Network Deployment (Distributed operating systems), v8.0 > Reference > Sets
Kerberos authentication settings
Use this page to configure and to verify Kerberos as the authentication mechanism for the application server.
After you enter and apply the required information, the server principal name is built from the service name, the host name, and the realm name, and is used to verify automatically that the server can authenticate to the Kerberos service.
When configured, Kerberos is the primary authentication mechanism. Configure EJB authentication to resources through the resource reference links on the application details panel.
To view this administrative console page, click Security > Global security. Under Authentication, click Kerberos configuration.
When configuring Kerberos, the service principal must be in the format <service_name>/<fully_qualified_hostname>@KERBEROS_REALM. If you do not use this format, you might get the following error:
org.ietf.jgss.GSSException, major code: 11, minor code: 0
major string: General failure, unspecified at GSSAPI level
minor string: Cannot get credential for principal service WAS/test@AUSTIN.IBM.COM
In this example the instance part of the principal, test, is not a fully qualified host name, which is why the failure occurs. This usually happens because the host name of the system was obtained from the /etc/hosts file rather than from the Domain Name Server (DNS). On UNIX or Linux systems, if the hosts: line in /etc/nsswitch.conf lists files before dns, the Kerberos configuration fails when the /etc/hosts entry for the system gives a short host name instead of the fully qualified one.
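The following Python script is an added illustration, not part of the product or of this page. It checks the two conditions described above: that the service principal has a fully qualified instance, and that the host's name-resolution order and /etc/hosts entry would not hand the runtime a short name. The nsswitch.conf and hosts contents are constructed samples embedded in the script; on a real system you would read /etc/nsswitch.conf and /etc/hosts instead.

```python
"""Diagnose why WAS may build a service principal with a short host name."""
import re

# Constructed samples (not taken from a real system). The hosts line lists
# the short name first, which is exactly the misconfiguration described above.
NSSWITCH_CONF = """# /etc/nsswitch.conf (constructed sample)
passwd:     files
hosts:      files dns
networks:   files
"""

HOSTS_FILE = """# /etc/hosts (constructed sample)
127.0.0.1   localhost
9.3.12.45   test test.austin.ibm.com
"""

# service/instance@REALM; none of the three parts may contain '/' or '@'
PRINCIPAL_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^/@]+)$")


def parse_service_principal(spn):
    """Split service/host@REALM into its parts; None when the shape is wrong."""
    m = PRINCIPAL_RE.match(spn)
    return m.groupdict() if m else None


def check_service_principal(spn):
    """Return the problems WAS would report for this SPN; an empty list means OK."""
    parts = parse_service_principal(spn)
    if parts is None:
        return ["principal is not in the form service/host@REALM"]
    problems = []
    if "." not in parts["host"]:
        problems.append("instance %r is not a fully qualified host name" % parts["host"])
    return problems


def hosts_lookup_order(nsswitch_text):
    """Sources on the 'hosts:' line of nsswitch.conf, in lookup order."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return line.split(":", 1)[1].split()
    return []


def hosts_file_name_for(hosts_text, short_name):
    """Canonical (first) name on the /etc/hosts line that mentions short_name."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and short_name in fields[1:]:
            return fields[1]
    return None


def diagnose(short_name, nsswitch_text, hosts_text):
    """Explain whether local resolution on this host yields a short name."""
    order = hosts_lookup_order(nsswitch_text)
    canonical = hosts_file_name_for(hosts_text, short_name)
    files_first = "files" in order and (
        "dns" not in order or order.index("files") < order.index("dns"))
    if files_first and canonical is not None and "." not in canonical:
        return ("hosts lookup order %s consults /etc/hosts first and its canonical name "
                "for %s is %r, which is not fully qualified; put the FQDN first on that "
                "line or list dns before files" % (order, short_name, canonical))
    return "host name resolution yields a fully qualified name"


if __name__ == "__main__":
    print(check_service_principal("WAS/test@AUSTIN.IBM.COM"))
    print(diagnose("test", NSSWITCH_CONF, HOSTS_FILE))
```

Swapping the two names on the constructed hosts line (FQDN first) or changing the hosts line to dns files makes diagnose() report a clean result, which is the fix the text describes.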
Kerberos realm name
Name of your Kerberos realm. In most cases, your realm is your domain name in uppercase letters. For example, a machine with the domain name of test.austin.ibm.com typically has a Kerberos realm name of AUSTIN.IBM.COM.
Two components use a realm name. The IBM implementation of the Java Generic Security Service (JGSS) obtains its realm name from the krb5.conf file. WAS also maintains a realm name, which is usually the same one that JGSS uses. If you leave the Kerberos realm name field blank, WAS inherits the realm name from JGSS.
You might want WAS to use a different realm name, and you can use the Kerberos realm name field to change it. However, be aware that changing the realm name in the administrative console changes only the WAS realm name; JGSS continues to use the realm name from the krb5.conf file.
Data type: String
Kerberos service name
By convention, a Kerberos service principal is divided into three parts: the primary (the service name), the instance (the fully qualified host name), and the Kerberos realm name, in the format <service_name>/<fully_qualified_hostname>@KERBEROS_REALM. The service name is the first part of the Kerberos service principal name. For example, in WAS/test.austin.ibm.com@AUSTIN.IBM.COM, the service name is WAS.
Data type: String
Kerberos configuration file with full path
The Kerberos configuration file, krb5.conf or krb5.ini, contains client configuration information, including the locations of the Key Distribution Centers (KDCs) for the realm of interest. The krb5.conf file is used for all platforms except the Windows operating system, which uses the krb5.ini file.
Data type: String
Kerberos keytab file name with full path
Specifies the Kerberos keytab file name with its full path. Click Browse to locate it. If this field is left empty, the keytab file name specified in the Kerberos configuration file is used.
Data type: String
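As an added example (not IBM code and not taken from this page), the Python below parses a constructed krb5.conf and shows how the settings described under Kerberos realm name, Kerberos configuration file and Kerberos keytab file name interact: the default realm that WAS inherits from JGSS when the console realm field is blank, the KDCs listed for that realm, the [domain_realm] mapping for a host, and the keytab that applies when the console keytab field is empty. That the empty keytab field falls back to the default_keytab_name setting in [libdefaults] is an assumption about what "specified in the Kerberos configuration file" refers to. File contents, host names and paths are constructed.

```python
"""Minimal krb5.conf reader showing how console fields fall back to the file."""

# Constructed krb5.conf (paths, KDC names and realm are sample values).
KRB5_CONF = """[libdefaults]
    default_realm = AUSTIN.IBM.COM
    default_keytab_name = FILE:/etc/krb5/krb5.keytab
    dns_lookup_kdc = false

[realms]
    AUSTIN.IBM.COM = {
        kdc = kdc1.austin.ibm.com:88
        kdc = kdc2.austin.ibm.com:88
        admin_server = kdc1.austin.ibm.com
    }

[domain_realm]
    .austin.ibm.com = AUSTIN.IBM.COM
    austin.ibm.com = AUSTIN.IBM.COM
"""


def parse_krb5_conf(text):
    """Parse krb5.conf/krb5.ini into {section: {key: value}}, one level of braces.

    Repeated keys inside a block (several kdc lines) accumulate into a list.
    """
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
            block = None
        elif section is None:
            continue
        elif line == "}":
            block = None
        elif "=" in line:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = conf[section].setdefault(key, {})
            else:
                target = block if block is not None else conf[section]
                if key in target:
                    existing = target[key]
                    target[key] = (existing + [value] if isinstance(existing, list)
                                   else [existing, value])
                else:
                    target[key] = value
    return conf


def default_realm(conf):
    """The realm JGSS reads from [libdefaults]; WAS inherits it when its field is blank."""
    return conf.get("libdefaults", {}).get("default_realm")


def kdcs_for_realm(conf, realm):
    """KDC entries for a realm from the [realms] section, always as a list."""
    kdc = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    return kdc if isinstance(kdc, list) else [kdc]


def realm_for_host(conf, fqdn):
    """Longest matching [domain_realm] rule for the host; default_realm otherwise."""
    host, best = fqdn.lower(), None
    for pattern, realm in conf.get("domain_realm", {}).items():
        p = pattern.lower()
        if host == p or (p.startswith(".") and host.endswith(p)):
            if best is None or len(p) > len(best[0]):
                best = (p, realm)
    return best[1] if best else default_realm(conf)


def effective_keytab(console_value, conf):
    """Console field wins; an empty field falls back to default_keytab_name (assumption)."""
    if console_value:
        return console_value
    name = conf.get("libdefaults", {}).get("default_keytab_name")
    if name and name.upper().startswith("FILE:"):
        name = name[len("FILE:"):]
    return name


def service_principal(service, fqdn, conf, console_realm=""):
    """Build service/fqdn@REALM with the console realm, else the JGSS default realm."""
    realm = console_realm or default_realm(conf)
    return "%s/%s@%s" % (service, fqdn, realm)


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    print(service_principal("WAS", "test.austin.ibm.com", conf))
    print(kdcs_for_realm(conf, default_realm(conf)))
    print(effective_keytab("", conf))
```

Passing a console realm to service_principal() reproduces the point made under Kerberos realm name: the principal WAS builds changes, while default_realm() and the KDC list JGSS works from are untouched.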
Trim Kerberos realm from principal name
Specifies whether the realm suffix of the principal user name, starting with the @ that precedes the Kerberos realm name, is removed. If this attribute is set to true, the suffix is removed; if it is set to false, the suffix is retained. The default is true.
We must set this field to true if you are using both the Local Operating System registry on z/OS and the built-in mapping module to map Kerberos principals to SAF identities.
Default: Enabled
Enable delegation of Kerberos credentials
Specifies whether the Kerberos delegated credentials are stored in the subject by Kerberos authentication.
This option also enables an application to retrieve the stored credentials and to propagate them to other applications downstream for additional Kerberos authentication with the credential from the Kerberos client.
If this parameter is true, and the runtime cannot extract a client GSS delegation credential, then a warning message is logged.
Default: Enabled
Related
SPNEGO web authentication enablement
SPNEGO web authentication filter values