Kerberos Authentication

beitliche
beitliche Posts: 3

Hello,

I am trying to set up Kerberos Authentication for a client and am running into some issues with the configuration of it.

The help file states this:
"To begin setting up Kerberos authentication in SOAtest, you must first place a file in the installation directory of SOAtest called kerberos.config. This file can be found in the Parasoft/SOAtest/[version number] directory."

This does not provide any detail as to where this file should be? I see one placed in:

"C:\Program Files\Parasoft\SOAtest\9.10\eclipse\plugins\com.parasoft.xtest.libs.web_9.10.0.20161130\root\kerberos.config"

Am I supposed to move this to the base /[version]/ folder?

Also, when I set up my configuration for the Kerberos settings in the Security section, I receive an error:

"default realm not specified"

I have attempted to add this to the kerberos.config, is this the place to do this?

The documentation is very unclear about this feature. Please assist.

Comments

  • OmarR
    OmarR Posts: 235 admin
    edited December 2017

    Hey Beitliche,

    The current location of the Kerberos config file should be okay. I suspect the user guide needs to be updated. The error shown is due to the default realm not being specified in the Kerberos configuration file or Kerberos ini file (Windows). It may also be that the tool is unable to read the file altogether.

    Below is an example of what your Kerberos config or Kerberos ini (Windows) file should look like. Please ensure that your file contains all the required parameters:
    http://docs.oracle.com/cd/E19253-01/816-4557/setup-341/index.html

    http://docs.oracle.com/javase/1.5.0/docs/guide/security/jgss/tutorials/KerberosReq.html

    After updating your kerberos file and the Kerberos security settings in the SOAtest Preferences, restart SOAtest to ensure the changes take effect.

  • reactancexl
    reactancexl Posts: 176

    Where does Parasoft refer to the kerberos.config file? Also, are you saying that these contents listed in links above need to be added to the below? This is my kerberos config file which I did not yet modify.

    com.sun.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=true
        doNotPrompt=true;
    };

  • benken_parasoft
    benken_parasoft Posts: 1,302 ✭✭✭

    "To begin setting up Kerberos authentication in SOAtest, you must first place a file in the installation directory of SOAtest called kerberos.config. This file can be found in the Parasoft/SOAtest/[version number] directory."

    The docs are totally wrong here. That kerberos.config file is product internals and is not something users are supposed to edit. Please ignore that.

    If clicking the Check Ticket button in preferences works then there is likely nothing else to configure outside of SOAtest since your system was able to get a TGT and SOAtest was able to find the TGT from the system. However, if SOAtest can't find a TGT then your system may not be set up properly for Kerberos. On Windows, you configure Kerberos settings in a C:\Windows\krb5.ini file. For non-Windows (Linux) this is /etc/krb5.conf. There's some detail about these files here.

  • OmarR
    OmarR Posts: 235 admin
    edited December 2017

    Hello reactancexl,

    I apologize for the confusion, but the documentation is incorrect. Please disregard the following portion:

    To begin setting up Kerberos, you must first place a file in the installation directory called kerberos.config. This file can be found in the [INSTALL_HOME]/ Parasoft/SOAtest or Virtualize/[version number] directory.

    My previous post was in regard to the krb5.ini file (Windows). Unfortunately, the documentation assumes that the reader is familiar with the Kerberos protocol and does not provide any further information on how to set up the client machine to interact with the authenticating server. For this reason, I provided the links above to help you get started.

    https://docs.parasoft.com/display/SOAVIRT9103/Additional+Preference+Settings#AdditionalPreferenceSettings-ConfiguringKerberosAuthenticationinSOAtest

  • reactancexl
    reactancexl Posts: 176

    I cannot find the krb5.ini or the krb5.conf on my client machine. Does that mean I have to install Kerberos on my client machine that SOAtest will use? I can connect to the endpoint with Chrome/Postman but not through SOAtest. thx

  • benken_parasoft
    benken_parasoft Posts: 1,302 ✭✭✭
    edited December 2017

    I cannot find the krb5.ini or the krb5.conf on my client machine. Does that mean I have to install Kerberos on my client machine that SOAtest will use?

    As mentioned, you need to first check if Java can find a TGT cached on your system. What happens when you click the Check Ticket button in SOAtest?

  • reactancexl
    reactancexl Posts: 176

    "Could not retrieve ticket from system cache" is what I get when I click on the "Check ticket" button. I checked my system cache and there are 18 tickets on my system (Windows) cache. klist tickets is the command I run. thx

  • benken_parasoft
    benken_parasoft Posts: 1,302 ✭✭✭

    I checked my system cache and there are 18 tickets on my system (Windows) cache. klist tickets is the command I run. thx

    Does klist show them being valid and not expired?

  • reactancexl
    reactancexl Posts: 176

    Yes, they are valid, expiration is 2018. How does Parasoft get to the cache under the scenes? Is it looking at a config file? thx

  • benken_parasoft
    benken_parasoft Posts: 1,302 ✭✭✭
    edited December 2017

    How does Parasoft get to the cache under the scenes?

    I believe SOAtest uses JGSS/JAAS and the Krb5LoginModule. That kerberos.conf file (buried deep within the installation) is the login configuration file, which configures JGSS/JAAS to use the Krb5LoginModule and the local ticket cache. The docs for Krb5LoginModule say:

    This module will search for the ticket cache in the following locations: On Solaris and Linux it will look for the ticket cache in /tmp/krb5cc_uid where the uid is numeric user identifier. If the ticket cache is not available in the above location, or if we are on a Windows platform, it will look for the cache as {user.home}{file.separator}krb5cc_{user.name}. You can override the ticket cache location by using ticketCache. For Windows, if a ticket cannot be retrieved from the file ticket cache, it will use Local Security Authority (LSA) API to get the TGT.
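An added example (not posted by anyone in this thread and not Parasoft code) that ties together the two checks discussed above: whether a krb5.ini / krb5.conf actually sets `default_realm` under `[libdefaults]`, and where a TGT is searched for according to the Krb5LoginModule text quoted above. The realm, host and user names are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample krb5.ini / krb5.conf; realm and host names are placeholders.
SAMPLE_KRB5 = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
"""


def default_realm(text):
    """Return default_realm from [libdefaults], or None when it is absent."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_realm":
                return value or None
    return None


def ticket_cache_candidates(os_name, uid, user_home, user_name, sep, override=None):
    """List where a TGT is looked for, in the order the quoted docs give."""
    if override:                             # ticketCache=... in the JAAS entry
        return [override]
    places = []
    if os_name in ("Linux", "SunOS"):
        places.append(f"/tmp/krb5cc_{uid}")
    places.append(f"{user_home}{sep}krb5cc_{user_name}")
    if os_name.startswith("Windows"):
        places.append("<LSA API>")           # not a file: Local Security Authority
    return places


if __name__ == "__main__":
    print("default_realm:", default_realm(SAMPLE_KRB5))
    print(ticket_cache_candidates("Windows 10", None, r"C:\Users\alice", "alice", "\\"))
```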

  • Rainz
    Rainz Posts: 1

    Hi, we are getting the same error mentioned above while configuring Kerberos authentication in SOAtest, i.e. "Could not retrieve ticket from system cache", but could see the valid tickets while running the command klist tickets. Any pointers or resolution will help. Do we need to place the krb5.conf file in any specific folder?