Java virtual machine (JVM) custom properties control the operation of the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI).
Deprecated feature: In WebSphere® Application Server Version 6.1, a trust association interceptor
(TAI) that uses the Simple and Protected GSS-API Negotiation Mechanism
(SPNEGO) to securely negotiate and authenticate HTTP requests for
secured resources was introduced. In WebSphere Application Server 7.0, this function is now deprecated. SPNEGO
web authentication has taken its place to provide dynamic reload of
the SPNEGO filters and to enable fallback to the application login
method.
The following JVM custom properties control operation
of the SPNEGO TAI. Different custom property values can be specified
for each application server.
- com.ibm.ws.security.spnego.isEnabled
- Use this custom property to enable or disable operation of the
SPNEGO TAI in a given application server. When set to false, the SPNEGO TAI is disabled and not used by the web authentication
module for authenticating any web requests. When set to true, the SPNEGO TAI is enabled and used by the web authentication module
for authenticating any web requests.
- com.ibm.ws.security.spnego.propertyReloadFile
- Use this custom property to identify the file that contains configuration
properties for the SPNEGO TAI, when it is not convenient to stop and
restart the application server. The properties contained in this file
can be reloaded to configure the SPNEGO TAI.
Important: The properties that are defined in the specified file override any
properties defined using the administrative console.
A sample of this reload file follows:
##########################################################
# Template properties files for SPNEGO TAI
#
# Where possible defaults have been provided.
#
##########################################################
#---------------------------------------------------------
# Hostname
#---------------------------------------------------------
#com.ibm.ws.spnego.SPN1.HostName=wsecurity.austin.ibm.com
#---------------------------------------------------------
# (Optional) SpnegoNotSupportedPage
#---------------------------------------------------------
#com.ibm.ws.spnego.SPN1.SpnegoNotSupportedPage=
#---------------------------------------------------------
# (Optional) NTLMTokenReceivedPage
#---------------------------------------------------------
#com.ibm.ws.spnego.SPN1.NTLMTokenReceivedPage=
#---------------------------------------------------------
# (Optional) FilterClass
#---------------------------------------------------------
#com.ibm.ws.spnego.SPN1.FilterClass=com.ibm.ws.spnego.HTTPHeaderFilter
#---------------------------------------------------------
# (Optional) Filter
#---------------------------------------------------------
#com.ibm.ws.spnego.SPN1.Filter=
Important: If the com.ibm.ws.security.spnego.propertyReloadFile
custom property is set, but the com.ibm.ws.security.spnego.propertyReloadTimeout
custom property is not, then the SPNEGO TAI is not initialized.
- com.ibm.ws.security.spnego.propertyReloadTimeout
- Use this custom property to specify the interval, in seconds,
after which the SPNEGO TAI reloads the configuration properties.
The SPNEGO TAI also reloads the configuration properties
if the file that is identified by the com.ibm.ws.security.spnego.propertyReloadFile
custom property has changed since the last time the configuration custom
properties were retrieved. This interval in seconds must be specified
as a positive integer.
- com.ibm.ws.security.spnego.useHttpFilterClass2
- Use this custom property to specify that the HttpHeaderFilter
classes should be used. The HttpHeaderFilter classes enable:
- The != operator to be used for SPNEGO TAI
filters.
- A space to exist in a SPNEGO TAI filter.
When this property is set to true, the
following filter specification works properly:
user-agent!=IBM Web Services Explorer;request-url!=noSPNEGO
If this property is set to false, or is
not specified, the preceding filter does not work properly.
Important:
- If the com.ibm.ws.security.spnego.propertyReloadFile custom property
and the com.ibm.ws.security.spnego.propertyReloadTimeout custom property
are not set, then the SPNEGO TAI properties are loaded only once,
from the SPNEGO TAI custom properties defined in the WebSphere Application Server configuration data. This one-time loading occurs
when the JVM is initialized.
- If the com.ibm.ws.security.spnego.propertyReloadTimeout custom property
is set, but the com.ibm.ws.security.spnego.propertyReloadFile custom
property is not, then the SPNEGO TAI is not initialized.
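To show what the useHttpFilterClass2 setting makes possible, the following added example (not IBM's HTTPHeaderFilter code) parses a filter string in the form shown above and evaluates it against a request. It assumes that conditions are separated by ";", that each condition is name, operator, value with the operator "!=" or "==", that all conditions must hold for the request to be intercepted, that header names are case-insensitive, and that "request-url" is taken from the request's URL; the "==" operator and the AND combination are assumptions, since the page only shows "!=".

```python
# Filter string taken from the page; the value contains spaces and uses "!="
FILTER = "user-agent!=IBM Web Services Explorer;request-url!=noSPNEGO"

# "!=" comes from the page; "==" is an assumed counterpart for illustration.
OPERATORS = ("!=", "==")


def parse_filter(spec):
    """Split 'name!=value;name2==value2' into (name, op, value) triples.

    Values keep embedded spaces such as 'IBM Web Services Explorer'.
    """
    conditions = []
    for cond in spec.split(";"):
        cond = cond.strip()
        if not cond:
            continue
        for op in OPERATORS:
            name, sep, value = cond.partition(op)
            if sep:
                conditions.append((name.strip().lower(), op, value.strip()))
                break
        else:
            raise ValueError("unsupported condition: %r" % cond)
    return conditions


def request_matches(spec, headers, url):
    """True when the request satisfies every condition (assumed AND semantics).

    headers: dict of HTTP header name -> value; url: the request URL, exposed
    to the filter under the pseudo-header name 'request-url' (assumption).
    """
    values = {k.lower(): v for k, v in headers.items()}
    values["request-url"] = url
    for name, op, expected in parse_filter(spec):
        actual = values.get(name, "")
        if op == "==" and actual != expected:
            return False
        if op == "!=" and actual == expected:
            return False
    return True
```

A request from a browser other than IBM Web Services Explorer to a secured URL matches the filter, while a request carrying that exact user-agent does not.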
The following custom properties are not used directly by the
SPNEGO TAI; however, they affect the operation of the core security
runtime and can also be used for problem determination.
- com.ibm.security.jgss.debug
- This custom property is optional. It can be used to collect diagnostic
trace information for problem determination in the Java Generic Security Service (JGSS) application programmer interface
(API) implementation. The value can be set to all or off to enable or disable tracing, respectively.
See Java Generic Security Service User's
Guide for specific JGSS API information.
- com.ibm.security.krb5.Krb5Debug
- This custom property is optional. It can be used to collect additional
diagnostic trace information for problem determination in the JGSS
implementation. The value can be set to all or off to enable or disable tracing, respectively.
- java.security.properties
- This property is optional. It can be used when different application
servers in a cell have different security requirements and it is not
convenient to modify the global java.security file
for the entire cell. In such situations, the java.security.properties
custom property is used to specify the location of the java.security file used by the JVM for each application server.
- javax.security.auth.useSubjectCredsOnly
- JGSS includes an optional Java Authentication and Authorization Service (JAAS) login facility that
saves Principal credentials and secret keys in the Subject of the application's JAAS login context. JGSS
retrieves credentials and secret keys from the Subject by default. This feature can be disabled by setting the Java property javax.security.auth.useSubjectCredsOnly
to false.
Attention: The SPNEGO TAI does
not use the optional JAAS login module. The javax.security.auth.useSubjectCredsOnly
property must be set to false.
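The reload-file interlock described in the Important notes above and the useSubjectCredsOnly requirement in the Attention note are easy to get wrong, and a misconfigured TAI simply never initializes. The following added example (not IBM's code) parses a reload file in the template format shown earlier and checks a server's JVM custom properties, supplied as a dict of name to value strings, for those constraints; the sample reload file and its host name are constructed placeholders.

```python
import re

# JVM custom property names taken from the page
ENABLED = "com.ibm.ws.security.spnego.isEnabled"
RELOAD_FILE = "com.ibm.ws.security.spnego.propertyReloadFile"
RELOAD_TIMEOUT = "com.ibm.ws.security.spnego.propertyReloadTimeout"
SUBJECT_CREDS = "javax.security.auth.useSubjectCredsOnly"


def parse_reload_file(text):
    """Parse key=value lines of a reload file; '#' lines are comments.

    Every entry in the template shown earlier is commented out, so an
    unedited copy of the template yields no properties at all.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props


def check_jvm_props(jvm_props):
    """Return findings for a server's JVM custom properties; [] means consistent."""
    findings = []
    reload_file = jvm_props.get(RELOAD_FILE)
    timeout = jvm_props.get(RELOAD_TIMEOUT)
    if jvm_props.get(ENABLED, "").strip().lower() == "false":
        findings.append("SPNEGO TAI is disabled (isEnabled=false)")
    if reload_file and not timeout:
        findings.append("propertyReloadFile set without propertyReloadTimeout: TAI is not initialized")
    if timeout and not reload_file:
        findings.append("propertyReloadTimeout set without propertyReloadFile: TAI is not initialized")
    if timeout is not None and not re.fullmatch(r"[1-9][0-9]*", timeout.strip()):
        findings.append("propertyReloadTimeout must be a positive integer, got %r" % timeout)
    if not reload_file and not timeout:
        findings.append("no reload file: properties are read once at JVM start, changes need a restart")
    if jvm_props.get(SUBJECT_CREDS, "").strip().lower() != "false":
        findings.append("javax.security.auth.useSubjectCredsOnly must be set to false for the SPNEGO TAI")
    return findings

# Constructed sample reload file: one active entry (placeholder host) and one commented out
SAMPLE_RELOAD_FILE = """\
# Hostname (placeholder value, not a real host)
com.ibm.ws.spnego.SPN1.HostName=app.example.com
#com.ibm.ws.spnego.SPN1.Filter=
"""
```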