Kerberos authentication settings

Use this page to configure and to verify Kerberos as the authentication mechanism for the application server.

When you have entered and applied the required information to the configuration, the server principal name is created from the service name, realm name, and host name, and is used to automatically verify authentication to the Kerberos service.

When configured, Kerberos is the primary authentication mechanism. Configure Enterprise JavaBeans (EJB) authentication to resources by accessing the resource references links on the application details panel.

To view this administrative console page, click Security > Global security. Under Authentication, click Kerberos configuration.

Note: When configuring Kerberos, the service principal must be in the format <service name>/<fully_qualified hostname>@KerberosRealm. If you do not use this format, you might get the following error:
org.ietf.jgss.GSSException, major code: 11, minor code: 0 major string: General failure,
unspecified at GSSAPI level minor string: Cannot get credential for 
principal service WAS/test@AUSTIN.IBM.COM
In the exception example, the fully qualified host name is not specified, which is why the failure occurs. For this failure, the host name of the system is usually obtained from the /etc/hosts file instead of from the domain name system (DNS) server. On UNIX or Linux® systems, if the hosts: line in the /etc/nsswitch.conf file is configured to consult the hosts file before DNS, the Kerberos configuration fails when the hosts file contains an entry for the system that is not the fully qualified host name.

Kerberos realm name

Specifies the name of your Kerberos realm. In most cases, your realm is your domain name in uppercase letters. For example, a machine with the domain name of test.austin.ibm.com typically has a Kerberos realm name of AUSTIN.IBM.COM.

There are two components that use a realm name. The IBM® implementation of the Java™ Generic Security Service (JGSS) component obtains the realm name from the krb5.conf file. WebSphere® Application Server also maintains a realm name, which is usually the same one that JGSS uses. If you leave the Kerberos realm name field blank, WebSphere Application Server inherits the realm name from JGSS.

You might want WebSphere Application Server to use a different realm name, and you can use the Kerberos realm name field to change it. However, be aware that if you change the realm name in the administrative console, only the WebSphere Application Server realm name is changed; the realm name that JGSS reads from the krb5.conf file is not affected.

Information    Value
Data type      String

Kerberos service name

By convention, a Kerberos service principal is divided into three parts: the primary (the service name), the instance (the host), and the Kerberos realm name. The format of the Kerberos service principal name is service/<fully qualified hostname>@KERBEROS_REALM. The service name is the first part of the Kerberos service principal name. For example, in WAS/test.austin.ibm.com@AUSTIN.IBM.COM, the service name is WAS.

Information    Value
Data type      String
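The principal-name rule in the note at the top of this page and the three-part format described in this section can be checked mechanically before the server is restarted. The following Python script is an added example, not part of this page or of WebSphere Application Server: it splits a service principal into service, instance and realm, flags an instance that is not a fully qualified host name (the cause of the GSSException shown above), and reproduces the UNIX/Linux host-name trap by inspecting constructed nsswitch.conf and /etc/hosts contents. The sample file contents, the principal names and all function names are constructed for the example.

```python
import re

# Constructed sample inputs for the example (not taken from any real system).
BAD_PRINCIPAL = "WAS/test@AUSTIN.IBM.COM"               # the principal in the exception above
GOOD_PRINCIPAL = "WAS/test.austin.ibm.com@AUSTIN.IBM.COM"

NSSWITCH_FILES_FIRST = "passwd: files\nhosts:   files dns   # hosts file consulted before DNS\n"
HOSTS_SHORT_FIRST = "127.0.0.1 localhost\n10.1.2.3 test test.austin.ibm.com\n"   # canonical name is 'test'
HOSTS_FQDN_FIRST = "127.0.0.1 localhost\n10.1.2.3 test.austin.ibm.com test\n"    # canonical name is the FQDN

_PRINCIPAL_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^/@]+)$")


def parse_service_principal(principal):
    """Split service/<host>@REALM into its three parts; raise ValueError on any other shape."""
    m = _PRINCIPAL_RE.match(principal)
    if m is None:
        raise ValueError(f"not of the form service/<fully qualified hostname>@REALM: {principal!r}")
    return m.groupdict()


def check_service_principal(principal):
    """Return a list of problems with a service principal name (empty when it is well formed)."""
    try:
        parts = parse_service_principal(principal)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if "." not in parts["host"]:
        # Exactly the defect behind 'Cannot get credential for principal service WAS/test@...'
        problems.append(f"instance {parts['host']!r} is not a fully qualified host name")
    if parts["realm"] != parts["realm"].upper():
        # Realm names are case-sensitive and conventionally the domain name in uppercase.
        problems.append(f"realm {parts['realm']!r} is not uppercase")
    return problems


def hosts_lookup_order(nsswitch_text):
    """Return the sources listed on the hosts: line of nsswitch.conf, in lookup order."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return line[len("hosts:"):].split()
    return []


def short_canonical_names(hosts_text):
    """Return /etc/hosts entries whose canonical name is not fully qualified.
    The resolver reports the first name after the address as the canonical host name,
    so '10.1.2.3 test test.austin.ibm.com' makes the system call itself 'test'."""
    short = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and "." not in fields[1] and fields[1] != "localhost":
            short.append(line.strip())
    return short


def diagnose(principal, nsswitch_text, hosts_text):
    """Combine both checks: principal shape plus the files-before-DNS host-name trap."""
    problems = check_service_principal(principal)
    order = hosts_lookup_order(nsswitch_text)
    if order and order[0] == "files":
        for entry in short_canonical_names(hosts_text):
            problems.append(f"hosts file is consulted before DNS and {entry!r} resolves to a short name")
    return problems


if __name__ == "__main__":
    for p in (BAD_PRINCIPAL, GOOD_PRINCIPAL):
        print(p, "->", check_service_principal(p) or "ok")
    print(diagnose(GOOD_PRINCIPAL, NSSWITCH_FILES_FIRST, HOSTS_SHORT_FIRST))
```

On a real server the two file contents would be read from /etc/nsswitch.conf and /etc/hosts; the checks run offline here so the failing and passing cases can be compared side by side.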

Kerberos configuration file with full path

The Kerberos configuration file, krb5.conf or krb5.ini, contains client configuration information, including the locations of the Key Distribution Centers (KDCs) for the realm of interest. The krb5.conf file is used for all platforms except the Windows operating system, which uses the krb5.ini file.

Information    Value
Data type      String

Kerberos keytab file name with full path

Specifies the Kerberos keytab file name with its full path. You can click Browse to locate it. If this field is empty, then the keytab file name specified in the Kerberos configuration file is used.

Information    Value
Data type      String
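The realm-inheritance rule under Kerberos realm name (a blank field inherits the JGSS realm from krb5.conf), the KDC locations that the Kerberos configuration file carries, and the keytab fallback described in this section all come down to reading krb5.conf. The following Python script is an added example, not the JGSS or WebSphere Application Server parser: it parses a constructed krb5.conf, extracts default_realm and the per-realm kdc entries, and applies the two fallback rules. It assumes that the keytab named "in the Kerberos configuration file" is the standard default_keytab_name entry of the [libdefaults] section; the sample configuration, host names and function names are constructed.

```python
import re

# Constructed sample krb5.conf for the example (not a real configuration).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = AUSTIN.IBM.COM          ; realm JGSS inherits when the console field is blank
    default_keytab_name = FILE:/etc/krb5/krb5.keytab

[realms]
    AUSTIN.IBM.COM = {
        kdc = kdc1.austin.ibm.com:88
        kdc = kdc2.austin.ibm.com:88
        admin_server = kdc1.austin.ibm.com
    }

[domain_realm]
    .austin.ibm.com = AUSTIN.IBM.COM
"""


def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; entries of the form 'NAME = { ... }' (as used in
    [realms]) become nested dicts. Comments start with '#' or ';'. Keys may repeat (kdc)."""
    config, section, block = {}, None, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            config.setdefault(section, {})
            block = None
            continue
        if section is None:
            raise ValueError(f"entry outside any section: {raw!r}")
        if line == "}":
            block = None
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed entry: {raw!r}")
        key, value = key.strip(), value.strip()
        if value == "{":
            block = key
            config[section].setdefault(block, {})
            continue
        target = config[section][block] if block else config[section]
        target.setdefault(key, []).append(value)
    return config


def default_realm(config):
    """The realm JGSS reads from [libdefaults], or None if krb5.conf does not set one."""
    values = config.get("libdefaults", {}).get("default_realm", [])
    return values[0] if values else None


def kdcs_for(config, realm):
    """Every kdc entry listed for a realm (empty if the realm is not configured)."""
    return config.get("realms", {}).get(realm, {}).get("kdc", [])


def effective_realm(console_realm, config):
    """Apply the page's rule: a blank console field inherits the JGSS realm; a non-blank value
    changes only the WebSphere realm, so a mismatch with krb5.conf is worth reporting."""
    jgss_realm = default_realm(config)
    if not console_realm:
        return jgss_realm, "inherited from krb5.conf"
    if console_realm != jgss_realm:
        return console_realm, f"WebSphere realm differs from the JGSS realm {jgss_realm!r} in krb5.conf"
    return console_realm, "matches krb5.conf"


def effective_keytab(console_keytab, config):
    """A blank keytab field falls back to the configuration file; assumed here to be the
    standard default_keytab_name entry. The 'FILE:' type prefix is stripped for display."""
    if console_keytab:
        return console_keytab
    values = config.get("libdefaults", {}).get("default_keytab_name", [])
    if not values:
        return None
    return values[0][5:] if values[0].upper().startswith("FILE:") else values[0]


if __name__ == "__main__":
    cfg = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print("JGSS realm:", default_realm(cfg))
    print("KDCs:", kdcs_for(cfg, default_realm(cfg)))
    print(effective_realm("", cfg))
    print(effective_realm("RALEIGH.IBM.COM", cfg))
    print("keytab:", effective_keytab("", cfg))
```

Running effective_realm with the value entered in the Kerberos realm name field makes the console-versus-krb5.conf mismatch visible before authentication is attempted, which is the situation the realm-name section warns about.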

Trim Kerberos realm from principal name

Specifies whether Kerberos removes the suffix of the principal user name, starting from the @ that precedes the Kerberos realm name. If this attribute is set to true, the suffix of the principal user name is removed. If this attribute is set to false, the suffix of the principal name is retained. The default value is true.

Information    Value
Default        Enabled

Enable delegation of Kerberos credentials

Specifies whether Kerberos authentication stores the delegated Kerberos credentials in the subject.

This option also enables an application to retrieve the stored credentials and to propagate them to other applications downstream for additional Kerberos authentication with the credential from the Kerberos client.

If this option is disabled and the runtime cannot extract a client GSS delegation credential, a warning message is logged.

Information    Value
Default        Enabled

Mapping Kerberos principal names to SAF identities

Specifies whether to use the built-in mapping module to map a Kerberos principal name to an SAF identity on z/OS®. This option only applies when the active user registry is Local OS.

Note: Additional setup is required. Read Mapping a Kerberos principal to a System Authorization Facility (SAF) identity on z/OS for more information.
Note: The Use the KERB segment of an SAF user profile option uses the full Kerberos principal name and Kerberos realm for the mapping, regardless of what the Trim Kerberos realm from principal name field is set to.
Choose one of the following radio buttons:
Note: The default is Do not use SAF profiles for mapping Kerberos principals to SAF identities.
Do not use SAF profiles for mapping Kerberos principals to SAF identities
Select this option if the Kerberos principal name already matches an SAF user so that mapping is not necessary, or if a Java Authentication and Authorization Service (JAAS) login module is configured to do the mapping.
Note: This button is only visible when the active user registry is Local OS and the platform is z/OS.
Use the KERB segment of an SAF user profile
Select this option to map a Kerberos principal to an SAF user, where the Kerberos principal is specified in the KERB segment of that SAF user. When selected, the security custom property, com.ibm.websphere.security.krb.useBuiltInMappingToSAF, is set to true.
Note: This button is only visible when the active user registry is Local OS and the platform is z/OS. This option uses the full Kerberos principal name and Kerberos realm for the mapping, regardless of what the Trim Kerberos realm from principal name field is set to.
Use the RACMAP profiles in the SAF product for distributed identity mapping
Select this option to map a Kerberos principal to an SAF user, where the Kerberos principal and the Kerberos realm are specified in the RACMAP profiles of the SAF product. Before you can select this option, the SAF product must support distributed identity mapping. When selected, the security custom property, com.ibm.websphere.security.krb.useRACMAPMappingToSAF, is set to true.
Note: This button is only visible when the active user registry is Local OS, the cell is not mixed-version, and the z/OS security product supports SAF identity mapping (for RACF®, this means z/OS version 1.11 or later). This option uses the full Kerberos principal name and Kerberos realm for the mapping, regardless of what the Trim Kerberos realm from principal name field is set to.