DOC

VSJs Java Kerberos Library

By Charles Long,2014-04-24 12:46
9 views 0
VSJs Java Kerberos Library

VSJ's Java Kerberos Library

Kerberos Authentication for J2EE Applications

    ? Identity integration with cross-realm and cross-forest authentication

    ? Strong integration with Microsoft's Active Directory (including Microsoft Windows Server 2003)

    ? Support for Kerberos-based single sign-on

    ? Standard Java GSS-API for application-level messaging

Overview

    If you're looking to develop your own applications and require a Java Kerberos library, you can leverage the

    one included in Vintela Single Sign-on for Java (VSJ) 3.0. VSJ's Java Kerberos library provides the functionality

    necessary to deliver single sign-on for Active Directory and other Kerberos environments and supports Java /

    Microsoft interoperability.

    VSJ's Java Kerberos library is a pure Java implementation of the Kerberos protocol and allows developers to

    integrate Kerberos functionality for authentication and single sign-on with Microsoft's Active Directory and MIT

    Kerberos servers into their applications. The Java Kerberos library provides an API for Kerberos ticket requests,

    a Java binding of the GSS-API implementation, and user-to-service and user-to-user Kerberos authentication

    mechanisms. The library includes full API documentation and examples.

    How Is VSJ's Java Kerberos Library Different from Sun's Implementation?

    The library works on all versions of JDK from 1.2.2 onwards and provides a number of advantages over Sun's

    implementation in JDK 1.4 including:

    Feature Sun VSJ JDK Support JDK 1.4 and above Works on all versions

    only. of JDK from version

    1.2.2 onwards. API Support An implementation A 'raw' Kerberos API

    of JGSS using in addition to an

    built-in JAAS implementation of

    LoginModules with JGSS. This allows

    little scope for customization of ticket

    extension. requests (for example,

    to include alternative

    pre-authentication

    data when requesting

    a TGT). Cryptographic Support DES only. DES, TripleDES (used

    in MIT Kerberos) and

    RC4? (used in

    Microsoft Windows

    2000) Kerberos

    encryption types.

    Note: DES uses only

    56 bit keys, which is

    not generally

    considered secure

    enough in today's

    environment. Supported GSS-API Mechanisms User-to-service User-to-service and

    only. user-to-user. Microsoft Windows 2000 Support Fails for users Supports Microsoft

    belonging to many Windows 2000 'large

    groups due to large tickets'.

    tickets (no support

    for TCP fallback).

    Pre-authentication Support No pluggable Flexible

    support for pre-authentication

    pre-authentication. during initial

    authentication. Password Management None. API for password

    changing and setting. Access to Underlying Kerberos Information Generic GSSAPI Has GSSAPI hooks

    support only. into Kerberos

    functionality like

    inspection of peer

    tickets & setting of

    delegation options. Support for Inter-realm Authentication No support. Supports

    cross-domain and

    cross-forest operation. Discovery of KDCs Manually configured Supports DNS

    via system discovery of KDCs

    properties. specifically for use

    with Active Directory. Key Features

    VSJ's Java Kerberos Library Includes

    Component Description

    Support for Large-scale Directory Deployments with Active VSJ's Java Kerberos

    Directory Sites library supports

    large-scale Microsoft's

    Active Directory

    deployments through

    Active Directory sites,

    including support for

    replication, redundancy

    and load balancing.

    Identity Federation with Cross-realm and Cross-forest VSJ's Java Kerberos

    Authentication library supports both

    cross-realm

    authentication with MIT

    and Microsoft Windows

    KDCs, and cross-forest authentication with

    Windows 2003. This

    support is provided

    transparently via the

    GSS-API.

    Identity Integration with Active Directory The Java Kerberos

    library provides

    additional features to

    enable tight integration

    with Active Directory with

    Windows 2000 and

    Windows Server 2003,

    including:

    ? Support for

    Windows native

    credential cache

    ? An API for

    administrator

    password resets

    with Active

    Directory

    accounts

    ? DNS

    discovery of

    KDCs

    Support for Kerberos-based Single Sign-on The Java Kerberos

    library provides the

    functionality necessary to

    deliver single sign-on for

    Active Directory and

    other Kerberos

    environments.

    Standard Java GSS-API for Application-level Messaging The GSS-API standardized by the IETF

    RFC 1508 - Generic Security Service

    Application Programming

    Interface provides a

    high-level security,

    mechanism-independent, transport-neutral API to security services. Two

    GSS-API mechanisms

    (user-toservice and

    user-to-user) have been

    defined for Kerberos.

    GSS-API is the preferred

    API for Kerberizing

    applications.

    Simplifed Integration with Java Applications In addition to the

    GSS-API, VSJ's Java

    Kerberos library supports

    the standard Java

    Authentication and

    Authorization Service

    (JAAS) API, and

    provides a login module

    allowing Java clients to

    use Kerberos for single

    sign-on.

    Kerberos API for Credential and Password Management In addition to the

    standard JGSS and

    JAAS support, the Java

    Kerberos library also

    provides a custom

    Kerberos API that

    provides access to more

    Kerberos-specific

    functionality. Using this

    API allows you to do a

    number of things whic

    are not possible with

    JGSS and JAAS, for

    example, issuing custom

    ticket requests that use

    different

    pre-authentication data,

    changing passwords, or

    accessing authorization

    data.

    Supports a Wide Range of Encryption Types and GSS-API VSJ's Java Kerberos

    Mechanisms library supports DES,

    TripleDES and RC4? at

    both Kerberos and

    GSS-API levels,

    and supports both

    regular or user-to-service

    and user-to-user

    GSS-API mechanisms.

     How Do I Download the Java Kerberos Library?

    Download and unpack the VSJ zip distribution. The Kerberos Library jars are located in the lib directory. You

    will find a guide to the library in the jcsi/apidocs directory. Simply open index.html in your browser.

    How Do I Install the Java Kerberos Library?

    Once you have unpacked the VSJ distribution, add the jars to your CLASSPATH variable. On Microsoft Windows, do the following:

     set CLASSPATH=C:\Program Files\Vintela\VSJ\lib\jcsi_license.jar

     set CLASSPATH=%CLASSPATH%;C:\Program Files\Vintela\VSJ\lib\

     jcsi_base.jar

     set CLASSPATH=%CLASSPATH%;C:\Program Files\Vintela\VSJ\lib\

     jcsi_jce.jar

     set CLASSPATH=%CLASSPATH%;C:\Program Files\Vintela\VSJ\lib\

     jcsi_krb_provider.jar

     set CLASSPATH=%CLASSPATH%;C:\Program Files\Vintela\VSJ\lib\

     jcsi_krb.jar

     set CLASSPATH=%CLASSPATH%;C:\Program Files\Vintela\VSJ\lib\

     jcsi_krb_jaas.jar

     set CLASSPATH=%CLASSPATH%;C:\Program Files\Vintela\VSJ\lib\

     commons-logging-1.0.3.jar

    On Microsoft Windows you will also need to add the native jcsiKrb.dll to your java comand line. Doing this allows direct integration into the Windows Integrated Authentication mechanism:

     C:\> java "-Djava.library.path=C:\Program Files\Vintela\VSJ\lib"

     your.class.here

    On Unix or Linux you do not require the the jcsiKrb.dll. All you need to do is set the CLASSPATH as follows :

     CLASSPATH="/opt/vsj/lib/jcsi_license.jar"

     CLASSPATH="${CLASSPATH}:/opt/vsj/lib/jcsi_base.jar"

     CLASSPATH="${CLASSPATH}:/opt/vsj/lib/jcsi_jce.jar"

     CLASSPATH="${CLASSPATH}:/opt/vsj/lib/jcsi_krb_provider.jar"

     CLASSPATH="${CLASSPATH}:/opt/vsj/lib/jcsi_krb.jar"

     CLASSPATH="${CLASSPATH}:/opt/vsj/lib/jcsi_krb_jaas.jar"

     CLASSPATH="${CLASSPATH}:/opt/vsj/lib/commons-logging-1.0.3.jar"

     export CLASSPATH

     java your.class.here

Report this document

For any questions or suggestions please email
cust-service@docsford.com