Running Kerberos Token Profile scenario with Metro

As promised in my previous blog, I have tried to put here steps to run a Kerberos Token Profile based WS Security scenario using Metro. Please note that the Kerberos support in Metro is still experimental, and we do not provide a Netbeans support for it yet. Consequently, one has to modify the xml configuration files produced through Netbeans manually to test Kerberos. Netbeans support for Kerberos will come with one of the future release of Metro.

Setting up Kerberos

  1. Install and setup Kerberos appropriate to your environment. The following blogs give good account on how to setup Kerberos for Solaris 10 and Ubuntu Linux:

Make sure DNS lookups (or whatever name service in /etc/resolv.conf) to the kdc are working correctly.

                     # nslookup [hostname]
                     # nslookup [ip address]
  1. Add user accounts for kerberos client and service to use

    • Create a user principal for your kerberos account. It is used to administer the kerberos account.

                     # kadmin.local -q "addprinc admin/admin"
                     [type password]
    • Add user accounts for kerberos client and service to use

                      #kadmin.local -p admin/admin
                       kadmin.local: addprinc -randkey -e "aes128-cts-hmac-sha1-96:normal" [service_principal]
                                     (Ex of service_principal: websvc/service)
                       kadmin.local: addprinc -e "aes128-cts-hmac-sha1-96:normal" [client_principal]
                       [type password]
                                    (Ex of client_principal: testClient)
                       kadmin.local: ktadd -e "aes128-cts-hmac-sha1-96:normal" [service_principal]
                       kadmin.local: quit
    • Login to your kerberos account just created.

                      #kinit [client_principal]
                       [type password] 

Setting up Glassfish and Metro to run Kerberos Scenario

        1. Specify the login modules to be used for Kerberos in <GLASSFISH_HOME>/domains/domain1/config/login.conf. Paste the following at the bottom of this file:

                KerberosClient { 
                     com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true; 
                }; 

                KerberosServer { 
                     com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="/etc/krb5.keytab" doNotPrompt=true storeKey=true principal="websvc/service@INDIA.SUN.LOCAL"; 
                }; 

You can give any names to this login modules (instead of KerberosClient and KerberosServer). You will have to refer to these names from the <sc:KerberosConfig> assertion in the wsdl and wsit-client.xml files.

Also edit the principal in KerberosServer to the service_principal you created.

        2. Create a Secure JAX-WS application using Netbeans. Refer 'Using WSIT Security' chapter from WSIT tutorial. Use any Security mechanism e.g. Mutual Certificates Security. Open the <wsit-service-name>.xml file created and replace the Binding level policy with the following policy:

Note the element <sc:KerberosConfig xmlns:sc="http://schemas.sun.com/2006/03/wss/server"/> which points to the LoginModule to be used for the service.



        <wsp:Policy wsu:Id="IFinancialService_policy">
         <wsp:ExactlyOne>
            <wsp:All>
                <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl"/>
                <sp:SymmetricBinding>
                    <wsp:Policy>
                        <sp:ProtectionToken>
                            <wsp:Policy>
                                <sp:KerberosToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Once">
                                    <wsp:Policy>
                                        <!--<sp:RequireDerivedKeys />-->
                                        <sp:WssGssKerberosV5ApReqToken11/>
                                    </wsp:Policy>
                                </sp:KerberosToken>
                            </wsp:Policy>
                        </sp:ProtectionToken>
                        <sp:Layout>
                            <wsp:Policy>
                                <sp:Strict/>
                            </wsp:Policy>
                        </sp:Layout>
                        <sp:IncludeTimestamp/>
                        <sp:OnlySignEntireHeadersAndBody/>
                        <sp:AlgorithmSuite>
                            <wsp:Policy>
                                <sp:Basic128/>
                            </wsp:Policy>
                        </sp:AlgorithmSuite>
                    </wsp:Policy>
                </sp:SymmetricBinding>
                <sp:Wss11>
                    <wsp:Policy>
                        <sp:MustSupportRefKeyIdentifier/>
                        <sp:MustSupportRefIssuerSerial/>
                        <sp:MustSupportRefThumbprint/>
                        <sp:MustSupportRefEncryptedKey/>
                    </wsp:Policy>
                </sp:Wss11>
                <sc:KerberosConfig xmlns:sc="http://schemas.sun.com/2006/03/wss/server" loginModule="KerberosServer"/>
            </wsp:All>
        </wsp:ExactlyOne>
        </wsp:Policy>

Deploy this service.

        3. Create a client to access this service using Netbeans. Refer to the WSIT tutorial as mentioned in point 2. Edit wsit-client.xml file created (or the file included in wsit-client.xml) and replace sc:KeyStore and sc:TrustStore elements with:

<sc:KerberosConfig wspp:visibility="private" loginModule="KerberosClient" servicePrincipal="websvc/service@INDIA.SUN.LOCAL"/>

Modify the loginModule to the one you created for client in login.conf file for the client and the servicePrincipal to the name of the service principal for which ticket needs to be obtained. If your client is a Java SE client, you need to set the following system properties while running your client code:

-Djava.security.policy=${glassfish.home}/domains/domain1/config/server.policy

-Djava.security.auth.login.config=${glassfish.home}/domains/domain1/config/login.conf

If it is WebApp deployed on glassfish, nothing else needs to be done. Deploy and run the client.

Updated on 9 Jan 2008

Kerberos support in Metro security now supports credential delegation from client to service, such that the server can initiate other security contexts on behalf of the client. This feature is useful for single sign-on in a multi-tier environment.

The way for client to ask for credentials delegation is to set the attribute credentialDelegation to true on KerberosConfig element in wsit-client.xml. For example:
<sc:KerberosConfig wspp:visibility="private" loginModule="KerberosClient" servicePrincipal="websvc/service@INDIA.SUN.LOCAL" credentialDelegation="true" />

At the service, we can obtain the delegated credentials from the Subject of the authenticated user. The PrivateCredential set of the will have the delegated client credentials (as GSSCredential). We can pass this GSSCredential to GSSManager.createContext() pretending to be the client.

Also, the PublicCredential set of the authenticated Subject will always have KerberosPrincipal corresponding to the client.

Comments:

thanks...

Posted by araba resimleri on January 28, 2008 at 08:03 PM IST #

Hi, I am trying to use metro to create a Web Service client to talk to a Web Service of .NET using Kerberos authentication. Can you please point out how to do that? Your help is greatly appreciated.

Posted by s liu on October 22, 2008 at 06:36 PM IST #

Hello, You can develop the client the same was as mentioned in this blog. Or for a sample application you can refer to my techtip at http://blogs.sun.com/enterprisetechtips/entry/building_kerberos_based_secure_services . Beginning with Netbeans 6.5 you can also develop the client using Netbeans IDE. Check the example at: https://metro.dev.java.net/guide/Example_Applications.html#gfzhh . If you have any specific questions/issues please let me know or post at the Metro forum and we will be happy to help.
Ashutosh

Posted by Ashutosh Shahi on October 23, 2008 at 04:34 AM IST #

I'm new to java and WSIT, and I'm trying to create a WSIT client that talks to a simple HelloWorld WCF service with wsHttpBinding and Kerberos security by following the instructions from the Metro user guide at:
https://metro.dev.java.net/guide/Example_Applications.html#gfzhh.
But I'm getting the following error when running the client:

SEVERE: WSSTUBE0024: Error in Securing Outbound Message.
com.sun.xml.wss.XWSSecurityException: java.security.PrivilegedActionException: java.security.PrivilegedActionException: GSSException: [b]Invalid name provided
(Mechanism level: Could not load configuration file C:\\WINDOWS\\krb5.ini (The system cannot find the file specified))[/b]

It seems to me that my kerberos infrastructure is not setup correctly, but I don't know how to fix it. Here's the description of my environment: (please note that both the client and server machines below are running Windows and belong to the same Active Directory domain)

On the client machine:
- Windows 2003 server;
- JDK1.6.0_11
- NetBeans IDE 6.5 (Build 200811100001)
- GlassFish v3.0-Prelude Prelude (build b28c)
- Metro 1.4-5010

On the service machine:
- Windows XP;
- .NET framework 3.5

And here's the binding configuration of my WCF service:

<wsHttpBinding>
<binding name="WindowsBindingMessageConfig">
<security mode="Message">
<message clientCredentialType="Windows"
negotiateServiceCredential="false"
establishSecurityContext="false"/>
</security>
</binding>
</wsHttpBinding>

In the glassFish_hom\\domains\\domain1\\config\\login.conf file, I added the following entry for the Kerberos client (no server config is added though):

KerberosClient { com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
};

Also, I have some specific questions as to setting up the Kerberos infrastructure on Windows machine:
1. Do I need to install Kerberos client tools such as MIT Kerberos for Windows on the client Windows machine to enable JAAS login module to talk to server? If so, how to config the krb5.ini file during installation?
2. the web service client is a servlet deployed to GlassFish, do I really need to config the Kerberos Server in the glassFish_hom\\domains\\domain1\\config\\login.conf file like this?:

KerberosServer {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true keyTab="/etc/krb5.keytab"
doNotPrompt=true storeKey=true principal="websvc/service@INDIA.SUN.COM";
};

Thanks for your patience to read this long message, any feedback is greatly appreciated.

Yudong

Posted by Yudong He on March 02, 2009 at 06:51 PM IST #

Post a Comment:
  • HTML Syntax: NOT allowed
About

ashutoshshahi

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today
Bookmarks
Blogroll

No bookmarks in folder