
Kerberos authentication for solace queue


Hi, I am trying to make a secure connection to a Solace queue using Kerberos. I have developed a client-side application using the Solace JMS APIs. As far as I know, we need to implement the following steps for a secure connection:

1) Add a keytab to Solace Keytab directory

2) Use SolAdmin to execute certain config commands on Solace

3) Import the Kerberos library and set certain properties in your client-side application.

Following are my doubts regarding the topic:

1) I want to know if these are the steps we need to follow for a secure connection.

2) What role does a keytab play in establishing a secure connection?

3) How do I set a username and password for a secure connection using Kerberos, or is it provided by default?

4) Other than importing the Kerberos libraries and setting some properties, is there anything else that should be done as part of the client-side application?


Solution

  • The keytab is used because the Solace appliance, as an "APP", cannot use user/pass authentication, so all the auth is in the keytab.

    The logical interaction between Kerberos and Solace is as follows:

    • When a Kerberos authentication scheme is used for client authentication, a client must first authenticate with a Kerberos Authentication Server (AS) which grants the client a Ticket Granting Ticket (TGT) for a specified Kerberos User Principal. The TGT is typically obtained as part of a Single Sign-on procedure, such as logging into a Windows domain. With a valid TGT, a client can attempt to log onto a router using a service ticket that is in the client’s local ticket cache or has been obtained from the Ticket Granting Service (TGS). The AS and TGS (components of a Key Distribution Center (KDC)) are hosted on an external server or servers—not on a Solace router.
    • This authentication scheme allows a client to use the Kerberos mechanism within the GSSAPI (Generic Security Service API) to authenticate its connection with the Solace router. To authenticate with the Solace router, the client must provide a Service Ticket obtained from the KDC ticket granting service (TGS). KDC services are hosted on an external server. The client then provides this time-stamped ‘Kerberos’ ticket to the Solace router. If the ticket is successfully validated, the client’s connection to the Message VPN is granted.
    • For this authentication scheme, the client’s assigned client username, which is used for subsequent client authorization, is the user principal name in the ticket provided to the router.

    To use Kerberos to authenticate clients connecting to a Solace router, the following configurations are required:

    Client-side configuration

    1. For clients using Solace messaging APIs, the appropriate Java distribution must be used or the appropriate Kerberos libraries must be installed for the Solace messaging API used, and the client session must use a Kerberos authentication scheme.

    Solace router configuration

     1. SolOS 7.0 or greater must be used.
     2. A Kerberos keytab must be loaded on the router.
     3. Kerberos authentication must be configured and enabled for any Message VPNs that Kerberos-authenticated clients will connect to.
     4. Optionally, a Kerberos Service Principal Name (SPN) can be assigned to the IP address for the message backbone VRF that will be used for Kerberos-authenticated clients.
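As an added illustration of the client-side step above (this is example code, not code from the question, the answer, or Solace's own samples), the following Solace JMS client selects the Kerberos (GSSAPI) authentication scheme and sets no username or password, since the authorized client username comes from the user principal in the service ticket. The host, Message VPN, queue name, JAAS file name and the "SolaceGSS" login-context name are assumptions to be replaced with your environment's values.

```java
// Assumed JAAS configuration file (jaas.conf), passed to the JVM with
// -Djava.security.auth.login.config=jaas.conf. "SolaceGSS" is assumed to be
// the login-context name the Solace Java APIs look up by default:
//
//   SolaceGSS {
//       com.sun.security.auth.module.Krb5LoginModule required
//       useTicketCache=true;   // reuse the TGT from domain login / kinit
//   };
//
// Run: java -Djava.security.auth.login.config=jaas.conf \
//           -Djava.security.krb5.conf=/etc/krb5.conf KerberosJmsClient

import com.solacesystems.jms.SolConnectionFactory;
import com.solacesystems.jms.SolJmsUtility;
import com.solacesystems.jms.SupportedProperty;

import javax.jms.Connection;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.Queue;
import javax.jms.Session;
import javax.jms.TextMessage;

public class KerberosJmsClient {
    public static void main(String[] args) throws JMSException {
        SolConnectionFactory cf = SolJmsUtility.createConnectionFactory();
        cf.setHost("tcp://broker.example.internal:55555"); // assumed host; use tcps:// plus a
        cf.setVPN("example_vpn");                            // truststore for TLS, Kerberos only
                                                             // authenticates, it does not encrypt
        // Kerberos instead of basic auth: no setUsername()/setPassword() calls.
        // The router derives the client username from the ticket's user principal.
        cf.setAuthenticationScheme(SupportedProperty.AUTHENTICATION_SCHEME_GSS_KRB);
        // Service part of the router's SPN (solace/<host>@REALM). "solace" is the
        // assumed default; set it only if the SPN was registered under another name.
        cf.setKRBServiceName("solace");

        // The GSSAPI exchange (service ticket presented to the router) happens here;
        // a missing TGT or wrong SPN surfaces as a JMSException at this call.
        Connection conn = cf.createConnection();
        try {
            Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
            Queue queue = session.createQueue("example/queue"); // assumed queue name
            MessageConsumer consumer = session.createConsumer(queue);
            conn.start();
            Message msg = consumer.receive(5000); // wait up to 5 s for one message
            if (msg instanceof TextMessage) {
                System.out.println("Received: " + ((TextMessage) msg).getText());
            } else {
                System.out.println("No text message received within timeout");
            }
        } finally {
            conn.close();
        }
    }
}
```

Before running, confirm the user has a valid TGT (for example with `klist`); if the connection is rejected, the router-side checks to revisit are the loaded keytab, the Message VPN's Kerberos setting and the SPN registered for the router's address.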