PK84184: DYNAMIC MAPPING OF ALIAS HOSTNAME TO REAL HOSTNAME FOR SPNEGO SSO.

Fixes are available

APAR status

Closed as program error.

Error description

Alias support does not work if the alias host is added to DNS
after WebSphere has started.  Even though the alias is mapped to
the spnego configured host, SSO does not work for the alias that
is added later.

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server who uses alias hostname for SPNEGO   *
*                  (Simple and Protected GSSAPI Negotiation    *
*                  Mechanism) single-sign on                   *
****************************************************************
* PROBLEM DESCRIPTION: SPNEGO single sigh-on does not work     *
*                      if alias hostname is dynamically        *
*                      added after Server startup.             *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When http request comes in for an alias host, when the
alias hostname resolves to a host that is configured for
SPNEGO single sign-on,  WebSphere does not proceed since
hostname is not matching.

Problem conclusion

Code is updated to perform DNS lookup as http request comes
in. After this APAR, if the alias hostname is resolved
hostname that is already configured for SPNEGO single sign-on,
WebSphere Application Server continues to process it.

Note: This APAR requires following configuration in addition
to working SPNEGO-TAI Single-SignOn environment.

1. Define actual/real hostname for this variable:
com.ibm.ws.security.spnego.SPNx.hostName

From administration console:
(V6.1) Secure administration, applications, and infrastructure
> Trust association > Interceptors >
com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl >
Custom Properties
(V7.0) Global security > (Web and SIP security) > Trust
association > Interceptors >
com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl >
Custom Properties

Add/modify the following variable:
com.ibm.ws.security.spnego.SPNx.hostName=real.host.name

Although it is OK to have alias hostname defined, only real
hostname has to be defined since WebSphere resolves the alias
hostname to real host name as HTTP request comes in.

2. Turn on Canonical support flag.
From administration console:
(V6.1) Secure administration, applications, and infrastructure >
Custom properties
(V7.0) Global security > Custom properties

Add/modify the following variable and set it to "true":
com.ibm.websphere.security.krb.canonical_host = true

3. Configure browser:
On the browser on the client machine,  alias hostname needs
to be configured as trusted host
Internet Explorer: Tools -> Internet options
-> Security (tab) -> Local intranet -> sites -> advanced ->
(add alias hostname here)
Firefox : "About:config"-> confirm ->
network.negotiate-auth.trusted-uris ->  Add alias hostname in
there (separate hostnames with ",")

4. Make sure real host name is added to the keytab file.
If com.ibm.websphere.security.krb.canonical_host is set to
"true" (as instructed earlier) WebSphere expects real host name
to be in the keytab files. Aliases are not necessary.
On the other hand, if
com.ibm.websphere.security.krb.canonical_host  is set to false
and aliases are defined, aliases need to be present in the
keytab file.

Note: It is usually not required to add alias hostname to SPN
account. However some configuration might require this
additional step. (setspn /A HTTP/dns-alias userid)

The fix for this APAR is currently targeted for inclusion in
fix pack 6.1.0.27 and 7.0.0.5.  Please refer to the
Recommended Updates
page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Temporary fix

Comments

APAR Information

APAR number
PK84184
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
60W
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2009-04-06
Closed date
2009-05-18
Last modified date
2009-11-18

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800

Applicable component levels

R61A PSY
UP
R61H PSY
UP
R61I PSY
UP
R61P PSY
UP
R61S PSY
UP
R61W PSY
UP
R61Z PSY
UP
R700 PSY
UP

Rate this page:

(0 users)Average rating

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Document information

WebSphere Application Server

General

Software version:
6.0

Reference #:
PK84184

Modified date:
2009-11-18

PK84184: DYNAMIC MAPPING OF ALIAS HOSTNAME TO REAL HOSTNAME FOR SPNEGO SSO.

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R61A PSY

R61H PSY

R61I PSY

R61P PSY

R61S PSY

R61W PSY

R61Z PSY

R700 PSY

Rate this page:

Copyright and trademark information

Rate this page:

Add comments

Document information

Translate my page

Content navigation

Footer links