To secure web services messages, you can use a Kerberos token as either an authentication token or a message protection token. For Kerberos authentication, both single Kerberos realm environments and cross-realm (trusted realm) Kerberos environments are supported.
In a single Kerberos realm environment, the Kerberos service principal name has the format ServiceName/HostName@Kerberos_Realm_Name. For cell-level configuration in WebSphere® Application Server, all service providers use the same Kerberos realm.
If the service provider uses the Kerberos identity from the client for downstream web services requests, a delegated Kerberos ticket must exist in the Kerberos token that is specified in the Kerberos configuration file. The system JAAS login module for Kerberos is added to the provided Web Services Security caller. For more information on using the Kerberos token for caller credentials, read about updating the system Java Authentication and Authorization Service (JAAS) login with the Kerberos login module, and creating a Kerberos configuration file.
In a cross-realm (trusted realm) Kerberos environment, the service principal name has the same format, ServiceName/HostName@Kerberos_Realm_Name, but the client application must specify the Kerberos realm name for the client in the callback handler portion of the client policy token generator bindings. At the cell level, all service providers use the same Kerberos realm. However, client applications can still define their own Kerberos realm. Only peer-to-peer and transitive trust cross-realm authentication are supported.
[Figure: the relationship between trusted realms as defined in the Kerberos Key Distribution Center (KDC)]
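The page states that only peer-to-peer and transitive cross-realm trust are supported and that the realms are defined in the KDC and referenced from the Kerberos configuration file. The following added example (written for this page, not part of the IBM documentation or of WebSphere) shows how the realm chain is read from the [capaths] section of a constructed krb5.conf, and checks that a service principal name follows the ServiceName/HostName@Kerberos_Realm_Name format the page gives. The realm names, KDC host names and the principal are constructed sample values; the parser only honours explicitly configured paths and does not implement the hierarchical fallback that a real Kerberos library also applies.

```python
"""Resolve cross-realm trust paths from a krb5.conf [capaths] section.

Added illustration; not WebSphere code. It shows which intermediate realms a
client in one realm must obtain cross-realm tickets from before it can request
a service ticket in another realm (peer-to-peer: a direct entry marked '.';
transitive: one or more intermediate realms listed for the target realm).
"""
import re

# Constructed sample krb5.conf. CLIENT.EXAMPLE and SERVICE.EXAMPLE each trust
# HUB.EXAMPLE directly, and reach each other transitively through HUB.EXAMPLE.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = CLIENT.EXAMPLE

[realms]
    CLIENT.EXAMPLE = { kdc = kdc.client.example }
    HUB.EXAMPLE = { kdc = kdc.hub.example }
    SERVICE.EXAMPLE = { kdc = kdc.service.example }

[capaths]
    CLIENT.EXAMPLE = {
        HUB.EXAMPLE = .
        SERVICE.EXAMPLE = HUB.EXAMPLE
    }
    SERVICE.EXAMPLE = {
        HUB.EXAMPLE = .
        CLIENT.EXAMPLE = HUB.EXAMPLE
    }
"""

# ServiceName/HostName@Kerberos_Realm_Name, the format the page describes.
SPN_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[A-Z0-9.\-]+)$")


def parse_spn(spn):
    """Split a service principal name into its parts; reject malformed names."""
    match = SPN_RE.match(spn)
    if not match:
        raise ValueError(f"SPN does not match ServiceName/HostName@REALM: {spn!r}")
    return match.groupdict()


def parse_capaths(conf_text):
    """Return {client_realm: {target_realm: [intermediate, ...]}} from [capaths].

    A value of '.' means the client realm trusts the target realm directly.
    Repeated lines for the same target list several intermediates in order.
    """
    capaths = {}
    section = None
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            current = None
            continue
        if section != "capaths":
            continue
        block = re.match(r"(\S+)\s*=\s*\{$", line)
        if block:
            current = block.group(1)
            capaths.setdefault(current, {})
            continue
        if line == "}":
            current = None
            continue
        if current is not None:
            target, _, value = line.partition("=")
            capaths[current].setdefault(target.strip(), []).append(value.strip())
    return capaths


def trust_path(capaths, client_realm, service_realm):
    """Realm chain from client to service, or None if no path is configured."""
    if client_realm == service_realm:
        return [client_realm]
    hops = capaths.get(client_realm, {}).get(service_realm)
    if hops is None:
        return None
    path = [client_realm]
    path.extend(hop for hop in hops if hop != ".")
    path.append(service_realm)
    return path


if __name__ == "__main__":
    spn = parse_spn("HTTP/ws.service.example@SERVICE.EXAMPLE")
    caps = parse_capaths(SAMPLE_KRB5_CONF)
    print("service realm:", spn["realm"])
    print("path:", " -> ".join(trust_path(caps, "CLIENT.EXAMPLE", spn["realm"])))
```

A client whose realm has no [capaths] entry for the service realm gets None here, which is the configuration-side symptom of a cross-realm request that the KDC cannot satisfy; in a WebSphere deployment the same realm relationships must exist both in the KDC and in the Kerberos configuration file that the JAAS login module reads.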