A Java client can authenticate with WebSphere® Application Server with a Kerberos principal name and password or with the Kerberos credential cache (krb5Ccache).
Procedure
- Create a Kerberos configuration file (krb5.ini or krb5.conf). Read about Creating a Kerberos configuration file for more information.
- Place the krb5.ini or krb5.conf file you have created in the default location. If the file is not in the default location, you must set com.ibm.CORBA.krb5ConfigFile in the sas.client.props file to the correct path and Kerberos configuration file name.
  On Windows, the default location is c:\winnt\krb5.ini.
  On Linux, the default location is /etc/krb5.conf.
  On AIX, HP-UX, and Solaris, the default location is /etc/krb5/krb5.conf.
  On IBM i, the default location is /QIBM/UserData/OS400/NetworkAuthentication/krb5.conf.
- In the sas.client.props file, set the com.ibm.CORBA.authenticationTarget property to KRB5. Read about configuring security with scripting for more information.
- Also in the sas.client.props file, set the com.ibm.CORBA.loginSource property to one of the supported values shown below.
  When authenticationTarget is BasicAuth, the supported loginSource values are:
  - prompt [default]
  - properties
  - stdin
  - none
  When authenticationTarget is KRB5, the supported loginSource values are:
  - prompt [default]
  - properties
  - stdin
  - none
  - krb5Ccache
  - krb5Ccache:prompt
  - krb5Ccache:properties
  - krb5Ccache:stdin
  Also consider the following:
  - krb5Ccache:prompt: Use krb5Ccache to authenticate to WebSphere Application Server first. If it fails, then it falls back to prompt.
  - krb5Ccache:properties: Use krb5Ccache to authenticate to WebSphere Application Server first. If it fails, then it falls back to properties.
  - krb5Ccache:stdin: Use krb5Ccache to authenticate to WebSphere Application Server first. If it fails, then it falls back to stdin.
- If the authenticationTarget is KRB5, the Java client application must have the wsjaas_client.conf file. If you do not use the launchClient command, then you must set the Java option as follows:
  -Djava.security.auth.login.config=wsjaas_client.conf
- If the authenticationTarget is KRB5 and loginSource is the Kerberos credential cache, do the following:
  - In the wsjaas_client.conf file, update the WSKRB5Login entry:
    WSKRB5Login{
      com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapperClient required
      credsType=INITIATOR useFirstPass=false
      forwardable=false renewable=false noAddress=false;
    };
  - If the Kerberos credential cache is not at the default location, set the com.ibm.CORBA.krb5CcacheFile property as a URL. For example:
    com.ibm.CORBA.krb5CcacheFile=FILE:/home/smith/krb5cc_smith
    The default location of the Kerberos credential cache file depends on which operating system you use. The user credential cache is searched for in the following order:
    - The file referenced by the Java property KRB5CCNAME
    - <user.home>/krb5cc_<user.name>
    - <user.home>/krb5cc (if <user.name> cannot be obtained)
    Note: When the Kerberos credential cache is used for authentication, the client Kerberos delegation ticket is not renewable.
- Optional: If an error occurs, make sure that the clocks of all WebSphere Application Server machines are in sync with the KDC machines. Validate a Kerberos principal name and password by using the kinit command. It is recommended that you use the kinit command that comes with the Java SE Development Kit (JDK) 6. Type the following to receive help for this command:
  kinit -help
  An example of the kinit command follows. In this example, a Kerberos ticket-granting ticket (TGT) is obtained for duke, and the Kerberos credential cache is stored in the default location, c:\Documents and Settings\duke\krb5cc_duke:
  kinit duke@JAVA.SUN.COM
  Note: This command usage might not work on all versions of KDCs.
  Note: Both the Kerberos principal name and the password are case-sensitive. If you are using a KDC on z/OS, you must enter the Kerberos principal name exactly as it appears in the KERB segment of the RACF user ID. Unless you have mixed-case passwords enabled for RACF, you must enter the password in all capital letters for the kinit command.
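The following is an added example, not code from the WebSphere documentation or the product. It is a small preflight check that applies the loginSource and credential-cache rules from the steps above: it verifies that the com.ibm.CORBA.loginSource value is one the documentation lists for the chosen com.ibm.CORBA.authenticationTarget, reports the fallback method for the krb5Ccache:prompt, krb5Ccache:properties and krb5Ccache:stdin forms, and resolves the credential cache file in the documented order (com.ibm.CORBA.krb5CcacheFile if set, then the KRB5CCNAME Java property, then <user.home>/krb5cc_<user.name>, then <user.home>/krb5cc). The sas.client.props contents and the system property values are constructed in the example; the class name and method names are assumptions made for the example.

```java
import java.io.File;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;

// Added example (not WebSphere documentation or product code): preflight check
// for the Kerberos-related sas.client.props settings described in the procedure.
public class SasClientPropsCheck {

    // loginSource values the documentation lists for each authenticationTarget
    static final Set<String> BASIC_AUTH_SOURCES = new HashSet<String>(Arrays.asList(
            "prompt", "properties", "stdin", "none"));
    static final Set<String> KRB5_SOURCES = new HashSet<String>(Arrays.asList(
            "prompt", "properties", "stdin", "none", "krb5Ccache",
            "krb5Ccache:prompt", "krb5Ccache:properties", "krb5Ccache:stdin"));

    /** Returns null when the target/source pair is supported, otherwise a message describing the problem. */
    static String checkLoginSource(Properties sas) {
        String target = sas.getProperty("com.ibm.CORBA.authenticationTarget", "BasicAuth");
        String source = sas.getProperty("com.ibm.CORBA.loginSource", "prompt"); // prompt is the default
        Set<String> allowed;
        if ("KRB5".equals(target)) {
            allowed = KRB5_SOURCES;
        } else if ("BasicAuth".equals(target)) {
            allowed = BASIC_AUTH_SOURCES;
        } else {
            return "unrecognized authenticationTarget: " + target;
        }
        if (!allowed.contains(source)) {
            return "loginSource " + source + " is not supported when authenticationTarget is " + target;
        }
        return null;
    }

    /** For krb5Ccache:prompt|properties|stdin, the method used when the cache login fails; null otherwise. */
    static String fallbackOf(String loginSource) {
        String prefix = "krb5Ccache:";
        return loginSource.startsWith(prefix) ? loginSource.substring(prefix.length()) : null;
    }

    /**
     * Resolves the Kerberos credential cache path in the documented order:
     * com.ibm.CORBA.krb5CcacheFile (a FILE: URL) if set, else the KRB5CCNAME Java property,
     * else <user.home>/krb5cc_<user.name>, else <user.home>/krb5cc when user.name is unavailable.
     * sysProps stands in for System.getProperties() so the lookup runs with controlled values.
     */
    static String resolveCcachePath(Properties sas, Properties sysProps) {
        String url = sas.getProperty("com.ibm.CORBA.krb5CcacheFile");
        if (url != null) {
            if (!url.startsWith("FILE:")) {
                throw new IllegalArgumentException("krb5CcacheFile must be a FILE: URL, got " + url);
            }
            return url.substring("FILE:".length());
        }
        String ccname = sysProps.getProperty("KRB5CCNAME");
        if (ccname != null) {
            return ccname;
        }
        String home = sysProps.getProperty("user.home");
        String user = sysProps.getProperty("user.name");
        if (user != null && !user.isEmpty()) {
            return home + File.separator + "krb5cc_" + user;
        }
        return home + File.separator + "krb5cc";
    }

    public static void main(String[] args) {
        // Constructed stand-in for a sas.client.props file
        Properties sas = new Properties();
        sas.setProperty("com.ibm.CORBA.authenticationTarget", "KRB5");
        sas.setProperty("com.ibm.CORBA.loginSource", "krb5Ccache:prompt");
        sas.setProperty("com.ibm.CORBA.krb5ConfigFile", "/etc/krb5.conf"); // assumed path for the example

        String problem = checkLoginSource(sas);
        System.out.println(problem == null ? "loginSource OK" : "ERROR: " + problem);
        String fallback = fallbackOf(sas.getProperty("com.ibm.CORBA.loginSource"));
        if (fallback != null) {
            System.out.println("if the credential cache login fails, the client falls back to: " + fallback);
        }

        // Constructed system properties: no krb5CcacheFile and no KRB5CCNAME, so the default
        // <user.home>/krb5cc_<user.name> location applies
        Properties sys = new Properties();
        sys.setProperty("user.home", "/home/smith");
        sys.setProperty("user.name", "smith");
        System.out.println("credential cache: " + resolveCcachePath(sas, sys));

        // A misconfiguration the check catches: a KRB5-only loginSource with BasicAuth
        Properties bad = new Properties();
        bad.setProperty("com.ibm.CORBA.authenticationTarget", "BasicAuth");
        bad.setProperty("com.ibm.CORBA.loginSource", "krb5Ccache");
        System.out.println("ERROR: " + checkLoginSource(bad));
    }
}
```

The check is deliberately strict about the FILE: prefix on com.ibm.CORBA.krb5CcacheFile, because the documentation specifies the property as a URL; a bare path would silently fail to point the client at the intended cache. Run it from the same JVM settings the client uses (java -Djava.security.auth.login.config=wsjaas_client.conf SasClientPropsCheck) so that the system properties it inspects match the client's.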