Configuring Kerberos Authentication for Java in the Windows Environment

This appendix provides information on configuring Java Kerberos Authentication for Query Design Center, Relational Design Center and the Relational Database Server for ClearPath MCP JDBC Driver.

Configuring Kerberos Authentication

  1. Create a registry key using the Windows Registry Editor to make the session ticket-granting ticket (TGT) key available. Do the following:

    1. Open Registry Editor and expand the HKEY_LOCAL_MACHINE folder.

    2. Expand the SYSTEM folder.

    3. Expand the CurrentControlSet folder.

    4. Expand the Control folder.

    5. Expand the LSA folder.

    6. Right-click the Kerberos folder.

    7. Select New and click DWORD (32-bit) Value.

    8. In the right pane of the Registry Editor window, name the new DWORD AllowTGTSessionKey.

    9. Right-click AllowTGTSessionKey and select Modify....

      The Edit DWORD (32-bit) Value dialog box appears.

    10. In the Value data field, change the value to 1.

    11. Click OK.

  2. Locate the java.security file using one of the following methods:

    • For systems running Java 11, in your Java directory, do the following:

      1. Click the config folder.

      2. Click the security folder.

    • For systems running Java 8, in your Java directory, do the following:

      1. Click the lib folder.

      2. Click the security folder.

  3. Modify the java.security file to reference the Java Authentication and Authorization Service (JAAS) configuration file named jaas.config, which is in the same directory. For example: 

    login.config.url.1=file:${java.home}/lib/security/jaas.config
    Note: If login.config.url.1 exists, use the next available number. For example, login.config.url.2=file:${java.home}/lib/security/jaas.config.

  4. Create or modify the ${java.home}lib/security/jaas.config file.

    The JAASconfiguration file indicates the Pluggable Authentication Module (PAM) to use. The following lists sample contents, which can be added to an existing jaas.config file: 

    unisys.mcpsql.provider {
      com.sun.security.auth.module.Krb5LoginModule required
      useTicketCache=true client=true debug=false useKeyTab=true
      default_tkt_enctypes=des-cdc-md5 default_tgs_enctypes=des-cbc-md5;    
    };

  5. Create the Kerberos configuration file named krb5.conf in the lib/security directory of the JRE structure.

    The following lists sample contents of the Kerberos configuration file: 

    [libdefaults]
default_realm = FOO.BAR
    dns_lookup_kdc = true[realms]
FOO.BAR = {
             kdc = kdc.foo.bar
             admin_server = kdc.foo.bar
     }
[domain_realm]
[logging]

  6. Optionally, you can configure Kerberos Authentication for Query Design Center, Relational Design Center, and the JDBC Driver. Do the following:

    1. Launch the tool you want to configure Kerberos Authentication for (for example, the Query Design Center, Relational Design Center, or the JDBC Driver).

      The \.MCPSQL directory is created in your home directory. A file with the extension .properties is also created with all property settings commented out. The following lists the file name of each tool for which you can configure Kerberos Authentication:

      Software

      File Name

      Query Design Center

      qdc.properties

      Relational Design Center

      rdc.properties

      JDBC Driver

      provider.properties

    2. Using a text editor, change the properties for the service name attributes.

      You change a property by removing the number sign character (#) at the beginning of a property name and editing the corresponding value.

    3. Save the file in the \.MCPSQL directory.

      The modified properties take effect the next time you launch the tool you configured Kerberos Authentication for.

Caching Kerberos Credentials

Once you have configured Kerberos Authentication, you can cache your Kerberos credentials using the Java kinit command.

Prev     Next
Saving and Restoring Permissions  Home  Configuring Secure Communications