Kerberos authentication commands
Use wsadmin commands to create, modify or delete Kerberos as the authentication mechanism for WebSphere Application Server.
Create Kerberos authentication mechanism
The following items are required before we attempt to use the createKrbAuthMechanism command to create the KRB5 authentication mechanism security object field in the security configuration file:
- If we do not already have a Kerberos configuration file (krb5.ini or krb5.conf), use the createKrbConfigFile command to create one. Read about creating a Kerberos configuration file for more information.
- We must have a Kerberos keytab file (krb5.keytab) containing a Kerberos service principal name (SPN), <service name>/<fully qualified hostname>@KerberosRealm, for each machine that runs a WebSphere application server. The service name can be anything; the default value is WAS. The keytab holds the long-term keys for these SPNs, so protect it with file permissions that allow only the user the application server runs as to read it.
For example, if we have two application server machines, host1.austin.ibm.com and host2.austin.ibm.com, the Kerberos keytab file must contain the <service name>/host1.austin.ibm.com and <service name>/host2.austin.ibm.com SPNs and their Kerberos keys.
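Before running createKrbAuthMechanism it is worth confirming, from outside wsadmin, that the keytab really carries an SPN for every application server host and that the realm the command will fall back to (default_realm in the Kerberos configuration file) is the one the SPNs were created in. The following Python script is an added example, not code from this page or from WebSphere: it parses a version 0x0502 keytab (the MIT/Heimdal on-disk format, which is what ktpass and kadmin write), reads default_realm from a krb5.conf/krb5.ini text, and reports the SPNs that are missing. The keytab bytes, the krb5 configuration text and the host names are constructed sample data; the keys in them are placeholders, and the function and constant names are this example's own.

```python
import struct
import time

# MIT/Heimdal keytab file format, version 0x0502 (big-endian throughout).
KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_SRV_HST = 3  # principal name type used for service/host SPNs


def _counted(b: bytes) -> bytes:
    """Counted octet string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples as a v2 keytab.

    Fixture builder for this example only: a production keytab comes from
    ktpass, kadmin or the KDC's equivalent tool, never from code like this.
    """
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_SRV_HST, int(time.time()), kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)  # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Yield (principal, kvno, enctype) for each live entry of a v2 keytab."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # a negative size marks a deleted slot: skip the hole
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        (rlen,) = struct.unpack_from(">H", data, p); p += 2
        realm = data[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, p); p += 2
            comps.append(data[p:p + clen].decode()); p += clen
        _name_type, _stamp, vno8 = struct.unpack_from(">IIB", data, p); p += 9
        enctype, klen = struct.unpack_from(">HH", data, p); p += 4 + klen
        kvno = vno8
        if end - p >= 4:  # 32-bit kvno present; a nonzero value wins over vno8
            (kvno32,) = struct.unpack_from(">I", data, p)
            kvno = kvno32 or vno8
        yield "/".join(comps) + "@" + realm, kvno, enctype
        pos = end


def default_realm(krb5_conf_text: str):
    """Read default_realm from the [libdefaults] stanza of krb5.conf/krb5.ini."""
    in_libdefaults = False
    for raw in krb5_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            in_libdefaults = line.lower() == "[libdefaults]"
        elif in_libdefaults and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "default_realm":
                return value
    return None


def missing_spns(keytab, hosts, service="WAS", realm=None, krb5_conf=None):
    """SPNs that createKrbAuthMechanism needs for `hosts` but the keytab lacks.

    Mirrors the command's realm rule: an explicit realm wins, otherwise the
    default realm from the Kerberos configuration file is used.
    """
    realm = realm or default_realm(krb5_conf or "")
    if not realm:
        raise ValueError("no realm given and no default_realm in the krb5 config")
    present = {princ for princ, _, _ in parse_keytab(keytab)}
    return [spn for spn in (f"{service}/{h}@{realm}" for h in hosts)
            if spn not in present]


# Constructed sample inputs (placeholder key, not a real one): a krb5 config
# with a default realm and a keytab that only holds the SPN for host1.
SAMPLE_KRB5_CONF = """[libdefaults]
    default_realm = WSSEC.AUSTIN.IBM.COM
    default_keytab_name = FILE:/etc/krb5/krb5.keytab
"""
SAMPLE_KEYTAB = build_keytab([
    ("WAS/host1.austin.ibm.com@WSSEC.AUSTIN.IBM.COM", 2, 18, b"\x11" * 32),
])
APP_SERVER_HOSTS = ["host1.austin.ibm.com", "host2.austin.ibm.com"]

if __name__ == "__main__":
    for spn in missing_spns(SAMPLE_KEYTAB, APP_SERVER_HOSTS, krb5_conf=SAMPLE_KRB5_CONF):
        print("keytab is missing", spn)  # reports the host2 SPN
```

Run it against the real files by replacing SAMPLE_KEYTAB with open(path, "rb").read() and SAMPLE_KRB5_CONF with the contents of the krb5.ini or krb5.conf that -krb5Config will point at; an empty list means every host in the list has its SPN in the realm the command will use. Passing realm= explicitly checks the value we intend to give -krb5Realm instead of the configuration file's default.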
Use the createKrbAuthMechanism command to create the KRB5 authentication mechanism security object field in the security configuration file.
At the wsadmin prompt, enter:
$AdminTask help createKrbAuthMechanism
The command accepts the following options:
- <krb5Realm>: Optional. It indicates the Kerberos realm name. If not specified, the default Kerberos realm in the Kerberos configuration file is used.
- <krb5Config>: Required. It indicates the directory location and file name of the configuration (krb5.ini or krb5.conf) file.
- <krb5Keytab>: Optional. It indicates the directory location and file name of the Kerberos keytab file. If not specified, the default keytab in the Kerberos configuration file is used.
- <serviceName>: Required. It indicates the Kerberos service name. The default Kerberos service name is WAS.
- <trimUserName>: Optional. It removes the suffix of the principal user name, starting from the "@" that precedes the Kerberos realm name. Default is true. (z/OS) Note: We must set this field to true if we use the Local Operating System registry on z/OS and select the Use the KERB segment of an SAF user profile radio button to map Kerberos principals to SAF identities.
- <enabledGssCredDelegate>: Optional. It indicates whether to extract the client GSS delegation credential and place it in the subject. Default is true.
- <allowKrbAuthForCsiInbound>: Optional. It enables the Kerberos authentication mechanism for Common Secure Interoperability (CSI) inbound. Default is true.
- <allowKrbAuthForCsiOutbound>: Optional. It enables the Kerberos authentication mechanism for CSI outbound. Default is true.
The Kerberos configuration file name and Kerberos keytab file name do not have to be absolute paths; WebSphere variables can be used in them instead. In a mixed-platform environment we can use the variable ${CONF_OR_INI} in the Kerberos configuration file name. The security configuration expands it to "ini" on Windows and "conf" on non-Windows platforms. For example:
${WAS_INSTALL_ROOT}\etc\krb5\krb5.${CONF_OR_INI}
The following is an example of the createKrbAuthMechanism command:
wsadmin>$AdminTask createKrbAuthMechanism { -krb5Realm WSSEC.AUSTIN.IBM.COM -krb5Config C:\\WINNT\\krb5.ini -krb5Keytab C:\\WINNT\\krb5.keytab -serviceName WAS }
Modify Kerberos authentication mechanism
Use the modifyKrbAuthMechanism command to make changes to the KRB5 authentication mechanism security object field in the security configuration file.
At the wsadmin prompt, enter:
$AdminTask help modifyKrbAuthMechanism
The command accepts the following options:
- <krb5Realm>: Optional. It indicates the Kerberos realm name. If not specified, the default Kerberos realm in the Kerberos configuration file is used.
- <krb5Config>: Required. It indicates the directory location and file name of the configuration (krb5.ini or krb5.conf) file.
- <krb5Keytab>: Optional. It indicates the directory location and file name of the Kerberos keytab file. If not specified, the default keytab in the Kerberos configuration file is used.
- <serviceName>: Required. It indicates the Kerberos service name. The default Kerberos service name is WAS.
- <trimUserName>: Optional. It removes the suffix of the principal user name, starting from the "@" that precedes the Kerberos realm name. Default is true.
- <enabledGssCredDelegate>: Optional. It indicates whether to extract the client Kerberos and GSS delegation credential and place it in the Kerberos authentication token (KRBAuthnToken). Default is true. If this parameter is true and the runtime cannot extract the Kerberos GSS delegation credential, the runtime logs a warning message.
- <allowKrbAuthForCsiInbound>: Optional. It enables the Kerberos authentication mechanism for Common Secure Interoperability (CSI) inbound. Default is true.
- <allowKrbAuthForCsiOutbound>: Optional. It enables the Kerberos authentication mechanism for CSI outbound. Default is true.
The Kerberos configuration file name and Kerberos keytab file name do not have to be absolute paths; WebSphere variables can be used in them instead. In a mixed-platform environment we can use the variable ${CONF_OR_INI} in the Kerberos configuration file name. The security configuration expands it to "ini" on Windows and "conf" on non-Windows platforms. For example:
${WAS_INSTALL_ROOT}\etc\krb5\krb5.${CONF_OR_INI}
The following is an example of the modifyKrbAuthMechanism command:
wsadmin>$AdminTask modifyKrbAuthMechanism { -krb5Realm WSSEC.AUSTIN.IBM.COM -krb5Config C:\\WINNT\\krb5.ini -krb5Keytab C:\\WINNT\\krb5.keytab -serviceName WAS }
Delete Kerberos authentication mechanism
Use the deleteKrbAuthMechanism command to remove the KRB5 authentication mechanism security object field in the security configuration file.
At the wsadmin prompt, enter:
$AdminTask help deleteKrbAuthMechanism
The following is an example of the deleteKrbAuthMechanism command:
wsadmin>$AdminTask deleteKrbAuthMechanism
Set active authentication mechanism
Use the setActiveAuthMechanism command to set the active authentication mechanism attribute in the security configuration.
At the wsadmin prompt, enter:
$AdminTask help setActiveAuthMechanism
The command accepts the following option:
- <authMechanismType>: Optional. It indicates the authentication mechanism type. The default is KRB5.
The following is an example of the setActiveAuthMechanism command:
wsadmin>$AdminTask setActiveAuthMechanism {-authMechanismType KRB5 }
As with the other $AdminTask commands on this page, the change is held in the wsadmin session until we save it with $AdminConfig save.
Related tasks
- Configure security with scripting
- Create a Kerberos configuration file
- Create a Kerberos service principal name and keytab file
- Configure inbound messages
- Configure outbound messages