IBM Integration Bus, Version 10.0.0.1 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Configuring separate Kerberos configuration files for each integration server

You can create multiple Kerberos configuration files and then use a separate Kerberos configuration file with each integration server.

Before you begin

You must have access to a Key Distribution Center (KDC) and a server that is hosting the Kerberos-secured service, or you must have an existing Kerberos configuration file. For more information about configuring Kerberos, see your host Kerberos documentation.

About this task

Each integration server in an integration node has a separate JVM, and each JVM has a configuration setting for a Kerberos configuration file. Complete the following steps to configure a separate Kerberos configuration file for each integration server:

Procedure

  1. Create a Kerberos configuration file or identify an existing Kerberos configuration file.
    When you use Kerberos for security, the default Kerberos configuration file is the one on your workstation. The location for the configuration file differs depending on the system. The usual locations are as follows:
    • For Windows: C:\Windows\krb5.ini or C:\WINNT\krb5.ini
    • For Linux: /etc/krb5.conf
    • For UNIX (AIX®): /etc/krb5/krb5.conf
    • For z/OS®: /krb5/krb5.conf
  2. Create a new directory for each integration server. For example, on Windows, you might create the following directories:
    • work_path/krb5/server1 (to hold the copy of the Kerberos configuration file for integration server "server1")
    • work_path/krb5/server2 (to hold the copy of the Kerberos configuration file for integration server "server2")
    where work_path is the machine-wide IBM® Integration Bus working directory. By using this directory, you can manage the configuration of both the active and the standby integration nodes in a high availability deployment.
    Note: To verify the machine-wide IBM Integration Bus working directory, enter the following command in a command console:
    echo %MQSI_WORKPATH%
  3. Add a copy of the default Kerberos configuration file to each of the new directories.
  4. If you have an integration server that exposes one or more services, generate a keytab file for each service and place it in the directory for that integration server. For information about creating keytab files, see Configuring IBM Integration Bus as a Kerberos secured service.
  5. Edit each of the Kerberos configuration files and add the path to the keytab file (if required) and the realm information. For example, on Windows, you might add the following entries:
    default_keytab_name=work_path/krb5/server1/krb.keytab
    default_realm=server1Realm
    where server1Realm is the realm name for the integration server "server1". If you have to support multiple realms, you can also add an entry for each realm to the [realms] section. The following code shows an example of the configuration for multiple realms:
    [libdefaults]
      default_keytab_name = FILE:/krb/test.keytab
      default_realm = REALM2.MYCO.COM
    #  default_realm = REALM1.MYCO.COM
      default_tkt_enctypes = rc4-hmac
      default_tgs_enctypes = rc4-hmac
    
    [realms]
      REALM1.MYCO.COM = {
        kdc = kdc1.myco.com:88
        admin_server = kdc.myco.ibm.com:749
        default_domain = myco.com
      }
      REALM2.MYCO.COM = {
        kdc = kdc2.myco.com:88
        default_domain = realm2.myco.com
      }
    
    [domain_realm]
    # defines how to map from internet domain names to Kerberos realms
      REALM2.MYCO.COM.MYCO.COM = REALM2.MYCO.COM
      .myco.com = REALM1.MYCO.COM
      .test.myco.com = REALM1.MYCO.COM
  6. For each integration server, run the following command on your integration node:
    mqsichangeproperties node -e server -n jvmSystemProperty -v "-Djava.security.krb5.conf=path"
    where node is the name of your integration node, server is the name of your integration server, and path is the path to your Kerberos configuration file.
  7. Remove the java.security.krb5.conf setting from the IBM_JAVA_OPTIONS environment variable and restart your integration node.
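The per-server file edits of steps 2 to 6, as an added Python example that is not IBM's own tooling: it rewrites the [libdefaults] entries of a copy of the default krb5.conf, checks that the chosen realm has a [realms] block, and builds the mqsichangeproperties command for that server. The node, server and realm names and the work path are constructed sample values.

```python
import re

def set_libdefault(text: str, key: str, value: str) -> str:
    """Set `key = value` in [libdefaults]: replace the first active entry
    (commented '#' lines are kept as-is) or add the key if it is absent."""
    out, in_sec, seen_sec, done = [], False, False, False
    for line in text.splitlines():
        if line.lstrip().startswith("["):
            if in_sec and not done:            # leaving [libdefaults]: add key
                out.append(f"  {key} = {value}")
                done = True
            in_sec = line.strip().lower() == "[libdefaults]"
            seen_sec = seen_sec or in_sec
        elif in_sec and not done and re.match(rf"\s*{re.escape(key)}\s*=", line):
            out.append(f"  {key} = {value}")   # replace existing entry in place
            done = True
            continue
        out.append(line)
    if not done:                               # section was last, or missing
        if not seen_sec:
            out.append("[libdefaults]")
        out.append(f"  {key} = {value}")
    return "\n".join(out) + "\n"

def defined_realms(text: str) -> set:
    """Realm names that have a `NAME = {` block in the [realms] section."""
    realms, in_sec = set(), False
    for line in text.splitlines():
        if line.lstrip().startswith("["):
            in_sec = line.strip().lower() == "[realms]"
        elif in_sec:
            m = re.match(r"\s*([^\s=]+)\s*=\s*\{", line)
            if m:
                realms.add(m.group(1))
    return realms

def per_server_config(default_conf, node, server, realm, work_path, keytab=None):
    """Return (krb5.conf text, its path, the step-6 mqsichangeproperties
    command) for one integration server under work_path/krb5/<server>/."""
    # Assumes KDCs are listed in [realms] rather than found via DNS SRV records.
    if realm not in defined_realms(default_conf):
        raise ValueError(f"{realm} is not defined in [realms]")
    server_dir = f"{work_path.rstrip('/')}/krb5/{server}"  # Java accepts '/' on Windows too
    text = set_libdefault(default_conf, "default_realm", realm)
    if keytab:
        text = set_libdefault(text, "default_keytab_name", f"FILE:{server_dir}/{keytab}")
    conf_path = f"{server_dir}/krb5.conf"
    cmd = (f'mqsichangeproperties {node} -e {server} -n jvmSystemProperty '
           f'-v "-Djava.security.krb5.conf={conf_path}"')
    return text, conf_path, cmd
```

Write the returned text to the returned path, then run the returned command on the integration node as in step 6.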

Results

You configured a separate Kerberos configuration file (and optional keytab files) for each integration server.


bc49107_.htm | Last updated 2015-05-28 20:52:29