
Configuring Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) in IBM Websphere

Need to set up Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) in IBM WebSphere on Windows? Here are the steps, along with a video.

Enjoy!


  1. BACKUP YOUR WEBSPHERE CONFIGURATION!!!
  2. Add a Service Principal Name (SPN) user ID (AD_User) in Active Directory. It is recommended not to use the WebSphere admin ID.
  3. Assign the SPN to the Active Directory user and map the SPN to the HTTP server by running the following command from the Active Directory server command line. Note: multiple host names can be added; all host names must be A-type records in DNS.

     setspn -S HTTP/fully_qualified_HTTP_Server_host_name AD_user

  4. Create the keytab file by running the following command from the command line on the WebSphere server:

     ktpass -out keyfile_name -princ HTTP/fully_qualified_HTTP_Server_host_name@AD_DOMAIN_NAME -pass password -ptype KRB5_NT_PRINCIPAL

  5. Run the Java klist to verify that the keytab is configured correctly, e.g.:

     "c:\Program Files\ibm\WebSphere\AppServer\java\8.0\jre\bin\klist.exe" -k -t c:\Windows\krb5.keytab

  6. Run the wsadmin tool and enter the following command at the wsadmin prompt to create the krb5.ini:

     $AdminTask createKrbConfigFile {-krbPath configuration_file_name -realm KERBEROS_REALM -kdcHost AD_host_name -dns dns_domain -keytabPath fully_qualified_keytab_path}

     Note: edit the krb5.ini and add a kerberos_realm = KERBEROS_REALM entry under [domain_realm].
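The checks below are an added example, not part of the original post, and confirm the prerequisites that steps 3 to 5 depend on before touching WebSphere: the HTTP host resolves as an A record (not a CNAME), the SPN is held by exactly one account, and the keytab actually contains that principal. It assumes Windows PowerShell 5.1 on a domain-joined host with setspn.exe available; the host name, account name and paths are placeholders to replace, and the account check assumes the AD object's CN equals its logon name.

```powershell
# Added example, not part of the original post: pre-flight checks for the SPN
# and keytab steps above. Windows PowerShell 5.1 on a domain-joined host with
# setspn.exe (RSAT) is assumed. Every name and path below is a placeholder.
function Test-SpnegoPrerequisites {
    param(
        [string]$HttpHost   = 'was1.addomain.home.com',   # placeholder: FQDN of the HTTP server
        [string]$AdUser     = 'AD_User',                   # placeholder: the account from step 2
        [string]$KeytabPath = 'C:\Windows\krb5.keytab',    # keytab written by ktpass in step 4
        [string]$JavaBin    = 'C:\Program Files\ibm\WebSphere\AppServer\java\8.0\jre\bin'
    )

    $spn      = "HTTP/$HttpHost"
    $problems = New-Object System.Collections.Generic.List[string]

    # Step 3 requires an A record. The browser builds the SPN from the name the user
    # typed, so a CNAME whose canonical name differs asks the KDC for a ticket to a
    # service that has no matching SPN, and the user silently gets a login prompt.
    $dns = Resolve-DnsName -Name $HttpHost -ErrorAction SilentlyContinue
    if (-not $dns) {
        $problems.Add("$HttpHost does not resolve")
    } elseif ($dns | Where-Object { $_.Type -eq 'CNAME' }) {
        $problems.Add("$HttpHost is a CNAME; step 3 requires an A record")
    }

    # The SPN must be registered on exactly one account. setspn -Q prints the DN of
    # every object in the current domain that holds it (add -F to search the forest);
    # more than one DN is a duplicate SPN, and the KDC may then issue tickets for the
    # wrong account, which WebSphere cannot decrypt with its keytab.
    $holders = @(setspn -Q $spn 2>&1 | Where-Object { $_ -match '^CN=' })
    switch ($holders.Count) {
        0       { $problems.Add("$spn is not registered on any account (step 3)") }
        1       {
                  # assumes the account's CN equals its logon name ($AdUser)
                  if ($holders[0] -notmatch "^CN=$([regex]::Escape($AdUser)),") {
                      $problems.Add("$spn is registered on $($holders[0]), not on $AdUser")
                  }
                }
        default { $problems.Add("$spn is registered on $($holders.Count) accounts: $($holders -join '; ')") }
    }

    # Step 5's klist check, made strict: the keytab must contain the HTTP principal
    # for this exact host, otherwise WebSphere cannot validate the client's ticket.
    if (-not (Test-Path $KeytabPath)) {
        $problems.Add("keytab $KeytabPath not found (step 4)")
    } else {
        $klist = & "$JavaBin\klist.exe" -k -t $KeytabPath 2>&1 | Out-String
        if ($klist -notmatch [regex]::Escape($spn)) {
            $problems.Add("keytab $KeytabPath contains no entry for $spn")
        }
    }

    [pscustomobject]@{
        Spn      = $spn
        Ready    = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Usage: run as a domain user who can read the account's SPN attribute and the keytab file.
Test-SpnegoPrerequisites | Format-List
```

Run it on the WebSphere server after step 5 and before step 6; a `Ready` of `False` with the listed problems points at which of the steps above needs revisiting, which is cheaper than diagnosing a failed browser login later.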


Move on to the WebSphere (WAS) configuration.

  1. Open the WebSphere Application Server administrative console and go to Security > Global Security and ensure that application level security is enabled.
  2. Go to Web and SIP security and select Single sign-on (SSO). Select Enabled to enable single sign-on and enter the domain name of the KDC. Click OK and Save.
  3. Go to Web and SIP security and select SPNEGO Web authentication.
  4. Create a new SPNEGO filter. Enter the host name of the system where WebSphere Application Server is running and the name of your Kerberos realm. Select Trim Kerberos realm from principal name. Click OK and Save. This should take you back to the SPNEGO Web authentication page.
  5. Select Enable SPNEGO to enable WebSphere Application Server to authenticate Kerberos clients by using the SPNEGO protocol. Browse to and select the keytab file and the Kerberos configuration files. Click OK and Save.
  6. Restart WAS.

Configure Browser.

This example is for Internet Explorer; instructions for Firefox, Chrome and Edge are available on the internet.

  1. Click Tools > Internet Options > Security.
  2. Select Local Intranet.
  3. Click Sites.
  4. Click Advanced.
  5. Enter your SSO domain using the following format: *.domain_name_service. For example, enter: *.addomain.home.com
  6. Click Add and then click Close.
  7. Click OK to close the Local intranet window.
  8. Enable Integrated Windows Authentication. In the Internet Options window, select the Advanced tab. In the Security section, ensure that Enable Integrated Windows Authentication is selected.
  9. Restart Internet Explorer for your changes to take effect.
  10. From your web browser, connect to the snoop servlet by using the fully qualified host name of the WebSphere Application Server instance where you plan to deploy IBM Content Navigator. When SSO is correctly configured, the snoop servlet issues an authentication challenge to your web browser, which initiates the SPNEGO/Kerberos exchange.
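As an added example, not part of the original post, the script below exercises the snoop servlet from a domain-joined Windows client the way step 10 describes, but records what actually happened: whether the server challenged with Negotiate, whether a request carrying the logged-on user's identity succeeded, and whether a Kerberos service ticket for HTTP/<host> ended up in the local ticket cache (Negotiate can also carry NTLM, which the SPNEGO filter does not accept). It assumes Windows PowerShell 5.1, and the URL, including the /snoop context path and port 9080, is a placeholder for your server.

```powershell
# Added example, not part of the original post: probe the snoop servlet from a
# domain-joined Windows client (Windows PowerShell 5.1 assumed) to confirm the
# SPNEGO exchange described in step 10. The URL is a placeholder.
function Test-SpnegoSso {
    param(
        [string]$Url = 'http://was1.addomain.home.com:9080/snoop'   # placeholder: WAS FQDN, port, context
    )
    $hostName = ([uri]$Url).Host
    $result = [ordered]@{
        Url                = $Url
        ChallengeNegotiate = $false   # 401 with WWW-Authenticate: Negotiate was seen
        AuthenticatedOk    = $false   # request with the logged-on user's identity got 200
        KerberosTicket     = $false   # a ticket for HTTP/<host> is now in the client cache
    }

    # 1. Anonymous request. With SPNEGO enabled the servlet must answer 401 and offer
    #    Negotiate. A 200 here means application security (WAS step 1) is off; a 401
    #    without Negotiate means the SPNEGO filter did not match this host name.
    try {
        $null = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp -and [int]$resp.StatusCode -eq 401) {
            $result.ChallengeNegotiate = ($resp.Headers['WWW-Authenticate'] -match '\bNegotiate\b')
        }
    }

    # 2. Same request with the logged-on user's credentials, which is what Internet
    #    Explorer does for a Local Intranet site once Integrated Windows Authentication is on.
    try {
        $authed = Invoke-WebRequest -Uri $Url -UseBasicParsing -UseDefaultCredentials -ErrorAction Stop
        $result.AuthenticatedOk = ($authed.StatusCode -eq 200)
    } catch [System.Net.WebException] {
        $result.AuthenticatedOk = $false
    }

    # 3. A service ticket for HTTP/<host> in the local cache shows the client side went
    #    through the KDC rather than falling back to NTLM inside the Negotiate token.
    #    (This is the Windows klist, not the Java one used earlier for the keytab.)
    $cache = klist 2>&1 | Out-String
    $result.KerberosTicket = ($cache -match "HTTP/$([regex]::Escape($hostName))")

    [pscustomobject]$result
}

Test-SpnegoSso | Format-List
```

All three fields should come back `True`. `ChallengeNegotiate` false with `AuthenticatedOk` true usually means another authentication mechanism answered, not SPNEGO; `KerberosTicket` false with the other two true points at the client side (DNS name not in the intranet zone, or the SPN not resolving to a ticket), which is the browser configuration in the steps above rather than the server.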


For more information on Perficient and to learn what we can do for your business, please visit perficient.com.
