example usage:
- Jacl:
$AdminTask modifySpnegoTAIPROPERTIES -spnId 1 -filter host==myhost.company.com- Jython string:
AdminTask.modifySpnegoTAIPROPERTIES ('[-spnId 1 -filter host==myhost.company.com]')- Jython list:
AdminTask.modifySpnegoTAIPROPERTIES (['-spnId', '1', '-filter', 'host==myhost.company.com'])
Interactive mode example usage:
- Jacl:
$AdminTask modifySpnegoTAIProperties -interactive- Jython string:
AdminTask.modifySpnegoTAIProperties ('[-interactive]')- Jython list:
AdminTask.modifySpnegoTAIProperties ['-interactive'])
showSpnegoTAIProperties
The showSpnegoTAIProperties command displays the properties in the configuration of the SPNEGO trust association interceptor (TAI) for WAS.Target object: None
Parameters and return values
- -spnId
- The service principal name (SPN) identifier for the group of custom properties that are to be displayed with this command. If we do not specify this parameter, all SPNEGO TAI custom properties are displayed. (String, optional)
Examples
Batch mode example usage:
- Jacl:
$AdminTask showSpnegoTAIProperties -spnId 1- Jython string:
AdminTask.showSpnegoTAIProperties ('[-spnId 1]')- Jython list:
AdminTask.showSpnegoTAIProperties (['-spnId', '1'])
Interactive mode example usage:
- Jacl:
$AdminTask showSpnegoTAIProperties -interactive- Jython string:
AdminTask.showSpnegoTAIProperties ('[-interactive]')- Jython list:
AdminTask.showSpnegoTAIProperties ['-interactive'])
createKrbConfigFile
The createKrbConfigFile command creates the Kerberos configuration file for use with the Simple and Protected GSS-API Negotiation echanism (SPNEGO) trust association interceptor (TAI) for WAS.Target object: None
Parameters and return values
- -krbPath
- Provides the fully qualified file system location of the Kerberos configuration (krb5.ini or krb5.conf) file. (String, required)
- -realm
- Provides the Kerberos realm name. The value of this attribute is used by the SPNEGO TAI to form the Kerberos service principal name for each of the hosts specified with the property com.ibm.ws.security.spnego.SPN<id>.hostname (String, required)
- -kdcHost
- Provides the host name of the Kerberos Key Distribution Center (KDC). (String, required)
- -kdcPort
- Provides the port number of the KDC. The default value, if not specified, is 88. (String, optional)
- -dns
- Provides the default domain name service (DNS) used to produce a fully qualified host name. (String, required)
- -keytabPath
- Provides the file system location of the Kerberos keytab file. (String, required)
- -encryption
- Identifies the list of supported encryption types, separated by a space. The specified value is used for the default_tkt_enctypes and default_tgs_enctypes. The default encryption types, if not specified, are des-cbc-md5 and rc4-hmac. (String, optional)
Examples
Interactive mode example usage:
- Jacl:
$AdminTask createKrbConfigFile -interactive- Jython string:
AdminTask.createKrbConfigFile ('[-interactive]')- Jython list:
AdminTask.createKrbConfigFile ['-interactive'])
wsadmin AdminTask Commands for the AdminTask object