
Key Distribution Center Configuration

Use

The Kerberos authentication process uses a Key Distribution Center (KDC) to authenticate a client and to issue the Kerberos Client/Server Session Ticket, which is used for the communication between the Web client and the J2EE Engine. For this reason, the KDC maintains a directory of the users that can access J2EE Engine resources for a Kerberos Realm.

This topic describes the KDC configuration requirements that must be in place to use SPNego for Kerberos authentication with the J2EE Engine.

Features

The configuration steps are specific to the KDC that you use. For more information, see the documentation provided by your KDC vendor.

Note

If you use a Sun JDK to run the J2EE Engine and the KDC is a Windows 2000 Domain Controller with ADS, you also have to disable delegation in the ADS to avoid errors during ticket verification.

Activities

1. Create a service user to identify the J2EE Engine instance on the KDC. We recommend that you choose a naming convention for these users to help you identify them with their corresponding J2EE instances. For example, if your instance is called JD1, then you could name the service user j2ee-jd1-hades.

The service user represents a J2EE instance running on a specific host and must meet the following requirements:

a. The password of the service user must never expire.

Caution

We recommend that you choose a strong password for the service user. For example, use a minimum length of 12 characters, with at least one digit, one special character and one uppercase letter.

b. Use Data Encryption Standard (DES) for this user account.

c. If you are using Sun JDK and the UME of the J2EE Engine uses a Microsoft Windows ADS as a user data source, the service user node must be under the root node of the users section in the UME configuration.

For example, if the Distinguished Name (DN) of the user node is CN=Users, DC=MyCompany, DC=MyCompanyDomain, DC=com, then you create the service user under that root node with the DN CN=Users, DC=MyCompany, DC=MyCompanyDomain, DC=com. Therefore, if the service user name is j2ee-jd1-host, the service user's DN is CN=j2ee-jd1-host, CN=Users, DC=MyCompany, DC=MyCompanyDomain, DC=com.

2. Register a Service Principal Name (SPN) for each of the DNS aliases that you use to access the J2EE Engine.

Note

When using a reverse proxy or an application level gateway to access the J2EE Engine from the Web client, you have to add an SPN for the physical host name and each DNS alias of the reverse proxy or application level gateway. For this scenario, the Web client procures a Kerberos ticket from the KDC for the reverse proxy or application level gateway host and not for the J2EE Engine host.

Example

The following example shows the configuration steps when the KDC is a Microsoft Windows 2000 Domain Controller (DC) that uses an Active Directory Server (ADS) for a user store.

Assumptions

For the purpose of this example we assume that:

·         The KDC is a Microsoft Windows 2000 Active Directory Server

·         The Windows Domain Name is IT.CUSTOMER.DE

·         The fully qualified host name of the J2EE Engine is hades.customer.de.

·         The J2EE Engine has an additional alias su3x24.customer.de.

Configuration steps on the DC

1. Create a service user j2ee-jd1-hades with the password secret12 (for this example). Enable the Password Never Expires option for this user.

2. From a command line, enter the following commands to register service principal names (SPNs) for the J2EE Engine host name and alias and map them to the service user j2ee-jd1-hades.

setspn -A HTTP/hades.customer.de j2ee-jd1-hades

setspn -A HTTP/su3x24.customer.de j2ee-jd1-hades

In this case, both names hades.customer.de and su3x24.customer.de are registered as SPNs and associated with the J2EE Engine service user on the Windows DC.

Result

To check the result of the configuration, enter the following command for each SPN you registered:

ldifde -r serviceprincipalname=HTTP/hades.customer.de -f out.ldf

The output of this command is exactly one entry, which points to the previously created service user.
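The ldifde check above is easy to eyeball for one SPN, but the requirements in this topic (exactly one account per SPN, the expected service user, a non-expiring password, DES enabled) are worth verifying mechanically for every registered name. The following script is an added example, not SAP's or Microsoft's code: it parses an LDIF export in the shape ldifde writes and checks those requirements. The LDIF content is constructed for the example (the account name and SPNs are taken from this topic; the DN and attribute values are made up), and the helper names parse_ldif and check_spn_mapping are hypothetical. The userAccountControl bit values are the documented Active Directory flags.

```python
import base64

# Documented Active Directory userAccountControl flag bits.
UF_DONT_EXPIRE_PASSWD = 0x10000   # "Password Never Expires"
UF_USE_DES_KEY_ONLY = 0x200000    # "Use DES encryption types for this account"

# Constructed sample of what `ldifde -r serviceprincipalname=HTTP/hades.customer.de -f out.ldf`
# could write for the example service user. Not captured from a real DC.
SAMPLE_LDIF = """\
dn: CN=j2ee-jd1-hades,CN=Users,DC=IT,DC=CUSTOMER,DC=DE
changetype: add
objectClass: user
sAMAccountName: j2ee-jd1-hades
userAccountControl: 2163200
servicePrincipalName: HTTP/hades.customer.de
servicePrincipalName: HTTP/su3x24.customer.de

"""

# Constructed sample of a misconfiguration: the same SPN is mapped to two accounts.
DUPLICATE_LDIF = SAMPLE_LDIF + """\
dn: CN=old-j2ee-user,CN=Users,DC=IT,DC=CUSTOMER,DC=DE
changetype: add
sAMAccountName: old-j2ee-user
userAccountControl: 512
servicePrincipalName: HTTP/hades.customer.de

"""


def _unfold(text):
    """Join LDIF continuation lines (a line starting with a space continues the previous one)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries; each entry maps a lower-cased attribute name to a list of values."""
    entries, current = [], None
    for line in _unfold(text):
        if line.strip() == "":
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                       # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = {}
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def check_spn_mapping(ldif_text, spn, expected_account, require_des=True):
    """Return a list of problems (empty if the SPN is mapped as this topic requires)."""
    problems = []
    holders = [e for e in parse_ldif(ldif_text)
               if spn.lower() in (v.lower() for v in e.get("serviceprincipalname", []))]
    if len(holders) != 1:
        # More than one holder means the KDC cannot choose a single key for this service.
        problems.append(f"expected exactly one entry for {spn}, found {len(holders)}")
        return problems
    entry = holders[0]
    sam = entry.get("samaccountname", [""])[0]
    if sam.lower() != expected_account.lower():
        problems.append(f"{spn} is mapped to {sam!r}, expected {expected_account!r}")
    uac = int(entry.get("useraccountcontrol", ["0"])[0])
    if not uac & UF_DONT_EXPIRE_PASSWD:
        problems.append(f"{sam}: Password Never Expires is not set")
    if require_des and not uac & UF_USE_DES_KEY_ONLY:
        problems.append(f"{sam}: DES encryption is not enabled for the account")
    return problems


if __name__ == "__main__":
    for name in ("HTTP/hades.customer.de", "HTTP/su3x24.customer.de"):
        print(name, check_spn_mapping(SAMPLE_LDIF, name, "j2ee-jd1-hades") or "OK")
    print("duplicate:", check_spn_mapping(DUPLICATE_LDIF, "HTTP/hades.customer.de", "j2ee-jd1-hades"))
```

In practice you would run ldifde once per SPN as shown above and feed each out.ldf to check_spn_mapping together with the service user name from step 1; a non-empty result for any SPN means the KDC side of the SPNego setup is incomplete.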
