Thursday, May 3, 2012

Configure Kerberos and SPNEGO in WebSphere Application Server

Configure Kerberos trace with the following trace string:

CreateKrbAuthMechanism=finest
Problem: minor string: Cannot get credential from JAAS Subject for principal: HTTP/hostname@REALM

This is a WAS Admin Console bug. To fix it, edit security.xml directly so that KRB5 is the active authentication mechanism (activeAuthMechanism="KRB5_1") and the KRB5 authMechanisms element carries the realm, krb5 config, keytab and SPN:


<security:Security xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:orb.securityprotocol="http://www.ibm.com/websphere/appserver/schemas/5.0/orb.securityprotocol.xmi" xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi" xmi:id="Security_1" useLocalSecurityServer="true" useDomainQualifiedUserNames="false" enabled="true" cacheTimeout="600" issuePermissionWarning="false" activeProtocol="BOTH" enforceJava2Security="false" enforceFineGrainedJCASecurity="false" appEnabled="true" dynamicallyUpdateSSLConfig="true" allowBasicAuth="true" activeAuthMechanism="KRB5_1" activeUserRegistry="LDAPUserRegistry_1" defaultSSLSettings="SSLConfig_1">
<authMechanisms xmi:type="security:KRB5" xmi:id="KRB5_1" OID="oid:1.2.840.113554.1.2.2" authContextImplClass="com.ibm.ISecurityLocalObjectTokenBaseImpl.Krb5WSSecurityContextImpl" authConfig="system.KRB5" simpleAuthConfig="system.KRB5" authValidationConfig="system.KRB5" krb5Realm="ARTICY.COM" krb5Config="/opt/was/krb5.ini" krb5Keytab="/opt/was/wasabccldvapp01.keytab" krb5Spn="HTTP/${HOST}" trimUserName="true" enabledGssCredDelegate="false" configured="true"/>
<authMechanisms xmi:type="security:LTPA" xmi:id="LTPA_1" OID="oid:1.3.18.0.2.30.2" authContextImplClass="com.ibm.ISecurityLocalObjectTokenBaseImpl.WSSecurityContextLTPAImpl" authConfig="system.LTPA" simpleAuthConfig="system.LTPA" authValidationConfig="system.LTPA" timeout="120" keySetGroup="KeySetGroup_1">

Check the SPNs registered on the AD service account; both the short form and the form with @REALM must be listed:

setspn -l mywasserver
Registered ServicePrincipalNames for CN=Service mywasserver,OU=Service Groupand Accounts,DC=AD,DC=ARTICY,DC=net:
        HTTP/mywasserver.articy.com
        HTTP/mywasserver.articy.com@AD.ARTICY.NET

Generate the krb5 configuration file from wsadmin on the WAS host, then create the keytab on the domain controller and copy it to the path given in -keytabPath:

$AdminTask createKrbConfigFile {-krbPath /opt/was/krb5.ini -realm AD.ARTICY.NET -kdcHost kdc02.ad.articy.net -dns ad.articy.net -keytabPath /opt/was/mywasserver.keytab}
ktpass -princ HTTP/mywasserver.articy.com@AD.ARTICY.NET -mapuser mywasserver -pass * -out c:\mywasserver.keytab -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

The password entered at the ktpass prompt (-pass *) must be the same as the mapped service account's password.
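Before restarting WAS it is worth confirming that the keytab actually contains the principal WAS will look up (krb5Spn with ${HOST} expanded, plus @krb5Realm); a mismatch in host name or realm is what produces "Cannot get credential from JAAS Subject". The parser below is an added example, not part of the original post or of WAS; it reads the MIT 0x0502 keytab format and the sample keytab is constructed inline with dummy keys.

```python
import struct

def _cstr(buf, pos):
    """Read a keytab counted octet string (uint16 length + bytes)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data: bytes):
    """Parse an MIT version-2 (0x0502) keytab; return principal, enctype and kvno per entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                      # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        realm, p = _cstr(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _cstr(data, p); comps.append(c)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, p); p += 9
        enctype, klen = struct.unpack_from(">HH", data, p); p += 4
        p += klen                           # skip the key material itself
        kvno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "enctype": enctype, "kvno": kvno})
        pos = end
    return entries

def check_keytab(data: bytes, spn: str, realm: str):
    """Return the entries matching spn@realm; an empty list means WAS cannot get a credential."""
    want = f"{spn}@{realm}"
    return [e for e in parse_keytab(data) if e["principal"] == want]

def build_keytab(principals):
    """Construct a keytab from (components, realm, enctype, kvno) tuples with 16 zero bytes as key."""
    out = b"\x05\x02"
    for comps, realm, enctype, kvno in principals:
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)          # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, 16) + b"\x00" * 16 + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

# Constructed sample: enctype 23 is RC4-HMAC, what ktpass -crypto RC4-HMAC-NT writes.
SAMPLE = build_keytab([(["HTTP", "mywasserver.articy.com"], "AD.ARTICY.NET", 23, 3),
                       (["host", "mywasserver.articy.com"], "AD.ARTICY.NET", 23, 3)])
```

Run check_keytab against the real keytab bytes with the SPN and realm from security.xml; note that the realm must match exactly, so a krb5Realm of ARTICY.COM finds nothing in a keytab issued for AD.ARTICY.NET.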

References:
1. setspn syntax

2 comments:

  1. Hi.
    I am trying to set up SSO between WAS running on Linux and Windows AD. I have a few queries.
    1. Should the realm name always be in CAPS?
    2. When we use the setspn command, should the principal name be displayed with @realm? In my case it is not displayed like that; am I getting the error "Cannot get credential from JAAS Subject for principal: HTTP/hostname@REALM" because of this?
    3. In our environment WAS is in xxx.om and AD is in yyy.com; will this be an issue for this authentication?

  2. Q1: I think it is a Windows convention. Not sure; I always use CAPS.
    Q2: The SPN must be in that format. Follow the above instructions and you should be able to fix it.
    Q3: It is now an issue.