Updating the system JAAS login with the Kerberos login module
Update the Kerberos system JAAS login module for JAX-WS applications.
If the Kerberos authentication mechanism is configured in the WAS security configuration for JAX-WS applications, the JAAS login wss.caller must be updated with the system JAAS login module for Kerberos. The login module is specified as com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule.
There are two methods to update the Kerberos system JAAS login module: using the admin console, or by running a Jython script.
- To use the admin console, follow these steps:
- Click Security > Global security > Java Authentication and Authorization Service > System logins.
- Click on wss.caller, then click New to create a new JAAS login module.
- In the Module class name field, type com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule.
- Click OK.
- In the wss.caller panel, click Set Order, then click on WSKrb5LoginModule.
- Move WSKrb5LoginModule up in the list of modules so that it is after com.ibm.ws.wssecurity.impl.auth.module.WSWSSLoginModule but before com.ibm.ws.security.server.lm.ltpaLoginModule. The order of the modules in the list is important. The finished list of modules should look like this:
  com.ibm.ws.wssecurity.impl.auth.module.PreCallerLoginModule 1
  com.ibm.ws.wssecurity.impl.auth.module.UNTCallerLoginModule 2
  com.ibm.ws.wssecurity.impl.auth.module.X509CallerLoginModule 3
  com.ibm.ws.wssecurity.impl.auth.module.LTPACallerLoginModule 4
  com.ibm.ws.wssecurity.impl.auth.module.LTPAPropagationCallerLoginModule 5
  com.ibm.ws.wssecurity.impl.auth.module.KRBCallerLoginModule 6
  com.ibm.ws.wssecurity.impl.auth.module.WSWSSLoginModule 7
  com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule 8
  com.ibm.ws.security.server.lm.ltpaLoginModule 9
  com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule 10
- Click OK, then click Save to save the changes.
- Restart the server.
- To use a Jython script instead, run addKrbLoginModuleWSSCaller.py, located in APP_ROOT\bin, for each cell to update the WSKrb5LoginModule login module in the security configuration.
- Run the following command, where APP_ROOT is C:\WebSphere\AppServer:
  wsadmin -conntype NONE -lang jython -f C:\WebSphere\AppServer\bin\addKrbLoginModuleWSSCaller.py
- If the script is successful, the following message is displayed:
  System JAAS login entry wss.caller has been updated.
- Restart the server.
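Because the module order matters, the resulting wss.caller list can be checked after either method. The following is an added example, not part of the original page or of IBM's tooling; it assumes the list is supplied as text with one class name and order number per line, and the function names and the sample input are constructed for illustration.

```python
import re

WSWSS = "com.ibm.ws.wssecurity.impl.auth.module.WSWSSLoginModule"
KRB5 = "com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule"
LTPA = "com.ibm.ws.security.server.lm.ltpaLoginModule"
PREFIX = "com.ibm.ws.wssecurity.impl.auth.module."
# Finished module order exactly as listed on this page.
EXPECTED = [PREFIX + n for n in (
    "PreCallerLoginModule", "UNTCallerLoginModule", "X509CallerLoginModule",
    "LTPACallerLoginModule", "LTPAPropagationCallerLoginModule",
    "KRBCallerLoginModule", "WSWSSLoginModule")] + [
    KRB5, LTPA, "com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule"]

def parse_listing(text):
    """Turn 'class-name order-number' lines into class names sorted by order."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*([\w.]+)\s+(\d+)\s*$", line)
        if m:
            rows.append((int(m.group(2)), m.group(1)))
    return [name for _, name in sorted(rows)]

def check_order(modules):
    """Return a list of problems; an empty list means the order is acceptable."""
    problems = []
    for required in (WSWSS, KRB5, LTPA):
        count = modules.count(required)
        if count != 1:
            problems.append("%s appears %d times, expected 1" % (required, count))
    if problems:
        return problems
    if modules.index(KRB5) < modules.index(WSWSS):
        problems.append("WSKrb5LoginModule is before WSWSSLoginModule")
    if modules.index(KRB5) > modules.index(LTPA):
        problems.append("WSKrb5LoginModule is after ltpaLoginModule")
    if not problems and modules != EXPECTED:
        problems.append("order differs from the finished list on the page")
    return problems

# Constructed sample: the new module was added but never moved up (it is last).
SAMPLE = "\n".join("%s %d" % (n, i + 1) for i, n in enumerate(
    [m for m in EXPECTED if m != KRB5] + [KRB5]))

if __name__ == "__main__":
    for problem in check_order(parse_listing(SAMPLE)) or ["order OK"]:
        print(problem)
```

The constructed sample reproduces the state left by skipping the Set Order step, where the newly created module sits at the end of the list.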
Related tasks
Set the Kerberos token for WS-Security