You can configure WebSphere® Message Broker to operate as a Kerberos secured service for message integrity, confidentiality, and authenticity.
You must have access to a Key Distribution Center (KDC) and a server that is hosting the Kerberos secured service. For more information about configuring Kerberos, see your host Kerberos documentation.
Use this task to configure Kerberos as a secured service for WebSphere Message Broker.
- Export a keytab that contains the private key of the service principal from the KDC. For example:
  ktpass -out c:\Windows\krb5.keytab -princ SomePrincipal@YourDomain -crypto RC4-HMAC-NT -mapUser Username -pass Password -mapOp set
  where:
  - -out filename: Specifies the name and path of the keytab file to be generated.
  - -princ principal_name: The principal name.
  - -crypto encryption_type: Specifies the encryption type to use.
  - -mapUser username: Maps the name of a Kerberos principal to a local account.
  - -pass password: Password to use for this principal name.
  - -mapOp attribute: Defines how the mapping attribute is set. The attribute alternatives are either add or set.
- Copy the keytab file to the server that hosts the service.
  You can copy the file to the server by exporting the keytab file and transferring it to the server, for instance, by using FTP. The Kerberos configuration file contains a reference to the keytab file in the form of a file URL (for example, /home/user/my.keytab). Because the reference is in the configuration file on the server, the server service can take on the Kerberos principal that is defined in the keytab.
- Create a Kerberos configuration file that specifies the location of the keytab file on the local workstation.
  You can use more than one service principal name per broker per Kerberos realm. Use your workstation default Kerberos configuration file when you are using Kerberos for security. The location of the configuration file differs depending on the system. The usual locations are:
  - Windows: C:\Windows\krb5.ini and C:\WINNT\krb5.ini
  - : /etc/krb5.conf
  - UNIX (AIX®): /etc/krb5/krb5.conf
  - z/OS®: /krb5/krb5.conf
  Different Kerberos configuration files can be configured for use by the broker or Execution Group.
  The following sample Kerberos configuration file shows typical values for the variables. The variables default_realm and default_keytab_name, and the names in the realms section, are among the values you change in the configuration file, depending on your network and the location of the configuration file.
[libdefaults]
default_realm = MYREALM.EXAMPLE.COM
default_keytab_name = FILE:c:\Windows\krb5.keytab
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
MYREALM.EXAMPLE.COM = {
kdc = kdc.myrealm.example.com
admin_server = kdc.myrealm.example.com
}
- Create a new Kerberos configuration file to use unique Kerberos service principals per broker or per Execution Group. You do so by specifying the keytab file that contains the required service principal.
- Use one of these mqsichangeproperties commands to specify the location of your new configuration file.
  - For a broker-level Kerberos configuration:
    mqsichangeproperties brokerName -o BrokerRegistry -n kerberosConfigFile -v kerberosConfigLocation
  - For an Execution Group-level Kerberos configuration:
    mqsichangeproperties brokerName -e executionGroupName -o ComIbmJVMManager -n kerberosConfigFile -v kerberosConfigLocation
- Configure a policy set and binding that is associated with the SOAPInput node for the BAR file containing the message flow.
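As an added check that is not part of the IBM documentation, the following Python script parses a krb5.conf in the format shown in the configuration-file step and reports settings an administrator should fix before pointing the broker or Execution Group at the file: a default_realm with no KDC entry, a default_keytab_name that is not a FILE: URL, and deprecated enctypes such as the rc4-hmac used by the sample. The sample file contents and the list of weak enctypes are constructed for this example.

```python
from collections import defaultdict
# Enctypes no longer considered safe; the documentation's sample uses rc4-hmac, which this flags.
WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1"}

# Constructed sample mirroring the values in the documentation's krb5.conf.
SAMPLE_CONF = """\
[libdefaults]
default_realm = MYREALM.EXAMPLE.COM
default_keytab_name = FILE:c:\\Windows\\krb5.keytab
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[realms]
MYREALM.EXAMPLE.COM = {
kdc = kdc.myrealm.example.com
}
"""

def parse_krb5_conf(text):
    """Parse [section] key = value lines; REALM = { ... } blocks inside [realms] become nested dicts."""
    conf, section, block = defaultdict(dict), None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()              # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):  # new [section]
            section, block = line[1:-1], None
        elif line.endswith("{"):                         # start of REALM = { ... }
            block = line[:-1].strip().rstrip("=").strip()
            conf[section][block] = {}
        elif line == "}":                                # end of realm block
            block = None
        else:
            key, _, value = line.partition("=")
            target = conf[section][block] if block else conf[section]
            target[key.strip()] = value.strip()
    return conf

def check_krb5_conf(text):
    """Return findings to fix before pointing the broker at the file (empty list = clean)."""
    conf = parse_krb5_conf(text)
    lib, realms, findings = conf.get("libdefaults", {}), conf.get("realms", {}), []
    realm = lib.get("default_realm")
    if not realms.get(realm, {}).get("kdc"):             # realm missing, undefined, or without a KDC
        findings.append(f"realms: no kdc defined for default_realm {realm}")
    if not lib.get("default_keytab_name", "").upper().startswith("FILE:"):
        findings.append("libdefaults: default_keytab_name should be a FILE: URL")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = WEAK_ENCTYPES & set(lib.get(key, "").split())
        if weak:
            findings.append(f"libdefaults: {key} allows weak enctype(s) {sorted(weak)}")
    return findings
```

Run `check_krb5_conf(open(path).read())` against the file you intend to pass to mqsichangeproperties; replacing rc4-hmac with an AES enctype that your KDC supports clears the enctype findings.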
You configured WebSphere Message Broker to be a Kerberos secured service.