SPNEGO TAI configuration requirements

Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

SPNEGO TAI configuration requirements

The configuration that is used by the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) on each selected application server is governed by various system requirements. The following list of configuration requirements highlights those attributes, properties, qualities, restrictions, exclusions, inclusions, and dependencies that you need to be aware of when planning a WebSphere Application Server configuration that incorporates the use of the SPNEGO TAI.
Table 1. SPNEGO TAI requirements

Function item Description

SPNEGO TAI The SPNEGO TAI is a server side solution in WebSphere Application Server. Client-side applications are responsible for generating the SPNEGO token for use by the SPNEGO TAI.
Microsoft Windows Windows 2000 or Windows 2003 servers with Active Directory domain and its associated Kerberos key distribution center (KDC) is required.
Client application (browser or .NET client) A browser (client application) or .NET client that supports the SPNEGO authentication mechanism, as defined in IETF RFC 2478 is required.
Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) SPNEGO authentication, as defined in IETF RFC 2478 is used.
Internet browsers

Use Microsoft Internet Explorer version 5.5 or higher
Use Mozilla Firefox version 1.0

Kerberos Level Kerberos version 5 is required.
WebSphere Application Server Version 6.1 is required.
Java generic security service (JGSS) Version 1.0.1 is required.
Java Virtual Machine (JVM) See Configuring the JVM for information on configuring JVM.
Java SDK level Java 5.0 SDK is required.
Encryption Types RC4-HMAC encryption is only supported when using a Windows 2003 Server as Kerberos key distribution center (KDC) and is not supported with a Windows 2000 Server.

Related concepts

Single sign-on for HTTP requests using SPNEGO

Related tasks

Creating a single sign-on for HTTP requests using the SPNEGO TAI
Configuring the JVM

Related reference

SPNEGO TAI custom properties configuration
SPNEGO TAI JVM configuration custom properties
Using the ktab command to manage the Kerberos keytab file
The Simple and Protected GSS-API Negotiation Mechanism (IETF RFC 2478)
Single Sign-on Using Kerberos in Java

Related information

Configuring WebSphere Application Server and enabling the SPNEGO TAI


Function item	Description
SPNEGO TAI	The SPNEGO TAI is a server side solution in WebSphere Application Server. Client-side applications are responsible for generating the SPNEGO token for use by the SPNEGO TAI.
Microsoft Windows	Windows 2000 or Windows 2003 servers with Active Directory domain and its associated Kerberos key distribution center (KDC) is required.
Client application (browser or .NET client)	A browser (client application) or .NET client that supports the SPNEGO authentication mechanism, as defined in IETF RFC 2478 is required.
Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)	SPNEGO authentication, as defined in IETF RFC 2478 is used.
Internet browsers	Use Microsoft Internet Explorer version 5.5 or higher Use Mozilla Firefox version 1.0
Kerberos Level	Kerberos version 5 is required.
WebSphere Application Server	Version 6.1 is required.
Java generic security service (JGSS)	Version 1.0.1 is required.
Java Virtual Machine (JVM)	See Configuring the JVM for information on configuring JVM.
Java SDK level	Java 5.0 SDK is required.
Encryption Types	RC4-HMAC encryption is only supported when using a Windows 2003 Server as Kerberos key distribution center (KDC) and is not supported with a Windows 2000 Server.