JAAS is a standard Java API that must be configured with your network settings. Edit the provided example file conf/jaas.conf and replace the example values according to your network configuration:

```
de.methodpark.pkit.auth.SpnegoAuthenticator {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="<key-tab file>"
    storeKey=true
    realm="<KERBEROS-REALM>"
    debug="false"
    principal="HTTP/<fqdn>@<KERBEROS-REALM>";
};
```

Argument | Description |
---|---|
<key-tab file> | The full path to the keytab file. |
<KERBEROS-REALM> | The Active Directory Kerberos realm. By default this is the domain name of your Active Directory in capital letters. |
<fqdn> | The fully qualified DNS domain name of the Stages Server. |
Example:

```
de.methodpark.pkit.auth.SpnegoAuthenticator {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="c:/Program Files/MethodPark/Stages/krb5.keytab"
    storeKey=true
    realm="PKITBUILD.ER.METHODPARK.DE"
    debug="false"
    principal="HTTP/pkit.methodpark.de@PKITBUILD.ER.METHODPARK.DE";
};
```

JGSS is another standard Java API that must be configured with your network information. Edit the provided example file /conf/krb5.conf and replace the example values according to your network configuration:

```
[libdefaults]
    default_realm = <KERBEROS-REALM>
    default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    forwardable = true

[realms]
    <KERBEROS-REALM> = {
        kdc = <ad-server-fqdn>:88
    }

[domain_realm]
    .<ad-dns-domain> = <KERBEROS-REALM>
    <ad-dns-domain> = <KERBEROS-REALM>
```

Argument | Description |
---|---|
<KERBEROS-REALM> | The Active Directory Kerberos realm. By default this is the domain name of your Active Directory in capital letters. |
<ad-server-fqdn> | The fully qualified DNS name of the Active Directory server. |
<ad-dns-domain> | The DNS domain which belongs to the Active Directory. |
Example:

```
[libdefaults]
    default_realm = PKITBUILD.ER.METHODPARK.DE
    default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    forwardable = true

[realms]
    PKITBUILD.ER.METHODPARK.DE = {
        kdc = projectkit.pkitbuild.er.methodpark.de:88
    }

[domain_realm]
    .pkitbuild.er.methodpark.de = PKITBUILD.ER.METHODPARK.DE
    pkitbuild.er.methodpark.de = PKITBUILD.ER.METHODPARK.DE
```

To use AES-256 encryption, add aes256-cts to the default_tkt_enctypes and default_tgs_enctypes lists.
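
The following is an added example, not part of the Stages documentation or product: a small Python check that cross-validates the two files configured above (the realm in the JAAS principal and realm option against default_realm, [realms] and [domain_realm]) and reports entries in the enctype lists that RFC 6649 and RFC 8429 deprecate. The function names are hypothetical, and it assumes krb5.conf is written one setting per line.

```python
import re
import sys

# Enctypes deprecated by RFC 6649 (single DES) and RFC 8429 (3DES, RC4).
DEPRECATED = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "rc4-hmac"}

def parse_krb5(text):
    """Return {section: {key: value}}; brace sub-blocks are flattened into the section."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
        elif "=" in line and section is not None and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            section[key] = value
    return conf

def check(jaas_text, krb5_text):
    """Cross-check jaas.conf against krb5.conf; an empty list means no findings."""
    # JAAS options are name=value pairs; values may be quoted and contain spaces.
    opts = {k: q or u for k, q, u in
            re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s;]+))', jaas_text)}
    krb5 = parse_krb5(krb5_text)
    lib, realms = krb5.get("libdefaults", {}), krb5.get("realms", {})
    out = []
    m = re.fullmatch(r"HTTP/[^@/]+@(.+)", opts.get("principal", ""))
    if not m or m.group(1) != opts.get("realm"):
        out.append("principal is not HTTP/<fqdn>@<realm option>")
    if opts.get("realm") != lib.get("default_realm"):
        out.append("JAAS realm differs from default_realm")
    if lib.get("default_realm") not in realms:
        out.append("default_realm has no [realms] entry")
    for domain, realm in krb5.get("domain_realm", {}).items():
        if realm not in realms:
            out.append(f"domain_realm {domain} maps to undefined realm {realm}")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = sorted(DEPRECATED & set(lib.get(key, "").split()))
        if weak:
            out.append(f"{key}: deprecated {' '.join(weak)}")
    return out

if __name__ == "__main__":
    # Usage: python <this file> conf/jaas.conf conf/krb5.conf
    jaas, krb5 = (open(p, encoding="utf-8").read() for p in sys.argv[1:3])
    print("\n".join(check(jaas, krb5)) or "no findings")
```

Run against the example values on this page, it reports only the deprecated enctypes in both lists; the realm, principal and domain mappings are consistent.
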
To test your JAAS and JGSS configuration in a Stages server environment, proceed as described below:
bin\testAutoLogin.bat (on Windows) or bin/testAutoLogin.sh (on Unix) and hit enter.