JAAS Kerberos login interface

IBM^® JGSS features a Java™ Authentication and Authorizaiton Service (JAAS) Kerberos login interface. You can disable this feature by setting the Java property javax.security.auth.useSubjectCredsOnly to false.

Note: Although the pure Java JGSS provider can use the login interface, the native iSeries™ JGSS provider cannot.

For more information about JAAS, see Java Authentication and Authorization Service.

JAAS and JVM permissions

If you are using a security manager, you need to ensure that your application and JGSS have the necessary JVM and JAAS permissions. For more information, see Using a security manager.

JAAS configuration file options

The login interface requires a JAAS configuration file that specifies com.ibm.security.auth.module.Krb5LoginModule as the login module to be used. The following table lists the options that Krb5LoginModule supports. Note that the options are not case-sensitive.

Option name	Value	Default	Explanation
principal	<string>	None; prompted for.	Kerberos principal name
credsType	initiator \| acceptor \| both	initiator	The JGSS credential type
forwardable	true\|false	false	Whether to acquire a forwardable ticket-granting ticket (TGT)
proxiable	true\|false	false	Whether to acquire a proxiable TGT
useCcache	<URL>	Don't use ccache	Retrieve TGT from the specified credential cache
useKeytab	<URL>	Don't use key table	Retrieve secret key from the specified key table
useDefaultCcache	true\|false	Don't use default ccache	Retrieve TGT from default credential cache
useDefaultKeytab	true\|false	Don't use default key table	Retrieve secret key from the specified key table

For a simple example of using Krb5LoginModule, see the Sample JAAS login configuration file.

Option incompatabilities

Some Krb5LoginModule options, excluding principal name, are incompatible with each other, meaning that you cannot specify them together. The following table represents compatible and incompatible login module options.

Indicators in the table describe the relationship between the two associated options:

X = Incompatible
N/A = Inapplicable combination
Blank = Compatible

Krb5LoginModule option	credsType initiator	credsType acceptor	credsType both	forward	proxy	use Ccache	use Keytab	useDefault Ccache	useDefault Keytab
credsType=initiator		N/A	N/A				X		X
credsType=acceptor	N/A		N/A	X	X	X		X
credsType=both	N/A	N/A
forwardable		X				X	X	X	X
proxiable		X				X	X	X	X
useCcache		X		X	X		X	X	X
useKeytab	X			X	X	X		X	X
useDefaultCcache		X		X	X	X	X		X
useDefaultKeytab	X			X	X	X	X	X

Principal name option

You can specify a principal name in combination with any other option. If you do not specify a principal name, the Krb5LoginModule may prompt the user for a principal name. Whether or not Krb5LoginModule prompts the user depends on the other options that you specify.

Service principal name format

You must use one of the following formats to specify a service principal name:

<service_name> (for example, superSecureServer)
<service_name>@<host> (for example, superSecureServer@myhost)

In the latter format, <host> is the hostname of the machine on which the service resides. You can (but do not have to) use a fully qualified hostname.

Note: JAAS recognizes certain characters as delimiters. When you use any of the following characters in a JAAS string (such as a principal name), enclose the character in quotes:

     _  (underscore)
     :  (colon)
     /  (forward slash)
     \  (back slash)

Prompting for the principal name and password

The options that you specify in the JAAS configuration file determine whether the Krb5LoginModule login is noninteractive or interactive.

A noninteractive login does not prompt for any information whatsoever
An interactive login prompts for principal name, password, or both

Noninteractive logins

The login proceeds noninteractively when you specify the credential type as initiator (credsType=initiator) and you perform one of the following actions:

Specify the useCcache option
Set the useDefaultCcache option to true

The login also proceeds noninteractively when you specify the credential type as acceptor or both (credsType=acceptor or credsType=both) and you perform one of the following actions:

Specify the useKeytab option
Set the useDefaultKeytab option to true

Interactive logins

Other configurations result in the login module prompting for a principal name and password so that it may obtain a TGT from a Kerberos KDC. The login module prompts for only a password when you specify the principal option.

Interactive logins require that the application specify com.ibm.security.auth.callback.Krb5CallbackHandler as the callback handler when creating the login context. The callback handler is responsible for prompting for input.

Credential type option

When you require the credential type to be both initiator and acceptor (credsType=both), Krb5LoginModule obtains both a TGT and a secret key. The login module uses the TGT to initiate contexts and the secret key to accept contexts. The JAAS configuration file must contain sufficient information to enable the login module to acquire the two types of credentials.

For credential types acceptor and both, the login module assumes a service principal.