JGSS and JAAS depend on several configuration and policy files. You need to edit these files to conform to your environment and application. If you do not use JAAS with JGSS, you can safely ignore the JAAS configuration and policy files.
In the following instructions, ${java.home} denotes the path to the location of the version of Java™ that you are using on your server. For example, if you are using J2SDK, version 1.4, ${java.home} is /QIBM/ProdData/Java400/jdk14. Remember to replace ${java.home}in the property settings with the actual path to the Java home directory.
IBM® JGSS requires a Kerberos configuration file. The default name and location of the Kerberos configuration file depends on the operating system being used. JGSS uses the following order to search for the default configuration file:
The use of the JAAS login feature requires a JAAS configuration file. You can specify the JAAS configuration file by setting one of the following properties:
For more information, see the Sun Java Authentication and Authorization Service (JAAS) Web site.
When using the default policy implementation, JGSS grants JAAS permissions to entities by recording the permissions in a policy file. You can specify the JAAS policy file by setting one of the following properties:
If you are using J2SDK, version 1.4 or a subsequent release, specifying a separate policy file for JAAS is optional. The default policy provider in J2SDK, version 1.4 and above supports the policy file entries that JAAS requires.
For more information, see the Sun Java Authentication and Authorization Service (JAAS) Web site.
A Java virtual machine (JVM) uses many important security properties that you set by editing the Java master security properties file. This file, named java.security, usually resides in the ${java.home}/lib/security directory on your server.
The following list describes several relevant security properties for using JGSS. Use the descriptions as a guide for editing the java.security file.
When applicable, the descriptions include appropriate values required to run the JGSS samples.
security.provider.<integer>: The JGSS provider that you want to use. Also statically registers cryptographic provider classes. IBM JGSS uses cryptographic and other security services provided by the IBM JCE Provider. Specify the sun.security.provider.Sun and com.ibm.crypto.provider.IBMJCE packages exactly like the following example:
security.provider.1=sun.security.provider.Sun security.provider.2=com.ibm.crypto.provider.IBMJCE
policy.provider: System policy handler class. For example:
policy.provider=sun.security.provider.PolicyFile
policy.url.<integer>: URLs of policy files. To use the sample policy file, include an entry such as:
policy.url.1=file:/home/user/jgss/config/java.policy
login.configuration.provider: JAAS login configuration handler class, for example:
login.configuration.provider=com.ibm.security.auth.login.ConfigFile
auth.policy.provider: JAAS principal-based access control policy handler class, for example:
auth.policy.provider=com.ibm.security.auth.PolicyFile
login.config.url.<integer>: URLs for JAAS login configuration files. To use the sample configuration file, include an entry similar to:
login.config.url.1=file:/home/user/jgss/config/jaas.conf
auth.policy.url.<integer>: URLs for JAAS policy files. You can include both principal-based and CodeSource-based constructs in the JAAS policy file. To use the sample policy file, include an entry such as:
auth.policy.url.1=file:/home/user/jgss/config/jaas.policy
A user principal keeps its Kerberos credentials in a credentials cache. A service principal keeps its secret key in a key table. At runtime, IBM JGSS locates these caches in the following ways:
User credentials cache
JGSS uses the following order to locate the user credentials cache:
Server key table
JGSS uses the following order to locate the server key table file:
Related concepts
Obtaining Kerberos credentials and creating secret keys The Kinit and Ktab tools JAAS Kerberos login interface