
Updating the system JAAS login with the Kerberos login module


Update the Kerberos system JAAS login module for JAX-WS applications.

If the Kerberos authentication mechanism is configured in the WAS security configuration for JAX-WS applications, the JAAS login wss.caller must be updated with the system JAAS login module for Kerberos. The login module is specified as com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule.

There are two methods to update the Kerberos system JAAS login module: using the admin console, or by running a Jython script.

 

  1. To use the admin console, follow these steps:

    1. Click Security > Global security > Java Authentication and Authorization Service > System logins.

    2. Click on wss.caller, then click New to create a new JAAS login module.

    3. In the Module class name field, type com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule.

    4. Click OK.

    5. In the wss.caller panel, click Set Order, then click on WSKrb5LoginModule.

    6. Move WSKrb5LoginModule up in the list of modules so that it is after com.ibm.ws.wssecurity.impl.auth.module.WSWSSLoginModule but before com.ibm.ws.security.server.lm.ltpaLoginModule. The order of the modules in the list is important. The finished list of modules should look like this:

      com.ibm.ws.wssecurity.impl.auth.module.PreCallerLoginModule               1
      com.ibm.ws.wssecurity.impl.auth.module.UNTCallerLoginModule               2
      com.ibm.ws.wssecurity.impl.auth.module.X509CallerLoginModule              3
      com.ibm.ws.wssecurity.impl.auth.module.LTPACallerLoginModule              4
      com.ibm.ws.wssecurity.impl.auth.module.LTPAPropagationCallerLoginModule   5
      com.ibm.ws.wssecurity.impl.auth.module.KRBCallerLoginModule               6
      com.ibm.ws.wssecurity.impl.auth.module.WSWSSLoginModule                   7
      com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule                       8
      com.ibm.ws.security.server.lm.ltpaLoginModule                             9
      com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule              10

    7. Click OK, then click Save to save the changes.

    8. Restart the server.

  2. To use a Jython script instead, run the script addKrbLoginModuleWSSCaller.py, located in APP_ROOT\bin, for each cell to update the WSKrb5LoginModule login module in the security configuration.

    1. Run the following command, where APP_ROOT is C:\WebSphere\AppServer:

      wsadmin -conntype NONE -lang jython -f C:\WebSphere\AppServer\bin\addKrbLoginModuleWSSCaller.py
      

    2. If the script is successful, the following message is displayed:

      System JAAS login entry wss.caller has been updated.
      

    3. Restart the server.
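
A check for the module order required in step 6 of the admin console method, usable after either method (added example, not IBM's code). It assumes the wss.caller class names have been copied in order, one per line, from the System logins panel; parse_listing and check_wss_caller_order are hypothetical helper names.

```python
# Added example (not IBM code): validate a wss.caller module listing
# against the order this page requires.
CALLER = "com.ibm.ws.wssecurity.impl.auth.module."
WSS = CALLER + "WSWSSLoginModule"
KRB = "com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule"
LTPA = "com.ibm.ws.security.server.lm.ltpaLoginModule"

# Finished order exactly as listed on this page.
EXPECTED = [CALLER + n for n in (
    "PreCallerLoginModule", "UNTCallerLoginModule", "X509CallerLoginModule",
    "LTPACallerLoginModule", "LTPAPropagationCallerLoginModule",
    "KRBCallerLoginModule", "WSWSSLoginModule")] + [
    KRB, LTPA, "com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule"]


def parse_listing(text):
    """Class names in listed order; a trailing order number is ignored."""
    return [line.split()[0] for line in text.splitlines() if line.strip()]


def check_wss_caller_order(modules):
    """Return a list of problems; an empty list means the order is valid."""
    problems = []
    for name in (WSS, KRB, LTPA):
        count = modules.count(name)
        if count == 0:
            problems.append("missing: " + name)
        elif count > 1:
            problems.append("listed %d times: %s" % (count, name))
    if problems:
        return problems  # positions are ambiguous, so stop here
    if modules.index(KRB) < modules.index(WSS):
        problems.append("WSKrb5LoginModule is before WSWSSLoginModule")
    if modules.index(KRB) > modules.index(LTPA):
        problems.append("WSKrb5LoginModule is after ltpaLoginModule")
    return problems


if __name__ == "__main__":
    # Constructed input: the module was created but not moved with Set Order,
    # so it sits at the end of the list (assumed position for illustration).
    not_moved = [m for m in EXPECTED if m != KRB] + [KRB]
    for label, mods in (("finished", EXPECTED), ("not moved", not_moved)):
        print(label, check_wss_caller_order(mods) or "order OK")
```
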

 

Related tasks


Set the Kerberos token for WS-Security