This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Kerberos Security

Kerberos is an authentication protocol that can be used to secure communications in web services. Kerberos enables you to exchange user credentials securely. It also provides mutual authentication, in which the server authenticates itself to the client.

The Kerberos protocol uses a trusted third party called the “Key Distribution Center” (KDC). The KDC consists of two logical parts:

  • Authentication Server
  • Ticket Granting Server

The actual user credentials are stored within the Authentication Server. The communicating parties retrieve a Kerberos ticket from the Ticket Granting Server (TGS). The TGS validates the ticket-requesting users' credentials with the Authentication Server.

Kerberos Security within WSO2 Identity Server

WSO2 Identity Server uses an ApacheDS-based LDAP server user store. It also has an ApacheDS-based KDC implementation. Users can use WSO2 Identity Server as a KDC and implement Kerberos security to secure communications between services and clients.

Enable KDC within WSO2 Identity Server

To use the KDC in Identity Server, you need to use the embedded LDAP that ships with WSO2 Identity Server. By default, the KDC server is disabled. To enable it, go to the Identity Server home directory and navigate to the <PRODUCT_HOME>/repository/conf folder, where you will find a file named embedded-ldap.xml. Open embedded-ldap.xml, find the <KDCServer> element, and set the value of its property named enabled to true. After the change, the XML configuration should look like this:

<KDCServer>
    <Property name="name">defaultKDC</Property>
    <Property name="enabled">true</Property>
    <Property name="protocol">UDP</Property>
    <Property name="host">localhost</Property>
    <Property name="port">${Ports.EmbeddedLDAP.KDCServerPort}</Property>
    <Property name="maximumTicketLifeTime">8640000</Property>
    <Property name="maximumRenewableLifeTime">604800000</Property>
    <Property name="preAuthenticationTimeStampEnabled">true</Property>
</KDCServer>
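The following Python script is an added example, not part of the WSO2 documentation or product. It reads the <KDCServer> block, switches the enabled property to true, and checks the settings shown above. The function names, the EmbeddedLDAPConfig root element and the sample text are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's <KDCServer> block with "enabled" still at its
# default of false, wrapped in an assumed root element name.
SAMPLE = """<EmbeddedLDAPConfig>
  <KDCServer>
    <Property name="name">defaultKDC</Property>
    <Property name="enabled">false</Property>
    <Property name="protocol">UDP</Property>
    <Property name="host">localhost</Property>
    <Property name="port">${Ports.EmbeddedLDAP.KDCServerPort}</Property>
    <Property name="maximumTicketLifeTime">8640000</Property>
    <Property name="maximumRenewableLifeTime">604800000</Property>
    <Property name="preAuthenticationTimeStampEnabled">true</Property>
  </KDCServer>
</EmbeddedLDAPConfig>"""

def kdc_element(xml_text):
    """Parse the config text and return its <KDCServer> element."""
    kdc = next(ET.fromstring(xml_text).iter("KDCServer"), None)
    if kdc is None:
        raise ValueError("no <KDCServer> element found")
    return kdc

def kdc_properties(kdc):
    """Map each <Property name="..."> to its trimmed text value."""
    return {p.get("name"): (p.text or "").strip() for p in kdc.findall("Property")}

def set_enabled(kdc, value=True):
    """Set the 'enabled' property in place; return True if it changed."""
    new = "true" if value else "false"
    for p in kdc.findall("Property"):
        if p.get("name") == "enabled":
            changed = (p.text or "").strip().lower() != new
            p.text = new
            return changed
    raise ValueError("<KDCServer> has no 'enabled' property")

def audit(props):
    """Return findings for the KDC settings shown on this page."""
    findings = []
    if props.get("enabled", "").lower() != "true":
        findings.append("KDC server is disabled")
    if props.get("preAuthenticationTimeStampEnabled", "").lower() != "true":
        # Without pre-authentication the KDC replies before the client proves key knowledge.
        findings.append("timestamp pre-authentication is off")
    life, renew = props.get("maximumTicketLifeTime", ""), props.get("maximumRenewableLifeTime", "")
    if life.isdigit() and renew.isdigit() and int(life) > int(renew):
        findings.append("ticket lifetime exceeds renewable lifetime")
    return findings
```

To check a real installation, pass the contents of <PRODUCT_HOME>/repository/conf/embedded-ldap.xml to kdc_element in place of SAMPLE.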

Service Principals

The KDC server issues tickets to access a particular service, so each type of service is associated with a particular service name. In Kerberos, this service name is called the “Service Principal Name” (SPN). Before an SPN can be assigned to a service, it must be defined in the KDC.

Users can use this screen to perform operations on service principals. Visit the pages below to learn more information on their associated topics: