WebSphere Application Server Network Deployment (Distributed operating systems), v8.0


Configure the bindings for message protection for Kerberos

To set up bindings for message protection with JAX-WS applications, create a custom binding. Complete this task to set the bindings for a Kerberos token as defined in the OASIS Web Services Security Kerberos Token Profile v1.1.

Before you begin, configure Kerberos for WebSphere Application Server (see Kerberos (KRB5) authentication mechanism support for security) and configure the Kerberos token policy set for JAX-WS applications (see Configuring the Kerberos token policy set for JAX-WS applications).

This task builds on the existing policy set and bindings framework for JAX-WS applications.

You can configure a symmetric protection token, an authentication token, or both. A symmetric protection token lets the Kerberos session key carried in the token protect (sign and encrypt) the message; an authentication token only asserts the client identity. The two configurations use similar data, and you do not need to configure an authentication token if you use a Kerberos symmetric protection token. For whichever token type you use, configure both the token generator (client side) and the token consumer (service side) as described in the procedure that follows.

Use the administrative console to configure the application-specific bindings to use a Kerberos token in web services message protection.


Procedure

  1. Expand Applications > Application Types.

  2. Click WebSphere enterprise applications > application name .

  3. From the Web Services Properties heading, click Service provider policy sets and bindings to configure the service bindings, or click Service client policy sets and bindings to configure the client bindings.

  4. Select the resource to attach to the Kerberos token policy set and select Attach Policy Set > policy set name. To configure the Kerberos token policy set, see Configure the Kerberos token policy set for JAX-WS applications.

  5. Click Assign bindings and select the application-specific binding or select New Application Specific Binding to create a new binding.

    To create a new binding, complete the following actions.

    1. Enter a name for the new binding in the Binding configuration name field and optionally enter a description for the binding in the Description field.

    2. Click Add and select WS-Security to add the WS-Security policy type to the new binding.

    3. Click Authentication and protection > New.

    4. Optional: Define a symmetric protection token for the token generator.

      If you configure a symmetric protection token for the token generator, define a complementary symmetric protection token for the token consumer.

      1. From the Protection tokens heading, click New and select Token Generator.

      2. Specify the name of the protection token in the Name field.

      3. Select Custom from the values in the Token type menu list.

      4. Specify the local name in the Local name field.

        For interoperability with other web services technologies, specify the following local name: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ. If you are not concerned with interoperability issues, you can specify one of the following local names:

        • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ
        • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510
        • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
        • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ4120
        • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120

        For a Custom token type, the local name is the ValueType URI that is placed on the wsse:BinarySecurityToken carrying the Kerberos token. The GSS_ names indicate that the AP_REQ is wrapped in a GSS-API Kerberos V5 mechanism token (RFC 1964 / RFC 4121 framing); the names without the prefix carry the bare AP_REQ. The 1510 and 4120 suffixes pin the Kerberos specification level (RFC 1510 or RFC 4120) of the token that the Key Distribution Center (KDC) generates. Generator and consumer must agree on the same value. For more information about when to use these values, see Protection token settings (generator or consumer).

      5. Do not specify a value for the Namespace URI field.

      6. Select the wss.generate.KRB5BST value from the JAAS login menu list.

        If you have previously defined your own JAAS login module, you can select that login module to handle the Kerberos custom token.

        To define a custom JAAS login module, click New Application Login > New, specify an alias for the new module, and click Apply. See Login module settings for JAAS.

        Attention: Although the "Login module settings for JAAS" topic refers to application server security rather than Web Services Security, the login module configuration for Web Services Security is identical.

      7. Specify the token generator custom properties for the target service name, host, and realm.

        The target service name and host values together form the Service Principal Name (SPN) of the target Kerberos service, in the form service/host@REALM; for example, a target service name of HTTP and a host of myhost.mycompany.com yields HTTP/myhost.mycompany.com in the target realm. The Kerberos client requests the initial Kerberos AP_REQ token for this SPN, so it must match the SPN registered for the service in the KDC exactly. Specify the following custom properties.

        Target service custom properties. Use these properties to specify the token generator information.

          Name                                                    Value                                                          Type
          com.ibm.wsspi.wssecurity.krbtoken.targetServiceName     The name of the target service.                                Required
          com.ibm.wsspi.wssecurity.krbtoken.targetServiceHost     The host name associated with the target service, in the       Required
                                                                  form myhost.mycompany.com.
          com.ibm.wsspi.wssecurity.krbtoken.targetServiceRealm    The name of the realm associated with the target service.      Optional*

        * If targetServiceRealm is not specified, the default realm name from the Kerberos configuration file is used. To use Kerberos token security in a cross-realm or trusted-realm environment, provide a value for targetServiceRealm.

        To specify multiple custom property name and value pairs, click New.

      8. Click Apply.

      9. From the Additional bindings heading, click Callback handler.

      10. From the Class Name heading, select the Use custom option and specify com.ibm.websphere.wssecurity.callbackhandler.KRBTokenGenerateCallbackHandler in the associated field.

      11. From the Basic Authentication heading, specify the appropriate values for the User name, Password, and Confirm password fields.

        The user name is the Kerberos client principal (for example, kerberosuser) and is the default user ID that is passed to the constructor of the callback handler; the password is that principal's Kerberos password.

      12. Specify the token generator custom properties that control how the Kerberos login is initiated for the client principal.

        These custom properties control whether a login prompt is used and establish the token from the credential cache. Specify the following custom properties.

        Kerberos login custom properties. Use this property to specify the token generator information.

          Name                                              Value                                                                  Type
          com.ibm.wsspi.wssecurity.krbtoken.loginPrompt     Set to true to enable the Kerberos login prompt. The default is false. Optional

        To specify multiple custom property name and value pairs, click New.

      13. Click Apply and OK.

      When you return to the Authentication and protection panel in the next step, a new protection token is defined for the token generator.

      To edit the configuration for this new token, click its name on the panel.

    5. Optional: Return to the Authentication and protection panel to define a symmetric protection token for the token consumer.

      To return to the Authentication and protection panel, click the Authentication and protection link after the messages section of the panel.

      If you configure a symmetric protection token for the token consumer, ensure that you have previously defined a complementary symmetric protection token for the token generator.

      1. From the Protection tokens heading, click New and select Token Consumer.

      2. Specify the name of the protection token in the Name field.

      3. Select Custom from the values in the Token type menu list.

      4. Specify the local name in the Local name field.

        For interoperability with other web services technologies, specify the following local name: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ. If you are not concerned with interoperability issues, you can specify one of the following local names:

        • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ
        • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510
        • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
        • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ4120
        • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120

        These alternative values depend on the specification level for the Kerberos token that is generated by the Key Distribution Center (KDC). For more information about when to use these values, see Protection token settings (generator or consumer).

      5. Do not specify a value for the Namespace URI field.

      6. Select the wss.consume.KRB5BST value from the JAAS login drop-down menu.

        If you have previously defined your own JAAS login module, you can select that login module to handle the Kerberos custom token.

        To define a custom JAAS login module, click New Application Login > New, specify an alias for the new module, and click Apply. See Login module settings for JAAS.

        Attention: Although the "Login module settings for JAAS" topic refers to application server security rather than Web Services Security, the login module configuration for Web Services Security is identical.

      7. Click Apply.

      8. From the Additional bindings heading, click Callback handler.

      9. From the Class Name heading, select the Use custom option and specify com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler in the associated field.

      10. Click Apply and OK.

      When you return to the Authentication and protection panel in the next step, you will see a new protection token defined for the token consumer.

      To edit the configuration for this new token, click its name on the panel.

    6. Optional: Return to the Authentication and protection panel to define an authentication token configuration for the token generator.

      To return to the Authentication and protection panel, click the Authentication and protection link after the messages section of the panel.

      Authentication tokens are sent in messages to prove or assert an identity.

      If you configure an authentication token for the token generator, define a complementary authentication token for the token consumer.

      1. From the Authentication tokens heading, click New and select Token Generator.

      2. Specify the name of the authentication token in the Name field.

      3. Select Custom from the values in the Token type menu list.

      4. Specify the local name in the Local name field.

        For interoperability with other web services technologies, specify the following local name: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ. If you are not concerned with interoperability issues, you can specify one of the following local names:

        • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ
        • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510
        • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
        • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ4120
        • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120

        These alternative values depend on the specification level for the Kerberos token that is generated by the Key Distribution Center (KDC). For more information about when to use these values, see Authentication generator or consumer token settings.

      5. Do not specify a value for the Namespace URI field.

      6. Select the wss.generate.KRB5BST value from the JAAS login menu list.

        If you have previously defined your own JAAS login module, you can select that login module to handle the Kerberos custom token.

        To define a custom JAAS login module, click New Application Login > New, specify an alias for the new module, and click Apply. See Login module settings for JAAS.

        Attention: Although the "Login module settings for JAAS" topic refers to application server security rather than Web Services Security, the login module configuration for Web Services Security is identical.

      7. Specify the token generator custom properties for the target service name, host, and realm.

        The target service name and host values together form the Service Principal Name (SPN) of the target Kerberos service, in the form service/host@REALM. The Kerberos client requests the initial Kerberos AP_REQ token for this SPN, so it must match the SPN registered for the service in the KDC. Specify the following custom properties.

        Target service custom properties. Use these custom properties to specify the token generator information.

          Name                                                    Value                                                          Type
          com.ibm.wsspi.wssecurity.krbtoken.targetServiceName     The name of the target service.                                Required
          com.ibm.wsspi.wssecurity.krbtoken.targetServiceHost     The host name associated with the target service, in the       Required
                                                                  form myhost.mycompany.com.
          com.ibm.wsspi.wssecurity.krbtoken.targetServiceRealm    The name of the realm associated with the target service.      Optional*

        * If targetServiceRealm is not specified, the default realm name from the Kerberos configuration file is used. In a cross-realm or trusted-realm environment, provide a value for targetServiceRealm.

        To specify multiple custom property name and value pairs, click New.

      8. Click Apply.

      9. From the Additional bindings heading, click Callback handler.

      10. From the Class Name heading, select the Use custom option and specify com.ibm.websphere.wssecurity.callbackhandler.KRBTokenGenerateCallbackHandler in the associated field.

      11. From the Basic Authentication heading, specify the appropriate values for the User name, Password, and Confirm password fields.

        The user name is the Kerberos client principal (for example, kerberosuser) and is the default user ID that is passed to the constructor of the callback handler; the password is that principal's Kerberos password.

      12. Specify the token generator custom properties that control how the Kerberos login is initiated for the client principal.

        These custom properties control whether a login prompt is used and establish the token from the credential cache. Specify the following custom property name and value pairs.

        Kerberos login custom properties. Use these custom properties to specify the token generator information.

          Name                                              Value                                                                  Type
          com.ibm.wsspi.wssecurity.krbtoken.loginPrompt     Set to true to enable the Kerberos login prompt. The default is false. Optional
          com.ibm.wsspi.wssecurity.krbtoken.clientRealm     The name of the Kerberos realm associated with the client.             Optional*

        * The clientRealm property is optional in a single Kerberos realm environment. When implementing Web Services Security in a cross-realm or trusted-realm environment, provide a value for clientRealm.

        If an application generates or consumes a Kerberos V5 AP_REQ token for each web services request message, set the com.ibm.wsspi.wssecurity.kerberos.attach.apreq custom property to true in both the token generator and the token consumer bindings for the application.

        To specify multiple custom property name and value pairs, click New.

      13. Click Apply and OK.

      When you return to the Authentication and protection panel in the next step, a new authentication token is defined for the token generator.

      To edit the configuration for this new token, click its name on the panel.

    7. Optional: Return to the Authentication and protection panel to define an authentication token configuration for the token consumer.

      To return to the Authentication and protection panel, click the Authentication and protection link after the messages section of the panel.

      If you configure an authentication token for the token consumer, ensure that you have previously defined a complementary authentication token for the token generator.

      1. From the Authentication tokens heading, click New and select Token Consumer.

      2. Specify the name of the authentication token in the Name field.

      3. Select Custom from the values in the Token type menu list.

      4. Specify the local name in the Local name field.

        For interoperability with other web services technologies, specify the following local name: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ. If you are not concerned with interoperability issues, you can specify one of the following local names:

        • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ
        • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510
        • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
        • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ4120
        • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120

        These alternative values depend on the specification level for the Kerberos token that is generated by the Key Distribution Center (KDC), and the consumer value must match the value configured for the generator. For the conditions under which to use these values, see the related "Authentication generator or consumer token settings" topic.

      5. Do not specify a value for the Namespace URI field.

      6. Select the wss.consume.KRB5BST value from the JAAS login drop-down menu.

        If you have previously defined your own JAAS login module, you can select that login module to handle the Kerberos custom token.

        To define a custom JAAS login module, click New Application Login > New, specify an alias for the new module, and click Apply. See Login module settings for JAAS.

        Attention: Although the "Login module settings for JAAS" topic refers to application server security rather than Web Services Security, the login module configuration for Web Services Security is identical.

      7. Click Apply.

      8. From the Additional bindings heading, click Callback handler.

      9. From the Class Name heading, select the Use custom option and specify com.ibm.websphere.wssecurity.callbackhandler.KRBTokenConsumeCallbackHandler in the associated field.

      10. Click Apply and OK.

      When you return to the Authentication and protection panel in the next step, a new authentication token is defined for the token consumer.

      To edit the configuration for this new token, click its name on the panel.
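The procedure above configures everything through the administrative console, so it is easy to lose sight of what the settings become on the wire. The following is an added example, not IBM code and not part of the original topic: it assembles the SPN from the targetService* custom properties (with the default-realm fallback described above), emits the Kerberos token as a wsse:BinarySecurityToken whose ValueType is the local name chosen for the Custom token type, and performs the consumer-side check that the token bytes are framed the way that ValueType claims (GSS_ names carry a GSS-API InitialContextToken wrapping the AP_REQ; the other names carry the bare AP_REQ). The AP_REQ is a constructed DER shell with placeholder ticket and authenticator fields; in the real binding the token comes from the wss.generate.KRB5BST JAAS login against the KDC. The service name HTTP and the realm names are assumptions for the demonstration.

```python
"""Constructed example: Kerberos BinarySecurityToken generation and consumer-side checks."""
import base64
import xml.etree.ElementTree as ET

WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
KTP = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#"
INTEROP_VALUE_TYPE = KTP + "GSS_Kerberosv5_AP_REQ"
KTP_VALUE_TYPES = {KTP + n for n in (
    "GSS_Kerberosv5_AP_REQ", "Kerberosv5_AP_REQ", "Kerberosv5_AP_REQ1510",
    "GSS_Kerberosv5_AP_REQ1510", "Kerberosv5_AP_REQ4120", "GSS_Kerberosv5_AP_REQ4120")}
KRB5_MECH_OID = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2
TOK_ID_AP_REQ = b"\x01\x00"                                # RFC 1964 TOK_ID for KRB_AP_REQ
PFX = "com.ibm.wsspi.wssecurity.krbtoken."                 # binding custom property prefix
ET.register_namespace("wsse", WSSE_NS)
ET.register_namespace("wsu", WSU_NS)


def build_spn(props, default_realm):
    """SPN = targetServiceName/targetServiceHost@realm; realm falls back to the krb5 default."""
    host = props[PFX + "targetServiceHost"]
    if host != host.lower() or "." not in host or host.endswith("."):
        raise ValueError("targetServiceHost must be a lower-case FQDN such as myhost.mycompany.com")
    realm = props.get(PFX + "targetServiceRealm") or default_realm
    return f"{props[PFX + 'targetServiceName']}/{host}@{realm}"


def der(tag, content):
    """Minimal DER TLV encoder (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + content


def der_read(buf):
    """Decode one TLV; return (tag, content, remaining bytes)."""
    tag, n, i = buf[0], buf[1], 2
    if n & 0x80:
        nb = n & 0x7F
        n, i = int.from_bytes(buf[2:2 + nb], "big"), 2 + nb
    return tag, buf[i:i + n], buf[i + n:]


def synthetic_ap_req():
    """Constructed AP-REQ ::= [APPLICATION 14] SEQUENCE { pvno [0] 5, msg-type [1] 14, ... }."""
    body = (der(0xA0, der(0x02, b"\x05"))                    # pvno
            + der(0xA1, der(0x02, b"\x0E"))                  # msg-type = KRB_AP_REQ
            + der(0xA2, der(0x03, b"\x00\x00\x00\x00\x00"))  # ap-options, no bits set
            + der(0xA3, der(0x61, b""))                      # ticket: placeholder [APPLICATION 1]
            + der(0xA4, der(0x30, b"")))                     # authenticator: placeholder
    return der(0x6E, der(0x30, body))


def gss_frame(ap_req):
    """InitialContextToken ::= [APPLICATION 0] { mech OID, TOK_ID, AP-REQ } (RFC 1964 sec. 1.1)."""
    return der(0x60, KRB5_MECH_OID + TOK_ID_AP_REQ + ap_req)


def generate_bst(token_bytes, value_type, wsu_id="KerberosToken"):
    """Generator side: wrap the token in wsse:BinarySecurityToken with the configured local name."""
    el = ET.Element(f"{{{WSSE_NS}}}BinarySecurityToken",
                    {"ValueType": value_type, "EncodingType": B64, f"{{{WSU_NS}}}Id": wsu_id})
    el.text = base64.b64encode(token_bytes).decode("ascii")
    return ET.tostring(el, encoding="unicode")


def consume_bst(xml_text, allowed_value_types=frozenset({INTEROP_VALUE_TYPE})):
    """Consumer side: enforce the configured ValueType, then check the token framing matches it."""
    el = ET.fromstring(xml_text)
    if el.tag != f"{{{WSSE_NS}}}BinarySecurityToken":
        raise ValueError("not a wsse:BinarySecurityToken")
    value_type = el.get("ValueType")
    if value_type not in allowed_value_types or value_type not in KTP_VALUE_TYPES:
        raise ValueError(f"ValueType not accepted by this binding: {value_type}")
    if el.get("EncodingType") != B64:
        raise ValueError("EncodingType must be Base64Binary")
    raw = base64.b64decode(el.text or "", validate=True)
    if len(raw) < 2:
        raise ValueError("empty token")
    gss = value_type.startswith(KTP + "GSS_")
    if gss:  # GSS_* local names promise GSS-API framing around the AP-REQ
        tag, inner, rest = der_read(raw)
        if tag != 0x60 or rest or not inner.startswith(KRB5_MECH_OID):
            raise ValueError("expected a GSS-API Kerberos V5 InitialContextToken")
        inner = inner[len(KRB5_MECH_OID):]
        if inner[:2] != TOK_ID_AP_REQ:
            raise ValueError("GSS TOK_ID is not KRB_AP_REQ")
        raw = inner[2:]
    tag, seq, rest = der_read(raw)
    if tag != 0x6E or rest:
        raise ValueError("expected a bare Kerberos AP-REQ ([APPLICATION 14])")
    _, fields, _ = der_read(seq)
    _, pvno_tlv, fields = der_read(fields)
    _, msg_type_tlv, _ = der_read(fields)
    pvno = int.from_bytes(der_read(pvno_tlv)[1], "big")
    msg_type = int.from_bytes(der_read(msg_type_tlv)[1], "big")
    if (pvno, msg_type) != (5, 14):
        raise ValueError(f"not a Kerberos V5 AP-REQ (pvno={pvno}, msg-type={msg_type})")
    return {"value_type": value_type, "gss_framed": gss, "ap_req_len": len(raw)}


if __name__ == "__main__":
    props = {PFX + "targetServiceName": "HTTP", PFX + "targetServiceHost": "myhost.mycompany.com"}
    print(build_spn(props, "MYCOMPANY.COM"))
    print(consume_bst(generate_bst(gss_frame(synthetic_ap_req()), INTEROP_VALUE_TYPE)))
```

The consumer deliberately rejects two things the console cannot check for you: a ValueType other than the one the binding was configured with, and a token whose bytes do not match the framing that its ValueType announces (a bare AP_REQ sent under a GSS_ name, or vice versa). Both are exactly the mismatches that surface as interoperability failures when the generator and consumer sides pick different local names from the list above.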


What to do next

You can optionally define key bindings for the request message protection and response message protection. If you choose to derive a key from the Kerberos token, configure the derived key information when you configure the key information for signature and encryption.

Return to the steps in the Configuring the Kerberos token for Web Services Security topic to ensure that you have completed the steps for configuring the Kerberos token.


Related

General JAX-WS default bindings for Web Services Security
Configure the Kerberos token policy set for JAX-WS applications
Configure Kerberos as the authentication mechanism
Configure the Kerberos token for Web Services Security
Protection token settings (generator or consumer)
Login module settings for JAAS
Authentication generator or consumer token settings
