Integration Server 10.3 | Integration Server Administrator's Guide | Configuring Integration Server to Use Kerberos | Configuring Integration Server to Use Kerberos
 
Configuring Integration Server to Use Kerberos
 
Order of Precedence for Principal Name and Password
Use Integration Server Administrator to enable and configure Integration Server to use Kerberos authentication for inbound and outbound service requests. Integration Server passes this information to the Kerberos login module.
Keep the following information in mind when configuring Kerberos for Integration Server:
*Values specified for Realm and Key Distribution Center Host overwrite the default key distribution center (KDC) and realm set in the KDC configuration file specified in the Kerberos Configuration File. Do not specify values for Realm and Key Distribution Center Host if you do not want to overwrite the default KDC and realm in the Kerberos configuration file.
*If you specify Key Distribution Center Host, you must also specify Realm, and vice versa.
*By default, for outbound requests that require Kerberos authentication ,Integration Server generates a Java Kerberos ticket using the JGSS Kerberos OID. If you need Integration Server to generate a SPNEGO-based Kerberos ticket for outbound requests that use Kerberos authentication, set the watt.security.kerberos.client.useSPNEGO server configuration parameter to true. This instructs Integration Server to generate a SPNEGO token using SPNEGO OID (Object Identifier) for all outbound requests that require Kerberos authentication.
*To configure Kerberos authentication
1. Open Integration Server Administrator.
2. In the Navigation panel, select Security > Kerberos.
3. Click Edit Kerberos Settings.
4. On the Security > Kerberos > Edit page, under Kerberos Settings, provide the following information:
In this field...
Specify...
Realm
The domain name of the Kerberos server, in all uppercase letters. All the computers managed by the KDC and secondary KDCs, if any, constitute the realm.
Example: KERBEROS.RNDLAB.LOC
This field is optional.
Note:
A value specified for Realm overwrites the realm set in the KDC configuration file specified in Kerberos Configuration File.
Key Distribution Center Host
The host name of the machine on which the KDC resides.
Example: lab.kerberos.rndlab.loc
This field is optional.
Note:
A value specified for Key Distribution Center Host overwrites the default key distribution center set in the KDC configuration file specified in Kerberos Configuration File.
Kerberos Configuration File
The location of the Kerberos configuration file that contains the Kerberos configuration information, including the locations of KDCs, defaults for the realm and for Kerberos applications, and the host names and Kerberos realms mappings.
Use Subject Credentials Only
Specifies whether Integration Server requires a Kerberos V5 Generic Security Services (GSS) mechanism to obtain the necessary credentials from an existing subject set up by the JAAS authentication module. Here, “subject” represents the user or service being authenticated in the JAAS login context.
When the Use Subject Credentials Only check box is selected, Integration Server requires a GSS mechanism to obtain the credentials from an existing Subject. Integration Server uses the Ticket Granting Ticket (TGT) stored in the subject to establish a GSS security context. The service ticket is also stored in the subject. When the Use Subject Credentials Only check box is selected, the JVM in which Integration Server runs can use only the credentials found in the Subject in the JAAS authentication module. The JVM cannot use another underlying mechanism to obtain the credentials.
When the Use Subject Credentials Only check box is cleared, Integration Server does not require a GSS mechanism to obtain credentials from an existing Subject. Instead, the JVM in which Integration Server runs can use another underlying mechanism of its choice, such as a reading from a protected file on disk, to obtain credentials for the Subject. The JVM first checks the Subject in the JAAS authentication module. If the JVM does not find the credentials in the JAAS Subject, then the JVM uses an alternate credential mechanism to obtain credentials.
The Use Subject Credentials Only check box must be selected if you want to use Kerberos authentication for service requests.
5. Click Save Changes.