
Configure SPNEGO on WAS

Configure SPNEGO on IBM WebSphere Application Server V8.0.

The connectionsAdmin J2C alias specified during installation must correspond to a valid account that can authenticate with Active Directory. The alias must map to an administrative user account that can authenticate for single sign-on with Active Directory. If we update the user ID or credentials for this alias, complete the steps in the Change references to administrative credentials topic.

Your WebSphere Application Server administrative account must be a valid account that can authenticate with Active Directory. User accounts specified only in the WebSphere Internal File Repository cannot check out configuration documents. Nor can such accounts connect to any of the LC MBeans to run commands.

For best practices on Service Principal Names and SPNEGO configuration, see the Tips on using Kerberos service principal names topic, which also covers multitier environments. For more information about setting up SPNEGO web authentication for WAS, see WebSphere with a side of SPNEGO.

To configure SPNEGO on WAS:

  1. Log on to the WAS console on the dmgr and select...

      Security | Global Security | Authentication | Kerberos configuration

    ...and then enter the following details:

    Kerberos service name: HTTP
    Kerberos configuration file: Full path to the Kerberos configuration file
    Kerberos keytab file name: Full path to the keytab file
    Kerberos realm name: Name of the Kerberos realm

  2. Select Trim Kerberos realm from principal name if it is not already selected.

  3. Select Enable delegation of Kerberos credentials if it is not already selected.

    Enable this option only if we are using Connections Mail with an Exchange backend; otherwise this setting should not be selected.

  4. Click OK and then click Save.

  5. Click...

      Kerberos configuration | Related Configuration | SPNEGO Web authentication

    SPNEGO Web authentication and Kerberos authentication use the same Kerberos client configuration and keytab files.

  6. Specify the SPNEGO filter:

    1. In the SPNEGO Filters area, click New and enter the following details:

      Host name: Enter the URI through which the Connections environment is accessed. Typically, this is the hostname or alias of the HTTP server.

      Kerberos realm name: Enter the Kerberos realm name.

      Filter criteria:

      request-url!=noSPNEGO;request-url!=/mobile;request-url!=/nav;request-url!=/bundles/js;request-url!=/static;request-url!=/activities/oauth;request-url!=/blogs/oauth;request-url!=/dogear/oauth;request-url!=/communities/calendar/oauth;request-url!=/communities/service/atom/oauth;request-url!=/communities/service/opensocial/oauth/;request-url!=/communities/recomm/oauth;request-url!=/connections/opensocial/oauth;request-url!=/connections/opensocial/anonymous/rest;request-url!=/connections/opensocial/common;request-url!=/connections/opensocial/gadgets;request-url!=/connections/opensocial/ic;request-url!=/connections/opensocial/rpc;request-url!=/connections/opensocial/social;request-url!=/connections/opensocial/xrds;request-url!=/connections/opensocial/xpc;request-url!=/connections/resources/web;request-url!=/connections/resources/ic;request-url!=/files/oauth;request-url!=/forums/oauth;request-url!=/homepage/oauth;request-url!=/metrics/service/oauth;request-url!=/moderation/oauth;request-url!=/news/oauth;request-url!=/news/follow/oauth;request-url!=/profiles/oauth;request-url!=/wikis/oauth;request-url!=/search/oauth;request-url!=/connections/core/oauth/;request-url!=/resources;request-url!=/oauth2/endpoint/

      Ensure that you separate each filter with a semicolon (;). No other character is allowed as a separator.

      Filter class: Leave this field blank so that the system uses the default filter class (com.ibm.ws.security.spnego.HTTPHeaderFilter).

      SPNEGO not supported error page URL: Enter the URL of the redirect page that you created, for example http://webserver/NoSpnegoRedirect.html, where webserver is the name of the IBM HTTP Server instance and NoSpnegoRedirect.html is the name of the redirect page.

      NTLM token received error page URL: Enter the URL of the redirect page that you created, for example http://webserver/NoSpnegoRedirect.html.

    2. Select Trim Kerberos realm from principal name.

    3. Select Enable delegation of Kerberos credentials.

    4. Click OK and then click Save.

  7. On the SPNEGO Web authentication page:

    1. Select Dynamically update SPNEGO.

    2. Select Enable SPNEGO.

    3. Select Allow fall back to application authentication mechanism.

    4. Enter the path to the Kerberos configuration file in the Kerberos configuration file with full path field. We created this file in the Create a service principal name and keytab file topic.

    5. Enter the path to the Kerberos keytab file in the Kerberos keytab file name with full path field. We created this file in the Create a service principal name and keytab file topic.

    6. Click Apply.

  8. Specify the level of authentication that users must go through to access the Connections deployment. With the following choices, we can either force users to always authenticate or allow users to access Blogs, Bookmarks, Communities, Files, Profiles, and Wikis anonymously; anonymous users must log in only when they try to access a private area. For more information about forcing authentication, see the Force users to log in before they can access an application topic.

    • (default) Allow anonymous access to IBM Connections:

      1. Select...

          Applications > Application Types > WebSphere enterprise applications

      2. Click the link to the first Connections application in the Enterprise Applications table.

      3. In the Detail Properties area, click...

          Security role to user/group mapping

      4. Select the reader Role, click Map Special Subjects, and select Everyone.

      5. Click OK and then click Save.

      6. Repeat steps 2 to 5 for the remaining Connections applications in the Enterprise Applications table.

    • Force users to log in to access IBM Connections:

      1. Select Applications > Application Types > WebSphere enterprise applications.

      2. Click the link to the first Connections application in the Enterprise Applications table.

      3. In the Detail Properties area, click...

          Security role to user/group mapping

      4. Select the reader Role, then click Map Special Subjects and select All Authenticated in Application's Realm.

      5. Click OK and then click Save.

      6. Repeat steps 2 to 5 for the remaining Connections applications in the Enterprise Applications table.

  9. Disable TAI authentication:

    Important: If we are configuring Tivoli Access Manager with SPNEGO or SiteMinder with SPNEGO, note that those configurations require the default value of true for this parameter.

    1. Select...

        Security | Global Security | Custom properties | New

    2. Enter the following name and value pair:

      Name: com.ibm.websphere.security.performTAIForUnprotectedURI
      Value: true

    3. Click OK and then click Save.

  10. Click...

      Global Security | Authentication | Kerberos | LTPA

    ...and then click Save.

  11. Synchronize all the nodes in the deployment.

  12. Stop and restart WebSphere Application Server:

    1. Stop all instances of WAS that host your Connections applications.

    2. Stop all node agents.

    3. Restart the dmgr.

    4. Restart all the node agents.

    5. Restart all instances of WAS.
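The filter criteria entered in step 6 decide which requests get a SPNEGO challenge and which fall back to application login, so it is worth reviewing them before saving. The following is an added example, not IBM's code: it parses a filter string in the semicolon-separated request-url!=value form from step 6 and reports which sample request paths would be exempt. It assumes that clauses are ANDed, that != means "does not contain" and == means "contains", and that request-url is matched against the full request URL including any query string; verify those semantics against the WAS documentation for HTTPHeaderFilter before relying on the result.

```python
from typing import List, Tuple

# Abbreviated version of the step 6 filter string (constructed for this
# example; the real string on the page has many more request-url!= clauses).
FILTER_CRITERIA = (
    "request-url!=noSPNEGO;request-url!=/mobile;request-url!=/nav;"
    "request-url!=/files/oauth;request-url!=/resources;"
    "request-url!=/oauth2/endpoint/"
)


def parse_filter(criteria: str) -> List[Tuple[str, str, str]]:
    """Split 'header<op>value;...' into (header, op, value) tuples.

    Only ';' separates clauses, as the page requires. Only '!=' (assumed:
    does not contain) and '==' (assumed: contains) are modelled here.
    """
    conditions = []
    for clause in criteria.split(";"):
        clause = clause.strip()
        if not clause:
            continue  # tolerate a trailing ';'
        for op in ("!=", "=="):
            if op in clause:
                header, value = clause.split(op, 1)
                conditions.append((header.strip(), op, value.strip()))
                break
        else:
            raise ValueError(f"unsupported filter clause: {clause!r}")
    return conditions


def spnego_applies(request_url: str, criteria: str = FILTER_CRITERIA) -> bool:
    """True when every clause holds, i.e. the request gets a SPNEGO challenge.

    Pass the path together with any query string (assumption: request-url is
    matched against the whole URL). Matching is substring-based, so a clause
    like request-url!=/nav also exempts /communities/navigate; review the
    exemption list with that in mind.
    """
    for header, op, value in parse_filter(criteria):
        if header != "request-url":
            raise ValueError(f"unsupported header: {header}")
        contains = value in request_url
        if (op == "!=" and contains) or (op == "==" and not contains):
            return False
    return True


def exempt_urls(urls: List[str], criteria: str = FILTER_CRITERIA) -> List[str]:
    """Return the URLs that bypass SPNEGO and fall back to application login."""
    return [u for u in urls if not spnego_applies(u, criteria)]
```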

