Kerberos Authentication

beitliche Posts: 3

Hello,

I am trying to set up Kerberos Authentication for a client and am running into some issues with its configuration.

The help file states this:
"To begin setting up Kerberos authentication in SOAtest, you must first place a file in the installation directory of SOAtest called kerberos.config. This file can be found in the Parasoft/SOAtest/[version number] directory."

This does not provide any detail as to where this file should be? I see one placed in:

"C:\Program Files\Parasoft\SOAtest\9.10\eclipse\plugins\com.parasoft.xtest.libs.web_9.10.0.20161130\root\kerberos.config"

Am I supposed to move this to the base /[version]/ folder?

Also, when I set up my configuration for the Kerberos settings in the Security section, I receive an error:

"default realm not specified"

I have attempted to add this to the kerberos.config, is this the place to do this?

The documentation is very unclear about this feature. Please assist.

Comments

  • OmarR Posts: 205 admin
    edited December 2017

    Hey Beitliche,

    The current location of the Kerberos config file should be okay. I suspect the user guide needs to be updated. The error shown is due to the default realm not being specified in the Kerberos configuration file or Kerberos ini file (Windows). It may also be that the tool is unable to read the file altogether.

    Below is an example of what your Kerberos config or Kerberos ini (Windows) file should look like. Please ensure that your file contains all the required parameters:
    http://docs.oracle.com/cd/E19253-01/816-4557/setup-341/index.html

    http://docs.oracle.com/javase/1.5.0/docs/guide/security/jgss/tutorials/KerberosReq.html

    After updating your kerberos file and the Kerberos security settings in the SOAtest Preferences, restart SOAtest to ensure the changes take effect.

  • reactancexl Posts: 105

    Where does Parasoft refer to the kerberos.config file? Also, are you saying that the contents listed in the links above need to be added to the below? This is my kerberos config file, which I have not yet modified.

    com.sun.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=true
        doNotPrompt=true;
    };

  • benken_parasoft Posts: 517 ✭✭✭

    "To begin setting up Kerberos authentication in SOAtest, you must first place a file in the installation directory of SOAtest called kerberos.config. This file can be found in the Parasoft/SOAtest/[version number] directory."

    The docs are totally wrong here. That kerberos.config file is product internals and is not something users are supposed to edit. Please ignore that.

    If clicking the Check Ticket button in preferences works, then there is likely nothing else to configure outside of SOAtest, since your system was able to get a TGT and SOAtest was able to find the TGT from the system. However, if SOAtest can't find a TGT, then your system may not be set up properly for Kerberos. On Windows, you configure Kerberos settings in a C:\Windows\krb5.ini file. For non-Windows (Linux) this is /etc/krb5.conf. There's some detail about these files here.

  • OmarR Posts: 205 admin
    edited December 2017

    Hello reactancexl,

    I apologize for the confusion, but the documentation is incorrect. Please disregard the following portion:

    To begin setting up Kerberos, you must first place a file in the installation directory called kerberos.config. This file can be found in the [INSTALL_HOME]/ Parasoft/SOAtest or Virtualize/[version number] directory.

    My previous post was in regard to the krb5.ini file (Windows). Unfortunately, the documentation assumes that the reader is familiar with the Kerberos protocol and does not provide any further information on how to set up the client machine to interact with the authenticating server. For this reason, I provided the links above to help you get started.

    https://docs.parasoft.com/display/SOAVIRT9103/Additional+Preference+Settings#AdditionalPreferenceSettings-ConfiguringKerberosAuthenticationinSOAtest

  • reactancexl Posts: 105

    I cannot find the krb5.ini or the krb5.conf on my client machine. Does that mean I have to install Kerberos on the client machine that SOAtest will use? I can connect to the endpoint with Chrome/Postman but not through SOAtest. thx

  • benken_parasoft Posts: 517 ✭✭✭
    edited December 2017

    I cannot find the krb5.ini or the krb5.conf on my client machine. Does that mean I have to install Kerberos on the client machine that SOAtest will use?

    As mentioned, you need to first check if Java can find a TGT cached on your system. What happens when you click the Check Ticket button in SOAtest?

  • reactancexl Posts: 105

    "Could not retrieve ticket from system cache" is what I get when I click on the "Check ticket" button. I checked my system cache and there are 18 tickets on my system (Windows) cache. "klist tickets" is the command I run. thx

  • benken_parasoft Posts: 517 ✭✭✭

    I checked my system cache and there are 18 tickets on my system (Windows) cache. "klist tickets" is the command I run. thx

    Does klist show them being valid and not expired?

  • reactancexl Posts: 105

    Yes they are valid, expiration is 2018. How does Parasoft get to the cache under the scenes? Is it looking at a config file? thx

  • benken_parasoft Posts: 517 ✭✭✭
    edited December 2017

    How does Parasoft get to the cache under the scenes?

    I believe SOAtest uses JGSS/JAAS and the Krb5LoginModule. That kerberos.conf file (buried deep within the installation) is the login configuration file, which configures JGSS/JAAS to use the Krb5LoginModule and the local ticket cache. The docs for Krb5LoginModule say:

    This module will search for the ticket cache in the following locations: On Solaris and Linux it will look for the ticket cache in /tmp/krb5cc_uid where the uid is numeric user identifier. If the ticket cache is not available in the above location, or if we are on a Windows platform, it will look for the cache as {user.home}{file.separator}krb5cc_{user.name}. You can override the ticket cache location by using ticketCache. For Windows, if a ticket cannot be retrieved from the file ticket cache, it will use Local Security Authority (LSA) API to get the TGT.
