Configure Kerberos Authentication for Directory Services
You can configure a directory service in My webMethods Server to connect to Active Directory using Kerberos. To configure this authentication option, you must add your Kerberos realms to the krb5.conf file of the installation and add a new authentication module to the jaas.config file of your server instance. To use a Kerberos credentials cache, you must also configure the ticket cache location in the jaas.config file.
To configure a directory service in My webMethods Server to connect to LDAP via Kerberos
1. Create a krb5.conf file in the /conf/security or /jre/lib/security directory of your Java installation. If a krb5.conf file already exists, edit it to include the realm configuration and the location of the Kerberos Key Distribution Center (KDC), as follows:
[libdefaults]
default_realm = MYREALM.COM

[realms]
MYREALM.COM = {
    kdc = myrealm.kdc_url:port
}
2. Specify the location of the krb5.conf file by adding the following property in the custom_wrapper.conf file for My webMethods Server:
wrapper.java.additional.nnn=-Djava.security.krb5.conf="file_location/krb5.conf"
where file_location is the full path of the directory that contains your krb5.conf file.
3. Restart My webMethods Server.
4. Open the jaas.config file for your My webMethods Server instance in a text editor.
The file is located in the Software AG_directory/profiles/instance_name/configuration directory.
5. At the bottom of the file, add one of the following snippets, depending on the required configuration:
- To register a new authentication module with the name MWSKerberosLDAP that uses the credentials of the security principal for authentication:
MWSKerberosLDAP {
    com.sun.security.auth.module.Krb5LoginModule required;
};
- To register a new authentication module with the name MWSKerberosLDAP that uses the Kerberos ticket cache:
MWSKerberosLDAP {
    com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=true
        ticketCache="path_to_ticket_cache_location/security_principal_krb5.tc";
};
For ticketCache, supply the full path and the file name of the credentials cache file for your security principal.
Note: Do not change the module name!
6. In My webMethods, navigate to Applications > Administration > My webMethods > Directory Services > Directory Services Administration.
7. Click the name of the LDAP directory service you want to configure.
8. From the Use Kerberos drop-down list under Connection Information, select Yes. Use Kerberos.
9. Do one of the following:
- For Security Principal, enter the name of the Kerberos principal, and for Security Credentials, enter the password of the Kerberos principal. These fields are required when you do not want to use the Kerberos ticket cache.
- Enable the Use Ticket Cache checkbox. For this setting to take effect, you must first configure a ticket cache location as described in step 5.
10. Click Apply.
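The following stand-alone program is an added example, not code from My webMethods Server or Software AG: it exercises the same krb5.conf and the MWSKerberosLDAP entry from jaas.config outside the server, so a wrong realm, KDC or ticket cache path surfaces in a clear LoginException before you restart the instance. The class name, the LDAP URL, the base DN and the optional principal/password arguments are assumptions; the -Djava.security.auth.login.config property is needed only because the check runs outside the server.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;

// Constructed check, not part of My webMethods Server. Run it with the same krb5.conf
// the server uses and point JAAS at the instance's jaas.config, for example:
//   java -Djava.security.krb5.conf=file_location/krb5.conf \
//        -Djava.security.auth.login.config=.../configuration/jaas.config \
//        KerberosLdapCheck ldap://ldap.myrealm.com:389 dc=myrealm,dc=com [principal password]
// Omit principal and password when the MWSKerberosLDAP entry uses useTicketCache=true.
public class KerberosLdapCheck {
    public static void main(String[] args) throws Exception {
        // Supplies Security Principal / Security Credentials only for the password variant;
        // with useTicketCache=true, Krb5LoginModule reads the cache and never calls back.
        LoginContext lc = new LoginContext("MWSKerberosLDAP", callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback && args.length > 2) {
                    ((NameCallback) cb).setName(args[2]);
                } else if (cb instanceof PasswordCallback && args.length > 3) {
                    ((PasswordCallback) cb).setPassword(args[3].toCharArray());
                } else {
                    throw new UnsupportedCallbackException(cb, "no credentials supplied");
                }
            }
        });
        lc.login(); // fails here if krb5.conf, the KDC, the JAAS entry or the cache is wrong
        Subject subject = lc.getSubject();
        // Bind over SASL/GSSAPI with the ticket just obtained and run one bounded search.
        int found = Subject.doAs(subject, (PrivilegedExceptionAction<Integer>) () -> {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, args[0]);
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            env.put("javax.security.sasl.qop", "auth-conf"); // integrity and confidentiality
            DirContext ctx = new InitialDirContext(env);
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            NamingEnumeration<SearchResult> rs = ctx.search(args[1], "(objectClass=user)", sc);
            int n = 0;
            while (rs.hasMore() && n < 5) { System.out.println(rs.next().getNameInNamespace()); n++; }
            ctx.close();
            return n;
        });
        System.out.println("Search returned " + found + " entries; Kerberos bind works.");
        lc.logout();
    }
}
```

Requesting the auth-conf quality of protection makes the check fail early if the directory will only negotiate an unprotected GSSAPI session, which is the same condition that later affects the server's LDAP traffic.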