ELM client configuration for Kerberos/SPNEGO SSO
All IBM® Engineering Lifecycle Management (ELM) clients that are based on Java technology and support Kerberos/SPNEGO authentication must be explicitly configured.
In addition, to support earlier client versions, IBM WebSphere® Application Server must be configured with a special SPNEGO filter. For more information, see Configuring a SPNEGO filter in WebSphere Application Server.
Java system property | Description |
---|---|
-Djava.security.krb5.realm |
Realm (Kerberos domain name) to connect the client to. Important: The java.security.krb5.realm and
java.security.krb5.kdc
system properties must be set together; otherwise, they are ignored. |
-Djava.security.krb5.kdc |
Host name of the Microsoft Active Directory Key Distribution Center (KDC) to
connect the client to. If the server does not use the default port, the port number must be included
as well. Important: The java.security.krb5.realm and
java.security.krb5.kdc system properties must be set together; otherwise, they are
ignored. |
-Djava.security.krb5.conf |
Path to a Kerberos Version 5 configuration file. Although this file has the same format as a krb5.ini or krb5.conf file that might be found in the default location, it is a separate file. The file can have any name, including krb5.conf, and can include other configuration properties. However, only a small subset of configuration properties is needed to have a functional client. Also, the IBM JRE does not support all the configuration properties. Note: This system property can be set instead of the
java.security.krb5.realm and java.security.krb5.kdc properties.
|
All ELM clients can be configured for Kerberos/SPNEGO authentication by using Java system properties.
Alternatively, the Engineering Workflow Management Eclipse clients have a configuration interface to set these system properties in their respective connection wizards.
The JRE can also retrieve a configuration file with a well-known name that is in either the operating system directory or the JRE installation directory (see Table 2). JRE installations with Kerberos/SPNEGO frequently rely on these centralized configuration files instead of using system properties.
Administrators can choose a strategy for configuring the client configuration values based on whether they can easily alter the client software deployment or client operating system.
JRE search algorithm for locating the client configuration properties
The JRE applies the following search algorithm to locate the client configuration properties.
- If the
java.security.krb5.realm
andjava.security.krb5.kdc
system properties are set in the client, the JRE uses these values as the default realm and KDC, respectively.Note: These configuration values override any default values that are set in a krb5.conf or krb5.ini file if such a configuration file either is specified in thejava.security.krb5.conf
system property or is found in one of the default locations. - If the
java.security.krb5.realm
andjava.security.krb5.kdc
properties are not set, the JRE looks for the default realm and KDC in a krb5.conf or krb5.ini file if such a file either is specified in thejava.security.krb5.conf
property or is found in one of the default locations. - If none of the three system properties are set, the JRE applies
the following algorithm.
- The JRE searches for the krb5.conf file in
the following directory:
Java-Install-Dir\lib\security
Java-Install-Dir/lib/security
where Java-Install-Dir is the directory where the JRE is installed on the client computer.
- If a krb5.conf file still is not found, the
JRE searches for a configuration file in the location that is specified
in Table 2.
Table 2. Possible location of the Kerberos configuration file on the client computer Operating system Location C:\Windows\krb5.ini /etc/krb5.conf Other systems /etc/krb5/krb5.conf /etc/krb5.conf /etc/krb5/krb5.conf /QIBM/UserData/OS400/NetworkAuthentication/krb5.conf
- The JRE searches for the krb5.conf file in
the following directory:
Example krb5.conf or krb5.ini file
[libdefaults]
default_realm = REALM.NAME
[realms]
REALM.NAME = {
kdc = ad.my.domain:88
default_domain = my.domain
}
[domain_realms]
.my.domain = REALM.NAME
REALM.NAME
is the Kerberos realm.my.domain
is the domain name.ad.my.domain
is the KDC host name.
- The definitions in this file are case-sensitive. For example, the Kerberos realm (REALM.NAME in the example) must be in all uppercase letters.
- The Kerberos krb5.conf or krb5.ini file described here is not identical to the Kerberos configuration file with the same name that is used to configure IBM WebSphere Application Server with SPNEGO. While both files support Kerberos in the JRE, they have different purposes.