WebSphere with a side of SPNEGO
Configuring SPNEGO in WebSphere 6.1, 7 and 8 Environments Using Microsoft Active Directory

This document can be found on the web at www.ibm.com/support/techdocs
Version 4.0: June 17, 2013

WebSphere Technical Sales
Rob Peeren, Consulting IT Specialist

Trademarks

The following terms are registered trademarks of International Business Machines Corporation in the United States and/or other countries: WebSphere. A full list of U.S. trademarks owned by IBM may be found at http://iplswww.nas.ibm.com/wpts/trademarks/trademar.htm. Microsoft, Windows, Windows NT, and Windows XP are registered trademarks of Microsoft Corporation in the United States and/or other countries. UNIX is a registered trademark in the United States and other countries licensed exclusively through The Open Group. LINUX is a registered trademark of Linus Torvalds. Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States and/or other countries. Other company, product and service names may be trademarks or service marks of others.

Summary of Changes

Versions: 1.0, 1.1, 2.0, 2.1, 2.5, 2.6, 2.7, 3.0, 3.1, 4.0. Change entries, in order of release:
- Initial release
- Corrected hostnames in the examples
- Changed the term 'Key Volume Number' to 'Key Version Number'
- Clarifications and simplifications
- Added Windows 2000 disclaimer and cleaned up ktpass examples
- Expanded examples, standardized hostnames, and tested with Windows 2000
- Added section on credential delegation
- Fixed section on credential delegation
- Changes to include WAS 7
- Removed disablesecuritypreinvokeonfilters step (see page 27)
- Tweaked credential delegation (again!)
- Changes to include WAS 8 and AD 2008 R2

Table of Contents

Trademarks ... 2
Summary of Changes ... 2
Table of Contents ... 3
Introduction ... 4
Differences Between WAS 6.1, WAS 7 and WAS 8 ... 5
Acknowledgements ... 5
Single Server SPNEGO Configuration ... 6
SPNEGO with a Remote Web Server ... 28
Clusters and Load Balancing with SPNEGO ... 44
SPNEGO with Network Dispatchers and IP Sprayers ... 59
Setting up Delegation ... 60

© IBM Copyright, 2013. Web location of document: www.ibm.com/support/techdocs. SPNEGO Version 4.0, June 17, 2013.

Introduction

SPNEGO, or the Simple and Protected GSSAPI Negotiation Mechanism, enables a straightforward single sign-on (SSO) mechanism for WebSphere in Kerberos environments.

This document is intended to provide instructions to configure SPNEGO for WebSphere Application Server in standalone and clustered configurations using Microsoft Active Directory as the Kerberos security server. It is meant to be a 'quick-start' guide, providing the minimum steps and default options required to get up and running quickly in several specific test scenarios, and is not meant to be a replacement for the official WebSphere documentation. Once you are comfortable with the basic SPNEGO steps that you learn here, please refer to your WebSphere Documentation Centre for further and more advanced configuration options.

This document covers four basic SPNEGO configuration scenarios: Single Server, Distributed, Clustered, and Dispatched:

Single Server: Configuration with a single instance of WebSphere Application Server (WAS).
Distributed: Configuration with a single instance of WAS, plus the setup of an HTTP server on a separate machine routing requests to WAS.
Clustered: Configuration with a WAS ND cluster, also front-ended by HTTP servers.
Dispatched: Discussion of the configuration with an IP Sprayer in front of the WAS ND cluster.

RedHat Enterprise Linux 4 was used as the OS to host all the instances of WebSphere V6 and V7 for the different scenarios. An instance of Windows Server 2003 SP1 hosted the Active Directory, and a Windows XP SP2 instance in the AD domain was used for the browser client. Testing was also performed with an instance of Windows Server 2000 SP4. For WebSphere V8, RedHat Enterprise Linux 6.3 was used, with a Windows 7 client and Windows Server 2008 R2 as the security server.

For Windows Server 2003, you also need to have the Windows 2003 Support Tools installed. The support tools are NOT installed when you install the operating system. You can download the support tools service pack for SP1 here:
http://www.microsoft.com/downloads/details.aspx?FamilyId=6EC50B78-8BE1-4E81-B3BE4E7AC4F0912D&displaylang=en
and SP2 here:
http://www.microsoft.com/en-us/download/details.aspx?id=15326

If you are using Windows 2000 SP4 as your security server, you will also need to download and install SP4 of the Windows 2000 support tools. You can download them here:
http://www.microsoft.com/downloads/details.aspx?familyid=F08D28F3-B835-4847-B810BB6539362473&displaylang=en

Additionally, Windows Server 2000 users may need to download the setspn.exe utility. You can get that here:
http://www.microsoft.com/downloads/details.aspx?familyid=5fd831fd-ab77-46a3-9cfeff01d29e5c46&displaylang=en

Windows Server 2008 R2 requires no additional support tools to be installed. Configuration on Windows Server 2008 is exactly the same as the documentation below for Windows Server 2003; there is only a cosmetic difference between Windows Server 2008 and Windows Server 2003 (with the addition of the Windows PowerShell the most notable).

You Have Options!

Please note that in order to use SPNEGO you are not restricted to Microsoft Active Directory as your security server. To make use of other Kerberos servers for SPNEGO and SSO, please contact your IBM Software Services for WebSphere (ISSW) representative for assistance.

Differences Between WAS 6.1, WAS 7 and WAS 8

SPNEGO configuration on WAS 7 is more streamlined than in WAS 6.1, but the preparation is identical, and the minor differences are noted within the document. Configuration for WAS 7 and WAS 8 is virtually identical. In the step-by-step instructions that follow, if no distinction is made between versions of WebSphere, then you need to perform that step regardless of which version you are using.

Acknowledgements

Thanks very much to Ut Le in Austin, Billy Lo in Toronto, and Martin Lansche in Toronto for reviewing this document and providing invaluable feedback.

Single Server SPNEGO Configuration

Introduction

In this example, we are going to set up SPNEGO on a single instance of WebSphere Application Server. The topology looks like this:

Windows Client: Host Name xpclient.robo.home.ca, AD Domain ROBO.HOME.CA
Active Directory Server: Host Name w2ksvr.robo.home.ca, AD Domain ROBO.HOME.CA, DNS Domain robo.home.ca
Linux Server: Host Name appserver1.robo.home.ca
The Windows client must be in the same Active Directory (AD) domain as the AD Server. In advanced scenarios, the client can be in a different domain, as long as the AD Servers are cross-certified. Cross-certification is not discussed in this document.

When a user logs into the domain, it establishes that user's identity on the network. In order for trusted third party authentication to take place, the instance of WebSphere on the Linux server must also have an AD identity. This is what we are going to establish in the following steps.

Please note that if you will be configuring SPNEGO on a Windows system instead of a Linux system, you will still need a separate Windows client to surf from. For whatever reason, SPNEGO does not work locally on a system. You can use the browser on your AD server for testing, as long as your application server is installed elsewhere.

Finally, make sure all of your system clocks are set to within five minutes of each other. Clocks that drift or are set out of this range will not authenticate correctly.

Step 1 – Create a User ID for the Application Server

The first thing we need to do is create an Active Directory ID for WebSphere to make use of. Please note that the ID you will be creating here is not the same as, and cannot be the same as, the WebSphere administration ID that you use when you turn on WebSphere Security (usually 'wasadmin' in test environments). The ID that we will be creating here is the ID that the instance of WebSphere itself uses to authenticate to Active Directory.

Add the user 'wastest' in your Active Directory domain, and assign it the password 'password'. Then take a look at the account properties [screenshot in the original].

You can use whatever logon name you wish, as long as it is not the ID you will be using to activate WebSphere Security with. There are no special account options that you need to set, except perhaps to set the password to never expire in your test environment. This will save you the need to regenerate keys (discussed next) because the password never needs changing. Please remember that if you do change the password for the account, you will also need to regenerate the keys.

Step 2 – Assign the Service Principal Name and Create Key File

After the account has been created, we need to map this account to the Kerberos Service Principal Name (SPN) and create a key file that WebSphere can use to log into the domain with. WebSphere will use this key to authenticate itself in the AD domain as 'wastest'. Please note that SPNs and keytabs are only required for the WebSphere Application Server instance, and not for the Windows client users who will be logging in to the domain via the domain sign-on screen.

To create the key, open a command window on the Active Directory 2003 server, and issue the 'ktpass' command in the following manner:
    ktpass -out <keyfile name> -princ HTTP/<fully qualified hostname>@<AD DOMAIN NAME> -mapuser <AD user> -pass <password> -ptype KRB5_NT_PRINCIPAL

In the example environment, the command was issued as follows:

    ktpass -out appserver1.keytab -princ HTTP/appserver1.robo.home.ca@ROBO.HOME.CA -mapuser wastest -pass password -ptype KRB5_NT_PRINCIPAL

Please note that case is very important here. HTTP must be all in capital letters, as must the AD domain name. If you get this wrong, authentication will not work.

Two things happen when you issue the ktpass command using the -mapuser flag: a keytab file is created, and the Service Principal Name (SPN) is mapped to the AD user 'wastest'. The keytab file will get shipped to the Linux machine for WebSphere to make use of. Basically, the mapping operation tells AD that any authenticated client using the http (or https) protocol to talk to appserver1.robo.home.ca in the ROBO.HOME.CA domain will authenticate to the 'wastest' ID. So for example, when the client 'robobob' logs into the AD domain, starts a browser and surfs to http://appserver1.robo.home.ca/snoop, the AD server basically says, "Ah! The user 'robobob' wants to talk with the user 'wastest'".

Active Directory 2000 Users

The ktpass command sets RC4-HMAC as the default cryptography for Active Directory 2003. If you are using Active Directory 2000, then RC4-HMAC is not available to you. Fortunately WebSphere supports DES-CBC-MD5, a cryptography also supported by Windows Server 2000. Unfortunately DES-CBC-MD5 is not the cryptography that ktpass defaults to on Windows 2000, so you need to explicitly identify it with the -crypto flag when creating the key file. Issuing the same ktpass command on Windows 2000 would look like the following:

    ktpass -out appserver1.keytab -princ HTTP/appserver1.robo.home.ca@ROBO.HOME.CA -mapuser wastest -pass password -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5

If you return to the account properties for the user, you will now see the following [screenshot in the original]. Note the 'User logon name' field. It now contains the Service Principal Name (or SPN) of the ID. If you are using Windows Server 2000, then you will also notice that the account option to use DES encryption types for this account is now checked.

You may notice in the WebSphere documentation the usage of the setspn command before ktpass is issued. When you use ktpass with the -mapUser flag, the SPN is set automatically, so you don't actually need to issue the setspn command beforehand in this case. The examples in the later sections of this document show how setspn is used. You may also note the documentation referring to the -mapOp flag as well. Again, you don't need to worry about that in this example; it will be discussed later on.

Step 3 – Set up Kerberos Configuration on the Application Server

Copy the key file from the Active Directory machine to a directory on your application server. This can be any directory you like, but you will need to make sure you specify the exact path to the key file in the Kerberos configuration file that you will be creating. In this example, appserver1.robo.home.ca is a Linux server, and the appserver1.keytab file was copied to the /etc/krb5 directory.

After the key file has been copied, the Kerberos configuration file needs to be set up on the target server. Start up WebSphere, run wsadmin on the command line,
and then enter the following command:

    $AdminTask createKrbConfigFile {-krbPath <config file name> -realm <KERBEROS REALM> -kdcHost <AD hostname> -dns <dns domain> -keytabPath /etc/krb5/<keytab filename>}

If you are running on a Windows machine, issue the command with Windows style path names (i.e. C:\WINNT). In this example, the following command was invoked within wsadmin:

    $AdminTask createKrbConfigFile {-krbPath /etc/krb5/krb5.conf -realm ROBO.HOME.CA -kdcHost w2ksvr.robo.home.ca -dns robo.home.ca -keytabPath /etc/krb5/appserver1.keytab}

Note how the -realm flag corresponds to the Active Directory domain. When using AD, the Kerberos realm is always the AD domain name in upper case. The -kdcHost flag is the Active Directory hostname, and the -dns flag is the DNS domain. In this example, the AD domain and the DNS domain are the same, but that may not necessarily always be the case. Once again, make note of the use of mixed case; it is very significant!

Executing this task will create a krb5.conf file [shown in the original]. The krb5.conf file contains all of the information the WebSphere application server will need to authenticate itself with Active Directory, as well as to authenticate Kerberos clients via the SPNEGO protocol.

Step 4 – Enable WebSphere Security

Launch the WebSphere admin console, navigate to the 'Security > Global security' page, and enable security on the application server [screenshot in the original].

Enable WebSphere security using the Active Directory server as a standalone LDAP registry (SPNEGO will also work when using federated repositories, but that is not discussed in this document). For the primary administrative user ID and the bind ID, do not use the ID that you have just created a key file for. The ID you want to use here is the traditional 'wasadmin' ID or something similar [screenshot in the original].

Step 5 – Enable SSO

You may now optionally set up your SSO domain. For browser based applications, the SPNEGO authentication exchange results in regular LTPA tokens being returned to the client browser, and further authorization is done the traditional way with LTPA. If your browser will be communicating with more than one application server, you may want to have your SSO environment set up as well. On WAS 6 and 7 the screen looks like this [screenshot in the original]; on WAS 8 it looks like this [screenshot in the original].

Step 6 – Enable SPNEGO in WebSphere

Step 6 - WebSphere Version 6.1 Only

The next thing we need to do is activate trust association and configure the SPNEGO Trust Association Interceptor (TAI) [screenshot in the original]. Click on the 'Interceptors' link [screenshot in the original], then click on the 'com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl' link.

You will now need to add at least one SPNEGO property, the service principal hostname, to enable SPNEGO on your server. Click the 'New' button. In the 'name' field, type 'com.ibm.ws.security.spnego.SPN1.hostName'. In the 'value' field, type the fully qualified hostname of your server. Click the 'OK' button. In our example, the hostname is appserver1.robo.home.ca.

There are several other properties you will want to set for production environments. Refer to the WebSphere documentation centre for more details.

Instead of using the admin console to set up the TAI configuration properties,
you could also use wsadmin to create the properties interactively [screenshot in the original].

Step 6 - WebSphere Version 7 and 8

In the admin console, select Security > Global security > Web and SIP security > SPNEGO Web authentication [screenshot in the original].

Important WAS 8 feature: For WAS 8, please make sure to de-select the 'Use the alias host name for the application server' option if you don't have an alias set up. If you do not have an alias set up and you select this option, then the server name will fall back to the IP address of the machine and will not match the SPN we set up earlier using the host name.

After updating the initial options as above, click on the 'New' button under SPNEGO Filters [screenshot in the original]. Enter your local hostname and your Kerberos realm name. Select the 'Trim Kerberos realm from principal name' checkbox. Click the OK button, click on the OK button again, then save the changes to the master configuration.

Step 7 – Enable SPNEGO at the JVM level

Step 7 - WebSphere Version 6.1 Only

You may have multiple JVMs in your instance of WebSphere, and you may only want SPNEGO enabled on some of those JVMs. Enable SPNEGO for each JVM in the following way [screenshot in the original]. Note that the 'java.security.krb5.conf' property must point to the location of the Kerberos configuration file you created earlier. To enable tracing, set 'com.ibm.security.jgss.debug' and 'com.ibm.security.krb5.Krb5Debug' to 'ALL'. Be sure to turn these off for production!

Step 7 - WebSphere Version 7 and 8

Enabling SPNEGO at the JVM level is not required for WebSphere 7 or 8, so simply drop the last two entries from the image above, but you still enable security tracing in this manner. The debug entries are automatically placed in the Custom Properties table for you and set to 'off'. Change them to 'ALL' for debugging.

Step 8 – Turn on SPNEGO Logging and Tracing

To get even more tracing, add the trace string 'com.ibm.ws.security.spnego.*=all' in the 'Change Log Detail Levels' section of the logging and tracing section for your server in the admin console. Remember to turn this off for production as well.

Step 9 – Restart WebSphere

SPNEGO is now fully enabled. Restart WebSphere. On WAS 6.1, check the SystemOut.log file for lines that look like the following [shown in the original]. On WAS 7 and WAS 8, it should look like this [shown in the original]. WAS 8 does not display this immediately, but only after the first access attempt, so don't worry if you don't see this just quite yet.

Step 10 – Configure Browsers

We're getting close, but we're not done quite yet! Now that SPNEGO is enabled on the server, you need to configure your browsers to send their Kerberos tokens to the server when challenged. You need to change a couple of settings in the browsers running on your Windows client machines.

Firefox

With Firefox, type 'about:config' in the address bar. In the filter, type 'auth'. There are then two fields you need to set: 'network.negotiate-auth.delegation-uris' and 'network.negotiate-auth.trusted-uris'. Set both of these to your SSO domain. In this example, we set the two fields to 'robo.home.ca'.

Chrome

With Google Chrome, no special settings are required.

Internet Explorer

For Internet Explorer,
go into Tools > Internet Options > Security > Local intranet > Sites and add the SSO domain. Here we added *.robo.home.ca. You will need to restart IE for the changes to take effect.

You also need to enable Integrated Windows Authentication. Go to Tools > Internet Options > Advanced, scroll down to the Security section, and make sure that 'Enable Integrated Windows Authentication' is checked.

Step 11 – Surf!

Make sure you are logged into the AD domain from your client machine, start your browser and attempt to surf to the snoop servlet, using the fully qualified host name of the server. With security turned on, the snoop servlet will issue an authentication challenge to your browser, which will initiate the SPNEGO Kerberos exchange.

Please note that you must always use the fully qualified host name for SPNEGO to work. Remember, the domain is king. Using the unqualified host name, or localhost, will not work. If you are deploying your own web application, then you need to make sure you have your security constraints set in your web application deployment descriptor in order for SPNEGO to intercept the request.

It works!

In this example, we surfed to the http://appserver1.robo.home.ca:9080/snoop URL, and we get the following [screenshot in the original]. You should see your Windows user ID in the 'User Principal' field. Note the 'Authorization' section of the request headers. It has the value 'Negotiate' followed by an extremely long array of characters. This is how you can tell the SPNEGO exchange was successful (an NTLM header would be a short array of characters). You can also check the SystemOut.log file of the application server.

To see something really cool, log into the AD domain as your 'wasadmin' ID and then try surfing to the admin console. It should bypass the login screen entirely. Congratulations!

What happened to disablesecuritypreinvokeonfilters?

In earlier versions of this document, there was a step to add this custom property to the web container to get around an authentication problem when using https to surf to web applications that used a login page for authentication (like the admin console). It has been discovered that this causes a security exposure, and as a result this property no longer exists. IFIX PK77465 fixes this exposure, and the underlying problem it originally addressed. It is included in 6.1.0.25 and 7.0.0.5. If you are currently using this setting, please DISCONTINUE using it immediately and apply the necessary IFIX or fixpack for your installation.
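The 'long array of characters' test above can be made precise by decoding the header. The following Python is an added example, not part of the original document or of WebSphere: it parses the DER wrapper of the token that follows 'Negotiate', distinguishes raw NTLM from an SPNEGO token, and lists the mechanisms the browser offered, so the presence of Kerberos can be confirmed rather than inferred from length. The two sample headers are constructed in the code; the mechToken inside the SPNEGO sample is opaque filler standing in for the Kerberos AP-REQ.

```python
import base64

# OIDs found in an SPNEGO (RFC 4178) InitialContextToken: the base64 value after "Negotiate".
SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {"1.2.840.113554.1.2.2": "Kerberos V5",
              "1.2.840.48018.1.2.2": "MS Kerberos V5 (legacy OID)",
              "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value   # one DER tag-length-value element

def encode_oid(dotted):
    """Dotted OID -> DER contents octets (first two arcs combined, base-128 for the rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(raw):
    """DER contents octets -> dotted OID (first arc 0..2, true for every OID used here)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def read_tlv(buf, pos):
    """Read the DER element at pos -> (tag, contents, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def classify_negotiate(header_value):
    """Classify an Authorization header value as spnego, ntlm, malformed or not-negotiate.
    For spnego, 'mechs' lists the mechTypes the client offered (first one = preferred)."""
    scheme, _, token_b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate", "scheme": scheme, "mechs": []}
    try:
        token = base64.b64decode(token_b64, validate=True)
    except (ValueError, TypeError):
        return {"kind": "malformed", "mechs": []}
    if token.startswith(b"NTLMSSP\x00"):
        # Raw NTLM under the Negotiate scheme: the short header the text warns about.
        return {"kind": "ntlm", "length": len(token), "mechs": []}
    try:
        tag, body, _ = read_tlv(token, 0)
        if tag != 0x60:                          # [APPLICATION 0] InitialContextToken
            raise ValueError("not a GSS-API token")
        tag, oid, pos = read_tlv(body, 0)
        if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
            raise ValueError("not SPNEGO")
        _, neg_init, _ = read_tlv(body, pos)     # [0] negTokenInit
        _, fields, _ = read_tlv(neg_init, 0)     # SEQUENCE of optional fields
        mechs, pos = [], 0
        while pos < len(fields):
            tag, value, pos = read_tlv(fields, pos)
            if tag == 0xA0:                      # [0] mechTypes: SEQUENCE OF OID
                _, mech_seq, _ = read_tlv(value, 0)
                mpos = 0
                while mpos < len(mech_seq):
                    _, moid, mpos = read_tlv(mech_seq, mpos)
                    mechs.append(MECH_NAMES.get(decode_oid(moid), decode_oid(moid)))
    except (ValueError, IndexError):
        return {"kind": "malformed", "length": len(token), "mechs": []}
    return {"kind": "spnego", "length": len(token), "mechs": mechs}

def build_sample_spnego_token(mech_oids, mech_token):
    """Constructed sample: base64 negTokenInit carrying mechTypes and an opaque mechToken."""
    mech_types = tlv(0xA0, tlv(0x30, b"".join(tlv(0x06, encode_oid(o)) for o in mech_oids)))
    neg_init = tlv(0xA0, tlv(0x30, mech_types + tlv(0xA2, tlv(0x04, mech_token))))
    return base64.b64encode(tlv(0x60, tlv(0x06, encode_oid(SPNEGO_OID)) + neg_init)).decode()

# Constructed samples: a Kerberos-bearing SPNEGO header (filler stands in for the AP-REQ,
# which is what makes a real one so long) and a raw NTLM type 1 header.
SAMPLE_SPNEGO = "Negotiate " + build_sample_spnego_token(
    ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2"], b"\x6e" + b"\x00" * 1400)
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x00" * 24).decode()
```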
SPNEGO with a Remote Web Server

Introduction

We now have a single working instance of WebSphere with SPNEGO enabled. Life is good! Now what we want to do is create a multi-tiered environment by putting a separate http server in front of WebSphere, as displayed in the following topology:

Windows Client: Host Name xpclient.robo.home.ca, AD Domain ROBO.HOME.CA
Active Directory Server: Host Name w2ksvr.robo.home.ca, AD Domain ROBO.HOME.CA, DNS Domain robo.home.ca
Web Server: Host Name webserver1.robo.home.ca
Linux Server: Host Name appserver1.robo.home.ca

To accomplish this, we bring in a separate box, install the http server on it, install the WebSphere plug-in, and copy the plugin-cfg.xml file from the WebSphere system to the web server. If you install an http server and the WebSphere plug-in on the same machine as WebSphere, and deploy your app with that web server, the SPNEGO exchange still works fine.

Now, fully expecting SPNEGO to work, we attempt to surf to the snoop servlet again via the web server's address [screenshot in the original]. Huh?!?!?! Hitting the cancel button, we get the following page [screenshot in the original]. What just happened? Life was good five minutes ago!

We can get a clue to what is going on by turning off WebSphere security, restarting WebSphere, and then surfing to the snoop servlet via the web server again [screenshot in the original]. When the web server redirects the request to WebSphere, the server name changes from appserver1.robo.home.ca to webserver1.robo.home.ca. As you recall, the Service Principal Name (SPN) mapping we created was for appserver1.robo.home.ca. The name webserver1.robo.home.ca doesn't map to anything, so AD doesn't know which ID to create a session with.

To resolve this issue, we will need to create another ID, map a new SPN, create a new key, and change some configuration information in WebSphere.

Step 1 – Create a New AD User

Create a new AD user called 'websphere' using the same directions from the last section, and give it a permanent password of 'password'.

Step 2 – Assign the Service Principal Name and Create Key File

Instead of using the ktpass command with the -mapUser flag like we did last time, we are going to make it a two-step process with the use of the setspn command and ktpass without the -mapUser flag:

    setspn -a HTTP/<fully qualified hostname> <AD user>
    ktpass -out <keyfile name> -princ HTTP/<fully qualified hostname>@<AD DOMAIN NAME> -pass <password> -ptype KRB5_NT_PRINCIPAL

In our example environment, the commands look like this:

    setspn -a HTTP/webserver1.robo.home.ca websphere
    ktpass -princ HTTP/webserver1.robo.home.ca@ROBO.HOME.CA -out websphere.keytab -pass password -ptype KRB5_NT_PRINCIPAL

(AD 2000 Users: Remember to add -crypto DES-CBC-MD5)

Try issuing 'setspn -l websphere' as shown in the image in the original. It will show you the SPN that it is mapped to.

If we now take a look at the account properties for the 'websphere' user [screenshot in the original], you will notice that the logon name has not changed, unlike what happened last time when we created the mapping by just using the ktpass command with the -mapUser flag.

Making the mapping and key generation a two-step process with the setspn command gives us the ability to map multiple SPNs to the same AD user, cutting down on the number of user IDs you will need to create to support SPNEGO in your environment (we will see an example of this a little bit later). Mapping multiple SPNs to the same user ID is fine, but mapping the same SPN to multiple user IDs is extremely bad! Don't do it.

Step 3 – Modify Kerberos Configuration on the Application Server

Copy the new key file to your application server (not the web server), and put it in the same directory as before. Now that you have a new key file, you need to change the Kerberos configuration file to point to it [shown in the original]. In this example, we changed the key file from appserver1.keytab to websphere.keytab. You could have also just overwritten the appserver1.keytab file and not changed the krb5.conf file. It's up to you.

Step 4 – Update the WebSphere SPNEGO Configuration

Step 4 - WebSphere Version 6.1 Only

The TAI currently contains the application server host name as the SPN, and we need to change that. Log into the WebSphere admin console and change the TAI property to the name of the web server [screenshot in the original].

Step 4 - WebSphere Version 7 and 8

Update the SPNEGO Web Authentication page to change the hostname to the name of the web server [screenshot in the original]. In this example, the property was changed from appserver1.robo.home.ca to webserver1.robo.home.ca.

Step 5 – Restart WebSphere

Restart WebSphere. If you disabled security, re-enable it first. Restarting WebSphere will produce SystemOut.log file entries similar to the ones shown in the original. Notice how the Service Principal Name has changed from the application server to the web server address.

Step 6 – Surf!

Now surf to the snoop servlet by directing the browser to the web server machine [screenshot in the original]. We are back in business!

We have successfully switched the Service Principal Name from the application server to the web server. However, what if we want to be authenticated whether or not we are re-directed by the web server?
Since we made the switch.0. June 17.38 - . two SPN’s. we already have two AD user ID’s.ibm. or you can configure WebSphere to handle both Service Principal Names. 2013 . you will notice how the ‘setspn –l websphere’ command now displays both SPN’s. so you must perform the ‘setspn –d’ before mapping to another user.39 - . 2013 Web location of document (www.robo. Remember. © IBM Copyright.Step 7 – Re-map the Original SPN and Create a New Key If we want to re-map the original SPN to a new user.ca websphere This un-mapped the SPN from the user ‘wastest’. June 17.home. 2013 .robo.com/support/techdocs) SPNEGO Version 4. we must first un-map it from the original user. you cannot have the same SPN mapped to more than one user. we issued the following: setspn –d HTTP/appserver1.ibm.ca wastest setspn –a HTTP/appserver1. and re-mapped it to the user ‘websphere’. In the example above. If you look at the image above.0.home. This will preserve the first mapping while creating the second mapping. 2013 . but find the use of the setspn command distasteful. Note as well the use of the –in flag in the second ktpass command to preserve the key generated from the first ktpass command. the ktpass command allows you to collapse it all back into a single command by using the –mapOp flag in combination with the –mapUser flag.HOME. © IBM Copyright. Adding the –in flag to ktpass will combine the appserver1 key with the webserver1 key instead of overwriting
[email protected] - . Take a look at the following two commands: ktpass –princ HTTP/newserver1. What about –mapOp? If you want to map multiple SPN’s to the same user id. we want to map the newserver1 and newserver2 SPN’s to the existing websphere user ID. The first ktpass command issues –mapOp set.ca@ROBO. This means that you would still need to use the setpsn –d command if you wanted to change the user ID an SPN points to.keytab file. the webserver1 key is still in the websphere. Please note that the –mapOp set flag will not remove mappings from any user other than the user identified with the –mapUser flag. it will wipe out the appserver1.home.0.After mapping.keytab In this example.CA –in websphere. The ktpass uses –mapOp add as the default.keytab –out websphere.keytab –out websphere.home. Make sure you combine the keys in this manner.robo. so please be careful).home. June 17.ibm. This is accomplished in the example with the following command: ktpass –princ HTTP/appserver1.HOME.home.HOME. The second ktpass command issues –mapOp add.ca@ROBO. so we didn’t really need to specify it in the second example.robo.home. This will wipe out any previous SPN mappings to the websphere user ID and replace with the new one (If you issue this command in the current demo environment. 2013 Web location of document (www.ca mapping.com/support/techdocs) SPNEGO Version 4.keytab ktpass –prince HTTP/newserver2.robo. we need to add the new key to our key file.CA –ptype KRB5_NT_PRINCIPAL –mapUser websphere –mapOp add –pass password –in websphere.robo.keytab –pass password –ptype KRB5_NT_PRINCIPAL (AD 2000 Users: remember to add –crypto DES-CBC-MD5) In this example.CA –ptype KRB5_NT_PRINCIPAL–mapUser websphere –mapOp set –pass password –out websphere.ca and webserver1. WebSphere Version 6. 
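The difference between the plain -out and the -in/-out invocations above is easiest to see on the file itself. The following is an added example, not code from this IBM techdoc or from Microsoft: it builds, merges and inspects keytabs in the MIT version 0x0502 layout that ktpass writes, using the SPNs of this document. The keys, key version numbers and timestamps are constructed sample values (real keys are derived from the account password), and check_keytab is a helper of this example, not a WebSphere or Windows tool. Run it against the real websphere.keytab before the copy in Step 8 with check_keytab(open("websphere.keytab", "rb").read(), [...]): a missing SPN means the second ktpass ran without -in, and a DES entry means the key will be refused wherever DES is disabled. The IBM JDK's ktab -l shows the same principals and key version numbers.

```python
"""Build, merge and sanity-check keytab files in the MIT 0x0502 layout that ktpass writes.

Added example, not code from the IBM techdoc or from Microsoft. Keys, kvnos and
timestamps are constructed sample values; real keys come from the account password.
"""
import struct

# Kerberos encryption-type numbers (RFC 3961, RFC 3962, RFC 4757). ktpass writes 23 (RC4)
# by default on AD 2003 and later; "-crypto DES-CBC-MD5" for AD 2000 produces type 3.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3}          # DES: disabled by default on Windows 7 / 2008 R2 and later
KRB5_NT_PRINCIPAL = 1           # the -ptype used throughout the document
KEYTAB_MAGIC = b"\x05\x02"


def _counted(data: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(buf: bytes, pos: int):
    (length,) = struct.unpack(">H", buf[pos:pos + 2])
    pos += 2
    return buf[pos:pos + length], pos + length


def build_entry(principal: str, realm: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """One keytab entry: length, principal components, name type, timestamp, kvno, keyblock."""
    components = principal.split("/")            # "HTTP/host" -> ["HTTP", "host"]
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)   # timestamp 0: sample
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)              # optional 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    """What 'ktpass -out file' produces for (principal, realm, kvno, enctype, key) tuples."""
    return KEYTAB_MAGIC + b"".join(build_entry(*e) for e in entries)


def merge_keytab(existing: bytes, entries) -> bytes:
    """What 'ktpass -in file -out file' produces: existing entries kept, new ones appended."""
    if existing[:2] != KEYTAB_MAGIC:
        raise ValueError("input is not a version 0x0502 keytab")
    return existing + b"".join(build_entry(*e) for e in entries)


def parse_keytab(data: bytes) -> list:
    """Return one dict per entry; raises on a file that is not a 0x0502 keytab."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                             # negative length marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, kvno = struct.unpack(">IIB", data[pos:pos + 9])
        pos += 9
        (enctype,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        key, pos = _read_counted(data, pos)
        if end - pos >= 4:                       # a 32-bit kvno, if present, wins over the 8-bit one
            (kvno32,) = struct.unpack(">I", data[pos:pos + 4])
            kvno = kvno32 or kvno
        entries.append({"principal": "/".join(comps), "realm": realm.decode(), "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, str(enctype)),
                        "weak": enctype in WEAK_ENCTYPES, "key_len": len(key)})
        pos = end
    return entries


def check_keytab(data: bytes, required_spns) -> list:
    """Problems to fix before copying the file to the application server."""
    entries = parse_keytab(data)
    present = {e["principal"] for e in entries}
    problems = [f"missing key for {spn}" for spn in required_spns if spn not in present]
    problems += [f"{e['principal']} uses deprecated enctype {e['enctype']}"
                 for e in entries if e["weak"]]
    return problems


if __name__ == "__main__":
    REALM = "ROBO.HOME.CA"
    web = ("HTTP/webserver1.home.robo.ca", REALM, 3, 23, bytes(16))         # sample key
    app = ("HTTP/appserver1.home.robo.ca", REALM, 3, 23, bytes(range(16)))  # sample key
    first = build_keytab([web])            # first ktpass ... -out websphere.keytab
    merged = merge_keytab(first, [app])    # second ktpass ... -in websphere.keytab -out websphere.keytab
    for entry in parse_keytab(merged):
        print(entry)
    both = [web[0], app[0]]
    print("merged:", check_keytab(merged, both) or "ok")
    print("overwritten (no -in):", check_keytab(build_keytab([app]), both))
```

The parser follows the on-disk format rather than a library so that it can be run on the application server without a Kerberos toolchain; it does not verify that a key actually matches the account password, which only a real SPNEGO exchange or a kinit -k against the KDC can do.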
Step 8 – Move the Updated Key File to the Server

Copy the key to the WebSphere Application Server machine, putting it in the same directory as before. Make sure the entry in the krb5.conf file points to this key file.

Step 9 – Update the WebSphere SPNEGO Configuration

Step 9 - WebSphere Version 6.1 Only
You need to add a second SPN entry in the SPNEGO TAI configuration. Notice the SPN2 in the new property. You can have as many SPNs as you wish.

Step 9 - WebSphere Version 7 and 8
Update the SPNEGO Web Authentication page to include both the application server hostname and the web server hostname.

Step 10 – Restart WebSphere

When you restart WebSphere, you should see entries in the SystemOut.log file similar to the ones in the screenshot. Notice how the two SPNs are now displayed. You can now surf using the webserver1.home.robo.ca address or the appserver1.home.robo.ca address and still be authenticated. Give it a try!

Clusters and Load Balancing with SPNEGO

Introduction

Now that we have the ability to apply SPNEGO to a multi-tier architecture, we would like to scale the system up to provide some load balancing and failover support. To provide scalability and high availability in our web applications, clustering web application servers within a WebSphere Network Deployment cell is a necessity, as displayed in the following topology diagram:

Linux Server Host Name: appserver1.home.robo.ca
Linux Server Host Name: appserver2.home.robo.ca
Web Server Host Name: webserver1.home.robo.ca
Active Directory Server Host Name: w2ksvr.home.robo.ca
Windows Client Host Name: xpclient.home.robo.ca
AD Domain: ROBO.HOME.CA
DNS Domain: robo.home.ca

Getting SPNEGO to work in this environment is almost identical to how we set up SPNEGO in a multi-tiered environment in the last section, with most of the work being applied to simply building up the ND cell itself.

Step 1 – Create a WebSphere ND Cell

Managing multi-tiered application and web servers is straightforward once they are collected within a WebSphere ND cell. Set up your WebSphere ND cell to contain your cell manager and all of your application servers. How you set up your cluster is up to you. The cell manager can, of course, run on any of the application server node machines. In this example, WebSphere has been installed on a second Linux node, 'spnegoNode2' (appserver2.home.robo.ca), with the cell manager running on a third Linux machine, as shown in the screenshot. Before the cell was built up, WebSphere security was disabled on 'spnegoNode1' (appserver1.home.robo.ca), and the nodes were then consolidated into an ND cell.

Step 2 – Incorporate the Web Server into the Cell

We would like to be able to send the WebSphere plugin-cfg.xml file directly to the web server running on webserver1.home.robo.ca without manually manipulating and/or copying it. We can do this by adding the web server machine as an unmanaged node within the cell. Click on the 'Add Node' button from the Nodes panel, and then follow the procedure from the next set of screenshots: select Unmanaged node and click Next. Select a name for your node and the host name where the web server is running, then click OK. You should now see the new node in your node list.

Now that the 'webserverNode1' unmanaged node has been added, we can add the HTTP Server to it. From the admin console, click on the Web Servers link in the Servers section of the menu pane. If you installed HTTP servers on your application server nodes before you incorporated the cell, you should see something similar to the screenshot; if you didn't, then you won't see any web servers. Click New. Select the 'webserverNode1' node, and enter 'webserver1' as the server name ('webserver1' is the name a default WebSphere plug-in install gives the web server; if you specified a different name for the web server when you installed the WebSphere plug-in, use that name instead). Click Next, and Next again. Enter the correct information, click Next, then click Finish. You have now incorporated the independent web server into your ND cell.

Step 3 - Create an Application Server Cluster

You have an incorporated cell, and the snoop servlet runs on both nodes within the cell, but that doesn't mean we can load balance between them just yet. First we need to create an application cluster, and then deploy it to the nodes and the web server. Click on the Clusters link in the Servers section of the Admin Console, then click the New button. Enter a name for the cluster (we used snoopCluster here), then press the Next button. Select a member name for the first member in your cluster, select the node it runs on, and click Next. Select a member name for the next member of your cluster and click on the Add Member button (you can use the same member name on different nodes, as long as it is unique for that node). Then click the Next button, and then the Finish button. You have successfully created an application cluster.

Step 4 – Deploy Applications to Cluster

Before you can start the cluster, you need to deploy the snoop servlet to it, which is contained in the default application. Click on the Enterprise Applications link in the Applications section of the Admin Console, click on the DefaultApplication link, and then on the Manage Modules link. Highlight the cluster and the web server the application will be deployed to, and then press the Apply button. Afterwards, press the OK button and then save to the master configuration.

Next, update the global web server plug-in configuration. From the Environment section of the Admin Console, select the Update global Web server plugin configuration link and click the OK button. Now select the Web servers link from the Servers section of the Admin Console, select the web server to update and click the Generate Plug-in button. Select the web server again, and then press the Propagate Plug-in button. Restart the web server on the web server node to make sure it picks up the changes quickly.

Step 5 – Set up SPNEGO in the Cluster

Setting up SPNEGO in an ND cluster is exactly the same as setting up SPNEGO in the earlier sections; there is just a little more of it. Let's follow the steps from the first example, and apply them as needed for the cluster:

Step 1 – Create a User ID for the Application Server
We will reuse the websphere AD user that we already created.

Step 2 – Assign the Service Principal Name and Create Key File
We will reuse the websphere.keytab file that we already created for this account. For this example, there will be a policy that anyone wanting to access the application servers will have to be routed through the web server node. This means we only need to have a key for webserver1.home.robo.ca. Luckily, we already created this key and this mapping in one of the previous examples, so we don't even need to do that!

Step 3 – Set up Kerberos Configuration on the Application Server
The configuration file already exists on appserver1.home.robo.ca. We can copy it and the websphere.keytab key file to the same directory on appserver2.home.robo.ca. We could use the wsadmin command again, but copying the files works just as well. Make sure the krb5.conf and keytab file are in the same directory on every machine in the cell that you want participating in SPNEGO, with the same restrictive file permissions on each.

Step 4 – Enable WebSphere Security
Enable global security exactly as before, using the ND admin console.

Step 5 – Enable SSO
Same as before.

Step 6 – Enable WebSphere SPNEGO Configuration

Step 6 - WebSphere Version 6.1 Only
Same as before, using webserver1.home.robo.ca as the hostname. Note that the TAI configuration is global for the entire cell; it only needs to be set once. After you make global changes, make sure you synchronize the changes with the nodes.

Step 6 - WebSphere Version 7 and 8
Same as before, using webserver1.home.robo.ca as the SPN. This is global for the entire cell.

Step 7 – Enable SPNEGO at the JVM Level

Step 7 - WebSphere Version 6.1 Only
As in the previous step, you need to enable SPNEGO at the JVM level for each node in your cluster.

Step 7 - WebSphere Version 7 and 8
Same as before.

Step 8 – Turn on SPNEGO Logging and Tracing
Same as before. You only need to set the debugging variables if you need to.

Step 9 – Restart WebSphere
In this case, you will need to restart the entire cell. Stop the node agents running on each of the nodes and any application servers that may also be running. Stop the cell manager, and then restart it. You should now have to log into the admin console with the wasadmin user ID and password. Now restart the node agents on the application server nodes. Check in the System administration section of the admin console to make sure the nodes have come up successfully. Please note that you only need to restart the entire cell if you have just enabled WebSphere security as well. If security is already enabled, there is no need to restart the nodes or the cell manager.

After the cell has restarted, you can now start the cluster: select the cluster and press the Start button. You can check the SystemOut.log files on each of the nodes to see if SPNEGO has successfully started. Make sure you look in the correct log files for the members of your cluster. Now log into the domain from your Windows client, start up a browser and surf to the snoop servlet via the web server. The SPNEGO exchange should work just fine. Go into the admin console and shut one of the servers in your cluster down, and try to surf to the servlet again. It should fail over to the second application server instance just fine.

There are a lot of steps in this example, and mixing any of them up could result in SPNEGO not working correctly. If you have problems, carefully go over the steps again. A good first step is to turn security off and just make sure you have the cell set up correctly and the web application deployed correctly before worrying about the SPNEGO set up.

SPNEGO with Network Dispatchers and IP Sprayers

Now that we have achieved clustering in our environment, we can continue to scale it up with the use of network dispatchers, as demonstrated in the topology diagram below:

Linux Server Host: appserver1.home.robo.ca
Linux Server Host: appserver2.home.robo.ca
Web Server Host: webserver1.home.robo.ca
Web Server Host: webserver2.home.robo.ca
Dispatcher Host: snoopcluster.home.robo.ca
Active Directory Server Host Name: w2ksvr.home.robo.ca
Windows Client Host: xpclient.home.robo.ca
AD Domain: ROBO.HOME.CA
DNS Domain: robo.home.ca

We can add a second web server in the web tier, and place a network dispatcher with a cluster address in front of the web tier. If we set the cluster host name to be snoopcluster.home.robo.ca and also set a policy dictating that all access needs to go through the dispatcher, then we only need to create the one SPN and one key for the whole system. We could have any number of application servers, web servers and deployed web applications all using the same key. The SPN must match the host name the browser actually uses, so users have to reach the system by the cluster name; a request addressed to an individual web server or application server by name will not produce a ticket the shared keytab can decrypt.
Setting up Delegation

If you are running a web application on WebSphere Application Server that needs to be able to forward the client's credentials along to another server, then there are a couple of extra things you need to do to enable this capability.

Step 1 – When Creating an ID for the Application Server

When you create the AD user ID that the application server uses, you need to set the 'Account is trusted for delegation' flag on the Account tab of the AD user properties, as displayed in the screenshot. Note that this option is set only for the application server ID, not for the individual client users. On Windows Server 2000 systems, delegation capability is set in the account options list of the Account tab. On Windows Server 2003 and later the same flag is on the Delegation tab, as 'Trust this user for delegation to any service (Kerberos only)'; that tab only appears once the account has at least one SPN registered.

This is unconstrained delegation: a forwarded TGT lets the application server act as the user towards any service in the forest, so a compromise of the application server or of its AD account is a compromise of every user who has authenticated to it. Grant the flag only to the application server account, only when an application actually needs it, and keep the account's keytab and password under correspondingly tight control.

Step 2 – When Enabling SPNEGO in WebSphere

WebSphere Version 6.1 Only
When setting the custom properties of the SPNEGO TAI in the WebSphere admin console, you need to add an additional property named 'com.ibm.ws.security.spnego.SPN1.enableCredDelegate' and set its value to 'true'. Once again, be mindful of the spelling and the case.

WebSphere Version 7 and 8
When setting up SPNEGO Web authentication for a host name in Global security, you need to set a check-box to enable credential delegation.

Step 3 – When Creating the krb5.conf File

After you create the krb5.conf file, you will notice that the 'forwardable = true' line is commented out, as indicated in the screenshot. Remove the comment marker and save the file.

Performing these operations will expose the client credentials at the application server, giving server applications the ability to request and forward these credentials to another server. Please note that this is not an automatic process: specific code needs to be written on the server to pull the credentials from the authenticated subject and use them.

© IBM Copyright, 2013. Web location of document: www.ibm.com/support/techdocs. SPNEGO Version 4.0, June 17, 2013.