The Kerberos configuration file

The Kerberos configuration file

The Kerberos configuration properties, krb5.ini or krb5.conf files, must be configured on every WebSphere Application Server instance in a cell in order to use the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for WAS.

Deprecated feature: In WAS v6.1, a trust association interceptor (TAI) that uses the SPNEGO to securely negotiate and authenticate HTTP requests for secured resources was introduced. In WAS 7.0, this function is now deprecated. SPNEGO web authentication has taken its place to provide dynamic reload of the SPNEGO filters and to enable fallback to the application login method.depfeat
The default Kerberos configuration file name for Windows is krb5.ini. For other platforms is the default Kerberos configuration file name is krb5.conf. The default location for the Kerberos configuration file is shown later in this section:

Operating System Default Location
Windows c:\winnt\krb5.ini
If the krb5.ini file is not located in the c:\winnt directory it might be located in c:\windows directory.
Linux /etc/krb5.conf
other UNIX-based /etc/krb5/krb5.conf
z/OS /etc/krb5/krb5.conf
IBM i /QIBM/UserData/OS400/NetworkAuthentication/krb5.conf

If we do not use the default location and Kerberos configuration file name, then we have to update *.krb5ConfigFile properties in the soap.client.prop, ipc.client.props, and sas.client.props files. Also, if the client programmatic login uses the WSKRBLogin module, we must also set the java.security.krb5.conf JVM property.
For SPNEGO TAI, if we do not use the default location and Kerberos configuration file name, then specify the java.security.krb5.conf JVM property.

The default Kerberos configuration file on Windows is /winnt/krb5.ini and on a distributed environment is /etc/krb5. If we specify another location path, then we must also specify the java.security.krb5.conf JVM property.

For example, if your krb5.conf file is specified at /opt/IBM/WebSphere/profiles/AppServer/etc/krb5.conf, then we need to specify -Djava.security.krb5.conf=/opt/IBM/WebSphere/profiles/AppServer/etc/krb5.conf.

The WebSphere runtime code searches for the Kerberos configuration file in the order as follows:

The file referenced by the Java property java.security.krb5.conf
<java.home>/lib/security/krb5.conf
c:\winnt\krb5.ini on Microsoft Windows platforms
/etc/krb5/krb5.conf on UNIX platforms
/etc/krb5.conf on Linux platforms.

Use the wsadmin utility to configure the SPNEGO TAI for WAS:
Start WAS.
Start the command-line utility by running the wsadmin command from the app_server_root/bin directory.
(iSeries) Start the command-line utility by running the wsadmin command from the app_server_root/bin directory from the Qshell command line.
At the wsadmin prompt, enter:
$AdminTask createKrbConfigFile
Use the following parameters with this command:

Option Description
<krbPath> Required. It provides the fully qualified file system location of the Kerberos configuration (krb5.ini or krb5.conf) file.
<realm> Required. It provides the Kerberos realm name. Used by the SPNEGO TAI to form the Kerberos service principal name for each of the hosts specified with the property com.ibm.ws.security.spnego.SPNid.hostName.
<kdcHost> Required. It provides the host name of the Kerberos Key Distribution Center (KDC).
<kdcPort> Optional. It provides the port number of the KDC. The default value, if not specified, is 88.
<dns> Required. It provides the default domain name service (DNS) used to produce a fully qualified host name.
<keytabPath> Required. It provides the file system location of the Kerberos keytab file.
<encryption> Optional. It identifies the list of supported encryption types, separated by a space. The specified value is used for the default_tkt_enctypes and default_tgs_enctypes. The default encryption types, if not specified, are des-cbc-md5 and rc4-hmac.
In the following example, the wsadmin command creates the krb5.ini file in the c:\winnt directory. The default Kerberos keytab file is also in c:\winnt. The actual Kerberos realm name is WSSEC.AUSTIN.IBM.COM and the KDC host name is host1.austin.ibm.com.
wsadmin>$AdminTask createKrbConfigFile {-krbPath 
c:\winnt\krb5.ini -realm WSSEC.AUSTIN.IBM.COM -kdcHost host1.austin.ibm.com
 -dns austin.ibm.com -keytabPath c:\winnt\krb5.keytab}
The previous wsadmin command creates a krb5.ini file as follows:
[libdefaults]
 default_realm = WSSEC.AUSTIN.IBM.COM
        default_keytab_name = FILE:c:\winnt\krb5.keytab
        default_tkt_enctypes = des-cbc-md5 rc4-hmac
        default_tgs_enctypes = des-cbc-md5 rc4-hmac
[realms]
        WSSEC.AUSTIN.IBM.COM = {
  kdc = host1.austin.ibm.com:88
              default_domain = austin.ibm.com        
}
[domain_realm]
        .austin.ibm.com = WSSEC.AUSTIN.IBM.COM
(iSeries) A Kerberos keytab file contains a list of keys that are analogous to user passwords. It is important for hosts to protect their Kerberos keytab files by storing them on the local disk. The krb5.conf file permission must be 644, which means that we can read and write the file; however, members of the group that the file belongs to, and all others can only read the file.
A Kerberos keytab file contains a list of keys that are analogous to user passwords. It is important for hosts to protect their Kerberos keytab files by storing them on the local disk. The krb5.conf file permission must be 644, which means that we can read and write the file; however, members of the group that the file belongs to, and all others can only read the file. The user ID that runs adjunct, control, and servants must have read access to the krb5.conf and krb5.keytab files.
If the run time cannot read the default_tkt_enctypes or default_tgs_enctypes entries in the krb5.ini file, their values are missing, or their values are not supported, the DES-CBC-MD5 value is used by default.

(iSeries) The krb5.conf configuration file supports trigraphs to represent the {, }, [, and ] characters. These characters depend on the language set. The natively generated keytabs cannot be read by the Kerberos client. If we have difficulty configuring SPNEGO TAI with the native krb5.conf or krb5.keytab files, complete one of the following scenarios to address the trigraphs issue:

Replace the trigraphs in the krb5.conf file with the characters that they represent.
Use the krb5.conf file generated by WAS.
Use a Microsoft Windows or a key distribution center (KDC) generated keytab file.

Kerberos configuration settings, the Kerberos key distribution center (KDC) name, and realm settings for the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) are provided in the Kerberos configuration file or through java.security.krb5.kdc and java.security.krb5.realm system property files.

Configure security with scripting

Operating System	Default Location
Windows	c:\winnt\krb5.ini If the krb5.ini file is not located in the c:\winnt directory it might be located in c:\windows directory.
Linux	/etc/krb5.conf
other UNIX-based	/etc/krb5/krb5.conf
z/OS	/etc/krb5/krb5.conf
IBM i	/QIBM/UserData/OS400/NetworkAuthentication/krb5.conf

Option	Description
<krbPath>	Required. It provides the fully qualified file system location of the Kerberos configuration (krb5.ini or krb5.conf) file.
<realm>	Required. It provides the Kerberos realm name. Used by the SPNEGO TAI to form the Kerberos service principal name for each of the hosts specified with the property com.ibm.ws.security.spnego.SPNid.hostName.
<kdcHost>	Required. It provides the host name of the Kerberos Key Distribution Center (KDC).
<kdcPort>	Optional. It provides the port number of the KDC. The default value, if not specified, is 88.
<dns>	Required. It provides the default domain name service (DNS) used to produce a fully qualified host name.
<keytabPath>	Required. It provides the file system location of the Kerberos keytab file.
<encryption>	Optional. It identifies the list of supported encryption types, separated by a space. The specified value is used for the default_tkt_enctypes and default_tgs_enctypes. The default encryption types, if not specified, are des-cbc-md5 and rc4-hmac.