I am adding this to my required reading list for projects where Kerberos and SPNEGO are used to deliver desktop Single Sign-On with WebSphere Application Server: -
Summary: The Simple and Protected GSS-API Negotiation (SPNEGO) trust association interceptor (TAI) in IBM® WebSphere® Application Server V6.1 and in the SPNEGO Web Authentication feature in WebSphere Application Server V7.0 can be a powerful tool to achieve a seamless single sign-on environment between Microsoft® Windows® desktops and WebSphere-based servers. However, some users have trouble configuring service principal names when using SPNEGO. This article describes some best practices for configuring Microsoft Active Directory when using SPNEGO with WebSphere Application Server. (Updated for WebSphere Application Server Versions 6.1 and 7.0.)
• Users with WebSphere Application Server Version 5.1.1.x and 6.0.x can obtain a custom service offering solution from IBM Software Services for WebSphere (ISSW). This solution comes with the source code, and you maintain the custom code yourself. To obtain more information about the ISSW SPNEGO TAI services offering for WebSphere Application Server V5.1.1 and V6.0, contact IBM Software Services for WebSphere.
• WebSphere Application Server Version 6.1 ships a TAI based upon the ISSW version mentioned above, which is a fully supported product code. However, you do not get the source code with this version.
• WebSphere Application Server V7.0 includes SPNEGO function via a new SPNEGO Web Authentication. (V7.0 still ships, but has deprecated, the SPNEGO TAI.)
as I'd previously assumed that WAS did not include native SPNEGO support until 22.214.171.124. In fact, we shipped SPNEGO in WAS 6.1, but have moved to a new SPNEGO Web Authentication module in v7.
All good stuff …..
Will add this to my existing presentation for WAS and SPNEGO (as delivered at Social Connections II in Cardiff last year).