Tivoli Federated Identity Manager, Version 6.2    

Planning configuration of the trust chain

To deploy a trust chain for Kerberos constrained delegation, you must complete two tasks:

  1. Create an instance of a Kerberos constrained delegation trust service module.
  2. Create a trust chain for Kerberos constrained delegation.

Tivoli® Federated Identity Manager provides configuration wizards for each task. The wizards prompt you to supply values for the required configuration properties.

Kerberos delegation module instance

The default set of Tivoli Federated Identity Manager trust modules does not include an instance of the Kerberos constrained delegation module type. You must create the instance.

Although it is possible for you to create more than one instance, you should create only one instance for each Tivoli Federated Identity Manager domain. This instance can be used in any module chain that is required.

The reason for the restriction to only one instance is that the Kerberos constrained delegation module loads a native DLL (Windows® dynamically loaded library) that is shared by all instances of the module. All instances therefore share the same configuration parameters.

When more than one module instance is created, only the last module to be initialized determines the size of the user cache created in the native code. To prevent confusion, the best practice is to create only one module instance.

Module Type
This required property is requested on the Module Type panel. The module type to use is:
com.tivoli.am.fim.trustserver.sts.modules.KerberosDelegationSTSModule
Module Instance name
This required property is requested on the Module Instance Name panel. Supply a string of your choosing. For example:
MyKerberosDelegationInstance
Module Instance Description
This optional property is requested on the Module Instance Name panel. You can enter a string that describes the instance.
Maximum size of the user credential cache

This required property is requested on the Kerberos Delegation Module Configuration panel. This number determines the number of impersonation handles and user credentials cached in the DLL loaded by the module. The caching is done to improve performance. Set this number to the approximate number of expected concurrent end users of the service for high-volume transactions.

The default setting is 100.

Note: The higher the number, the more memory is consumed by the Tivoli Federated Identity Manager runtime application.

Kerberos delegation trust chain

Chain Mapping Name

This required property is requested on the Chain Mapping Identification panel. You can specify any name for the chain. For example:

ivcred_to_kerberos
Chain Description
This optional property is requested on the Chain Mapping Identification panel. The description can be any string.
Create a Dynamic Chain
This property is requested on the Chain Mapping Identification panel. This option is not used with Kerberos delegation trust chains. Deselect this option.
Request Type
This required property is requested on the Chain Mapping Lookup panel. Select Issue Oasis URI.
Lookup Type
Select the radio button Use Traditional WS-Trust Elements (AppliesTo, Issuer, and Token Type).
(AppliesTo) Address
This required property is requested on the Chain Mapping Lookup panel. Enter an Address that corresponds to the applies-to property in the [tfimsso:jct_name] stanza in the WebSEAL configuration file. For example:
http://websealhost.example.com/kerbjct
(AppliesTo) Service Name
This required property is requested on the Chain Mapping Lookup panel.

This property has two fields.

For the first field, either set this value to an asterisk (*) to match all service names, or set it to the value of the service-name property in the [tfimsso:jct_name] stanza in the WebSEAL configuration file.

For the second field, always set this value to an asterisk (*).

(AppliesTo) Port Type
This property is requested on the Chain Mapping Lookup panel.

This property takes two fields.

Leave both fields blank.

(Issuer) Address
This required property is requested on the Chain Mapping Lookup panel. In the Address field, enter:
amwebrte-sts-client
(Issuer) Service Name
This optional property is requested on the Chain Mapping Lookup panel. Leave this field blank.
(Issuer) Port Type
This optional property is requested on the Chain Mapping Lookup panel. Leave this field blank.
Token Type
This required property is requested on the Chain Mapping Lookup panel. Select Kerberos GSS V5.
Initialize the chain upon startup of runtime
This required property is requested on the Chain Identification panel. Do not select this option.
Module Instances and modes
These required properties are requested on the Chain Assembly panel.

The Chain Assembly panel prompts you to enter values for the Module Instances in the chain. For each module instance, you must select a mode. You will then click a button to add the instance-mode pair to the chain.

For Kerberos constrained delegation, you want to configure a specific sequence of trust service modules:

  1. The first Module Instance is Default IVCred Token. Choose a mode of validate.
  2. The second Module Instance is the Kerberos delegation module instance that you created, as named in the Module Instance Name property within the module instance wizard. In our example, we used:
    MyKerberosDelegationInstance

    Select the issue mode.

Note: The wizard will warn you that your chain does not contain a module in map mode. For Kerberos constrained delegation, the map mode is not required.

You can add a map mode if your deployment requires it. A map module would be needed if the Tivoli Access Manager user name needs to be mapped to a different user name in the Active Directory registry.

In a typical deployment, this mapping is not required. For example, in many deployments, Tivoli Access Manager will be installed to use the Active Directory registry. In these cases, there is only one identity for each user.

Enable signature validation
This property is requested on the Access Manager Credential (IVCred) Module Configuration panel. Do not select this option.
Default target Service Principal Name
This property is requested on the Kerberos Delegation module configuration panel, as a Partner property.

In a typical deployment, you can leave this value blank.

This value can be used for WS-Trust clients that do not send the target Service Principal Name (SPN) in the AppliesTo/ServiceName element of the RequestSecurityToken (RST). The clients would also not have a mapping rule to configure the target SPN as a security token service universal user (STSUU) context attribute.

Options for adding a Tivoli Access Manager username for Kerberos authentication
The options allow you to specify whether the module will auto-append a suffix to the user name in the STSUniversalUser. The options are useful when deploying the Kerberos delegation module with a Tivoli Access Manager WebSEAL deployment. Options:
  • Do not add a suffix to the username.

    This option leaves the user name unmodified.

  • Add the machine DNS domain as a suffix to the username.

    This option auto-appends the DNS domain suffix for the Tivoli Federated Identity Manager runtime machine to the principal name in the STSUniversalUser before calling the Windows API to obtain a Kerberos ticket. The DNS domain is read from the Windows Registry Key:

    SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain

    This option optimizes the module behavior for use in Tivoli Access Manager configurations using Kerberos junctions. The addition of the DNS domain enables the Windows API to successfully match the user name against the user record in the Active Directory user registry.

    Note that the module auto-appends the DNS domain name when the STSUniversalUser principal name does not already contain the @ character. This means that if a mapping rule was used to append a suffix containing the @ character to the user principal name, or if the Tivoli Access Manager username contains the @ character, this setting has no effect.

  • Add the configured suffix to the username.

    This option is used to optimize the module behavior for use in Tivoli Access Manager configurations using Kerberos junctions.

    This option allows the administrator to manually specify the suffix. This option is for special cases where the userPrincipalName attribute for the user does not match the DNS domain name of the Windows machine running the Tivoli Federated Identity Manager Runtime. This option has no effect when the principal name already contains an @ character.

    The suffix to add if using a configured suffix
    For example:
    @mydomain.com
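The three suffix options above follow one rule: a principal name that already contains the @ character is never changed, otherwise the selected suffix is appended before the Kerberos ticket is requested. The following added example models that documented decision; it is not Tivoli Federated Identity Manager code, and the function name `resolvePrincipal`, the `SuffixOption` values and the sample user names are assumptions for illustration. The machine DNS domain is passed in as a parameter in place of the registry value the module reads.

```javascript
// Added example modelling the documented username-suffix options of the
// Kerberos delegation module. Names and option values are assumptions.
const SuffixOption = Object.freeze({
  NONE: "none",               // Do not add a suffix to the username
  MACHINE_DNS_DOMAIN: "dns",  // Add the machine DNS domain as a suffix
  CONFIGURED: "configured",   // Add the configured suffix
});

// Return the principal name that would be handed to the Windows API.
// `machineDomain` stands in for the value of the registry key
// SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain (assumed input).
// `configuredSuffix` is assumed to include the leading "@", as in "@mydomain.com".
function resolvePrincipal(principal, option, { machineDomain = "", configuredSuffix = "" } = {}) {
  if (typeof principal !== "string" || principal.length === 0) {
    throw new Error("STSUniversalUser principal name is required");
  }
  // Documented rule: a name that already carries "@" (from a mapping rule or
  // from the Tivoli Access Manager username itself) is left unmodified.
  if (principal.includes("@")) {
    return principal;
  }
  switch (option) {
    case SuffixOption.NONE:
      return principal;
    case SuffixOption.MACHINE_DNS_DOMAIN:
      if (!machineDomain) throw new Error("machine DNS domain is not available");
      return `${principal}@${machineDomain}`;
    case SuffixOption.CONFIGURED:
      if (!configuredSuffix.startsWith("@")) throw new Error("configured suffix must start with '@'");
      return principal + configuredSuffix;
    default:
      throw new Error(`unknown suffix option: ${option}`);
  }
}

// Constructed sample inputs: a plain TAM username and one already qualified.
const samples = [
  ["alice", SuffixOption.MACHINE_DNS_DOMAIN, { machineDomain: "corp.example.com" }],
  ["alice@corp.example.com", SuffixOption.MACHINE_DNS_DOMAIN, { machineDomain: "other.example.com" }],
  ["bob", SuffixOption.CONFIGURED, { configuredSuffix: "@mydomain.com" }],
];
for (const [user, option, settings] of samples) {
  console.log(`${user} [${option}] -> ${resolvePrincipal(user, option, settings)}`);
}
```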
