Use wsadmin commands to create, modify or delete Kerberos as the authentication mechanism for WebSphere® Application Server.
The following items are required before you attempt to use the createKrbAuthMechanism command to create the KRB5 authentication mechanism security object field in the security configuration file:
For example, if you have two application server machines, host1.austin.ibm.com and host2.austin.ibm.com, the Kerberos keytab file must contain the <service name>/host1.austin.ibm.com and <service name>/host2.austin.ibm.com SPNs and their Kerberos keys.
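Before running createKrbAuthMechanism it is worth confirming that the keytab really holds one <service name>/<host>@REALM entry per application server host, since a missing SPN only shows up later as a failed Kerberos authentication. The following added check (not part of the IBM documentation or the WebSphere product) parses a keytab in the common MIT format version 0x0502 and reports which expected SPNs are absent; the sample keytab, hosts and realm are constructed in memory for the example, and the key bytes are dummies.

```python
import struct

def _octet_string(data):
    # keytab counted octet string: 16-bit big-endian length + bytes
    return struct.pack(">H", len(data)) + data

def build_keytab(principals, realm, enctype=18, kvno=2):
    """Construct a format-0x0502 keytab with one entry per 'service/host'.
    Constructed test data only: every entry gets a 32-byte all-zero key."""
    out = bytearray(b"\x05\x02")
    for name in principals:
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _octet_string(realm.encode())
        for c in comps:
            body += _octet_string(c.encode())
        body += struct.pack(">IIB", 1, 0, kvno)           # name_type=1, timestamp, vno8
        body += struct.pack(">HH", enctype, 32) + b"\x00" * 32  # keyblock
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def keytab_principals(data):
    """Return the set of 'service/host@REALM' principals in a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    found, pos = set(), 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:                 # negative size marks a deleted slot; skip it
            pos += -size
            continue
        entry, p = data[pos:pos + size], 0
        (ncomp,) = struct.unpack(">H", entry[p:p + 2]); p += 2
        (rlen,) = struct.unpack(">H", entry[p:p + 2]); p += 2
        realm = entry[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):       # in 0x0502 the count excludes the realm
            (clen,) = struct.unpack(">H", entry[p:p + 2]); p += 2
            comps.append(entry[p:p + clen].decode()); p += clen
        found.add("/".join(comps) + "@" + realm)
        pos += size
    return found

def missing_spns(keytab_bytes, service_name, hosts, realm):
    """SPNs that the WebSphere Kerberos setup needs but the keytab lacks."""
    have = keytab_principals(keytab_bytes)
    want = ["%s/%s@%s" % (service_name, h, realm) for h in hosts]
    return [spn for spn in want if spn not in have]

# Constructed sample: keytab covers host1 only, so the host2 SPN is reported
SAMPLE_KEYTAB = build_keytab(["WAS/host1.austin.ibm.com"], "WSSEC.AUSTIN.IBM.COM")
HOSTS = ["host1.austin.ibm.com", "host2.austin.ibm.com"]
```

With a real file, pass `open(path, "rb").read()` instead of SAMPLE_KEYTAB; an empty result from missing_spns means every host has its SPN.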
Use the createKrbAuthMechanism command to create the KRB5 authentication mechanism security object field in the security configuration file.
At the wsadmin prompt, enter the following command:
$AdminTask help createKrbAuthMechanism
Option | Description |
---|---|
<krb5Realm> | This parameter is optional. It indicates the Kerberos realm name. If you do not specify this parameter, the default Kerberos realm in the Kerberos configuration file is used. |
<krb5Config> | This parameter is required. It indicates the directory location and file name of the configuration (krb5.ini or krb5.conf) file. |
<krb5Keytab> | This parameter is optional. It indicates the directory location and file name of the Kerberos keytab file. If you do not specify this parameter, the default keytab in the Kerberos configuration file is used. |
<serviceName> | This parameter is required. It indicates the Kerberos service name. The default Kerberos service name is WAS. |
<trimUserName> | This parameter is optional. It removes the suffix of the principal user name, starting from the “@” that precedes the Kerberos realm name. The default value is true. Note: You must set this field to true if you are using both the Local Operating System registry on z/OS and select the Use the KERB segment of an SAF user profile radio button to map Kerberos principals to SAF identities. |
<enabledGssCredDelegate> | This parameter is not required. Use to indicate whether to extract and place the client GSS delegation credential in the subject. The default value is true. |
<allowKrbAuthForCsiInbound> | This parameter is optional. It enables Kerberos authentication mechanism for Common Secure Interoperability (CSI) inbound. The default value is true. |
<allowKrbAuthForCsiOutbound> | This parameter is required. It enables Kerberos authentication mechanism for CSI outbound. The default value is true. |
${WAS_INSTALL_ROOT}\etc\krb5\krb5.${CFG_OR_INI}
wsadmin>$AdminTask createKrbAuthMechanism { -krb5Realm WSSEC.AUSTIN.IBM.COM -krb5Config C:\\WINNT\\krb5.ini -krb5Keytab C:\\WINNT\\krb5.keytab -serviceName WAS }
Use the modifyKrbAuthMechanism command to make changes to the KRB5 authentication mechanism security object field in the security configuration file.
At the wsadmin prompt, enter the following command:
$AdminTask help modifyKrbAuthMechanism
Option | Description |
---|---|
<krb5Realm> | This parameter is optional. It indicates the Kerberos realm name. If you do not specify this parameter, the default Kerberos realm in the Kerberos configuration file is used. |
<krb5Config> | This parameter is required. It indicates the directory location and file name of the configuration (krb5.ini or krb5.conf) file. |
<krb5Keytab> | This parameter is optional. It indicates the directory location and file name of the Kerberos keytab file. If you do not specify this parameter, the default keytab in the Kerberos configuration file is used. |
<serviceName> | This parameter is required. It indicates the Kerberos service name. The default Kerberos service name is WAS. |
<trimUserName> | This parameter is optional. It removes the suffix of the principal user name, starting from the “@” that precedes the Kerberos realm name. The default value is true. |
<enabledGssCredDelegate> | This parameter is not required. Use to indicate whether to extract and place the client Kerberos and GSS delegation credential in the Kerberos authentication token (KRBAuthnToken). The default value is true. Note: If this parameter is true, and the runtime cannot extract the Kerberos GSS delegation credential, the runtime logs a warning message. |
<allowKrbAuthForCsiInbound> | This parameter is optional. It enables Kerberos authentication mechanism for Common Secure Interoperability (CSI) inbound. The default value is true. |
<allowKrbAuthForCsiOutbound> | This parameter is optional. It enables Kerberos authentication mechanism for CSI outbound. The default value is true. |
${WAS_INSTALL_ROOT}\etc\krb5\krb5.${CFG_OR_INI}
The following is an example of the modifyKrbAuthMechanism command:
wsadmin>$AdminTask modifyKrbAuthMechanism { -krb5Realm WSSEC.AUSTIN.IBM.COM -krb5Config C:\\WINNT\\krb5.ini -krb5Keytab C:\\WINNT\\krb5.keytab -serviceName WAS }
Use the deleteKrbAuthMechanism command to remove the KRB5 authentication mechanism security object field in the security configuration file.
At the wsadmin prompt, enter the following command:
$AdminTask help deleteKrbAuthMechanism
The following is an example of the deleteKrbAuthMechanism command:
wsadmin>$AdminTask deleteKrbAuthMechanism
Use the setActiveAuthMechanism command to set the active authentication mechanism attribute in the security configuration.
At the wsadmin prompt, enter the following command:
$AdminTask help setActiveAuthMechanism
Option | Description |
---|---|
<authMechanismType> | This parameter is not required. It indicates the authentication mechanism type. The default is KRB5. |
The following is an example of the setActiveAuthMechanism command:
wsadmin> $AdminTask setActiveAuthMechanism {-authMechanismType KRB5 }