Kerberos token

IBM WAS provides Kerberos token support for Web services message-level security. The support is based on the Organization for the Advancement of Structured Information Standards (OASIS) WS-Security Kerberos Token Profile V1.1. Use this topic to understand the Kerberos support that is available for Web services.


Kerberos token profile version 1.1

Kerberos Version 5 is a mature, open standard that provides a secure third-party authentication mechanism. The OASIS Web Services SOAP Message Security specification references the Kerberos token in the SOAP message. Web services applications can use the Kerberos token to send identities and protect messages more securely. Overall, Kerberos support involves Kerberos support in Java EE security and the Kerberos token support in WS-Security. This page covers the Kerberos token support in WS-Security only.

In WAS V7.0, WS-Security introduces support for the Kerberos token, which is based on OASIS WS-Security Kerberos Token Profile V1.1 specification. The Kerberos token is a binary security token for Web services message-level security. WS-Security provides SOAP message-level security, such as security token propagation, message signature, and message encryption. The Kerberos token is used for message security, specifically with the SOAP message security spec for Web services, and is another supported token, such as the username token and the secure conversation token.

See the WS-Security Kerberos Token Profile V1.1 specification. The specification explains how to use Kerberos security with the WS-Security and how the Kerberos token is propagated and used to secure the SOAP message through signing and encryption.


Kerberos token profile enablement

The WAS configuration model leverages existing tools and frameworks for the Kerberos token profile configuration of authentication and message protection, such as:

For JAX-WS client applications, the design updates the APIs for WS-Security and enforces a WS-Security policy with a Kerberos token, which is based on the OASIS token profile. To enable a Kerberos token profile by using a policy set, first establish the WS-Security policy and binding files by using a custom token.

See the "Kerberos configuration models for Web services" topic.


Kerberos support

The following Kerberos-related function is supported by Web services in WAS:

The appserver does not support the following function:


Kerberos message protection for Web services
Kerberos usage overview for Web services
Kerberos configuration models for Web services

WS-Security Kerberos token for authentication in a single or cross Kerberos realm environment
Kerberos clustering for Web services


Related concepts

WS-Security provides message integrity, confidentiality, and authentication


Related tasks

Set the Kerberos token for WS-Security


Related information

Kerberos Token Profile V 1.1 specification
Kerberos Token Profile 1.1 Approved Errata