IMPORTANT NOTE: The APIs and features described in this document are SUBJECT TO CHANGE.
The following enhancements were made to the Java GSS/Kerberos implementation in Java SE 5.
The Triple DES encryption type is specified in the Kerberos configuration file under the "libdefaults" section. It is specified as "des3-cbc-sha1" with the following tags: default_tkt_enctypes, default_tgs_enctypes, permitted_enctypes. "des3-cbc-sha1" has the following aliases:
    des3-hmac-sha1
    des3-cbc-sha1-kd
    des3-cbc-hmac-sha1-kd

For example, the libdefaults section in the configuration file might include the following.
    default_tkt_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    permitted_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc

default_tkt_enctypes is used to specify the encryption types to use for the session key in the ticket-granting-ticket. It is used by the client to restrict the encryption types of session keys that will be used to communicate with the KDC. The default value is "des-cbc-md5 des-cbc-crc des3-cbc-sha1".
default_tgs_enctypes is used to specify the encryption types to use for the session key in service tickets. It is used by the client to restrict the encryption types of session keys that are shared by the client and server. The default value is "des-cbc-md5 des-cbc-crc des3-cbc-sha1".
permitted_enctypes is used to specify the encryption types permitted to be used by a service. It is used by the server to restrict the encryption types of session keys that it will accept. The default value is "des-cbc-md5 des-cbc-crc des3-cbc-sha1".
When sending a message to the KDC, the Java SE Kerberos library will use TCP if the size of the message is above udp_preference_limit. If the message is smaller than udp_preference_limit, then UDP will be tried at most three times. If the KDC indicates that the request is too big, the Java SE Kerberos library will retry over TCP.
With this feature, if Krb5LoginModule obtains an expired ticket from the ticket cache, the TGT will be automatically renewed and added to the Subject of the caller who requested the ticket. If the ticket cannot be renewed for any reason, Krb5LoginModule will use its configured callback handler to retrieve a username and password and acquire a new TGT.
To use this feature, configure Krb5LoginModule to use the ticket cache and set the newly introduced renewTGT option to true. Here is an example of a JAAS login configuration file that requests TGT renewal.
    server {
        com.sun.security.auth.module.Krb5LoginModule required
            principal=principal@your_realm
            useTicketCache=true
            renewTGT=true;
    };

Note that if renewTGT is set to true, then useTicketCache must also be set to true; otherwise, it results in a configuration error.
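As an added example (not part of the original document), the following Java program logs in through the "server" entry above and then inspects the Kerberos ticket that Krb5LoginModule placed in the Subject. This lets an administrator confirm two things the configuration sections above describe: that a valid TGT (renewed from the cache or freshly acquired) is present, and which of the configured encryption types was actually negotiated for its session key. It assumes the JAAS configuration file is passed through the java.security.auth.login.config system property and that the entry name "server" matches the configuration above; the encryption type numbers (1, 3 and 16) are the RFC 3961 assignments for the three types named in this document.

```java
import java.util.Date;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class TgtCheck {
    // Encryption type numbers from RFC 3961, for the types named in this document.
    private static final int DES_CBC_CRC = 1;
    private static final int DES_CBC_MD5 = 3;
    private static final int DES3_CBC_SHA1 = 16;

    private static String enctypeName(int etype) {
        switch (etype) {
            case DES_CBC_CRC:   return "des-cbc-crc";
            case DES_CBC_MD5:   return "des-cbc-md5";
            case DES3_CBC_SHA1: return "des3-cbc-sha1";
            default:            return "etype " + etype;
        }
    }

    public static void main(String[] args) throws LoginException {
        // "server" is the entry name from the JAAS configuration above (an assumption);
        // run with -Djava.security.auth.login.config=<path to that file>.
        LoginContext lc = new LoginContext("server");
        lc.login();   // reads the ticket cache; renews or re-acquires the TGT as configured
        Subject subject = lc.getSubject();

        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
        if (tickets.isEmpty()) {
            System.out.println("no Kerberos ticket in Subject");
            return;
        }
        Date now = new Date();
        for (KerberosTicket t : tickets) {
            // A TGT is a ticket for the krbtgt/<REALM> service principal.
            boolean isTgt = t.getServer().getName().startsWith("krbtgt/");
            System.out.println((isTgt ? "TGT" : "service ticket") + " for " + t.getServer());
            System.out.println("  client:           " + t.getClient());
            System.out.println("  session key type: " + enctypeName(t.getSessionKeyType()));
            System.out.println("  valid now:        " + t.isCurrent());
            System.out.println("  expires:          " + t.getEndTime());
            System.out.println("  renewable:        " + t.isRenewable()
                    + (t.isRenewable() ? " until " + t.getRenewTill() : ""));
            if (t.getEndTime().before(now)) {
                System.out.println("  WARNING: ticket expired and was not renewed");
            }
        }
        lc.logout();
    }
}
```

If the session key type printed is not "des3-cbc-sha1" even though des3-cbc-sha1 is listed first in default_tkt_enctypes, the KDC does not have a Triple DES key for the principal; the list only restricts what the client will accept, it cannot force the KDC to issue a type it does not hold.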
The following JAAS login entry index names are reserved for use by JSSE:

    com.sun.net.ssl.server
    com.sun.net.ssl.client

When a JSSE application uses the Kerberos cipher suites without an explicit JAAS program, the SunJSSE provider will use these index names to find and configure the JAAS login module to acquire the necessary Kerberos credentials. For example, such an application might have the following JAAS configuration file.
    com.sun.net.ssl.server {
        com.sun.security.auth.module.Krb5LoginModule required
            principal=service_principal@your_realm
            useKeyTab=true
            keyTab=keytab_name
            storeKey=true;
    };

If the entry is not found, the default "other" index name will be used. The service name for TLS is "host". For example, a TLS service running on a machine named "raven.example.com" in the realm named "KRBNT-OPERATIONS.EXAMPLE.COM" would have the service principal name
    host/raven.example.com@KRBNT-OPERATIONS.EXAMPLE.COM

There are no restrictions on the TLS client; it may use any valid Kerberos principal name.
When a JSSE application uses the Kerberos cipher suites with an explicit JAAS program, it can use any index name, including the ones listed above.
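As an added example (not the document's own code), here is a minimal TLS echo server that relies on the implicit login path described above: it enables only a Kerberos cipher suite, so SunJSSE looks up the com.sun.net.ssl.server entry in the JAAS configuration file named by java.security.auth.login.config and logs in with the keytab on its own, without any LoginContext code in the application. The cipher suite name TLS_KRB5_WITH_3DES_EDE_CBC_SHA is one of the Kerberos cipher suites SunJSSE supports; the port number and the echo behaviour are choices made for this example.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;

public class KerberosTlsServer {
    // Kerberos cipher suite supported by SunJSSE; no X.509 key store is needed for it.
    private static final String[] KRB5_SUITES = { "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" };

    public static void main(String[] args) throws Exception {
        int port = args.length > 0 ? Integer.parseInt(args[0]) : 4443; // port chosen for the example

        // No SSLContext or KeyManager is built here: with only Kerberos suites enabled,
        // SunJSSE performs the JAAS login itself using the "com.sun.net.ssl.server" entry
        // from the file given by -Djava.security.auth.login.config=<path>.
        SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(port);
        server.setEnabledCipherSuites(KRB5_SUITES);
        System.out.println("listening on " + port + " with " + KRB5_SUITES[0]);

        while (true) {
            SSLSocket s = (SSLSocket) server.accept();
            try {
                // Fails here if the host/<hostname> service credentials could not be acquired.
                s.startHandshake();
                // With a Kerberos suite the client is authenticated by its Kerberos ticket,
                // so the peer principal is the client's Kerberos principal name.
                System.out.println("client principal: " + s.getSession().getPeerPrincipal().getName()
                        + " using " + s.getSession().getCipherSuite());
                BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream()));
                PrintWriter out = new PrintWriter(s.getOutputStream(), true);
                String line;
                while ((line = in.readLine()) != null) {
                    out.println(line);
                }
            } finally {
                s.close();
            }
        }
    }
}
```

A client that connects to this server with the Kerberos cipher suites enabled acquires a service ticket for host/<hostname of the server> in the same implicit way, through the com.sun.net.ssl.client entry (or the "other" entry if that one is absent), so the hostname the client connects with must match the service principal in the server's keytab.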