Configure a Java client for Kerberos authentication

A Java client can authenticate with WebSphere Application Server with a Kerberos principal name and password or with the Kerberos credential cache (krb5Ccache).

  1. Create a Kerberos configuration file (krb5.ini or krb5.conf). See Create a Kerberos configuration file for more information.

  2. Place the krb5.ini or krb5.conf file you created in the default location. If the file is not in the default location, set com.ibm.CORBA.krb5ConfigFile in the sas.client.props file to the correct path and Kerberos configuration file name.

    (windows) The default location is c:\winnt\krb5.ini.

    On UNIX and Linux systems, the default location is /etc/krb5.conf.

    (zos) The default location is /etc/krb5/krb5.conf.

    (iseries) The default location is /QIBM/UserData/OS400/NetworkAuthentication/krb5.conf

  3. In the sas.client.props file, set the com.ibm.CORBA.authenticationTarget property to KRB5. Read about configuring security for more information.

  4. Also in the sas.client.props file, set the com.ibm.CORBA.loginSource property to one of the supported values shown here:

    When authenticationTarget is BasicAuth, the supported loginSource values are:

    • prompt [default]

    • properties

    • stdin

    • none

    When authenticationTarget is KRB5, the supported loginSource values are:

    • prompt [default]

    • properties

    • stdin

    • none

    • krb5Ccache

    • krb5Ccache:prompt

    • krb5Ccache:properties

    • krb5Ccache:stdin

    The combined values fall back to a second login source if the credential cache cannot be used:

    krb5Ccache:prompt

    Use krb5Ccache to authenticate to WebSphere Application Server first. If that fails, fall back to prompt.

    krb5Ccache:properties

    Use krb5Ccache to authenticate to WebSphere Application Server first. If that fails, fall back to properties.

    krb5Ccache:stdin

    Use krb5Ccache to authenticate to WebSphere Application Server first. If that fails, fall back to stdin.

  5. If the authenticationTarget is KRB5, the Java client application must have the wsjaas_client.conf file. If you do not use the launchClient command, set the Java option to point at that file, as follows:

      -Djava.security.auth.login.config=wsjaas_client.conf

  6. If the authenticationTarget is KRB5 and loginSource is the Kerberos credential cache, do the following:

    1. In the wsjaas_client.conf file, update the WSKRB5Login entry:

      WSKRB5Login {
          com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapperClient required
              credsType=INITIATOR useFirstPass=false forwardable=false renewable=false noAddress=false;
      };

    2. If the Kerberos credential cache is not at the default location, set the com.ibm.CORBA.krb5CcacheFile property to the file location as a URL. For example:

        com.ibm.CORBA.krb5CcacheFile=FILE:/home/smith/krb5cc_smith

      The default location of the Kerberos credential cache file depends on the operating system. The user credential cache is searched for in the following order:

      • The file referenced by the Java property KRB5CCNAME
      • <user.home>/krb5cc_<user.name>
      • <user.home>/krb5cc (if <user.name> cannot be obtained)

      When the Kerberos credential cache is used for authentication, the client Kerberos delegation ticket is not renewable.

  7. Optional: If an error occurs, make sure that the clocks of all WebSphere Application Server machines are in sync with the KDC machines. Validate a Kerberos principal name and password with the kinit command. IBM recommends the kinit command that comes with the Java SE Development Kit (JDK) 6.

    Type the following to receive help for this command:

      kinit -help

    An example of the kinit command follows. In this example, a Kerberos ticket-granting ticket (TGT) is obtained for duke, and the Kerberos credential cache is stored in the default location, c:\Documents and Settings\duke\krb5cc_duke:

      kinit duke@JAVA.SUN.COM

    This command usage might not work with all versions of KDCs.

    (zos) Both the Kerberos principal name and the password are case-sensitive. If you are using a KDC on z/OS, you must enter the Kerberos principal name exactly as it appears in the KERB segment of the RACF user ID. Unless mixed-case passwords are enabled for RACF, you must enter the password in all capital letters for the kinit command.
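As an added pre-flight check (example code written for this page, not part of IBM's documentation or product), the following Python script parses a sas.client.props excerpt, verifies the authenticationTarget and loginSource combination against the values listed in steps 3 and 4, checks that krb5CcacheFile is given as a FILE: URL, and resolves the credential cache location in the search order from step 6. The sample properties, the user name smith and the home directory are constructed; the function names are this example's own.

```python
# loginSource values each authenticationTarget accepts, as listed on this page.
LOGIN_SOURCES = {
    "BasicAuth": {"prompt", "properties", "stdin", "none"},
    "KRB5": {"prompt", "properties", "stdin", "none", "krb5Ccache",
             "krb5Ccache:prompt", "krb5Ccache:properties", "krb5Ccache:stdin"},
}

# Constructed sas.client.props excerpt; not taken from any real installation.
SAMPLE_PROPS = """\
# Kerberos settings for the thin client
com.ibm.CORBA.authenticationTarget=KRB5
com.ibm.CORBA.loginSource=krb5Ccache:prompt
com.ibm.CORBA.krb5ConfigFile=/etc/krb5.conf
com.ibm.CORBA.krb5CcacheFile=FILE:/home/smith/krb5cc_smith
"""

def parse_props(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def resolve_ccache(props, krb5ccname=None, user_home="/home/smith", user_name="smith"):
    """Credential cache path in the documented search order: the explicit krb5CcacheFile
    URL, then KRB5CCNAME, then <user.home>/krb5cc_<user.name>, then <user.home>/krb5cc."""
    url = props.get("com.ibm.CORBA.krb5CcacheFile")
    if url:  # page: given as a URL such as FILE:/home/smith/krb5cc_smith
        return url.partition(":")[2]
    if krb5ccname:
        return krb5ccname
    return f"{user_home}/krb5cc_{user_name}" if user_name else f"{user_home}/krb5cc"

def check_props(props):
    """Return the problems found; an empty list means the settings are consistent."""
    problems = []
    target = props.get("com.ibm.CORBA.authenticationTarget")
    source = props.get("com.ibm.CORBA.loginSource", "prompt")  # page: prompt is the default
    if target not in LOGIN_SOURCES:
        problems.append(f"authenticationTarget {target!r} must be BasicAuth or KRB5")
    elif source not in LOGIN_SOURCES[target]:
        problems.append(f"loginSource {source!r} is not supported with {target}")
    url = props.get("com.ibm.CORBA.krb5CcacheFile", "FILE:")
    if target == "KRB5" and source.startswith("krb5Ccache") and not url.upper().startswith("FILE:"):
        problems.append("com.ibm.CORBA.krb5CcacheFile must be a FILE: URL")
    return problems
```

Run check_props(parse_props(open("sas.client.props").read())) against a real client properties file before starting the client; an empty list means the Kerberos settings are mutually consistent, which does not by itself prove the KDC or credential cache is reachable.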


Results

You have now configured a Java client for Kerberos authentication.

You can complete the configuration of Kerberos on the server side by using either the administrative console or wsadmin commands. See Configure Kerberos as the authentication mechanism using the administrative console or Kerberos authentication commands, respectively, for more information.


Related tasks

  • Select an authentication mechanism
  • Configure Kerberos as the authentication mechanism using the administrative console
  • Create a Kerberos service principal name and keytab file
  • Create a Kerberos configuration file
  • Set up Kerberos as the authentication mechanism for WebSphere Application Server
  • Authenticating users
  • Configure CSIv2 (CSIV2) inbound and outbound communication settings
  • Enable and configure SPNEGO web authentication using the administrative console
  • Configure security

  • SPNEGO web authentication configuration commands
  • Kerberos authentication commands (for wsadmin)