WebSphere Application Server Cluster : SPNEGO TAI : SSO

Active Directory

Create SPN (the SPN must be unique in the forest; a second account carrying the same HTTP/ SPN breaks Kerberos for both)
setspn -A HTTP/wasserver.private.lan ad-svc-spn

Check SPN
setspn -L ad-svc-spn

Generate keytab (the realm is the AD domain name in upper case; -mapOp set replaces any existing mapping and -pass resets the service account password; the encryption type ktpass uses, selectable with -crypto, must match the -encryption given to createKrbConfigFile below)
ktpass -princ HTTP/wasserver.private.lan@AD-DOMAIN -out c:\keytab.file -mapuser ad-svc-spn -mapOp set -pass Password

WebSphere Application Server

Infocenter SPNEGO TAI

enable TAI: com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl
custom properties: com.ibm.ws.security.spnego.SPN1.hostName = wasserver.private.lan

[Screenshot: 2013-03-18_1138]

[Screenshot: 2013-03-18_1140]

JVM settings (wsadmin, Jacl)
# locate the JVM object of the server that will run the TAI
set server1 [$AdminConfig getid /Cell:QCell/Node:Q1N/Server:server1/]
set jvm [$AdminConfig list JavaVirtualMachine $server1]
set cjvm [lindex $jvm 0]
# JVM custom property that switches the SPNEGO TAI on
set attr_name [list name com.ibm.ws.security.spnego.isEnabled]
set attr_value [list value true]
set attr_required [list required false]
set attr_description [list description "Enabled SPNEGO TAI"]
set attrs [list $attr_name $attr_value $attr_required $attr_description]
$AdminConfig create Property $cjvm $attrs
$AdminConfig save
# write krb5.ini; realm and keytab path must match what ktpass produced
$AdminTask createKrbConfigFile {-krbPath c:\winnt\krb5.ini -realm AD-DOMAIN -kdcHost kdchost.private.lan -kdcPort 88 -dns dns.private.lan -keytabPath c:\winnt\krb5.keytab -encryption rc4-hmac-nt}
$AdminConfig save

[Screenshot: 2013-03-18_1146]

Copy c:\winnt\krb5.keytab (and the generated c:\winnt\krb5.ini, which every JVM reads locally) from the dmgr to each cluster member, using the same paths. The keytab holds the service's long-term key: transfer it over a secure channel and restrict file access to the user the WebSphere processes run as.
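Before copying the keytab around, it is worth checking that what ktpass wrote actually matches the SPN, realm and encryption type the TAI and krb5.ini expect. The following Python script is an added example (not part of the original page and not IBM or Microsoft tooling): it parses the MIT 0x0502 keytab format that ktpass emits and reports mismatches. The sample keytab it builds uses the placeholder principal HTTP/wasserver.private.lan@AD-DOMAIN from this page with a dummy 16-byte key; run it against the real file with `python keytab_check.py c:\winnt\krb5.keytab`.

```python
"""Inspect a Kerberos keytab (MIT format 0x0502, as written by ktpass) and
check it against the SPN the SPNEGO TAI expects.

Added example, not code from the original page.  The sample keytab below is
constructed in code with a dummy key; no real key material is embedded.
"""
import struct
import sys
from dataclasses import dataclass
from typing import List

# Encryption type numbers from RFC 3961 / RFC 4757.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",  # ktpass calls this RC4-HMAC-NT
}
KRB5_NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    principal: str   # e.g. HTTP/wasserver.private.lan
    realm: str
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _cstr(buf: bytes, off: int):
    """Read a 16-bit length-prefixed octet string."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2: off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:              # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _cstr(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _cstr(data, off)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off: off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:        # optional 32-bit kvno overrides the 8-bit one
            (v32,) = struct.unpack_from(">I", data, off)
            if v32:
                kvno = v32
        off = end
        entries.append(KeytabEntry("/".join(comps), realm.decode(),
                                   name_type, ts, kvno, enctype, key))
    return entries


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries in the same layout parse_keytab reads (used for the sample)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        comps = e.principal.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(e.realm)) + e.realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_keytab(data: bytes, spn: str, realm: str, allowed=(17, 18, 23)) -> List[str]:
    """Return a list of problems; an empty list means the keytab fits this SPN."""
    problems = []
    matching = [e for e in parse_keytab(data) if e.principal == spn and e.realm == realm]
    if not matching:
        problems.append(f"no entry for {spn}@{realm}")
    for e in matching:
        if e.name_type != KRB5_NT_PRINCIPAL:
            problems.append(f"name type {e.name_type} is not KRB5_NT_PRINCIPAL (ktpass -ptype)")
        if e.enctype not in allowed:
            problems.append(f"enctype {ENCTYPE_NAMES.get(e.enctype, e.enctype)} not allowed")
        if e.realm != e.realm.upper():
            problems.append(f"realm {e.realm} is not upper case; the KDC will not match it")
    if len({e.kvno for e in matching}) > 1:
        problems.append("entries with different kvno: stale entry from an earlier ktpass run?")
    return problems


# Constructed sample: placeholder names from the page, dummy key bytes.
SAMPLE_KEYTAB = build_keytab([KeytabEntry("HTTP/wasserver.private.lan", "AD-DOMAIN",
                                          KRB5_NT_PRINCIPAL, 1363603200, 3, 23, bytes(range(16)))])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for e in parse_keytab(data):
        print(f"{e.principal}@{e.realm} kvno={e.kvno} enctype={ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
    for p in check_keytab(data, "HTTP/wasserver.private.lan", "AD-DOMAIN"):
        print("PROBLEM:", p)
```

The kvno reported here must equal the one the KDC currently holds for the account; each `ktpass -pass` run bumps it, so a keytab generated before a later password reset fails silently at the TAI. Passing `allowed=(17, 18)` flags the rc4-hmac-nt entry this page configures, which is useful when migrating the TAI off RC4 to AES.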

Note: If you don't use the default location and Kerberos configuration file name, then you have to update the *.krb5ConfigFile properties in the soap.client.props, ipc.client.props and sas.client.props files. Also, if the client programmatic login uses the WSKRBLogin module, you must also set the java.security.krb5.conf JVM property.