Setting up Kerberos as the authentication mechanism for WebSphere Application Server

You must perform the steps in this article to set up Kerberos as the authentication mechanism for WebSphere® Application Server.

About this task

Note: Configuration of the Kerberos authentication mechanism must be done on the server side by the system administrator and on the Java client side by end users. The Kerberos keytab file must be protected.

You must first ensure that the KDC is configured. See your Kerberos Administrator and User's guide for more information.

To configure a KDC on z/OS®, you must activate the APPL class in RACF®. This action has the effect of enabling the APPL class profile defined for WebSphere and might restrict the ability of authenticated users to access applications running on WebSphere. If your security configuration is using an SAF profile prefix, the profile name is the SAF profile prefix. Otherwise, the profile name is CBS390. To control whether the APPL profile is checked for WebSphere authorization, you can configure the checkbox labeled "Use APPL profile to restrict access to the server" on the SAF authorization panel in the administrative console. This setting can be configured at a WebSphere security domain level.

Avoid trouble: When configuring the envar file for a z/OS KDC, order the encryption types from most secure to least secure for the SKDC_TKT_ENCTYPES environment variable. The z/OS KDC prefers to use the encryption types that are first in the list, from left to right.
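The ordering rule above can be checked mechanically before the KDC is started. The following Python script is an added example, not IBM code: it extracts SKDC_TKT_ENCTYPES from envar-style text and reports any encryption type listed ahead of a stronger one. The strength ranking, the function names, and the sample file contents are assumptions of this example.

```python
import re

# Assumed strength ranking (higher = stronger); this ranking is an
# assumption of the example, not something stated on the page.
STRENGTH = {
    "aes256-cts-hmac-sha1-96": 5,
    "aes128-cts-hmac-sha1-96": 4,
    "des3-cbc-sha1": 3,
    "des-hmac-sha1": 2,
    "des-cbc-md5": 1,
    "des-cbc-md4": 1,
    "des-cbc-crc": 1,
}

def parse_enctypes(envar_text):
    """Return the SKDC_TKT_ENCTYPES list from envar text, or None if unset."""
    # Lines starting with '#' never match because the name must start the line.
    m = re.search(r"^[ \t]*SKDC_TKT_ENCTYPES[ \t]*=[ \t]*(.*)$",
                  envar_text, re.MULTILINE)
    if m is None:
        return None
    return [t.strip() for t in m.group(1).split(",") if t.strip()]

def check_order(enctypes):
    """Return findings; an empty list means strongest-first ordering holds."""
    findings = [f"unknown encryption type: {n}"
                for n in enctypes if n not in STRENGTH]
    known = [n for n in enctypes if n in STRENGTH]
    # Compare each neighbouring pair: left must not be weaker than right.
    for earlier, later in zip(known, known[1:]):
        if STRENGTH[earlier] < STRENGTH[later]:
            findings.append(f"{earlier} is listed before stronger {later}")
    return findings

# Constructed sample envar contents (not from a real system).
SAMPLE_BAD = """\
# KDC envar file
SKDC_TKT_ENCTYPES=des-cbc-crc,des3-cbc-sha1,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
"""
SAMPLE_GOOD = """\
SKDC_TKT_ENCTYPES=aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,des3-cbc-sha1
"""

if __name__ == "__main__":
    for label, text in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        for finding in check_order(parse_enctypes(text)) or ["ordering OK"]:
            print(f"{label}: {finding}")
```
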

You must perform the following steps in order to set up Kerberos as the authentication mechanism for WebSphere Application Server.

Procedure

  1. Create a Kerberos service principal name and keytab file
  2. Create a Kerberos configuration file
  3. Configure Kerberos as the authentication mechanism for WebSphere Application Server using the administrative console
  4. Map a client Kerberos principal name to the WebSphere user registry ID
  5. Set up Kerberos as the authentication mechanism for the pure Java client (optional)





Last updated: Feb 5, 2014 9:41:54 PM CST
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-mp&topic=tsec_kerb_setup
File name: tsec_kerb_setup.html