...
- Expand the WS-Federation (Passive) Configuration or OpenID Configuration.
- Enter the identifier for the Passive STS Realm and the OpenID Realm. These identifiers need to be specified as identification when the service provider reaches out to the Identity Server. For WS-Federation (Passive), you can also specify the endpoint of the realm in Passive STS WReply URL.
Configuring Kerberos KDC
Kerberos is an authentication protocol which can be used to secure communications in web services. Kerberos enables you to exchange user credentials securely. Thus, it also provides mutual authentication in which the server can also authenticate itself to the client.
The Kerberos protocol uses a trusted third party called “Key Distribution Center” (KDC). KDC consists of two logical parts. They are:
- Authentication Server
- Ticket Granting Server
The actual user credentials are stored within the Authentication Server. The communicating parties will retrieve a Kerberos ticket from the Ticket Granting Server. TGS validates the ticket-requesting users' credentials with the Authentication Server.
Kerberos Security within WSO2 Identity Server
WSO2 Identity Server uses an ApacheDS-based LDAP server user store. It also has an ApacheDS based on KDC implementation. Users can use WSO2 Identity Server as a KDC and implement Kerberos security to secure communications between services and clients.
Enable KDC within WSO2 Identity Server.
To use KDC in Identity Server, you need to use the embedded LDAP which ships with WSO2 Identity Server. Thus, by default, the KDC server is disabled. To enable the KDC server, go to the Identity Server home directory and navigate to the <PRODUCT_HOME>/repository/conf folder. There you will find a file named embedded-ldap.xml. Open embedded-ldap.xml and find the <KDCServer/> XML tag. You will configure the XML element named enabled. Set its value to true. After modifying it, the XML configuration should look like this:
| Code Block |
|---|
<KDCServer>
<Property name="name">defaultKDC</Property>
<Property name="enabled">true</Property>
<Property name="protocol">UDP</Property>
<Property name="host">localhost</Property>
<Property name="port">${Ports.EmbeddedLDAP.KDCServerPort}</Property>
<Property name="maximumTicketLifeTime">8640000</Property>
<Property name="maximumRenewableLifeTime">604800000</Property>
<Property name="preAuthenticationTimeStampEnabled">true</Property>
</KDCServer>
|
Service Principals
The KDC Server issues tickets to access a particular service. Thus, each type of service is associated with a particular service name. In the case of Kerbero, we call the service name “Service Principal Name” (SPN). Before we assign an SPN to a service, we need to define the “Service Principal Name” in KDC.
Users can use this screen to perform operations on service principals.
- Expand the Inbound Authentication Configuration section and click Configure under Kerberos KDC.
- Specify the required information on the "Service Principal Management" page.
- Service Principal Name – Name of the service principal. This usually takes following format:
<Service Name>/<Host where service is running>. This field is mandatory. - Password – The password given to the service principal. You would use this password in the appropriate service's rampart configuration. Thus, the appropriate service will provide a password, given in rampart configuration, to KDC when it needs to authenticate itself to KDC. This field is mandatory.
- Re-Type Password – Re-type password provided in the "Password" section to make sure the given password is accurate. This field is mandatory.
- Description – Brief description of the service principal. This field is not mandatory.
- Service Principal Name – Name of the service principal. This usually takes following format:
- Click on the Finish button.
- Your service principal is added to a list. You can change the password or delete the service principal using the associated links.