Red Hat
Aug 15, 2017
by Jan Kalina

Testing environment

This tutorial uses the simple Kerberos server and keytab generator by Josef Cacek:

git clone https://github.com/kwart/kerberos-using-apacheds/
cd kerberos-using-apacheds
mvn install

Generate a keytab file holding the key of the service principal HTTP/localhost@JBOSS.ORG (derived from the password httppwd); the WildFly server uses it to authenticate to Kerberos:

java -classpath target/kerberos-using-apacheds.jar org.jboss.test.kerberos.CreateKeytab HTTP/localhost@JBOSS.ORG httppwd http.keytab

Note that for the Remoting protocol the service name is remote instead of HTTP. In that case you also need to add the corresponding principal to the LDIF loaded into the testing server:

dn: uid=remote,ou=Users,dc=jboss,dc=org
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: remote
sn: Service
uid: remote
userPassword: remotepwd
krb5PrincipalName: remote/localhost@JBOSS.ORG
krb5KeyVersionNumber: 0

and generate its keytab the same way:

java -classpath target/kerberos-using-apacheds.jar org.jboss.test.kerberos.CreateKeytab remote/localhost@JBOSS.ORG remotepwd remote.keytab

Now you can start the testing Kerberos server with the directory contents from the example test.ldif file:

java -jar target/kerberos-using-apacheds.jar test.ldif

Now you can obtain a ticket for a test user with kinit, pointing it at the krb5.conf generated by the testing server:

export KRB5_CONFIG=/home/jkalina/Desktop/tutorial/kerberos-using-apacheds/krb5.conf
kinit hnelson@JBOSS.ORG
Password for hnelson@JBOSS.ORG: secret

Now we can start to configure the WildFly server.

Configuring WildFly to use Kerberos

First we need to set the java.security.krb5.conf system property to the path of the krb5.conf file generated by the testing server above:

/system-property=java.security.krb5.conf:add(value=/home/jkalina/Desktop/tutorial/kerberos-using-apacheds/krb5.conf)

Next we specify the credentials WildFly uses to authenticate to the KDC: the service principal and the path to its keytab file. The keytab holds the service's long-term key, so restrict its file permissions to the user running WildFly:

/subsystem=elytron/kerberos-security-factory=krbSFhttp:add(principal=HTTP/localhost@JBOSS.ORG, path=/home/jkalina/Desktop/tutorial/kerberos-using-apacheds/http.keytab, mechanism-names=[KRB5, SPNEGO])
/subsystem=elytron/kerberos-security-factory=krbSFremote:add(principal=remote/localhost@JBOSS.ORG, path=/home/jkalina/Desktop/tutorial/kerberos-using-apacheds/remote.keytab, mechanism-names=[KRB5])

Now we can add the required mechanisms to the authentication factories (SPNEGO for the HTTP management interface, GS2-KRB5-PLUS for SASL over Remoting):

/subsystem=elytron/http-authentication-factory=management-http-authentication:list-add(name=mechanism-configurations, \
    value={mechanism-name=SPNEGO, mechanism-realm-configurations=[{realm-name=exampleFsSD}], credential-security-factory=krbSFhttp})
/subsystem=elytron/sasl-authentication-factory=management-sasl-authentication:list-add(name=mechanism-configurations, \
    value={mechanism-name=GS2-KRB5-PLUS, credential-security-factory=krbSFremote})

Note that Kerberos is used only for authentication, not for authorization: users must still exist in the security realm backing the authentication factory. For the default management properties realm that means adding the user to mgmt-users.properties; the empty value means no password is stored for the identity:

hnelson@JBOSS.ORG=

Enabling Elytron for authentication

To use the authentication factories above we need to switch the management interface from the legacy security realm to them:

/core-service=management/management-interface=http-interface:write-attribute(name=http-authentication-factory,value=management-http-authentication)
/core-service=management/management-interface=http-interface:undefine-attribute(name=security-realm)

Testing

Using curl, which picks up the ticket obtained by kinit (the user name given with -u is not used by the Negotiate mechanism, so -u : works as well):

curl --negotiate -u hnelson@JBOSS.ORG --trace-ascii - http://localhost:9990/management

Getting debug output

On Oracle JDK and OpenJDK we can set a system property to enable Kerberos debug output:

/system-property=sun.security.krb5.debug:add(value=true)

TRACE-level messages from Elytron and from Remoting are also useful:

/subsystem=logging/logger=org.wildfly.security:add(level=TRACE)
/subsystem=logging/logger=org.jboss.remoting.remote.server:add(level=TRACE)

Common error messages

No server entry found for kerberos principal name HTTP/127.0.0.1@JBOSS.ORG

You are accessing the WildFly server from the browser by a different hostname (127.0.0.1) than the one for which the Kerberos service principal exists (localhost). The client builds the service principal name from the host in the URL and requests a ticket for HTTP/127.0.0.1@JBOSS.ORG, which has no entry in the server's keytab. Either access the server by the hostname in the keytab, or add a principal (and keytab entry) for every hostname clients use.
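The mismatch above can be checked before touching the server by listing the principals in the keytab and comparing them with the service principal name a client would request for the URL being used. The following is an added example, not code from the original post or from the kerberos-using-apacheds project: it parses the MIT keytab format (version 0x0502) that ktutil and the CreateKeytab tool write, and builds a constructed in-memory keytab for HTTP/localhost@JBOSS.ORG whose key bytes are arbitrary (not derived from httppwd), since only the principal names matter for the check. The function and constant names are the example's own.

```python
import struct
from urllib.parse import urlsplit

KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab file format, version 2


def build_keytab(entries):
    """Serialise (principal, realm, enctype, kvno, key) tuples as a v2 keytab.

    Used here only to construct sample input; real keytabs come from ktutil
    or the CreateKeytab tool used in this tutorial.
    """
    out = bytearray(KEYTAB_MAGIC)
    for principal, realm, enctype, kvno, key in entries:
        comps = principal.split("/")
        body = bytearray()
        body += struct.pack(">H", len(comps))                  # component count (realm excluded in v2)
        body += struct.pack(">H", len(realm)) + realm.encode()  # realm as counted octet string
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">I", 1)                            # name_type: KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)                            # timestamp (unused here)
        body += struct.pack(">B", kvno & 0xFF)                  # 8-bit key version
        body += struct.pack(">HH", enctype, len(key)) + key     # keyblock: enctype, length, key
        out += struct.pack(">i", len(body)) + body              # entry size prefix
    return bytes(out)


def _counted_string(data, pos):
    """Read a uint16-length-prefixed string at pos; return (value, new_pos)."""
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode(), pos + n


def read_keytab(data):
    """Parse a v2 keytab and return its entries as dicts (principal, kvno, enctype).

    Key material is skipped, not returned: the check only needs the names.
    """
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 (0x0502) keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted_string(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted_string(data, pos)
            comps.append(comp)
        pos += 4                     # name_type
        pos += 4                     # timestamp
        kvno = data[pos]             # vno8
        pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen              # skip the key bytes
        if end - pos >= 4:           # optional 32-bit kvno overrides vno8
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype})
    return entries


def expected_spn(url, realm, service="HTTP"):
    """Service principal a client requests for a URL: <service>/<host>@<REALM>.

    The literal host from the URL is used on purpose: that is what reproduces
    the error in the text. Some clients canonicalise the host through DNS
    first (see the rdns setting in krb5.conf), which changes the name requested.
    """
    return f"{service}/{urlsplit(url).hostname}@{realm}"


def check_spn(keytab_data, url, realm, service="HTTP"):
    """Return (spn, present) for the SPN a client would request for url."""
    spn = expected_spn(url, realm, service)
    present = {e["principal"] for e in read_keytab(keytab_data)}
    return spn, spn in present


# Constructed sample keytab: one AES128-CTS-HMAC-SHA1-96 (enctype 17) entry
# for the tutorial's HTTP service principal, with arbitrary key bytes.
HTTP_KEYTAB = build_keytab([("HTTP/localhost", "JBOSS.ORG", 17, 0, bytes(range(16)))])

if __name__ == "__main__":
    for url in ("http://localhost:9990/management", "http://127.0.0.1:9990/management"):
        spn, ok = check_spn(HTTP_KEYTAB, url, "JBOSS.ORG")
        print(f"{url}: requests {spn}: {'found in keytab' if ok else 'NOT in keytab'}")
```

To run it against a real file, pass the contents of http.keytab (or remote.keytab with service="remote") to check_spn; the same parser lists the principals present so you can see which hostnames a keytab actually covers.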
