?
Solved

Kerberos Authentication and Websphere

Posted on 2013-02-05
1
Medium Priority
?
851 Views
Last Modified: 2013-04-28
I am trying to implement a web service on WAS 7.0 that uses JNDI to communicate with an Active Directory running Windows Server 2008 R2.

Before I begin, I'd like to mention that I have not much knowledge in Kerberos authentication but have read up on the mechanism.

I have successfully implemented and tested a change password function using a web service call from a client to the AD through WAS.
System.setProperty("javax.net.ssl.trustStore", keystore);
env.setProperty(Context.SECURITY_AUTHENTICATION, "Simple");
env.setProperty(Context.SECURITY_PROTOCOL, "ssl");
env.setProperty(Context.SECURITY_PRINCIPAL, principal);
env.setProperty(Context.SECURITY_CREDENTIALS, credentials);
env.setProperty(Context.PROVIDER_URL, providerUrl);
InitialLdapContext ctx = new InitialLdapContext(env, null);

// Call change password function using ctx

Open in new window

I understand that to implement Kerberos authentication in JNDI, the code below should be used instead.
env.setProperty(Context.SECURITY_AUTHENTICATION, "GSSAPI");

Open in new window

I have also successfully implemented Kerberos authentication without WAS (no web services) by using the kinit command on the client to retrieve the cache and then running the modified code on the console. This can't be the right way to proceed as I cannot expect the client to open the command prompt to key kinit every time he uses the system.
LoginContext lc = new LoginContext("krb5.conf");
lc.login();

Open in new window

I have executed the above code and managed to get a successfully authentication. The krb5.conf, keytab and keystore are stored locally on the client for this testing purpose. I understand that these are supposed to be configured within WAS.

The problem arises when I am trying to integrate WAS with the code I have. I'm not too familiar with the settings within WAS and assuming the settings within have been set up correctly (by someone else), what should I do to within my code to perform the task at hand? I should not be utilizing files such as the keytab directly.

What I have at the moment is very similar to this Link and I believe that WAS should be handling most of it for me, but I am not sure how.

Thanks in advance.
0
Comment
Question by:pcssecure
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 22

Accepted Solution

by:
Radhakrishnan R earned 1000 total points
ID: 38858164
Hi,

I have seen enabling kerberos authentication in IIS but not WAS. I believe that the configuration will be similar. Please check this article and see it makes any shades http://support.microsoft.com/kb/326089

http://www.ibm.com/developerworks/websphere/library/techarticles/0910_jain1/0910_jain1.html
0

Featured Post

NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Viewers will learn how to properly install Eclipse with the necessary JDK, and will take a look at an introductory Java program. Download Eclipse installation zip file: Extract files from zip file: Download and install JDK 8: Open Eclipse and …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses
Course of the Month11 days, 14 hours left to enroll

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question