Configuring Kerberos constrained delegation for out-bound SPNEGO tokens in Liberty

You can configure a Liberty server to support Kerberos constrained delegation for out-bound SPNEGO tokens.

Before you begin

Make sure that you have configured SPNEGO web authentication.

IBM® SDK 1.8 and later is supported. The Oracle JDK and OpenJDK are supported at the same levels that they are supported for Liberty.

About this task

The Kerberos v5 extension called S4U (Service for User), also known as constrained delegation, comprises two parts:
S4U2self

Allows a Liberty server to obtain a service ticket to itself on behalf of a user, without the user presenting Kerberos credentials. This can be used with any form of authentication that is supported by Liberty. S4U2self is the Kerberos Protocol Transition extension; because it lets the server act for a user who never presented a ticket, it is disabled by default and must be enabled explicitly (see the s4U2selfEnabled attribute in step 2).

S4U2proxy

Allows a Liberty server to obtain service tickets to trusted services on behalf of a user. These service tickets are obtained by using the user's service ticket to the Liberty service. The set of trusted services is constrained by the Kerberos Key Distribution Center (KDC) administrator, through the list of services that the Liberty service account is allowed to delegate to. S4U2proxy is the Kerberos Constrained Delegation extension.

The constrained delegation feature provides the following APIs to create the out-bound SPNEGO token for back-end services that support SPNEGO authentication, such as .NET servers and other Liberty servers.
  • S4U2self API: com.ibm.websphere.security.s4u2proxy.SpnegoHelper.buildS4U2proxyAuthorizationUsingS4U2self()
  • S4U2proxy API: com.ibm.websphere.security.s4u2proxy.SpnegoHelper.buildS4U2proxyAuthorization()

The following steps use the same example system setup that is used in Configuring SPNEGO authentication in Liberty and illustrated in Single sign-on for HTTP requests using SPNEGO web authentication.

Procedure

  1. On the Microsoft domain controller myAdMachine.example.com, update the account that holds the service principal name (SPN) used to validate the incoming SPNEGO token. For example, for the HTTP/myLibertyMachine.example.com SPN:
    1. To use S4U2self, perform the following steps:
      1. Open the user account that is mapped to the delegate SPN.
      2. Open the Attribute Editor tab.
      3. Modify the userAccountControl property as follows:
        • Trusted for auth delegation (0x1000000, or the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION enum) must be true.
      4. Set the trusted service:
        • Open the Delegation tab in the user account.
        • Select Trust this user for delegation to specified services only.
        • Select Use any authentication protocol.
        • Click Add to add the trusted service.
        • Click Users or Computers.
        • Enter the SPN to be used for the trusted service.
        • Click Check Names and verify that the appropriate object name was found.
        • Click OK.
        • Select the SPN specified and click OK.
    2. To use S4U2proxy, perform the following steps:
      1. Open the user account that is mapped to the delegate SPN.
      2. Open the Attribute Editor tab.
      3. Modify the userAccountControl property as follows:
        • Trusted for auth delegation (0x1000000, or the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION enum) must be true.
      4. Set the trusted service:
        • Open the Delegation tab in the user account.
        • Select the Trust this user for delegation to specified services only radio button.
        • Click Add to add the trusted service.
        • Click Users or Computers.
        • Enter the SPN to be used for the trusted service.
        • Click Check Names and verify that the appropriate object name was found.
        • Click OK.
        • Select the SPN specified and click OK.
  2. On the Liberty server machine (myLibertyMachine.example.com), enable the constrained delegation feature by adding constrainedDelegation-1.0 to the featureManager element, and configure the JAAS Kerberos login module for your JDK in the server.xml file.

    The following example for the featureManager element applies to the IBM JDK, the Oracle JDK, and OpenJDK.

    
    <featureManager>
        <feature>spnego-1.0</feature>
        <feature>constrainedDelegation-1.0</feature>
        ...
    </featureManager>
    

    The following example for the JAAS Kerberos login module applies to IBM JDK 1.8:

    <jaasLoginContextEntry id="com.ibm.security.jgss.krb5.accept" name="com.ibm.security.jgss.krb5.accept" loginModuleRef="useKeytab" />
    <jaasLoginModule id="useKeytab" className="com.ibm.security.auth.module.Krb5LoginModule" controlFlag="REQUIRED" libraryRef="jaasSharedLib">
        <options
            credsType="both"
            debug="true"
            useDefaultCcache="false"
            tryFirstPass="true"
            forwardable="true"
            principal="HTTP/myLibertyMachine.example.com"
            useKeytab="${server.config.dir}/resources/security/kerberos/krb5.keytab">
        </options>
    </jaasLoginModule>

    <library id="jaasSharedLib" apiTypeVisibility="spec, ibm-api, stable, api">
        <fileset dir="${server.config.dir}/lib/global/" includes="*" />
    </library>
    The following example for the JAAS Kerberos login module applies to IBM JDK versions later than 1.8, OpenJDK, and Oracle JDK:

    <jaasLoginContextEntry id="com.sun.security.auth.module.Krb5LoginModule" name="com.sun.security.auth.module.Krb5LoginModule" loginModuleRef="com.sun.security.auth.module.Krb5LoginModule" />

    <jaasLoginModule id="com.sun.security.auth.module.Krb5LoginModule" className="com.sun.security.auth.module.Krb5LoginModule" controlFlag="REQUIRED" libraryRef="jaasSharedLib">
        <options useKeyTab="true"
                 refreshKrb5Config="true"
                 doNotPrompt="true"
                 storeKey="true"
                 isInitiator="false"
                 debug="true"
                 keyTab="${server.config.dir}/resources/security/kerberos/krb5.keytab" />
    </jaasLoginModule>

    <library id="jaasSharedLib" apiTypeVisibility="spec, ibm-api, api">
        <fileset dir="${server.config.dir}/lib/global/" includes="*" />
    </library>

    Both examples set debug="true", which writes the Kerberos login exchange, including principal names, to the server log. Set it to false once delegation is working.
    When the constrainedDelegation-1.0 feature is enabled, the following configuration is implicit:

    <constrainedDelegation id="defaultConstrainedDelegation" s4U2selfEnabled="false" />

    To use S4U2self, add the following configuration to the server.xml file:

    <constrainedDelegation id="defaultConstrainedDelegation" s4U2selfEnabled="true" />

    Note: When you use the S4U2proxy API, the jaasLoginContextEntry id and name com.ibm.security.jgss.krb5.accept cannot be changed.
    Note: By default, S4U2proxy is enabled and S4U2self is disabled. Enable or disable S4U2self with the s4U2selfEnabled attribute in the server.xml file. Leave it disabled unless an application must delegate for users who did not authenticate with SPNEGO, because S4U2self lets the server obtain a ticket for any user without that user's credentials.

Results

Your application is now ready to call the API provided by the constrained delegation feature.
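The following servlet is an added example of how an application on myLibertyMachine.example.com might call the two APIs listed in About this task to relay a request to a SPNEGO-protected back end as the caller. It is not code from this page or from IBM. The method names are those given on the page; their parameter order (target SPN, Subject, lifetime, delegate for S4U2proxy; UPN, target SPN, lifetime, delegate, delegating service SPN, delegating service Subject for S4U2self), their checked exceptions, and the form of the returned string are assumed from the IBM Javadoc as recalled here and must be checked against the SpnegoHelper Javadoc for your Liberty level. The back-end SPN, realm and URL, the use of the inbound Authorization header to choose between the two extensions, and the null delegating-service Subject are assumptions made for this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;

import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.ietf.jgss.GSSContext;

import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.s4u2proxy.SpnegoHelper;

/**
 * Relays the caller's request to a SPNEGO-protected back end, authenticating
 * to it as the caller by way of Kerberos constrained delegation.
 * Illustrative example; the SpnegoHelper signatures used are assumptions (see lead-in).
 */
@WebServlet("/relay")
public class DelegatingRelayServlet extends HttpServlet {

    // Liberty's own SPN, as in the page's example setup.
    private static final String LIBERTY_SPN = "HTTP/myLibertyMachine.example.com";
    // Back-end service: hypothetical SPN, realm and URL chosen for this example.
    // TARGET_SPN must be one of the "trusted services" on the Liberty service account in AD.
    private static final String TARGET_SPN = "HTTP/myBackendMachine.example.com";
    private static final String REALM      = "EXAMPLE.COM";
    private static final String TARGET_URL = "https://myBackendMachine.example.com/api/orders";
    // Assumption: lifetime is passed through to GSS; DEFAULT_LIFETIME (0) asks for the default.
    private static final int LIFETIME = GSSContext.DEFAULT_LIFETIME;
    // Do not request a further-delegable ticket: the back end must not impersonate the user onward.
    private static final boolean DELEGATE = false;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String authorization;
        try {
            authorization = buildOutboundAuthorization(req, WSSubject.getRunAsSubject());
        } catch (Exception e) {
            // A refused delegation surfaces here (GSSException per the Javadoc): TARGET_SPN is not in the
            // account's allowed list, the account is not trusted for delegation, or S4U2self was needed
            // while s4U2selfEnabled is still "false". Fail closed; never fall back to an anonymous call.
            log("constrained delegation failed for " + req.getUserPrincipal().getName(), e);
            resp.sendError(HttpServletResponse.SC_BAD_GATEWAY);
            return;
        }
        HttpURLConnection conn = (HttpURLConnection) new URL(TARGET_URL).openConnection();
        conn.setRequestMethod("GET");
        conn.setRequestProperty("Authorization", authorization);
        int status = conn.getResponseCode();
        resp.setStatus(status);
        try (InputStream in = status < 400 ? conn.getInputStream() : conn.getErrorStream();
             OutputStream out = resp.getOutputStream()) {
            if (in == null) {
                return;
            }
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) {
                out.write(buf, 0, n);
            }
        }
    }

    /**
     * Chooses the S4U extension from how the caller authenticated and returns the
     * value for the outbound Authorization header.
     */
    static String buildOutboundAuthorization(HttpServletRequest req, Subject callerSubject)
            throws Exception {   // GSSException, LoginException, PrivilegedActionException per the Javadoc
        // Heuristic (assumption): a "Negotiate" header on this request means the caller presented a
        // Kerberos service ticket for LIBERTY_SPN. Later requests authenticated by the LTPA cookie
        // carry no such header and take the S4U2self path.
        String inbound = req.getHeader("Authorization");
        boolean inboundWasSpnego = inbound != null && inbound.startsWith("Negotiate ");
        String token;
        if (inboundWasSpnego) {
            // S4U2proxy: exchange the caller's ticket to LIBERTY_SPN, held in the run-as Subject,
            // for a ticket to TARGET_SPN.
            token = SpnegoHelper.buildS4U2proxyAuthorization(TARGET_SPN, callerSubject, LIFETIME, DELEGATE);
        } else {
            // Any other authentication (form login, LTPA cookie, ...): there is no ticket to exchange,
            // so use protocol transition (S4U2self). Needs s4U2selfEnabled="true" in server.xml and
            // "Use any authentication protocol" on the Liberty account. The last argument is the
            // Subject holding Liberty's own Kerberos credential; null (assumption) lets the feature
            // log in with the configured JAAS entry and keytab.
            String upn = req.getUserPrincipal().getName() + "@" + REALM;
            token = SpnegoHelper.buildS4U2proxyAuthorizationUsingS4U2self(
                    upn, TARGET_SPN, LIFETIME, DELEGATE, LIBERTY_SPN, null);
        }
        // The Javadoc calls the result the SPNEGO Authorization string; accept either the bare
        // base64 token or the complete header value.
        return token.startsWith("Negotiate ") ? token : "Negotiate " + token;
    }
}
```

Deploy the servlet in an application on a server with spnego-1.0 and constrainedDelegation-1.0 enabled, and add TARGET_SPN to the trusted services of the HTTP/myLibertyMachine.example.com account as in step 1. To confirm the fail-closed behaviour, point TARGET_SPN at a service that is not on that list: the KDC refuses the S4U2proxy request, the call returns 502, and the back end never receives a request without an Authorization header.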