KrbServiceLoginModule options
The KrbServiceLoginModule (or WebLogic Engine Kerberos Authentication Provider) performs the Kerberos service authentication on the Content Platform Engine server. This login module has several options that change its behavior.
- debug
- when true will output additional debugging information to the console, server log, or both. The default is false. You can enable additional debugging information when first setting up Kerberos, or afterward if attempting to debug a problem with Kerberos authentication.
- useShortNameAsPrincipal
- when true will use the user's short name as the principal; if false then will use the full Kerberos name in the form: username@REALM.COM. The default is false.
- storeGssContext
- when true will add a GSSContext as a private credential. This can be used by the server to encrypt and sign messages between the server and the client, but will need substantial programming on both to accomplish this. When false, this private credential is not added. The default (and recommended) setting is false.
- loginUsingTicketSpn
- if true will attempt to log in using the SPN (Service Principal Name) of the Kerberos service ticket. The default is false, which will attempt to log in using the normal FNCEWS_computername account name. The recommended setting is false.
- serviceAccountName
- this specifies the account name that the service will use when it is logging in. If not specified, this defaults to FNCEWS_computername. This option should only need to be set, to some account that is shared by every server, if Content Platform Engine is clustered or if on WebSphere systems the default name would be longer than 20 characters. This option is ignored if loginUsingTicketSpn is true.
- tgtLoginConfigName
- this option specifies the name of a JAAS configuration that will be used when the service initially logs in to get its Kerberos TGT (Ticket Granting Ticket). For example, if tgtLoginConfigName=KrbTgtLogin, then there could be a JAAS configuration entry such as:
    KrbTgtLogin {
        com.sun.security.auth.module.Krb5LoginModule required
            debug=true
            useKeyTab=true
            storeKey=true
            keyTab="c:/etc/krb5.keytab";
    };
If this is not set, the default is to use an internal configuration that is tailored for the application server. It is recommended that this option not be set as the default will almost always work correctly.
- keytabPath
- this option specifies the keytab file, which will be used for the service's initial TGT login, and will be set like the following example:
    keytabPath="file:/c:/etc/krb5.keytab"
If this option is not set, then the default Java keytab will be used, which is usually found in home/krb5.keytab. For example: C:/Documents and Settings/mike.MYDO/krb5.keytab.
The keytabPath option needs to be used when the application server is running as a Windows service or if the keytab is not in the default location. This option is ignored if tgtLoginConfigName is set.
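The recommendations and "ignored if" interactions described above can be checked mechanically before a configuration is deployed. The following Python audit is an added example, not part of the product or its documentation; the entry name and the module class name in the sample are placeholders, and the sample entry itself is constructed.

```python
import re

# Boolean options and the defaults stated in the option descriptions above.
DEFAULTS = {"debug": "false", "useShortNameAsPrincipal": "false",
            "storeGssContext": "false", "loginUsingTicketSpn": "false"}

def parse_options(entry_text):
    """Collect key=value pairs (quoted or bare) from one JAAS entry."""
    pairs = re.findall(r'(\w+)\s*=\s*("[^"]*"|[^\s;]+)', entry_text)
    return {key: value.strip('"') for key, value in pairs}

def audit(entry_text, computername=None):
    """Return findings for settings the descriptions advise against or ignore."""
    opts = {**DEFAULTS, **parse_options(entry_text)}
    on = lambda name: opts[name].lower() == "true"
    findings = []
    if on("debug"):
        findings.append("debug=true: meant for setup and troubleshooting")
    if on("storeGssContext"):
        findings.append("storeGssContext=true: recommended setting is false")
    if on("loginUsingTicketSpn"):
        findings.append("loginUsingTicketSpn=true: recommended setting is false")
        if "serviceAccountName" in opts:
            findings.append("serviceAccountName is ignored: loginUsingTicketSpn=true")
    elif "serviceAccountName" not in opts and computername:
        # Default account name; the 20-character concern is stated for WebSphere.
        if len("FNCEWS_" + computername) > 20:
            findings.append("default account name exceeds 20 characters")
    if "tgtLoginConfigName" in opts:
        findings.append("tgtLoginConfigName set: the internal default is recommended")
        if "keytabPath" in opts:
            findings.append("keytabPath is ignored: tgtLoginConfigName is set")
    return findings

# Constructed sample entry; entry name and module class name are placeholders.
SAMPLE = '''
ExampleKrbEntry {
  placeholder.KrbServiceLoginModule required
    debug=true
    loginUsingTicketSpn=true
    serviceAccountName="FNCEWS_cluster"
    tgtLoginConfigName=KrbTgtLogin
    keytabPath="file:/c:/etc/krb5.keytab";
};
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Pass the server's host name as computername to also check the length of the default FNCEWS_computername account name, which the serviceAccountName description raises for WebSphere systems.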