Kerberos Authentication
Kerberos is an authentication protocol that uses symmetric encryption and a trusted third-party system to validate the identity of clients. The Kerberos protocol provides authentication over open and insecure networks in which communication between the hosts can be intercepted. You can use Integration Server to enable and configure Kerberos authentication for service requests.
Prerequisites: The krb5.conf file from the Key Distribution Center (KDC).
1. Configure the krb5.conf in Integration Server Administrator.
a. Start Integration Server Administrator.
b. Go to Security > Kerberos.
c. Click Edit Kerberos Settings.
d. Go to Security > Kerberos > Edit page.
Provide the following information in the Kerberos Settings section:
Field: Description
Realm: Optional. Domain name of the Kerberos server, in all uppercase letters.
Key Distribution Center Host: Optional. Host name of the machine on which the KDC resides.
Kerberos Configuration File: Location of the Kerberos configuration file that contains the Kerberos configuration information, including the locations of KDCs, defaults for the realm and for Kerberos applications, and the host names and Kerberos realms mappings.
Use Subject Credentials Only: Specifies whether Integration Server requires a Kerberos V5 Generic Security Services (GSS) mechanism to obtain the necessary credentials from an existing subject set up by the JAAS authentication module.
For more information about configuring Integration Server to use Kerberos, see webMethods Integration Server Administrator’s Guide.
2. Add the login module to the Integration Server_directory\instances\<instance_name>\config\is_jaas.cnf file. The is_jaas.cnf file is provided by Integration Server and is located in the Integration Server_directory\instances\<instance_name>\config directory.
If you decide to create a login module configuration file, the file must follow this format:
<name> {
<LoginModule> <flag> <LoginModule options>;
<optional_additional_LoginModules, flags_and_options>;
};
Example of a login module configuration file for the Microsoft SQL Server JDBC driver:
SQLJDBCDriver {
com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
};
Note:
The name of the login module configuration file can be fixed or variable, depending on the driver, and can optionally be passed as a connection property. For the Microsoft SQL Server JDBC driver, the name of the login module configuration file can optionally be passed using the connection property jaasConfigurationName, which allows each connection to have its own login configuration.
3. You can utilize Kerberos authentication in two ways.
* Kerberos ticket cache
Example of Kerberos ticket cache authentication for the Microsoft SQL Server JDBC driver:
SQLJDBCDriver {
com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
};
* Kerberos keytab file
The keytab file specifies the service principal. Example of Kerberos keytab file authentication for the Microsoft SQL Server JDBC driver:
// Backslashes inside a quoted value must be doubled.
SQLJDBCDriver {
com.sun.security.auth.module.Krb5LoginModule
required useKeyTab=true
keyTab="c:\\softwareag\\joe_analyst.keytab"
principal="joe_analyst/xxx.eur.ad.sag@example.com";
};
4. Configure the Other Properties field in JDBC Connection.
For example, for the Microsoft SQL Server JDBC driver:
integratedSecurity=true;authenticationScheme=JavaKerberos
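Added example (not part of the webMethods documentation): a Python check that parses login entries in the is_jaas.cnf format from steps 2 and 3 and flags Krb5LoginModule entries that the JDK would misread or that enable neither of the two modes. The entry names, paths and principals in the sample are constructed; the backslash check assumes the JDK's login-configuration parser, which treats a backslash inside a quoted value as an escape character.

```python
import re

FLAGS = {"required", "requisite", "sufficient", "optional"}
QUOTED = r'"(?:[^"\\]|\\.)*"'
COMMENT = re.compile(r'(%s)|/\*.*?\*/|//[^\n]*' % QUOTED, re.S)  # group 1 = quoted value
ENTRY = re.compile(r'([\w.-]+)\s*\{(.*?)\}\s*;', re.S)
OPTION = re.compile(r'(\w+)\s*=\s*(%s|[^\s;"]+)' % QUOTED)
MODULE = re.compile(r'([\w.$]+)\s+(\w+)((?:\s+\w+\s*=\s*(?:%s|[^\s;"]+))*)\s*;' % QUOTED)

def parse_jaas(text):
    """Parse '<name> { <LoginModule> <flag> <options>; };' entries, ignoring comments."""
    text = COMMENT.sub(lambda m: m.group(1) or "", text)
    return {name: [(m, f, dict(OPTION.findall(o))) for m, f, o in MODULE.findall(body)]
            for name, body in ENTRY.findall(text)}

def lint(text):
    """Return (entry, message) findings for the Krb5LoginModule entries."""
    findings = []
    for name, modules in parse_jaas(text).items():
        for mod, flag, opts in modules:
            if flag not in FLAGS:
                findings.append((name, f"unknown control flag {flag!r}"))
            if not mod.endswith("Krb5LoginModule"):
                continue
            if opts.get("useKeyTab", "").strip('"') == "true":
                for key in ("keyTab", "principal"):
                    if key not in opts:
                        findings.append((name, f"useKeyTab=true but {key} is not set"))
                # Remove escaped pairs; any backslash left would be dropped by the JDK.
                if "\\" in opts.get("keyTab", "").replace("\\\\", ""):
                    findings.append((name, "keyTab path has an unescaped backslash"))
            elif opts.get("useTicketCache", "").strip('"') != "true":
                findings.append((name, "neither ticket cache nor keytab is enabled"))
    return findings

KRB5 = "com.sun.security.auth.module.Krb5LoginModule"
# Constructed sample entries (names, paths and principals are made up).
SAMPLE = r'''
TicketCache { KRB5 required useTicketCache=true; };
Keytab { KRB5 required useKeyTab=true
         keyTab="c:\softwareag\svc.keytab" principal="svc@EXAMPLE.COM"; };
Escaped { KRB5 required useKeyTab=true
          keyTab="c:\\softwareag\\svc.keytab" principal="svc@EXAMPLE.COM"; };
Broken { KRB5 mandatory useKeyTab=true; }; // wrong flag, nothing else set
'''.replace("KRB5", KRB5)

if __name__ == "__main__":
    for entry, message in lint(SAMPLE):
        print(f"{entry}: {message}")
```

Forward slashes in the keyTab path are not flagged by this check either.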