Kerberos authentication settings
Use this page to configure and to verify Kerberos as the authentication mechanism for the application server.
When you have entered and applied the required information to the configuration, the server principal name is created from the service name, realm name, and host name, and is used to automatically verify authentication to the Kerberos service.
When configured, Kerberos is the primary authentication mechanism. Configure Enterprise JavaBeans (EJB) authentication to resources by accessing the resource references links on the application details panel.
To view this administrative console page, click Kerberos configuration under Authentication.

The service principal name must use the format <service name>/<fully_qualified hostname>@KerberosRealm. If you do not use this format, you might get the following error:

    org.ietf.jgss.GSSException, major code: 11, minor code: 0
    major string: General failure, unspecified at GSSAPI level
    minor string: Cannot get credential for principal service WAS/test@AUSTIN.IBM.COM

In this exception example the host name is not fully qualified (test rather than test.austin.ibm.com), which is why the failure occurs. For this failure, the host name of the system is usually obtained from the /etc/hosts file instead of from the domain name system (DNS) server. On UNIX or Linux® systems, if the "hosts:" line in the /etc/nsswitch.conf file lists files before dns, the Kerberos configuration fails when the hosts file contains an entry for the system that is not the fully qualified host name.
Kerberos realm name
Specifies the name of your Kerberos realm. In most cases, your realm is your domain name in uppercase letters. For example, a machine with the fully qualified host name test.austin.ibm.com (domain austin.ibm.com) typically has a Kerberos realm name of AUSTIN.IBM.COM. Realm names are case-sensitive, so enter the realm exactly as the KDC defines it.
There are two components that use a realm name. The IBM® implementation of the Java™ Generic Security Service (JGSS) component obtains the realm name from the krb5.conf file. WebSphere® Application Server also maintains a realm name, which is usually the same one that JGSS uses. If you leave the Kerberos realm name field blank, WebSphere Application Server inherits the realm name from JGSS.
You might want WebSphere Application Server to use a different realm name, and can use the Kerberos realm name field to change it. However, be aware that if you change the realm name in the administrative console, only the WebSphere Application Server realm name is changed; JGSS continues to use the realm name from the krb5.conf file.
Information | Value |
---|---|
Data type: | String |
Kerberos service name
By convention, a Kerberos service principal name is divided into three parts: the primary (the service name), the instance (the fully qualified host name), and the Kerberos realm name. The format of the Kerberos service principal name is <service name>/<fully qualified hostname>@KERBEROS_REALM. The service name is the first part of the Kerberos service principal name. For example, in WAS/test.austin.ibm.com@AUSTIN.IBM.COM, the service name is WAS.
Information | Value |
---|---|
Data type: | String |
Kerberos configuration file with full path
The Kerberos configuration file, krb5.conf or krb5.ini, contains client configuration information, including the locations of the Key Distribution Centers (KDCs) for the realm of interest. The krb5.conf file is used for all platforms except the Windows operating system, which uses the krb5.ini file.
Information | Value |
---|---|
Data type: | String |
Kerberos keytab file name with full path
Specifies the Kerberos keytab file name with its full path. You can click Browse to locate it. If this field is empty, the keytab file named in the Kerberos configuration file (the default_keytab_name setting in its [libdefaults] section) is used. The keytab holds the long-term key of the service principal, so restrict its file permissions to the user that runs the application server.
Information | Value |
---|---|
Data type: | String |
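The following script is an added example (not IBM's code or part of this page) that exercises the settings described above: it composes the service principal name from the service name, host name and realm fields, rejects the short-host-name form that produces the GSSException shown earlier, checks how the host name would be resolved (the order of files and dns on the "hosts:" line of nsswitch.conf, and whether the /etc/hosts entry carries a fully qualified name), and reads default_realm and default_keytab_name from a krb5.conf, which is where JGSS takes the realm and where the keytab name is taken when the keytab field is left empty. The krb5.conf, hosts and nsswitch.conf contents are constructed here for the demonstration; the paths, the WAS service name, the test.austin.ibm.com host and the AUSTIN.IBM.COM realm are assumptions taken from the page's own example, and the keytab check only runs when a klist command is installed.

```shell
#!/bin/sh
# Pre-flight checks for the WebSphere Kerberos settings (added example, not IBM's code).
# All sample files are constructed below; nothing here contacts a KDC.

# Compose <service>/<fqdn>@REALM from the three console fields.
build_spn() {
  printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# 0 if the SPN has the service/host@REALM shape with a fully qualified host, 1 otherwise.
spn_is_valid() {
  spn=$1
  rest=${spn#*/}; svc=${spn%%/*}                    # split at the first '/'
  [ "$rest" != "$spn" ] && [ -n "$svc" ] || return 1
  realm=${rest#*@}; host=${rest%%@*}                # split at '@'
  [ "$realm" != "$rest" ] && [ -n "$realm" ] || return 1
  case "$host" in *.*) return 0 ;; *) return 1 ;; esac   # short host: the GSSException case
}

# Print the first fully qualified name on the hosts-file line that carries name $2 (empty if none).
hosts_fqdn_for() {
  awk -v n="$2" '
    $1 ~ /^#/ { next }
    { hit = 0
      for (i = 2; i <= NF; i++) if ($i == n) hit = 1
      if (hit) for (i = 2; i <= NF; i++) if ($i ~ /\./) { print $i; exit } }
  ' "$1"
}

# 0 if the "hosts:" line of an nsswitch.conf consults dns before files, 1 otherwise.
nsswitch_dns_first() {
  for src in $(sed -n 's/^[[:space:]]*hosts:[[:space:]]*//p' "$1" | head -n 1); do
    case "$src" in dns*) return 0 ;; files*) return 1 ;; esac
  done
  return 1
}

# Print a [libdefaults] value ($2) from a krb5.conf file ($1), or nothing if it is unset.
krb5_libdefault() {
  awk -v k="$2" '
    /^[[:space:]]*\[/ { in_ld = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next }
    in_ld && index($0, "=") {
      key = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", key)
      if (key == k) {
        v = substr($0, index($0, "=") + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
        print v; exit
      }
    }
  ' "$1"
}

# 0 if `klist -k` lists principal $2 in keytab $1, 1 if not, 2 if klist is not installed.
keytab_has_spn() {
  command -v klist >/dev/null 2>&1 || return 2
  klist -k "$1" 2>/dev/null | grep -F -q -- " $2"
}

# --- demonstration on constructed sample files (assumed values from the page's example) ---
tmp=$(mktemp -d)
cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = AUSTIN.IBM.COM
    default_keytab_name = FILE:/etc/krb5/was.keytab
[realms]
    AUSTIN.IBM.COM = {
        kdc = kdc1.austin.ibm.com
    }
[domain_realm]
    .austin.ibm.com = AUSTIN.IBM.COM
EOF
printf '127.0.0.1 localhost\n10.1.2.3 test\n' > "$tmp/hosts"     # short name only: the failing case
printf 'hosts: files dns\n' > "$tmp/nsswitch.conf"               # files consulted before DNS

realm=$(krb5_libdefault "$tmp/krb5.conf" default_realm)
keytab=$(krb5_libdefault "$tmp/krb5.conf" default_keytab_name)
for host in test test.austin.ibm.com; do
  spn=$(build_spn WAS "$host" "$realm")
  if spn_is_valid "$spn"; then echo "ok   $spn"; else echo "FAIL $spn (host is not fully qualified)"; fi
done
if ! nsswitch_dns_first "$tmp/nsswitch.conf" && [ -z "$(hosts_fqdn_for "$tmp/hosts" test)" ]; then
  echo "WARN hosts file is consulted before DNS and its entry for 'test' has no fully qualified name"
fi
rc=0; keytab_has_spn "${keytab#FILE:}" "$spn" || rc=$?
case $rc in
  0) echo "ok   $spn is present in $keytab" ;;
  1) echo "FAIL $spn not found in $keytab" ;;
  *) echo "skip klist is not installed; keytab not checked" ;;
esac
rm -rf "$tmp"
```

Run it on the application server host with the real paths substituted for the constructed ones; a FAIL on the service principal name or a WARN on name resolution is the condition behind the "Cannot get credential for principal service" failure, and should be fixed in /etc/hosts or /etc/nsswitch.conf before the console settings are applied.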
Trim Kerberos realm from principal name
Specifies whether Kerberos removes the suffix of the principal user name, starting from the @ that precedes the Kerberos realm name. If this attribute is set to true, the suffix of the principal user name is removed. If this attribute is set to false, the suffix of the principal name is retained. The default value is true. Note that with trimming enabled, user@REALM1 and user@REALM2 both map to the same local user name, so keep the realm when more than one realm can authenticate to the server and the names in those realms are not guaranteed to be distinct.
Information | Value |
---|---|
Default: | Enabled |
Enable delegation of Kerberos credentials
Specifies whether Kerberos delegated credentials are stored in the subject by the Kerberos authentication.
This option also enables an application to retrieve the stored credentials and to propagate them to other applications downstream for additional Kerberos authentication with the credential of the Kerberos client.
If the runtime cannot extract a client GSS delegation credential (for example, because the client did not request delegation or its ticket is not forwardable), a warning message is logged. Because a delegated credential lets the server act as the client toward any downstream service, enable this option only for applications that need it.
Information | Value |
---|---|
Default: | Enabled |