synchronizedrewritecond
rewritecond 时间:2021-01-11 阅读:()
CopyrightIBMCorporation2010TrademarksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage1of19Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentYangChaoFengLiShengShuangYuXiaoFengFebruary02,2010Inthisarticle,wediscusstheconfigurationofaKerberos-basedsinglesign-onsolutionfromaMicrosoftWindowsdesktoptoIBMLotusConnectionsrunningonIBMWebSphereApplicationServer.
Editor'snote:KnowalotaboutthistopicWanttoshareyourexpertiseParticipateintheIBMLotussoftwarewikiprogramtoday.
LotusConnectionswikiIntroductionBeforewestartourdiscussionofconfiguringsinglesing-oninIBMLotusConnection,weneedtoreviewsomeconceptsfirst:KerberosandSPNEGO.
Kerberosisacomputernetworkauthenticationprotocol,designedanddevelopedbyMIT,whichallowsnodescommunicatingoveranonsecurenetworktoprovetheiridentitytooneanotherinasecuremanner.
Kerberosversion5authenticationprotocolisanRFC(RequestForComments)standard.
SPNEGO(SimpleandProtectedGSSAPINegotiationMechanism)isaGSSAPIpseudo-mechanismthatisusedtonegotiateoneofanumberofpossiblerealmechanisms.
ItsmostvisibleuseisinMicrosoft'sHTTPNegotiateauthenticationextension.
ThenegotiablesubmechanismsincludeNTLM(NTLANManager)andKerberos,bothusedinMicrosoftActiveDirectory.
Moreinformationcanbefoundhere.
LotusConnectionscanleveragetheWebSphereApplicationServerSPNEGOTAI(trustassociationinterceptor)toprovidethesinglesign-on(SSO)capability,enablinguserstosignontotheMicrosoftWindowsdesktopandthenbeautomaticallysignedintoLotusConnectionsfeatureswithouthavingtoauthenticate.
Figure1showstherequest/responsedataflowintheWebSphereApplicationServerSPNEGOenvironment.
developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage2of19Figure1.
SPNEGOdataflowdiagramYoucanreadmoreabouttheWebSphereApplicationServerSPNEGOTAIinitsInformationCenter.
Inthisarticle,weillustratehowyoucanenableLotusConnectionstoprovidethesinglesign-on(SSO)capabilityforusersbasedonthedeploymentshowninfigure2.
Figure2.
LotusConnectionsSPNEGOdeploymenttoplogyActiveDirectoryandKerberosKDC(keydistributioncenter)aredeployedonaMicrosoftWindows2003ServerEnterpriseEditionsystem.
TheMicrosoftWindowsclientsystemistheusers'Windowsclientsystemwithbrowsersandotherapplicationsdeployed.
LotusConnections2.
5serveristheLotusConnections2.
5environmentusingActiveDirectoryastheLDAPdirectory;LotusConnections2.
5servercanbeamultiple-nodesclusteroronesingle-nodeenvironment.
Inthisarticle,wedeployLotusConnections2.
5serverontheMicrosoftWindowssystem.
PrerequisitetasksonActiveDirectoryandKerberosKDChostThereareseveralprerequisitetaskstobefinishedbythesystemadministratorsontheActiveDirectoryandKerberosKDChostbeforewecanproceed.
InstallActiveDirectoryonMicrosoftWindows2003Refertohttp://technet.
microsoft.
com/en-us/library/aa998088.
aspxonHowtoinstallActiveDirectoryonWindows2003ServerEnterpriseEdition.
AfteryouhavesuccessfullyinstalledActiveDirectory,makesurethattheKerberoskeydistributioncentersystemservicesisconfiguredcorrectlyintheServiceslist.
Double-clicktheKerberosKeyDistributionCenterservicetoselectibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage3of19theKerberosKeyDistributionCenterpropertiesasshowninfigure3.
MakesurethattheStartuptypefieldisselectedasAutomatic(Automaticisselectedbydefault).
Figure3.
KerberosKeyDistributionCenterpropertiesTheKDCserviceenablesuserstologontothenetworkusingtheKerberosV5authenticationprotocol.
Ifthisserviceisstopped,usersareunabletologontothedomainandaccessservices.
Onanon-KDC-enabledsystem(notadomaincontroller),theKDCservicestartuptypeisdisabled.
YoucanreadmoreabouttheMicrosoftWindowsKDCservice.
YoucanlearnhowtomodifytheKerberosprotocolregistryentriesandKDCconfigurationkeysinMicrosoftWindowsServer2003.
Weusethedefaultvaluesinthisconfiguration.
MakesurethatyouinstallaDNSserveronthisWindows2003systemasdetailedinstep9ofthisprocess.
OntheDNSRegistrationDiagnosticspage,followthesesteps:1.
ClickInstallandconfiguretheDNSserveronthiscomputer.
2.
SetthiscomputertousethisDNSserverasitspreferredDNSserver.
3.
ClickNext.
4.
TheDNSservicerunsonthisMicrosoftWindows2003Server.
Double-clicktheDNSServerservicetoselecttheDNSServerpropertiesasshowninfigure4.
MakesurethattheStartuptypefieldisselectedasAutomatic(Automaticisselectedbydefault).
developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage4of19Figure4.
DNSServerPropertieswindowTimesynchronizationfortheKerberosenvironmentTheMicrosoftWindowsServer2003hostingActiveDirectoryisusedasthedomaincontroller.
Iftimesynchronizationisnotaprobleminyourenterpriseintranet,youcanignorethissection.
Kerberosrequiresthattheclocksoftheinvolvedhostsaresynchronized.
Theticketshaveatimeavailabilityperiod,andifthehostclockisnotsynchronizedwiththeKerberosserverclock,theauthenticationfails.
WeoftenusethedomaincontrollerasthetimeserverandruntheWindowsScheduletaskontheinvolvedLotusConnectionsserverhoststodotimesynchronizationwiththedomaincontroller.
Figure5showsanexampletaskthatinvokesthesampleTimeSyn.
bateveryminute.
Figure5.
WindowsScheduledTasksfortimesynchronizationInourexample,usersneedtocreateabatchfilenamedTimeSyn.
batinC:\.
Ifexample.
yourdomain.
comisthedomaincontrollerandanNTPtimeserver,theTimeSyn.
batlookslikethecodeshowninlisting1.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage5of19Listing1.
SamplecodeforTimeSyn.
batw32tm/config/manualpeerlist:acme.
yourdomain.
com.
com,0x8/syncfromflags:MANUALnetstopw32timenetstartw32timew32tm/resyncInstallMicrosoftWindowssupporttoolsInstallMicrosoftWindowssupporttoolsontheWindows2003ServerEnterpriseEdition.
YouneedthistooltorunthektpasscommandonthedomaincontrollertosetSPNfortheserviceaccountandtogeneratethekeytabfile.
YoucangetdetailsabouthowtheKerberosprotocolworksinMicrosoftWindowsServer2003.
ConfiguretheLotusConnectionsservertosupporttheKerberosenvironment.
WhentheprerequisitetaskshavebeenfinishedwecanstarttheconfigurationontheLotusConnectionsserver.
ConfigureLotusConnectionstouseActiveDirectoryasauserrepositoryRefertotheLotusConnectionsInformationCentertolearnhowtoconfigurethesecuritytouseActiveDirectoryasauserrepositoryandhowtopopulatetheProfilesdatabase.
CreateaserviceaccounttoholdSPNinActiveDirectoryAnSPN(serviceprincipalname)isneededforLotusConnectionsintheKerberosenvironmenttoidentifytheLotusConnectionsserver.
AserviceaccountisneededinActiveDirectorytoholdthatSPN.
Tocreatetheserviceaccount,logintothedomaincontroller,gotoManageYourServer-DomainController(ActiveDirectory)-ManageusersandcomputersinActiveDirectory,andclickthebutton.
OntheAccountpage,makesurethatyouselecttheUsercannotchangepasswordandPasswordneverexpiresoptionsasshowninfigure6.
developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage6of19Figure6.
NewuseraccountpropertiesSetSPNandgeneratethekeytabfileRunthektpasscommandonthedomaincontrollertosetSPNfortheserviceaccountandgeneratethekeytabfile:ktpass–princ-out-mapuser-mapOpset–passwhereistheKerberosserviceprincipalname.
AKerberosprincipalisdividedintothreeparts:theprimary,theinstance,andtherealm.
TheformatofatypicalKerberosprincipalisprimary/instance@REALM.
IfLotusConnectionsishostedonthesystemSVTLCSPNEGO.
cn.
example.
comandthedomainnameisCN.
EXAMPLE.
COM,theSPNisHTTP/SVTLCSPNEGO.
cn.
example.
com@CN.
EXAMPLE.
COM.
isthelocationwhereyouwanttosavethekeytabfile.
istheserviceaccountname.
isthepasswordtotheserviceaccountname.
Assumethattheuseraccountcreatedinstep1islcserver01andthatthepasswordtotheserviceaccountisPassword1.
YouwanttosavethekeytabfileasC:\SVTLCSPNEGO.
keytab,sothecommandlookslikethefollowingcode:ktpass-princHTTP/SVTLCSPNEGO.
cn.
ibm.
com@CN.
IBM.
COM-outibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage7of19c:\SVTLCSPNEGO.
keytab-mapuserlcserver01-mapOpset-passPassw0rd1Thecommandoutputisshowninlisting2.
Listing2.
ktpasscommandoutputTargetingdomaincontroller:SVTLCSPNEGO.
cn.
ibm.
comUsinglegacypasswordsettingmethodSuccessfullymappedHTTP/SVTLCSPNEGO.
cn.
ibm.
comtolcserver01.
WARNING:pTypeandaccounttypedonotmatch.
Thismightcauseproblems.
Keycreated.
Outputkeytabtoc:\SVTLCSPNEGO.
keytab:Keytabversion:0x502keysize68HTTP/SVTLCSPNEGO.
cn.
ibm.
com@CN.
IBM.
COMptype0(KRB5_NT_UNKNOWN)vno4etype0x17(RC4-HMAC)keylength16(0x5858d47a41e40b40f294b3100bea611f)InaLotusConnectionscluster,youonlyneedtoselecttheIBMHTTPservernameorthevirtualhostname(usersaccesstheIBMHTTPserverorthevirtualhosttoexperienceLotusConnectionsfeatures)astheinstancenameintheKerberosserviceprincipalname.
ItisunnecessarytogeneratethekeytabfileforallnodesintheLotusConnectionscluster.
ConfigureSPNEGOTAIinWebSphereApplicationServerConfigureSPNEGOTAIintheWebSphereApplicationServeradministrativeconsolebytakingthesesteps:1.
NavigatetoSecurity-Secureadministration,applications,andinfrastructure,andexpandWebSecurity.
ClickTrustassociation.
2.
SelecttheEnabletrustassociationoptiontoenableTAI.
3.
SelectInterceptors-com.
ibm.
ws.
security.
spnego.
TrustAssociationInterceptorImpl-Customproperties.
4.
Addthecustompropertiesshowninlisting3.
Listing3.
CustompropertiesforSPNEGOTAIcom.
ibm.
ws.
security.
spnego.
SPN1.
hostName=com.
ibm.
ws.
security.
spnego.
SPN1.
NTLMTokenReceivedPage=com.
ibm.
ws.
security.
spnego.
SPN1.
spnegoNotSupportedPage=com.
ibm.
ws.
security.
spnego.
SPN1.
filter=request-url!
=/seedlist/authverify;request-url!
=/seedlist/server;request-url!
=/seedlist/myserver;request-url!
=noSPNEGOcom.
ibm.
ws.
security.
spnego.
SPN1.
filterClass=com.
ibm.
ws.
security.
spnego.
HTTPHeaderFilterwhereisthenameoftheserverwithwhichLotusConnectionsisaccessed(forexample,theIBMHTTPservernameorthevirtualhostname).
iswheretheSPNEGOTAIredirectpageiscreatedonthelocalfilesystem,forinstancefile:///Z:/share/TAIRedirect.
html.
YouneedtocreatethatHTMLfilemanually.
Thecontentisthecodeshowninlisting4.
Listing4.
SPNEGOTAIredirectpageTAIRedirect.
htmlvarorigUrl=""+document.
location;if(origUrl.
indexOf("noSPNEGO")=0)origUrl+="&noSPNEGO";elseorigUrl+="noSPNEGO";}functionredirTimer(){self.
setTimeout("self.
location.
href=origUrl;",0);}document.
write("Redirectto"+origUrl+"");5.
ClickOKtosavethechanges.
Figure7isascreencaptureofwhatdispaysinarealdeployment.
Figure7.
WebSphereadministrativeconsolescreencaptureforSPNEGOTAIcustompropertiesListing5isthesampleJACLcodethatcanfulfilltheWebSphereSPNEGOTAIsetupfromthewsadmininterface.
NamethefileasConfigTA.
jaclandrunitlikethis:wsadmin-fConfigTA.
jaclibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage9of19Remembertoreplacethecom.
ibm.
ws.
security.
spnego.
SPN1.
hostNamevaluewithyourrealconfigurationvariable.
Listing5.
ConfigTA.
jaclforWebSphereSPNEGOTAIsetupprocsaveConfig{}{globalAdminConfig$AdminConfigsave}procconfigTA{}{globalAdminConfigsettrustAssocConfigId[$AdminConfiglistTrustAssociation]settrust_attrib{}setmatchFound0settrust_assocEnabledysettrust_interceptorClassNamecom.
ibm.
ws.
security.
spnego.
TrustAssociationInterceptorImplif{$trust_assocEnabled!
={}}{if{[regexp$trust_assocEnabledy]}{lappendtrust_attrib[listenabled"true"]}else{lappendtrust_attrib[listenabled"false"]}$AdminConfigmodify$trustAssocConfigId$trust_attrib}if{$trust_interceptorClassName!
={}}{setlistOfTAI[$AdminConfiglistTAInterceptor]foreachtai$listOfTAI{setclassName[$AdminConfigshowAttribute$taiinterceptorClassName]if{[stringcompare$className$trust_interceptorClassName]==0}{setmatchFound1###break}}}if{$matchFound==1}{setinterceptorConfigId$taisettrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
hostName#replacewithyourIHShostsettrust_propertyValuesettrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"settrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
filterClasssettrust_propertyValuecom.
ibm.
ws.
security.
spnego.
HTTPHeaderFiltersettrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage10of19$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"settrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
filtersettrust_propertyValue"request-url!
=/seedlist/authverify;request-url!
=/seedlist/server;request-url!
=/seedlist/myserver;request-url!
=noSPNEGO"settrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"settrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
spnegoNotSupportedPagesettrust_propertyValuefile:///z:/TAIRedirect.
htmlsettrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"settrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
NTLMTokenReceivedPagesettrust_propertyValuefile:///z:/TAIRedirect.
htmlsettrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"}}#Mainprocedureputsstdout"Runlikethis:wsadmin-fConfigTA.
jacl"puts">configTA"configTAsaveConfigibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage11of19CreatetheKerberosconfigurationfileBeforeusingSPNEGOTAIinWebSphereApplicationServer,youneedtocreatetheKerberosconfigurationfile.
First,copythekeytabfiletotheserverwhereLotusConnectionsisinstalled.
ThenrunthecreateKrbConfigFilescriptwiththewsadmincommandlineutility,byissuingthecommandshowninlisting6.
Listing6.
wsadmincommandtocreatetheKerberosconfigurationfile$AdminTaskcreateKrbConfigFile{-krbPath\java\jre\lib\security\krb5.
conf-realm-kdcHost-dns-keytabPath}whereisthepathtotheWebSphereApplicationServerlocation,nottheLotusConnectionslocation.
istheKerberosrealmandmustbeshowninalluppercaseletters.
isthenameofthekeydistributioncenterhost.
istheDNSservername.
isthelocationofthekeytabfilegeneratedonthedomaincontroller.
EnabletheWebSphereSPNEGOTAIToenableSPNEGOTAI,logintotheWebSphereApplicationServeradministrativeconsole,andnavigatetoServers-Applicationservers.
Selecttheservername(typicallyserver1),expandJavaandProcessManagement,andselectProcessDefinition-JavaVirtualMachine-CustomProperties.
Addtwocustomproperties:com.
ibm.
ws.
security.
spnego.
isEnabled=truejava.
security.
krb5.
conf=IfyouinstallLotusConnectionsinmultipleserverinstances,youneedtorepeatthisstepforallserverinstances.
Listing7isthesampleJythoncodethatcanfulfillthetaskfromthewsadmininterface.
Namethefileasconfigspnegojvm.
pyandrunitlikethis:wsadmin-langjython-userwasadmin-passwordwasadmin-fconfigspnegojvm.
pyYour_Cell_NameYour_Node_NameYour_ServerInstance_Name.
Listing7.
configspnegojvm.
pyforenablingJVMSPNEGOcustompropertiesdefconfigspnegojvm(cellName,nodeName,serverName):globalAdminConfigkrb5conf="C:/IBM/WebSphere/AppServer/java/jre/lib/security/krb5.
conf"developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage12of19javasrv=AdminConfig.
getid("/Cell:"+cellName+"/Node:"+nodeName+"/Server:"+serverName+"/")#Checkingforexistenceofserverprint"Checkingforexistenceofserver"+serverNameiflen(javasrv)==0:print"Error--servernotfoundforname"+serverName+"::/Cell:"+cellName+"/Node:"+nodeName+"/Server:"+serverName+"/"returnelse:print"OK.
"+javasrvaddJVMCustomProperties=javaproc=AdminConfig.
list('JavaProcessDef',javasrv)prop=AdminConfig.
list('Property',javaproc)jvmp=AdminConfig.
list('JavaVirtualMachine',javaproc)if(prop.
find("com.
ibm.
ws.
security.
spnego.
isEnabled")>=0):print"INFO:JVMpropertiesseemalreadyexist:"printpropreturnAdminConfig.
create('Property',jvmp,[['name','com.
ibm.
ws.
security.
spnego.
isEnabled'],['value','true'],['required','false']])AdminConfig.
create('Property',jvmp,[['name','java.
security.
krb5.
conf'],['value',krb5conf],['required','false']])AdminConfig.
save()printCurrentJVMCustomProperties=prop=AdminConfig.
list('Property',jvmp)printprop#Main:#.
/wsadmin-langjython-userwasadmin-passwordwasadmin-fconfigspnegojvm.
pyYour_Cell_NameYour_Node_NameYour_ServerInstance_Nameif(len(sys.
argv)!
=3):print"Thisscriptrequires3parameters"print"e.
g.
:.
/wsadmin-langjython-userwasadmin-passwordwasadmin-fconfigspnegojvm.
pyYour_Cell_NameYour_Node_NameYour_ServerInstance_Name"else:cellName=sys.
argv[0]nodeName=sys.
argv[1]serverName=sys.
argv[2]print"cellName:"+cellNameprint"nodeName:"+nodeNameprint"serverName:"+serverNameprintconfigspnegojvm(cellName,nodeName,serverName)ConfiguretheAjaxproxyfortheLtpaTokencookieAddthefollowingpartintotheproxy-config.
tplfiletoconfiguretheAjaxproxytoproxyLtpaTokencookies.
Youcandothistaskwiththewsadminutilitytoextracttheconfigurationfilesfirst,addthefollowingcontent,andcheckintheconfiguration.
Youneedtorestarttheserverinstancestopickupthechanges.
Seelisting8.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage13of19Listing8.
proxy-config.
tplsettingsforAjaxproxyLtpaTokencookieJSESSIONIDLtpaTokenLtpaToken2ConfigureHTTPrewriterulestologouttoanunprotectedURISetURLrewriterulesintheIBMHTTPServerconfigurationfilenamedhttpd.
conftologouttoanunprotectedWebpage,sothatSPNEGOauthenticationdoesn'thappenagaintologintheuserautomatically.
Followthesesteps:1.
Openthehttpd.
conffileontheIBMHTTPServer,anduncommentthefollowinglines(removethe#):#LoadModulerewrite_modulemodules/mod_rewrite.
so2.
Thenaddthecodeshowninlisting9.
Listing9.
HTTPrewriterulesRewriteEngineOnRewriteCond%{REQUEST_URI}/(.
*)/ibm_security_logout(.
*)RewriteCond%{QUERY_STRING}!
=logoutExitPage=RewriteRule/(.
*)/ibm_security_logout(.
*)/$1/ibm_security_logoutlogoutExitPage=[noescape,L,R]whereistheunprotectedURLtowhichtheuserisredirectedafterlogout.
ItisanunprotectedURLtopreventSPNEGOauthentication.
BesuretoconfiguretheURLrewriteruleforbothHTTPandHTTPS.
ConfiguringtheclientbrowsertouseSPNEGOUsersneedtoconfiguretheirclientsbeforetheycanusetheLotusConnectionsservicesintheKerberosenvironment.
UserclientsystemtojointhedomainFirst,theuserclientsystemjoinsthedomain.
Theclientsystem'sDNSservervalueissetasthedomaincontrolleraddressintheTCP/IPPropertieswindowasshowninfigure8.
developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage14of19Figure8.
TCP/IPPropertiesontheclientsystemNext,followthelinkhttp://support.
microsoft.
com/kb/295017tojointhedomain.
.
Aftertheclientsuccessfullyjoinsthedomain,theadministratorofthedomaincontrollercanseethenewlyjoinedmemberintheActiveDirectoryUsersandComputersviewasshowninfigure9.
Figure9.
ComputerslistbelongstothespecificdomainUserclientbrowserconfigurationSecond,usersneedtoconfiguretheirclientbrowserstouseSPNEGO.
IfyouareusingMicrosoftInternetExplorer,followthesesteps:1.
IntheInternetExplorerwindow,selectTools-InternetOptions-Security.
2.
SelecttheLocalintraneticon,andclickSites.
3.
Inthewindowthatdisplays,clickAdvanced.
IntheAddthisWebsitetothezonefield,entertheWebaddressofthehostnamesothatsinglesign-on(SSO)canbeenabledtothelistofWebsitesshownintheWebsitesfield.
4.
ClickClose,andthenclickOKtocompletethisstepandclosetheLocalintranetwindow.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage15of19Figure10.
Localintranetsettings5.
InthesectionofthewidowtitledSecuritylevelforthiszone,clickCustomLevel.
IntheSecuritySettingswindowthatdisplays,scrolltoUserAuthentication-LogonandselecttheAutomaticlogononlyinIntranetzoneoption.
ClickOKtoclosetheSecuritySettingswindow.
Seefigure11.
Figure11.
SecuritysettingsforthelocalintranetzonedeveloperWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage16of196.
IntheInternetOptionswindow,clicktheAdvancedtabandscrolltoSecuritysettings.
MakesurethattheEnableIntegratedWindowsAuthentication(requiresrestart)optionisselected.
Seefigure12.
Figure12.
InternetOptionssetting7.
ClickOK.
RestartyourInternetExplorerbrowsertoactivatethisconfiguration.
IfyouareusingtheMozillaFirefoxbrowser,followthesesteps:1.
OpenFirefox.
2.
Intheaddressfield,enterabout:config.
3.
IntheFilterfield,enternetwork.
n.
4.
Doubleclick.
negotiate-auth.
trusted-uris.
ThispreferenceliststhesitesthatarepermittedtoengageinSPNEGOauthenticationwiththebrowser.
Enteracomma-delimitedlistoftrusteddomainsorURLs.
NOTE:Youmustsetthevaluefornetwork.
negotiate-auth.
trusted-urisasshowninfigure13.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage17of19Figure13.
MozillaFirefoxbrowsersetting5.
IfthedeployedSPNEGOsolutionusestheadvancedKerberosfeatureofcredentialdelegation,double-clicknetwork.
negotiate-auth.
delegation-uris.
Thispreferenceliststhesitesforwhichthebrowsercandelegateuserauthorizationtotheserver.
Enteracomma-delimitedlistoftrusteddomainsorURLs.
6.
ClickOK.
Theconfigurationdisplaysasupdated.
7.
RestartyourFirefoxbrowsertoactivatethisconfiguration.
AccessLotusConnectionswiththesinglesign-oncapabilityintheKerberosenvironmentAfteralltasksintheprecedingstepsarefinished,userscanstarttoexperienceLotusConnectionswithsinglesign-on.
Theyneedtologontotheirsystems,andtheywillnotbechallengedwhenusingLotusConnectionsfeatures.
Figure14isascreencapturetakenfromanactualdeployment.
UserAamir_000_000logsontohisWindowsclient(whichhasjoinedthedomaincontrolledbythedomaincontroller),openstheFirefoxbrowser,enterstheLotusConnectionshomepageaddress,andlogsontoLotusConnectionsautomatically.
Figure14.
AutomaticallyloadedLotusConnectionshomepagedeveloperWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage18of19TroubleshootingIfyouhaveanyproblemswhenusingLotusConnectionsintheSPNEGOenvironment,youcanenabletracingonSPENGOandKerberosusingthesesettings:JVMcustompropertysettingcom.
ibm.
security.
jgss.
debug=allcom.
ibm.
security.
krb5.
Krb5Debug=allLogsandtracesettingcom.
ibm.
ws.
security.
*=all:com.
ibm.
ws.
security.
spnego.
*=allConclusionThisarticleintroducedtheMicrosoftWindowssinglesign-onSPNEGOconceptandconfigurationsforLotusConnections2.
5,providingdetailedexplanationsforeachconfigurationstep.
Thesamplecodelistings,whichareusefulforautomatingsystemadministrationwork,inthearticlehavebeenverifiedbythesystemtestteam.
TheconfigurationstepscanalsobeappliedtootherWebapplications.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage19of19RelatedtopicsReadtheWebSphereApplicationServerInformationCenterarticle,"Creatingasinglesign-onforHTTPrequestsusingtheSPNEGOTAI.
"RefertotheKerberosUser'sGuide.
CopyrightIBMCorporation2010(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)
Editor'snote:KnowalotaboutthistopicWanttoshareyourexpertiseParticipateintheIBMLotussoftwarewikiprogramtoday.
LotusConnectionswikiIntroductionBeforewestartourdiscussionofconfiguringsinglesing-oninIBMLotusConnection,weneedtoreviewsomeconceptsfirst:KerberosandSPNEGO.
Kerberosisacomputernetworkauthenticationprotocol,designedanddevelopedbyMIT,whichallowsnodescommunicatingoveranonsecurenetworktoprovetheiridentitytooneanotherinasecuremanner.
Kerberosversion5authenticationprotocolisanRFC(RequestForComments)standard.
SPNEGO(SimpleandProtectedGSSAPINegotiationMechanism)isaGSSAPIpseudo-mechanismthatisusedtonegotiateoneofanumberofpossiblerealmechanisms.
ItsmostvisibleuseisinMicrosoft'sHTTPNegotiateauthenticationextension.
ThenegotiablesubmechanismsincludeNTLM(NTLANManager)andKerberos,bothusedinMicrosoftActiveDirectory.
Moreinformationcanbefoundhere.
LotusConnectionscanleveragetheWebSphereApplicationServerSPNEGOTAI(trustassociationinterceptor)toprovidethesinglesign-on(SSO)capability,enablinguserstosignontotheMicrosoftWindowsdesktopandthenbeautomaticallysignedintoLotusConnectionsfeatureswithouthavingtoauthenticate.
Figure1showstherequest/responsedataflowintheWebSphereApplicationServerSPNEGOenvironment.
developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage2of19Figure1.
SPNEGOdataflowdiagramYoucanreadmoreabouttheWebSphereApplicationServerSPNEGOTAIinitsInformationCenter.
Inthisarticle,weillustratehowyoucanenableLotusConnectionstoprovidethesinglesign-on(SSO)capabilityforusersbasedonthedeploymentshowninfigure2.
Figure2.
LotusConnectionsSPNEGOdeploymenttoplogyActiveDirectoryandKerberosKDC(keydistributioncenter)aredeployedonaMicrosoftWindows2003ServerEnterpriseEditionsystem.
TheMicrosoftWindowsclientsystemistheusers'Windowsclientsystemwithbrowsersandotherapplicationsdeployed.
LotusConnections2.
5serveristheLotusConnections2.
5environmentusingActiveDirectoryastheLDAPdirectory;LotusConnections2.
5servercanbeamultiple-nodesclusteroronesingle-nodeenvironment.
Inthisarticle,wedeployLotusConnections2.
5serverontheMicrosoftWindowssystem.
PrerequisitetasksonActiveDirectoryandKerberosKDChostThereareseveralprerequisitetaskstobefinishedbythesystemadministratorsontheActiveDirectoryandKerberosKDChostbeforewecanproceed.
InstallActiveDirectoryonMicrosoftWindows2003Refertohttp://technet.
microsoft.
com/en-us/library/aa998088.
aspxonHowtoinstallActiveDirectoryonWindows2003ServerEnterpriseEdition.
AfteryouhavesuccessfullyinstalledActiveDirectory,makesurethattheKerberoskeydistributioncentersystemservicesisconfiguredcorrectlyintheServiceslist.
Double-clicktheKerberosKeyDistributionCenterservicetoselectibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage3of19theKerberosKeyDistributionCenterpropertiesasshowninfigure3.
MakesurethattheStartuptypefieldisselectedasAutomatic(Automaticisselectedbydefault).
Figure3.
KerberosKeyDistributionCenterpropertiesTheKDCserviceenablesuserstologontothenetworkusingtheKerberosV5authenticationprotocol.
Ifthisserviceisstopped,usersareunabletologontothedomainandaccessservices.
Onanon-KDC-enabledsystem(notadomaincontroller),theKDCservicestartuptypeisdisabled.
YoucanreadmoreabouttheMicrosoftWindowsKDCservice.
YoucanlearnhowtomodifytheKerberosprotocolregistryentriesandKDCconfigurationkeysinMicrosoftWindowsServer2003.
Weusethedefaultvaluesinthisconfiguration.
MakesurethatyouinstallaDNSserveronthisWindows2003systemasdetailedinstep9ofthisprocess.
OntheDNSRegistrationDiagnosticspage,followthesesteps:1.
ClickInstallandconfiguretheDNSserveronthiscomputer.
2.
SetthiscomputertousethisDNSserverasitspreferredDNSserver.
3.
ClickNext.
4.
TheDNSservicerunsonthisMicrosoftWindows2003Server.
Double-clicktheDNSServerservicetoselecttheDNSServerpropertiesasshowninfigure4.
MakesurethattheStartuptypefieldisselectedasAutomatic(Automaticisselectedbydefault).
developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage4of19Figure4.
DNSServerPropertieswindowTimesynchronizationfortheKerberosenvironmentTheMicrosoftWindowsServer2003hostingActiveDirectoryisusedasthedomaincontroller.
Iftimesynchronizationisnotaprobleminyourenterpriseintranet,youcanignorethissection.
Kerberosrequiresthattheclocksoftheinvolvedhostsaresynchronized.
Theticketshaveatimeavailabilityperiod,andifthehostclockisnotsynchronizedwiththeKerberosserverclock,theauthenticationfails.
WeoftenusethedomaincontrollerasthetimeserverandruntheWindowsScheduletaskontheinvolvedLotusConnectionsserverhoststodotimesynchronizationwiththedomaincontroller.
Figure5showsanexampletaskthatinvokesthesampleTimeSyn.
bateveryminute.
Figure5.
WindowsScheduledTasksfortimesynchronizationInourexample,usersneedtocreateabatchfilenamedTimeSyn.
batinC:\.
Ifexample.
yourdomain.
comisthedomaincontrollerandanNTPtimeserver,theTimeSyn.
batlookslikethecodeshowninlisting1.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage5of19Listing1.
SamplecodeforTimeSyn.
batw32tm/config/manualpeerlist:acme.
yourdomain.
com.
com,0x8/syncfromflags:MANUALnetstopw32timenetstartw32timew32tm/resyncInstallMicrosoftWindowssupporttoolsInstallMicrosoftWindowssupporttoolsontheWindows2003ServerEnterpriseEdition.
YouneedthistooltorunthektpasscommandonthedomaincontrollertosetSPNfortheserviceaccountandtogeneratethekeytabfile.
YoucangetdetailsabouthowtheKerberosprotocolworksinMicrosoftWindowsServer2003.
ConfiguretheLotusConnectionsservertosupporttheKerberosenvironment.
WhentheprerequisitetaskshavebeenfinishedwecanstarttheconfigurationontheLotusConnectionsserver.
ConfigureLotusConnectionstouseActiveDirectoryasauserrepositoryRefertotheLotusConnectionsInformationCentertolearnhowtoconfigurethesecuritytouseActiveDirectoryasauserrepositoryandhowtopopulatetheProfilesdatabase.
CreateaserviceaccounttoholdSPNinActiveDirectoryAnSPN(serviceprincipalname)isneededforLotusConnectionsintheKerberosenvironmenttoidentifytheLotusConnectionsserver.
AserviceaccountisneededinActiveDirectorytoholdthatSPN.
Tocreatetheserviceaccount,logintothedomaincontroller,gotoManageYourServer-DomainController(ActiveDirectory)-ManageusersandcomputersinActiveDirectory,andclickthebutton.
OntheAccountpage,makesurethatyouselecttheUsercannotchangepasswordandPasswordneverexpiresoptionsasshowninfigure6.
developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage6of19Figure6.
NewuseraccountpropertiesSetSPNandgeneratethekeytabfileRunthektpasscommandonthedomaincontrollertosetSPNfortheserviceaccountandgeneratethekeytabfile:ktpass–princ-out-mapuser-mapOpset–passwhereistheKerberosserviceprincipalname.
AKerberosprincipalisdividedintothreeparts:theprimary,theinstance,andtherealm.
TheformatofatypicalKerberosprincipalisprimary/instance@REALM.
IfLotusConnectionsishostedonthesystemSVTLCSPNEGO.
cn.
example.
comandthedomainnameisCN.
EXAMPLE.
COM,theSPNisHTTP/SVTLCSPNEGO.
cn.
example.
com@CN.
EXAMPLE.
COM.
isthelocationwhereyouwanttosavethekeytabfile.
istheserviceaccountname.
isthepasswordtotheserviceaccountname.
Assumethattheuseraccountcreatedinstep1islcserver01andthatthepasswordtotheserviceaccountisPassword1.
YouwanttosavethekeytabfileasC:\SVTLCSPNEGO.
keytab,sothecommandlookslikethefollowingcode:ktpass-princHTTP/SVTLCSPNEGO.
cn.
ibm.
com@CN.
IBM.
COM-outibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage7of19c:\SVTLCSPNEGO.
keytab-mapuserlcserver01-mapOpset-passPassw0rd1Thecommandoutputisshowninlisting2.
Listing2.
ktpasscommandoutputTargetingdomaincontroller:SVTLCSPNEGO.
cn.
ibm.
comUsinglegacypasswordsettingmethodSuccessfullymappedHTTP/SVTLCSPNEGO.
cn.
ibm.
comtolcserver01.
WARNING:pTypeandaccounttypedonotmatch.
Thismightcauseproblems.
Keycreated.
Outputkeytabtoc:\SVTLCSPNEGO.
keytab:Keytabversion:0x502keysize68HTTP/SVTLCSPNEGO.
cn.
ibm.
com@CN.
IBM.
COMptype0(KRB5_NT_UNKNOWN)vno4etype0x17(RC4-HMAC)keylength16(0x5858d47a41e40b40f294b3100bea611f)InaLotusConnectionscluster,youonlyneedtoselecttheIBMHTTPservernameorthevirtualhostname(usersaccesstheIBMHTTPserverorthevirtualhosttoexperienceLotusConnectionsfeatures)astheinstancenameintheKerberosserviceprincipalname.
ItisunnecessarytogeneratethekeytabfileforallnodesintheLotusConnectionscluster.
ConfigureSPNEGOTAIinWebSphereApplicationServerConfigureSPNEGOTAIintheWebSphereApplicationServeradministrativeconsolebytakingthesesteps:1.
NavigatetoSecurity-Secureadministration,applications,andinfrastructure,andexpandWebSecurity.
ClickTrustassociation.
2.
SelecttheEnabletrustassociationoptiontoenableTAI.
3.
SelectInterceptors-com.
ibm.
ws.
security.
spnego.
TrustAssociationInterceptorImpl-Customproperties.
4.
Addthecustompropertiesshowninlisting3.
Listing3.
CustompropertiesforSPNEGOTAIcom.
ibm.
ws.
security.
spnego.
SPN1.
hostName=com.
ibm.
ws.
security.
spnego.
SPN1.
NTLMTokenReceivedPage=com.
ibm.
ws.
security.
spnego.
SPN1.
spnegoNotSupportedPage=com.
ibm.
ws.
security.
spnego.
SPN1.
filter=request-url!
=/seedlist/authverify;request-url!
=/seedlist/server;request-url!
=/seedlist/myserver;request-url!
=noSPNEGOcom.
ibm.
ws.
security.
spnego.
SPN1.
filterClass=com.
ibm.
ws.
security.
spnego.
HTTPHeaderFilterwhereisthenameoftheserverwithwhichLotusConnectionsisaccessed(forexample,theIBMHTTPservernameorthevirtualhostname).
iswheretheSPNEGOTAIredirectpageiscreatedonthelocalfilesystem,forinstancefile:///Z:/share/TAIRedirect.
html.
YouneedtocreatethatHTMLfilemanually.
Thecontentisthecodeshowninlisting4.
Listing4.
SPNEGOTAIredirectpageTAIRedirect.
htmlvarorigUrl=""+document.
location;if(origUrl.
indexOf("noSPNEGO")=0)origUrl+="&noSPNEGO";elseorigUrl+="noSPNEGO";}functionredirTimer(){self.
setTimeout("self.
location.
href=origUrl;",0);}document.
write("Redirectto"+origUrl+"");5.
ClickOKtosavethechanges.
Figure7isascreencaptureofwhatdispaysinarealdeployment.
Figure7.
WebSphereadministrativeconsolescreencaptureforSPNEGOTAIcustompropertiesListing5isthesampleJACLcodethatcanfulfilltheWebSphereSPNEGOTAIsetupfromthewsadmininterface.
NamethefileasConfigTA.
jaclandrunitlikethis:wsadmin-fConfigTA.
jaclibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage9of19Remembertoreplacethecom.
ibm.
ws.
security.
spnego.
SPN1.
hostNamevaluewithyourrealconfigurationvariable.
Listing5.
ConfigTA.
jaclforWebSphereSPNEGOTAIsetupprocsaveConfig{}{globalAdminConfig$AdminConfigsave}procconfigTA{}{globalAdminConfigsettrustAssocConfigId[$AdminConfiglistTrustAssociation]settrust_attrib{}setmatchFound0settrust_assocEnabledysettrust_interceptorClassNamecom.
ibm.
ws.
security.
spnego.
TrustAssociationInterceptorImplif{$trust_assocEnabled!
={}}{if{[regexp$trust_assocEnabledy]}{lappendtrust_attrib[listenabled"true"]}else{lappendtrust_attrib[listenabled"false"]}$AdminConfigmodify$trustAssocConfigId$trust_attrib}if{$trust_interceptorClassName!
={}}{setlistOfTAI[$AdminConfiglistTAInterceptor]foreachtai$listOfTAI{setclassName[$AdminConfigshowAttribute$taiinterceptorClassName]if{[stringcompare$className$trust_interceptorClassName]==0}{setmatchFound1###break}}}if{$matchFound==1}{setinterceptorConfigId$taisettrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
hostName#replacewithyourIHShostsettrust_propertyValuesettrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"settrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
filterClasssettrust_propertyValuecom.
ibm.
ws.
security.
spnego.
HTTPHeaderFiltersettrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage10of19$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"settrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
filtersettrust_propertyValue"request-url!
=/seedlist/authverify;request-url!
=/seedlist/server;request-url!
=/seedlist/myserver;request-url!
=noSPNEGO"settrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"settrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
spnegoNotSupportedPagesettrust_propertyValuefile:///z:/TAIRedirect.
htmlsettrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"settrust_propertyNamecom.
ibm.
ws.
security.
spnego.
SPN1.
NTLMTokenReceivedPagesettrust_propertyValuefile:///z:/TAIRedirect.
htmlsettrust_propertyRequiredfalsesetoptions_attrib{}lappendoptions_attrib[listname$trust_propertyName]lappendoptions_attrib[listvalue$trust_propertyValue]lappendoptions_attrib[listrequired$trust_propertyRequired]$AdminConfigmodify$interceptorConfigId[list[listtrustProperties[list$options_attrib]]]settrustAttrs[$AdminConfigshowall$interceptorConfigId]putsstdout"trustAttrs=$trustAttrs"}}#Mainprocedureputsstdout"Runlikethis:wsadmin-fConfigTA.
jacl"puts">configTA"configTAsaveConfigibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage11of19CreatetheKerberosconfigurationfileBeforeusingSPNEGOTAIinWebSphereApplicationServer,youneedtocreatetheKerberosconfigurationfile.
First,copythekeytabfiletotheserverwhereLotusConnectionsisinstalled.
ThenrunthecreateKrbConfigFilescriptwiththewsadmincommandlineutility,byissuingthecommandshowninlisting6.
Listing6.
wsadmincommandtocreatetheKerberosconfigurationfile$AdminTaskcreateKrbConfigFile{-krbPath\java\jre\lib\security\krb5.
conf-realm-kdcHost-dns-keytabPath}whereisthepathtotheWebSphereApplicationServerlocation,nottheLotusConnectionslocation.
istheKerberosrealmandmustbeshowninalluppercaseletters.
isthenameofthekeydistributioncenterhost.
istheDNSservername.
isthelocationofthekeytabfilegeneratedonthedomaincontroller.
EnabletheWebSphereSPNEGOTAIToenableSPNEGOTAI,logintotheWebSphereApplicationServeradministrativeconsole,andnavigatetoServers-Applicationservers.
Selecttheservername(typicallyserver1),expandJavaandProcessManagement,andselectProcessDefinition-JavaVirtualMachine-CustomProperties.
Addtwocustomproperties:com.
ibm.
ws.
security.
spnego.
isEnabled=truejava.
security.
krb5.
conf=IfyouinstallLotusConnectionsinmultipleserverinstances,youneedtorepeatthisstepforallserverinstances.
Listing7isthesampleJythoncodethatcanfulfillthetaskfromthewsadmininterface.
Namethefileasconfigspnegojvm.
pyandrunitlikethis:wsadmin-langjython-userwasadmin-passwordwasadmin-fconfigspnegojvm.
pyYour_Cell_NameYour_Node_NameYour_ServerInstance_Name.
Listing7.
configspnegojvm.
pyforenablingJVMSPNEGOcustompropertiesdefconfigspnegojvm(cellName,nodeName,serverName):globalAdminConfigkrb5conf="C:/IBM/WebSphere/AppServer/java/jre/lib/security/krb5.
conf"developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage12of19javasrv=AdminConfig.
getid("/Cell:"+cellName+"/Node:"+nodeName+"/Server:"+serverName+"/")#Checkingforexistenceofserverprint"Checkingforexistenceofserver"+serverNameiflen(javasrv)==0:print"Error--servernotfoundforname"+serverName+"::/Cell:"+cellName+"/Node:"+nodeName+"/Server:"+serverName+"/"returnelse:print"OK.
"+javasrvaddJVMCustomProperties=javaproc=AdminConfig.
list('JavaProcessDef',javasrv)prop=AdminConfig.
list('Property',javaproc)jvmp=AdminConfig.
list('JavaVirtualMachine',javaproc)if(prop.
find("com.
ibm.
ws.
security.
spnego.
isEnabled")>=0):print"INFO:JVMpropertiesseemalreadyexist:"printpropreturnAdminConfig.
create('Property',jvmp,[['name','com.
ibm.
ws.
security.
spnego.
isEnabled'],['value','true'],['required','false']])AdminConfig.
create('Property',jvmp,[['name','java.
security.
krb5.
conf'],['value',krb5conf],['required','false']])AdminConfig.
save()printCurrentJVMCustomProperties=prop=AdminConfig.
list('Property',jvmp)printprop#Main:#.
/wsadmin-langjython-userwasadmin-passwordwasadmin-fconfigspnegojvm.
pyYour_Cell_NameYour_Node_NameYour_ServerInstance_Nameif(len(sys.
argv)!
=3):print"Thisscriptrequires3parameters"print"e.
g.
:.
/wsadmin-langjython-userwasadmin-passwordwasadmin-fconfigspnegojvm.
pyYour_Cell_NameYour_Node_NameYour_ServerInstance_Name"else:cellName=sys.
argv[0]nodeName=sys.
argv[1]serverName=sys.
argv[2]print"cellName:"+cellNameprint"nodeName:"+nodeNameprint"serverName:"+serverNameprintconfigspnegojvm(cellName,nodeName,serverName)ConfiguretheAjaxproxyfortheLtpaTokencookieAddthefollowingpartintotheproxy-config.
tplfiletoconfiguretheAjaxproxytoproxyLtpaTokencookies.
Youcandothistaskwiththewsadminutilitytoextracttheconfigurationfilesfirst,addthefollowingcontent,andcheckintheconfiguration.
Youneedtorestarttheserverinstancestopickupthechanges.
Seelisting8.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage13of19Listing8.
proxy-config.
tplsettingsforAjaxproxyLtpaTokencookieJSESSIONIDLtpaTokenLtpaToken2ConfigureHTTPrewriterulestologouttoanunprotectedURISetURLrewriterulesintheIBMHTTPServerconfigurationfilenamedhttpd.
conftologouttoanunprotectedWebpage,sothatSPNEGOauthenticationdoesn'thappenagaintologintheuserautomatically.
Followthesesteps:1.
Openthehttpd.
conffileontheIBMHTTPServer,anduncommentthefollowinglines(removethe#):#LoadModulerewrite_modulemodules/mod_rewrite.
so2.
Thenaddthecodeshowninlisting9.
Listing9.
HTTPrewriterulesRewriteEngineOnRewriteCond%{REQUEST_URI}/(.
*)/ibm_security_logout(.
*)RewriteCond%{QUERY_STRING}!
=logoutExitPage=RewriteRule/(.
*)/ibm_security_logout(.
*)/$1/ibm_security_logoutlogoutExitPage=[noescape,L,R]whereistheunprotectedURLtowhichtheuserisredirectedafterlogout.
ItisanunprotectedURLtopreventSPNEGOauthentication.
BesuretoconfiguretheURLrewriteruleforbothHTTPandHTTPS.
ConfiguringtheclientbrowsertouseSPNEGOUsersneedtoconfiguretheirclientsbeforetheycanusetheLotusConnectionsservicesintheKerberosenvironment.
UserclientsystemtojointhedomainFirst,theuserclientsystemjoinsthedomain.
Theclientsystem'sDNSservervalueissetasthedomaincontrolleraddressintheTCP/IPPropertieswindowasshowninfigure8.
developerWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage14of19Figure8.
TCP/IPPropertiesontheclientsystemNext,followthelinkhttp://support.
microsoft.
com/kb/295017tojointhedomain.
.
Aftertheclientsuccessfullyjoinsthedomain,theadministratorofthedomaincontrollercanseethenewlyjoinedmemberintheActiveDirectoryUsersandComputersviewasshowninfigure9.
Figure9.
ComputerslistbelongstothespecificdomainUserclientbrowserconfigurationSecond,usersneedtoconfiguretheirclientbrowserstouseSPNEGO.
IfyouareusingMicrosoftInternetExplorer,followthesesteps:1.
IntheInternetExplorerwindow,selectTools-InternetOptions-Security.
2.
SelecttheLocalintraneticon,andclickSites.
3.
Inthewindowthatdisplays,clickAdvanced.
IntheAddthisWebsitetothezonefield,entertheWebaddressofthehostnamesothatsinglesign-on(SSO)canbeenabledtothelistofWebsitesshownintheWebsitesfield.
4.
ClickClose,andthenclickOKtocompletethisstepandclosetheLocalintranetwindow.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage15of19Figure10.
Localintranetsettings5.
InthesectionofthewidowtitledSecuritylevelforthiszone,clickCustomLevel.
IntheSecuritySettingswindowthatdisplays,scrolltoUserAuthentication-LogonandselecttheAutomaticlogononlyinIntranetzoneoption.
ClickOKtoclosetheSecuritySettingswindow.
Seefigure11.
Figure11.
SecuritysettingsforthelocalintranetzonedeveloperWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage16of196.
IntheInternetOptionswindow,clicktheAdvancedtabandscrolltoSecuritysettings.
MakesurethattheEnableIntegratedWindowsAuthentication(requiresrestart)optionisselected.
Seefigure12.
Figure12.
InternetOptionssetting7.
ClickOK.
RestartyourInternetExplorerbrowsertoactivatethisconfiguration.
IfyouareusingtheMozillaFirefoxbrowser,followthesesteps:1.
OpenFirefox.
2.
Intheaddressfield,enterabout:config.
3.
IntheFilterfield,enternetwork.
n.
4.
Doubleclick.
negotiate-auth.
trusted-uris.
ThispreferenceliststhesitesthatarepermittedtoengageinSPNEGOauthenticationwiththebrowser.
Enteracomma-delimitedlistoftrusteddomainsorURLs.
NOTE:Youmustsetthevaluefornetwork.
negotiate-auth.
trusted-urisasshowninfigure13.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage17of19Figure13.
MozillaFirefoxbrowsersetting5.
IfthedeployedSPNEGOsolutionusestheadvancedKerberosfeatureofcredentialdelegation,double-clicknetwork.
negotiate-auth.
delegation-uris.
Thispreferenceliststhesitesforwhichthebrowsercandelegateuserauthorizationtotheserver.
Enteracomma-delimitedlistoftrusteddomainsorURLs.
6.
ClickOK.
Theconfigurationdisplaysasupdated.
7.
RestartyourFirefoxbrowsertoactivatethisconfiguration.
AccessLotusConnectionswiththesinglesign-oncapabilityintheKerberosenvironmentAfteralltasksintheprecedingstepsarefinished,userscanstarttoexperienceLotusConnectionswithsinglesign-on.
Theyneedtologontotheirsystems,andtheywillnotbechallengedwhenusingLotusConnectionsfeatures.
Figure14isascreencapturetakenfromanactualdeployment.
UserAamir_000_000logsontohisWindowsclient(whichhasjoinedthedomaincontrolledbythedomaincontroller),openstheFirefoxbrowser,enterstheLotusConnectionshomepageaddress,andlogsontoLotusConnectionsautomatically.
Figure14.
AutomaticallyloadedLotusConnectionshomepagedeveloperWorksibm.
com/developerWorks/Configuringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage18of19TroubleshootingIfyouhaveanyproblemswhenusingLotusConnectionsintheSPNEGOenvironment,youcanenabletracingonSPENGOandKerberosusingthesesettings:JVMcustompropertysettingcom.
ibm.
security.
jgss.
debug=allcom.
ibm.
security.
krb5.
Krb5Debug=allLogsandtracesettingcom.
ibm.
ws.
security.
*=all:com.
ibm.
ws.
security.
spnego.
*=allConclusionThisarticleintroducedtheMicrosoftWindowssinglesign-onSPNEGOconceptandconfigurationsforLotusConnections2.
5,providingdetailedexplanationsforeachconfigurationstep.
Thesamplecodelistings,whichareusefulforautomatingsystemadministrationwork,inthearticlehavebeenverifiedbythesystemtestteam.
TheconfigurationstepscanalsobeappliedtootherWebapplications.
ibm.
com/developerWorks/developerWorksConfiguringsinglesign-onforIBMLotusConnectionsintheKerberosenvironmentPage19of19RelatedtopicsReadtheWebSphereApplicationServerInformationCenterarticle,"Creatingasinglesign-onforHTTPrequestsusingtheSPNEGOTAI.
"RefertotheKerberosUser'sGuide.
CopyrightIBMCorporation2010(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)
- synchronizedrewritecond相关文档
- COUNTrewritecond
- SCPRGrewritecond
- bruterewritecond
- dspacedbrewritecond
- cursesrewritecond
- addressrewritecond
阿里云秋季促销活动 轻量云服务器2G5M配置新购年60元
已经有一段时间没有分享阿里云服务商的促销活动,主要原因在于他们以前的促销都仅限新用户,而且我们大部分人都已经有过账户基本上促销活动和我们无缘。即便老用户可选新产品购买,也是比较配置较高的,所以就懒得分享。这不看到有阿里云金秋活动,有不错的促销活动可以允许产品新购。即便我们是老用户,但是比如你没有购买过他们轻量服务器,也是可以享受优惠活动的。这次轻量服务器在金秋活动中力度折扣比较大,2G5M配置年付...
PacificRack - 洛杉矶QN机房 低至年$7.2 同有站群多IP地址VPS主机
需要提前声明的是有网友反馈到,PacificRack 商家是不支持DD安装Windows系统的,他有安装后导致服务器被封的问题。确实有一些服务商是不允许的,我们尽可能的在服务商选择可以直接安装Windows系统套餐,毕竟DD安装的Win系统在使用上实际上也不够体验好。在前面有提到夏季促销的"PacificRack夏季促销PR-M系列和多IP站群VPS主机 年付低至19美元"有提到年付12美元的洛杉...
ReadyDedis:VPS全场5折,1G内存套餐月付2美元起,8个机房可选_服务器安装svn
ReadyDedis是一家2018年成立的国外VPS商家,由印度人开设,主要提供VPS和独立服务器租用等,可选数据中心包括美国洛杉矶、西雅图、亚特兰大、纽约、拉斯维加斯、杰克逊维尔、印度和德国等。目前,商家针对全部VPS主机提供新年5折优惠码,优惠后最低套餐1GB内存每月仅需2美元起,所有VPS均为1Gbps端口不限流量方式。下面列出几款主机配置信息。CPU:1core内存:1GB硬盘:25GB ...
rewritecond为你推荐
-
域名查询域名信息查询网站免费注册域名怎样免费注册域名呢 要详细的步骤哦cm域名注册CM域名后缀怎么样啊?百度对CM域名收录友好吗?国外域名注册如何注册国外域名?域名备案查询网站备案查询国内免费空间国内有没有好的免费空间啊php虚拟空间怎样修改php虚拟空间单个文件上传大小限制php虚拟空间php虚拟主机空间如何连接mysqlphp虚拟空间虚拟空间怎么修改php.ini配置php虚拟空间我已经有一套网站php代码和模板,并且有自己的虚拟空间和域名,怎么才能把我的代码加入到网站上.