Kerberos configuration requirements for SPNEGO TAI

 


Kerberos configuration settings are provided in the Kerberos configuration file.

The Web administrator creates the Kerberos configuration file with the appropriate settings that allow HTTP requests to be processed by the SPNEGO TAI.

The Web administrator can also provide the same Kerberos configuration system properties in separate files:

The Kerberos key table manager command (Ktab) allows the Web administrator to manage the principal names and service keys stored in a local Kerberos keytab file. The Kerberos service principal names (SPNs) and keys listed in the Kerberos keytab file allow services running on the host to authenticate themselves to the KDC. Before the SPNEGO TAI can use Kerberos, the WAS administrator must set up a Kerberos keytab file on the host running WAS.

It is very important to protect the keytab files, making them readable only by the authorized WebSphere users: anyone who can read the keytab holds the service's long-term key.

Updates to the Kerberos keytab file made with Ktab change only the local keytab; they do not affect the Kerberos database. If you change the keys in the Kerberos keytab file, also make the corresponding changes to the Kerberos database, otherwise the service key and the KDC's copy no longer match. Below is an example of how Ktab is used on a Linux platform to add new principal names to the Kerberos keytab file.

    # ./java com.ibm.security.krb5.internal.tools.Ktab -a HTTP/wssecjibe.austin.ibm.com@WSSEC.AUSTIN.IBM.COM ot56prod -k /etc/krb5.keytab
    Done! Service key for principal HTTP/wssecjibe.austin.ibm.com@WSSEC.AUSTIN.IBM.COM saved
    [root@wssecjibe bin]# ./java com.ibm.security.krb5.internal.tools.Ktab
    1 entries in keytab, name: /etc/krb5.keytab
    KVNO Principal
    ---- ---------
       1 HTTP/wssecjibe.austin.ibm.com@WSSEC.AUSTIN.IBM.COM
    [root@wssecjibe bin]# ls /etc/krb5.*
    /etc/krb5.conf  /etc/krb5.ini.orig  /etc/krb5.keytab.good
    /etc/krb5.conf.orig  /etc/krb5.keytab
    [root@wssecjibe bin]# ./java com.ibm.security.krb5.internal.tools.Ktab -a HTTP/wssecredhat.austin.ibm.com@WSSEC.AUSTIN.IBM.COM ot56prod -k /etc/krb5.keytab
    Done! Service key for principal HTTP/wssecredhat.austin.ibm.com@WSSEC.AUSTIN.IBM.COM saved
    [root@wssecjibe bin]# ./java com.ibm.security.krb5.internal.tools.Ktab
    2 entries in keytab, name: /etc/krb5.keytab
    KVNO Principal
    ---- ---------
       1 HTTP/wssecjibe.austin.ibm.com@WSSEC.AUSTIN.IBM.COM
       1 HTTP/wssecredhat.austin.ibm.com@WSSEC.AUSTIN.IBM.COM

On WebSphere Application Server, Ktab is located at:

<install root>/java/jre/bin
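The two points above, that the keytab lists principal names with their KVNOs and that the file must be readable only by the WebSphere user, can be checked without running Ktab. The following is an added example, not IBM's, WebSphere's or the JDK's code. It assumes the keytab layout written by MIT krb5 and the JDK Ktab tool (version bytes 0x05 0x02, then big-endian entries of int32 size, uint16 component count, realm, components, uint32 name type, uint32 timestamp, uint8 KVNO, uint16 enctype, uint16 key length, key bytes and an optional uint32 KVNO, with uint16 length-prefixed strings). The sample keytab, its principal `HTTP/was01.example.com@EXAMPLE.COM` and its key bytes are constructed in memory for the demonstration.

```python
"""List the principals and KVNOs in a Kerberos keytab and check its file permissions.

Added example, not IBM/WebSphere/JDK code. Assumes the MIT/JDK keytab layout
(version 0x0502) described in the lead-in. Sample data below is constructed.
"""
import os
import stat
import struct
import tempfile
from dataclasses import dataclass

AES256_CTS_HMAC_SHA1_96 = 18  # RFC 3962 enctype number


@dataclass
class KeytabEntry:
    principal: str   # e.g. HTTP/host.example.com@EXAMPLE.COM
    kvno: int
    enctype: int
    timestamp: int
    key: bytes


def _string(buf: bytes, pos: int):
    """Read one uint16 length-prefixed string; return (text, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode("utf-8"), pos + n


def parse_keytab(data: bytes) -> list:
    """Parse keytab bytes into KeytabEntry objects, skipping deleted slots."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:               # a negative size marks a deleted entry slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _string(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _string(data, pos)
            comps.append(comp)
        _name_type, timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + keylen]
        pos += keylen
        if end - pos >= 4:         # 32-bit KVNO, when present, overrides the 8-bit field
            (ext,) = struct.unpack_from(">I", data, pos)
            if ext:
                kvno = ext
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, timestamp, key))
    return entries


def build_keytab(entries: list) -> bytes:
    """Serialise entries in the same layout (used here only to construct a sample)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            b = s.encode("utf-8")
            body += struct.pack(">H", len(b)) + b
        # name type 1 = KRB5_NT_PRINCIPAL; 8-bit KVNO field, then the 32-bit one
        body += struct.pack(">IIBHH", 1, e.timestamp, e.kvno & 0xFF, e.enctype, len(e.key))
        body += e.key + struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def permission_problems(path: str, expected_uid: int) -> list:
    """Return reasons the keytab is not private to its owner (empty list means OK)."""
    st = os.stat(path)
    problems = []
    if st.st_uid != expected_uid:
        problems.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o grants group/other access" % stat.S_IMODE(st.st_mode))
    return problems


def demo() -> dict:
    """Write a constructed keytab to a temp file, check it lax and strict, and parse it."""
    sample = [KeytabEntry("HTTP/was01.example.com@EXAMPLE.COM", 3,
                          AES256_CTS_HMAC_SHA1_96, 1700000000, bytes(range(32)))]
    fd, path = tempfile.mkstemp(suffix=".keytab")
    try:
        os.write(fd, build_keytab(sample))
        os.close(fd)
        os.chmod(path, 0o644)                 # too permissive: world-readable
        lax = permission_problems(path, os.getuid())
        os.chmod(path, 0o600)                 # readable only by the owning user
        strict = permission_problems(path, os.getuid())
        with open(path, "rb") as f:
            parsed = parse_keytab(f.read())
    finally:
        os.unlink(path)
    return {"lax": lax, "strict": strict,
            "principals": [(e.principal, e.kvno, e.enctype) for e in parsed]}


if __name__ == "__main__":
    print(demo())
```

Run `permission_problems("/etc/krb5.keytab", <uid of the WebSphere user>)` on a real host to get a list of findings, and `parse_keytab` on the file's bytes to compare the KVNO of each `HTTP/...` entry with what the KDC reports; a mismatch is the symptom of keys changed in the keytab without the corresponding change in the Kerberos database.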



 
