To deploy a trust chain for Kerberos constrained delegation, you must complete two tasks:
Tivoli® Federated Identity Manager provides configuration wizards for each task. The wizards prompt you to supply values for the required configuration properties.
The default set of Tivoli Federated Identity Manager trust modules does not include an instance of the Kerberos constrained delegation module type. You must create the instance.
Although it is possible for you to create more than one instance, you should create only one instance for each Tivoli Federated Identity Manager domain. This instance can be used in any module chain that is required.
The reason for this restriction is that the Kerberos constrained delegation module loads a native DLL (Windows® dynamically loaded library) that is shared by all instances of the module, so all instances share the same configuration parameters.
When more than one module instance is created, only the last module to be initialized determines the size of the user cache created in the native code. To prevent confusion, the best practice is to create only one module instance.
com.tivoli.am.fim.trustserver.sts.modules.KerberosDelegationSTSModule
MyKerberosDelegationInstance
This required property is requested on the Kerberos Delegation Module Configuration panel. This number determines the number of impersonation handles and user credentials cached in the DLL loaded by the module. The caching is done to improve performance. Set this number to the approximate number of expected concurrent end users of the service for high-volume transactions.
The default setting is 100.
This required property is requested on the Chain Mapping Identification panel. You can specify any name for the chain. For example:
ivcred_to_kerberos
http://websealhost.example.com/kerbjct
This property has two fields.
For the first field, either set the value to an asterisk (*) to match all service names, or set it to the value of the service-name property in the [tfimsso:jct name] stanza of the WebSEAL configuration file.
For the second field, always set the value to an asterisk (*).
This property takes two fields.
Leave both fields blank.
amwebrte-sts-client
The Chain Assembly panel prompts you to enter values for the module instances in the chain. For each module instance, you must select a mode and then click a button to add the instance-mode pair to the chain.
For Kerberos constrained delegation, you want to configure a specific sequence of trust service modules:
MyKerberosDelegationInstance
Select the issue mode.
You can add a map mode if your deployment requires it. A map module would be needed if the Tivoli Access Manager user name needs to be mapped to a different user name in the Active Directory registry.
In a typical deployment, this mapping is not required. For example, in many deployments, Tivoli Access Manager will be installed to use the Active Directory registry. In these cases, there is only one identity for each user.
In a typical deployment, you can leave this value blank.
This value can be used for WS-Trust clients that do not send the target Service Principal Name (SPN) in the AppliesTo/ServiceName element of the RequestSecurityToken (RST) and that also have no mapping rule that sets the target SPN as a security token service universal user (STSUU) context attribute.
This option leaves the user name unmodified.
This option auto-appends the DNS domain suffix for the Tivoli Federated Identity Manager runtime machine to the principal name in the STSUniversalUser before calling the Windows API to obtain a Kerberos ticket. The DNS domain is read from the Windows Registry Key:
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain
This option optimizes the module behavior for use in Tivoli Access Manager configurations using Kerberos junctions. The addition of the DNS domain enables the Windows API to successfully match the user name against the user record in the Active Directory user registry.
Note that the module auto-appends the DNS domain name only when the STSUniversalUser principal name does not already contain the @ character. Consequently, if a mapping rule appended a suffix containing the @ character to the user principal name, or if the Tivoli Access Manager user name itself contains the @ character, this setting has no effect.
This option is used to optimize the module behavior for use in Tivoli Access Manager configurations using Kerberos junctions.
This option lets the administrator specify the suffix manually. It is intended for special cases where the user's userPrincipalName attribute does not match the DNS domain name of the Windows machine that runs the Tivoli Federated Identity Manager Runtime. It has no effect when the principal name already contains an @ character.
@mydomain.com
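The three suffix options above share one rule: a principal name that already contains @ is passed through untouched, so a suffix added earlier by a mapping rule, or present in the Tivoli Access Manager user name, takes precedence over the module setting. The following added example (not Tivoli Federated Identity Manager code) models that decision so the outcome for a given name and setting can be checked before deployment; the mode names, the function name and the sample DNS domain are assumptions, and the registry value is a constructed stand-in.

```python
# Added illustration, not the product's own code: models how the principal
# name suffix options interact with an "@" that is already in the name.

NO_SUFFIX = "none"            # leave the user name unmodified
DNS_DOMAIN_SUFFIX = "dns"     # auto-append the runtime machine's DNS domain
MANUAL_SUFFIX = "manual"      # append an administrator-specified suffix

# Constructed stand-in for the value the module reads from the Windows key
# SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain on the runtime
# machine. It is fixed here so the example runs on any platform.
RUNTIME_DNS_DOMAIN = "corp.example.com"


def apply_suffix_mode(principal: str, mode: str, manual_suffix: str = "",
                      dns_domain: str = RUNTIME_DNS_DOMAIN) -> str:
    """Return the principal name that would be handed to the Windows API
    when requesting the Kerberos ticket.

    Both suffix-adding modes are skipped when the name already contains "@",
    so a suffix appended by a mapping rule, or carried in the Access Manager
    user name itself, is never doubled and the setting has no effect.
    """
    if mode == NO_SUFFIX:
        return principal
    if "@" in principal:
        return principal  # existing realm/suffix wins; setting has no effect
    if mode == DNS_DOMAIN_SUFFIX:
        return f"{principal}@{dns_domain}"
    if mode == MANUAL_SUFFIX:
        if not manual_suffix.startswith("@"):
            raise ValueError("manual suffix must start with '@', e.g. @mydomain.com")
        return principal + manual_suffix
    raise ValueError(f"unknown suffix mode: {mode!r}")


def suffix_was_applied(principal: str, mode: str, manual_suffix: str = "") -> bool:
    """True when the configured mode actually changed the name; useful for
    spotting users whose names already carried a suffix and so bypass it."""
    return apply_suffix_mode(principal, mode, manual_suffix) != principal


if __name__ == "__main__":
    for name in ("jsmith", "jsmith@other.example.com"):
        for mode, extra in ((NO_SUFFIX, ""), (DNS_DOMAIN_SUFFIX, ""),
                            (MANUAL_SUFFIX, "@mydomain.com")):
            print(f"{name:28} {mode:7} -> {apply_suffix_mode(name, mode, extra)}")
```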