This topic applies to WebSphere Application Server Liberty V8.5.5.9 and earlier. For the latest Liberty topics, see the WebSphere Application Server Liberty documentation.

Configuring Kerberos constrained delegation for out-bound SPNEGO tokens in Liberty

You can configure a Liberty server to support Kerberos constrained delegation for out-bound SPNEGO tokens.

Before you begin

Make sure that you have configured SPNEGO web authentication.

Only IBM® JDK 1.8 and later are supported.

About this task

The Kerberos v5 extension called S4U (Services for Users), also known as constrained delegation, comprises two parts:
S4U2self

Allows a Liberty server to obtain a service ticket to itself on behalf of a user. This can be used with any form of authentication that is supported by Liberty. S4U2self is the Kerberos Protocol Transition extension.

S4U2proxy

Allows a Liberty server to obtain service tickets to trusted services on behalf of a user. These service tickets are obtained by using the user's service ticket to the Liberty service. The services are constrained by the Kerberos Key Distribution Center (KDC) administrator. S4U2proxy is the Kerberos Constrained Delegation extension.

The constrained delegation feature provides the following APIs to create the out-bound SPNEGO token for back-end services that support SPNEGO authentication, such as .NET servers and other Liberty servers.
  • S4U2self API: com.ibm.websphere.security.s4u2proxy.SpnegoHelper.buildS4U2proxyAuthorizationUsingS4U2self()
  • S4U2proxy API: com.ibm.websphere.security.s4u2proxy.SpnegoHelper.buildS4U2proxyAuthorization()

The following steps use the same example system setup that is used in Configuring SPNEGO authentication in Liberty and illustrated in Single sign-on for HTTP requests using SPNEGO web authentication.

Procedure

  1. On the Microsoft domain controller myAdMachine.example.com, update the service principal name (SPN) that you use to validate the incoming SPNEGO token. For example, update the HTTP/myLibertyMachine.example.com SPN as follows:
    1. To use S4U2self, perform the following steps:
      1. Open the user account that is mapped to the delegate SPN.
      2. Open the Attribute Editor tab.
      3. Modify the userAccountControl property as follows:
        • Trusted for auth delegation (0x1000000, or the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION enum) must be true.
      4. Set the trusted service:
        • Open the Delegation tab in the user account.
        • Select the Trust this user for delegation to specified services only radio button.
        • Select the Use any authentication protocol radio button.
        • Click on Add to add the trusted service.
        • Click Users or Computers.
        • Enter the SPN to be used for the trusted service.
        • Click Check Names and verify that the appropriate object name was found.
        • Click OK.
        • Select the SPN specified and click OK.
    2. To use S4U2proxy, perform the following steps:
      1. Open the user account that is mapped to the delegate SPN.
      2. Open the Attribute Editor tab.
      3. Modify the userAccountControl property as follows:
        • Trusted for auth delegation (0x1000000, or the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION enum) must be true.
      4. Set the trusted service:
        • Open the Delegation tab in the user account.
        • Select the Trust this user for delegation to specified services only radio button.
        • Click on Add to add the trusted service.
        • Click Users or Computers.
        • Enter the SPN to be used for the trusted service.
        • Click Check Names and verify that the appropriate object name was found.
        • Click OK.
        • Select the SPN specified and click OK.
  2. On the Liberty server machine (myLibertyMachine.example.com), enable the constrained delegation feature by adding constrainedDelegation-1.0 to the featureManager and configure the JAAS Kerberos login module in the server.xml file.
    <featureManager>
        <feature>spnego-1.0</feature>
        <feature>constrainedDelegation-1.0</feature>
        ...
    </featureManager>
    <jaasLoginContextEntry id="com.ibm.security.jgss.krb5.accept" name="com.ibm.security.jgss.krb5.accept" loginModuleRef="useKeytab" />
    <jaasLoginModule id="useKeytab" className="com.ibm.security.auth.module.Krb5LoginModule" controlFlag="REQUIRED" libraryRef="jaasSharedLib">
        <options
            credsType="both"
            debug="true"
            useDefaultCcache="false"
            tryFirstPass="true"
            forwardable="true"
            principal="HTTP/myLibertyMachine.example.com"
            useKeytab="${server.config.dir}/resources/security/kerberos/krb5.keytab">
        </options>
    </jaasLoginModule>
    <library id="jaasSharedLib" apiTypeVisibility="spec, ibm-api, api">
        <fileset dir="${server.config.dir}/lib/global/" includes="*" />
    </library>
    When the constrainedDelegation-1.0 feature is enabled, the following configuration is implicit:
    <constrainedDelegation id="defaultConstrainedDelegation" s4U2selfEnabled="false" />
    To use S4U2self, the following configuration is needed in the server.xml file:
    <constrainedDelegation id="defaultConstrainedDelegation" s4U2selfEnabled="true" />
    Note: When you use the S4U2proxy API, the jaasLoginContextEntry id and name com.ibm.security.jgss.krb5.accept cannot be changed.
    Note: By default, S4U2proxy is enabled and S4U2self is disabled. The S4U2self extension can be enabled or disabled by modifying the s4U2selfEnabled attribute in the server.xml file.

Results

Your application is now ready to call the API provided by the constrained delegation feature.
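As an added example (not code from the IBM documentation or the Liberty product), the servlet below uses the S4U2proxy API named in this topic to build an out-bound SPNEGO token for the caller and forward it to a back-end service. The parameter list (upn, targetServiceSpn, lifetime, delegate) and the "Negotiate <token>" return value are assumed from the Liberty API; the back-end SPN and URL are placeholders.

```java
// Added example, not from the IBM documentation. Assumes (not confirmed by this
// topic) that SpnegoHelper.buildS4U2proxyAuthorization takes
// (upn, targetServiceSpn, lifetime, delegate) and returns the full
// "Negotiate <base64 token>" Authorization header value.
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.PrivilegedActionException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.ietf.jgss.GSSException;
import com.ibm.websphere.security.s4u2proxy.SpnegoHelper;

@WebServlet("/backend")
public class DelegatingServlet extends HttpServlet {
    // Placeholders. The back-end SPN must be one of the services the KDC
    // administrator listed on the Delegation tab for the Liberty SPN account;
    // the KDC refuses tickets to any other service (the "constrained" part).
    private static final String BACKEND_SPN = "HTTP/backend.example.com";
    private static final String BACKEND_URL = "https://backend.example.com/api/resource";
    private static final int TICKET_LIFETIME_SECONDS = 300; // keep short-lived

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Identity already validated by SPNEGO web authentication on this server.
        String upn = req.getUserPrincipal().getName();
        try {
            // S4U2proxy: use the caller's ticket to Liberty to obtain a ticket to
            // BACKEND_SPN on the caller's behalf. delegate=false: do not request
            // delegatable credentials, so the back end cannot hop further.
            String authzHeader = SpnegoHelper.buildS4U2proxyAuthorization(
                    upn, BACKEND_SPN, TICKET_LIFETIME_SECONDS, false);

            HttpURLConnection conn =
                    (HttpURLConnection) new URL(BACKEND_URL).openConnection();
            conn.setRequestProperty("Authorization", authzHeader);
            int status = conn.getResponseCode();
            resp.setStatus(status == HttpURLConnection.HTTP_OK ? 200 : 502);
            resp.getWriter().println("back end returned " + status);
        } catch (GSSException | PrivilegedActionException e) {
            // Typical causes: SPN not in the allowed-to-delegate list, or the
            // account is not trusted for delegation. Log details server-side only.
            log("S4U2proxy token build failed for " + upn, e);
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
}
```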

Last updated: Tuesday, 12 December 2017
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-libcore-mp&topic=twlp_config_kerb_constrained_del
File name: twlp_config_kerb_constrained_del.html