WebSphere® Application Server Community Edition does not currently support Kerberos authentication. This article describes how to implement Kerberos authentication in WebSphere Application Server Community Edition using the Kerberos implementation provided by the IBM® Java™ platform.
Brief introduction
IBM WebSphere Application Server Community Edition V2.1.1.2 (hereinafter referred to as Community Edition) is a free application server based on Apache Geronimo 2.1.4 and certified for Java Platform, Enterprise Edition 5.0 (Java EE 5). Community Edition uses Java Authentication and Authorization Service (JAAS) login modules to authenticate users of web applications, and the Java Authorization Contract for Containers (JACC) for authorization.
Kerberos is an authentication protocol developed by MIT. It allows computer nodes communicating over an insecure network to authenticate each other securely. The latest version of the Kerberos protocol is version 5.
Community Edition does not provide a Kerberos protocol implementation. In this article, you will use the Kerberos implementation provided by the IBM Java platform to authenticate and authorize users in Community Edition. For the purposes of this article, a Microsoft® Active Directory server (Active Directory for short) is used as the user repository. This article requires WebSphere Application Server Community Edition V2.1.1.2 or later.
Kerberos: How does it work?
Kerberos uses a symmetric-key cryptosystem and requires a trusted third party called the Key Distribution Center (KDC), which consists of an Authentication Server (AS) and a Ticket Granting Server (TGS). The KDC maintains a database of secret keys. Each entity (user or service) on the network shares a secret key with the KDC that is known only to the KDC and the entity itself, so possession of that key authenticates the entity. Kerberos uses tickets, called "Kerberos tickets", which carry a timestamp and have a short lifetime; entities must therefore keep their clocks synchronized.
The entity authenticates to the Authentication Server using its shared secret (usually a password) and receives a Ticket Granting Ticket (TGT). It then contacts the Ticket Granting Server, proves its identity with the TGT, and requests a service. The TGS verifies that the entity is entitled to use the service and issues a Service Ticket (ST). The entity then contacts the Service Server (SS), using the ST to prove that it is entitled to use the service, and finally uses the service. An entity can reuse its TGT to obtain additional STs for other services without authenticating to the AS again. The Kerberos protocol is specifically designed so that shared secrets (such as passwords) never have to be sent over the network in order to authenticate. With Kerberos authentication, users typically enter their credentials through an input device such as a keyboard, while a service stores its credentials in a keytab file and uses them to authenticate to the KDC.
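The exchange described above, as an added illustration that is not part of the original article: a Python simulation of the three Kerberos exchanges (AS, TGS and AP) between a client, a KDC and a service server. Everything in it is constructed for the example: the realm EXAMPLE.COM, the principal names and passwords, and a toy HMAC-based cipher standing in for the real Kerberos encryption types. Ticket formats are simplified and no real Kerberos library is involved; the point is to show which party holds which key, what crosses the wire, and how timestamps and ticket lifetimes are enforced.

```python
"""Toy walk-through of the Kerberos AS, TGS and AP exchanges (constructed example).
The cipher is a toy HMAC-based encrypt-then-MAC so only the standard library is needed."""
import hashlib, hmac, json, os, time

MAX_SKEW = 300  # seconds; authenticators outside this window are rejected

def derive_key(password, salt):
    # "string-to-key": the password itself never leaves the client
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000, 32)

def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable dict under key (toy AEAD: nonce|ct|tag)."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("rejected: wrong key or tampered ticket/authenticator")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_authenticator(auth, expected_client, now):
    # An authenticator names the client and carries a fresh timestamp; both must match
    if auth["client"] != expected_client or abs(now - auth["timestamp"]) > MAX_SKEW:
        raise ValueError("authenticator rejected: name mismatch or clock skew")

class KDC:
    """Authentication Server and Ticket Granting Server over one key database."""
    def __init__(self, realm, lifetime=8 * 3600):
        self.realm, self.lifetime = realm, lifetime
        self.keys = {"krbtgt/" + realm: os.urandom(32)}  # the TGS's own key
    def add_principal(self, name, password):
        self.keys[name] = derive_key(password, self.realm + name)
    def as_exchange(self, client, preauth, now):
        # AS_REQ with pre-authentication: an encrypted timestamp proves key possession
        check_authenticator(unseal(self.keys[client], preauth), client, now)
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt/" + self.realm],
                   {"client": client, "session": session, "expires": now + self.lifetime})
        return seal(self.keys[client], {"session": session, "tgt": tgt.hex()})  # AS_REP
    def tgs_exchange(self, tgt, authenticator, service, now):
        # TGS_REQ: the TGT (opaque to the client) plus an authenticator under its session key
        t = unseal(self.keys["krbtgt/" + self.realm], bytes.fromhex(tgt))
        if now > t["expires"]:
            raise ValueError("TGT expired")
        check_authenticator(unseal(bytes.fromhex(t["session"]), authenticator), t["client"], now)
        svc_session = os.urandom(32).hex()
        st = seal(self.keys[service], {"client": t["client"], "session": svc_session,
                                       "expires": now + self.lifetime})
        return seal(bytes.fromhex(t["session"]), {"session": svc_session, "st": st.hex()})  # TGS_REP

class Service:
    """Service Server: holds only its own long-term key (the keytab in a real deployment)."""
    def __init__(self, name, key):
        self.name, self.key = name, key
    def ap_exchange(self, st, authenticator, now):
        t = unseal(self.key, bytes.fromhex(st))  # AP_REQ: service ticket + authenticator
        if now > t["expires"]:
            raise ValueError("service ticket expired")
        check_authenticator(unseal(bytes.fromhex(t["session"]), authenticator), t["client"], now)
        return t["client"]  # the authenticated principal name

class Client:
    def __init__(self, name, password, realm):
        self.name, self.tgt, self.tgt_session = name, None, None
        self.key = derive_key(password, realm + name)  # derived locally, never sent
    def _authenticator(self, key, now):
        return seal(key, {"client": self.name, "timestamp": now})
    def login(self, kdc, now):
        rep = unseal(self.key, kdc.as_exchange(self.name, self._authenticator(self.key, now), now))
        self.tgt, self.tgt_session = rep["tgt"], bytes.fromhex(rep["session"])
    def use_service(self, kdc, service, now):
        rep = unseal(self.tgt_session, kdc.tgs_exchange(
            self.tgt, self._authenticator(self.tgt_session, now), service.name, now))
        return service.ap_exchange(rep["st"], self._authenticator(bytes.fromhex(rep["session"]), now), now)

def rejected(action):
    """True when the KDC or the service refuses the request."""
    try:
        action()
        return False
    except ValueError:
        return True

def demo(now=None):
    """One TGT reused for two service tickets, then an expired TGT and a wrong password refused."""
    now = time.time() if now is None else now
    kdc = KDC("EXAMPLE.COM")
    kdc.add_principal("alice", "correct horse battery staple")
    kdc.add_principal("HTTP/app.example.com", "keytab-secret")
    app = Service("HTTP/app.example.com", kdc.keys["HTTP/app.example.com"])
    alice = Client("alice", "correct horse battery staple", "EXAMPLE.COM")
    alice.login(kdc, now)
    first = alice.use_service(kdc, app, now)
    second = alice.use_service(kdc, app, now + 60)  # TGT reused, no second AS exchange
    return (first, second,
            rejected(lambda: alice.use_service(kdc, app, now + 9 * 3600)),  # past 8 h lifetime
            rejected(lambda: Client("alice", "wrong-password", "EXAMPLE.COM").login(kdc, now)))
```

Calling demo() returns the principal name the service authenticated twice (the second time from the cached TGT, with no further AS exchange), then True for the refused use of the TGT after its lifetime and True for a client whose wrong password fails pre-authentication. The password string itself appears in no message: only tickets and authenticators sealed under derived or session keys cross the wire, which is the property the paragraph above describes.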
Kerberos and Community Edition
Community Edition does not provide an implementation of the Kerberos protocol. The IBM Java platform provides one through the com.ibm.security.auth.module.Krb5LoginModule class. To take advantage of this implementation, we create a LoginModule implementation that wraps Krb5LoginModule and delegates all LoginModule API calls to it. The code of this KerberosLoginModule is shown in Listing 1.