The Java Authentication and Authorization Service (JAAS) is one of several pluggable Java security frameworks. It lets an application use an authentication service without hard-coding credentials or provider details in its source code; the provider and its settings are named in a configuration file instead. One of the available login modules is for Kerberos.

A Subject represents a single entity (a user or a service) and groups that entity's Principals and credentials. A Principal names the subject in a particular way; for Kerberos the principal carries a name type, such as KRB_NT_PRINCIPAL, that defines how the name is formatted and interpreted. A Subject handed to a login module passes through a fixed sequence of phases: initialize, then login, then commit on success. If login fails, abort runs in place of commit. In both cases logout is the final phase. The Kerberos login module performs a number of checks during initialization. In the Kerberos case the Subject normally holds the user's fully qualified principal name together with the Kerberos ticket-granting ticket (TGT) obtained for it. The Principal is the user ID in the following user principal name format:
domainuser@REALM.COM
A keytab is a file containing pairs of Kerberos principals and their long-term secret keys (for a user principal, the key is derived from the Kerberos password). A keytab lets a process authenticate to Kerberos-protected systems without a password being typed. Because the keys are derived from the password, every keytab for a principal must be regenerated whenever that principal's password changes. Treat a keytab as a password equivalent: anyone who can read the file can obtain tickets as that principal, so restrict its file permissions to the account that runs the service.
Keytab files are commonly used so that scripts and services can authenticate with Kerberos automatically, without human interaction and without storing the password itself in a plain-text file. The script then uses the acquired credentials (the TGT) to reach resources on remote systems.
Here, the JAAS Kerberos login module uses a keytab to log in to Kerberos.
JAAS is configured with login modules and their parameters. The Kerberos module is com.sun.security.auth.module.Krb5LoginModule; in the configuration below it is given the control flag required (other flags, such as optional, control how a module's success or failure affects the overall login). JAAS is used here solely for authentication. For more information, see Using JAAS.
The following syntax configures the SQL Server driver to use the Krb5LoginModule with the required control flag, so that the driver fails to start if this login module fails. Debug mode is on (debug=true).
The login module obtains any interactive input through a callback handler. doNotPrompt=true ensures that no prompt for credentials ever appears; if the credentials cannot be obtained from the keytab, the login fails instead. useTicketCache=false means the Kerberos default ticket cache is not consulted. With useKeyTab=true the key is read from the keytab, the TGT is requested with it, and the resulting credentials are held in memory as the Subject's private credentials. Optionally, the user principal can be written in the JAAS file (for example user@REALM1.REALM2.COM), which selects the keytab entry to use; that principal must then exist in the keytab. The entry name SQLJDBCDriver is required (see the note below about case on Linux).
SQLJDBCDriver {
    com.sun.security.auth.module.Krb5LoginModule required
    debug=true
    doNotPrompt=true
    useTicketCache=false
    useKeyTab=true
    keyTab="domainuser.keytab";
};
The keytab file and iwjaas.conf must be placed in the iWay Service Manager root folder, where the iWay7 or iWay8 command file is kept. The following is an example iwjaas.conf; lines starting with // are comments, which the JAAS configuration syntax allows, so refreshKrb5Config and principal are present but disabled:
SQLJDBCDriver {
    com.sun.security.auth.module.Krb5LoginModule required
    // refreshKrb5Config=false
    debug=true
    doNotPrompt=true
    useTicketCache=false
    useKeyTab=true
    keyTab="sqls6.keytab"
    // principal="user@REALM.COM"
    ;
};
Note: On Linux, sqljdbc must be in lowercase letters.
where:

debug=true
    Turns on debug mode; the Krb5LoginModule writes its progress and any failure reason to standard output. Turn it off once the configuration works, because the output can include principal names and ticket details.

doNotPrompt=true
    Does not prompt the user for credentials; if they cannot be obtained from the keytab, the login fails.

useTicketCache=false
    Does not use the Kerberos default credential cache.

useKeyTab=true
    Uses a keytab instead of the cache.

keyTab
    Is the keytab file name. Paths in this value do not always work, which is why the keytab is placed in the Service Manager root folder.

principal
    Overrides the principal taken from the keytab with this value. The principal given must exist as an entry in the keytab, with the exact name and realm; otherwise the login fails.
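As an added example (not from the iWay documentation or the driver's own code), the Java program below puts the pieces above together: it checks that the keytab actually holds an entry for the principal before attempting login (the caveats about the keyTab value and the principal), runs the JAAS lifecycle through the SQLJDBCDriver entry with a callback handler that refuses to prompt (the effect of doNotPrompt=true), inspects the resulting Subject (the KerberosPrincipal with its name type, and the TGT held as a private credential), and finally opens a SQL Server connection under that Subject. The file names, the principal, the host sqls6.realm.com and the connection string options integratedSecurity=true;authenticationScheme=JavaKerberos are assumptions for illustration; a readable krb5.conf (or java.security.krb5.conf) and the Microsoft JDBC driver on the classpath are also assumed.

```java
import java.io.File;
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;

import javax.security.auth.DestroyFailedException;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.kerberos.KeyTab;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Added example: keytab pre-check, JAAS login through the SQLJDBCDriver entry, JDBC under the Subject. */
public class KeytabJaasCheck {

    // Assumed values for illustration; replace with the real keytab, principal and server.
    static final String JAAS_CONF = "iwjaas.conf";
    static final String KEYTAB    = "domainuser.keytab";
    static final String PRINCIPAL = "domainuser@REALM.COM";
    static final String JDBC_URL  = "jdbc:sqlserver://sqls6.realm.com:1433;databaseName=master;"
                                  + "integratedSecurity=true;authenticationScheme=JavaKerberos";

    /** Mirrors doNotPrompt=true: any attempt to ask for a name or password is an error, not a prompt. */
    static final CallbackHandler NO_PROMPT = callbacks -> {
        throw new UnsupportedCallbackException(callbacks[0], "interactive prompting is disabled");
    };

    /** Fails early with a clear message if the keytab is missing or has no entry for the principal. */
    static void checkKeytab(String path, String principal) throws IOException {
        File f = new File(path);
        if (!f.isFile()) throw new IOException("keytab not found: " + f.getAbsolutePath());
        KeyTab kt = KeyTab.getInstance(f);
        KerberosKey[] keys = kt.getKeys(new KerberosPrincipal(principal));
        if (keys.length == 0) throw new IOException("no entry for " + principal + " in " + path);
        for (KerberosKey k : keys) {
            System.out.printf("keytab entry: kvno=%d etype=%d%n", k.getVersionNumber(), k.getKeyType());
            try { k.destroy(); } catch (DestroyFailedException ignored) { } // do not keep key copies alive
        }
    }

    /** Shows what the Krb5LoginModule put into the Subject during commit(). */
    static void describe(Subject s) {
        for (KerberosPrincipal p : s.getPrincipals(KerberosPrincipal.class))
            System.out.println("principal: " + p.getName() + " (name type " + p.getNameType() + ")");
        for (KerberosTicket t : s.getPrivateCredentials(KerberosTicket.class))
            // The TGT is the ticket whose server is krbtgt/REALM@REALM
            System.out.printf("ticket for %s, expires %s%n", t.getServer().getName(), t.getEndTime());
    }

    /** Runs the JDBC connection as the logged-in Subject so the driver uses its TGT. */
    static void queryAsSubject(Subject s) throws Exception {
        Subject.doAs(s, (PrivilegedExceptionAction<Void>) () -> {
            try (Connection c = DriverManager.getConnection(JDBC_URL);
                 Statement st = c.createStatement();
                 ResultSet rs = st.executeQuery("SELECT SUSER_SNAME()")) {
                if (rs.next()) System.out.println("connected as " + rs.getString(1));
            }
            return null;
        });
    }

    public static void main(String[] args) throws Exception {
        // Point JAAS at the configuration file that holds the SQLJDBCDriver entry.
        System.setProperty("java.security.auth.login.config", JAAS_CONF);
        checkKeytab(KEYTAB, PRINCIPAL);

        LoginContext lc = new LoginContext("SQLJDBCDriver", new Subject(), NO_PROMPT);
        try {
            lc.login(); // initialize -> login -> commit; on failure the module's abort() has already run
        } catch (LoginException e) {
            System.err.println("Kerberos login failed: " + e.getMessage());
            System.exit(1);
        }
        try {
            describe(lc.getSubject());
            queryAsSubject(lc.getSubject());
        } finally {
            lc.logout(); // final phase: removes the principal and TGT from the Subject
        }
    }
}
```

Run it from the Service Manager root folder so the relative keytab name resolves the same way it does for the driver. If the pre-check reports no entry, the keytab was cut for a different principal (or realm case differs) and the JAAS login would fail for the same reason; if the login fails with debug=true set in iwjaas.conf, the module's own output on standard output says which step (keytab read, KDC exchange, or principal lookup) went wrong.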