synchronizedrewritecond
rewritecond 时间:2021-01-11 阅读:()
CopyrightIBMCorporation2010TrademarksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage1of19Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentYangChaoFengLiShengShuangYuXiaoFengFebruary02,2010Inthisarticle,wediscusstheconfigurationofaKerberos-basedsinglesign-onsolutionfromaMicrosoftWindowsdesktoptoIBMLotusConnectionsrunningonIBMWebSphereApplicationServer.
Editor'snote:KnowalotaboutthistopicWanttoshareyourexpertiseParticipateintheIBMLotussoftwarewikiprogramtoday.
LotusConnectionswikiIntroductionBeforewestartourdiscussionofconfiguringsinglesing-oninIBMLotusConnection,weneedtoreviewsomeconceptsfirst:KerberosandSPNEGO.
Kerberosisacomputernetworkauthenticationprotocol,designedanddevelopedbyMIT,whichallowsnodescommunicatingoveranonsecurenetworktoprovetheiridentitytooneanotherinasecuremanner.
Kerberosversion5authenticationprotocolisanRFC(RequestForComments)standard.
SPNEGO(SimpleandProtectedGSSAPINegotiationMechanism)isaGSSAPIpseudo-mechanismthatisusedtonegotiateoneofanumberofpossiblerealmechanisms.
ItsmostvisibleuseisinMicrosoft'sHTTPNegotiateauthenticationextension.
ThenegotiablesubmechanismsincludeNTLM(NTLANManager)andKerberos,bothusedinMicrosoftActiveDirectory.
Moreinformationcanbefoundhere.
LotusConnectionscanleveragetheWebSphereApplicationServerSPNEGOTAI(trustassociationinterceptor)toprovidethesinglesign-on(SSO)capability,enablinguserstosignontotheMicrosoftWindowsdesktopandthenbeautomaticallysignedintoLotusConnectionsfeatureswithouthavingtoauthenticate.
Figure1showstherequest/responsedataflowintheWebSphereApplicationServerSPNEGOenvironment.
developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage2of19Figure1.
SPNEGOdataflowdiagramYoucanreadmoreabouttheWebSphereApplicationServerSPNEGOTAIinitsInformationCenter.
Inthisarticle,weillustratehowyoucanenableLotusConnectionstoprovidethesinglesign-on(SSO)capabilityforusersbasedonthedeploymentshowninfigure2.
Figure2.
LotusConnectionsSPNEGOdeploymenttoplogyActiveDirectoryandKerberosKDC(keydistributioncenter)aredeployedonaMicrosoftWindows2003ServerEnterpriseEditionsystem.
TheMicrosoftWindowsclientsystemistheusers'Windowsclientsystemwithbrowsersandotherapplicationsdeployed.
LotusConnections2.
5serveristheLotusConnections2.
5environmentusingActiveDirectoryastheLDAPdirectory;LotusConnections2.
5servercanbeamultiple-nodesclusteroronesingle-nodeenvironment.
Inthisarticle,wedeployLotusConnections2.
5serverontheMicrosoftWindowssystem.
PrerequisitetasksonActiveDirectoryandKerberosKDChostThereareseveralprerequisitetaskstobefinishedbythesystemadministratorsontheActiveDirectoryandKerberosKDChostbeforewecanproceed.
InstallActiveDirectoryonMicrosoftWindows2003Refertohttp://technet.
microsoft.
com/en-us/library/aa998088.
aspxonHowtoinstallActiveDirectoryonWindows2003ServerEnterpriseEdition.
AfteryouhavesuccessfullyinstalledActiveDirectory,makesurethattheKerberoskeydistributioncentersystemservicesisconfiguredcorrectlyintheServiceslist.
Double-clicktheKerberosKeyDistributionCenterservicetoselectibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage3of19theKerberosKeyDistributionCenterpropertiesasshowninfigure3.
MakesurethattheStartuptypefieldisselectedasAutomatic(Automaticisselectedbydefault).
Figure3.
KerberosKeyDistributionCenterpropertiesTheKDCserviceenablesuserstologontothenetworkusingtheKerberosV5authenticationprotocol.
Ifthisserviceisstopped,usersareunabletologontothedomainandaccessservices.
Onanon-KDC-enabledsystem(notadomaincontroller),theKDCservicestartuptypeisdisabled.
YoucanreadmoreabouttheMicrosoftWindowsKDCservice.
YoucanlearnhowtomodifytheKerberosprotocolregistryentriesandKDCconfigurationkeysinMicrosoftWindowsServer2003.
Weusethedefaultvaluesinthisconfiguration.
MakesurethatyouinstallaDNSserveronthisWindows2003systemasdetailedinstep9ofthisprocess.
OntheDNSRegistrationDiagnosticspage,followthesesteps:1.
ClickInstallandconfiguretheDNSserveronthiscomputer.
2.
SetthiscomputertousethisDNSserverasitspreferredDNSserver.
3.
ClickNext.
4.
TheDNSservicerunsonthisMicrosoftWindows2003Server.
Double-clicktheDNSServerservicetoselecttheDNSServerpropertiesasshowninfigure4.
MakesurethattheStartuptypefieldisselectedasAutomatic(Automaticisselectedbydefault).
developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage4of19Figure4.
DNSServerPropertieswindowTimesynchronizationfortheKerberosenvironmentTheMicrosoftWindowsServer2003hostingActiveDirectoryisusedasthedomaincontroller.
Iftimesynchronizationisnotaprobleminyourenterpriseintranet,youcanignorethissection.
Kerberosrequiresthattheclocksoftheinvolvedhostsaresynchronized.
Theticketshaveatimeavailabilityperiod,andifthehostclockisnotsynchronizedwiththeKerberosserverclock,theauthenticationfails.
WeoftenusethedomaincontrollerasthetimeserverandruntheWindowsScheduletaskontheinvolvedLotusConnectionsserverhoststodotimesynchronizationwiththedomaincontroller.
Figure5showsanexampletaskthatinvokesthesampleTimeSyn.
bateveryminute.
Figure5.
WindowsScheduledTasksfortimesynchronizationInourexample,usersneedtocreateabatchfilenamedTimeSyn.
batinC:\.
Ifexample.
yourdomain.
comisthedomaincontrollerandanNTPtimeserver,theTimeSyn.
batlookslikethecodeshowninlisting1.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage5of19Listing1.
SamplecodeforTimeSyn.
batw32tm/config/manualpeerlist:acme.
yourdomain.
com.
com,0x8/syncfromflags:MANUALnetstopw32timenetstartw32timew32tm/resyncInstallMicrosoftWindowssupporttoolsInstallMicrosoftWindowssupporttoolsontheWindows2003ServerEnterpriseEdition.
YouneedthistooltorunthektpasscommandonthedomaincontrollertosetSPNfortheserviceaccountandtogeneratethekeytabfile.
YoucangetdetailsabouthowtheKerberosprotocolworksinMicrosoftWindowsServer2003.
ConfiguretheLotusConnectionsservertosupporttheKerberosenvironment.
WhentheprerequisitetaskshavebeenfinishedwecanstarttheconfigurationontheLotusConnectionsserver.
ConfigureLotusConnectionstouseActiveDirectoryasauserrepositoryRefertotheLotusConnectionsInformationCentertolearnhowtoconfigurethesecuritytouseActiveDirectoryasauserrepositoryandhowtopopulatetheProfilesdatabase.
CreateaserviceaccounttoholdSPNinActiveDirectoryAnSPN(serviceprincipalname)isneededforLotusConnectionsintheKerberosenvironmenttoidentifytheLotusConnectionsserver.
AserviceaccountisneededinActiveDirectorytoholdthatSPN.
Tocreatetheserviceaccount,logintothedomaincontroller,gotoManageYourServer-DomainController(ActiveDirectory)-ManageusersandcomputersinActiveDirectory,andclickthebutton.
OntheAccountpage,makesurethatyouselecttheUsercannotchangepasswordandPasswordneverexpiresoptionsasshowninfigure6.
developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage6of19Figure6.
NewuseraccountpropertiesSetSPNandgeneratethekeytabfileRunthektpasscommandonthedomaincontrollertosetSPNfortheserviceaccountandgeneratethekeytabfile:ktpass–princ-out-mapuser-mapOpset–passwhereistheKerberosserviceprincipalname.
AKerberosprincipalisdividedintothreeparts:theprimary,theinstance,andtherealm.
TheformatofatypicalKerberosprincipalisprimary/instance@REALM.
IfLotusConnectionsishostedonthesystemSVTLCSPNEGO.
cn.
example.
comandthedomainnameisCN.
EXAMPLE.
COM,theSPNisHTTP/SVTLCSPNEGO.
cn.
example.
com@CN.
EXAMPLE.
COM.
isthelocationwhereyouwanttosavethekeytabfile.
istheserviceaccountname.
isthepasswordtotheserviceaccountname.
Assumethattheuseraccountcreatedinstep1islcserver01andthatthepasswordtotheserviceaccountisPassword1.
YouwanttosavethekeytabfileasC:\SVTLCSPNEGO.
keytab,sothecommandlookslikethefollowingcode:ktpass-princHTTP/SVTLCSPNEGO.
cn.
ibm.
com@CN.
IBM.
COM-outibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage7of19c:\SVTLCSPNEGO.
keytab-mapuserlcserver01-mapOpset-passPassw0rd1Thecommandoutputisshowninlisting2.
Listing2.
ktpasscommandoutputTargetingdomaincontroller:SVTLCSPNEGO.
cn.
ibm.
comUsinglegacypasswordsettingmethodSuccessfullymappedHTTP/SVTLCSPNEGO.
cn.
ibm.
comtolcserver01.
WARNING:pTypeandaccounttypedonotmatch.
Thismightcauseproblems.
Keycreated.
Outputkeytabtoc:\SVTLCSPNEGO.
keytab:Keytabversion:0x502keysize68HTTP/SVTLCSPNEGO.
cn.
ibm.
com@CN.
IBM.
COMptype0(KRB5_NT_UNKNOWN)vno4etype0x17(RC4-HMAC)keylength16(0x5858d47a41e40b40f294b3100bea611f)InaLotusConnectionscluster,youonlyneedtoselecttheIBMHTTPservernameorthevirtualhostname(usersaccesstheIBMHTTPserverorthevirtualhosttoexperienceLotusConnectionsfeatures)astheinstancenameintheKerberosserviceprincipalname.
ItisunnecessarytogeneratethekeytabfileforallnodesintheLotusConnectionscluster.
ConfigureSPNEGOTAIinWebSphereApplicationServerConfigureSPNEGOTAIintheWebSphereApplicationServeradministrativeconsolebytakingthesesteps:1.
NavigatetoSecurity-Secureadministration,applications,andinfrastructure,andexpandWebSecurity.
ClickTrustassociation.
2.
SelecttheEnabletrustassociationoptiontoenableTAI.
3.
SelectInterceptors-com.
ibm.
ws.
security.
spnego.
TrustAssociationInterceptorImpl-Customproperties.
4.
Addthecustompropertiesshowninlisting3.
Listing3.
CustompropertiesforSPNEGOTAIcom.
ibm.
ws.
security.
spnego.
SPN1.
hostName=com.
ibm.
ws.
security.
spnego.
SPN1.
NTLMTokenReceivedPage=com.
ibm.
ws.
security.
spnego.
SPN1.
spnegoNotSupportedPage=com.
ibm.
ws.
security.
spnego.
SPN1.
filter=request-url!
=/seedlist/authverify;request-url!
=/seedlist/server;request-url!
=/seedlist/myserver;request-url!
=noSPNEGOcom.
ibm.
ws.
security.
spnego.
SPN1.
filterClass=com.
ibm.
ws.
security.
spnego.
HTTPHeaderFilterwhereisthenameoftheserverwithwhichLotusConnectionsisaccessed(forexample,theIBMHTTPservernameorthevirtualhostname).
iswheretheSPNEGOTAIredirectpageiscreatedonthelocalfilesystem,forinstancefile:///Z:/share/TAIRedirect.
html.
YouneedtocreatethatHTMLfilemanually.
Thecontentisthecodeshowninlisting4.
Listing4.
SPNEGOTAIredirectpageTAIRedirect.
htmlvarorigUrl=""+document.
location;if(origUrl.
indexOf("noSPNEGO")=0)origUrl+="&noSPNEGO";elseorigUrl+="noSPNEGO";}functionredirTimer(){self.
setTimeout("self.
location.
href=origUrl;",0);}document.
write("Redirectto"+origUrl+"");5.
ClickOKtosavethechanges.
Figure7isascreencaptureofwhatdispaysinarealdeployment.
Figure7.
WebSphereadministrativeconsolescreencaptureforSPNEGOTAIcustompropertiesListing5isthesampleJACLcodethatcanfulfilltheWebSphereSPNEGOTAIsetupfromthewsadmininterface.
NamethefileasConfigTA.
jaclandrunitlikethis:wsadmin-fConfigTA.
jaclibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage9of19Remembertoreplacethecom.
ibm.
ws.
security.
spnego.
SPN1.
hostNamevaluewithyourrealconfigurationvariable.
Listing5.
ConfigTA.
jaclforWebSphereSPNEGOTAIsetupprocsaveConfig{}{globalAdminConfig$AdminConfigsave}procconfigTA{}{globalAdminConfigsettrustAssocConfigId[$AdminConfiglistTrustAssociation]settrust_attrib{}setmatchFound0settrust_assocEnabledysettrust_interceptorClassNamecom.
ibm.
ws.
security.
spnego.
TrustAssociationInterceptorImplif{$trust_assocEnabled!
={}}{if{[regexp$trust_assocEnabledy]}{lappendtrust_attrib[listenabled"true"]}else{lappendtrust_attrib[listenabled"false"]}$AdminConfigmodify$trustAssocConfigId$trust_attrib}if{$trust_interceptorClassName!
={}}{setlistOfTAI[$AdminConfiglistTAInterceptor]foreachtai$listOfTAI{setclassName[$AdminConfigshowAttribute$taiinterceptorClassName]if{[stringcompare$className$trust_interceptorClassName]==0}{setmatchFound1###break}}}if{$matchFound==1}{setinterceptorConfigId$taisettrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
hostName#replacewithyourIHShostsettrust_propertyValuesettrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"settrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
filterClasssettrust_propertyValuecom.
ibm.
ws.
security.
spnego.
HTTPHeaderFiltersettrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage10of19$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"settrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
filtersettrust_propertyValue"request-url!
=/seedlist/authverify;request-url!
=/seedlist/server;request-url!
=/seedlist/myserver;request-url!
=noSPNEGO"settrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"settrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
spnegoNotSupportedPagesettrust_propertyValuefile:///z:/TAIRedirect.
htmlsettrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"settrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
NTLMTokenReceivedPagesettrust_propertyValuefile:///z:/TAIRedirect.
htmlsettrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"}}#Mainprocedureputsstdout"Runlikethis:wsadmin-fConfigTA.
jacl"puts">configTA"configTAsaveConfigibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage11of19CreatetheKerberosconfigurationfileBeforeusingSPNEGOTAIinWebSphereApplicationServer,youneedtocreatetheKerberosconfigurationfile.
First,copythekeytabfiletotheserverwhereLotusConnectionsisinstalled.
ThenrunthecreateKrbConfigFilescriptwiththewsadmincommandlineutility,byissuingthecommandshowninlisting6.
Listing6.
wsadmincommandtocreatetheKerberosconfigurationfile$AdminTaskcreateKrbConfigFile{-krbPath\java\jre\lib\security\krb5.
conf-realm-kdcHost-dns-keytabPath}whereisthepathtotheWebSphereApplicationServerlocation,nottheLotusConnectionslocation.
istheKerberosrealmandmustbeshowninalluppercaseletters.
isthenameofthekeydistributioncenterhost.
istheDNSservername.
isthelocationofthekeytabfilegeneratedonthedomaincontroller.
EnabletheWebSphereSPNEGOTAIToenableSPNEGOTAI,logintotheWebSphereApplicationServeradministrativeconsole,andnavigatetoServers-Applicationservers.
Selecttheservername(typicallyserver1),expandJavaandProcessManagement,andselectProcessDefinition-JavaVirtualMachine-CustomProperties.
Addtwocustomproperties:com.
ibm.
ws.
security.
spnego.
isEnabled=truejava.
security.
krb5.
conf=IfyouinstallLotusConnectionsinmultipleserverinstances,youneedtorepeatthisstepforallserverinstances.
Listing7isthesampleJythoncodethatcanfulfillthetaskfromthewsadmininterface.
Namethefileasconfigspnegojvm.
pyandrunitlikethis:wsadmin-langjython-userwasadmin-passwordwasadmin-fconfigspnegojvm.
pyYour_Cell_NameYour_Node_NameYour_ServerInstance_Name.
Listing7.
configspnegojvm.
pyforenablingJVMSPNEGOcustompropertiesdefconfigspnegojvm(cellName,nodeName,serverName):globalAdminConfigkrb5conf="C:/IBM/WebSphere/AppServer/java/jre/lib/security/krb5.
conf"developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage12of19javasrv=AdminConfig.
getid("/Cell:"+cellName+"/Node:"+nodeName+"/Server:"+serverName+"/")#Checkingforexistenceofserverprint"Checkingforexistenceofserver"+serverNameiflen(javasrv)==0:print"Error--servernotfoundforname"+serverName+"::/Cell:"+cellName+"/Node:"+nodeName+"/Server:"+serverName+"/"returnelse:print"OK.
"+javasrvaddJVMCustomProperties=javaproc=AdminConfig.
list('JavaProcessDef',javasrv)prop=AdminConfig.
list('Property',javaproc)jvmp=AdminConfig.
list('JavaVirtualMachine',javaproc)if(prop.
find("com.
ibm.
ws.
security.
spnego.
isEnabled")>=0):print"INFO:JVMpropertiesseemalreadyexist:"printpropreturnAdminConfig.
create('Property',jvmp,[['name','com.
ibm.
ws.
security.
spnego.
isEnabled'],['value','true'],['required','false']])AdminConfig.
create('Property',jvmp,[['name','java.
security.
krb5.
conf'],['value',krb5conf],['required','false']])AdminConfig.
save()printCurrentJVMCustomProperties=prop=AdminConfig.
list('Property',jvmp)printprop#Main:#.
/wsadmin-langjython-userwasadmin-passwordwasadmin-fconfigspnegojvm.
pyYour_Cell_NameYour_Node_NameYour_ServerInstance_Nameif(len(sys.
argv)!
=3):print"Thisscriptrequires3parameters"print"e.
g.
:.
/wsadmin-langjython-userwasadmin-passwordwasadmin-fconfigspnegojvm.
pyYour_Cell_NameYour_Node_NameYour_ServerInstance_Name"else:cellName=sys.
argv[0]nodeName=sys.
argv[1]serverName=sys.
argv[2]print"cellName:"+cellNameprint"nodeName:"+nodeNameprint"serverName:"+serverNameprintconfigspnegojvm(cellName,nodeName,serverName)ConfiguretheAjaxproxyfortheLtpaTokencookieAddthefollowingpartintotheproxy-config.
tplfiletoconfiguretheAjaxproxytoproxyLtpaTokencookies.
Youcandothistaskwiththewsadminutilitytoextracttheconfigurationfilesfirst,addthefollowingcontent,andcheckintheconfiguration.
Youneedtorestarttheserverinstancestopickupthechanges.
Seelisting8.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage13of19Listing8.
proxy-config.
tplsettingsforAjaxproxyLtpaTokencookieJSESSIONIDLtpaTokenLtpaToken2ConfigureHTTPrewriterulestologouttoanunprotectedURISetURLrewriterulesintheIBMHTTPServerconfigurationfilenamedhttpd.
conftologouttoanunprotectedWebpage,sothatSPNEGOauthenticationdoesn'thappenagaintologintheuserautomatically.
Followthesesteps:1.
Openthehttpd.
conffileontheIBMHTTPServer,anduncommentthefollowinglines(removethe#):#LoadModulerewrite_modulemodules/mod_rewrite.
so2.
Thenaddthecodeshowninlisting9.
Listing9.
HTTPrewriterulesRewriteEngineOnRewriteCond%{REQUEST_URI}/(.
*)/ibm_security_logout(.
*)RewriteCond%{QUERY_STRING}!
=logoutExitPage=RewriteRule/(.
*)/ibm_security_logout(.
*)/$1/ibm_security_logoutlogoutExitPage=[noescape,L,R]whereistheunprotectedURLtowhichtheuserisredirectedafterlogout.
ItisanunprotectedURLtopreventSPNEGOauthentication.
BesuretoconfiguretheURLrewriteruleforbothHTTPandHTTPS.
ConfiguringtheclientbrowsertouseSPNEGOUsersneedtoconfiguretheirclientsbeforetheycanusetheLotusConnectionsservicesintheKerberosenvironment.
UserclientsystemtojointhedomainFirst,theuserclientsystemjoinsthedomain.
Theclientsystem'sDNSservervalueissetasthedomaincontrolleraddressintheTCP/IPPropertieswindowasshowninfigure8.
developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage14of19Figure8.
TCP/IPPropertiesontheclientsystemNext,followthelinkhttp://support.
microsoft.
com/kb/295017tojointhedomain.
.
Aftertheclientsuccessfullyjoinsthedomain,theadministratorofthedomaincontrollercanseethenewlyjoinedmemberintheActiveDirectoryUsersandComputersviewasshowninfigure9.
Figure9.
ComputerslistbelongstothespecificdomainUserclientbrowserconfigurationSecond,usersneedtoconfiguretheirclientbrowserstouseSPNEGO.
IfyouareusingMicrosoftInternetExplorer,followthesesteps:1.
IntheInternetExplorerwindow,selectTools-InternetOptions-Security.
2.
SelecttheLocalintraneticon,andclickSites.
3.
Inthewindowthatdisplays,clickAdvanced.
IntheAddthisWebsitetothezonefield,entertheWebaddressofthehostnamesothatsinglesign-on(SSO)canbeenabledtothelistofWebsitesshownintheWebsitesfield.
4.
ClickClose,andthenclickOKtocompletethisstepandclosetheLocalintranetwindow.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage15of19Figure10.
Localintranetsettings5.
InthesectionofthewidowtitledSecuritylevelforthiszone,clickCustomLevel.
IntheSecuritySettingswindowthatdisplays,scrolltoUserAuthentication-LogonandselecttheAutomaticlogononlyinIntranetzoneoption.
ClickOKtoclosetheSecuritySettingswindow.
Seefigure11.
Figure11.
SecuritysettingsforthelocalintranetzonedeveloperWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage16of196.
IntheInternetOptionswindow,clicktheAdvancedtabandscrolltoSecuritysettings.
MakesurethattheEnableIntegratedWindowsAuthentication(requiresrestart)optionisselected.
Seefigure12.
Figure12.
InternetOptionssetting7.
ClickOK.
RestartyourInternetExplorerbrowsertoactivatethisconfiguration.
IfyouareusingtheMozillaFirefoxbrowser,followthesesteps:1.
OpenFirefox.
2.
Intheaddressfield,enterabout:config.
3.
IntheFilterfield,enternetwork.
n.
4.
Doubleclick.
negotiate-auth.
trusted-uris.
ThispreferenceliststhesitesthatarepermittedtoengageinSPNEGOauthenticationwiththebrowser.
Enteracomma-delimitedlistoftrusteddomainsorURLs.
NOTE:Youmustsetthevaluefornetwork.
negotiate-auth.
trusted-urisasshowninfigure13.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage17of19Figure13.
MozillaFirefoxbrowsersetting5.
IfthedeployedSPNEGOsolutionusestheadvancedKerberosfeatureofcredentialdelegation,double-clicknetwork.
negotiate-auth.
delegation-uris.
Thispreferenceliststhesitesforwhichthebrowsercandelegateuserauthorizationtotheserver.
Enteracomma-delimitedlistoftrusteddomainsorURLs.
6.
ClickOK.
Theconfigurationdisplaysasupdated.
7.
RestartyourFirefoxbrowsertoactivatethisconfiguration.
AccessLotusConnectionswiththesinglesign-oncapabilityintheKerberosenvironmentAfteralltasksintheprecedingstepsarefinished,userscanstarttoexperienceLotusConnectionswithsinglesign-on.
Theyneedtologontotheirsystems,andtheywillnotbechallengedwhenusingLotusConnectionsfeatures.
Figure14isascreencapturetakenfromanactualdeployment.
UserAamir_000_000logsontohisWindowsclient(whichhasjoinedthedomaincontrolledbythedomaincontroller),openstheFirefoxbrowser,enterstheLotusConnectionshomepageaddress,andlogsontoLotusConnectionsautomatically.
Figure14.
AutomaticallyloadedLotusConnectionshomepagedeveloperWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage18of19TroubleshootingIfyouhaveanyproblemswhenusingLotusConnectionsintheSPNEGOenvironment,youcanenabletracingonSPENGOandKerberosusingthesesettings:JVMcustompropertysettingcom.
ibm.
security.
jgss.
debug=allcom.
ibm.
security.
krb5.
Krb5Debug=allLogsandtracesettingcom.
ibm.
ws.
security.
*=all:com.
ibm.
ws.
security.
spnego.
*=allConclusionThisarticleintroducedtheMicrosoftWindowssinglesign-onSPNEGOconceptandconfigurationsforLotusConnections2.
5,providingdetailedexplanationsforeachconfigurationstep.
Thesamplecodelistings,whichareusefulforautomatingsystemadministrationwork,inthearticlehavebeenverifiedbythesystemtestteam.
TheconfigurationstepscanalsobeappliedtootherWebapplications.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage19of19RelatedtopicsReadtheWebSphereApplicationServerInformationCenterarticle,"Creatingasinglesign-onforHTTPrequestsusingtheSPNEGOTAI.
"RefertotheKerberosUser'sGuide.
CopyrightIBMCorporation2010(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)
Editor'snote:KnowalotaboutthistopicWanttoshareyourexpertiseParticipateintheIBMLotussoftwarewikiprogramtoday.
LotusConnectionswikiIntroductionBeforewestartourdiscussionofconfiguringsinglesing-oninIBMLotusConnection,weneedtoreviewsomeconceptsfirst:KerberosandSPNEGO.
Kerberosisacomputernetworkauthenticationprotocol,designedanddevelopedbyMIT,whichallowsnodescommunicatingoveranonsecurenetworktoprovetheiridentitytooneanotherinasecuremanner.
Kerberosversion5authenticationprotocolisanRFC(RequestForComments)standard.
SPNEGO(SimpleandProtectedGSSAPINegotiationMechanism)isaGSSAPIpseudo-mechanismthatisusedtonegotiateoneofanumberofpossiblerealmechanisms.
ItsmostvisibleuseisinMicrosoft'sHTTPNegotiateauthenticationextension.
ThenegotiablesubmechanismsincludeNTLM(NTLANManager)andKerberos,bothusedinMicrosoftActiveDirectory.
Moreinformationcanbefoundhere.
LotusConnectionscanleveragetheWebSphereApplicationServerSPNEGOTAI(trustassociationinterceptor)toprovidethesinglesign-on(SSO)capability,enablinguserstosignontotheMicrosoftWindowsdesktopandthenbeautomaticallysignedintoLotusConnectionsfeatureswithouthavingtoauthenticate.
Figure1showstherequest/responsedataflowintheWebSphereApplicationServerSPNEGOenvironment.
developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage2of19Figure1.
SPNEGOdataflowdiagramYoucanreadmoreabouttheWebSphereApplicationServerSPNEGOTAIinitsInformationCenter.
Inthisarticle,weillustratehowyoucanenableLotusConnectionstoprovidethesinglesign-on(SSO)capabilityforusersbasedonthedeploymentshowninfigure2.
Figure2.
LotusConnectionsSPNEGOdeploymenttoplogyActiveDirectoryandKerberosKDC(keydistributioncenter)aredeployedonaMicrosoftWindows2003ServerEnterpriseEditionsystem.
TheMicrosoftWindowsclientsystemistheusers'Windowsclientsystemwithbrowsersandotherapplicationsdeployed.
LotusConnections2.
5serveristheLotusConnections2.
5environmentusingActiveDirectoryastheLDAPdirectory;LotusConnections2.
5servercanbeamultiple-nodesclusteroronesingle-nodeenvironment.
Inthisarticle,wedeployLotusConnections2.
5serverontheMicrosoftWindowssystem.
PrerequisitetasksonActiveDirectoryandKerberosKDChostThereareseveralprerequisitetaskstobefinishedbythesystemadministratorsontheActiveDirectoryandKerberosKDChostbeforewecanproceed.
InstallActiveDirectoryonMicrosoftWindows2003Refertohttp://technet.
microsoft.
com/en-us/library/aa998088.
aspxonHowtoinstallActiveDirectoryonWindows2003ServerEnterpriseEdition.
AfteryouhavesuccessfullyinstalledActiveDirectory,makesurethattheKerberoskeydistributioncentersystemservicesisconfiguredcorrectlyintheServiceslist.
Double-clicktheKerberosKeyDistributionCenterservicetoselectibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage3of19theKerberosKeyDistributionCenterpropertiesasshowninfigure3.
MakesurethattheStartuptypefieldisselectedasAutomatic(Automaticisselectedbydefault).
Figure3.
KerberosKeyDistributionCenterpropertiesTheKDCserviceenablesuserstologontothenetworkusingtheKerberosV5authenticationprotocol.
Ifthisserviceisstopped,usersareunabletologontothedomainandaccessservices.
Onanon-KDC-enabledsystem(notadomaincontroller),theKDCservicestartuptypeisdisabled.
YoucanreadmoreabouttheMicrosoftWindowsKDCservice.
YoucanlearnhowtomodifytheKerberosprotocolregistryentriesandKDCconfigurationkeysinMicrosoftWindowsServer2003.
Weusethedefaultvaluesinthisconfiguration.
MakesurethatyouinstallaDNSserveronthisWindows2003systemasdetailedinstep9ofthisprocess.
OntheDNSRegistrationDiagnosticspage,followthesesteps:1.
ClickInstallandconfiguretheDNSserveronthiscomputer.
2.
SetthiscomputertousethisDNSserverasitspreferredDNSserver.
3.
ClickNext.
4.
TheDNSservicerunsonthisMicrosoftWindows2003Server.
Double-clicktheDNSServerservicetoselecttheDNSServerpropertiesasshowninfigure4.
MakesurethattheStartuptypefieldisselectedasAutomatic(Automaticisselectedbydefault).
developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage4of19Figure4.
DNSServerPropertieswindowTimesynchronizationfortheKerberosenvironmentTheMicrosoftWindowsServer2003hostingActiveDirectoryisusedasthedomaincontroller.
Iftimesynchronizationisnotaprobleminyourenterpriseintranet,youcanignorethissection.
Kerberosrequiresthattheclocksoftheinvolvedhostsaresynchronized.
Theticketshaveatimeavailabilityperiod,andifthehostclockisnotsynchronizedwiththeKerberosserverclock,theauthenticationfails.
WeoftenusethedomaincontrollerasthetimeserverandruntheWindowsScheduletaskontheinvolvedLotusConnectionsserverhoststodotimesynchronizationwiththedomaincontroller.
Figure5showsanexampletaskthatinvokesthesampleTimeSyn.
bateveryminute.
Figure5.
WindowsScheduledTasksfortimesynchronizationInourexample,usersneedtocreateabatchfilenamedTimeSyn.
batinC:\.
Ifexample.
yourdomain.
comisthedomaincontrollerandanNTPtimeserver,theTimeSyn.
batlookslikethecodeshowninlisting1.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage5of19Listing1.
SamplecodeforTimeSyn.
batw32tm/config/manualpeerlist:acme.
yourdomain.
com.
com,0x8/syncfromflags:MANUALnetstopw32timenetstartw32timew32tm/resyncInstallMicrosoftWindowssupporttoolsInstallMicrosoftWindowssupporttoolsontheWindows2003ServerEnterpriseEdition.
YouneedthistooltorunthektpasscommandonthedomaincontrollertosetSPNfortheserviceaccountandtogeneratethekeytabfile.
YoucangetdetailsabouthowtheKerberosprotocolworksinMicrosoftWindowsServer2003.
ConfiguretheLotusConnectionsservertosupporttheKerberosenvironment.
WhentheprerequisitetaskshavebeenfinishedwecanstarttheconfigurationontheLotusConnectionsserver.
ConfigureLotusConnectionstouseActiveDirectoryasauserrepositoryRefertotheLotusConnectionsInformationCentertolearnhowtoconfigurethesecuritytouseActiveDirectoryasauserrepositoryandhowtopopulatetheProfilesdatabase.
CreateaserviceaccounttoholdSPNinActiveDirectoryAnSPN(serviceprincipalname)isneededforLotusConnectionsintheKerberosenvironmenttoidentifytheLotusConnectionsserver.
AserviceaccountisneededinActiveDirectorytoholdthatSPN.
Tocreatetheserviceaccount,logintothedomaincontroller,gotoManageYourServer-DomainController(ActiveDirectory)-ManageusersandcomputersinActiveDirectory,andclickthebutton.
OntheAccountpage,makesurethatyouselecttheUsercannotchangepasswordandPasswordneverexpiresoptionsasshowninfigure6.
developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage6of19Figure6.
NewuseraccountpropertiesSetSPNandgeneratethekeytabfileRunthektpasscommandonthedomaincontrollertosetSPNfortheserviceaccountandgeneratethekeytabfile:ktpass–princ-out-mapuser-mapOpset–passwhereistheKerberosserviceprincipalname.
AKerberosprincipalisdividedintothreeparts:theprimary,theinstance,andtherealm.
TheformatofatypicalKerberosprincipalisprimary/instance@REALM.
IfLotusConnectionsishostedonthesystemSVTLCSPNEGO.
cn.
example.
comandthedomainnameisCN.
EXAMPLE.
COM,theSPNisHTTP/SVTLCSPNEGO.
cn.
example.
com@CN.
EXAMPLE.
COM.
isthelocationwhereyouwanttosavethekeytabfile.
istheserviceaccountname.
isthepasswordtotheserviceaccountname.
Assumethattheuseraccountcreatedinstep1islcserver01andthatthepasswordtotheserviceaccountisPassword1.
YouwanttosavethekeytabfileasC:\SVTLCSPNEGO.
keytab,sothecommandlookslikethefollowingcode:ktpass-princHTTP/SVTLCSPNEGO.
cn.
ibm.
com@CN.
IBM.
COM-outibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage7of19c:\SVTLCSPNEGO.
keytab-mapuserlcserver01-mapOpset-passPassw0rd1Thecommandoutputisshowninlisting2.
Listing2.
ktpasscommandoutputTargetingdomaincontroller:SVTLCSPNEGO.
cn.
ibm.
comUsinglegacypasswordsettingmethodSuccessfullymappedHTTP/SVTLCSPNEGO.
cn.
ibm.
comtolcserver01.
WARNING:pTypeandaccounttypedonotmatch.
Thismightcauseproblems.
Keycreated.
Outputkeytabtoc:\SVTLCSPNEGO.
keytab:Keytabversion:0x502keysize68HTTP/SVTLCSPNEGO.
cn.
ibm.
com@CN.
IBM.
COMptype0(KRB5_NT_UNKNOWN)vno4etype0x17(RC4-HMAC)keylength16(0x5858d47a41e40b40f294b3100bea611f)InaLotusConnectionscluster,youonlyneedtoselecttheIBMHTTPservernameorthevirtualhostname(usersaccesstheIBMHTTPserverorthevirtualhosttoexperienceLotusConnectionsfeatures)astheinstancenameintheKerberosserviceprincipalname.
ItisunnecessarytogeneratethekeytabfileforallnodesintheLotusConnectionscluster.
ConfigureSPNEGOTAIinWebSphereApplicationServerConfigureSPNEGOTAIintheWebSphereApplicationServeradministrativeconsolebytakingthesesteps:1.
NavigatetoSecurity-Secureadministration,applications,andinfrastructure,andexpandWebSecurity.
ClickTrustassociation.
2.
SelecttheEnabletrustassociationoptiontoenableTAI.
3.
SelectInterceptors-com.
ibm.
ws.
security.
spnego.
TrustAssociationInterceptorImpl-Customproperties.
4.
Addthecustompropertiesshowninlisting3.
Listing3.
CustompropertiesforSPNEGOTAIcom.
ibm.
ws.
security.
spnego.
SPN1.
hostName=com.
ibm.
ws.
security.
spnego.
SPN1.
NTLMTokenReceivedPage=com.
ibm.
ws.
security.
spnego.
SPN1.
spnegoNotSupportedPage=com.
ibm.
ws.
security.
spnego.
SPN1.
filter=request-url!
=/seedlist/authverify;request-url!
=/seedlist/server;request-url!
=/seedlist/myserver;request-url!
=noSPNEGOcom.
ibm.
ws.
security.
spnego.
SPN1.
filterClass=com.
ibm.
ws.
security.
spnego.
HTTPHeaderFilterwhereisthenameoftheserverwithwhichLotusConnectionsisaccessed(forexample,theIBMHTTPservernameorthevirtualhostname).
iswheretheSPNEGOTAIredirectpageiscreatedonthelocalfilesystem,forinstancefile:///Z:/share/TAIRedirect.
html.
YouneedtocreatethatHTMLfilemanually.
Thecontentisthecodeshowninlisting4.
Listing4.
SPNEGOTAIredirectpageTAIRedirect.
htmlvarorigUrl=""+document.
location;if(origUrl.
indexOf("noSPNEGO")=0)origUrl+="&noSPNEGO";elseorigUrl+="noSPNEGO";}functionredirTimer(){self.
setTimeout("self.
location.
href=origUrl;",0);}document.
write("Redirectto"+origUrl+"");5.
ClickOKtosavethechanges.
Figure7isascreencaptureofwhatdispaysinarealdeployment.
Figure7.
WebSphereadministrativeconsolescreencaptureforSPNEGOTAIcustompropertiesListing5isthesampleJACLcodethatcanfulfilltheWebSphereSPNEGOTAIsetupfromthewsadmininterface.
NamethefileasConfigTA.
jaclandrunitlikethis:wsadmin-fConfigTA.
jaclibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage9of19Remembertoreplacethecom.
ibm.
ws.
security.
spnego.
SPN1.
hostNamevaluewithyourrealconfigurationvariable.
Listing5.
ConfigTA.
jaclforWebSphereSPNEGOTAIsetupprocsaveConfig{}{globalAdminConfig$AdminConfigsave}procconfigTA{}{globalAdminConfigsettrustAssocConfigId[$AdminConfiglistTrustAssociation]settrust_attrib{}setmatchFound0settrust_assocEnabledysettrust_interceptorClassNamecom.
ibm.
ws.
security.
spnego.
TrustAssociationInterceptorImplif{$trust_assocEnabled!
={}}{if{[regexp$trust_assocEnabledy]}{lappendtrust_attrib[listenabled"true"]}else{lappendtrust_attrib[listenabled"false"]}$AdminConfigmodify$trustAssocConfigId$trust_attrib}if{$trust_interceptorClassName!
={}}{setlistOfTAI[$AdminConfiglistTAInterceptor]foreachtai$listOfTAI{setclassName[$AdminConfigshowAttribute$taiinterceptorClassName]if{[stringcompare$className$trust_interceptorClassName]==0}{setmatchFound1###break}}}if{$matchFound==1}{setinterceptorConfigId$taisettrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
hostName#replacewithyourIHShostsettrust_propertyValuesettrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"settrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
filterClasssettrust_propertyValuecom.
ibm.
ws.
security.
spnego.
HTTPHeaderFiltersettrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage10of19$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"settrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
filtersettrust_propertyValue"request-url!
=/seedlist/authverify;request-url!
=/seedlist/server;request-url!
=/seedlist/myserver;request-url!
=noSPNEGO"settrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"settrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
spnegoNotSupportedPagesettrust_propertyValuefile:///z:/TAIRedirect.
htmlsettrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"settrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
NTLMTokenReceivedPagesettrust_propertyValuefile:///z:/TAIRedirect.
htmlsettrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"}}#Mainprocedureputsstdout"Runlikethis:wsadmin-fConfigTA.
jacl"puts">configTA"configTAsaveConfigibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage11of19CreatetheKerberosconfigurationfileBeforeusingSPNEGOTAIinWebSphereApplicationServer,youneedtocreatetheKerberosconfigurationfile.
First,copythekeytabfiletotheserverwhereLotusConnectionsisinstalled.
ThenrunthecreateKrbConfigFilescriptwiththewsadmincommandlineutility,byissuingthecommandshowninlisting6.
Listing6.
wsadmincommandtocreatetheKerberosconfigurationfile$AdminTaskcreateKrbConfigFile{-krbPath\java\jre\lib\security\krb5.
conf-realm-kdcHost-dns-keytabPath}whereisthepathtotheWebSphereApplicationServerlocation,nottheLotusConnectionslocation.
istheKerberosrealmandmustbeshowninalluppercaseletters.
isthenameofthekeydistributioncenterhost.
istheDNSservername.
isthelocationofthekeytabfilegeneratedonthedomaincontroller.
EnabletheWebSphereSPNEGOTAIToenableSPNEGOTAI,logintotheWebSphereApplicationServeradministrativeconsole,andnavigatetoServers-Applicationservers.
Selecttheservername(typicallyserver1),expandJavaandProcessManagement,andselectProcessDefinition-JavaVirtualMachine-CustomProperties.
Addtwocustomproperties:com.
ibm.
ws.
security.
spnego.
isEnabled=truejava.
security.
krb5.
conf=IfyouinstallLotusConnectionsinmultipleserverinstances,youneedtorepeatthisstepforallserverinstances.
Listing7isthesampleJythoncodethatcanfulfillthetaskfromthewsadmininterface.
Namethefileasconfigspnegojvm.
pyandrunitlikethis:wsadmin-langjython-userwasadmin-passwordwasadmin-fconfigspnegojvm.
pyYour_Cell_NameYour_Node_NameYour_ServerInstance_Name.
Listing7.
configspnegojvm.
pyforenablingJVMSPNEGOcustompropertiesdefconfigspnegojvm(cellName,nodeName,serverName):globalAdminConfigkrb5conf="C:/IBM/WebSphere/AppServer/java/jre/lib/security/krb5.
conf"developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage12of19javasrv=AdminConfig.
getid("/Cell:"+cellName+"/Node:"+nodeName+"/Server:"+serverName+"/")#Checkingforexistenceofserverprint"Checkingforexistenceofserver"+serverNameiflen(javasrv)==0:print"Error--servernotfoundforname"+serverName+"::/Cell:"+cellName+"/Node:"+nodeName+"/Server:"+serverName+"/"returnelse:print"OK.
"+javasrvaddJVMCustomProperties=javaproc=AdminConfig.
list('JavaProcessDef',javasrv)prop=AdminConfig.
list('Property',javaproc)jvmp=AdminConfig.
list('JavaVirtualMachine',javaproc)if(prop.
find("com.
ibm.
ws.
security.
spnego.
isEnabled")>=0):print"INFO:JVMpropertiesseemalreadyexist:"printpropreturnAdminConfig.
create('Property',jvmp,[['name','com.
ibm.
ws.
security.
spnego.
isEnabled'],['value','true'],['required','false']])AdminConfig.
create('Property',jvmp,[['name','java.
security.
krb5.
conf'],['value',krb5conf],['required','false']])AdminConfig.
save()printCurrentJVMCustomProperties=prop=AdminConfig.
list('Property',jvmp)printprop#Main:#.
/wsadmin-langjython-userwasadmin-passwordwasadmin-fconfigspnegojvm.
pyYour_Cell_NameYour_Node_NameYour_ServerInstance_Nameif(len(sys.
argv)!
=3):print"Thisscriptrequires3parameters"print"e.
g.
:.
/wsadmin-langjython-userwasadmin-passwordwasadmin-fconfigspnegojvm.
pyYour_Cell_NameYour_Node_NameYour_ServerInstance_Name"else:cellName=sys.
argv[0]nodeName=sys.
argv[1]serverName=sys.
argv[2]print"cellName:"+cellNameprint"nodeName:"+nodeNameprint"serverName:"+serverNameprintconfigspnegojvm(cellName,nodeName,serverName)ConfiguretheAjaxproxyfortheLtpaTokencookieAddthefollowingpartintotheproxy-config.
tplfiletoconfiguretheAjaxproxytoproxyLtpaTokencookies.
Youcandothistaskwiththewsadminutilitytoextracttheconfigurationfilesfirst,addthefollowingcontent,andcheckintheconfiguration.
Youneedtorestarttheserverinstancestopickupthechanges.
Seelisting8.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage13of19Listing8.
proxy-config.
tplsettingsforAjaxproxyLtpaTokencookieJSESSIONIDLtpaTokenLtpaToken2ConfigureHTTPrewriterulestologouttoanunprotectedURISetURLrewriterulesintheIBMHTTPServerconfigurationfilenamedhttpd.
conftologouttoanunprotectedWebpage,sothatSPNEGOauthenticationdoesn'thappenagaintologintheuserautomatically.
Followthesesteps:1.
Openthehttpd.
conffileontheIBMHTTPServer,anduncommentthefollowinglines(removethe#):#LoadModulerewrite_modulemodules/mod_rewrite.
so2.
Thenaddthecodeshowninlisting9.
Listing9.
HTTPrewriterulesRewriteEngineOnRewriteCond%{REQUEST_URI}/(.
*)/ibm_security_logout(.
*)RewriteCond%{QUERY_STRING}!
=logoutExitPage=RewriteRule/(.
*)/ibm_security_logout(.
*)/$1/ibm_security_logoutlogoutExitPage=[noescape,L,R]whereistheunprotectedURLtowhichtheuserisredirectedafterlogout.
ItisanunprotectedURLtopreventSPNEGOauthentication.
BesuretoconfiguretheURLrewriteruleforbothHTTPandHTTPS.
ConfiguringtheclientbrowsertouseSPNEGOUsersneedtoconfiguretheirclientsbeforetheycanusetheLotusConnectionsservicesintheKerberosenvironment.
UserclientsystemtojointhedomainFirst,theuserclientsystemjoinsthedomain.
Theclientsystem'sDNSservervalueissetasthedomaincontrolleraddressintheTCP/IPPropertieswindowasshowninfigure8.
developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage14of19Figure8.
TCP/IPPropertiesontheclientsystemNext,followthelinkhttp://support.
microsoft.
com/kb/295017tojointhedomain.
.
Aftertheclientsuccessfullyjoinsthedomain,theadministratorofthedomaincontrollercanseethenewlyjoinedmemberintheActiveDirectoryUsersandComputersviewasshowninfigure9.
Figure9.
ComputerslistbelongstothespecificdomainUserclientbrowserconfigurationSecond,usersneedtoconfiguretheirclientbrowserstouseSPNEGO.
IfyouareusingMicrosoftInternetExplorer,followthesesteps:1.
IntheInternetExplorerwindow,selectTools-InternetOptions-Security.
2.
SelecttheLocalintraneticon,andclickSites.
3.
Inthewindowthatdisplays,clickAdvanced.
IntheAddthisWebsitetothezonefield,entertheWebaddressofthehostnamesothatsinglesign-on(SSO)canbeenabledtothelistofWebsitesshownintheWebsitesfield.
4.
ClickClose,andthenclickOKtocompletethisstepandclosetheLocalintranetwindow.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage15of19Figure10.
Localintranetsettings5.
InthesectionofthewidowtitledSecuritylevelforthiszone,clickCustomLevel.
IntheSecuritySettingswindowthatdisplays,scrolltoUserAuthentication-LogonandselecttheAutomaticlogononlyinIntranetzoneoption.
ClickOKtoclosetheSecuritySettingswindow.
Seefigure11.
Figure11.
SecuritysettingsforthelocalintranetzonedeveloperWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage16of196.
IntheInternetOptionswindow,clicktheAdvancedtabandscrolltoSecuritysettings.
MakesurethattheEnableIntegratedWindowsAuthentication(requiresrestart)optionisselected.
Seefigure12.
Figure12.
InternetOptionssetting7.
ClickOK.
RestartyourInternetExplorerbrowsertoactivatethisconfiguration.
IfyouareusingtheMozillaFirefoxbrowser,followthesesteps:1.
OpenFirefox.
2.
Intheaddressfield,enterabout:config.
3.
IntheFilterfield,enternetwork.
n.
4.
Doubleclick.
negotiate-auth.
trusted-uris.
ThispreferenceliststhesitesthatarepermittedtoengageinSPNEGOauthenticationwiththebrowser.
Enteracomma-delimitedlistoftrusteddomainsorURLs.
NOTE:Youmustsetthevaluefornetwork.
negotiate-auth.
trusted-urisasshowninfigure13.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage17of19Figure13.
MozillaFirefoxbrowsersetting5.
IfthedeployedSPNEGOsolutionusestheadvancedKerberosfeatureofcredentialdelegation,double-clicknetwork.
negotiate-auth.
delegation-uris.
Thispreferenceliststhesitesforwhichthebrowsercandelegateuserauthorizationtotheserver.
Enteracomma-delimitedlistoftrusteddomainsorURLs.
6.
ClickOK.
Theconfigurationdisplaysasupdated.
7.
RestartyourFirefoxbrowsertoactivatethisconfiguration.
AccessLotusConnectionswiththesinglesign-oncapabilityintheKerberosenvironmentAfteralltasksintheprecedingstepsarefinished,userscanstarttoexperienceLotusConnectionswithsinglesign-on.
Theyneedtologontotheirsystems,andtheywillnotbechallengedwhenusingLotusConnectionsfeatures.
Figure14isascreencapturetakenfromanactualdeployment.
UserAamir_000_000logsontohisWindowsclient(whichhasjoinedthedomaincontrolledbythedomaincontroller),openstheFirefoxbrowser,enterstheLotusConnectionshomepageaddress,andlogsontoLotusConnectionsautomatically.
Figure14.
AutomaticallyloadedLotusConnectionshomepagedeveloperWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage18of19TroubleshootingIfyouhaveanyproblemswhenusingLotusConnectionsintheSPNEGOenvironment,youcanenabletracingonSPENGOandKerberosusingthesesettings:JVMcustompropertysettingcom.
ibm.
security.
jgss.
debug=allcom.
ibm.
security.
krb5.
Krb5Debug=allLogsandtracesettingcom.
ibm.
ws.
security.
*=all:com.
ibm.
ws.
security.
spnego.
*=allConclusionThisarticleintroducedtheMicrosoftWindowssinglesign-onSPNEGOconceptandconfigurationsforLotusConnections2.
5,providingdetailedexplanationsforeachconfigurationstep.
Thesamplecodelistings,whichareusefulforautomatingsystemadministrationwork,inthearticlehavebeenverifiedbythesystemtestteam.
TheconfigurationstepscanalsobeappliedtootherWebapplications.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage19of19RelatedtopicsReadtheWebSphereApplicationServerInformationCenterarticle,"Creatingasinglesign-onforHTTPrequestsusingtheSPNEGOTAI.
"RefertotheKerberosUser'sGuide.
CopyrightIBMCorporation2010(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)
- synchronizedrewritecond相关文档
- COUNTrewritecond
- SCPRGrewritecond
- bruterewritecond
- dspacedbrewritecond
- cursesrewritecond
- addressrewritecond
BuyVM($5/月),1Gbps不限流量流媒体VPS主机
BuyVM针对中国客户推出了China Special - STREAM RYZEN VPS主机,带Streaming Optimized IP,帮你解锁多平台流媒体,适用于对于海外流媒体有需求的客户,主机开设在拉斯维加斯机房,AMD Ryzen+NVMe磁盘,支持Linux或者Windows操作系统,IPv4+IPv6,1Gbps不限流量,最低月付5加元起,比美元更低一些,现在汇率1加元=0.7...
小白云 (80元/月),四川德阳 4核2G,山东枣庄 4核2G,美国VPS20元/月起三网CN2
小白云是一家国人自营的企业IDC,主营国内外VPS,致力于让每一个用户都能轻松、快速、经济地享受高端的服务,成立于2019年,拥有国内大带宽高防御的特点,专注于DDoS/CC等攻击的防护;海外线路精选纯CN2线路,以确保用户体验的首选线路,商家线上多名客服一对一解决处理用户的问题,提供7*24无人全自动化服务。商家承诺绝不超开,以用户体验为中心为用提供服务,一直坚持主打以产品质量用户体验性以及高效...
香港 E5-2650 16G 10M 900元首月 美国 E5-2660 V2 16G 100M 688元/月 华纳云
华纳云双11钜惠出海:CN2海外物理服务器终身价688元/月,香港/美国机房,免费送20G DDos防御,50M CN2或100M国际带宽可选,(文内附带测评)华纳云作为一家专业的全球数据中心基础服务提供商,总部在香港,拥有香港政府颁发的商业登记证明,APNIC 和 ARIN 会员单位。主营香港服务器、美国服务器、香港/美国OpenStack云服务器、香港高防物理服务器、美国高防服务器、香港高防I...
rewritecond为你推荐
-
域名注册商如何成为一个域名注册商呀vps汽车的VPS是什么,和GPS有什么区别虚拟主机申请现在做网站申请虚拟主机选择哪种合适?虚拟主机系统虚拟主机采用什么操作系统?深圳虚拟主机深圳有哪些比较有名气的网络推广公司域名信息查询具体怎么查看一个网站的域名信息?免费二级域名谁有免费二级域名的地址啊?????建网站用百度域名www.baidu.com.cn是百度的网址吗域名反查whois反查怎么查,有什么接口吗?通过邮箱查有多少域名???域名反查在阿里万网注册了一个.xin域名,现在有些人直接反查我信息,我要怎么隐藏这些信息啊