Configure Kerberos-based Authentication for WSO2 Datasources


As you know, Kerberos can be used to authenticate systems or users that reside on a non-secured network. In my use case I have a Windows AD domain and an MSSQL server, and I have a couple of WSO2 servers running on Linux systems.

In my initial setup, I had configured the WSO2 servers to use SQL users. Instead of SQL users, I prefer to use AD users, so I started configuring Kerberos and ran into a lot of trouble.

If you are starting from scratch, I recommend first writing a small Java class that connects to the MSSQL server using Kerberos. That way you can identify all the small mistakes, such as character-case issues, typos and JDBC driver compatibility issues, before WSO2 is involved at all.

Below are a few issues I faced:

1) Case is significant in the krb5.conf file (realm names in particular: NAPAGODA.COM and napagoda.com are treated as different realms).

2) I found that we need to use version 6.4 of the MSSQL JDBC driver in order to obtain new tickets. If you only plan to use pre-generated tickets (a ticket cache populated with kinit), an older version works as well.
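The standalone check recommended above, as an added example of my own rather than code from the original post. It assumes the krb5.conf and jaas.conf described in the steps below already exist at /etc/krb5.conf and /opt/wso2/jaas.conf, a SQL Server at sql01.napagoda.com:1433 with a database named wso2_db, a service account svc_wso2@NAPAGODA.COM, and mssql-jdbc 6.4 (com.microsoft.sqlserver:mssql-jdbc:6.4.0.jre8) on the classpath; all of those names are assumptions, not values from the post. It exercises both cases from the list above (reusing a kinit ticket, or letting the driver obtain a fresh one from a principal and password) and then asks SQL Server which authentication scheme it actually negotiated, which is the check that catches a silent fallback to a SQL login.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Standalone Kerberos-to-SQL-Server connectivity check, independent of WSO2.
 * Assumed paths and hostnames (not from the original post): /etc/krb5.conf,
 * /opt/wso2/jaas.conf, sql01.napagoda.com:1433, database wso2_db.
 *
 * Usage:
 *   java -cp mssql-jdbc-6.4.0.jre8.jar:. KerberosJdbcCheck                 (after kinit; reuses the ticket cache)
 *   java -cp mssql-jdbc-6.4.0.jre8.jar:. KerberosJdbcCheck svc_wso2@NAPAGODA.COM 'P@ssw0rd'  (driver requests a new TGT)
 */
public class KerberosJdbcCheck {

    public static void main(String[] args) throws SQLException {
        // The same properties the WSO2 start-up script will later need. They are
        // Java system properties, not environment variables, and must be set
        // before the first Kerberos login, i.e. before getConnection().
        System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
        System.setProperty("java.security.auth.login.config", "/opt/wso2/jaas.conf");
        // Prints the KDC contacted, the realm and principal actually used, and the
        // ticket request/response: this is where case mismatches show up.
        System.setProperty("sun.security.krb5.debug", "true");

        String url = "jdbc:sqlserver://sql01.napagoda.com:1433;"
                + "databaseName=wso2_db;"
                + "integratedSecurity=true;"
                + "authenticationScheme=JavaKerberos";

        // Two modes, matching the two cases from the list of issues:
        //   no arguments        -> null user/password, the SQLJDBCDriver JAAS entry
        //                          (useTicketCache=true) picks the principal from the kinit cache
        //   <principal> <pwd>   -> the driver logs in with that AD principal and obtains a fresh
        //                          ticket itself (this is the path that needs mssql-jdbc 6.4)
        String user = args.length >= 2 ? args[0] : null;
        String password = args.length >= 2 ? args[1] : null;

        try (Connection conn = DriverManager.getConnection(url, user, password)) {
            String login = whoAmI(conn);
            String scheme = authScheme(conn);
            System.out.println("Connected as " + login + " using auth_scheme=" + scheme);
            // Fail loudly if the session was authenticated by anything other than Kerberos.
            if (!"KERBEROS".equalsIgnoreCase(scheme)) {
                throw new IllegalStateException(
                        "Expected KERBEROS but SQL Server reports auth_scheme=" + scheme);
            }
        }
    }

    /** The login SQL Server sees for this session (DOMAIN\user for an AD principal). */
    static String whoAmI(Connection conn) throws SQLException {
        return scalar(conn, "SELECT SUSER_SNAME()");
    }

    /** 'KERBEROS', 'NTLM' or 'SQL' as reported by the server for the current session. */
    static String authScheme(Connection conn) throws SQLException {
        return scalar(conn,
                "SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID");
    }

    private static String scalar(Connection conn, String sql) throws SQLException {
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString(1) : null;
        }
    }
}
```

Run it once in each mode. If the ticket-cache mode fails with "Unable to obtain Principal Name for authentication" while the principal/password mode succeeds, the ticket cache is the problem (expired ticket, or a principal in a different realm than default_realm), not the driver or the SPN; if both fail while kinit itself works, compare the realm and KDC names in the debug trace against krb5.conf character by character.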

Here are the steps you need to follow when configuring Kerberos with WSO2 Enterprise Integrator.

1) Define your krb5.conf File

In my config file I have defined two KDCs and an admin server (also a KDC): the admin server handles Kerberos database administration requests, and every KDC (master and workers) issues credentials. The KDC hostnames are your Active Directory domain controllers.

[libdefaults]
    default_realm = NAPAGODA.COM

[realms]
    NAPAGODA.COM = {
        kdc = dc1.napagoda.com
        kdc = dc2.napagoda.com
        admin_server = dc1.napagoda.com
        default_domain = NAPAGODA.COM
    }

[domain_realm]
    .napagoda.com = NAPAGODA.COM
    napagoda.com = NAPAGODA.COM

2) Configure the jaas.conf File

This file needs to be created under the 'repository/conf/identity/' directory. With WSO2 Enterprise Integrator the conf directory was moved into the product home, but this file is still looked up using the old folder structure, so make sure to create it under 'repository/conf/identity/'. Luckily, if it is missing, the server prints an error message in the log file (or on the console).

SQLJDBCDriver {
   com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
};

3) Locating the krb5.conf File

If you place your krb5.conf file in the lib/security directory of the JRE (conf/security on Java 9 and later), you don't need to set anything. Otherwise, pass the file location through the 'java.security.krb5.conf' Java system property (a -D option on the JVM command line, not an environment variable). If neither is set, the JVM falls back to the operating system's default, /etc/krb5.conf on Linux. Oracle Docs

ex: -Djava.security.krb5.conf=/file/location/krb5.conf 

4) Configure WSO2 Datasources

You can use Kerberos-based authentication in datasources defined in the datasource XML files or via the 'admin console', but make sure to pass the correct parameters in the SQL connection URL. Note that the connection's user and password fields take the AD user's credentials (the user principal and its password), not a SQL login.

ex: jdbc:sqlserver://your.sql.server.com;database=database_name;integratedSecurity=true;authenticationScheme=JavaKerberos
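A complete datasource definition using that URL, as an added example rather than a fragment from the original post. It uses the master-datasources.xml layout of WSO2 Enterprise Integrator (conf/datasources/master-datasources.xml under the product home; repository/conf/datasources/ on older Carbon products). The hostname sql01.napagoda.com, the database name and the service account svc_wso2@NAPAGODA.COM are assumptions.

```xml
<datasource>
    <name>WSO2_CARBON_DB</name>
    <description>Registry and user-manager database, authenticated to SQL Server with the AD service account's Kerberos ticket</description>
    <jndiConfig>
        <name>jdbc/WSO2CarbonDB</name>
    </jndiConfig>
    <definition type="RDBMS">
        <configuration>
            <!-- integratedSecurity=true plus authenticationScheme=JavaKerberos selects the pure-Java
                 Kerberos path; without authenticationScheme the driver would look for the native
                 sqljdbc_auth library instead, which does not exist on Linux. -->
            <url>jdbc:sqlserver://sql01.napagoda.com:1433;databaseName=WSO2_CARBON_DB;integratedSecurity=true;authenticationScheme=JavaKerberos</url>
            <!-- AD principal (assumed name); the realm suffix must be upper case and match
                 default_realm in krb5.conf exactly. -->
            <username>svc_wso2@NAPAGODA.COM</username>
            <password>change-me</password>
            <driverClassName>com.microsoft.sqlserver.jdbc.SQLServerDriver</driverClassName>
            <maxActive>50</maxActive>
            <maxWait>60000</maxWait>
            <testOnBorrow>true</testOnBorrow>
            <validationQuery>SELECT 1</validationQuery>
            <validationInterval>30000</validationInterval>
            <defaultAutoCommit>false</defaultAutoCommit>
        </configuration>
    </definition>
</datasource>
```

Two practitioner notes. The AD password now sits in a configuration file that previously held only a low-value SQL login, so encrypt it with WSO2 Secure Vault (the cipher-tool alias mechanism) rather than leaving it in clear text, and restrict the file's permissions to the account that runs the server. And with a pooled datasource the ticket is obtained once per physical connection, so a ticket that expires while a connection is idle does not break that connection; it only affects new connections, which is why a validation query alone will not reveal an expired ticket until the pool grows.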

References:
- Kerberos Debugging in Java
- Microsoft JDBC Driver 6.4 for SQL Server
