Set Kerberos as the authentication mechanism using the admin console
Overview
Use the admin console to configure Kerberos as the authentication mechanism for the appserver. When you have entered and applied the required information to the configuration, the Kerberos service principal name (SPN) is formed as
serviceName/fully_qualified_hostname@KerberosRealm
This name is used to verify incoming Kerberos token requests.
Before attempting to configure Kerberos as the authentication mechanism using the admin console see Kerberos (KRB5) authentication mechanism support for security.
The following items are required before you attempt to configure Kerberos as the authentication mechanism using the admin console:
- Use the createKrbConfigFile wsadmin command to create the Kerberos configuration file, krb5.ini or krb5.conf.
- You must have a Kerberos keytab file (krb5.keytab) that contains a Kerberos service principal name (SPN) of the form
serviceName/fully_qualified_hostname@KerberosRealm
for each machine that runs a WebSphere application server. The service name can be anything; the default value is WAS.
For example, if we have two appserver machines,
host1.mpls.setgetweb.com
host2.mpls.setgetweb.com
the Kerberos keytab file must contain the following SPNs and their Kerberos keys:
serviceName/host1.mpls.setgetweb.com@KerberosRealm
serviceName/host2.mpls.setgetweb.com@KerberosRealm
Kerberos loads and uses only one keytab file per session. For example, if Kerberos is already configured and you want to use a new keytab file with the same name and location as the previous one, restart the server so that the new keytab file is read.
If you are configuring Kerberos for the first time and accidentally use a bad keytab file, unconfigure Kerberos and restart the server before configuring Kerberos again with a new keytab file. This restart is not needed if we have the JDK with SP3 installed.
You must first enable global and application security.
If Kerberos is configured in global security but you want to configure Simple and Protected GSS-API Negotiation (SPNEGO) in a security domain that uses a different Kerberos realm, first use the Java ktab -m command to merge the existing keytab files into one keytab file. Use that merged keytab file to configure Kerberos and SPNEGO in both global security and the domain security.
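The following Python script is an added example, not part of this page or of WebSphere. It parses an MIT-format keytab (file format version 0x0502, the format written by ktab and by kadmin/ktpass), lists the SPNs and key version numbers it contains, and reports which of the SPNs required by the prerequisite above are missing, so that a keytab lacking a host's entry is caught before the admin console is pointed at it rather than at the first failed login. The sample keytab bytes, the key material, the hostnames beyond those used on this page and the helper names (build_keytab, read_keytab, expected_spns, missing_spns) are all constructed for the example. The comparison is deliberately exact because Kerberos realm and principal names are case-sensitive.

```python
import struct

KEYTAB_VERSION = b"\x05\x02"   # MIT keytab file format version 2 (big-endian)
KRB5_NT_PRINCIPAL = 1


def _cstr(data: bytes) -> bytes:
    """Encode a counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_cstr(buf: bytes, pos: int):
    """Decode a counted_octet_string at pos; return (bytes, next_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries, timestamp=0):
    """Serialise (principal, kvno, enctype, key) tuples as a v2 keytab.

    Used here only to construct a sample keytab offline; a real keytab comes
    from ktab, kadmin or ktpass, never from application code.
    """
    out = bytearray(KEYTAB_VERSION)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _cstr(realm.encode())
        for comp in components:
            body += _cstr(comp.encode())
        # name_type, timestamp, 8-bit kvno, then the keyblock (enctype + key)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _cstr(key)
        body += struct.pack(">I", kvno)          # full 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def read_keytab(data: bytes):
    """Yield (principal, kvno, enctype) for each live entry in a v2 keytab."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative size marks a deleted entry (hole)
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        p = pos + 2
        realm, p = _read_cstr(data, p)
        components = []
        for _ in range(ncomp):
            comp, p = _read_cstr(data, p)
            components.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        p += 9
        (enctype,) = struct.unpack_from(">H", data, p)
        _key, p = _read_cstr(data, p + 2)
        kvno = vno8
        if end - p >= 4:              # 32-bit kvno present: it overrides vno8
            (kvno,) = struct.unpack_from(">I", data, p)
        yield "%s@%s" % ("/".join(components), realm.decode()), kvno, enctype
        pos = end


def expected_spns(service, hosts, realm):
    """serviceName/fully_qualified_hostname@REALM for every appserver host."""
    spns = set()
    for host in hosts:
        if "." not in host:
            raise ValueError("host %r is not fully qualified" % host)
        spns.add("%s/%s@%s" % (service, host, realm))
    return spns


def missing_spns(keytab, service, hosts, realm):
    """Return the required SPNs that the keytab does not contain (exact match)."""
    present = {principal for principal, _, _ in read_keytab(keytab)}
    return sorted(expected_spns(service, hosts, realm) - present)


# Constructed sample: a keytab holding host1 and a stale host3, but no host2.
REALM = "MPLS.SETGETWEB.COM"
SAMPLE_KEYTAB = build_keytab([
    ("WAS/host1.mpls.setgetweb.com@" + REALM, 3, 18, b"\x11" * 32),  # 18 = aes256-cts-hmac-sha1-96
    ("WAS/host3.mpls.setgetweb.com@" + REALM, 1, 17, b"\x22" * 16),  # 17 = aes128-cts-hmac-sha1-96
])

if __name__ == "__main__":
    for principal, kvno, enctype in read_keytab(SAMPLE_KEYTAB):
        print("%-48s kvno=%d enctype=%d" % (principal, kvno, enctype))
    hosts = ["host1.mpls.setgetweb.com", "host2.mpls.setgetweb.com"]
    print("missing:", missing_spns(SAMPLE_KEYTAB, "WAS", hosts, REALM))
```

On a real server, run read_keytab over the file named in the keytab field (or use ktab -l -k <file> or klist -k <file>, which list the same principals and kvnos) and compare the kvno shown against the one the KDC currently holds for each SPN; a stale kvno after a password or key reset fails in the same way as a missing entry.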
Procedure
- In the admin console, click...
Security | Global security | Authentication | Kerberos configuration
- Enter the Kerberos service name.
By convention, a Kerberos service principal is divided into three parts:
- primary
- instance
- realm
The format of the Kerberos service principal name is
serviceName/fully_qualified_hostName@kerberos_realm
The service name is the first part (the primary) of the Kerberos service principal name.
For example, in
WAS/test.mpls.setgetweb.com@MPLS.SETGETWEB.COM
the service name is WAS. In this example, the keytab file must contain the Kerberos service principal name
WAS/test.mpls.setgetweb.com@MPLS.SETGETWEB.COM
and its keys.
- Enter the Kerberos configuration file name or click Browse to locate it.
The Kerberos client configuration file, krb5.conf or krb5.ini, contains Kerberos configuration information, including the locations of the Key Distribution Centers (KDCs) for the realm of interest. The krb5.conf file is the default file name for all platforms except the Windows operating system, which uses the krb5.ini file.
The Kerberos configuration file name and Kerberos keytab file name do not have to be absolute paths; use WebSphere variables in the paths instead. In a mixed-platform environment, use the variable ${CONF_OR_INI} in the Kerberos configuration file name. Security configuration expands it to "ini" on Windows and to "conf" on other platforms.
For example:
${WAS_INSTALL_ROOT}\etc\krb5\krb5.${CONF_OR_INI}
- Enter the Kerberos keytab file name or click Browse to locate it.
The Kerberos keytab file contains one or more Kerberos service principal names and their keys. The default keytab file is krb5.keytab. Protect the keytab file: keep it on local disk with permissions that make it readable only by the user ID the appserver runs as, because the long-term service keys it holds let anyone who can read them decrypt service tickets for the server and impersonate it. Read Create a Kerberos service principal and keytab file for more information. If we do not specify this parameter, the default keytab named in the Kerberos configuration file is used.
The keytab file name can use WebSphere variables in the same way as the Kerberos configuration file name.
- Enter the name of the Kerberos realm in the Kerberos realm name field.
By convention, the realm is the DNS domain name in uppercase letters. Realm names are case-sensitive, so enter the realm exactly as the KDC defines it. If we do not specify this parameter, the default realm from the Kerberos configuration file is used.
For example, a machine with the domain name
test.mpls.setgetweb.com
would usually be in the Kerberos realm
MPLS.SETGETWEB.COM
For a Microsoft KDC, the Kerberos realm name is the Active Directory domain name in uppercase.
- Trim Kerberos realm from principal name is selected by default.
We can deselect this option if we want the suffix of the Kerberos principal name to be retained.
This option specifies whether the Kerberos login module removes the suffix of the principal user name, starting from the @ that precedes the Kerberos realm name. If this attribute is set to true, the suffix of the principal user name is removed. If this attribute is set to false, the suffix of the principal name is retained. The default value used is true.
- Enable delegation of Kerberos credentials is selected by default.
This option specifies whether the Kerberos delegated credentials are to be stored in the subject by the Kerberos authentication. This option also enables an application to retrieve the stored credentials and to propagate them to other applications downstream for additional Kerberos authentication with the credential from the Kerberos client.
If this parameter is true and the runtime cannot extract a client GSS delegation credential (for example, because the client did not forward its credentials), a warning message is displayed. Enable delegation only where a downstream hop actually needs it: a server holding delegated credentials can act as the client toward any other Kerberos service, so a compromised appserver would be able to impersonate its users.
- Click OK.
When you click Apply or OK, the Kerberos configuration is tested automatically. If the configuration is incomplete or incorrect, a message indicating authentication failure is displayed.
Results
We have now configured and saved Kerberos as the authentication mechanism for WAS.
Next steps
To enable SPNEGO, click SPNEGO web authentication enablement from Related Configuration.
SPNEGO Web authentication and Kerberos authentication use the same Kerberos client configuration and keytab files.
Kerberos authentication
Create a Kerberos configuration file
Create a Kerberos service principal and keytab file
Mapping of a client Kerberos principal name to the WebSphere user registry ID
Related tasks
Set CSIV2 inbound and outbound communication settings
Authenticate users
Related
Kerberos authentication commands
CSIv2 inbound communications settings
CSIv2 outbound communications settings
Use the ktab command to manage the Kerberos keytab file
Kerberos: The Network Authentication Protocol