ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaha_5.4.0.1/rzahajgssconfigs.htm

151 lines
10 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Configuration and policy files" />
<meta name="abstract" content="JGSS and JAAS depend on several configuration and policy files. You need to edit these files to conform to your environment and application. If you do not use JAAS with JGSS, you can safely ignore the JAAS configuration and policy files." />
<meta name="description" content="JGSS and JAAS depend on several configuration and policy files. You need to edit these files to conform to your environment and application. If you do not use JAAS with JGSS, you can safely ignore the JAAS configuration and policy files." />
<meta name="DC.Relation" scheme="URI" content="rzahajgssuse.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahajgssusejaas.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahajgssusejaas10.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahajgssusejaas20.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzahajgssconfigs" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Configuration and policy files</title>
</head>
<body id="rzahajgssconfigs"><a name="rzahajgssconfigs"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Configuration and policy files</h1>
<div><p>JGSS and JAAS depend on several configuration and policy files.
You need to edit these files to conform to your environment and application.
If you do not use JAAS with JGSS, you can safely ignore the JAAS configuration
and policy files.</p>
<div class="note"><span class="notetitle">Note:</span> In the following instructions, ${java.home} denotes the path to the
location of the version of Java™ that you are using on your server.
For example, if you are using J2SDK, version 1.4, ${java.home} is /QIBM/ProdData/Java400/jdk14.
Remember to replace ${java.home}in the property settings with the actual
path to the Java home directory.</div>
<div class="section"><h4 class="sectiontitle">Kerberos configuration file</h4><p>IBM<sup>®</sup> JGSS requires a Kerberos configuration
file. The default name and location of the Kerberos configuration file depends
on the operating system being used. JGSS uses the following order to search
for the default configuration file:</p>
<ol><li>The file referenced by the Java property java.security.krb5.conf</li>
<li>${java.home}/lib/security/krb5.conf</li>
<li>c:\winnt\krb5.ini on Microsoft<sup>®</sup> Windows<sup>®</sup> platforms</li>
<li>/etc/krb5/krb5.conf on Solaris platforms</li>
<li>/etc/krb5.conf on other Unix platforms</li>
</ol>
</div>
<div class="section"><h4 class="sectiontitle">JAAS configuration file</h4><p>The use of the JAAS login
feature requires a JAAS configuration file. You can specify the JAAS configuration
file by setting one of the following properties:</p>
<ul><li>The Java system property java.security.auth.login.config</li>
<li>The security property login.config.url.&lt;integer&gt; in the ${java.home}/lib/security/java.security
file</li>
</ul>
<p>For more information, see the <a href="http://java.sun.com/products/jaas/" target="_blank">Sun Java Authentication and Authorization Service
(JAAS)</a> Web site.</p>
</div>
<div class="section"><h4 class="sectiontitle">JAAS policy file</h4><p> When using the default policy
implementation, JGSS grants JAAS permissions to entities by recording the
permissions in a policy file. You can specify the JAAS policy file by setting
one of the following properties:</p>
<ul><li>The Java system property java.security.policy</li>
<li>The security property policy.url.&lt;integer&gt; in the ${java.home}/lib/security/java.security
file</li>
</ul>
<p>If you are using J2SDK, version 1.4 or a subsequent release, specifying
a separate policy file for JAAS is optional. The default policy provider in
J2SDK, version 1.4 and above supports the policy file entries that JAAS requires.</p>
<p>For
more information, see the <a href="http://java.sun.com/products/jaas/" target="_blank">Sun Java Authentication and Authorization Service
(JAAS)</a> Web site.</p>
</div>
<div class="section"><h4 class="sectiontitle">Java master security properties file</h4><p>A Java virtual
machine (JVM) uses many important security properties that you set by editing
the Java master
security properties file. This file, named java.security, usually resides
in the ${java.home}/lib/security directory on your iSeries™ server.</p>
<p>The following list
describes several relevant security properties for using JGSS. Use the descriptions
as a guide for editing the java.security file.</p>
<div class="note"><span class="notetitle">Note:</span> When applicable, the
descriptions include appropriate values required to run the JGSS samples.</div>
<p> <strong>security.provider.&lt;integer&gt;</strong>:
The JGSS provider that you want to use. Also statically registers cryptographic
provider classes. IBM JGSS uses cryptographic and other security services
provided by the IBM JCE
Provider. Specify the sun.security.provider.Sun and com.ibm.crypto.provider.IBMJCE
packages exactly like the following example:</p>
<pre> security.provider.1=sun.security.provider.Sun
security.provider.2=com.ibm.crypto.provider.IBMJCE</pre>
<p> <strong>policy.provider</strong>:
System policy handler class. For example:</p>
<pre> policy.provider=sun.security.provider.PolicyFile </pre>
<p> <strong>policy.url.&lt;integer&gt;</strong>: URLs of policy files. To use the sample policy file, include an entry such
as:</p>
<pre> policy.url.1=file:/home/user/jgss/config/java.policy</pre>
<p> <strong>login.configuration.provider</strong>:
JAAS login configuration handler class, for example:</p>
<pre> login.configuration.provider=com.ibm.security.auth.login.ConfigFile </pre>
<p> <strong>auth.policy.provider</strong>: JAAS principal-based access control policy
handler class, for example:</p>
<pre> auth.policy.provider=com.ibm.security.auth.PolicyFile</pre>
<p> <strong>login.config.url.&lt;integer&gt;</strong>: URLs for JAAS login configuration files. To use the sample configuration
file, include an entry similar to:</p>
<pre> login.config.url.1=file:/home/user/jgss/config/jaas.conf</pre>
<p> <strong>auth.policy.url.&lt;integer&gt;</strong>: URLs for JAAS policy files. You can include both principal-based and CodeSource-based
constructs in the JAAS policy file. To use the sample policy file, include
an entry such as:</p>
<pre> auth.policy.url.1=file:/home/user/jgss/config/jaas.policy </pre>
</div>
<div class="section"><h4 class="sectiontitle">Credentials cache and server key table</h4><p>A user principal
keeps its Kerberos credentials in a credentials cache. A service principal
keeps its secret key in a key table. At runtime, IBM JGSS locates these caches in the following
ways: </p>
<p> <strong>User credentials cache</strong></p>
<div class="p"> JGSS uses the following
order to locate the user credentials cache: <ol><li>The file referenced by the Java property KRB5CCNAME</li>
<li>The file referenced by the environment variable KRB5CCNAME</li>
<li>/tmp/krb5cc_&lt;uid&gt; on Unix systems</li>
<li>${user.home}/krb5cc_${user.name}</li>
<li>${user.home}/krb5cc (if ${user.name} cannot be obtained)</li>
</ol>
</div>
<p><strong>Server key table</strong></p>
<div class="p">JGSS uses the following order to
locate the server key table file: <ol><li>The value of the Java property KRB5_KTNAME</li>
<li>default_keytab_name entry in the libdefaults stanza of the Kerberos configuration
file </li>
<li>${user.home}/krb5_keytab</li>
</ol>
</div>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahajgssuse.htm" title="The IBM Java Generic Security Service (JGSS) API 1.0 shields secure applications from the complexities and peculiarities of the different underlying security mechanisms. JGSS uses features provided by Java Authentication and Authorization Service (JAAS) and IBM Java Cryptography Extension (JCE).">Running IBM JGSS applications</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzahajgssusejaas.htm" title="The GSS-API does not define a way to get credentials. For this reason, the IBM JGSS Kerberos mechanism requires that the user obtain Kerberos credentials. This topic instructs you on how to obtain Kerberos credentials and create secret keys, and about using JAAS to perform Kerberos logins and authorization checks and review a list of JAAS permissions required by the Java virtual machine (JVM).">Obtaining Kerberos credentials and creating secret keys</a></div>
<div><a href="rzahajgssusejaas10.htm" title="Your choice of a JGSS provider determines which tools that you use to obtain Kerberos credentials and secret keys.">The Kinit and Ktab tools</a></div>
<div><a href="rzahajgssusejaas20.htm" title="IBM JGSS features a Java Authentication and Authorizaiton Service (JAAS) Kerberos login interface. You can disable this feature by setting the Java property javax.security.auth.useSubjectCredsOnly to false.">JAAS Kerberos login interface</a></div>
</div>
</div>
</body>
</html>