Using an alias host name for SPNEGO TAI authentication using the administrative console

When you use the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for authentication, and you would like to use an alias host name as the host name for the application server, you must configure a custom property to resolve the alias host name to the actual host name for SPNEGO single sign-on. You can then dynamically add or modify an alias name in DNS without changing the application server's configuration. If you enable this custom property, you no longer need to set alias host names through the SPNEGO configuration.

Before you begin

You must complete the steps described in Implementing single sign-on to minimize Web user authentications and Configuring WebSphere Application Server and enabling the SPNEGO TAI before these settings take effect. This configuration requires a working SPNEGO TAI single sign-on environment.

About this task

The application server performs a DNS lookup as each HTTP request comes in; if the alias host name resolves to a host name that is already configured for SPNEGO single sign-on, the application server continues to process the request. It is usually not necessary to add an alias host name to a SPNEGO account.

Procedure

  1. Define the actual host name for the com.ibm.ws.security.spnego.SPNx.hostName variable.
    1. From the administrative console, click Secure administration, applications, and infrastructure > Trust association > Interceptors > com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl > Custom Properties
    2. Add or modify the com.ibm.ws.security.spnego.SPNx.hostName variable. Use the following information to define the variable:
      Name
      com.ibm.ws.security.spnego.SPNx.hostName
      Value
      real_host_name
      You can optionally define the alias host name as well, but you are only required to define the real host name. The application server resolves the alias host name to the real host name as the HTTP request comes in.
  2. Turn on the Canonical support flag.
    1. From the administrative console, click Secure administration, applications, and infrastructure > Custom properties.
    2. Add or modify the com.ibm.websphere.security.krb.canonical_host variable and set it to "true".
      Name
      com.ibm.websphere.security.krb.canonical_host
      Value
      true
  3. Configure the browser. On the browser for the client machine, the alias host name needs to be configured as a trusted host.
    • For Internet Explorer:
      1. Select Tools > Internet options.
      2. Select the Security tab.
      3. Click Local intranet > Sites > Advanced.
      4. Add the alias host name in this panel.
    • For Mozilla Firefox:
      1. Type about:config in the address bar and press Enter to access the configuration options.
      2. Locate the network.negotiate-auth.trusted-uris preference name, right-click the preference, and select Modify. If you do not have this preference, right-click within the panel and select New > String.
      3. Add alias host names in the text box, separating host names with a comma.
  4. Ensure that the real host name is added to the keytab file.
    Supported configurations: You can configure the keytab file in two ways:
    • If com.ibm.websphere.security.krb.canonical_host is set to "true", the application server expects the real host name to be in the keytab files. Aliases are not necessary.
    • If com.ibm.websphere.security.krb.canonical_host is set to "false" and aliases are defined, the aliases must be present in the keytab file.
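To make the host-name check concrete, the following is an added illustrative model (not WebSphere's own code) of how the TAI decision described above differs between the two settings of com.ibm.websphere.security.krb.canonical_host; the DNS table, host names and matching logic are constructed assumptions for the example.

```python
# Illustrative model of the SPNEGO TAI host-name check, not WebSphere code.
# The property names are the ones from the procedure; the DNS table and the
# matching rules are constructed assumptions for demonstration only.
from typing import Dict, Optional

# Constructed stand-in for a DNS lookup: name -> canonical (real) host name.
DNS_TABLE: Dict[str, str] = {
    "sso.example.com": "was1.internal.example.com",          # alias (CNAME)
    "was1.internal.example.com": "was1.internal.example.com",  # real host
}

SPN_PREFIX = "com.ibm.ws.security.spnego.SPN"
CANONICAL_PROP = "com.ibm.websphere.security.krb.canonical_host"


def configured_spn_hosts(props: Dict[str, str]) -> set:
    """Collect every com.ibm.ws.security.spnego.SPNx.hostName value, lower-cased."""
    return {v.strip().lower() for k, v in props.items()
            if k.startswith(SPN_PREFIX) and k.endswith(".hostName")}


def resolve_canonical(host: str, dns: Dict[str, str]) -> Optional[str]:
    """Return the canonical host name for host, or None if it does not resolve."""
    real = dns.get(host)
    return real.lower() if real else None


def spnego_host_matches(request_host: str, props: Dict[str, str],
                        dns: Dict[str, str]) -> bool:
    """True if the TAI would continue SPNEGO processing for this Host header.

    canonical_host="true":  an alias is accepted when DNS resolves it to a
                            configured real host name (only the real name needs
                            to be in SPNx.hostName and in the keytab).
    canonical_host="false": the host must be listed explicitly in SPNx.hostName
                            (aliases must be configured and present in the keytab).
    """
    configured = configured_spn_hosts(props)
    host = request_host.split(":")[0].strip().lower()  # drop any port suffix
    if host in configured:
        return True
    if props.get(CANONICAL_PROP, "false").strip().lower() == "true":
        real = resolve_canonical(host, dns)
        return real is not None and real in configured
    return False
```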


Last updated: Aug 31, 2013 12:02:36 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-zos&topic=tsec_SPNEGO_add_alias
File name: tsec_SPNEGO_add_alias.html