Set up Kerberos as the authentication mechanism for WebSphere Application Server
This topic describes the steps required to set up Kerberos as the authentication mechanism for WebSphere Application Server.
Setting up the Kerberos authentication mechanism on the server side must be done by the system administrator, and on the Java client side by end users. The Kerberos keytab file must be protected, because it holds the long-term key of the service principal.
We must first ensure that the KDC is configured. For more information, see the Kerberos Administrator and User's guide.
(zos) To configure a KDC on z/OS, you must activate the APPL class in RACF. This action has the effect of enabling the APPL class profile defined for WebSphere and might restrict the ability of authenticated users to access applications that run on WebSphere. If the security configuration is using an SAF profile prefix, the profile name is the SAF profile prefix. Otherwise, the profile name is CBS390. To control whether the APPL profile is checked for WebSphere authorization, select or clear the check box labeled "Use APPL profile to restrict access to the server" on the SAF authorization panel in the administrative console. This setting can be configured at the WebSphere security domain level.
When configuring the envar file for a z/OS KDC, order the encryption types from most secure to least secure in the SKDC_TKT_ENCTYPES environment variable. The z/OS KDC prefers the encryption types that appear first in the list, from left to right, so a weak type listed first is the one the KDC will choose.
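The ordering rule above matters because the KDC picks the left-most encryption type that it and the client both support. The following is an added example, not part of the IBM documentation or of the z/OS KDC itself: a small Python lint that reads an envar file, ranks the encryption types listed in SKDC_TKT_ENCTYPES, and reports any place where a weaker type precedes a stronger one or where single-DES types remain. The encryption type spellings in the ranking table are assumed for illustration and should be compared with the z/OS Network Authentication Service documentation before use; the sample envar contents are constructed.

```python
"""Lint the SKDC_TKT_ENCTYPES ordering in a z/OS KDC envar file.

Added example (not IBM code). The KDC prefers the encryption types
listed first, so a weak type placed ahead of a strong one is what the
KDC will issue when a client offers both.  Enctype spellings below are
an assumption for illustration; check them against the z/OS docs.
"""
from __future__ import annotations

# Relative strength ranking (higher is stronger). Names are assumed.
ENCTYPE_RANK = {
    "aes256-cts-hmac-sha1-96": 4,
    "aes128-cts-hmac-sha1-96": 3,
    "des3-cbc-sha1": 2,
    "des-cbc-md5": 1,
    "des-cbc-crc": 1,
}
WEAK_TYPES = {name for name, rank in ENCTYPE_RANK.items() if rank <= 1}

# Constructed sample envar files for demonstration.
GOOD_ENVAR = """\
# constructed sample: strongest type first
SKDC_TKT_ENCTYPES=aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,des3-cbc-sha1
"""
BAD_ENVAR = """\
# constructed sample: single DES listed first, so the KDC prefers it
SKDC_TKT_ENCTYPES=des-cbc-crc,aes256-cts-hmac-sha1-96
"""


def parse_envar(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def enctype_list(value: str) -> list[str]:
    """Split the comma-separated enctype list, normalising case."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def check_enctype_order(text: str) -> list[str]:
    """Return a list of findings; an empty list means the order is sound."""
    env = parse_envar(text)
    value = env.get("SKDC_TKT_ENCTYPES")
    if value is None:
        return ["SKDC_TKT_ENCTYPES is not set"]

    findings: list[str] = []
    types = enctype_list(value)
    for t in types:
        if t not in ENCTYPE_RANK:
            findings.append(f"unknown enctype {t!r}")

    # Walk adjacent known pairs: any increase in rank means a weaker
    # type sits ahead of a stronger one and will be preferred by the KDC.
    known = [t for t in types if t in ENCTYPE_RANK]
    for earlier, later in zip(known, known[1:]):
        if ENCTYPE_RANK[earlier] < ENCTYPE_RANK[later]:
            findings.append(
                f"{earlier} is listed before stronger {later}; "
                "the KDC will prefer the weaker type"
            )

    weak_present = [t for t in known if t in WEAK_TYPES]
    if weak_present:
        findings.append("weak single-DES types present: " + ", ".join(weak_present))
    return findings


if __name__ == "__main__":
    for label, sample in (("good", GOOD_ENVAR), ("bad", BAD_ENVAR)):
        print(label, check_enctype_order(sample) or "OK")
```

Run it against a copy of the KDC envar file (for example by reading the file and passing its contents to check_enctype_order) as part of a configuration review; an empty result means the list is already in descending strength order and contains no single-DES types.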
We must perform the following steps to set up Kerberos as the authentication mechanism for WebSphere Application Server.
- Create a Kerberos service principal name and keytab file
- Create a Kerberos configuration file
- Configure Kerberos as the authentication mechanism for WebSphere Application Server using the administrative console
- Map a client Kerberos principal name to the WebSphere user registry ID
- Set up Kerberos as the authentication mechanism for the pure Java client (Optional)
Related tasks
- Create a Kerberos service principal name and keytab file
- Create a Kerberos configuration file
- Configure Kerberos as the authentication mechanism using the administrative console
- Mapping of a client Kerberos principal name to the WebSphere user registry ID
- Configure a Java client for Kerberos authentication
- (zos) Mapping a Kerberos principal to a System Authorization Facility (SAF) identity on z/OS
- Authenticating users
- Configure CSIv2 (CSIV2) inbound and outbound communication settings
- Enable and configure SPNEGO web authentication using the administrative console
- Kerberos authentication commands
- SPNEGO web authentication configuration commands
- Use the ktab command to manage the Kerberos keytab file
- Kerberos: The Network Authentication Protocol