Set a Java client for Kerberos authentication


A Java client can authenticate with WebSphere Application Server with a Kerberos principal name and password or with the Kerberos credential cache (krb5Ccache).

 

  1. Create a Kerberos configuration file (krb5.ini or krb5.conf). Read about Create a Kerberos configuration file for more information.

  2. Place either the krb5.ini or krb5.conf files we have created in a default location. If either file is not located in the default location set com.ibm.COBRA.krb5ConfigFile in sas.client.props with the correct path and Kerberos configuration file name.

    On a Windows operating system, the default location is c:\winnt\krb5.ini.

    On a Linux operating system, the default location is /etc/krb5.conf.

    On other UNIX-based operating systemss, the default location is /etc/krb5/krb5.conf.

    On the z/OS operating system, the default location is /etc/krb5/krb5.conf.

    On the IBM i operating system, the default location is /QIBM/UserData/OS400/NetworkAuthentication/krb5.conf

  3. In sas.client.props, set the com.ibm.CORBA.authenticationTarget property to KRB5. Read about Set security with scripting for more information.

  4. Also in sas.client.props, set the com.ibm.CORBA.loginSource property to one of the supported values shown below: When authenticationTarget is BasicAuth, the loginSource supported are:

    • prompt [default]

    • properties

    • stdin

    • none

    When authenticationTarget is KRB5, the loginSource supported are:

    • prompt [default]

    • properties

    • stdin

    • none

    • krb5Ccache

    • krb5Ccache:prompt

    • krb5Ccache:properties

    • krb5Ccache:stdin

    Also consider the following:

    krb5Ccache:prompt

    Use krb5Ccache to authenticate to WAS first. If it fails, then it falls back to prompt.

    krb5Ccache:properties

    Use krb5Ccache to authenticate to WAS first. If it fails, then it falls back to properties.

    krb5Ccache:stdin

    Use krb5Ccache to authenticate to WAS first. If it fails, then it falls back to stdin.

  5. If the authenticationTarget is KRB5, the Java client application must have the wsjaas_client.conf file. If we don’t use the launchClient command, then set the java option as follows:

    -Djava.security.auth.login.config=wsjaas_client.config
    

  6. If the authenticationTarget is KRB5 and loginSource is the Kerberos credential cache, do the following:

    1. In the wsjaas_client.conf file, update the WSKRB5Login entry:

      WSKRB5Login{
          com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapperClient required
          credsType=INITIATOR useFirstPass=false  forwardable=false renewable=false noAddress=false;
      };
      
      

    2. If the Kerberos credential cache is not at the default location, set the com.ibm.CORBA.krb5CcacheFile property as a URL:

      For example:

      com.ibm.CORBA.krb5CcacheFile=FILE:/home/smith/krb5cc_smith
      
      The default location of the Kerberos credential cache file depends on which operating system you use. The user credential cache is located in the following order:

      The file referenced by the Java property KRB5CCNAME
      <user.home>/krb5cc_<user.name>
      <user.home>/krb5cc (if <user.name> cannot be obtained)

  7. If an error occurs, make sure that all WAS machine's clocks are in sync with the KDC machines. Validate a Kerberos principal name and password by using the kinit command. It is recommended that you use the kinit command that comes with the Java SE Development Kit (JDK) 6. Type the following to receive help for this command:

    kinit -help
    

    An example of the kinit command is as follows. In this example, a Kerberos ticket-granting ticket (TGT) can be obtained for duke, and the Kerberos credential cache is stored in the default location, c:\Documents and Settings\duke\krb5cc_duke:

    kinit duke@JAVA.SUN.COM
    

    This command usage might not work on all versions of KDCs.

 

Results

we have now configured a Java client for Kerberos authentication.

We can complete the configuration of Kerberos on the server side by using either the admin console or by using wsadmin commands. Read about Set Kerberos as the authentication mechanism or Kerberos authentication commands respectively for more information.

 

Related tasks


Set Kerberos as the authentication mechanism
Create a Kerberos service principal and keytab file
Create a Kerberos configuration file
Authenticate users
Set CSIV2 inbound and outbound communication settings
Enable and configuring SPNEGO Web authentication
Select an authentication mechanism

 

Related


SPNEGO Web authentication configuration commands