Kerberos Version 5 is used for both the authentication and secure communication aspects of the client and server applications developed in this tutorial. The reader is assumed to already be familiar with Kerberos. See the Kerberos reference documentation.
The JAAS framework, and the Kerberos mechanism required by the Java GSS-API methods, are built into the version 1.4 JREs from all vendors. (Actually, JAAS was available as a separately-downloadable optional package starting in version 1.3.) The Kerberos LoginModule required for the JAAS authentication in this tutorial may not be available in all vendors' JREs. We will be using the LoginModule for Kerberos provided in the JRE from Sun Microsystems (J2RE v 1.4).
In order to run the sample programs, you will need access to a Kerberos installation. As described in the following sections, you may also need a
krb5.conf
Kerberos configuration file and an indication as to where that file is located.As with all Kerberos installations, a Kerberos Key Distribution Center (KDC) is required. It needs to contain the user name and password you will use to be authenticated to Kerberos. Note: A KDC implementation is part of a Kerberos installation, not a part of the J2RE, v 1.4.
As with most Kerberos installations, a Kerberos configuration file
krb5.conf
is consulted to determine such things as the default realm and KDC. If you are using a Kerberos implementation such as that from Microsoft for Windows 2000, which does not include akrb5.conf
file, you will either need to create one or use system properties as described in Setting Properties to Indicate the Default Realm and KDC.Setting Properties to Indicate the Default Realm and KDC
Typically, the default realm and the KDC for that realm are indicated in the Kerberos
krb5.conf
configuration file. However, if you like, you can instead specify these values by setting the following system properties to indicate the realm and KDC, respectively:java.security.krb5.realm java.security.krb5.kdcIf you set one of these properties you must set them both.
Also note that if you set these properties, then no cross-realm authentication is possible unless a
krb5.conf
file is also provided from which the additional information required for cross-realm authentication may be obtained.If you set values for these properties, then they override the default realm and KDC values specified in
krb5.conf
(if such a file is found). Thekrb5.conf
file is still consulted if values for items other than the default realm and KDC are needed. If nokrb5.conf
file is found, then the default values used for these items are implementation-specific.Locating the
krb5.conf
Configuration FileThe essential Kerberos configuration information is the default realm and the default KDC. As shown in Setting Properties to Indicate the Default Realm and KDC, if you set properties to indicate these values, they are not obtained from a
krb5.conf
configuration file.If these properties do not have values set, or if other Kerberos configuration information is needed, an attempt is made to find the required information in a
krb5.conf
file. The algorithm to locate thekrb5.conf
file is the following:
- If the system property
java.security.krb5.conf
is set, its value is assumed to specify the path and file name.
- If that system property value is not set, then the configuration file is looked for in the directory
Here <java-home> refers to the directory where the JRE was installed. For example, if you have J2SDK v 1.4 installed on Solaris in a directory named<java-home>\lib\security [Win32] <java-home>/lib/security [Solaris and Linux]/jdk1.4
, the directory in which the configuration file is looked for is:/jdk1.4/jre/lib/security- If the file is still not found, then an attempt is made to locate it as follows:
/etc/krb5/krb5.conf [Solaris] c:\winnt\krb5.ini [Win32] /etc/krb5.conf [Linux]- If the file is still not found, and the configuration information being searched for is not the default realm and KDC, then implementation-specific defaults are used. If, on the other hand, the configuration information being searched for is the default realm and KDC because they weren't specified in system properties, and the
krb5.conf
file is not found either, then an exception is thrown.