+

Search Tips   |   Advanced Search

Kerberos authentication commands


Use wsadmin commands to create, modify or delete Kerberos as the authentication mechanism for WAS.

 

Create Kerberos authentication mechanism

The following items are required before you attempt to use the createKrbAuthMechanism command to create the KRB5 authentication mechanism security object field in the security configuration file:

Use the createKrbAuthMechanism command to create the KRB5 authentication mechanism security object field in the security configuration file.

At the wsadmin prompt...

$AdminTask help createKrbAuthMechanism You can use the following parameters with the createKrbAuthMechanism command:


Table 1. Command parameters

Option Description
<krb5Realm> This parameter is optional. It indicates the Kerberos realm name. If we do not specify this parameter, the default Kerberos realm in the Kerberos configuration file is used.
<krb5Config> Required. It indicates the directory location and file name of the configuration (krb5.ini or krb5.conf) file.
<krb5Keytab> This parameter is optional. It indicates the directory location and file name of the Kerberos keytab file. If we do not specify this parameter, the default keytab in the Kerberos configuration file is used.
<serviceName> Required. It indicates the Kerberos service name. The default Kerberos service name is WAS.
<trimUserName> This parameter is optional. It removes the suffix of the principal user name, starting from the “@” that precedes the Kerberos realm name. This parameter is optional. The default value is true.
<enabledGssCredDelegate> Optional. Use to indicate whether to extract and place the client GSS delegation credential in the subject. The default value is true.
<allowKrbAuthForCsiInbound> This parameter is optional. It enables Kerberos authentication mechanism for Common Secure Interoperability (CSI) inbound. The default value is true.
<allowKrbAuthForCsiOutbound> Required. It enables Kerberos authentication mechanism for CSI outbound. The default value is true.

The Kerberos configuration file name and Kerberos keytab filename path do not have to be absolute paths. Use WebSphere variables for the paths instead. If we have a mixed platform environment, we can use a variable ${CONF_OR_INI} for the Kerberos configuration file. Security configuration will expand it to “ini” for Windows or “conf” for non-Windows platforms For example:

${WAS_INSTALL_ROOT}\etc\krb5\krb5.${CFG_OR_INI

The following is an example of the createKrbAuthMechanism command:

wsadmin>$AdminTask createKrbAuthMechanism { 
    -krb5Realm  WSSEC.AUSTIN.IBM.COM 
    -krb5Config C:\\WINNT\\krb5.ini 
    -krb5Keytab C:\\WINNT\\krb5.keytab 
    -serviceName WAS }

 

Modify Kerberos authentication mechanism

Use the modifyKrbAuthMechanism command to make changes to the KRB5 authentication mechanism security object field in the security configuration file.

At the wsadmin prompt...

wsadmin>$AdminTask help modifyKrbAuthMechanism You can use the following parameters with the modifyKrbAuthMechanism command:


Table 2. Command parameters

Option Description
<krb5Realm> This parameter is optional. It indicates the Kerberos realm name. If we do not specify this parameter, the default Kerberos realm in the Kerberos configuration file is used.
<krb5Config> Required. It indicates the directory location and file name of the configuration (krb5.ini or krb5.conf) file.
<krb5Keytab> This parameter is optional. It indicates the directory location and file name of the Kerberos keytab file. If we do not specify this parameter, the default keytab in the Kerberos configuration file is used.
<serviceName> Required. It indicates the Kerberos service name. The default Kerberos service name is WAS.
<trimUserName> This parameter is optional. It removes the suffix of the principal user name, starting from the “@” that precedes the Kerberos realm name. This parameter is optional. The default value is true.
<enabledGssCredDelegate> Optional. Use to indicate whether to extract and place the client Kerberos and GSS delegation credential in the Kerberos authentication token (KRBAuthnToken). The default value is true.

If this parameter is true, and the runtime cannot extract the Kerberos GSS delegation credential, the runtime logs a warning message.

<allowKrbAuthForCsiInbound> This parameter is optional. It enables Kerberos authentication mechanism for Common Secure Interoperability (CSI) inbound. The default value is true.
<allowKrbAuthForCsiOutbound> This parameter is optional. It enables Kerberos authentication mechanism for CSI outbound. The default value is true.

The Kerberos configuration file name and Kerberos keytab filename path do not have to be absolute paths. Use WebSphere variables for the paths instead. If we have a mixed platform environment, we can use a variable ${CONF_OR_INI} for the Kerberos configuration file. Security configuration will expand it to “ini” for Windows or “conf” for non-Windows platforms For example:

${WAS_INSTALL_ROOT}\etc\krb5\krb5.${CFG_OR_INI

The following is an example of the modifyKrbAuthMechanism command:

wsadmin>$AdminTask modifyKrbAuthMechanism {
      -krb5Realm  WSSEC.AUSTIN.IBM.COM 
      -krb5Config C:\\WINNT\\krb5.ini 
      -krb5Keytab C:\\WINNT\\krb5.keytab 
      -serviceName WAS }

 

Delete Kerberos authentication mechanism

Use the deleteKrbAuthMechanism command to remove the KRB5 authentication mechanism security object field in the security configuration file.

At the wsadmin prompt...

wsadmin>$AdminTask help deleteKrbAuthMechanism

The following is an example of the deleteKrbAuthMechanism command:

  wsadmin>$AdminTask deleteKrbAuthMechanism

 

Set active authentication mechanism

Use the setActiveAuthMechanism command to set the active authentication mechanism attribute in the security configuration.

At the wsadmin prompt...

wsadmin>$AdminTask help setActiveAuthMechanism You can use the following parameter with the setActiveAuthMechanism command:


Table 3. Command parameters

Option Description
<authMechanismType> Optional. It indicates the authentication mechanism type. The default is KRB5.

The following is an example of the setActiveAuthMechanism command:

wsadmin> $AdminTask setActiveAuthMechanism {-authMechanismType KRB5 }




 

Related tasks


Create a Kerberos configuration file
Create a Kerberos service principal and keytab file
Set inbound messages
Set outbound messages
Set security with scripting