When you use the Simple and Protected GSS-API Negotiation
Mechanism (SPNEGO) trust association interceptor (TAI) for authentication,
and you want to use an alias host name as the host name for the
application server, you must configure a custom property that resolves
the alias host name to the actual host name for SPNEGO single sign-on.
You can then dynamically add or modify an alias name in DNS without
changing the application server's configuration. If you enable
this custom property, you no longer need to set alias host names
through the SPNEGO configuration.
About this task
The application server performs a DNS lookup as an HTTP
request comes in. If the alias host name resolves to a host
name that is already configured for SPNEGO single sign-on, the application
server continues to process the request. It is usually not necessary to
add an alias host name to a SPNEGO account.
Procedure
- Define the actual host name for the com.ibm.ws.security.spnego.SPNx.hostName
variable.
- From the administration console, click
- Add or modify the com.ibm.ws.security.spnego.SPNx.hostName
variable. Use the following information to define the
variable:
- Name
- com.ibm.ws.security.spnego.SPNx.hostName
- Value
- real_host_name
You can optionally also define the alias host name, but you are only
required to define the real host name. The application server resolves
the alias host name to the real host name as the HTTP request comes in.
- Turn on the Canonical support flag.
- From the administration console, click .
- Add or modify the com.ibm.websphere.security.krb.canonical_host
variable and set it to "true".
- Name
- com.ibm.websphere.security.krb.canonical_host
- Value
- true
- Configure the browser. In the browser on the
client machine, the alias host name must be configured as a trusted
host.
- For Internet Explorer:
- Select .
- Select the Security tab.
- Click
- Add the alias host name in this panel.
- For Mozilla Firefox:
- Type about:config in the address bar and
press Enter to access the configuration options.
- Locate the network.negotiate-auth.trusted-uris preference
name, right-click on the preference, and select Modify.
If this preference does not exist, right-click within the panel
and select .
- Add the alias host names in the text box, separating the host names
with commas.
- Ensure that the real host name is added to the keytab file.
Supported configurations: You can configure the
keytab file in two ways:
- If com.ibm.websphere.security.krb.canonical_host is set to "true",
the application server expects the real host name to be in the keytab
file. Alias entries are not necessary.
- If com.ibm.websphere.security.krb.canonical_host is set to "false"
and aliases are defined, the aliases must also be present in the keytab
file.
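The following Python example is added here to illustrate the decision described in "About this task" and the keytab rules under "Supported configurations"; it is not IBM code and does not show how the TAI is implemented. It models the server's check: with com.ibm.websphere.security.krb.canonical_host set to "true", the request host is resolved to its canonical name and compared with the configured com.ibm.ws.security.spnego.SPNx.hostName values; with the flag set to "false", the request host is compared as-is, so aliases must be configured (and present in the keytab) themselves. DNS is replaced by a constructed lookup table, and the host names, realm and keytab entries are constructed sample values.

```python
# Added example, not from the IBM documentation. The DNS table, host names,
# realm and keytab contents below are constructed sample data.

# Constructed stand-in for DNS: alias -> canonical (real) host name.
# A real deployment performs an actual DNS lookup (e.g. socket.getfqdn).
DNS_CNAMES = {
    "www.example.com": "appserver1.example.com",
    "portal.example.com": "appserver1.example.com",
}

CANONICAL_PROP = "com.ibm.websphere.security.krb.canonical_host"
SPN_PREFIX = "com.ibm.ws.security.spnego.SPN"
SPN_SUFFIX = ".hostName"


def resolve_canonical(host, dns=DNS_CNAMES):
    """Follow alias records until a canonical name is reached.

    Raises ValueError on an alias loop so a misconfigured DNS cannot hang
    the check.
    """
    seen = set()
    while host in dns and dns[host] != host:
        if host in seen:
            raise ValueError("alias loop while resolving %s" % host)
        seen.add(host)
        host = dns[host]
    return host


def configured_host_names(props):
    """Collect the values of com.ibm.ws.security.spnego.SPNx.hostName (x = 1, 2, ...)."""
    return {
        value.lower()
        for key, value in props.items()
        if key.startswith(SPN_PREFIX) and key.endswith(SPN_SUFFIX)
    }


def canonical_enabled(props):
    """True when the Canonical support flag is set to "true"."""
    return props.get(CANONICAL_PROP, "false").strip().lower() == "true"


def accept_request_host(request_host, props, dns=DNS_CNAMES):
    """Return (accepted, host_used_for_spn) for an incoming HTTP Host value.

    With canonical_host enabled the alias is resolved first; otherwise the
    host is compared exactly as it was received.
    """
    host = request_host.split(":")[0].strip().lower()  # drop any :port
    configured = configured_host_names(props)
    if canonical_enabled(props):
        host = resolve_canonical(host, dns).lower()
    return (host in configured, host)


def required_keytab_principals(props):
    """Service principals (without realm) the keytab must contain.

    Every configured hostName needs an HTTP/<host> entry. When the canonical
    flag is "true" only the real host name is configured, so no alias entry
    is needed; when it is "false", configured aliases appear here too.
    """
    return {"HTTP/" + h for h in configured_host_names(props)}


def missing_keytab_principals(props, keytab_entries):
    """Return the required principals absent from a keytab listing.

    keytab_entries is an iterable of principal names as a keytab listing
    would show them, e.g. "HTTP/appserver1.example.com@EXAMPLE.COM"; the
    realm part is ignored for the comparison.
    """
    present = {entry.split("@", 1)[0].lower() for entry in keytab_entries}
    return {p for p in required_keytab_principals(props) if p.lower() not in present}


if __name__ == "__main__":
    props = {
        SPN_PREFIX + "1" + SPN_SUFFIX: "appserver1.example.com",
        CANONICAL_PROP: "true",
    }
    print(accept_request_host("www.example.com:9443", props))
    # Constructed keytab listing for the check.
    print(missing_keytab_principals(props, ["HTTP/appserver1.example.com@EXAMPLE.COM"]))
```

Running the module prints the decision for a request whose Host header carries the alias and the set of principals missing from the constructed keytab listing. The same functions can be driven from a check script that reads the custom properties exported from the administration console and the output of a keytab listing tool.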