
Single Sign-On for Java 3.3.2 - Administration Guide


SPN Mapping and DNS Aliases

If you use multiple hostnames to refer to the Java application server (for example, if you use name-based virtual hosting), use setspn to create an SPN mapping for each hostname involved. A browser builds the SPN it requests a ticket for from the hostname in the URL (some browsers canonicalize a DNS alias first, others do not), so every name by which users reach the server needs a mapping; a name with no SPN fails at the KDC, before the request ever reaches the application server.

For example, assume that:

  • you have an application server on appservhost1.example.com, and
  • that application server also has a DNS alias, appservhost1alias.example.com.

For each of those hostnames, you should map both its fully qualified domain name and its unqualified hostname (short name). If you have a DNS canonical name and one or more DNS aliases, you should set up SPN mappings both for the aliases and for the canonical name.

Thus, for the vsj_appservhost1 account, you should map the following SPNs:

HTTP/appservhost1.example.com

HTTP/appservhost1

HTTP/appservhost1alias.example.com

HTTP/appservhost1alias
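The SPN set above can be generated rather than typed. The shell script below is an added example and is not part of the guide or of the Single Sign-on for Java product: it derives the FQDN and short-name SPNs for every name the server is reached by, prints the setspn commands to run on a domain-joined Windows host, and checks the generated SPNs against a list of SPNs already registered to other accounts. The account name vsj_appservhost1 and the hostnames are the guide's example values; the existing-SPN list fed to the check is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Single Sign-on for Java guide: derive the SPN
# set described above for a server reached by several DNS names, emit the
# setspn commands that register it, and flag SPNs already held by another
# account. Account name and hostnames are the guide's example values; the
# "existing SPN" data fed to check_collisions below is constructed.

# spn_list HOSTNAME... -> one HTTP/<name> line for each FQDN and for its
# short name (the label before the first dot). A name with no dot yields one SPN.
spn_list() {
    for h in "$@"; do
        printf 'HTTP/%s\n' "$h"
        short=${h%%.*}
        if [ "$short" != "$h" ]; then
            printf 'HTTP/%s\n' "$short"
        fi
    done
}

# setspn_script ACCOUNT HOSTNAME... -> commands to run on a domain-joined
# Windows host. setspn -S refuses to add an SPN that already exists on any
# account in the forest; setspn -A adds without that check and is the usual
# source of duplicate SPNs, after which the KDC may encrypt tickets with a
# key the application server does not hold.
setspn_script() {
    account=$1
    shift
    spn_list "$@" | while IFS= read -r spn; do
        printf 'setspn -S %s %s\n' "$spn" "$account"
    done
}

# check_collisions ACCOUNT HOSTNAME... reads "SPN account" pairs on stdin
# (for example parsed from `setspn -L` output for each candidate account) and
# reports every generated SPN that is held by a different account.
# SPN comparison is case-insensitive, as it is in Active Directory.
# Returns 1 if any collision was found.
check_collisions() {
    account=$1
    shift
    existing=$(cat)
    rc=0
    for spn in $(spn_list "$@"); do
        owner=$(printf '%s\n' "$existing" |
            awk -v s="$spn" 'tolower($1) == tolower(s) { print $2; exit }')
        if [ -n "$owner" ] && [ "$owner" != "$account" ]; then
            printf 'COLLISION: %s is already registered to %s\n' "$spn" "$owner"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run: the guide's example, plus a constructed existing-SPN list
# in which the alias was left registered to a retired account.
setspn_script vsj_appservhost1 appservhost1.example.com appservhost1alias.example.com
printf '%s\n' \
    'HTTP/APPSERVHOST1ALIAS.example.com svc_oldweb' \
    'HTTP/other.example.com svc_other' |
    check_collisions vsj_appservhost1 appservhost1.example.com appservhost1alias.example.com ||
    echo 'remove the stale registration with setspn -D before running the commands above'
```

If the check reports a collision, remove the stale registration with setspn -D on the old account before running the generated commands; setspn -X lists duplicates forest-wide, and setspn -L vsj_appservhost1 shows what ended up on the account afterwards.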

Setup with Authentication Services

As an alternative to the steps outlined above, Single Sign-on for Java can be integrated with Authentication Services, which simplifies installation on Authentication Services-enabled UNIX or Linux hosts. The following sections describe that setup.

Authentication Services

The Authentication Services system allows UNIX and Linux users to be authenticated using Active Directory. It provides integration with the UNIX Pluggable Authentication Modules (PAM) and Name Service Switch (NSS) systems.

A system administrator enables Authentication Services on a UNIX host by joining it to the Active Directory domain with the vastool utility. Joining creates a computer account object in Active Directory together with a host principal and a keytab holding that account's keys; Kerberos-enabled applications, Authentication Services-enabled ones included, use those keys to decrypt and authenticate the service tickets presented to them. A keytab can only authenticate tickets for principals whose keys it contains, so the HTTP/ SPNs the application server answers for must be registered on the account whose keys the keytab holds.

Authentication Services keytabs

Authentication Services keytab files are created in the /etc/opt/quest/vas directory, one per service and named after the service that uses it; the host principal's keys, for example, are stored in /etc/opt/quest/vas/host.keytab. The files use the standard Kerberos keytab format, so third-party applications, Single Sign-on for Java included, can read them directly.
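Because the files are standard keytabs, the usual Kerberos tooling can inspect them before Single Sign-on for Java is pointed at one. The script below is an added example, not part of the guide or the product: it parses a `klist -k -t` listing, reports which required principals the keytab lacks and which key version numbers it holds, and checks the file's permissions. It assumes a Linux host with an MIT-style klist and the realm EXAMPLE.COM; the principal names are the guide's example hostnames, and the listing it runs against stand-alone is a constructed transcript, not output captured from a real system.

```shell
#!/bin/sh
# Added example, not part of the Single Sign-on for Java guide: checks to run
# on an Authentication Services keytab before handing it to Single Sign-on
# for Java. Assumptions (not stated on the page): Linux, MIT-style klist,
# realm EXAMPLE.COM, the guide's example hostnames. sample_listing is a
# constructed klist transcript so the checks can be exercised offline.

# Where a joined host's keytabs live, per the guide.
KEYTAB_DIR=/etc/opt/quest/vas

# keytab_listing FILE -> the `klist -k -t` transcript for a real keytab.
keytab_listing() {
    klist -k -t "$1"
}

# Constructed transcript (not captured from a real host): the computer
# account's host/ and ACCOUNT$ keys, an HTTP key that has been rolled once,
# and no key at all for the DNS alias.
sample_listing() {
cat <<'EOF'
Keytab name: FILE:/etc/opt/quest/vas/host.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 01/15/2024 10:22:31 host/appservhost1.example.com@EXAMPLE.COM
   4 01/15/2024 10:22:31 APPSERVHOST1$@EXAMPLE.COM
   3 09/02/2023 08:01:12 HTTP/appservhost1.example.com@EXAMPLE.COM
   4 01/15/2024 10:22:31 HTTP/appservhost1.example.com@EXAMPLE.COM
EOF
}

# keytab_principals LISTING -> distinct principals in a klist transcript.
# Entry lines are "kvno date time principal"; header lines never start with
# a number, which is what filters them out.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && NF == 4 { print $4 }' | sort -u
}

# keytab_kvnos LISTING PRINCIPAL -> key version numbers held for PRINCIPAL,
# ascending, space-separated; empty if it is absent. Several versions are
# normal after a key change: the newest decrypts fresh tickets, older ones
# keep tickets issued before the change valid. What breaks authentication is
# a newest kvno older than the KDC's, i.e. the account password changed and
# the keytab was never regenerated.
keytab_kvnos() {
    printf '%s\n' "$1" |
        awk -v p="$2" '$1 ~ /^[0-9]+$/ && NF == 4 && $4 == p { print $1 }' |
        sort -n -u | paste -s -d ' ' -
}

# missing_principals LISTING PRINCIPAL... -> prints each required principal
# the keytab lacks; returns 1 if any. The match is exact: a key for
# HTTP/appservhost1 does not serve a ticket for HTTP/appservhost1.example.com.
missing_principals() {
    listing=$1
    shift
    rc=0
    for p in "$@"; do
        if [ -z "$(keytab_kvnos "$listing" "$p")" ]; then
            printf 'MISSING: %s\n' "$p"
            rc=1
        fi
    done
    return $rc
}

# world_readable FILE -> true when the "other" read bit is set. A keytab is
# the service's long-term key: it must be readable by the account the
# application server runs as, and by nobody else. The converse matters too:
# a keytab only root can read is useless to a server running unprivileged,
# which then needs its own readable copy rather than a loosened host.keytab.
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Stand-alone run against the constructed transcript. On a joined host use
#   listing=$(keytab_listing "$KEYTAB_DIR/host.keytab")
listing=$(sample_listing)
echo 'principals:'
keytab_principals "$listing"
echo "kvnos for HTTP/appservhost1.example.com@EXAMPLE.COM: $(keytab_kvnos "$listing" HTTP/appservhost1.example.com@EXAMPLE.COM)"
missing_principals "$listing" \
    HTTP/appservhost1.example.com@EXAMPLE.COM \
    HTTP/appservhost1alias.example.com@EXAMPLE.COM ||
    echo 'register the missing SPN and regenerate the keytab before going on'
```

Run against the constructed transcript, the alias principal is reported missing: the DNS alias has an SPN mapping requirement (see the previous section) and a keytab requirement, and a ticket for HTTP/appservhost1alias.example.com is rejected until both are met.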
