[[Kerberos_Based_Authentication_Migration]] = Kerberos Authentication Migration When working with Kerberos configuration it is possible for the application server to rely on configuration from the environment or the key configuration can be specified using system properties, for the purpose of these examples I define system properties - these properties are applicable to both the legacy configuration and the migrated Elytron configuration. [source, ruby] ---- ./system-property=sun.security.krb5.debug:add(value=true) ./system-property=java.security.krb5.realm:add(value=ELYTRON.ORG) ./system-property=java.security.krb5.kdc:add(value=kdc.elytron.org) ---- The first line makes debugging easier but the last two lines specify the Kerberos realm in use and the address of the KDC. [source, xml] ---- ---- [[http-authentication]] == HTTP Authentication [[legacy-security-realm]] === Legacy Security Realm A legacy security realm can be define so that SPNEGO authentication can be enabled for the HTTP management interface. [source, ruby] ---- ./core-service=management/security-realm=Kerberos:add ./core-service=management/security-realm=Kerberos/server-identity=kerberos:add ./core-service=management/security-realm=Kerberos/server-identity=kerberos/keytab=HTTP\/test-server.elytron.org@ELYTRON.ORG:add(path=/home/darranl/src/kerberos/test-server.keytab, debug=true) ./core-service=management/security-realm=Kerberos/authentication=kerberos:add(remove-realm=true) ---- This results in the following configuration: - [source, xml] ---- ...

---- [[application-spnego]] === Application SPNEGO Alternatively deployed applications would make use of a pair of security domains. [source, java] ---- ./subsystem=security/security-domain=host:add ./subsystem=security/security-domain=host/authentication=classic:add ./subsystem=security/security-domain=host/authentication=classic/login-module=1:add(code=Kerberos, flag=Required, module-options={storeKey=true, useKeyTab=true, principal=HTTP/test-server.elytron.org@ELYTRON.ORG, keyTab=/home/darranl/src/kerberos/test-server.keytab, debug=true} ---- [source, ruby] ---- ./subsystem=security/security-domain=SPNEGO:add ./subsystem=security/security-domain=SPNEGO/authentication=classic:add ./subsystem=security/security-domain=SPNEGO/authentication=classic/login-module=1:add(code=SPNEGO, flag=requisite, module-options={password-stacking=useFirstPass, serverSecurityDomain=host}) ./subsystem=security/security-domain=SPNEGO/authentication=classic/login-module=1:write-attribute(name=module, value=org.jboss.security.negotiation) ./subsystem=security/security-domain=SPNEGO/authentication=classic/login-module=2:add(code=UsersRoles, flag=required, module-options={password-stacking=useFirstPass, usersProperties=file:///home/darranl/src/kerberos/spnego-users.properties, rolesProperties=file:///home/darranl/src/kerberos/spnego-roles.properties, defaultUsersProperties=file:///home/darranl/src/kerberos/spnego-users.properties, defaultRolesProperties=file:///home/darranl/src/kerberos/spnego-roles.properties}) ---- This results in: - [source, xml] ----

...

---- An application can now be deployed referencing the SPNEGO security domain and secured with SPNEGO mechanism. [[migrated-spnego]] === Migrated SPNEGO The equivalent configuration can be achieved with WildFly Elytron by first defining a security realm which will be used to load identity information. [source, ruby] ---- ./subsystem=elytron/properties-realm=spnego-properties:add(users-properties={path=/home/darranl/src/kerberos/spnego-users.properties, plain-text=true, digest-realm-name=ELYTRON.ORG}, groups-properties={path=/home/darranl/src/kerberos/spnego-roles.properties}) ---- Next a Kerberos security factory is defined which allows the server to load it's own Kerberos identity. [source, ruby] ---- ./subsystem=elytron/kerberos-security-factory=test-server:add(path=/home/darranl/src/kerberos/test-server.keytab, principal=HTTP/test-server.elytron.org@ELYTRON.ORG, debug=true) ---- As with the previous examples we define a security realm to pull together the policy as well as a HTTP authentication factory for the authentication policy. [source, ruby] ---- ./subsystem=elytron/security-domain=SPNEGODomain:add(default-realm=spnego-properties, realms=[{realm=spnego-properties, role-decoder=groups-to-roles}], permission-mapper=default-permission-mapper) ./subsystem=elytron/http-authentication-factory=spnego-http-authentication:add(security-domain=SPNEGODomain, http-server-mechanism-factory=global,mechanism-configurations=[{mechanism-name=SPNEGO, credential-security-factory=test-server}]) ---- Overall this results in the following configuration: - [source, xml] ---- ... ...

...

... ...

... ... ---- Now, to enable SPNEGO authentication for the HTTP management interface, update this interface to reference the `http-authentication-factory` defined above, as described in the https://docs.jboss.org/author/display/WFLY/Migrate+Legacy+Security+to+Elytron+Security#MigrateLegacySecuritytoElytronSecurity-MigratedConfiguration[properties authentication section]. Alternatively, to secure an application using SPNEGO authentication, an application security domain can be defined in the Undertow subsystem to map security domains to the `http-authentication-factory` defined above, as described in the https://docs.jboss.org/author/display/WFLY/Migrate+Legacy+Security+to+Elytron+Security#MigrateLegacySecuritytoElytronSecurity-FullyMigratedConfiguration[properties authentication section]. [[remoting-sasl-authentication]] == Remoting / SASL Authentication [[legacy-security-realm-1]] === Legacy Security Realm It is also possible to define a legacy security realm for Kerberos / GSSAPI SASL authenticatio for Remoting authentication such as the native management interface. [source, ruby] ---- ./core-service=management/security-realm=Kerberos:add ./core-service=management/security-realm=Kerberos/server-identity=kerberos:add ./core-service=management/security-realm=Kerberos/server-identity=kerberos/keytab=remote\/test-server.elytron.org@ELYTRON.ORG:add(path=/home/darranl/src/kerberos/remote-test-server.keytab, debug=true) ./core-service=management/security-realm=Kerberos/authentication=kerberos:add(remove-realm=true) ---- [source, xml] ---- ...

... ---- [[migrated-gssapi]] === Migrated GSSAPI The steps to define the equivalent Elytron configuration are very similar to the HTTP example. First define the security realm to load the identity from: - [source, ruby] ---- ./path=kerberos:add(relative-to=user.home, path=src/kerberos) ./subsystem=elytron/properties-realm=kerberos-properties:add(users-properties={path=kerberos-users.properties, relative-to=kerberos, digest-realm-name=ELYTRON.ORG}, groups-properties={path=kerberos-groups.properties, relative-to=kerberos}) ---- Then define the Kerberos security factory for the server's identity. [source, ruby] ---- ./subsystem=elytron/kerberos-security-factory=test-server:add(relative-to=kerberos, path=remote-test-server.keytab, principal=remote/test-server.elytron.org@ELYTRON.ORG) ---- Finally define the security domain and this time a SASL authentication factory. [source, ruby] ---- ./subsystem=elytron/security-domain=KerberosDomain:add(default-realm=kerberos-properties, realms=[{realm=kerberos-properties, role-decoder=groups-to-roles}], permission-mapper=default-permission-mapper) ./subsystem=elytron/sasl-authentication-factory=gssapi-authentication-factory:add(security-domain=KerberosDomain, sasl-server-factory=elytron, mechanism-configurations=[{mechanism-name=GSSAPI, credential-security-factory=test-server}]) ---- This results in the following subsystem configuration: - [source, xml] ---- ... ...

...

... ...

... ---- The management interface or Remoting connectors can now be updated to reference the SASL authentication factory. The two Elytron examples defined here could also be combined into one to use a shared security domain and security realm and just use protocol specific authentication factories each referencing their own Kerberos security factory.