
Configure the Kerberos token for Web Services Security

Use this topic to configure the Kerberos token for message-level Web Services Security.

Before using Kerberos with Web Services Security, configure Kerberos in IBM WebSphere Application Server. We do not need to enable Kerberos as the authentication mechanism. However, the Kerberos configuration file, krb5.conf or krb5.ini, and the Kerberos keytab file, krb5.keytab, are required.

The initial setup and configuration processes to use Kerberos with Web Services Security are identical to the configuration processes for using Kerberos with the security function. Therefore, we must set up and configure Kerberos before continuing with the steps in this topic.

The Kerberos (KRB5) authentication mechanism support for security topic provides an overview of the Kerberos functionality and provides the initial steps for setting up and configuring Kerberos for authentication purposes. Within that topic, complete the steps in the section Set up Kerberos as the authentication mechanism for WAS. Use that topic to configure Kerberos, the service principal, and the keytab files. In addition, that topic references the process for configuring Kerberos as the authentication mechanism using the administrative console or commands. We can also find information on how to set up Kerberos when the Key Distribution Center (KDC) and the Application Server do not use the same user registry.
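Because the keytab and the service principal are prerequisites for everything that follows, a pre-flight check on the keytab is worth running first. The Python below is an added example, not IBM's code or part of the product: it parses a keytab, assuming the MIT file format 0x0502, and reports whether a given service principal has a key and whether any of its keys use a deprecated encryption type. The principal name, realm and sample bytes are constructed.

```python
import struct

# Enctypes deprecated by RFC 6649 (DES) and RFC 8429 (3DES, RC4).
DEPRECATED = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac"}

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from an MIT keytab, file format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        rec, off = data[pos + 4:pos + 4 + max(size, 0)], 2
        pos += 4 + abs(size)           # a negative size marks a deleted entry
        if size <= 0:
            continue
        def counted():                 # uint16 length, then that many bytes
            nonlocal off
            (n,) = struct.unpack_from(">H", rec, off)
            off += 2 + n
            return rec[off - n:off]
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm = counted().decode()
        name = "/".join(counted().decode() for _ in range(ncomp))
        _, _, kvno, etype = struct.unpack_from(">IIBH", rec, off)  # name type, time
        off += 11
        counted()                      # key bytes: skipped, never printed
        if len(rec) - off >= 4:        # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append((f"{name}@{realm}", kvno, etype))
    return entries

def check_keytab(data, principal):     # findings for one service principal
    mine = [e for e in parse_keytab(data) if e[0] == principal]
    if not mine:
        return [f"{principal}: no key in keytab"]
    return [f"{p} kvno {k}: deprecated enctype {DEPRECATED[t]}"
            for p, k, t in mine if t in DEPRECATED]

def make_entry(realm, comps, kvno, etype, key):    # builds the constructed sample
    s = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", len(comps)) + s(realm) + b"".join(map(s, comps))
            + struct.pack(">IIBH", 1, 0, kvno, etype) + s(key))
    return struct.pack(">i", len(body)) + body

SPN = [b"WAS", b"host1.example.com"]   # constructed sample: made-up principal
SAMPLE = (b"\x05\x02" + make_entry(b"EXAMPLE.COM", SPN, 2, 18, bytes(32))
          + make_entry(b"EXAMPLE.COM", SPN, 2, 23, bytes(16)))
if __name__ == "__main__":
    print(check_keytab(SAMPLE, "WAS/host1.example.com@EXAMPLE.COM"))
```

To check a real file, pass `open(path, "rb").read()` as `data`; an empty result means the principal has a key and none of its enctypes is in the deprecated set.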

The Kerberos token for JAX-WS applications is configured using policy sets and bindings. The JAX-WS application is attached with a custom policy and the Kerberos token is configured as a message protection token or an authentication token.

The implemented Kerberos functionality for Web Services Security also leverages existing tools and frameworks for the Kerberos token profile configuration for authentication and message protection. The support for Kerberos with Web Services Security in the product is based on the OASIS Web Services Security Kerberos Token Profile 1.1 specification.


Configure Kerberos with Web Services Security

  1. Enable the Kerberos token profile for JAX-WS applications.

    The JAX-WS application is attached with a custom policy that has a Kerberos token, which is configured with a message protection token or an authentication token. See Configure the Kerberos token policy set for JAX-WS applications.

  2. Select the customized Kerberos token type. We can define key bindings for request message protection and response message protection. Use the key type, such as the key identifier or security token reference, for the outbound key information. If we use a derived key, use a security token reference in both the outbound and inbound key information. If we use a Kerberos session key, we can use a security token reference in the outbound key information and a key identifier in the inbound key information for the client bindings. Then, use a key identifier in the outbound key information and a security token reference in the inbound key information for the provider bindings.

  3. Select the customized Kerberos token types for the token generator or token consumer.

  4. Configure the bindings for Kerberos message protection for JAX-WS applications. See Configure the bindings for message protection for Kerberos.


What to do next

Using this task, we have configured the Kerberos token for WAS.


Related:

  • Kerberos token
  • Kerberos (KRB5) authentication mechanism support for security
  • Configure Kerberos as the authentication mechanism
  • Web Services Security Kerberos Binding specification
  • Web Services Security Kerberos Token Profile specification