Kerberos token
IBM WebSphere Application Server provides Kerberos token support for web services message-level security. The support is based on the OASIS Web Services Security Kerberos Token Profile v1.1. Use this topic to understand the Kerberos support that is available for web services.
Kerberos token profile version 1.1
Kerberos v5 is a mature, open standard that provides a secure third-party authentication mechanism. The OASIS Web Services SOAP Message Security specification references the Kerberos token in the SOAP message. Web services applications can use the Kerberos token to send identities and protect messages more securely. Overall, Kerberos support involves Kerberos support in Java EE security and the Kerberos token support in Web Services Security. This topic covers the Kerberos token support in Web Services Security only.
In WAS v7.0 and later, Web Services Security supports the Kerberos token as defined by the OASIS WS-Security Kerberos Token Profile v1.1 specification. The Kerberos token is a binary security token for web services message-level security. Web Services Security provides SOAP message-level security, such as security token propagation, message signature, and message encryption. The Kerberos token is used for message security, specifically with the SOAP message security specification for web services, and joins the other supported tokens, such as the username token and the secure conversation token.
For more information, see the Web Services Security Kerberos Token Profile v1.1 specification. The specification explains how to use Kerberos security with the Web Services Security and how the Kerberos token is propagated and used to secure the SOAP message through signing and encryption.
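As an added example (not WebSphere code and not taken from the profile document), the following Python check validates the two pieces of a Kerberos-secured WS-Security header that the paragraphs above describe: the base64-encoded BinarySecurityToken carrying the AP_REQ, and the SHA-1 KeyIdentifier through which later signature or encryption references point back at that token. The namespace URIs and ValueType fragments are taken from the OASIS WS-Security 1.0 and Kerberos Token Profile v1.1 specifications; the token bytes in the sample are constructed placeholders, not a real Kerberos ticket.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespace URIs from WS-Security 1.0 and the OASIS Kerberos Token Profile v1.1.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
KRB = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
# ValueTypes the profile assigns to a Kerberos v5 AP_REQ, raw or GSS-API framed.
AP_REQ_TYPES = {KRB + "#Kerberosv5_AP_REQ", KRB + "#GSS_Kerberosv5_AP_REQ"}
# ValueType of a KeyIdentifier that refers to a token by the SHA-1 of its bytes.
SHA1_REF_TYPE = KRB + "#Kerberosv5APREQSHA1"


def check_kerberos_token(soap_xml: str) -> dict:
    """Check the Kerberos BinarySecurityToken and its SHA-1 references in a WS-Security header."""
    root = ET.fromstring(soap_xml)
    ns = {"wsse": WSSE}
    token = root.find(".//wsse:Security/wsse:BinarySecurityToken", ns)
    if token is None:
        return {"ok": False, "reason": "no BinarySecurityToken"}
    if token.get("ValueType") not in AP_REQ_TYPES:
        return {"ok": False, "reason": "not a Kerberos AP_REQ token"}
    if token.get("EncodingType") != B64:
        return {"ok": False, "reason": "unexpected EncodingType"}
    try:
        ap_req = base64.b64decode((token.text or "").strip(), validate=True)
    except ValueError:
        return {"ok": False, "reason": "token is not valid base64"}
    # A SHA-1 KeyIdentifier must name the token actually carried; a signature or
    # encryption key reference that points elsewhere is a consistency failure.
    expected = base64.b64encode(hashlib.sha1(ap_req).digest()).decode()
    refs = root.findall(".//wsse:SecurityTokenReference/wsse:KeyIdentifier", ns)
    for ref in refs:
        if ref.get("ValueType") == SHA1_REF_TYPE and (ref.text or "").strip() != expected:
            return {"ok": False, "reason": "KeyIdentifier does not match token"}
    return {"ok": True, "token_bytes": len(ap_req), "sha1_refs": len(refs)}


def build_sample(ap_req: bytes, ref_digest=None) -> str:
    """Constructed SOAP envelope: a GSS-framed AP_REQ token plus a SHA-1 reference to it."""
    digest = ref_digest if ref_digest is not None else hashlib.sha1(ap_req).digest()
    return f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Header><wsse:Security xmlns:wsse="{WSSE}">
    <wsse:BinarySecurityToken ValueType="{KRB}#GSS_Kerberosv5_AP_REQ"
        EncodingType="{B64}">{base64.b64encode(ap_req).decode()}</wsse:BinarySecurityToken>
    <wsse:SecurityTokenReference><wsse:KeyIdentifier ValueType="{SHA1_REF_TYPE}"
        >{base64.b64encode(digest).decode()}</wsse:KeyIdentifier></wsse:SecurityTokenReference>
  </wsse:Security></s:Header><s:Body/></s:Envelope>"""
```

Feeding `build_sample(b"...")` to `check_kerberos_token` accepts the header; passing a wrong digest or rewriting the ValueType shows the two rejection paths.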
Kerberos token profile enablement
The WAS configuration model leverages existing tools and frameworks for the Kerberos token profile configuration of authentication and message protection, such as:
- Policy set and binding configuration to enable the Kerberos token profile for JAX-WS applications
- Deployment descriptor and binding configuration to enable the Kerberos token profile for JAX-RPC applications
- Token profile enablement with a Kerberos token for JAX-WS applications
- Minimal client configuration to enable the Kerberos token profile using the JAX-WS programming model
For JAX-WS client applications, the design updates the APIs for Web Services Security and enforces a Web Services Security policy with a Kerberos token, which is based on the OASIS token profile. To enable a Kerberos token profile using a policy set, first establish the Web Services Security policy and binding files using a custom token. For more information, see the "Kerberos configuration models for web services" topic.
Kerberos support
The following Kerberos-related functions are supported by web services in WAS:
- Client programming models for JAX-WS applications with Web Services Security APIs
- Interoperability with Web Services Enhancements (WSE) v3.5 and Windows Communication Foundation (WCF) v3.5 for Microsoft .NET
- Recovery of web services message security tokens for JAX-WS applications
- Kerberos token profile enablement
- Integration with the base security for the application server
- Kerberos token generation for the client and service
- Kerberos consumption at the service
- Clustering and high-availability for JAX-WS applications
- Kerberos token profile configuration of authentication and message protection for JAX-WS applications
- Integration in a single realm with either a Microsoft or z/OS operating system Key Distribution Center (KDC)
- Kerberos token profile configuration of authentication for JAX-RPC applications
The application server does not support the following functions:
- Key name references
- Message protection using session keys for JAX-RPC applications
- Message protection using derived keys for JAX-RPC applications
- Generation of SHA1 keys for JAX-RPC applications
- Kerberos delegation for JAX-RPC applications configured with the Kerberos authentication security mechanism
- Recovery of a Kerberos token for JAX-WS applications that are enabled with web services Reliable Messaging
Subtopics
- Kerberos message protection for web services
  Message-level security is based on the OASIS Web Services Security Kerberos Token Profile v1.1 specification. Use this topic to gain an overall understanding of how message protection is implemented with a Kerberos token for web services.
- Kerberos usage overview for web services
  We can use a Kerberos token to complete functions similar to those you might currently complete with other binary security tokens, such as LTPA and Secure Conversation tokens.
- Kerberos configuration models for web services
  The IBM WAS configuration model leverages existing frameworks.
- Kerberos clustering for web services
  Clusters are groups of servers that are managed together and participate in workload management.
- Web Services Security Kerberos token for authentication in a single or cross Kerberos realm environment
  To secure web services messages, we can use a Kerberos token as either an authentication token or a message protection token. For Kerberos authentication, both the single Kerberos realm environment and the cross or trusted Kerberos realm environment are supported.
Related:
- Configure the Kerberos token for Web Services Security
Related information:
- Kerberos Token Profile v1.1 specification
- Kerberos Token Profile 1.1 Approved Errata