A Kerberos realm performs Kerberos SSO authentication against one or more Kerberos KDCs. Unlike other realm types, Kerberos realm types are limited by the JVM to be singletons, because the JRE's Kerberos implementation uses JVM system properties for configuration. A given node engine can therefore use only one Kerberos realm. If there are multiple engines on a node, each engine can use a different Kerberos realm.
A Kerberos realm configuration is specified in the KerberosAuthenticationRealm root object of the security configuration type.
The JRE's Kerberos implementation uses file-based configuration. The various Kerberos file properties must exist on the node's file system or the Kerberos configuration does not activate.
Kerberos is only supported via the HTTP SPNEGO protocol; non-HTTP communication is not supported. Kerberos only supports authentication, not authorization. To support authorization a fallback realm must be specified to provide authorization services. Each Kerberos realm configuration must specify a fallback realm that is used for all authorization and for authentication from clients that are not using SPNEGO over HTTP. That fallback realm must exist when the Kerberos realm is activated or activation fails.
The following Kerberos Key Distribution Centers (KDC) are supported:
- Apache DS minimum version 2.0.0 M22
- Red Hat Enterprise Linux Server and CentOS version 7
- Red Hat Enterprise Linux Server and CentOS version 8
- Windows Server 2019
The following Kerberos clients are supported:
- Red Hat Enterprise Linux Server version 7 and 8
- Windows 7 and 10
- kerberosConfigurationFile: The file, typically named krb5.conf, is in the format defined by the MIT Kerberos implementation, and defines the Kerberos realm, KDC ports, and realm-to-DNS-domain bindings.
- serverKeytabFile: A Kerberos keytab file that contains credentials for the Kerberos server principal name that represents an engine API listener to which clients connect, and for which they request Kerberos tickets.
- serverPrincipalName: A Kerberos server principal name that represents an engine API listener to which clients connect, and for which they request Kerberos tickets.
- ticketCacheFile: The location of a Kerberos ticket cache file, defaulting to a system-specific location determined by the JRE's Kerberos implementation.
- jaasDebug: Enables or disables JAAS debugging.
- internalClientKeytabFile: A keytab file that supplies internal client credentials, used when the internal client acquires tickets. If none is specified, the server keytab file is used. Internal credentials are needed by engines making client connections to themselves or to other engines in a node.
- internalClientPrincipalName: The Kerberos principal name of the client requesting tickets for the serverPrincipalName's service. If not specified, an internal client JAAS login configuration file must be specified.
- internalClientLoginConfigurationFile: A JAAS login file that configures internal client use of Kerberos. If no file is specified, then an internal client principal name must be specified, and the realm generates a login file using that principal and either the client keytab file, or the server keytab file if no client keytab file was specified.
The KerberosAuthenticationRealm root configuration object defines Kerberos authentication for a node. There can only be a single KerberosAuthenticationRealm defined on a node.
Warning
Kerberos requires the local machine to be identified by a fully qualified domain name (FQDN). Ensure that the local machine is set up to use a FQDN, instead of a simple host name, by default. If that is not possible, ensure that the FQDN of the local machine is configured in the Administration.address property of the node deployment configuration (see Administration). For example:
name = "my.application"
version = "1.0.0"
type = "com.tibco.ep.dtm.configuration.node"
configuration =
{
    NodeDeploy =
    {
        nodes = 
        {
            "A.X" =
            {
                communication =
                {
                    administration =
                    {
                        address = "myhost.com" // FQDN
                        webServiceBindings =
                        {
                            admin =
                            {
                                authenticationRealmName = "kerberos-realm"
                            }
                        }
                    }
                }
            } 
        }
    }
}
Figure 1, “KerberosAuthenticationRealm relationships” shows the relationships to other configuration objects.
A detailed description of the configuration object properties is in KerberosAuthenticationRealm object properties and a snippet for these properties is in Example 1, “KerberosAuthenticationRealm object snippet”.
KerberosAuthenticationRealm object properties
Example 1. KerberosAuthenticationRealm object snippet
name = "kerberos-authentication-realm"
version = "1.0.0"
type = "com.tibco.ep.dtm.configuration.security"
configuration =
{
    KerberosAuthenticationRealm =
    {
        name = "my-kerberos-authentication-realm"
        requireTrustedHostMembership = false
        fallbackAuthenticationRealmName = "my-local-realm"
        internalClientLoginConfigurationFile = "/opt/kerberos/client-configuration"
        internalClientKeytabFile = "/opt/kerberos/keytab/client"
        internalClientPrincipalName = "client-principal@ACME.COM"
        jaasDebug = false
        kerberosConfigurationFile = "/opt/kerberos/kerberos-configuration"
        serverKeytabFile = "/opt/kerberos/keytab/server"
        serverPrincipalName = "HTTP/my.host.com@ACME.COM"
        ticketCacheFile = "/opt/kerberos/ticket/cache/file"
    }
}
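The property descriptions above state several activation rules (a fallback realm is mandatory, every referenced Kerberos file must exist on the node, an internal client needs either a principal name or a JAAS login file, and only HTTP SPNEGO is supported). The following added example, not part of this documentation or the product, is a small pre-deployment checker that parses the configuration syntax used in Example 1 and reports violations of those rules; the parser covers only the subset of the syntax shown on this page, and the sample configuration and file set are constructed.

```python
import os
import re

# Parser for the key = value / nested { } configuration syntax shown on this page.
# Assumption: only the subset used in the examples (quoted strings, true/false, // comments) is handled.
def parse_conf(text):
    tokens = re.findall(r'"[^"]*"|[{}=]|[^\s{}=]+', re.sub(r"//.*", "", text))

    def block(i):
        obj = {}
        while i < len(tokens) and tokens[i] != "}":
            key, i = tokens[i].strip('"'), i + 2               # skip the key and its "="
            if tokens[i] == "{":
                obj[key], i = block(i + 1)
                i += 1                                          # step past the closing "}"
            else:
                tok, i = tokens[i], i + 1
                obj[key] = tok.strip('"') if tok[0] == '"' else {"true": True, "false": False}.get(tok, tok)
        return obj, i

    return block(0)[0]

# Pre-deployment checks derived from the rules stated on this page. `exists` is injectable so the
# check can run against a constructed file set; by default it consults the real file system.
def validate_realm(conf, exists=os.path.isfile):
    realm = conf["configuration"]["KerberosAuthenticationRealm"]
    problems = []
    # Kerberos only authenticates: a fallback realm must supply authorization and non-SPNEGO logins.
    if not realm.get("fallbackAuthenticationRealmName"):
        problems.append("fallbackAuthenticationRealmName is required")
    # Only HTTP SPNEGO is supported, so the server principal must be HTTP/<fqdn>@<REALM>.
    spn = realm.get("serverPrincipalName", "")
    if not re.fullmatch(r"HTTP/[^@/\s]+\.[^@/\s]+@[A-Z0-9.-]+", spn):
        problems.append(f"serverPrincipalName {spn!r} is not of the form HTTP/<fqdn>@<REALM>")
    # Internal client credentials need either a principal name or a JAAS login configuration file.
    if not (realm.get("internalClientPrincipalName") or realm.get("internalClientLoginConfigurationFile")):
        problems.append("internalClientPrincipalName or internalClientLoginConfigurationFile is required")
    # The JRE's Kerberos support is file based: a referenced file that is absent stops the realm activating.
    for key in ("kerberosConfigurationFile", "serverKeytabFile",
                "internalClientKeytabFile", "internalClientLoginConfigurationFile"):
        if realm.get(key) and not exists(realm[key]):
            problems.append(f"{key} refers to a missing file: {realm[key]}")
    return problems

# Constructed sample: the server principal is not an HTTP service principal and the keytab is not on disk.
SAMPLE = '''configuration = { KerberosAuthenticationRealm = {
    name = "realm"  fallbackAuthenticationRealmName = "my-local-realm"
    internalClientPrincipalName = "client-principal@ACME.COM"  jaasDebug = false  // debug off
    kerberosConfigurationFile = "/opt/kerberos/kerberos-configuration"
    serverKeytabFile = "/opt/kerberos/keytab/server"
    serverPrincipalName = "host/my.host.com@ACME.COM" } }'''
PRESENT = {"/opt/kerberos/kerberos-configuration"}   # constructed set of files "on disk"
```

Running `validate_realm(parse_conf(SAMPLE), exists=PRESENT.__contains__)` reports the non-HTTP principal and the missing keytab; with the default `exists` it checks the real node file system.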
