Thursday, August 02, 2012

SPNEGO Lessons Learned

I was installing IC3011 and integrating it with SP2010. I needed to lay the foundation of IC3011 plus Kerberos auth, then turn on SPNEGO SSO to allow pass-through auth for browser clients, as SP2010 offers. While setting up SPNEGO I encountered a few issues and wanted to capture them so I remember them the next time I need to do this.


Issue 1: Remember to Patch!

IC 3.0.1.1 supports WAS 7.0.0.11 through 7.0.0.21.

http://www-01.ibm.com/support/docview.wss?uid=swg27021342

Be sure to at least reach WAS 7.0.0.15, as there are critical Kerberos fixes that will make your life easier.

Issue 2: Double Check Security

Applying a FixPack after the initial installation and configuration may revert your security setting to disabled. Make sure to turn it back on right after the upgrade.

Issue 3: Mind Your User IDs

My initial strategy was to use the same ID for everything security related. The ID used to establish the SPN for the server needs to be different from the one set up as the administrative ID within the app server and for the individual features.

http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Mapping_an_Active_Directory_account_to_administrative_roles_ic301 – THIS ID IS SEPARATE FROM

http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Creating_a_service_principal_name_and_keytab_file_ic301 – THIS ID

Issue 4: Sync the Node(s)

Somewhere during all of the installation and patching activities to take a base 3.0.1 installation up to a patched 3.0.1.1, the node fell out of sync with the DM. I had to manually force the sync for the ISC to report the state of applications and node agents properly. The sync issue was also causing some of my configuration changes not to make their way to the running app server. Periodically run a syncNode from the command line to course-correct your node agent.
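A post-FixPack sanity check that covers Issue 2 and Issue 4 together, as an added example that is not from the original post or from IBM's documentation: a wsadmin Jython script, run against the deployment manager, that reports whether global security is still enabled and forces a node sync on any node whose NodeSync MBean says it has drifted. It assumes a network deployment cell with the node agents running; the file name `check_post_fixpack.py` is an assumption.

```jython
# check_post_fixpack.py (added example, not from the original post)
# Run from the deployment manager profile:
#   wsadmin.sh -lang jython -f check_post_fixpack.py
# Relies on the wsadmin AdminConfig / AdminControl objects, which only exist
# inside wsadmin; this is not a standalone Python script.

def global_security_enabled():
    """Issue 2: report whether global (administrative) security is on."""
    sec_id = AdminConfig.list('Security')
    # 'enabled' is the global-security flag on the cell's Security object
    return AdminConfig.showAttribute(sec_id, 'enabled') == 'true'

def managed_nodes():
    """All node names except the deployment manager's own node."""
    dmgr_node = AdminControl.getNode()   # node wsadmin is connected to
    nodes = []
    for node_id in AdminConfig.list('Node').splitlines():
        name = AdminConfig.showAttribute(node_id, 'name')
        if name != dmgr_node:
            nodes.append(name)
    return nodes

def node_sync_mbean(node_name):
    """NodeSync MBean of a running node agent, or '' if the agent is down."""
    return AdminControl.completeObjectName('type=NodeSync,node=%s,*' % node_name)

def ensure_synced(node_name):
    """Issue 4: check node sync state and force a sync when it has drifted."""
    ns = node_sync_mbean(node_name)
    if not ns:
        return 'node agent not running on %s; start it, then run syncNode' % node_name
    if AdminControl.invoke(ns, 'isNodeSynchronized') == 'true':
        return '%s already in sync' % node_name
    AdminControl.invoke(ns, 'sync')
    return 'forced sync on %s' % node_name

if global_security_enabled():
    print 'OK  : global security is enabled'
else:
    print 'WARN: global security is DISABLED - re-enable it before going further'

for n in managed_nodes():
    print ensure_synced(n)
```

Running this right after each FixPack catches both problems from the post in one pass: a "WARN" line means the upgrade reset security, and a "forced sync" line means the node agent was serving stale configuration until just now. Nothing is saved to the configuration repository, so the script is safe to run repeatedly.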
