Former Member
Jul 20, 2006 at 02:44 PM

Kerberos (SPNego) and a J2EE Cluster


Hello,

We have implemented the SPNego-Kerberos Authentication for our DEV and QAS portal servers. We are now implementing on the PRD server(s). In the current guide - it says that there is only one section of repetition for each node (in the "what if I add an additional dialog to my cluster").

This is not true (right off the bat) because the service user has to be registered for each server at the OS level.

Based on this we have created a user for the entire cluster, the keytab for the HTTP and HOST for both servers (4 entries for CI and DI) and stored it - along with the krb5.conf file - in the SCS path under
server\SAPMNT\EPP\SYS\keytab\ directory so that both servers can access it at any one time.

So now we have taken this GUESSed process to the point where we are configuring the login module stack and find that we cannot define a single "principal" property for the com.sun.security.auth.module.Krb5LoginModule.

If this is the case how do we specify two principals in the one globally shared keytab...? Or are we going about it wrong?

Again, the guide has very little to state and it doesn't mention that the "Security Provider" service is the same across all clustered Engines and nodes. So how do you define the SPN for two servers from one file/config?

Can someone please provide some direction for Kerbing in a J2EE Clustered environment?

Thanks very much,

Judson