Kerberos authentication for Open Liberty
Kerberos is a network authentication protocol through which a client and server can authenticate one another by communicating with a trusted third-party Key Distribution Center (KDC). You can configure your Open Liberty server to use Kerberos credentials to authenticate to protected resources, such as Java Database Connectivity (JDBC) data sources, Lightweight Directory Access Protocol (LDAP) servers, and more.
Kerberos configuration for Open Liberty
Kerberos authentication in Open Liberty builds on the Kerberos Login Module and the Java Generic Security Service (JGSS) API that are provided by the Java SDK.
The optional kerberos element provides configuration options for any Open Liberty features that use Kerberos credentials. If you enable any features that use Kerberos credentials, you can specify this element in your server.xml
file. To determine whether a feature supports this element, see the list of feature configuration elements in the reference documentation for the feature.
The following example shows a Kerberos configuration for the Java Database Connectivity feature:
<featureManager>
<feature>jdbc-4.2</feature>
</featureManager>
<kerberos keytab="${server.config.dir}/security/krb5.keytab" configFile="${server.config.dir}/security/krb5.conf"/>
The keytab
and configFile
attributes are both optional. If you don’t specify these attributes, Open Liberty resolves their values according to the following priority:
Any
ccache
file locations that are specified by thekrb5TicketCache
attributeThe default locations that are defined by the Java SDK, such as the
{user.home}/krb5.keytab
file or a location that is specified by Java SDK-defined system properties
The krb5TicketCache
attribute can be optionally specified for any feature that uses Kerberos credentials. If specified, this attribute takes precedence over any keytab
and configFile
values, Java SDK defaults, or operating system defaults. You might specify this attribute to configure credentials for a specific feature that are different from the configured values in the kerberos
element.
On the Windows operating system, the default Kerberos configuration file name is krb5.ini
. On other operating systems, the file name is krb5.conf
, as shown in the value for the configFile
attribute in the previous example.