如何为WebSphere上的远程EJB调用启用Kerberos验证？ [英] How to enable Kerberos authentication for remote EJB call on WebSphere?

问题描述

我的应用程序是一个独立的Swing客户端，由于经典的JNDI查找和RMI-IIOP方法调用，它调用EJB无状态会话bean。它作为Java WebStart应用程序启动。我的目标是通过Windows工作站ActiveDirectory之间的Kerberos SSO从 EJBContext 中获取客户端用户的身份，使用 getCallerPrincipal 在Linux上运行的WebSphere服务器。

我已经以网络部署模式成功配置了我的WebSphere单元，以支持Kerberos身份验证感谢信息中心文档。

krb5.conf 和 krb5.keytab 文件都可以使用Linux kinit ， klist 和 wsadmin $ $ AdminTask validateKrbConfig 答案 true 。

客户端集up 仅引用使用命令系统属性启用的JAAS login.config 文件。我的直觉告诉我可能还不够。

但现在，我没有找到更多的信息来完成测试用例：

• 如果JNDI初始上下文环境必须设置为触发Kerberos协商？


• 如果服务器端有其他要求，就像保护我的EJB一样一个角色（例如JBoss不要求）？

更新

由于没有运行具有 ./ launchClient 的JavaEE客户端容器，我已经在我的JNLP中设置了所需的属性，以读取 sas .client.props 和JAAS登录配置：

 < property name =java.security。 auth.login.configvalue =C：\temp\wsjaas_client.config/> 
< property name =com.ibm.CORBA.ConfigURLvalue =C：\temp\sas.client.props/> 
  

我的 wsjaas_client.config 适用于Oracle Java所以它包含：

  WSKRB5Login {
 com.sun.security.auth.module.Krb5LoginModule required 
 debug = true useTicketCache = true doNotPrompt = true; 
}; 
  

我的 sas.client.props 包含：

  com.ibm.CORBA.securityEnabled = true 
 com.ibm.CORBA.authenticationTarget = KRB5 
 com.ibm.CORBA.loginSource = krb5Ccache 
 com.ibm.CORBA.loginUserid = 
 com.ibm.CORBA.loginPassword = 
 com.ibm.CORBA.krb5CcacheFile = 
 com .ibm.CORBA.krb5ConfigFile = C：\\\\\krb5.conf 
  

目前，没有Kerberos身份验证被触发：我的kerberos缓存（从Windows或Linux工作站）的SPN WAS / myserver.mydomain.com 没有TGS， JNDI连接仍然匿名建立。

没有错误消息，没有警告，最后没有主体。如何诊断错误或缺少什么？

更新2012/06/20

这是向前的一些步骤。在使用Oracle Java的应用程序JNLP中，我设置了以下属性以使用IBM ORB并启用完整的跟踪和调试信息：

 < property name =org.omg.CORBA.ORBSingletonClassvalue =com.ibm.rmi.corba.ORBSingleton/> 
< property name =org.omg.CORBA.ORBClassvalue =com.ibm.CORBA.iiop.ORB/> 
< property name =traceSettingsFilevalue =C：\temp\TraceSettings.properties/> 
  

文件 TraceSettings.properties 包含

  traceFileName = c：\\\\\traces.log 
 ORBRas = all = enabled 
 SASRas = all = enabled 
 com.ibm。* = all = enabled 
  

即使阅读大部分 WebSphere 7安全IBM RedBook 我仍然无法获得CSIv2从客户端触发Kerberos身份验证。

解决方案

总结上下文：自从IBM WebSphere运行以来，我们的部署已经开始生产在Linux和应用程序部署，由于Java WebStart在Sun JavaSE 6上运行，IBM ORB包含并配置为连接，无需任何身份验证。现在我们要启用自WebSphere 6以来支持的RMI-IIOP的Kerberos身份验证和单点登录（我认为）。

这里是现在的答案。 / p>

自WebSphere 7以来，引入了一种新的概念来配置每个服务器的安全方面：安全域。理论上，在安全域中未被更改的任何选项都继承自全局安全性部分。

在测试Kerberos设置时，我们创建了一个专用的安全域为我们的测试服务器，以避免在单元中运行的其他服务器的麻烦。

但是即使Kerberos在全局安全性，它不会为配置自己的安全域的服务器继承/启用。

一旦我们运行我们的测试服务器，使用默认的全局安全性，其中Kerberos选项是可见和启用的，然后Kerberos身份验证
开始使用从 IBM JavaSE 6 strong> cmd bat脚本与通常的ClassPath和文档中声明的所有属性。

注意：JNDI Context.SECURITY_AUTHENTICATION 选项从未设置。反编译后，IBM ORB的唯一可用值为 none ， simple 和 strong 但 strong 尚未实现。

另一点：根据生成的日志，IBM ORB无法使用文件：/ C：/temp/sas.client.config 作为 com.ibm.CORBA.ConfigURL 。它必须成为一个URI而不是一个文件路径。我们甚至有DNS查找失败来解决 C hostname！ ARFF。所有文档示例都是以文件为基础的Unix：/path/to/sas.client.config ，所以我们在从HTTP服务器传送该文件之前进行了许多试验。

现在部署的 Java WebStart部分：

• 相同的原始JNLP没有任何安全性，没有Kerberos设置与Oracle JavaSE 6和IBM Java 6




• 完美结合，启用了WebSphere安全性，并在JNLP中使用Kerberos （并且只有该更改集），在IBM Java 6上运行的IBM ORB抱怨关于在ClassPath中（仍然/总是）可用的ffdc日志管理器实现的 NoClassDefFoundError 。它真的听起来像代码与Java WebStart安全的ClassLoader层次结构不兼容。




• 与Kerberos JNLP，运行在Oracle JavaSE 6上的IBM ORB似乎只是忽略安全设置，如以往一样匿名连接。

所以第一步现在工作：IBM Java 6从命令行开始，但调查还没有结束我们的目标：在Java WebStart上下文中使用Oracle JavaSE 6的Kerberos。

My application is a stand-alone Swing client invoking EJB Stateless Session beans thanks to classical JNDI lookup and RMI-IIOP method calls. It is started as a Java WebStart application. My aim is to retrieve the client user's identity from EJBContext with getCallerPrincipal method thanks to Kerberos SSO between the Windows workstation, ActiveDirectory and WebSphere server running on Linux.

I have already successfully configured my WebSphere cell in network deployment mode to support Kerberos authentication thanks to the infocenter documentation.

Both krb5.conf and krb5.keytab files are OK and tested with both Linux kinit, klist and wsadmin, $AdminTask validateKrbConfig answers true.

The client setup does only refer to a JAAS login.config file to enable with command system property. My intuition tells me it is probably not enough.

But now, I find no more information to finalize the test case:

• how the JNDI initial context environment must be setup to trigger Kerberos negotiation ?
• if there are other requirements on server-side like protect my EJB with a role (JBoss does not require it for instance) ?

Update

As not running JavaEE client container with ./launchClient, I have set in my JNLP the required properties to read sas.client.props and JAAS login configuration:

<property name="java.security.auth.login.config" value="C:\temp\wsjaas_client.config"/>
<property name="com.ibm.CORBA.ConfigURL" value="C:\temp\sas.client.props"/>

My wsjaas_client.config is for Oracle Java so it contains:

WSKRB5Login{
    com.sun.security.auth.module.Krb5LoginModule required
       debug=true useTicketCache=true doNotPrompt=true;
};

My sas.client.props contains:

com.ibm.CORBA.securityEnabled=true
com.ibm.CORBA.authenticationTarget=KRB5
com.ibm.CORBA.loginSource=krb5Ccache
com.ibm.CORBA.loginUserid=
com.ibm.CORBA.loginPassword=
com.ibm.CORBA.krb5CcacheFile=
com.ibm.CORBA.krb5ConfigFile=C:\\temp\\krb5.conf

At the moment, no Kerberos authentication is triggered: there is no TGS for the SPN WAS/myserver.mydomain.com in my kerberos cache (either from Windows or Linux workstations) and JNDI connection is still established anonymously.

No error message, no warning and finally no principal. How do I diagnose what's wrong or lacking?

Update 2012/06/20

Here are some steps forward. In my application JNLP running with Oracle Java, I have set the following properties to use IBM ORB and enable full trace and debug information:

<property name="org.omg.CORBA.ORBSingletonClass" value="com.ibm.rmi.corba.ORBSingleton"/>
<property name="org.omg.CORBA.ORBClass" value="com.ibm.CORBA.iiop.ORB"/>
<property name="traceSettingsFile" value="C:\temp\TraceSettings.properties"/>

The file TraceSettings.properties contains

traceFileName=c:\\temp\\traces.log
ORBRas=all=enabled
SASRas=all=enabled
com.ibm.*=all=enabled

Even after reading large parts of WebSphere 7 Security IBM RedBook I still fail to get CSIv2 trigger Kerberos authentication from client-side.

解决方案

To sum up the context: our deployment is in production since years with IBM WebSphere running on Linux and application deployed thanks to Java WebStart running on Sun JavaSE 6 with IBM ORB included and configured to connect without any authentication. Now we want to enable Kerberos authentication and single-sign-on over RMI-IIOP, supported since WebSphere 6 (I think).

Here are now pieces of answer.

Since WebSphere 7, a new concept has been introduced to configure security aspects on a per server basis: security domain. Theoretically any option that has not been changed in a security domain inherits from the global security section.

When testing Kerberos setup, we have created a dedicated security domain for our test server, to avoid troubles with other servers running in the cell.

BUT even if Kerberos is enabled in global security, it is not inherited/enabled for a server configured with its own security domain.

As soon as we run our test server with the default global security where Kerberos options are visible and enabled, then Kerberos authentication has began to work with IBM JavaSE 6 executed from a cmd bat script with usual ClassPath and all properties declared in documentation.

To note: the JNDI Context.SECURITY_AUTHENTICATION option is never set. After decompilation, the only available values for IBM ORB are none, simple and strong but strong has no implementation yet.

Another point: according to generated log, IBM ORB is not able to work with file:/C:/temp/sas.client.config as value for com.ibm.CORBA.ConfigURL. It MUST be an URI and not a file path. We even got DNS lookup failure to resolve C hostname ! Arff. All documentation examples are Unix based with file:/path/to/sas.client.config so we made many trials before delivering that file from an HTTP server.

Now the Java WebStart part of the deployment:

• the same original JNLP without any security and no Kerberos settings works perfectly with both Oracle JavaSE 6 and IBM Java 6

• with WebSphere security enabled and Kerberos in JNLP (and only that change set), IBM ORB running on IBM Java 6 complains with NoClassDefFoundError about ffdc log manager implementation that is (still/always) available in ClassPath. It really sounds like a code incompatibility with Java WebStart secured ClassLoader hierarchy.

• with Kerberos JNLP, IBM ORB running on Oracle JavaSE 6 seems to simply ignore security settings and connects anonymously as usual.

So a first step is now working: IBM Java 6 started from command-line but investigations are not over to reach our goal: Kerberos with Oracle JavaSE 6 in Java WebStart context.

这篇关于如何为WebSphere上的远程EJB调用启用Kerberos验证？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！