The service principal name (SPN) identifies the ActiveMatrix BPM service to Kerberos. Kerberos uses the SPN to look up the service account and verify the credentials in service tickets presented to access the service. You must use TIBCO ActiveMatrix Administrator to specify the SPN in the substitution variables of the ActiveMatrix BPM application that govern Kerberos use.
Procedure
1. In TIBCO ActiveMatrix Administrator, select Applications.
2. From the Applications window, expand amx.bpm.app > System.
3. Select amx.bpm.app.
4. From the amx.bpm.app window, select the Substitution Variables tab.
   You can click Substitution Variable Name to display the variables alphabetically, which is useful here as the substitution variables you are interested in all start with 'auth' and are at the beginning of the list.
There are three substitution variables relevant to Kerberos which you can edit.
Variable: authAllowUsername
Description: When the default method of authentication is not LdapAsp, this variable governs whether the Web client can also log in using username/password. If True, when the client includes the HTTP Request Header X-TIBCO-BPM-Authenticate (with any non-null value), authentication follows the username/password behavior.
Default: False

Variable: authDefaultMethod
Description: Names the default method of Web-IT authentication, that is, authentication for web applications and REST services. Possible values are:
  LdapAsp - username/password authentication.
  SiteminderAsp - SiteMinder authentication.
  KerberosAsp - Kerberos authentication.
Default: LdapAsp

Variable: authSiteMinderService
Description: Specifies the SPN to be secured by Kerberos. Usually in the format:
  ServiceName/FullyQualifiedDomainName@DomainName
For example:
  HTTP/amxbpm.xyz.com@XYZ.COM
Note: The default value of "/" is only applicable to SiteMinder.
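
The following pre-flight check for the three variables is an added example, not TIBCO code. It assumes the values have been copied by hand into a dictionary; the names lint_auth_vars and parse_spn are hypothetical, and the realm/host comparison is a heuristic rather than a product rule.

```python
import re

# The three values the page lists for authDefaultMethod.
METHODS = {"LdapAsp", "SiteminderAsp", "KerberosAsp"}
# ServiceName/FullyQualifiedDomainName@DomainName, the format given above.
SPN_RE = re.compile(r"^([A-Za-z][\w-]*)/([A-Za-z0-9.-]+)@([A-Za-z0-9.-]+)$")
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def parse_spn(value):
    """Split an SPN into (service, host, realm); raise ValueError if malformed."""
    m = SPN_RE.match(value.strip())
    if not m:
        raise ValueError("not in ServiceName/FullyQualifiedDomainName@DomainName form")
    service, host, realm = m.groups()
    labels = host.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        raise ValueError("host part is not a fully qualified domain name")
    return service, host, realm

def lint_auth_vars(variables):
    """Return (severity, message) findings for the three auth* variables."""
    findings = []
    # Missing keys fall back to the defaults stated on the page.
    method = variables.get("authDefaultMethod", "LdapAsp")
    allow_user = str(variables.get("authAllowUsername", "False")).lower() == "true"
    spn = variables.get("authSiteMinderService", "/")
    if method not in METHODS:
        findings.append(("error", f"authDefaultMethod {method!r} is not a listed value"))
    if method == "KerberosAsp":
        if spn == "/":
            findings.append(("error", "authSiteMinderService is '/', which applies only to SiteMinder"))
        else:
            try:
                _, host, realm = parse_spn(spn)
                if realm != realm.upper():  # realms are case sensitive, upper case by convention
                    findings.append(("warning", f"realm {realm!r} is not upper case"))
                # Heuristic (assumption): the host normally sits in the realm's DNS domain.
                if not host.lower().endswith("." + realm.lower()):
                    findings.append(("warning", f"host {host!r} is not under {realm.lower()!r}"))
            except ValueError as exc:
                findings.append(("error", f"authSiteMinderService: {exc}"))
    if allow_user and method != "LdapAsp":
        findings.append(("info", "clients sending X-TIBCO-BPM-Authenticate get username/password login"))
    return findings

if __name__ == "__main__":
    # Constructed sample: values as they might be copied from the Substitution Variables tab.
    sample = {"authDefaultMethod": "KerberosAsp", "authAllowUsername": "True",
              "authSiteMinderService": "HTTP/amxbpm@xyz.com"}
    for severity, message in lint_auth_vars(sample):
        print(f"{severity}: {message}")
```

An "info" finding is not a fault: it records that username/password login remains reachable alongside Kerberos, which is worth confirming is intended.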