Kerberos configuration file
JAAS configuration file
JAAS authorization policy file
Java master security properties file
Credentials cache and server key table
Note: In the following instructions, ${java.home} denotes the path to the location of the version of Java that you are using on your server. For example, if you are using J2SDK, version 1.4, ${java.home} is /QIBM/ProdData/Java400/jdk14. Remember to replace ${java.home} in the property settings with the actual path to the Java home directory.
Kerberos configuration file
IBM JGSS requires a Kerberos configuration file. The default name and location of the Kerberos configuration file depends on the operating system being used. JGSS uses the following order to search for the default configuration file:
The file referenced by the Java property java.security.krb5.conf
${java.home}/lib/security/krb5.conf
c:\winnt\krb5.ini on Microsoft Windows(R) platforms
/etc/krb5/krb5.conf on Solaris(TM) platforms
/etc/krb5.conf on other Unix(R) platforms
JAAS configuration file
The use of the JAAS login feature requires a JAAS configuration file. You can specify the JAAS configuration file by setting one of the following properties:
The Java system property java.security.auth.login.config
The security property login.config.url.
For more information, see the Sun Java Authentication and Authorization Service (JAAS) Web site.
JAAS policy file
When using the default policy implementation, JGSS grants JAAS permissions to entities by recording the permissions in a policy file. You can specify the JAAS policy file by setting one of the following properties:
The Java system property java.security.policy
The security property policy.url.
If you are using J2SDK, version 1.4, specifying a separate policy file for JAAS is optional. The default policy provider in J2SDK, version 1.4 supports the policy file entries that JAAS requires.
For more information, see the Sun Java Authentication and Authorization Service (JAAS) Web site.
Java master security properties file
A Java virtual machine (JVM) uses many important security properties that you set by editing the Java master security properties file. This file, named java.security, usually resides in the ${java.home}/lib/security directory on your iSeries server.
The following list describes several relevant security properties for using JGSS. Use the descriptions as a guide for editing the java.security file.
Note: When applicable, the descriptions include appropriate values required to run the JGSS samples.
security.provider.
security.provider.1=sun.security.provider.Sun
security.provider.2=com.ibm.crypto.provider.IBMJCE
policy.provider: System policy handler class. For example:
policy.provider=sun.security.provider.PolicyFile
policy.url.
policy.url.1=file:/home/user/jgss/config/java.policy
login.configuration.provider: JAAS login configuration handler class, for example:
login.configuration.provider=com.ibm.security.auth.login.ConfigFile
auth.policy.provider: JAAS principal-based access control policy handler class, for example:
auth.policy.provider=com.ibm.security.auth.PolicyFile
login.config.url.
login.config.url.1=file:/home/user/jgss/config/jaas.conf
auth.policy.url.
auth.policy.url.1=file:/home/user/jgss/config/jaas.policy
Credentials cache and server key table
A user principal keeps its Kerberos credentials in a credentials cache. A service principal keeps its secret key in a key table. At runtime, IBM JGSS locates these caches in the following ways:
User credentials cache
JGSS uses the following order to locate the user credentials cache:
The file referenced by the Java(TM) property KRB5CCNAME
The file referenced by the environment variable KRB5CCNAME
/tmp/krb5cc_
${user.home}/krb5cc_${user.name}
${user.home}/krb5cc (if ${user.name} cannot be obtained)
Server key table
JGSS uses the following order to locate the server key table file:
The value of the Java(TM) property KRB5_KTNAME
default_keytab_name entry in the libdefaults stanza of the Kerberos configuration file
${user.home}/krb5_keytab
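The following program is an added example, not code from the IBM documentation. It shows how the files described above are wired together at run time: the three system properties select the Kerberos, JAAS and policy files, the JAAS login module reads the user credentials cache located by the search order listed above, and JGSS then acquires an initiator credential from the logged-in subject. The login entry name JgssSample, the krb5.conf path and the jaas.conf contents are assumptions; the module options are those of IBM's Krb5LoginModule.

```java
// Added example (not from the IBM documentation). Assumes a JAAS login entry
// named "JgssSample" (hypothetical) in /home/user/jgss/config/jaas.conf:
//
//   JgssSample {
//       com.ibm.security.auth.module.Krb5LoginModule required
//           credsType=initiator
//           useDefaultCcache=true;
//   };
//
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

public class JgssConfigCheck {
    public static void main(String[] args) throws Exception {
        // Point the JVM at the three files. Setting these properties overrides the
        // java.security defaults (policy.url.1, login.config.url.1 and
        // ${java.home}/lib/security/krb5.conf) for this process only.
        // The krb5.conf path below is an assumed location.
        System.setProperty("java.security.krb5.conf", "/home/user/jgss/config/krb5.conf");
        System.setProperty("java.security.auth.login.config", "/home/user/jgss/config/jaas.conf");
        System.setProperty("java.security.policy", "/home/user/jgss/config/java.policy");

        // JAAS login: the login module looks for the credentials cache in the
        // order given above (KRB5CCNAME property, KRB5CCNAME environment
        // variable, then the default file names under /tmp and ${user.home}).
        LoginContext lc = new LoginContext("JgssSample");
        lc.login();
        Subject subject = lc.getSubject();
        System.out.println("Logged in as: " + subject.getPrincipals());

        // Run the JGSS call as the authenticated subject so that the Kerberos
        // ticket stored in the subject backs the GSS credential.
        final Oid krb5 = new Oid("1.2.840.113554.1.2.2");
        GSSCredential cred = (GSSCredential) Subject.doAs(subject, new PrivilegedExceptionAction() {
            public Object run() throws GSSException {
                GSSManager mgr = GSSManager.getInstance();
                return mgr.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                        krb5, GSSCredential.INITIATE_ONLY);
            }
        });
        System.out.println("Acquired credential for " + cred.getName()
                + ", remaining lifetime " + cred.getRemainingLifetime() + "s");
        cred.dispose();
        lc.logout();
    }
}
```

If the login fails before any JGSS call is made, the problem is in the Kerberos or JAAS configuration file or in locating the credentials cache; if createCredential fails, check the JAAS policy file and the java.security provider entries.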