doc/java-broker/src/docbkx/security/Java-Broker-Security-Authentication-Providers-Kerberos.xml - qpid-broker-j - Git at Google

 <?xml version="1.0"?>
 <!--

  Licensed to the Apache Software Foundation (ASF) under one
  or more contributor license agreements.  See the NOTICE file
  distributed with this work for additional information
  regarding copyright ownership.  The ASF licenses this file
  to you under the Apache License, Version 2.0 (the
  "License"); you may not use this file except in compliance
  with the License.  You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing,
  software distributed under the License is distributed on an
  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  KIND, either express or implied.  See the License for the
  specific language governing permissions and limitations
  under the License.

 -->

 <section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="Java-Broker-Security-Kerberos-Provider">
     <title>Kerberos</title>

     <para> Kereberos Authentication Provider uses java GSS-API SASL mechanism to authenticate the
         connections. </para>

     <para> Configuration of kerberos is done through system properties (there doesn't seem to be a
         way around this unfortunately). </para>

     <programlisting>
     export JAVA_OPTS=-Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.auth.login.config=qpid.conf
     \${QPID_HOME}/bin/qpid-server
   </programlisting>

     <para>Where qpid.conf would look something like this:</para>

     <programlisting>
 com.sun.security.jgss.accept {
     com.sun.security.auth.module.Krb5LoginModule required
     useKeyTab=true
     storeKey=true
     doNotPrompt=true
     realm="EXAMPLE.COM"
     useSubjectCredsOnly=false
     kdc="kerberos.example.com"
     keyTab="/path/to/keytab-file"
     principal="&lt;name&gt;/&lt;host&gt;";
 };</programlisting>

     <para> Where realm, kdc, keyTab and principal should obviously be set correctly for the
         environment where you are running (see the existing documentation for the C++ broker about
         creating a keytab file). </para>

     <para> Note: You may need to install the "Java Cryptography Extension (JCE) Unlimited Strength
         Jurisdiction Policy Files" appropriate for your JDK in order to get Kerberos support working. </para>

 </section>
	<?xml version="1.0"?>
	<!--

	Licensed to the Apache Software Foundation (ASF) under one
	or more contributor license agreements. See the NOTICE file
	distributed with this work for additional information
	regarding copyright ownership. The ASF licenses this file
	to you under the Apache License, Version 2.0 (the
	"License"); you may not use this file except in compliance
	with the License. You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing,
	software distributed under the License is distributed on an
	"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	KIND, either express or implied. See the License for the
	specific language governing permissions and limitations
	under the License.

	-->

	<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="Java-Broker-Security-Kerberos-Provider">
	<title>Kerberos</title>

	<para> Kereberos Authentication Provider uses java GSS-API SASL mechanism to authenticate the
	connections. </para>

	<para> Configuration of kerberos is done through system properties (there doesn't seem to be a
	way around this unfortunately). </para>

	<programlisting>
	export JAVA_OPTS=-Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.auth.login.config=qpid.conf
	\${QPID_HOME}/bin/qpid-server
	</programlisting>

	<para>Where qpid.conf would look something like this:</para>

	<programlisting>
	com.sun.security.jgss.accept {
	com.sun.security.auth.module.Krb5LoginModule required
	useKeyTab=true
	storeKey=true
	doNotPrompt=true
	realm="EXAMPLE.COM"
	useSubjectCredsOnly=false
	kdc="kerberos.example.com"
	keyTab="/path/to/keytab-file"
	principal="<name>/<host>";
	};</programlisting>

	<para> Where realm, kdc, keyTab and principal should obviously be set correctly for the
	environment where you are running (see the existing documentation for the C++ broker about
	creating a keytab file). </para>

	<para> Note: You may need to install the "Java Cryptography Extension (JCE) Unlimited Strength
	Jurisdiction Policy Files" appropriate for your JDK in order to get Kerberos support working. </para>

	</section>