Editing Substitution Variables for Kerberos

The service principal name (SPN) identifies the ActiveMatrix BPM service to Kerberos. Kerberos uses the SPN to look up the service account and verify the credentials in service tickets presented to access the service. You must use TIBCO ActiveMatrix Administrator to specify the SPN in the substitution variables of the ActiveMatrix BPM application that govern Kerberos use.

Procedure

  1. In TIBCO ActiveMatrix Administrator, select Applications.
  2. From the Applications window, expand amx.bpm.app > System.
  3. Select amx.bpm.app.
  4. From the amx.bpm.app window, select the Substitution Variables tab.
    You can click Substitution Variable Name to display the variables alphabetically, which is useful here as the substitution variables you are interested in all start with 'auth' and are at the beginning of the list.
  5. There are three substitution variables relevant to Kerberos that you can edit:

    authAllowUsername
      Description: When the default method of authentication is not LdapAsp, this variable governs whether the Web client can also log in using username/password.
      If True, when the client includes the HTTP Request Header X-TIBCO-BPM-Authenticate (with any non-null value), authentication follows the username/password behavior.
      Default: False

    authDefaultMethod
      Description: Names the default method of Web-IT authentication, that is, authentication for web applications and REST services. Possible values are:
      • LdapAsp - username/password authentication.
      • SiteminderAsp - SiteMinder authentication.
      • KerberosAsp - Kerberos authentication.
      Default: LdapAsp

    authSiteMinderService
      Description: Specifies the SPN to be secured by Kerberos. Usually in the format:

      ServiceName/FullyQualifiedDomainName@DomainName

      For example:

      HTTP/amxbpm.example.com@EXAMPLE.COM

      Note: The default value of "/" is only applicable to SiteMinder.
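
A pre-change check for the three variables above, as an added example that is not TIBCO code: it takes the intended values as a plain dictionary (it does not talk to ActiveMatrix Administrator) and reports combinations that conflict with the descriptions on this page. The function names are hypothetical, and the upper-case realm check is a general Kerberos convention assumed here, not a rule stated on this page.

```python
import re

METHODS = {"LdapAsp", "SiteminderAsp", "KerberosAsp"}  # values listed on the page
# "Usually" ServiceName/FullyQualifiedDomainName@DomainName, per the page.
SPN_RE = re.compile(r"^(?P<service>[^/@\s]+)/(?P<host>[^/@\s]+)@(?P<realm>[^/@\s]+)$")
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_spn(spn):
    """Split an SPN into (service, host, realm); return None if the shape is wrong."""
    m = SPN_RE.match(spn.strip())
    return (m["service"], m["host"], m["realm"]) if m else None


def check_kerberos_vars(variables):
    """Return a list of findings for the three auth* substitution variables."""
    findings = []
    method = variables.get("authDefaultMethod", "LdapAsp")      # page default
    allow = str(variables.get("authAllowUsername", "False")).lower() == "true"
    spn = variables.get("authSiteMinderService", "/")           # page default
    if method not in METHODS:
        findings.append(f"authDefaultMethod: unknown value {method!r}")
    if method == "KerberosAsp":
        parts = parse_spn(spn)
        if spn.strip() == "/":
            findings.append("authSiteMinderService: default '/' only applies to SiteMinder")
        elif parts is None:
            findings.append("authSiteMinderService: not ServiceName/FQDN@DomainName")
        else:
            _, host, realm = parts
            labels = host.split(".")
            if len(labels) < 2 or not all(LABEL_RE.match(l) for l in labels):
                findings.append(f"authSiteMinderService: {host!r} is not a fully qualified name")
            if realm != realm.upper():  # convention, not a rule stated on the page
                findings.append(f"authSiteMinderService: realm {realm!r} is not upper case")
    if allow and method != "LdapAsp":
        findings.append("authAllowUsername: username/password login stays reachable "
                        "via the X-TIBCO-BPM-Authenticate header")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    sample = {"authDefaultMethod": "KerberosAsp", "authAllowUsername": "True",
              "authSiteMinderService": "HTTP/amxbpm@example.com"}
    for line in check_kerberos_vars(sample):
        print(line)
```

An empty list means the values are consistent with the descriptions above; it does not confirm that the SPN is actually registered for the service account in the directory.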