Kerberos Authentication Realm

Overview

A Kerberos realm performs Kerberos SSO authentication against one or more Kerberos KDCs. Unlike other realm types, a Kerberos realm is limited to a single instance per JVM, because the JRE's Kerberos implementation takes its configuration from JVM-wide system properties. A given node engine can therefore use only one Kerberos realm. If there are multiple engines on a node, each engine can use a different Kerberos realm.

A Kerberos realm configuration is specified in the KerberosAuthenticationRealm root object of the security configuration type.

The JRE's Kerberos implementation uses file-based configuration; every file named by the Kerberos file properties must exist on the node's file system, or the Kerberos configuration does not activate.

Kerberos is supported only via the HTTP SPNEGO protocol; non-HTTP communication is not supported. Kerberos provides authentication only, not authorization. Each Kerberos realm configuration must therefore specify a fallback realm, which is used for all authorization and for authenticating clients that do not use SPNEGO over HTTP. That fallback realm must exist when the Kerberos realm is activated, or activation fails.

The following Kerberos Key Distribution Centers (KDCs) are supported:

  • Apache DS, version 2.0.0-M22 or later

  • Red Hat Enterprise Linux Server and CentOS version 7

  • Red Hat Enterprise Linux Server version 8

  • Windows Server 2016

The following Kerberos clients are supported:

  • Red Hat Enterprise Linux Server versions 7 and 8

  • CentOS version 7

  • Windows 7 and 10

Required Properties

kerberosConfigurationFile

The file, typically named krb5.conf, is in the format defined by the MIT Kerberos implementation. It defines the Kerberos realm, the KDC hosts and ports, and the realm-to-DNS-domain bindings.

serverKeytabFile

A Kerberos keytab file that contains the credentials (keys) for the Kerberos server principal that represents an engine API listener to which clients connect, and for which they request Kerberos tickets.

serverPrincipalName

A Kerberos server principal name that represents an engine API listener to which clients connect, and for which they request Kerberos tickets.

Optional Properties

ticketCacheFile

The location of a Kerberos ticket cache file, defaulting to a system-specific location determined by the JRE's Kerberos implementation.

jaasDebug

Enables or disables JAAS debugging output.

internalClientKeytabFile

A keytab file holding the internal client credentials, used when the internal client obtains tickets. If none is specified, the server keytab file is used. Internal credentials are needed by engines making client connections to themselves or to other engines in a node.

internalClientPrincipalName

The Kerberos principal name of the client requesting tickets for the serverPrincipalName's service. If not specified, an internal client JAAS login configuration file must be specified.

internalClientLoginConfigurationFile

A JAAS login configuration file that configures the internal client's use of Kerberos. If no file is specified, then an internal client principal name must be specified, and the realm generates a login file from that principal and the client keytab file, or the server keytab file if no client keytab file was specified.
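As an added illustration (not a file shipped with or generated by the product), the following shows what a hand-written internalClientLoginConfigurationFile can look like. It uses the JRE's own Krb5LoginModule; the entry name InternalClient, the principal svc-engine@EXAMPLE.COM and the keytab path are assumptions, and the debug flag corresponds to what the jaasDebug property toggles.

```conf
/* JAAS login entry for the engine's internal Kerberos client.
   Entry name, principal and keytab path below are assumed values. */
InternalClient {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true                               /* take the key from the keytab, never prompt */
        keyTab="/etc/engine/internal-client.keytab"  /* assumed path; falls back to the server keytab */
        principal="svc-engine@EXAMPLE.COM"           /* the internalClientPrincipalName */
        storeKey=true                                /* keep the key in the Subject for reuse */
        doNotPrompt=true                             /* fail rather than prompt if the keytab is missing */
        isInitiator=true                             /* this entry requests tickets (client role) */
        debug=false;                                 /* true is what jaasDebug enables */
};
```

The keytab named here must be readable only by the account the engine runs as, since anyone who can read it can obtain tickets as that principal.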