Generation of SPNEGO tokens for outbound JAX-WS requests using Client Policy Set Bindings
JAX-WS clients can authenticate using a number of different HTTP transport authentication mechanisms.
In addition to authenticating to service provider applications via WS-Security authentication, JAX-WS clients can authenticate using a number of HTTP transport authentication mechanisms, including the following:
- Basic Authentication using properties in the HTTP transport bindings.
- SSL/TLS Client authentication using SSL transport bindings.
- SPNEGO authentication using custom properties in the HTTP transport bindings.
There are 5 different variations for obtaining the Kerberos credentials that are used for the outbound SPNEGO token:
- A token requested using Windows Native credentials. When the WebSphere® Java™ process is running on a Windows system under a userid that has Kerberos credentials, the Windows OS maintains a Kerberos Ticket Granting Ticket (TGT) for that user. The JAX-WS client runtime uses that TGT to request a SPNEGO token for the ServicePrincipalName (SPN) of the target service system.
- A token requested using cached Kerberos credentials. On a system where a user has logged in, typically using tools such as the Java kinit tool, the user's Kerberos credentials are stored in a cache file named krb5cc_<userid>. Alternatively, a keytab file that contains a user's key can be created by using a number of tools such as the Microsoft ktpass tool or the Java ktab tool. These files contain a copy of the user's Kerberos key that can be used to get a Ticket Granting Ticket (TGT) for that userid. The JAX-WS client runtime uses that TGT to request a SPNEGO token for the ServicePrincipalName (SPN) of the target service system. The WebSphere process must be configured to use either the krb5cc_<userid> or the keytab file. The UserPrincipalName (UPN) for the cached credential within the file must also be provided.
- A token requested using a Kerberos credential with a userid and password. In this scenario, the JAX-WS client runtime connects to the Kerberos Key Distribution Center with the supplied userid and password to get a Ticket Granting Ticket (TGT), and then requests the SPNEGO token with that TGT. The JAX-WS client runtime requires the ServicePrincipalName (SPN) for the target service system, and the userid and password.
- A token requested using a Kerberos credential that exists within a Java Subject. The Subject can obtain a Kerberos credential in one of the following ways:
  - The user is logged into a web application using inbound SPNEGO web authentication. Only SPNEGO web authentication needs to be configured and enabled in the WebSphere Application Server for this option. The Kerberos userid that is associated with the inbound SPNEGO service must be enabled for full Kerberos delegation.
  - A JAX-WS web service request was received containing a WS-Security Kerberos token. The Kerberos userid that is associated with the inbound web service request must be enabled for full Kerberos delegation.
  - The user is logged in with a userid and password, and the WebSphere Application Server is configured for LTPA and Kerberos authentication.
  - A JAX-WS web service request was received containing a user name token with a password, and the WebSphere Application Server is configured for LTPA and Kerberos authentication.
All 5 of the previous variations that can be used for obtaining the Kerberos credentials for the outbound SPNEGO token require custom properties to be defined on the HTTP bindings in the client policy set bindings.
| Property Name | Value | Comments |
|---|---|---|
| com.ibm.websphere.webservices.spnego.enabled | Boolean | Must be set to true to enable any of the SPNEGO authentication options in the JAX-WS client binding runtime. |
| com.ibm.websphere.webservices.spnegoOutboundSPN | String | Must be set to the Service Principal Name for the Web Service provider. |
| com.ibm.websphere.webservices.spnegoLoginMechanism | String | Must be one of GSSUP, native, caller, or keytab. |
| com.ibm.websphere.webservices.JAASConfigName | String | When spnegoLoginMechanism is set to keytab, this property must be set to the JAAS Login Configuration that identifies the keytab file to be used. |
| com.ibm.websphere.webservices.spnegoUPN | String | When spnegoLoginMechanism is set to keytab, this property must be set to the User Principal Name of the key within the keytab to be used. |
| com.ibm.websphere.webservices.spnegoOutboundLifeTime | Integer | If not specified, the SPNEGO token is requested for an infinite lifetime. |
| com.ibm.websphere.webservices.spnegoOutboundDelegate | Boolean | If set to true, and the web service SPN account is enabled for delegation, then the SPNEGO token sent to the web service can be delegated. |
When the spnegoLoginMechanism property is set to GSSUP, the userid and password are obtained from the basic authentication for outbound service requests properties.
When the spnegoLoginMechanism property is set to caller, the Kerberos credential is obtained from the Caller Subject.
When the spnegoLoginMechanism property is set to Native, the Kerberos credential is obtained from the Windows operating system.
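As an added example that is not part of the original documentation, a small Python check that applies the rules from the table above to the custom properties of a client policy set binding before it is deployed; the SPN, JAAS configuration name and sample values are constructed placeholders, and case-insensitive matching of the mechanism name is an assumption of the check:

```python
# Added example (not IBM code): lint the HTTP transport custom properties of a client
# policy set binding against the rules in the table above before deploying it.
PREFIX = "com.ibm.websphere.webservices."
MECHANISMS = ("gssup", "native", "caller", "keytab")

def validate_spnego_properties(props):
    """Return the list of problems found; an empty list means the set is consistent."""
    problems = []
    if props.get(PREFIX + "spnego.enabled", "").strip().lower() != "true":
        # nothing else is used by the runtime until SPNEGO is switched on
        return ["spnego.enabled must be true to enable outbound SPNEGO"]
    if not props.get(PREFIX + "spnegoOutboundSPN", "").strip():
        problems.append("spnegoOutboundSPN (SPN of the target service) is required")
    # the page lists the mechanisms as GSSUP, native, caller, keytab; matching them
    # case-insensitively here is an assumption, not documented behaviour
    mech = props.get(PREFIX + "spnegoLoginMechanism", "").strip().lower()
    if mech not in MECHANISMS:
        problems.append("spnegoLoginMechanism must be one of GSSUP, native, caller, keytab")
    elif mech == "keytab":
        # keytab needs the JAAS config naming the file and the UPN of the key inside it
        for key in ("JAASConfigName", "spnegoUPN"):
            if not props.get(PREFIX + key, "").strip():
                problems.append(key + " is required when spnegoLoginMechanism is keytab")
    lifetime = props.get(PREFIX + "spnegoOutboundLifeTime")
    if lifetime is not None and not lifetime.strip().isdigit():
        problems.append("spnegoOutboundLifeTime must be an integer")
    delegate = props.get(PREFIX + "spnegoOutboundDelegate")
    if delegate is not None and delegate.strip().lower() not in ("true", "false"):
        problems.append("spnegoOutboundDelegate must be true or false")
    return problems

# Constructed sample: a keytab binding that forgot the UPN (SPN and JAAS name are placeholders)
SAMPLE_BINDING = {
    PREFIX + "spnego.enabled": "true",
    PREFIX + "spnegoOutboundSPN": "HTTP/service.example.com@EXAMPLE.COM",
    PREFIX + "spnegoLoginMechanism": "keytab",
    PREFIX + "JAASConfigName": "KeytabLogin",
}

if __name__ == "__main__":
    for problem in validate_spnego_properties(SAMPLE_BINDING):
        print("PROBLEM:", problem)
```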
- Notes for Native credentials
  - The Microsoft Kerberos Logon Session credentials cache (MSLSA) relies on the ability to extract the entire Kerberos ticket, including the session key, from the Kerberos Logon Session credentials cache (LSA). In an attempt to increase security, Microsoft has implemented a feature by which they no longer export the session keys for Ticket Granting Tickets, which can make them useless to the IBM® JGSS when attempts are made to request more service tickets. This feature has been seen in Windows 2003 Server and later systems. Microsoft has provided the following registry key to disable this feature:
    `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters`, value `AllowTGTSessionKey = 0x01 (DWORD)`
- Requirements in the Kerberos configuration file
  - The Kerberos configuration file must be correctly configured regardless of the approach.
  - How the WebSphere process reaches the Key Distribution Center (KDC) must be properly configured via the [realms] and [domain_realm] stanzas.
  - The [libdefaults] stanza must specify the encryption types to be used via the default_tkt_enctypes and default_tgs_enctypes values.
  - The [libdefaults] stanza must include the following:
    - forwardable = true
    - renewable = true
    - noaddresses = true
  - The [libdefaults] stanza must define a reasonable clockskew value.
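An added example, not from the original documentation, that checks a krb5.conf against the requirements in this list; the sample configuration, realm and KDC names are constructed placeholders, and the 300-second upper bound used for a "reasonable" clockskew is an assumption of the check:

```python
# Added example (not IBM code): check a krb5.conf against the requirements listed above.
# The sample file is constructed; the realm and KDC names are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_tkt_enctypes = aes256-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96
    forwardable = true
    renewable = true
    noaddresses = true
    clockskew = 300
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com:88
    }
[domain_realm]
    .example.com = EXAMPLE.COM
"""

def parse_krb5_conf(text):
    """Minimal parser: {stanza: {key: value}}; realm sub-blocks are flattened into [realms]."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; "}" lines carry no "=" and are skipped
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            stanzas[current][key] = value.rstrip("{").strip()
    return stanzas

def check_krb5_conf(text):
    """Return the requirements from the list above that the file does not meet."""
    conf = parse_krb5_conf(text)
    lib = conf.get("libdefaults", {})
    failures = []
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        if not lib.get(key):
            failures.append("[libdefaults] must set " + key)
    for key in ("forwardable", "renewable", "noaddresses"):
        if lib.get(key, "").lower() != "true":
            failures.append("[libdefaults] must set %s = true" % key)
    skew = lib.get("clockskew", "")
    if not skew.isdigit() or not 0 < int(skew) <= 300:  # 300 s cap is an assumption
        failures.append("[libdefaults] clockskew must be a small positive number of seconds")
    if "kdc" not in conf.get("realms", {}):
        failures.append("[realms] must name a kdc so the process can reach the KDC")
    if not conf.get("domain_realm"):
        failures.append("[domain_realm] must map host domains to a realm")
    return failures
```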