Use the ktab command to manage the Kerberos keytab file


The Kerberos key table manager command (Ktab) allows the product administrator to manage the Kerberos service principal names and keys stored in a local Kerberos keytab file. With the IBM SDK or Sun Java Development Kit (JDK) 1.6 or later, we can use the ktab command to merge two Kerberos keytab files.

[Solaris] To merge the ktab files, install the Java Development Kit (JDK) V1.6 SR3 cumulative fix, which upgrades the JDK to V1.6.0_07.

[HP-UX] To merge the ktab files, install the SDK V1.6 SR3 cumulative fix, which upgrades the JDK to V1.6.0.02.

[AIX] [Windows] [Linux] To merge the ktab files, install the Java Development Kit (JDK) V1.6 SR3 cumulative fix, which upgrades the SDK to V1.6.0 Java Technology Edition SR3.

The Kerberos service principal names (SPNs) and keys listed in the Kerberos keytab file allow services running on the host to validate incoming Kerberos or SPNEGO token requests. Before configuring Kerberos or SPNEGO web authentication, the WAS administrator must set up a Kerberos keytab file on the host that is running WAS.

Deprecated feature:

In WAS Version 6.1, a trust association interceptor (TAI) that uses SPNEGO to securely negotiate and authenticate HTTP requests for secured resources was introduced. In WAS V7.0, this function is deprecated.

SPNEGO web authentication has taken its place and provides a number of enhancements over the TAI.

The syntax of Ktab is shown below by running Ktab with the -help operand.

$ ktab -help

Usage: java com.ibm.security.krb5.internal.tools.Ktab [options]
Available options:
  -l                                                 list the keytab name and entries
  -a <principal_name> [password]                     add an entry to the keytab
  -d <principal_name>                                delete an entry from the keytab
  -k <keytab_name>                                   specify keytab name and path with FILE: prefix
  -m <source_keytab_name> <destination_keytab_name>  specify merging source keytab file name and destination keytab file name

Below is an example of how Ktab is used to merge krb5Host1.conf into the krb5.conf file. Note that the -m option merges keytab files: the file names in this example are reproduced as given, but krb5.conf is normally the Kerberos client configuration file, not a keytab, so in practice both arguments to -m should be keytab files (such as the /etc/krb5.keytab shown in the listing).

[root@wssecjibe bin]# ./ktab -m /etc/krb5Host1.conf /etc/krb5.conf
Merging keytab files:
  source=krb5Host1.conf
  destination=krb5.conf
Done!
[root@wssecjibe bin]# ls /etc/krb5.*
/etc/krb5Host1.conf
/etc/krb5.conf
/etc/krb5.keytab

Below is an example of how Ktab is used on a Linux platform to add a new principal name to the Kerberos keytab file, where ot56prod is the password for the Kerberos principal. The password argument is optional; if you omit it, ktab prompts for it, which keeps the password out of the shell history and out of process listings on a shared host.

[root@wssecjibe bin]# ./ktab -a HTTP/wssecjibe.mpls.setgetweb.com@WSSEC.AUSTIN.IBM.COM ot56prod -k /etc/krb5.keytab
Done!
Service key for principal HTTP/wssecjibe.mpls.setgetweb.com@WSSEC.AUSTIN.IBM.COM saved



Below is an example of how Ktab is used on a Linux platform to list the Kerberos keytab file content. The KVNO column is the key version number stored for each principal; it must match the key version the KDC holds for that principal, otherwise the service cannot decrypt the tickets it receives.

[root@wssecjibe bin]# ./ktab

        KVNO    Principal
        ----    ---------

        1       HTTP/wssecjibe.mpls.setgetweb.com@WSSEC.AUSTIN.IBM.COM

[root@wssecjibe bin]# ls /etc/krb5.*
/etc/krb5.conf
/etc/krb5.keytab

Tip: We can run the ktab command from the install_root/java/jre/bin directory.
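The following script is an added example and is not part of the IBM documentation or product. It wraps the ktab operations described on this page (add, merge, list) in shell functions and adds the post-check a practitioner wants after editing a keytab: parse the listing and confirm that each expected service principal is present, reporting its KVNO. The KTAB path, the KEYTAB path and the second principal in the sample listing are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the IBM page: wraps the ktab operations shown
# above (add, merge, list) in shell functions and adds a post-check that
# parses the listing. Assumed: KTAB points at the JRE's ktab binary (the page
# says install_root/java/jre/bin); the paths below are illustrative.

KTAB="${KTAB:-/opt/IBM/WebSphere/AppServer/java/jre/bin/ktab}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# Add a service principal to the keytab. The password argument is omitted on
# purpose: ktab's usage shows it as optional ([password]) and prompts for it,
# which keeps the secret out of `ps` output and the shell history.
add_spn() {
    "$KTAB" -a "$1" -k "$KEYTAB"
}

# Merge another host's keytab into KEYTAB. Both arguments to -m must be
# keytab files (not krb5.conf, which is the client configuration file).
merge_keytab() {
    "$KTAB" -m "$1" "$KEYTAB"
}

# Print the keytab listing (KVNO / Principal table).
list_keytab() {
    "$KTAB" -l -k "$KEYTAB"
}

# Read a ktab listing on stdin and print the KVNO of the given principal.
# Exit status 1 when the principal is not present, so callers can branch on it.
kvno_for() {
    awk -v p="$1" '
        NF == 2 && $2 == p { print $1; found = 1 }
        END { exit found ? 0 : 1 }'
}

# Read a ktab listing on stdin and report every expected principal that is
# missing. Returns 0 only when all of them are present.
verify_spns() {
    listing=$(cat)
    missing=0
    for spn in "$@"; do
        if ! printf '%s\n' "$listing" | kvno_for "$spn" >/dev/null; then
            echo "missing from keytab: $spn" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed sample listing in the format ktab prints, used to exercise the
# checks offline; the second entry is invented for this example.
SAMPLE_LISTING='        KVNO    Principal
        ----    ---------

        1       HTTP/wssecjibe.mpls.setgetweb.com@WSSEC.AUSTIN.IBM.COM
        3       HTTP/host2.example.com@WSSEC.AUSTIN.IBM.COM'

# Live run only when the real tool is present and the caller opts in with
# KTAB_LIVE=1; otherwise the script just defines the functions above.
if [ "${KTAB_LIVE:-0}" = 1 ] && [ -x "$KTAB" ]; then
    add_spn "HTTP/wssecjibe.mpls.setgetweb.com@WSSEC.AUSTIN.IBM.COM"
    list_keytab | verify_spns "HTTP/wssecjibe.mpls.setgetweb.com@WSSEC.AUSTIN.IBM.COM"
fi
```

Run with KTAB_LIVE=1 on the WAS host to add the SPN and verify it in one step; without it, source the script and pipe any ktab listing into verify_spns to check a keytab copied from another host before merging it. The KVNO that kvno_for prints is the value to compare against the key version the KDC holds for the principal.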




Related concepts


Single sign-on for HTTP requests using SPNEGO TAI (deprecated)
Kerberos (KRB5) authentication mechanism support for security


Related tasks


Create a Kerberos service principal and keytab file used by the WAS SPNEGO TAI (deprecated)


Related


Single sign-on capability with SPNEGO TAI - checklist (deprecated)
Kerberos: The Network Authentication Protocol