<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="JAAS Kerberos login interface" />
<meta name="abstract" content="IBM JGSS features a Java Authentication and Authorization Service (JAAS) Kerberos login interface. You can disable this feature by setting the Java property javax.security.auth.useSubjectCredsOnly to false." />
<meta name="description" content="IBM JGSS features a Java Authentication and Authorization Service (JAAS) Kerberos login interface. You can disable this feature by setting the Java property javax.security.auth.useSubjectCredsOnly to false." />
<meta name="DC.Relation" scheme="URI" content="rzahajgssuse.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahajgssusejaas.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahajgssusejaas10.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahajgssconfigs.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzahajgssusejaas20" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>JAAS Kerberos login interface</title>
</head>
<body id="rzahajgssusejaas20"><a name="rzahajgssusejaas20"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">JAAS Kerberos login interface</h1>
<div><p>IBM<sup>®</sup> JGSS
features a Java™ Authentication and Authorization Service (JAAS)
Kerberos login interface. By default, JGSS obtains Kerberos credentials from the JAAS
Subject associated with the current access control context. You can disable this feature by setting the Java property
javax.security.auth.useSubjectCredsOnly to false, in which case JGSS no longer requires
the credentials to be held in a JAAS Subject.</p>
<div class="note"><span class="notetitle">Note:</span> Although the pure Java JGSS provider can use the login interface,
the native iSeries™ JGSS
provider cannot.</div>
<p>For more information about JAAS, see <a href="jaasbase.htm">Java Authentication
and Authorization Service</a>.</p>
<div class="section"><h4 class="sectiontitle">JAAS and JVM permissions</h4><p>If you are using a security
manager, you need to ensure that your application and JGSS have the necessary
JVM and JAAS permissions. For more information, see <a href="rzahajgsscfgsecmgr.htm">Using
a security manager</a>.</p>
</div>
<div class="section"><h4 class="sectiontitle"> JAAS configuration file options</h4><p>The login interface
requires a JAAS configuration file that specifies com.ibm.security.auth.module.Krb5LoginModule
as the login module to be used. The following table lists the options that
Krb5LoginModule supports. Note that the options are not case-sensitive. </p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><thead align="left"><tr valign="bottom"><th valign="bottom" width="17.737789203084834%" id="d0e56">Option name</th>
<th valign="bottom" width="16.709511568123396%" id="d0e58">Value</th>
<th valign="bottom" width="21.336760925449873%" id="d0e60">Default</th>
<th valign="bottom" width="44.2159383033419%" id="d0e62">Explanation</th>
</tr>
</thead>
<tbody><tr><td valign="top" width="17.737789203084834%" headers="d0e56 ">principal </td>
<td valign="top" width="16.709511568123396%" headers="d0e58 ">&lt;string&gt; </td>
<td valign="top" width="21.336760925449873%" headers="d0e60 ">None; prompted for. </td>
<td valign="top" width="44.2159383033419%" headers="d0e62 ">Kerberos principal name </td>
</tr>
<tr><td valign="top" width="17.737789203084834%" headers="d0e56 ">credsType </td>
<td valign="top" width="16.709511568123396%" headers="d0e58 ">initiator | acceptor | both </td>
<td valign="top" width="21.336760925449873%" headers="d0e60 ">initiator </td>
<td valign="top" width="44.2159383033419%" headers="d0e62 ">The JGSS credential type </td>
</tr>
<tr><td valign="top" width="17.737789203084834%" headers="d0e56 ">forwardable </td>
<td valign="top" width="16.709511568123396%" headers="d0e58 ">true|false </td>
<td valign="top" width="21.336760925449873%" headers="d0e60 ">false </td>
<td valign="top" width="44.2159383033419%" headers="d0e62 ">Whether to acquire a forwardable ticket-granting ticket (TGT)</td>
</tr>
<tr><td valign="top" width="17.737789203084834%" headers="d0e56 ">proxiable </td>
<td valign="top" width="16.709511568123396%" headers="d0e58 ">true|false </td>
<td valign="top" width="21.336760925449873%" headers="d0e60 ">false </td>
<td valign="top" width="44.2159383033419%" headers="d0e62 ">Whether to acquire a proxiable TGT </td>
</tr>
<tr><td valign="top" width="17.737789203084834%" headers="d0e56 ">useCcache </td>
<td valign="top" width="16.709511568123396%" headers="d0e58 ">&lt;URL&gt; </td>
<td valign="top" width="21.336760925449873%" headers="d0e60 ">Don't use ccache </td>
<td valign="top" width="44.2159383033419%" headers="d0e62 ">Retrieve TGT from the specified credential cache </td>
</tr>
<tr><td valign="top" width="17.737789203084834%" headers="d0e56 ">useKeytab </td>
<td valign="top" width="16.709511568123396%" headers="d0e58 ">&lt;URL&gt; </td>
<td valign="top" width="21.336760925449873%" headers="d0e60 ">Don't use key table </td>
<td valign="top" width="44.2159383033419%" headers="d0e62 ">Retrieve secret key from the specified key table </td>
</tr>
<tr><td valign="top" width="17.737789203084834%" headers="d0e56 ">useDefaultCcache </td>
<td valign="top" width="16.709511568123396%" headers="d0e58 ">true|false </td>
<td valign="top" width="21.336760925449873%" headers="d0e60 ">Don't use default ccache </td>
<td valign="top" width="44.2159383033419%" headers="d0e62 ">Retrieve TGT from default credential cache </td>
</tr>
<tr><td valign="top" width="17.737789203084834%" headers="d0e56 ">useDefaultKeytab </td>
<td valign="top" width="16.709511568123396%" headers="d0e58 ">true|false </td>
<td valign="top" width="21.336760925449873%" headers="d0e60 ">Don't use default key table </td>
<td valign="top" width="44.2159383033419%" headers="d0e62 ">Retrieve secret key from the default key table </td>
</tr>
</tbody>
</table>
</div>
<p>For a simple example of using Krb5LoginModule, see the <a href="rzahajgssjaascfg.htm">Sample
JAAS login configuration file</a>. </p>
<p><strong>Option incompatibilities</strong></p>
<p>Some
Krb5LoginModule options, excluding principal name, are incompatible with each
other, meaning that you cannot specify them together. The following table
represents compatible and incompatible login module options.</p>
<p>Indicators
in the table describe the relationship between the two associated options:</p>
<ul><li>X = Incompatible</li>
<li>N/A = Inapplicable combination</li>
<li>Blank = Compatible</li>
</ul>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><thead align="left"><tr valign="bottom"><th valign="bottom" width="23.66325369738339%" id="d0e170">Krb5LoginModule option </th>
<th valign="bottom" width="9.556313993174061%" id="d0e172">credsType initiator</th>
<th valign="bottom" width="9.442548350398178%" id="d0e174">credsType acceptor</th>
<th valign="bottom" width="9.670079635949943%" id="d0e176">credsType both</th>
<th valign="bottom" width="6.825938566552901%" id="d0e178">forwardable</th>
<th valign="bottom" width="5.5745164960182025%" id="d0e180">proxiable</th>
<th valign="bottom" width="9.215017064846416%" id="d0e182">use Ccache </th>
<th valign="bottom" width="7.167235494880546%" id="d0e184">use Keytab </th>
<th valign="bottom" width="9.215017064846416%" id="d0e186">useDefault Ccache</th>
<th valign="bottom" width="9.670079635949943%" id="d0e188">useDefault Keytab </th>
</tr>
</thead>
<tbody><tr><td valign="top" width="23.66325369738339%" headers="d0e170 "><strong>credsType=initiator </strong></td>
<td valign="top" width="9.556313993174061%" headers="d0e172 "> </td>
<td align="center" valign="top" width="9.442548350398178%" headers="d0e174 ">N/A</td>
<td align="center" valign="top" width="9.670079635949943%" headers="d0e176 ">N/A</td>
<td valign="top" width="6.825938566552901%" headers="d0e178 "> </td>
<td valign="top" width="5.5745164960182025%" headers="d0e180 "> </td>
<td valign="top" width="9.215017064846416%" headers="d0e182 "> </td>
<td align="center" valign="top" width="7.167235494880546%" headers="d0e184 ">X</td>
<td valign="top" width="9.215017064846416%" headers="d0e186 "> </td>
<td align="center" valign="top" width="9.670079635949943%" headers="d0e188 ">X</td>
</tr>
<tr><td valign="top" width="23.66325369738339%" headers="d0e170 "><strong>credsType=acceptor </strong></td>
<td align="center" valign="top" width="9.556313993174061%" headers="d0e172 ">N/A</td>
<td valign="top" width="9.442548350398178%" headers="d0e174 "> </td>
<td align="center" valign="top" width="9.670079635949943%" headers="d0e176 ">N/A</td>
<td align="center" valign="top" width="6.825938566552901%" headers="d0e178 ">X</td>
<td align="center" valign="top" width="5.5745164960182025%" headers="d0e180 ">X</td>
<td align="center" valign="top" width="9.215017064846416%" headers="d0e182 ">X</td>
<td valign="top" width="7.167235494880546%" headers="d0e184 "> </td>
<td align="center" valign="top" width="9.215017064846416%" headers="d0e186 ">X</td>
<td valign="top" width="9.670079635949943%" headers="d0e188 "> </td>
</tr>
<tr><td valign="top" width="23.66325369738339%" headers="d0e170 "><strong>credsType=both </strong></td>
<td align="center" valign="top" width="9.556313993174061%" headers="d0e172 ">N/A</td>
<td align="center" valign="top" width="9.442548350398178%" headers="d0e174 ">N/A</td>
<td valign="top" width="9.670079635949943%" headers="d0e176 "> </td>
<td valign="top" width="6.825938566552901%" headers="d0e178 "> </td>
<td valign="top" width="5.5745164960182025%" headers="d0e180 "> </td>
<td valign="top" width="9.215017064846416%" headers="d0e182 "> </td>
<td valign="top" width="7.167235494880546%" headers="d0e184 "> </td>
<td valign="top" width="9.215017064846416%" headers="d0e186 "> </td>
<td valign="top" width="9.670079635949943%" headers="d0e188 "> </td>
</tr>
<tr><td valign="top" width="23.66325369738339%" headers="d0e170 "><strong>forwardable </strong></td>
<td valign="top" width="9.556313993174061%" headers="d0e172 "> </td>
<td align="center" valign="top" width="9.442548350398178%" headers="d0e174 ">X</td>
<td valign="top" width="9.670079635949943%" headers="d0e176 "> </td>
<td valign="top" width="6.825938566552901%" headers="d0e178 "> </td>
<td valign="top" width="5.5745164960182025%" headers="d0e180 "> </td>
<td align="center" valign="top" width="9.215017064846416%" headers="d0e182 ">X</td>
<td align="center" valign="top" width="7.167235494880546%" headers="d0e184 ">X</td>
<td align="center" valign="top" width="9.215017064846416%" headers="d0e186 ">X</td>
<td align="center" valign="top" width="9.670079635949943%" headers="d0e188 ">X</td>
</tr>
<tr><td valign="top" width="23.66325369738339%" headers="d0e170 "><strong>proxiable </strong></td>
<td valign="top" width="9.556313993174061%" headers="d0e172 "> </td>
<td align="center" valign="top" width="9.442548350398178%" headers="d0e174 ">X</td>
<td valign="top" width="9.670079635949943%" headers="d0e176 "> </td>
<td valign="top" width="6.825938566552901%" headers="d0e178 "> </td>
<td valign="top" width="5.5745164960182025%" headers="d0e180 "> </td>
<td align="center" valign="top" width="9.215017064846416%" headers="d0e182 ">X</td>
<td align="center" valign="top" width="7.167235494880546%" headers="d0e184 ">X</td>
<td align="center" valign="top" width="9.215017064846416%" headers="d0e186 ">X</td>
<td align="center" valign="top" width="9.670079635949943%" headers="d0e188 ">X</td>
</tr>
<tr><td valign="top" width="23.66325369738339%" headers="d0e170 "><strong>useCcache </strong></td>
<td valign="top" width="9.556313993174061%" headers="d0e172 "> </td>
<td align="center" valign="top" width="9.442548350398178%" headers="d0e174 ">X</td>
<td valign="top" width="9.670079635949943%" headers="d0e176 "> </td>
<td align="center" valign="top" width="6.825938566552901%" headers="d0e178 ">X</td>
<td align="center" valign="top" width="5.5745164960182025%" headers="d0e180 ">X</td>
<td valign="top" width="9.215017064846416%" headers="d0e182 "> </td>
<td align="center" valign="top" width="7.167235494880546%" headers="d0e184 ">X</td>
<td align="center" valign="top" width="9.215017064846416%" headers="d0e186 ">X</td>
<td align="center" valign="top" width="9.670079635949943%" headers="d0e188 ">X</td>
</tr>
<tr><td valign="top" width="23.66325369738339%" headers="d0e170 "><strong>useKeytab </strong></td>
<td align="center" valign="top" width="9.556313993174061%" headers="d0e172 ">X</td>
<td valign="top" width="9.442548350398178%" headers="d0e174 "> </td>
<td valign="top" width="9.670079635949943%" headers="d0e176 "> </td>
<td align="center" valign="top" width="6.825938566552901%" headers="d0e178 ">X</td>
<td align="center" valign="top" width="5.5745164960182025%" headers="d0e180 ">X</td>
<td align="center" valign="top" width="9.215017064846416%" headers="d0e182 ">X</td>
<td valign="top" width="7.167235494880546%" headers="d0e184 "> </td>
<td align="center" valign="top" width="9.215017064846416%" headers="d0e186 ">X</td>
<td align="center" valign="top" width="9.670079635949943%" headers="d0e188 ">X</td>
</tr>
<tr><td valign="top" width="23.66325369738339%" headers="d0e170 "><strong>useDefaultCcache </strong></td>
<td valign="top" width="9.556313993174061%" headers="d0e172 "> </td>
<td align="center" valign="top" width="9.442548350398178%" headers="d0e174 ">X</td>
<td valign="top" width="9.670079635949943%" headers="d0e176 "> </td>
<td align="center" valign="top" width="6.825938566552901%" headers="d0e178 ">X</td>
<td align="center" valign="top" width="5.5745164960182025%" headers="d0e180 ">X</td>
<td align="center" valign="top" width="9.215017064846416%" headers="d0e182 ">X</td>
<td align="center" valign="top" width="7.167235494880546%" headers="d0e184 ">X</td>
<td valign="top" width="9.215017064846416%" headers="d0e186 "> </td>
<td align="center" valign="top" width="9.670079635949943%" headers="d0e188 ">X</td>
</tr>
<tr><td valign="top" width="23.66325369738339%" headers="d0e170 "><strong>useDefaultKeytab </strong></td>
<td align="center" valign="top" width="9.556313993174061%" headers="d0e172 ">X</td>
<td valign="top" width="9.442548350398178%" headers="d0e174 "> </td>
<td valign="top" width="9.670079635949943%" headers="d0e176 "> </td>
<td align="center" valign="top" width="6.825938566552901%" headers="d0e178 ">X</td>
<td align="center" valign="top" width="5.5745164960182025%" headers="d0e180 ">X</td>
<td align="center" valign="top" width="9.215017064846416%" headers="d0e182 ">X</td>
<td align="center" valign="top" width="7.167235494880546%" headers="d0e184 ">X</td>
<td align="center" valign="top" width="9.215017064846416%" headers="d0e186 ">X</td>
<td valign="top" width="9.670079635949943%" headers="d0e188 "> </td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="section"><h4 class="sectiontitle">Principal name option</h4><p>You can specify a principal
name in combination with any other option. If you do not specify a principal
name, the Krb5LoginModule may prompt the user for a principal name. Whether
or not Krb5LoginModule prompts the user depends on the other options that
you specify.</p>
<p><strong> Service principal name format</strong></p>
<p>You must use
one of the following formats to specify a service principal name:</p>
<ul><li>&lt;service_name&gt; (for example, superSecureServer)</li>
<li> &lt;service_name&gt;@&lt;host&gt; (for example, superSecureServer@myhost)</li>
</ul>
<p>In the latter format, &lt;host&gt; is the hostname of the machine
on which the service resides. You can (but do not have to) use a fully qualified
hostname.</p>
<div class="note"><span class="notetitle">Note:</span> JAAS recognizes certain characters as delimiters. When
you use any of the following characters in a JAAS string (such as a principal
name), enclose the character in quotes:<pre> _ (underscore)
: (colon)
/ (forward slash)
\ (back slash)</pre>
</div>
</div>
<div class="section"><h4 class="sectiontitle">Prompting for the principal name and password</h4><p>The
options that you specify in the JAAS configuration file determine whether
the Krb5LoginModule login is noninteractive or interactive.</p>
<ul><li>A noninteractive login does not prompt for any information whatsoever</li>
<li>An interactive login prompts for principal name, password, or both</li>
</ul>
<p><strong>Noninteractive logins</strong></p>
<p>The login proceeds noninteractively
when you specify the credential type as initiator (<tt class="sysout">credsType=initiator</tt>)
and you perform one of the following actions:</p>
<ul><li>Specify the useCcache option</li>
<li>Set the useDefaultCcache option to true</li>
</ul>
<p>The login also proceeds noninteractively when you specify the credential
type as acceptor or both (<tt class="sysout">credsType=acceptor</tt> or <tt class="sysout">credsType=both</tt>)
and you perform one of the following actions:</p>
<ul><li>Specify the useKeytab option</li>
<li>Set the useDefaultKeytab option to true</li>
</ul>
<p><strong>Interactive logins</strong></p>
<p> Other configurations result in the
login module prompting for a principal name and password so that it may obtain
a TGT from a Kerberos KDC. The login module prompts for only a password when
you specify the principal option.</p>
<p>Interactive logins require that the
application specify com.ibm.security.auth.callback.Krb5CallbackHandler as
the callback handler when creating the login context. The callback handler
is responsible for prompting for input.</p>
</div>
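<p>The following checker is an added example; it is not part of the IBM documentation or of Krb5LoginModule itself. It encodes the option incompatibility table above, the case-insensitive option names, the documented default of <tt class="sysout">credsType=initiator</tt>, and the prompting rules in this section, so that an entry's option list can be checked before it is deployed instead of failing at login time. Two things are assumptions made for the example: a boolean option set explicitly to <tt class="sysout">false</tt> is treated as not specified, and the sample option lists, including the placeholder URLs <tt class="sysout">file:///home/svc/krb5.keytab</tt> and <tt class="sysout">file:///tmp/krb5cc_alice</tt>, are constructed.</p>

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Lints the option list of a Krb5LoginModule entry against the documented matrix. */
public class Krb5OptionCheck {
    static final Set<String> KNOWN = new HashSet<String>(Arrays.asList(
        "principal", "credstype", "forwardable", "proxiable",
        "useccache", "usekeytab", "usedefaultccache", "usedefaultkeytab"));
    static final Set<String> BOOLEAN = new HashSet<String>(Arrays.asList(
        "forwardable", "proxiable", "usedefaultccache", "usedefaultkeytab"));
    static final Set<String> CREDS_TYPES = new HashSet<String>(Arrays.asList(
        "initiator", "acceptor", "both"));

    // Every X in the table, once per unordered pair; credsType values appear as "credstype=<value>".
    static final String[][] CONFLICTS = {
        {"credstype=initiator", "usekeytab"}, {"credstype=initiator", "usedefaultkeytab"},
        {"credstype=acceptor", "forwardable"}, {"credstype=acceptor", "proxiable"},
        {"credstype=acceptor", "useccache"}, {"credstype=acceptor", "usedefaultccache"},
        {"forwardable", "useccache"}, {"forwardable", "usekeytab"},
        {"forwardable", "usedefaultccache"}, {"forwardable", "usedefaultkeytab"},
        {"proxiable", "useccache"}, {"proxiable", "usekeytab"},
        {"proxiable", "usedefaultccache"}, {"proxiable", "usedefaultkeytab"},
        {"useccache", "usekeytab"}, {"useccache", "usedefaultccache"},
        {"useccache", "usedefaultkeytab"}, {"usekeytab", "usedefaultccache"},
        {"usekeytab", "usedefaultkeytab"}, {"usedefaultccache", "usedefaultkeytab"},
    };

    // name=value or name="quoted value"; an unquoted value stops at whitespace or ';'.
    private static final Pattern OPTION = Pattern.compile("(\\w+)\\s*=\\s*(?:\"([^\"]*)\"|([^\\s;]+))");

    /** Parses the option part of an entry into a map keyed by lower-cased option name. */
    static Map<String, String> parse(String options) {
        Map<String, String> out = new LinkedHashMap<String, String>();
        Matcher m = OPTION.matcher(options);
        while (m.find()) {
            String value = m.group(2) != null ? m.group(2) : m.group(3);
            out.put(m.group(1).toLowerCase(), value);
        }
        return out;
    }

    /** Options in effect: strings/URLs when present, booleans only when true (assumption),
     *  plus the documented default credsType=initiator when none is given. */
    static Set<String> inEffect(Map<String, String> opts) {
        Set<String> eff = new HashSet<String>();
        for (Map.Entry<String, String> e : opts.entrySet()) {
            String name = e.getKey(), value = e.getValue();
            if (name.equals("credstype")) {
                eff.add("credstype=" + value.toLowerCase());
            } else if (!BOOLEAN.contains(name) || value.equalsIgnoreCase("true")) {
                eff.add(name);
            }
        }
        if (!opts.containsKey("credstype")) eff.add("credstype=initiator");
        return eff;
    }

    /** Returns the problems found; an empty list means the entry is consistent with the table. */
    static List<String> check(String options) {
        Map<String, String> opts = parse(options);
        List<String> problems = new ArrayList<String>();
        for (String name : opts.keySet()) {
            if (!KNOWN.contains(name)) problems.add("unknown option: " + name);
        }
        String ct = opts.get("credstype");
        if (ct != null && !CREDS_TYPES.contains(ct.toLowerCase())) {
            problems.add("credsType must be initiator, acceptor or both, not " + ct);
        }
        Set<String> eff = inEffect(opts);
        for (String[] pair : CONFLICTS) {
            if (eff.contains(pair[0]) && eff.contains(pair[1])) {
                problems.add(pair[0] + " is incompatible with " + pair[1]);
            }
        }
        return problems;
    }

    /** Prompting rules: ccache makes an initiator noninteractive, keytab does so for acceptor/both. */
    static String loginMode(String options) {
        Set<String> eff = inEffect(parse(options));
        boolean initiator = eff.contains("credstype=initiator");
        boolean ccache = eff.contains("useccache") || eff.contains("usedefaultccache");
        boolean keytab = eff.contains("usekeytab") || eff.contains("usedefaultkeytab");
        if (initiator ? ccache : keytab) return "noninteractive";
        return eff.contains("principal")
            ? "interactive: prompts for password"
            : "interactive: prompts for principal name and password";
    }

    public static void main(String[] args) {
        // Constructed sample option lists; the URLs are placeholders.
        String[] samples = {
            "credsType=initiator useDefaultCcache=true",
            "credsType=both principal=\"superSecureServer@myhost\" useKeytab=\"file:///home/svc/krb5.keytab\"",
            "principal=\"alice\" forwardable=true",
            "credsType=acceptor useDefaultCcache=true forwardable=true",
            "useCcache=\"file:///tmp/krb5cc_alice\" useKeytab=\"file:///home/svc/krb5.keytab\"",
        };
        for (String s : samples) {
            System.out.println(s);
            System.out.println("  login: " + loginMode(s));
            for (String p : check(s)) System.out.println("  problem: " + p);
        }
    }
}
```

<p>Running the class prints the login mode and any conflicts for each sample. The fourth sample (acceptor with useDefaultCcache and forwardable) shows several X cells applying to one line at once, and the fifth shows that a line the prompting rules classify as noninteractive can still be invalid, because useCcache and useKeytab exclude each other.</p>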
<div class="section"><h4 class="sectiontitle">Credential type option</h4><p>When you require the
credential type to be both initiator and acceptor (<tt class="sysout">credsType=both</tt>),
Krb5LoginModule obtains both a TGT and a secret key. The login module uses
the TGT to initiate contexts and the secret key to accept contexts. The JAAS
configuration file must contain sufficient information to enable the login
module to acquire the two types of credentials.</p>
<p>For credential types
acceptor and both, the login module assumes a service principal.</p>
</div>
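<p>The following program is an added example and is not code from the IBM documentation or from JGSS itself. It writes a login configuration with one entry for each case described in the two preceding sections (a noninteractive initiator using the default credential cache, a noninteractive <tt class="sysout">credsType=both</tt> service using a key table, and an interactive user entry that names only the principal), runs each entry through <tt class="sysout">LoginContext</tt>, passing <tt class="sysout">Krb5CallbackHandler</tt> only for the interactive one, and then acquires the matching JGSS credential inside <tt class="sysout">Subject.doAs</tt>, which is where JGSS looks for credentials while <tt class="sysout">javax.security.auth.useSubjectCredsOnly</tt> keeps its default of true. The entry names, the principal <tt class="sysout">alice</tt>, the key table path <tt class="sysout">file:///home/svc/krb5.keytab</tt>, and the no-argument constructor of <tt class="sysout">Krb5CallbackHandler</tt> are assumptions. The example needs the pure Java JGSS provider, because the native iSeries provider does not support the login interface.</p>

```java
import java.io.File;
import java.io.FileWriter;
import java.io.Writer;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import com.ibm.security.auth.callback.Krb5CallbackHandler;

/** Logs in through Krb5LoginModule and acquires JGSS credentials from the resulting Subject. */
public class JgssJaasLogin {
    // Kerberos V5 mechanism OID.
    static final Oid KRB5_MECH;
    static {
        try { KRB5_MECH = new Oid("1.2.840.113554.1.2.2"); }
        catch (GSSException e) { throw new ExceptionInInitializerError(e); }
    }

    // JAAS login configuration, written to a temporary file at startup. Principal names and
    // the keytab path are placeholders. The URL contains ':' and '/', which JAAS treats as
    // delimiters, so it is quoted.
    static final String CONFIG =
        "InitiatorFromCcache {\n" +
        "  com.ibm.security.auth.module.Krb5LoginModule required\n" +
        "    credsType=initiator useDefaultCcache=true;\n" +            // noninteractive
        "};\n" +
        "ServiceBoth {\n" +
        "  com.ibm.security.auth.module.Krb5LoginModule required\n" +
        "    credsType=both principal=\"superSecureServer@myhost\"\n" +
        "    useKeytab=\"file:///home/svc/krb5.keytab\";\n" +            // noninteractive
        "};\n" +
        "InteractiveUser {\n" +
        "  com.ibm.security.auth.module.Krb5LoginModule required\n" +
        "    principal=\"alice\";\n" +                                   // prompts for password
        "};\n";

    /** Runs one configuration entry; a callback handler is needed only when the entry prompts. */
    static Subject login(String entry, boolean interactive) throws LoginException {
        LoginContext lc = interactive
            ? new LoginContext(entry, new Krb5CallbackHandler())
            : new LoginContext(entry);
        lc.login();
        return lc.getSubject();
    }

    /**
     * Acquires a credential inside Subject.doAs: with the default
     * javax.security.auth.useSubjectCredsOnly=true, JGSS looks only in the Subject that
     * Krb5LoginModule populated, so calling createCredential outside doAs finds nothing.
     */
    static GSSCredential acquire(Subject subject, final String name, final int usage)
            throws Exception {
        return Subject.doAs(subject, new PrivilegedExceptionAction<GSSCredential>() {
            public GSSCredential run() throws GSSException {
                GSSManager mgr = GSSManager.getInstance();
                GSSName gssName = (name == null) ? null   // null selects the default principal
                    : mgr.createName(name, GSSName.NT_HOSTBASED_SERVICE);
                return mgr.createCredential(gssName, GSSCredential.DEFAULT_LIFETIME,
                                            KRB5_MECH, usage);
            }
        });
    }

    static void describe(String label, GSSCredential cred) throws GSSException {
        System.out.println(label + ": " + cred.getName() + " usage=" + cred.getUsage()
            + " remaining=" + cred.getRemainingLifetime() + "s");
    }

    public static void main(String[] args) throws Exception {
        File cfg = File.createTempFile("jgss-jaas", ".conf");
        cfg.deleteOnExit();
        Writer w = new FileWriter(cfg);
        try { w.write(CONFIG); } finally { w.close(); }
        // Must be set before the first LoginContext is created.
        System.setProperty("java.security.auth.login.config", cfg.getAbsolutePath());

        // Initiator: TGT taken from the default credential cache, nothing is prompted.
        Subject client = login("InitiatorFromCcache", false);
        describe("initiator", acquire(client, null, GSSCredential.INITIATE_ONLY));

        // Both: Krb5LoginModule obtains a TGT and the service's secret key via the keytab.
        Subject service = login("ServiceBoth", false);
        describe("service", acquire(service, "superSecureServer@myhost",
                                    GSSCredential.INITIATE_AND_ACCEPT));

        // Initiator with only a principal: Krb5CallbackHandler prompts for alice's password.
        Subject user = login("InteractiveUser", true);
        describe("user", acquire(user, null, GSSCredential.INITIATE_ONLY));
    }
}
```

<p>Compile against the IBM JDK and run with a reachable KDC, a populated default credential cache (for example, from Kinit), and a key table holding the service key (for example, from Ktab): the first two entries complete without any terminal interaction, and the third blocks on the password prompt issued by the callback handler.</p>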
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahajgssuse.htm" title="The IBM Java Generic Security Service (JGSS) API 1.0 shields secure applications from the complexities and peculiarities of the different underlying security mechanisms. JGSS uses features provided by Java Authentication and Authorization Service (JAAS) and IBM Java Cryptography Extension (JCE).">Running IBM JGSS applications</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzahajgssusejaas.htm" title="The GSS-API does not define a way to get credentials. For this reason, the IBM JGSS Kerberos mechanism requires that the user obtain Kerberos credentials. This topic instructs you on how to obtain Kerberos credentials and create secret keys, and about using JAAS to perform Kerberos logins and authorization checks and review a list of JAAS permissions required by the Java virtual machine (JVM).">Obtaining Kerberos credentials and creating secret keys</a></div>
<div><a href="rzahajgssusejaas10.htm" title="Your choice of a JGSS provider determines which tools that you use to obtain Kerberos credentials and secret keys.">The Kinit and Ktab tools</a></div>
<div><a href="rzahajgssconfigs.htm" title="JGSS and JAAS depend on several configuration and policy files. You need to edit these files to conform to your environment and application. If you do not use JAAS with JGSS, you can safely ignore the JAAS configuration and policy files.">Configuration and policy files</a></div>
</div>
</div>
</body>
</html>