JAAS Kerberos login interface

IBM® JGSS features a Java™ Authentication and Authorization Service (JAAS) Kerberos login interface. By default the Java property javax.security.auth.useSubjectCredsOnly is true, which makes JGSS take its Kerberos credentials from the JAAS Subject associated with the calling thread. You can disable this feature by setting javax.security.auth.useSubjectCredsOnly to false.

Note: Although the pure Java JGSS provider can use the login interface, the native IBM i JGSS provider cannot.

For more information about JAAS, see Java Authentication and Authorization Service.

JAAS and JVM permissions

If you are using a security manager, you need to ensure that your application and JGSS have the necessary JVM and JAAS permissions. For more information, see Using a security manager.

JAAS configuration file options

The login interface requires a JAAS configuration file that specifies com.ibm.security.auth.module.Krb5LoginModule as the login module to be used. The following table lists the options that Krb5LoginModule supports. Note that the options are not case-sensitive.

Option name       Value                        Default                      Explanation
principal         <string>                     None; prompted for           Kerberos principal name
credsType         initiator | acceptor | both  initiator                    The JGSS credential type
forwardable       true | false                 false                        Whether to acquire a forwardable ticket-granting ticket (TGT)
proxiable         true | false                 false                        Whether to acquire a proxiable TGT
useCcache         <URL>                        Don't use ccache             Retrieve TGT from the specified credential cache
useKeytab         <URL>                        Don't use key table          Retrieve secret key from the specified key table
useDefaultCcache  true | false                 Don't use default ccache     Retrieve TGT from the default credential cache
useDefaultKeytab  true | false                 Don't use default key table  Retrieve secret key from the default key table

For a simple example of using Krb5LoginModule, see the Sample JAAS login configuration file.

Option incompatibilities

Some Krb5LoginModule options, excluding principal name, are incompatible with each other, meaning that you cannot specify them together. The following table represents compatible and incompatible login module options.

Indicators in the table describe the relationship between the two associated options:

  • X = Incompatible
  • N/A = Inapplicable combination
  • - = Compatible

Krb5LoginModule option  init  accept  both  fwd  proxy  useCcache  useKeytab  useDefaultCcache  useDefaultKeytab
credsType=initiator      -     N/A    N/A    -     -        -          X             -                 X
credsType=acceptor      N/A     -     N/A    X     X        X          -             X                 -
credsType=both          N/A    N/A     -     -     -        -          -             -                 -
forwardable              -      X      -     -     -        X          X             X                 X
proxiable                -      X      -     -     -        X          X             X                 X
useCcache                -      X      -     X     X        -          X             X                 X
useKeytab                X      -      -     X     X        X          -             X                 X
useDefaultCcache         -      X      -     X     X        X          X             -                 X
useDefaultKeytab         X      -      -     X     X        X          X             X                 -

Column headings abbreviate the option names in the first column (init, accept and both are the three credsType values; fwd and proxy are forwardable and proxiable).

Principal name option

You can specify a principal name in combination with any other option. If you do not specify a principal name, the Krb5LoginModule may prompt the user for a principal name. Whether or not Krb5LoginModule prompts the user depends on the other options that you specify.

Service principal name format

You must use one of the following formats to specify a service principal name:

  • <service_name> (for example, superSecureServer)
  • <service_name>@<host> (for example, superSecureServer@myhost)

In the latter format, <host> is the hostname of the machine on which the service resides. You can (but do not have to) use a fully qualified hostname.

Note: JAAS recognizes certain characters as delimiters. When a JAAS string (such as a principal name or a credential cache or key table URL) contains any of the following characters, enclose the whole string in double quotes:
     _  (underscore)
     :  (colon)
     /  (forward slash)
     \  (back slash)

Prompting for the principal name and password

The options that you specify in the JAAS configuration file determine whether the Krb5LoginModule login is noninteractive or interactive.

  • A noninteractive login does not prompt for any information whatsoever
  • An interactive login prompts for principal name, password, or both

Noninteractive logins

The login proceeds noninteractively when you specify the credential type as initiator (credsType=initiator) and you perform one of the following actions:

  • Specify the useCcache option
  • Set the useDefaultCcache option to true

The login also proceeds noninteractively when you specify the credential type as acceptor or both (credsType=acceptor or credsType=both) and you perform one of the following actions:

  • Specify the useKeytab option
  • Set the useDefaultKeytab option to true

Interactive logins

Other configurations result in the login module prompting for a principal name and password so that it may obtain a TGT from a Kerberos KDC. The login module prompts for only a password when you specify the principal option.

Interactive logins require that the application specify com.ibm.security.auth.callback.Krb5CallbackHandler as the callback handler when creating the login context. The callback handler is responsible for prompting for input.
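The following JAAS login configuration file is an added example, not the IBM sample configuration file referenced above. The entry names (ClientInit, ClientPrompt, ServerAccept, Both), the principal names and the key table URL are assumptions. It gives one entry for each login mode described in this section, each combining only options that the incompatibility table marks as compatible, and quotes the values that contain delimiter characters.

```text
// Added example login configuration; entry names, principals and paths are assumptions.

// Noninteractive initiator: the TGT is read from the default credential cache.
ClientInit {
    com.ibm.security.auth.module.Krb5LoginModule required
        credsType=initiator
        useDefaultCcache=true;
};

// Interactive initiator: the principal is fixed, so Krb5CallbackHandler
// prompts for the password only; a forwardable TGT is requested.
ClientPrompt {
    com.ibm.security.auth.module.Krb5LoginModule required
        credsType=initiator
        principal=alice
        forwardable=true;
};

// Noninteractive acceptor: the secret key comes from an explicit key table.
// The URL contains ':' and '/', so it must be quoted.
ServerAccept {
    com.ibm.security.auth.module.Krb5LoginModule required
        credsType=acceptor
        principal="superSecureServer@myhost"
        useKeytab="file:///home/svc/krb5.keytab";
};

// Noninteractive initiator and acceptor from a single login.
Both {
    com.ibm.security.auth.module.Krb5LoginModule required
        credsType=both
        principal="superSecureServer@myhost"
        useDefaultKeytab=true;
};
```

Point the JVM at the file with -Djava.security.auth.login.config=<path> and select an entry by name when constructing the LoginContext. Only the ClientPrompt entry needs a callback handler; the other three never prompt.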

Credential type option

When you require the credential type to be both initiator and acceptor (credsType=both), Krb5LoginModule obtains both a TGT and a secret key. The login module uses the TGT to initiate contexts and the secret key to accept contexts. The JAAS configuration file must contain sufficient information to enable the login module to acquire the two types of credentials.

For credential types acceptor and both, the login module assumes a service principal.
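The Java program below is an added example, not code from the IBM documentation. It ties together the interactive login with Krb5CallbackHandler described under "Interactive logins" and the acceptor-side use of the secret key described in this section: the client logs in interactively, the service logs in noninteractively from a key table, and each side then runs its JGSS context call under its own Subject so that JGSS takes credentials from the Subject (useSubjectCredsOnly at its default of true). The JAAS entry names "ClientPrompt" and "ServerAccept" and the service principal name are assumptions, and the JAAS configuration file is assumed to be supplied with -Djava.security.auth.login.config.

```java
// Added example, not code from the IBM documentation. The JAAS entry names
// ("ClientPrompt", "ServerAccept") and the service name are assumptions; the
// JAAS configuration file is passed with -Djava.security.auth.login.config=<path>.
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.ibm.security.auth.callback.Krb5CallbackHandler;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;

public class JaasKerberosExample {

    // Interactive initiator login: Krb5CallbackHandler prompts for the password
    // (and for the principal name if the entry does not set one).
    static Subject interactiveLogin(String entry) throws LoginException {
        LoginContext lc = new LoginContext(entry, new Krb5CallbackHandler());
        lc.login();
        return lc.getSubject();
    }

    // Noninteractive acceptor login: the entry names a key table, so no
    // callback handler is needed and nothing is prompted for.
    static Subject noninteractiveLogin(String entry) throws LoginException {
        LoginContext lc = new LoginContext(entry);
        lc.login();
        return lc.getSubject();
    }

    // Build the initiator's context token under the client Subject. Without
    // mutual authentication the single token establishes the initiator side.
    static byte[] initiatorToken(Subject client, String service) throws Exception {
        return Subject.doAs(client, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            GSSName peer = mgr.createName(service, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = mgr.createContext(peer, null, null, GSSContext.DEFAULT_LIFETIME);
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            ctx.dispose();
            return token;
        });
    }

    // Accept that token under the service Subject, using the secret key the
    // acceptor login placed there. Returns the authenticated initiator name.
    static String acceptToken(Subject server, byte[] token) throws Exception {
        return Subject.doAs(server, (PrivilegedExceptionAction<String>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            GSSContext ctx = mgr.createContext((GSSCredential) null);
            ctx.acceptSecContext(token, 0, token.length);
            String initiator = ctx.getSrcName().toString();
            ctx.dispose();
            return initiator;
        });
    }

    public static void main(String[] args) throws Exception {
        Subject client = interactiveLogin("ClientPrompt");      // prompts for password
        Subject server = noninteractiveLogin("ServerAccept");   // no prompt
        byte[] token = initiatorToken(client, "superSecureServer@myhost");
        System.out.println("accepted context from " + acceptToken(server, token));
    }
}
```

Both logins reach the same KDC, so the program needs a working Kerberos configuration and a key table for the service principal. If the interactive entry had been given useCcache or useDefaultCcache=true, the callback handler would never be invoked; the LoginContext constructor still accepts it, but the login module has nothing to ask.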