Configure WAS and enabling the SPNEGO TAI (deprecated)

Perform this task helps you, as web administrator, to ensure that WebSphere Application Server is properly configured to enable the operation of the Simple and Protected GSS-API Negotiation (SPNEGO) trust association interceptor (TAI).

We need to know how to use the WAS administrative console to manage the security configuration and have the proper authority to modify the security configuration of the application server.

Deprecated feature:

In WAS v6.1, a trust association interceptor (TAI) that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured resources was introduced. In WAS 7.0, this function is now deprecated. SPNEGO web authentication has taken its place to provide dynamic reload of the SPNEGO filters and to enable fallback to the application login method.

depfeat

Enable the operation of the SPNEGO TAI.

Tasks

1. Log on to the WAS administrative console.

2. Click Security > Global security.

3. Expand Web security and click Trust association.

4. Under the General Properties heading, select the Enable trust association check box, then click Interceptors.

5. Select the SPNEGO TAI in the list of interceptors.

6. Then click Custom properties.

7. Click New and then fill in the Name and Value fields. Click OK. Repeat this step for each custom property to apply to the SPNEGO TAI. See SPNEGO TAI custom properties configuration (deprecated) for a complete list of SPNEGO TAI custom properties.

   IBM recommends that we use the wsadmin utility to manage the SPNEGO TAI properties. We can add, modify, and delete SPNEGO TAI properties as well as display them using wsadmin. See Add SPNEGO TAI properties using the wsadmin utility (deprecated) to add, Modify SPNEGO TAI properties using the wsadmin utility (deprecated) to modify, and Delete SPNEGO TAI properties using the wsadmin utility (deprecated) to delete SPNEGO TAI properties.

8. After you finish defining our custom properties, click Save to store the updated SPNEGO TAI configuration.

9. Optional: If an alias for a connecting host name is added dynamically after the application server is started, we need to configure the alias. Refer to the Use an alias host name for SPNEGO TAI or SPENGO web authentication using the administrative console (deprecated) topic.

Your SPNEGO TAI configuration is now configured for WAS.

Subtopics

• Use an alias host name for SPNEGO TAI or SPENGO web authentication using the administrative console (deprecated)
  When we use the Simple and Protected GSS-API Negotiation echanism (SPNEGO) trust association interceptor (TAI) for authentication, and we would like to use alias host name as the host name for the application server, configure a custom property to resolve the alias host name to the actual hostname for SPNEGO single sign-on. Then, we can dynamically add or modify an alias name in the DNS without changing the application server's configuration. If we enable this custom property we will no longer need to set alias host names through the SPNEGO configuration.
• Add SPNEGO TAI properties using the wsadmin utility (deprecated)
  We use the wsadmin utility to add properties for the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) in the security configuration for WAS.
• Modify SPNEGO TAI properties using the wsadmin utility (deprecated)
  We use the wsadmin utility to modify the properties in the configuration of the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for WAS.
• Delete SPNEGO TAI properties using the wsadmin utility (deprecated)
  We use the wsadmin utility to delete properties in the configuration of the SPNEGO trust association interceptor (TAI) for WAS.
• Display SPNEGO TAI properties using the wsadmin utility (deprecated)
  We use the wsadmin utility to display the properties in the configuration of the SPNEGO trust association interceptor (TAI) for WAS.
• SPNEGO TAI custom properties configuration (deprecated)
  The Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) custom configuration properties control different operational aspects of the SPNEGO TAI. We can specify different property values for each application server.
• SPNEGO TAI configuration requirements (deprecated)
  The configuration used by the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) on each selected application server is governed by various system requirements.

Related:

Single sign-on for HTTP requests using SPNEGO TAI (deprecated)

Configure the client browser to use SPNEGO TAI (deprecated)

Configure JVM custom properties, filtering HTTP requests, and enabling SPNEGO TAI in WAS (deprecated)

Create a single sign-on for HTTP requests using the SPNEGO TAI (deprecated)

The Kerberos configuration file