SPNEGO, or the Simple and Protected GSSAPI Negotiation mechanism, enables a straightforward single sign-on (SSO) mechanism for WebSphere in Kerberos environments.
This article is intended to provide instructions to configure SPNEGO for WebSphere Application Server using Microsoft Active Directory as the Kerberos security server. It is meant to be a ‘quick-start’ guide, providing the minimum steps and default options required to get up and running quickly in several specific test scenarios, and is not meant to be a replacement for the official WebSphere documentation. Once you are comfortable with the basic SPNEGO steps that you learn here, please refer to your WebSphere Documentation Centre for further and more advanced configuration options.
This article covers four basic SPNEGO configuration scenarios: Single Server, Distributed, Clustered, and Dispatched:
|Single Server||Configuration with a single instance of WebSphere Application Server (WAS)|
|Distributed||Configuration with a single instance of WAS, plus the setup of an HTTP server on a separate machine routing requests to WAS.|
|Clustered||Configuration with a WAS ND cluster, also front-ended by HTTP servers.|
|Dispatched||Discuss the configuration with an IP Sprayer in front of the WAS ND cluster|
RedHat Enterprise Linux 4 was used as the OS to host all the instances of WebSphere V6 and V7 for the different scenarios. For WebSphere V8, RedHat Enterprise Linux 6.3 was used. An instance of Windows Server 2003 SP1 hosted the Active Directory and a Windows XP SP2 instance in the AD domain was used for the browser client. Testing was also performed with an instance of Windows Server 2000 SP4, and a Windows 7 client with Windows Server 2008 R2 as the security server.
Windows Server 2008 R2 requires no additional support tools to be installed.