Kerberos authentication for Open Liberty

Kerberos is a network authentication protocol through which a client and server can authenticate one another by communicating with a trusted third-party Key Distribution Center (KDC). You can configure your Open Liberty server to use Kerberos credentials to authenticate to protected resources, such as Java Database Connectivity (JDBC) data sources, Lightweight Directory Access Protocol (LDAP) servers, and more.

Kerberos configuration for Open Liberty

Kerberos authentication in Open Liberty builds on the Kerberos Login Module and the Java Generic Security Service (JGSS) API that are provided by the Java SDK.

The optional kerberos element provides configuration options for any Open Liberty features that use Kerberos credentials. If you enable any features that use Kerberos credentials, you can specify this element in your server.xml file. To determine whether a feature supports this element, see the list of feature configuration elements in the reference documentation for the feature.

The following example shows a Kerberos configuration for the Java Database Connectivity feature:

<featureManager>
  <feature>jdbc-4.2</feature>
</featureManager>

<kerberos keytab="${server.config.dir}/security/krb5.keytab" configFile="${server.config.dir}/security/krb5.conf"/>

The keytab and configFile attributes are both optional. If you don’t specify these attributes, Open Liberty resolves their values according to the following priority:

  1. Any ccache file locations that are specified by the krb5TicketCache attribute

  2. The default locations that are defined by the Java SDK, such as the {user.home}/krb5.keytab file or a location that is specified by Java SDK-defined system properties

The krb5TicketCache attribute can be optionally specified for any feature that uses Kerberos credentials. If specified, this attribute takes precedence over any keytab and configFile values, Java SDK defaults, or operating system defaults. You might specify this attribute to configure credentials for a specific feature that are different from the configured values in the kerberos element.

On the Windows operating system, the default Kerberos configuration file name is krb5.ini. On other operating systems, the file name is krb5.conf, as shown in the value for the configFile attribute in the previous example.