You can configure IBM® Integration Bus to operate as a client to a Kerberos secured service for message integrity, confidentiality, and authenticity.
Before you begin
You must have access to a Key Distribution Center (KDC) and a server that is hosting the service. For more information about configuring Kerberos, see your host Kerberos documentation.
Procedure
- Set the user credentials that are used to authenticate with the KDC.
  - You can configure the credentials at the integration node level by issuing the mqsisetdbparms command. For example:
    mqsisetdbparms integrationNodeName -n SPN::realm -u username -p password
  - You can also set the user credentials at the integration server level. For example, you can set a specific realm in any integration server with:
    mqsisetdbparms integrationNodeName -n kerberos::realm1::integrationServerName -u clientId -p password
  - You can also use the Properties tree to set the credentials by using the following ESQL in a Compute node:
    SET OutputRoot.Properties.IdentitySourceType = 'usernameAndPassword';
    SET OutputRoot.Properties.IdentitySourceToken = Username;
    SET OutputRoot.Properties.IdentitySourcePassword = Password;
- Create a Kerberos configuration file. The client uses the configuration file to authenticate with the KDC.
  For more information about Kerberos-based WS-Security that is supported in SOAP nodes, see Message flow security and security profiles.
  When you use Kerberos for security, the default Kerberos configuration file is the one on your workstation. The location of the configuration file differs depending on the system. The usual locations are:
  - For Windows: C:\Windows\krb5.ini and C:\WINNT\krb5.ini
  - For Linux®: /etc/krb5.conf; for UNIX (AIX®): /etc/krb5/krb5.conf
  - For z/OS®: /krb5/krb5.conf
  You can configure Kerberos configuration files for use by an integration node or an integration server.
  The following sample Kerberos configuration file shows typical values for the variables. The variables default_realm and default_keytab_name, and the names in the realms section, are among the values that you change in the configuration file, depending on your network and on the location of the configuration file.
    [libdefaults]
    default_realm = MYREALM.EXAMPLE.COM
    default_keytab_name = FILE:c:\Windows\krb5.keytab
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    [realms]
    MYREALM.EXAMPLE.COM = {
      kdc = kdc.myrealm.example.com
      admin_server = kdc.myrealm.example.com
    }
  For example, you can set the Kerberos configuration file for the integration node (IBM Integration Bus level) with:
    mqsichangeproperties integrationNodeName -o BrokerRegistry -n brokerKerberosConfigFile -v kerberosConfigLocation
  For example, you can set the Kerberos configuration file for an integration server with:
    mqsichangeproperties integrationNodeName -e integrationServerName -o ComIbmJVMManager -n brokerKerberosConfigFile -v kerberosConfigLocation
- Configure a policy set and binding that is associated with the SOAPRequest node for the BAR file that contains the message flow.
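As an added example (not IBM's code and not part of this page), the following Python parses a krb5.conf or krb5.ini of the form shown in the sample above and checks the values the client depends on before you point brokerKerberosConfigFile at it: a default_realm that has a kdc entry, and no RC4 or DES enctypes, which RFC 8429 deprecates (the sample above lists rc4-hmac). The embedded sample config, the WEAK_ENCTYPES set, and the AES enctype substitution used for the hardened copy are constructed for this example.

```python
import re
# krb5.conf sample in the form shown on this page (constructed copy; realm and KDC names are placeholders)
SAMPLE = r"""
[libdefaults]
default_realm = MYREALM.EXAMPLE.COM
default_keytab_name = FILE:c:\Windows\krb5.keytab
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[realms]
MYREALM.EXAMPLE.COM = {
  kdc = kdc.myrealm.example.com
}
"""
# RFC 8429 deprecates RC4 and DES for Kerberos; the hardened copy lists AES enctypes instead (assumed substitution)
WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "des-cbc-crc", "des-cbc-md5"}
HARDENED = SAMPLE.replace("rc4-hmac", "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96")

def parse_krb5(text):
    # Minimal parser for the [section] / key = value / name = { ... } syntax of krb5.conf
    conf, section, block = {}, None, None
    for line in filter(None, (ln.split("#", 1)[0].strip() for ln in text.splitlines())):
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                     # section header; also closes any open realm block
            section, block = m.group(1), None
            conf.setdefault(section, {})
        elif line == "}":         # end of a realm block
            block = None
        elif section is not None:
            key, _, val = (p.strip() for p in line.partition("="))
            if val == "{":        # start of a realm block, e.g. MYREALM.EXAMPLE.COM = {
                block, conf[section][key] = key, {}
            elif block:
                conf[section][block][key] = val
            else:
                conf[section][key] = val
    return conf

def check_krb5(conf):
    """Findings for what the client needs: a default_realm with a kdc, and no deprecated enctypes."""
    lib, findings = conf.get("libdefaults", {}), []
    realm = lib.get("default_realm")
    if not realm:
        findings.append("default_realm is not set")
    elif "kdc" not in conf.get("realms", {}).get(realm, {}):
        findings.append(f"realm {realm} has no kdc entry in [realms]")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        for enc in lib.get(key, "").split():
            if enc in WEAK_ENCTYPES:
                findings.append(f"{key} allows deprecated enctype {enc}")
    return findings
```

Running check_krb5 over parse_krb5(SAMPLE) reports the two rc4-hmac settings; the HARDENED copy produces no findings.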
Results
You have configured IBM Integration Bus to operate as a client to a Kerberos secured service.