Engineering Lifecycle Management client configuration for Kerberos/SPNEGO SSO
All IBM® Engineering Lifecycle Management clients that are based on Java technology and support Kerberos/SPNEGO authentication must be explicitly configured.
Engineering Workflow Management client for Microsoft Visual Studio IDE, Engineering Workflow Management Windows Explorer integration, and Engineering Workflow Management MS-SCCI Provider include an embedded Java component, hence, these clients must be configured for Kerberos authentication as well.
Java system property | Description |
---|---|
-Djava.security.krb5.realm |
Realm (Kerberos domain name) to connect the client to. Important: The java.security.krb5.realm and
java.security.krb5.kdc
system properties must be set together; otherwise, they are ignored. |
-Djava.security.krb5.kdc |
Hostname of the Microsoft Active Directory Key Distribution Center (KDC) to
connect the client to. If the server does not use the default port, the port number must be included
as well. Important: The java.security.krb5.realm and
java.security.krb5.kdc system properties must be set together. If they are not set
together, they are ignored. |
-Djava.security.krb5.conf |
Path to a Kerberos Version 5 configuration file. Although this file has the same format as a krb5.ini or krb5.conf file that might be found in the default location, it is a separate file. The file can have any name, including krb5.conf, and can include other configuration properties. However, only a small subset of configuration properties is needed to have a functional client. Also, the IBM JRE does not support all the configuration properties. Note: These system properties can be set instead of the
java.security.krb5.realm and java.security.krb5.kdc properties.
|
Establishing a connection with the Kerberos/SPNEGO enabled Engineering Lifecycle Management Server
- Set Java system properties.
You can configure Engineering Lifecycle Management clients for Kerberos/SPNEGO authentication by using Java system properties java.security.krb5.realm and java.security.krb5.kdc or java.security.krb5.conf. They can be set by modifying the client configuration file or by using the client connection wizard.
- Setting system properties by using connection wizard
The Engineering Workflow Management Eclipse clients have a configuration interface to set these system properties in their respective connection wizards.
Connection wizard can also make use Kerberos Configuration file. See below for Kerberos configuration file sample.
- Setting system properties by using client configuration fileThese Java System properties can be set in the Engineering Lifecycle Management Client configuration file under the - vmargs section. For example for configuring SCM client, the configuration file Client- Install-Dir\scmtools\eclipse\scm.ini can be used. When configured it looks like below:
-vm ../../jdk/jre/bin -startup plugins/org.eclipse.equinox.launcher_1.3.0.v20140415-2008.jar --launcher.library plugins/org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20150204-1316 --launcher.suppressErrors -data @noDefault -vmargs -Xmx512m -Xshareclasses:nonfatal -Xquickstart -Dosgi.requiredJavaVersion=1.8 -Xdump:system:events=systhrow,filter=java/lang/OutOfMemoryError,request=exclusive+prepwalk -Dorg.eclipse.emf.ecore.plugin.EcorePlugin.doNotLoadResourcesPlugin=true -Djava.security.krb5.realm=REALM.NAME -Djava.security.krb5.kdc=ad.my.domain
The previous example includes the following parameters:REALM.NAME
is the Kerberos realmad.my.domain
is the KDC hostname
Locations of some of the client configuration files are as following:- Build-Client-Install-Dir\buildsystem\buildengine\eclipse\jbe.ini
- SCM-Client-Install-Dir\scmtools\eclipse\scm.ini
- EWM-Client-Install-Dir\eclipse.ini
- Setting system properties by using connection wizard
- Initiate the connection by selecting the authentication type as Kerberos/SPNEGO
The authentication type can be selected in the connection wizard or by providing appropriate parameter value on the command line.
Below is a sample command line that uses Kerberos authentication type for scm client:
scm login -r https://jazzserver1.realm.name:9443/ccm --kerberos
The JRE can also retrieve a configuration file with a well-known name that is in either the operating system directory or the JRE installation directory (see Table 2). JRE installations with Kerberos/SPNEGO frequently rely on these centralized configuration files instead of using system properties.
Administrators can choose a strategy for configuring the client configuration values based on whether they can easily alter the client software deployment or client operating system.
JRE search algorithm for locating the client configuration properties
The JRE applies the following search algorithm to locate the client configuration properties.
- If the
java.security.krb5.realm
andjava.security.krb5.kdc
system properties are set in the client, the JRE uses these values as the default realm and KDC, respectively.Note: These configuration values override any default values that are set in a krb5.conf or krb5.ini file if such a configuration file either is specified in thejava.security.krb5.conf
system property or is found in one of the default locations. - If the
java.security.krb5.realm
andjava.security.krb5.kdc
properties are not set, the JRE looks for the default realm and KDC in a krb5.conf or krb5.ini file if such a file either is specified in thejava.security.krb5.conf
property or is found in one of the default locations. - If none of the three system properties are set, the JRE applies
the following algorithm.
- The JRE searches for the krb5.conf file in the following
directory:
Java-Install-Dir\lib\security
Java-Install-Dir/lib/security
Where Java-Install-Dir is the directory where the JRE is installed on the client computer.
- If a krb5.conf file still is not found, the
JRE searches for a configuration file in the location that is specified
in Table 2.
Table 2. Possible location of the Kerberos configuration file on the client computer Operating system Location C:\Windows\krb5.ini /etc/krb5.conf Other systems /etc/krb5/krb5.conf /etc/krb5.conf /etc/krb5/krb5.conf /QIBM/UserData/OS400/NetworkAuthentication/krb5.conf
- The JRE searches for the krb5.conf file in the following
directory:
Example krb5.conf or krb5.ini file
[libdefaults]
default_realm = REALM.NAME
[realms]
REALM.NAME = {
kdc = ad.my.domain:88
default_domain = my.domain
}
[domain_realms]
.my.domain = REALM.NAME
REALM.NAME
is the Kerberos realm.my.domain
is the domain name.ad.my.domain
is the KDC hostname.
- The definitions in this file are case-sensitive. For example, the Kerberos realm (REALM.NAME in the example) must be in all uppercase letters.
- The Kerberos krb5.conf or krb5.ini files that are described here is not identical to the Kerberos configuration file with the same name that is used to configure IBM WebSphere® Liberty with SPNEGO. While both files support Kerberos in the JRE, they have different purposes.
Providing a session key to the IBM JRE to enable Kerberos/SPNEGO SSO in Engineering Lifecycle Management Eclipse client
By default, Microsoft Windows restricts third-party applications from retrieving ticket-granting ticket (TGT) and session key pairs from the Kerberos security package. The IBM JRE that is included in Engineering Lifecycle Management Eclipse clients is one such third-party application that is affected by this Windows restriction. Engineering Lifecycle Management web clients are not affected. If Eclipse client is installed without selecting Integrated Windows Authentication, you must update the Windows registry manually to remove this restriction.
- Open the Windows registry editor, regedit.
- Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
- Create the allowtgtsessionkey key with the following attributes and values:
- Data type:
REG_DWORD
- Value: 1 (default is 0)
Note: For some versions of Windows, the allowtgtsessionkey key must be created in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos. To avoid issues, it is best to create the key in both locations. - Data type:
- Restart the client computer.