Skip to Main Content
Cloud Platform


This is an IBM Automation portal for Cloud Platform products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas
  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.


Status Delivered
Created by Guest
Created on Apr 22, 2016

Provide support for Kerberos Constrained Delegation (S4U2Proxy, S4U2Self) in WebSphere Full Profile

With JDK 8 the S4U2Proxy and S4U2Self mechanisms are implemented in the GSSApi for delegated access with credentials of the client to backend servers with Kerberos.

See: http://www.ibm.com/support/knowledgecenter/api/content/nl/en-us/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/whats_new/security_changes_80/security_whatsnew.html#changes__kb_delegation

Currently WebSphere Application Server 8.5.5 and 9beta do not provide APIs or Support for delegating credentials via S4U2Proxy and S4U2Self in a Kerberos authenticated Installation.

In Liberty Profile the S4U2Proxy, S4U2Self mechanisms are supported but this is not the case in Full Profile and seems not to be provided with the new Version 9 of Full Profile.

It would be very helpful, if the Full Profile supports constrained delegation too.

Idea priority High
RFE ID 87276
RFE URL
RFE Product WebSphere Application Server
  • Guest
    Reply
    |
    Sep 12, 2022

    This has been delivered in 9.0.5.13.

  • Guest
    Reply
    |
    Jul 26, 2022

    This has been delivered in 8.5.5.22. It will close when it is also available in 9.0.5. The documentation is here.

4 MERGED

Support constrained delegation on traditional WAS

Merged
Currently configuration of Constrained Delegation in the Microsoft KDC is only supported in Liberty but not in tWAS at this time. Please add this support to tWAS also so that the customers can have a more secure setup. Related to a case TS005914097
over 3 years ago in WebSphere traditional 2 Delivered