I tried a few other blogs and finally encountered some problems when following those. So I thought to write a new blog to explain the steps which I followed.
You can secure a proxy service with Kerberos using the steps below.
I used the options below:
- WSO2 Identity Server (IS) 5.0.0 as the Key Distribution Center (KDC)
- Active Directory (AD) as the KDC
The steps below use the WSO2 IS embedded KDC.
Steps:
1. Change <IS_HOME>/repository/conf/identity/embedded-ldap.xml
Under KDCServer, set the enabled property to true and the preAuthenticationTimeStampEnabled property to false. (Disabling pre-authentication means the KDC returns an AS-REP encrypted under a principal's long-term key to anyone who asks for it, which allows offline password guessing against that principal; keep this to test setups.)
<KDCServer>
    <Property name="name">defaultKDC</Property>
    <Property name="enabled">true</Property>
    <Property name="protocol">UDP</Property>
    <Property name="host">localhost</Property>
    <Property name="port">${Ports.EmbeddedLDAP.KDCServerPort}</Property>
    <Property name="maximumTicketLifeTime">8640000</Property>
    <Property name="maximumRenewableLifeTime">604800000</Property>
    <Property name="preAuthenticationTimeStampEnabled">false</Property>
</KDCServer>
2. If you want to change the default realm of the KDC, change the “realm” property. By default it's WSO2.ORG
<Property name="realm">WSO2.ORG</Property>
3. You can also enable the KDC settings in <IS_HOME>/repository/conf/user-mgt.xml
<Property name="kdcEnabled">true</Property>
4. Create a jaas.conf file with the following content, and place it inside <IS_HOME>/repository/conf/security/
Server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=false
    storeKey=true
    useTicketCache=false
    isInitiator=false;
};

Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=false;
};
5. Create a krb5.conf file with the following content, and place it inside <IS_HOME>/repository/conf/security/
[libdefaults]
    default_realm = WSO2.ORG
    default_tkt_enctypes = rc4-hmac des-cbc-md5
    default_tgs_enctypes = rc4-hmac des-cbc-md5
    dns_lookup_kdc = true
    dns_lookup_realm = false
[realms]
    WSO2.ORG = {
        kdc = 127.0.0.1
    }
Two things to check here. The embedded KDC listens on the port set by Ports.EmbeddedLDAP.KDCServerPort (8000 in the ESB configuration of step 10 and in the client log further down), and a kdc line with no port makes Kerberos clients use the default, port 88. Also, des-cbc-md5 and rc4-hmac are legacy enctypes (retired by RFC 6649 and deprecated by RFC 8429); JDK 8 and later refuse DES unless allow_weak_crypto = true is set, so use them only for a test setup like this one.
6. Start the IS server
7. Create a Service Principal (SPN) and client principals to use with the Kerberos Ticket Granting Service (TGS).
- Configure
- Kerberos KDC
- Service Principals
- Add new Service Principal
- Provide a service principal name, description and a password
- Sample SPN name: esb/local
Note: Do not put the realm in the SPN name (i.e. not esb/local@WSO2.ORG).
8. Create a new user
- Configure
- Users and Roles
- Users
- Add User
9. Create a jaas.conf file with the following content, and place it inside <ESB_HOME>/repository/conf/security/
Server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=false
    storeKey=true
    useTicketCache=true
    isInitiator=false
    principal="esb/local@WSO2.ORG";
};
10. Create a krb5.conf file with the following content, and place it inside <ESB_HOME>/repository/conf/security/
[libdefaults]
    default_realm = WSO2.ORG
    default_tgs_enctypes = des-cbc-md5
    default_tkt_enctypes = des-cbc-md5
    permitted_enctypes = des-cbc-md5
    allow_weak_crypto = true
[realms]
    WSO2.ORG = {
        kdc = 127.0.0.1:8000
    }
[domain_realm]
    .wso2.ORG = WSO2.ORG
    wso2.ORG = WSO2.ORG
[login]
    krb4_convert = true
    krb4_get_tickets = false
11. Start the ESB server and navigate to the proxy list.
12. Secure the proxy
- Click a proxy
- Click Security
- Set Enable Security to Yes
- Tick "Kerberos Authentication - Sign - Sign based on a Kerberos Token" and click Next
- Give the Service Principal Name and the Service Principal Password
- Finish
Note: The above configuration works without any issue with JDK 1.6.
If you are using JDK 1.7, you have to contact WSO2 support to solve the problem.
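Before starting the servers it is worth checking the two krb5.conf files from steps 5 and 10 for the problems described above (a kdc line without a port, and legacy enctypes). The following is an added example, not code from this post or from WSO2: a small parser for the three constructs those files use ([section] headers, key = value lines and REALM = { ... } blocks) plus a checker that reports findings. The two configs embedded in the block are the ones from steps 5 and 10 copied verbatim; the function names, the WEAK_ENCTYPES list and the finding texts are my own.

```python
"""Sanity-check the krb5.conf files from steps 5 and 10 (added example, not WSO2 code)."""
import re

# Enctype names retired by RFC 6649 (single DES) and deprecated by RFC 8429 (3DES, RC4).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
                 "des3-hmac-sha1", "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# The IS krb5.conf from step 5, copied from the post.
IS_KRB5_CONF = """
[libdefaults]
    default_realm = WSO2.ORG
    default_tkt_enctypes = rc4-hmac des-cbc-md5
    default_tgs_enctypes = rc4-hmac des-cbc-md5
    dns_lookup_kdc = true
    dns_lookup_realm = false
[realms]
    WSO2.ORG = {
        kdc = 127.0.0.1
    }
"""

# The ESB krb5.conf from step 10, copied from the post.
ESB_KRB5_CONF = """
[libdefaults]
    default_realm = WSO2.ORG
    default_tgs_enctypes = des-cbc-md5
    default_tkt_enctypes = des-cbc-md5
    permitted_enctypes = des-cbc-md5
    allow_weak_crypto = true
[realms]
    WSO2.ORG = {
        kdc = 127.0.0.1:8000
    }
[domain_realm]
    .wso2.ORG = WSO2.ORG
    wso2.ORG = WSO2.ORG
[login]
    krb4_convert = true
    krb4_get_tickets = false
"""


def parse_krb5_conf(text):
    """Return {section: {key: value or {nested block}}}; values stay strings."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # '#' starts a comment
        if not line:
            continue
        m = re.fullmatch(r"\[([A-Za-z_]+)\]", line)
        if m:                                          # [section] header
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"setting outside any [section]: {line!r}")
        if line == "}":                                # end of a REALM = { ... } block
            stack.pop()
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            raise ValueError(f"cannot parse line: {line!r}")
        if value == "{":                               # start of a nested block
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def check_krb5_conf(text):
    """Report realm/KDC wiring problems and legacy enctypes as a list of findings."""
    conf = parse_krb5_conf(text)
    lib = conf.get("libdefaults", {})
    findings = []
    realm = lib.get("default_realm")
    if realm is None:
        findings.append("no default_realm in [libdefaults]")
    kdc = conf.get("realms", {}).get(realm, {}).get("kdc")
    if kdc is None:
        findings.append(f"no kdc entry for realm {realm}")
    elif not re.search(r":\d+$", kdc):
        findings.append(f"kdc {kdc} has no port; clients will use the Kerberos default, 88")
    weak = sorted({et.lower() for key in ENCTYPE_KEYS
                   for et in lib.get(key, "").split() if et.lower() in WEAK_ENCTYPES})
    if weak:
        findings.append("legacy enctypes configured: " + " ".join(weak))
    if lib.get("allow_weak_crypto", "false").lower() == "true":
        findings.append("allow_weak_crypto = true re-enables DES enctypes that JDK 8+ disables by default")
    return {"realm": realm, "kdc": kdc, "weak_enctypes": weak, "findings": findings}


if __name__ == "__main__":
    for name, text in (("IS", IS_KRB5_CONF), ("ESB", ESB_KRB5_CONF)):
        result = check_krb5_conf(text)
        print(name, result["realm"], result["kdc"])
        for finding in result["findings"]:
            print("  -", finding)
```

Run against the two configs, the IS file is flagged for its port-less kdc line and for rc4-hmac plus des-cbc-md5, while the ESB file is flagged for des-cbc-md5 and for allow_weak_crypto; neither is an error in the post's JDK 1.6 setup, but both are what to look at first when the same files fail on a newer JDK.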
We tested the above with a Java client and it was successful. Please find the client log below for your reference. (We enabled System.setProperty("sun.security.krb5.debug", "true"); to get the Kerberos logs.)
Calling service with parameter - Hello Shazni!!!!!!!
Request = <abc><in>Hello Shazni!!!!!!!</in></abc>
default etypes for default_tkt_enctypes: 3 1 16.
>>> KdcAccessibility: reset
default etypes for default_tkt_enctypes: 3 1 16.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=localhost UDP:8000, timeout=30000, number of retries =3, #bytes=144
>>> KDCCommunication: kdc=localhost UDP:8000, timeout=30000,Attempt =1, #bytes=144
>>> KrbKdcReq send: #bytes read=497
>>> KrbKdcReq send: #bytes read=497
>>> KdcAccessibility: remove localhost:8000
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>>> KrbAsRep cons in KrbAsReq.getReply test_carbon.super
default etypes for default_tkt_enctypes: 3 1 16.
Found ticket for test_carbon.super@WSO2.ORG to go to krbtgt/WSO2.ORG@WSO2.ORG expiring on Fri Mar 10 17:28:24 IST 2017
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for test_carbon.super@WSO2.ORG to go to krbtgt/WSO2.ORG@WSO2.ORG expiring on Fri Mar 10 17:28:24 IST 2017
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 3 1 16.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>>> KrbKdcReq send: kdc=localhost UDP:8000, timeout=30000, number of retries =3, #bytes=551
>>> KDCCommunication: kdc=localhost UDP:8000, timeout=30000,Attempt =1, #bytes=551
>>> KrbKdcReq send: #bytes read=527
>>> KrbKdcReq send: #bytes read=527
>>> KdcAccessibility: remove localhost:8000
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
Krb5Context setting mySeqNumber to: 710568894
Krb5Context setting peerSeqNumber to: 0
Created InitSecContextToken:
0000: 01 00 6E 82 01 D0 30 82 01 CC A0 03 02 01 05 A1  ..n...0.........
0010: 03 02 01 0E A2 07 03 05 00 00 00 00 00 A3 81 F5  ................
0020: 61 81 F2 30 81 EF A0 03 02 01 05 A1 0A 1B 08 57  a..0...........W
0030: 53 4F 32 2E 4F 52 47 A2 1B 30 19 A0 03 02 01 00  SO2.ORG..0......
0040: A1 12 30 10 1B 07 74 65 73 74 61 62 63 1B 05 6C  ..0...testabc..l
0050: 6F 63 61 6C A3 81 BE 30 81 BB A0 03 02 01 03 A2  ocal...0........
0060: 81 B3 04 81 B0 65 12 9C 46 31 27 AF 91 24 DF A8  .....e..F1'..$..
0070: 99 03 4E CE 82 03 AF 29 5F C7 46 10 51 8C 82 3D  ..N....)_.F.Q..=
0080: D5 6E C2 52 78 97 27 24 E6 84 F4 25 F1 CB AC EF  .n.Rx.'$...%....
0090: D0 95 E8 F8 61 C6 3E AA 5E 37 6E 68 47 8C FD 58  ....a.>.^7nhG..X
00A0: 9B 49 DE 88 08 EF D2 D8 12 45 5D AC 0B 8B 42 07  .I.......E]...B.
00B0: 4A 0D 43 96 C7 BC AD 81 50 72 5F 63 0F 4A 8D 79  J.C.....Pr_c.J.y
00C0: F3 DB 11 05 15 54 7B 4C C9 B0 DC 28 83 75 6C 05  .....T.L...(.ul.
00D0: E4 8F 4F CF 7D CC 70 0A 0C 85 3C E2 E0 E1 5C 34  ..O...p...<...\4
00E0: BC 8A 3B AB CB 09 79 09 4F E9 62 47 F6 1D 6E CE  ..;...y.O.bG..n.
00F0: 46 2C 40 D1 E0 98 A5 3D AD 18 2A 40 17 26 32 0A  F,@....=..*@.&2.
0100: A7 AA 9C 90 8B 5C 57 30 16 45 F6 E8 22 28 E2 50  .....\W0.E.."(.P
0110: E9 B5 4C CC 7F A4 81 BE 30 81 BB A0 03 02 01 03  ..L.....0.......
0120: A2 81 B3 04 81 B0 02 D0 DE 35 C5 34 95 07 C9 9A  .........5.4....
0130: 31 56 5B 5E 35 7C 81 5B 12 06 23 27 24 D5 D0 4E  1V[^5..[..#'$..N
0140: 2C 06 2F 91 5D AF E7 FB 9E 9E BC 60 C8 9D 11 2E  ,./.]......`....
0150: BC 1A 98 7D 90 3A AE B1 F1 DA 00 20 0D 6B 06 68  .....:..... .k.h
0160: F4 7D FE 7F 9B CC E2 45 D6 AE 95 41 35 C3 D7 4F  .......E...A5..O
0170: 89 AD 94 70 25 BC E7 D0 CF 64 3D 1A F8 3A EE C3  ...p%....d=..:..
0180: EE C6 73 D0 02 2A 12 99 9E B0 EB 8F F8 A8 95 11  ..s..*..........
0190: 98 F0 29 55 C3 65 F9 8E AE 74 42 5E F3 6C 73 08  ..)U.e...tB^.ls.
01A0: 21 F7 2E F5 2E F4 34 F4 C6 8E D2 68 F2 EC 8F EC  !.....4....h....
01B0: B9 A8 20 8D 53 F2 50 3D 94 12 70 31 06 89 0D 4A  .. .S.P=..p1...J
01C0: 30 D9 6E FF 86 E9 BE 51 F2 5B C2 94 8E 65 A3 51  0.n....Q.[...e.Q
01D0: 58 0C 6F 00 C8 34                                X.o..4
The response is: <abc><in>Hello Shazni!!!!!!!</in></abc>
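To see what that InitSecContextToken actually carries, here is an added example (not code from this post, and not part of WSO2 or the JDK): a small DER walker in Python that decodes the KRB_AP_REQ from the hex dump above without any Kerberos library. The TOKEN_HEX constant is the 470 bytes printed under "Created InitSecContextToken", copied from the log with the offset and ASCII columns removed; the function and field names are my own. Two things the decode makes visible: the run captured in the log used the service principal testabc/local rather than the esb/local from step 7, and both the ticket and the authenticator are encrypted with etype 3, which is des-cbc-md5.

```python
"""Decode the KRB_AP_REQ from the client log's hex dump (added example, not WSO2 code)."""

# The 470-byte token from the "Created InitSecContextToken" dump above, copied from the post.
TOKEN_HEX = (
    "01006E8201D0308201CCA003020105A1" "0302010EA20703050000000000A381F5"
    "6181F23081EFA003020105A10A1B0857" "534F322E4F5247A21B3019A003020100"
    "A11230101B07746573746162631B056C" "6F63616CA381BE3081BBA003020103A2"
    "81B30481B065129C463127AF9124DFA8" "99034ECE8203AF295FC74610518C823D"
    "D56EC25278972724E684F425F1CBACEF" "D095E8F861C63EAA5E376E68478CFD58"
    "9B49DE8808EFD2D812455DAC0B8B4207" "4A0D4396C7BCAD8150725F630F4A8D79"
    "F3DB110515547B4CC9B0DC2883756C05" "E48F4FCF7DCC700A0C853CE2E0E15C34"
    "BC8A3BABCB0979094FE96247F61D6ECE" "462C40D1E098A53DAD182A401726320A"
    "A7AA9C908B5C57301645F6E82228E250" "E9B54CCC7FA481BE3081BBA003020103"
    "A281B30481B002D0DE35C5349507C99A" "31565B5E357C815B1206232724D5D04E"
    "2C062F915DAFE7FB9E9EBC60C89D112E" "BC1A987D903AAEB1F1DA00200D6B0668"
    "F47DFE7F9BCCE245D6AE954135C3D74F" "89AD947025BCE7D0CF643D1AF83AEEC3"
    "EEC673D0022A12999EB0EB8FF8A89511" "98F02955C365F98EAE74425EF36C7308"
    "21F72EF52EF434F4C68ED268F2EC8FEC" "B9A8208D53F2503D9412703106890D4A"
    "30D96EFF86E9BE51F25BC2948E65A351" "580C6F00C834"
)

# Legacy enctype numbers: single DES (RFC 6649), 3DES and RC4 (RFC 8429).
WEAK_ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac"}


def der_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, content_start, content_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, pos, pos + length


def der_children(buf, start, end):
    """Yield the TLVs packed back to back in buf[start:end]."""
    pos = start
    while pos < end:
        tag, cs, ce = der_tlv(buf, pos)
        yield tag, cs, ce
        pos = ce


def ctx_fields(buf, start, end):
    """Map each [n] EXPLICIT context tag inside a SEQUENCE to the TLV it wraps."""
    fields = {}
    for tag, cs, ce in der_children(buf, start, end):
        if tag & 0xE0 != 0xA0:
            raise ValueError(f"expected a context tag, got {tag:#x}")
        fields[tag & 0x1F] = der_tlv(buf, cs)
    return fields


def der_int(buf, tlv):
    _, s, e = tlv
    return int.from_bytes(buf[s:e], "big", signed=True)


def enc_data(buf, tlv):
    """EncryptedData ::= SEQUENCE { etype [0], kvno [1] OPTIONAL, cipher [2] OCTET STRING }"""
    _, s, e = tlv
    f = ctx_fields(buf, s, e)
    etype = der_int(buf, f[0])
    _, cs, ce = f[2]
    return {"etype": etype, "weak": WEAK_ETYPES.get(etype), "cipher_len": ce - cs}


def parse_ap_req(token):
    """Parse a Kerberos v5 GSS initial token: TOK_ID 01 00 followed by a DER AP-REQ."""
    if token[:2] != b"\x01\x00":
        raise ValueError("TOK_ID is not KRB_AP_REQ (01 00)")
    tag, s, e = der_tlv(token, 2)
    if tag != 0x6E or e != len(token):     # [APPLICATION 14] and it must span the rest
        raise ValueError("not a well-formed AP-REQ")
    _, s, e = der_tlv(token, s)            # outer SEQUENCE
    f = ctx_fields(token, s, e)
    _, os_, oe = f[2]                      # APOptions BIT STRING; first byte = unused bits
    ttag, ts, te = f[3]
    if ttag != 0x61:                       # Ticket ::= [APPLICATION 1] SEQUENCE
        raise ValueError("ticket tag is not [APPLICATION 1]")
    _, ts, te = der_tlv(token, ts)
    t = ctx_fields(token, ts, te)
    _, rs, re_ = t[1]                      # realm, a KerberosString
    _, ps, pe = t[2]                       # sname, a PrincipalName SEQUENCE
    p = ctx_fields(token, ps, pe)
    _, ns, ne = p[1]                       # name-string SEQUENCE OF KerberosString
    return {
        "pvno": der_int(token, f[0]),
        "msg_type": der_int(token, f[1]),
        "ap_options": int.from_bytes(token[os_ + 1:oe], "big"),
        "realm": token[rs:re_].decode("ascii"),
        "sname_type": der_int(token, p[0]),
        "sname": "/".join(token[cs:ce].decode("ascii") for _, cs, ce in der_children(token, ns, ne)),
        "ticket": enc_data(token, t[3]),
        "authenticator": enc_data(token, f[4]),
    }


if __name__ == "__main__":
    for key, value in parse_ap_req(bytes.fromhex(TOKEN_HEX)).items():
        print(f"{key:14} {value}")
```

The decode gives realm WSO2.ORG, sname testabc/local with name-type 0 (NT-UNKNOWN), pvno 5, msg-type 14 (KRB_AP_REQ), all AP options clear, and a 176-byte cipher text under etype 3 for both the ticket and the authenticator; the cipher bytes themselves are opaque without the service key or session key. The check that the AP-REQ spans exactly the token length is also what tells you a dump copied from a log is complete.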
Enjoy...!!!