12.6. Configuring Kerberos for Glassfish and Tomcat

This section explains how to set up Glassfish or Tomcat to use Kerberos authentication. It assumes that Kerberos authentication is already available in the underlying infrastructure. If you need information on how to set up Kerberos in Solaris or Ubuntu Linux environments, refer to the following links:

Note that in a Windows environment you can set up a Kerberos KDC only on Windows Server editions 2000, 2003 and 2008. The KDC is bundled in these editions with its own Kerberos implementation as part of Active Directory. You cannot install the MIT Kerberos KDC on Windows. A Windows XP/Vista system can act as a client of the Windows Server KDC. Alternatively, you can install a client module of MIT Kerberos for Windows -- see Kerberos for Windows Release 3.2.2. You can then use the client module to authenticate against a KDC that was set up on a UNIX system.

12.6.1. For Glassfish

Specify the JAAS login modules to be used for Kerberos in the $GLASSFISH_HOME/domains/domain1/config/login.conf file, as follows (each entry in a JAAS login configuration file is terminated by a semicolon after its closing brace):

    KerberosClient {
        com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
    };

    KerberosServer {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true keyTab="/etc/krb5.keytab"
        doNotPrompt=true storeKey=true principal="websvc/service@INDIA.SUN.LOCAL";
    };


The entry names KerberosClient and KerberosServer are arbitrary; you can choose any names you like. Whatever names you choose must match the names referenced in the <sc:KerberosConfig> assertion in the WSDL file and in the wsit-client.xml file.

Also change the principal in the KerberosServer entry to the service principal that you created, and specify the correct location of the krb5.keytab file.

12.6.2. For Tomcat

Glassfish reads the login modules from $GLASSFISH_HOME/domains/domain1/config/login.conf. In Tomcat the file must be specified explicitly through the java.security.auth.login.config system property. Here are the steps:

  • Create a file named jaas.conf and place it in $CATALINA_HOME/conf. Here is what jaas.conf looks like:

        KerberosClient {
            com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
        };
        KerberosServer {
            com.sun.security.auth.module.Krb5LoginModule required
            useKeyTab=true keyTab="/etc/krb5.keytab"
            doNotPrompt=true storeKey=true principal="websvc/service@INDIA.SUN.COM";
        };

  • Add the following line to the catalina.sh script (or set the same option in JAVA_OPTS in your environment). Note that the -D option must be inside the quotes so that it becomes part of JAVA_OPTS:

        JAVA_OPTS="$JAVA_OPTS -Djava.security.auth.login.config=$CATALINA_HOME/conf/jaas.conf"

  • Specify the following system properties when running your client code:

        -Djava.security.policy=/conf/catalina.policy
        -Djava.security.auth.login.config=/conf/jaas.conf

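The following is an added example, not code from the Metro/WSIT documentation or the Glassfish/Tomcat projects: a small Java program that logs in through the KerberosServer JAAS entry configured above and reports what the resulting Subject contains, so that a wrong keytab path, a principal/realm mismatch or a misnamed entry is caught before the web service is deployed. It assumes a Tomcat layout ($CATALINA_HOME/conf/jaas.conf); the class name KerberosJaasCheck is hypothetical.

```java
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/*
 * Hypothetical KerberosJaasCheck: performs a JAAS login with the named entry
 * (default "KerberosServer") and reports what the resulting Subject holds.
 * Because the entry uses useKeyTab=true and doNotPrompt=true, no
 * CallbackHandler is supplied; a prompt would mean the keytab was not used.
 */
public class KerberosJaasCheck {

    /** Returns true when the entry logs in and yields a Kerberos principal. */
    static boolean check(String entry) {
        LoginContext lc;
        try {
            lc = new LoginContext(entry);
            lc.login();
        } catch (LoginException e) {
            // Typical causes: entry name absent from the file named by
            // java.security.auth.login.config, keytab missing or unreadable,
            // principal/realm not matching a keytab entry, or clock skew.
            System.err.println("JAAS login for '" + entry + "' failed: " + e.getMessage());
            return false;
        }
        Subject subject = lc.getSubject();
        boolean ok = false;
        for (KerberosPrincipal p : subject.getPrincipals(KerberosPrincipal.class)) {
            System.out.println("Authenticated as " + p.getName()
                    + " (realm " + p.getRealm() + ")");
            ok = true;
        }
        // storeKey=true keeps the long-term key material in the private
        // credentials (a KeyTab or KerberosKey object, depending on the JDK);
        // the service needs it to decrypt the tickets that clients present.
        System.out.println("Private credentials: "
                + subject.getPrivateCredentials().size());
        return ok;
    }

    public static void main(String[] args) {
        // Assumed Tomcat layout; for Glassfish point this at
        // $GLASSFISH_HOME/domains/domain1/config/login.conf instead.
        if (System.getProperty("java.security.auth.login.config") == null) {
            System.setProperty("java.security.auth.login.config",
                    System.getenv("CATALINA_HOME") + "/conf/jaas.conf");
        }
        // Optional: have Krb5LoginModule print its own diagnostics.
        System.setProperty("sun.security.krb5.debug", "true");
        String entry = args.length > 0 ? args[0] : "KerberosServer";
        System.exit(check(entry) ? 0 : 1);
    }
}
```

Run it on the service host as the same user that will run Tomcat or Glassfish, since the keytab must be readable by that account.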

Terms of Use; Privacy Policy; Copyright ©2013-2014 (revision 20140418.2d69abc)