Content Platform Engine, Version 5.2.1

KrbServiceLoginModule options

The KrbServiceLoginModule (or WebLogic Engine Kerberos Authentication Provider) does the Kerberos service authentication on the Content Platform Engine server. This login module has several options that can change its behavior.

debug
When true, the module writes additional debugging information to the console, the server log, or both. The default is false. Enable it when first setting up Kerberos, or later when diagnosing a problem with Kerberos authentication.
useShortNameAsPrincipal
When true, the user's short name is used as the principal; when false, the full Kerberos name in the form username@REALM.COM is used. The default is false.
storeGssContext
When true, a GSSContext is added as a private credential. The server can use it to encrypt and sign messages between the server and the client, but doing so requires substantial programming on both sides. When false, this private credential is not added. The default (and recommended) setting is false.
loginUsingTicketSpn
When true, the module attempts to log in using the SPN (Service Principal Name) of the Kerberos service ticket. The default is false, in which case the login uses the normal FNCEWS_computername account name. The recommended setting is false.
serviceAccountName
Specifies the account name that the service uses when it logs in. If not specified, this defaults to FNCEWS_computername. This option should only need to be set, to an account that is shared by every server, when Content Platform Engine is clustered, or on WebSphere systems when the default name would be longer than 20 characters. This option is ignored if loginUsingTicketSpn is true.
tgtLoginConfigName
Specifies the name of a JAAS configuration entry that is used when the service initially logs in to obtain its Kerberos TGT (Ticket Granting Ticket).

For example, if tgtLoginConfigName=KrbTgtLogin, then there could be a JAAS configuration entry such as:

KrbTgtLogin {
   com.sun.security.auth.module.Krb5LoginModule required
     debug=true useKeyTab=true storeKey=true
     keyTab="c:/etc/krb5.keytab";
};

If this option is not set, an internal configuration tailored for the application server is used. It is recommended that this option not be set, because the default almost always works correctly.

keytabPath
Specifies the keytab file that is used for the service's initial TGT login. It is set as in the following example:
keytabPath="file:/c:/etc/krb5.keytab"

If this option is not set, the default Java keytab is used, which is usually the file krb5.keytab in the user's home directory, for example C:/Documents and Settings/mike.MYDO/krb5.keytab.

The keytabPath option needs to be used when the application server is running as a Windows service or if the keytab is not in the default location. This option is ignored if tgtLoginConfigName is set.

cacheSize
Specifies the size of the ticket cache used on JBoss application servers. The cache works around errors stating that the request is a replay, which occur because JBoss sometimes uses a Kerberos ticket twice during a normal authentication and triggers the error on the second use. The default is 100 on JBoss, and the option is ignored on other application servers. It is recommended that this option not be set unless you are running on JBoss servers that have been reporting replay errors, in which case you can try values greater than 100.
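As an added example (not code from this documentation or from the product), the following Python parses a JAAS configuration in the syntax shown above and flags the option combinations this page describes as ignored or not recommended. The entry names and the fully qualified KrbServiceLoginModule class name in the constructed sample are placeholders.

```python
import re

# JAAS entry syntax as used on this page:  Name { module.Class flag key=value key="quoted"; };
ENTRY_RE = re.compile(r"(\w+)\s*\{(.*?)\}\s*;", re.DOTALL)
MODULE_RE = re.compile(r"([\w.]+)\s+(required|requisite|sufficient|optional)\s+(.*?);", re.DOTALL)
OPTION_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_jaas(text):
    # Returns {entry_name: [(module_class, control_flag, {option: value}), ...]}
    entries = {}
    for name, body in ENTRY_RE.findall(text):
        entries[name] = [(cls, flag, {k: v.strip('"') for k, v in OPTION_RE.findall(opts)})
                         for cls, flag, opts in MODULE_RE.findall(body)]
    return entries

def lint_krb_service(entries):
    # Checks every KrbServiceLoginModule entry against the option interactions documented above.
    findings = []
    for name, modules in entries.items():
        for cls, _flag, opt in modules:
            if not cls.endswith("KrbServiceLoginModule"):
                continue
            on = lambda key: opt.get(key, "false").lower() == "true"  # documented defaults are false
            if on("debug"):
                findings.append(f"{name}: debug=true; disable once Kerberos setup is verified")
            if on("storeGssContext"):
                findings.append(f"{name}: storeGssContext=true is not the recommended setting")
            if on("loginUsingTicketSpn"):
                findings.append(f"{name}: loginUsingTicketSpn=true is not the recommended setting")
                if "serviceAccountName" in opt:
                    findings.append(f"{name}: serviceAccountName is ignored when loginUsingTicketSpn=true")
            tgt = opt.get("tgtLoginConfigName")
            if tgt and "keytabPath" in opt:
                findings.append(f"{name}: keytabPath is ignored when tgtLoginConfigName is set")
            if tgt and tgt not in entries:
                findings.append(f"{name}: tgtLoginConfigName={tgt} has no matching JAAS entry")
            if "cacheSize" in opt:
                findings.append(f"{name}: cacheSize is only honoured on JBoss")
    return findings

# Constructed sample configuration; the service module class name is a placeholder.
SAMPLE = """\
KrbTgtLogin {
   com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="c:/etc/krb5.keytab";
};
CpeKerberosExample {
   com.example.placeholder.KrbServiceLoginModule required debug=true loginUsingTicketSpn=true
     serviceAccountName="FNCEWS_shared" tgtLoginConfigName=KrbTgtLogin keytabPath="file:/c:/etc/krb5.keytab";
};
"""
```

Running lint_krb_service(parse_jaas(SAMPLE)) reports the debug, loginUsingTicketSpn, ignored serviceAccountName and ignored keytabPath findings for the sample entry.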


Last updated: March 2016
p8psn032.htm

© Copyright IBM Corporation 2016.