Kerberos Authentication

About this task

Kerberos is an authentication protocol that uses symmetric-key cryptography and a trusted third party, the Key Distribution Center (KDC), to verify the identity of clients. It is designed for open, untrusted networks on which traffic between hosts can be intercepted: passwords are never sent over the network, and the tickets that are sent are encrypted with keys that only the KDC and the intended party hold. You can use Integration Server to enable and configure Kerberos authentication for service requests; this task configures it for a JDBC connection.

Prerequisite: the krb5.conf file for the Kerberos realm, as provided by the administrator of the Key Distribution Center (KDC).

Procedure

  1. Configure the krb5.conf file in Integration Server Administrator.
    1. Start Integration Server Administrator.
    2. Go to Security > Kerberos.
    3. Click Edit Kerberos Settings.
    4. On the Security > Kerberos > Edit page, provide the following information in the Kerberos Settings section:
      Realm: Optional. Name of the Kerberos realm, in all uppercase letters (for an Active Directory domain, this is the domain name in uppercase).
      Key Distribution Center Host: Optional. Host name of the machine on which the KDC resides.
      Kerberos Configuration File: Location of the Kerberos configuration file (krb5.conf). The file contains the locations of the KDCs, the defaults for the realm and for Kerberos applications, and the mappings from host names to Kerberos realms.
      Use Subject Credentials Only: Specifies whether Integration Server requires the Kerberos V5 GSS-API mechanism to obtain its credentials only from an existing Subject set up by the JAAS authentication module, rather than acquiring them itself. This is the behaviour that Java's javax.security.auth.useSubjectCredsOnly system property controls.

      For more information about configuring Integration Server to use Kerberos, see IBM webMethods Integration Server Administrator’s Guide.

  2. Add the login module to the Integration Server_directory\instances\<instance_name>\config\is_jaas.cnf file. Integration Server provides this file and reads it as its JAAS login configuration.
    Each login module configuration entry, whether in is_jaas.cnf or in a separate login configuration file that you create, must follow this format:
    <name> {
        <LoginModule> <flag> <LoginModule options>;
        <optional_additional_LoginModules, flags_and_options>;
    };
    Example of a login module configuration entry for the Microsoft SQL Server JDBC driver:
    SQLJDBCDriver {
       com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
    };
    Note: The name of the login module configuration entry can be fixed or variable, depending on the driver, and can optionally be passed as a connection property. The Microsoft SQL Server JDBC driver looks up the entry named SQLJDBCDriver by default; a different entry name can be passed with the connection property jaasConfigurationName, which allows each connection to have its own login configuration.
  3. Supply the Kerberos credentials in one of two ways.
    • Kerberos ticket cache
      The login module reads an existing ticket-granting ticket from the ticket cache of the operating-system account that runs Integration Server (for example, one obtained with kinit), so the configuration itself holds no secret, but the ticket must be renewed before it expires. On Windows, Java can read the ticket from the LSA cache only if the AllowTgtSessionKey registry value is enabled; see the Krb5LoginModule documentation for your JDK. Example of Kerberos ticket cache authentication for the Microsoft SQL Server JDBC driver:
      SQLJDBCDriver {
         com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
      };
    • Kerberos keytab file
      The keytab file holds the long-term key of a principal, and the principal option names the principal to authenticate as. A keytab is equivalent to that principal's password: restrict its file permissions to the account that runs Integration Server and keep it out of backups and source control. Because the JAAS configuration reader applies Java string-escape rules to quoted values, write backslashes in Windows paths doubled (or use forward slashes); with single backslashes the path is silently mangled. Example of Kerberos keytab file authentication for the Microsoft SQL Server JDBC driver:
      SQLJDBCDriver {
         com.sun.security.auth.module.Krb5LoginModule required
            useKeyTab=true
            keyTab="c:\\ibm\\joe_analyst.keytab"
            principal="joe_analyst/xxx.eur.ad.sag@example.com";
      };
  4. Configure the Other Properties field of the JDBC connection.
    For example, for the Microsoft SQL Server JDBC driver:
    integratedSecurity=true;authenticationScheme=JavaKerberos
    With authenticationScheme=JavaKerberos the driver authenticates through Java GSS-API using the JAAS entry configured above; without it, integratedSecurity=true selects Windows native authentication, which requires the driver's native authentication library instead.
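As an added, stand-alone check (not IBM/webMethods code and not part of the original page), the Python below ties the two configuration pieces above together: it parses the Krb5LoginModule entry with the same string-escape rules the JDK's JAAS configuration reader applies to quoted values, then parses the MIT keytab the entry names and confirms that the configured principal actually has keys in it, flagging single-DES or RC4 keys. The login configuration text, the keytab bytes and the key material are constructed for the example (the principal and path are the ones from the documentation example); it is written in Python so that it runs without a JVM or a KDC.

```python
"""Offline consistency check for a Krb5LoginModule keytab entry in is_jaas.cnf. Added
example, not IBM/webMethods code: the JAAS entry is parsed with the JDK reader's escape
rules, the keytab as MIT format 0x0502; sample data is constructed with dummy keys."""
import re
import struct

# JAAS login configuration: <name> { <LoginModule> <flag> <options>; };
JAAS_ENTRY_RE = re.compile(r'(\w+)\s*\{(.*?)\};', re.S)
JAAS_OPTION_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# java.io.StreamTokenizer translates these escapes; any other '\x' becomes a bare 'x'.
_JAVA_ESCAPES = {'a': '\a', 'b': '\b', 'f': '\f', 'n': '\n', 'r': '\r',
                 't': '\t', 'v': '\v', '\\': '\\', '"': '"', "'": "'"}

def java_unescape(s):
    return re.sub(r'\\(.)', lambda m: _JAVA_ESCAPES.get(m.group(1), m.group(1)), s)

def parse_jaas(text):
    """Return {entry_name: [(module_class, flag, {option: value}), ...]}."""
    entries = {}
    for name, body in JAAS_ENTRY_RE.findall(text):
        modules = []
        for stanza in filter(None, (s.strip() for s in body.split(';'))):
            module_class, flag, *rest = stanza.split(None, 2)
            options = {}
            for key, raw, quoted in JAAS_OPTION_RE.findall(rest[0] if rest else ''):
                options[key] = java_unescape(quoted) if raw.startswith('"') else raw
            modules.append((module_class, flag, options))
        entries[name] = modules
    return entries

# MIT keytab format 0x0502. Single DES and RC4 keys should not appear in a new keytab.
WEAK_ENCTYPES = {1: 'des-cbc-crc', 3: 'des-cbc-md5', 23: 'rc4-hmac'}

def _counted(buf, off):
    (n,) = struct.unpack_from('>H', buf, off)      # uint16 length-prefixed octet string
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [{'principal', 'kvno', 'enctype'}] for every live keytab entry."""
    if data[:2] != b'\x05\x02':
        raise ValueError('unsupported keytab version %r' % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from('>i', data, pos)
        pos += 4
        if size <= 0:                # negative size marks a deleted slot
            pos -= size
            continue
        e = data[pos:pos + size]
        (ncomp,) = struct.unpack_from('>H', e, 0)
        realm, off = _counted(e, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(e, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8, enctype, klen = struct.unpack_from('>IIBHH', e, off)
        off += 13 + klen             # skip name_type, timestamp, vno8 and the key bytes
        kvno = vno8
        if off + 4 <= size:          # optional trailing 32-bit kvno
            kvno = struct.unpack_from('>I', e, off)[0] or vno8
        entries.append({'principal': '/'.join(comps) + '@' + realm.decode(),
                        'kvno': kvno, 'enctype': enctype})
        pos += size
    return entries

def build_keytab_entry(principal, kvno, enctype, key):
    """Encode one 0x0502 entry; used here only to construct sample data."""
    name, realm = principal.rsplit('@', 1)
    comps = name.split('/')
    body = struct.pack('>HH', len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack('>H', len(c)) + c.encode()
    body += struct.pack('>IIB', 1, 0, kvno & 0xff)   # KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack('>HH', enctype, len(key)) + key + struct.pack('>I', kvno)
    return struct.pack('>i', len(body)) + body

def check_keytab_entry(jaas_text, entry_name, keytab_bytes):
    """Return (keytab path as Java sees it, principal, matching keys, weak enctype names)."""
    modules = parse_jaas(jaas_text)[entry_name]
    opts = next(o for cls, _flag, o in modules if cls.endswith('Krb5LoginModule'))
    if opts.get('useKeyTab') != 'true':
        raise ValueError('%s does not use a keytab' % entry_name)
    keys = [k for k in parse_keytab(keytab_bytes) if k['principal'] == opts['principal']]
    weak = sorted(WEAK_ENCTYPES[k['enctype']] for k in keys if k['enctype'] in WEAK_ENCTYPES)
    return opts['keyTab'], opts['principal'], keys, weak

# Constructed sample: the documentation's entry (backslashes doubled) plus an AES-256 and an RC4 key.
SAMPLE_JAAS = r'''
SQLJDBCDriver {
   com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true
   keyTab="c:\\ibm\\joe_analyst.keytab" principal="joe_analyst/xxx.eur.ad.sag@example.com";
};
'''
PRINCIPAL = 'joe_analyst/xxx.eur.ad.sag@example.com'
SAMPLE_KEYTAB = (b'\x05\x02' + build_keytab_entry(PRINCIPAL, 3, 18, b'\x11' * 32)
                 + build_keytab_entry(PRINCIPAL, 3, 23, b'\x22' * 16))

if __name__ == '__main__':
    print(check_keytab_entry(SAMPLE_JAAS, 'SQLJDBCDriver', SAMPLE_KEYTAB))
```

Against a real deployment, read is_jaas.cnf and the keytab from disk and pass their contents to check_keytab_entry; an empty key list means the principal in the JAAS entry does not match any keytab entry (a realm or case mismatch is the usual cause), and a non-empty weak list means the keytab should be regenerated with AES keys only. Calling java_unescape on the single-backslash spelling from the documentation example shows the pitfall directly: it collapses to c:ibmjoe_analyst.keytab, a path that does not exist.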