Kerberos token capabilities for extraction and propagation

This topic describes integration node capability for extraction, propagation, or both using a Kerberos token in web services.

Kerberos tickets from SOAP nodes are not supported for token extraction and propagation with an external Security Token Service (STS) configured in the security profile.

On the Inbound route, with SOAPInput and SOAPAsyncResponse nodes, the presence of a security profile with propagation enabled causes the Kerberos Service Principal Name (SPN) to be placed in the properties tree as a Username token.

On the Outbound route, with SOAPRequest and SOAPAsyncRequest nodes, identity propagation can be used to provide the Kerberos Key Distribution Center (KDC) credentials. Arrange for the KDC credentials to be set as a Username and password token in the properties tree and associate the SOAP node with a security profile that specifies propagation; otherwise the KDC credentials are obtained using the Kerberos resource credentials that are created using the mqsisetdbparms command.