Question & Answer
Question
Why does the JGSS SPNEGO server attempt to contact the Kerberos Key Distribution Center (KDC) after migration from IBM SDK for Java 8 to Semeru JDK?
Cause
The Krb5LoginModule implementation used for Kerberos login differs between IBM SDK for Java 8 and later Semeru JDK versions. IBM SDK for Java 8 uses com.ibm.security.auth.module.Krb5LoginModule, whereas Semeru JDK versions use the OpenJDK implementation, com.sun.security.auth.module.Krb5LoginModule. These two implementation classes accept different configuration options, as summarized at:
https://www.ibm.com/docs/en/semeru-runtime-ce-z/11?topic=differences-jaas-options-kerberos-login
In Kerberos, the identities that are authenticated are called principals. A principal that requests access to Kerberos-authenticated services as a client is called an initiator. A principal that provides a service as a server is called an acceptor. A principal can be only an initiator (client), only an acceptor (server), or both, providing some services while requesting services from others. An initiator must always contact the KDC at login to obtain the tickets it needs for requesting services. An acceptor-only server that already has a keytab containing the long-term secret key for the service it provides does not need to connect to the KDC at login.
Answer
If the configuration for a Kerberos service that runs on a Semeru JDK does not set the Krb5LoginModule option isInitiator=false, then the option defaults to true. When the option value is true, then the service attempts to log in as an initiator, meaning that it must contact the KDC to get a Ticket Granting Ticket at login.
The change in behavior is safe. It only means that the Kerberos service does some additional work to log in to the KDC at initialization. If there is a firewall between the Kerberos server system and the KDC host, you might need to adjust the firewall rules to allow connection to the KDC host.
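The following JAAS login configuration shows an acceptor-only service entry for each module side by side. This is an added example, not configuration from the IBM page; the service principal, keytab path and entry names are placeholders, and the IBM-side option names (credsType, useKeytab) are taken from the IBM Krb5LoginModule documentation as I recall it, so confirm them against the linked differences page.

```text
// IBM SDK for Java 8 entry: the IBM module selects acceptor-only
// behaviour with credsType=acceptor, so no TGT is requested at login.
KerberosServiceIBM8 {
    com.ibm.security.auth.module.Krb5LoginModule required
        credsType=acceptor
        useKeytab="file:///etc/krb5/service.keytab"
        principal="HTTP/service.example.com@EXAMPLE.COM";
};

// Semeru JDK entry (OpenJDK module): isInitiator defaults to true, so it
// must be set to false explicitly to avoid contacting the KDC at login.
// useKeyTab/keyTab/storeKey keep the long-term key in the Subject for
// later GSS-API acceptSecContext calls; doNotPrompt prevents a password
// prompt if the keytab lookup fails.
KerberosServiceSemeru {
    com.sun.security.auth.module.Krb5LoginModule required
        isInitiator=false
        useKeyTab=true
        keyTab="/etc/krb5/service.keytab"
        storeKey=true
        doNotPrompt=true
        principal="HTTP/service.example.com@EXAMPLE.COM";
};
```

Only the entry matching the running JDK is referenced by the application's LoginContext; adding debug=true to the Semeru entry makes the module print whether it requests a TGT at login, which is a quick way to confirm the setting took effect before adjusting any firewall rules.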
Related Information
Document Information
Modified date:
23 January 2024
UID
ibm17109967