
Set the Kerberos token for WS-Security


Use this topic to configure the Kerberos token for message-level WS-Security.

Before we can use Kerberos with Web services security, Kerberos must be configured in IBM WebSphere Application Server (WAS). You do not need to enable Kerberos as the authentication mechanism. However, the Kerberos configuration file (krb5.conf or krb5.ini) and the Kerberos keytab file (krb5.keytab) are required.

Configure Kerberos, the service principal, and the keytab files.

We can also set up Kerberos when the Key Distribution Center (KDC) and the application server do not use the same user registry.
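A pre-flight check for the prerequisites above, as an added example that is not IBM's code: it reads the default realm from krb5.conf and confirms that the keytab holds an entry for the service principal in that realm. It assumes the standard MIT keytab layout (version 0x0502); the function names, the principal `HTTP/was.example.com` and the sample data are constructed for illustration.

```python
import re
import struct

def keytab_principals(blob):
    """Return the principal names stored in a version 0x0502 keytab."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    names, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size > 0:                      # a negative size marks a deleted entry (hole)
            (ncomp,) = struct.unpack_from(">H", blob, pos)
            parts, off = [], pos + 2
            for _ in range(ncomp + 1):    # realm first, then the name components
                (n,) = struct.unpack_from(">H", blob, off)
                parts.append(blob[off + 2:off + 2 + n].decode())
                off += 2 + n
            names.append("/".join(parts[1:]) + "@" + parts[0])
        pos += abs(size)
    return names

def missing_prerequisites(conf_text, keytab_blob, service):
    """Return problems found; service is 'name/host', the realm comes from krb5.conf."""
    realm = re.search(r"^\s*default_realm\s*=\s*(\S+)", conf_text, re.M)
    if not realm:
        return ["krb5.conf: default_realm is not set"]
    wanted = service + "@" + realm.group(1)
    if wanted not in keytab_principals(keytab_blob):
        return ["keytab: no entry for " + wanted]
    return []

# Constructed sample input (hypothetical realm and host, all-zero dummy key).
SAMPLE_CONF = "[libdefaults]\n    default_realm = EXAMPLE.COM\n"

def _counted(text):
    return struct.pack(">H", len(text)) + text.encode()

_entry = (struct.pack(">H", 2) + _counted("EXAMPLE.COM") + _counted("HTTP")
          + _counted("was.example.com")
          # name type, timestamp, kvno, enctype, key length, then the key bytes
          + struct.pack(">IIBHH", 1, 0, 1, 17, 16) + bytes(16))
SAMPLE_KEYTAB = b"\x05\x02" + struct.pack(">i", len(_entry)) + _entry

if __name__ == "__main__":
    print(missing_prerequisites(SAMPLE_CONF, SAMPLE_KEYTAB, "HTTP/was.example.com"))
```

The check reads only principal names from the keytab; the key material itself is skipped and never printed.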

New feature: The support for Kerberos with WS-Security in WAS Version 7.0 is based on the OASIS Web Service Security Kerberos Token Profile 1.1 specification.

The Kerberos token for JAX-WS applications is configured using policy sets and bindings. A custom policy is attached to the JAX-WS application, and the Kerberos token is configured as a message protection token or an authentication token.

The implemented Kerberos functionality for WS-Security also leverages existing tools and frameworks for the Kerberos token profile configuration for authentication and message protection.

To configure Kerberos with Web services security:

  1. Enable the Kerberos token profile for JAX-WS applications.

    The JAX-WS application is attached with a custom policy that has a Kerberos token, which is configured with a message protection token or an authentication token.

  2. Select the customized Kerberos token type.

    We can define key bindings for request message protection and response message protection. Use the key type, such as the key identifier or security token reference, for the outbound key information. If we use a derived key, use a security token reference in both the outbound and inbound key information. If we use a Kerberos session key, we can use a security token reference in the outbound key information and a key identifier in the inbound key information for the client bindings. Then, use a key identifier in the outbound key information and a security token reference in the inbound key information for the provider bindings.

  3. Select the customized Kerberos token types for the token generator or token consumer.
  4. Set the bindings for Kerberos message protection for JAX-WS applications.

 

Related concepts

Set the Kerberos token policy set for JAX-WS applications
Set the bindings for message protection for Kerberos
Kerberos token
Kerberos (KRB5) authentication mechanism support for security
Task overview: Implement Web services applications

 

Related tasks


Set Kerberos as the authentication mechanism

 

Related information


WS-Security Kerberos Binding specification
WS-Security Kerberos Token Profile specification