Configuration and policy files

JGSS and JAAS depend on several configuration and policy files. You need to edit these files to conform to your environment and application. If you do not use JAAS with JGSS, you can safely ignore the JAAS configuration and policy files.

Note: In the following instructions, ${java.home} denotes the path to the location of the version of Java™ that you are using on your server. For example, if you are using J2SDK, version 1.4, ${java.home} is /QIBM/ProdData/Java400/jdk14. Remember to replace ${java.home}in the property settings with the actual path to the Java home directory.

Kerberos configuration file

IBM^® JGSS requires a Kerberos configuration file. The default name and location of the Kerberos configuration file depends on the operating system being used. JGSS uses the following order to search for the default configuration file:

The file referenced by the Java property java.security.krb5.conf
${java.home}/lib/security/krb5.conf
c:\winnt\krb5.ini on Microsoft^® Windows^® platforms
/etc/krb5/krb5.conf on Solaris platforms
/etc/krb5.conf on other Unix platforms

JAAS configuration file

The use of the JAAS login feature requires a JAAS configuration file. You can specify the JAAS configuration file by setting one of the following properties:

The Java system property java.security.auth.login.config
The security property login.config.url.<integer> in the ${java.home}/lib/security/java.security file

For more information, see the Sun Java Authentication and Authorization Service (JAAS) Web site.

JAAS policy file

When using the default policy implementation, JGSS grants JAAS permissions to entities by recording the permissions in a policy file. You can specify the JAAS policy file by setting one of the following properties:

The Java system property java.security.policy
The security property policy.url.<integer> in the ${java.home}/lib/security/java.security file

If you are using J2SDK, version 1.4 or a subsequent release, specifying a separate policy file for JAAS is optional. The default policy provider in J2SDK, version 1.4 and above supports the policy file entries that JAAS requires.

For more information, see the Sun Java Authentication and Authorization Service (JAAS) Web site.

Java master security properties file

A Java virtual machine (JVM) uses many important security properties that you set by editing the Java master security properties file. This file, named java.security, usually resides in the ${java.home}/lib/security directory on your iSeries™ server.

The following list describes several relevant security properties for using JGSS. Use the descriptions as a guide for editing the java.security file.

Note: When applicable, the descriptions include appropriate values required to run the JGSS samples.

security.provider.<integer>: The JGSS provider that you want to use. Also statically registers cryptographic provider classes. IBM JGSS uses cryptographic and other security services provided by the IBM JCE Provider. Specify the sun.security.provider.Sun and com.ibm.crypto.provider.IBMJCE packages exactly like the following example:

     security.provider.1=sun.security.provider.Sun
     security.provider.2=com.ibm.crypto.provider.IBMJCE

policy.provider: System policy handler class. For example:

     policy.provider=sun.security.provider.PolicyFile

policy.url.<integer>: URLs of policy files. To use the sample policy file, include an entry such as:

     policy.url.1=file:/home/user/jgss/config/java.policy

login.configuration.provider: JAAS login configuration handler class, for example:

     login.configuration.provider=com.ibm.security.auth.login.ConfigFile

auth.policy.provider: JAAS principal-based access control policy handler class, for example:

     auth.policy.provider=com.ibm.security.auth.PolicyFile

login.config.url.<integer>: URLs for JAAS login configuration files. To use the sample configuration file, include an entry similar to:

     login.config.url.1=file:/home/user/jgss/config/jaas.conf

auth.policy.url.<integer>: URLs for JAAS policy files. You can include both principal-based and CodeSource-based constructs in the JAAS policy file. To use the sample policy file, include an entry such as:

     auth.policy.url.1=file:/home/user/jgss/config/jaas.policy

Credentials cache and server key table

A user principal keeps its Kerberos credentials in a credentials cache. A service principal keeps its secret key in a key table. At runtime, IBM JGSS locates these caches in the following ways:

User credentials cache

JGSS uses the following order to locate the user credentials cache:

The file referenced by the Java property KRB5CCNAME
The file referenced by the environment variable KRB5CCNAME
/tmp/krb5cc_<uid> on Unix systems
${user.home}/krb5cc_${user.name}
${user.home}/krb5cc (if ${user.name} cannot be obtained)

Server key table

JGSS uses the following order to locate the server key table file:

The value of the Java property KRB5_KTNAME
default_keytab_name entry in the libdefaults stanza of the Kerberos configuration file
${user.home}/krb5_keytab