The Kerberos configuration properties, krb5.ini or krb5.conf files, must be configured on every WebSphere® Application Server instance in a cell in order to use the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) for WebSphere Application Server.
Operating System | Default Location |
---|---|
Windows | c:\winnt\krb5.ini Note: If the krb5.ini file
is not located in the c:\winnt directory it might
be located in c:\windows directory.
|
Linux | /etc/krb5.conf |
other UNIX-based | /etc/krb5/krb5.conf |
z/OS | /etc/krb5/krb5.conf |
IBM i | /QIBM/UserData/OS400/NetworkAuthentication/krb5.conf |
For SPNEGO TAI, if you do not use the default location and Kerberos configuration file name, then you must specify the java.security.krb5.conf JVM property.
$AdminTask createKrbConfigFile
Option | Description |
---|---|
<krbPath> | This parameter is required. It provides the fully qualified file system location of the Kerberos configuration (krb5.ini or krb5.conf) file. |
<realm> | This parameter is required. It provides the Kerberos realm name. The value of this attribute is used by the SPNEGO TAI to form the Kerberos service principal name for each of the hosts specified with the property com.ibm.ws.security.spnego.SPNid.hostName. |
<kdcHost> | This parameter is required. It provides the host name of the Kerberos Key Distribution Center (KDC). |
<kdcPort> | This parameter is optional. It provides the port number of the KDC. The default value, if not specified, is 88. |
<dns> | This parameter is required. It provides the default domain name service (DNS) that is used to produce a fully qualified host name. |
<keytabPath> | This parameter is required. It provides the file system location of the Kerberos keytab file. |
<encryption> | This parameter is optional. It identifies the list of supported encryption types, separated by a space. The specified value is used for the default_tkt_enctypes and default_tgs_enctypes. The default encryption types, if not specified, are des-cbc-md5 and rc4-hmac. |
In the following example, the wsadmin command creates the krb5.ini file in the c:\winnt directory. The default Kerberos keytab file is also in c:\winnt. The actual Kerberos realm name is WSSEC.AUSTIN.IBM.COM and the KDC host name is host1.austin.ibm.com.
wsadmin>$AdminTask createKrbConfigFile {-krbPath
c:\winnt\krb5.ini -realm WSSEC.AUSTIN.IBM.COM -kdcHost host1.austin.ibm.com
-dns austin.ibm.com -keytabPath c:\winnt\krb5.keytab}
[libdefaults]
default_realm = WSSEC.AUSTIN.IBM.COM
default_keytab_name = FILE:c:\winnt\krb5.keytab
default_tkt_enctypes = des-cbc-md5 rc4-hmac
default_tgs_enctypes = des-cbc-md5 rc4-hmac
[realms]
WSSEC.AUSTIN.IBM.COM = {
kdc = host1.austin.ibm.com:88
default_domain = austin.ibm.com
}
[domain_realm]
.austin.ibm.com = WSSEC.AUSTIN.IBM.COM
Kerberos configuration settings, the Kerberos key distribution center (KDC) name, and realm settings for the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) are provided in the Kerberos configuration file or through java.security.krb5.kdc and java.security.krb5.realm system property files.