WAS v8.5 > Secure applications > Secure web services > Secure web services > Web Services Security concepts > Web Services Security concepts > Web Services Security provides message integrity, confidentiality, and authentication > Kerberos token

Kerberos configuration models for web services

The IBM WebSphere Application Server configuration model leverages existing frameworks.

The configuration model features include:

Examples of possible configurations when using the Kerberos token:


JAX-WS configuration model

For JAX-WS applications, the WAS client configuration model uses the policy set and leverages a custom policy set for the Kerberos token. We can specify the Kerberos token type and message signing and the encryption using the custom policy set. The WS-Security policy is the security policy used to secure the application messages.

Using the dmgr console, we can specify the Kerberos token type, message signing, and message encryption using an existing custom policy set. Kerberos token generation and consumption includes the Kerberos token generation for unmanaged JAX-WS clients.

The JAX-WS programming model also provides capabilities to enable the Kerberos token profile and identity assertion by configuring the Kerberos token using policy sets, Web Services Security APIs, and administrative command scripts.

For JAX-WS applications, we can use administrative commands to configure the policy set as an alternative to using the dmgr console.


JAX-RPC configuration model

JAX-RPC applications are configured using a deployment model. The deployment descriptor specifies the custom token to use for the Kerberos token. A JAX-RPC client can generate the specified Kerberos token. A JAX-RPC web service can successfully authenticate the Kerberos token using a custom or the default Kerberos identity mapping login module.


API configuration model

A set of APIs is provided by WAS. To successfully use these APIs, application developers must have knowledge about the OASIS Web Services Security v1.0 and 1.1 specifications. When we use these APIs, the application server assumes that a policy set is not attached to the client resources; however, a warning is still issued when the application server detects any policy set information.

For JAX-WS client applications, the APIs include and enforce Web Services Security policy for the Kerberos token, which is based on the OASIS token profile. To enable the Kerberos token profile with the policy set, first configure the WS-Security policy and the binding files with the custom token.

For JAX-RPC applications, APIs for Web Services Security are not provided. You must use the deployment descriptor to specify the custom token to use the Kerberos token. We can use the custom token panels within an assembly tool, such as Rational Application Developer, to configure the deployment information.


Related information:

Kerberos Token Profile v1.1 specification

Kerberos Token Profile 1.1 Approved Errata


+

Search Tips   |   Advanced Search