Kerberos configuration models for Web services
The WAS configuration model leverages existing frameworks.
The configuration model features include:
- Deployment descriptors and bindings configuration to enable the Kerberos token profile for JAX-RPC applications
- Policy sets and bindings configuration to enable the Kerberos token profile for Java Architecture for XML Web Services (JAX-WS) applications
- WS-Security APIs for JAX-WS applications
- Administrative command scripts
- Interoperability with Microsoft Web Services Enhancements (WSE) V3.5
Following are some examples of possible configurations when using the Kerberos token:
- A JAX-WS client on Windows operating systems
- A JAX-RPC client on Windows operating systems
- A Windows JAX-RPC client on z/OS operating systems
- WS-Security APIs on Windows operating systems
- A Microsoft .NET WSE 3.5 client on Windows operating systems
- A Microsoft .NET WSE 3.5 client on z/OS operating systems
JAX-WS configuration model
For JAX-WS applications, the WAS client configuration model uses policy sets and leverages a custom policy set for the Kerberos token. The custom policy set specifies the Kerberos token type, message signing, and message encryption. The WS-Security policy is the security policy used to secure the application messages.
Using the admin console, we can specify the Kerberos token type, message signing, and message encryption by using an existing custom policy set. Kerberos token generation and consumption includes the Kerberos token generation for unmanaged JAX-WS clients.
The JAX-WS model also provides capabilities to enable the Kerberos token profile and identity assertion by configuring the Kerberos token using policy sets, WS-Security APIs, and admin command scripts.
For JAX-WS applications, we can use admin commands to configure the policy set as an alternative to using the admin console.
JAX-RPC configuration model
JAX-RPC applications are configured using a deployment model. The deployment descriptor specifies the custom token to use for the Kerberos token. A JAX-RPC client can generate the specified Kerberos token. A JAX-RPC Web service can successfully authenticate the Kerberos token by using a custom or the default Kerberos identity mapping login module.
API configuration model
A set of APIs is provided by WAS. To successfully use these APIs, application developers must have knowledge about the OASIS WS-Security V1.0 and 1.1 specifications. When you use these APIs, the appserver assumes that a policy set is not attached to the client resources; however, a warning is still issued when the appserver detects any policy set information.
For JAX-WS client applications, the APIs include and enforce WS-Security policy for the Kerberos token, which is based on the OASIS token profile. To enable the Kerberos token profile with the policy set, first configure the WS-Security policy and the binding files with the custom token.
For JAX-RPC applications, APIs for WS-Security are not provided. You must use the deployment descriptor to specify the custom token to use for the Kerberos token. Use the custom token panels within an assembly tool, such as Rational Application Developer, to configure the deployment information.
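Whichever configuration model produces it, the Kerberos token travels as a `wsse:BinarySecurityToken` in the WS-Security header, as defined by the OASIS Kerberos token profile. The following added example (not WAS code and not from the original page) checks that element's ValueType, EncodingType and leading DER tag when verifying a configuration from a captured message. The function names `check_kerberos_token` and `sample_message`, the exactly-one-token policy and the sample payloads are assumptions made for illustration.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
KRB = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#"
# ValueType names defined by Kerberos Token Profile 1.1.
KRB_TYPES = {KRB + n for n in (
    "Kerberosv5_AP_REQ", "GSS_Kerberosv5_AP_REQ",
    "Kerberosv5_AP_REQ1510", "GSS_Kerberosv5_AP_REQ1510",
    "Kerberosv5_AP_REQ4120", "GSS_Kerberosv5_AP_REQ4120")}

def check_kerberos_token(soap_xml):
    """Return (ok, reason) for the Kerberos token in a SOAP message's wsse:Security header."""
    try:
        root = ET.fromstring(soap_xml)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    tokens = [t for sec in root.iter(f"{{{WSSE}}}Security")
              for t in sec.findall(f"{{{WSSE}}}BinarySecurityToken")]
    if len(tokens) != 1:  # assumption: local policy expects exactly one token
        return False, f"expected one BinarySecurityToken, found {len(tokens)}"
    tok = tokens[0]
    value_type = tok.get("ValueType", "")
    if value_type not in KRB_TYPES:
        return False, "ValueType is not a Kerberos Token Profile 1.1 type"
    if tok.get("EncodingType") != B64:
        return False, "EncodingType is not Base64Binary"
    try:
        raw = base64.b64decode("".join((tok.text or "").split()), validate=True)
    except binascii.Error:
        return False, "token is not valid base64"
    # DER tag: GSS-wrapped token is [APPLICATION 0] (0x60), bare AP-REQ is [APPLICATION 14] (0x6E).
    expected = 0x60 if value_type.startswith(KRB + "GSS_") else 0x6E
    if not raw or raw[0] != expected:
        return False, "token bytes do not start with the expected DER tag"
    return True, "ok"

def sample_message(value_type, payload, encoding=B64):
    """Build a constructed SOAP 1.1 envelope; the payload is not a real ticket."""
    b64 = base64.b64encode(payload).decode()
    return (f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="{WSSE}">'
            f'<s:Header><wsse:Security><wsse:BinarySecurityToken ValueType="{value_type}" '
            f'EncodingType="{encoding}">{b64}</wsse:BinarySecurityToken></wsse:Security></s:Header>'
            f'<s:Body/></s:Envelope>')

if __name__ == "__main__":
    print(check_kerberos_token(sample_message(KRB + "GSS_Kerberosv5_AP_REQ", b"\x60constructed")))
    print(check_kerberos_token(sample_message(KRB + "Kerberosv5_AP_REQ", b"\x60constructed")))
```

The check covers the token envelope only; validating the ticket itself remains the job of the Kerberos login module on the service side.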
Kerberos Token Profile V1.1 specification
Kerberos Token Profile 1.1 Approved Errata