-
Enhancement
-
Resolution: Unresolved
-
P4
-
None
-
None
-
None
The current OpenJDK code has “native” ccache support for both Windows/Mac, allowing native Kerberos credential acquisition on those platforms via the usual system library calls rather than the pure Java code. It does not support Linux, meaning that only file based ccaches are supported on that platform.
The Linux Kerberos / GSS-API system libraries support more than just file-based Kerberos credential caches – in particular, we’re interested in supporting KCM, which is a standard protocol for acquiring credentials via a service based cache – there are two existing implementations in Heimdal Kerberos and the RedHat SSSD. As it stands now, supporting KCM for Java processes means running them inside a “kstart” shell which copies a KCM cache to a file ccache for the process to use initially. This is an unergonomic approach that we would like to avoid, as it’s a source of errors in our environment.
The Linux Kerberos / GSS-API system libraries support more than just file-based Kerberos credential caches – in particular, we’re interested in supporting KCM, which is a standard protocol for acquiring credentials via a service based cache – there are two existing implementations in Heimdal Kerberos and the RedHat SSSD. As it stands now, supporting KCM for Java processes means running them inside a “kstart” shell which copies a KCM cache to a file ccache for the process to use initially. This is an unergonomic approach that we would like to avoid, as it’s a source of errors in our environment.