Kerberos Client and Server Principals - How they are used in various actions in WebSphere DataPower

Overview of client and server principals

The client and server principals typically refer to the signer/encryptor and the verifier/decryptor of the message, respectively. This article gives an overview of the terminology and of how these principals are referred to in the various actions of WebSphere DataPower SOA appliances.


Krithika Prakash (krithika@ca.ibm.com), Software Engineer, IBM  

Krithika is a Software Engineer with a total of seven years of experience in the IT industry. She specializes in software development in the areas of networking, security, Web services security, and XML/XSLT technologies. After working for Novell Inc. for 4 years, Krithika joined IBM as an L3 specialist for WebSphere DataPower. She currently works as a developer in the Security team of WebSphere DataPower.



16 November 2009

Introduction

Understanding the terminology used within the Kerberos world can be challenging, especially when the same verbiage is used in various places to denote different things for different configurations. This article describes the terms "client principal" and "server principal", how they are used in the various actions in WebSphere DataPower, and what they mean when they appear in the policy parameter set of a WebSphere DataPower Web services proxy.


Kerberos client and server principals – terminology

  • Server principal - the verifier principal (when used in verify/sign) or the decryptor principal (when used in encrypt/decrypt)
  • Client principal - the signer principal (when used in verify/sign) or the encryptor principal (when used in encrypt/decrypt)

General concepts of Kerberos tokens

When the client signs a message and generates an AP-REQ token, the token names both the signer (who the client is) and the verifier it is being sent to. Only the verifier named in the token can verify the message.

When the server (the verifier) receives the AP-REQ, it verifies the message using its keytab file.


WebSphere DataPower implementation

Verify Action

WebSphere DataPower (the server in this example) verifies the AP-REQ token and additionally checks that the "signer principal" configured in the verify action is the same as the signer of the message; if it is not, the message is rejected. This check is also available in the verify actions generated by the security policy.

Sign Action

When configured to use the Kerberos session key, WebSphere DataPower does not generate a new AP-REQ. Instead it generates an APREQSHA1 reference: the SHA-1 of the Kerberos token, which is one of the secure ways defined by the specifications to pass Kerberos tokens. The configured "verifier" principal is not used here.
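The APREQSHA1 reference described above, as an added example that is not part of the original article or of DataPower's own code. It models the two shapes a Kerberos token takes in a WS-Security header: the full AP-REQ in a BinarySecurityToken on the first message, and the SHA-1 key identifier on later messages signed with the session key, together with the verifier-side cache that turns such an identifier back into a session key. The ValueType and EncodingType URIs are taken from the OASIS WS-Security Kerberos Token Profile 1.1 (an assumption on my part, since the article does not cite the profile); the AP-REQ bytes and session key are constructed placeholders, not real Kerberos material, and the `SessionKeyCache` and `extract_identifier` helpers are illustrative names I introduce here.

```python
import base64
import hashlib
from typing import Dict, Optional

# ValueType / EncodingType URIs as defined in the OASIS WS-Security Kerberos Token
# Profile 1.1 (assumption: the article does not cite the profile; quoted from it here).
KRB_PROFILE = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1"
VT_AP_REQ = KRB_PROFILE + "#GSS_Kerberosv5_AP_REQ"
VT_AP_REQ_SHA1 = KRB_PROFILE + "#Kerberosv5APREQSHA1"
ENC_BASE64 = ("http://docs.oasis-open.org/wss/2004/01/"
              "oasis-200401-wss-soap-message-security-1.0#Base64Binary")


def apreq_sha1(ap_req: bytes) -> str:
    """The APREQSHA1 identifier: base64 of the SHA-1 digest over the raw AP-REQ octets."""
    return base64.b64encode(hashlib.sha1(ap_req).digest()).decode("ascii")


def binary_security_token(ap_req: bytes, wsu_id: str = "KerbToken") -> str:
    """First message of an exchange: the whole AP-REQ travels in a BinarySecurityToken
    so the verifier can check it against its keytab and learn the session key."""
    return (f'<wsse:BinarySecurityToken wsu:Id="{wsu_id}" ValueType="{VT_AP_REQ}" '
            f'EncodingType="{ENC_BASE64}">'
            f'{base64.b64encode(ap_req).decode("ascii")}</wsse:BinarySecurityToken>')


def apreq_sha1_reference(ap_req: bytes) -> str:
    """Later messages signed with the session key: the AP-REQ is not re-sent, only
    its SHA-1 is carried in a KeyIdentifier. No principal appears in the reference."""
    return (f'<wsse:SecurityTokenReference><wsse:KeyIdentifier ValueType="{VT_AP_REQ_SHA1}" '
            f'EncodingType="{ENC_BASE64}">{apreq_sha1(ap_req)}'
            f'</wsse:KeyIdentifier></wsse:SecurityTokenReference>')


class SessionKeyCache:
    """Verifier-side table mapping APREQSHA1 -> session key (illustrative helper).

    An entry is added only when a full AP-REQ has been received and verified, so a
    reference to a token the verifier never saw resolves to nothing."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def accept_ap_req(self, ap_req: bytes, session_key: bytes) -> str:
        identifier = apreq_sha1(ap_req)
        self._keys[identifier] = session_key
        return identifier

    def resolve(self, identifier: str) -> Optional[bytes]:
        return self._keys.get(identifier)


def extract_identifier(reference_xml: str) -> Optional[str]:
    """Pull the base64 identifier out of an APREQSHA1 KeyIdentifier (plain string scan,
    enough for the single-element fragments built above)."""
    if VT_AP_REQ_SHA1 not in reference_xml:
        return None
    marker = f'EncodingType="{ENC_BASE64}">'
    start = reference_xml.index(marker) + len(marker)
    end = reference_xml.index("</wsse:KeyIdentifier>", start)
    return reference_xml[start:end]


# Constructed sample values; not real Kerberos material.
SAMPLE_AP_REQ = b"constructed AP-REQ octets for Administrator@WPS.CSUPPORT.COM"
SAMPLE_SESSION_KEY = bytes(range(16))


def demo() -> bool:
    """Walk the exchange: accept the full token once, then resolve a SHA-1 reference."""
    cache = SessionKeyCache()
    cache.accept_ap_req(SAMPLE_AP_REQ, SAMPLE_SESSION_KEY)
    identifier = extract_identifier(apreq_sha1_reference(SAMPLE_AP_REQ))
    resolved = cache.resolve(identifier) if identifier else None
    unknown = cache.resolve(apreq_sha1(b"AP-REQ the verifier never saw"))
    return resolved == SAMPLE_SESSION_KEY and unknown is None


if __name__ == "__main__":
    print("session key resolved via APREQSHA1:", demo())
```

Because the reference carries only a digest, the verifier's lookup is keyed on the hash alone, which is why the configured verifier principal plays no part in this action; an identifier the verifier never registered resolves to nothing and the message cannot be verified.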

Policy parameters in Security policy

The policy parameters 'Kerberos server principal' and 'Kerberos client principal' are used as the "verifier" and "signer" of the verify actions generated by the policy. For the sign actions generated in the response rule, the client and server principal values are interchanged.

If you enable the probe, you can view the actions generated by the policy; the tool tip for the sign and verify actions shows the client and server principals used by that action.

For example, although the following is specified in the policy parameter set, the sign action is generated with the client and server principals automatically interchanged, as you can see in Figure 1.

In the policy parameter set:

Client principal: Administrator@WPS.CSUPPORT.COM
Server principal: HOST/9.33.96.220:2052@WPS.CUSPPORT.COM

Figure 1. Client and server principals interchanged in the sign action generated in the response rule by the policy (image not reproduced)
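To make the mapping concrete, here is an added Python model, not the article's own code and not DataPower's, of how the two policy parameters become the signer and verifier of a request-rule verify action and a response-rule sign action, together with the extra signer-principal comparison from the "Verify Action" section. The `PolicyParameters`, `KerberosAction`, `ApReq` and `Keytab` types are simplifications I introduce for illustration; the principal strings are the ones from the policy parameter set above. The request/response interchange is applied to all four crypto action kinds, which goes slightly beyond the sign/verify case in the figure, in line with the conclusion that the same behaviour holds for encrypt and decrypt.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical types introduced for this illustration; they are not DataPower APIs.


@dataclass(frozen=True)
class PolicyParameters:
    """The two principals as entered in the Web services proxy's policy parameter set."""
    kerberos_client_principal: str
    kerberos_server_principal: str


@dataclass(frozen=True)
class KerberosAction:
    """A crypto action generated by the security policy.

    'signer' holds the client-side principal (signer for sign/verify, encryptor for
    encrypt/decrypt); 'verifier' holds the server-side one (verifier / decryptor)."""
    kind: str      # "sign", "verify", "encrypt" or "decrypt"
    rule: str      # "request" or "response"
    signer: str
    verifier: str


ACTION_KINDS = ("sign", "verify", "encrypt", "decrypt")


def generate_action(params: PolicyParameters, kind: str, rule: str) -> KerberosAction:
    """Map the policy parameters onto one generated action.

    Request rule: client principal -> signer, server principal -> verifier.
    Response rule: the two values are interchanged, because on the response the
    appliance produces the token and the remote client is the party that verifies."""
    if kind not in ACTION_KINDS:
        raise ValueError(f"unknown action kind {kind!r}")
    if rule == "request":
        return KerberosAction(kind, rule,
                              signer=params.kerberos_client_principal,
                              verifier=params.kerberos_server_principal)
    if rule == "response":
        return KerberosAction(kind, rule,
                              signer=params.kerberos_server_principal,
                              verifier=params.kerberos_client_principal)
    raise ValueError(f"unknown rule {rule!r}")


@dataclass(frozen=True)
class ApReq:
    """The two principals an AP-REQ carries: who the client is, and which service
    the ticket was issued for (only that service can verify the token)."""
    client_principal: str
    server_principal: str


class Keytab:
    """The service principals whose long-term keys this verifier holds."""

    def __init__(self, *principals: str) -> None:
        self._principals = frozenset(principals)

    def has(self, principal: str) -> bool:
        return principal in self._principals


def verify_action(token: ApReq, action: KerberosAction, keytab: Keytab) -> Optional[str]:
    """Return None if the token is accepted, otherwise the reason for rejection.

    Step 1 is ordinary Kerberos: the AP-REQ can only be verified by the service it
    names, i.e. one whose key is in the keytab. Step 2 is the additional DataPower
    comparison: the configured signer principal must equal the token's client."""
    if action.kind != "verify":
        raise ValueError("verify_action() only applies to verify actions")
    if not keytab.has(token.server_principal):
        return f"no keytab entry for {token.server_principal}; cannot verify this AP-REQ"
    if token.client_principal != action.signer:
        return (f"signer mismatch: token client {token.client_principal} != "
                f"configured signer principal {action.signer}")
    return None


# Values from the article's policy parameter set.
PARAMS = PolicyParameters(
    kerberos_client_principal="Administrator@WPS.CSUPPORT.COM",
    kerberos_server_principal="HOST/9.33.96.220:2052@WPS.CUSPPORT.COM",
)


def demo() -> dict:
    """Show the mapping for both rules and run the verify check on two constructed tokens."""
    request_verify = generate_action(PARAMS, "verify", "request")
    response_sign = generate_action(PARAMS, "sign", "response")
    keytab = Keytab(PARAMS.kerberos_server_principal)
    expected = ApReq(PARAMS.kerberos_client_principal, PARAMS.kerberos_server_principal)
    wrong_client = ApReq("Guest@WPS.CSUPPORT.COM", PARAMS.kerberos_server_principal)
    return {
        "request_verify": (request_verify.signer, request_verify.verifier),
        "response_sign": (response_sign.signer, response_sign.verifier),
        "expected_token": verify_action(expected, request_verify, keytab),
        "wrong_client": verify_action(wrong_client, request_verify, keytab),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` prints the request-rule verify action with the client principal as signer and the server principal as verifier, the response-rule sign action with the two swapped, an accepted token for the expected client, and a rejection message for a token whose client does not match the configured signer principal.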

Conclusion

The behavior explained above holds true for the other crypto actions as well (encrypt, verify and decrypt). Once we become familiar with the terms used in the various places, understanding the data flow becomes much simpler; the same is true for Kerberos. This article consolidates the various places in which the client and server principals are referred to within WebSphere DataPower. With this knowledge, and with the help of the probe, it is easy to identify which values of the configured policy parameters are used by the crypto actions generated by the security policy.

Published on IBM developerWorks (SOA and web services, WebSphere zone), article ID 445232, 16 November 2009.