Kerberos authentication settings
Use this page to configure and to verify Kerberos as the authentication mechanism for the application server.
After we enter and apply the required information, the server principal name is created from the service name, realm name, and host name, and is used to verify authentication to the Kerberos service automatically.
When configured, Kerberos is the primary authentication mechanism. Configure EJB authentication to resources by accessing the resource references links on the application details panel. To view this console page, click Security > Global security > Authentication, and then click Kerberos configuration.
When configuring Kerberos, the service principal must be in the format <service name>/<fully_qualified_hostname>@KerberosRealm. If we do not use this format, we might get the following error:
org.ietf.jgss.GSSException, major code: 11, minor code: 0 major string: General failure, unspecified at GSSAPI level minor string: Cannot get credential for principal service WAS/test@AUSTIN.IBM.COM
In the exception example, the fully qualified host name is not specified, which is why the failure occurs. For this failure, the host name of the system is usually obtained from the /etc/hosts file instead of from the Domain Name Server (DNS). On UNIX or Linux systems, if the "hosts:" line in the /etc/nsswitch.conf file is configured to consult the hosts file before DNS, the Kerberos configuration fails when the hosts file entry for the system is not the fully qualified host name.
Kerberos realm name
Name of the Kerberos realm. In most cases, the realm is the domain name in uppercase letters. For example, a machine with the domain name of test.austin.ibm.com typically has a Kerberos realm name of AUSTIN.IBM.COM.
There are two components that use a realm name. The IBM implementation of the Java Generic Security Service (JGSS) component obtains the realm name from the krb5.conf file. WebSphere Application Server also maintains a realm name, which is usually the same one that JGSS uses. If we leave the Kerberos realm name field blank, WebSphere Application Server inherits the realm name from JGSS.
We might want WebSphere Application Server to use a different realm name, and can use the Kerberos realm name field to change it. However, be aware that if we change the realm name in the console, only the WebSphere Application Server realm name is changed.
Data type: String
Kerberos service name
By convention, a Kerberos service principal is divided into three parts: the primary, the instance, and the Kerberos realm name. The format of the Kerberos service principal name is service/<fully_qualified_hostname>@KERBEROS_REALM. The service name is the first part of the Kerberos service principal name. For example, in WAS/test.austin.ibm.com@AUSTIN.IBM.COM, the service name is WAS.
Data type: String
Kerberos configuration file with full path
The Kerberos configuration file, krb5.conf or krb5.ini, contains client configuration information, including the locations of the Key Distribution Centers (KDCs) for the realm of interest. The krb5.conf file is used for all platforms except the Windows operating system, which uses the krb5.ini file.
Data type: String
Kerberos keytab file name with full path
Specifies the Kerberos keytab file name with its full path. We can click Browse to locate it. If this field is empty, then the keytab file name specified in the Kerberos configuration file is used.
Data type: String
Trim Kerberos realm from principal name
Whether Kerberos removes the suffix of the principal user name, starting from the @ that precedes the Kerberos realm name. If this attribute is set to true, the suffix of the principal user name is removed. If this attribute is set to false, the suffix of the principal name is retained. The default value is true.
Default: Enabled
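As an added example (not from the WebSphere documentation or product code), the following Python shows how the service principal is assembled from the service name, host name, and realm, the check that catches the short host name behind the GSSException shown earlier on this page, and the effect of the Trim Kerberos realm from principal name setting. The sample values WAS, test.austin.ibm.com, and AUSTIN.IBM.COM are the ones used on this page; the function names are assumptions.

```python
import re
import socket

# Sample values taken from this page (constructed for the example).
SAMPLE_SERVICE = "WAS"
SAMPLE_REALM = "AUSTIN.IBM.COM"
SAMPLE_HOST = "test.austin.ibm.com"

# primary/instance@REALM, none of the parts may contain '/' or '@'
SPN_RE = re.compile(r"^(?P<primary>[^/@]+)/(?P<instance>[^/@]+)@(?P<realm>[^/@]+)$")


def build_service_principal(service, host, realm):
    """Assemble service/<fqdn>@REALM from the three parts the page describes."""
    return f"{service}/{host}@{realm}"


def check_service_principal(spn):
    """Return a list of problems with a service principal; an empty list means it is acceptable."""
    problems = []
    m = SPN_RE.match(spn)
    if not m:
        problems.append("expected service/<fully_qualified_hostname>@REALM")
        return problems
    instance = m.group("instance")
    realm = m.group("realm")
    if "." not in instance:
        # This is the case behind the GSSException on the page: WAS/test@... has a short host name.
        problems.append(f"instance '{instance}' is not a fully qualified host name")
    if realm != realm.upper():
        # Realm names are case-sensitive; by convention they are the domain name in uppercase.
        problems.append(f"realm '{realm}' is not uppercase")
    return problems


def trim_realm(principal, trim=True):
    """Apply the 'Trim Kerberos realm from principal name' setting: drop '@REALM' when trim is true."""
    if trim and "@" in principal:
        return principal.rsplit("@", 1)[0]
    return principal


def local_host_is_fully_qualified():
    """Report whether this system resolves its own name to an FQDN (the hosts-file vs. DNS issue above)."""
    return "." in socket.getfqdn()


if __name__ == "__main__":
    spn = build_service_principal(SAMPLE_SERVICE, SAMPLE_HOST, SAMPLE_REALM)
    print(spn, check_service_principal(spn))
    print("WAS/test@AUSTIN.IBM.COM", check_service_principal("WAS/test@AUSTIN.IBM.COM"))
    print("local host FQDN:", socket.getfqdn(), local_host_is_fully_qualified())
```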
Enable delegation of Kerberos credentials
Whether the delegated Kerberos credentials are to be stored in the subject by Kerberos authentication.
This option also enables an application to retrieve the stored credentials and to propagate them to other applications downstream for additional Kerberos authentication with the credential from the Kerberos client.
If this parameter is true, and the runtime cannot extract a client GSS delegation credential, then a warning message is logged.
Default: Enabled
(zos) Mapping Kerberos principal names to SAF identities
Whether to use the built-in mapping module to map a Kerberos principal name to an SAF identity on z/OS. Applies when the active user registry is Local OS.
There is some additional setup required. Read (zos) Mapping a Kerberos principal to a System Authorization Facility (SAF) identity on z/OS for more information.
The Use the KERB segment of an SAF user profile option uses the full Kerberos principal name and Kerberos realm for the mapping, regardless of what the Trim Kerberos realm from principal name field is set to.
Choose one of the following radio buttons. The default is Do not use SAF profiles for mapping Kerberos principals to SAF identities.
- Do not use SAF profiles for mapping Kerberos principals to SAF identities
  Select this option if the Kerberos principal name already matches an SAF user so that mapping is not necessary, or if a Java Authentication and Authorization Service (JAAS) login module is configured to do the mapping.
  This button is only visible when the active user registry is Local OS and the platform is z/OS.
- Use the KERB segment of an SAF user profile
  Select this option to map a Kerberos principal to an SAF user, where the Kerberos principal is specified in the KERB segment of that SAF user. When selected, the security custom property, com.ibm.websphere.security.krb.useBuiltInMappingToSAF, is set to true.
  This button is only visible when the active user registry is Local OS and the platform is z/OS. This option uses the full Kerberos principal name and Kerberos realm for the mapping, regardless of what the Trim Kerberos realm from principal name field is set to.
- Use the RACMAP profiles in the SAF product for distributed identity mapping
  Select this option to map a Kerberos principal to an SAF user, where the Kerberos principal and the Kerberos realm are specified in the RACMAP profiles of the SAF product. Before we can select this option, the SAF product must support distributed identity mapping. When selected, the security custom property, com.ibm.websphere.security.krb.useRACMAPMappingToSAF, is set to true.
  This button is only visible when the active user registry is Local OS, the cell is not mixed-version (no nodes prior to WebSphere Application Server v8.5), and the z/OS security product supports SAF identity mapping (for RACF, this means z/OS version 1.11 or later). This option uses the full Kerberos principal name and Kerberos realm for the mapping, regardless of what the Trim Kerberos realm from principal name field is set to.