Kerberos configuration models for web services
The WebSphere Application Server configuration model leverages existing frameworks.
The configuration model features include:
- Deployment descriptors and bindings configuration to enable the Kerberos token profile for JAX-RPC applications
- Policy sets and bindings configuration to enable the Kerberos token profile for Java Architecture for XML Web Services (JAX-WS) applications
- Web Services Security APIs for JAX-WS applications
- Administrative command scripts
- Interoperability with Microsoft Web Services Enhancements (WSE) Version 3.5
Examples of possible configurations when using the Kerberos token:
- A JAX-WS client on Windows operating systems
- A JAX-RPC client on Windows operating systems
- A Windows JAX-RPC client on z/OS operating systems
- Web Services Security APIs on Windows operating systems
- A Microsoft .NET WSE 3.5 client on Windows operating systems
- A Microsoft .NET WSE 3.5 client on z/OS operating systems
JAX-WS configuration model
For JAX-WS applications, the WAS client configuration model uses the policy set and leverages a custom policy set for the Kerberos token. We can specify the Kerberos token type, message signing, and message encryption using the custom policy set. The Web Services Security (WS-Security) policy is the security policy used to secure the application messages.
Using the console, we can specify the Kerberos token type, message signing, and message encryption by using an existing custom policy set. Kerberos token generation and consumption includes the Kerberos token generation for unmanaged JAX-WS clients.
The JAX-WS programming model also provides capabilities to enable the Kerberos token profile and identity assertion by configuring the Kerberos token using policy sets, Web Services Security APIs, and administrative command scripts.
For JAX-WS applications, we can use administrative commands to configure the policy set as an alternative to using the console.
JAX-RPC configuration model
JAX-RPC applications are configured using a deployment model. The deployment descriptor specifies the custom token to use for the Kerberos token. A JAX-RPC client can generate the specified Kerberos token. A JAX-RPC web service can successfully authenticate the Kerberos token by using a custom or the default Kerberos identity mapping login module.
API configuration model
A set of APIs is provided by WebSphere Application Server. To successfully use these APIs, application developers must have knowledge about the OASIS Web Services Security Version 1.0 and 1.1 specifications. When you use these APIs, the application server assumes that a policy set is not attached to the client resources; however, a warning is still issued when the application server detects any policy set information.
For JAX-WS client applications, the APIs include and enforce Web Services Security policy for the Kerberos token, which is based on the OASIS token profile. To enable the Kerberos token profile with the policy set, first configure the WS-Security policy and the binding files with the custom token.
For JAX-RPC applications, APIs for Web Services Security are not provided. We must use the deployment descriptor to specify the custom token to use for the Kerberos token. We can use the custom token panels within an assembly tool, such as Rational Application Developer, to configure the deployment information.
Related information:
Kerberos Token Profile Version 1.1 specification
Kerberos Token Profile 1.1 Approved Errata