Configuring Kerberos for Java

Configuring Kerberos for Java by editing the krb5.conf file is the fourth step in configuring Spotfire Server for the Kerberos authentication method.

Procedure

  1. Open the file krb5.conf located in the directory <installation dir>\jdk\jre\lib\security (Windows) or <installation dir>/jdk/jre/lib/security (Unix) and edit the following values to reflect your environment.
    Note: The arguments are case sensitive.
    For more information, see The krb5.conf file.
    • MYDOMAIN: The name of the Kerberos realm, usually the same as the name of the Windows Domain, written in uppercase characters.
    • mydomain: The name of the Windows Domain, written in lowercase characters.
    • mydc: The name of the domain controller, written in lowercase characters.
    Example: Configuring Kerberos for Java in the "research.example.com" domain, with the two domain controllers "dc01.research.example.com" and "dc02.research.example.com":
    [libdefaults]
        default_realm = RESEARCH.EXAMPLE.COM
        default_keytab_name = spotfire.keytab
        default_tkt_enctypes = aes128-cts rc4-hmac
        default_tgs_enctypes = aes128-cts rc4-hmac
        forwardable = true
    
    [realms]
        RESEARCH.EXAMPLE.COM = {
            kdc = dc01.research.example.com
            kdc = dc02.research.example.com
            admin_server = dc01.research.example.com
            default_domain = research.example.com
        }
    
    [domain_realm]
        .research.example.com = RESEARCH.EXAMPLE.COM
        research.example.com = RESEARCH.EXAMPLE.COM
    
    [appdefaults]
        autologin = true
        forward = true
        forwardable = true
        encrypt = true
  2. (Optional) If you want to use the crypto algorithm aes256-sha1, you must perform the following tasks:
    1. Add aes256-cts as the first option in default_tkt_enctypes and default_tgs_enctypes.
    2. Install the Java Cryptography Extension (JCE) unlimited strength jurisdiction policy files on the Spotfire Server.
      Note: It is the user's responsibility to verify that these files are allowed under local regulations.
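
A check for the rules in this procedure, as an added example that is not part of the Spotfire documentation or product: it flags realm names that are not uppercase, domain and domain controller names that are not lowercase, and, for the optional step, enctype lists that do not put aes256-cts first. The function name lint_krb5, the want_aes256 parameter and the sample input are assumptions made for illustration.

```python
import re

# Constructed sample based on the page's research.example.com example, with
# aes256-cts added first (step 2) and two deliberate case mistakes.
SAMPLE = """\
[libdefaults]
    default_realm = RESEARCH.EXAMPLE.COM
    default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac
    default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac
[realms]
    RESEARCH.EXAMPLE.COM = {
        kdc = dc01.research.example.com
        kdc = DC02.research.example.com
        default_domain = research.example.com
    }
[domain_realm]
    .research.example.com = research.example.com
"""

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes")

def lint_krb5(text, want_aes256=False):
    """Hypothetical helper: return findings for the rules stated in the procedure."""
    findings, section = [], None
    def expect(ok, message):
        if not ok:
            findings.append(f"[{section}] {message}")
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;}":   # blank, comment, end of realm block
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section == "libdefaults" and key == "default_realm":
            expect(value == value.upper(), f"default_realm '{value}' must be uppercase")
        elif section == "libdefaults" and key in ENCTYPE_KEYS:
            first = (value.split() or [""])[0]
            expect(not want_aes256 or first == "aes256-cts", f"{key} must list aes256-cts first")
        elif section == "realms" and value == "{":
            expect(key == key.upper(), f"realm name '{key}' must be uppercase")
        elif section == "realms" and key in ("kdc", "admin_server", "default_domain"):
            expect(value == value.lower(), f"{key} '{value}' must be lowercase")
        elif section == "domain_realm":
            expect(key == key.lower(), f"domain '{key}' must be lowercase")
            expect(value == value.upper(), f"realm '{value}' must be uppercase")
    return findings
```

Pass want_aes256=True only when the optional aes256 step applies; an empty list means every check passed.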