IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Configuring IBM Integration Bus as a client to a Kerberos secured service

You can configure IBM® Integration Bus to operate as a client to a Kerberos secured service for message integrity, confidentiality, and authenticity.

You must have access to a Key Distribution Center (KDC) and a server that is hosting the service. For more information about configuring Kerberos, see your host Kerberos documentation.
  1. Set the user credentials that are used to authenticate with the KDC.
    • You can configure the credentials at the broker level by issuing the mqsisetdbparms command. For example:
      mqsisetdbparms brokerName -n SPN::realm -u username -p password
    • You can also set the user credentials at the integration server level. For example, you can set a specific realm in any integration server with:
      mqsisetdbparms brokerName -n kerberos::realm1::ExecutionGroup1 -u clientId -p password 
    • You can also use the Properties tree to set the credentials by using the following ESQL in a compute node:
      SET OutputRoot.Properties.IdentitySourceType = 'usernameAndPassword';
      SET OutputRoot.Properties.IdentitySourceToken = Username;
      SET OutputRoot.Properties.IdentitySourcePassword = Password;
  2. Create a Kerberos configuration file. The client uses this file to authenticate with the KDC.

    For more information about Kerberos-based WS-Security that is supported in SOAP nodes, see Message flow security and security profiles.

    When you use Kerberos for security, the default Kerberos configuration file is the one on your workstation. The location for the configuration file differs depending on the system. The usual locations are:
    • For Windows - C:\Windows\krb5.ini and C:\WINNT\krb5.ini
    • For Linux - /etc/krb5.conf
    • For UNIX (AIX®) - /etc/krb5/krb5.conf
    • For z/OS® - /krb5/krb5.conf
    You can configure Kerberos configuration files for use by a broker or integration server.

    The following sample Kerberos configuration file shows typical values for the variables. The variables default_realm, default_keytab_name, and the names in the realms are among the values you change in the configuration file, depending on your network and location of the configuration file.

    [libdefaults]
    default_realm = MYREALM.EXAMPLE.COM
    default_keytab_name = FILE:c:\Windows\krb5.keytab
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    [realms]
    MYREALM.EXAMPLE.COM = {
    kdc = kdc.myrealm.example.com
    admin_server = kdc.myrealm.example.com
    }
    For example, you can set the variables for an IBM Integration Bus level Kerberos configuration with:
    mqsichangeproperties brokerName -o BrokerRegistry -n brokerKerberosConfigFile -v kerberosConfigLocation
    For example, you can set the variables for an integration server level Kerberos configuration with:
    mqsichangeproperties brokerName -e integrationServerName -o ComIbmJVMManager -n brokerKerberosConfigFile -v kerberosConfigLocation
  3. Configure a policy set and binding that is associated with the SOAPRequest node for the BAR containing the message flow.

You have configured IBM Integration Bus to operate as a client to a Kerberos secured service.
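
The sample configuration file in step 2 restricts tickets to rc4-hmac, an encryption type that RFC 8429 deprecates for Kerberos. The following check is an added example, not IBM code: it parses krb5.conf text, reports deprecated encryption types, and reports a default_realm that has no kdc entry while dns_lookup_kdc is false. The function names are hypothetical, and whether your KDC, service, and broker JVM accept AES encryption types is an assumption to verify before changing the file.

```python
import re

WEAK_PREFIXES = ("des-", "des3-", "rc4-", "arcfour-")  # RFC 6649 (DES), RFC 8429 (3DES, RC4)
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

def parse_krb5_conf(text):
    """Flatten krb5.conf text into {(section, [subsection,] key): value}."""
    conf, path = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"\[\w+\]", line):
            path = [line[1:-1]]
        elif line == "}" and len(path) > 1:
            path.pop()
        elif "=" in line and path and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                path.append(key)
            else:
                conf[(*path, key)] = value  # a repeated key keeps its last value
    return conf

def audit(text):
    """Report deprecated enctypes and a default realm whose KDC cannot be located."""
    conf, findings = parse_krb5_conf(text), []
    for key in ENCTYPE_KEYS:
        names = re.split(r"[,\s]+", conf.get(("libdefaults", key), ""))
        weak = [n for n in names if n.lower().startswith(WEAK_PREFIXES)]
        if weak:
            findings.append(f"{key}: deprecated enctype(s) {', '.join(weak)}")
    realm = conf.get(("libdefaults", "default_realm"))
    dns_off = conf.get(("libdefaults", "dns_lookup_kdc"), "").lower() == "false"
    if dns_off and ("realms", realm, "kdc") not in conf:
        findings.append(f"{realm}: dns_lookup_kdc is false and [realms] has no kdc")
    return findings

# Values from the page's sample file, trimmed to the keys this audit reads.
PAGE_SAMPLE = """[libdefaults]
default_realm = MYREALM.EXAMPLE.COM
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
dns_lookup_kdc = false
[realms]
MYREALM.EXAMPLE.COM = {
kdc = kdc.myrealm.example.com
}
"""

if __name__ == "__main__":
    print("\n".join(audit(PAGE_SAMPLE)))
```

To check a deployed file, pass its contents to audit(), for example the file named by the brokerKerberosConfigFile property.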


bc49106_.htm | Last updated Friday, 21 July 2017