The KrbServiceLoginModule (or WebLogic Engine Kerberos
Authentication Provider) does the Kerberos service authentication
on the Content Platform Engine server.
This login module has several options that can change its behavior.
- debug: when true, outputs additional debugging information to the console, the server log, or both. The default is false. You can enable this when first setting up Kerberos, or afterward when debugging a problem with Kerberos authentication.
- useShortNameAsPrincipal: when true, uses the user's short name as the principal; when false, uses the full Kerberos name in the form username@REALM.COM. The default is false.
- storeGssContext: when true, adds a GSSContext as a private credential. The server can use it to encrypt and sign messages between the server and the client, but substantial programming on both sides is needed to accomplish this. When false, this private credential is not added. The default (and recommended) setting is false.
- loginUsingTicketSpn: when true, attempts to log in using the SPN (Service Principal Name) of the Kerberos service ticket. The default is false, which attempts to log in using the normal FNCEWS_computername account name. The recommended setting is false.
- serviceAccountName: specifies the account name that the service uses when it logs in. If not specified, this defaults to FNCEWS_computername. This option should only need to be set, to an account that is shared by every server, if Content Platform Engine is clustered, or on WebSphere systems if the default name would be longer than 20 characters. This option is ignored if loginUsingTicketSpn is true.
- tgtLoginConfigName: specifies the name of a JAAS configuration entry that is used when the service initially logs in to get its Kerberos TGT (Ticket Granting Ticket). For example, if tgtLoginConfigName=KrbTgtLogin, the JAAS configuration could contain an entry such as:

    KrbTgtLogin {
        com.sun.security.auth.module.Krb5LoginModule required
        debug=true useKeyTab=true storeKey=true
        keyTab="c:/etc/krb5.keytab";
    };

  If this option is not set, the default is to use an internal configuration that is tailored for the application server. It is recommended that this option not be set, because the default will almost always work correctly.
- keytabPath: specifies the keytab file used for the service's initial TGT login, set like the following example:

    keytabPath="file:/c:/etc/krb5.keytab"

  If this option is not set, the default Java keytab is used, which is usually found in the user's home directory (home/krb5.keytab), for example C:/Documents and Settings/mike.MYDO/krb5.keytab. The keytabPath option needs to be used when the application server is running as a Windows service or if the keytab is not in the default location. This option is ignored if tgtLoginConfigName is set.
- cacheSize: specifies the size of the ticket cache used on JBoss application servers. This cache works around errors stating that the request is a replay, which are generated because JBoss sometimes uses a Kerberos ticket twice during a normal authentication and triggers the replay error on the second use. It defaults to 100 on JBoss and is ignored on other application servers. It is recommended that this option not be set unless you are running on JBoss servers that have been receiving errors stating that the request is a replay, in which case you can try values greater than 100.
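As an added example that is not part of the IBM documentation or the login module itself, the following Python function applies the precedence rules described above (serviceAccountName versus loginUsingTicketSpn, keytabPath versus tgtLoginConfigName, cacheSize on JBoss only, the 20-character WebSphere limit) to a set of module options and reports which options would be silently ignored or are not the recommended setting; the application-server labels and the computer name are assumed inputs.

```python
# Added example (not IBM's code): resolves the effective KrbServiceLoginModule
# settings from the option precedence rules documented above and flags options
# that would be silently ignored. Option names are from the documentation;
# the application-server labels and computer name are assumed inputs.
from typing import Dict, List, Optional, Tuple

WEBSPHERE_MAX_ACCOUNT_LEN = 20  # limit quoted above for default names on WebSphere

def effective_settings(options: Dict[str, str], app_server: str,
                       computer_name: str) -> Tuple[Dict[str, object], List[str]]:
    """Return (effective settings, warnings) for one set of module options."""
    def flag(name: str) -> bool:           # all boolean options default to false
        return options.get(name, "false").strip().lower() == "true"

    warnings: List[str] = []
    eff: Dict[str, object] = {name: flag(name) for name in (
        "debug", "useShortNameAsPrincipal", "storeGssContext", "loginUsingTicketSpn")}
    for name in ("storeGssContext", "loginUsingTicketSpn"):
        if eff[name]:
            warnings.append(f"{name}=true is not the recommended setting")

    # serviceAccountName defaults to FNCEWS_<computername> and is ignored
    # entirely when loginUsingTicketSpn is true.
    account: Optional[str] = options.get("serviceAccountName", f"FNCEWS_{computer_name}")
    if eff["loginUsingTicketSpn"]:
        if "serviceAccountName" in options:
            warnings.append("serviceAccountName is ignored because loginUsingTicketSpn=true")
        account = None
    elif app_server == "websphere" and len(account) > WEBSPHERE_MAX_ACCOUNT_LEN:
        warnings.append(f"account name {account!r} exceeds {WEBSPHERE_MAX_ACCOUNT_LEN} "
                        "characters; set serviceAccountName explicitly")
    eff["serviceAccountName"] = account

    # TGT login source: a named JAAS entry takes precedence over keytabPath.
    if "tgtLoginConfigName" in options:
        eff["tgtLogin"] = ("jaas", options["tgtLoginConfigName"])
        if "keytabPath" in options:
            warnings.append("keytabPath is ignored because tgtLoginConfigName is set")
    else:
        eff["tgtLogin"] = ("keytab", options.get("keytabPath", "<default Java keytab>"))

    # cacheSize only has an effect on JBoss, where it defaults to 100.
    if app_server == "jboss":
        eff["cacheSize"] = int(options.get("cacheSize", "100"))
    elif "cacheSize" in options:
        warnings.append("cacheSize is ignored on non-JBoss application servers")
    return eff, warnings
```

Run it against the option set you intend to deploy and review the returned warnings before enabling Kerberos authentication on the server.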