Single Sign-On: Windows and WebSphere

A common requirement when implementing single sign-on solutions within organizations is to be able to share the authentication information betweeen the user desktop and the web application. This requirement becomes more important for intranet applications. WebSphere Application Server provides the capability to acheive Single Sign-On with Windows and Web Applications by providing a trust association interceptor (TAI) that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured resources in WebSphere Application Server. When the SPNEGO TAI is initialized, authentication for all the Web Applications on that server goes through the TAI. HTTP users log in and authenticate only once at their desktop and are authenticated (internally) with WebSphere Application Server. The SPNEGO TAI is only visible to the WebSphere administrator who is responsible for ensuring a proper configuration, capacity, and maintenance of the Web environment.
Additional Requirements (Apart from WebSphere Application Server 6.1)

• Microsoft’s Windows 2000 or Windows 2003 Servers with Active Directory domain and associated Kerberos Key Distribution Center (KDC).
• Microsoft Internet Explorer Version 5.5 or later, Mozilla Firefox Version 1.0, or any other client application that supports SPNEGO mechanism.

Additional Considerations

• The LDAP Server used by WebSphere and the Windows Active Directory must be the same for the default configuration, if different, then a custom login module (provided with WAS) must be configured to handle authentication.
• The end user must configure the Web browser or .NET application to issue HTTP requests that are processed by the SPNEGO TAI.
• The Web administrator is responsible for configuring the SPNEGO TAI of WebSphere Application Server to respond to HTTP requests of the client.
• The WebSphere Application Server administrator is responsible for configuring WebSphere Application Server and the SPNEGO TAI for optimum installation performance.
• Kerberos version 5 is required.
• RC4-HMAC encryption is only supported when using a Windows 2003 Server as Kerberos key distribution center (KDC) and is not supported with a Windows 2000 Server.

Security Enhancements in WebSphere 6.1

In his latest article, Keys Botzum gives an overview of the the security enhancements to WebSphere Application Server 6.1. Here is a a list of the enhancements, for more details, read the article.

• Default Security Settings: Some of the default settings have been changed in the new version:
  • Administrative security is enabled automatically during installation.
  • All internal transports are authenticated by default.
  • Most internal transports are encrypted by default.
  • The default encryption keys are eliminated. A cell-specific set of keys is created automatically.
  • JNDI is read-only by default to all.
  • Messaging limits connections to only authenticated users granted the bus connect role by default. AllAuthenticated no longer has that role by default.
• Simplified certificate and key management.
  • The admin client can query the server and automatically import the server's signing certificate
  • The admin tools can be used to generate certificates and certificate requests, import keys and certificates, manage certificates and keys, and even share them across the cell.
  • Programmatic APIs for applications to obtain URLStreamHandlers, SSLContext instances, and SSLSocketFactories, based on the WebSphere Application Server-managed SSL configuration.
  • LTPA encryption keys are automatically changed at regular intervals. To avoid outages, multiple key versions are simultaneously supported.
• Support for federated repositories.
  • Support for file registry
  • Support for multiple LDAP registries.
  • Support for LDAP failover.
• Fine-grained authorization control (below cell level) for administrative users.
• Single Sign-On from windows desktops to intranet applications.