Setting up Kerberos as the authentication mechanism for WebSphere Application Server

You must complete a series of steps to set up Kerberos as the authentication mechanism for WebSphere® Application Server.

About this task

Note: The Kerberos authentication mechanism must be set up on the server side by the system administrator and on the Java client side by end users. The Kerberos keytab file must be protected.

You must first ensure that the KDC is configured. For more information, see your Kerberos Administrator and User's guide.

[z/OS] To configure a KDC on z/OS®, you must activate the APPL class in RACF®. This action has the effect of enabling the APPL class profile that is defined for WebSphere and might restrict the ability of authenticated users to access applications that run on WebSphere. If your security configuration is using an SAF profile prefix, the profile name is the SAF profile prefix. Otherwise, the profile name is CBS390. To control whether the APPL profile is checked for WebSphere authorization, you can configure the checkbox that is labeled "Use APPL profile to restrict access to the server" on the SAF authorization panel in the administrative console. This setting can be configured at a WebSphere security domain level.

Avoid trouble: When configuring the envar file for a z/OS KDC, order the encryption types from most secure to least secure for the SKDC_TKT_ENCTYPES environment variable. The z/OS KDC prefers to use the encryption types that are first in the list, from left to right.
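
The following Python check, added here and not part of the IBM documentation, flags an SKDC_TKT_ENCTYPES value whose encryption types are not ordered from most secure to least secure. The strength ranking, the function names and the sample envar contents are assumptions of this example; extend the ranking with the encryption type names that your KDC level supports.

```python
# Added example: lint SKDC_TKT_ENCTYPES ordering in a z/OS KDC envar file.
# The ranking is an assumption of this example (higher = stronger), using
# standard Kerberos encryption type names; adjust it for your KDC level.
STRENGTH = {
    "aes256-cts-hmac-sha1-96": 4,
    "aes128-cts-hmac-sha1-96": 3,
    "des3-cbc-sha1": 2,
    "des-cbc-md5": 1,
    "des-cbc-crc": 1,
}
VAR = "SKDC_TKT_ENCTYPES"


def parse_enctypes(envar_text):
    """Return the enctype list from the VAR=... line, or None if absent.

    Assumes one definition per file; if repeated, the last one is checked.
    """
    value = None
    for line in envar_text.splitlines():
        name, sep, rest = line.strip().partition("=")
        if sep and name.strip() == VAR:
            value = rest
    if value is None:
        return None
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def check_order(envar_text):
    """Return a list of findings; an empty list means the order is acceptable."""
    types = parse_enctypes(envar_text)
    if types is None:
        return [f"{VAR} is not set"]
    findings = [f"unknown encryption type: {t}" for t in types if t not in STRENGTH]
    known = [t for t in types if t in STRENGTH]
    # The KDC prefers entries from left to right, so no entry may be
    # weaker than the entry that follows it.
    for earlier, later in zip(known, known[1:]):
        if STRENGTH[earlier] < STRENGTH[later]:
            findings.append(f"{earlier} is listed before stronger {later}")
    return findings


# Constructed sample envar contents (not taken from a real system).
WEAK_FIRST = "SKDC_TKT_ENCTYPES=des-cbc-crc,des3-cbc-sha1,aes256-cts-hmac-sha1-96\n"
STRONG_FIRST = "SKDC_TKT_ENCTYPES=aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,des3-cbc-sha1\n"

if __name__ == "__main__":
    for label, text in (("weak first", WEAK_FIRST), ("strong first", STRONG_FIRST)):
        print(label, "->", check_order(text) or "OK")
```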

You must perform the following steps to set up Kerberos as the authentication mechanism for WebSphere Application Server.

Procedure

  1. Create a Kerberos service principal name and keytab file
  2. Create a Kerberos configuration file
  3. Configure Kerberos as the authentication mechanism for WebSphere Application Server by using the administrative console
  4. Map a client Kerberos principal name to the WebSphere user registry ID
  5. Set up Kerberos as the authentication mechanism for the pure Java client (optional)

Last updated: April 20, 2014 08:46 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-nd-mp&topic=tsec_kerb_setup
File name: tsec_kerb_setup.html