Creating the bcsLogin Configuration File

The bcsLogin.conf file defines the login module used for the Kerberos implementation, the service principal name for Identity Server, the location of the keytab file, and other configuration options.

Perform the following steps to create the file:

  1. An editable sample file, bcsLogin.conf.template, is included. Open this file.

  2. Enter the following lines:

    IMPORTANT: The file cannot contain any white space, only end-of-line characters. Two lines (principal and keyTab) must specify information unique to your configuration: the principal line specifies the service principal name for Identity Server, and the keyTab line specifies the location of the keytab file. The following file uses the values of the example configuration for the principal and keyTab lines. The keyTab and ticketCache lines use the default path for SUSE Linux Enterprise Server (SLES).

    com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    debug="true"
    useTicketCache="true"
    ticketCache="/opt/novell/java/jre/lib/security/spnegoTicket.cache"
    doNotPrompt="true"
    principal="HTTP/amser.nam.example.com@AD.EXAMPLE.COM"
    useKeyTab="true"
    keyTab="/opt/novell/java/jre/lib/security/nidpkey.keytab"
    storeKey="true";
    };

    Identity Server checks the Kerberos server for each user transaction. When you set the isInitiator value to false (isInitiator="false") in the bcsLogin.conf file, on a new line after the keyTab="/opt/novell/java/jre/lib/security/nidpkey.keytab" line, Identity Server does not communicate with the Kerberos server.

    NOTE: Before setting the value to false, it is recommended that you access the protected site via HTTPS and that the keytab file is secured.

  3. Save this file with a name of bcsLogin.conf.

  4. Add this file to the location specified in the JAAS config file for Kerberos field in Step 4 of Creating the Authentication Class, Method, and Contract. For information about how to add a file, see Section 4.2.1, Adding Configurations to a Cluster.

  5. Ensure that the file permissions are set to 644.
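The following shell script is an added example, not part of the product documentation, that checks a bcsLogin.conf and its keytab against the rules given in this procedure before the file is added to the cluster: the 644 mode from step 5, the no-stray-white-space rule from step 2, the HTTP/host@REALM shape of the principal line, the useKeyTab/storeKey lines the keytab-based acceptor entry needs, and that the keytab referenced by keyTab exists and is not readable by group or other (the script's interpretation of "the keytab file is secure"; modes 600 and 400 are accepted). It assumes GNU stat as shipped with SLES, with a BSD stat fallback, and the demo at the bottom uses constructed files in a temporary directory rather than a real keytab. The function names (check_bcslogin_conf, write_sample_conf, file_mode) are the example's own.

```shell
#!/bin/sh
# Added example: sanity-check a bcsLogin.conf and its keytab before deployment.
# Assumes GNU stat (SLES); falls back to BSD stat. Not part of the product docs.

fail() { echo "FAIL: $1" >&2; return 1; }

# Octal permission bits of a file, e.g. 644 (GNU stat first, then BSD stat).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

check_bcslogin_conf() {
  conf="$1"
  [ -f "$conf" ] || { fail "$conf is not a regular file"; return 1; }

  # Step 5 of the procedure: the configuration file itself must be mode 644.
  mode=$(file_mode "$conf")
  [ "$mode" = "644" ] || { fail "$conf has mode $mode, expected 644"; return 1; }

  # Step 2: no white space other than line ends. Reject leading/trailing
  # blanks, empty lines, and CR line endings left behind by Windows editors.
  if grep -qE '^[[:blank:]]|[[:blank:]]$|^$' "$conf"; then
    fail "leading/trailing white space or blank lines found"; return 1
  fi
  if grep -q "$(printf '\r')" "$conf"; then
    fail "CR line endings found; use plain LF"; return 1
  fi

  # The entry must be the JGSS acceptor entry backed by Krb5LoginModule.
  grep -qx 'com.sun.security.jgss.accept {' "$conf" \
    || { fail "missing com.sun.security.jgss.accept entry"; return 1; }
  grep -qx 'com.sun.security.auth.module.Krb5LoginModule required' "$conf" \
    || { fail "missing Krb5LoginModule required line"; return 1; }

  # principal must be the HTTP service principal of the Identity Server host.
  grep -qE '^principal="HTTP/[A-Za-z0-9.-]+@[A-Z0-9.-]+"$' "$conf" \
    || { fail "principal must look like HTTP/host.fqdn@REALM"; return 1; }

  # A keytab-based acceptor needs these lines, and the entry must be closed.
  for opt in 'useKeyTab="true"' 'storeKey="true";' '};'; do
    grep -qFx "$opt" "$conf" || { fail "missing line: $opt"; return 1; }
  done

  # The keytab must exist and must not be readable by group or other.
  keytab=$(sed -n 's/^keyTab="\(.*\)"$/\1/p' "$conf")
  [ -n "$keytab" ] || { fail "no keyTab line"; return 1; }
  [ -f "$keytab" ] || { fail "keytab $keytab not found"; return 1; }
  kmode=$(file_mode "$keytab")
  case "$kmode" in
    400|600) ;;
    *) fail "keytab $keytab has mode $kmode; restrict it to 600 or 400"; return 1 ;;
  esac

  # isInitiator="false" is optional; with it set, the KDC is not contacted.
  if grep -qFx 'isInitiator="false"' "$conf"; then
    echo "note: isInitiator=false set; Identity Server will not contact the KDC" >&2
  fi
  echo "OK: $conf"
}

# Write the sample entry from the procedure, substituting the keytab path.
write_sample_conf() {
  cat > "$1" <<EOF
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
debug="true"
useTicketCache="true"
ticketCache="/opt/novell/java/jre/lib/security/spnegoTicket.cache"
doNotPrompt="true"
principal="HTTP/amser.nam.example.com@AD.EXAMPLE.COM"
useKeyTab="true"
keyTab="$2"
storeKey="true";
};
EOF
}

# Demo with constructed files in a temporary directory (no real keytab).
demo_dir=$(mktemp -d)
printf 'placeholder-keytab-bytes' > "$demo_dir/nidpkey.keytab"
chmod 600 "$demo_dir/nidpkey.keytab"
write_sample_conf "$demo_dir/bcsLogin.conf" "$demo_dir/nidpkey.keytab"
chmod 644 "$demo_dir/bcsLogin.conf"
check_bcslogin_conf "$demo_dir/bcsLogin.conf"
chmod 644 "$demo_dir/nidpkey.keytab"
check_bcslogin_conf "$demo_dir/bcsLogin.conf" \
  || echo "(world-readable keytab rejected, as intended)"
rm -rf "$demo_dir"
```

Run it as `sh check_bcslogin.sh` on the Identity Server host; to check a real file, call `check_bcslogin_conf /path/to/bcsLogin.conf` after sourcing the script. The keytab mode check is deliberately stricter than the 644 required for bcsLogin.conf itself: the configuration file holds no secret, but the keytab holds the service key.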