Adding more info to what Prabath mentioned: in the Kerberos configuration (krb.conf) we can define the realms that clients can access. In the case of ApacheDS, a separate partition will be created for each tenant. In other words, a separate realm will be created for each tenant. Thus, when giving the service principal to the Kerberos scenario as a parameter, we need to append the appropriate realm. GSS-API will then check the given service principal in the specified realm.
But we have not tested this scenario. As Prabath mentioned, we need to spend some more time testing and verifying this scenario.

Thanks
AmilaJ

On Fri, Feb 25, 2011 at 1:11 AM, Prabath Siriwardana <[email protected]> wrote:
> Currently - the JGSS API reads these configuration files as system
> properties.. So we would be able to set up a single KDC. We need to invest
> some time on this to find out a way of doing this without system
> properties..
> The same issue exists there when a tenant - for example - wants to talk to an
> external service secured with Mutual Authentication. Here we are setting a
> system property for the key store - and if the external service allows
> access to a tenant - that means it should allow access to the stratos - in
> other words to all the tenants..
> The same applies - if someone wants to secure a service with mutual auth.. I guess
> this is not possible currently per tenant..
> I have looked into the mutual auth issue - and it is possible to get rid of
> the key store system property... we will work on these to get multitenant
> ready..
> Thanks & regards,
> -Prabath
>
> On Fri, Feb 25, 2011 at 12:16 AM, Afkham Azeez <[email protected]> wrote:
>>
>> So, my usual question, how does this work in a multitenant environment?
>> How are you going to provide tenant specific conf files?
>> Azeez
>>
>> On Thu, Feb 24, 2011 at 11:36 PM, Amila Jayasekara <[email protected]>
>> wrote:
>>>
>>> Hi All,
>>> As some of you may know, there is a Kerberos KDC server with the latest IS
>>> build. In order to complete the use case we added a Kerberos based
>>> security scenario to the security-mgt component. Now there is a security
>>> scenario 16. See screen-shot for more details. Now users can easily
>>> secure services using the Kerberos security policy by selecting scenario
>>> 16.
>>> But this change is not yet in trunk as the Kerberos related rampart
>>> changes are not yet in trunk (currently I am doing changes in the 3.0.1
>>> support branch). But hopefully by next week we will be adding these
>>> changes to the trunk.
>>>
>>> Please review the attached screen shot and let me know if any of the
>>> text needs to be changed.
>>>
>>> Also we need to add two more config files to support scenario 16.
>>> They are krb5.conf (contains parameters related to requesting tickets)
>>> and jaas.conf (authorization properties).
>>> I am planning to add the above mentioned files to esb's conf directory.
>>> Please let me know if you have any concerns.
>>>
>>> Also I have a sample which demonstrates the use of the KDC in IS and usage
>>> of scenario 16 in esb. Since this sample is related to 2 products, I
>>> am not sure where I should place the sample. It would be great if you
>>> could give feedback on where to place the sample program (in IS or ESB?).
>>>
>>> Thanks
>>> AmilaJ
>>>
>>> _______________________________________________
>>> Carbon-dev mailing list
>>> [email protected]
>>> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
>>
>> --
>> Afkham Azeez
>> Senior Software Architect & Senior Manager; WSO2, Inc.; http://wso2.com,
>> Member; Apache Software Foundation; http://www.apache.org/
>
> --
> Thanks & Regards,
> Prabath
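
The realm-qualified service principal described in the top reply, as an added Java example that is not part of the original thread or of the WSO2 code base. It assumes a hypothetical mapping in which a tenant's realm is its domain name in upper case; the class and method names are illustrative and the sample principal and tenant domains are constructed.

```java
import java.util.Locale;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class TenantServicePrincipal {
    // Name type OID for a Kerberos v5 principal name (GSS_KRB5_NT_PRINCIPAL_NAME, RFC 1964).
    private static final String KRB5_PRINCIPAL_NAME = "1.2.840.113554.1.2.2.1";

    // Assumption (hypothetical mapping): the realm is the tenant domain in upper case.
    static String realmFor(String tenantDomain) {
        if (tenantDomain == null
                || !tenantDomain.matches("[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?")) {
            throw new IllegalArgumentException("invalid tenant domain");
        }
        return tenantDomain.toUpperCase(Locale.ROOT);
    }

    // Appends the tenant's realm. The realm always comes from the tenant context,
    // so a principal that already carries a realm (any '@') is refused, not trusted.
    static String qualify(String servicePrincipal, String tenantDomain) {
        if (servicePrincipal == null || servicePrincipal.isEmpty()
                || servicePrincipal.indexOf('@') >= 0) {
            throw new IllegalArgumentException("service principal must be given without a realm");
        }
        return servicePrincipal + "@" + realmFor(tenantDomain);
    }

    // Builds the GSS-API name for the service in the tenant's realm.
    static GSSName serviceName(String servicePrincipal, String tenantDomain)
            throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        return manager.createName(qualify(servicePrincipal, tenantDomain),
                new Oid(KRB5_PRINCIPAL_NAME));
    }

    public static void main(String[] args) throws GSSException {
        // Constructed sample values.
        System.out.println(serviceName("esb/localhost", "tenant-a.example"));
        try {
            serviceName("esb/localhost@TENANT-B.EXAMPLE", "tenant-a.example");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Each tenant realm still has to be defined in the single Kerberos configuration the JVM loads, since, as noted in the thread, JGSS reads that configuration through system properties.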
