Configuring SPNEGO (and Kerberos optionally) on WebSphere® Application Server
Configure SPNEGO and, optionally, Kerberos on IBM® WebSphere® Application Server.
Before you begin
The connectionsAdmin J2C alias that you specified during installation must correspond to a valid account that can authenticate with Active Directory. The alias must map to an administrative user account that can authenticate for single sign-on with Active Directory. If you update the user ID or credentials for this alias, complete the steps in the Changing references to administrative credentials topic.
Your WebSphere® Application Server administrative account must be a valid account that can authenticate with Active Directory. User accounts that are specified only in the WebSphere® Internal File Repository cannot check out configuration documents. Nor can such accounts connect to any of the LC MBeans to run commands.
The Kerberos authentication protocol (optional) uses strong cryptography that enables a client to prove its identity to a server across an insecure network connection. After the client and server have proven their identity, the authentication protocol encrypts all data that the client and server exchange. The SPNEGO tokens, which wrap valid Kerberos tickets, can be used to negotiate the security for SSO. For information about best practices for Service Principal Names and SPNEGO configuration, go to Tips on using Kerberos service principal names. The topic also provides tips for multitier environments. For more information about setting up SPNEGO web authentication for WebSphere® Application Server, refer to WebSphere® with a side of SPNEGO.
Procedure
- Log on to the WebSphere® Application Server Integrated Solutions Console on the Deployment Manager and select .
- Optional: Perform the following steps only if you want to enable Kerberos.
  - Click Kerberos configuration in the Authentication area, and then specify the following details:
    - Kerberos service name: HTTP
    - Kerberos configuration file: full path to your Kerberos configuration file
    - Kerberos keytab file name: full path to your keytab file
    - Kerberos realm name: name of your Kerberos realm
    - Trim Kerberos realm from principal name: select this option if it is not selected.
    - Enable delegation of Kerberos credentials: select this option if it is not selected. Note: Enable this option only if you are using Connections Mail with an Exchange backend; otherwise this setting should not be selected.
  - Click OK and then click Save.
  - Click Kerberos configuration and then, in the Related Configuration area, click SPNEGO Web authentication. Note: SPNEGO Web authentication and Kerberos authentication use the same Kerberos client configuration and keytab files.
- Click SPNEGO Web authentication and then specify the SPNEGO filter as follows:
  - On the SPNEGO Web authentication page, complete the following steps:
    - Select Dynamically update SPNEGO.
    - Select Enable SPNEGO.
    - Select Allow fall back to application authentication mechanism.
    - Optional: Enter the path to the Kerberos configuration file in the Kerberos configuration file with full path field. You created this file in the Creating a service principal name and keytab file topic.
    - Optional: Enter the path to the Kerberos keytab file in the Kerberos keytab file name with full path field. You created this file in the Creating a service principal name and keytab file topic.
    - Click Apply.
- Specify the level of authentication that users must go through to access your Connections deployment. In the following choices, you can force users to always authenticate or allow users to access Blogs, Bookmarks, Communities, Files, Profiles, and Wikis anonymously. These anonymous users must log in only if they try to access a private area. For more information about forcing authentication, see the Forcing users to log in before they can access an application topic.
  - (default) Allow anonymous access to Connections:
    a. Select .
    b. Click the link to the first Connections application in the Enterprise Applications table.
    c. In the Detail Properties area, click Security role to user/group mapping.
    d. Select the reader Role, click Map Special Subjects, and select Everyone.
    e. Click OK and then click Save.
    f. Repeat steps b through e for the remaining Connections applications in the Enterprise Applications table.
  - Force users to log in to access HCL Connections:
    a. Select .
    b. Click the link to the first Connections application in the Enterprise Applications table.
    c. In the Detail Properties area, click Security role to user/group mapping.
    d. Select the reader Role, then click Map Special Subjects and select All Authenticated in Application's Realm.
    e. Click OK and then click Save.
    f. Repeat steps b through e for the remaining Connections applications in the Enterprise Applications table.
- Disable TAI authentication unless you are configuring Tivoli® Access Manager or Siteminder with SPNEGO, in which case TAI authentication should be enabled.
  - To disable TAI authentication if you are not configuring Tivoli® Access Manager or Siteminder with SPNEGO, select , and then enter the following name and value pair:
    - Name: com.ibm.websphere.security.performTAIForUnprotectedURI
    - Value: false
  - To enable TAI authentication if configuring Tivoli® Access Manager or Siteminder with SPNEGO, select , and then enter the following name and value pair:
    - Name: com.ibm.websphere.security.performTAIForUnprotectedURI
    - Value: true
  - Click OK and then click Save to preserve your update.
- Click Global Security. In the Authentication area, click LTPA if you have not configured Kerberos, and then click Save. Note: The Kerberos and LTPA option is required only if you are using Connections Mail with an Exchange backend.
- If you're using Cognos, you must disable the MBean to enable the metrics. In the WebSphere® Application Server Integrated Solutions Console, click . Then click New to add the following custom property:
  com.ibm.websphere.security.disableGetTokenFromMBean=false
- Synchronize all the nodes in your deployment.
- Stop and restart WebSphere® Application Server:
  - Stop all instances of WebSphere® Application Server that host your Connections applications.
  - Stop all node agents.
  - Restart the Deployment Manager.
  - Restart all the node agents.
  - Restart all instances of WebSphere® Application Server.
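The console steps above can also be applied from the Deployment Manager with wsadmin, which is useful when the same SPNEGO settings must be reproduced on several cells or reviewed later. The following wsadmin (Jython) script is an added example, not from this page or from HCL Connections: it performs the optional Kerberos configuration, the SPNEGO web authentication and filter settings, the reader-role mapping, the performTAIForUnprotectedURI custom property, the LTPA or Kerberos-and-LTPA choice, and the node synchronization. The realm, host name, file paths and application names are placeholders, and the AdminTask command names and parameters are the WebSphere SPNEGO/Kerberos command group as I know it; confirm the parameter list for your version with AdminTask.help('configureSpnego') and AdminTask.help('createKrbAuthMechanism') before running it.

```jython
# Added example (not the page's own steps): apply the SPNEGO/Kerberos procedure
# with wsadmin on the Deployment Manager, e.g.
#   wsadmin.sh -lang jython -f configure_spnego.py
# Every value below is a placeholder for this example; replace it with the values
# from your own SPN/keytab creation step.

KRB5_CONF    = '/opt/IBM/WebSphere/krb5.conf'     # placeholder: Kerberos configuration file
KRB5_KEYTAB  = '/opt/IBM/WebSphere/krb5.keytab'   # placeholder: keytab for HTTP/<host>@<REALM>
KRB5_REALM   = 'EXAMPLE.COM'                      # placeholder: Kerberos realm name
HTTP_HOST    = 'connections.example.com'          # placeholder: host name users browse to
USE_KERBEROS = 0        # 1 only when Connections Mail with an Exchange backend needs Kerberos
TAI_ENABLED  = 'false'  # 'true' only when Tivoli Access Manager or SiteMinder fronts SPNEGO
ANONYMOUS    = 1        # 1 = allow anonymous access (default), 0 = force users to log in
# placeholder names as they appear in your Enterprise Applications table
CONNECTIONS_APPS = ['Blogs', 'Communities', 'Files', 'Profiles', 'Wikis']

def kerberos_optional():
    # "Kerberos configuration" page: service name HTTP, realm, config and keytab
    # paths, trim realm from principal, delegation off (only Connections Mail needs it).
    AdminTask.createKrbAuthMechanism('[-krb5Realm %s -krb5Config %s -krb5Keytab %s '
                                     '-serviceName HTTP -trimUserName true '
                                     '-enabledGssCredDelegate false]'
                                     % (KRB5_REALM, KRB5_CONF, KRB5_KEYTAB))

def spnego_web_auth():
    # "SPNEGO Web authentication" page: dynamic update, enable, allow fallback to the
    # application authentication mechanism, same krb5.conf/keytab as the Kerberos page.
    AdminTask.configureSpnego('[-enabled true -dynamicReload true '
                              '-allowAppAuthMethodFallback true '
                              '-krb5Config %s -krb5Keytab %s]' % (KRB5_CONF, KRB5_KEYTAB))
    # One SPNEGO filter per host name through which users reach Connections.
    AdminTask.addSpnegoFilter('[-hostName %s -krb5Realm %s -trimUserName true '
                              '-enableCredDelegate false]' % (HTTP_HOST, KRB5_REALM))

def map_reader_role(app_name, anonymous):
    # Security role to user/group mapping for the "reader" role:
    # Everyone (anonymous access) or All Authenticated in Application's Realm.
    # MapRolesToUsers columns: role, everyone?, all-authenticated?, users, groups.
    everyone, allauth = anonymous and ('Yes', 'No') or ('No', 'Yes')
    AdminApp.edit(app_name, '[-MapRolesToUsers [[reader %s %s "" ""]]]' % (everyone, allauth))

def tai_for_unprotected_uri():
    # Custom security property from the TAI step of the procedure.
    AdminTask.setAdminActiveSecuritySettings(
        '[-customProperties ["com.ibm.websphere.security.performTAIForUnprotectedURI=%s"]]'
        % TAI_ENABLED)

def active_auth_mechanism():
    # LTPA unless Kerberos was configured (KRB5 is "Kerberos and LTPA" in the console).
    mech = USE_KERBEROS and 'KRB5' or 'LTPA'
    AdminTask.setAdminActiveSecuritySettings('[-activeAuthMechanism %s]' % mech)

if USE_KERBEROS:
    kerberos_optional()
spnego_web_auth()
for app in CONNECTIONS_APPS:
    map_reader_role(app, ANONYMOUS)
tai_for_unprotected_uri()
active_auth_mechanism()
AdminConfig.save()
# Push the saved configuration to every node; then stop and restart the servers,
# node agents and Deployment Manager as described in the procedure.
AdminNodeManagement.syncActiveNodes()
# Print the resulting SPNEGO settings so they can be checked against the console values.
print AdminTask.showSpnego()
```

The script leaves credential delegation off in both the Kerberos mechanism and the SPNEGO filter, matching the note that delegation is only for Connections Mail with Exchange; keeping it off limits what a compromised Connections server could do with a user's ticket.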