2.2. Defining Server Security Domain
The application server must define a security domain to be able to authenticate to the KDC for the first time.
Important: Krb5LoginModule can use a local credentials cache; however, this option is incompatible with the storeKey option, which is required by SPNEGO. Make sure the module does not use the local credentials cache.
To define a server security domain, do the following:
- Open the $JBOSS_HOME/server/$PROFILE/conf/login-config.xml file for editing.
- Define the application-policy element containing an authentication element, with the following module options:
  - storeKey: if true, the private key is cached in the Subject (set to true).
  - useKeyTab: if true, the key is loaded from a keyTab file (set to true).
  - principal: the full name of the principal to obtain from the keyTab file.
  - keyTab: the full path to the keyTab file holding the server key (the key used to encrypt the information exchanged between the server and the KDC).
  - doNotPrompt: if true, password prompting is turned off (as this is a server, set to true).
  - debug: if true, the module logs additional debug information to STDOUT.
Example 2.1. Server security domain
<application-policy name="host">
  <authentication>
    <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
      <module-option name="storeKey">true</module-option>
      <module-option name="useKeyTab">true</module-option>
      <module-option name="principal">HTTP/testserver@KERBEROS.JBOSS.ORG</module-option>
      <module-option name="keyTab">/home/jboss_user/testserver.keytab</module-option>
      <module-option name="doNotPrompt">true</module-option>
      <module-option name="debug">true</module-option>
    </login-module>
  </authentication>
</application-policy>
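As an added check (not part of the JBoss documentation), the script below parses a login-config.xml fragment and verifies that the Krb5LoginModule options meet the requirements of the procedure above, including the caveat that the ticket cache option (useTicketCache) must not be combined with storeKey. The sample XML is constructed from Example 2.1; the function names are assumptions.

```python
"""Validate the Krb5LoginModule options of a JBoss login-config.xml security domain."""
import xml.etree.ElementTree as ET

# Constructed sample mirroring Example 2.1 from the guide (values are the doc's placeholders).
GOOD_CONFIG = """<policy>
  <application-policy name="host">
    <authentication>
      <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
        <module-option name="storeKey">true</module-option>
        <module-option name="useKeyTab">true</module-option>
        <module-option name="principal">HTTP/testserver@KERBEROS.JBOSS.ORG</module-option>
        <module-option name="keyTab">/home/jboss_user/testserver.keytab</module-option>
        <module-option name="doNotPrompt">true</module-option>
        <module-option name="debug">true</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>"""

REQUIRED_TRUE = ("storeKey", "useKeyTab", "doNotPrompt")   # must be "true" for SPNEGO
REQUIRED_PRESENT = ("principal", "keyTab")                # must be set, non-empty


def krb5_options(xml_text, domain):
    """Return {option: value} for the Krb5LoginModule in the named application-policy, or None."""
    root = ET.fromstring(xml_text)
    for policy in root.iter("application-policy"):
        if policy.get("name") != domain:
            continue
        for lm in policy.iter("login-module"):
            if lm.get("code", "").endswith("Krb5LoginModule"):
                return {o.get("name"): (o.text or "").strip() for o in lm.findall("module-option")}
    return None


def check_domain(xml_text, domain="host"):
    """Return a list of problems; an empty list means the domain matches the guide's requirements."""
    opts = krb5_options(xml_text, domain)
    if opts is None:
        return [f"no Krb5LoginModule found in application-policy '{domain}'"]
    problems = []
    for name in REQUIRED_TRUE:
        if opts.get(name, "").lower() != "true":
            problems.append(f"{name} must be true (found {opts.get(name)!r})")
    for name in REQUIRED_PRESENT:
        if not opts.get(name):
            problems.append(f"{name} is missing or empty")
    # The guide's Important note: a local ticket cache is incompatible with storeKey.
    if opts.get("useTicketCache", "").lower() == "true":
        problems.append("useTicketCache=true conflicts with storeKey=true; remove it")
    return problems
```

Run check_domain against the deployed login-config.xml contents after editing; any returned string is a setting that will make the first authentication to the KDC fail or that contradicts the guide.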