IBM Integration Bus, Version 10.0.0.17
Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS
Kerberos security concepts
Learn about Kerberos authentication and WS-Security concepts.
Concepts
Kerberos configuration file
The configuration file contains information that is needed
for authentication and access control: the key distribution center (KDC)
realm and location, the supported encryption types, and the location of
the keytab file. Clients use the configuration file to authenticate with
the KDC and to request access to networked services. Kerberos-secured
services also use the configuration file to locate the keytab file that
holds the key that is associated with the service.
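The following Python script is an added example, not part of this IBM documentation and not IBM-supplied code. It builds a constructed krb5.conf (realm name, KDC hosts and keytab path are placeholders), parses the items this topic lists (realm, KDC location, encryption types, keytab location) and reports configuration points a practitioner would check before trusting the file: encryption types that are deprecated by RFC 6649 and RFC 8429, a realm that does not follow the uppercase convention, a missing keytab setting, and a default realm with no KDC entry. It goes beyond the text in that it checks the whole file rather than describing one field.

```python
import re

# Constructed sample krb5.conf for the example. The realm, hosts and
# keytab path are placeholders, not values from the documentation.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_keytab_name = FILE:/etc/krb5.keytab
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com:88
        kdc = kdc2.example.com:88
        admin_server = kdc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"""

# The same file with the RC4 entries removed; the audit reports nothing for it.
HARDENED_KRB5_CONF = SAMPLE_KRB5_CONF.replace(" rc4-hmac", "")

# Encryption type names that RFC 6649 (single DES) and RFC 8429 (RC4, 3DES)
# deprecate. The names follow the MIT/Heimdal spelling used in krb5.conf.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
    "des3-hmac-sha1", "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
    "rc4-hmac-exp", "arcfour-hmac-exp",
}

ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")


def parse_krb5_conf(text):
    """Parse the krb5.conf subset used above: [section] headers, key = value
    lines, and NAME = { ... } blocks inside a section. Repeated keys (for
    example several kdc lines for one realm) are collected into a list."""
    sections = {}
    section = None   # dict for the current [section]
    block = None     # dict for the current NAME = { ... } block, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = sections.setdefault(header.group(1), {})
            block = None
            continue
        if section is None:
            continue                          # text before the first header
        if line == "}":
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            block = section.setdefault(key, {})
            continue
        target = block if block is not None else section
        target.setdefault(key, []).append(value)
    return sections


def audit_krb5_conf(text):
    """Extract realm, KDC list and keytab location, and list the findings a
    reviewer would raise about the file."""
    conf = parse_krb5_conf(text)
    libdefaults = conf.get("libdefaults", {})
    realm_name = libdefaults.get("default_realm", [None])[0]
    realm = conf.get("realms", {}).get(realm_name, {})
    keytab = libdefaults.get("default_keytab_name", [None])[0]
    findings = []
    for key in ENCTYPE_KEYS:
        for value in libdefaults.get(key, []):
            weak = sorted(set(value.split()) & WEAK_ENCTYPES)
            if weak:
                findings.append(f"{key} allows weak enctypes: {', '.join(weak)}")
    if realm_name and realm_name != realm_name.upper():
        findings.append(f"default_realm {realm_name} is not uppercase")
    if keytab is None:
        findings.append("default_keytab_name not set; library default path is used")
    if not realm.get("kdc"):
        findings.append(f"no kdc entry for default realm {realm_name}")
    return {
        "realm": realm_name,
        "kdcs": realm.get("kdc", []),
        "keytab": keytab,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_KRB5_CONF), ("hardened", HARDENED_KRB5_CONF)):
        result = audit_krb5_conf(conf)
        print(name, result["realm"], result["kdcs"], result["keytab"])
        for finding in result["findings"]:
            print("  -", finding)
```

The parser deliberately handles only the syntax in the sample; a production krb5.conf can also contain include directives and nested blocks, so treat the script as a review aid for the fields this topic describes rather than a full parser.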
Kerberos keytab file
The keytab file contains the principal and the encrypted private key
that is associated with that principal. The keytab file is created
by exporting a principal from the KDC. Using the keytab file, a service
can verify the authenticity of a client and authenticate it
without contacting the KDC.
Key Distribution Center (KDC)
The Key Distribution Center stores user and service principals
together with their associated keys. The key is derived from either a
user name and a password or a service name and a password. The KDC
also provides an authentication server and a server that grants tickets.
Principals
Networked users and services are known as principals. They authenticate
with a Key Distribution Center (KDC).
Realm
The unique range of control that is provided by a KDC. By convention,
the realm is the DNS domain name converted to uppercase.
Service Principal Name (SPN)
The service principal name identifies a unique networked service.
For a client to use a Kerberos-secured service, the client must authenticate
with a KDC and provide the SPN of the service. The ticket-granting server
of the KDC then issues a ticket to the client, which the client presents
to the service to authenticate itself.