IMPORTANT NOTE: The APIs and features described in this document are SUBJECT TO CHANGE.

The following enhancements were made to the Java GSS/Kerberos implementation in J2SE 5. Please send feedback related to these new features to java-security@sun.com.

• Support for Triple DES encryption type.
  Prior to J2SE 5, only the DES encryption type was supported. J2SE 5 supports both DES and Triple DES encryption type. This improves interoperability of the J2SE Kerberos implementation with other Kerberos implementations, such as Solaris 10 and MIT Kerberos.

  Triple DES encryption type is specified in the Kerberos configuration file under the "libdefaults" section. It is specified as "des3-cbc-sha1" with following tags: default_tkt_enctypes, default_tgs_enctypes, permitted_enctypes. "dec3-cbc-sha1" has the following aliases:

  des3-hmac-sha1
  des3-cbc-sha1-kd
  des3-cbc-hmac-sha1-kd
  

  For example, the libdefaults section in the configuration file might include the following.

  default_tkt_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc
  default_tgs_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc
  permitted_enctypes   = des3-cbc-sha1 des-cbc-md5 des-cbc-crc
  

  default_tkt_enctypes is used to specify the encryption types to use for the session key in the ticket-granting-ticket. It is used by the client to restrict the encryption types of session keys that will be used to communicate with the KDC. The default value is "des-cbc-md5 des-cbc-crc des3-cbc-sha1"

  default_tgs_enctypes is used to specify the encryption types to use for the session key in service tickets. It is used by the client to restrict the encryption types of session keys that are shared by the client and server. The default value is "des-cbc-md5 des-cbc-crc des3-cbc-sha1".

  permitted_enctypes is used to specify the encryption types permitted to be used by a service. It is used by the server to restrict the encryption types of session keys that it will accept. The default value is "des-cbc-md5 des-cbc-crc des3-cbc-sha1".

• TCP vs. UDP Preference Configuration
  J2SE now supports the use of the "udp_preference_limit" property in the Kerberos configuration file (krb5.conf).

  When sending a message to the KDC, the J2SE Kerberos library will use TCP if the size of the message is above udp_preference_list. If the message is smaller than udp_preference_list, then UDP will be tried at most three times. If the KDC indicates that the request is too big, the J2SE Kerberos library will use TCP.

• IPv6 Support in Kerberos
  J2SE now supports IPv6 addresses in Kerberos tickets. Prior to J2SE 5, only IPv4 addresses were supported in tickets.

• TGT Renewals
  The Java Authentication and Authorizaton Server (JAAS) Kerberos login module in JDK 5.0, Krb5LoginModule, now supports Ticket Granting Ticket (TGT) renewal. This allows long-running services to renew their TGT automatically without user interaction or requiring the services to restart.

  With this feature, if Krb5LoginModule obtains an expired ticket from the ticket cache, the TGT will be automatically renewed and be added to Subject of the caller who requested the ticket. If the ticket cannot be renewed for any reason, then Krb5LoginModule will use its configured callback handler to retrieve a username and password to acquire a new TGT.

  To use this feature, configure Krb5LoginModule to use the ticket cache and set the newly introduced renewTGT option to true. Here is an example of a JAAS login configuration file that requests TGT renewal.

  server {
    com.sun.security.auth.module.Krb5LoginModule required
          principal=principal@your_realm
  	useTicketCache=true
  	renewTGT=true;
  };
  

  Note that if renewTGT is set to true, then useTicketCache must also be set to true; otherwise, it results in a configuration error.

• Login Entry Names for SunJSSE
  In JDK 5.0, the SunJSSE provider has added support for the Kerberos cipher suites, as described in RFC 2712 and the What's New in JSSE in J2SE 5 in the JSSE Reference Guide. The following JAAS login configuration index names are reserved for this feature.

  com.sun.net.ssl.server
  com.sun.net.ssl.client
  

  When a JSSE application uses the Kerberos cipher suites without explicit JAAS program, the SunJSSE provider will use these index names to find and configure the JAAS login module to acquire the necessary Kerberos credentials. For example, such an application might have the following JAAS configuration file.

   com.sun.net.ssl.server {
    com.sun.security.auth.module.Krb5LoginModule required
          principal=service_principal@your_realm
          useKeyTab=true
          keyTab=keytab_name
  	storeKey=true;
  };
  

  If the entry is not found, the default "other" index name will be used. The service name for TLS is "host". For example, a TLS service running on a machine named "raven.abc.com" in the realm named "KRBNT-OPERATIONS.ABC.COM" would have the service principal name

  host/raven.abc.com@KRBNT-OPERATIONS.ABC.COM
  

  There are no restrictions on the TLS client; it may use any valid Kerberos principal name.

  When a JSSE application uses the Kerberos cipher suites with explicit JAAS program, it can use any index name, including the ones listed above.