synchronizedrewritecond
rewritecond 时间:2021-01-11 阅读:()
CopyrightIBMCorporation2010TrademarksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage1of19Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentYangChaoFengLiShengShuangYuXiaoFengFebruary02,2010Inthisarticle,wediscusstheconfigurationofaKerberos-basedsinglesign-onsolutionfromaMicrosoftWindowsdesktoptoIBMLotusConnectionsrunningonIBMWebSphereApplicationServer.
Editor'snote:KnowalotaboutthistopicWanttoshareyourexpertiseParticipateintheIBMLotussoftwarewikiprogramtoday.
LotusConnectionswikiIntroductionBeforewestartourdiscussionofconfiguringsinglesing-oninIBMLotusConnection,weneedtoreviewsomeconceptsfirst:KerberosandSPNEGO.
Kerberosisacomputernetworkauthenticationprotocol,designedanddevelopedbyMIT,whichallowsnodescommunicatingoveranonsecurenetworktoprovetheiridentitytooneanotherinasecuremanner.
Kerberosversion5authenticationprotocolisanRFC(RequestForComments)standard.
SPNEGO(SimpleandProtectedGSSAPINegotiationMechanism)isaGSSAPIpseudo-mechanismthatisusedtonegotiateoneofanumberofpossiblerealmechanisms.
ItsmostvisibleuseisinMicrosoft'sHTTPNegotiateauthenticationextension.
ThenegotiablesubmechanismsincludeNTLM(NTLANManager)andKerberos,bothusedinMicrosoftActiveDirectory.
Moreinformationcanbefoundhere.
LotusConnectionscanleveragetheWebSphereApplicationServerSPNEGOTAI(trustassociationinterceptor)toprovidethesinglesign-on(SSO)capability,enablinguserstosignontotheMicrosoftWindowsdesktopandthenbeautomaticallysignedintoLotusConnectionsfeatureswithouthavingtoauthenticate.
Figure1showstherequest/responsedataflowintheWebSphereApplicationServerSPNEGOenvironment.
developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage2of19Figure1.
SPNEGOdataflowdiagramYoucanreadmoreabouttheWebSphereApplicationServerSPNEGOTAIinitsInformationCenter.
Inthisarticle,weillustratehowyoucanenableLotusConnectionstoprovidethesinglesign-on(SSO)capabilityforusersbasedonthedeploymentshowninfigure2.
Figure2.
LotusConnectionsSPNEGOdeploymenttoplogyActiveDirectoryandKerberosKDC(keydistributioncenter)aredeployedonaMicrosoftWindows2003ServerEnterpriseEditionsystem.
TheMicrosoftWindowsclientsystemistheusers'Windowsclientsystemwithbrowsersandotherapplicationsdeployed.
LotusConnections2.
5serveristheLotusConnections2.
5environmentusingActiveDirectoryastheLDAPdirectory;LotusConnections2.
5servercanbeamultiple-nodesclusteroronesingle-nodeenvironment.
Inthisarticle,wedeployLotusConnections2.
5serverontheMicrosoftWindowssystem.
PrerequisitetasksonActiveDirectoryandKerberosKDChostThereareseveralprerequisitetaskstobefinishedbythesystemadministratorsontheActiveDirectoryandKerberosKDChostbeforewecanproceed.
InstallActiveDirectoryonMicrosoftWindows2003Refertohttp://technet.
microsoft.
com/en-us/library/aa998088.
aspxonHowtoinstallActiveDirectoryonWindows2003ServerEnterpriseEdition.
AfteryouhavesuccessfullyinstalledActiveDirectory,makesurethattheKerberoskeydistributioncentersystemservicesisconfiguredcorrectlyintheServiceslist.
Double-clicktheKerberosKeyDistributionCenterservicetoselectibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage3of19theKerberosKeyDistributionCenterpropertiesasshowninfigure3.
MakesurethattheStartuptypefieldisselectedasAutomatic(Automaticisselectedbydefault).
Figure3.
KerberosKeyDistributionCenterpropertiesTheKDCserviceenablesuserstologontothenetworkusingtheKerberosV5authenticationprotocol.
Ifthisserviceisstopped,usersareunabletologontothedomainandaccessservices.
Onanon-KDC-enabledsystem(notadomaincontroller),theKDCservicestartuptypeisdisabled.
YoucanreadmoreabouttheMicrosoftWindowsKDCservice.
YoucanlearnhowtomodifytheKerberosprotocolregistryentriesandKDCconfigurationkeysinMicrosoftWindowsServer2003.
Weusethedefaultvaluesinthisconfiguration.
MakesurethatyouinstallaDNSserveronthisWindows2003systemasdetailedinstep9ofthisprocess.
OntheDNSRegistrationDiagnosticspage,followthesesteps:1.
ClickInstallandconfiguretheDNSserveronthiscomputer.
2.
SetthiscomputertousethisDNSserverasitspreferredDNSserver.
3.
ClickNext.
4.
TheDNSservicerunsonthisMicrosoftWindows2003Server.
Double-clicktheDNSServerservicetoselecttheDNSServerpropertiesasshowninfigure4.
MakesurethattheStartuptypefieldisselectedasAutomatic(Automaticisselectedbydefault).
developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage4of19Figure4.
DNSServerPropertieswindowTimesynchronizationfortheKerberosenvironmentTheMicrosoftWindowsServer2003hostingActiveDirectoryisusedasthedomaincontroller.
Iftimesynchronizationisnotaprobleminyourenterpriseintranet,youcanignorethissection.
Kerberosrequiresthattheclocksoftheinvolvedhostsaresynchronized.
Theticketshaveatimeavailabilityperiod,andifthehostclockisnotsynchronizedwiththeKerberosserverclock,theauthenticationfails.
WeoftenusethedomaincontrollerasthetimeserverandruntheWindowsScheduletaskontheinvolvedLotusConnectionsserverhoststodotimesynchronizationwiththedomaincontroller.
Figure5showsanexampletaskthatinvokesthesampleTimeSyn.
bateveryminute.
Figure5.
WindowsScheduledTasksfortimesynchronizationInourexample,usersneedtocreateabatchfilenamedTimeSyn.
batinC:\.
Ifexample.
yourdomain.
comisthedomaincontrollerandanNTPtimeserver,theTimeSyn.
batlookslikethecodeshowninlisting1.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage5of19Listing1.
SamplecodeforTimeSyn.
batw32tm/config/manualpeerlist:acme.
yourdomain.
com.
com,0x8/syncfromflags:MANUALnetstopw32timenetstartw32timew32tm/resyncInstallMicrosoftWindowssupporttoolsInstallMicrosoftWindowssupporttoolsontheWindows2003ServerEnterpriseEdition.
YouneedthistooltorunthektpasscommandonthedomaincontrollertosetSPNfortheserviceaccountandtogeneratethekeytabfile.
YoucangetdetailsabouthowtheKerberosprotocolworksinMicrosoftWindowsServer2003.
ConfiguretheLotusConnectionsservertosupporttheKerberosenvironment.
WhentheprerequisitetaskshavebeenfinishedwecanstarttheconfigurationontheLotusConnectionsserver.
ConfigureLotusConnectionstouseActiveDirectoryasauserrepositoryRefertotheLotusConnectionsInformationCentertolearnhowtoconfigurethesecuritytouseActiveDirectoryasauserrepositoryandhowtopopulatetheProfilesdatabase.
CreateaserviceaccounttoholdSPNinActiveDirectoryAnSPN(serviceprincipalname)isneededforLotusConnectionsintheKerberosenvironmenttoidentifytheLotusConnectionsserver.
AserviceaccountisneededinActiveDirectorytoholdthatSPN.
Tocreatetheserviceaccount,logintothedomaincontroller,gotoManageYourServer-DomainController(ActiveDirectory)-ManageusersandcomputersinActiveDirectory,andclickthebutton.
OntheAccountpage,makesurethatyouselecttheUsercannotchangepasswordandPasswordneverexpiresoptionsasshowninfigure6.
developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage6of19Figure6.
NewuseraccountpropertiesSetSPNandgeneratethekeytabfileRunthektpasscommandonthedomaincontrollertosetSPNfortheserviceaccountandgeneratethekeytabfile:ktpass–princ-out-mapuser-mapOpset–passwhereistheKerberosserviceprincipalname.
AKerberosprincipalisdividedintothreeparts:theprimary,theinstance,andtherealm.
TheformatofatypicalKerberosprincipalisprimary/instance@REALM.
IfLotusConnectionsishostedonthesystemSVTLCSPNEGO.
cn.
example.
comandthedomainnameisCN.
EXAMPLE.
COM,theSPNisHTTP/SVTLCSPNEGO.
cn.
example.
com@CN.
EXAMPLE.
COM.
isthelocationwhereyouwanttosavethekeytabfile.
istheserviceaccountname.
isthepasswordtotheserviceaccountname.
Assumethattheuseraccountcreatedinstep1islcserver01andthatthepasswordtotheserviceaccountisPassword1.
YouwanttosavethekeytabfileasC:\SVTLCSPNEGO.
keytab,sothecommandlookslikethefollowingcode:ktpass-princHTTP/SVTLCSPNEGO.
cn.
ibm.
com@CN.
IBM.
COM-outibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage7of19c:\SVTLCSPNEGO.
keytab-mapuserlcserver01-mapOpset-passPassw0rd1Thecommandoutputisshowninlisting2.
Listing2.
ktpasscommandoutputTargetingdomaincontroller:SVTLCSPNEGO.
cn.
ibm.
comUsinglegacypasswordsettingmethodSuccessfullymappedHTTP/SVTLCSPNEGO.
cn.
ibm.
comtolcserver01.
WARNING:pTypeandaccounttypedonotmatch.
Thismightcauseproblems.
Keycreated.
Outputkeytabtoc:\SVTLCSPNEGO.
keytab:Keytabversion:0x502keysize68HTTP/SVTLCSPNEGO.
cn.
ibm.
com@CN.
IBM.
COMptype0(KRB5_NT_UNKNOWN)vno4etype0x17(RC4-HMAC)keylength16(0x5858d47a41e40b40f294b3100bea611f)InaLotusConnectionscluster,youonlyneedtoselecttheIBMHTTPservernameorthevirtualhostname(usersaccesstheIBMHTTPserverorthevirtualhosttoexperienceLotusConnectionsfeatures)astheinstancenameintheKerberosserviceprincipalname.
ItisunnecessarytogeneratethekeytabfileforallnodesintheLotusConnectionscluster.
ConfigureSPNEGOTAIinWebSphereApplicationServerConfigureSPNEGOTAIintheWebSphereApplicationServeradministrativeconsolebytakingthesesteps:1.
NavigatetoSecurity-Secureadministration,applications,andinfrastructure,andexpandWebSecurity.
ClickTrustassociation.
2.
SelecttheEnabletrustassociationoptiontoenableTAI.
3.
SelectInterceptors-com.
ibm.
ws.
security.
spnego.
TrustAssociationInterceptorImpl-Customproperties.
4.
Addthecustompropertiesshowninlisting3.
Listing3.
CustompropertiesforSPNEGOTAIcom.
ibm.
ws.
security.
spnego.
SPN1.
hostName=com.
ibm.
ws.
security.
spnego.
SPN1.
NTLMTokenReceivedPage=com.
ibm.
ws.
security.
spnego.
SPN1.
spnegoNotSupportedPage=com.
ibm.
ws.
security.
spnego.
SPN1.
filter=request-url!
=/seedlist/authverify;request-url!
=/seedlist/server;request-url!
=/seedlist/myserver;request-url!
=noSPNEGOcom.
ibm.
ws.
security.
spnego.
SPN1.
filterClass=com.
ibm.
ws.
security.
spnego.
HTTPHeaderFilterwhereisthenameoftheserverwithwhichLotusConnectionsisaccessed(forexample,theIBMHTTPservernameorthevirtualhostname).
iswheretheSPNEGOTAIredirectpageiscreatedonthelocalfilesystem,forinstancefile:///Z:/share/TAIRedirect.
html.
YouneedtocreatethatHTMLfilemanually.
Thecontentisthecodeshowninlisting4.
Listing4.
SPNEGOTAIredirectpageTAIRedirect.
htmlvarorigUrl=""+document.
location;if(origUrl.
indexOf("noSPNEGO")=0)origUrl+="&noSPNEGO";elseorigUrl+="noSPNEGO";}functionredirTimer(){self.
setTimeout("self.
location.
href=origUrl;",0);}document.
write("Redirectto"+origUrl+"");5.
ClickOKtosavethechanges.
Figure7isascreencaptureofwhatdispaysinarealdeployment.
Figure7.
WebSphereadministrativeconsolescreencaptureforSPNEGOTAIcustompropertiesListing5isthesampleJACLcodethatcanfulfilltheWebSphereSPNEGOTAIsetupfromthewsadmininterface.
NamethefileasConfigTA.
jaclandrunitlikethis:wsadmin-fConfigTA.
jaclibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage9of19Remembertoreplacethecom.
ibm.
ws.
security.
spnego.
SPN1.
hostNamevaluewithyourrealconfigurationvariable.
Listing5.
ConfigTA.
jaclforWebSphereSPNEGOTAIsetupprocsaveConfig{}{globalAdminConfig$AdminConfigsave}procconfigTA{}{globalAdminConfigsettrustAssocConfigId[$AdminConfiglistTrustAssociation]settrust_attrib{}setmatchFound0settrust_assocEnabledysettrust_interceptorClassNamecom.
ibm.
ws.
security.
spnego.
TrustAssociationInterceptorImplif{$trust_assocEnabled!
={}}{if{[regexp$trust_assocEnabledy]}{lappendtrust_attrib[listenabled"true"]}else{lappendtrust_attrib[listenabled"false"]}$AdminConfigmodify$trustAssocConfigId$trust_attrib}if{$trust_interceptorClassName!
={}}{setlistOfTAI[$AdminConfiglistTAInterceptor]foreachtai$listOfTAI{setclassName[$AdminConfigshowAttribute$taiinterceptorClassName]if{[stringcompare$className$trust_interceptorClassName]==0}{setmatchFound1###break}}}if{$matchFound==1}{setinterceptorConfigId$taisettrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
hostName#replacewithyourIHShostsettrust_propertyValuesettrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"settrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
filterClasssettrust_propertyValuecom.
ibm.
ws.
security.
spnego.
HTTPHeaderFiltersettrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage10of19$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"settrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
filtersettrust_propertyValue"request-url!
=/seedlist/authverify;request-url!
=/seedlist/server;request-url!
=/seedlist/myserver;request-url!
=noSPNEGO"settrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"settrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
spnegoNotSupportedPagesettrust_propertyValuefile:///z:/TAIRedirect.
htmlsettrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"settrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
NTLMTokenReceivedPagesettrust_propertyValuefile:///z:/TAIRedirect.
htmlsettrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"}}#Mainprocedureputsstdout"Runlikethis:wsadmin-fConfigTA.
jacl"puts">configTA"configTAsaveConfigibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage11of19CreatetheKerberosconfigurationfileBeforeusingSPNEGOTAIinWebSphereApplicationServer,youneedtocreatetheKerberosconfigurationfile.
First,copythekeytabfiletotheserverwhereLotusConnectionsisinstalled.
ThenrunthecreateKrbConfigFilescriptwiththewsadmincommandlineutility,byissuingthecommandshowninlisting6.
Listing6.
wsadmincommandtocreatetheKerberosconfigurationfile$AdminTaskcreateKrbConfigFile{-krbPath\java\jre\lib\security\krb5.
conf-realm-kdcHost-dns-keytabPath}whereisthepathtotheWebSphereApplicationServerlocation,nottheLotusConnectionslocation.
istheKerberosrealmandmustbeshowninalluppercaseletters.
isthenameofthekeydistributioncenterhost.
istheDNSservername.
isthelocationofthekeytabfilegeneratedonthedomaincontroller.
EnabletheWebSphereSPNEGOTAIToenableSPNEGOTAI,logintotheWebSphereApplicationServeradministrativeconsole,andnavigatetoServers-Applicationservers.
Selecttheservername(typicallyserver1),expandJavaandProcessManagement,andselectProcessDefinition-JavaVirtualMachine-CustomProperties.
Addtwocustomproperties:com.
ibm.
ws.
security.
spnego.
isEnabled=truejava.
security.
krb5.
conf=IfyouinstallLotusConnectionsinmultipleserverinstances,youneedtorepeatthisstepforallserverinstances.
Listing7isthesampleJythoncodethatcanfulfillthetaskfromthewsadmininterface.
Namethefileasconfigspnegojvm.
pyandrunitlikethis:wsadmin-langjython-userwasadmin-passwordwasadmin-fconfigspnegojvm.
pyYour_Cell_NameYour_Node_NameYour_ServerInstance_Name.
Listing7.
configspnegojvm.
pyforenablingJVMSPNEGOcustompropertiesdefconfigspnegojvm(cellName,nodeName,serverName):globalAdminConfigkrb5conf="C:/IBM/WebSphere/AppServer/java/jre/lib/security/krb5.
conf"developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage12of19javasrv=AdminConfig.
getid("/Cell:"+cellName+"/Node:"+nodeName+"/Server:"+serverName+"/")#Checkingforexistenceofserverprint"Checkingforexistenceofserver"+serverNameiflen(javasrv)==0:print"Error--servernotfoundforname"+serverName+"::/Cell:"+cellName+"/Node:"+nodeName+"/Server:"+serverName+"/"returnelse:print"OK.
"+javasrvaddJVMCustomProperties=javaproc=AdminConfig.
list('JavaProcessDef',javasrv)prop=AdminConfig.
list('Property',javaproc)jvmp=AdminConfig.
list('JavaVirtualMachine',javaproc)if(prop.
find("com.
ibm.
ws.
security.
spnego.
isEnabled")>=0):print"INFO:JVMpropertiesseemalreadyexist:"printpropreturnAdminConfig.
create('Property',jvmp,[['name','com.
ibm.
ws.
security.
spnego.
isEnabled'],['value','true'],['required','false']])AdminConfig.
create('Property',jvmp,[['name','java.
security.
krb5.
conf'],['value',krb5conf],['required','false']])AdminConfig.
save()printCurrentJVMCustomProperties=prop=AdminConfig.
list('Property',jvmp)printprop#Main:#.
/wsadmin-langjython-userwasadmin-passwordwasadmin-fconfigspnegojvm.
pyYour_Cell_NameYour_Node_NameYour_ServerInstance_Nameif(len(sys.
argv)!
=3):print"Thisscriptrequires3parameters"print"e.
g.
:.
/wsadmin-langjython-userwasadmin-passwordwasadmin-fconfigspnegojvm.
pyYour_Cell_NameYour_Node_NameYour_ServerInstance_Name"else:cellName=sys.
argv[0]nodeName=sys.
argv[1]serverName=sys.
argv[2]print"cellName:"+cellNameprint"nodeName:"+nodeNameprint"serverName:"+serverNameprintconfigspnegojvm(cellName,nodeName,serverName)ConfiguretheAjaxproxyfortheLtpaTokencookieAddthefollowingpartintotheproxy-config.
tplfiletoconfiguretheAjaxproxytoproxyLtpaTokencookies.
Youcandothistaskwiththewsadminutilitytoextracttheconfigurationfilesfirst,addthefollowingcontent,andcheckintheconfiguration.
Youneedtorestarttheserverinstancestopickupthechanges.
Seelisting8.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage13of19Listing8.
proxy-config.
tplsettingsforAjaxproxyLtpaTokencookieJSESSIONIDLtpaTokenLtpaToken2ConfigureHTTPrewriterulestologouttoanunprotectedURISetURLrewriterulesintheIBMHTTPServerconfigurationfilenamedhttpd.
conftologouttoanunprotectedWebpage,sothatSPNEGOauthenticationdoesn'thappenagaintologintheuserautomatically.
Followthesesteps:1.
Openthehttpd.
conffileontheIBMHTTPServer,anduncommentthefollowinglines(removethe#):#LoadModulerewrite_modulemodules/mod_rewrite.
so2.
Thenaddthecodeshowninlisting9.
Listing9.
HTTPrewriterulesRewriteEngineOnRewriteCond%{REQUEST_URI}/(.
*)/ibm_security_logout(.
*)RewriteCond%{QUERY_STRING}!
=logoutExitPage=RewriteRule/(.
*)/ibm_security_logout(.
*)/$1/ibm_security_logoutlogoutExitPage=[noescape,L,R]whereistheunprotectedURLtowhichtheuserisredirectedafterlogout.
ItisanunprotectedURLtopreventSPNEGOauthentication.
BesuretoconfiguretheURLrewriteruleforbothHTTPandHTTPS.
ConfiguringtheclientbrowsertouseSPNEGOUsersneedtoconfiguretheirclientsbeforetheycanusetheLotusConnectionsservicesintheKerberosenvironment.
UserclientsystemtojointhedomainFirst,theuserclientsystemjoinsthedomain.
Theclientsystem'sDNSservervalueissetasthedomaincontrolleraddressintheTCP/IPPropertieswindowasshowninfigure8.
developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage14of19Figure8.
TCP/IPPropertiesontheclientsystemNext,followthelinkhttp://support.
microsoft.
com/kb/295017tojointhedomain.
.
Aftertheclientsuccessfullyjoinsthedomain,theadministratorofthedomaincontrollercanseethenewlyjoinedmemberintheActiveDirectoryUsersandComputersviewasshowninfigure9.
Figure9.
ComputerslistbelongstothespecificdomainUserclientbrowserconfigurationSecond,usersneedtoconfiguretheirclientbrowserstouseSPNEGO.
IfyouareusingMicrosoftInternetExplorer,followthesesteps:1.
IntheInternetExplorerwindow,selectTools-InternetOptions-Security.
2.
SelecttheLocalintraneticon,andclickSites.
3.
Inthewindowthatdisplays,clickAdvanced.
IntheAddthisWebsitetothezonefield,entertheWebaddressofthehostnamesothatsinglesign-on(SSO)canbeenabledtothelistofWebsitesshownintheWebsitesfield.
4.
ClickClose,andthenclickOKtocompletethisstepandclosetheLocalintranetwindow.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage15of19Figure10.
Localintranetsettings5.
InthesectionofthewidowtitledSecuritylevelforthiszone,clickCustomLevel.
IntheSecuritySettingswindowthatdisplays,scrolltoUserAuthentication-LogonandselecttheAutomaticlogononlyinIntranetzoneoption.
ClickOKtoclosetheSecuritySettingswindow.
Seefigure11.
Figure11.
SecuritysettingsforthelocalintranetzonedeveloperWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage16of196.
IntheInternetOptionswindow,clicktheAdvancedtabandscrolltoSecuritysettings.
MakesurethattheEnableIntegratedWindowsAuthentication(requiresrestart)optionisselected.
Seefigure12.
Figure12.
InternetOptionssetting7.
ClickOK.
RestartyourInternetExplorerbrowsertoactivatethisconfiguration.
IfyouareusingtheMozillaFirefoxbrowser,followthesesteps:1.
OpenFirefox.
2.
Intheaddressfield,enterabout:config.
3.
IntheFilterfield,enternetwork.
n.
4.
Doubleclick.
negotiate-auth.
trusted-uris.
ThispreferenceliststhesitesthatarepermittedtoengageinSPNEGOauthenticationwiththebrowser.
Enteracomma-delimitedlistoftrusteddomainsorURLs.
NOTE:Youmustsetthevaluefornetwork.
negotiate-auth.
trusted-urisasshowninfigure13.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage17of19Figure13.
MozillaFirefoxbrowsersetting5.
IfthedeployedSPNEGOsolutionusestheadvancedKerberosfeatureofcredentialdelegation,double-clicknetwork.
negotiate-auth.
delegation-uris.
Thispreferenceliststhesitesforwhichthebrowsercandelegateuserauthorizationtotheserver.
Enteracomma-delimitedlistoftrusteddomainsorURLs.
6.
ClickOK.
Theconfigurationdisplaysasupdated.
7.
RestartyourFirefoxbrowsertoactivatethisconfiguration.
AccessLotusConnectionswiththesinglesign-oncapabilityintheKerberosenvironmentAfteralltasksintheprecedingstepsarefinished,userscanstarttoexperienceLotusConnectionswithsinglesign-on.
Theyneedtologontotheirsystems,andtheywillnotbechallengedwhenusingLotusConnectionsfeatures.
Figure14isascreencapturetakenfromanactualdeployment.
UserAamir_000_000logsontohisWindowsclient(whichhasjoinedthedomaincontrolledbythedomaincontroller),openstheFirefoxbrowser,enterstheLotusConnectionshomepageaddress,andlogsontoLotusConnectionsautomatically.
Figure14.
AutomaticallyloadedLotusConnectionshomepagedeveloperWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage18of19TroubleshootingIfyouhaveanyproblemswhenusingLotusConnectionsintheSPNEGOenvironment,youcanenabletracingonSPENGOandKerberosusingthesesettings:JVMcustompropertysettingcom.
ibm.
security.
jgss.
debug=allcom.
ibm.
security.
krb5.
Krb5Debug=allLogsandtracesettingcom.
ibm.
ws.
security.
*=all:com.
ibm.
ws.
security.
spnego.
*=allConclusionThisarticleintroducedtheMicrosoftWindowssinglesign-onSPNEGOconceptandconfigurationsforLotusConnections2.
5,providingdetailedexplanationsforeachconfigurationstep.
Thesamplecodelistings,whichareusefulforautomatingsystemadministrationwork,inthearticlehavebeenverifiedbythesystemtestteam.
TheconfigurationstepscanalsobeappliedtootherWebapplications.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage19of19RelatedtopicsReadtheWebSphereApplicationServerInformationCenterarticle,"Creatingasinglesign-onforHTTPrequestsusingtheSPNEGOTAI.
"RefertotheKerberosUser'sGuide.
CopyrightIBMCorporation2010(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)
Editor'snote:KnowalotaboutthistopicWanttoshareyourexpertiseParticipateintheIBMLotussoftwarewikiprogramtoday.
LotusConnectionswikiIntroductionBeforewestartourdiscussionofconfiguringsinglesing-oninIBMLotusConnection,weneedtoreviewsomeconceptsfirst:KerberosandSPNEGO.
Kerberosisacomputernetworkauthenticationprotocol,designedanddevelopedbyMIT,whichallowsnodescommunicatingoveranonsecurenetworktoprovetheiridentitytooneanotherinasecuremanner.
Kerberosversion5authenticationprotocolisanRFC(RequestForComments)standard.
SPNEGO(SimpleandProtectedGSSAPINegotiationMechanism)isaGSSAPIpseudo-mechanismthatisusedtonegotiateoneofanumberofpossiblerealmechanisms.
ItsmostvisibleuseisinMicrosoft'sHTTPNegotiateauthenticationextension.
ThenegotiablesubmechanismsincludeNTLM(NTLANManager)andKerberos,bothusedinMicrosoftActiveDirectory.
Moreinformationcanbefoundhere.
LotusConnectionscanleveragetheWebSphereApplicationServerSPNEGOTAI(trustassociationinterceptor)toprovidethesinglesign-on(SSO)capability,enablinguserstosignontotheMicrosoftWindowsdesktopandthenbeautomaticallysignedintoLotusConnectionsfeatureswithouthavingtoauthenticate.
Figure1showstherequest/responsedataflowintheWebSphereApplicationServerSPNEGOenvironment.
developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage2of19Figure1.
SPNEGOdataflowdiagramYoucanreadmoreabouttheWebSphereApplicationServerSPNEGOTAIinitsInformationCenter.
Inthisarticle,weillustratehowyoucanenableLotusConnectionstoprovidethesinglesign-on(SSO)capabilityforusersbasedonthedeploymentshowninfigure2.
Figure2.
LotusConnectionsSPNEGOdeploymenttoplogyActiveDirectoryandKerberosKDC(keydistributioncenter)aredeployedonaMicrosoftWindows2003ServerEnterpriseEditionsystem.
TheMicrosoftWindowsclientsystemistheusers'Windowsclientsystemwithbrowsersandotherapplicationsdeployed.
LotusConnections2.
5serveristheLotusConnections2.
5environmentusingActiveDirectoryastheLDAPdirectory;LotusConnections2.
5servercanbeamultiple-nodesclusteroronesingle-nodeenvironment.
Inthisarticle,wedeployLotusConnections2.
5serverontheMicrosoftWindowssystem.
PrerequisitetasksonActiveDirectoryandKerberosKDChostThereareseveralprerequisitetaskstobefinishedbythesystemadministratorsontheActiveDirectoryandKerberosKDChostbeforewecanproceed.
InstallActiveDirectoryonMicrosoftWindows2003Refertohttp://technet.
microsoft.
com/en-us/library/aa998088.
aspxonHowtoinstallActiveDirectoryonWindows2003ServerEnterpriseEdition.
AfteryouhavesuccessfullyinstalledActiveDirectory,makesurethattheKerberoskeydistributioncentersystemservicesisconfiguredcorrectlyintheServiceslist.
Double-clicktheKerberosKeyDistributionCenterservicetoselectibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage3of19theKerberosKeyDistributionCenterpropertiesasshowninfigure3.
MakesurethattheStartuptypefieldisselectedasAutomatic(Automaticisselectedbydefault).
Figure3.
KerberosKeyDistributionCenterpropertiesTheKDCserviceenablesuserstologontothenetworkusingtheKerberosV5authenticationprotocol.
Ifthisserviceisstopped,usersareunabletologontothedomainandaccessservices.
Onanon-KDC-enabledsystem(notadomaincontroller),theKDCservicestartuptypeisdisabled.
YoucanreadmoreabouttheMicrosoftWindowsKDCservice.
YoucanlearnhowtomodifytheKerberosprotocolregistryentriesandKDCconfigurationkeysinMicrosoftWindowsServer2003.
Weusethedefaultvaluesinthisconfiguration.
MakesurethatyouinstallaDNSserveronthisWindows2003systemasdetailedinstep9ofthisprocess.
OntheDNSRegistrationDiagnosticspage,followthesesteps:1.
ClickInstallandconfiguretheDNSserveronthiscomputer.
2.
SetthiscomputertousethisDNSserverasitspreferredDNSserver.
3.
ClickNext.
4.
TheDNSservicerunsonthisMicrosoftWindows2003Server.
Double-clicktheDNSServerservicetoselecttheDNSServerpropertiesasshowninfigure4.
MakesurethattheStartuptypefieldisselectedasAutomatic(Automaticisselectedbydefault).
developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage4of19Figure4.
DNSServerPropertieswindowTimesynchronizationfortheKerberosenvironmentTheMicrosoftWindowsServer2003hostingActiveDirectoryisusedasthedomaincontroller.
Iftimesynchronizationisnotaprobleminyourenterpriseintranet,youcanignorethissection.
Kerberosrequiresthattheclocksoftheinvolvedhostsaresynchronized.
Theticketshaveatimeavailabilityperiod,andifthehostclockisnotsynchronizedwiththeKerberosserverclock,theauthenticationfails.
WeoftenusethedomaincontrollerasthetimeserverandruntheWindowsScheduletaskontheinvolvedLotusConnectionsserverhoststodotimesynchronizationwiththedomaincontroller.
Figure5showsanexampletaskthatinvokesthesampleTimeSyn.
bateveryminute.
Figure5.
WindowsScheduledTasksfortimesynchronizationInourexample,usersneedtocreateabatchfilenamedTimeSyn.
batinC:\.
Ifexample.
yourdomain.
comisthedomaincontrollerandanNTPtimeserver,theTimeSyn.
batlookslikethecodeshowninlisting1.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage5of19Listing1.
SamplecodeforTimeSyn.
batw32tm/config/manualpeerlist:acme.
yourdomain.
com.
com,0x8/syncfromflags:MANUALnetstopw32timenetstartw32timew32tm/resyncInstallMicrosoftWindowssupporttoolsInstallMicrosoftWindowssupporttoolsontheWindows2003ServerEnterpriseEdition.
YouneedthistooltorunthektpasscommandonthedomaincontrollertosetSPNfortheserviceaccountandtogeneratethekeytabfile.
YoucangetdetailsabouthowtheKerberosprotocolworksinMicrosoftWindowsServer2003.
ConfiguretheLotusConnectionsservertosupporttheKerberosenvironment.
WhentheprerequisitetaskshavebeenfinishedwecanstarttheconfigurationontheLotusConnectionsserver.
ConfigureLotusConnectionstouseActiveDirectoryasauserrepositoryRefertotheLotusConnectionsInformationCentertolearnhowtoconfigurethesecuritytouseActiveDirectoryasauserrepositoryandhowtopopulatetheProfilesdatabase.
CreateaserviceaccounttoholdSPNinActiveDirectoryAnSPN(serviceprincipalname)isneededforLotusConnectionsintheKerberosenvironmenttoidentifytheLotusConnectionsserver.
AserviceaccountisneededinActiveDirectorytoholdthatSPN.
Tocreatetheserviceaccount,logintothedomaincontroller,gotoManageYourServer-DomainController(ActiveDirectory)-ManageusersandcomputersinActiveDirectory,andclickthebutton.
OntheAccountpage,makesurethatyouselecttheUsercannotchangepasswordandPasswordneverexpiresoptionsasshowninfigure6.
developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage6of19Figure6.
NewuseraccountpropertiesSetSPNandgeneratethekeytabfileRunthektpasscommandonthedomaincontrollertosetSPNfortheserviceaccountandgeneratethekeytabfile:ktpass–princ-out-mapuser-mapOpset–passwhereistheKerberosserviceprincipalname.
AKerberosprincipalisdividedintothreeparts:theprimary,theinstance,andtherealm.
TheformatofatypicalKerberosprincipalisprimary/instance@REALM.
IfLotusConnectionsishostedonthesystemSVTLCSPNEGO.
cn.
example.
comandthedomainnameisCN.
EXAMPLE.
COM,theSPNisHTTP/SVTLCSPNEGO.
cn.
example.
com@CN.
EXAMPLE.
COM.
isthelocationwhereyouwanttosavethekeytabfile.
istheserviceaccountname.
isthepasswordtotheserviceaccountname.
Assumethattheuseraccountcreatedinstep1islcserver01andthatthepasswordtotheserviceaccountisPassword1.
YouwanttosavethekeytabfileasC:\SVTLCSPNEGO.
keytab,sothecommandlookslikethefollowingcode:ktpass-princHTTP/SVTLCSPNEGO.
cn.
ibm.
com@CN.
IBM.
COM-outibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage7of19c:\SVTLCSPNEGO.
keytab-mapuserlcserver01-mapOpset-passPassw0rd1Thecommandoutputisshowninlisting2.
Listing2.
ktpasscommandoutputTargetingdomaincontroller:SVTLCSPNEGO.
cn.
ibm.
comUsinglegacypasswordsettingmethodSuccessfullymappedHTTP/SVTLCSPNEGO.
cn.
ibm.
comtolcserver01.
WARNING:pTypeandaccounttypedonotmatch.
Thismightcauseproblems.
Keycreated.
Outputkeytabtoc:\SVTLCSPNEGO.
keytab:Keytabversion:0x502keysize68HTTP/SVTLCSPNEGO.
cn.
ibm.
com@CN.
IBM.
COMptype0(KRB5_NT_UNKNOWN)vno4etype0x17(RC4-HMAC)keylength16(0x5858d47a41e40b40f294b3100bea611f)InaLotusConnectionscluster,youonlyneedtoselecttheIBMHTTPservernameorthevirtualhostname(usersaccesstheIBMHTTPserverorthevirtualhosttoexperienceLotusConnectionsfeatures)astheinstancenameintheKerberosserviceprincipalname.
ItisunnecessarytogeneratethekeytabfileforallnodesintheLotusConnectionscluster.
ConfigureSPNEGOTAIinWebSphereApplicationServerConfigureSPNEGOTAIintheWebSphereApplicationServeradministrativeconsolebytakingthesesteps:1.
NavigatetoSecurity-Secureadministration,applications,andinfrastructure,andexpandWebSecurity.
ClickTrustassociation.
2.
SelecttheEnabletrustassociationoptiontoenableTAI.
3.
SelectInterceptors-com.
ibm.
ws.
security.
spnego.
TrustAssociationInterceptorImpl-Customproperties.
4.
Addthecustompropertiesshowninlisting3.
Listing3.
CustompropertiesforSPNEGOTAIcom.
ibm.
ws.
security.
spnego.
SPN1.
hostName=com.
ibm.
ws.
security.
spnego.
SPN1.
NTLMTokenReceivedPage=com.
ibm.
ws.
security.
spnego.
SPN1.
spnegoNotSupportedPage=com.
ibm.
ws.
security.
spnego.
SPN1.
filter=request-url!
=/seedlist/authverify;request-url!
=/seedlist/server;request-url!
=/seedlist/myserver;request-url!
=noSPNEGOcom.
ibm.
ws.
security.
spnego.
SPN1.
filterClass=com.
ibm.
ws.
security.
spnego.
HTTPHeaderFilterwhereisthenameoftheserverwithwhichLotusConnectionsisaccessed(forexample,theIBMHTTPservernameorthevirtualhostname).
iswheretheSPNEGOTAIredirectpageiscreatedonthelocalfilesystem,forinstancefile:///Z:/share/TAIRedirect.
html.
YouneedtocreatethatHTMLfilemanually.
Thecontentisthecodeshowninlisting4.
Listing4.
SPNEGOTAIredirectpageTAIRedirect.
htmlvarorigUrl=""+document.
location;if(origUrl.
indexOf("noSPNEGO")=0)origUrl+="&noSPNEGO";elseorigUrl+="noSPNEGO";}functionredirTimer(){self.
setTimeout("self.
location.
href=origUrl;",0);}document.
write("Redirectto"+origUrl+"");5.
ClickOKtosavethechanges.
Figure7isascreencaptureofwhatdispaysinarealdeployment.
Figure7.
WebSphereadministrativeconsolescreencaptureforSPNEGOTAIcustompropertiesListing5isthesampleJACLcodethatcanfulfilltheWebSphereSPNEGOTAIsetupfromthewsadmininterface.
NamethefileasConfigTA.
jaclandrunitlikethis:wsadmin-fConfigTA.
jaclibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage9of19Remembertoreplacethecom.
ibm.
ws.
security.
spnego.
SPN1.
hostNamevaluewithyourrealconfigurationvariable.
Listing5.
ConfigTA.
jaclforWebSphereSPNEGOTAIsetupprocsaveConfig{}{globalAdminConfig$AdminConfigsave}procconfigTA{}{globalAdminConfigsettrustAssocConfigId[$AdminConfiglistTrustAssociation]settrust_attrib{}setmatchFound0settrust_assocEnabledysettrust_interceptorClassNamecom.
ibm.
ws.
security.
spnego.
TrustAssociationInterceptorImplif{$trust_assocEnabled!
={}}{if{[regexp$trust_assocEnabledy]}{lappendtrust_attrib[listenabled"true"]}else{lappendtrust_attrib[listenabled"false"]}$AdminConfigmodify$trustAssocConfigId$trust_attrib}if{$trust_interceptorClassName!
={}}{setlistOfTAI[$AdminConfiglistTAInterceptor]foreachtai$listOfTAI{setclassName[$AdminConfigshowAttribute$taiinterceptorClassName]if{[stringcompare$className$trust_interceptorClassName]==0}{setmatchFound1###break}}}if{$matchFound==1}{setinterceptorConfigId$taisettrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
hostName#replacewithyourIHShostsettrust_propertyValuesettrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"settrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
filterClasssettrust_propertyValuecom.
ibm.
ws.
security.
spnego.
HTTPHeaderFiltersettrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage10of19$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"settrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
filtersettrust_propertyValue"request-url!
=/seedlist/authverify;request-url!
=/seedlist/server;request-url!
=/seedlist/myserver;request-url!
=noSPNEGO"settrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"settrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
spnegoNotSupportedPagesettrust_propertyValuefile:///z:/TAIRedirect.
htmlsettrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"settrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
NTLMTokenReceivedPagesettrust_propertyValuefile:///z:/TAIRedirect.
htmlsettrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"}}#Mainprocedureputsstdout"Runlikethis:wsadmin-fConfigTA.
jacl"puts">configTA"configTAsaveConfigibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage11of19CreatetheKerberosconfigurationfileBeforeusingSPNEGOTAIinWebSphereApplicationServer,youneedtocreatetheKerberosconfigurationfile.
First,copythekeytabfiletotheserverwhereLotusConnectionsisinstalled.
ThenrunthecreateKrbConfigFilescriptwiththewsadmincommandlineutility,byissuingthecommandshowninlisting6.
Listing6.
wsadmincommandtocreatetheKerberosconfigurationfile$AdminTaskcreateKrbConfigFile{-krbPath\java\jre\lib\security\krb5.
conf-realm-kdcHost-dns-keytabPath}whereisthepathtotheWebSphereApplicationServerlocation,nottheLotusConnectionslocation.
istheKerberosrealmandmustbeshowninalluppercaseletters.
isthenameofthekeydistributioncenterhost.
istheDNSservername.
isthelocationofthekeytabfilegeneratedonthedomaincontroller.
EnabletheWebSphereSPNEGOTAIToenableSPNEGOTAI,logintotheWebSphereApplicationServeradministrativeconsole,andnavigatetoServers-Applicationservers.
Selecttheservername(typicallyserver1),expandJavaandProcessManagement,andselectProcessDefinition-JavaVirtualMachine-CustomProperties.
Addtwocustomproperties:com.
ibm.
ws.
security.
spnego.
isEnabled=truejava.
security.
krb5.
conf=IfyouinstallLotusConnectionsinmultipleserverinstances,youneedtorepeatthisstepforallserverinstances.
Listing7isthesampleJythoncodethatcanfulfillthetaskfromthewsadmininterface.
Namethefileasconfigspnegojvm.
pyandrunitlikethis:wsadmin-langjython-userwasadmin-passwordwasadmin-fconfigspnegojvm.
pyYour_Cell_NameYour_Node_NameYour_ServerInstance_Name.
Listing7.
configspnegojvm.
pyforenablingJVMSPNEGOcustompropertiesdefconfigspnegojvm(cellName,nodeName,serverName):globalAdminConfigkrb5conf="C:/IBM/WebSphere/AppServer/java/jre/lib/security/krb5.
conf"developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage12of19javasrv=AdminConfig.
getid("/Cell:"+cellName+"/Node:"+nodeName+"/Server:"+serverName+"/")#Checkingforexistenceofserverprint"Checkingforexistenceofserver"+serverNameiflen(javasrv)==0:print"Error--servernotfoundforname"+serverName+"::/Cell:"+cellName+"/Node:"+nodeName+"/Server:"+serverName+"/"returnelse:print"OK.
"+javasrvaddJVMCustomProperties=javaproc=AdminConfig.
list('JavaProcessDef',javasrv)prop=AdminConfig.
list('Property',javaproc)jvmp=AdminConfig.
list('JavaVirtualMachine',javaproc)if(prop.
find("com.
ibm.
ws.
security.
spnego.
isEnabled")>=0):print"INFO:JVMpropertiesseemalreadyexist:"printpropreturnAdminConfig.
create('Property',jvmp,[['name','com.
ibm.
ws.
security.
spnego.
isEnabled'],['value','true'],['required','false']])AdminConfig.
create('Property',jvmp,[['name','java.
security.
krb5.
conf'],['value',krb5conf],['required','false']])AdminConfig.
save()printCurrentJVMCustomProperties=prop=AdminConfig.
list('Property',jvmp)printprop#Main:#.
/wsadmin-langjython-userwasadmin-passwordwasadmin-fconfigspnegojvm.
pyYour_Cell_NameYour_Node_NameYour_ServerInstance_Nameif(len(sys.
argv)!
=3):print"Thisscriptrequires3parameters"print"e.
g.
:.
/wsadmin-langjython-userwasadmin-passwordwasadmin-fconfigspnegojvm.
pyYour_Cell_NameYour_Node_NameYour_ServerInstance_Name"else:cellName=sys.
argv[0]nodeName=sys.
argv[1]serverName=sys.
argv[2]print"cellName:"+cellNameprint"nodeName:"+nodeNameprint"serverName:"+serverNameprintconfigspnegojvm(cellName,nodeName,serverName)ConfiguretheAjaxproxyfortheLtpaTokencookieAddthefollowingpartintotheproxy-config.
tplfiletoconfiguretheAjaxproxytoproxyLtpaTokencookies.
Youcandothistaskwiththewsadminutilitytoextracttheconfigurationfilesfirst,addthefollowingcontent,andcheckintheconfiguration.
Youneedtorestarttheserverinstancestopickupthechanges.
Seelisting8.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage13of19Listing8.
proxy-config.
tplsettingsforAjaxproxyLtpaTokencookieJSESSIONIDLtpaTokenLtpaToken2ConfigureHTTPrewriterulestologouttoanunprotectedURISetURLrewriterulesintheIBMHTTPServerconfigurationfilenamedhttpd.
conftologouttoanunprotectedWebpage,sothatSPNEGOauthenticationdoesn'thappenagaintologintheuserautomatically.
Followthesesteps:1.
Openthehttpd.
conffileontheIBMHTTPServer,anduncommentthefollowinglines(removethe#):#LoadModulerewrite_modulemodules/mod_rewrite.
so2.
Thenaddthecodeshowninlisting9.
Listing9.
HTTPrewriterulesRewriteEngineOnRewriteCond%{REQUEST_URI}/(.
*)/ibm_security_logout(.
*)RewriteCond%{QUERY_STRING}!
=logoutExitPage=RewriteRule/(.
*)/ibm_security_logout(.
*)/$1/ibm_security_logoutlogoutExitPage=[noescape,L,R]whereistheunprotectedURLtowhichtheuserisredirectedafterlogout.
ItisanunprotectedURLtopreventSPNEGOauthentication.
BesuretoconfiguretheURLrewriteruleforbothHTTPandHTTPS.
ConfiguringtheclientbrowsertouseSPNEGOUsersneedtoconfiguretheirclientsbeforetheycanusetheLotusConnectionsservicesintheKerberosenvironment.
UserclientsystemtojointhedomainFirst,theuserclientsystemjoinsthedomain.
Theclientsystem'sDNSservervalueissetasthedomaincontrolleraddressintheTCP/IPPropertieswindowasshowninfigure8.
developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage14of19Figure8.
TCP/IPPropertiesontheclientsystemNext,followthelinkhttp://support.
microsoft.
com/kb/295017tojointhedomain.
.
Aftertheclientsuccessfullyjoinsthedomain,theadministratorofthedomaincontrollercanseethenewlyjoinedmemberintheActiveDirectoryUsersandComputersviewasshowninfigure9.
Figure9.
ComputerslistbelongstothespecificdomainUserclientbrowserconfigurationSecond,usersneedtoconfiguretheirclientbrowserstouseSPNEGO.
IfyouareusingMicrosoftInternetExplorer,followthesesteps:1.
IntheInternetExplorerwindow,selectTools-InternetOptions-Security.
2.
SelecttheLocalintraneticon,andclickSites.
3.
Inthewindowthatdisplays,clickAdvanced.
IntheAddthisWebsitetothezonefield,entertheWebaddressofthehostnamesothatsinglesign-on(SSO)canbeenabledtothelistofWebsitesshownintheWebsitesfield.
4.
ClickClose,andthenclickOKtocompletethisstepandclosetheLocalintranetwindow.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage15of19Figure10.
Localintranetsettings5.
InthesectionofthewidowtitledSecuritylevelforthiszone,clickCustomLevel.
IntheSecuritySettingswindowthatdisplays,scrolltoUserAuthentication-LogonandselecttheAutomaticlogononlyinIntranetzoneoption.
ClickOKtoclosetheSecuritySettingswindow.
Seefigure11.
Figure11.
SecuritysettingsforthelocalintranetzonedeveloperWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage16of196.
IntheInternetOptionswindow,clicktheAdvancedtabandscrolltoSecuritysettings.
MakesurethattheEnableIntegratedWindowsAuthentication(requiresrestart)optionisselected.
Seefigure12.
Figure12.
InternetOptionssetting7.
ClickOK.
RestartyourInternetExplorerbrowsertoactivatethisconfiguration.
IfyouareusingtheMozillaFirefoxbrowser,followthesesteps:1.
OpenFirefox.
2.
Intheaddressfield,enterabout:config.
3.
IntheFilterfield,enternetwork.
n.
4.
Doubleclick.
negotiate-auth.
trusted-uris.
ThispreferenceliststhesitesthatarepermittedtoengageinSPNEGOauthenticationwiththebrowser.
Enteracomma-delimitedlistoftrusteddomainsorURLs.
NOTE:Youmustsetthevaluefornetwork.
negotiate-auth.
trusted-urisasshowninfigure13.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage17of19Figure13.
MozillaFirefoxbrowsersetting5.
IfthedeployedSPNEGOsolutionusestheadvancedKerberosfeatureofcredentialdelegation,double-clicknetwork.
negotiate-auth.
delegation-uris.
Thispreferenceliststhesitesforwhichthebrowsercandelegateuserauthorizationtotheserver.
Enteracomma-delimitedlistoftrusteddomainsorURLs.
6.
ClickOK.
Theconfigurationdisplaysasupdated.
7.
RestartyourFirefoxbrowsertoactivatethisconfiguration.
AccessLotusConnectionswiththesinglesign-oncapabilityintheKerberosenvironmentAfteralltasksintheprecedingstepsarefinished,userscanstarttoexperienceLotusConnectionswithsinglesign-on.
Theyneedtologontotheirsystems,andtheywillnotbechallengedwhenusingLotusConnectionsfeatures.
Figure14isascreencapturetakenfromanactualdeployment.
UserAamir_000_000logsontohisWindowsclient(whichhasjoinedthedomaincontrolledbythedomaincontroller),openstheFirefoxbrowser,enterstheLotusConnectionshomepageaddress,andlogsontoLotusConnectionsautomatically.
Figure14.
AutomaticallyloadedLotusConnectionshomepagedeveloperWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage18of19TroubleshootingIfyouhaveanyproblemswhenusingLotusConnectionsintheSPNEGOenvironment,youcanenabletracingonSPENGOandKerberosusingthesesettings:JVMcustompropertysettingcom.
ibm.
security.
jgss.
debug=allcom.
ibm.
security.
krb5.
Krb5Debug=allLogsandtracesettingcom.
ibm.
ws.
security.
*=all:com.
ibm.
ws.
security.
spnego.
*=allConclusionThisarticleintroducedtheMicrosoftWindowssinglesign-onSPNEGOconceptandconfigurationsforLotusConnections2.
5,providingdetailedexplanationsforeachconfigurationstep.
Thesamplecodelistings,whichareusefulforautomatingsystemadministrationwork,inthearticlehavebeenverifiedbythesystemtestteam.
TheconfigurationstepscanalsobeappliedtootherWebapplications.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage19of19RelatedtopicsReadtheWebSphereApplicationServerInformationCenterarticle,"Creatingasinglesign-onforHTTPrequestsusingtheSPNEGOTAI.
"RefertotheKerberosUser'sGuide.
CopyrightIBMCorporation2010(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)
- synchronizedrewritecond相关文档
- COUNTrewritecond
- SCPRGrewritecond
- bruterewritecond
- dspacedbrewritecond
- cursesrewritecond
- addressrewritecond
10GBIZ(月$2.36 ), 香港和洛杉矶CN2 GIA
10GBIZ服务商经常有看到隔壁的一些博客分享内容,我翻看网站看之前有记录过一篇,只不过由于服务商是2020年新成立的所以分享内容比较谨慎。这不至今已经有将近两年的服务商而且云服务产品也比较丰富,目前有看到10GBIZ服务商有提供香港、美国洛杉矶等多机房的云服务器、独立服务器和站群服务器。其中比较吸引到我们用户的是亚洲节点的包括香港、日本等七星级网络服务。具体我们看看相关的配置和线路产品。第一、香...
CloudCone2核KVM美国洛杉矶MC机房机房2.89美元/月,美国洛杉矶MC机房KVM虚拟架构2核1.5G内存1Gbps带宽,国外便宜美国VPS七月特价优惠
近日CloudCone发布了七月的特价便宜优惠VPS云服务器产品,KVM虚拟架构,性价比最高的为2核心1.5G内存1Gbps带宽5TB月流量,2.89美元/月,稳定性还是非常不错的,有需要国外便宜VPS云服务器的朋友可以关注一下。CloudCone怎么样?CloudCone服务器好不好?CloudCone值不值得购买?CloudCone是一家成立于2017年的美国服务器提供商,国外实力大厂,自己开...
个人网站备案流程及注意事项(内容方向和适用主机商)
如今我们还有在做个人网站吗?随着自媒体和短视频的发展和兴起,包括我们很多WEB2.0产品的延续,当然也包括个人建站市场的低迷和用户关注的不同,有些个人已经不在做网站。但是,由于我们有些朋友出于网站的爱好或者说是有些项目还是基于PC端网站的,还是有网友抱有信心的,比如我们看到有一些老牌个人网站依旧在运行,且还有新网站的出现。今天在这篇文章中谈谈有网友问关于个人网站备案的问题。这个也是前几天有他在选择...
rewritecond为你推荐
-
虚拟主机代理个人适合代理虚拟主机的业务吗免费网站域名申请怎么免费上传我的网站呀和免费申请域名虚拟主机申请个人虚拟主机怎么申请?海外域名什么叫海外域名?免费域名空间求速度快的 免费空间 带域名的 谢谢大家成都虚拟空间成都市规划信息技术中心如何?免费网站空间免费个人网站 空间什么是虚拟主机虚拟主机是什么北京虚拟主机租用北京云主机租用哪家资质正规,价格便宜,服务好?要真云主机不要那种vps的假云主机,机房要在北京的!天津虚拟主机天津APP开发的比较专业的公司有哪些?