Using ActiveMatrix Administrator

To configure ActiveMatrix BPM to use Kerberos from ActiveMatrix Administrator, create a Kerberos Authentication resource template in ActiveMatrix Administrator.

For more comprehensive coverage of the resource template, see the TIBCO ActiveMatrix BPM SOA Administration guide. The main settings are covered below.

Procedure

  1. From TIBCO ActiveMatrix Administrator, select Shared Objects > Resource Templates > Kerberos Authentication.
  2. From the Scope window, select Environment and, from the drop-down list, select BPMEnvironment.
  3. From the Scope window, select Application and, from the drop-down list, select amx.bpm.app.
  4. Click New.

    The Add Resource Template window is displayed.

  5. In the Name box, type amx.bpm.auth.kerberos.
    Important: The name of the shared resource template and instance must be amx.bpm.auth.kerberos.
  6. Select the Configuration File tab. From the Kerberos Configuration File Option list, select Generated.

    This generates a local Kerberos configuration file at the given location from the values that you enter in the following fields:

    Option: Description

    Kerberos Realm: The name of the domain where the Kerberos configuration applies. For example, XYZCOMPANY.COM.
    Key Distribution Center: The host name or IP address of the host running the Kerberos KDC for the realm. Optionally, include a port number.
    Generated Configuration File Name: The name of the Kerberos configuration file to which TIBCO ActiveMatrix Administrator writes the Kerberos properties. For example, amx.bpm.auth.kerberos.conf.
    Default DNS Domain: The domain used to expand host names when translating Kerberos 4 service principals to Kerberos 5 principals. Domain names must be lower case. For example, xyzcompany.com.
    Clock Skew: The maximum clock skew (in seconds) that the library tolerates before treating a Kerberos message as invalid. Default: 300 seconds.
    Ticket Lifetime: The default lifetime for initial ticket requests. Default: 24.
    Renew Lifetime: The default renewable lifetime for initial ticket requests. Default: 0.
    Client TGS Encryption: The session key encryption types that the client requests when making a ticket granting service request (TGS-REQ), in order of preference from highest to lowest. The list can be delimited with commas or whitespace. For example, aes256-cts-hmac-sha1-96 aes256-cts rc4-hmac.
    Client Ticket Encryption: The session key encryption types that the client requests when making an authentication service request (AS-REQ), in order of preference from highest to lowest. The list can be delimited with commas or whitespace. For example, aes256-cts-hmac-sha1-96 aes256-cts rc4-hmac.
    Service Ticket Encryption: All encryption types that are permitted for session key encryption. The list can be delimited with commas or whitespace. For example, aes256-cts-hmac-sha1-96 aes256-cts rc4-hmac.
    Lookup DNS for KDC: Whether DNS SRV records are used to locate the KDCs and other servers for a realm when they are not listed in the krb5.conf information for that realm.
    Note: The admin_server entry must be present in the krb5.conf realm information in order to contact kadmind, because the DNS-based lookup for kadmin is incomplete.
  7. Select the Advanced tab. You can configure the following options:
    Option: Description

    Login Module Class: The Java class that implements javax.security.auth.spi.LoginModule and performs the Kerberos authentication. Unless you provide a custom implementation, use the default value.
    Refresh KRB5 Configuration: Refreshes the Kerberos configuration before the login authentication method is invoked.
    Renew TGT: Renews ticket granting tickets. If selected, the Use Ticket Cache check box is also selected and the Ticket Cache Name field is enabled.
    Use Ticket Cache: Obtains ticket granting tickets from the ticket cache.
    Ticket Cache Name: The full path name of the ticket cache file that contains the ticket granting tickets.
    Use Key Tab: Obtains the service principal's key from the named keytab file. When selected, the Keytab Filename box is enabled. If Keytab Filename is not set, the keytab location is taken from the Kerberos configuration file.
    Store Key: Stores the principal's key in the private credentials of the authenticated subject, which is placed in the security context.
    Principal Name: The service principal name (SPN) of the service to be protected. When a service ticket is received, it is verified against this SPN using the KDC. The same value must be specified in the substitution variables. See Editing Substitution Variables for Kerberos.
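As an added example (not part of the TIBCO documentation or product), the script below takes constructed sample values for the step 6 fields, normalises the comma-or-whitespace enctype lists, applies the checks the field descriptions call for (lower-case DNS domain, an explicit admin_server because kadmin is not located through DNS, no weak enctypes in the preference lists), and renders the result as an MIT-style krb5.conf so you can see what the values mean before typing them in. The krb5.conf key names (clockskew, default_tgs_enctypes, default_domain and so on) are assumed from the option descriptions; the exact file that ActiveMatrix Administrator generates is not shown on this page.

```python
import re

# Enctypes an administrator would normally keep out of the preference lists.
WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "des-cbc-crc", "des-cbc-md5"}

# Constructed sample values for the Configuration File tab (hypothetical, not a real deployment).
SAMPLE = {
    "realm": "XYZCOMPANY.COM",
    "kdc": "kdc1.xyzcompany.com:88",
    "admin_server": "kdc1.xyzcompany.com",  # not a field on the tab; needed per the Note in step 6
    "default_domain": "xyzcompany.com",
    "clockskew": 300,
    "ticket_lifetime": "24h",
    "renew_lifetime": "0",
    "default_tgs_enctypes": "aes256-cts-hmac-sha1-96, aes256-cts rc4-hmac",
    "default_tkt_enctypes": "aes256-cts-hmac-sha1-96 aes256-cts",
    "permitted_enctypes": "aes256-cts-hmac-sha1-96 aes256-cts",
    "dns_lookup_kdc": True,
}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

def split_enctypes(value):
    """The enctype fields accept commas or whitespace as delimiters; return a clean list."""
    return [e for e in re.split(r"[,\s]+", value.strip()) if e]

def validate(f):
    """Return problems that would make the generated krb5.conf unusable or needlessly weak."""
    problems = []
    if f["default_domain"] != f["default_domain"].lower():
        problems.append("Default DNS Domain must be lower case")
    if not f.get("admin_server"):
        problems.append("admin_server missing: kadmind is not located via DNS SRV records")
    for key in ENCTYPE_KEYS:
        weak = [e for e in split_enctypes(f[key]) if e in WEAK_ENCTYPES]
        if weak:
            problems.append(f"{key} lists weak enctype(s): {' '.join(weak)}")
    return problems

def render_krb5_conf(f):
    """Render the fields as an MIT-style krb5.conf (key names assumed from the option descriptions)."""
    lib = [f"    {k} = {' '.join(split_enctypes(f[k]))}" for k in ENCTYPE_KEYS]
    lib += [f"    {k} = {str(f[k]).lower()}"
            for k in ("clockskew", "ticket_lifetime", "renew_lifetime", "dns_lookup_kdc")]
    realm = [f"    {f['realm']} = {{", f"        kdc = {f['kdc']}",
             f"        admin_server = {f['admin_server']}",
             f"        default_domain = {f['default_domain']}", "    }"]
    return "\n".join(["[libdefaults]", f"    default_realm = {f['realm']}", *lib, "",
                      "[realms]", *realm]) + "\n"
```

Run validate(SAMPLE) before render_krb5_conf(SAMPLE); with the sample values it reports only the rc4-hmac entry in the TGS list.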