Configuring the Kerberos token for Web Services Security

Use this topic to configure the Kerberos token for message-level Web Services Security.

Before you begin

Before you can use Kerberos with Web Services Security, you must configure Kerberos in IBM® WebSphere® Application Server. You do not need to enable Kerberos as the authentication mechanism for the application server, but the Kerberos configuration file (krb5.conf or krb5.ini) and the Kerberos keytab file (krb5.keytab) are required.

The initial setup and configuration for using Kerberos with Web Services Security are identical to those for using Kerberos as the authentication mechanism for the application server. Therefore, set up and configure Kerberos before continuing with the steps in this topic.

The Kerberos (KRB5) authentication mechanism support for security topic provides an overview of the Kerberos functionality and the initial steps for setting up and configuring Kerberos for authentication. Within that topic, complete the steps in the section Setting up Kerberos as the authentication mechanism for WebSphere Application Server, which covers configuring Kerberos, the service principal, and the keytab files. That topic also references the process for configuring Kerberos as the authentication mechanism using the administrative console or commands, and describes how to set up Kerberos when the Key Distribution Center (KDC) and the application server do not use the same user registry.

About this task

The Kerberos token for JAX-WS applications is configured using policy sets and bindings. A custom policy set that contains a Kerberos token is attached to the JAX-WS application, and the Kerberos token is configured as either a message protection token or an authentication token.

The Kerberos support for Web Services Security also uses the existing policy set and binding tools and frameworks to configure the Kerberos token profile for authentication and message protection. This support is based on the OASIS Web Services Security Kerberos Token Profile 1.1 specification.

To configure Kerberos with Web Services Security, complete the following steps:

Procedure

  1. Enable the Kerberos token profile for JAX-WS applications.

    A custom policy set that contains a Kerberos token is attached to the JAX-WS application, and the Kerberos token is configured as a message protection token or an authentication token. For more information, see Configuring the Kerberos token policy set for JAX-WS applications.

  2. Select the customized Kerberos token type.
    Key bindings are defined for request message protection and for response message protection. For the outbound key information, choose the key type: a key identifier or a security token reference. Which type to use depends on the key. If you use a derived key, use a security token reference for both the outbound and the inbound key information. If you use the Kerberos session key, the client bindings use a security token reference in the outbound key information and a key identifier in the inbound key information; the provider bindings mirror this, with a key identifier in the outbound key information and a security token reference in the inbound key information. The two sides must mirror each other because the client's outbound key information is what the provider consumes inbound, and the provider's outbound key information is what the client consumes inbound.
  3. Select the customized Kerberos token types for the token generator or token consumer.
  4. Configure the bindings for Kerberos message protection for JAX-WS applications.
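Worked example of what the key information choices in step 2 mean on the wire. This is an added illustration written for this page, not WebSphere product code: it builds and consumes the header elements that the OASIS Kerberos Token Profile 1.1 defines. A security token reference (a wsse:Reference with a URI) points at a BinarySecurityToken carried in the same message, which is why the client uses it outbound on the request; a key identifier carries only the SHA-1 thumbprint of the AP-REQ (ValueType Kerberosv5APREQSHA1), which is enough once the other side already holds the token, so the provider uses it on the response. The AP-REQ octets are a constructed placeholder rather than a real Kerberos message, and the token cache is an assumed stand-in for the consumer's own token store.

```python
"""Kerberos token references in a WS-Security header (OASIS Kerberos Token
Profile 1.1). Added example for this page; not WebSphere product code.
The AP-REQ bytes used below are a constructed placeholder, not a real message."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
KRB = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1"
VT_GSS_AP_REQ = KRB + "#GSS_Kerberosv5_AP_REQ"   # GSS-API framed AP-REQ token type
VT_APREQ_SHA1 = KRB + "#Kerberosv5APREQSHA1"     # SHA-1 thumbprint key identifier type
ENC_BASE64 = ("http://docs.oasis-open.org/wss/2004/01/"
              "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)


def token_key_identifier(ap_req: bytes) -> str:
    """Kerberosv5APREQSHA1 value: base64 of the SHA-1 digest of the raw token octets."""
    return base64.b64encode(hashlib.sha1(ap_req).digest()).decode("ascii")


def build_outbound_header(ap_req: bytes, token_id: str = "KerbToken-1") -> ET.Element:
    """Client request (client outbound): the token travels as a BinarySecurityToken and
    the key information is a SecurityTokenReference with a direct wsse:Reference to it."""
    sec = ET.Element(f"{{{WSSE}}}Security")
    bst = ET.SubElement(sec, f"{{{WSSE}}}BinarySecurityToken", {
        "ValueType": VT_GSS_AP_REQ, "EncodingType": ENC_BASE64, f"{{{WSU}}}Id": token_id})
    bst.text = base64.b64encode(ap_req).decode("ascii")
    ref = ET.SubElement(sec, f"{{{WSSE}}}SecurityTokenReference")
    ET.SubElement(ref, f"{{{WSSE}}}Reference", {"URI": "#" + token_id, "ValueType": VT_GSS_AP_REQ})
    return sec


def build_key_identifier_reference(ap_req: bytes) -> ET.Element:
    """Provider response (provider outbound): the token is not re-sent; the key
    information is a KeyIdentifier holding the token's SHA-1 thumbprint."""
    ref = ET.Element(f"{{{WSSE}}}SecurityTokenReference")
    kid = ET.SubElement(ref, f"{{{WSSE}}}KeyIdentifier",
                        {"ValueType": VT_APREQ_SHA1, "EncodingType": ENC_BASE64})
    kid.text = token_key_identifier(ap_req)
    return ref


def consume_outbound_header(sec: ET.Element, token_cache: dict) -> Optional[bytes]:
    """Provider inbound (security token reference): resolve the direct reference, check
    the token's declared type and encoding, and remember the token under its thumbprint
    so a later key identifier can be resolved. Returns None when the reference cannot
    be resolved or the referenced token is not a Kerberos AP-REQ."""
    ref = sec.find(f"{{{WSSE}}}SecurityTokenReference/{{{WSSE}}}Reference")
    if ref is None or not ref.get("URI", "").startswith("#"):
        return None
    wanted = ref.get("URI")[1:]
    for bst in sec.findall(f"{{{WSSE}}}BinarySecurityToken"):
        if bst.get(f"{{{WSU}}}Id") != wanted:
            continue
        if bst.get("ValueType") != VT_GSS_AP_REQ or bst.get("EncodingType") != ENC_BASE64:
            return None
        ap_req = base64.b64decode(bst.text or "")
        token_cache[token_key_identifier(ap_req)] = ap_req
        return ap_req
    return None


def resolve_key_identifier(ref: ET.Element, token_cache: dict) -> Optional[bytes]:
    """Client inbound (key identifier): look the thumbprint up among tokens this side
    already sent or saw. An unknown thumbprint means the message cannot be verified."""
    kid = ref.find(f"{{{WSSE}}}KeyIdentifier")
    if kid is None or kid.get("ValueType") != VT_APREQ_SHA1:
        return None
    return token_cache.get((kid.text or "").strip())


if __name__ == "__main__":
    ap_req = b"constructed placeholder AP-REQ octets"   # constructed sample, not a real token
    cache = {}                                           # assumed stand-in for a token store
    request_header = build_outbound_header(ap_req)
    print(ET.tostring(request_header, encoding="unicode"))
    assert consume_outbound_header(request_header, cache) == ap_req
    response_ref = build_key_identifier_reference(ap_req)
    print(ET.tostring(response_ref, encoding="unicode"))
    assert resolve_key_identifier(response_ref, cache) == ap_req
```

The two resolver functions show why the bindings in step 2 must mirror each other: a provider binding that expects a key identifier inbound cannot resolve a request that carries only a direct reference, and a client that never cached the token it sent cannot resolve the thumbprint on the response. In a real deployment the AP-REQ comes from the Kerberos runtime and the thumbprint cache is the product's own token store; the wire format and the lookup logic are what this example demonstrates.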

What to do next

After completing this task, the Kerberos token is configured for Web Services Security in WebSphere Application Server.