Documentation Contents |
The goal of this exercise is to learn how to use various
Kerberos encryption algorithms to secure the communication. In J2SE
1.4, Java GSS/Kerberos provided support for only DES encryption
type. The Java GSS/Kerberos provider has been enhanced in J2SE 5.0
and later releases to support stronger Kerberos encryption
algorithms, and is in compliance with latest Kerberos specification
RFC4120. Support for various Kerberos encryption types, such as
AES256, AES128, 3DES, RC4-HMAC, and DES are now all available. J2SE
5.0 supports 3DES and DES Kerberos encryption types. Support for
AES and RC4-HMAC in Kerberos is available for Java SE 6
onwards.
Here is a list of all the encryption types supported by the Java GSS/Kerberos provider in Java SE 6.0:
src/krb5.conf
AES256-CTS
encryption type[libdefaults]NOTE: Solaris 10 does not support
default_tkt_enctypes = aes256-cts default_tgs_enctypes = aes256-cts permitted_enctypes = aes256-cts
AES256
by
default. You will need to install the following packages:-SUNWcry, SUNWcryr, SUNWcryptointIn addition, JCE in Java SE also does not support
AES256
by default.AES128-CTS
encryption type[libdefaults]
default_tkt_enctypes = aes128-cts
default_tgs_enctypes = aes128-cts
permitted_enctypes = aes128-cts
RC4-HMAC
encryption type[libdefaults]
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
DES3-CBC-SHA1
encryption type[libdefaults]
default_tkt_enctypes = des3-cbc-sha1
default_tgs_enctypes = des3-cbc-sha1
permitted_enctypes = des3-cbc-sha1
DES-CBC-MD5
encryption type[libdefaults]
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = des-cbc-md5
permitted_enctypes = des-cbc-md5
DES-CBC-CRC
encryption type[libdefaults]
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
permitted_enctypes = des-cbc-crc
% kdestroy
% xterm &
% java -Djava.security.auth.login.config=jaas-krb5.conf \ -Djava.security.krb5.conf=krb5.conf \ GSSServer
host
running on the machine
j1hol-001
, you would enter the following. When
prompted for the password, enter changeit.% java -Djava.security.auth.login.config=jaas-krb5.conf
-Djava.security.krb5.conf=krb5.conf \
GSSClient host j1hol-001
In this exercise, you learned
how to write a client-server application that uses Java GSS API to
authenticate and communicate securely with each other, using
stronger Kerberos encryption algorithms. You can enable Kerberos
debugging (-Dsun.security.krb5.debug=true
), to obtain
information about the Kerberos encryption type used.
Copyright © 1993, 2011, Oracle and/or its affiliates. All rights reserved. Please send comments using this Feedback page. |
Java Technology |