Network Deployment (Distributed operating systems), v8.0


Configure the Kerberos token for Web Services Security

Use this topic to configure the Kerberos token for message-level Web Services Security.

Before you can use Kerberos with Web Services Security, configure Kerberos in IBM WAS. You do not need to enable Kerberos as the authentication mechanism. However, the Kerberos configuration file, krb5.conf or krb5.ini, and the Kerberos keytab file, krb5.keytab, are required.

The initial setup and configuration processes to use Kerberos with Web Services Security are identical to the configuration processes for using Kerberos with the security function. Therefore, set up and configure Kerberos before continuing with the steps in this topic.

The "Kerberos (KRB5) authentication mechanism support for security" topic provides an overview of the Kerberos functionality and the initial steps for setting up and configuring Kerberos for authentication purposes. Within that topic, complete the steps in the section "Setting up Kerberos as the authentication mechanism for WAS." Use that topic to configure Kerberos, the service principal, and the keytab files. In addition, that topic provides references to the process for configuring Kerberos as the authentication mechanism or commands. You can also find information there on how to set up Kerberos when the Key Distribution Center (KDC) and the Application Server do not use the same user registry.

The Kerberos token for JAX-WS applications is configured using policy sets and bindings. The JAX-WS application is attached with a custom policy and the Kerberos token is configured as a message protection token or an authentication token.

The implemented Kerberos functionality for Web Services Security also leverages existing tools and frameworks for the Kerberos token profile configuration for authentication and message protection. The support for Kerberos with Web Services Security in the product is based on the OASIS Web Services Security Kerberos Token Profile 1.1 specification.

To configure Kerberos with Web Services Security, complete the following steps.


Procedure

  1. Enable the Kerberos token profile for JAX-WS applications.

    The JAX-WS application is attached with a custom policy that has a Kerberos token, which is configured with a message protection token or an authentication token. See Configure the Kerberos token policy set for JAX-WS applications.

  2. Select the customized Kerberos token type. We can define key bindings for request message protection and response message protection. We can use the key type, such as the key identifier or security token reference, for the outbound key information. If you use a derived key, use a security token reference in both the outbound and inbound key information. If you use a Kerberos session key, you can use a security token reference in the outbound key information and a key identifier in the inbound key information for the client bindings. Then, use a key identifier in the outbound key information and a security token reference in the inbound key information for the provider bindings.

  3. Select the customized Kerberos token types for the token generator or token consumer.

  4. Configure the bindings for Kerberos message protection for JAX-WS applications. See Configure the bindings for message protection for Kerberos.


What to do next

After completing this task, you have configured the Kerberos token for WAS.


Related


Configure the Kerberos token policy set for JAX-WS applications
Configure the bindings for message protection for Kerberos
Kerberos token
Kerberos (KRB5) authentication mechanism support for security
Task overview: Implementing web services applications
Configure Kerberos as the authentication mechanism
Web Services Security Kerberos Binding specification
Web Services Security Kerberos Token Profile specification
