Integration Server 10.3 | Web Services Developer’s Guide | Securing Web Services Using WS-SecurityPolicy | Securing Web Services Using Policies Based on WS-SecurityPolicy | Using Kerberos for Authentication
 
Using Kerberos for Authentication
If you want to use policies based on WS-SecurityPolicy that include Kerberos tickets for authentication, you must set up Integration Server so that it can process the Kerberos tickets. Integration Server supports Kerberos tickets in policies attached to provider and consumer web service descriptors for inbound and outbound requests, respectively.
For a provider inbound request message, Integration Server must be able to validate the Kerberos ticket using its Java Authorization and Authentication Service (JAAS) login modules. For a consumer outbound request message, Integration Server must be able to create the Kerberos ticket using its JAAS login modules.
Note:
Integration Server currently supports Kerberos authentication for outbound web service requests of transportType HTTPS only.
Note:
Kerberos Delegated Authentication is currently not supported for web service requests.
*To use Kerberos for inbound authentication or outbound requests
1. Configure the Kerberos settings. For instructions, see Kerberos Delegated Authentication.
2. Go to Software AG_directory /IntegrationServer/instances/instance_name/config and open the is_jaas.cnf file.
a. For inbound, create a JAAS login context similar to this:
WS_KERBEROS_INBOUND {
com.sun.security.auth.module.Krb5LoginModule required
refreshKrb5Config=true storeKey=true isInitiator=false debug=true;
};
b. For outbound, create a JAAS login context similar to this:
WS_KERBEROS_OUTBOUND {
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};
3. Supply Kerberos settings in the web service endpoint aliases. Requests that use Kerberos tickets must be transported securely so the Kerberos settings are available only after you select HTTPS as the Transport Type. For inbound, supply the Kerberos settings in the provider web service endpoint alias. For outbound, supply these settings in the consumer endpoint alias or pass in the settings when you run the web service connector. For instructions, see Creating an Endpoint Alias for a Consumer Web Service Descriptor for Use with HTTP/S.
4. Attach the Kerberos authentication policy to the web service descriptor. For instructions, see webMethods Service Development Help.
5. For inbound, configure an LDAP directory service for the Kerberos key distribution center (KDC). If you are using Central Users in Integration Server, see Administering My webMethods Server for instructions. If you want to directly configure an LDAP in Integration Server, see Configuring the Server to Use LDAP. for instructions.
6. For inbound, Integration Server uses the KerberosPrincipalMapper login module, which resolves the Kerberos ticket to a user name and is already present in the is_jaas.cnf file. The resolved principal appears as username@realm-name (for example, alice@ARGOS.RNDLAB.LOC). The KerberosPrincipalMapper login module exposes a parameter named parse_kerberos_principal. By default, it is set to true, so Integration Server parses out the user name (for example, alice) and then searches for that user name in Central Users or in the LDAP directories.
If you want to resolve the identified principal to something else, add your own login module above the KerberosPrincipalMapper login module. You can also remove the default KerberosPrincipalMapper by commenting out that line. You can access the authenticated principal using this code in the authenticate method of your JAAS login module:
Map headers = userCreds.getHeaderFields();
if(headers == null || headers.isEmpty()) {
return false;
}
Principal principal = (Principal)headers.get
("sin.jaas.binary.security.token.principal");
For more information on how to build and deploy your own JAAS login module, see the customizing authentication section of webMethods Integration Server Administrator’s Guide.