
Update the system JAAS login with the Kerberos login module

Update the Kerberos system JAAS login module for JAX-WS applications.

If the Kerberos authentication mechanism is configured in the WebSphere Application Server security configuration for JAX-WS applications, the JAAS login wss.caller must be updated with the system JAAS login module for Kerberos. The login module is specified as com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule.

There are two methods to update the Kerberos system JAAS login module: by using the dmgr console, or by running a Jython script.

  1. Using the dmgr console, follow these steps:

    1. Click Security > Global security > Java Authentication and Authorization Service > System logins.

    2. Click on wss.caller, then click New to create a new JAAS login module.
    3. In the Module class name field, type com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule.

    4. Click OK.
    5. In the wss.caller panel, click Set Order, then click on WSKrb5LoginModule.
    6. Move WSKrb5LoginModule up in the list of modules so that it is after com.ibm.ws.wssecurity.impl.auth.module.WSWSSLoginModule but before com.ibm.ws.security.server.lm.ltpaLoginModule. The order of the modules in the list is important. The finished list of modules should look like this:
      com.ibm.ws.wssecurity.impl.auth.module.PreCallerLoginModule                         1
      com.ibm.ws.wssecurity.impl.auth.module.UNTCallerLoginModule                         2
      com.ibm.ws.wssecurity.impl.auth.module.X509CallerLoginModule                        3
      com.ibm.ws.wssecurity.impl.auth.module.LTPACallerLoginModule                        4
      com.ibm.ws.wssecurity.impl.auth.module.LTPAPropagationCallerLoginModule             5
      com.ibm.ws.wssecurity.impl.auth.module.KRBCallerLoginModule                         6
      com.ibm.ws.wssecurity.impl.auth.module.WSWSSLoginModule                             7
      com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule                                 8
      com.ibm.ws.security.server.lm.ltpaLoginModule                                       9
      com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule                        10

    7. Click OK, then click Save to save the changes.

    8. Restart the server.

  2. Alternatively, run a Jython script to update the module. For each cell, run the script addKrbLoginModuleWSSCaller.py, located in the app_server_root\bin directory, to update the WSKrb5LoginModule login module in the security configuration.

    1. Run the following command, where app_server_root is C:\WebSphere\AppServer:

        wsadmin -conntype NONE -lang jython -f C:\WebSphere\AppServer\bin\addKrbLoginModuleWSSCaller.py

    2. If the script is successful, the following message is displayed:

        System JAAS login entry wss.caller has been updated.

    3. Restart the server.
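
Whichever method is used, the ordering rule from step 6 of the console procedure can be checked mechanically before the restart. The following Python is an added example, not IBM's script or part of the original page; it assumes the wss.caller module list has been copied as text, one class name per line with an optional position number, and its function names are illustrative.

```python
# Added example: verify the wss.caller module order described on this page.
# Input is the module list as text, one class name per line, optionally
# followed by its position number (the layout used in the listing above).

KRB5 = "com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule"
MUST_PRECEDE = "com.ibm.ws.wssecurity.impl.auth.module.WSWSSLoginModule"
MUST_FOLLOW = "com.ibm.ws.security.server.lm.ltpaLoginModule"


def parse_module_list(text):
    """Return class names in listed order, ignoring blanks and order numbers."""
    modules = []
    for line in text.splitlines():
        fields = line.split()
        if fields:
            modules.append(fields[0])
    return modules


def check_wss_caller_order(modules):
    """Return a list of problems; an empty list means the order is acceptable."""
    problems = []
    for name in (MUST_PRECEDE, KRB5, MUST_FOLLOW):
        count = modules.count(name)
        if count == 0:
            problems.append("missing: " + name)
        elif count > 1:
            problems.append("listed %d times: %s" % (count, name))
    if problems:
        return problems  # positions are meaningless until the list is sane
    krb = modules.index(KRB5)
    if krb < modules.index(MUST_PRECEDE):
        problems.append("WSKrb5LoginModule is before WSWSSLoginModule")
    if krb > modules.index(MUST_FOLLOW):
        problems.append("WSKrb5LoginModule is after ltpaLoginModule")
    return problems


# Constructed sample (tail of a list): the module was created but Set Order
# was skipped, so WSKrb5LoginModule still sits below ltpaLoginModule.
SAMPLE_UNORDERED = """
com.ibm.ws.wssecurity.impl.auth.module.WSWSSLoginModule              7
com.ibm.ws.security.server.lm.ltpaLoginModule                        8
com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule         9
com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule                  10
"""

if __name__ == "__main__":
    for problem in check_wss_caller_order(parse_module_list(SAMPLE_UNORDERED)):
        print(problem)
```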

