Web Services Security Kerberos token for authentication in a single or cross Kerberos realm environment
To secure web services messages, you can use a Kerberos token as either an authentication token or a message protection token. For Kerberos authentication, both the single Kerberos realm environment and the cross (trusted) Kerberos realm environment are supported.
Single realm environment

In a single realm environment, the Kerberos service principal name (SPN) has the form ServiceName/HostName@Kerberos_Realm_Name, and Kerberos_Realm_Name is optional.

For cell-level configuration in WebSphere® Application Server, all service providers use the same Kerberos realm.

If the service provider uses the Kerberos identity from the client for downstream web services requests, a delegated Kerberos ticket must exist in the Kerberos token that is specified in the Kerberos configuration file. The system JAAS login module for Kerberos is added to the provided Web Services Security caller. For more information about using the Kerberos token for caller credentials, read about updating the system Java™ Authentication and Authorization Service (JAAS) login with the Kerberos login module, and about creating a Kerberos configuration file.
Cross realm environment or trusted realm environment
- The Kerberos trusted realm setup must be completed for all the configured Kerberos KDCs. See your Kerberos Administrator and User's Guide for more information about how to set up a Kerberos trusted realm.
- The Kerberos configuration file (krb5.ini on Windows, and krb5.conf for Unix and z/OS® platforms) must list the trusted realms. See your Kerberos Administrator and User's Guide for more information.
- The client application token generator bindings must be configured with the Kerberos SPN information from the service provider. For more information, see configuring the bindings for message protection for Kerberos.
In a cross realm environment, the SPN has the form ServiceName/HostName@Kerberos_Realm_Name, and Kerberos_Realm_Name is required.

The client application must specify the Kerberos realm name for the client in the callback handler portion of the client policy token generator bindings. At the cell level, all service providers use the same Kerberos realm. However, client applications can still define their own Kerberos realm. Only peer-to-peer and transitive trust cross-realm authentication are supported.

If the service provider uses the Kerberos identity from the client for downstream web services requests, a delegated Kerberos ticket must exist in the Kerberos token that is configured in the Kerberos configuration file. The system JAAS login module for Kerberos is added to the provided Web Services Security caller. For more information about using the Kerberos token for caller credentials, read about updating the system JAAS login with the Kerberos login module, and about creating a Kerberos configuration file.
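The two SPN rules above (realm optional in a single realm, required in a cross realm) and the requirement that krb5.conf list the trusted realms can be checked before a binding is deployed. The following is an added example, not code from WebSphere or from this page: it parses a constructed krb5.conf fragment (the realm names, KDC host names and the [capaths] trust entries are made up for illustration), parses an SPN of the form ServiceName/HostName@Kerberos_Realm_Name, and reports whether the SPN is acceptable for the single-realm or cross-realm case, distinguishing a peer-to-peer trust (a `.` entry in [capaths]) from a transitive trust through an intermediate realm.

```python
"""Check a Kerberos SPN against a krb5.conf for the single-realm and
cross-realm cases.  Added example; the configuration text and SPNs are
constructed for illustration, not taken from any real deployment."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed krb5.conf: a default realm, one trusted realm listed under
# [realms], and a [capaths] entry describing a direct (peer-to-peer) trust.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    forwardable = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
    }
    PARTNER.EXAMPLE = {
        kdc = kdc.partner.example
    }

[capaths]
    EXAMPLE.COM = {
        PARTNER.EXAMPLE = .
    }
"""

# ServiceName/HostName with an optional @Kerberos_Realm_Name suffix.
SPN_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)(?:@(?P<realm>[^/@]+))?$")


def parse_spn(spn: str) -> Tuple[str, str, Optional[str]]:
    """Split an SPN into (service, host, realm); realm is None when absent."""
    m = SPN_RE.match(spn)
    if not m:
        raise ValueError(f"malformed SPN: {spn!r}")
    return m.group("service"), m.group("host"), m.group("realm")


def parse_krb5_conf(text: str) -> Tuple[Optional[str], List[str], Dict[str, Dict[str, str]]]:
    """Return (default_realm, realms listed under [realms], capaths).

    capaths maps client realm -> {server realm -> "." or intermediate realm}.
    Only the subset of krb5.conf syntax needed here is handled."""
    default_realm: Optional[str] = None
    realms: List[str] = []
    capaths: Dict[str, Dict[str, str]] = {}
    section: Optional[str] = None
    block: Optional[str] = None  # name of the enclosing "NAME = {" block
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, block = m.group(1).lower(), None
            continue
        if line == "}":
            block = None
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if m:
            block = m.group(1)
            if section == "realms":
                realms.append(block)
            elif section == "capaths":
                capaths.setdefault(block, {})
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*(\S+)", line)
        if m:
            key, value = m.groups()
            if section == "libdefaults" and key == "default_realm":
                default_realm = value
            elif section == "capaths" and block is not None:
                capaths[block][key] = value
    return default_realm, realms, capaths


def validate_spn(spn: str, conf_text: str, cross_realm: bool) -> Tuple[bool, str]:
    """Apply the single-realm or cross-realm SPN rules; return (ok, detail)."""
    service, host, realm = parse_spn(spn)
    default_realm, realms, capaths = parse_krb5_conf(conf_text)
    if not cross_realm:
        # Single realm: the realm part is optional and defaults to default_realm.
        realm = realm or default_realm
        if realm is None:
            return False, "no realm in SPN and no default_realm configured"
        if realm != default_realm:
            return False, f"single-realm configuration but SPN names realm {realm}"
        return True, f"{service}/{host}@{realm}"
    # Cross realm: the realm is required and must be a listed, trusted realm.
    if realm is None:
        return False, "cross-realm configuration requires an explicit realm in the SPN"
    if realm not in realms:
        return False, f"realm {realm} is not listed under [realms]"
    if realm == default_realm:
        return True, "same realm; no trust path needed"
    path = capaths.get(default_realm or "", {}).get(realm)
    if path is None:
        return False, f"no [capaths] entry from {default_realm} to {realm}"
    if path == ".":
        return True, f"peer-to-peer trust {default_realm} -> {realm}"
    if path not in realms:
        return False, f"intermediate realm {path} is not listed under [realms]"
    return True, f"transitive trust {default_realm} -> {path} -> {realm}"


if __name__ == "__main__":
    for spn, cross in [("HTTP/svc.example.com", False),
                       ("HTTP/svc.partner.example", True),
                       ("HTTP/svc.partner.example@PARTNER.EXAMPLE", True)]:
        print(spn, "cross" if cross else "single", validate_spn(spn, SAMPLE_KRB5_CONF, cross))
```

The check mirrors the page's rules rather than the KDC's own resolution logic: a missing realm is filled from default_realm only in the single-realm case, and in the cross-realm case the target realm must both appear under [realms] and have a trust path from the client's realm in [capaths].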