
Set up Kerberos as the authentication mechanism for WAS

Configuring the Kerberos authentication mechanism on the server side must be done by the system administrator; on the Java client side it is done by end users. The Kerberos keytab file must be protected.

Before starting, configure the KDC.

  1. Create a Kerberos service principal name and keytab file

    We can create a Kerberos service principal name and keytab file using the key distribution centers (KDCs) of Microsoft Windows, iSeries, Linux, Solaris, Massachusetts Institute of Technology (MIT) Kerberos and z/OS.

    Kerberos prefers servers and services to have a host-based service ID. The format of this ID is...

      service name/fully_qualified_hostname

    The default service name is WAS. For Kerberos authentication, the service name can be any string allowed by the KDC. However, for SPNEGO web authentication, the service name must be HTTP. An example of a WebSphere Application Server server ID is...

      WAS/myhost.austin.ibm.com

    Each host must have a server ID unique to the hostname. All processes on the same node share the same host-based service ID.

    A Kerberos administrator creates a Kerberos service principal name (SPN) for each node in the WebSphere cell. For example, for a cell with 3 nodes, such as...

      server1.austin.ibm.com, server2.austin.ibm.com and server3.austin.ibm.com

    ...the Kerberos administrator must create the following Kerberos service principals:

      WAS/server1.austin.ibm.com, WAS/server2.austin.ibm.com and WAS/server3.austin.ibm.com

    The Kerberos keytab file (krb5.keytab) contains all of the SPNs for the node and must be protected. This file can be placed in...

      config/cells/cell_name

  2. Create a Kerberos configuration file

    The IBM implementation of JGSS and KRB5 requires a Kerberos configuration file (krb5.conf or krb5.ini) on each node or JVM. Place this file in...

      config/cells/cell_name

    If we do not have a Kerberos configuration file, use a wsadmin command to create one.

  3. Configure Kerberos as the authentication mechanism for WebSphere Application Server

    Use the dmgr console to configure Kerberos as the authentication mechanism for the application server. When we have entered and applied the required information to the configuration, the Kerberos service principal name is formed as...

      service name/fully_qualified_hostname@KerberosRealm

    ...and is used to verify incoming Kerberos token requests.

  4. Map a client Kerberos principal name to the WebSphere user registry ID

    We can map the Kerberos client principal name to the WebSphere user registry ID for both SPNEGO web authentication and Kerberos authentication.

  5. Set up Kerberos as the authentication mechanism for the pure Java client (optional)

    A Java client can authenticate with WebSphere Application Server with a Kerberos principal name and password or with the Kerberos credential cache (krb5Ccache).
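The following is an added example, not part of the IBM documentation: a small Python check an administrator can run after step 1 to confirm that the keytab contains one SPN of the form service/fully_qualified_hostname@REALM for every node in the cell, and that the keytab file is not readable by group or others. The three node names are the ones used above; the realm AUSTIN.IBM.COM and the klist -k style listing are constructed sample input.

```python
import os
import re
import stat

# Nodes of the example cell from the page; the realm is an assumed value.
CELL_NODES = ["server1.austin.ibm.com", "server2.austin.ibm.com", "server3.austin.ibm.com"]
REALM = "AUSTIN.IBM.COM"

# Constructed sample in the style of `klist -k` output; server3 has no WAS SPN.
SAMPLE_KEYTAB_LISTING = """\
Keytab name: FILE:/opt/WAS/config/cells/myCell/krb5.keytab
KVNO Principal
---- ----------------------------------------------------
   2 WAS/server1.austin.ibm.com@AUSTIN.IBM.COM
   2 WAS/server2.austin.ibm.com@AUSTIN.IBM.COM
   1 HTTP/server1.austin.ibm.com@AUSTIN.IBM.COM
"""

# service/fully_qualified_hostname@REALM, with no slash or @ inside a component.
SPN_RE = re.compile(r"^[^/@\s]+/[^/@\s]+@[^/@\s]+$")


def expected_spns(nodes, realm, service="WAS"):
    """One host-based SPN per node: service/fully_qualified_hostname@REALM."""
    return {f"{service}/{node}@{realm}" for node in nodes}


def parse_keytab_listing(text):
    """Collect principal names from klist -k style output, skipping header lines."""
    spns = set()
    for line in text.splitlines():
        parts = line.split()
        # Entry lines are "<kvno> <principal>"; header lines never start with a number.
        if len(parts) == 2 and parts[0].isdigit() and SPN_RE.match(parts[1]):
            spns.add(parts[1])
    return spns


def missing_spns(nodes, realm, listing_text, service="WAS"):
    """Nodes whose SPN (for the given service name) is absent from the keytab."""
    return sorted(expected_spns(nodes, realm, service) - parse_keytab_listing(listing_text))


def mode_is_protected(mode):
    """Regular file with no group/other permission bits, e.g. 0600."""
    return stat.S_ISREG(mode) and (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def keytab_is_protected(path):
    """Apply mode_is_protected to the on-disk keytab (e.g. config/cells/cell_name/krb5.keytab)."""
    return mode_is_protected(os.stat(path).st_mode)
```

Run the same check with service="HTTP" before enabling SPNEGO web authentication, since that mechanism requires the HTTP service name.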


Related

Configure CSIV2 inbound and outbound communication settings
Enable and configure SPNEGO web authentication
Kerberos authentication commands
SPNEGO web authentication configuration commands
Use the ktab command to manage the Kerberos keytab file
Kerberos: The Network Authentication Protocol
