The Kerberos configuration file contains client configuration information, including the locations of Key Distribution Centers (KDCs) for the realms of interest, defaults for the current Kerberos realm and mappings of host names onto Kerberos realms. Use the wsadmin utility to create a Kerberos configuration file for WebSphere® Application Server.
Kerberos configuration settings, the Kerberos key distribution center (KDC) name, and realm settings for both Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) web authentication and Kerberos authentication are provided in the Kerberos configuration file or through the java.security.krb5.kdc and java.security.krb5.realm Java virtual machine system properties.
To display the command's options, enter:

```
$AdminTask help createKrbConfigFile
```

Option | Description
---|---
`<krbPath>` | Required. Provides the fully qualified file system location of the Kerberos configuration (krb5.ini or krb5.conf) file.
`<realm>` | Required. Provides the Kerberos realm name. SPNEGO uses this value to form the Kerberos service principal name for each of the hosts specified with the property `com.ibm.ws.security.spnego.SPN<id>.hostName`.
`<kdcHost>` | Required. Provides the host name of the Kerberos Key Distribution Center (KDC).
`<kdcPort>` | Optional. Provides the port number of the Kerberos Key Distribution Center. If this port is omitted, the default value is 88.
`<dns>` | Required. A list of DNS domain names, separated by a pipe character, that is used to produce fully qualified host names. The first entry in the list is the default domain.
`<keytabPath>` | Required. Provides the file system location of the Kerberos keytab file, including its file name.
`<encryption>` | Optional. Identifies the list of supported encryption types, separated by a pipe character. The default value is des-cbc-md5.

Ensure that the Kerberos configuration file, the Kerberos keytab file, the Kerberos service principal name and the Kerberos client all share a common encryption type. For example, if the Kerberos client uses the RC4-HMAC encryption type, the target server must also support RC4-HMAC, and the Kerberos configuration file must list RC4-HMAC first in both default_tkt_enctypes and default_tgs_enctypes.
For example:

```
$AdminTask createKrbConfigFile {-krbPath c:/winnt/krb5.ini
  -realm WSSEC.AUSTIN.IBM.COM
  -kdcHost host1.austin.ibm.com
  -dns austin.ibm.com|raleigh.ibm.com
  -keytabPath c:/winnt/krb5.keytab}
```

This command produces the following krb5.ini file:

```ini
[libdefaults]
    default_realm = WSSEC.AUSTIN.IBM.COM
    default_keytab_name = FILE:c:\winnt\krb5.keytab
    default_tkt_enctypes = rc4-hmac des-cbc-md5
    default_tgs_enctypes = rc4-hmac des-cbc-md5
    forwardable = true
    renewable = true
    noaddresses = true
    clockskew = 300
[realms]
    WSSEC.AUSTIN.IBM.COM = {
        kdc = host1.austin.ibm.com:88
        default_domain = austin.ibm.com
    }
[domain_realm]
    .austin.ibm.com = WSSEC.AUSTIN.IBM.COM
    .raleigh.ibm.com = WSSEC.AUSTIN.IBM.COM
```
The createKrbConfigFile command creates a simple Kerberos configuration file. You can edit this file, as needed, to specify a TCP or UDP preference or when you have a cross or trusted realm environment.
To prefer TCP, add the following setting to the [libdefaults] section:

```ini
udp_preference_limit = 1
```

With this value, every request larger than one byte, in effect every KDC request, is sent over TCP first. If you do not specify this parameter, the Java Kerberos library uses the TCP protocol only if the Kerberos ticket request using the UDP protocol fails and the KDC returns the KRB_ERR_RESPONSE_TOO_BIG error code.

The [domain_realm] section maps host domains to realms:

```ini
[domain_realm]
    .austin.ibm.com = WSSEC.AUSTIN.IBM.COM
    .raleigh.ibm.com = WSSEC.AUSTIN.IBM.COM
```

All other hosts in the austin.ibm.com and raleigh.ibm.com domains map to WSSEC.AUSTIN.IBM.COM by default.
```ini
[domain_realm]
    .ibm.com = AUSTIN.IBM.COM
    ibm.com = AUSTIN.IBM.COM
    tech.ibm.com = TEST.AUSTIN.IBM.COM
    .fubar.org = FUBAR.ORG
    fubar.org = FUBAR.ORG
```

Here the host tech.ibm.com maps to the TEST.AUSTIN.IBM.COM realm, all other hosts in the ibm.com® domain map by default to the AUSTIN.IBM.COM realm, and all hosts in the fubar.org domain map by default to the FUBAR.ORG realm.

Note the entries for the hosts ibm.com and fubar.org themselves: an entry that starts with a dot matches only hosts below that domain, so without these entries those two hosts map to the realms COM and ORG, respectively.
For peer trust cross-realm authentication, see your Kerberos Administrator's and User's Guide for information about how to set up cross-realm trust on the KDC. The corresponding entries in the Kerberos configuration file look like this:

```ini
[realms]
    AUSTIN.IBM.COM = {
        kdc = kdc.austin.ibm.com:88
        default_domain = austin.ibm.com
    }
    FUBAR.ORG = {
        kdc = kdc.fubar.org:88
        default_domain = fubar.org
    }
[domain_realm]
    austin.ibm.com = AUSTIN.IBM.COM
    .austin.ibm.com = AUSTIN.IBM.COM
    fubar.org = FUBAR.ORG
    .fubar.org = FUBAR.ORG
```
In a transitive trust, two realms trust each other if they trust the intermediate realms involved in granting a ticket. If each realm involved in granting the service ticket is present in the trust path, then the ticket is trusted. See your Kerberos Administrator's and User's Guide for information about how to configure transitive trust on the KDC.
For example, given the trust chain

```
REALMA <-> REALMB <-> REALMC
```

the [capaths] section is:

```ini
[capaths]
    REALMA.AUSTIN.IBM.COM = {
        REALMB.AUSTIN.IBM.COM = .
        REALMC.AUSTIN.IBM.COM = REALMB.AUSTIN.IBM.COM
    }
    REALMB.AUSTIN.IBM.COM = {
        REALMC.AUSTIN.IBM.COM = .
        REALMA.AUSTIN.IBM.COM = .
    }
    REALMC.AUSTIN.IBM.COM = {
        REALMB.AUSTIN.IBM.COM = .
        REALMA.AUSTIN.IBM.COM = REALMB.AUSTIN.IBM.COM
    }
```
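As an added example (not part of the WebSphere documentation or the createKrbConfigFile command), the following Python resolves host-to-realm mappings and cross-realm trust paths from the [domain_realm] and [capaths] sections discussed above, so a hand-edited file can be checked before it is deployed. The sample configuration is constructed from this page's fragments, with the fubar.org host entry left out to show the upper-cased-domain fallback; parse_krb5_conf, realm_for_host and trust_path are names chosen here, and each [capaths] line is assumed to name a single intermediate realm as in the example above.

```python
# Added example, not from the WebSphere docs or product; sample constructed from this page.
SAMPLE_CONF = """
[domain_realm]
    .ibm.com = AUSTIN.IBM.COM
    ibm.com = AUSTIN.IBM.COM
    tech.ibm.com = TEST.AUSTIN.IBM.COM
    .fubar.org = FUBAR.ORG
[capaths]
    REALMA.AUSTIN.IBM.COM = {
        REALMB.AUSTIN.IBM.COM = .
        REALMC.AUSTIN.IBM.COM = REALMB.AUSTIN.IBM.COM
    }"""

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}; brace blocks nest as dicts."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        else:  # "key = value", or "key = {" opening a nested block
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf

def realm_for_host(conf, host):
    """Exact host entry, then nearest dotted parent domain, else upper-cased parent."""
    mapping, labels = conf.get("domain_realm", {}), host.lower().split(".")
    candidates = [host.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for name in candidates:
        if name in mapping:
            return mapping[name]
    return ".".join(labels[1:]).upper()  # e.g. bare fubar.org -> ORG without its own entry

def trust_path(conf, client_realm, server_realm):
    """Intermediate realms per [capaths]: [] = direct trust ('.'), None = no path or loop."""
    hops = conf.get("capaths", {}).get(client_realm, {})
    realm, path = server_realm, []
    while realm in hops and hops[realm] != "." and hops[realm] not in path:
        path.insert(0, hops[realm])
        realm = hops[realm]
    return path if realm in hops and hops[realm] == "." else None
```

Run realm_for_host over the host names your SPNs cover and trust_path for each client realm that must reach the server realm; a None result or an unexpected upper-cased fallback realm points at a missing [domain_realm] or [capaths] entry.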
The file is created so that its owner can read and write it, while members of the group that the file belongs to and all other users can only read it.

Because the Kerberos configuration file and the keytab file are selected process-wide by the JVM properties java.security.krb5.conf and KRB5_KTNAME respectively, when SPNEGO web authentication and Kerberos authentication are both enabled you must use the same Kerberos configuration and keytab files for both.