Java security krb5 conf - IT Справочник

IT Справочник
5 просмотров
Рейтинг статьи
1 звезда2 звезды3 звезды4 звезды5 звезд

Java security krb5 conf

Java security krb5 conf

HttpClient provides full support for authentication schemes defined by the HTTP standard specification as well as a number of widely used non-standard authentication schemes such as NTLM and SPNEGO .

4.1. User credentials

Any process of user authentication requires a set of credentials that can be used to establish user identity. In the simplest form user credentials can be just a user name / password pair. UsernamePasswordCredentials represents a set of credentials consisting of a security principal and a password in clear text. This implementation is sufficient for standard authentication schemes defined by the HTTP standard specification.

NTCredentials is a Microsoft Windows specific implementation that includes in addition to the user name / password pair a set of additional Windows specific attributes such as the name of the user domain. In a Microsoft Windows network the same user can belong to multiple domains each with a different set of authorizations.

4.2. Authentication schemes

The AuthScheme interface represents an abstract challenge-response oriented authentication scheme. An authentication scheme is expected to support the following functions:

Parse and process the challenge sent by the target server in response to request for a protected resource.

Provide properties of the processed challenge: the authentication scheme type and its parameters, such the realm this authentication scheme is applicable to, if available

Generate the authorization string for the given set of credentials and the HTTP request in response to the actual authorization challenge.

Please note that authentication schemes may be stateful involving a series of challenge-response exchanges.

HttpClient ships with several AuthScheme implementations:

Basic: Basic authentication scheme as defined in RFC 2617. This authentication scheme is insecure, as the credentials are transmitted in clear text. Despite its insecurity Basic authentication scheme is perfectly adequate if used in combination with the TLS/SSL encryption.

Digest. Digest authentication scheme as defined in RFC 2617. Digest authentication scheme is significantly more secure than Basic and can be a good choice for those applications that do not want the overhead of full transport security through TLS/SSL encryption.

NTLM: NTLM is a proprietary authentication scheme developed by Microsoft and optimized for Windows platforms. NTLM is believed to be more secure than Digest.

SPNEGO: SPNEGO ( S imple and P rotected GSSAPI Nego tiation Mechanism) is a GSSAPI «pseudo mechanism» that is used to negotiate one of a number of possible real mechanisms. SPNEGO’s most visible use is in Microsoft’s HTTP Negotiate authentication extension. The negotiable sub-mechanisms include NTLM and Kerberos supported by Active Directory. At present HttpClient only supports the Kerberos sub-mechanism.

Kerberos: Kerberos authentication implementation.

4.3. Credentials provider

Credentials providers are intended to maintain a set of user credentials and to be able to produce user credentials for a particular authentication scope. Authentication scope consists of a host name, a port number, a realm name and an authentication scheme name. When registering credentials with the credentials provider one can provide a wild card (any host, any port, any realm, any scheme) instead of a concrete attribute value. The credentials provider is then expected to be able to find the closest match for a particular scope if the direct match cannot be found.

HttpClient can work with any physical representation of a credentials provider that implements the CredentialsProvider interface. The default CredentialsProvider implementation called BasicCredentialsProvider is a simple implementation backed by a java.util.HashMap .

4.4. HTTP authentication and execution context

HttpClient relies on the AuthState class to keep track of detailed information about the state of the authentication process. HttpClient creates two instances of AuthState in the course of HTTP request execution: one for target host authentication and another one for proxy authentication. In case the target server or the proxy require user authentication the respective AuthScope instance will be populated with the AuthScope , AuthScheme and Crednetials used during the authentication process. The AuthState can be examined in order to find out what kind of authentication was requested, whether a matching AuthScheme implementation was found and whether the credentials provider managed to find user credentials for the given authentication scope.

In the course of HTTP request execution HttpClient adds the following authentication related objects to the execution context:

Lookup instance representing the actual authentication scheme registry. The value of this attribute set in the local context takes precedence over the default one.

CredentialsProvider instance representing the actual credentials provider. The value of this attribute set in the local context takes precedence over the default one.

AuthState instance representing the actual target authentication state. The value of this attribute set in the local context takes precedence over the default one.

AuthState instance representing the actual proxy authentication state. The value of this attribute set in the local context takes precedence over the default one.

AuthCache instance representing the actual authentication data cache. The value of this attribute set in the local context takes precedence over the default one.

The local HttpContext object can be used to customize the HTTP authentication context prior to request execution, or to examine its state after the request has been executed:

4.5. Caching of authentication data

As of version 4.1 HttpClient automatically caches information about hosts it has successfully authenticated with. Please note that one must use the same execution context to execute logically related requests in order for cached authentication data to propagate from one request to another. Authentication data will be lost as soon as the execution context goes out of scope.

4.6. Preemptive authentication

HttpClient does not support preemptive authentication out of the box, because if misused or used incorrectly the preemptive authentication can lead to significant security issues, such as sending user credentials in clear text to an unauthorized third party. Therefore, users are expected to evaluate potential benefits of preemptive authentication versus security risks in the context of their specific application environment.

Nonetheless one can configure HttpClient to authenticate preemptively by prepopulating the authentication data cache.

4.7. NTLM Authentication

As of version 4.1 HttpClient provides full support for NTLMv1, NTLMv2, and NTLM2 Session authentication out of the box. One can still continue using an external NTLM engine such as JCIFS library developed by the Samba project as a part of their Windows interoperability suite of programs.

4.7.1. NTLM connection persistence

The NTLM authentication scheme is significantly more expensive in terms of computational overhead and performance impact than the standard Basic and Digest schemes. This is likely to be one of the main reasons why Microsoft chose to make NTLM authentication scheme stateful. That is, once authenticated, the user identity is associated with that connection for its entire life span. The stateful nature of NTLM connections makes connection persistence more complex, as for the obvious reason persistent NTLM connections may not be re-used by users with a different user identity. The standard connection managers shipped with HttpClient are fully capable of managing stateful connections. However, it is critically important that logically related requests within the same session use the same execution context in order to make them aware of the current user identity. Otherwise, HttpClient will end up creating a new HTTP connection for each HTTP request against NTLM protected resources. For detailed discussion on stateful HTTP connections please refer to this section.

As NTLM connections are stateful it is generally recommended to trigger NTLM authentication using a relatively cheap method, such as GET or HEAD , and re-use the same connection to execute more expensive methods, especially those enclose a request entity, such as POST or PUT .

Читать еще:  Как настроить java

4.8. SPNEGO /Kerberos Authentication

The SPNEGO ( S imple and P rotected GSSAPI Nego tiation Mechanism) is designed to allow for authentication to services when neither end knows what the other can use/provide. It is most commonly used to do Kerberos authentication. It can wrap other mechanisms, however the current version in HttpClient is designed solely with Kerberos in mind.

Client Web Browser does HTTP GET for resource.

Web server returns HTTP 401 status and a header: WWW-Authenticate: Negotiate

Client generates a NegTokenInit , base64 encodes it, and resubmits the GET with an Authorization header: Authorization: Negotiate .

Server decodes the NegTokenInit , extracts the supported MechTypes (only Kerberos V5 in our case), ensures it is one of the expected ones, and then extracts the MechToken (Kerberos Token) and authenticates it.

If more processing is required another HTTP 401 is returned to the client with more data in the the WWW-Authenticate header. Client takes the info and generates another token passing this back in the Authorization header until complete.

When the client has been authenticated the Web server should return the HTTP 200 status, a final WWW-Authenticate header and the page content.

4.8.1. SPNEGO support in HttpClient

The SPNEGO authentication scheme is compatible with Sun Java versions 1.5 and up. However the use of Java >= 1.6 is strongly recommended as it supports SPNEGO authentication more completely.

The Sun JRE provides the supporting classes to do nearly all the Kerberos and SPNEGO token handling. This means that a lot of the setup is for the GSS classes. The SPNegoScheme is a simple class to handle marshalling the tokens and reading and writing the correct headers.

The best way to start is to grab the file in examples and try and get it to work. There are a lot of issues that can happen but if lucky it’ll work without too much of a problem. It should also provide some output to debug with.

In Windows it should default to using the logged in credentials; this can be overridden by using ‘kinit’ e.g. $JAVA_HOMEbinkinit testuser@AD.EXAMPLE.NET , which is very helpful for testing and debugging issues. Remove the cache file created by kinit to revert back to the windows Kerberos cache.

Make sure to list domain_realms in the krb5.conf file. This is a major source of problems.

4.8.2. GSS/Java Kerberos Setup

This documentation assumes you are using Windows but much of the information applies to Unix as well.

The org.ietf.jgss classes have lots of possible configuration parameters, mainly in the krb5.conf / krb5.ini file. Some more info on the format at

4.8.3. login.conf file

The following configuration is a basic setup that works in Windows XP against both IIS and JBoss Negotiation modules.

The system property can be used to point at the login.conf file.

login.conf content may look like the following:

4.8.4. krb5.conf / krb5.ini file

If unspecified, the system default will be used. Override if needed by setting the system property to point to a custom krb5.conf file.

krb5.conf content may look like the following:

4.8.5. Windows Specific configuration

To allow Windows to use the current user’s tickets, the system property must be set to false and the Windows registry key allowtgtsessionkey should be added and set correctly to allow session keys to be sent in the Kerberos Ticket-Granting Ticket.

On the Windows Server 2003 and Windows 2000 SP4, here is the required registry setting:

Here is the location of the registry setting on Windows XP SP2:

Configure kerberos without krb5.conf

I’m using kerberos authentication to login to ActiveDirectory. I’m doing it with GSSAPI.

Currently, I’m using krb5.conf file, that describes the realms, encryption algs and more, and the authentication works fine.

I would like avoid using this file. Can I programmatically configure kerberos, without using this file?

Создан 18 дек. 12 2012-12-18 11:19:19 Matan

3 ответа

You could try just configuring two system properties:

Note that you can’t programmatically configure anything beyond this if you are using JDK’s native support for Kerberos.

If you are coding for Windows, I would warmly recommend using WAFFLE to achieve seamless Single Sign-On. It doesn’t have a GSS-API adapter, though. I wrote my own, but only because the rest of the system already relied on it. You could just as easily skip GSS-API and program directly against WAFFLE.

Hi, Thanks! i’m not sure that these properties will be enough. What about the encryption algorithm? – Matan 18 дек. 12 2012-12-18 12:45:17

Just try them and see if the defaults are good enough. In my setup I found the defaults satisfactory. – Marko Topolnik 18 дек. 12 2012-12-18 12:47:04

I know that I can’t use the defaults since the encryption algorithms are not supported. – Matan 18 дек. 12 2012-12-18 16:49:51

You mean your target server doesn’t support the encryption algo of the service ticket? Since I think that even older Java versions support all the relevant algos. – Marko Topolnik 18 дек. 12 2012-12-18 17:34:10

Yes, and I do like to be able to configure more than just the kdc and the realm (for example — default domain). – Matan 20 дек. 12 2012-12-20 12:12:20

Then you are stuck with ‘krb5.conf’, unless you change your mind about the Kerberos implementation you intend to use. BTW as far as I recall, the encryption algorithm for the Service Ticket is not at all controlled by the client: the KDC decides this for itself. After all, this is strictly between the KDC and the target server; the client has no business with it. – Marko Topolnik 20 дек. 12 2012-12-20 12:20:36

Thanks. What is this waffle? – Matan 20 дек. 12 2012-12-20 12:23:42

It’s a wrapper to Windows SSPI, which is a native Windows API equivalent to GSS-API. SSPI manages all tickets internally so it is zero-configuration. You just get the token you need to send to the server—just like you get from GSS-API. – Marko Topolnik 20 дек. 12 2012-12-20 12:31:22

But it won’t work with unix. Am I right? – Matan 23 дек. 12 2012-12-23 10:35:07

That’s right, it works strictly on Windows. Let me also warn you that, to the best of my knowledge, JDK’s native implementation doesn’t do ticket renewal. When the ticket expires, it just stops working. – Marko Topolnik 23 дек. 12 2012-12-23 10:52:32

@MarkoTopolnik Can you tell me which property to be set in krb5.ini file to extend the ticket lifetime using jdk? – Kumar 13 апр. 15 2015-04-13 12:28:48

If you only want to avoid a system-wide krb5.conf, you can create it in your program in any directory with any name (say, in your home directory) and use it by setting the Java system property to its full path. I do believe this has to be done before you call any Kerberos related codes.

Создан 01 янв. 13 2013-01-01 10:39:34 speedogoo

It seems we may not have the official methods to configure the Kerberos without the krb5.conf, even ignoring some parts of keytabs(They are defined to be auto fetched at TGS status, but sometimes things are getting wired) will lead to fatal errors.

Читать еще:  Код ошибки 10 0 tera

Создан 04 сен. 16 2016-09-04 07:54:04 ChunYu Wang

Apache Tomcat Kerberos Authentication Tutorial

Posted by: Jesus Boadas in Tomcat November 24th, 2016 0 Views

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many commercial products as well.

1. The tools

  • Java JDK
  • Apache Tomcat

2. Introduction

Kerberos authentication is used to make Tomcat Web applications use the domain windows controller credentials to authenticate the Tomcat hosted web applications. Integrated Windows authentication is most frequently used within intranet environments since it requires that both the server which performs the authentication and the user being authenticated are part of the same domain. For the user to be authenticated automatically, the client machine used by the user must also be part of the domain.

3. Prerequisites

  • JDK installed

4. Download Tomcat

Go to the page and download the tomcat server as a zip compressed file for windows.

1 Download Tomcat for Windows

5. Tomcat Installation

5.1 Uncompress Apache Tomcat

Choose an installation directory and uncompress the Tomcat server in its own directory.

2 Uncompress Tomcat

5.2 Install the Tomcat service

Open the Window terminal and go to the Tomcat Installation bin directory.

Tomcat installation directory

Install the service with the following command:

Install Tomcat service

You should get an output similar to this:

install Tomcat output

5.3 Start the Tomcat service

Start the service with the following command:

Start tomcat output

You should get an output similar to the following:

5.4 Check that tomcat is running

Open the browser in the URL: http://localhost:8080 and you the Tomcat Welcome screen should appear.

3 Tomcat Welcome

6. Checklist before enable Kerberos Authentication

  • The host name used to access the Tomcat server must match the host name in the Service Principal Name.
  • The client must be part of the local trusted intranet.
  • The Service Principal Name must be HTTP/
  • The port number must not be included in the Service Principal Name.
  • No more than one Service Principal Name may be mapped to a domain user.
  • Tomcat must run as the domain account with which the Service Principal Name has been associated.
  • The domain must be specified when using the ktpass command.

7 Components

The name of the Windows domain is:

There are four components to the configuration of the built-in Tomcat support for Windows authentication.

7.1 The domain controller

In our case is going to be:

7.2 The server hosting Tomcat

In our case is going to be:

7.3 The web application wishing to use Windows authentication

This application is hosted in tomcat so it uses the same domain name as the Tomcat instance.

7.4 The client machine.

In our case is going to be:
As you can see the client is part of our window domain.

8. Configuring the domain controller

Create a domain user that will be mapped to the service name used by the Tomcat server. We are going to use the user MYTOMCATUSER and the password MYTOMCATPASSWORD

Map the service principal name to the user account. Service Principal Name take the form / :

/ .
The SPN used in this how-to is HTTP/mytomcat.mydomain.local. To map the user to the Service Principal Name, run the following:

Generate the keytab file that the Tomcat server will use to authenticate itself to the domain controller. This file contains the Tomcat private key for the service provider account and should be protected accordingly. To generate the file, run the following command:

Create a domain user to be used on the client. We are going to use the user myclientuser and the password myclientpassword .

9. Configuring the Tomcat instance

Install Tomcat following the steps explained before. Tomcat need to be run with the MYTOMCATUSER@MYDOMAIN.LOCAL user.

The steps to configure the Tomcat instance for Windows authentication are as follows:

$CATALINA_BASE is the tomcat install folder.
Copy the mytomcat.keytab file created on the domain controller to $CATALINA_BASE/conf/mytomcat.keytab. Create the kerberos configuration file $CATALINA_BASE/conf/krb5.ini.

Create the JAAS login configuration file $CATALINA_BASE/conf/jaas.conf.

10. Configuring the Web application

The web application needs to be configured to the Tomcat specific authentication method of SPNEGO in web.xml.

Find the filter section in the file and add your servlet’s initial parameter configuration.

11. Configuring the client

The client must be configured to use Kerberos authentication. For Internet Explorer this means that you have to make sure that the Tomcat instance is in the “Local intranet” security domain and that it is configured (Tools > Internet Options > Advanced) with integrated Windows authentication enabled. Note that this will not work if you use the same machine for the client and the Tomcat instance as Internet Explorer will use the unsupported NTLM protocol.

12. Conclusion

Authentication is the process of identifying yourself to the network and is fundamental to the security of computer systems. Without knowing who is requesting an operation it is hard to decide whether the operation should be allowed. Weak authentication systems are authentication by assertion and assume that services and machines cannot be compromised or spoofed and that network traffic cannot be monitored. Strong authentication systems that do not disclose secrets on the network and use encryption are becoming increasingly popular and important.

Kerberos has strong mutual authentication. Secrets are not transmitted across the network. Critical authentication data is encrypted. The client (normally a user) is authenticated to the server and the server is authenticated to the client. The client identity is used to authorize services on the server. The server identity prevents the spoofing and hijacking of services.

Single sign-on. A user convenience meaning a single identity and password can be used for many services with only one login sequence.

Authentication using SASL¶



If your organization is already using a Kerberos server (for example, by using Active Directory), there is no need to install a new server just for Kafka. Otherwise you will need to install one, your Linux vendor likely has packages for Kerberos and a short guide on how to install and configure it (Ubuntu, Redhat). Note that if you are using Oracle Java, you will need to download JCE policy files for your Java version and copy them to $JAVA_HOME/jre/lib/security .

Kerberos Principals¶

If you are using the organization’s Kerberos or Active Directory server, ask your Kerberos administrator for a principal for each Kafka broker in your cluster and for every operating system user that will access Kafka with Kerberos authentication (via clients and tools).

If you have installed your own Kerberos, you will need to create these principals yourself using the following commands:

All hosts must be reachable using hostnames¶

It is a Kerberos requirement that all your hosts can be resolved with their FQDNs.

Configuring Kafka Brokers¶

  1. Add a suitably modified JAAS file similar to the one below to each Kafka broker’s config directory, let’s call it kafka_server_jaas.conf for this example (note that each broker should have its own keytab):
  1. Pass the name of the JAAS file as a JVM parameter to each Kafka broker:
Читать еще:  Java sql запросы

You may also wish to specify the path to the krb5.conf file (see JDK’s Kerberos Requirements for more details):

  1. Make sure the keytabs configured in the JAAS file are readable by the operating system user who is starting the Kafka broker.
  2. Configure a SASL port in , by adding at least one of SASL_PLAINTEXT or SASL_SSL to the listeners parameter, which contains one or more comma-separated values:

If SASL_SSL is used, then SSL must also be configured . Note that a PLAINTEXT port is needed if you intend to use any client that does not support SASL.

If you are only configuring a SASL port (or if you want the Kafka brokers to authenticate each other using SASL) then make sure you set the same SASL protocol for inter-broker communication:

We must also configure the service name in , which should match the principal name of the Kafka brokers. In the above example, the principal is kafka/ , so:

Important notes:

  1. KafkaServer is a section name in the JAAS file used by each broker. This section tells the broker which principal to use and the location of the keytab where this principal is stored. It allows the broker to login using the keytab specified in this section.
  2. The Client section is used to authenticate a SASL connection with zookeeper. It also allows the brokers to set SASL ACL on ZooKeeper nodes which locks these nodes down so that only the brokers can modify it. It is necessary to have the same principal name across all brokers. If you want to use a section name other than Client , set the system property zookeeper.sasl.client to the appropriate name (e.g. -Dzookeeper.sasl.client=ZkClient ).
  3. ZooKeeper uses zookeeper as the service name by default. If you want to change this, set the system property zookeeper.sasl.client.username to the appropriate name (e.g. -Dzookeeper.sasl.client.username=zk ).

Configuring Kafka Clients¶

SASL authentication is only supported for the new Kafka producer and consumer, the older API is not supported. To configure SASL authentication on the clients:

1. Clients (producers, consumers, connect workers, etc) will authenticate to the cluster with their own principal (usually with the same name as the user running the client), so obtain or create these principals as needed. Then create a JAAS file for each principal. The KafkaClient section describes how the clients like producer and consumer can connect to the Kafka Broker. The following is an example configuration for a client using a keytab (recommended for long-running processes):

For command-line utilities like kafka-console-consumer or kafka-console-producer , kinit can be used along with useTicketCache=true as in:

  1. Pass the name of the JAAS file as a JVM parameter to the client JVM:

You may also wish to specify the path to the krb5.conf file (see JDK’s Kerberos Requirements for more details).

  1. Make sure the keytabs configured in the kafka_client_jaas.conf are readable by the operating system user who is starting kafka client.
  2. Configure the following properties in and/or :

В© Copyright , Confluent, Inc. Privacy Policy | Terms & Conditions. Apache, Apache Kafka, Kafka and the Kafka logo are trademarks of the Apache Software Foundation. All other trademarks, servicemarks, and copyrights are the property of their respective owners.

Secure Kafka Java Producer with Kerberos

The most recent release of Kafka 0.9 with it’s comprehensive security implementation has reached an important milestone. In his blog post Kafka Security 101 Ismael from Confluent describes the security features part of the release very well.

As a part II of the here published post about Kafka Security with Kerberos this post discussed a sample implementation of a Java Kafka producer with authentication. It is part of a mini series of posts discussing secure HDP clients, connecting services to a secured cluster, and kerberizing the HDP Sandbox (Download HDP Sandbox). In this effort at the end of this post we will also create a Kafka Servlet to publish messages to a secured broker.

Kafka provides SSL and Kerberos authentication. Only Kerberos is discussed here.

Kafka from now on supports four different communication protocols between Consumers, Producers, and Brokers. Each protocol considers different security aspects, while PLAINTEXT is the old insecure communication protocol.

  • PLAINTEXT (non-authenticated, non-encrypted)
  • SSL (SSL authentication, encrypted)
  • PLAINTEXT+SASL (authentication, non-encrypted)
  • SSL+SASL (encrypted authentication, encrypted transport)

A Kafka client needs to be configured to use the protocol of the corresponding broker. This tells the client to use authentication for communication with the broker:

Making use of Kerberos authentication in Java is provided by the Java Authentication and Authorization Service (JAAS) which is a pluggable authentication method similar to PAM supporting multiple authentication methods. In this case the authentication method being used is GSS-API for Kerberos.

Demo Setup

For JAAS a proper configuration of GSS would be needed in addition to being in possession of proper credentials, obviously. Some credentials can be created with MIT Kerberos like this:

The last line is not necessarily needed as it creates us a so called keytab – basically an encrypted password of the user – that can be used for password less authentication for example for automated services. We will make use of that here as well.

First we need to prepare a test topic to publish messages with proper privileges for our kafka-user:

As a sample producer we will use this:

With this setup we can go ahead demonstrating two ways to use a JAAS context to authenticate with the Kafka broker. At first we will configure a context to use the existing privileges possessed by the executing user. Next we use a so called keytab to demonstrate a password-less login for automated producer processes. At last we will look at a Servlet implementation provided here.

Authentication with User Login

To configure a JAAS config with userKeyTab set to false and useTicketCache to true, so that the privileges of the current users are being used.

We store this in a file under /home/kafka-user/kafka-jaas.conf and exeute the broker like this:

Using Keytab to Login

Next we will configure the JAAS context to use a generated keytab file instead of the security context of the executing user. Before we can do this we need to create the keytab storing it also under /home/kafka-user/kafka-user.keytab .

The JAAS configuration can now be changed to look like this:

This will use the keytab stored under /home/kafka-user/kafka-user.keytab while the user executing the producer must not be logged in to any security controller:

Kafka Producer Servlet

In a last example we will add a Kafka Servlet to the hdp-web-sample project previously described in this post. Our Servlet will get the topic and message as a GET parameter. The Servlet looks as follwoing:

Again we are changing the JAAS config of the Tomcat service to be able to make use of the previously generated keytab. The jaas.conf of Tomcat will contain now this:

After deploying the web app and restarting tomcat with this newly adapted JAAS config you should be able to publish message to a secured broker be triggering the following GET address from a browser http://one.hdp:8099/hdp-web/kafka?topic=test&msg=Test1 . The response should be a 200 OK like this:

You might be having some issues and in particular seeing this Exception:

Ссылка на основную публикацию
ВсеИнструменты 220 Вольт