Thursday, December 06, 2007
Running Kerberos Token Profile scenario with Metro

As promised in my previous blog, I have put together here the steps to run a Kerberos Token Profile based WS-Security scenario using Metro. Please note that the Kerberos support in Metro is still experimental, and we do not provide Netbeans support for it yet. Consequently, one has to modify the XML configuration files produced by Netbeans manually to test Kerberos. Netbeans support for Kerberos will come with one of the future releases of Metro.

Setting up Kerberos

  1. Install and set up Kerberos as appropriate for your environment. The following blogs give a good account of how to set up Kerberos on Solaris 10 and Ubuntu Linux:

Make sure name lookups (DNS, or whatever name service /etc/resolv.conf configures) for the KDC host work correctly in both directions, forward and reverse:

                     # nslookup [hostname]
                     # nslookup [ip address]
  2. Add the principals for the Kerberos client and service to use

    • Create an administrative principal (admin/admin here). It is used to administer the other principals.

                     # kadmin.local -q "addprinc admin/admin"
                     [type password]
    • Add the service and client principals

                     # kadmin.local -p admin/admin
                      kadmin.local: addprinc -randkey -e "aes128-cts-hmac-sha1-96:normal" [service_principal]
                                    (Ex of service_principal: websvc/service)
                      kadmin.local: addprinc -e "aes128-cts-hmac-sha1-96:normal" [client_principal]
                      [type password]
                                    (Ex of client_principal: testClient)
                      kadmin.local: ktadd -e "aes128-cts-hmac-sha1-96:normal" [service_principal]
                      kadmin.local: quit

      The ktadd command writes the service key to the keytab (/etc/krb5.keytab by default), which the service's login module reads later.
    • Log in as the client principal just created to obtain a ticket-granting ticket.

                     # kinit [client_principal]
                      [type password]

Setting up Glassfish and Metro to run Kerberos Scenario

        1. Specify the JAAS login entries to be used for Kerberos in <GLASSFISH_HOME>/domains/domain1/config/login.conf. Paste the following at the bottom of this file:

                KerberosClient { 
                     com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true; 
                }; 

                KerberosServer { 
                     com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="/etc/krb5.keytab" doNotPrompt=true storeKey=true principal="websvc/service@INDIA.SUN.LOCAL"; 
                }; 

You can give these login entries any names (instead of KerberosClient and KerberosServer). You refer to them by name from the <sc:KerberosConfig> assertion in the WSDL and wsit-client.xml files.

Also edit the principal in KerberosServer to the service_principal you created, and make sure keyTab points to the keytab file that ktadd wrote.

        2. Create a secure JAX-WS application using Netbeans. Refer to the 'Using WSIT Security' chapter of the WSIT tutorial. Use any security mechanism, e.g. Mutual Certificates Security. Open the <wsit-service-name>.xml file created and replace the binding-level policy with the following policy:

Note the element <sc:KerberosConfig xmlns:sc="http://schemas.sun.com/2006/03/wss/server"/> at the end of the policy, whose loginModule attribute names the login entry to be used for the service.

        <wsp:Policy wsu:Id="IFinancialService_policy">
         <wsp:ExactlyOne>
            <wsp:All>
                <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl"/>
                <sp:SymmetricBinding>
                    <wsp:Policy>
                        <sp:ProtectionToken>
                            <wsp:Policy>
                                <sp:KerberosToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Once">
                                    <wsp:Policy>
                                        <!--<sp:RequireDerivedKeys />-->
                                        <sp:WssGssKerberosV5ApReqToken11/>
                                    </wsp:Policy>
                                </sp:KerberosToken>
                            </wsp:Policy>
                        </sp:ProtectionToken>
                        <sp:Layout>
                            <wsp:Policy>
                                <sp:Strict/>
                            </wsp:Policy>
                        </sp:Layout>
                        <sp:IncludeTimestamp/>
                        <sp:OnlySignEntireHeadersAndBody/>
                        <sp:AlgorithmSuite>
                            <wsp:Policy>
                                <sp:Basic128/>
                            </wsp:Policy>
                        </sp:AlgorithmSuite>
                    </wsp:Policy>
                </sp:SymmetricBinding>
                <sp:Wss11>
                    <wsp:Policy>
                        <sp:MustSupportRefKeyIdentifier/>
                        <sp:MustSupportRefIssuerSerial/>
                        <sp:MustSupportRefThumbprint/>
                        <sp:MustSupportRefEncryptedKey/>
                    </wsp:Policy>
                </sp:Wss11>
                <sc:KerberosConfig xmlns:sc="http://schemas.sun.com/2006/03/wss/server" loginModule="KerberosServer"/>
            </wsp:All>
        </wsp:ExactlyOne>
        </wsp:Policy>

Deploy this service.

        3. Create a client to access this service using Netbeans. Refer to the WSIT tutorial as mentioned in step 2. Edit the wsit-client.xml file created (or the file included from wsit-client.xml) and replace the sc:KeyStore and sc:TrustStore elements with:

<sc:KerberosConfig wspp:visibility="private" loginModule="KerberosClient" servicePrincipal="websvc/service@INDIA.SUN.LOCAL"/>

Change loginModule to the entry you created for the client in login.conf, and servicePrincipal to the name of the service principal for which a ticket is to be obtained. If your client is a Java SE client, you need to set the following system properties while running your client code:

-Djava.security.policy=${glassfish.home}/domains/domain1/config/server.policy

-Djava.security.auth.login.config=${glassfish.home}/domains/domain1/config/login.conf

If the client is a web application deployed on GlassFish, nothing else needs to be done. Deploy and run the client.

Updated on 9 Jan 2008

Kerberos support in Metro security now includes credential delegation from client to service, so that the service can initiate further security contexts on behalf of the client. This feature is useful for single sign-on in a multi-tier environment.

The client requests credential delegation by setting the credentialDelegation attribute to true on the KerberosConfig element in wsit-client.xml. For example:
<sc:KerberosConfig wspp:visibility="private" loginModule="KerberosClient" servicePrincipal="websvc/service@INDIA.SUN.LOCAL" credentialDelegation="true" />

At the service, we can obtain the delegated credentials from the Subject of the authenticated user. The private credential set of that Subject will hold the delegated client credentials (as a GSSCredential). We can pass this GSSCredential to GSSManager.createContext() to open a context with the next-tier service as the client.

Also, the public credential set of the authenticated Subject will always hold the KerberosPrincipal corresponding to the client.
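The following is an added example (not code from the original post or from Metro) of how a service can use the delegated credential described above. It assumes the endpoint already holds the authenticated Subject (Metro exposes it to the endpoint; that lookup is outside the snippet) and that "backend/db@INDIA.SUN.LOCAL" is a constructed next-hop service principal name.

```java
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/** Uses the credentials placed in the authenticated Subject to reach a second-tier service. */
public final class DelegatedKerberosClient {

    // Kerberos V5 mechanism OID (standard value from RFC 1964).
    private static final Oid KRB5_MECH = krb5Oid();

    private static Oid krb5Oid() {
        try { return new Oid("1.2.840.113554.1.2.2"); }
        catch (GSSException e) { throw new IllegalStateException(e); }
    }

    /** The client's identity: a KerberosPrincipal in the Subject's public credential set. */
    public static KerberosPrincipal clientPrincipal(Subject subject) {
        for (KerberosPrincipal p : subject.getPublicCredentials(KerberosPrincipal.class)) {
            return p;
        }
        throw new IllegalStateException("no KerberosPrincipal in Subject public credentials");
    }

    /** The delegated GSSCredential, present only when the client sent credentialDelegation="true". */
    public static GSSCredential delegatedCredential(Subject subject) throws GSSException {
        for (GSSCredential c : subject.getPrivateCredentials(GSSCredential.class)) {
            // A forwarded credential must be usable to initiate and must not have expired yet.
            if (c.getUsage() != GSSCredential.ACCEPT_ONLY && c.getRemainingLifetime() > 0) {
                return c;
            }
        }
        return null;
    }

    /** Builds a GSS context to the next hop with the client's own credential, so the backend
     *  authenticates the original client rather than this service. nextHopPrincipal is assumed. */
    public static GSSContext contextOnBehalfOfClient(Subject subject, String nextHopPrincipal)
            throws GSSException {
        GSSCredential delegated = delegatedCredential(subject);
        if (delegated == null) {
            throw new GSSException(GSSException.NO_CRED);
        }
        GSSManager mgr = GSSManager.getInstance();
        GSSName target = mgr.createName(nextHopPrincipal, GSSName.NT_USER_NAME, KRB5_MECH);
        GSSContext ctx = mgr.createContext(target, KRB5_MECH, delegated, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);   // verify the backend too, not only ourselves to it
        ctx.requestCredDeleg(false);   // do not forward the client's credential another hop
        return ctx;                    // caller drives initSecContext() against the backend
    }
}
```

Because the delegated credential is the client's own forwarded ticket-granting ticket, the service should use it only for the downstream hop the client intended and log the client principal it acted for.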

Copyright (C) 2003, Ashutosh's Blog