[Fix Pack 1 or later]

Updating the system JAAS login with the Kerberos login module

Update the Kerberos system JAAS login module for JAX-WS applications.

About this task

If the Kerberos authentication mechanism is configured in the WebSphere® Application Server security configuration for JAX-WS applications, the JAAS login wss.caller must be updated with the system JAAS login module for Kerberos. The login module is specified as com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule.

There are two methods to update the Kerberos system JAAS login module: using the administrative console, or by running a Jython script.

Procedure

  1. Using the administrative console, follow these steps:
    1. Click Security > Global security > Java Authentication and Authorization Service > System logins.
    2. Click on wss.caller, then click New to create a new JAAS login module.
    3. In the Module class name field, type com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule.
    4. Click OK.
    5. In the wss.caller panel, click Set Order, then click on WSKrb5LoginModule.
    6. Move WSKrb5LoginModule up in the list of modules so that it is after com.ibm.ws.wssecurity.impl.auth.module.WSWSSLoginModule but before com.ibm.ws.security.server.lm.ltpaLoginModule. The order of the modules in the list is important. The finished list of modules should look like this:
      com.ibm.ws.wssecurity.impl.auth.module.PreCallerLoginModule                         1
      com.ibm.ws.wssecurity.impl.auth.module.UNTCallerLoginModule                         2
      com.ibm.ws.wssecurity.impl.auth.module.X509CallerLoginModule                        3
      com.ibm.ws.wssecurity.impl.auth.module.LTPACallerLoginModule                        4
      com.ibm.ws.wssecurity.impl.auth.module.LTPAPropagationCallerLoginModule             5
      com.ibm.ws.wssecurity.impl.auth.module.KRBCallerLoginModule                         6
      com.ibm.ws.wssecurity.impl.auth.module.WSWSSLoginModule                             7
      com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule                                 8
      com.ibm.ws.security.server.lm.ltpaLoginModule                                       9
      com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule                        10
    7. Click OK, then click Save to save the changes.
    8. Restart the server.
  2. You can also run a Jython script to update the module. For each cell, run the script addKrbLoginModuleWSSCaller.py, located in the app_server_root\bin directory, to update the WSKrb5LoginModule login module in the security configuration.
    1. Run the following command, where app_server_root is C:\WebSphere\AppServer:
      wsadmin -conntype NONE -lang jython -f C:\WebSphere\AppServer\bin\addKrbLoginModuleWSSCaller.py
    2. If the script is successful, the following message is displayed:
      System JAAS login entry wss.caller has been updated.
    3. Restart the server.
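
To confirm the module order after either method, the following added example (not part of the IBM documentation and not the addKrbLoginModuleWSSCaller.py script) checks a module list, pasted as text from the Set Order panel, against the ordering rule in step 6. The function names and the pasted-text input format are assumptions; the script does not read the WebSphere configuration itself.

```python
import re

KRB = "com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule"
AFTER = "com.ibm.ws.wssecurity.impl.auth.module.WSWSSLoginModule"
BEFORE = "com.ibm.ws.security.server.lm.ltpaLoginModule"

# Finished list as shown in the procedure: class name, then order number.
PAGE_LIST = """
com.ibm.ws.wssecurity.impl.auth.module.PreCallerLoginModule 1
com.ibm.ws.wssecurity.impl.auth.module.UNTCallerLoginModule 2
com.ibm.ws.wssecurity.impl.auth.module.X509CallerLoginModule 3
com.ibm.ws.wssecurity.impl.auth.module.LTPACallerLoginModule 4
com.ibm.ws.wssecurity.impl.auth.module.LTPAPropagationCallerLoginModule 5
com.ibm.ws.wssecurity.impl.auth.module.KRBCallerLoginModule 6
com.ibm.ws.wssecurity.impl.auth.module.WSWSSLoginModule 7
com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule 8
com.ibm.ws.security.server.lm.ltpaLoginModule 9
com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule 10
"""

def parse_module_list(text):
    """Return class names in order; sort by order number if every row has one."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z_]\w*(?:\.\w+)+)\s*(\d+)?\s*$", line)
        if m:
            rows.append((int(m.group(2)) if m.group(2) else None, m.group(1)))
    if rows and all(order is not None for order, _ in rows):
        rows.sort(key=lambda r: r[0])  # numeric sort, so 10 follows 9
    return [name for _, name in rows]

def check_wss_caller_order(modules):
    """Return a list of problems; an empty list means the step 6 rule holds."""
    missing = [n for n in (AFTER, KRB, BEFORE) if n not in modules]
    if missing:
        return ["missing: " + n for n in missing]
    k, a, b = modules.index(KRB), modules.index(AFTER), modules.index(BEFORE)
    problems = []
    if k < a:
        problems.append("WSKrb5LoginModule is listed before WSWSSLoginModule")
    if k > b:
        problems.append("WSKrb5LoginModule is listed after ltpaLoginModule")
    return problems

if __name__ == "__main__":
    # Constructed failing input: WSKrb5LoginModule left at the end of the list.
    not_moved = [n for n in parse_module_list(PAGE_LIST) if n != KRB] + [KRB]
    print(check_wss_caller_order(parse_module_list(PAGE_LIST)))
    print(check_wss_caller_order(not_moved))
```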




Last updated: Oct 21, 2010 1:44:59 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-express-dist&topic=twbs_kerbjaasloginmodule
File name: twbs_kerbjaasloginmodule.html