Configuring the Kerberos Service Provider

Description

The Kerberos service provider is used to authenticate the SPNEGO token retrieved from the HTTP header.

Use Case

  • Authenticate SPNEGO token from the incoming request.

Properties

The following table describes the properties for the Kerberos Service Provider:

Properties for Kerberos Service Provider

Property: com.tibco.trinity.runtime.core.provider.lookup
  The property value must be com.tibco.trinity.runtime.core.provider.authn.kerberos and should not be changed.

Property: com.tibco.trinity.runtime.core.provider.authn.kerberos.enableSecurityTokenAttribute
  A boolean property that controls whether the original security token is embedded in the SAML assertion as an attribute.

Property: com.tibco.trinity.runtime.core.provider.authn.kerberos.realm
  Specifies the Kerberos realm.

Property: com.tibco.trinity.runtime.core.provider.authn.kerberos.kdc
  Specifies the KDC hostname. For example,

Property: com.tibco.trinity.runtime.core.provider.authn.kerberos.useTicketCache
  Set this to true to obtain the TGT from the ticket cache.

Property: com.tibco.trinity.runtime.core.provider.authn.kerberos.storeKey
  A boolean property that indicates whether the principal's key is stored in the private credentials of the subject.
  Set this property to true to store the principal's key in the private credentials of the subject. The default value is true.

Property: com.tibco.trinity.runtime.core.provider.authn.kerberos.useKeyTab
  Set this to true if you want the module to get the principal's key from the keytab (default value is false). If keyTab is not set, the module locates the keytab from the Kerberos configuration file. Default is TRUE.

Property: com.tibco.trinity.runtime.core.provider.authn.kerberos.keyTab
  Specifies the path to the keytab file.

Property: com.tibco.trinity.runtime.core.provider.authn.kerberos.defaultDomain
  Specifies the Kerberos domain.

Property: com.tibco.trinity.runtime.core.provider.authn.kerberos.autoGeneratedKrb5ConfFileLocation
  Specifies the relative file name to use for the auto-generated Kerberos configuration file. The auto-generated file is saved in the shared area under this name.

Property: com.tibco.trinity.runtime.core.provider.authn.kerberos.krb5ConfFileLocationOption
  Specifies the option used to identify the krb5.conf/krb5.ini file location. The possible values are as follows:
  • useDefault: Use the system-specific default krb5.conf/krb5.ini location. This is the default value.
  • specifyCustomLocation: Specify a custom file location.
  • autoGenerate: Generate the krb5.conf/krb5.ini file dynamically during initialization using the configuration options.
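The following script is an added example, not TIBCO's code: it reads a KerberosAsp.properties file and checks it against the constraints listed in the table (fixed lookup value, boolean-valued flags, the three allowed krb5ConfFileLocationOption values, and an existing keytab when useKeyTab is true). The rule that autoGenerate needs realm, kdc and autoGeneratedKrb5ConfFileLocation to be set is this script's assumption, as is the sample file it embeds.

```python
# Added example (not TIBCO's code): misconfiguration checks for KerberosAsp.properties.
from pathlib import Path

P = "com.tibco.trinity.runtime.core.provider.authn.kerberos."
LOOKUP = "com.tibco.trinity.runtime.core.provider.lookup"
LOOKUP_VALUE = "com.tibco.trinity.runtime.core.provider.authn.kerberos"
BOOLS = ("enableSecurityTokenAttribute", "useTicketCache", "storeKey", "useKeyTab")
OPTIONS = ("useDefault", "specifyCustomLocation", "autoGenerate")


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_kerberos_asp(props, keytab_exists=Path.is_file):
    """Return findings as strings; an empty list means every check passed."""
    findings = []
    if props.get(LOOKUP) != LOOKUP_VALUE:
        findings.append(f"{LOOKUP} must be {LOOKUP_VALUE}")
    for name in BOOLS:
        value = props.get(P + name)
        if value is not None and value.lower() not in ("true", "false"):
            findings.append(f"{name} must be true or false, got {value!r}")
    option = props.get(P + "krb5ConfFileLocationOption", "useDefault")
    if option not in OPTIONS:
        findings.append(f"krb5ConfFileLocationOption must be one of {OPTIONS}")
    elif option == "autoGenerate":  # assumption: generation needs realm, kdc and a file name
        for name in ("realm", "kdc", "autoGeneratedKrb5ConfFileLocation"):
            if not props.get(P + name):
                findings.append(f"autoGenerate requires {name}")
    keytab = props.get(P + "keyTab")  # a missing keytab means no service key can be loaded
    if (props.get(P + "useKeyTab", "").lower() == "true" and keytab
            and not keytab_exists(Path(keytab))):
        findings.append(f"keyTab {keytab!r} is not a readable file")
    return findings


# Constructed sample with deliberate mistakes: wrong lookup, non-boolean flag, missing kdc.
SAMPLE = """\
com.tibco.trinity.runtime.core.provider.lookup=com.tibco.trinity.runtime.core.provider.authn.ldap
com.tibco.trinity.runtime.core.provider.authn.kerberos.realm=EXAMPLE.COM
com.tibco.trinity.runtime.core.provider.authn.kerberos.useKeyTab=yes
com.tibco.trinity.runtime.core.provider.authn.kerberos.krb5ConfFileLocationOption=autoGenerate
"""
```

Running `check_kerberos_asp(parse_properties(SAMPLE))` reports four findings for the constructed sample; pass `keytab_exists` to stub out the filesystem check in tests.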

Sample File

  • See ASG_CONFIG_HOME/default/security/resource/KerberosAsp.properties, as follows:

    SPNEGOAsp.properties