
Generation of SPNEGO tokens for outbound JAX-WS requests using Client Policy Set Bindings

JAX-WS clients can authenticate using a number of different HTTP transport authentication mechanisms.

In addition to authenticating to service provider applications via WS-Security authentication, JAX-WS clients can authenticate using a number of HTTP transport authentication mechanisms, including the following:

There are 5 different variations for obtaining the Kerberos credentials used for the outbound SPNEGO token:

  1. A token requested using Windows Native credentials. When the WebSphere Java process runs on a Windows system under a userid that has Kerberos credentials, the Windows OS maintains a Kerberos Ticket Granting Ticket (TGT) for that user. The JAX-WS client runtime uses that TGT to request a SPNEGO token for the ServicePrincipalName (SPN) of the target service system.
  2. A token requested using cached Kerberos credentials. On a system where a user has logged in, typically using a tool such as the Java kinit tool, the user's Kerberos credentials are stored in a cache file named krb5cc_<userid>. Alternatively, a keytab file containing the user's key can be created with a tool such as the Microsoft ktpass tool or the Java ktab tool. These files contain a copy of the user's Kerberos key, which can be used to get a Ticket Granting Ticket (TGT) for that userid. The JAX-WS client runtime uses that TGT to request a SPNEGO token for the ServicePrincipalName (SPN) of the target service system. The WebSphere process must be configured to use either the krb5cc_<userid> file or the keytab file, and the UserPrincipalName (UPN) of the cached credential within the file must also be provided.
  3. A token requested using a Kerberos credential obtained with a userid and password. In this scenario, the JAX-WS client runtime connects to the Kerberos Key Distribution Center (KDC) with the supplied userid and password to get a Ticket Granting Ticket (TGT), and then requests the SPNEGO token with that TGT. The JAX-WS client runtime requires the ServicePrincipalName (SPN) for the target service system, and the userid and password.
  4. A token requested using a Kerberos credential that already exists within a Java Subject. The Subject can obtain a Kerberos credential in one of the following ways:
    • The user logged into a web application using inbound SPNEGO web authentication. Only SPNEGO web authentication needs to be configured and enabled in WAS for this option. The Kerberos userid associated with the inbound SPNEGO service must be enabled for full Kerberos delegation.
    • A JAX-WS web service request was received containing a WS-Security Kerberos token. The Kerberos userid associated with the inbound web service request must be enabled for full Kerberos delegation.
    • The user logged in with a userid and password, and WAS is configured for LTPA and Kerberos authentication.
  5. A JAX-WS web service request was received containing a user name token with a password, and WAS is configured for LTPA and Kerberos authentication.

All five of these variations for obtaining the Kerberos credentials used for the outbound SPNEGO token require custom properties to be defined on the HTTP bindings in the client policy set bindings.

Property Name | Value | Comments
--- | --- | ---
com.ibm.websphere.webservices.spnego.enabled | Boolean | Must be set to true to enable any of the SPNEGO authentication options in the JAX-WS client binding runtime.
com.ibm.websphere.webservices.spnegoOutboundSPN | String | Must be set to the Service Principal Name for the web service provider.
com.ibm.websphere.webservices.spnegoLoginMechanism | String | Must be one of GSSUP, native, caller, or keytab.
com.ibm.websphere.webservices.JAASConfigName | String | When spnegoLoginMechanism is set to keytab, this property must be set to the JAAS Login Configuration that identifies the keytab file to be used.
com.ibm.websphere.webservices.spnegoUPN | String | When spnegoLoginMechanism is set to keytab, this property must be set to the User Principal Name of the key within the keytab to be used.
com.ibm.websphere.webservices.spnegoOutboundLifeTime | Integer | If not specified, the SPNEGO token is requested for an infinite lifetime.
com.ibm.websphere.webservices.spnegoOutboundDelegate | Boolean | If true, and the web service SPN account is enabled for delegation, the SPNEGO token sent to the web service can be delegated.

When the spnegoLoginMechanism property is set to GSSUP, the userid and password are obtained from the basic authentication for outbound service requests properties.

When the spnegoLoginMechanism property is set to caller, the Kerberos credential is obtained from the Caller Subject.

When the spnegoLoginMechanism property is set to native, the Kerberos credential is obtained from the Windows operating system.
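The table and the three mechanism notes above define dependencies between the custom properties (keytab needs a JAAS configuration name and a UPN, GSSUP needs the outbound basic-authentication userid and password, and so on). The following is an added example, not code from the page or from WebSphere, of a pre-deployment consistency check over one binding's custom properties. The property names are the ones in the table; the `basic_auth_configured` flag, the case-insensitive comparison of mechanism names, the service/host form check on the SPN, and the sample values are assumptions made for the example.

```python
# Added example: consistency check of the SPNEGO custom properties that are
# defined on the HTTP bindings of a client policy set binding.
# Illustrative code only; it is not part of WebSphere or its tooling.
from typing import Dict, List, Tuple

ENABLED = "com.ibm.websphere.webservices.spnego.enabled"
OUTBOUND_SPN = "com.ibm.websphere.webservices.spnegoOutboundSPN"
LOGIN_MECHANISM = "com.ibm.websphere.webservices.spnegoLoginMechanism"
JAAS_CONFIG_NAME = "com.ibm.websphere.webservices.JAASConfigName"
UPN = "com.ibm.websphere.webservices.spnegoUPN"
LIFETIME = "com.ibm.websphere.webservices.spnegoOutboundLifeTime"
DELEGATE = "com.ibm.websphere.webservices.spnegoOutboundDelegate"

# Mechanisms listed in the table. They are compared case-insensitively here,
# which is an assumption: the page does not say whether the runtime is case-sensitive.
MECHANISMS = {"gssup", "native", "caller", "keytab"}


def check_spnego_binding(props: Dict[str, str],
                         basic_auth_configured: bool = False) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for one binding's custom properties.

    basic_auth_configured (hypothetical input) says whether the binding also
    carries the 'basic authentication for outbound service requests' userid and
    password, which the GSSUP mechanism takes its credentials from.
    """
    errors: List[str] = []
    warnings: List[str] = []

    def get(key: str) -> str:
        return (props.get(key) or "").strip()

    if get(ENABLED).lower() != "true":
        errors.append(f"{ENABLED} must be true; no SPNEGO token will be produced")
        return errors, warnings  # the other properties only matter once enabled

    spn = get(OUTBOUND_SPN)
    if not spn:
        errors.append(f"{OUTBOUND_SPN} must name the web service provider's SPN")
    elif "/" not in spn:
        # SPNs conventionally look like service/host; flag anything else for review
        warnings.append(f"{OUTBOUND_SPN}={spn!r} is not in the usual service/host form")

    mech = get(LOGIN_MECHANISM).lower()
    if mech not in MECHANISMS:
        errors.append(f"{LOGIN_MECHANISM} must be one of GSSUP, native, caller or keytab")
    elif mech == "keytab":
        # keytab login needs the JAAS configuration naming the file and the UPN of the key
        for key in (JAAS_CONFIG_NAME, UPN):
            if not get(key):
                errors.append(f"{key} is required when {LOGIN_MECHANISM} is keytab")
    elif mech == "gssup" and not basic_auth_configured:
        errors.append("GSSUP takes the userid and password from the basic authentication "
                      "for outbound service requests, which is not configured")

    lifetime = get(LIFETIME)
    if lifetime and not (lifetime.isdigit() and int(lifetime) > 0):
        errors.append(f"{LIFETIME} must be a positive integer")
    elif not lifetime:
        warnings.append(f"{LIFETIME} not set: the token is requested with an infinite lifetime")

    delegate = get(DELEGATE).lower()
    if delegate not in ("", "true", "false"):
        errors.append(f"{DELEGATE} must be true or false")
    elif delegate == "true":
        warnings.append("delegation enabled: the provider can act with the caller's Kerberos "
                        "identity, so keep it false unless the provider must call onward")

    return errors, warnings


if __name__ == "__main__":
    # Constructed sample binding (keytab mechanism); values are placeholders.
    sample = {
        ENABLED: "true",
        OUTBOUND_SPN: "HTTP/ws.example.com",
        LOGIN_MECHANISM: "keytab",
        JAAS_CONFIG_NAME: "KeytabClientLogin",
        UPN: "svc-client@EXAMPLE.COM",
    }
    errs, warns = check_spnego_binding(sample)
    print("errors:", errs)
    print("warnings:", warns)
```

Run it against each client binding before promoting a configuration; an empty error list means the properties are mutually consistent, while the warnings point at the two settings (infinite lifetime, delegation) whose defaults or values widen what a captured token can be used for.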

Notes for Native credentials

The Microsoft Kerberos Logon Session credentials cache (MSLSA) relies on the ability to extract the entire Kerberos ticket, including the session key, from the Kerberos Logon Session credentials cache (LSA). In an attempt to increase security, Microsoft has implemented a feature by which the session keys for Ticket Granting Tickets are no longer exported, which makes those tickets useless to the IBM JGSS when it attempts to request further service tickets. This feature has been seen on Windows 2003 Server and later systems. Microsoft provides the following registry key to disable it:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
AllowTGTSessionKey = 0x01 (DWORD)

Requirements in the Kerberos configuration file

The Kerberos configuration file must be correctly configured regardless of which of the variations above is used.

  • How the WebSphere process reaches the Key Distribution Center (KDC) must be properly configured via the [realms] and [domain_realm] stanzas.

  • The encryption types to be used in the [libdefaults] stanza must specify the default_tkt_enctypes and default_tgs_enctypes values.

  • The [libdefaults] stanza must include the following:

    • forwardable = true
    • renewable = true
    • noaddresses = true

  • The [libdefaults] stanza must define a reasonable clockskew value.
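The requirements above can be checked mechanically before the WebSphere process is started. The following is an added example, not code from the page or from WebSphere, that parses a krb5.conf and verifies the [realms], [domain_realm] and [libdefaults] requirements listed above. The sample configuration is constructed for the example (its realm, host names and enctypes are placeholders), and the 300-second ceiling used to judge whether clockskew is "reasonable" is an assumption taken from the common MIT default, not a value the page gives.

```python
# Added example: check a krb5.conf against the requirements listed on the page.
# Illustrative code only; not part of WebSphere, IBM JGSS or MIT Kerberos.
import re
from typing import Dict, List, Tuple

# Constructed sample krb5.conf; realm, hosts and enctypes are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    forwardable = true
    renewable = true
    noaddresses = true
    clockskew = 300

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com:88
        admin_server = kdc.example.com:749
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"""

REQUIRED_TRUE = ("forwardable", "renewable", "noaddresses")
REQUIRED_ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes")
MAX_CLOCKSKEW_SECONDS = 300  # assumption: MIT default; larger values are only warned about


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal krb5.conf parser: {section: {key: value}}.

    Inside [realms], a 'NAME = { ... }' block becomes a nested dict under NAME.
    Comments ('#' or ';') and blank lines are ignored.
    """
    conf: Dict[str, Dict[str, object]] = {}
    section = None   # current [section]
    block = None     # name of the '{ ... }' block currently open, if any
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            conf.setdefault(section, {})
            block = None
            continue
        if section is None:
            continue
        if line == "}":
            block = None
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "{":
            block = key
            conf[section][block] = {}
        elif block is not None:
            conf[section][block][key] = value  # type: ignore[index]
        else:
            conf[section][key] = value
    return conf


def check_krb5_conf(text: str) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for the requirements the page lists."""
    conf = parse_krb5_conf(text)
    errors: List[str] = []
    warnings: List[str] = []
    libdefaults = conf.get("libdefaults", {})

    for key in REQUIRED_ENCTYPE_KEYS:            # encryption types must be explicit
        if not libdefaults.get(key):
            errors.append(f"[libdefaults] must set {key}")
    for key in REQUIRED_TRUE:                    # forwardable, renewable, noaddresses
        if str(libdefaults.get(key, "")).lower() != "true":
            errors.append(f"[libdefaults] must set {key} = true")

    skew = libdefaults.get("clockskew")
    if skew is None:
        errors.append("[libdefaults] must define clockskew")
    elif not str(skew).isdigit():
        errors.append("[libdefaults] clockskew must be an integer number of seconds")
    elif int(str(skew)) > MAX_CLOCKSKEW_SECONDS:
        warnings.append(f"clockskew = {skew} exceeds {MAX_CLOCKSKEW_SECONDS}s; "
                        "a large skew widens the replay window for tickets")

    # reaching the KDC: at least one realm with a kdc entry and a domain-to-realm mapping
    realms = conf.get("realms", {})
    if not any(isinstance(body, dict) and body.get("kdc") for body in realms.values()):
        errors.append("[realms] must define at least one realm with a kdc entry")
    if not conf.get("domain_realm"):
        errors.append("[domain_realm] must map host or domain names to a realm")
    return errors, warnings


if __name__ == "__main__":
    print(check_krb5_conf(SAMPLE_KRB5_CONF))
```

Point `check_krb5_conf` at the file the WebSphere JVM actually reads (the one named by its Kerberos configuration setting), not at a copy; the commonest field problem is a process picking up a different krb5.conf than the one that was audited.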