2.2. Defining Server Security Domain
The application server must define a security domain to be able to authenticate to the KDC for the first time.
Important
Krb5LoginModule can use a local credentials cache; however, this option is incompatible with the storeKey option, which is required by SPNEGO. Make sure the module does not use the local credentials cache.
To define a server security domain, do the following:
- Open the
$JBOSS_HOME/server/$PROFILE/conf/login-config.xmlfile for editing. - Define the application policy element with the authentication element with the following options:
- storeKey
- If
truethe private key is cached in the Subject (set totrue). - useKeyTab
- If
truethe key is loaded from a keyTab file (set totrue). - principal
- The attribute needs to state the full name of the principal to obtain from the keyTab file.
- keyTab
- The attribute defines the full path to the keyTab file with the server key (key for encrypting the information between the server and KDC).
- doNotPrompt
- If
truepassword prompting is turned off (as this is a server, set totrue). - debug
- If
truethe system logs additional debug information to STDOUT.
Example 2.1. Server security domain
<application-policy name="host">
<authentication>
<login-module code="com.sun.security.auth.module.Krb5LoginModule"
flag="required">
<module-option name="storeKey">true</module-option>
<module-option name="useKeyTab">true</module-option>
<module-option name="principal">HTTP/testserver@KERBEROS.JBOSS.ORG</module-option>
<module-option name="keyTab">/home/jboss_user/testserver.keytab</module-option>
<module-option name="doNotPrompt">true</module-option>
<module-option name="debug">true</module-option>
</login-module>
</authentication>
</application-policy>
