Enabling Kerberos on the application server (WebSphere Application Server)
To enable Kerberos under WebSphere, you must set up a special Engine Kerberos Service Authentication Provider.
About this task
To set up the special Engine Kerberos Service Authentication Provider:
Procedure
- Copy the Engine-authn.jar to the following location:
  Option    Description
  Windows   %WAS_HOME%\lib
  UNIX      ${WAS_HOME}/lib
  This JAR file can be found in the Content Platform Engine installation directory, such as Program Files\FileNet\ContentEngine\Kerberos for Windows or installdir/FileNet/ContentEngine/Kerberos for UNIX.
- Start the WebSphere server and run the administrative console.
- In the Security > Global Security > Federated repositories > Trusted authentication realms - inbound page, select Trust all realms (including those external to this cell).
- In the Security > Global Security page, click Java Authentication and Authorization Service, to show the items underneath, then click Application Logins.
- Create the FileNetP8KerberosService configuration in the Application Logins. If Content Platform Engine is configured using Configuration Manager, then a FileNetP8KerberosService is already created, and there is no need to add this again. Otherwise, click New and follow the instructions to add the FileNetP8KerberosService login configuration.
- Once the FileNetP8KerberosService configuration is created, click FileNetP8KerberosService, and follow the steps to add three login modules.
- Click New and in Module Classname enter: com.filenet.engine.authentication.kerberos.login.KrbServiceLoginModule
Leave other fields as is. Click OK.
- If desired, add any options by clicking the new KrbServiceLoginModule entry, clicking Custom Properties, then New, and then entering the option name (for example, debug) and its value (for example, true). Click OK and then click JAAS Login Modules.
- Click New and in Module Classname enter: com.ibm.ws.security.server.lm.ltpaLoginModule
Leave other fields as is. Click OK.
- Click New and in Module Classname enter: com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule
Leave other fields as is. Click OK.
- Save the changes.
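
A post-change check for the procedure above, as an added example that is not part of the original documentation: it parses a security.xml-style fragment, confirms that the FileNetP8KerberosService application login holds the three modules in the order listed, and reports any custom properties (such as debug). The XML in SAMPLE is constructed and simplified, the element and attribute names are an assumption about the saved configuration's layout, and check_login_config is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

ALIAS = "FileNetP8KerberosService"
# Module class names in the order the procedure adds them.
EXPECTED = [
    "com.filenet.engine.authentication.kerberos.login.KrbServiceLoginModule",
    "com.ibm.ws.security.server.lm.ltpaLoginModule",
    "com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule",
]

# Constructed, simplified sample; element and attribute names are an
# assumption modelled on the application login section of security.xml.
SAMPLE = """<Security>
 <applicationLoginConfig>
  <entries alias="FileNetP8KerberosService">
   <loginModules moduleClassName="%s" authenticationStrategy="REQUIRED">
    <options name="debug" value="true"/>
   </loginModules>
   <loginModules moduleClassName="%s" authenticationStrategy="REQUIRED"/>
   <loginModules moduleClassName="%s" authenticationStrategy="REQUIRED"/>
  </entries>
 </applicationLoginConfig>
</Security>""" % tuple(EXPECTED)


def check_login_config(xml_text, alias=ALIAS):
    """Return (findings, options); no findings means the entry matches."""
    root = ET.fromstring(xml_text)
    entry = next((e for cfg in root.iter("applicationLoginConfig")
                  for e in cfg.findall("entries") if e.get("alias") == alias), None)
    if entry is None:
        return ["missing application login: " + alias], {}
    modules = entry.findall("loginModules")
    names = [m.get("moduleClassName") for m in modules]
    findings = ["missing module: " + c for c in EXPECTED if c not in names]
    findings += ["unexpected module: " + str(c) for c in names if c not in EXPECTED]
    if not findings and names != EXPECTED:
        findings.append("modules not in the procedure's order")
    # Custom properties per module, e.g. a debug flag left switched on.
    options = {}
    for m in modules:
        props = {o.get("name"): o.get("value") for o in m.findall("options")}
        if props:
            options[m.get("moduleClassName")] = props
    return findings, options


if __name__ == "__main__":
    findings, options = check_login_config(SAMPLE)
    print("findings:", findings or "none")
    print("custom properties:", options)
```

An empty findings list means the saved entry matches the steps; a debug property that shows up in the second return value is worth reviewing once troubleshooting is finished.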