Set up Kerberos as the authentication mechanism for WAS
Setting up the Kerberos authentication mechanism on the server side must be done by the system administrator, and on the Java client side by end users. The Kerberos krb5.keytab file must be protected.
- Configure a key distribution center (KDC).
- Create a Kerberos service principal name and krb5.keytab
- Create a Kerberos service principal name and krb5.keytab file. Kerberos prefers servers and services to have a host-based service ID. The format of this ID is...
<service name>/<fully qualified hostname>
The default service name is WAS. For Kerberos authentication, the service name can be any string allowed by the KDC. However, for SPNEGO web authentication, the service name must be HTTP. An example of a WAS ID is...
WAS/myhost.mpls.myco.com
Each host must have a server ID unique to the host name. All processes on the same node share the same host-based service ID.
A Kerberos administrator creates a Kerberos service principal name (SPN) for each node in the WebSphere cell. For example, for a cell with three nodes (such as server1.mpls.myco.com, server2.mpls.myco.com and server3.mpls.myco.com), the Kerberos administrator must create the following Kerberos service principals:
- WAS/server1.mpls.myco.com
- WAS/server2.mpls.myco.com
- WAS/server3.mpls.myco.com
The Kerberos krb5.keytab file contains all of the SPNs for the node and must be protected. This file can be placed in the config/cells/cell directory.
- Create a Kerberos configuration file
- The IBM implementation of the Java Generic Security Service (JGSS) and KRB5 require a Kerberos configuration file krb5.conf or krb5.ini on each node or Java virtual machine (JVM). In this release of WAS, this configuration file should be placed in the directory...
config/cells/cell
...so that all application servers can access this file. If we do not have a Kerberos configuration file, use a wsadmin command to create one.
- Configure Kerberos as the authentication mechanism for WAS using the administrative console
- Use the administrative console to configure Kerberos as the authentication mechanism for the application server. Once the required information has been entered and applied to the configuration, the Kerberos service principal name is formed as...
<service name>/<fully qualified hostname>@KerberosRealm
...and is used to verify incoming Kerberos token requests.
- Map a client Kerberos principal name to the WebSphere user registry ID
- We can map the Kerberos client principal name to the WebSphere user registry ID for both Simple and Protected GSS-API Negotiation (SPNEGO) web authentication and Kerberos authentication.
- Set up Kerberos as the authentication mechanism for the pure Java client (optional)
- A Java client can authenticate with WAS using a Kerberos principal name and password, or with the Kerberos credential cache (krb5Ccache).
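The steps above leave an administrator with two things worth verifying before enabling the mechanism: that the krb5.keytab placed under config/cells/cell really contains one host-based SPN per node in the form <service name>/<fully qualified hostname>@KerberosRealm, and that the file is not world- or group-readable. The following script is an added example, not IBM's code or a WAS tool; it derives the expected SPNs for the page's three sample nodes, reads the keytab using the standard MIT keytab file layout (version 0x0502, an assumption about the file the JGSS runtime consumes), reports any SPN that is missing, and shows the simple realm-stripping mapping from a client principal to a registry ID. The helper names, the constructed in-memory keytab and the realm MYCO.COM are all hypothetical.

```python
"""Added example (not IBM's code): check a krb5.keytab against the SPNs a
WebSphere cell needs, and map client principals to registry IDs.

Assumes the MIT keytab file format (version 0x0502); the sample keytab is
constructed in memory so the script runs offline."""
import struct

DEFAULT_SERVICE = "WAS"  # page default; SPNEGO web authentication needs "HTTP"


def build_spns(hosts, service=DEFAULT_SERVICE):
    """One host-based SPN per node: <service>/<fully qualified hostname>."""
    return [f"{service}/{h.lower()}" for h in hosts]


def full_principal(spn, realm):
    """<service>/<fqdn>@REALM, the form the admin console produces."""
    return f"{spn}@{realm.upper()}"


def registry_id_from_principal(principal, expected_realm):
    """Map user@REALM to the registry ID 'user'; refuse foreign realms
    instead of silently mapping a principal from another realm."""
    name, sep, realm = principal.rpartition("@")
    if not sep or realm.upper() != expected_realm.upper():
        raise ValueError(f"unexpected realm in principal {principal!r}")
    return name


# --- minimal keytab writer (for the constructed sample) and reader ---
def _cstr(b):
    return struct.pack(">H", len(b)) + b          # counted octet string


def _read_cstr(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def build_keytab(principals, key=b"\x00" * 16, enctype=17, kvno=2):
    """Serialise principals as a version-2 keytab (dummy key material)."""
    out = b"\x05\x02"
    for p in principals:
        name, realm = p.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        for c in comps:
            body += _cstr(c.encode())
        # name_type = 1 (NT-PRINCIPAL), timestamp, 8-bit kvno
        body += struct.pack(">IIB", 1, 0, kvno)
        body += struct.pack(">H", enctype) + _cstr(key)   # keyblock
        out += struct.pack(">i", len(body)) + body        # entry size prefix
    return out


def keytab_principals(data):
    """Return [(principal, enctype, kvno)] for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    off, found = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:          # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _read_cstr(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _read_cstr(data, off)
            comps.append(c.decode())
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        _key, off = _read_cstr(data, off)
        kvno = vno8
        if end - off >= 4:    # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, off)
            kvno = kvno32 or vno8
        found.append(("/".join(comps) + "@" + realm.decode(), enctype, kvno))
        off = end
    return found


def missing_spns(keytab_bytes, hosts, realm, service=DEFAULT_SERVICE):
    """Expected SPNs for the cell that the keytab does not contain."""
    present = {p for p, _, _ in keytab_principals(keytab_bytes)}
    expected = [full_principal(s, realm) for s in build_spns(hosts, service)]
    return [p for p in expected if p not in present]


def keytab_mode_ok(mode):
    """True when no group/other permission bits are set (e.g. 0o600)."""
    return (mode & 0o077) == 0


def sample_check():
    """Constructed scenario: keytab holds only two of the three node SPNs."""
    hosts = ["server1.mpls.myco.com", "server2.mpls.myco.com",
             "server3.mpls.myco.com"]
    kt = build_keytab([full_principal(s, "MYCO.COM")
                       for s in build_spns(hosts[:2])])
    return missing_spns(kt, hosts, "MYCO.COM")


if __name__ == "__main__":
    print("missing:", sample_check())
```

Against a real deployment, replace the constructed keytab with `open(path, "rb").read()` and pass `os.stat(path).st_mode` to `keytab_mode_ok`; a non-empty missing list or a failed mode check is the cell-level misconfiguration to fix before enabling Kerberos in the console.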
See also
- Create a Kerberos service principal name and krb5.keytab
- Create a Kerberos configuration file
- Configure Kerberos as the authentication mechanism
- Map a client Kerberos principal name to the WebSphere user registry ID
- Configure a Java client for Kerberos authentication
- Authenticating users
- Configure CSIv2 inbound and outbound communication settings
- Configure SPNEGO web authentication
- Kerberos authentication commands
- SPNEGO web authentication configuration commands
- Use the ktab command to manage the Kerberos krb5.keytab
- Kerberos: The Network Authentication Protocol