Saturday, April 09, 2005

Configuration and policy files

JGSS and JAAS depend on several configuration and policy files. You need to edit these files to conform to your environment and application. If you do not use JAAS with JGSS, you can safely ignore the JAAS configuration and policy files.

Kerberos configuration file
JAAS configuration file
JAAS authorization policy file
Java master security properties file
Credentials cache and server key table
Note: In the following instructions, ${java.home} denotes the path to the location of the version of Java that you are using on your server. For example, if you are using J2SDK, version 1.4, ${java.home} is /QIBM/ProdData/Java400/jdk14. Remember to replace ${java.home}in the property settings with the actual path to the Java home directory.

Kerberos configuration file
IBM JGSS requires a Kerberos configuration file. The default name and location of the Kerberos configuration file depends on the operating system being used. JGSS uses the following order to search for the default configuration file:

The file referenced by the Java property java.security.krb5.conf
${java.home}/lib/security/krb5.conf
c:\winnt\krb5.ini on Microsoft Windows(R) platforms
/etc/krb5/krb5.conf on Solaris(TM) platforms
/etc/krb5.conf on other Unix(R) platforms
JAAS configuration file
The use of the JAAS login feature requires a JAAS configuration file. You can specify the JAAS configuration file by setting one of the following properties:

The Java system property java.security.auth.login.config
The security property login.config.url. in the ${java.home}/lib/security/java.security file
For more information, see the Sun Java Authentication and Authorization Service (JAAS) Web site .

JAAS policy file
When using the default policy implementation, JGSS grants JAAS permissions to entities by recording the permissions in a policy file. You can specify the JAAS policy file by setting one of the following properties:

The Java system property java.security.policy
The security property policy.url. in the ${java.home}/lib/security/java.security file
If you are using J2SDK, version 1.4, specifying a separate policy file for JAAS is optional. The default policy provider in J2SDK, version 1.4 supports the policy file entries that JAAS requires.

For more information, see the Sun Java Authentication and Authorization Service (JAAS) Web site .

Java master security properties file
A Java virtual machine (JVM) uses many important security properties that you set by editing the Java master security properties file. This file, named java.security, usually resides in the ${java.home}/lib/security directory on your iSeries server.

The following list describes several relevant security properties for using JGSS. Use the descriptions as a guide for editing the java.security file.

Note: When applicable, the descriptions include appropriate values required to run the JGSS samples.

security.provider.: The JGSS provider that you want to use. Also statically registers cryptographic provider classes. IBM JGSS uses cryptographic and other security services provided by the IBM JCE Provider. Specify the sun.security.provider.Sun and com.ibm.crypto.provider.IBMJCE packages exactly like the following example:

security.provider.1=sun.security.provider.Sun
security.provider.2=com.ibm.crypto.provider.IBMJCE
policy.provider: System policy handler class. For example:

policy.provider=sun.security.provider.PolicyFile
policy.url.: URLs of policy files. To use the sample policy file, include an entry such as:

policy.url.1=file:/home/user/jgss/config/java.policy
login.configuration.provider: JAAS login configuration handler class, for example:

login.configuration.provider=com.ibm.security.auth.login.ConfigFile
auth.policy.provider: JAAS principal-based access control policy handler class, for example:

auth.policy.provider=com.ibm.security.auth.PolicyFile
login.config.url.: URLs for JAAS login configuration files. To use the sample configuration file, include an entry similar to:

login.config.url.1=file:/home/user/jgss/config/jaas.conf
auth.policy.url.: URLs for JAAS policy files. You can include both principal-based and CodeSource-based constructs in the JAAS policy file. To use the sample policy file, include an entry such as:

auth.policy.url.1=file:/home/user/jgss/config/jaas.policy
Credentials cache and server key table
A user principal keeps its Kerberos credentials in a credentials cache. A service principal keeps its secret key in a key table. At runtime, IBM JGSS locates these caches in the following ways:

User credentials cache

JGSS uses the following order to locate the user credentials cache:

The file referenced by the Java(TM) property KRB5CCNAME
The file referenced by the environment variable KRB5CCNAME
/tmp/krb5cc_ on Unix systems
${user.home}/krb5cc_${user.name}
${user.home}/krb5cc (if ${user.name} cannot be obtained)

Server key table

JGSS uses the following order to locate the server key table file:

The value of the Java(TM) property KRB5_KTNAME
default_keytab_name entry in the libdefaults stanza of the Kerberos configuration file
${user.home}/krb5_keytab

No comments:

Post a Comment