WAS v8.5 > Secure applications > Secure web services > Secure web services > Web Services Security concepts > Web Services Security concepts > Web Services Security provides message integrity, confidentiality, and authentication > Kerberos token

Web Services Security Kerberos token for authentication in a single or cross Kerberos realm environment

To secure web services messages, we can use a Kerberos token as either an authentication token or a message protection token. For Kerberos authentication, both the single Kerberos realm environment, and the cross or trusted Kerberos realm environment are supported.


Single realm environment

In a single Kerberos realm environment, both the client application and the service provider use the same Kerberos realm. The client application obtains a Kerberos token based on the Kerberos realm used by the service provider. To configure the token, the client application defines the Kerberos service principal name (SPN) for the service provider in the client policy token generator bindings. The format of the SPN is shown later in this section, where Kerberos_Realm_Name is optional.

For cell-level configuration in WebSphere Application Server, all service providers use the same Kerberos realm.

If the service provider uses the Kerberos identity from the client for downstream web services requests, a delegated Kerberos ticket must exist in the Kerberos token specified in the Kerberos configuration file. The system JAAS login module for Kerberos is added to the provided Web Services Security caller. For more information on using the Kerberos token for caller credentials, read about updating the system Java Authentication and Authorization Service (JAAS) login with the Kerberos login module, and creating a Kerberos configuration file.


Cross realm environment or trusted realm environment

The following configuration procedures must be completed for the trusted realm environment:

In a cross or trusted Kerberos realm environment, the client application and the service provider use different Kerberos realms that have established trust with each other. The client application obtains a Kerberos token based on the Kerberos realm used by the service provider. To configure the token, the client application defines the Kerberos SPN for the service provider in the client policy token generator bindings. The format of the SPN is shown later in this section, where Kerberos_Realm_Name is required.

The client application must specify the Kerberos realm name for the client in the callback handler portion of the client policy token generator bindings. At the cell level, all service providers use the same Kerberos realm. However, client applications can still define their own Kerberos realm. Only peer-to-peer and transitive trust cross-realm authentication are supported.

The following figure illustrates the relationship between trusted realms as defined in the Kerberos Key Distribution Center (KDC):

If the service provider uses the Kerberos identity from the client for downstream web services requests, a delegated Kerberos ticket must exist in the Kerberos token that is configured in the Kerberos configuration file. The system JAAS login module for Kerberos is added to the provided Web Services Security caller. For more information on using the Kerberos token for caller credentials, read about updating the system JAAS login with the Kerberos login module, and creating a Kerberos configuration file.


Related concepts:

Kerberos usage overview for web services
Kerberos (KRB5) authentication mechanism support for security


Related


Configure the Kerberos token for Web Services Security
Configure the bindings for message protection for Kerberos
Update the system JAAS login with the Kerberos login module
Create a Kerberos configuration file


+

Search Tips   |   Advanced Search