Wednesday, February 26, 2014

Kerberos Java Client: Configuration

These posts will guide you through using Java to talk to a Kerberized server with the JCraft library [1].

This particular post covers the environment configuration needed to make the Java client work. The next post will focus on the Java client itself.

Problem Scenario
This will use JSch (from JCraft) to SSH to the Kerberized server using a Kerberos ticket (TGT). It will execute a command on the Kerberized server and read the output stream.
Note: This program uses an already generated Kerberos ticket. It does not create one.

First of all, make sure your computer is running a Kerberos client and that you are able to ssh to the Kerberized server from the terminal using the TGT. It would look something like
ssh username@REALM

If that works, you are good to proceed.

If you are doing this on a Mac, you need to do the following step; otherwise skip it.
You have to set KRB5CCNAME to point to a new Kerberos ticket cache. Ex:
export KRB5CCNAME="/Users/swithana/krb5cc_swithana_022322"

This is the ticket cache that the login configuration file (discussed below) should point to.

Steps
First, run the command below to generate the Kerberos ticket.
kinit username@REALM

You can list the tickets you have by using the 'klist' command.

Then you need to have the Kerberos configuration file on your local system (usually at /etc/krb5.conf).
If you don't have it, create one.
Here's what a krb5.conf looks like:
[domain_realm]
        .test.iu.edu = TEST.IU.EDU
        .indiana.edu = TEST.IU.EDU

[libdefaults]
        default_realm = TEST.IU.EDU
        forwardable = TRUE

[realms]
        TEST.IU.EDU = {
                kdc = test.iu.edu:88
        }

[logging]
        default = FILE:/var/log/krb5.log


You also need a login configuration for JAAS [2]. This specifies which module to use to log in, where the TGT is, etc. Here's an example jaas.conf file.
com.sun.security.jgss.krb5.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
                debug="true"
                doNotPrompt="true"
                useTicketCache="true"
                ticketCache="/tmp/krb5cc_1005";
};

ticketCache: the path to the credential cache holding the TGT (the same file that KRB5CCNAME points to and that klist shows).

After these changes you are good to go.

But sometimes Java is unable to decrypt the Kerberos ticket, because the JRE does not support AES256 out of the box for export control reasons.
To overcome that you need to manually modify the JRE and apply the Java Cryptography Extension (JCE) unlimited strength policy files [3] to the $JAVA_HOME/jre/lib/security directory.
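The two things that most often go wrong with this setup are the jaas.conf entry not finding the ticket cache and the JRE refusing to decrypt an AES256 TGT. The following preflight program is an added example, not code from the original post, that checks both before any JSch code is involved: it reports the AES key-length cap (256 or more means the JCE policy files are in place), then performs a JAAS login against the com.sun.security.jgss.krb5.initiate entry from the example jaas.conf above and prints what it found in the ticket cache. The class name KerberosPreflight and the output format are assumptions of this example; the JAAS and javax.security.auth.kerberos APIs used are standard JDK classes.

```java
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/*
 * Preflight check for the configuration described in this post (added example;
 * class name and output format are assumptions).
 * Run it with the same JVM and flags the real client will use, e.g.:
 *   java -Djava.security.krb5.conf=/etc/krb5.conf \
 *        -Djava.security.auth.login.config=/path/to/jaas.conf \
 *        KerberosPreflight
 */
public class KerberosPreflight {

    // Entry name from the example jaas.conf in the post.
    static final String LOGIN_ENTRY = "com.sun.security.jgss.krb5.initiate";

    // True when this JRE may use 256-bit AES keys, i.e. the JCE unlimited strength
    // policy files are installed. Without them a cache holding an AES256 TGT
    // cannot be decrypted during JAAS login.
    static boolean supportsAes256() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    // Logs in through the configured entry. Because the entry sets
    // useTicketCache="true" and doNotPrompt="true", this never asks for a
    // password: it either reads the TGT from ticketCache or fails.
    static Subject login() throws LoginException {
        LoginContext lc = new LoginContext(LOGIN_ENTRY);
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("KRB5CCNAME    = " + System.getenv("KRB5CCNAME"));
        System.out.println("jaas config   = " + System.getProperty("java.security.auth.login.config"));
        System.out.println("krb5.conf     = " + System.getProperty("java.security.krb5.conf"));

        if (!supportsAes256()) {
            System.out.println("WARNING: AES key length capped at "
                + Cipher.getMaxAllowedKeyLength("AES")
                + " bits; install the JCE unlimited strength policy files before using an AES256 TGT.");
        }

        Subject subject;
        try {
            subject = login();
        } catch (LoginException e) {
            // Typical causes: ticketCache in jaas.conf is not the file klist shows,
            // kinit was never run, or the TGT is AES256 and the JCE files are missing.
            System.out.println("JAAS login failed: " + e.getMessage());
            return;
        }

        for (KerberosPrincipal p : subject.getPrincipals(KerberosPrincipal.class)) {
            System.out.println("principal     = " + p.getName());
        }
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            System.out.println("ticket for    = " + t.getServer().getName());
            System.out.println("expires       = " + t.getEndTime());
            // Session key encryption type; 18 is aes256-cts-hmac-sha1-96.
            System.out.println("session etype = " + t.getSessionKeyType());
            // Mirrors 'forwardable = TRUE' from krb5.conf; needed if the SSH
            // session is to delegate the TGT to the remote host.
            System.out.println("forwardable   = " + t.isForwardable());
        }
    }
}
```

If the login fails with a decryption error while klist shows a valid ticket, and the program reports an AES cap of 128 bits, the JCE policy files are the missing piece. Note that JDK 8u161 and later, and all JDK 9+ releases, ship with unlimited strength enabled by default, so the cap only appears on older JREs like the ones current when this post was written.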


2 comments:

  2. I have a Kerberos client. I want to add a Kerberos ticket to my Impala JDBC program. How can I map jaas.conf to my JDBC program?