Kerberos Requirements

You must have the Kerberos infrastructure set up in your deployment environment before you can use the Kerberos cipher suites with JSSE. In particular, both the TLS client and the TLS server must have accounts set up with the Kerberos Key Distribution Center (KDC). At run time, if one or more of the Kerberos cipher suites are enabled, the TLS client and server acquire the Kerberos credentials associated with their respective accounts from the KDC. For example, a TLS server running on the machine mach1.imc.org in the Kerberos realm IMC.ORG must have an account with the name host/mach1.imc.org@IMC.ORG and must be configured to use the KDC for IMC.ORG. See the Kerberos Requirements document for information about using Kerberos with the SDK.

An application can acquire its Kerberos credentials by using the Java™ Authentication and Authorization Service (JAAS) and a Kerberos login module. The SDK Version 8 Development Kit includes a Kerberos login module. You can use the Kerberos cipher suites with JSSE with or without JAAS programming, just as you can use the Java Generic Security Services (Java GSS) with or without JAAS programming.

To use the Kerberos cipher suites without JAAS programming, you must use the index name com.ibm.net.ssl.server or other for the TLS server JAAS configuration entry and com.ibm.net.ssl.client or other for the TLS client entry. For example, a TLS server that does not use JAAS programming might have the following JAAS configuration file:
com.ibm.net.ssl.server {
    com.ibm.security.auth.module.Krb5LoginModule required
    principal="host/mach1.imc.org@IMC.ORG"
    useKeyTab=true
    keyTab=mach1.keytab
    storeKey=true;
};

An example of how to use Java GSS and Kerberos without JAAS programming is described in the Java GSS Tutorial. You can adapt it to JSSE by replacing the Java GSS calls with JSSE calls.

To use the Kerberos cipher suites with JAAS programming, you can use any index name, because your application is responsible for creating the JAAS LoginContext with that index name and then wrapping the JSSE calls inside a Subject.doAs() or Subject.doAsPrivileged() call. An example of how to use JAAS with Java GSS and Kerberos is described in the Java GSS Tutorial. You can adapt it to JSSE by replacing the Java GSS calls with JSSE calls.
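The JAAS-programming pattern just described, written out as an added example (this is not code from the original page or from the SDK): the server logs in through a JAAS entry, then runs its JSSE accept loop inside Subject.doAs() so the handshake can use the credentials held in the Subject. The index name TlsServerEntry and port 8443 are assumptions; the JAAS configuration entry behind that name is assumed to use the Krb5LoginModule with a keytab, as in the example file above, so no callback handler is needed.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

public class KerberosTlsServer {
    // Assumed index name; it must match an entry in the JAAS configuration file
    private static final String JAAS_ENTRY = "TlsServerEntry";
    private static final int PORT = 8443; // assumed listening port

    public static void main(String[] args) throws Exception {
        // Step 1: acquire the server's Kerberos credentials via the login module
        // named in the JAAS entry (keytab-based, so no CallbackHandler is passed).
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();
        Subject serverSubject = lc.getSubject();

        // Step 2: run all JSSE work as that Subject, so the provider can find
        // the Kerberos credentials when a Kerberos cipher suite is negotiated.
        Subject.doAs(serverSubject, (PrivilegedExceptionAction<Void>) () -> {
            SSLServerSocketFactory factory =
                    (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
            try (SSLServerSocket listener =
                         (SSLServerSocket) factory.createServerSocket(PORT)) {
                // Restrict the listener to whichever Kerberos suites the
                // provider reports as supported, rather than hard-coding names.
                String[] krb5Suites = Arrays.stream(listener.getSupportedCipherSuites())
                        .filter(name -> name.contains("_KRB5_"))
                        .toArray(String[]::new);
                if (krb5Suites.length == 0) {
                    throw new IOException("provider offers no Kerberos cipher suites");
                }
                listener.setEnabledCipherSuites(krb5Suites);

                // Accept one connection; the handshake runs under the Subject.
                try (SSLSocket conn = (SSLSocket) listener.accept()) {
                    conn.startHandshake();
                    System.out.println("negotiated " + conn.getSession().getCipherSuite());
                }
            }
            return null;
        });
        lc.logout(); // release the credentials once the Subject is no longer needed
    }
}
```

Because the JSSE calls happen inside doAs(), the same code works unchanged with any index name; only the entry name in the JAAS configuration file has to agree with JAAS_ENTRY.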

If you have trouble using or configuring the JSSE application to use Kerberos, see the Troubleshooting section of the Java GSS Tutorial.