Configuring IBM Integration Bus as a Kerberos secured service
You can configure IBM® Integration Bus to operate as a Kerberos secured service for message integrity, confidentiality, and authenticity.
Before you begin

You must have access to a Key Distribution Center (KDC) and a server that is hosting the Kerberos secured service. For more information about configuring Kerberos, see your host Kerberos documentation.
About this task

Use this task to configure Kerberos as a secured service for IBM Integration Bus.
Procedure

- Export a keytab that contains the private key of the service principal from the KDC. For example:

    ktpass -out c:\Windows\krb5.keytab -princ SomePrincipal@YourDomain -crypto RC4-HMAC-NT -mapUser Username -pass Password -mapOp set

  where:
  - -out filename: Specifies the name and path of the keytab file to be generated.
  - -princ principal_name: Specifies the principal name.
  - -crypto encryption_type: Specifies the encryption type.
  - -mapUser username: Maps the name of a Kerberos principal to a local account.
  - -pass password: Specifies the password to use for this principal name.
  - -mapOp attribute: Defines how the mapping attribute is set. The attribute alternatives are add or set.
- Copy the keytab file to the server that hosts the service. You can copy the file to the server by exporting the keytab file and transferring it to the server, for instance by using FTP. The Kerberos configuration file contains a reference to the keytab file in the form of a file URL (such as /home/user/my.keytab). Because the reference is in the configuration file on the server, the server service can take on the Kerberos principal that is defined in the keytab.
- Create a Kerberos configuration file that specifies the location of the keytab file on the local workstation. You can use more than one service principal name per integration node per Kerberos realm. Use your workstation default Kerberos configuration file when you are using Kerberos for security. The location of the configuration file differs depending on the system. The usual locations are:
  - Windows: C:\Windows\krb5.ini and C:\WINNT\krb5.ini
  - Linux: /etc/krb5.conf
  - UNIX (AIX®): /etc/krb5/krb5.conf
  - z/OS®: /krb5/krb5.conf

  Different Kerberos configuration files can be configured for use by the integration node and integration servers.

  The following sample Kerberos configuration file shows typical values for the variables. The variables default_realm, default_keytab_name, and the names in the realms section are among the values you change in the configuration file, depending on your network and the location of the configuration file.

    [libdefaults]
    default_realm = MYREALM.EXAMPLE.COM
    default_keytab_name = FILE:c:\Windows\krb5.keytab
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    [realms]
    MYREALM.EXAMPLE.COM = {
    kdc = kdc.myrealm.example.com
    admin_server = kdc.myrealm.example.com
    }
- Create a new Kerberos configuration file to use unique Kerberos Service Principals per integration node or per integration server. You do so by specifying the keytab file that contains the required service principal.
- Use one of these mqsichangeproperties commands to specify the location of your new configuration file.
  - For an integration node level Kerberos configuration:

        mqsichangeproperties integrationNodeName -o BrokerRegistry -n brokerKerberosConfigFile -v kerberosConfigLocation

  - For an integration server level Kerberos configuration:

        mqsichangeproperties integrationNodeName -e integrationServerName -o ComIbmJVMManager -n brokerKerberosConfigFile -v kerberosConfigLocation
- Configure a policy set and binding that is associated with the SOAPInput node for the BAR file that contains the message flow.
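The following Python script is an added example and is not part of the IBM documentation. It parses a krb5-format configuration file like the sample shown in the procedure and reports the inconsistencies worth checking before pointing an integration node at the file: a default_realm with no [realms] entry, a default_keytab_name that is not a FILE: reference, and legacy encryption types (the rc4-hmac value in the sample is deprecated for Kerberos by RFC 8429). The embedded configuration is constructed to mirror the sample above.

```python
import re
# Legacy enctypes: RC4 and DES are deprecated for Kerberos by RFC 8429.
WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1"}

def parse_krb5(text):
    """Parse the krb5 INI-like format into {section: {key: value}}; 'NAME = {' blocks nest."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = conf.setdefault(header.group(1), {})
            block = None
        elif line == "}":
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = value
    return conf

def check_krb5(text):
    """Return a list of findings; an empty list means the file looks consistent."""
    conf = parse_krb5(text)
    lib, realms, findings = conf.get("libdefaults", {}), conf.get("realms", {}), []
    realm = lib.get("default_realm")
    if realm not in realms:  # also catches a missing default_realm
        findings.append(f"realms: no [realms] entry for default_realm {realm}")
    if not lib.get("default_keytab_name", "").startswith("FILE:"):
        findings.append("libdefaults: default_keytab_name should be a FILE: reference")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = sorted(set(lib.get(key, "").split()) & WEAK_ENCTYPES)
        if weak:
            findings.append(f"libdefaults: {key} lists weak enctype(s) {', '.join(weak)}")
    return findings

# Constructed sample that mirrors the documentation's configuration file.
SAMPLE = r"""[libdefaults]
default_realm = MYREALM.EXAMPLE.COM
default_keytab_name = FILE:c:\Windows\krb5.keytab
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[realms]
MYREALM.EXAMPLE.COM = {
kdc = kdc.myrealm.example.com
}"""
```

Run check_krb5 on the contents of your own krb5.conf; the sample as shown yields two findings, both for rc4-hmac.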
Results

You configured IBM Integration Bus to be a Kerberos secured service.