- Create a GSS credential for the Kerberos credential cache. For example:

    // Requires org.ietf.jgss.*; userName holds the Kerberos principal name.
    // "false" lets JGSS fall back to the credential cache (not only the Subject).
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    Oid krb5MechOid = new Oid("1.2.840.113554.1.2.2");
    Oid spnegoMechOid = new Oid("1.3.6.1.5.5.2");
    GSSManager manager = GSSManager.getInstance();
    GSSName gssUserName = manager.createName(userName, GSSName.NT_USER_NAME, krb5MechOid);
    // Kerberos V5 mechanism element, initiate-only
    GSSCredential clientGssCreds = manager.createCredential(gssUserName.canonicalize(krb5MechOid),
                                                            GSSCredential.INDEFINITE_LIFETIME,
                                                            krb5MechOid,
                                                            GSSCredential.INITIATE_ONLY);
    // add the SPNEGO mechanism element to the same credential
    clientGssCreds.add(gssUserName,
                       GSSCredential.INDEFINITE_LIFETIME,
                       GSSCredential.INDEFINITE_LIFETIME,
                       spnegoMechOid,
                       GSSCredential.INITIATE_ONLY);
- Create a GSS credential from a subject that has Kerberos tickets. For example:

    // subject is a javax.security.auth.Subject populated by a Kerberos JAAS login;
    // userName is the Kerberos principal name. Locals used inside the anonymous
    // class must be final.
    final Oid krb5MechOid = new Oid("1.2.840.113554.1.2.2");
    final Oid spnegoMechOid = new Oid("1.3.6.1.5.5.2");
    final GSSManager manager = GSSManager.getInstance();
    // A GSSException thrown from run() reaches the caller wrapped in a
    // java.security.PrivilegedActionException.
    GSSCredential clientGssCreds = Subject.doAs(subject,
        new PrivilegedExceptionAction<GSSCredential>() {
            public GSSCredential run() throws GSSException {
                GSSName gssName = manager.createName(userName,
                                                     GSSName.NT_USER_NAME,
                                                     krb5MechOid);
                // Kerberos V5 mechanism element, initiate-only
                GSSCredential gssCred = manager.createCredential(
                    gssName.canonicalize(krb5MechOid),
                    GSSCredential.DEFAULT_LIFETIME,
                    krb5MechOid,
                    GSSCredential.INITIATE_ONLY);
                // add the SPNEGO mechanism element to the same credential
                gssCred.add(gssName,
                            GSSCredential.INDEFINITE_LIFETIME,
                            GSSCredential.INDEFINITE_LIFETIME,
                            spnegoMechOid,
                            GSSCredential.INITIATE_ONLY);
                return gssCred;
            }
        });
- Create a GSS credential after calling the WSKRB5Login login module. For example:

    // Requires org.ietf.jgss.*; userName holds the Kerberos principal name.
    Oid krb5MechOid = new Oid("1.2.840.113554.1.2.2");
    Oid spnegoMechOid = new Oid("1.3.6.1.5.5.2");
    // "true" makes JGSS use only the Kerberos tickets in the logged-in Subject.
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "true");
    GSSManager manager = GSSManager.getInstance();
    GSSName gssUserName = manager.createName(userName, GSSName.NT_USER_NAME, krb5MechOid);
    // Kerberos V5 mechanism element, initiate-only
    GSSCredential clientGssCreds = manager.createCredential(gssUserName.canonicalize(krb5MechOid),
                                                            GSSCredential.INDEFINITE_LIFETIME,
                                                            krb5MechOid,
                                                            GSSCredential.INITIATE_ONLY);
    // add the SPNEGO mechanism element to the same credential
    clientGssCreds.add(gssUserName,
                       GSSCredential.INDEFINITE_LIFETIME,
                       GSSCredential.INDEFINITE_LIFETIME,
                       spnegoMechOid,
                       GSSCredential.INITIATE_ONLY);
- Create a GSS credential using the Microsoft® native Kerberos credential cache. For example:

    // Requires org.ietf.jgss.*. A null name selects the default principal of the
    // native (MSLSA:) credential cache.
    Oid krb5MechOid = new Oid("1.2.840.113554.1.2.2");
    Oid spnegoMechOid = new Oid("1.3.6.1.5.5.2");
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    GSSManager manager = GSSManager.getInstance();
    // Kerberos V5 mechanism element, initiate-only
    GSSCredential clientGssCreds = manager.createCredential(null,
                                                            GSSCredential.INDEFINITE_LIFETIME,
                                                            krb5MechOid,
                                                            GSSCredential.INITIATE_ONLY);
    // add the SPNEGO mechanism element to the same credential
    clientGssCreds.add(null,
                       GSSCredential.INDEFINITE_LIFETIME,
                       GSSCredential.INDEFINITE_LIFETIME,
                       spnegoMechOid,
                       GSSCredential.INITIATE_ONLY);
Note: The MSLSA: credential cache relies on the ability to extract the entire Kerberos ticket, including the session key, from the Kerberos LSA. In an attempt to increase security, Microsoft has begun to implement a feature by which it no longer exports the session keys for Ticket Granting Tickets, which can render them useless to IBM® JGSS when attempts are made to request additional service tickets. This new feature has been seen in Windows® 2003 Server and Windows XP SP2 Beta. Microsoft has provided the following registry key to disable this new feature:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    AllowTGTSessionKey = 0x01 (DWORD)

On Windows XP SP2 Beta 1 the key is specified as:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
    AllowTGTSessionKey = 0x01 (DWORD)
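An added example, not taken from the IBM documentation or the WebSphere code base: a helper that builds the Kerberos + SPNEGO initiator credential inside Subject.doAs (the "subject that has Kerberos tickets" approach above), propagates the underlying GSSException instead of swallowing it, and refuses a credential that lacks either mechanism element or is about to expire. The class name and the MIN_REMAINING_SECONDS threshold are assumptions; subject and userName are supplied by the caller.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public final class KerberosSpnegoCredentialFactory {   // hypothetical helper class
    private static final String KRB5_MECH = "1.2.840.113554.1.2.2";
    private static final String SPNEGO_MECH = "1.3.6.1.5.5.2";
    // Assumed policy: reject a credential that can initiate for less than five minutes.
    private static final int MIN_REMAINING_SECONDS = 300;
    public static GSSCredential create(Subject subject, final String userName) throws GSSException {
        final Oid krb5MechOid = new Oid(KRB5_MECH);
        final Oid spnegoMechOid = new Oid(SPNEGO_MECH);
        final GSSManager manager = GSSManager.getInstance();
        GSSCredential cred;
        try {
            // Run with the Subject's Kerberos tickets as the credential source.
            cred = Subject.doAs(subject, new PrivilegedExceptionAction<GSSCredential>() {
                public GSSCredential run() throws GSSException {
                    GSSName gssName = manager.createName(userName, GSSName.NT_USER_NAME, krb5MechOid);
                    GSSCredential c = manager.createCredential(gssName.canonicalize(krb5MechOid),
                            GSSCredential.DEFAULT_LIFETIME, krb5MechOid, GSSCredential.INITIATE_ONLY);
                    c.add(gssName, GSSCredential.INDEFINITE_LIFETIME, GSSCredential.INDEFINITE_LIFETIME,
                            spnegoMechOid, GSSCredential.INITIATE_ONLY);
                    return c;
                }
            });
        } catch (PrivilegedActionException e) {
            // Propagate the real failure instead of returning null.
            Throwable cause = e.getCause();
            if (cause instanceof GSSException) throw (GSSException) cause;
            throw new IllegalStateException("credential creation failed", cause);
        }
        // Verify both mechanism elements are present and the credential is not about to expire.
        boolean hasBoth = Arrays.asList(cred.getMechs()).containsAll(Arrays.asList(krb5MechOid, spnegoMechOid));
        int remaining = cred.getRemainingInitLifetime();
        if (!hasBoth || remaining < MIN_REMAINING_SECONDS) {
            cred.dispose(); // release the JGSS/native resources before failing
            throw new GSSException(GSSException.NO_CRED, 0,
                    hasBoth ? "credential expires in " + remaining + "s" : "missing Kerberos or SPNEGO mechanism");
        }
        return cred;
    }
}
```

The caller remains responsible for calling dispose() on the returned credential when it is no longer needed.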