SPNEGO web authentication configuration commands
Use wsadmin commands to configure, unconfigure, validate, or display Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) in the security configuration.
Configure SPNEGO web authentication
Use the configureSpnego command to configure SPNEGO as a web authenticator in the security configuration.
At the wsadmin prompt, enter the following command for help:
Option | Description |
---|---|
<enabled> | This parameter is optional. It enables SPNEGO web authentication. |
<dynamicReload> | This parameter is optional. It enables dynamic reload of SPNEGO web authentication filters. |
<allowAppAuthMethodFallback> | This parameter is optional. It allows fallback to the application authentication mechanism. |
<krb5Config> | This parameter is required. It supplies the directory location and file name of the configuration (krb5.ini or krb5.conf) file. |
<krb5Keytab> | This parameter is optional. It supplies the directory location and file name of the Kerberos keytab file. If you do not specify this parameter, the default keytab in the Kerberos configuration file is used. |
${WAS_INSTALL_ROOT}\etc\krb5\krb5.${CFG_OR_INI}
Unconfigure SPNEGO web authentication
Use the unconfigureSpnego command to unconfigure SPNEGO web authentication in the security configuration.
At the wsadmin prompt, enter the following command for help:
Show SPNEGO web authentication
Use the showSPNEGO command to display the SPNEGO web authentication in the security configuration.
At the wsadmin prompt, enter the following command for help:
Validate Kerberos configuration
Use the validateKrbConfig command to validate the Kerberos configuration data either in the global security file security.xml or specified as an input parameter.
At the wsadmin prompt, enter the following command for help:
Option | Description |
---|---|
<checkConfigOnly> | Checks the Kerberos configuration without validating. You must use global security for this check. |
<useGlobalSecurityConfig> | Uses the Global Security configuration data, security.xml, instead of input parameters. |
<validateKrbRealm> | Validates the Kerberos realm against the default Kerberos realm in the Kerberos configuration file (krb5.ini or krb5.conf). |
<serverId> | Specifies the server identity that is used for internal process communications. |
<serverIdPassword> | Specifies the password that is used for the server identity. |
<krb5Spn> | Specifies the Kerberos service principal name in the Kerberos keytab file. |
<krb5Config> | This parameter is required. It supplies the directory location and file name of the configuration (krb5.ini or krb5.conf) file. |
<krb5Keytab> | This parameter is optional. It supplies the directory location and file name of the Kerberos keytab file. If you do not specify this parameter, the default keytab in the Kerberos configuration file is used. |
<krb5Realm> | This parameter is required. It specifies the value for the Kerberos realm name. |
ini for Windows or conf for non-Windows platforms. For example: ${WAS_INSTALL_ROOT}\etc\krb5\krb5.${CFG_OR_INI}
true. To validate the Kerberos configuration with input parameters, set useGlobalSecurityConfig and checkConfigOnly to false and specify values for krb5Spn, krb5Config, krb5Keytab, and krb5Realm.
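The following pre-flight check is an added example, not code from the original page or from the product: it enforces the validateKrbConfig rules stated above before anything is sent to wsadmin, and can mask serverIdPassword so the string is safe to log. The '[-name value ...]' option-string form, the quoting of values with spaces, the function names, and the sample values are assumptions; the parameter names come from the table.

```python
# Added example: pre-flight check for validateKrbConfig options (does not call wsadmin).
KNOWN = ("checkConfigOnly", "useGlobalSecurityConfig", "validateKrbRealm", "serverId",
         "serverIdPassword", "krb5Spn", "krb5Config", "krb5Keytab", "krb5Realm")
INPUT_MODE_REQUIRED = ("krb5Spn", "krb5Config", "krb5Keytab", "krb5Realm")
SECRET = ("serverIdPassword",)


def _fmt(value):
    if isinstance(value, bool):
        return "true" if value else "false"
    text = str(value)
    # Assumption: values containing whitespace are double-quoted in the option string.
    return '"%s"' % text if any(c.isspace() for c in text) else text


def build_validate_krb_config(options, redact=False):
    """Return the '[-name value ...]' string for validateKrbConfig or raise ValueError."""
    unknown = sorted(set(options) - set(KNOWN))
    if unknown:
        raise ValueError("unknown option(s): " + ", ".join(unknown))
    use_global = bool(options.get("useGlobalSecurityConfig", False))
    check_only = bool(options.get("checkConfigOnly", False))
    # The table says checkConfigOnly must be used with global security.
    if check_only and not use_global:
        raise ValueError("checkConfigOnly requires useGlobalSecurityConfig=true")
    if not use_global:
        missing = [n for n in INPUT_MODE_REQUIRED if not options.get(n)]
        if missing:
            raise ValueError("input-parameter mode needs: " + ", ".join(missing))
    merged = dict(options, useGlobalSecurityConfig=use_global, checkConfigOnly=check_only)
    parts = []
    for name in KNOWN:  # fixed order keeps the output reproducible
        if name in merged:
            value = "********" if (redact and name in SECRET) else _fmt(merged[name])
            parts.append("-%s %s" % (name, value))
    return "[" + " ".join(parts) + "]"


# Constructed sample values, not taken from the page.
SAMPLE = {
    "krb5Spn": "HTTP/was.example.com@EXAMPLE.COM",
    "krb5Config": "/opt/was/etc/krb5/krb5.conf",
    "krb5Keytab": "/opt/was/etc/krb5/krb5.keytab",
    "krb5Realm": "EXAMPLE.COM",
    "serverId": "wasadmin",
    "serverIdPassword": "not-a-real-password",
}

if __name__ == "__main__":
    print(build_validate_krb_config(SAMPLE, redact=True))
```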