Updating the system JAAS login with the Kerberos login module

Update the Kerberos system JAAS login module for JAX-WS applications.

About this task

If the Kerberos authentication mechanism is configured in the WebSphere® Application Server security configuration for JAX-WS applications, the JAAS login wss.caller must be updated with the system JAAS login module for Kerberos. The login module is specified as com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule.

There are two methods to update the Kerberos system JAAS login module: using the administrative console or running a Jython script.

Procedure

  1. Using the administrative console, follow these steps:
    1. Click Security > Global security > Java Authentication and Authorization Service > System logins.
    2. Click on wss.caller, then click New to create a new JAAS login module.
    3. In the Module class name field, type com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule.
    4. Click OK.
    5. In the wss.caller panel, click Set Order, then click on WSKrb5LoginModule.
    6. Move WSKrb5LoginModule up in the list of modules so that it is after com.ibm.ws.wssecurity.impl.auth.module.WSWSSLoginModule but before com.ibm.ws.security.server.lm.ltpaLoginModule. The order of the modules in the list is important. The finished list of modules should look like this:
      com.ibm.ws.wssecurity.impl.auth.module.PreCallerLoginModule                         1
      com.ibm.ws.wssecurity.impl.auth.module.UNTCallerLoginModule                         2
      com.ibm.ws.wssecurity.impl.auth.module.X509CallerLoginModule                        3
      com.ibm.ws.wssecurity.impl.auth.module.LTPACallerLoginModule                        4
      com.ibm.ws.wssecurity.impl.auth.module.LTPAPropagationCallerLoginModule             5
      com.ibm.ws.wssecurity.impl.auth.module.KRBCallerLoginModule                         6
      com.ibm.ws.wssecurity.impl.auth.module.WSWSSLoginModule                             7
      com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule                                 8
      com.ibm.ws.security.server.lm.ltpaLoginModule                                       9
      com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule                        10
    7. Click OK, then click Save to save the changes.
    8. Restart the server.
  2. You can also run a Jython script to update the module. For each cell, run the script addKrbLoginModuleWSSCaller.py, located in the app_server_root\bin directory, to update the WSKrb5LoginModule login module in the security configuration.
    1. Run the following command, where app_server_root is C:\WebSphere\AppServer:
      wsadmin -conntype NONE -lang jython -f C:\WebSphere\AppServer\bin\addKrbLoginModuleWSSCaller.py
    2. If the script is successful, the following message is displayed:
      System JAAS login entry wss.caller has been updated.
    3. Restart the server.
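
A check for the module order that step 6 of the console procedure requires, as an added example (not IBM code and not part of the original page). It assumes the class names of the wss.caller modules have been copied, in order, from the Set Order panel; the function name and the sample lists are constructed for illustration.

```python
# Added example (not IBM code): check the wss.caller module order from step 6.
PREFIX = "com.ibm.ws.wssecurity.impl.auth.module."
WSWSS = PREFIX + "WSWSSLoginModule"
KRB5 = "com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule"
LTPA = "com.ibm.ws.security.server.lm.ltpaLoginModule"

# Finished list exactly as documented in step 6.
DOCUMENTED_ORDER = [
    PREFIX + "PreCallerLoginModule",
    PREFIX + "UNTCallerLoginModule",
    PREFIX + "X509CallerLoginModule",
    PREFIX + "LTPACallerLoginModule",
    PREFIX + "LTPAPropagationCallerLoginModule",
    PREFIX + "KRBCallerLoginModule",
    WSWSS,
    KRB5,
    LTPA,
    "com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule",
]

def check_wss_caller_order(modules):
    """Return a list of findings; an empty list means the constraint holds.

    modules: class names in configured order (assumed copied from Set Order).
    """
    names = [m.strip() for m in modules]
    findings = []
    for required in (WSWSS, KRB5, LTPA):
        count = names.count(required)
        if count != 1:
            findings.append("%s appears %d times, expected 1" % (required, count))
    if findings:
        return findings  # positions are ambiguous, so stop here
    krb = names.index(KRB5)
    if krb < names.index(WSWSS):
        findings.append("WSKrb5LoginModule is before WSWSSLoginModule")
    if krb > names.index(LTPA):
        findings.append("WSKrb5LoginModule is after ltpaLoginModule")
    return findings

# Constructed sample: the Kerberos module sits last, i.e. it was never moved up.
NOT_REORDERED = [m for m in DOCUMENTED_ORDER if m != KRB5] + [KRB5]

if __name__ == "__main__":
    print(check_wss_caller_order(DOCUMENTED_ORDER))
    print(check_wss_caller_order(NOT_REORDERED))
```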

Last updated: April 18, 2014 05:01 AM CDT