Kerberos

Owned by Brian May
Last updated: Aug 16, 2023 by Jessica Tomkins
2 min read





If using IBM i 7.5, IBM PTF SI83931 is required to ensure Kerberos functions properly.



Kerberos is a network authentication protocol that uses "tickets" as an alternative to usernames and passwords for authentication. Profound UI supports using Kerberos for single sign on access.

Setting up Kerberos in your environment is well beyond the scope of this document. You can find instructions on how to set up Kerberos here.

If you use Kerberos in your environment, examples of the directives needed to configure it in Profound UI are already provided in your httpd.conf configuration file of your instance, but they are commented out. To enable Kerberos, open your httpd.conf file for editing. You can do so from a command line by entering:



EDTF '/www/profoundui/conf/httpd.conf'

Removing IBM i Profile Authentication Directives

First, you will need to find and comment out the following directives:

# Use the following section for IBM i profile authentication. <DirectoryMatch "^/QSYS\.LIB/PROFOUNDUI\.LIB/PUI000(3.{3})\.PGM"> Require valid-user AuthType Basic AuthName "Profound UI" PasswdFile %%SYSTEM%% UserID %%CLIENT%% ProfileToken On </DirectoryMatch> <LocationMatch "^/profoundui/auth/(.*)"> Require valid-user AuthType Basic AuthName "Profound UI" PasswdFile %%SYSTEM%% UserID %%CLIENT%% ProfileToken On </LocationMatch>

These directives tell the web server to use IBM i user names and passwords for authentication. These lines can be commented out by inserting the # symbol at the beginning of each line.

Enabling the Kerberos Directives

Next, you will need to find and uncomment the following directives:

# Use this section for Kerberos authentication. #<DirectoryMatch "^/QSYS\.LIB/PROFOUNDUI\.LIB/PUI000(3.{3})\.PGM"> # Require valid-user # AuthType KERBEROS # PasswdFile %%KERBEROS%% # UserID %%CLIENT%% # ProfileToken On #</DirectoryMatch> #<LocationMatch "^/profoundui/auth/(.*)"> # Require valid-user # AuthType KERBEROS # PasswdFile %%KERBEROS%% # UserID %%CLIENT%% # ProfileToken On #</LocationMatch>

Lines are uncommented by removing the # symbols before each line. Be sure to leave any comments commented out, though, so they do not cause errors in the configuration. The first line of the above code block is a comment and should remain commented out. 

The <LocationMatch> directive above is matching URLs with /auth/ in the path only. You may need or want to change this depending on other configurations and directives you have set. For example, to have Kerberos log your user into Genie automatically, with the above directive set for the server, you'll want your user to go to http://host:port/profoundui/auth/genie. If your user was to navigate to Genie without /auth/ in the URL path, they will be taken to the log in screen.