The Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) is a GSSAPI pseudo-mechanism used when a client application wants to authenticate to a remote server but does not know in advance which authentication protocol the server supports.
SPNEGO does not protect messages itself; it negotiates. The client lists the GSSAPI mechanisms it can use (in practice Kerberos and, on Windows, NTLM), the server selects one that both sides support, and that mechanism is then used for all further security operations. In HTTP, the negotiation is carried in the WWW-Authenticate: Negotiate and Authorization: Negotiate headers.
Configuring ReadyAPI for using SPNEGO/Kerberos involves several steps. Typically, the basic steps are enough. In certain cases, you may need to perform additional steps.
You can add the SPNEGO/Kerberos authentication by using built-in and external profiles.
Use built-in profiles if you do not need to apply the same authentication settings to other requests or test steps.
If you are going to reuse these settings, use external profiles. ReadyAPI stores these profiles in the Authorization Manager so you can later apply them to other requests or test steps. Also, you can use such profiles to specify different authorization settings in various Environments.
By default, Windows does not expose the TGT session key to applications, so the Java Kerberos implementation cannot reuse the tickets in the Windows ticket cache. To work around this, add the following registry value on the client machine. Because the session key then becomes readable by any process running as the user, apply this change only on machines used for testing:
Item | Value
---|---
Key | 
Value Name | 
Value Type | 
Value | 
Add the following parameter to the vmoptions file:
-Djavax.security.auth.useSubjectCredsOnly=false
This lets the GSS-API layer obtain Kerberos credentials from the ticket cache or the JAAS login configuration instead of requiring them to be present in the current Subject. To learn how to do it, see Modifying JVM Settings.
Run the kinit utility to get a ticket-granting ticket. You can find this utility in the <ReadyAPI>/jre/bin directory. The utility asks you for the user account password. After you specify the password, the utility creates and caches a ticket-granting ticket.
Important
The generated ticket has an expiration time. To check whether a ticket has expired, use the klist utility located in the <ReadyAPI>/jre/bin directory.
Restart ReadyAPI.
Open the desired request for editing and switch to the Auth tab.
Select the SPNEGO/Kerberos authentication type from the Authorization drop-down list.
Tip
To reuse the same authentication settings, use external authentication profiles.
Specify the username, password and domain.
In most cases, the actions described above are enough, and you should be able to use SPNEGO/Kerberos authentication in your requests. If it does not work, follow the steps described in Additional authentication settings.
Below are configuration steps you may need to perform when configuring SPNEGO/Kerberos authentication. They may help if authentication does not work after you have completed the Basic Configuration Steps.
Create a configuration file, krb5.conf. It should contain the realm information and the host name of the KDC. The file contents should look like this:
[libdefaults]
    # replace YOUR-DOMAIN-REALM with your realm, for example MY.DOMAIN.LOCAL
    default_realm = YOUR-DOMAIN-REALM
    # force TCP: Active Directory tickets carrying a PAC are often too large for UDP
    udp_preference_limit = 1
[realms]
    YOUR-DOMAIN-REALM = {
        # replace with your KDC host, for example kdc.my.domain.local
        kdc = YOUR-KEY-DISTRIBUTION-CENTER-SERVER
        default_domain = YOUR-DOMAIN-REALM
    }
[domain_realm]
    .ad.example.net = YOUR-DOMAIN-REALM
    ad.example.net = YOUR-DOMAIN-REALM
Note that the section is named [domain_realm] (singular). A misspelled section name is ignored, and host-to-realm mapping then falls back to DNS, which is one of the common reasons for "no valid credentials" errors.
Save the krb5.conf file in a directory that ReadyAPI can access, for example, C:/kerberos.
You need to create a .keytab file that stores the user's long-term Kerberos keys, which are derived from the password. This file is used if the user's session key is not available in the TGT cache. Anyone who can read the keytab can authenticate as that user, so protect it like a password: keep it out of shared and version-controlled directories and restrict its file permissions to your own account. To create it, your computer should be in the domain and you should be logged in using domain credentials. Then:
Run the following command. You can find the ktab utility in the <ReadyAPI>/jre/bin directory:
ktab -a <username> -k C:\Temp\<your-user-name>.keytab
It will ask you to specify the user's password.
Store the keytab file (<your-user-name>.keytab) in the appropriate directory (for example, C:\kerberos).
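To confirm what ktab actually wrote before wiring the keytab into the JAAS configuration, the following Python script is an added example (my code, not part of ReadyAPI or of this page). It parses the keytab file format that ktab writes and MIT-compatible tools read, lists the principals and encryption types it contains, and flags DES and RC4 entries, whose keys are derived from the password without salt or iteration. The sample keytab is constructed inside the block with zero-filled keys; the function and script names are assumptions. Run it against your real file as python audit_keytab.py C:\kerberos\user-name.keytab user.name@MY.DOMAIN.LOCAL.

```python
import struct

# Kerberos encryption-type numbers (RFC 3961, RFC 3962, RFC 4757) as stored in keytab entries.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
# DES and RC4 keys come straight from the password (the RC4 key is the NT hash),
# so their presence in a keytab is worth flagging.
WEAK_ENCTYPES = {1, 3, 23}


def _counted(b):
    """Keytab 'counted octet string': 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Encode a version 0x0502 keytab from (principal, realm, kvno, enctype, key) tuples.
    Used here only to construct sample input; real keytabs come from ktab."""
    out = b"\x05\x02"
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        # name_type = 1 (KRB5_NT_PRINCIPAL), timestamp = 0, 8-bit kvno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data):
    """Parse a version 0x0502 keytab into a list of dicts (key material is not returned)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:  # a negative size marks a deleted slot; skip its bytes
            pos += -size
            continue
        e, p = data[pos:pos + size], 0
        pos += size
        (ncomp,) = struct.unpack(">H", e[p:p + 2]); p += 2
        (rlen,) = struct.unpack(">H", e[p:p + 2]); p += 2
        realm = e[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", e[p:p + 2]); p += 2
            comps.append(e[p:p + clen].decode()); p += clen
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", e[p:p + 9]); p += 9
        enctype, klen = struct.unpack(">HH", e[p:p + 4]); p += 4
        p += klen  # skip the key bytes themselves
        kvno = struct.unpack(">I", e[p:p + 4])[0] if p + 4 <= len(e) else 0
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": kvno or vno8,
            "enctype": enctype,
            "key_len": klen,
        })
    return entries


def audit_keytab(data, expected_principal):
    """Return a list of findings; an empty list means the expected principal is present
    and only strong encryption types are stored."""
    findings = []
    entries = parse_keytab(data)
    principals = sorted({e["principal"] for e in entries})
    if expected_principal not in principals:
        findings.append("principal %s not in keytab (found %s)" % (expected_principal, principals))
    for e in entries:
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append("weak enctype %s for %s" % (ENCTYPE_NAMES[e["enctype"]], e["principal"]))
    return findings


# Constructed sample: what a keytab for user.name@MY.DOMAIN.LOCAL might contain.
# Keys are zero-filled placeholders, not real key material.
SAMPLE_KEYTAB = build_keytab([
    ("user.name", "MY.DOMAIN.LOCAL", 5, 18, bytes(32)),
    ("user.name", "MY.DOMAIN.LOCAL", 5, 17, bytes(16)),
    ("user.name", "MY.DOMAIN.LOCAL", 5, 23, bytes(16)),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    expected = sys.argv[2] if len(sys.argv) > 2 else "user.name@MY.DOMAIN.LOCAL"
    for e in parse_keytab(data):
        print("%-40s kvno=%-3d %s" % (e["principal"], e["kvno"], ENCTYPE_NAMES.get(e["enctype"], e["enctype"])))
    for f in audit_keytab(data, expected):
        print("WARNING:", f)
```

If the principal in the keytab does not match the principal you later put in login.conf (including the realm in upper case), Krb5LoginModule will not find a key and falls back to prompting or fails, which is what doNotPrompt=true then turns into a hard error.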
Create a configuration file, login.conf, that provides configuration details for the Kerberos login module. Below are the contents of a sample JAAS config file:
com.sun.security.jgss.login {
    com.sun.security.auth.module.Krb5LoginModule required
        client=TRUE;
};
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
        debug=true
        useTicketCache=true
        useKeyTab=true
        keyTab="file:///C:/kerberos/user-name.keytab"
        principal=user.name
        doNotPrompt=true;
};
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        client=TRUE
        useTicketCache=true;
};
The debug=true option makes the login module print its progress, including ticket details, to the console; turn it off once authentication works.
Replace file:///C:/kerberos/user-name.keytab with the path to the keytab file you created above, and replace user-name in the principal option with your user name. Save the login.conf file to the appropriate directory, for example, C:\kerberos\login.conf.
Add the following parameters to the vmoptions file in the <ReadyAPI>\bin directory:
-Djava.security.auth.login.config=C:/kerberos/login.conf
-Djava.security.krb5.conf=C:/kerberos/krb5.conf
Important
Make sure the -Djavax.security.auth.useSubjectCredsOnly=false key has already been added.
You may need to stop the HTTP client from canonicalizing host names. The client derives the service principal name (HTTP/<host>) from the request URL, and by default it first resolves the host to its canonical name through a reverse DNS lookup; a wrong or missing PTR record then produces an SPN for which no service ticket can be obtained. To use the host name exactly as written in the URL, add one more parameter to the vmoptions file:
For SPNEGO:
-Dhttpclient.spnego.usecanonicalname=false
For Kerberos:
-Dhttpclient.kerberos.usecanonicalname=false
Restart ReadyAPI and use your user name in the SPNEGO/Kerberos Authorization header.
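When authentication still fails after these steps, the quickest way to see what the client actually negotiated (the mechanism selection described at the top of this page) is to decode the token it sent in the Authorization: Negotiate header, for example from the HTTP log or a proxy capture. The following Python is an added example, my code and not part of ReadyAPI or this page: it parses the DER-encoded SPNEGO NegTokenInit and lists the offered mechanisms in order. The OID constants are the standard ones from RFC 4178, RFC 4121 and MS-SPNG; the function names are assumptions, and the two sample headers are constructed in the block rather than captured.

```python
import base64

# Mechanism OIDs that appear in SPNEGO mechType lists (RFC 4178, RFC 4121, MS-SPNG).
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {KRB5_OID: "Kerberos 5", MS_KRB5_OID: "MS KRB5", NTLMSSP_OID: "NTLMSSP"}


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, body):
    """One DER TLV with a definite length."""
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        group = [arc & 0x7F]
        arc >>= 7
        while arc:
            group.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(group))
    return der(0x06, bytes(out))


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf, pos):
    """Return (tag, body, position after the element)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def build_neg_token_init(mech_oids, mech_token=b"\x00" * 16):
    """Construct an InitialContextToken carrying a NegTokenInit (sample input only)."""
    mech_types = der(0xA0, der(0x30, b"".join(encode_oid(o) for o in mech_oids)))
    token = der(0xA2, der(0x04, mech_token))
    return der(0x60, encode_oid(SPNEGO_OID) + der(0xA0, der(0x30, mech_types + token)))


def parse_negotiate_header(header_value):
    """Return the mechType OID list from an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    tag, body, _ = _read_tlv(base64.b64decode(b64), 0)
    if tag != 0x60:
        raise ValueError("expected InitialContextToken [APPLICATION 0]")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("not a SPNEGO token (raw Kerberos or NTLM sent instead?)")
    tag, neg, _ = _read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit [0], got tag 0x%02x" % tag)
    _, seq, _ = _read_tlv(neg, 0)
    tag, mech_types, _ = _read_tlv(seq, 0)
    if tag != 0xA0:
        raise ValueError("mechTypes [0] missing")
    _, inner, _ = _read_tlv(mech_types, 0)
    mechs, pos = [], 0
    while pos < len(inner):
        _, oid, pos = _read_tlv(inner, pos)
        mechs.append(decode_oid(oid))
    return mechs


def kerberos_offered_first(mechs):
    """The optimistic token in NegTokenInit belongs to the first mechType, so Kerberos is
    used only if it heads the list; NTLMSSP first (or alone) means the Kerberos setup failed."""
    return bool(mechs) and mechs[0] in (KRB5_OID, MS_KRB5_OID)


# Constructed sample headers (not captured traffic): a healthy client and one that fell back to NTLM.
HEALTHY_HEADER = "Negotiate " + base64.b64encode(
    build_neg_token_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID])).decode()
NTLM_ONLY_HEADER = "Negotiate " + base64.b64encode(build_neg_token_init([NTLMSSP_OID])).decode()

if __name__ == "__main__":
    for h in (HEALTHY_HEADER, NTLM_ONLY_HEADER):
        mechs = parse_negotiate_header(h)
        print([MECH_NAMES.get(m, m) for m in mechs], "kerberos first:", kerberos_offered_first(mechs))
```

A list headed by NTLMSSP, or a token that is not SPNEGO at all, tells you the client never obtained a Kerberos service ticket, so the problem is in the ticket cache, keytab, krb5.conf or SPN/host-name resolution rather than on the server side.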