I am adding this to my required reading list for projects where Kerberos and SPNEGO are used to deliver desktop Single Sign-On with WebSphere Application Server: -
Summary: The Simple and Protected GSS-API Negotiation (SPNEGO) trust association interceptor (TAI) in IBM® WebSphere® Application Server V6.1 and in the SPNEGO Web Authentication feature in WebSphere Application Server V7.0 can be a powerful tool to achieve a seamless single sign-on environment between Microsoft® Windows® desktops and WebSphere-based servers. However, some users have trouble configuring service principal names when using SPNEGO. This article describes some best practices for configuring Microsoft Active Directory when using SPNEGO with WebSphere Application Server. (Updated for WebSphere Application Server Versions 6.1 and 7.0.)
• Users with WebSphere Application Server Version 5.1.1.x and 6.0.x can obtain a custom service offering solution from IBM Software Services for WebSphere (ISSW). This solution comes with the source code, and you maintain the custom code yourself. To obtain more information about the ISSW SPNEGO TAI services offering for WebSphere Application Server V5.1.1 and V6.0, contact IBM Software Services for WebSphere.
• WebSphere Application Server Version 6.1 ships a TAI based upon the ISSW version mentioned above, which is a fully supported product code. However, you do not get the source code with this version.
• WebSphere Application Server V7.0 includes SPNEGO function via a new SPNEGO Web Authentication. (V7.0 still ships, but has deprecated, the SPNEGO TAI.)
as I'd previously assumed that WAS did not include native SPNEGO support until 22.214.171.124. In fact, we shipped SPNEGO in WAS 6.1, but have moved to a new SPNEGO Web Authentication module in v7.
All good stuff …..
Will add this to my existing presentation for WAS and SPNEGO (as delivered at Social Connections II in Cardiff last year).