Configuring your platform to use Kerberos


The intelligent agent platform uses Kerberos principals to authenticate users and services throughout the agent platform. The Kerberos protocol, developed at the Massachusetts Institute of Technology, allows a principal (a user or a service) to prove its identity to another service over an insecure network without sending its password across that network.

Authentication of principals is completed through a centralized server called a key distribution center (KDC). The KDC verifies a principal's credentials and issues it Kerberos tickets; a ticket proves the principal's identity to another service in the network. Once a principal has presented a ticket to a target service, the two share a session key and can exchange encrypted data.

The platform uses Kerberos to authenticate user sign-on and initial platform startup. To use Kerberos to secure your platform, either find an existing KDC, or create a working KDC that all parts of the platform use. Every system running a piece of the platform and every PC running a console that connects to this platform must be configured to use this same KDC. You need to list in the ableplatform.preferences file every Kerberos principal that the platform uses to authenticate users and services. Each platform Java™ Virtual Machine (agent pool) has a service principal associated with it, and each user logging onto the platform from a console needs a user principal. All of these principals must also be added to the KDC; a principal that is listed in ableplatform.preferences but not registered with the KDC cannot authenticate.

  1. Find or create a usable Kerberos key distribution center (KDC).

The agent platform does not require the KDC to run on i5/OS®. A KDC running on any platform will work. If you cannot find an existing KDC to use, you can create your own. In V5R3 or later, i5/OS supports a Kerberos server in i5/OS PASE, which you can configure and manage from your iSeries™ system. To configure a Kerberos server in i5/OS PASE, complete the following steps:

    1. In a character-based interface, type call QP2TERM. This command opens an interactive shell environment that allows you to work with i5/OS PASE applications.

2. At the command line, enter export PATH=$PATH:/usr/krb5/sbin. This adds the directory containing the Kerberos server scripts and executables to your search path for the rest of the session.

3. At the command line, enter config.krb5 -S -d iseriesa.myco.com -r MYCO.COM. This command updates the krb5.config file with the domain name and realm for the Kerberos server, creates the Kerberos database within the integrated file system, and configures the Kerberos server in i5/OS PASE. You are prompted for a database master password and for a password for the admin/admin principal, which is used to administer the Kerberos server. Both passwords protect the entire realm (the master password encrypts every key in the database, and admin/admin can create or reset any principal), so choose them accordingly and do not reuse them for other principals.

    4. At the command line, enter /usr/krb5/sbin/start.krb5 to start the servers.

  2. Configure systems in your agent environment to use Kerberos.

    After you create a Kerberos server (KDC), you need to individually configure each client PC that will attempt to connect to the secure platform, and each system in your agent platform to point to your Kerberos server (KDC).

  3. Acquire Kerberos user and service principals.

    After you configure a KDC, you need to create the user and service principals you plan to use to secure the platform, and register these principals to the KDC:

    Service principals:

Each agent pool (JVM) defined in the ableplatform.preferences file must have a service principal associated with it. Service principals are specific to the system that they run on, so they must include that system's fully qualified host name and be in the following format: ServicePrincipalName/systemName@KDCRealm. All of the agent pools on the platform can use the same service principal, or you can specify that each pool use its own service principal. If your agent pools have different authority levels, use a different principal for each authority level: a pool that holds the key of a shared principal can authenticate as any other pool using that principal, so sharing a principal across authority levels defeats the separation between them.

    User principals:

Each user that you want to allow to connect to the secure platform through the console needs a user principal. User principals can be associated with each agent definition listed in the ableplatform.preferences file. A user principal can connect to a platform from the console regardless of the system the console is running on, so a user principal only needs to include the principal name and the KDC realm that the principal belongs to: UserPrincipalName@KDCRealm.

    You need to add a principal to the KDC for each service and user principal that your platform uses. To add your principals to your KDC if you are using the integrated KDC on the server, follow these steps:

    1. In a character-based interface, type call QP2TERM.
    2. At the command line, enter export PATH=$PATH:/usr/krb5/sbin. This command points to the Kerberos scripts that are necessary to run the executable files.
3. At the command line, type kadmin -p admin/admin, and press Enter.
4. Sign in with the admin/admin password that you set when you configured the Kerberos server.
5. Enter the following at the kadmin command line:

• To add service principals for pools running on a system (replace servicePrincipalName, the fully qualified host name and REALM with your own values; secret is the placeholder password used throughout this topic):

        addprinc -pw secret servicePrincipalName/fully.qualified.host.name@REALM

        Passing the password with -pw places it in the shell history of the session. If you omit -pw, kadmin prompts for the password instead. Whichever you choose, remember the password: the same value is needed in step 4 to add the principal to the keytab file.

• To add user principals (the realm is appended automatically when it is omitted):

        addprinc -pw secret jonesm

        This creates a principal for a user to log in from a console.

• To add service principals for pools running on a PC:

        addprinc -requires_preauth -e des-cbc-crc:normal -pw secret host/pc1.myco.com

        The -e des-cbc-crc:normal option restricts the principal to the single-DES encryption type, which some older PC Kerberos clients require. Single DES is a weak cipher (a 56-bit key that can be brute-forced), so use it only when the client cannot negotiate anything stronger, and keep -requires_preauth so that an attacker cannot obtain ticket material for the principal without first proving knowledge of its key.

For more information on adding principals to your KDC, see the related tasks at the end of this topic.

  4. Add service principals to each keytab file.

When you start up a secure platform, each agent pool authenticates itself with the service principal that it was defined to start with. This requires each pool JVM to have access to valid Kerberos credentials for that principal. The i5/OS Start Agent Services (STRAGTSRV) command obtains these credentials for the pool, as long as there is an entry in the keytab file for the principal that is being used.

    To add an entry to the keytab file for each service principal when you are running the integrated KDC on a system, do the following:

    1. In a character-based interface, type STRQSH. This command starts the qsh shell interpreter.

2. Enter the following command, where ServicePrincipal is the name of the service principal you want to add, system@KDCRealm is the fully qualified system name and Kerberos realm, and thePassword is the password you gave that principal when you added it to the KDC:

        keytab add ServicePrincipal/system@KDCRealm -p thePassword

        The keytab entry is a long-term key derived from this password, so the password must match the one registered in the KDC exactly; otherwise the pool fails to authenticate at startup. Because the keytab file holds the equivalent of each service principal's password, restrict it to the profile that runs STRAGTSRV and do not copy it to other systems.

After you set up your KDC and create your user and service principals, you need to configure security in your ableplatform.preferences file.


Parent topic:

Securing your agent environment
Related tasks:

Configure a Kerberos server in i5/OS PASE
Configure network authentication
Configuring platform security