Configuring IBM Integration Bus as a Kerberos secured service
You can configure IBM® Integration Bus to operate as a Kerberos secured service for message integrity, confidentiality, and authenticity.
Before you begin
About this task
Use this task to configure Kerberos as a secured service for IBM Integration Bus.
Procedure
- Export a keytab that contains the private key of the service principal from the KDC. For example:
  ktpass -out c:\Windows\krb5.keytab -princ SomePrincipal@YourDomain -crypto RC4-HMAC-NT -mapUser Username -pass Password -mapOp set
  where:
  - -out filename: Specifies the name and path of the keytab file to be generated.
  - -princ principal_name: Specifies the principal name.
  - -crypto encryption_type: Specifies the encryption type.
  - -mapUser username: Maps the name of a Kerberos principal to a local account.
  - -pass password: Specifies the password to use for this principal name.
  - -mapOp attribute: Defines how the mapping attribute is set. The attribute alternatives are either add or set.
- Copy the keytab file to the server that hosts the service, for example by exporting the keytab file and transferring it to the server by FTP. The Kerberos configuration file refers to the keytab file by a file URL (such as /home/user/my.keytab). Because that reference is in the configuration file on the server, the server service can take on the Kerberos principal that is defined in the keytab.
- Create a Kerberos configuration file that specifies the location of the keytab file on the local workstation. You can use more than one service principal name per integration node per Kerberos realm. Use your workstation default Kerberos configuration file when you are using Kerberos for security. The location of the configuration file differs depending on the system. The usual locations are:
  - Windows: C:\Windows\krb5.ini and C:\WINNT\krb5.ini
  - Linux®: /etc/krb5.conf
  - UNIX (AIX®): /etc/krb5/krb5.conf
  - z/OS®: /krb5/krb5.conf
  The following sample Kerberos configuration file shows typical values for the variables. The variables default_realm and default_keytab_name, and the names in the [realms] section, are among the values that you change, depending on your network and on where the configuration file is located.

  [libdefaults]
      default_realm = MYREALM.EXAMPLE.COM
      default_keytab_name = FILE:c:\Windows\krb5.keytab
      default_tkt_enctypes = rc4-hmac
      default_tgs_enctypes = rc4-hmac
      dns_lookup_realm = false
      dns_lookup_kdc = false
      ticket_lifetime = 24h
      renew_lifetime = 7d
      forwardable = true

  [realms]
      MYREALM.EXAMPLE.COM = {
          kdc = kdc.myrealm.example.com
          admin_server = kdc.myrealm.example.com
      }
  - Windows: Create a new Kerberos configuration file to use unique Kerberos service principals per integration node or per integration server. You do so by specifying the keytab file that contains the required service principal.
  - Use one of these mqsichangeproperties commands to specify the location of your new configuration file.
    - For an integration node level Kerberos configuration:
      mqsichangeproperties integrationNodeName -o BrokerRegistry -n brokerKerberosConfigFile -v kerberosConfigLocation
    - For an integration server level Kerberos configuration:
      mqsichangeproperties integrationNodeName -e integrationServerName -o ComIbmJVMManager -n brokerKerberosConfigFile -v kerberosConfigLocation
- Configure a policy set and binding that is associated with the SOAPInput node for the BAR file that contains the message flow.
  - To configure the Kerberos token with a policy set, see Policy Sets and Policy Set Bindings editor: Message Level Protection panel.
  - To configure a provider message part policy, see Policy Sets and Policy Set Bindings editor: Message Part Protection panel.
  - To optionally sign or encrypt message parts by using a policy set, see Policy Sets and Policy Set Bindings editor: Message Part Policies panel.
  - To configure Kerberos-specific settings (such as target service name and target service realm), see Policy Sets and Policy Set Bindings editor: Message Part Policies panel.
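Before pointing the integration node at a new configuration file with mqsichangeproperties, it is worth checking that the file actually lets the service take on its principal. The following Python script is an added example; it is not part of IBM Integration Bus or of this task. It parses a krb5.conf of the shape shown in the sample above (assuming MIT-style [section] headers, key = value lines and name = { ... } subsections) and reports the conditions that would break the service: a missing default_realm, a default realm with no KDC and no DNS lookup, a default_keytab_name that is missing or lacks the FILE: type prefix, a service principal whose realm does not match default_realm, and encryption types deprecated by RFC 6649 and RFC 8429. The embedded configuration, the service principal HTTP/iib.myrealm.example.com@MYREALM.EXAMPLE.COM and the function names are constructed for this example.

```python
"""Sanity-check a krb5.conf before handing it to a Kerberos secured service.

Added example for the IBM Integration Bus Kerberos task; not product code.
"""
import re

# Constructed sample, copied from the page's krb5.conf example (not a live deployment).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = MYREALM.EXAMPLE.COM
    default_keytab_name = FILE:c:\\Windows\\krb5.keytab
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

[realms]
    MYREALM.EXAMPLE.COM = {
        kdc = kdc.myrealm.example.com
        admin_server = kdc.myrealm.example.com
    }
"""

# Encryption types deprecated by the IETF, with the RFC that deprecates them.
DEPRECATED_ENCTYPES = {
    "rc4-hmac": "RFC 8429", "arcfour-hmac": "RFC 8429",
    "arcfour-hmac-md5": "RFC 8429", "des3-cbc-sha1": "RFC 8429",
    "des-cbc-crc": "RFC 6649", "des-cbc-md5": "RFC 6649",
}


def parse_krb5_conf(text):
    """Parse the profile format used by krb5.conf into nested dicts.

    Handles [section] headers, key = value lines, one level of
    'name = { ... }' subsections (as used in [realms]) and whole-line
    comments starting with '#' or ';'. Returns {section: {key: value|dict}}.
    """
    conf = {}
    section = None   # dict for the current [section]
    sub = None       # dict for the currently open '{ ... }' block, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = conf.setdefault(header.group(1), {})
            sub = None
            continue
        if section is None:
            raise ValueError(f"key outside any section: {line!r}")
        if line == "}":
            sub = None
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        if value == "{":
            sub = section.setdefault(key, {})
            continue
        (sub if sub is not None else section)[key] = value
    return conf


def check_krb5_conf(conf, service_principal):
    """Return a list of findings for the service principal; empty means clean."""
    findings = []
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm")
    if not realm:
        findings.append("libdefaults: default_realm is missing")
    else:
        realm_cfg = conf.get("realms", {}).get(realm)
        if not isinstance(realm_cfg, dict):
            findings.append(f"realms: no entry for default_realm {realm}")
        elif "kdc" not in realm_cfg and lib.get("dns_lookup_kdc", "false").lower() != "true":
            findings.append(f"realms: {realm} has no kdc and dns_lookup_kdc is off")
        princ_realm = service_principal.rpartition("@")[2]
        if princ_realm != realm:
            findings.append(f"principal realm {princ_realm} does not match default_realm {realm}")
    keytab = lib.get("default_keytab_name")
    if not keytab:
        findings.append("libdefaults: default_keytab_name is missing; the service cannot load its key")
    elif not keytab.upper().startswith("FILE:"):
        findings.append(f"default_keytab_name {keytab!r} lacks the FILE: keytab type prefix")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        for enc in lib.get(key, "").split():
            rfc = DEPRECATED_ENCTYPES.get(enc.lower())
            if rfc:
                findings.append(f"{key}: {enc} is deprecated by {rfc}; prefer an AES enctype")
    return findings


if __name__ == "__main__":
    # Constructed service principal for the sample realm.
    for finding in check_krb5_conf(parse_krb5_conf(SAMPLE_KRB5_CONF),
                                   "HTTP/iib.myrealm.example.com@MYREALM.EXAMPLE.COM"):
        print("WARN:", finding)
```

Run against the sample above it reports only the two rc4-hmac lines; feeding it the real file the integration node loads, together with the principal you exported with ktpass, catches realm and keytab mistakes before they surface as a failed token validation on the SOAPInput node.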
Results
You configured IBM Integration Bus to be a Kerberos secured service.