Kerberos Requirements
You must have the Kerberos infrastructure set up in your deployment environment before you can use the Kerberos cipher suites with JSSE. In particular, both the TLS client and the TLS server must have accounts set up with the Kerberos Key Distribution Center (KDC). At run time, if one or more of the Kerberos cipher suites have been enabled, the TLS client and server each acquire from the KDC the Kerberos credentials associated with their respective accounts. For example, a TLS server running on the machine mach1.imc.org in the Kerberos realm IMC.ORG must have an account with the name host/mach1.imc.org@IMC.ORG and must be configured to use the KDC for IMC.ORG. See the Kerberos Requirements document for information about using Kerberos with the SDK.
An application can acquire its Kerberos credentials by using the Java™ Authentication and Authorization Service (JAAS) and a Kerberos login module. SDK Version 8 Development Kit comes with a Kerberos login module. You can use the Kerberos cipher suites with JSSE with or without JAAS programming, in the same way that you can use the Java Generic Security Services (Java GSS) with or without JAAS programming.
To use the Kerberos cipher suites without JAAS programming, you must use the index name com.ibm.net.ssl.server (or the JAAS fallback entry other) for the TLS server JAAS configuration entry and com.ibm.net.ssl.client (or other) for the TLS client, because JSSE itself performs the login by looking up those entries. For example, a TLS server that is not using JAAS programming might have the following JAAS configuration file.
com.ibm.net.ssl.server {
    com.ibm.security.auth.module.Krb5LoginModule required
        principal="host/mach1.imc.org@IMC.ORG"
        useKeyTab=true
        keyTab=mach1.keytab
        storeKey=true;
};
An example of how to use Java GSS and Kerberos without JAAS programming is described in the Java GSS Tutorial. You can adapt it to use JSSE by replacing the Java GSS calls with JSSE calls.
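The following TLS server shows the non-JAAS-programming path end to end. It is an added example for this page, not code from the SDK or from the Java GSS Tutorial: the class name, the port, the path of the JAAS configuration file and the echo protocol are assumptions. It relies only on the com.ibm.net.ssl.server entry shown above; the application never creates a LoginContext, and JSSE acquires the acceptor credentials for host/mach1.imc.org@IMC.ORG during the first handshake.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;

/*
 * TLS server using Kerberos cipher suites with no JAAS programming.
 * Start it with the JAAS configuration file that contains the
 * com.ibm.net.ssl.server entry and let JSSE perform the login itself:
 *
 *   java -Djava.security.auth.login.config=/etc/jsse_krb5.conf \
 *        -Djavax.security.auth.useSubjectCredsOnly=false \
 *        KrbTlsServer 4433
 *
 * The configuration path and the port are assumptions for this example.
 */
public class KrbTlsServer {

    // Kerberos cipher suite names as JSSE reports them (RFC 2712 suites),
    // strongest first. All of them pair Kerberos key exchange with legacy
    // symmetric ciphers, so enable only what the peer population needs.
    static final String[] PREFERRED_KRB5_SUITES = {
        "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
        "TLS_KRB5_WITH_RC4_128_SHA",
    };

    /** Returns the preferred Kerberos suites that this provider supports, in preference order. */
    static String[] selectKrb5Suites(String[] supported) {
        List<String> have = Arrays.asList(supported);
        return Arrays.stream(PREFERRED_KRB5_SUITES).filter(have::contains).toArray(String[]::new);
    }

    public static void main(String[] args) throws Exception {
        int port = args.length > 0 ? Integer.parseInt(args[0]) : 4433;

        // No keystore is configured: Kerberos suites do not use X.509
        // certificates, so the default factory is sufficient. Because only
        // Kerberos suites are enabled, a client that cannot present a service
        // ticket for host/<name>@REALM fails the handshake.
        SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(port)) {
            String[] enabled = selectKrb5Suites(server.getSupportedCipherSuites());
            if (enabled.length == 0) {
                throw new IllegalStateException(
                    "No Kerberos cipher suites supported; check jdk.tls.disabledAlgorithms in java.security");
            }
            server.setEnabledCipherSuites(enabled);
            System.out.println("Listening on " + port + " with " + String.join(",", enabled));

            while (true) {
                try (SSLSocket client = (SSLSocket) server.accept()) {
                    // JSSE logs in through the com.ibm.net.ssl.server entry here.
                    client.startHandshake();
                    // For Kerberos suites the peer principal is the client's
                    // Kerberos principal; there is no certificate chain to inspect.
                    String peer = client.getSession().getPeerPrincipal().getName();
                    System.out.println("Authenticated " + peer + " with "
                        + client.getSession().getCipherSuite());

                    BufferedReader in = new BufferedReader(
                        new InputStreamReader(client.getInputStream(), "UTF-8"));
                    PrintWriter out = new PrintWriter(client.getOutputStream(), true);
                    String line = in.readLine();
                    out.println("hello " + peer + ", you said: " + line);
                }
            }
        }
    }
}
```

Two checks worth making before deploying this: confirm that getSupportedCipherSuites() still lists the TLS_KRB5_* suites on your SDK level (they are governed by the jdk.tls.disabledAlgorithms property in java.security, which in recent updates excludes RC4 and 3DES), and confirm that the host name clients connect to matches the host/<name>@REALM principal in the keytab, since a mismatch surfaces as a handshake failure rather than as a Kerberos error.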
To use the Kerberos cipher suites with JAAS programming, you can use any index name, because your application is responsible for creating the JAAS LoginContext using that index name and then wrapping the JSSE calls inside a Subject.doAs() or Subject.doAsPrivileged() call. An example of how to use JAAS with Java GSS and Kerberos is described in the Java GSS Tutorial. You can adapt it to use JSSE by replacing the Java GSS calls with JSSE calls.
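The client below is the JAAS-programming counterpart: the application performs the login itself under an index name of its own choosing and runs the JSSE calls inside Subject.doAs(). It is an added example for this page, not code from the SDK or from the Java GSS Tutorial. The index name TlsClient, the client principal and keytab, the server host name and port, and the echo protocol are assumptions; the login module options in the commented configuration entry mirror the server entry shown earlier on this page and should be adjusted to whatever the Kerberos login module in your SDK accepts.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

/*
 * TLS client using JAAS programming: the application logs in and wraps the
 * JSSE calls in Subject.doAs(), so the JAAS index name is free. Assumed entry
 * in the file named by -Djava.security.auth.login.config (all values are
 * placeholders for this example):
 *
 *   TlsClient {
 *       com.ibm.security.auth.module.Krb5LoginModule required
 *           principal="alice@IMC.ORG"
 *           useKeyTab=true
 *           keyTab=alice.keytab;
 *   };
 *
 * The host name passed to createSocket() must be the name in the server's
 * host/<name>@REALM principal, because JSSE derives the service ticket it
 * requests from that host name; connecting by IP address will not work.
 */
public class KrbTlsClient {

    static final String[] PREFERRED_KRB5_SUITES = {
        "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
        "TLS_KRB5_WITH_RC4_128_SHA",
    };

    /** Connects as the logged-in subject, exchanges one line, and returns the negotiated suite. */
    static String connectAs(Subject subject, String host, int port, String message) throws Exception {
        // The cast selects the PrivilegedExceptionAction overload of doAs.
        return Subject.doAs(subject, (PrivilegedExceptionAction<String>) () -> {
            SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
                List<String> have = Arrays.asList(socket.getSupportedCipherSuites());
                String[] enabled = Arrays.stream(PREFERRED_KRB5_SUITES)
                    .filter(have::contains).toArray(String[]::new);
                if (enabled.length == 0) {
                    throw new IllegalStateException("No Kerberos cipher suites supported by this provider");
                }
                socket.setEnabledCipherSuites(enabled);
                // The TGS request for host/<host>@REALM happens here, using the
                // TGT held in the Subject that doAs() placed on this thread.
                socket.startHandshake();

                PrintWriter out = new PrintWriter(socket.getOutputStream(), true);
                BufferedReader in = new BufferedReader(
                    new InputStreamReader(socket.getInputStream(), "UTF-8"));
                out.println(message);
                System.out.println("server: " + in.readLine());
                return socket.getSession().getCipherSuite();
            }
        });
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "mach1.imc.org";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 4433;

        // Any index name works here; "TlsClient" is this example's choice.
        LoginContext lc = new LoginContext("TlsClient");
        lc.login();                    // obtains the client's TGT from the KDC
        try {
            String suite = connectAs(lc.getSubject(), host, port, "ping");
            System.out.println("negotiated " + suite);
        } finally {
            lc.logout();               // destroys the credentials held in the Subject
        }
    }
}
```

Use Subject.doAsPrivileged() in place of Subject.doAs() when the JSSE calls are made from code that runs with an access control context you do not want inherited by the privileged action; in both forms the essential point is the same, namely that JSSE finds the Kerberos credentials on the current thread's Subject rather than logging in through a named configuration entry.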
If you have trouble using or configuring the JSSE application to use Kerberos, see the Troubleshooting section of the Java GSS Tutorial.