Before you begin
You must have access to a Key Distribution Center (KDC)
and a server that is hosting the Kerberos-secured service, or
you must have an existing Kerberos configuration file. For more
information about configuring Kerberos, see your host Kerberos
documentation.
About this task
Each integration server in an integration node has a separate
JVM, and each JVM has a configuration setting for a Kerberos configuration
file. Complete the following steps to configure a separate Kerberos
configuration file for each integration server:
Procedure
- Create a Kerberos configuration file or identify an existing Kerberos configuration file.
  When you use Kerberos for security, the default Kerberos configuration file is the one on your
  workstation. The location for the configuration file differs depending on the system. The usual
  locations are as follows:
  - For Windows: C:\Windows\krb5.ini or C:\WINNT\krb5.ini
  - For Linux: /etc/krb5.conf
  - For UNIX (AIX®): /etc/krb5/krb5.conf
  - For z/OS®: /krb5/krb5.conf
- Create a new directory for each integration server. For example, on Windows, you might create
  the following directories:
  - work_path/krb5/server1 (to hold the copy of the Kerberos configuration file for integration
    server "server1")
  - work_path/krb5/server2 (to hold the copy of the Kerberos configuration file for integration
    server "server2")
  where work_path is the machine-wide IBM® Integration Bus working directory. By using this
  directory, you can manage the configuration of both the active and the standby integration nodes
  in a high availability deployment.
  Note: To verify the machine-wide IBM Integration Bus working directory, enter the following
  command in a command console:
    echo %MQSI_WORKPATH%
- Add a copy of the default Kerberos configuration file to
each of the new directories.
- If you have an integration server that exposes one or more
services, generate a keytab file for each service and place it
in the directory for that integration server. For information
about creating keytab files, see Configuring IBM Integration Bus as a Kerberos secured service.
- Edit each of the Kerberos configuration files and add the path to the keytab file (if required)
  and the realm information. For example, on Windows, you might add the following entries:
    default_keytab_name=work_path/krb5/server1/krb.keytab
    default_realm=server1Realm
  where server1Realm is the realm name for the integration server "server1". If you have to
  support multiple realms, you can also add entries for each realm into the [realms] section. The
  following code shows an example of the configuration for multiple realms:
    [libdefaults]
    default_keytab_name = FILE:/krb/test.keytab
    default_realm = REALM2.MYCO.COM
    # default_realm = REALM1.MYCO.COM
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    [realms]
    REALM1.MYCO.COM = {
        kdc = kdc1.myco.com:88
        admin_server = kdc.myco.ibm.com:749
        default_domain = myco.com
    }
    REALM2.MYCO.COM = {
        kdc = kdc2.myco.com:88
        default_domain = realm2.myco.com
    }
    [domain_realm]
    # defines how to map from internet domain names to Kerberos realms
    REALM2.MYCO.COM.MYCO.COM = REALM2.MYCO.COM
    .myco.com = REALM1.MYCO.COM
    .test.myco.com = REALM1.MYCO.COM
- For each integration server, run the following command on your integration node:
    mqsichangeproperties node -e server -n jvmSystemProperty -v "-Djava.security.krb5.conf=path"
  where node is the name of your integration node, server is the name of your integration server,
  and path is the path to your Kerberos configuration file.
- Remove the java.security.krb5.conf setting from the IBM_JAVA_OPTIONS environment variable and
  restart your integration node.
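The following checker is an added example and is not part of the IBM documentation or the product. It parses a krb5.conf like the multi-realm example in the step above and reports the mismatches that otherwise only surface as JVM login failures (a default_realm or domain_realm mapping with no [realms] entry, a realm with no kdc), and it flags the legacy rc4-hmac encryption types used in that example. The function names and the trimmed sample text are assumptions made for this example.

```python
# Constructed input: a trimmed copy of the multi-realm configuration shown above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = REALM2.MYCO.COM
default_tkt_enctypes = rc4-hmac
[realms]
REALM1.MYCO.COM = {
kdc = kdc1.myco.com:88
}
REALM2.MYCO.COM = {
kdc = kdc2.myco.com:88
}
[domain_realm]
.myco.com = REALM1.MYCO.COM
"""
# Encryption types deprecated for Kerberos by RFC 6649 and RFC 8429; prefer AES.
LEGACY_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "des-cbc-crc", "des-cbc-md5"}

def parse_krb5_conf(text):
    """Parse [section], key = value and name = { ... } lines into nested dicts."""
    conf, section, block = {}, None, None
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())  # drop comments
    for line in filter(None, lines):                   # skip blank lines
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":                              # end of a realm block
            block = None
        elif line.endswith("{"):                       # start of a realm block
            block = section.setdefault(line[:-1].partition("=")[0].strip(), {})
        else:
            key, _, value = line.partition("=")
            (section if block is None else block)[key.strip()] = value.strip()
    return conf

def check_krb5_conf(text):
    """Return the problems found; an empty list means the file is consistent."""
    conf = parse_krb5_conf(text)
    libdefaults, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    problems, default_realm = [], libdefaults.get("default_realm")
    if default_realm not in realms:                    # unset, or not defined below
        problems.append(f"default_realm {default_realm!r} has no [realms] entry")
    problems += [f"realm {name} has no kdc entry"      # JVM cannot locate the KDC
                 for name, body in realms.items() if "kdc" not in body]
    problems += [f"domain_realm {dom} maps to undefined realm {realm}"
                 for dom, realm in conf.get("domain_realm", {}).items()
                 if realm not in realms]
    problems += [f"{key} allows legacy enctype(s): {' '.join(sorted(weak))}"
                 for key in ("default_tkt_enctypes", "default_tgs_enctypes")
                 if (weak := set(libdefaults.get(key, "").split()) & LEGACY_ENCTYPES)]
    return problems
```

Run check_krb5_conf on each per-integration-server file before pointing the JVM at it with mqsichangeproperties; for the sample above it reports only the rc4-hmac ticket encryption type.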
Results
You configured a separate Kerberos configuration file
(and optional keytab files) for each integration server.