The Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) is a GSSAPI mechanism you use to secure messages when a client application wants to authenticate to a remote server, but does not know what authentication protocol to use.
SPNEGO helps organizations deploy security mechanisms. It determines the available GSSAPI mechanisms, selects one of them and uses it for all security operations.
Configuring ReadyAPI for using SPNEGO/Kerberos involves a number of steps. Typically, the basic steps are enough. In certain cases, you may need to perform some additional steps.
You can add the SPNEGO/Kerberos authentication by using built-in and external profiles.
Use built-in profiles if you do not need to apply the same authentication settings to other requests or test steps.
If you are going to reuse these settings, use external profiles. ReadyAPI stores these profiles in the Authorization manager, so you can later apply them to other requests or test steps. Also, you can use such profiles to specify different authorization settings in various environments.
By default, Windows does not provide access to the TGT session key. To work around this, add the following Registry key on the client machine:
Add the following parameter to the vmoptions file:
To learn how to do it, see Modifying JVM Settings.
Use the kinit utility to get a ticket-granting ticket. You can find this utility in the <ReadyAPI>/jre/bin directory.
The utility will ask you for the user account password:
After you specify the password, the utility will create and cache a ticket-granting ticket.
The generated ticket has an expiration date. To check whether a ticket has expired or not, use the
Open the desired request for editing and switch to the Auth tab.
Select the SPNEGO/Kerberos authentication type from the Authorization drop-down list.
Tip: To reuse the same authentication settings, use external authentication profiles.
Specify the username, password and domain:
In most cases, the actions described above are enough. You should be able to use the SPNEGO/Kerberos authentication in your requests. If this authentication does not work, follow the steps described in the Additional authentication settings.
Below are configuration steps you may need to perform during the SPNEGO/Kerberos Authentication configuration. They may help you if your authentication does not work after the configuration described in Basic Configuration Steps.
Create a configuration file, krb5.conf. It should contain realm info and the hostname of the KDC. The file contents should look like this:
Save the krb5.conf file in a directory that can be accessed by ReadyAPI, for example:
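A pre-flight check for the krb5.conf file described in this step, added here as an illustration and not taken from the ReadyAPI documentation: it parses the file and reports whether the default realm and its KDC hostname are both present. The section layout follows the standard MIT krb5.conf format; the realm `EXAMPLE.COM`, the host `kdc.example.com` and the function names are constructed placeholders.

```python
import re

# Constructed sample (placeholder realm and KDC host, not values from the page).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

def parse_krb5_conf(text):
    """Parse MIT-style krb5.conf text into {section: {key: value-or-block}}."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # skip blanks and comments
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                            # e.g. [libdefaults], [realms]
            section = conf.setdefault(header.group(1), {})
            block = None
        elif line == "}":                     # end of a realm block
            block = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":                  # start of a realm block
                block = section.setdefault(key, {})
            elif block is not None:           # kdc may be listed several times
                block.setdefault(key, []).append(value)
            else:
                section[key] = value
    return conf

def check_krb5_conf(text):
    """Return a list of problems; an empty list means realm and KDC are both set."""
    conf = parse_krb5_conf(text)
    realm = conf.get("libdefaults", {}).get("default_realm")
    if not realm:
        return ["[libdefaults] has no default_realm"]
    entry = conf.get("realms", {}).get(realm)  # realm names are case-sensitive
    if not isinstance(entry, dict):
        return [f"[realms] has no block for {realm}"]
    if not entry.get("kdc"):
        return [f"realm {realm} has no kdc entry"]
    return []
```

A realm written in a different case in `[libdefaults]` and `[realms]` is reported as a missing block, because Kerberos treats realm names as case-sensitive.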
You need to create a .keytab file that will store user credentials. This file will be used if the user’s session key is not available in the TGT cache. To create it, your computer should be in the domain and you should be logged in using the credentials for the domain. Then:
Run the following command. You can find the ktab utility in the <ReadyAPI>/jre/bin directory:
It will ask you to specify the user’s password:
<your-user-name>.keytab) to the appropriate directory (for example,
Create a configuration file, login.conf, that will provide configuration details for the Kerberos login module. Below are the contents of a sample JAAS config file:
com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true;
Replace file:///C:/kerberos/user-name.keytab with the path to the keytab file you created in step 2.
Replace user-name with your user name.
Save the login.conf file to the appropriate directory, for example, C:\kerberos\login.conf.
Add the following parameters to the vmoptions file in the <ReadyAPI>\bin directory:
Make sure the
You may need to avoid using canonical host names. This will help you avoid issues caused by wrong reverse DNS lookups. To do this, add one more parameter to the vmoptions file:
Restart ReadyAPI and use your user name in the SPNEGO/Kerberos Authorization header.