Configuring a Java client for Kerberos authentication
A Java™ client can authenticate with WebSphere® Application Server with a Kerberos principal name and password or with the Kerberos credential cache (krb5Ccache).
Procedure
- Create a Kerberos configuration file (krb5.ini or krb5.conf).
- Place the krb5.ini or krb5.conf file you created in the default location. If the file is not in the default location, you must set com.ibm.CORBA.krb5ConfigFile in the sas.client.props file to the correct path and file name of the Kerberos configuration file. The default location depends on the operating system:
  - c:\winnt\krb5.ini (Windows)
  - /etc/krb5.conf
  - /etc/krb5/krb5.conf
  - /QIBM/UserData/OS400/NetworkAuthentication/krb5.conf (IBM i)
- In the sas.client.props file, set the com.ibm.CORBA.authenticationTarget property
to KRB5. Read about configuring security with scripting for more information.
- Also in the sas.client.props file, set the com.ibm.CORBA.loginSource property to one of the supported values shown here.
  When authenticationTarget is BasicAuth, the supported loginSource values are:
  - prompt [default]
  - properties
  - stdin
  - none
  When authenticationTarget is KRB5, the supported loginSource values are:
  - prompt [default]
  - properties
  - stdin
  - none
  - krb5Ccache
  - krb5Ccache:prompt
  - krb5Ccache:properties
  - krb5Ccache:stdin
  Also consider the following:
  - krb5Ccache:prompt: use krb5Ccache to authenticate to WebSphere Application Server first. If it fails, the client falls back to prompt.
  - krb5Ccache:properties: use krb5Ccache to authenticate to WebSphere Application Server first. If it fails, the client falls back to properties.
  - krb5Ccache:stdin: use krb5Ccache to authenticate to WebSphere Application Server first. If it fails, the client falls back to stdin.
- If the authenticationTarget is KRB5, the Java client application must have the wsjaas_client.conf file. If you do not use the launchClient command, you must set the Java option as follows:
  -Djava.security.auth.login.config=wsjaas_client.conf
- If the authenticationTarget is KRB5 and loginSource is the Kerberos credential cache, do the following:
  - In the wsjaas_client.conf file, update the WSKRB5Login entry:
    WSKRB5Login {
        com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapperClient required
            credsType=INITIATOR
            useFirstPass=false
            forwardable=false
            renewable=false
            noAddress=false;
    };
  - If the Kerberos credential cache is not at the default location, set the com.ibm.CORBA.krb5CcacheFile property as a URL. For example:
    com.ibm.CORBA.krb5CcacheFile=FILE:/home/smith/krb5cc_smith
  The default location of the Kerberos credential cache file depends on which operating system you use. The user credential cache is searched for in the following order:
  - the file referenced by the Java property KRB5CCNAME
  - <user.home>/krb5cc_<user.name>
  - <user.home>/krb5cc (if <user.name> cannot be obtained)
Note: When the Kerberos credential cache is used for authentication, the client Kerberos delegation ticket is not renewable.
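As an added example (not part of the product documentation), the following hypothetical Java helper, Krb5CcacheLocator, applies the lookup order above to find the credential cache and builds the FILE: URL value for com.ibm.CORBA.krb5CcacheFile. KRB5CCNAME is read as a Java system property, as the page describes; accepting a FILE: prefix on that value is an assumption.

```java
import java.io.File;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

/**
 * Hypothetical helper (not WebSphere code) that resolves the Kerberos
 * credential cache in the documented order:
 *   1. the file named by the Java property KRB5CCNAME,
 *   2. <user.home>/krb5cc_<user.name>,
 *   3. <user.home>/krb5cc when user.name cannot be obtained.
 */
public final class Krb5CcacheLocator {

    /** Returns the first candidate that exists as a regular file, or empty if none does. */
    public static Optional<Path> locate(String krb5ccname, String userHome, String userName) {
        if (krb5ccname != null && !krb5ccname.isEmpty()) {
            // Assumption: allow either a bare path or a FILE:/path URL in KRB5CCNAME.
            String raw = krb5ccname.startsWith("FILE:") ? krb5ccname.substring(5) : krb5ccname;
            Path explicit = Paths.get(raw);
            if (explicit.toFile().isFile()) {
                return Optional.of(explicit);
            }
        }
        if (userHome == null || userHome.isEmpty()) {
            return Optional.empty();
        }
        // Fall back to krb5cc when the user name is unavailable.
        Path perUser = (userName != null && !userName.isEmpty())
                ? Paths.get(userHome, "krb5cc_" + userName)
                : Paths.get(userHome, "krb5cc");
        return perUser.toFile().isFile() ? Optional.of(perUser) : Optional.empty();
    }

    /** Formats a path as the FILE: URL form used by com.ibm.CORBA.krb5CcacheFile. */
    public static String toCcacheUrl(Path cache) {
        // Forward slashes keep the URL well-formed on Windows as well as UNIX.
        return "FILE:" + cache.toAbsolutePath().toString().replace(File.separatorChar, '/');
    }

    public static void main(String[] args) {
        Optional<Path> cache = locate(System.getProperty("KRB5CCNAME"),
                                      System.getProperty("user.home"),
                                      System.getProperty("user.name"));
        if (cache.isPresent()) {
            // Line to paste into sas.client.props when the cache is not at the default location.
            System.out.println("com.ibm.CORBA.krb5CcacheFile=" + toCcacheUrl(cache.get()));
        } else {
            System.out.println("No Kerberos credential cache found; obtain one with kinit first.");
        }
    }
}
```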
- Optional: If an error occurs, make sure that the clocks of all WebSphere Application Server machines are in sync with the KDC machines.
Validate a Kerberos principal name and password by using the kinit command. It is recommended that you use the kinit command that comes with the Java SE Development Kit (JDK) 8. Type the following to receive help for this command:
kinit -help
An example of the kinit command is as follows. In this example, a Kerberos ticket-granting ticket (TGT) is obtained for duke, and the Kerberos credential cache is stored in the default location, c:\Documents and Settings\duke\krb5cc_duke:
kinit duke@JAVA.SUN.COM
Note: This command usage might not work on all versions of KDCs.
Results
You can complete your configuration of Kerberos on the server side by using either the administrative console or by using wsadmin commands.