From 5909a24cd389c55e5081cf1e497d87ffc4c362f4 Mon Sep 17 00:00:00 2001
From: gtully
Date: Wed, 9 Aug 2017 17:21:39 +0100
Subject: [PATCH] [ARTEMIS-1310] addition of sample config scope to krb5 doc
---
 docs/user-manual/en/security.md | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/docs/user-manual/en/security.md b/docs/user-manual/en/security.md
index e77a0dd92e..24fbcd3708 100644
--- a/docs/user-manual/en/security.md
+++ b/docs/user-manual/en/security.md
@@ -659,8 +659,20 @@ authentication, TLS can be used to provide integrity and confidentially to the c
 The `GSSAPI` SASL mechanism must be enabled on the amqp acceptor by adding it to the `saslMechanisms` list url parameter: `saslMechanisms="GSSAPI<,PLAIN, etc>`.
-By default the server will use a JAAS login configuration scope named `amqp-sasl-gssapi` to obtain acceptor Kerberos
-credentials. An alternative configuration scope can be specified on the amqp acceptor url using the parameter: `saslLoginConfigScope=`.
+The server will use a JAAS login configuration scope named `amqp-sasl-gssapi` to obtain Kerberos acceptor credentials.
+An alternative configuration scope can be specified on the amqp acceptor using the url parameter: `saslLoginConfigScope=`.
+
+A sample configuration scope in 'login.config' that will pick up a Kerberos keyTab for the Kerberos acceptor Principal
+'amqp/localhost' is as follows:
+
+ amqp-sasl-gssapi {
+ com.sun.security.auth.module.Krb5LoginModule required
+ isInitiator=false
+ storeKey=true
+ useKeyTab=true
+ principal="amqp/localhost"
+ debug=true;
+ };
 On the server, the Kerberos authenticated Peer Principal can be associated with a JAAS Subject as an Apache ActiveMQ Artemis UserPrincipal using the Apache ActiveMQ Artemis Krb5LoginModule login module. The [PropertiesLoginModule](#propertiesloginmodule) can be used to map