

Update the system JAAS login with the Kerberos login module

Update the Kerberos system JAAS login module for JAX-WS applications. If the Kerberos authentication mechanism is configured in the WAS security configuration for JAX-WS applications, the JAAS login wss.caller must be updated with the system JAAS login module for Kerberos. The login module is specified as com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule.

There are two methods to update the Kerberos system JAAS login module: using the admin console, or by running a Jython script.


Procedure

  1. To use the admin console, follow these steps:

    1. Click Security > Global security > JAAS > System logins.

    2. Click on wss.caller, then click New to create a new JAAS login module.

    3. In the Module class name field, type com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule.

    4. Click OK.

    5. In the wss.caller panel, click Set Order, then click on WSKrb5LoginModule.
    6. Move WSKrb5LoginModule up in the list of modules so that it is after com.ibm.ws.wssecurity.impl.auth.module.WSWSSLoginModule but before com.ibm.ws.security.server.lm.ltpaLoginModule. The order of the modules in the list is important. The finished list of modules should look like this:
      com.ibm.ws.wssecurity.impl.auth.module.PreCallerLoginModule                         1
      com.ibm.ws.wssecurity.impl.auth.module.UNTCallerLoginModule                         2
      com.ibm.ws.wssecurity.impl.auth.module.X509CallerLoginModule                        3
      com.ibm.ws.wssecurity.impl.auth.module.LTPACallerLoginModule                        4
      com.ibm.ws.wssecurity.impl.auth.module.LTPAPropagationCallerLoginModule             5
      com.ibm.ws.wssecurity.impl.auth.module.KRBCallerLoginModule                         6
      com.ibm.ws.wssecurity.impl.auth.module.WSWSSLoginModule                             7
      com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule                                 8
      com.ibm.ws.security.server.lm.ltpaLoginModule                                       9
      com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule                        10
      

    7. Click OK, then click Save to save the changes.

    8. Restart the server.

  2. Alternatively, run a Jython script to update the module. For each cell, run the script addKrbLoginModuleWSSCaller.py, located in the WAS_HOME\bin directory, to update the WSKrb5LoginModule login module in the security configuration.

    1. Run the following command, where WAS_HOME is C:\WebSphere\AppServer:
      wsadmin -conntype NONE -lang jython -f C:\WebSphere\AppServer\bin\addKrbLoginModuleWSSCaller.py
      

    2. If the script is successful, the following message is displayed:
      System JAAS login entry wss.caller has been updated.
      

    3. Restart the server.
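
After either method, the position of WSKrb5LoginModule in wss.caller can be checked against the order given in the console steps. The following Python sketch is an added example, not IBM code: the XML layout (systemLoginConfig / entries / loginModules, with an optional delegate option for a proxy-wrapped module), the proxy class name, and the function names are assumptions, and the sample document is constructed.

```python
import xml.etree.ElementTree as ET

KRB5 = "com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule"
WSS = "com.ibm.ws.wssecurity.impl.auth.module.WSWSSLoginModule"
LTPA = "com.ibm.ws.security.server.lm.ltpaLoginModule"

# Constructed sample. The element/attribute layout and the proxy class name
# are assumptions for illustration, not copied from a real cell.
SAMPLE = """<security><systemLoginConfig><entries alias="wss.caller">
  <loginModules moduleClassName="example.HypotheticalProxy">
    <options name="delegate" value="com.ibm.ws.wssecurity.impl.auth.module.WSWSSLoginModule"/>
  </loginModules>
  <loginModules moduleClassName="com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule"/>
  <loginModules moduleClassName="com.ibm.ws.security.server.lm.ltpaLoginModule"/>
</entries></systemLoginConfig></security>"""

def module_order(xml_text, alias="wss.caller"):
    """Return the effective module class names of one system JAAS login, in order."""
    root = ET.fromstring(xml_text)
    for entry in root.findall(".//systemLoginConfig/entries"):
        if entry.get("alias") != alias:
            continue
        names = []
        for mod in entry.findall("loginModules"):
            # Assumption: a proxy-wrapped module names the real class in 'delegate'.
            delegate = [o.get("value") for o in mod.findall("options")
                        if o.get("name") == "delegate"]
            names.append(delegate[0] if delegate else mod.get("moduleClassName"))
        return names
    raise LookupError("no system JAAS login entry with alias %r" % alias)

def check_krb5_position(names):
    """Return a list of problems; an empty list means the order is as documented."""
    required = (WSS, KRB5, LTPA)
    problems = ["%s is missing" % m for m in required if m not in names]
    problems += ["%s is listed %d times" % (m, names.count(m))
                 for m in required if names.count(m) > 1]
    if not problems:
        if names.index(KRB5) < names.index(WSS):
            problems.append("WSKrb5LoginModule must come after WSWSSLoginModule")
        if names.index(KRB5) > names.index(LTPA):
            problems.append("WSKrb5LoginModule must come before ltpaLoginModule")
    return problems

if __name__ == "__main__":
    print(check_krb5_position(module_order(SAMPLE)) or "wss.caller order OK")
```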

