
Set the Kerberos token policy set for JAX-WS applications


Use this topic to enable the Kerberos token policy set for JAX-WS applications.

Prior to beginning this task, specify the Kerberos configuration information for IBM WAS.

See Kerberos (KRB5) authentication mechanism support for security. The configuration model for the Kerberos token enables you to choose from the following existing WAS frameworks:

Complete the following steps to configure the Kerberos token policy set for JAX-WS applications using the admin console for WAS. In these steps, the Main policy configuration panel refers to the admin console panel that is available after you complete the first five steps.


  1. Expand Services > Policy sets and click Application policy sets > New to create a new policy set.

  2. Specify a name and a short description for the new policy set and click Apply.

  3. From the Policies heading, click Add and then select the WS-Security security policy type.

  4. Click OK and click Save to save the new configuration directly to the master configuration.

  5. In the Policies field, click WS-Security and click Main policy on the WS-Security panel to configure the main policy for the Kerberos token policy set.

  6. From the Key Symmetry heading, select Use symmetric tokens for message protection.

  7. Click Symmetric signature and encryption policies to configure the Kerberos custom token type or, if you are configuring an authentication token only, clear the Message level protection check box.

    You do not need to configure the request token policy if you are using the Kerberos token for message protection. If you are configuring the authentication token only, proceed to the next step. If you are not configuring the request token policy for the authentication token, skip the next step.

  8. On the Main policy configuration panel, configure the policy for the request token if you are configuring the authentication token.

    1. From the Policy Details heading, click Request token policies.

    2. Click Add token type and select Custom.

    3. Specify the name of the custom token in the Custom token name field.

    4. Specify the local part value in the Local part field.

      For interoperability with other Web services technologies, specify the following local part: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ. If you are not concerned with interoperability, you can specify one of the following local part values instead:

      • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ

      • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510

      • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510

      • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ4120

      • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120

      These alternative values depend on the spec level for the Kerberos AP-REQ token that is generated by the Key Distribution Center (KDC).

      For information about when to use these values, see Token type settings.

    5. Do not specify a value for the Namespace URI field if you are generating a Kerberos token.

    6. Click OK and Save to save the configuration directly to the master configuration.

    This step completes the configuration of the request token policy for the authentication token. If you are configuring the authentication token only, you do not need to complete the next two steps; those steps configure the encryption and symmetric signature policies for message protection.

  9. Return to the main policy configuration panel for the application policy set and click Symmetric signature and encryption policies to configure the encryption and symmetric signature policies.

    1. From the Message Integrity heading, click the Action menu list beside the Token type for signing and validating messages field and select Custom.

    2. From the Message Confidentiality heading, select the Use same token for confidentiality used for integrity option.

    3. Click OK and Save to save the configuration changes.

    4. From the Message Integrity heading, click the Action menu list beside the Token type for signing and validating messages field and select Edit Selected Type Policy.

    5. Edit the custom token type for the signature and encryption by specifying the local part for the Kerberos custom token.

      For example, specify http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ for the local part value. Do not specify a Namespace URI value.

    6. Click OK and then click the Save link to save the configuration changes.

  10. Return to the main policy configuration panel for the application policy set and click Algorithms for symmetric tokens to configure the symmetric token algorithm.

    1. Select the algorithm suite to use for the symmetric tokens from the Algorithm suite menu list. Select the Advanced Encryption Standard (AES) algorithms for a Kerberos token that is compliant with RFC 4120. The symmetric key wrap, or private key cryptography, algorithms include:

      • Triple DES key wrap: http://www.w3.org/2001/04/xmlenc#kw-tripledes

      • AES key wrap (aes128): http://www.w3.org/2001/04/xmlenc#kw-aes128

      • AES key wrap (aes256): http://www.w3.org/2001/04/xmlenc#kw-aes256

      Restriction: To use the 256-bit AES encryption algorithm, apply the unlimited jurisdiction policy files. To remain in compliance, see Basic Security Profile compliance tips.

      Before downloading these policy files, back up the existing policy files so that you can restore the original files later. The existing policy files, local_policy.jar and US_export_policy.jar, are located in:

      APP_ROOT/java/jre/lib/security/

      To download the policy files, complete one of the following sets of steps:

      • For application server platforms using IBM Developer Kit, Java Technology Edition V5, you can obtain unlimited jurisdiction policy files by completing the following steps:

        1. Visit the IBM developerWorks: Security Information Web site.

        2. Click Java 5.

        3. Click IBM SDK Policy files.

          The Unrestricted JCE Policy files for SDK 5 Web site is displayed.

        4. Enter the user ID and password or register with IBM to download the policy files. The policy files are downloaded onto the workstation.

      For information on the algorithm suite components, see Algorithms settings.

    2. Select either the Exclusive canonicalization or Inclusive canonicalization value from the Canonicalization algorithm menu list.

      See XML digital signature.

    3. Specify the XPath 1.0 or XPath Filter 2.0 version to use from the XPath version menu list.
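As an added example (not IBM's code and not part of this topic), the following Python check applies the constraints stated in the steps above to a set of policy-set choices before they are saved: the local part must be one of the Kerberos token profile 1.1 values, the Namespace URI must stay empty for a generated token, an RFC 4120 token needs an AES algorithm suite, and 256-bit AES needs the unlimited jurisdiction policy files. The function names, the rule that flags non-GSS local parts as an interoperability note, and the sample inputs are this example's own assumptions.

```python
import re

# Identifier prefix and key wrap URIs exactly as listed in the steps above.
KRB_PROFILE = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#"
KEY_WRAP = {
    "http://www.w3.org/2001/04/xmlenc#kw-tripledes": ("3DES", 168),
    "http://www.w3.org/2001/04/xmlenc#kw-aes128": ("AES", 128),
    "http://www.w3.org/2001/04/xmlenc#kw-aes256": ("AES", 256),
}
# Accepts the six local parts from the topic: optional GSS_ prefix, optional spec level.
_LOCAL_PART = re.compile(r"^(GSS_)?Kerberosv5_AP_REQ(1510|4120)?$")


def parse_local_part(local_part):
    """Return (gss_wrapped, spec_level) for a Kerberos token profile local part.
    spec_level is '1510', '4120', or None when the value does not pin a level."""
    if not local_part.startswith(KRB_PROFILE):
        raise ValueError("not a Kerberos token profile 1.1 identifier")
    m = _LOCAL_PART.match(local_part[len(KRB_PROFILE):])
    if m is None:
        raise ValueError("unknown Kerberos token local part: %s" % local_part)
    return (m.group(1) is not None, m.group(2))


def check_policy(local_part, namespace_uri, key_wrap, unlimited_policy_installed):
    """Return a list of findings for the chosen settings; an empty list means consistent.
    (hypothetical helper; not a WAS API)"""
    findings = []
    gss, level = parse_local_part(local_part)
    if not gss:
        # Topic recommends the GSS_ variant for interoperability with other stacks.
        findings.append("local part is not GSS-wrapped; interoperability may suffer")
    if namespace_uri:
        findings.append("Namespace URI must be empty when the Kerberos token is generated")
    if key_wrap not in KEY_WRAP:
        findings.append("unrecognised key wrap algorithm: %s" % key_wrap)
        return findings
    family, bits = KEY_WRAP[key_wrap]
    if level == "4120" and family != "AES":
        findings.append("RFC 4120 token requires an AES algorithm suite, not %s" % family)
    if family == "AES" and bits == 256 and not unlimited_policy_installed:
        findings.append("256-bit AES needs the unlimited jurisdiction policy files")
    return findings


if __name__ == "__main__":
    # Constructed sample: interoperable GSS token, AES-128, no unlimited policy needed.
    print(check_policy(KRB_PROFILE + "GSS_Kerberosv5_AP_REQ", "",
                       "http://www.w3.org/2001/04/xmlenc#kw-aes128", False))
```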


Next steps

Set the bindings for message protection for Kerberos for JAX-WS applications.

See Set the bindings for message protection for Kerberos.

 

Related concepts


Kerberos (KRB5) authentication mechanism support for security
XML digital signature
Basic Security Profile compliance tips

 

Related tasks


Set the bindings for message protection for Kerberos
Set the Kerberos token for WS-Security

 

Related


Request or Response token policies collection
Token type settings
Symmetric signature and encryption policies settings
Algorithms settings
Encryption information settings: Message parts

 

Related information


IBM developerWorks: Security Information Web site