

Using Kerberos Authentication

Kerberos support in DevTest is similar to its Basic Authentication and NTLM support. DevTest uses Kerberos when an application or resource that it accesses through some of its steps is protected with Kerberos authentication. These are the same steps that support NTLM and Basic Authentication, for example HTTP/HTTPS and Web Service XML. Kerberos support uses the following properties in the local.properties file:

lisa.java.security.auth.login.config

The location of the login configuration file.

lisa.java.security.krb5.conf

The location of the Kerberos configuration file that is used to override any preset locations.

lisa.http.kerberos.principal

The name of the principal that is used for logging in when using DevTest support for principal + password authentication. When DevTest Workstation starts, it encrypts this principal.

lisa.http.kerberos.pass

The password that is used for logging in when using DevTest support for principal + password authentication. When DevTest Workstation starts, it encrypts this password.

You can authenticate with only the lisa.java.security.auth.login.config and the lisa.java.security.krb5.conf settings. These files and their settings vary depending on the operating system where DevTest runs. Consult the appropriate documentation about how to configure those two files for authentication that does not use DevTest support for principal + password authentication.

 

DevTest support for principal + password authentication

To let DevTest log a user in with the credentials that it is given, the user must configure their login configuration file to use the DevTest login module. The following example illustrates the contents of the file:

com.sun.security.jgss.initiate {
  com.itko.lisa.http.LisaKrb5LoginModule required doNotPrompt=false;
};

The custom LisaKrb5LoginModule is an extension of the standard com.sun.security.auth.module.Krb5LoginModule with one change. This extension submits the credentials in lisa.http.kerberos.principal and lisa.http.kerberos.pass instead of prompting the user for credentials.

 

Sample krb5.conf file

[libdefaults]
        default_realm = EXAMPLE.COM
        allow_weak_crypto = true
 
[realms]
        EXAMPLE.COM = {
                kdc = kdc.fakedomain.com:60088
        }
[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM
[login]
        krb4_convert = true

 

Sample krb5.conf file with Active Directory as KDC

[libdefaults]
        default_realm = FAKEDOMAIN.COM
        allow_weak_crypto = false
        default_tkt_enctypes = arcfour-hmac-md5
        default_tgs_enctypes = arcfour-hmac-md5
        permitted_enctypes = RC4-HMAC arcfour-hmac-md5
[realms]
        FAKEDOMAIN.COM = {
            kdc = kdc.fakedomain.com
            master_kdc = kdc.fakedomain.com
            admin_server = kdc.fakedomain.com
            default_domain = FAKEDOMAIN.COM
        }
[domain_realm]
        fakedomain.com = FAKEDOMAIN.COM
[login]
        krb4_convert = true
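
The following check is an added example and is not part of the DevTest documentation: it parses a krb5.conf and reports the settings from the two samples above that a security review would question (allow_weak_crypto enabled, enctype lists containing DES, 3DES or RC4, which RFC 6649 and RFC 8429 deprecate, and the Kerberos 4 option). The function name audit_krb5_conf and the message texts are hypothetical, and the inputs are abridged copies of the samples.

```python
import re

# Constructed input: abridged copies of the two sample krb5.conf files above.
SAMPLE_BASIC = """\
[libdefaults]
        allow_weak_crypto = true
[login]
        krb4_convert = true
"""
SAMPLE_AD = """\
[libdefaults]
        allow_weak_crypto = false
        default_tkt_enctypes = arcfour-hmac-md5
        default_tgs_enctypes = arcfour-hmac-md5
        permitted_enctypes = RC4-HMAC arcfour-hmac-md5
"""

ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"}
# DES, 3DES and RC4 enctypes are deprecated by RFC 6649 and RFC 8429.
DEPRECATED = re.compile(r"(des|arcfour|rc4)", re.IGNORECASE)
TRUTHY = {"true", "yes", "on", "1"}

def audit_krb5_conf(text):
    """Hypothetical helper: return (section, key, message) findings."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("["):
            section = line.strip("[]")
            continue
        pair = re.fullmatch(r"([\w.-]+)\s*=\s*(.*)", line)
        if not pair:
            continue  # e.g. the closing brace of a realm block
        key, value = pair.group(1), pair.group(2).strip()
        if key == "allow_weak_crypto" and value.lower() in TRUTHY:
            findings.append((section, key, "weak enctypes are allowed"))
        elif key == "krb4_convert" and value.lower() in TRUTHY:
            findings.append((section, key, "Kerberos 4 option; Kerberos 4 is obsolete"))
        elif key in ENCTYPE_KEYS:
            weak = [e for e in re.split(r"[\s,]+", value) if DEPRECATED.match(e)]
            if weak:
                findings.append((section, key, "deprecated: " + " ".join(weak)))
    return findings

if __name__ == "__main__":
    for finding in audit_krb5_conf(SAMPLE_BASIC) + audit_krb5_conf(SAMPLE_AD):
        print(*finding)
```

An empty result means none of these settings were found; it does not show that the KDC itself refuses the deprecated enctypes.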

 

Sample login.config file

com.sun.security.jgss.initiate {
  com.itko.lisa.http.LisaKrb5LoginModule required doNotPrompt=false;
};