
Configure the Kerberos token for Web Services Security

Use this topic to configure the Kerberos token for message-level Web Services Security.

Before we can use Kerberos with Web Services Security, configure Kerberos in the IBM WebSphere Application Server. We do not need to enable Kerberos as the authentication mechanism. However, the Kerberos configuration file, krb5.conf or krb5.ini, and the Kerberos keytab file, krb5.keytab, are required.

The initial setup and configuration processes to use Kerberos with Web Services Security are identical to the configuration processes for using Kerberos with the security function. Therefore, set up and configure Kerberos before continuing with the steps in this topic.

The "Kerberos (KRB5) authentication mechanism support for security" topic provides an overview of the Kerberos functionality and provides the initial steps for setting up and configuring Kerberos for authentication purposes. Within this topic, you must complete the steps in the section "Setting up Kerberos as the authentication mechanism for WAS". Use that topic to configure Kerberos, the service principal, and the keytab files. In addition, that topic provides references to the process for configuring Kerberos as the authentication mechanism using the dmgr console or commands. We can also find information on how to set up Kerberos when the Key Distribution Center (KDC) and the Application Server do not use the same user registry.

The Kerberos token for JAX-WS applications is configured using policy sets and bindings. The JAX-WS application is attached with a custom policy and the Kerberos token is configured as a message protection token or an authentication token.

The implemented Kerberos functionality for Web Services Security also leverages existing tools and frameworks for the Kerberos token profile configuration for authentication and message protection. The support for Kerberos with Web Services Security in the product is based on the OASIS Web Services Security Kerberos Token Profile 1.1 specification.

To configure Kerberos with Web Services Security...

  1. Enable the Kerberos token profile for JAX-WS applications.

    The JAX-WS application is attached with a custom policy that has a Kerberos token, which is configured with a message protection token or an authentication token. For more information, see Configure the Kerberos token policy set for JAX-WS applications.

  2. Select the customized Kerberos token type. We can define key bindings for request message protection and response message protection. We can use the key type, such as the key identifier or security token reference, for the outbound key information. If we use a derived key, use a security token reference in both the outbound and inbound key information. If we use a Kerberos session key, we can use a security token reference in the outbound key information and a key identifier in the inbound key information for the client bindings. Then, use a key identifier in the outbound key information and a security token reference in the inbound key information for the provider bindings.

  3. Select the customized Kerberos token types for the token generator or token consumer.

  4. Configure the bindings for Kerberos message protection for JAX-WS applications. For more information, see Configure the bindings for message protection for Kerberos.

Using this task, we have configured the Kerberos token for WAS.
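The key information rules in step 2 can be checked mechanically before bindings are deployed. The following is an added example, not IBM or WebSphere code: the dictionary layout, the function names and the sample values are assumptions made for illustration and do not reflect the product's bindings file format.

```python
# Added example: the key information types from step 2, written as a check.
# The dict layout and all names here are assumptions for illustration only.

STR = "security token reference"
KEYID = "key identifier"


def expected_key_info(key_mode, role, direction):
    """Return the key information type that step 2 describes.

    key_mode:  "derived" or "session" (Kerberos session key)
    role:      "client" or "provider"
    direction: "outbound" or "inbound"
    """
    if key_mode not in ("derived", "session"):
        raise ValueError("unknown key mode: %r" % (key_mode,))
    if role not in ("client", "provider") or direction not in ("outbound", "inbound"):
        raise ValueError("unknown role or direction: %r %r" % (role, direction))
    if key_mode == "derived":
        # Derived key: security token reference in both directions.
        return STR
    # Session key: the request leg (client outbound, provider inbound) uses a
    # security token reference; the response leg uses a key identifier.
    request_leg = (role, direction) in (("client", "outbound"), ("provider", "inbound"))
    return STR if request_leg else KEYID


def check_bindings(key_mode, bindings):
    """Compare bindings with step 2 and return a list of findings."""
    findings = []
    for role in ("client", "provider"):
        for direction in ("outbound", "inbound"):
            want = expected_key_info(key_mode, role, direction)
            got = bindings.get(role, {}).get(direction)
            if got != want:
                findings.append("%s %s: expected %s, found %s"
                                % (role, direction, want, got or "nothing"))
    return findings


# Constructed sample: provider bindings copied from the client bindings
# without swapping the outbound and inbound key information types.
SAMPLE = {
    "client": {"outbound": STR, "inbound": KEYID},
    "provider": {"outbound": STR, "inbound": KEYID},
}

if __name__ == "__main__":
    for finding in check_bindings("session", SAMPLE):
        print(finding)
```

With the session-key rule, the sample yields two findings, both on the provider side, because the provider bindings must mirror the client bindings rather than repeat them.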




Related concepts:

Kerberos token
Kerberos (KRB5) authentication mechanism support for security


Related


Configure Kerberos as the authentication mechanism


Related information:

Web Services Security Kerberos Binding specification

Web Services Security Kerberos Token Profile specification

